1. Building Secure SharePoint Extranets with Claims-Based Authentication
   #COM716
   Aonghus (Gus) Fraser, [email protected]
2. Aonghus Fraser (MCPD, MCITP, MCSD)
   Based in (Old) Jersey & Guernsey
   SharePoint Lead Consultant @ C5 Alliance: ~75 consultants; ~18 SharePoint & CRM*
   Working with SharePoint since WSS 2.0
   [email protected] / @gusfraser / #COM716
   Run www.cispug.org; blog at http://techblurt.com; #SPRunners
   *probably the highest concentration of SharePoint on the planet (unconfirmed)
3. Jersey
4. Guernsey
5. Agenda
   Extranets: Why? Why Claims?
   Claims-Based Authentication
   Secure Extranet Topologies
   Case Studies & Demonstrations: MyGov.je, Dvs.MyGov.je
   SharePoint 2013 Claims First
   Azure ACS & 3rd Party Providers
6. SharePoint Buzzword Bingo: Cloud, App, Identity, Trust. SharePoints mean Prizes!
7. Extranets: Why?
   Security: controlled information management & delivery; avoid insecure or uncontrolled use, e.g. email, Dropbox, SkyDrive etc.
   Customer service: self-service, 24x7
   Efficiency: reduced manual effort
8. Extranets: Why Claims?
   Delegate authentication to a TRUSTED 3rd party (Federation)
   Standards & interoperability
   SharePoint 2013: it's the future!
9. Quis custodiet ipsos custodes? (Who guards the guards?)
   Trust problems since the 1st/2nd century. 21st century version: who do I trust with my identity? Which identity provider do I trust to authenticate users / federate with? Partner/customer AD? LiveID? Facebook? OpenID?
10. Claims-Based Concepts
   Identity: set of unique user-defining claims/attributes
   Claim(s): identity attributes (e.g. username, email, role)
   Issuer / Authority / Provider: e.g. DC, ADFS, STS
   Relying Party: application, e.g. SharePoint, custom app
   Token
11. What do we mean by Claim?
   A property that I HAVE / what I AM, e.g. name, email, username (could be a role)
   NOT what I can do (authorisation)
   Wrapped up in a SAML assertion/token (XML)
   C2WTS (Claims to Windows Token Service) converts to Windows (Kerberos or NTLM)
13. Real World Claims Analogy (diagram: Identity Provider, Claims, Identity)
14. Secure Extranet Topologies
15. Assumptions / Requirements
   Separate extranet farm (separate AD)
   Firewalls between farms (ISA/TMG/UAG etc.)
   No external access to internal farm
   No data to be stored in the public Cloud
16. Scenario 1: Isolated Farms
   No access to extranet farm without external AD account
   Limited collaboration
   (Diagram: Internal Farm with WFE[01-02], APP[01-02], DB Cluster, DC[01-02]; Firewall; Extranet Farm with DMZWFE[01,02], DMZAPP01, DMZDB Cluster, DMZDC[01,02]; Firewall; Internal Users)
17. Scenario 2: One-way AD Trust
   Internal users granted access with AD trust
   Requires potentially undesirable firewall holes
   (Diagram: same Internal Farm / Firewall / Extranet Farm / Internal Users topology as Scenario 1, with a one-way AD trust between the farms)
25. MYGOV CITIZEN PORTAL
   Claims-based authentication with back-end Microsoft Dynamics CRM integration
26. DVS Online: Book driving test
   Re-use of Citizen Portal; different web app
   SharePoint 2010 front-end, CRM 2011 back-end, Licar integration
27. DVS ONLINE
   Claims-based authentication with back-end Microsoft Dynamics CRM & Licar driver licensing system
28. SharePoint 2013 Claims
29. SharePoint 2013 Claims First
   Classic authentication deprecated (PowerShell only)
   Distributed Cache! No more sticky sessions for FedAuth cookies!
   Improved logging (ULS)
   Without Claims: no Apps! No OWAPP! (e.g. search result preview)
   A lot of net new 2013 features use Claims.
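Slide 29 says classic-mode authentication is deprecated in SharePoint 2013 and that the switch to claims is PowerShell-only. The following is an added example (not from the deck) of how that check and conversion look in the SharePoint 2013 Management Shell; the web application URL is a placeholder, and the exact Convert-SPWebApplication parameter set should be confirmed against the farm's build before running it on a production web application.

```powershell
# Added example, not from the presentation: inspect a SharePoint 2013 web
# application's authentication mode and convert it from classic (Windows)
# to claims if needed. Run in the SharePoint 2013 Management Shell as a
# farm administrator. The URL below is a placeholder.
$url = "http://intranet.example.local"   # placeholder web application URL

$webApp = Get-SPWebApplication -Identity $url

if ($webApp.UseClaimsAuthentication) {
    Write-Output "$url already uses claims authentication."
}
else {
    Write-Output "$url uses classic (Windows) authentication; converting to claims."

    # Classic mode is deprecated in 2013 and there is no Central Administration UI
    # for this step. -RetainPermissions rewrites existing Windows account names
    # into their claims-encoded form (i:0#.w|domain\user) so permissions survive.
    # Take a content database backup first: the conversion is not reversible.
    Convert-SPWebApplication -Identity $url -To Claims -RetainPermissions -Force

    # Re-read the web application and confirm the switch actually took effect
    $webApp = Get-SPWebApplication -Identity $url
    if (-not $webApp.UseClaimsAuthentication) {
        throw "Conversion to claims did not complete for $url"
    }
    Write-Output "Converted. Review site collection administrators and any custom code that assumed DOMAIN\user logins."
}
```

After the conversion, user accounts in the site permission lists appear in claims-encoded form; custom code or workflows that compared raw `DOMAIN\user` strings are the usual thing that breaks, which is why the example prints a reminder rather than assuming the job is done once the flag flips.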
35. ACS Supported ID Providers
   WS-Fed, OpenID
   ADFS 2.0
   Windows Live ID
   Facebook
   Google ID
   Yahoo
36. AZURE ACS, SHAREPOINT & FACEBOOK
37. Create Facebook App
38. Setup Azure ACS ID Provider
39. ACS ID Providers, Mappings & Certs
40. ACS Claims Mapping
41. Facebook App
42. Facebook Claims
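Slides 37 to 42 walk through the Facebook app, the ACS identity provider, the ACS certificate and claim mappings, and the claims that arrive at SharePoint. The SharePoint side of that procedure, as an added example that is not part of the deck, is registering ACS as an SPTrustedIdentityTokenIssuer and mapping the incoming claim types. The ACS namespace, realm and certificate path below are placeholders for values taken from your own ACS configuration; the claim type URIs are the standard WS-Federation/SAML identity claim types that ACS passes through from Facebook.

```powershell
# Added example, not from the presentation: register Azure ACS as a trusted
# identity provider in SharePoint and map the claims ACS emits for a
# Facebook-authenticated user to SharePoint claim types.
# Assumptions: SharePoint Management Shell as farm admin; the ACS namespace,
# realm and certificate path are placeholders. The ACS token-signing
# certificate is the one exported from the ACS management portal.
$acsNamespace = "contoso-acs"                                   # placeholder ACS namespace
$realm        = "urn:sharepoint:extranet"                        # must match the relying party realm configured in ACS
$signInUrl    = "https://$acsNamespace.accesscontrol.windows.net/v2/wsfederation"
$certPath     = "C:\certs\acs-signing.cer"                      # placeholder path to the exported ACS signing cert

# 1. Trust the ACS token-signing certificate. SharePoint verifies every
#    incoming token's signature against this; a token signed by anything
#    else is rejected, which is the whole basis of "delegate to a TRUSTED 3rd party".
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
New-SPTrustedRootAuthority -Name "ACS Token Signing" -Certificate $cert | Out-Null

# 2. Map incoming claim types (what ACS releases from Facebook) to SharePoint claim types.
#    -SameAsIncoming keeps the claim type URI unchanged on the SharePoint side.
$emailMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "Email" -SameAsIncoming
$nameMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" `
    -IncomingClaimTypeDisplayName "Display Name" -SameAsIncoming
$roleMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
    -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

# 3. Register the trusted issuer. The identifier claim is the one SharePoint
#    treats as the user's login name, so it must be present in every token
#    ACS issues or the sign-in fails after a successful Facebook login.
$issuer = New-SPTrustedIdentityTokenIssuer -Name "Azure ACS (Facebook)" `
    -Description "Federated login via Azure ACS" `
    -Realm $realm `
    -ImportTrustCertificate $cert `
    -ClaimsMappings $emailMap, $nameMap, $roleMap `
    -SignInUrl $signInUrl `
    -IdentifierClaim $emailMap.InputClaimType

# 4. Sanity check: the issuer exists and the identifier claim is the intended one
Get-SPTrustedIdentityTokenIssuer -Identity "Azure ACS (Facebook)" |
    Select-Object Name, IdentityClaimTypeInformation, ProviderUri
```

The issuer is then enabled on the extranet zone of the web application (Central Administration, or Set-SPWebApplication with its -Zone and -AuthenticationProvider parameters). Two things worth checking against slides 40 and 42: the ACS rule group must actually release the email claim for the Facebook provider, since a Facebook account without a verified email produces no identifier claim; and because an email address can change hands, a site whose access control depends on it should treat the mapped role claim, not the login string, as the authorisation signal.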
43. References
   A Guide to Claims-Based Identity and Access Control, Second Edition: http://www.microsoft.com/en-us/download/details.aspx?id=28362
   Programming WIF: http://shop.oreilly.com/product/9780735627185.do
   ACS Code Samples Index: http://msdn.microsoft.com/en-us/library/gg185965.aspx