Building Secure Extranets with Claims-Based Authentication #SPEvo13

Slides from my session at the SharePoint Evolution Conference 2013 about building secure extranets with Claims-Based Authentication

Usage Rights

© All Rights Reserved

Speaker Notes

  • NOT a technical deep dive on security or SAML. Explanation of the terminology & demonstration of real world examples.
  • e.g. Facebook OAuth – what is THEIR password complexity? (Identity 2.0 – Dick Hardt.) Facebook: "When you create a new password, make sure that it's at least 6 characters long. Try to use a complex combination of numbers, letters, and punctuation marks…"
  • C2WTS – part of WIF, installed with SP2010+, necessary for
  • Not all identities or claims are created equally…
  • Some of you might recognise this driving licence; I use it to present my claim (my name) in exchange for a ticket. The claims application (ground staff) checks if he or she trusts the identity provider. It's actually the Parish of St. Clement in Jersey, but let's just say Jersey. I then get a token which allows me through security, who don't look at my ID any more.
  • 53 TCP/UDP DNS; 88 TCP/UDP Kerberos; 389 TCP/UDP LDAP; 445 TCP SMB; 636 TCP LDAP (SSL)
  • ADFS CAN be installed on the DC; however, then you must have an ADFS proxy role or UAG to act as a proxy in front of the DC. However, UAG doesn't provide O365 or mobile device support. WID for less than 100 trusted relationships – internal users; WID + proxies – external DB.
  • App Identifier = Issuer GUID @ Realm GUID (Get-SPAuthenticationRealm -ServiceContext $spweb.Site). Because applications need permissions too! They are security principals themselves.
  • Used to be $1.99 per 100,000 transactions. If you used to use

Presentation Transcript

Building Secure SharePoint Extranets with Claims Based Authentication (#COM716)
Aonghus (Gus) Fraser, @gusfraser, af@c5.je

Aonghus Fraser (MCPD, MCITP, MCSD)
  • Based in (Old) Jersey & Guernsey
  • SharePoint Lead Consultant @ C5 Alliance – ~75 consultants; ~18 SharePoint & CRM*
  • Working with SharePoint since WSS 2.0
  • af@c5.je / @gusfraser / #COM716
  • Run www.cispug.org; blog at http://techblurt.com; #SPRunners
  • *probably the highest concentration of SharePoint on the planet (unconfirmed)

Jersey

Guernsey

Agenda
  • Extranets – Why?
  • Why Claims?
  • Claims-Based Authentication
  • Secure Extranet Topologies
  • Case Studies & Demonstrations: MyGov.je, Dvs.MyGov.je
  • SharePoint 2013 – Claims First
  • Azure ACS & 3rd Party Providers

SharePoint Buzzword Bingo: Cloud, App, Identity, Trust. SharePoints mean Prizes!

Extranets – Why?
  • Security: controlled information management & delivery; avoid insecure or uncontrolled use, e.g. email, Dropbox, SkyDrive etc.
  • Customer service: self-service, 24x7
  • Efficiency: reduced manual effort

Extranets – Why Claims?
  • Delegate authentication to a TRUSTED 3rd party (federation)
  • Standards & interoperability
  • SharePoint 2013… it's the future!

Quis custodiet ipsos custodes? "Who guards the guards?"
  • Trust problems since the 1st/2nd century… 21st-century version: who do I trust with my identity?
  • Which identity provider do I trust to authenticate users / federate with? Partner/customer AD? LiveID? Facebook? OpenID?

Claims-Based Concepts
  • Identity: set of unique user-defining claims/attributes
  • Claim(s): identity attributes (e.g. username, email, role)
  • Issuer / Authority / Provider: e.g. DC, ADFS, STS
  • Relying Party: application, e.g. SharePoint, custom app
  • Token

What do we mean by Claim?
  • A property that I HAVE / what I AM, e.g. name, email, username (could be a role)
  • NOT what I can do (authorisation)
  • Wrapped up in a SAML assertion/token (XML)
  • C2WTS converts to Windows (Kerberos or NTLM)

Claim Types
  • SharePoint STS (native SharePoint)
  • Windows Claims (from Kerberos or NTLM to SAML token)
  • Federated Claims: ADFS 2.0, Azure ACS
  • Custom Claims: custom STS

Real World Claims Analogy (diagram: Identity Provider, Claims, Identity)

Secure Extranet Topologies

Assumptions / Requirements
  • Separate extranet farm (separate AD)
  • Firewalls between farms (ISA/TMG/UAG etc.)
  • No external access to internal farm
  • No data to be stored in the public cloud

Scenario 1: Isolated Farms
  • No access to extranet farm without external AD account
  • Limited collaboration
  • (Diagram: Internal Farm – DC[01-02], APP[01-02], WFE[01-02], DB Cluster | Firewall | Extranet Farm in DMZ – DMZDC[01,02], DMZAPP01, DMZWFE[01,02], DMZ DB Cluster | Firewall | Internal Users)

Scenario 2: One-way AD Trust
  • Internal users granted access with AD trust
  • Requires potentially undesirable firewall "holes"
  • (Diagram: as Scenario 1, plus a one-way AD trust between the extranet DMZDC[01,02] and the internal DC[01-02] across the firewall)

Scenario 3: ADFS 2.0
  • Internal users granted access via ADFS 2.0
  • Most secure multiple-farm extranet with easy internal user access
  • (Diagram: as Scenario 1, plus ADFS 2.0 servers ADFS[01,02] on the internal side)

More on ADFS 2.0 (Source: Claims-based Identity, Second Edition)

Case Studies

MyGov.je
  • Online Citizen Services Portal: jobs, news, planning applications
  • SharePoint 2010 front-end; CRM 2011 back-end
  • Web services with X.509 certs
  • SharePoint STS with custom membership provider

Systems Integration
  • Payment gateway
  • JD Edwards
  • Licar (driving licence system)
  • Planning (Northgate)

MyGov Topology
  • (Diagram: Internal Network – DCs[01-02], APP01, WFEs[01-03], DB Cluster, CRM[01,02], JD Edwards, DVS, Planning | Firewall | Extranet Farm in DMZ – DMZDCs[01-02], DMZAPP01, DMZWFEs[01-04], DMZ DB Cluster | Firewall | Internal Users)

MyGov Sequence Diagram
  • Participants: User, WFE/STS, CRM
  • Messages: Anon request; Create SAML token; Login; Check credentials; Success; Augment claim with CRM identity; FedAuth cookie; FedAuth cookie

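Worked example (added here; not code from the slides or from the MyGov portal): the sequence above as two cooperating parties. HMAC-signed JSON stands in for the STS's X.509-signed SAML token and for SharePoint's FedAuth cookie; the issuer names, realm, keys and the user/CRM records are constructed for the demo. What it adds to the diagram is the relying party's side of the trust: it accepts a token only from an issuer it was configured to trust, for its own realm, with a valid signature and before expiry, and after that every request is checked against the cookie alone, without another trip to the STS.

```python
# Added example, not from the slides: a runnable model of the MyGov sequence diagram
# (user -> WFE/STS -> CRM -> FedAuth cookie). HMAC-signed JSON stands in for the
# X.509-signed SAML token and for SharePoint's FedAuth session cookie; issuer names,
# realms, keys and the user/CRM records are constructed for the demo.
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(key: bytes, payload: dict) -> str:
    """<base64 json>.<base64 hmac-sha256>: the MAC plays the role of the XML signature."""
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    return body + "." + _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())


def verify(key: bytes, blob: str) -> Optional[dict]:
    """Return the payload only if the MAC under `key` checks out (constant-time compare)."""
    try:
        body, sig = blob.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return None
        payload = json.loads(_unb64(body))
    except ValueError:  # wrong number of parts, bad base64 or bad JSON
        return None
    return payload if isinstance(payload, dict) else None


class IdentityProvider:
    """The WFE/STS side: checks credentials against the membership store, augments
    the claims with the CRM identity, then issues the signed token."""

    def __init__(self, name: str, key: bytes, users: Dict[str, Tuple[bytes, bytes]], crm: Dict[str, str]):
        self.name, self.key, self.users, self.crm = name, key, users, crm

    @staticmethod
    def hash_password(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def login(self, username: str, password: str, realm: str, now: float, lifetime: int = 600) -> Optional[str]:
        salt, stored = self.users.get(username, (b"\0" * 16, b"\0" * 32))  # unknown user costs the same
        ok = hmac.compare_digest(self.hash_password(password, salt), stored)
        if not ok or username not in self.users:
            return None  # "Check credentials" failed: no token at all
        claims = {"username": username}
        if username in self.crm:  # "Augment claim with CRM identity"
            claims["crmcontactid"] = self.crm[username]
        token = {"iss": self.name, "aud": realm, "iat": int(now), "exp": int(now) + lifetime, "claims": claims}
        return sign(self.key, token)


class RelyingParty:
    """The SharePoint web application: accepts tokens only from named, trusted issuers
    for its own realm, then runs its own session via the FedAuth cookie."""

    def __init__(self, realm: str, trusted: Dict[str, bytes], cookie_key: bytes, cookie_lifetime: int = 3600):
        self.realm, self.trusted, self.cookie_key, self.cookie_lifetime = realm, trusted, cookie_key, cookie_lifetime

    def accept_token(self, token: Optional[str], now: float) -> Optional[str]:
        """Validate a freshly issued token; on success mint the FedAuth cookie."""
        try:  # the issuer name chooses which trust (key) to verify against
            issuer = json.loads(_unb64(token.split(".")[0])).get("iss")
        except (ValueError, AttributeError):
            return None
        key = self.trusted.get(issuer)
        if key is None:
            return None  # "who guards the guards": an STS we never agreed to trust
        payload = verify(key, token)
        if payload is None or payload.get("aud") != self.realm or payload.get("exp", 0) <= now:
            return None  # forged/tampered, meant for another realm, or expired
        session = {"iss": issuer, "claims": payload.get("claims", {}), "exp": int(now) + self.cookie_lifetime}
        return sign(self.cookie_key, session)

    def authenticate_request(self, fedauth_cookie: Optional[str], now: float) -> Optional[dict]:
        """Every later request carries only the cookie; the STS is not consulted again."""
        session = verify(self.cookie_key, fedauth_cookie) if fedauth_cookie else None
        if session is None or session.get("exp", 0) <= now:
            return None
        return session.get("claims")


# Constructed fixtures: one citizen in the membership store and her CRM contact.
STS_KEY, COOKIE_KEY, SALT = b"sts-signing-key-demo", b"portal-cookie-key-demo", b"demo-salt-16bytes"
STS = IdentityProvider("mygov-sts", STS_KEY,
                       {"alice": (SALT, IdentityProvider.hash_password("correct horse", SALT))},
                       {"alice": "CRM-0001"})
ROGUE = IdentityProvider("rogue-sts", b"rogue-key", {"alice": (SALT, IdentityProvider.hash_password("x", SALT))}, {})
PORTAL = RelyingParty("urn:mygov:portal", {"mygov-sts": STS_KEY}, COOKIE_KEY)


def walkthrough(now: float = 1_700_000_000.0) -> dict:
    """Replay the sequence from the slide plus the failure cases; returns each outcome."""
    out = {"anonymous": PORTAL.authenticate_request(None, now)}            # anon request: no cookie yet
    out["bad_password"] = STS.login("alice", "wrong", PORTAL.realm, now)     # credential check fails
    token = STS.login("alice", "correct horse", PORTAL.realm, now)
    cookie = PORTAL.accept_token(token, now)
    out["claims"] = PORTAL.authenticate_request(cookie, now + 60)             # cookie carries the augmented claims
    out["expired_cookie"] = PORTAL.authenticate_request(cookie, now + 3601)
    out["untrusted_issuer"] = PORTAL.accept_token(ROGUE.login("alice", "x", PORTAL.realm, now), now)
    out["wrong_realm"] = PORTAL.accept_token(STS.login("alice", "correct horse", "urn:other:app", now), now)
    body, sig = token.split(".")
    forged = _b64(json.dumps({**json.loads(_unb64(body)), "claims": {"username": "admin"}}, sort_keys=True).encode())
    out["tampered"] = PORTAL.accept_token(forged + "." + sig, now)            # body changed, old signature
    return out
```

walkthrough() returns the outcome of each step: the only non-None entry is "claims", the augmented claim set {"username": "alice", "crmcontactid": "CRM-0001"} that the portal reads from the cookie; the rogue STS, the token issued for another realm, the tampered body and the expired cookie are all refused. In a real farm the FedAuth cookie is what the "no more sticky sessions" point on the SharePoint 2013 slide is about: once the Distributed Cache holds the session token, any WFE can validate it.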
Demo: MyGov Citizen Portal – claims-based authentication with back-end Microsoft Dynamics CRM integration

DVS Online
  • Book driving test
  • Re-use of Citizen Portal; different web app
  • SharePoint 2010 front-end; CRM 2011 back-end
  • Licar integration

Demo: DVS Online – claims-based authentication with back-end Microsoft Dynamics CRM & Licar driver licensing system

SharePoint 2013 Claims

  • SharePoint 2013 “Claims First” – Classic authenticationdeprecated (PowerShell only) Distributed Cache!  No more sticky sessions for FedAuth cookies! Improved Logging (ULS) Without Claims: No Apps! No OWAPP! (e.g. Search result preview) A lot of “net new” 2013 features use Claims..
Identities in SharePoint 2013
  • i:0#.f|membershipprovider|user (forms-based membership provider)
  • i:0#.w|domain\user (Windows)
  • i:05.t|azure|email@domain.com (trusted provider, email claim)
  • i:05.t|facebook|gus@techblurt.com (trusted provider, email claim)
  • i:0i.t|ms.sp.ext|{guid}@{guid} (app principal: app GUID @ realm GUID)

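Worked example (added here, not from the slides): a decoder for the encoded identity strings above, which also splits the app-principal identifier into its two GUIDs as the speaker notes describe (the half after the @ is the farm realm that Get-SPAuthenticationRealm returns). The claim-type codes other than # and 5 are well-known SharePoint codes supplied by this example rather than by the slide, and the sample identities are constructed.

```python
# Added example, not from the slides: decode SharePoint's encoded claim strings
# ("i:0#.w|CONTOSO\alice", "i:05.t|azure|user@domain.com", "i:0i.t|ms.sp.ext|<guid>@<guid>")
# into their parts. Layout: <i|c>:0<claim type><value type><auth mode>|[issuer|]value
import uuid
from dataclasses import dataclass
from typing import Optional

# Claim-type codes. "#" (logon name) and "5" (e-mail) are the ones on the slide; the
# rest are well-known SharePoint codes added here and should be treated as an assumption.
CLAIM_TYPE_CODES = {
    "#": "http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname",
    "5": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "-": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
    "+": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
    "!": "http://schemas.microsoft.com/sharepoint/2009/08/claims/identityprovider",
}
VALUE_TYPE_CODES = {".": "http://www.w3.org/2001/XMLSchema#string"}
# Auth-mode codes: "w" and "s" strings carry no issuer segment, the others do.
AUTH_MODE_CODES = {"w": "windows", "s": "sharepoint", "f": "forms", "t": "trusted"}
APP_ISSUER = "ms.sp.ext"  # SharePoint 2013 app principals: <app GUID>@<realm GUID>


@dataclass
class DecodedClaim:
    is_identity: bool          # "i" = the identity claim, "c" = any other claim (e.g. a role)
    claim_type: str            # full claim-type URI, or "unknown:<code>"
    value_type: str
    auth_mode: str
    issuer: Optional[str]      # provider name; None for windows/sharepoint strings
    value: str
    app_client_id: Optional[str] = None  # filled only for ms.sp.ext app principals
    realm: Optional[str] = None


def decode_claim(encoded: str) -> DecodedClaim:
    header, sep, rest = encoded.partition("|")
    if not sep or len(header) != 6 or header[0] not in "ic" or header[1:3] != ":0":
        raise ValueError(f"not a SharePoint encoded claim: {encoded!r}")
    mode = AUTH_MODE_CODES.get(header[5])
    if mode is None:
        raise ValueError(f"unknown auth mode {header[5]!r} in {encoded!r}")
    if mode in ("windows", "sharepoint"):
        issuer, value = None, rest
    else:
        issuer, sep2, value = rest.partition("|")
        if not sep2 or not issuer or not value:
            raise ValueError(f"missing issuer or value segment in {encoded!r}")
    claim = DecodedClaim(
        is_identity=header[0] == "i",
        claim_type=CLAIM_TYPE_CODES.get(header[3], f"unknown:{header[3]}"),
        value_type=VALUE_TYPE_CODES.get(header[4], f"unknown:{header[4]}"),
        auth_mode=mode,
        issuer=issuer,
        value=value,
    )
    if issuer == APP_ISSUER:
        # App identifier = <app GUID>@<farm realm GUID>; both halves must parse as GUIDs
        # (uuid.UUID rejects anything else), so a malformed app id cannot slip through.
        client_id, at, realm = value.partition("@")
        if not at:
            raise ValueError(f"app principal without realm: {encoded!r}")
        claim.app_client_id, claim.realm = str(uuid.UUID(client_id)), str(uuid.UUID(realm))
    return claim


def app_belongs_to_farm(encoded: str, farm_realm: str) -> bool:
    """True only for an app principal whose realm half matches this farm's realm
    (the GUID Get-SPAuthenticationRealm returns); GUID case does not matter."""
    claim = decode_claim(encoded)
    return claim.realm is not None and claim.realm == str(uuid.UUID(farm_realm))


if __name__ == "__main__":
    # Constructed sample identities in the slide's formats.
    for sample in ("i:0#.f|membershipprovider|user", r"i:0#.w|CONTOSO\alice",
                   "i:05.t|azure|email@domain.com", "c:0-.t|adfs|Citizen",
                   "i:0i.t|ms.sp.ext|11111111-2222-3333-4444-555555555555@aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"):
        print(decode_claim(sample))
```

The decoder refuses anything that is not in the six-character header form, any auth mode it does not know, a forms/trusted string with no issuer segment, and an app principal whose client or realm half is not a GUID. That matters when these strings come from logs or from code that builds them by hand: an identity that merely looks like a claims string should fail loudly rather than be treated as a user.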
Upgrade / Migration Tips
  • Upgrade classic 2010 farms to claims in 2010 BEFORE upgrading to 2013
  • Upgrade WindowsPrincipal code to IClaimsPrincipal

Azure Access Control Services: Identity Management in the Cloud

  • Azure Access Control Services Free! (since Nov 2012) Authentication, authorisation & integrationwith ID providers Manages Certs, Relying Parties, IDProviders
ACS Architecture (Source: http://msdn.microsoft.com/en-us/library/windowsazure/gg185957.aspx)

ACS Supported ID Providers
  • WS-Fed, OpenID
  • ADFS 2.0
  • Windows Live ID
  • Facebook
  • Google ID
  • Yahoo

Create Facebook App

Setup Azure ACS ID Provider

ACS ID Providers, Mappings & Certs

ACS Claims Mapping

Facebook App

Facebook Claims

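Worked example (added here; not from the slides and not ACS's own code): the rule-group model behind the "ACS Claims Mapping" and "Facebook Claims" slides. In ACS a rule names the identity provider, an input claim type and optionally a value, and says what output claim to issue, with pass-through when the output type or value is left unset; a claim that no rule matches is not issued at all. Provider names, claim values and the "acs" output issuer label below are constructed.

```python
# Added example, not from the slides or from ACS: a small model of an ACS rule group.
# Each rule matches one input claim by identity provider, claim type and (optionally)
# value, and emits one output claim; a None output type/value means pass-through.
# Provider names, claim values and the "acs" output issuer are constructed for the demo.
from dataclasses import dataclass
from typing import List, Optional, Tuple

Claim = Tuple[str, str, str]  # (issuer, claim type, value)

EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
NAMEID = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"


@dataclass(frozen=True)
class Rule:
    issuer: str                      # identity provider the input claim must come from
    in_type: Optional[str] = None    # None = any claim type from that provider
    in_value: Optional[str] = None   # None = any value
    out_type: Optional[str] = None   # None = pass the input type through
    out_value: Optional[str] = None  # None = pass the input value through

    def apply(self, claim: Claim) -> Optional[Claim]:
        issuer, ctype, value = claim
        if issuer != self.issuer or (self.in_type is not None and ctype != self.in_type):
            return None
        if self.in_value is not None and value != self.in_value:
            return None
        return ("acs", self.out_type or ctype, self.out_value or value)


def transform(rules: List[Rule], incoming: List[Claim]) -> List[Claim]:
    """Run every rule over every input claim. The relying party only ever sees what a
    rule produced: an input claim that no rule matches (here, the provider's access
    token) is dropped, which is the allow-list behaviour wanted at a federation hop."""
    out: List[Claim] = []
    for claim in incoming:
        for rule in rules:
            produced = rule.apply(claim)
            if produced is not None and produced not in out:
                out.append(produced)
    return out


def citizen_portal_rules() -> List[Rule]:
    return [
        Rule("Facebook", EMAIL),                                      # pass e-mail through
        Rule("Facebook", NAME),                                       # pass display name through
        Rule("Facebook", EMAIL, out_type=ROLE, out_value="Citizen"),  # any Facebook user with an e-mail is a Citizen
        Rule("ADFS"),                                                 # corporate ADFS: pass everything through
    ]


def facebook_login_claims() -> List[Claim]:
    # Constructed: roughly what a Facebook sign-in yields, including a token the RP must never see.
    return [
        ("Facebook", NAMEID, "10001"),
        ("Facebook", EMAIL, "gus@techblurt.com"),
        ("Facebook", NAME, "Gus Fraser"),
        ("Facebook", "facebook-access-token", "EAAB-constructed-token"),
    ]


if __name__ == "__main__":
    for c in transform(citizen_portal_rules(), facebook_login_claims()):
        print(c)
```

For the constructed Facebook sign-in the relying party receives exactly three claims (e-mail, the Citizen role, name); the name identifier and the access token are not issued because no rule names them, and a provider with no rules at all (Google in the test) yields an empty claim set. The blanket pass-through rule for ADFS is the kind of rule to look at twice in a real rule group, since it forwards whatever the corporate STS emits.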
References
  • A Guide to Claims-Based Identity and Access Control, Second Edition: http://www.microsoft.com/en-us/download/details.aspx?id=28362
  • Programming WIF: http://shop.oreilly.com/product/9780735627185.do
  • ACS Code Samples Index: http://msdn.microsoft.com/en-us/library/gg185965.aspx

Bingo Prizes!

Thank you for attending! @gusfraser, af@c5.je, #COM716