Building Secure Extranets with Claims-Based Authentication #SPEvo13



Slides from my session at the SharePoint Evolution Conference 2013 about building secure extranets with Claims-Based Authentication

Slide notes:
  • NOT a technical deep dive on security or SAML: an explanation of the terminology and a demonstration of real-world examples.
  • e.g. Facebook OAuth – what is THEIR password complexity? Identity 2.0 – Dick Hardt. Facebook: "When you create a new password, make sure that it's at least 6 characters long. Try to use a complex combination of numbers, letters, and punctuation marks…"
  • C2WTS (Claims to Windows Token Service) – part of WIF, installed with SP2010+; necessary for
  • Not all identities or claims are created equally…
  • Some of you might recognise this driving license. I use it to present my claim (my name) in exchange for a ticket. The claims application (ground staff) checks whether it trusts the identity provider. It's actually the Parish of St. Clement in Jersey, but let's just say Jersey. I then get a token which allows me through security, who don't look at my ID anymore.
  • Firewall ports (port, protocol, service): 53 TCP/UDP – DNS; 88 TCP/UDP – Kerberos; 389 TCP/UDP – LDAP; 445 TCP – SMB; 636 TCP – LDAP (SSL).
  • ADFS CAN be installed on the DC; however, then you must have an ADFS proxy role or UAG to act as a proxy in front of the DC. However, UAG doesn't provide O365 or mobile device support. WID for less than 100 trusted relationships – internal users; WID + proxies – external DB.
  • App Identifier = Issuer GUID @ Realm GUID (Get-SPAuthenticationRealm); ServiceContext is $spweb.Site. Because applications need permissions too! Apps are security principals themselves.
  • Used to be $1.99 per 100,000 transactions. If you used to use

    1. Building Secure SharePoint Extranets with Claims Based Authentication #COM716 Aonghus (Gus)
    2. Aonghus Fraser (MCPD, MCITP, MCSD). Based in (Old) Jersey & Guernsey. SharePoint Lead Consultant @ C5 Alliance – ~75 consultants; ~18 SharePoint & CRM*. Working with SharePoint since WSS 2.0. / @gusfraser / #COM716. Run Blog at #SPRunners. *probably the highest concentration of SharePoint on the planet (unconfirmed)
    3. Jersey
    4. Guernsey
    5. Agenda: Extranets – Why? Why Claims? Claims-Based Authentication; Secure Extranet Topologies; Case Studies & Demonstrations; SharePoint 2013 – Claims First; Azure ACS & 3rd Party Providers
    6. SharePoint Buzzword Bingo: Cloud, App, Identity, Trust. SharePoints mean Prizes!
    7. Extranets – Why? Security: controlled information management & delivery; avoid insecure or uncontrolled use, e.g. email, Dropbox, SkyDrive etc. Customer service: self-service, 24x7. Efficiency: reduced manual effort.
    8. Extranets – Why Claims? Delegate authentication to a TRUSTED 3rd party (Federation). Standards & interoperability. SharePoint 2013… it's the future!
    9. Quis custodiet ipsos custodes? "Who Guards the Guards?" Trust problems since the 1st/2nd century… 21st century version: Who do I trust with my identity? Which identity provider do I trust to authenticate users/federate with? – Partner/Customer AD? – LiveID? – Facebook? – OpenID?
    10. Claims-Based Concepts. Identity: set of unique user-defining claims/attributes. Claim(s): identity attributes (e.g. username, email, role). Issuer / Authority / Provider: e.g. DC, ADFS, STS. Relying Party: application, e.g. SharePoint, custom app. Token
    11. What do we mean by Claim? A property that I HAVE / what I AM, e.g. name, email, username (could be a role). NOT what I can do (authorisation). Wrapped up in a SAML assertion/token (XML). C2WTS converts to Windows (Kerberos or NTLM).
    12. Claim Types. SharePoint STS (native SharePoint). Windows Claims (from Kerberos or NTLM to SAML token). Federated Claims: ADFS 2.0, Azure ACS. Custom Claims: custom STS.
    13. Real World Claims Analogy (diagram: Identity Provider, Claims, Identity)
    14. Secure Extranet Topologies
    15. Assumptions / Requirements: separate extranet farm (separate AD); firewalls between farms (ISA/TMG/UAG etc.); no external access to internal farm; no data to be stored in the public cloud.
    16. Scenario 1: Isolated Farms. No access to extranet farm without external AD account; limited collaboration. (Diagram: Internal Farm – Firewall, DB Cluster, APP[01-02], DC[01-02], WFE[01-02], Internal Users; Extranet Farm – DMZ WFE[01,02], DMZ DB Cluster, DMZ APP01, DMZ DC[01,02])
    17. Scenario 2: One-way AD Trust. Internal users granted access with AD trust; requires potentially undesirable firewall "holes". (Diagram: the same two farms as Scenario 1, with a one-way AD trust added between them)
    18. Scenario 3: ADFS 2.0. Internal users granted access via ADFS 2.0; most secure multiple-farm extranet with easy internal user access. (Diagram: the same two farms as Scenario 1, plus ADFS 2.0 servers ADFS[01,02])
    19. More on ADFS 2.0 (Source: Claims-based Identity, Second Edition)
    20. Case Studies
    21. Online Citizen Services Portal: jobs, news, planning applications. SharePoint 2010 front-end; CRM 2011 back-end; web services with X.509 certs; SharePoint STS with custom Membership provider.
    22. Systems Integration: Payment Gateway; JD Edwards; Licar (driving license system); Planning (Northgate).
    23. MyGov Topology (diagram: Internal Network – Firewall, DB Cluster, APP01, DCs[01–02], WFEs[01–03], Internal Users, CRM[01,02], JD Edwards, DVS, Planning; Extranet Farm – DMZ WFEs[01–04], DMZ DB Cluster, DMZ APP01, DMZ DCs[01-02])
    24. MyGov Sequence Diagram (participants: User, WFE/STS, CRM; steps as shown: Anon Request; Create SAML token; Login; Check credentials; Success; Augment Claim with CRM Identity; FedAuth Cookie; FedAuth Cookie)
    25. MYGOV CITIZEN PORTAL: claims-based authentication with back-end Microsoft Dynamics CRM integration
    26. DVS Online: book driving test. Re-use of Citizen Portal; different web app. SharePoint 2010 front-end; CRM 2011 back-end; Licar integration.
    27. DVS ONLINE: claims-based authentication with back-end Microsoft Dynamics CRM & Licar driver licensing system
    28. SharePoint 2013 Claims
    29. SharePoint 2013 "Claims First" – classic authentication deprecated (PowerShell only). Distributed Cache! No more sticky sessions for FedAuth cookies! Improved logging (ULS). Without claims: no Apps! No OWAPP! (e.g. search result preview). A lot of "net new" 2013 features use claims.
    30. Identities in SharePoint 2013: i:0#.f|membershipprovider|user; i:0#.w|domain\user; i:05.t|azure|; i:05.t|facebook|; i:0i.t|ms.sp.ext|{guid}@{guid}
    31. Upgrade / Migration Tips: upgrade classic 2010 farms to claims in 2010 BEFORE upgrading to 2013. Upgrade WindowsPrincipal code to IClaimsPrincipal.
    32. Azure Access Control Services: Identity Management in the Cloud
    33. Azure Access Control Services. Free! (since Nov 2012). Authentication, authorisation & integration with ID providers. Manages certs, relying parties, ID providers.
    34. ACS Architecture (Source:)
    35. ACS Supported ID Providers: WS-Fed, OpenID, ADFS 2.0, Windows Live ID, Facebook, Google ID, Yahoo
    37. Create Facebook App
    38. Setup Azure ACS ID Provider
    39. ACS ID Providers, Mappings & Certs
    40. ACS Claims Mapping
    41. Facebook App
    42. Facebook Claims
    43. References: A Guide to Claims-Based Identity and Access Control, Second Edition; Programming WIF; ACS Code Samples Index
    44. Bingo Prizes!
    45. Thank you for attending!
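The identity strings on slide 30 (i:0#.w|domain\user, i:05.t|azure|…, i:0i.t|ms.sp.ext|{guid}@{guid}) and the "Issuer GUID @ Realm GUID" app identifier from the slide notes all use the same SharePoint claim encoding. The decoder below is an added example written for this page; it is not code from the talk, from C5 Alliance or from SharePoint itself. The character-to-URI maps are partial and are my assumption about the encoding (unknown characters are passed through raw rather than guessed), the rule that Windows and STS issuers carry no issuer-name segment is likewise an assumption, and the function names and sample inputs are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Character maps are partial: they cover the forms shown on slide 30 and are
# an assumption about the SharePoint encoding, not taken from the talk.
CLAIM_TYPES = {
    "#": "http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname",
    "5": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "-": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
    "+": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
}
VALUE_TYPES = {".": "http://www.w3.org/2001/XMLSchema#string"}
ISSUER_TYPES = {
    "w": "Windows",
    "f": "Forms",
    "t": "TrustedProvider",
    "c": "ClaimProvider",
    "s": "SecurityTokenService",
}
# Assumption: these issuer types have no "<issuer>|" segment before the value.
_NO_ISSUER_SEGMENT = {"w", "s"}

# App principals (slide notes): value is "<issuer guid>@<realm guid>".
_GUID = r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}"
_APP_IDENTIFIER = re.compile(rf"^({_GUID})@({_GUID})$")


@dataclass
class EncodedClaim:
    is_identity: bool              # 'i' = identity claim, 'c' = other claim
    claim_type: str                # URI, or the raw character if not mapped
    value_type: str
    issuer_type: str
    issuer: Optional[str]          # provider name; None for Windows/STS issuers
    value: str
    app_id: Optional[str] = None   # set for ms.sp.ext app principals
    realm: Optional[str] = None


def decode_claim(encoded: str) -> EncodedClaim:
    """Decode '<i|c>:0<type><valuetype><issuertype>|[<issuer>|]<value>'."""
    if len(encoded) < 7 or encoded[1:3] != ":0" or encoded[6] != "|":
        raise ValueError(f"not a SharePoint encoded claim: {encoded!r}")
    prefix, type_ch, vtype_ch, issuer_ch = encoded[0], encoded[3], encoded[4], encoded[5]
    if prefix not in ("i", "c"):
        raise ValueError(f"unknown claim prefix {prefix!r}")
    rest = encoded[7:]
    if issuer_ch in _NO_ISSUER_SEGMENT:
        issuer, value = None, rest
    else:
        issuer, _, value = rest.partition("|")
    claim = EncodedClaim(
        is_identity=(prefix == "i"),
        claim_type=CLAIM_TYPES.get(type_ch, type_ch),
        value_type=VALUE_TYPES.get(vtype_ch, vtype_ch),
        issuer_type=ISSUER_TYPES.get(issuer_ch, issuer_ch),
        issuer=issuer,
        value=value,
    )
    if issuer == "ms.sp.ext":
        match = _APP_IDENTIFIER.match(value)
        if match:
            claim.app_id, claim.realm = match.group(1), match.group(2)
    return claim


def is_external_principal(encoded: str) -> bool:
    """True when the principal was not issued by the Windows (internal AD)
    issuer: forms users, federated (trusted provider) users and app
    principals. Handy when reviewing who has been granted access to an
    extranet site collection."""
    return decode_claim(encoded).issuer_type != "Windows"


if __name__ == "__main__":
    # Constructed sample inputs in the slide-30 forms (not real accounts).
    samples = [
        "i:0#.w|contoso\\alice",
        "i:0#.f|membershipprovider|bob",
        "i:05.t|azure|alice@example.com",
        "i:0i.t|ms.sp.ext|11111111-2222-3333-4444-555555555555@aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    ]
    for s in samples:
        c = decode_claim(s)
        print(f"{s}\n  issuer={c.issuer_type} ({c.issuer}) value={c.value!r} "
              f"external={is_external_principal(s)} app={c.app_id} realm={c.realm}")
```

Feeding the output of a user-permission export (for example the login names from site collection administrators or group membership) through `is_external_principal` gives a quick split between internal AD accounts and federated or forms-based accounts, which is exactly the distinction the one-way-trust and ADFS topologies on slides 17 and 18 are designed around.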