In this webinar, Envision IT demonstrates how ADFS federation can allow external users to access an Extranet with their DMZ accounts or other external identities, and use single sign-on to other systems beyond SharePoint. View more details and the webinar recording here: http://www.envisionit.com/products/events/Pages/SharePoint-Extranet-Spring-Webinar-Series-Federation-and-SharePoint-On-Premise.aspx
Envision IT SharePoint Extranet Webinar Series - Federation and SharePoint On Premise
1. SharePoint Extranet Spring Webinar Series: Federation and SharePoint On Premise
Presented by Peter Carson, President, Envision IT
April 8, 2014
2. Peter Carson
• President, Envision IT
• SharePoint MVP
• Virtual Technical Specialist, Microsoft Canada
• peter@envisionit.com
• http://blog.petercarson.ca
• www.envisionit.com
• Twitter @carsonpeter
• VP Toronto SharePoint User Group
3. Peter Mackenzie
• VP Sales & Marketing
• e: pmackenzie@envisionit.com
• p: (905) 812-3009 x244
• President, International Association of Microsoft Certified Partners (IAMCP) Canada
4. Product Support
Corey Thokle, EUM Support Manager
• e: cthokle@envisionit.com
• p: (905) 812 3009 ext.248
• http://www.linkedin.com/company/envision-it-inc
Amanda Da Costa, Sales & Marketing Support
• e: adacosta@envisionit.com
• p: (905) 812 3009 ext.250
• http://ca.linkedin.com/in/amandadacosta/
5. Agenda
• Envision IT Overview
• SharePoint On Premises Authentication Options
• What is Federation and how does it work?
• Demo Scenario
• SharePoint App Authentication Alternatives
• Wrap-Up and Q&A
6. Upcoming Sessions
Date      Event                                                                        Location
April 16  Nintex Workflows and Forms at TSPUG                                          Toronto, Canada
April 22  SharePoint Extranet Spring Webinar Series - Extranet User Provisioning       Online
May 6     SharePoint Extranet Spring Webinar Series - Extranet Customer Case Studies   Online
May 7     Cloud Business Apps, European SharePoint Conference                          Barcelona, Spain
May 8     Office 365 REST APIs, European SharePoint Conference                         Barcelona, Spain
May 12    SharePoint Federation and Extranet Workshop                                  Mississauga, Canada
May 27    Cloud Business Apps, Toronto SharePoint Summit                               Toronto, Canada
June 18   SharePoint Extranet Full Day Workshop, SharePoint Fest                       New York City
June 20   Building a Web Site on SharePoint 2013, SharePoint Fest                      New York City
www.envisionit.com/events
8. Envision IT Services Overview
Focused on complex SharePoint solutions, Envision IT is the “go-to” partner for Microsoft SharePoint, building integrated public web sites, Intranets, Extranets, and web applications that leverage your existing systems anywhere over the Internet.
9. Public Web Sites
We create interactive, content-rich customer-facing web sites that are able to grow and transform with changing needs
11. Extranets
Envision IT has a wealth of experience building Corporate Extranets that allow you to securely connect with customers and partners
12. Intranets
Our Intranet Sites connect people to information, expertise and key business applications, and SharePoint provides a broad set of Enterprise Content Management features
14. • Easy delegation of user management to business
• Self-registration, approvals, forgotten password reset
• Single URL and sign-on for AD
15. Pricing
• $8,000 per production SharePoint farm
• No limits on the number of web front ends
• 20% annual Software Assurance provides all product updates
• Dev and QA farm licenses provided with up to date Software Assurance
18. Poll 1
Which Version of SharePoint are you currently
using?
• SharePoint Server 2013
• Office 365
• SharePoint Server 2010
• SharePoint Foundation (2010 or 2013)
• MOSS 2007 or WSS 3.0
19. Poll 2
How do you use SharePoint today?
• Internal collaboration
• Internal web publishing (Intranet)
• Extranets
• Public facing website
20. Identity Management, Authentication, and Authorization
Identity Management
• Process for managing the entire life cycle of digital identities, including the profiles of people, systems, and services
• For our purposes we are focused just on people
• Who creates and manages identities? The Extranet owner or the external users themselves?
• Are identities part of the Extranet or external to it?
Authentication and Authorization
• Authentication is the mechanism whereby systems may securely identify their users
• Authentication systems provide answers to the questions:
    Who is the user?
    Is the user really who he/she claims to be?
• Authorization is the mechanism by which a system determines what level of access a particular authenticated user should have
    Is user X authorized to access resource R?
21. SharePoint On Premise Authentication Options
• Windows Authentication
    Active Directory
    Windows Claims or Classic Mode
• Forms-Based Authentication
    .NET Providers (ASP.NET membership and role providers)
    AD or SQL user store
    Claims
• Federated Identity
    Trusted Identity Provider, with SharePoint as the Relying Party
    AD user store behind the provider
    Claims
22. Trusted Identity Providers
• Active Directory Federation Services (ADFS)
• Thinktecture Identity Server
• Social Identities
    Facebook
    LinkedIn
    Microsoft Account
    Google+
24. SharePoint Infrastructure
• SharePoint Farm (one or more servers)
Web Application
o Site Collection
– Subsites
» Lists and Libraries
Application Pools
IIS Sites
Content Databases
25. Web Application Zones
• Authentication methods are defined for each
zone of a web application
• Each web app can have up to five zones
Default
Intranet
Extranet
Internet
Custom
• Multiple authentication methods can be applied
to a single zone
26. When to Use Zones
• In general we recommend not to use multiple zones
• Everyone (internal and external users) should share a
single https url (https://portal.contoso.com)
• Confusion results otherwise
Emailed links are broken for some of your users
Workflows, tasks, and alerts point to the wrong URL
(unless you are in the Default zone)
• The only exception is where you also need an
anonymous http zone
Mixed public and private sites
This is the only scenario that Microsoft recommends
Secure https zone should always be the default zone
27. Authentication Chooser
• The user decides which method to use to authenticate
• Goal should be to hide this choice from the user (home realm discovery)
    Use the client IP address (internal ranges get Windows auth); only trust forwarded-for headers that come from your own proxies
    Check the email domain of the login email address
33. Federated Identity
• Trusted Identity Provider does the authentication
• Can be any SAML claims compliant provider
    Active Directory Federation Services
    Thinktecture Identity Server
      o www.thinktecture.com
    Social identities
    Note that SharePoint 2010 and 2013 consume SAML 1.1 tokens over the WS-Federation passive profile; they do not speak the SAML 2.0 protocol natively, so a SAML 2.0-only provider needs ADFS or another broker in front of it
• Can be AD, SQL, or other user repository under the hood
• Relying parties (such as SharePoint) trust the SAML token and perform authorization based on that identity
• Provides Single Sign-On to multiple systems
    Can be any SAML claims compliant system, not just SharePoint
35. Internal Firewall Port Requirements
Windows Auth (from the SharePoint servers to the domain controllers)
• 53/TCP/UDP - DNS
• 88/TCP/UDP - Kerberos
• 123/UDP - W32Time
• 135/TCP - RPC Endpoint Mapper
• 389/TCP/UDP - LDAP
• 445/TCP - SMB
• 464/TCP/UDP - Kerberos password change
• 636/TCP - LDAP SSL
• 3268/TCP - LDAP GC
• 3269/TCP - LDAP GC SSL
• 49152-65535/TCP - RPC for LSA, SAM, Netlogon (*)
• 49152-65535/TCP - FRS RPC (*)
• 49152-65535/TCP - DFSR RPC (*)
(*) Dynamic RPC port range on Windows Server 2008 and later; the endpoint mapper on 135 hands out the actual port
Federation
• No internal ports required
• Done through trusted, signed tokens passed through browser posts
• May still want to open port 443 for internal users to log in through ADFS externally
FBA
• LDAP 389
• LDAPS 636
• SMB 445
http://support.microsoft.com/kb/179442#method4
36. Active Directory Federation Services
• ADFS 1.0
    Windows Server 2003 R2
• ADFS 1.1
    Windows Server 2008
• ADFS 2.0
    Minimum version to use with SharePoint claims authentication
    Free download
    Windows Server 2008 SP2 or 2008 R2
    ADFS Proxy is used in the DMZ to expose externally
• ADFS 2.1
    Windows Server 2012 role
    ADFS Proxy is used in the DMZ to expose externally
• ADFS 3.0
    Windows Server 2012 R2 role
    Web Application Proxy is used in the DMZ to expose externally
39. Authentication Process
Participants: browser, Relying Party (SharePoint), Identity Provider, Active Directory. The RP trusts the IP.
1. User browses to the app on the relying party
2. Not authenticated: the relying party redirects the browser to the identity provider
3. The identity provider authenticates the user and queries Active Directory for the user's attributes
4. The identity provider returns a SAML security token (ST) to the browser
5. The browser posts the token to the relying party
6. The relying party validates the token (it trusts the identity provider's signing certificate), then returns the page and an authentication cookie (FedAuth)
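The home realm discovery described on slide 27 and the redirect in step 2 above, as an added example in Python that is not code from the webinar or from SharePoint, ADFS or Thinktecture. The provider table, the internal address ranges, the realm urn:sharepoint:portal and the sign-in URL are all assumptions made up for illustration.

```python
"""Home realm discovery plus the WS-Federation redirect that starts a passive sign-in.

Added example; the providers, internal address ranges, realm and sign-in URL below
are constructed for illustration.
"""
import ipaddress
from urllib.parse import urlencode

# Constructed provider table. Windows authentication is negotiated on the same URL,
# so it has no redirect endpoint; the external provider does.
PROVIDERS = {
    "windows": None,
    "thinktecture": "https://idsrv.contoso.com/issue/wsfed",
}
DOMAIN_TO_PROVIDER = {
    "contoso.com": "windows",           # internal staff in the corporate AD
    "partner.example": "thinktecture",  # external users in the separate AD
}
# Corporate address space (assumed); anything else is treated as external.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
REALM = "urn:sharepoint:portal"  # wtrealm value configured on the SharePoint trusted provider


def provider_for_ip(client_ip, forwarded_for=None, proxy_ips=()):
    """Choose the provider from the source address.

    X-Forwarded-For is honoured only when the direct peer is one of our own
    reverse proxies: any client can put an internal address in that header.
    """
    ip = ipaddress.ip_address(client_ip)
    if forwarded_for and client_ip in proxy_ips:
        ip = ipaddress.ip_address(forwarded_for.split(",")[0].strip())
    if any(ip in net for net in INTERNAL_NETWORKS):
        return "windows"
    return "thinktecture"


def provider_for_email(login_email):
    """Choose the provider from the domain of the address the user typed."""
    if "@" not in login_email:
        raise ValueError("login must be an email address")
    domain = login_email.rsplit("@", 1)[1].strip().lower()
    return DOMAIN_TO_PROVIDER.get(domain, "thinktecture")  # unknown domains go external


def wsfed_signin_url(provider, return_path="/sites/extranet"):
    """Build the WS-Federation passive sign-in redirect for the chosen provider.

    Returns None for Windows auth, which needs no redirect. wctx carries the
    site-relative path to return to; accepting an absolute URL here would turn
    the sign-in endpoint into an open redirect.
    """
    signin = PROVIDERS[provider]
    if signin is None:
        return None
    if not return_path.startswith("/") or return_path.startswith("//"):
        raise ValueError("return path must be site-relative")
    params = {"wa": "wsignin1.0", "wtrealm": REALM, "wctx": return_path}
    return signin + "?" + urlencode(params)
```

Both selectors fall back to the external provider for anything unrecognised, which keeps an internal Windows-auth prompt from being shown to a partner, and the forwarded-for header is only believed when the connection really came from a proxy you operate.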
40. Certificates
• PKI SSL encryption is used for communication; the SSL certificates of both the identity provider and the relying party should chain to a root the browsers trust
• The token-signing certificate can be self-signed by the identity provider, because the relying party is configured with that certificate's public key directly and checks the token signature against it rather than walking a chain
• The token can also be encrypted, using a certificate whose private key the relying party holds (it too can be self-signed): the identity provider encrypts to the relying party's public key and only the relying party can decrypt
    SharePoint 2010 and 2013 do not support encrypted tokens, so leave the encryption certificate off the ADFS relying party trust for SharePoint
[Diagram: relying party and identity provider side by side. Communication: certificate A on the relying party, certificate B on the identity provider, each chaining to its own root. Signing: certificate C on the identity provider, public key of C on the relying party. Encryption: certificate D's private key on the relying party, public key of D on the identity provider.]
45. Demo Scenario
• Sample site at https://thinktecturedev.eitdev.org
• SharePoint 2013 on premises
• Windows Auth for internal users
• External users
In a separate AD
Authenticating through Thinktecture Identity Server
Managed with the Envision IT Extranet User Manager
46. Why Thinktecture over ADFS?
• Open source allows any customization
• Fully brandable (ADFS allows branding within very particular parameters)
• Login with email address instead of AD username
• Use SQL instead of AD as the underlying user repository
• Ability to incorporate the home realm discovery into the login form
47. Extranet User Manager
• Easy delegation of user management to business
• Self-registration, approvals, forgotten password reset
• Single URL and sign-on
48. Main Components
• Administration console
Used by IT to configure EUM
Used by the business to manage users and groups
• End User
Components that the Extranet users see
Login, disclaimer, change password, forgotten
password
• Registration
Allow users to self-register
Support approval workflows
49. Managing Your External Users with EUM
• Delegate user management internally or
externally to your organization
• Self-registration and approvals
• Full control over the accounts and login
experience
• Delegated group management simplifies
permissions
• Lost password reset
• Improved governance over your Extranet
58. Apps and SharePoint 2013
• Three main types of Apps
    SharePoint Hosted
      o Client side code only
    Auto Hosted
      o Server code runs in an Azure instance provided by Office 365
      o Only applies to Office 365 (this model was a preview and was later retired)
    Provider Hosted
      o Use your own server environment to host your server side code
      o Doesn’t need to be Microsoft technology
59. Apps and SharePoint 2013
• No App code ever runs on the SharePoint farm
• Apps are selected and installed by the end user
• Need to explicitly trust the app to allow it to run (the app's permission request is shown at install time)
• OAuth is used to pass the end user's identity to the app and back to SharePoint
    On premises, without a connection to Azure ACS, provider-hosted apps use the server-to-server (high-trust) model instead, where the app signs its own access tokens with a certificate the farm has been told to trust
60. Challenges with SharePoint Apps
• For full functionality, apps need to be installed in each site where they are being used
• No supported way to install them programmatically (the side-loading API is only allowed on developer sites)
• This is a problem for apps that are used on many sites
61. Alternative App Model
• Client side code and REST APIs are the direction Microsoft is taking in general
• Use this approach for Apps too
• If SharePoint is authenticated using Thinktecture, that can be leveraged to authenticate provider hosted apps too
• Thinktecture can provide a JSON Web Token (JWT) to the client-side code
    Plays the same role as a SAML token: a signed set of claims, but compact JSON rather than XML
    It is the model going forward with WebAPI
• This can be passed to and trusted by the REST API for authentication
    The API must validate the signature, issuer, audience and expiry on every call; the token is a bearer credential, so keep it out of URLs and logs
62. App Authentication Process with JWT
Participants: browser (client side code), provider-hosted app, Thinktecture Identity Server. The app trusts the identity provider.
1. User browses to the app
2. The client side code has no JWT, so the browser is redirected to the identity provider
3. The user authenticates at the identity provider
4. The identity provider returns a JWT security token
5. The client side code saves the token in session storage and renders the page
6. The client side code makes REST calls to the provider app, sending the JWT with each call
7. The provider app validates the token (signature, issuer, audience, validity window) and returns JSON data
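Slide 61 says the JWT is handed to the client side code and then trusted by the REST API; step 7 above is where that trust is enforced. The following is an added example in Python, not code from the webinar, Thinktecture IdentityServer or ASP.NET WebAPI. Thinktecture signs its tokens with the identity provider's X.509 certificate (RS256); to stay stand-alone this example uses an HMAC secret shared between issuer and API (HS256), and the issuer, audience, role name and secret are made up.

```python
"""Issue and validate an HS256 JSON Web Token with only the standard library.

Added example. The issuer, audience, role name and secret are constructed for
illustration; the real identity provider signs with its X.509 certificate.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://idsrv.contoso.com"        # assumed identity provider URI
AUDIENCE = "https://app.contoso.com/api"    # assumed URI of the provider-hosted app's REST API
SECRET = b"constructed-demo-secret-not-for-production"  # shared HMAC key (assumption)
SKEW = 60  # seconds of clock skew tolerated between issuer and API


def b64url(data):
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(subject, roles, now=None, lifetime=3600, secret=SECRET):
    """Identity provider side: mint a signed token after the user has authenticated."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": subject, "role": roles,
              "nbf": now, "exp": now + lifetime}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def validate_jwt(token, now=None, secret=SECRET):
    """REST API side: verify everything before trusting any claim.

    Returns the claims dict or raises ValueError naming the check that failed.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, TypeError):
        raise ValueError("malformed header or signature")
    # Pin the algorithm: honouring the header's alg is what makes "none" and
    # key-confusion attacks work.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, (header_b64 + "." + claims_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("untrusted issuer")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("token not meant for this API")
    if "exp" not in claims or now >= claims["exp"] + SKEW:
        raise ValueError("token expired or has no expiry")
    if now < claims.get("nbf", 0) - SKEW:
        raise ValueError("token not yet valid")
    return claims


def handle_rest_call(authorization_header, now=None):
    """Bearer-token gate in front of a JSON endpoint; returns (status, body)."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return 401, {"error": "missing bearer token"}
    try:
        claims = validate_jwt(authorization_header[len("Bearer "):], now=now)
    except ValueError as exc:
        return 401, {"error": str(exc)}
    if "ExtranetUsers" not in claims.get("role", []):  # authorization, after authentication
        return 403, {"error": "forbidden"}
    return 200, {"user": claims["sub"], "data": ["constructed", "json", "payload"]}
```

The order matters: pin the algorithm and check the signature before reading any claim, then issuer, audience and validity window, and only then the role-based authorization. A shared secret means every API that can verify a token can also mint one, which is why the certificate-based signature used by the real identity provider (private key at the issuer, public key at the API) is the right choice outside a demo.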
63. Poll 4
When would you like us to follow up?
• Right away
• May
• June