SharePoint Extranet Spring
Webinar Series
Federation and SharePoint On
Premise
Presented by Peter Carson
President, Envision IT
April 8, 2014
Peter Carson
• President, Envision IT
• SharePoint MVP
• Virtual Technical Specialist, Microsoft Canada
• peter@envisionit.com
• http://blog.petercarson.ca
• www.envisionit.com
• Twitter @carsonpeter
• VP Toronto SharePoint User Group
Peter Mackenzie
• VP Sales & Marketing
• e: pmackenzie@envisionit.com
• p: (905) 812-3009 x244
• President, International Association of Microsoft Certified Partners (IAMCP) Canada
Product Support
Corey Thokle, EUM Support Manager
• e: cthokle@envisionit.com
• p: (905) 812 3009 ext.248
• http://www.linkedin.com/company/envision-it-inc
Amanda Da Costa, Sales & Marketing Support
• e: adacosta@envisionit.com
• p: (905) 812 3009 ext.250
• http://ca.linkedin.com/in/amandadacosta/
Agenda
• Envision IT Overview
• SharePoint On Premises Authentication Options
• What is Federation and how does it work?
• Demo Scenario
• SharePoint App Authentication Alternatives
• Wrap-Up and Q&A
Upcoming Sessions
Date | Event | Location
April 16 | Nintex Workflows and Forms at TSPUG | Toronto, Canada
April 22 | SharePoint Extranet Spring Webinar Series - Extranet User Provisioning | Online
May 6 | SharePoint Extranet Spring Webinar Series - Extranet Customer Case Studies | Online
May 7 | Cloud Business Apps, European SharePoint Conference | Barcelona, Spain
May 8 | Office 365 REST APIs, European SharePoint Conference | Barcelona, Spain
May 12 | SharePoint Federation and Extranet Workshop | Mississauga, Canada
May 27 | Cloud Business Apps, Toronto SharePoint Summit | Toronto, Canada
June 18 | SharePoint Extranet Full Day Workshop, SharePoint Fest | New York City
June 20 | Building a Web Site on SharePoint 2013, SharePoint Fest | New York City
www.envisionit.com/events
Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise
Focused on complex SharePoint solutions,
Envision IT is the “go-to” partner for Microsoft
SharePoint, building integrated public web sites,
Intranets, Extranets, and web applications that
leverage your existing systems anywhere over the
Internet.
Envision IT Services Overview
Public Web Sites
We create interactive, content-rich customer-facing web sites
that are able to grow and transform with changing needs
Collaboration Portals
Our Collaboration Portals provide a secure space for teams to
share knowledge and resources
Extranets
Envision IT has a wealth of experience building Corporate
Extranets that allow you to securely connect with customers and
partners
Intranets
Our Intranet Sites connect people to information, expertise and
key business applications, and SharePoint provides a broad set of
Enterprise Content Management features
Products
• Easy delegation of user management to business
• Self-registration, approvals, forgotten password reset
• Single URL and sign-on for AD
Pricing
• $8,000 per production SharePoint farm
• No limits on the number of web front ends
• 20% annual Software Assurance provides all
product updates
• Dev and QA farm licenses provided with up to date
Software Assurance
Extranet Clients
Microsoft SharePoint
Poll 1
Which Version of SharePoint are you currently
using?
• SharePoint Server 2013
• Office 365
• SharePoint Server 2010
• SharePoint Foundation (2010 or 2013)
• MOSS 2007 or WSS 3.0
Poll 2
How do you use SharePoint today?
• Internal collaboration
• Internal web publishing (Intranet)
• Extranets
• Public facing website
Identity Management, Authentication, and Authorization
Identity Management
• Process for managing the entire life cycle of digital identities, including the profiles of people, systems, and services
• For our purposes we are focused just on people
• Who creates and manages identities? The Extranet owner or the external users themselves?
• Are identities part of the Extranet or external to it?
Authentication and Authorization
• Authentication is the mechanism whereby systems may securely identify their users
• Authentication systems provide answers to the questions:
 Who is the user?
 Is the user really who he/she claims to be?
• Authorization is the mechanism by which a system determines what level of access a particular authenticated user should have
 Is user X authorized to access resource R?
SharePoint On Premise Authentication Options
• Windows Authentication
 Active Directory user store
 Windows Claims or Classic Mode
• Forms-Based Authentication
 .NET membership providers
 AD or SQL user store
 Claims
• Federated Identity
 Trusted Identity Provider (with its own AD user store)
 Relying Party (SharePoint)
 Claims
Trusted Identity Providers
• Active Directory Federation Services (ADFS)
• Thinktecture Identity Server
• Social Identities
 Facebook
 Linkedin
 Microsoft Account
 Google+
Authentication Providers
SharePoint Infrastructure
• SharePoint Farm (one or more servers)
 Web Application
o Site Collection
– Subsites
» Lists and Libraries
 Application Pools
 IIS Sites
 Content Databases
Web Application Zones
• Authentication methods are defined for each zone of a web application
• Each web app can have up to five zones
 Default
 Intranet
 Extranet
 Internet
 Custom
• Multiple authentication methods can be applied to a single zone
When to Use Zones
• In general we recommend not to use multiple zones
• Everyone (internal and external users) should share a single https url (https://portal.contoso.com)
• Confusion results otherwise
 Emailed links are broken for some of your users
 Workflows, tasks, and alerts point to the wrong URL (unless you are in the Default zone)
• The only exception is where you also need an anonymous http zone
 Mixed public and private sites
 This is the only scenario that Microsoft recommends
 Secure https zone should always be the default zone
Authentication Chooser
• The user decides what method to use to authenticate
• Goal should be to hide this choice from the user
 Use the IP address
 Check the email domain of the login email address
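An added example (not from the deck) of the authentication chooser logic: home realm discovery from the client IP and the e-mail domain, so the user is never asked to pick a method. The network ranges, domains and identity provider URLs are constructed placeholders.

```python
import ipaddress
from typing import Optional

# Constructed sample configuration (placeholders, not Envision IT's values).
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.0.0/16")]
# Domains owned by the organisation: internal users. From inside they get
# Windows Auth; from outside they are sent to the organisation's ADFS.
INTERNAL_DOMAINS = {"contoso.com"}
INTERNAL_ADFS = "https://adfs.contoso.example/adfs/ls"
# Partner domains that federate through their own identity provider.
FEDERATED_DOMAINS = {"fabrikam.com": "https://adfs.fabrikam.example/adfs/ls"}
# Everyone else is an extranet user handled by the extranet identity provider.
EXTRANET_IDP = "https://thinktecture.example/issue"


def email_domain(login_email: Optional[str]) -> Optional[str]:
    """Return the lower-cased domain of a login e-mail, or None if malformed."""
    if not login_email:
        return None
    local, sep, domain = login_email.strip().lower().rpartition("@")
    if not sep or not local or not domain or "." not in domain:
        return None
    return domain


def matching_domain(domain: str, known: set) -> Optional[str]:
    """Match the domain or any parent domain (sales.contoso.com -> contoso.com)
    by whole labels, so notcontoso.com never matches contoso.com."""
    labels = domain.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in known:
            return candidate
    return None


def is_internal_ip(client_ip: str) -> bool:
    """True when the client address falls inside an internal network."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # an unparsable address is treated as external
    return any(addr in net for net in INTERNAL_NETWORKS)


def choose_auth(client_ip: str, login_email: Optional[str]) -> dict:
    """Pick the sign-in method for a request; the user only ever types an e-mail."""
    if is_internal_ip(client_ip):
        return {"method": "windows", "reason": "internal network"}
    domain = email_domain(login_email)
    if domain is None:
        return {"method": "error", "reason": "enter a valid e-mail address"}
    if matching_domain(domain, INTERNAL_DOMAINS):
        return {"method": "adfs", "redirect": INTERNAL_ADFS}
    partner = matching_domain(domain, set(FEDERATED_DOMAINS))
    if partner:
        return {"method": "federated", "redirect": FEDERATED_DOMAINS[partner]}
    return {"method": "extranet", "redirect": EXTRANET_IDP}
```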
SharePoint 2010/2013 Infrastructure
One Way Trust
EZ-Login FBA and LDAP
EZ Login FBA and LDAP Externally
EZ-Login FBA External User
Federated Identity
• Trusted Identity Provider does the authentication
• Can be any SAML compliant provider
 Active Directory Federation Services
 Thinktecture Identity Server
 o www.thinktecture.com
 Social identities
• Can be AD, SQL, or other user repository under the hood
• Relying parties (such as SharePoint) trust the SAML token and provide the authorization based off that identity
• Provides Single Sign-On to multiple systems
 Can be any SAML claims compliant system, not just SharePoint
Federation
Internal Firewall Port Requirements
Windows Auth
• 123/UDP - W32Time
• 135/TCP - RPC Endpoint Mapper
• 464/TCP/UDP - Kerberos password change
• 49152-65535/TCP - RPC for LSA, SAM, Netlogon (*)
• 389/TCP/UDP - LDAP
• 636/TCP - LDAP SSL
• 3268/TCP - LDAP GC
• 3269/TCP - LDAP GC SSL
• 53/TCP/UDP - DNS
• 49152-65535/TCP - FRS RPC (*)
• 88/TCP/UDP - Kerberos
• 445/TCP - SMB
• 49152-65535/TCP - DFSR RPC (*)
Federation
• No internal ports required
• Done through trusted, signed tokens passed through browser posts
• May still want to open port 443 for internal users to log in through ADFS externally
FBA
• LDAP 389
• LDAPS 636
• SMB 445
http://support.microsoft.com/kb/179442#method4
Active Directory Federation Services
• ADFS 1.0
 Windows Server 2003
• ADFS 1.1
 Windows Server 2008
• ADFS 2.0
 Minimum to be used with SharePoint
 Free download
 Windows Server 2008 SP2 minimum
 ADFS Proxy is used in the DMZ to expose externally
• ADFS 2.1
 Windows Server 2012 Role
 ADFS Proxy is used in the DMZ to expose externally
• ADFS 3.0
 Windows Server 2012 R2 Role
 Web Application Proxy is used in the DMZ to expose externally
Mixed Mode Extranet
Federation FBA
ADFS Externally
ADFS Proxy
Web Application Proxy
Authentication Process
Participants: user's browser, Relying Party (RP, e.g. SharePoint), Identity Provider (IP), Active Directory
• User browses the app on the Relying Party
• Not authenticated, so the browser is redirected to the Identity Provider
• Identity Provider authenticates the user against Active Directory
• Identity Provider queries Active Directory for user attributes
• Identity Provider returns a SAML Security Token (ST) to the browser
• Browser sends the token to the Relying Party
• RP trusts IP: the Relying Party accepts the ST and returns the page and a session cookie
Certificates
• PKI SSL encryption is used for communication
• Token can be self-signed by the Identity Provider
• Token can also be encrypted with a self-signed certificate from the Identity Provider
Diagram (Relying Party and Identity Provider columns):
 Communication: certificate A on the Relying Party and certificate B on the Identity Provider, each chained to its own root
 Signing: the Identity Provider signs the security token (ST) with certificate C; the Relying Party holds the public key of C
 Encryption: the ST is encrypted using certificate D, with the public key of D held by the other party
ADFS Servers
Internal ADFS/DC Servers DMZ ADFS Proxies
Web Application Proxy
ADFS Login Form
• Internal users shouldn’t see this
• Can be branded, within limits
Poll 3
What type of federation do you leverage today?
• ADFS
• Social identities (Facebook, Google, etc.)
• Other identity solution
• None
External User Federation
Demo Scenario
• Sample site at https://thinktecturedev.eitdev.org
• SharePoint 2013 on premises
• Windows Auth for internal users
• External users
 In a separate AD
 Authenticating through Thinktecture Identity Server
 Managed with the Envision IT Extranet User Manager
Why Thinktecture over ADFS?
• Open source allows any customization
• Fully brandable (ADFS allows branding within very particular parameters)
• Login with email address instead of AD username
• Use SQL instead of AD as the underlying user repository
• Ability to incorporate the home realm discovery into the login form
Extranet User Manager
• Easy delegation of user management to business
• Self-registration, approvals, forgotten password reset
• Single URL and sign-on
Main Components
• Administration console
 Used by IT to configure EUM
 Used by the business to manage users and groups
• End User
 Components that the Extranet users see
 Login, disclaimer, change password, forgotten
password
• Registration
 Allow users to self-register
 Support approval workflows
Managing Your External Users with EUM
• Delegate user management internally or externally to your organization
• Self-registration and approvals
• Full control over the accounts and login experience
• Delegated group management simplifies permissions
• Lost password reset
• Improved governance over your Extranet
Registration
Approval Email
Approve the User
Welcome Email
Set Your Password
Login
Forgotten Password
Demo
Apps and SharePoint 2013
• Three main types of Apps
 SharePoint Hosted
 o Client side code only
 Auto Hosted
 o Server code runs in an Azure instance provided by Office 365
 o Only applies to Office 365
 Provider Hosted
 o Use your own server environment to host your server side code
 o Doesn’t need to be Microsoft technology
Apps and SharePoint 2013
• No App code ever runs on the SharePoint farm
• Apps are selected and installed by the end user
• Need to explicitly trust the app to allow it to run
• OAuth is used to provide the end-user’s authentication to the app and back to SharePoint
Challenges with SharePoint Apps
• For full functionality, apps need to be installed in each site where they are being used
• No way to programmatically install them
• This is a problem for apps that are used on many sites
Alternative App Model
• Client side code and REST APIs are the direction Microsoft is taking in general
• Use this approach for Apps too
• If SharePoint is authenticated using Thinktecture, that can be leveraged to authenticate provider hosted apps too
• Thinktecture can provide a JSON Web Token (JWT) to the client-side code
 Similar to a SAML token
 It is the model going forward with WebAPI
• This can be passed to and trusted by the REST API for authentication
App Authentication Process with JWT
Participants: Client Side Code (browser), Provider App (REST API), Thinktecture (IP)
• Browse app: no JWT yet, so the client is redirected to the IP
• User authenticates at the IP
• IP returns a JWT Security Token and the page is returned; the client saves the token in session
• Client makes a REST call to the Provider App with the JWT
• App trusts IP: the Provider App validates the JWT and returns JSON data
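The trust step at the centre of both sequences above, the relying party accepting the SAML token from the identity provider and the provider-hosted app accepting the JWT from Thinktecture, as an added example that is not part of the deck: a minimal token issuer and the validation a REST API performs before returning JSON data. It assumes an HMAC shared secret (HS256) so it runs offline with the standard library; a real identity provider signs with its private key and the app verifies with the published certificate. The issuer and audience URLs are placeholders.

```python
import base64
import hashlib
import hmac
import json

# Constructed shared secret for this offline demo (assumption: HS256 instead
# of the asymmetric signing a real IdP such as Thinktecture would use).
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"
ISSUER = "https://idp.example.test"        # placeholder identity provider
AUDIENCE = "https://app.example.test/api"  # placeholder REST API


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(subject: str, email: str, now: int, lifetime: int = 3600) -> str:
    """Identity provider side: mint a signed token for the client-side code."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": subject,
              "email": email, "iat": now, "exp": now + lifetime}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


class TokenError(Exception):
    pass


def verify_jwt(token: str, now: int) -> dict:
    """REST API side: 'app trusts IP' means the signature verifies AND the
    issuer, audience and expiry are what this API expects."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(SHARED_SECRET, f"{header_b64}.{claims_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER:
        raise TokenError("untrusted issuer")
    if claims.get("aud") != AUDIENCE:
        raise TokenError("token not meant for this API")
    if now >= claims.get("exp", 0):
        raise TokenError("token expired")
    return claims


def handle_rest_call(authorization_header: str, now: int) -> dict:
    """Simulated REST endpoint: JSON data on success, 401 on any token failure."""
    if not authorization_header.startswith("Bearer "):
        return {"status": 401, "error": "missing bearer token"}
    try:
        claims = verify_jwt(authorization_header[len("Bearer "):], now)
    except TokenError as exc:
        return {"status": 401, "error": str(exc)}
    return {"status": 200, "data": {"hello": claims["email"]}}
```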
Poll 4
When would you like us to follow up?
• Right away
• May
• June
Links
• www.envisionit.com
• blog.petercarson.ca
• www.envisionit.com/eum
• Video and presentation deck will be at
www.envisionit.com/events
Questions?