SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connect you to your partners?
How will SharePoint 2010 allow organizations to collaborate and share knowledge with clients and partners? SharePoint empowers organizations to build extranet sites and partner portals inexpensively and securely. Learn what exactly claims-based authentication is and how to use it. Learn about the new multi-authentication mode in SharePoint 2010. Learn how SharePoint 2010 can help your organization open its doors to its clients and partners securely.

Published in: Technology

Comments
  • A new quick way to set up a simplified SharePoint Extranet is BusinessGuest: http://www.business-guest.com
    A smart way to set a bridge between the internal SharePoint users and documents and the external partners through their email and a secure sharing area.
  • There are many Intranet solutions on the market; however, if you are looking for a solid SharePoint-based Intranet solution, check out SharePoint Implemented's product. I think it's the best solution out for the price. They seem to have put a lot of thought into usability and filling in gaps that you would not know exist in SharePoint until you start your implementation.

    They offer a turnkey solution which provides a custom Home Site, Department Sites and Project Sites, installation, configuration and training all under $5,000 and even have a source code option.

    One thing that I would love to see that they don't have now is a hosted solution.

    You can get more details at http://sharepointimplemented.com/AwesomeIntranetGorilla.html
  • Very informative. Do you know of a script I can use to automate uploading vendors into AD LDS? I'm using it on WinServer 2008 for SP2010.
  • Nice article. There's definitely a lot to be learnt with claims-based auth. I've set up SharePoint 2007 Extranets with AD LDS as the Auth Provider, which has worked well, and I'm sure SP2010 extends that even further... the learning begins :)
  • Great work!
  • So today we are going to define an extranet and cover …
  • Lets look at three common network topologies …
  • Authentication returns the security principal in HttpContext.User. IIS authenticates.
    FBA requires authentication providers to implement the Membership Provider interface.
    WebSSO requires authentication providers to implement the Membership Provider interface, including an HTTPModule for the WebSSO provider.
    Membership Provider: GetUser(string), GetUserNameByEmail, FindUsersByEmail, FindUsersByName.
    Role manager: RoleExists, GetRolesForUser, GetAllRoles.
    WebSSO HTTPModule: AuthenticateRequest uses the user auth cookie to set HttpContext.User with the security principal; EndRequest is used to catch the 401 responses from WSS and turn them into a 302 redirect for authentication at the WebSSO logon server.
  • Classic – Windows Native (NTLM, Kerberos). SharePoint consumes the NT token into an SPUser.
    Claims – Windows (NTLM, Kerberos), FBA (LDAP, ASP.NET/SQL), SAML (ADFS, WS-Trust, WS-Federation).
    Claims authentication for Microsoft SharePoint Server 2010 is built on Windows Identity Foundation, a set of .NET Framework classes that are used to implement claims-based identity.
  • The client is using a web browser and makes a web request (HTTP GET). SharePoint responds with a 401 Unauthenticated and a 302 redirect to the URL to authenticate against. The authentication request is submitted to, and processed by, the local STS or another SAML-compliant identity provider, such as LiveID. The identity provider validates the identity and returns the security token (NT token/SAML token). Does SharePoint trust the token? The SharePoint (relying party) STS finds the policy for the requesting Web application in the policy store and creates a token for the requesting user using identity assertion values in the attribute store. Token augmentation: we add additional claims. A valid security token (new SharePoint SAML token) is returned to the user and then submitted to the Web application. The Web browser requests the SharePoint resource with the SharePoint security token. The SAML token is converted into an SPUser. Note that there are two different tokens: one from the identity provider, another from SharePoint.
  • Mixed Mode Authentication (MOSS 2007): a single SharePoint Web application, extended into IIS applications with different URLs and authentication.
    Multi-Authentication: a single SharePoint Web application with more than one authentication provider.
  • Different scheme for different protocols; protecting access from different channels; anonymous web sites.
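The sign-in exchange described in the notes above (the unauthenticated request turned into a 302 to the identity provider, the relying-party STS checking its policy store before accepting the issuer's token, augmentation from an attribute store, and the web application converting the SharePoint token into an SPUser) as an added Python simulation; this is not code from the presentation or from SharePoint. The issuer names, keys, URLs, policy and attribute stores are constructed, and tokens are HMAC-signed JSON as a stand-in for the X.509-signed SAML tokens Windows Identity Foundation actually handles.

```python
import base64
import hashlib
import hmac
import json

# Constructed keys and endpoints; a real deployment registers the issuer's
# X.509 certificate with the trusted identity token issuer instead.
IDP_KEY = b"partner-idp-signing-key"
SP_STS_KEY = b"sharepoint-sts-signing-key"
IDP_LOGIN_URL = "https://login.partner.example/signin"  # hypothetical IdP endpoint

# Policy store: which issuer each web application trusts and which claim identifies the user.
TRUST_POLICY = {
    "https://extranet.contoso.com": {"issuer": "partner-idp", "identifier_claim": "email"},
}
TRUSTED_ISSUER_KEYS = {"partner-idp": IDP_KEY}
# Attribute store consulted during token augmentation (constructed).
ATTRIBUTE_STORE = {"alice@partner.example": {"role": "Partner-Contributor"}}


def issue_token(issuer, claims, key):
    """Serialise a set of claims and sign it; stand-in for a signed SAML assertion."""
    payload = json.dumps({"issuer": issuer, "claims": claims}, sort_keys=True).encode()
    body = base64.urlsafe_b64encode(payload).decode()
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig


def verify_token(token, key):
    """Return the token contents if its signature is valid under key, else None."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


def sp_sts_issue(web_app, idp_token):
    """Relying-party STS: trust check, claim augmentation, then a new SharePoint token (or None)."""
    policy = TRUST_POLICY.get(web_app)
    if policy is None:
        return None                      # no policy for this web application
    try:   # read the claimed issuer first so the right key can be used for verification
        unverified = json.loads(base64.urlsafe_b64decode(idp_token.rpartition(".")[0]))
    except ValueError:
        return None                      # malformed token
    issuer = unverified.get("issuer")
    if issuer != policy["issuer"] or issuer not in TRUSTED_ISSUER_KEYS:
        return None                      # not the issuer this web application trusts
    contents = verify_token(idp_token, TRUSTED_ISSUER_KEYS[issuer])
    if contents is None:
        return None                      # signature does not check out
    claims = dict(contents["claims"])
    ident = claims.get(policy["identifier_claim"])
    if not ident:
        return None                      # identifier claim missing
    claims.update(ATTRIBUTE_STORE.get(ident, {}))   # token augmentation
    claims["identifier"] = ident
    return issue_token("sharepoint-sts", claims, SP_STS_KEY)


def handle_request(web_app, path, sp_token=None):
    """Web application: redirect to the IdP when unauthenticated, else build the SPUser-like principal."""
    if sp_token is None:
        # IIS/ASP.NET would answer 401; the SSO module turns that into a 302 to the IdP.
        return {"status": 302, "location": IDP_LOGIN_URL + "?wreply=" + web_app + path}
    contents = verify_token(sp_token, SP_STS_KEY)
    if contents is None or contents["issuer"] != "sharepoint-sts":
        return {"status": 401}
    claims = contents["claims"]
    # Identity normalisation: one principal shape whatever the original provider was.
    # (Real SharePoint uses its own encoded claim login format; this one is constructed.)
    spuser = {"login": "sharepoint-sts|" + claims["identifier"], "claims": claims}
    return {"status": 200, "user": spuser}


def sign_in_flow(web_app, path, idp_identity, idp_issuer="partner-idp", idp_key=IDP_KEY):
    """Run the whole exchange; return the message steps and the resulting principal (or None)."""
    steps = []
    first = handle_request(web_app, path)
    steps.append(("GET " + path + " without token", first["status"]))
    idp_token = issue_token(idp_issuer, idp_identity, idp_key)   # IdP authenticates the user
    steps.append(("IdP token issued by", idp_issuer))
    sp_token = sp_sts_issue(web_app, idp_token)
    steps.append(("SharePoint STS accepted IdP token", sp_token is not None))
    if sp_token is None:
        return steps, None
    final = handle_request(web_app, path, sp_token)
    steps.append(("GET " + path + " with SharePoint token", final["status"]))
    return steps, final.get("user")


if __name__ == "__main__":
    for step in sign_in_flow("https://extranet.contoso.com", "/sites/partners",
                             {"email": "alice@partner.example", "name": "Alice"})[0]:
        print(step)
```

The two tokens the notes mention are visible here: the identity provider's token never reaches the web application, only the SharePoint STS token does, and a token signed by an issuer the policy store does not list for that web application is rejected before any claims are read.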
  • Transcript

    • 1. SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connect you to your partners?
      Brian Culver, MCM, MCPD
      Solutions Architect
      Expert Point Solutions
      3/23/2010
    • 2. Session Agenda
      Extranet Definition
      Common Extranet Scenarios
      Extranet Design Considerations & Challenges
      Claims Based Authentication and other Authentication Scenarios
      Mixed Mode vs. Multi-Authentication
    • 3. Extranet - Definition
      A web application that is shared with external users, such as partners, vendors, and customers
      Common attributes for an extranet:
      • Sharing a private network or secured network
      • Requires authenticated access, but the identity of the consumer is not always known
      • Has better security controls than an Internet Web application but usually less secure than the Intranet Web application
    • Common Extranet Scenarios
      Line of Business Applications
      Collaboration
      Static Content or Publishing
      Isolate and segregate internal data.
      Authorize to use only sites and data that are necessary for their contributions.
      Restrict partners from viewing other partners’ data.
      Target Content
      Segment content
      Limit content access and search results based on audience.
      Remote Employees
      Partners
      Vendors & Customers
    • 6. Extranet Design Considerations & Challenges
      Network Topology and Access
      Identity Management
      Seamless Single Sign-on Experience
      Content Security and Access
      Antivirus
      Client
      Server
      Rich Client Experience (Office Integration)
    • 7. Edge Firewall Topology (diagram labels: Internet; Corporate Network; External Users; Internal Users; SharePoint Farm)
    • 8. Back-to-Back Perimeter Topology (diagram labels: Internet; Perimeter; Corporate Network; External Users; Internal Users; Web Front Ends; App Servers; Infrastructure Servers)
    • 9. Split Back-to-Back Topology (diagram labels: Internet; Perimeter; Corporate Network; External Users; Internal Users; WFE; App and Infra tiers shown in both the perimeter and the corporate network)
    • 10. Security Terms
      Authentication is the mechanism whereby systems may securely identify their users
      Creates an identity for security principal
      Who am I?
      Authorization is the mechanism by which a system determines what level of access a particular authenticated user should have to secured resources controlled by the system.
      Determines what resources an identity has access to
      What can I access?
    • 11. SharePoint Authentication
      SharePoint does not authenticate
      Windows authentication via Windows server and IIS (Kerberos/NTLM)
      FBA via ASP.NET and authentication providers (SQL, LDAP, etc.)
      Web SSO via Active Directory Federation Services (ADFS) and other Identity Management Systems
      SharePoint creates user profiles
      SPUser object represents security principal
      User Profile List in Site Collections track user profiles
    • 12. SharePoint 2010 Security
      SharePoint 2010 changes authentication
      Uses classic mode and claims based authentication
      Classic mode is SharePoint 2007 style legacy mode
      Claims-based authentication is the new security model
      What are the benefits?
      Claims decouples SharePoint from the authentication provider
      Allows SharePoint to support multiple authentication providers per URL
      Identities can be passed without Kerberos delegation
      Allows federation between organizations
      ACLs can be configured with DLs, Audiences and OUs
    • 13. Identity Normalization (diagram)
      Classic: NT Token (Windows Identity) → SPUser
      Claims: NT Token (Windows Identity); SAML 1.1+ (ADFS, etc.); ASP.NET FBA (SQL, LDAP, Custom …) → SAML Token → Claims Based Identity → SPUser
    • 14. Claims-Based Terminology
      Identity: security principal used to configure the security policy
      Claim (Assertion): attribute of an identity (such as Login Name, AD Group, etc.)
      Issuer: trusted party that creates claims
      Security Token: serialized set of claims (assertions) about an authenticated user.
      Issuing Authority: issues security tokens knowing claims desired by target application (AD, ASP.NET, LiveID, etc.)
      Security Token Service (STS): builds, signs and issues security tokens
      Relying Party: application that makes authorization decisions based on claims
    • 15. Claim-based Authentication
    • 16. Mixed Mode Authentication vs Multi-Authentication
    • 17. Authentication Scenarios: Mixed Mode (diagram)
      https://extranet.contoso.com: Extranet Zone, FBA claims, Remote Employees
      http://contoso: Intranet Zone, Windows claims, Employees
    • 18. Authentication Scenarios: Mixed Mode: When to Use It
      Different scheme for different protocols
      Intranet HTTP
      Extranet HTTPS
      Protecting access from different channels
      Preventing employees from logging in from home, except the Sales division
      Dedicate Extranet to vendors only
      Preferred choice for solutions that require separate environments
      Publishing Portal authored by employees and consumed by customers
    • 19. Authentication Scenarios: Multi Authentication (diagram)
      https://Corporate.contoso.com: Intranet Zone; FBA claims, Windows claims, SAML claims; Employees, Vendors, Partners
    • 20. Authentication Scenarios: Multi Authentication: When to Use It
      Same experience for different class of users
      Single URL
      Same experience for same users no matter where they access content from:
      À la Outlook Web Access
      Preferred choice for cross company collaboration solutions
    • 21. SharePoint 2010 Beta 2
      Supported at Beta2
      Windows-Classic
      FBA-Claims
      Anonymous
      FBA-Claims + Anonymous
      NOT Ready for deployment at Beta2
      Windows-Claims
      SAML-Claims
      Windows-Claims + FBA-Claims
    • 22. Questions
    • 23. Learn More about SharePoint 2010
      Information for IT Pros at TechNet
      http://MSSharePointITPro.com
      Information for Developers at MSDN
      http://MSSharePointDeveloper.com
      Information for Everyone
      http://SharePoint.Microsoft.com
    • 24. SharePint Anyone?
    • 25. Sources and Links
      Geneva Framework: A Better Approach For Building Claims-Based WCF Services http://msdn.microsoft.com/en-us/magazine/dd278426.aspx
      An Introduction to Claims http://msdn.microsoft.com/en-us/library/ff359101.aspx
      Microsoft SharePoint Conference 2009 http://www.mssharepointconference.com/Pages/default.aspx
      Identity Management http://msdn.microsoft.com/en-us/security/aa570351.aspx
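Slides 17 to 20 contrast the two shapes: mixed mode gives each zone its own URL and a single provider, while multi-authentication puts several providers behind one URL. The following is an added Python model of that decision, not code from the presentation or from SharePoint; the zone tables, the "Intranet HTTP / Extranet HTTPS" rule and the "Sales only from home" rule are constructed from the slide bullets, and the provider names are labels rather than real provider configuration.

```python
from urllib.parse import urlsplit

# Constructed zone tables mirroring slides 17 and 19. Each entry records the scheme the
# zone is published on, its authentication providers, and an optional restriction on
# which employee groups may use the zone (slide 18: block home log-in except for Sales).
MIXED_MODE = {
    "extranet.contoso.com": {"zone": "Extranet", "scheme": "https", "providers": ["FBA"],
                             "employee_groups_allowed": {"Sales"}},
    "contoso": {"zone": "Intranet", "scheme": "http", "providers": ["Windows"],
                "employee_groups_allowed": None},
}
MULTI_AUTH = {
    "corporate.contoso.com": {"zone": "Intranet", "scheme": "https",
                              "providers": ["Windows", "FBA", "SAML"],
                              "employee_groups_allowed": None},
}


def plan_sign_in(zones, url, user_kind, groups=()):
    """Decide how a request to url is challenged: reject, challenge (one provider) or select."""
    parts = urlsplit(url)
    zone = zones.get(parts.hostname)
    if zone is None:
        return {"action": "reject", "reason": "no zone for host " + str(parts.hostname)}
    if parts.scheme != zone["scheme"]:
        # Different scheme per zone: the extranet is only published over HTTPS.
        return {"action": "reject",
                "reason": zone["zone"] + " zone is published over " + zone["scheme"] + " only"}
    allowed = zone["employee_groups_allowed"]
    if user_kind == "employee" and allowed is not None and not set(groups) & allowed:
        return {"action": "reject",
                "reason": "employees may use the " + zone["zone"] + " zone only from "
                + ", ".join(sorted(allowed))}
    if len(zone["providers"]) == 1:
        # Mixed mode: the URL alone determines the provider, so challenge directly.
        return {"action": "challenge", "provider": zone["providers"][0]}
    # Multi-authentication: one URL, several providers, so the user chooses on the sign-in page.
    return {"action": "select", "providers": list(zone["providers"])}


if __name__ == "__main__":
    print(plan_sign_in(MIXED_MODE, "https://extranet.contoso.com/sites/vendors", "vendor"))
    print(plan_sign_in(MIXED_MODE, "https://extranet.contoso.com/", "employee", ["Engineering"]))
    print(plan_sign_in(MULTI_AUTH, "https://Corporate.contoso.com/sites/projects", "partner"))
```

With the multi-authentication table a single URL serves employees, vendors and partners, and the only extra step is the provider choice; with the mixed-mode table the zone's URL and scheme already carry the policy, which is why the slides recommend it for solutions that need separate environments.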