Building Secure SharePoint
Extranets with Claims Based
Authentication
#COM716
Aonghus (Gus) Fraser
@gusfraser
af@c5.je
Aonghus Fraser (MCPD, MCITP, MCSD)
- Based in (Old) Jersey & Guernsey
- SharePoint Lead Consultant @ C5 Alliance
  - ~75 consultants; ~18 SharePoint & CRM*
- Working with SharePoint since WSS 2.0
- af@c5.je / @gusfraser / #COM716
- Run www.cispug.org
- Blog at http://techblurt.com
- #SPRunners
*probably the highest concentration of SharePoint on the planet (unconfirmed)
Building Secure Extranets with Claims-Based Authentication #SPEvo13
Agenda
- Extranets: why? Why claims?
- Claims-based authentication
- Secure extranet topologies
- Case studies & demonstrations
  - MyGov.je
  - Dvs.MyGov.je
- SharePoint 2013: claims first
- Azure ACS & 3rd-party providers
SharePoint Buzzword Bingo
Cloud
App
Identity
Trust
SharePoints mean Prizes!
Extranets – Why?
- Security
  - Controlled information management & delivery
  - Avoid insecure or uncontrolled sharing, e.g. email, Dropbox, SkyDrive
- Customer service
  - Self-service, 24x7
- Efficiency
  - Reduced manual effort
Extranets – Why Claims?
- Delegate authentication to a TRUSTED 3rd party (federation): the extranet never stores or checks partner passwords, it only verifies tokens signed by the issuer it trusts
- Standards & interoperability (WS-Federation, SAML tokens)
- SharePoint 2013… it's the future!
Quis custodiet ipsos custodes?
- "Who guards the guards?"
- Trust problems since the 1st/2nd century…
- 21st century version:
  - Who do I trust with my identity?
  - Which identity provider do I trust to authenticate users / federate with?
    - Partner/customer AD?
    - LiveID?
    - Facebook?
    - OpenID?
Claims-Based Concepts
- Identity: the set of claims/attributes that uniquely describes a user
- Claim(s): identity attributes asserted by an issuer (e.g. username, email, role)
- Issuer / Authority / Provider: whoever authenticates the user and signs the claims, e.g. a domain controller, ADFS, an STS
- Relying Party: the application that consumes the claims, e.g. SharePoint or a custom app
- Token: the signed container (here a SAML assertion, XML) that carries the claims from the issuer to the relying party; the relying party checks the signature against the issuer's certificate instead of re-authenticating the user
What do we mean by Claim?
- A property that I HAVE / what I AM, e.g. name, email, username (could be a role)
- NOT what I can do (authorisation stays with the relying party)
- Wrapped up in a SAML assertion/token (XML), signed by the issuer
- C2WTS (Claims to Windows Token Service) converts the claims identity back to a Windows identity (Kerberos or NTLM) for service applications and back-ends that still expect Windows authentication
Claim Types
- SharePoint STS (native SharePoint)
  - Windows claims: a Kerberos or NTLM logon converted to a SAML token by SharePoint's own STS
- Federated claims
  - ADFS 2.0, Azure ACS
- Custom claims
  - Custom STS
Real World Claims Analogy
[Diagram labels: Identity Provider, Claims, Identity]
Secure Extranet Topologies
Assumptions / Requirements
- Separate extranet farm (separate AD forest in the DMZ)
- Firewalls between farms (ISA/TMG/UAG etc.)
- No external access to the internal farm
- No data to be stored in the public cloud
Scenario 1: Isolated Farms
- No access to the extranet farm without an external (DMZ) AD account
- Limited collaboration: internal users need a second account
[Diagram: Internal Farm on the internal network (Internal Users, DC[01-02], WFE[01-02], APP[01-02], DB Cluster) | Firewall | Extranet Farm in the DMZ (DMZDC[01,02], DMZWFE[01,02], DMZAPP01, DMZ DB Cluster) | Firewall to the Internet. No trust between the two AD forests.]

Scenario 2: One-way AD Trust
- Internal users granted access with an AD trust (the DMZ domain trusts the internal domain, so internal accounts can be added to extranet sites)
- Requires potentially undesirable firewall "holes": the DMZ domain controllers need DNS, Kerberos, LDAP, SMB and RPC endpoint mapper plus dynamic RPC ports open towards the internal domain controllers
[Diagram: same two farms as Scenario 1, with a one-way AD trust from DMZDC[01,02] to DC[01-02] crossing the internal firewall.]

Scenario 3: ADFS 2.0
- Internal users granted access via ADFS 2.0
- Most secure multiple-farm extranet with easy internal user access: the extranet farm holds no AD trust and no internal credentials, only the ADFS token-signing certificate; the SAML token travels through the user's browser (WS-Federation passive redirect), so no DMZ-to-internal network path is needed
[Diagram: same two farms, plus ADFS[01,02] on the internal network issuing tokens to internal users for the extranet farm.]
More on ADFS 2.0
Source:Claims-based Identity Second Edition
Case Studies
MyGov.je
- Online citizen services portal
- Jobs, news, planning applications
- SharePoint 2010 front-end
- CRM 2011 back-end
- Web services to the back-end authenticated with X.509 certificates
- SharePoint STS with custom membership provider
Systems Integration
- Payment gateway
- JD Edwards
- Licar (driving licence system)
- Planning (Northgate)
MyGov Topology
[Diagram: Internal Network (Internal Users, DCs[01-02], WFEs[01-03], APP01, DB Cluster, CRM[01,02], JD Edwards, DVS, Planning) | Firewall | Extranet Farm in the DMZ (DMZDCs[01-02], DMZWFEs[01-04], DMZAPP01, DMZDB Cluster) | Firewall to the Internet]
MyGov Sequence Diagram
[Diagram, participants: User, WFE/STS, CRM]
1. User -> WFE/STS: anonymous request
2. User -> WFE/STS: login (credentials posted to the SharePoint STS with the custom membership provider)
3. WFE/STS -> CRM: check credentials
4. CRM -> WFE/STS: success
5. WFE/STS: augment the claims with the CRM identity
6. WFE/STS: create SAML token
7. WFE/STS -> User: FedAuth cookie; subsequent requests carry the FedAuth cookie
MyGov Citizen Portal (demo): claims-based authentication with back-end Microsoft Dynamics CRM integration
DVS Online
- Book driving test
- Re-use of the citizen portal; different web application
- SharePoint 2010 front-end
- CRM 2011 back-end
- Licar integration
DVS Online (demo): claims-based authentication with back-end Microsoft Dynamics CRM & Licar driver licensing system
SharePoint 2013 Claims
SharePoint 2013
- "Claims first": classic (Windows-only) authentication is deprecated; a classic-mode web application can only be created with New-SPWebApplication in PowerShell, not from Central Administration
- Distributed Cache holds the logon token cache, so a FedAuth cookie is valid on any WFE: no more sticky sessions (load-balancer affinity) for claims sessions
- Improved logging (ULS) for the claims pipeline
- Without claims:
  - No Apps (the app model authenticates with OAuth tokens)
  - No Office Web Apps integration (e.g. search result preview)
  - Most "net new" 2013 features depend on claims
Identities in SharePoint 2013 (encoded claim strings; the issuer is part of the identity, so the same e-mail address from two providers is two different principals)
- i:0#.w|domain\user                  Windows account (Kerberos/NTLM)
- i:0#.f|membershipprovider|user      forms-based authentication via an ASP.NET membership provider
- i:05.t|azure|email@domain.com       trusted provider "azure" (ACS), e-mail address as identifier claim
- i:05.t|facebook|gus@techblurt.com   trusted provider "facebook", e-mail address as identifier claim
- i:0i.t|ms.sp.ext|{guid}@{guid}      app principal (client id @ realm) from the app model
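The strings above follow a fixed layout, and a permission audit should decode them rather than eyeball them. The following is an added example (not code from the deck or from C5 Alliance): a decoder for the encoded claim format plus a helper that flags identities issued by social providers. The claim-type and issuer-type tables are deliberately partial (only characters whose meaning is well known are mapped), the sample logins are constructed, and the function and provider names are my own.

```powershell
# Added example, not part of the deck: decode SharePoint encoded claim strings so a
# permission audit can see which issuer each identity came from. Unmapped characters
# are returned as "unmapped(<char>)" rather than guessed.

$ClaimTypeByChar = @{
    '#' = 'http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname'
    '5' = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
    '-' = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'
    '!' = 'http://schemas.microsoft.com/sharepoint/2009/08/claims/identityprovider'
}
$IssuerTypeByChar = @{
    'w' = 'Windows'               # Kerberos/NTLM, no issuer name in the string
    's' = 'SecurityTokenService'  # SharePoint's own STS, no issuer name
    't' = 'TrustedProvider'       # ADFS, ACS or any other trusted STS
    'f' = 'Forms'                 # ASP.NET membership provider
    'c' = 'ClaimProvider'
}

function ConvertFrom-SPEncodedClaim {
    param([Parameter(Mandatory = $true)][string]$Encoded)

    # Layout: <i|c> ':' <valueType> <claimType> '.' <issuerType> '|' [<issuerName> '|'] <value>
    if ($Encoded.Length -lt 8 -or $Encoded[1] -ne ':' -or $Encoded[4] -ne '.' -or $Encoded[6] -ne '|') {
        throw "Not a SharePoint encoded claim: $Encoded"
    }
    $issuerChar = [string]$Encoded[5]
    $issuerType = $IssuerTypeByChar[$issuerChar]
    if (-not $issuerType) { $issuerType = "unmapped($issuerChar)" }

    # Windows and the local STS carry the value directly; everything else carries "<issuer>|<value>".
    $rest = $Encoded.Substring(7)
    if ($issuerChar -eq 'w' -or $issuerChar -eq 's') {
        $issuerName = $null
        $value      = $rest
    } else {
        $sep = $rest.IndexOf('|')
        if ($sep -lt 0) { throw "Missing issuer name in: $Encoded" }
        $issuerName = $rest.Substring(0, $sep)
        $value      = $rest.Substring($sep + 1)
    }
    $typeChar  = [string]$Encoded[3]
    $claimType = $ClaimTypeByChar[$typeChar]
    if (-not $claimType) { $claimType = "unmapped($typeChar)" }

    [pscustomobject]@{
        IsIdentityClaim = ($Encoded[0] -eq 'i')
        ClaimType       = $claimType
        IssuerType      = $issuerType
        IssuerName      = $issuerName
        Value           = $value
        IsAppPrincipal  = ($issuerName -eq 'ms.sp.ext')   # app identity: <client id>@<realm>
    }
}

# Audit helper: flag identities that were issued by providers you consider weak for this site.
function Find-SocialLogins {
    param([string[]]$Logins, [string[]]$SocialIssuers = @('facebook', 'google', 'yahoo', 'liveid'))
    $Logins | ForEach-Object { ConvertFrom-SPEncodedClaim $_ } |
        Where-Object { $_.IssuerType -eq 'TrustedProvider' -and $SocialIssuers -contains $_.IssuerName }
}

# Constructed sample; on a real farm use (Get-SPUser -Web $url -Limit All).UserLogin instead.
$sampleLogins = @(
    'i:0#.w|contoso\gus',
    'i:0#.f|membershipprovider|gus',
    'i:05.t|azure|gus@techblurt.com',
    'i:05.t|facebook|gus@techblurt.com',   # same e-mail as the azure entry, but a DIFFERENT principal
    'i:0i.t|ms.sp.ext|11111111-2222-3333-4444-555555555555@aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee',
    'c:0-.t|adfs|Extranet Editors'         # a role claim, not an identity claim
)
$sampleLogins | ForEach-Object { ConvertFrom-SPEncodedClaim $_ } |
    Format-Table IsIdentityClaim, IssuerType, IssuerName, Value, IsAppPrincipal -AutoSize
Find-SocialLogins -Logins $sampleLogins |
    ForEach-Object { Write-Warning "Social identity holds permissions: $($_.Value) via $($_.IssuerName)" }
```

The point the decoder makes visible: SharePoint compares the whole encoded string, so granting a site to `i:05.t|azure|gus@techblurt.com` does nothing for the Facebook-issued identity with the same e-mail address, and vice versa. That is the behaviour you want on an extranet, and it is also why an audit has to key on issuer as well as value.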
Upgrade / Migration Tips
- Convert classic-mode 2010 web applications to claims in 2010 BEFORE upgrading to 2013 (in 2013 the equivalent operation is Convert-SPWebApplication -To Claims)
- Update custom code that casts the current user to WindowsPrincipal: under claims it is an IClaimsPrincipal (WIF) / SPClaimsPrincipal, and the login name is the encoded claim string, not DOMAIN\user
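The first tip is a short procedure with two known pitfalls: you need a claims-format administrator before you flip the switch, and the publishing object cache accounts are not migrated with the users. Here it is as an added example (not code from the deck) for the SharePoint 2010 Management Shell; the URL and the account names are placeholders.

```powershell
# Added example, not part of the deck: convert a classic-mode SharePoint 2010 web
# application to claims before the 2013 upgrade, then verify the user rows migrated.
# Run in the SharePoint 2010 Management Shell as a farm administrator.
$url         = 'https://intranet.contoso.local'   # placeholder
$adminAcct   = 'CONTOSO\spadmin'                  # placeholder
$superUser   = 'CONTOSO\spsuperuser'              # placeholder
$superReader = 'CONTOSO\spsuperreader'            # placeholder

function Get-ClaimsLogin([string]$WindowsAccount) {
    # DOMAIN\user -> i:0#.w|domain\user
    (New-SPClaimsPrincipal -Identity $WindowsAccount -IdentityType WindowsSamAccountName).ToEncodedString()
}

$wa = Get-SPWebApplication -Identity $url
if (-not $wa.UseClaimsAuthentication) {
    # Give one account full control in claims form first, so someone can still
    # administer the web application if the user migration leaves permissions behind.
    $policy = $wa.Policies.Add((Get-ClaimsLogin $adminAcct), 'Claims migration admin')
    $policy.PolicyRoleBindings.Add($wa.PolicyRoles.GetSpecialRole('FullControl'))

    $wa.UseClaimsAuthentication = $true
    $wa.Update()
    $wa.ProvisionGlobally()   # rewrites web.config on every WFE
    $wa.MigrateUsers($true)   # rewrites DOMAIN\user rows to i:0#.w|domain\user
                              # (SharePoint 2013 replaces this with Convert-SPWebApplication -To Claims)
}

# The publishing object cache accounts are stored as plain strings and are NOT migrated;
# left as DOMAIN\user they no longer match a claims identity and the object cache fails.
$wa.Properties['portalsuperuseraccount']   = Get-ClaimsLogin $superUser
$wa.Properties['portalsuperreaderaccount'] = Get-ClaimsLogin $superReader
$wa.Update()

# Verification: anything that still looks like a classic login has not been migrated.
$notMigrated = Get-SPUser -Web $url -Limit All | Where-Object { $_.UserLogin -notmatch '^[ic]:0' }
if ($notMigrated) { $notMigrated | Select-Object UserLogin, DisplayName | Format-Table -AutoSize }
else { Write-Host "All users on $url are claims identities" }
```

Run the verification again after the 2013 upgrade: any login that still reads DOMAIN\user will not resolve once classic mode is gone.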
Azure Access Control Services
Identity Management in the Cloud
Azure Access Control Services
- Free (since Nov 2012)
- Authentication, authorisation (rule-based claim transformation) & integration with identity providers
- Manages certificates, relying parties and identity providers
(ACS was retired by Microsoft in November 2018; the SharePoint-side configuration shown here is the same for any WS-Federation STS.)
ACS Architecture
Source: http://msdn.microsoft.com/en-us/library/windowsazure/gg185957.aspx
ACS Supported ID Providers
- WS-Federation, OpenID
- ADFS 2.0
- Windows Live ID
- Facebook
- Google ID
- Yahoo
Azure ACS, SharePoint & Facebook (demo)
- Create Facebook app
- Set up Azure ACS identity provider
- ACS identity providers, mappings & certificates
- ACS claims mapping
- Facebook app
- Facebook claims
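Both Scenario 3 (ADFS 2.0 for internal users) and the ACS/Facebook demo end the same way on the SharePoint side: import the STS's token-signing certificate, map the incoming claim types, create a trusted identity token issuer and bind it to the web application zone. The following is an added example (not code from the deck or from C5 Alliance) covering both, written for the SharePoint Management Shell on the extranet farm. Host names, realm, certificate path, provider name and the function names are placeholders; the ACS endpoint form is given for completeness only.

```powershell
# Added example, not part of the deck: make the extranet farm trust an external STS
# (ADFS 2.0 in Scenario 3, or an Azure ACS namespace that fronts Facebook/Live ID).
# Run in the SharePoint Management Shell on the extranet farm as a farm administrator.

function Register-ExtranetIdentityProvider {
    param(
        [string]$Name        = 'ADFS',                         # becomes the issuer in i:05.t|ADFS|user@...
        [string]$SignInUrl   = 'https://adfs.contoso.com/adfs/ls',
        # ACS alternative: https://<namespace>.accesscontrol.windows.net/v2/wsfederation
        [string]$Realm       = 'urn:sharepoint:extranet',     # relying-party identifier configured in the STS
        [string]$SigningCert = 'C:\certs\token-signing.cer',  # PUBLIC token-signing cert exported from the STS
        [string]$WebAppUrl   = 'https://extranet.contoso.com'
    )

    # 1. Trust the token-signing certificate. Every incoming SAML token is checked
    #    against it, so obtain it from the STS administrator, never from a user.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($SigningCert)
    New-SPTrustedRootAuthority -Name "$Name token signing" -Certificate $cert | Out-Null

    # 2. Map incoming claim types. E-mail is the identifier claim: the STS must assert
    #    it for every user, and it becomes the Value part of i:05.t|<Name>|<email>.
    $email = New-SPClaimTypeMapping `
        -IncomingClaimType 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' `
        -IncomingClaimTypeDisplayName 'EmailAddress' -SameAsIncoming
    $role = New-SPClaimTypeMapping `
        -IncomingClaimType 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role' `
        -IncomingClaimTypeDisplayName 'Role' -SameAsIncoming

    # 3. Create the trusted identity token issuer (WS-Federation passive profile: the
    #    token travels through the user's browser, so no DMZ-to-STS network path is needed).
    $sts = New-SPTrustedIdentityTokenIssuer -Name $Name -Description "$Name federation" `
        -Realm $Realm -ImportTrustCertificate $cert -ClaimsMappings $email, $role `
        -SignInUrl $SignInUrl -IdentifierClaim $email.InputClaimType

    # 4. Enable it on the web application zone that users hit.
    $provider = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $sts
    Set-SPWebApplication -Identity $WebAppUrl -Zone 'Default' -AuthenticationProvider $provider
    return $sts
}

# Check: ADFS rolls its token-signing certificate automatically and SharePoint does not
# follow; once the imported certificate expires every federated logon fails.
function Test-IssuerCertificate {
    param([string]$Name = 'ADFS', [int]$WarnDays = 30)
    $sts      = Get-SPTrustedIdentityTokenIssuer -Identity $Name
    $daysLeft = ($sts.SigningCertificate.NotAfter - (Get-Date)).Days
    if ($daysLeft -lt $WarnDays) {
        Write-Warning "$Name signing certificate expires in $daysLeft days; refresh it with Set-SPTrustedIdentityTokenIssuer -Identity $Name -ImportTrustCertificate <new cert>"
    }
    return $daysLeft
}
```

On the STS side the matching relying party trust needs the same identifier (`urn:sharepoint:extranet` here), the web application's `/_trust/` URL as its WS-Federation passive endpoint, and SAML 1.1 as the token type, which is the only format SharePoint 2010 and 2013 accept. Schedule `Test-IssuerCertificate` so a certificate rollover on the STS becomes a warning rather than an outage.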
References
- A Guide to Claims-Based Identity and Access Control, Second Edition: http://www.microsoft.com/en-us/download/details.aspx?id=28362
- Programming Windows Identity Foundation: http://shop.oreilly.com/product/9780735627185.do
- ACS Code Samples Index: http://msdn.microsoft.com/en-us/library/gg185965.aspx
Bingo Prizes!
Thank you for attending!
@gusfraser
af@c5.je
#COM716

UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
Babel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxBabel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptx
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
GenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation IncGenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation Inc
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 

Building Secure Extranets with Claims-Based Authentication #SPEvo13

  • 1. Building Secure SharePoint Extranets with Claims Based Authentication #COM716
    Aonghus (Gus) Fraser @gusfraser af@c5.je
  • 2. Aonghus Fraser (MCPD, MCITP, MCSD)
     Based in (Old) Jersey & Guernsey
     SharePoint Lead Consultant @ C5 Alliance
      – ~75 Consultants; ~18 SharePoint & CRM*
     Working with SharePoint since WSS 2.0
     af@c5.je / @gusfraser / #COM716
     Run www.cispug.org
     Blog at http://techblurt.com
     #SPRunners
    *probably the highest concentration of SharePoint on the planet (unconfirmed)
  • 6. Agenda
     Extranets – Why? Why Claims?
     Claims-Based Authentication
     Secure Extranet Topologies
     Case Studies & Demonstrations
     MyGov.je
     Dvs.MyGov.je
     SharePoint 2013 – Claims First
     Azure ACS & 3rd Party Providers
  • 8. Extranets – Why?
     Security
     Controlled information management & delivery
     Avoid insecure or uncontrolled use e.g. Email, Dropbox, SkyDrive etc.
     Customer service
     Self-service, 24x7
     Efficiency
     Reduced manual effort
  • 9. Extranets – Why Claims?
     Delegate Authentication to a TRUSTED 3rd party (Federation)
     Standards & Interoperability
     SharePoint 2013… it’s the future!
  • 10. Quis custodiet ipsos custodes?
     “Who Guards the Guards?”
     Trust problems since the 1st/2nd century…
     21st century version:
     Who do I trust with my Identity?
     Which Identity provider do I trust to authenticate users/federate with?
      – Partner/Customer AD?
      – LiveID?
      – Facebook?
      – OpenID?
  • 11. Claims-Based Concepts
     Identity
     Set of unique user-defining claims/attributes
     Claim(s)
     Identity attributes (e.g. Username, Email, Role)
     Issuer / Authority / Provider
     E.g. DC, ADFS, STS
     Relying Party
     Application e.g. SharePoint, custom app
     Token
  • 12. What do we mean by Claim?
     Property that I HAVE / What I AM
     E.g. Name, Email, Username (could be a Role)
     NOT What can I do (Authorisation)
     Wrapped up in a SAML Assertion/Token (XML)
     C2WTS converts to Windows (Kerberos or NTLM)
  • 13. Claim Types
     SharePoint STS (native SharePoint)
     Windows Claims (from Kerberos or NTLM to SAML token)
     Federated Claims
     ADFS 2.0, Azure ACS
     Custom Claims
     Custom STS
  • 14. Real World Claims Analogy
    [Diagram labels: Identity Provider, Claims, Identity]
  • 16. Assumptions / Requirements
     Separate Extranet Farm (separate AD)
     Firewalls between Farms (ISA/TMG/UAG etc.)
     No external access to internal farm
     No data to be stored in the public Cloud
  • 17. Scenario 1: Isolated Farms
    No access to extranet farm without external AD account
    Limited collaboration
    [Topology diagram – Internal Farm: DC[01-02], WFE[01-02], APP[01-02], DB Cluster; Firewall; Extranet Farm: DMZDC[01,02], DMZWFE[01,02], DMZAPP01, DMZDB Cluster; Firewall; Internal Users]
  • 18. Scenario 2: One-way AD Trust
    Internal users granted access with AD Trust
    Requires potentially undesirable firewall “holes”
    [Topology diagram – Internal Farm: DC[01-02], WFE[01-02], APP[01-02], DB Cluster; Firewall; Extranet Farm: DMZDC[01,02], DMZWFE[01,02], DMZAPP01, DMZDB Cluster; Firewall; Internal Users; One way AD Trust]
  • 19. Scenario 3: ADFS 2.0
    Internal users granted access via ADFS 2.0
    Most secure multiple farm extranet with easy internal user access
    [Topology diagram – Internal Farm: DC[01-02], WFE[01-02], APP[01-02], DB Cluster, ADFS[01,02]; Firewall; Extranet Farm: DMZDC[01,02], DMZWFE[01,02], DMZAPP01, DMZDB Cluster; Firewall; Internal Users; ADFS 2.0]
  • 20. More on ADFS 2.0
    [Figure] Source: Claims-based Identity Second Edition
  • 22. MyGov.je
     Online Citizen Services Portal
     Jobs, News, Planning Applications
     SharePoint 2010 front-end
     CRM 2011 back-end
     Web services with X.509 certs
     SharePoint STS with custom Membership provider
  • 23. Systems Integration
     Payment Gateway
     JD Edwards
     Licar (Driving License system)
     Planning (Northgate)
  • 24. MyGov Topology
    [Topology diagram – Internal Network: DCs[01 – 02], WFEs[01 – 03], APP01, DB Cluster; Firewall; Extranet Farm: DMZDCs[01-02], DMZWFEs[01 – 04], DMZAPP01, DMZDB Cluster; Firewall; Internal Users; back-end systems: CRM[01,02], JD Edwards, DVS, Planning]
  • 25. MyGov Sequence Diagram
    [Sequence diagram – participants: User, WFE / STS, CRM; messages in order: Anon Request, Create SAML token, Login, Check credentials, Success, Augment Claim with CRM Identity, FedAuth Cookie, FedAuth Cookie]
  • 26. MYGOV CITIZEN PORTAL
    Claims-based authentication with back-end Microsoft Dynamics CRM integration
  • 31. DVS Online
     Book driving test
     Re-use of Citizen Portal; different web app
     SharePoint 2010 front-end
     CRM 2011 back-end
     Licar integration
  • 32. DVS ONLINE
    Claims-based authentication with back-end Microsoft Dynamics CRM & Licar Driver licensing system
  • 40. SharePoint 2013
     “Claims First” – Classic authentication deprecated (PowerShell only)
     Distributed Cache!
      – No more sticky sessions for FedAuth cookies!
     Improved Logging (ULS)
     Without Claims:
      – No Apps!
      – No OWAPP! (e.g. Search result preview)
     A lot of “net new” 2013 features use Claims..
  • 41. Identities in SharePoint 2013
     i:0#.f|membershipprovider|user
     i:0#.w|domain\user
     i:05.t|azure|email@domain.com
     i:05.t|facebook|gus@techblurt.com
     i:0i.t|ms.sp.ext|{guid}@{guid}
  • 42. Upgrade / Migration Tips
     Upgrade Classic 2010 Farms to Claims in 2010 BEFORE Upgrading to 2013
     Upgrade WindowsPrincipal code to IClaimsPrincipal
  • 43. Azure Access Control Services
    Identity Management in the Cloud
  • 44. Azure Access Control Services
     Free! (since Nov 2012)
     Authentication, authorisation & integration with ID providers
     Manages Certs, Relying Parties, ID Providers
  • 46. ACS Supported ID Providers
     WS-Fed, OpenID
     ADFS 2.0
     Windows Live ID
     Facebook
     Google ID
     Yahoo
  • 47. AZURE ACS, SHAREPOINT & FACEBOOK
  • 49. Setup Azure ACS ID Provider
  • 51. ACS ID Providers, Mappings & Certs
  • 56. References
     A Guide to Claims-Based Identity and Access Control, Second Edition
      – http://www.microsoft.com/en-us/download/details.aspx?id=28362
     Programming WIF
      – http://shop.oreilly.com/product/9780735627185.do
     ACS Code Samples Index
      – http://msdn.microsoft.com/en-us/library/gg185965.aspx
  • 58. Thank you for attending! @gusfraser af@c5.je #COM716
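
The identifiers on slide 41 follow SharePoint's claim encoding layout: `i:` or `c:`, a reserved `0`, one character each for claim type, value type and original issuer, then `|`, an optional provider name and the claim value. The decoder below is an added example, not code from the talk; the sample identifiers in its test, the `rolemanager` provider name and the GUIDs are constructed, and the claim type table covers only a well-known subset (any other character is returned raw, as for the `i` used by app principals).

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional
# Well-known subset of the SharePoint claim type encoding characters.
CLAIM_TYPES = {
    "#": "http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname",
    "5": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "-": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
    "!": "http://schemas.microsoft.com/sharepoint/2009/08/claims/identityprovider",
}
# Original issuer character: which authentication path produced the claim.
ISSUERS = {"w": "Windows", "s": "SharePoint STS",
           "f": "Forms (membership provider)", "t": "Trusted identity provider (SAML)"}
# Layout: <i|c>:0<claim type><value type><issuer>|[<provider>|]<value>
_ENCODED = re.compile(r"^(?P<kind>[ic]):0(?P<ctype>.)(?P<vtype>.)(?P<issuer>.)\|(?P<rest>.*)$")

@dataclass
class EncodedClaim:
    is_identity: bool        # "i:" identity claim, "c:" any other claim (e.g. a role)
    claim_type: str          # claim type URI, or the raw character if not in the table
    issuer: str
    provider: Optional[str]  # membership/role/trusted provider name; None for w and s
    value: str

    def app_identifier(self) -> Optional[tuple]:
        # SharePoint 2013 app principal (ms.sp.ext): value is "<client id>@<realm>"
        if self.provider != "ms.sp.ext" or "@" not in self.value:
            return None
        client_id, _, realm = self.value.rpartition("@")
        return client_id, realm

def decode_claim(encoded: str) -> EncodedClaim:
    m = _ENCODED.match(encoded)
    # Only the string value type (".") is handled; anything else is rejected, not guessed.
    if not m or m.group("vtype") != "." or m.group("issuer") not in ISSUERS:
        raise ValueError(f"unrecognised SharePoint encoded claim: {encoded!r}")
    issuer_char, rest = m.group("issuer"), m.group("rest")
    if issuer_char in ("w", "s"):       # Windows / local STS carry no provider name
        provider, value = None, rest
    elif "|" in rest:                   # "<provider>|<value>"
        provider, value = rest.split("|", 1)
    else:
        raise ValueError(f"missing provider name in {encoded!r}")
    return EncodedClaim(m.group("kind") == "i", CLAIM_TYPES.get(m.group("ctype"), m.group("ctype")),
                        ISSUERS[issuer_char], provider, value)

def count_identities_by_issuer(encoded_identities) -> dict:
    # Tally identity claims per issuer, e.g. over a site's user list or audit log export.
    claims = map(decode_claim, encoded_identities)
    return dict(Counter(c.issuer for c in claims if c.is_identity))
```

Running the tally over an extranet site's user list shows at a glance how many principals were authenticated by Windows, by a membership provider, or by an external trusted provider such as Azure ACS.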

Editor's notes

  1. NOT a technical deep dive on security or SAML. Explanation of the terminology & demonstration of real world examples
  2. e.g. Facebook OAuth – what is THEIR password complexity? Identity 2.0 – Dick Hardt. Facebook: “When you create a new password, make sure that it's at least 6 characters long. Try to use a complex combination of numbers, letters, and punctuation marks….”
  3. C2WTS – part of WIF, installed with SP2010+; necessary for
  4. Not all identities or claims are created equally…
  5. Some of you might recognise this driving license, I use it to present my claim (my name) in exchange for a ticket. The claims application (ground staff) checks if he or she trusts the identity provider. It’s actually the Parish of St. Clement in Jersey, but let’s just say Jersey. I then get a token which allows me through security, who doesn’t look at my ID anymore.
  6. Port  Protocol  Service
     53    TCP/UDP   DNS
     88    TCP/UDP   Kerberos
     389   TCP/UDP   LDAP
     445   TCP       SMB
     636   TCP       LDAP (SSL)
  7. ADFS CAN be installed on the DC; however, then you must have an ADFS proxy role or UAG to act as a proxy in front of the DC. However UAG doesn’t provide O365 or Mobile device support. WID for less than 100 trusted relationships – internal users. WID + Proxies – external DB
  8. WID for less than 100 trusted relationships – internal users. WID + Proxies – external DB
  9. App Identifier = Issuer Guid @ Realm Guid (Get-SPAuthenticationRealm) – ServiceContext $spweb.Site. Because applications need permissions too! Security Principal themselves
  10. Used to be $1.99 per 100,000 transactions. If you used to use