Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise
In this webinar, Envision IT demonstrates how ADFS federation can let external users access an Extranet with their DMZ accounts or other external identities, and use single sign-on to reach other systems beyond SharePoint. More details and the webinar recording are at http://www.envisionit.com/products/events/Pages/SharePoint-Extranet-Spring-Webinar-Series-Federation-and-SharePoint-On-Premise.aspx

Published in: Technology
1. SharePoint Extranet Spring Webinar Series: Federation and SharePoint On Premise
Presented by Peter Carson, President, Envision IT, April 8, 2014

2. Peter Carson
• President, Envision IT
• SharePoint MVP
• Virtual Technical Specialist, Microsoft Canada
• peter@envisionit.com
• http://blog.petercarson.ca
• www.envisionit.com
• Twitter @carsonpeter
• VP Toronto SharePoint User Group

3. Peter Mackenzie
• VP Sales & Marketing
• e: pmackenzie@envisionit.com
• p: (905) 812-3009 x244
• President, International Association of Microsoft Certified Partners (IAMCP) Canada

4. Product Support
Corey Thokle, EUM Support Manager
• e: cthokle@envisionit.com
• p: (905) 812 3009 ext.248
• http://www.linkedin.com/company/envision-it-inc
Amanda Da Costa, Sales & Marketing Support
• e: adacosta@envisionit.com
• p: (905) 812 3009 ext.250
• http://ca.linkedin.com/in/amandadacosta/

5. Agenda
• Envision IT Overview
• SharePoint On Premises Authentication Options
• What is Federation and how does it work?
• Demo Scenario
• SharePoint App Authentication Alternatives
• Wrap-Up and Q&A

6. Upcoming Sessions
Date | Event | Location
April 16 | Nintex Workflows and Forms at TSPUG | Toronto, Canada
April 22 | SharePoint Extranet Spring Webinar Series: Extranet User Provisioning | Online
May 6 | SharePoint Extranet Spring Webinar Series: Extranet Customer Case Studies | Online
May 7 | Cloud Business Apps, European SharePoint Conference | Barcelona, Spain
May 8 | Office 365 REST APIs, European SharePoint Conference | Barcelona, Spain
May 12 | SharePoint Federation and Extranet Workshop | Mississauga, Canada
May 27 | Cloud Business Apps, Toronto SharePoint Summit | Toronto, Canada
June 18 | SharePoint Extranet Full Day Workshop, SharePoint Fest | New York City
June 20 | Building a Web Site on SharePoint 2013, SharePoint Fest | New York City
www.envisionit.com/events
7. Envision IT Services Overview
Focused on complex SharePoint solutions, Envision IT is the “go-to” partner for Microsoft SharePoint, building integrated public web sites, Intranets, Extranets, and web applications that leverage your existing systems anywhere over the Internet.

8. Public Web Sites
We create interactive, content-rich customer-facing web sites that are able to grow and transform with changing needs.

9. Collaboration Portals
Our Collaboration Portals provide a secure space for teams to share knowledge and resources.

10. Extranets
Envision IT has a wealth of experience building Corporate Extranets that allow you to securely connect with customers and partners.

11. Intranets
Our Intranet Sites connect people to information, expertise and key business applications, and SharePoint provides a broad set of Enterprise Content Management features.

12. Products

13. Extranet User Manager
• Easy delegation of user management to business
• Self-registration, approvals, forgotten password reset
• Single URL and sign-on for AD

14. Pricing
• $8,000 per production SharePoint farm
• No limits on the number of web front ends
• 20% annual Software Assurance provides all product updates
• Dev and QA farm licenses provided with up to date Software Assurance

15. Extranet Clients

16. Microsoft SharePoint

17. Poll 1: Which version of SharePoint are you currently using?
• SharePoint Server 2013
• Office 365
• SharePoint Server 2010
• SharePoint Foundation (2010 or 2013)
• MOSS 2007 or WSS 3.0

18. Poll 2: How do you use SharePoint today?
• Internal collaboration
• Internal web publishing (Intranet)
• Extranets
• Public facing website
19. Identity Management, Authentication, and Authorization
Identity Management
• Process for managing the entire life cycle of digital identities, including the profiles of people, systems, and services
• For our purposes we are focused just on people
• Who creates and manages identities? The Extranet owner or the external users themselves?
• Are identities part of the Extranet or external to it?
Authentication and Authorization
• Authentication is the mechanism whereby systems may securely identify their users
• Authentication systems provide answers to the questions:
 Who is the user?
 Is the user really who he/she represents himself to be?
• Authorization is the mechanism by which a system determines what level of access a particular authenticated user should have
 Is user X authorized to access resource R?

20. SharePoint On Premise Authentication Options
(Diagram of the three options)
• Windows Authentication: Active Directory; Windows Claims or Classic Mode
• Forms-Based Authentication: .NET Providers (AD or SQL); Claims
• Federated Identity: Trusted Identity Provider backed by AD or another User Store; SharePoint is the Relying Party; Claims

21. Trusted Identity Providers
• Active Directory Federation Services (ADFS)
• Thinktecture Identity Server
• Social Identities
 Facebook
 LinkedIn
 Microsoft Account
 Google+

22. Authentication Providers

23. SharePoint Infrastructure
• SharePoint Farm (one or more servers)
 Web Application
 o Site Collection
 – Subsites
 » Lists and Libraries
 Application Pools
 IIS Sites
 Content Databases

24. Web Application Zones
• Authentication methods are defined for each zone of a web application
• Each web app can have up to five zones
 Default
 Intranet
 Extranet
 Internet
 Custom
• Multiple authentication methods can be applied to a single zone

25. When to Use Zones
• In general we recommend not to use multiple zones
• Everyone (internal and external users) should share a single https URL (https://portal.contoso.com)
• Confusion results otherwise
 Emailed links are broken for some of your users
 Workflows, tasks, and alerts point to the wrong URL (unless you are in the Default zone)
• The only exception is where you also need an anonymous http zone
 Mixed public and private sites
 This is the only scenario that Microsoft recommends
 The secure https zone should always be the default zone

26. Authentication Chooser
• The user decides what method to use to authenticate
• The goal should be to hide this from the user
 Use the IP address
 Check the email domain of the login email address
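Home realm discovery as slide 26 describes it (decide from the IP address first, then from the e-mail domain, so the user never sees a chooser), written out as an added Python example; this is not code from the presentation or from Envision IT's products, and the network ranges, e-mail domain and realm names are assumptions.

```python
import ipaddress
from typing import Optional

# Constructed policy for the deck's demo scenario: internal users (on the
# corporate network or with a corporate e-mail address) go to Windows
# authentication, everyone else goes to the external identity provider.
# The networks, domain and realm names are assumptions for illustration.
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.0.0/16")]
INTERNAL_EMAIL_DOMAINS = {"contoso.com"}

WINDOWS_AUTH = "windows"        # internal AD (NTLM/Kerberos)
EXTERNAL_IDP = "thinktecture"   # trusted identity provider for external users


def realm_for_ip(client_ip: str) -> Optional[str]:
    """Decide from the source address alone; None means 'undecided'.
    Use the address the web front end sees on the connection, not an
    unverified client-supplied header, which can be set to anything."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return None   # missing or malformed address: fall through to the e-mail check
    return WINDOWS_AUTH if any(addr in net for net in INTERNAL_NETWORKS) else None


def realm_for_email(login_email: str) -> str:
    """Decide from the domain part of the login e-mail address."""
    _, at, domain = login_email.strip().rpartition("@")
    if not at or not domain:
        return EXTERNAL_IDP   # no usable domain: treat as external
    return WINDOWS_AUTH if domain.lower() in INTERNAL_EMAIL_DOMAINS else EXTERNAL_IDP


def choose_realm(client_ip: str, login_email: str) -> str:
    """Home realm discovery in the order the deck suggests: IP first, then e-mail.
    This only picks which login method to present; authorization is still
    decided by the relying party from the token it receives."""
    return realm_for_ip(client_ip) or realm_for_email(login_email)
```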
27. SharePoint 2010/2013 Infrastructure

28. One Way Trust

29. EZ-Login FBA and LDAP

30. EZ-Login FBA and LDAP Externally

31. EZ-Login FBA External User

32. Federated Identity
• Trusted Identity Provider does the authentication
• Can be any SAML compliant provider
 Active Directory Federation Services
 Thinktecture Identity Server
 o www.thinktecture.com
 Social identities
• Can be AD, SQL, or other user repository under the hood
• Relying parties (such as SharePoint) trust the SAML token and provide the authorization based off that identity
• Provides Single Sign-On to multiple systems
 Can be any SAML claims compliant system, not just SharePoint

33. Federation

34. Internal Firewall Port Requirements
Windows Auth
• 123/UDP - W32Time
• 135/TCP - RPC Endpoint Mapper
• 464/TCP/UDP - Kerberos password change
• 49152-65535/TCP - RPC for LSA, SAM, Netlogon (*)
• 389/TCP/UDP - LDAP
• 636/TCP - LDAP SSL
• 3268/TCP - LDAP GC
• 3269/TCP - LDAP GC SSL
• 53/TCP/UDP - DNS
• 49152-65535/TCP - FRS RPC (*)
• 88/TCP/UDP - Kerberos
• 445/TCP - SMB
• 49152-65535/TCP - DFSR RPC (*)
Federation
• No internal ports required
• Done through trusted, signed tokens passed through browser posts
• May still want to open port 443 for internal users to log in through ADFS externally
FBA
• LDAP 389
• LDAPS 636
• SMB 445
http://support.microsoft.com/kb/179442#method4

35. Active Directory Federation Services
• ADFS 1.0
 Windows Server 2003
• ADFS 1.1
 Windows Server 2008
• ADFS 2.0
 Minimum to be used with SharePoint
 Free download
 Windows Server 2008 SP2 minimum
 ADFS Proxy is used in the DMZ to expose externally
• ADFS 2.1
 Windows Server 2012 Role
 ADFS Proxy is used in the DMZ to expose externally
• ADFS 3.0
 Windows Server 2012 R2 Role
 Web Application Proxy is used in the DMZ to expose externally
36. Mixed Mode Extranet: Federation and FBA

37. ADFS Externally: ADFS Proxy / Web Application Proxy

38. Authentication Process
(Sequence diagram; participants: Relying Party, Identity Provider, Active Directory. The RP trusts the IP.)
1. Browse app; not authenticated
2. Redirected to IP
3. IP authenticates the user
4. IP queries Active Directory for user attributes
5. IP returns the SAML Security Token (ST)
6. Browser sends the token (ST) to the Relying Party
7. Relying Party returns the page and a cookie

39. Certificates
• PKI SSL encryption is used for communication
• Token can be self-signed by the Identity Provider
• Token can also be encrypted with a self-signed certificate from the Identity Provider
(Diagram: certificate A is the Relying Party's communication certificate and B is the Identity Provider's; C is the token signing certificate, whose public key the Relying Party holds; D is the token encryption certificate, whose public key the other side holds; the roots for A and B must be trusted.)

40. ADFS Servers
Internal ADFS/DC Servers; DMZ ADFS Proxies / Web Application Proxy

41. ADFS Login Form
• Internal users shouldn’t see this
• Can be branded, within limits

42. Poll 3: What type of federation do you leverage today?
• ADFS
• Social identities (Facebook, Google, etc.)
• Other identity solution
• None

43. External User Federation

44. Demo Scenario
• Sample site at https://thinktecturedev.eitdev.org
• SharePoint 2013 on premises
• Windows Auth for internal users
• External users
 In a separate AD
 Authenticating through Thinktecture Identity Server
 Managed with the Envision IT Extranet User Manager

45. Why Thinktecture over ADFS?
• Open source allows any customization
• Fully brandable (ADFS allows branding within very particular parameters)
• Login with email address instead of AD username
• Use SQL instead of AD as the underlying user repository
• Ability to incorporate the home realm discovery into the login form

46. Extranet User Manager
• Easy delegation of user management to business
• Self-registration, approvals, forgotten password reset
• Single URL and sign-on

47. Main Components
• Administration console
 Used by IT to configure EUM
 Used by the business to manage users and groups
• End User
 Components that the Extranet users see
 Login, disclaimer, change password, forgotten password
• Registration
 Allow users to self-register
 Support approval workflows

48. Managing Your External Users with EUM
• Delegate user management internally or externally to your organization
• Self-registration and approvals
• Full control over the accounts and login experience
• Delegated group management simplifies permissions
• Lost password reset
• Improved governance over your Extranet
49. Registration

50. Approval Email

51. Approve the User

52. Welcome Email

53. Set Your Password

54. Login

55. Forgotten Password

56. Demo

57. Apps and SharePoint 2013
• Three main types of Apps
 SharePoint Hosted
 o Client side code only
 Auto Hosted
 o Server code runs in an Azure instance provided by Office 365
 o Only applies to Office 365
 Provider Hosted
 o Use your own server environment to host your server side code
 o Doesn’t need to be Microsoft technology

58. Apps and SharePoint 2013
• No App code ever runs on the SharePoint farm
• Apps are selected and installed by the end user
• Need to explicitly trust the app to allow it to run
• OAuth is used to provide the end-user’s authentication to the app and back to SharePoint

59. Challenges with SharePoint Apps
• For full functionality, apps need to be installed in each site where they are being used
• No way to programmatically install them
• This is a problem for apps that are used on many sites

60. Alternative App Model
• Client side code and REST APIs are the direction Microsoft is taking in general
• Use this approach for Apps too
• If SharePoint is authenticated using Thinktecture, that can be leveraged to authenticate provider hosted apps too
• Thinktecture can provide a JSON Web Token (JWT) to the client-side code
 Similar to a SAML token
 It is the model going forward with WebAPI
• This can be passed to and trusted by the REST API for authentication

61. App Authentication Process with JWT
(Sequence diagram; participants: Client Side Code, Provider App, Thinktecture. The app trusts the IP.)
1. Browse app; no JWT
2. Redirected to IP; the user authenticates
3. IP returns the JWT Security Token
4. Page is returned; the token is saved in the session
5. REST call to the provider app with the token (JWT)
6. Provider app returns JSON data
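The JWT flow of slides 60 and 61 (the identity provider mints a token, the client-side code holds it, and the REST API verifies it before returning data), as an added Python example; this is not Thinktecture or Envision IT code. To stay standard-library only it uses an HMAC secret shared by issuer and API (HS256), whereas the deck's setup would have the REST API verify the identity provider's RSA signature with its public key; the secret, audience and subject values are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values (assumptions, not from the deck): a shared HMAC secret
# stands in for the identity provider's RSA signing certificate so this runs
# with the standard library only. In the deck's setup the REST API would hold
# only the IdP's public key and would not be able to mint tokens itself.
SECRET = b"constructed-demo-secret-do-not-reuse"
ISSUER = "https://thinktecturedev.eitdev.org"   # sample site named in the deck
AUDIENCE = "urn:demo:provider-hosted-app-api"    # assumed audience of the REST API


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(subject: str, email: str, lifetime_s: int = 3600, now: int = None) -> str:
    """Identity provider side: mint a compact HS256 JWT for the client-side code."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": subject, "email": email,
              "iat": now, "exp": now + lifetime_s}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token: str, now: int = None) -> dict:
    """REST API side: return the claims only if algorithm, signature, issuer,
    audience and expiry all check out; otherwise raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, c_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    # Pin the algorithm: the token must never be allowed to choose it (e.g. "none").
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{h_b64}.{c_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(c_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("untrusted issuer")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("token not issued for this API")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    return claims
```

The API trusts only what the signature covers, so a tampered claim set, a token with its algorithm switched, or an expired token is rejected before any data is returned.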
62. Poll 4: When would you like us to follow up?
• Right away
• May
• June

63. Upcoming Sessions (same as slide 6)

64. Pricing (same as slide 14)

65. Links
• www.envisionit.com
• blog.petercarson.ca
• www.envisionit.com/eum
• Video and presentation deck will be at www.envisionit.com/events

66. Questions?