Building Secure Extranets with Claims-Based Authentication #SPEvo13
Building Secure Extranets with Claims-Based Authentication #SPEvo13
Slides from my session at the SharePoint Evolution Conference 2013 about building secure extranets with Claims-Based Authentication

Published in: Technology, Business

Speaker notes
  • NOT a technical deep dive on security or SAML Explanation of the terminology & demonstration of real world examples
  • e.g. Facebook OAuth – what is THEIR password complexity? Identity 2.0 – Dick Hardt. Facebook: When you create a new password, make sure that it's at least 6 characters long. Try to use a complex combination of numbers, letters, and punctuation marks….
  • C2WTS – part of WIF, installed with SP2010+ necessary for
  • Not all identities or claims are created equally…
  • Some of you might recognise this driving license; I use it to present my claim (my name) in exchange for a ticket. The claims application (ground staff) checks if he or she trusts the identity provider. It’s actually the Parish of St. Clement in Jersey, but let’s just say Jersey. I then get a token which allows me through security, who doesn’t look at my ID anymore.
  • 53 TCP/UDP DNS; 88 TCP/UDP Kerberos; 389 TCP/UDP LDAP; 445 TCP SMB; 636 TCP LDAP (SSL)
  • ADFS CAN be installed on the DC; however, then you must have an ADFS proxy role or UAG to act as a proxy in front of the DC. However, UAG doesn’t provide O365 or Mobile device support. WID for less than 100 trusted relationships – internal users. WID + Proxies – external DB.
  • App Identifier = Issuer Guid @ Realm Guid (Get-SPAuthenticationRealm) – ServiceContext $spweb.Site. Because applications need permissions too! Security Principals themselves.
  • Used to be $1.99 per 100,000 transactions. If you used to use

    1. Building Secure SharePoint Extranets with Claims-Based Authentication #COM716 – Aonghus (Gus) Fraser, @gusfraser, af@c5.je
    2. Aonghus Fraser (MCPD, MCITP, MCSD). Based in (Old) Jersey & Guernsey. SharePoint Lead Consultant @ C5 Alliance – ~75 Consultants; ~18 SharePoint & CRM*. Working with SharePoint since WSS 2.0. af@c5.je / @gusfraser / #COM716. Run www.cispug.org. Blog at http://techblurt.com. #SPRunners. *probably the highest concentration of SharePoint on the planet (unconfirmed)
    3. Jersey
    4. Guernsey
    5. Agenda: Extranets – Why? Why Claims? Claims-Based Authentication. Secure Extranet Topologies. Case Studies & Demonstrations: MyGov.je, Dvs.MyGov.je. SharePoint 2013 – Claims First. Azure ACS & 3rd Party Providers
    6. SharePoint Buzzword Bingo: Cloud, App, Identity, Trust. SharePoints mean Prizes!
    7. Extranets – Why? Security: controlled information management & delivery; avoid insecure or uncontrolled use, e.g. Email, Dropbox, SkyDrive etc. Customer service: self-service, 24x7. Efficiency: reduced manual effort
    8. Extranets – Why Claims? Delegate Authentication to a TRUSTED 3rd party (Federation). Standards & Interoperability. SharePoint 2013… it’s the future!
    9. Quis custodiet ipsos custodes? “Who Guards the Guards?” Trust problems since the 1st/2nd century… 21st century version: Who do I trust with my Identity? Which Identity provider do I trust to authenticate users/federate with? – Partner/Customer AD? – LiveID? – Facebook? – OpenID?
    10. Claims-Based Concepts. Identity: set of unique user-defining claims/attributes. Claim(s): identity attributes (e.g. Username, Email, Role). Issuer / Authority / Provider: e.g. DC, ADFS, STS. Relying Party: application, e.g. SharePoint, custom app. Token
    11. What do we mean by Claim? Property that I HAVE / What I AM, e.g. Name, Email, Username (could be a Role). NOT What can I do (Authorisation). Wrapped up in a SAML Assertion/Token (XML). C2WTS converts to Windows (Kerberos or NTLM)
    12. Claim Types: SharePoint STS (native SharePoint); Windows Claims (from Kerberos or NTLM to SAML token); Federated Claims (ADFS 2.0, Azure ACS); Custom Claims (Custom STS)
    13. Real World Claims Analogy: Identity Provider, Claims, Identity
    14. Secure Extranet Topologies
    15. Assumptions / Requirements: Separate Extranet Farm (separate AD). Firewalls between Farms (ISA/TMG/UAG etc.). No external access to internal farm. No data to be stored in the public Cloud
    16. Scenario 1: Isolated Farms. No access to extranet farm without external AD account. Limited collaboration. [Topology diagram: Internal Farm – Firewall, DB Cluster, APP[01-02], DC[01-02], WFE[01-02]; Extranet Farm – Firewall, DMZ WFE[01,02], DMZ DB Cluster, DMZ APP01, DMZ DC[01,02]; Internal Users]
    17. Scenario 2: One-way AD Trust. Internal users granted access with AD Trust. Requires potentially undesirable firewall “holes”. [Topology diagram: the same Internal Farm and Extranet Farm as Scenario 1, joined by a one-way AD Trust]
    18. Scenario 3: ADFS 2.0. Internal users granted access via ADFS 2.0. Most secure multiple farm extranet with easy internal user access. [Topology diagram: the same two farms, with ADFS 2.0 servers ADFS[01,02] added]
    19. More on ADFS 2.0. Source: Claims-based Identity, Second Edition
    20. Case Studies
    21. MyGov.je Online Citizen Services Portal: Jobs, News, Planning Applications. SharePoint 2010 front-end. CRM 2011 back-end. Web services with X.509 certs. SharePoint STS with custom Membership provider
    22. Systems Integration: Payment Gateway; JD Edwards; Licar (Driving License system); Planning (Northgate)
    23. MyGov Topology. [Topology diagram: Internal Network – Firewall, DB Cluster, APP01, DCs[01 – 02], WFEs[01 – 03], CRM[01,02], JD Edwards, DVS, Planning; Extranet Farm – Firewall, DMZ WFEs[01 – 04], DMZ DB Cluster, DMZ APP01, DMZ DCs[01-02]; Internal Users]
    24. MyGov Sequence Diagram. [Participants: User, WFE/STS, CRM. Messages: Anon Request → Create SAML token → Login → Check credentials → Success → Augment Claim with CRM Identity → FedAuth Cookie → FedAuth Cookie]
    25. MYGOV CITIZEN PORTAL: Claims-based authentication with back-end Microsoft Dynamics CRM integration
    26. DVS Online: Book driving test. Re-use of Citizen Portal; different web app. SharePoint 2010 front-end. CRM 2011 back-end. Licar integration
    27. DVS ONLINE: Claims-based authentication with back-end Microsoft Dynamics CRM & Licar Driver licensing system
    28. SharePoint 2013 Claims
    29. SharePoint 2013 “Claims First” – Classic authentication deprecated (PowerShell only). Distributed Cache! No more sticky sessions for FedAuth cookies! Improved Logging (ULS). Without Claims: No Apps! No OWAPP! (e.g. Search result preview). A lot of “net new” 2013 features use Claims..
    30. Identities in SharePoint 2013: i:0#.f|membershipprovider|user; i:0#.w|domain\user; i:05.t|azure|email@domain.com; i:05.t|facebook|gus@techblurt.com; i:0i.t|ms.sp.ext|{guid}@{guid}
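As an added example (not from the slides), a small Python decoder for the encoded identities listed above: it splits the prefix into claim type, value type and issuer, separates the provider name from the value where the issuer requires one, and pulls the client id and realm out of an ms.sp.ext app identity (the {guid}@{guid} form described in the speaker note on app identifiers). The code tables are partial, and the mapping of the `i` type code to "app identifier" is an assumption.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# One-character codes used in SharePoint's encoded claim strings. Partial table:
# '#', '5', 'w', 'f', 't' come from the slide; the rest are common codes; 'i' is
# ASSUMED from the slide's ms.sp.ext example. Anything else decodes as "unknown".
CLAIM_TYPES = {"#": "user logon name", "5": "email address", "-": "role",
               "+": "group SID", "?": "name identifier", "i": "app identifier (assumed)"}
ISSUERS = {"w": "windows", "f": "forms", "t": "trusted provider",
           "s": "sharepoint sts", "c": "claim provider"}
VALUE_TYPES = {".": "string"}


@dataclass(frozen=True)
class EncodedClaim:
    is_identity: bool        # 'i' prefix = identity claim, 'c' = any other claim
    claim_type: str
    value_type: str
    issuer: str
    provider: Optional[str]  # present only for forms / trusted / claim-provider issuers
    value: str


def decode_claim(encoded: str) -> EncodedClaim:
    """Split "<i|c>:0<type><valuetype><issuer>|[provider|]<value>" into its parts."""
    if len(encoded) < 8 or encoded[0] not in "ic" or encoded[1:3] != ":0" or encoded[6] != "|":
        raise ValueError(f"not an encoded SharePoint claim: {encoded!r}")
    issuer_code, rest = encoded[5], encoded[7:]
    if issuer_code in ("w", "s"):
        provider, value = None, rest      # Windows / SharePoint STS: no provider segment
    else:
        provider, sep, value = rest.partition("|")
        if not sep or not provider:
            raise ValueError(f"issuer {issuer_code!r} needs a provider segment: {encoded!r}")
    if not value:
        raise ValueError(f"empty claim value: {encoded!r}")
    return EncodedClaim(is_identity=encoded[0] == "i",
                        claim_type=CLAIM_TYPES.get(encoded[3], "unknown"),
                        value_type=VALUE_TYPES.get(encoded[4], "unknown"),
                        issuer=ISSUERS.get(issuer_code, "unknown"),
                        provider=provider, value=value)


def app_identifier(claim: EncodedClaim) -> Tuple[str, str]:
    """For an ms.sp.ext app identity, return (client id, realm) from "<guid>@<guid>"."""
    if claim.provider != "ms.sp.ext" or "@" not in claim.value:
        raise ValueError("not an ms.sp.ext app identity")
    client_id, _, realm = claim.value.rpartition("@")
    return client_id, realm
```

Note that two encoded strings with the same user value but different issuer segments (for example Windows `w` versus forms `f`) decode to different principals, which is the behaviour to expect when auditing permissions after a classic-to-claims migration.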
    31. Upgrade / Migration Tips: Upgrade Classic 2010 Farms to Claims in 2010 BEFORE Upgrading to 2013. Upgrade WindowsPrincipal code to IClaimsPrincipal
    32. Azure Access Control Services: Identity Management in the Cloud
    33. Azure Access Control Services. Free! (since Nov 2012). Authentication, authorisation & integration with ID providers. Manages Certs, Relying Parties, ID Providers
    34. ACS Architecture. Source: http://msdn.microsoft.com/en-us/library/windowsazure/gg185957.aspx
    35. ACS Supported ID Providers: WS-Fed, OpenID; ADFS 2.0; Windows Live ID; Facebook; Google ID; Yahoo
    36. AZURE ACS, SHAREPOINT & FACEBOOK
    37. Create Facebook App
    38. Setup Azure ACS ID Provider
    39. ACS ID Providers, Mappings & Certs
    40. ACS Claims Mapping
    41. Facebook App
    42. Facebook Claims
    43. References: A Guide to Claims-Based Identity and Access Control, Second Edition – http://www.microsoft.com/en-us/download/details.aspx?id=28362; Programming WIF – http://shop.oreilly.com/product/9780735627185.do; ACS Code Samples Index – http://msdn.microsoft.com/en-us/library/gg185965.aspx
    44. Bingo Prizes!
    45. Thank you for attending! @gusfraser af@c5.je #COM716