Slide 2
Authentication patterns for SharePoint 2013 and Office 365
Nathan Miller, Solutions Strategist, Microsoft
SPC374
Israel Vega, Jr, SharePoint Architect
Slide 3
Agenda
Level Set and Catchup
Identity Basics
Authentication and Authorization
SharePoint Apps
Advanced Patterns
Extranets
Cloud Configurations (O365 and Apps)
Slide 4
Previously… on… SharePoint
Slide 5
Diagram (feature wheel): Collaboration, Business Intelligence, Portal, Business Forms, Search, Content Management; Platform Services (Workspaces, Mgmt, Security, Storage, Topology, Site Model)
Diagram (feature wheel): Communities, Search, Sites, Composites, Content, Insights
Claims-encoded user identifiers (forms membership and Windows):
i:0#.f|membership|user@domain.tld
i:0#.w|domain\sAMAccountName
Slide 6
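The two identifiers above are SharePoint's claims-encoded logon names: a one-character code for the claim type, the value type and the issuer, then the provider name (for forms, membership, role and trusted providers only) and the value. As an added example that is not part of the deck, here is a Python decoder for that encoding. The claim-type, value-type and issuer tables are abbreviated to the codes used in everyday logon identifiers, and the role claim `c:0-.t|adfs|Managers` is a constructed input. The point a SharePoint administrator needs from it: the same person arriving via Windows (`w`) and via forms (`f`) is two different principals, so permissions granted to one do not apply to the other.

```python
"""Decode SharePoint claims-encoded identifiers such as i:0#.w|domain\\user.

Encoding: <i|c>:0<claim type><value type><issuer>|[<provider name>|]<value>
  i = identity claim, c = any other claim; the "0" is reserved.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Abbreviated tables: only the codes seen in common logon identifiers.
CLAIM_TYPES = {
    "#": "http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname",
    "5": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "-": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
    "?": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
}
VALUE_TYPES = {".": "http://www.w3.org/2001/XMLSchema#string"}
ISSUERS = {
    "w": "Windows",               # i:0#.w|domain\\user
    "s": "SecurityTokenService",  # SharePoint's own STS
    "t": "TrustedProvider",       # SAML provider such as ADFS
    "m": "Membership",            # forms membership provider
    "r": "RoleProvider",          # forms role provider
    "f": "Forms",                 # i:0#.f|membership|user@domain.tld
    "c": "ClaimProvider",
}
# Windows and STS identifiers carry the value straight after the first pipe;
# every other issuer inserts the provider name first.
ISSUERS_WITHOUT_PROVIDER = {"w", "s"}


@dataclass(frozen=True)
class EncodedClaim:
    is_identity: bool
    claim_type: str
    value_type: str
    issuer: str
    provider: Optional[str]
    value: str


def decode_claim(encoded: str) -> EncodedClaim:
    """Split a claims-encoded identifier into its parts; raise ValueError if malformed."""
    head, sep, rest = encoded.partition("|")
    # The head is exactly six characters, e.g. "i:0#.w".
    if not sep or len(head) != 6 or head[0] not in "ic" or head[1:3] != ":0":
        raise ValueError(f"not a claims-encoded identifier: {encoded!r}")
    type_char, vtype_char, issuer_char = head[3], head[4], head[5]
    if issuer_char not in ISSUERS:
        raise ValueError(f"unknown issuer code {issuer_char!r} in {encoded!r}")
    if issuer_char in ISSUERS_WITHOUT_PROVIDER:
        provider, value = None, rest
    else:
        provider, sep2, value = rest.partition("|")
        if not sep2 or not provider:
            raise ValueError(f"missing provider name in {encoded!r}")
    if not value:
        raise ValueError(f"empty claim value in {encoded!r}")
    return EncodedClaim(
        is_identity=head[0] == "i",
        claim_type=CLAIM_TYPES.get(type_char, f"unknown({type_char})"),
        value_type=VALUE_TYPES.get(vtype_char, f"unknown({vtype_char})"),
        issuer=ISSUERS[issuer_char],
        provider=provider,
        value=value,
    )


def principal_key(encoded: str) -> Tuple[str, Optional[str], str]:
    """Issuer, provider and case-folded value: what decides whether two identifiers are one user."""
    claim = decode_claim(encoded)
    return (claim.issuer, claim.provider, claim.value.lower())


def is_same_principal(a: str, b: str) -> bool:
    """True only if both identifiers resolve to the same principal.

    The same person arriving through Windows (w) and through forms (f) yields two
    different principals, so permissions granted to one do not apply to the other.
    """
    return principal_key(a) == principal_key(b)


if __name__ == "__main__":
    for sample in ("i:0#.f|membership|user@domain.tld",  # from the slide
                   "i:0#.w|domain\\sAMAccountName",       # from the slide
                   "c:0-.t|adfs|Managers"):               # constructed role claim
        print(sample, "->", decode_claim(sample))
    print(is_same_principal("i:0#.w|domain\\user", "i:0#.f|membership|user"))  # False
```

When auditing site permissions or migrating a web application between providers, run every login name through `principal_key` and group by issuer: entries that share a value but differ in issuer are the duplicate accounts a claims migration leaves behind.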
Meanwhile… back at the ranch…
Slide 7
Demo - Connected Enterprise Overview
Nathan Miller - Microsoft
Slide 8
Identity Basics
Slide 9
Identity Parts
Parts of an identity: User, Type of Access, Authentication Information, Entitlement Information, Profile Information, Runtime Information
Runtime context labels from the diagram: Who, Devices, Remote, LAN, Home, Time, Office, Location
Slide 10
Planning Identities
Where are your users stored? Active Directory, Cloud, Federated
How will they present credentials to prove who they are?
What will they need access to? SharePoint only, Applications, Other services
How will I get rid of them?
Slide 11
Identity: Core questions to ask
Do you really have to authenticate?
Does the authentication source matter, or is the user ID enough?
Do you own the identity?
Do you own the user information?
How do they authenticate today?
Where do they authenticate from?
How do you want them to authenticate?
Will they always authenticate that way?
Is the information you need for authorization enough, or do you need more?
Slide 12
Common AuthZ & AuthN Patterns
Pattern                            | AKA
Party time                         | Anonymous
Right this way (keep an eye out)   | Tracked anonymous
If you got this far, I trust you   | Already verified somewhere else
Who are you again?                 | Single sign once… everywhere
He’s with me/VIP                   | Association/federation
Wait right here                    | Trusted subsystem
You look like someone I know       | Shadow account
Let me do that for you             | Impersonation
Slide 13
SPUser
The SharePoint User Identity
Authentication Information (STS)
Profile Information (Email, SIP)
Additional Runtime Information (Claims, Roles, Groups)
User in App / Service Context
User in SP Context
Diagram flow: PC, user@domain.tld, then either an NTLM/Kerberos token (Classic only) or a SAML token (Windows Claims, FBA, SAML), giving the SharePoint user
Slide 14
Why Claims?
Decouples SharePoint from authentication
Support for multiple authentication providers on one URL
Enables federation
Slide 15
Authentication Modes
SharePoint 2013 supports both claims and classic authentication
Claims authentication: the default authentication mode, and the recommended mode
Classic authentication: can only be managed in PowerShell; it’s gone from the UI
Support for classic mode is deprecated and will go away in a future release
Slide 16
Authentication and Authorization for Apps
Slide 17
SharePoint 2013 OAuth with Apps
OAuth is used to authenticate and authorize apps and services:
To authorize requests by an app for SharePoint to access SharePoint resources on behalf of a user
To authenticate apps in the Office Store, an app catalog, or a developer tenant
Also used with the well-known app principals: SharePoint, Exchange, Lync, Workflow Server
Not used for: the user sign-in page; the Authentication Provider section of Central Admin; the People Picker
Slide 18
App permissions
Apps require permissions to access SharePoint content
During installation the app requests its required permissions
The user installing the app grants the required permissions
Users can grant only the permissions that they have
The user must be able to grant ALL permissions required, or the install fails
Slide 19
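The all-or-nothing rule on this slide is easy to model, and doing so shows why a low-privileged installer blocks an app rather than installing it with reduced rights. The following Python is an added example, not code from the deck or from SharePoint: it reads the AppPermissionRequest elements out of a constructed AppManifest.xml fragment (scope URIs in the documented http://sharepoint/content/... form) and checks them against the permissions the installing user holds. The scope hierarchy and the ordering Read < Write < Manage < FullControl are a simplified model of SharePoint's permission evaluation, assumed here for illustration.

```python
"""All-or-nothing check of an app's permission requests against what the installing user holds.

Simplified model (not SharePoint's internal code): scopes are URI paths in a hierarchy,
rights are ordered Read < Write < Manage < FullControl, and a right held at a scope
covers that scope and everything beneath it.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

RIGHT_RANK = {"Read": 1, "Write": 2, "Manage": 3, "FullControl": 4}

# Constructed AppManifest.xml fragment (not from the slides): the app asks for two permissions.
SAMPLE_MANIFEST = """<App xmlns="http://schemas.microsoft.com/sharepoint/2012/app/manifest">
  <AppPermissionRequests>
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="Read" />
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Write" />
  </AppPermissionRequests>
</App>
"""

Permission = Tuple[str, str]  # (scope, right)


def parse_permission_requests(manifest_xml: str) -> List[Permission]:
    """Pull every AppPermissionRequest out of the manifest, whatever namespace it uses."""
    root = ET.fromstring(manifest_xml)
    requests = []
    for element in root.iter():
        if not element.tag.endswith("AppPermissionRequest"):
            continue
        scope, right = element.get("Scope"), element.get("Right")
        if not scope or right not in RIGHT_RANK:
            raise ValueError(f"malformed permission request: Scope={scope!r} Right={right!r}")
        requests.append((scope, right))
    return requests


def covers(held: Permission, requested: Permission) -> bool:
    """A held (scope, right) satisfies a request at the same or a deeper scope with an equal or lower right."""
    held_scope, held_right = held
    req_scope, req_right = requested
    # Compare on path boundaries so ".../web" does not accidentally cover ".../webparts".
    in_scope = req_scope == held_scope or req_scope.startswith(held_scope.rstrip("/") + "/")
    return in_scope and RIGHT_RANK[held_right] >= RIGHT_RANK[req_right]


def evaluate_install(manifest_xml: str, user_rights: List[Permission]) -> Dict[str, object]:
    """Install succeeds only if the user can grant every requested permission; nothing is granted partially."""
    requested = parse_permission_requests(manifest_xml)
    ungrantable = [req for req in requested
                   if not any(covers(held, req) for held in user_rights)]
    return {"can_install": not ungrantable, "requested": requested, "ungrantable": ungrantable}


if __name__ == "__main__":
    site_owner = [("http://sharepoint/content/sitecollection", "FullControl")]
    reader = [("http://sharepoint/content/sitecollection/web", "Read")]
    print(evaluate_install(SAMPLE_MANIFEST, site_owner))  # can_install True
    print(evaluate_install(SAMPLE_MANIFEST, reader))      # can_install False: cannot grant Write on the list
```

The `ungrantable` list is what to surface to the installing user: it names exactly the scope and right that stopped the install, which is more useful than a generic failure when triaging why a store app will not deploy for a given audience.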
The App Identity: User Present
User + App
App Identity, OAuth, SharePoint
User Identity: user@domain.tld
SharePoint User: [Windows User OR FBA User OR SAML User] OR [Organizational ID (O365), AKA Azure AD (O365)]
Slide 20
The App Identity: User Not Present
User + App / No User + App
App Identity, OAuth, SharePoint
user@domain.tld: rehydrate the user from the local profile (User Profile Service)?
Slide 21
Demo - Apps and Identity Patterns
Come right in
Right this way (keep an eye out)
If you got this far, I trust you
Who are you again?
Slide 22
Cloud Infrastructure with Hybrid (Apps)
Expose line-of-business apps to O365
Leverage the identity that makes the most sense (Windows, OAuth)
App UI meshed with SP UI
Slide 23
Microsoft Account vs Organizational Account
Diagram labels: Work (Organization ID, At Work); Personal/Consumer (Microsoft Account, At Home); End user; IT admin; My Credit Card; My Devices; Download
Slide 24
Using Apps from Store
A trust to Azure ACS is required to access Store apps: configure the ACS server as a trusted authentication server
For O365: it's automatically configured, nothing to do
Configuration for on-premises SharePoint 2013:
General SharePoint setup for apps (e.g. App Management Service Application, app isolation)
Connect SharePoint to Azure Active Directory
Create an App Principal in AAD and SharePoint
http://blogs.msdn.com/b/besidethepoint/archive/2012/12/10/sharepoint-low-trust-apps-for-on-premises-deployments.aspx
Slide 25
Additional Notes on Apps
Apps can use an identity other than the one passed through in the OAuth token
Apps published from on-premises need to be provider-hosted apps (SharePoint-hosted apps or app webs may not get through the proxy due to wildcard and Kerberos requirements)
Consider the audience consuming the apps, especially in hybrid scenarios
Slide 26
Cloud and Advanced Patterns
Slide 27
SharePoint Extranet in 2013
Leveraging a reverse proxy
Windows Server 2012 R2 replaces the UAG / TMG guidance
Slide 28
Demo - Publishing an Extranet with Windows 2012 R2 and ADFS
Impersonation
Nathan Miller
Slide 29
Reverse Proxy vs. ADFS Integrated
Leveraging an ADFS trust in SharePoint is different from a reverse proxy:
ADFS integrated into SharePoint is SAML
ADFS integrated into the 2012 R2 reverse proxy is Kerberos
Need to consider what else the user is connecting to and how users are managed.
Slide 30
Cloud Identity Options
Cloud Identity: IDs only live in Azure AD / O365
Directory Sync with SSO: leveraging ADFS for authentication, and DirSync or FIM
Directory Sync with Password Sync: DirSync with a password hash (hash of a hash)
Slide 31
Demo - Cloud Identity Shadow Account
Nathan Miller
Slide 32
Cloud Infrastructure with ADFS
Publish ADFS from on-premises to do authentication
DirSync AD users to Azure AD (O365)
Authentication requests in O365 get rerouted to ADFS
Slide 33
Cloud Infrastructure with Password Sync
DirSync AD users to Azure AD (O365)
Password Sync is a hash of the hash
Slide 34
O365 Hybrid Configurations
Two-way hybrid topology supports search:
From on-premises: on-premises SharePoint can see local and online SharePoint results
From SharePoint Online: users of SharePoint Online search can see both sets of results
The configuration also supports Business Connectivity Services (BCS) and Duet Enterprise Online
Slide 35
Resources
Configuring Windows 2012 R2 Remote Access: http://technet.microsoft.com/en-us/library/dn280944.aspx
Connect SharePoint to ACS for Low Trust Apps: http://blogs.msdn.com/b/besidethepoint/archive/2012/12/10/sharepoint-low-trust-apps-for-on-premises-deployments.aspx
Slide 36
Slide 37
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.