2. Aonghus Fraser (MCPD, MCITP, MCSD)
Based in (Old) Jersey & Guernsey
SharePoint Lead Consultant @ C5 Alliance
– ~75 Consultants; ~18 SharePoint & CRM*
Working with SharePoint since WSS 2.0
af@c5.je / @gusfraser / #COM716
Run www.cispug.org
Blog at http://techblurt.com
#SPRunners
*probably the highest concentration of SharePoint on the planet (unconfirmed)
8. Extranets – Why?
Security
Controlled information management & delivery
Avoid insecure or uncontrolled use e.g. Email, Dropbox, SkyDrive etc.
Customer service
Self-service, 24x7
Efficiency
Reduced manual effort
9. Extranets – Why Claims?
Delegate Authentication to a TRUSTED 3rd party (Federation)
Standards & Interoperability
SharePoint 2013… it’s the future!
10. Quis custodiet ipsos custodes?
“Who Guards the Guards?”
Trust problems since the 1st/2nd century…
21st century version:
Who do I trust with my Identity?
Which Identity provider do I trust to authenticate users/federate with?
– Partner/Customer AD?
– LiveID?
– Facebook?
– OpenID?
11. Claims-Based Concepts
Identity
Set of unique user-defining claims/attributes
Claim(s)
Identity attributes (e.g. Username, Email, Role)
Issuer / Authority / Provider
E.g. DC, ADFS, STS
Relying Party
Application e.g. SharePoint, custom app
Token
Signed container for a set of claims from an Issuer (e.g. a SAML assertion)
12. What do we mean by Claim?
Property that I HAVE / What I AM
E.g. Name, Email, Username (could be a Role)
NOT What can I do (Authorisation)
Wrapped up in a SAML Assertion/Token (XML)
C2WTS (Claims to Windows Token Service) converts the claims identity to a Windows token (Kerberos or NTLM) for back-end systems that require Windows authentication
16. Assumptions / Requirements
Separate Extranet Farm (separate AD)
Firewalls between Farms (ISA/TMG/UAG etc.)
No external access to internal farm
No data to be stored in the public Cloud
17. Scenario 1: Isolated Farms
No access to extranet farm without external AD account
Limited collaboration
[Diagram: Internal Farm (DC[01-02], WFE[01-02], APP[01-02], DB Cluster) and Extranet Farm (DMZDC[01,02], DMZWFE[01,02], DMZAPP01, DMZ DB Cluster), each behind its own Firewall; Internal Users on the internal side]
18. Scenario 2: One-way AD Trust
[Diagram: as Scenario 1, with a one-way AD trust between the DMZ AD (DMZDC[01,02]) and the internal AD (DC[01-02]) across the firewall]
Internal users granted access with AD Trust
Requires potentially undesirable firewall “holes” (AD trust traffic between the DMZ and the internal domain controllers)
19. Scenario 3: ADFS 2.0
[Diagram: as Scenario 1, with an ADFS 2.0 farm (ADFS[01,02]) federating the internal AD to the Extranet Farm]
Internal users granted access via ADFS 2.0
Most secure multiple farm extranet with easy internal user access
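Scenario 3 in practice means the extranet farm has to be told which token-signing certificate, realm and claims to trust from ADFS 2.0. The following is an added example, not code from the deck or from C5 Alliance; the certificate path, STS URL, realm, host names and service account are hypothetical placeholders.

```powershell
# Added example (not from the original deck): register ADFS 2.0 as a trusted
# identity provider for the extranet farm (Scenario 3). All names, URLs and
# paths below are hypothetical placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Trust the ADFS token-signing certificate. Only the public key (.cer) is
#    imported; the private key never leaves the ADFS servers.
$signingCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\Certs\adfs-token-signing.cer")
New-SPTrustedRootAuthority -Name "ADFS Token Signing" -Certificate $signingCert

# 2. Map the claims ADFS issues to SharePoint claim types. The identifier claim
#    (email here) becomes the user's name in SharePoint; a token without it is rejected.
$emailClaim = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$roleClaim  = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
$emailMap = New-SPClaimTypeMapping -IncomingClaimType $emailClaim -IncomingClaimTypeDisplayName "Email" -SameAsIncoming
$roleMap  = New-SPClaimTypeMapping -IncomingClaimType $roleClaim  -IncomingClaimTypeDisplayName "Role"  -SameAsIncoming

# 3. Register the issuer. Realm must equal the relying party identifier configured
#    for this farm on the ADFS side, or ADFS will not issue tokens for it.
$issuerParams = @{
    Name                   = "ADFS 2.0 (Internal AD)"
    Description            = "Internal users authenticate against the internal AD via ADFS"
    Realm                  = "urn:sharepoint:extranet"
    ImportTrustCertificate = $signingCert
    ClaimsMappings         = $emailMap, $roleMap
    SignInUrl              = "https://sts.contoso.com/adfs/ls/"
    IdentifierClaim        = $emailMap.InputClaimType
}
$adfsProvider = New-SPTrustedIdentityTokenIssuer @issuerParams

# 4. Use it on a new SSL-only extranet web application alongside Windows
#    authentication for the DMZ AD accounts.
$windowsProvider = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
$waParams = @{
    Name                   = "Extranet"
    HostHeader             = "extranet.contoso.com"
    Url                    = "https://extranet.contoso.com"
    Port                   = 443
    SecureSocketsLayer     = $true
    ApplicationPool        = "ExtranetAppPool"
    ApplicationPoolAccount = (Get-SPManagedAccount "DMZ\sp_extranet")
    AuthenticationProvider = $windowsProvider, $adfsProvider
}
New-SPWebApplication @waParams | Out-Null

# 5. Check what the farm now trusts: the signing certificate, the realm and the
#    identifier claim are the three values a misconfiguration (or a forged token)
#    would have to get past.
Get-SPTrustedRootAuthority "ADFS Token Signing" | Select-Object Name, @{n = "Thumbprint"; e = { $_.Certificate.Thumbprint }}
Get-SPTrustedIdentityTokenIssuer "ADFS 2.0 (Internal AD)" | Select-Object Name, IdentifierClaim, Realm, SignInUrl
```

Two caveats for the extranet case. SharePoint validates the SAML signature against the imported certificate and does not read ADFS federation metadata, so when ADFS rolls its token-signing certificate (automatic rollover is on by default) the trust breaks until the new public key is imported with New-SPTrustedRootAuthority and Set-SPTrustedIdentityTokenIssuer -ImportTrustCertificate. And the relying party identifier on the ADFS side must match the Realm string exactly, including scheme and case.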
20. More on ADFS 2.0
Source: Claims-based Identity, Second Edition
40. SharePoint 2013
“Claims First” – Classic authentication deprecated (classic-mode web applications can only be created via PowerShell)
Distributed Cache!
No more sticky sessions (load balancer affinity) needed for FedAuth cookies!
Improved Logging (ULS)
Without Claims:
No Apps!
No Office Web Apps (OWAPP)! (e.g. Search result preview)
A lot of “net new” 2013 features use Claims...
42. Upgrade / Migration Tips
Upgrade Classic 2010 Farms to Claims in 2010 BEFORE Upgrading to 2013
Upgrade WindowsPrincipal code to IClaimsPrincipal (code that compares SPUser.LoginName strings will also break, because logins become claims-encoded)
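The first tip, converting a classic 2010 web application to claims while still on 2010, is done through the object model rather than a single cmdlet. The script below is an added example, not code from the deck; the web application URL and the administrator account are hypothetical.

```powershell
# Added example (not from the original deck): convert a SharePoint 2010 classic
# (Windows) web application to claims authentication before the 2013 upgrade.
# The web application URL and the administrator account are hypothetical.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl    = "http://intranet.contoso.com"
$adminAccount = "CONTOSO\spfarm"

$wa = Get-SPWebApplication $webAppUrl
if ($wa.UseClaimsAuthentication) {
    throw "$webAppUrl is already claims-based; nothing to convert."
}

# 1. Switch the web application to claims mode.
$wa.UseClaimsAuthentication = $true
$wa.Update()

# 2. Grant a claims-encoded admin account Full Control via a web application
#    policy so someone can still get in after the switch. The encoded form
#    (i:0#.w|contoso\spfarm) is how claims mode names a Windows account.
$encodedAdmin = (New-SPClaimsPrincipal -Identity $adminAccount -IdentityType WindowsSamAccountName).ToEncodedString()
$wa = Get-SPWebApplication $webAppUrl
$policy = $wa.ZonePolicies("Default").Add($encodedAdmin, "Claims migration admin")
$policy.PolicyRoleBindings.Add($wa.PolicyRoles.GetSpecialRole("FullControl"))
$wa.Update()

# 3. Rewrite existing user identities in the content databases to their
#    claims-encoded form and re-provision the web application on every server.
$wa.MigrateUsers($true)
$wa.ProvisionGlobally()

# 4. Verify before upgrading: the flag is set and user logins now carry the
#    claims prefix (i:0#.w|domain\user) instead of plain domain\user.
$wa = Get-SPWebApplication $webAppUrl
"UseClaimsAuthentication = $($wa.UseClaimsAuthentication)"
Get-SPUser -Web $webAppUrl -Limit 5 | Select-Object UserLogin, DisplayName
```

The conversion is one-way; run it against a restored copy of the content databases first. If the farm is already on 2013, the equivalent is Convert-SPWebApplication -Identity $webAppUrl -To Claims -RetainPermissions, but the deck's advice to convert on 2010 first avoids carrying a deprecated mode through the upgrade.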
44. Azure Access Control Services
Free! (since Nov 2012)
Authentication, authorisation & integration with ID providers
Manages Certs, Relying Parties, ID Providers
58. Thank you for attending!
@gusfraser
af@c5.je
#COM716
Editor's notes
NOT a technical deep dive on security or SAML; an explanation of the terminology and a demonstration of real-world examples.
e.g. Facebook OAuth – what is THEIR password complexity? (Identity 2.0 – Dick Hardt.) Facebook: “When you create a new password, make sure that it's at least 6 characters long. Try to use a complex combination of numbers, letters, and punctuation marks….”
C2WTS (Claims to Windows Token Service) – part of WIF, installed with SP2010+; necessary for
Not all identities or claims are created equally…
Some of you might recognise this driving licence; I use it to present my claim (my name) in exchange for a ticket. The claims application (ground staff) checks whether he or she trusts the identity provider. It’s actually the Parish of St. Clement in Jersey, but let’s just say Jersey. I then get a token which allows me through security, who don’t look at my ID any more.
ADFS CAN be installed on the DC; however, you must then have an ADFS proxy role or UAG to act as a proxy in front of the DC. UAG, however, doesn’t provide O365 or mobile device support.
WID for less than 100 trusted relationships – internal users. WID + Proxies – external DB.
App Identifier = Issuer GUID @ Realm GUID (Get-SPAuthenticationRealm; the realm is per ServiceContext, e.g. $spweb.Site). Because applications need permissions too! Apps are security principals themselves.
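Building that "issuer GUID @ realm" identifier and registering the issuer is what makes a high-trust app a security principal the farm will accept tokens from. The script below is an added example, not code from the deck; the certificate path, site URL and issuer GUID are hypothetical placeholders.

```powershell
# Added example (not from the original deck): register a high-trust (S2S) app
# token issuer in SharePoint 2013 and build the "issuer GUID @ realm" identifier.
# Certificate path, site URL and issuer GUID are hypothetical placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Public key of the certificate the app (or token broker) signs with. The
# private key stays on the app server; whoever holds it can mint tokens
# asserting any user of this farm, so guard it like a farm admin credential.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\Certs\HighTrustApp.cer")
New-SPTrustedRootAuthority -Name "HighTrustApp" -Certificate $cert

# The realm is per service context; take it from the site the app will run in.
$site  = Get-SPSite "https://extranet.contoso.com"
$realm = Get-SPAuthenticationRealm -ServiceContext $site

# Issuer ID: a GUID of your choosing, lower-case, combined with the realm.
$issuerId = "11111111-1111-1111-1111-111111111111".ToLower()
$registeredIssuerName = "$issuerId@$realm"

# -IsTrustBroker lets one certificate issue tokens on behalf of several apps.
New-SPTrustedSecurityTokenIssuer -Name "High Trust App Issuer" -Certificate $cert -RegisteredIssuerName $registeredIssuerName -IsTrustBroker | Out-Null

# Checks: the issuer is registered with the expected identifier, and the farm
# still refuses OAuth tokens over plain HTTP (only ever enable that on a dev box).
Get-SPTrustedSecurityTokenIssuer "High Trust App Issuer" | Select-Object Name, RegisteredIssuerName, IsTrustBroker
$sts = Get-SPSecurityTokenServiceConfig
if ($sts.AllowOAuthOverHttp) {
    Write-Warning "AllowOAuthOverHttp is enabled: app tokens can be sent in clear text."
}
$site.Dispose()
iisreset
```

The app itself is then registered (client ID @ realm) against the same issuer; the registered issuer name and the client ID are what the farm matches in each incoming token's header, so a typo in either simply produces 401s rather than an obvious configuration error.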
Used to be $1.99 per 100,000 transactions. If you used to use