Envision it SharePoint Extranet Webinar Series - Federation and Office 365

In this Webinar, Envision IT demonstrates how to set up ADFS so that staff are automatically signed in to their corporate network, and external users are provided with a rich login experience. View more details and the webinar recording here:
http://www.envisionit.com/products/events/Pages/SharePoint-Extranet-Spring-Webinar-Series-Federation-and-Office-365.aspx

  1. SharePoint Extranet Spring Webinar Series: Federation and Office 365. Presented by Peter Carson, President, Envision IT. March 25, 2014
  2. Peter Carson
     • President, Envision IT
     • SharePoint MVP
     • Virtual Technical Specialist, Microsoft Canada
     • peter@envisionit.com
     • http://blog.petercarson.ca
     • www.envisionit.com
     • Twitter @carsonpeter
     • VP Toronto SharePoint User Group
  3. Peter Mackenzie
     • VP Sales & Marketing
     • e: pmackenzie@envisionit.com
     • p: (905) 812-3009 x244
     • President, International Association of Microsoft Certified Partners (IAMCP) Canada
  4. Product Support
     Corey Thokle, EUM Support Manager
     • e: cthokle@envisionit.com
     • p: (905) 812 3009 ext.248
     • http://www.linkedin.com/company/envision-it-inc
     Amanda Da Costa, Sales & Marketing Support
     • e: adacosta@envisionit.com
     • p: (905) 812 3009 ext.250
     • http://ca.linkedin.com/in/amandadacosta/
  5. Additional Credits
     • Mark Jones, Envision IT Lead Architect
     • Zulfiqar Ahmed: http://zamd.net/2013/02/08/federating-a-custom-sts-with-office-365-azure-active-directory/
     • Brock Allen: www.thinktecture.com
  6. Agenda
     • Envision IT Overview
     • Office 365 Authentication Options
     • What is Federation and how does it work?
     • Setting up ADFS with Office 365
     • Extranet Scenarios in Office 365
     • Federation Customization using ADFS or Thinktecture Identity Server
     • Using Extranet User Manager to create and manage the external users
     • SharePoint App Authentication Alternatives
     • Wrap-Up and Q&A
  7. Envision IT Services Overview: Focused on complex SharePoint solutions, Envision IT is the “go-to” partner for Microsoft SharePoint, building integrated public web sites, Intranets, Extranets, and web applications that leverage your existing systems anywhere over the Internet.
  8. Public Web Sites: We create interactive, content-rich customer-facing web sites that are able to grow and transform with changing needs
  9. Collaboration Portals: Our Collaboration Portals provide a secure space for teams to share knowledge and resources
  10. Extranets: Envision IT has a wealth of experience building Corporate Extranets that allow you to securely connect with customers and partners
  11. Intranets: Our Intranet Sites connect people to information, expertise and key business applications, and SharePoint provides a broad set of Enterprise Content Management features
  12. Products
  13. • Easy delegation of user management to business • Self-registration, approvals, forgotten password reset • Single URL and sign-on for AD
  14. Pricing
     • $8,000 per production SharePoint farm
     • No limits on the number of web front ends
     • 20% annual Software Assurance provides all product updates
     • Dev and QA farm licenses provided with up to date Software Assurance
  15. Extranet Clients
  16. Microsoft SharePoint
  17. Poll 1: Which Version of SharePoint are you currently using?
     • Office 365
     • SharePoint Server 2013
     • SharePoint Server 2010
     • SharePoint Foundation (2010 or 2013)
     • MOSS 2007 or WSS 3.0
  18. Poll 2: How do you use SharePoint today?
     • Internal collaboration
     • Internal web publishing (Intranet)
     • Extranets
     • Public facing website
  19. Identity Management, Authentication, and Authorization
     Identity Management
     • Process for managing the entire life cycle of digital identities, including the profiles of people, systems, and services
     • For our purposes we are focused just on people
     • Who creates and manages identities? The Extranet owner or the external users themselves?
     • Are identities part of the Extranet or external to it?
     Authentication and Authorization
     • Authentication is the mechanism whereby systems may securely identify their users
     • Authentication systems provide answers to the questions:
       – Who is the user?
       – Is the user really who he/she represents himself to be?
     • Authorization is the mechanism by which a system determines what level of access a particular authenticated user should have
       – Is user X authorized to access resource R?
  20. Office 365 Authentication Options (three columns on the slide)
     • Cloud Identity: Windows Azure Active Directory, no integration
     • Directory and Password Synchronization: Windows Azure Active Directory integration with no federation; DirSync and Password Sync; On Premise Identity
     • Federated Identity: Windows Azure Active Directory with a single federated identity and credentials; On Premise Identity; Federation; User Sync
  21. Windows Azure Active Directory
     • All Office 365 users have a WAAD shadow account
     • DirSync can create WAAD accounts for all your AD users
       – Password Sync can also sync your passwords
       – Doesn’t provide Single Sign-On, but does allow users to use the same password on premise and in the cloud
       – Syncs a hash of the password, rather than the password itself
     • PowerShell or Graph API (REST interface) can also be used to manage WAAD
  22. DirSync Process: http://technet.microsoft.com/en-us/library/dn441212.aspx
  23. Demo 1 Scenario
     • Sign up at http://office.microsoft.com/en-ca/sharepoint/sharepoint-products-and-free-trial-online-collaboration-tools-FX103789417.aspx
     • Sample site created at https://eumwebinar.sharepoint.com
     • Cloud Identity admin user format is user@eumwebinar.onmicrosoft.com
  24. Federated Identity
     • Trusted Identity Provider does the authentication
     • Can be any SAML compliant provider
       – Active Directory Federation Services
       – Thinktecture Identity Server (www.thinktecture.com)
       – Social identities
     • Can be AD, SQL, or other user repository under the hood
     • Relying parties (such as SharePoint) trust the SAML token and provide the authorization based off that identity
     • Provides Single Sign-On to multiple systems
       – Can be any SAML claims compliant system, not just SharePoint
  25. Authentication Process (sequence diagram with Relying Party, Identity Provider and Active Directory; the RP trusts the IP)
     1. Browse app
     2. Not authenticated; redirected to IP (Home Realm Discovery)
     3. Authenticate user; IP queries Active Directory for user attributes
     4. IP returns SAML Security Token (ST)
     5. Send token (ST) to the Relying Party
     6. Return page and cookie
  26. Certificates
     • PKI SSL encryption is used for communication
     • Token can be self-signed by the Identity Provider
     • Token can also be encrypted with a self-signed certificate from the Identity Provider
     Diagram: communication between Relying Party and Identity Provider uses SSL certificates A and B (root for A, root for B); the Security Token (ST) is signed with certificate C and encrypted with certificate D; the Relying Party holds the public key of C, the Identity Provider the public key of D.
  27. ADFS Servers: https://login.thinktecturedev.com (Internal ADFS/DC Servers; DMZ ADFS Proxies)
  28. ADFS Server Considerations
     • Should have at least two each of ADFS and ADFS Proxy Servers
     • If there is only one Internet connection, consider putting them in Azure
     • Having Lync and Exchange in the cloud and not being able to authenticate because your Internet pipe is down is a problem
  29. Setting up ADFS with Office 365
     • http://technet.microsoft.com/en-us/library/jj205462.aspx
     • DirSync is still used to create the shadow WAAD accounts
     • Set up a trust between ADFS and Windows Azure AD
       – Set up through PowerShell
       – Requires you to set up some TXT DNS records to prove you own the domain
     • Accounts need to be licensed in the Office 365 portal
  30. Demo 2 Scenario
     • Sample site at https://envisionit.sharepoint.com/sites/eumwebinar
     • Internal user is authenticated automatically through the ADFS Server
     • Need to go through the Microsoft home realm discovery page
       – This can be overridden for Exchange Online but not SharePoint Online (yet)
  31. Microsoft Home Realm Discovery
  32. Smart Links
     • Run Fiddler as you are logging in
     • Capture the 302 redirect:
       https://fedsrv.envisionit.com/adfs/ls/?cbcxt=&popupui=&vv=&username=peter%40envisionit.com&mkt=&lc=1033&wfresh=&wa=wsignin1.0&wtrealm=urn:federation:MicrosoftOnline&wctx=wa%3Dwsignin1%252E0%26rpsnv%3D3%26ct%3D1395748967%26rver%3D6%252E1%252E6206%252E0%26wp%3DMBI%26wreply%3Dhttps%253A%252F%252Fenvisionit%252Esharepoint%252Ecom%252F%255Fforms%252Fdefault%252Easpx%26lc%3D1033%26id%3D500046%26%26bk%3D1395748967%26LoginOptions%3D3
     • Remove the highlighted text (the parts highlighted on the slide; compare the trimmed URL on the next slide)
     • Add the desired URL as double-encoded text
  33. Smart Links
     https://fedsrv.envisionit.com/adfs/ls/?wa=wsignin1.0&wtrealm=urn:federation:MicrosoftOnline&wctx=wa%3Dwsignin1%252E0%26rpsnv%3D3%26ct%3D1395748967%26rver%3D6%252E1%252E6206%252E0%26wp%3DMBI%26wreply%3Dhttps%253A%252F%252Fenvisionit%252Esharepoint%252Ecom%252Fsites%252Feumwebinar

     Character   Double-encoded value
     :           %253A
     .           %252E
     /           %252F

     – A friendly URL and redirect can be set up to hide the complex URL
     – Our Custom 404 product is a good option for this
     – https://productdemo.envisionit.com/eumwebinar
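The two encoding layers on the Smart Links slides, worked through as an added example (this is not code from the webinar or from Envision IT). The ADFS endpoint, the realm and the captured ct/rver values are taken from the slides; the inner encoder reproduces what the capture shows (even "." becomes %2E), and the outer layer is an ordinary query-string encode, which is what turns ":", "." and "/" into %253A, %252E and %252F. The allow-list of landing hosts is an assumption added for the check at the end: because wreply is where the signed-in user is sent, a relying party should only honour landings on hosts it expects.

```python
"""Smart link builder for the ADFS / Office 365 sign-in URL on the slides.

Added example, not code from the webinar or from Envision IT.
"""
from urllib.parse import parse_qs, quote, urlsplit

ADFS_LS = "https://fedsrv.envisionit.com/adfs/ls/"       # ADFS endpoint from the slides
MSO_REALM = "urn:federation:MicrosoftOnline"
# Assumed allow-list for the demo tenant (not from the slides).
ALLOWED_REPLY_HOSTS = {"envisionit.sharepoint.com"}
# The trimmed smart link exactly as shown on slide 33, used as a reference value.
CAPTURED_SMART_LINK = (
    "https://fedsrv.envisionit.com/adfs/ls/?wa=wsignin1.0&wtrealm=urn:federation:MicrosoftOnline"
    "&wctx=wa%3Dwsignin1%252E0%26rpsnv%3D3%26ct%3D1395748967%26rver%3D6%252E1%252E6206%252E0"
    "%26wp%3DMBI%26wreply%3Dhttps%253A%252F%252Fenvisionit%252Esharepoint%252Ecom%252Fsites%252Feumwebinar"
)


def _encode_mso(value: str) -> str:
    """Inner-layer encoding as it appears in the capture: every byte that is not
    an ASCII letter or digit becomes %XX, so '.' becomes %2E (urllib's quote()
    would leave '.' alone, which is why a custom encoder is needed)."""
    return "".join(
        chr(b) if b < 0x80 and chr(b).isalnum() else "%%%02X" % b
        for b in value.encode("utf-8")
    )


def build_smart_link(target_url: str, ct: str = "1395748967", rver: str = "6.1.6206.0") -> str:
    """wreply is encoded once inside wctx; wctx is then encoded again as a query
    value.  ct and rver default to the values seen in the slide's capture."""
    inner = "&".join([
        "wa=" + _encode_mso("wsignin1.0"),
        "rpsnv=3",
        "ct=" + ct,
        "rver=" + _encode_mso(rver),
        "wp=MBI",
        "wreply=" + _encode_mso(target_url),
    ])
    wctx = quote(inner, safe="")  # outer layer: '%' -> %25, '=' -> %3D, '&' -> %26
    return f"{ADFS_LS}?wa=wsignin1.0&wtrealm={MSO_REALM}&wctx={wctx}"


def reply_target(smart_link: str) -> str:
    """Undo both layers: parse_qs decodes wctx once, then wreply inside it once more."""
    outer = parse_qs(urlsplit(smart_link).query)
    inner = parse_qs(outer["wctx"][0])
    return inner["wreply"][0]


def is_allowed_reply(smart_link: str) -> bool:
    """Defender's check: only accept https landings on hosts the tenant expects,
    since wreply decides where the browser goes after sign-in."""
    parts = urlsplit(reply_target(smart_link))
    return parts.scheme == "https" and parts.hostname in ALLOWED_REPLY_HOSTS


if __name__ == "__main__":
    link = build_smart_link("https://envisionit.sharepoint.com/sites/eumwebinar")
    print(link)
    print("matches slide 33:", link == CAPTURED_SMART_LINK)
    print("lands on:", reply_target(link), "| allowed:", is_allowed_reply(link))
```

Running the script rebuilds the slide-33 URL byte for byte from the plain site address, which is a quick way to confirm the "double-encoded value" table before wiring a friendly redirect in front of it.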
  34. Extranets in Office 365
     • External sharing using Microsoft accounts or other federated users
     • Licensing of external users as subscribers
  35. External Sharing
     • Supported by default by Office 365
     • Up to 10,000 external users can access a SharePoint Online site for free using Microsoft accounts
     • Also works for other federated users with subscriptions
     • Need to enable external sharing
     • Email invitations are sent out
     • Can be authenticated or anonymous
     • Hard to hide the Microsoft experience
     • No groups or central management
  36. Licensed External Users
     • Centrally managed
     • Group permissions
     • Full control over the login experience
     • Need to pay for a subscription
  37. Demo 3 Scenario
     • Sample site at https://thinktecturedev.sharepoint.com
     • Federated with Thinktecture Identity Server
     • Customized to work with Office 365
     • Login is customized with branding and ability to login with email address
     • Can still use ADFS for internal users
     • Smart link is https://productdemo.envisionit.com/thinktecturedev
  38. Why Thinktecture over ADFS?
     • Open source allows any customization
     • Fully brandable (ADFS allows branding within very particular parameters)
     • Login with email address instead of AD username
     • Use SQL instead of AD as the underlying user repository
     • Ability to incorporate the home realm discovery into the login form
  39. Authentication Process
  40. Managing Your External O365 Users with EUM
     • Delegate user management internally or externally to your organization
     • Self-registration and approvals
     • Full control over the accounts and login experience
     • Delegated group management simplifies permissions
     • Lost password reset
     • Improved governance over your Extranet
  41. • Easy delegation of user management to business • Self-registration, approvals, forgotten password reset • Single URL and sign-on
  42. Main Components
     • Administration console
       – Used by IT to configure EUM
       – Used by the business to manage users and groups
     • End User
       – Components that the Extranet users see
       – Login, disclaimer, change password, forgotten password
     • Registration
       – Allow users to self-register
       – Support approval workflows
  43. Demo 4
     • Self-registration and approval of a new external user
     • https://eum.eitdev.org/landing/register/register.aspx
     • We have not fully implemented the Graph API yet
     • Licensing of the new user is proving problematic
     • Using PowerShell for now:

         # Assumes the MSOnline module is connected (Connect-MsolService) and the ActiveDirectory module is loaded.
         # 1. List the licence SKUs in the tenant to find the AccountSkuId to assign.
         Get-MsolAccountSku | Format-Table AccountSkuId, SkuPartNumber
         # 2. Read the on-premises AD account ("userid" is the sAMAccountName or identity of the new user).
         $User = Get-ADUser userid
         # 3. Derive the ImmutableId (base64 of the objectGUID) that links the AD account to its WAAD shadow account.
         $immutableId = [Convert]::ToBase64String($User.ObjectGuid.ToByteArray())
         $DisplayName = $User.GivenName + " " + $User.Surname
         # 4. Create the WAAD account with the same UPN and the ImmutableId.
         New-MsolUser -DisplayName $DisplayName -UserPrincipalName $User.UserPrincipalName -ImmutableId $immutableId -UsageLocation CA
         # 5. Assign the SharePoint licence (tenant prefix and SKU from the demo tenant).
         Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -AddLicenses "Thinktecturedev:SHAREPOINTSTANDARD_YAMMER"
         # 6. Confirm the account exists and is licensed.
         Get-MsolUser | Select-Object UserPrincipalName, DisplayName, IsLicensed
  44. Apps and Office 365
     • Three main types of Apps
       – SharePoint Hosted: client side code only
       – Auto Hosted: server code runs in an Azure instance provided by Office 365
       – Provider Hosted: use your own server environment to host your server side code; doesn’t need to be Microsoft technology
  45. Apps and Office 365
     • No App code ever runs on the SharePoint farm
     • Apps are selected and installed by the end user
     • Need to explicitly trust the app to allow it to run
     • OAuth is used to provide the end-user’s authentication to the app and back to SharePoint
  46. Challenges with SharePoint Apps
     • For full functionality, apps need to be installed in each site where they are being used
     • No way to programmatically install them
     • This is a problem for apps that are used on many sites
  47. Alternative App Model
     • Client side code and REST APIs are the direction Microsoft is taking in general
     • Use this approach for Apps too
     • If Office 365 is authenticated using Thinktecture, that can be leveraged to authenticate provider hosted apps too
     • Thinktecture can provide a JSON Web Token (JWT) to the client-side code
       – Similar to a SAML token
       – It is the model going forward with WebAPI
     • This can be passed to and trusted by the REST API for authentication
  48. App Authentication Process with JWT (sequence diagram with User, Client Side Code, Provider App and Thinktecture; the App trusts the IP)
     1. Browse app; no JWT yet
     2. Redirected to IP (Thinktecture)
     3. IP returns JWT Security Token and the page
     4. Client side code saves the token in session
     5. REST call to the Provider App with the JWT
     6. Provider App returns JSON data
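The last two legs of this flow (the REST call carrying the JWT and the app's decision to trust it) as an added example; it is not code from the webinar, from Thinktecture Identity Server or from Envision IT. It uses only the Python standard library: an HMAC-SHA256 shared secret stands in for the identity provider's signing certificate, and the issuer URL (the IP hostname from the ADFS Servers slide), the audience name and the JSON payload are assumptions for the demo. The point on the defender's side is in `verify_jwt`: the app fixes the algorithm itself rather than reading it from the token, checks the signature with a constant-time compare, and then checks issuer, audience and expiry before returning data.

```python
"""JWT issue/verify for the provider-hosted app flow on the slides.

Added example, not code from the webinar, Thinktecture or Envision IT.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://login.thinktecturedev.com"           # IP hostname from the slides, assumed as JWT issuer
AUDIENCE = "urn:demo:provider-hosted-app"                # assumed audience name for the app's REST API
SHARED_KEY = b"constructed-demo-secret-do-not-reuse"    # constructed; a real IP signs with an X.509 key


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_segment(obj: dict) -> str:
    """One JWT segment: compact JSON, base64url without padding."""
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def issue_jwt(claims: dict, key: bytes) -> str:
    """What the identity provider does: sign header.payload with its key."""
    signing_input = encode_segment({"alg": "HS256", "typ": "JWT"}) + "." + encode_segment(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """What the REST API does before trusting the token.  Returns the claims or
    raises ValueError.  The algorithm is pinned here, never taken from the header."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, c64, s64 = parts
    header = json.loads(b64url_decode(h64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h64}.{c64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(c64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    now = int(time.time()) if now is None else now
    if now >= int(claims.get("exp", 0)):
        raise ValueError("expired")
    return claims


def handle_rest_call(authorization, key: bytes, now=None):
    """The provider app's REST endpoint: (200, data) for a valid bearer JWT,
    (401, error) otherwise.  The client-side code sends the token it kept in session."""
    if not authorization or not authorization.startswith("Bearer "):
        return 401, {"error": "missing bearer token"}
    try:
        claims = verify_jwt(authorization[len("Bearer "):], key, ISSUER, AUDIENCE, now)
    except ValueError as exc:
        return 401, {"error": str(exc)}
    return 200, {"user": claims["sub"], "items": ["item1", "item2"]}  # constructed JSON payload


if __name__ == "__main__":
    token = issue_jwt({"iss": ISSUER, "aud": AUDIENCE, "sub": "user@example.com",
                       "exp": int(time.time()) + 3600}, SHARED_KEY)
    print(handle_rest_call("Bearer " + token, SHARED_KEY))
```

Swapping `SHARED_KEY` and HS256 for the identity provider's public certificate and an RSA algorithm is the only change needed for a real Thinktecture deployment; the order of checks in `verify_jwt` stays the same.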
  49. Poll 3: Is there one of the topics you’d like me to go back over?
     • What is Federation?
     • ADFS and Office 365
     • External Scenarios in Office 365
     • Federation Customization with Thinktecture
     • Managing the Users with EUM
     • SharePoint App Authentication Alternative
  50. Poll 4: When would you like us to follow up?
     • Right away
     • April
     • May
  51. Pricing
     • $8,000 per production SharePoint farm
     • No limits on the number of web front ends
     • 20% annual Software Assurance provides all product updates
     • Dev and QA farm licenses provided with up to date Software Assurance
  52. Links
     • www.envisionit.com
     • blog.petercarson.ca
     • www.envisionit.com/eum
     • Video and presentation deck will be at www.envisionit.com/events
  53. Questions?
