SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connect you to your partners?

SharePoint 2010 Extranets and Authentication:How will SharePoint 2010 connect you to your partners?
Brian Culver, MCM, MCPD
Solutions Architect
Expert Point Solutions
3/23/2010

Session Agenda
Extranet Definition
Common Extranet Scenarios
Extranet Design Considerations & Challenges
Claims Based Authentication and other Authentication Scenarios
Mixed Mode vs. Multi-Authentication

Extranet - Definition
A web application that is shared with external users, such as partners, vendors, and customers
Common attributes for an extranet:
Sharing a private network or secured network
Requires authenticated access, but the identity of the consumer is not always known
Has better security controls than an Internet Web application but usually less secure than the Intranet Web application

Common Extranet Scenarios
Line of Business Applications
Collaboration
Static Content or Publishing
Isolate and segregate internal data.
Authorize to use only sites and data that are necessary for their contributions.
Restrict partners from viewing other partners’ data.
Target Content
Segment content
Limit content access and search results based on audience.
Remote Employees
Partners
Vendors & Customers

Extranet Design Considerations & Challenges
Network Topology and Access
Identity Management
Seamless Single Sign-on Experience
Content Security and Access
Antivirus
Client
Server
Rich Client Experience (Office Integration)

Edge Firewall Topology
Internet
Corporate Network
External Users
Internal
Users
SharePoint Farm

Back-to-Back Perimeter Topology
Internet
Corporate Network
Perimeter
External Users
Internal
Users
App Servers
Web Front Ends
Infrastructure Servers

Split Back-to-Back Topology
Internet
Corporate Network
Perimeter
External Users
Internal
Users
WFE
App
Infra
App
Infra

Security Terms
Authentication is the mechanism whereby systems may securely identify their users
Creates an identity for security principal
Who am I?
Authorization is the mechanism by which a system determines what level of access a particular authenticated user should have to secured resources controlled by the system.
Determines what resources an identity has access to
What can I access?

SharePoint Authentication
SharePoint does not authenticate
Windows authentication via Windows server and IIS (Kerberos/NTLM)
FBA via ASP. NET and authentication providers (SQL, LDAP, etc.)
Web SSO via Active Directory Federation Services (ADFS) and other Identity Management Systems
SharePoint creates user profiles
SPUser object represents security principal
User Profile List in Site Collections track user profiles

SharePoint 2010 Security
SharePoint 2010 changes authentication
Uses classic mode and claims based authentication
Classic mode is SharePoint 2007 style legacy mode
Claims-based authentication is the new security model
What are the benefits?
Claims decouples SharePoint from the authentication provider
Allows SharePoint to support multiple authentication providers per URL
Identities can be passed without Kerberos delegation
Allows federation between organizations
ACLs can be configured with DLs, Audiences and OUs

Identity Normalization
Classic
Claims
NT TokenWindows Identity
NT TokenWindows Identity
SAML1.1+ADFS, etc.
ASP.NET (FBA)SQL, LDAP, Custom …
SAML Token
Claims Based Identity
SPUser

Claims-Based Terminology
Identity: security principal used to configure the security policy
Claim (Assertion): attribute of an identity (such as Login Name, AD Group, etc.)
Issuer: trusted party that creates claims
Security Token: serialized set of claims (assertions) about an authenticated user.
Issuing Authority: issues security tokens knowing claims desired by target application (AD, ASP.NET, LiveID, etc.)
Security Token Service (STS): builds, signs and issues security tokens
Relying Party: application that makes authorization decisions based on claims

Claim-based Authentication

Mixed Mode Authentication vs Multi-Authentication

Authentication ScenariosMixed Mode
https://extranet.contoso.com
Extranet
Zone
Intranet
Zone
http://contoso
FBA
claims
Windows
claims
Remote Employees
Employees

Authentication ScenariosMixed Mode: When to Use It
Different scheme for different protocols
Intranet HTTP
Extranet HTTPS
Protecting access from different channels
Preventing employees log in from home except Sales division
Dedicate Extranet to vendors only
Preferred choice for solutions that require separate environments
Publishing Portal authored by employees and consumed by customers

Authentication ScenariosMulti Authentication
https://Corporate.contoso.com
Intranet
Zone
FBA
claims
Windows
claims
SAML
claims
Employees
Vendors
Partners

Authentication ScenariosMulti Authentication: When to Use It
Same experience for different class of users
Single URL
Same experience for same users no matter where they access content from:
A la’ Outlook Web Access
Preferred choice for cross company collaboration solutions

SharePoint 2010 Beta 2
Supported at Beta2
Windows-Classic
FBA-Claims
Anonymous
FBA-Claims + Anonymous
NOT Ready for deployment at Beta2
Windows-Claims
SAML-Claims
Windows-Claims + FBA-Claims

Questions

Learn More about SharePoint 2010
Information forIT Prosat TechNet
http://MSSharePointITPro.com
Information forDevelopersat MSDN
http://MSSharePointDeveloper.com
Information forEveryone
http://SharePoint.Microsoft.com

SharePint Anyone?

Sources and Links
Geneva Framework A Better Approach For Building Claims-Based WCF Serviceshttp://msdn.microsoft.com/en-us/magazine/dd278426.aspx
An Introduction to Claims http://msdn.microsoft.com/en-us/library/ff359101.aspx
Microsoft SharePoint Conference 2009 http://www.mssharepointconference.com/Pages/default.aspx
Identity Management http://msdn.microsoft.com/en-us/security/aa570351.aspx

http://blog.expertpointsolutions.com	392
http://www.slideshare.net	368
http://spbrian.blogspot.com	94
http://paper.li	6
http://webcache.googleusercontent.com	5
http://twitter.com	3
http://www.techgig.com	3
http://www.spbrian.blogspot.com	2
http://hal	1
http://spbrian.blogspot.in	1

SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connect you to your partners?

by Brian Culver on Mar 24, 2010

Accessibility

Categories

Tags

Upload Details

Usage Rights

10 Embeds 875

Statistics

SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connect you to your partners? — Presentation Transcript