Building Secure Extranets with Claims-Based Authentication #SPEvo13
Upcoming SlideShare
Loading in...5
×

Like this? Share it with your network

Share

Building Secure Extranets with Claims-Based Authentication #SPEvo13

  • 6,644 views
Uploaded on

Slides from my session at the SharePoint Evolution Conference 2013 about building secure extranets with Claims-Based Authentication

Slides from my session at the SharePoint Evolution Conference 2013 about building secure extranets with Claims-Based Authentication

More in: Technology , Business
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads

Views

Total Views
6,644
On Slideshare
6,535
From Embeds
109
Number of Embeds
6

Actions

Shares
Downloads
103
Comments
0
Likes
5

Embeds 109

http://techblurt.com 85
http://flavors.me 14
http://feeds.feedburner.com 7
http://fr.flavors.me 1
http://webcache.googleusercontent.com 1
http://mysites 1

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide
  • NOT a technical deep dive on security or SAML Explanation of the terminology & demonstration of real world examples
  • e.g. Facebook OAuth – what is THEIR password complexity? Identity 2.0 – Dick HardtFacebook: When you create a new password, make sure that it's at least 6 characters long. Try to use a complex combination of numbers, letters, and punctuation marks….
  • C2WTS – part of WIF, installed with SP2010+ necessary for
  • Not all identities or claims are created equally…
  • Some of you might recognise this driving license, I use it to present my claim (my name) in exchange for a ticketThe claims application (ground staff) check if he or she trusts the identity provider. It’s actually the Parish of St. Clement in Jersey, but let’s just say Jersey I then get a token which allows me through security, who doesn’t look at my ID anymore
  • 53 TCP/UDP DNS 88 TCP/UDP Kerberos 389 TCP/UDP LDAP 445 TCP SMB 636 TCP LDAP (SSL)
  • ADFS CAN be installed on the DC however then you must have an ADFS proxy role or UAG to act as a proxy in front of the DCHowever UAG doesn’t provide O365 or Mobile device supportWID for less than 100 trusted relationships – internal usersWID + Proxies – external DB
  • WID for less than 100 trusted relationships – internal usersWID + Proxies – external DB
  • App Identifier = Issuer Guid @ Realm Guid (Get-SPAuthenticationRealm) – ServiceContext $spweb.SiteBecause applications need permissions too! Security Principal themselves
  • Used to be $1.99 per 100,000 transactions. If you used to use

Transcript

  • 1. Building Secure SharePointExtranets with Claims BasedAuthentication#COM716Aonghus (Gus) Fraser@gusfraseraf@c5.je
  • 2. Aonghus Fraser (MCPD, MCITP, MCSD) Based in (Old) Jersey & Guernsey SharePoint Lead Consultant @ C5 Alliance– ~75 Consultants; ~18 SharePoint & CRM* Working with SharePoint since WSS 2.0 af@c5.je / @gusfraser / #COM716 Run www.cispug.org Blog at http://techblurt.com #SPRunners*probably the highest concentration of SharePoint on the planet (unconfirmed)
  • 3. Jersey
  • 4. Guernsey
  • 5. Agenda Extranets – Why? Why Claims? Claims-Based Authentication Secure Extranet Topologies Case Studies & Demonstrations MyGov.je Dvs.MyGov.je SharePoint 2013 – Claims First Azure ACS & 3rd Party Providers
  • 6. SharePoint Buzzword BingoCloudAppIdentityTrustSharePoints mean Prizes!
  • 7. Extranets – Why? Security Controlled information management &delivery Avoid insecure or uncontrolled use e.g.Email, Dropbox, SkyDrive etc. Customer service Self-service, 24x7 Efficiency Reduced manual effort
  • 8. Extranets – Why Claims? Delegate Authentication to a TRUSTED3rd party (Federation) Standards & Interoperability SharePoint 2013… it’s the future!
  • 9. Quis custodiet ipsos custodes? “Who Guards the Guards?” Trust problems since the 1st/2nd century… 21st century version: Who do I trust with my Identity? Which Identity provider do I trust toauthenticate users/federate with?– Partner/Customer AD?– LiveID?– Facebook?– OpenID?
  • 10. Claims-Based Concepts Identity Set of unique user-defining claims/attributes Claim(s) Identity attributes (e.g. Username, Email, Role) Issuer / Authority / Provider E.g. DC, ADFS, STS Relying Party Application e.g. SharePoint, custom app Token
  • 11. What do we mean by Claim? Property that I HAVE / What I AM E.g. Name, Email, Username (could be a Role) NOT What can I do (Authorisation) Wrapped up in a SAML Assertion/Token(XML) C2WTS converts to Windows (Kerberos orNTLM)
  • 12. Claim Types SharePoint STS (native SharePoint) Windows Claims (from Kerberos or NTLM toSAML token) Federated Claims ADFS 2.0, Azure ACS Custom Claims Custom STS
  • 13. Real World Claims AnalogyIdentity ProviderClaimsIdentity
  • 14. Secure Extranet Topologies
  • 15. Assumptions / Requirements Separate Extranet Farm (separate AD) Firewalls between Farms (ISA/TMG/UAGetc.) No external access to internal farm No data to be stored in the public Cloud
  • 16. Scenario 1: Isolated FarmsNo access to extranet farm without external AD accountLimited collaborationFirewallDB Cluster APP[01-02]FirewallDC[01-02]WFE[01-02] DMZWFE[01,02DMZDB ClusterDMZAPP01DMZDC[01,02]Internal FarmExtranet FarmInternal Users
  • 17. FirewallDB Cluster APP[01-02]FirewallDC[01-02]WFE[01-02] DMZWFE[01,02]DMZDB ClusterDMZAPP01DMZDC[01,02]Internal FarmExtranet FarmInternal UsersOne way AD TrustScenario 2: One-way AD TrustInternal users granted access with AD TrustRequires potentially undesirable firewall“holes”
  • 18. FirewallDB Cluster APP[01-02]FirewallDC[01-02]WFE[01-02] DMZWFE[01,02]DMZDB ClusterDMZAPP01DMZDC[01,02]Internal FarmExtranet FarmInternal UsersADFS 2.0ADFS[01,02]Scenario 3: ADFS 2.0Internal users granted access via ADFS 2.0Most secure multiple farm extranet witheasy internal user access
  • 19. More on ADFS 2.0Source:Claims-based Identity Second Edition
  • 20. Case Studies
  • 21. MyGov.je Online Citizen Services Portal Jobs, News, Planning Applications SharePoint 2010 front-end CRM 2011 back-end Web services with X.509 certs SharePoint STS with custom Membershipprovider
  • 22. Systems Integration Payment Gateway JD Edwards Licar (Driving License system) Planning (Northgate)
  • 23. MyGov TopologyFirewallDB ClusterAPP01FirewallDCs[01 – 02]WFEs[01 – 03]DMZWFEs[01 – 04]DMZDB ClusterDMZAPP01DMZDCs[01-02]Internal NetworkExtranet FarmInternal UsersCRM[01,02]JD EdwardsDVSPlanning
  • 24. MyGov Sequence DiagramUserWFE /STSCRMAnon RequestCreate SAML tokenLoginCheck credentialsSuccessAugment Claim with CRM IdentityFedAuth CookieFedAuth Cookie
  • 25. MYGOV CITIZEN PORTALClaims-based authentication with back-end Microsoft DynamicsCRM integration
  • 26. DVS Online Book driving test Re-use of Citizen Portal; different webapp SharePoint 2010 front-end CRM 2011 back-end Licar integration
  • 27. DVS ONLINEClaims-based authentication with back-end Microsoft DynamicsCRM & Licar Driver licensing system
  • 28. SharePoint 2013 Claims
  • 29. SharePoint 2013 “Claims First” – Classic authenticationdeprecated (PowerShell only) Distributed Cache!  No more sticky sessions for FedAuth cookies! Improved Logging (ULS) Without Claims: No Apps! No OWAPP! (e.g. Search result preview) A lot of “net new” 2013 features use Claims..
  • 30. Identities in SharePoint 2013 i:0#.f|membershipprovider|user i:0#.w|domainuser i:05.t|azure|email@domain.com i:05.t|facebook|gus@techblurt.com i:0i.t|ms.sp.ext|{guid}@{guid}
  • 31. Upgrade / Migration Tips Upgrade Classic 2010 Farms to Claims in2010 BEFORE Upgrading to 2013 Upgrade WindowsPrincipal code toIClaimsPrincipal
  • 32. Azure Acces Control ServicesIdentity Management in the Cloud
  • 33. Azure Access Control Services Free! (since Nov 2012) Authentication, authorisation & integrationwith ID providers Manages Certs, Relying Parties, IDProviders
  • 34. ACS ArchitectureSource: http://msdn.microsoft.com/en-us/library/windowsazure/gg185957.aspx
  • 35. ACS Supported ID Providers WS-Fed, OpenID ADFS 2.0 Windows Live ID Facebook Google ID Yahoo
  • 36. AZURE ACS, SHAREPOINT &FACEBOOK
  • 37. Create Facebook App
  • 38. Setup Azure ACS ID Provider
  • 39. ACS ID Providers, Mappings &Certs
  • 40. ACS Claims Mapping
  • 41. Facebook App
  • 42. Facebook Claims
  • 43. References A Guide to Claims-Based Identity and Access Control,Second Edition http://www.microsoft.com/en-us/download/details.aspx?id=28362 Programming WIF http://shop.oreilly.com/product/9780735627185.do ACS Code Samples Index http://msdn.microsoft.com/en-us/library/gg185965.aspx
  • 44. Bingo Prizes!
  • 45. Thank you for attending!@gusfraseraf@c5.je#COM716