Authentication patterns - PowerPoint Presentation

Uploaded by faustina-dinatale on 2015-10-22


Presentation Transcript

Slide 1

Slide 2

Authentication patterns for SharePoint 2013 and Office 365

Nathan Miller, Solutions Strategist, Microsoft

SPC374

Israel Vega, Jr, SharePoint Architect

Slide 3

Agenda

- Level Set and Catchup
- Identity Basics
- Authentication and Authorization
- SharePoint Apps
- Advanced Patterns
- Extranets
- Cloud Configurations (O365 and Apps)

Slide 4

Previously… on… SharePoint

Slide 5

[Slide figure: two SharePoint feature wheels. One lists Collaboration, Business Intelligence, Portal, Business Forms, Search and Content Management around Platform Services (Workspaces, Mgmt, Security, Storage, Topology, Site Model); the other lists Communities, Search, Sites, Composites, Content and Insights. Annotation, shown twice: "-6 on a leap year".]

Claims-encoded login names shown on the slide:

i:0#.f|membership|user@domain.tld

i:0#.w|domain\sAMAccountName

Slide 6

Meanwhile… back at the ranch…

Slide 7

Demo - Connected Enterprise Overview

Nathan Miller - Microsoft

Slide 8

Identity Basics

Slide 9

Identity Parts

[Slide figure: the parts of an identity, labelled User (Who), Type of Access, Authentication Information, Entitlement Information, Profile Information and Runtime Information, with the context labels Devices, Remote, LAN, Home, Time, Office and Location.]

Slide 10

Planning Identities

- Where are your users stored? Active Directory, Cloud, Federated
- How will they present credentials to prove who they are?
- What will they need access to? SharePoint only, Applications, Other services
- How will I get rid of them?

Slide 11

Identity: Core questions to ask

- Do you really have to authenticate?
- Does the authentication source matter, or is the user ID enough?
- Do you own the identity?
- Do you own the user information?
- How do they authenticate today?
- Where do they authenticate from?
- How do you want them to authenticate?
- Will they always authenticate that way?
- Is the information you need for authorization enough, or do you need more?

Slide 12

Common AuthZ & AuthN Patterns

Pattern                            | AKA
Party time                         | Anonymous
Right this way (keep an eye out)   | Tracked anonymous
If you got this far, I trust you   | Already verified somewhere else
Who are you again?                 | Single Sign once…everywhere
He's with me/VIP                   | Association/federation
Wait right here                    | Trusted subsystem
You look like someone I know       | Shadow account
Let me do that for you             | Impersonation

Slide 13

SPUser: The SharePoint User Identity

[Slide figure: the SharePoint user identity (user@domain.tld, on a PC) is assembled from Authentication Information (STS), Profile Information (Email, SIP) and Additional Runtime Information (Claims, Roles, Groups), and is shown both as the User in SP Context and as the User in App / Service Context. Token types: NTLM/Kerberos Token (Classic Only); SAML Token (Windows Claims, FBA, SAML).]

Slide 14
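The login names on the earlier slide (i:0#.w|domain\sAMAccountName, i:0#.f|membership|user@domain.tld) are SharePoint's claims encoding, and the prefix tells you which of the providers named on this slide (Windows claims, FBA, SAML) issued the identity. The decoder below is an added example, not code from the deck; it follows the standard SharePoint claims-encoding layout (one character each for identity/claim, claim type, value type and original issuer type, then the issuer name where one applies) and goes beyond the two slide strings to SAML and role claims. The SAML and role samples in the usage notes are constructed.

```python
"""Decode SharePoint claims-encoded login names (e.g. i:0#.w|domain\\user).

Added example, not code from the deck. The prefix layout and the
single-character codes follow the standard SharePoint claims encoding;
sample values other than the two shown on the slides are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Position 3 of the prefix: which claim carries the value.
CLAIM_TYPES = {
    "#": "user logon name",
    "5": "email address",
    "e": "user principal name",
    "-": "role",
    "!": "identity provider",
}
# Position 5 of the prefix: who originally issued the claim.
ISSUER_TYPES = {
    "w": "Windows",            # no issuer-name segment follows
    "f": "forms (FBA)",        # issuer name = membership provider name
    "t": "trusted provider",   # issuer name = SAML token issuer (e.g. an ADFS trust)
    "s": "SharePoint STS",
    "m": "membership provider",
    "r": "role provider",
    "c": "claim provider",
}


@dataclass(frozen=True)
class EncodedClaim:
    is_identity: bool      # 'i' = identity claim, 'c' = any other claim
    claim_type: str
    issuer_type: str
    issuer: Optional[str]  # None for Windows, whose issuer is implicit
    value: str


def parse_claim(encoded: str) -> EncodedClaim:
    """Split an 'i:0#.w|domain\\user' style string into its parts.

    Raises ValueError for anything that is not a claims-encoded name, so a
    plain 'domain\\user' (classic mode) is never silently misread as one.
    """
    head, sep, rest = encoded.partition("|")
    if not sep or len(head) != 6 or head[0] not in "ic" or head[1:3] != ":0":
        raise ValueError(f"not a claims-encoded login name: {encoded!r}")
    kind, ctype, vtype, itype = head[0], head[3], head[4], head[5]
    if vtype != ".":  # only the string value type is handled here
        raise ValueError(f"unsupported claim value type {vtype!r} in {encoded!r}")
    if ctype not in CLAIM_TYPES or itype not in ISSUER_TYPES:
        raise ValueError(f"unknown claim or issuer type in {head!r}")
    if itype == "w":
        issuer, value = None, rest          # Windows: domain\\account follows directly
    else:
        issuer, _, value = rest.partition("|")
    if not value:
        raise ValueError(f"empty claim value in {encoded!r}")
    return EncodedClaim(kind == "i", CLAIM_TYPES[ctype], ISSUER_TYPES[itype], issuer, value)


def describe(encoded: str) -> str:
    """One-line summary of who a logged login name is and which provider issued it."""
    c = parse_claim(encoded)
    who = "identity" if c.is_identity else "claim"
    via = c.issuer_type + (f" '{c.issuer}'" if c.issuer else "")
    return f"{who} {c.claim_type}={c.value!r} issued by {via}"


if __name__ == "__main__":
    for name in ("i:0#.w|domain\\sAMAccountName",        # from the slide
                 "i:0#.f|membership|user@domain.tld",    # from the slide
                 "i:05.t|adfs|user@domain.tld",          # constructed SAML sample
                 "c:0-.t|adfs|Managers"):                # constructed role-claim sample
        print(describe(name))
```

When reviewing ULS or IIS logs this tells you at a glance whether a given login came through Windows authentication, a forms membership provider, or a SAML trust, which matters when the same URL is served by more than one provider (the "multiple authentication providers on one URL" point on the next slide).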

Why Claims?

- Decouples SharePoint from authentication
- Support for multiple authentication providers on one URL
- Enables federation

Slide 15

Authentication Modes

SharePoint 2013 supports both claims and classic authentication.

Claims authentication
- Default authentication mode
- Recommended mode

Classic authentication
- Can only be managed in PowerShell; it's gone from the UI
- Support for classic mode is deprecated and will go away in a future release

Slide 16

Authentication and Authorization for Apps

Slide 17

SharePoint 2013 OAuth with Apps

OAuth is used to authenticate and authorize apps and services:
- To authorize requests by an app for SharePoint to access SharePoint resources on behalf of a user.
- To authenticate apps in the Office Store, an app catalog, or a developer tenant.

Also used in well-known app principals: SharePoint, Exchange, Lync, Workflow Server.

Not used for:
- User sign-in page
- Central Admin, Authentication Provider section
- People Picker

Slide 18

App permissions

- An app requires permissions to access SharePoint content.
- During installation the app requests its required permissions.
- The user installing the app grants the required permissions.
- Users can grant only the permissions that they have.
- The user must be able to grant ALL permissions required, or the install fails.

Slide 19
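The grant rule on this slide is an all-or-nothing subset check: every permission the app asks for must be one the installing user already holds. The code below is an added example, not code from the deck or from SharePoint itself. The Scope URIs and Right values are the ones used in AppManifest.xml permission requests; representing the user's own rights as a dict of scope to highest right, the scope nesting used for inheritance, and the sample manifest fragment are assumptions made for this example.

```python
"""All-or-nothing check for an app's requested permissions against what
the installing user holds, modelled on the install rule on the slide.

Added example, not code from the deck or from SharePoint. Scope URIs and
Right values are those used in AppManifest.xml; the user-rights model and
the sample manifest are assumptions for this example.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Rights form a ladder: holding a higher right covers the lower ones.
RIGHT_RANK = {"Read": 1, "Write": 2, "Manage": 3, "FullControl": 4}

# Content scopes nest; a right held at a parent scope covers its children.
TENANT = "http://sharepoint/content/tenant"
SITECOLLECTION = "http://sharepoint/content/sitecollection"
WEB = SITECOLLECTION + "/web"
LIST = WEB + "/list"
PARENT = {LIST: WEB, WEB: SITECOLLECTION, SITECOLLECTION: TENANT, TENANT: None}


def user_right_at(user_rights: Dict[str, str], scope: str) -> int:
    """Highest right rank the user holds at `scope`, including rights inherited from parent scopes."""
    if scope not in PARENT:
        raise ValueError(f"unsupported scope {scope!r}")  # fail closed on scopes we do not model
    best, s = 0, scope
    while s is not None:
        best = max(best, RIGHT_RANK.get(user_rights.get(s, ""), 0))
        s = PARENT[s]
    return best


def parse_permission_requests(manifest_xml: str) -> List[Tuple[str, str]]:
    """Collect (Scope, Right) pairs from AppPermissionRequest elements, ignoring any XML namespace."""
    root = ET.fromstring(manifest_xml)
    requests = []
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] != "AppPermissionRequest":
            continue
        scope, right = el.get("Scope"), el.get("Right")
        if scope not in PARENT or right not in RIGHT_RANK:
            raise ValueError(f"unsupported permission request {scope!r} / {right!r}")
        requests.append((scope, right))
    return requests


@dataclass
class InstallDecision:
    requested: List[Tuple[str, str]]
    missing: List[Tuple[str, str]]   # requests the installing user cannot grant

    @property
    def granted(self) -> bool:
        # The slide's rule: ALL requested permissions must be grantable, or the install fails.
        return not self.missing


def evaluate_install(manifest_xml: str, user_rights: Dict[str, str]) -> InstallDecision:
    requested = parse_permission_requests(manifest_xml)
    missing = [(s, r) for s, r in requested if user_right_at(user_rights, s) < RIGHT_RANK[r]]
    return InstallDecision(requested, missing)


# Constructed sample: the permission-request fragment of an app manifest (not a real app).
SAMPLE_MANIFEST = """<AppPermissionRequests>
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="Write"/>
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Read"/>
</AppPermissionRequests>"""

# Constructed sample users (assumed representation: scope -> highest right held there).
SITE_OWNER = {WEB: "FullControl"}
CONTRIBUTOR = {WEB: "Write"}
VISITOR = {WEB: "Read"}

if __name__ == "__main__":
    for name, rights in (("owner", SITE_OWNER), ("contributor", CONTRIBUTOR), ("visitor", VISITOR)):
        d = evaluate_install(SAMPLE_MANIFEST, rights)
        print(name, "install granted" if d.granted else f"install fails, cannot grant {d.missing}")
```

The visitor case is the interesting one: the Read request on the list is fine, but the Write request on the web is not something a reader can grant, so the whole install is refused rather than installed with reduced rights. Unknown scopes and rights are rejected rather than ignored, so a manifest asking for something this check does not model cannot slip through as "granted".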

The App Identity: User Present (User + APP)

[Slide figure: the app identity (OAuth) and the SharePoint user identity (user@domain.tld) reach SharePoint together. The SharePoint user is a Windows user, FBA user or SAML user, or an Organizational ID (O365), AKA Azure AD (O365).]

Slide 20

The App Identity: User Not Present (No User + APP, contrasted with User + APP)

[Slide figure: the app identity (OAuth) reaches SharePoint without a user token; SharePoint rehydrates user@domain.tld from the local profile through the User Profile Service.]

Slide 21

Demo - Apps and Identity Patterns

- Come right in
- Right this way (keep an eye out)
- If you got this far, I trust you
- Who are you again?

Slide 22

Cloud Infrastructure with Hybrid (Apps)

- Expose Line of Business Apps to O365
- Leverage the identity that makes the most sense (Windows, OAuth)
- App UI meshed with SP UI

Slide 23

Microsoft Account vs Organizational Account

[Slide figure: two columns, Work and Personal/Consumer, with the labels End user, At Work, My Credit Card, Microsoft Account, At Home, Organization ID, My Devices, IT admin and Download.]

Slide 24

Using Apps from Store

- Trust to Azure ACS is required to access Store apps
- Configuring ACS Server as a trusted authentication server
- For O365: it's automatically configured, nothing to do

Configuration for On Premise (SharePoint 2013):
- General SharePoint setup for apps (e.g. App Management Service Application, app isolation).
- Connect SharePoint to Azure Active Directory.
- Create an App Principal in AAD and SharePoint.
- http://blogs.msdn.com/b/besidethepoint/archive/2012/12/10/sharepoint-low-trust-apps-for-on-premises-deployments.aspx

Slide 25

Additional Notes on Apps

- Apps can use an identity other than the one passed through on the OAuth token
- App publishing from on premise needs to be a Provider App (SP Apps or App Webs may not get through the proxy due to wild card and Kerberos requirements)
- Consider the audience consuming apps, especially in hybrid scenarios

Slide 26

Cloud and Advanced Patterns

Slide 27

SharePoint Extranet in 2013

- Leveraging a Reverse Proxy
- 2012 R2 replaces UAG / TMG guidance

Slide 28

Demo - Publishing an Extranet with Windows 2012 R2 and ADFS

Impersonation

Nathan Miller

Slide 29

Reverse Proxy vs. ADFS Integrated

Leveraging ADFS trust in SharePoint is different than Reverse Proxy:
- ADFS integrated into SharePoint is SAML
- ADFS integrated into 2012 R2 (Reverse Proxy) is Kerberos

Need to consider what else the user is connecting to and how users are managed.

Slide 30

Cloud Identity Options

- Cloud Identity: IDs only live in Azure AD / O365
- Directory Sync with SSO: leveraging ADFS for authentication, and DirSync or FIM
- Directory Sync with Password Sync: DirSync with a password hash (hash of a hash)

Slide 31

Demo – Cloud Identity Shadow Account

Nathan Miller

Slide 32

Cloud Infrastructure with ADFS

- Publish ADFS from on premise to do authentication
- DirSync AD users to Azure AD / O365
- Authentication requests in O365 get rerouted to ADFS

Slide 33

Cloud Infrastructure with Password Sync

- DirSync AD users to Azure AD / O365
- Password Sync is a hash of the hash

Slide 34
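"A hash of the hash" means the on-premises credential hash itself is never what gets synced: a salted, iterated derivation of it is, and the cloud verifies a sign-in by recomputing that derivation from the password the user types. The code below is an added example of that flow, not code from the deck and not Azure AD's implementation. Its assumptions: the on-premises hash is SHA-256 of the UTF-16LE password, standing in for the NT (MD4) hash Windows actually stores; and the salt length, iteration count and PBKDF2 parameters are illustrative values, not those the real DirSync / Azure AD Connect feature uses.

```python
"""Illustrates 'password sync is a hash of the hash'.

Added example, not from the deck and not Azure AD's implementation.
Assumptions: SHA-256 of the UTF-16LE password stands in for the on-prem
NT (MD4) hash; salt size, iteration count and the PBKDF2 parameters are
illustrative, not the real DirSync / Azure AD Connect values.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

ITERATIONS = 1000   # illustrative
SALT_BYTES = 10     # illustrative


def onprem_hash(password: str) -> bytes:
    """Stand-in for the directory's stored credential hash (assumption: SHA-256, not MD4)."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def cloud_hash(stored_hash: bytes, salt: bytes) -> bytes:
    """The 'hash of the hash': PBKDF2-HMAC-SHA256 over the on-prem hash, salted and iterated.

    Only the stored hash is needed as input, so the sync agent never needs the
    plaintext password, and the output cannot be turned back into the on-prem hash.
    """
    return hashlib.pbkdf2_hmac("sha256", stored_hash.hex().encode("ascii"), salt, ITERATIONS, dklen=32)


@dataclass(frozen=True)
class SyncRecord:
    upn: str
    salt: bytes
    derived: bytes   # what leaves the on-prem network; the plaintext and the raw hash do not


def build_sync_record(upn: str, stored_hash: bytes, salt: Optional[bytes] = None) -> SyncRecord:
    """On-prem side: derive the value to sync from the stored hash, never from the password."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    return SyncRecord(upn, salt, cloud_hash(stored_hash, salt))


def cloud_verify(record: SyncRecord, password_attempt: str) -> bool:
    """Cloud side: recompute the derivation from the typed password and compare in constant time."""
    candidate = cloud_hash(onprem_hash(password_attempt), record.salt)
    return hmac.compare_digest(candidate, record.derived)


def demo():
    """Walk through one sync and two sign-in attempts with a constructed sample password."""
    stored = onprem_hash("correct horse battery staple")   # constructed sample
    rec = build_sync_record("user@domain.tld", stored)
    right = cloud_verify(rec, "correct horse battery staple")
    wrong = cloud_verify(rec, "definitely not it")
    # The synced value differs from the on-prem hash, so the cloud copy is not a replayable credential.
    return right, wrong, rec.derived != stored


if __name__ == "__main__":
    print(demo())   # (True, False, True)
```

Two properties worth checking in any password-sync design follow directly from the code: the cloud store never holds the on-prem hash (a compromise of the synced record does not yield something usable against the on-prem directory), and each record carries its own salt, so two accounts with the same password do not produce the same synced value.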

O365 Hybrid Configurations

Two Way Hybrid Topology supports Search:
- From On-Premise: on-premise SharePoint can see local and online SharePoint results
- From SharePoint Online: users of SharePoint Online Search can see both results

Configuration also supports:
- Business Connectivity Services (BCS)
- DUET Enterprise Online

Slide 35

Resources

Configuring Windows 2012 R2 Remote Access
http://technet.microsoft.com/en-us/library/dn280944.aspx

Connect SharePoint to ACS for Low Trust Apps
http://blogs.msdn.com/b/besidethepoint/archive/2012/12/10/sharepoint-low-trust-apps-for-on-premises-deployments.aspx

Slide 36

MySPC

Sponsored by

connect. reimagine. transform.

Evaluate sessions on MySPC using your laptop or mobile device: myspc.sharepointconference.com

Slide 37

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.