Downloaded 43 times
Uploaded byThorbjørn Værp
T28 implementing adfs and hybrid share point
The document discusses the implementation of ADFS and claims-based authentication in SharePoint 2013, highlighting the limitations of traditional authentication mechanisms. It explains claims-based identity as an abstraction layer with claims being authoritative statements stored in security tokens, and outlines the ADFS setup process for SharePoint. The author emphasizes the need for public certificates and proper configuration to ensure a functional environment.
More Related Content
Similar to T28 implementing adfs and hybrid share point
More from Thorbjørn Værp
T28 implementing adfs and hybrid share point
- 1. Implementing ADFS and HybridSharePoint Thorbjørn Værp
- 2. About me Thorbjørn Værp PrincipalConsultant Puzzlepart Kristiansand, Norway www.Sharepoint13.net | @vaerpn Celebrating 21 years IT-pro, 11 of them in SP MCT | XVC #ESPC14
- 3. Agenda • History • Claims-basedauthentication • ADFS & SharePoint 2013
- 4.
- 6. A Web serviceis a method of communications between two electronic devices over a network. It is a software function provided at a network address over the web with the service always on as in the concept of utility computing.
- 7. An open standardfor authentication Similar architecture to WS-* OpenID authentication used by PayPal, Google, VeriSign, Twitter +
- 8. An open standardfor authorization Method for clients to access server resources on behalf of a resource owner Oauth has no signing or encryption (it relies only on ssl for opacity) Wide adoption, Facebook, Microsoft, Two version, 1.0 & 2.0 –no backwards compability.
- 9. Traditional authentication mechanisms •Anonymous • Basic • NTLM / Kerberos (WIA) • Forms based AuthN
- 10. The problem withauthentication • Current technologies do not work well on the Internet (NTLM, Kerberos etc.) – Basic is the only authentication mechanism that was part of the HTTP (1.0), all the others are bolted on • Several and different user stores (AD, LDAP, eDir) • Relies on your particular platform • Authentication had to be handled and understood by the developers, whose time is better spent developing the application • Each new authentication scheme required chaning the code
- 12.
- 13. What is claims-basedidentity? • Abstraction layer (indirection) • A claim is an authoritative statement about a subject made by an entity • A claim can be anything (not just security information) that can be associated with a subject – Name | Age | Group membership | Role • A claim is always associated with the entity that issued it • There are several claim standards • Claims are stored and transmitted in security tokens
- 14. What is claimsbased identity? – XML or binary fragments constructed according to some security standard – Digitally signed • There are several token formats • SAML (Security Assertion Markup Language) JWT (JSON Web Token) SWT (Simple Web Token) • Claims based identity requires a trust model – Usually implemented with digital certificates
- 15. Claims in SharePoint2013 3 types of claim providers Windows Trusted Provider (SAML) Forms Based AuthN Multiple AuthN providers possible in the same zone Classic mode only via PowerShell
- 16. Claims in SharePoint2013 • SP 2013 has its own STS implementation • The SP 2013 Federation Metadata is in JSON, not XML • Both Classic authentication mode (WIA) and claims mode (WIA/FBA/SAML) is supported, but claims is the default • In claims mode every form of AuthN is transformed to a SAML token
- 17. SAML-based Claims inSP2013
- 18.
- 19.
- 20.
- 21.
- 22.
- 23.
- 24.
- 25.
- 26. Grocery list • 4Public Certificates + (eg.RapidSSL) • Fs3.vaerpn.com • Sp.vaerpn.com • Tokensign.vaerpn.com • Decrypt.vaerpn.com • Reverse proxy, (WEP, F5, Netscaler, Azure Endpoints,) • Update public DNS • Update internal DNS • ADFS server, one or more • SharePoint 2013
- 27. Step by Step TheEnvironment • We got AD with a routable domain | vaerpn.com, externaly registered. • Enterprise Admin access AD DS & available admin e-mail • SP 2013 with SQL server • Firewall/ReverseProxy or Azure • One or more Win2012 R2 domain joined servers to add ADFS 3.0 Role What to do: 1.Get those Certificates, 2. Add ADFS Role, 3. Configure ADFS & Certificates 4. Configure Claim Rule, 5: Add RelayingParty Identifier, 6. Create & Connect SP Trusted Identity Provider
- 39. Repeat until youhave 4 certificates adfs.vaerpn.com -> for ADFS service signing.vaerpn.com ->for token signing decrypt.vaerpn.com ->for decrypt (not used by SP but a prereq) sp.vaerpn.com ->for SSL on SharePoint web app (one pr.web app)
- 78. • Copy thisto the SharePoint WFE
- 81. -> Run this ->Check this
- 88. Wrap Up History WS-*, OpenID,OpenAuth, David Wheeler "All problems in computer science can be solved by another level of indirection." Claims A claim is an authoritative statement about a subject made by an entity. In claims mode every form of AuthN is transformed to a SAML token ADFS & SharePoint 2013 ADFS 3.0 no IIS. Always use public certificates, plan stuff, Must use PowerShell
- 90.
Editor's Notes
- #2 welcome. Click slide
- #3 Takethe Picture
- #4 Hands up IT-pro or IT-dev, BI/Business (great) , ADFS 2.0 or 3.0, Is it a great first day -?
- #6 Subject: anythingthatneeds to be identified (authenticated) aka. principal/userAuthentication (AuthN): The processofestablishingidentity, preferably mutual. This requiresproof, usually in the form ofcredentials. Authorization (AuthZ): Determining, and granting or denyingaccess to resources for subjectImpersonation: A service canact as theuserwhileperforming an action onthe same server the service is hostedonDelegation: A service canact as theuserwhileperforming an action hostedonanother server Profile store: Service/appprofileinformationwith an immutable ID for eachsubject
- #7 There are a variety of specifications associated with web services. These specifications are in varying degrees of maturity and are maintained or supported by various standards bodies and entities. These variety of specifications are the basic web services framework established by first-generation standards represented by WSDL, SOAP, and UDDI.[1] Specifications may complement, overlap, and compete with each other. Web service specifications are occasionally referred to collectively as "WS-*", though there is not a single managed set of specifications that this consistently refers to, nor a recognized owning body across them all.“WS-“is a prefix used to indicate specifications associated with Web Services and there exist many WS* standards including WS-Addressing, WS-Discovery, WS-Federation, WS-Policy, WS-Security, and WS-Trust.[2] This page includes many of the specifications that might be considered a part of "WS-*".
- #8 OpenID is an open standard that allows users to be authenticated by certain co-operating sites (known as Relying Parties or RP) using a third party service, eliminating the need for webmasters to provide their own ad hoc systems and allowing users to consolidate their digital identities.[1]
- #9 OAuth began in November 2006 when Blaine Cook was developing the TwitterOpenID implementation. Meanwhile, Ma.gnolia needed a solution to allow its members with OpenIDs to authorize Dashboard Widgets to access their service. Cook, Chris Messina and Larry Halff from Magnolia met with David Recordon to discuss using OpenID with the Twitter and Ma.gnolia APIs to delegate authentication. They concluded that there were no open standards for API access delegation.OAuth 2.0 is the next evolution of the OAuth protocol and is not backwards compatible with OAuth 1.0. OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices. The specification and associated RFCs are developed by the IETF OAuth WG;[4] the main framework was published in October 2012. (It was expected to be finalized by the end of 2010, according to Eran Hammer.[5] However, due to discordant views about the evolution of OAuth, Hammer left the working group.[6])Facebook's new Graph API only supports OAuth 2.0.[7]Google supports OAuth 2.0 as the recommended authentication mechanism for all of its APIs.[8] As of 2011 Microsoft[9] has added OAuth 2.0 experimental support to their APIs.The OAuth 2.0 Framework[10] and Bearer Token Usage[11] were published in October 2012. Other documents are still being worked on within the OAuth working group.
- #10 Anonymous • Not technicallyclientauthentication • Basic • Part of HTTP 1.0 spec • Ubiquitous support • Server knowstheusername/password • NTLM/Kerberos (WIA) • Cannottraversefirewalls or proxies • Forms basedAuthN • Authenticationhappensindependentof transfer protocol • Authenticationimplemented in theapplication • Occursafter IIS authentication
- #12 From wikipediaEducation[edit]Wheeler was born in Birmingham and gained a scholarship at Trinity College, Cambridge to read the Cambridge Mathematical Tripos, graduating in 1948.[14] He completed the world's first[citation needed] PhD in computer science in 1951.[15]Career[edit]Wheeler's contributions to the field included work on the EDSAC[16] and the Burrows–Wheeler transform. Along with Maurice Wilkes and Stanley Gill he is credited with the invention of the subroutine (which they referred to as the closed subroutine), a predecessor of the infamous goto statement;[5] as a result, the jump to subroutine instruction is often called Wheeler Jump. He was responsible for the implementation of the CAP computer, the first to be based on security capabilities. In cryptography, he was the designer of WAKE and the co-designer of the TEA and XTEA encryption algorithms together with Roger Needham.Wheeler married Joyce Blackler in August 1957, who herself used EDSAC for her own mathematical investigations as a research student from 1955. He became a Fellow of Darwin College, Cambridge in 1964 and formally retired in 1994, although he continued to be an active member of the University of CambridgeComputer Laboratory until his death. In 1994 he was inducted as a Fellow of the Association for Computing Machinery. In 2003 he was a Computer History Museum Fellow Award recipient. The Computer Laboratory at the University of Cambridge annually holds the "Wheeler Lecture", a series of distinguished lectures named after him.[17]Wheeler is often quoted as saying "All problems in computer science can be solved by another level of indirection."[18] Another quotation attributed to him is "Compatibility means deliberately repeating other people's mistakes
- #14 • • • Abstractionlayer (indirection) A claim is an authoritative statement about a subjectmade by an entity A claimcan be anything (not just securityinformation) thatcan be associatedwith a subject • • • • • • • • XML or binary fragments constructedaccording to somesecurity standard Digitallysigned • • • • • • Name Age Group membershipRole SAML (Security AssertionMarkup Language) JWT (JSON Web Token) SWT (Simple Web Token) • Usuallyimplementedwith digital certificates A claim is alwaysassociatedwiththeentitythatissued it Thereareseveralclaim standards Claimsarestored and transmitted in security tokens Thereareseveral token formats Claimsbasedidentityrequires a trust modelClaims-based identity is a common way for applications to acquire the identity information they need about users inside their organization, in other organizations, and on the Internet.[1] It also provides a consistent approach for applications running on-premises or in the cloud.The key strength of claims-based identity is that it abstracts the individual elements of identity and access control into two parts; a single, general notion of claims and the concept of an issuer or an authority.[2]A claim is a statement that one subject, such as a person or organization, makes about itself or another subject. For example the statement can be about a name, group, buying preference, ethnicity, privilege, association or capability. The subject making the claim or claims is the provider. Claims are packaged into one or more tokens that are then issued by an issuer (provider), commonly known as a Security Token Service (STS).[2]
- #15 Claims-based identity is a common way for applications to acquire the identity information they need about users inside their organization, in other organizations, and on the Internet.[1] It also provides a consistent approach for applications running on-premises or in the cloud.The key strength of claims-based identity is that it abstracts the individual elements of identity and access control into two parts; a single, general notion of claims and the concept of an issuer or an authority.[2]A claim is a statement that one subject, such as a person or organization, makes about itself or another subject. For example the statement can be about a name, group, buying preference, ethnicity, privilege, association or capability. The subject making the claim or claims is the provider. Claims are packaged into one or more tokens that are then issued by an issuer (provider), commonly known as a Security Token Service (STS).[2]
- #18 SAML-Basedclaimsauthenticationprocess for SharePoint 2013Security AssertionMarkup Languagehttp://en.wikipedia.org/wiki/Saml
- #26 WHY ADFSNatural candidate for SharePointSupports the necessary standardsIntegration with Active DirectoryOften used as a go-betweenPowerful capabilitiesFree with Windows Server licenseSolutions on the market:CA SiteMinderShibollethOracle Access ManagerIBM Tivoli Access ManagerActive Directory Federation ServicesCustom solutions using WIF
- #27 Edge FireWall –not recommended.
- #28 Adminenabled e-mail for thatcertificateapprover e-mail.RP=Relaying Party
- #42 Consideraddroles and featurespic, server manager dashboard
- #54 Apearwithout KDR, set -spn
- #57 DNS onthe AD DS, A record, not C-name
- #58 https://fs3.vaerpn.com/federationmetadata/2007-06/federationmetadata.xmlhttps://fs3.vaerpn.com/adfs/ls/IDPInitiatedSignon.aspx
- #78 Animation: Copy to file, export