Building Secure Extranets with Claims Based Authentication
•Als PPTX, PDF herunterladen•
5 gefällt mir•10,517 views
Slides from my session at the SharePoint Evolution Conference 2013 about building secure extranets with Claims-Based Authentication
Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Ähnlich wie Building Secure Extranets with Claims Based Authentication
Ähnlich wie Building Secure Extranets with Claims Based Authentication (20)
Mehr von Gus Fraser
Mehr von Gus Fraser (7)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
Building Secure Extranets with Claims Based Authentication
- 1. Building Secure SharePoint Extranets with Claims Based Authentication #COM716 Aonghus (Gus) Fraser @gusfraser af@c5.je
- 2. Aonghus Fraser (MCPD, MCITP, MCSD) Based in (Old) Jersey & Guernsey SharePoint Lead Consultant @ C5 Alliance – ~75 Consultants; ~18 SharePoint & CRM* Working with SharePoint since WSS 2.0 af@c5.je / @gusfraser / #COM716 Run www.cispug.org Blog at http://techblurt.com #SPRunners *probably the highest concentration of SharePoint on the planet (unconfirmed)
- 3. Jersey
- 4. Guernsey
- 6. Agenda Extranets – Why? Why Claims? Claims-Based Authentication Secure Extranet Topologies Case Studies & Demonstrations MyGov.je Dvs.MyGov.je SharePoint 2013 – Claims First Azure ACS & 3rd Party Providers
- 8. Extranets – Why? Security Controlled information management & delivery Avoid insecure or uncontrolled use e.g. Email, Dropbox, SkyDrive etc. Customer service Self-service, 24x7 Efficiency Reduced manual effort
- 9. Extranets – Why Claims? Delegate Authentication to a TRUSTED 3rd party (Federation) Standards & Interoperability SharePoint 2013… it’s the future!
- 10. Quis custodiet ipsos custodes? “Who Guards the Guards?” Trust problems since the 1st/2nd century… 21st century version: Who do I trust with my Identity? Which Identity provider do I trust to authenticate users/federate with? – Partner/Customer AD? – LiveID? – Facebook? – OpenID?
- 11. Claims-Based Concepts Identity Set of unique user-defining claims/attributes Claim(s) Identity attributes (e.g. Username, Email, Role) Issuer / Authority / Provider E.g. DC, ADFS, STS Relying Party Application e.g. SharePoint, custom app Token
- 12. What do we mean by Claim? Property that I HAVE / What I AM E.g. Name, Email, Username (could be a Role) NOT What can I do (Authorisation) Wrapped up in a SAML Assertion/Token (XML) C2WTS converts to Windows (Kerberos or NTLM)
- 13. Claim Types SharePoint STS (native SharePoint) Windows Claims (from Kerberos or NTLM to SAML token) Federated Claims ADFS 2.0, Azure ACS Custom Claims Custom STS
- 14. Real World Claims Analogy Identity Provider Claims Identity
- 16. Assumptions / Requirements Separate Extranet Farm (separate AD) Firewalls between Farms (ISA/TMG/UAG etc.) No external access to internal farm No data to be stored in the public Cloud
- 17. Scenario 1: Isolated Farms No access to extranet farm without external AD account Limited collaboration Firewall DB Cluster APP[01-02] FirewallDC[01-02]WFE[01-02] DMZWFE[01,02 DMZDB ClusterDMZAPP01 DMZDC[01,02] Internal Farm Extranet Farm Internal Users
- 18. Firewall DB Cluster APP[01-02] FirewallDC[01-02]WFE[01-02] DMZWFE[01,02] DMZDB ClusterDMZAPP01 DMZDC[01,02] Internal Farm Extranet Farm Internal Users One way AD Trust Scenario 2: One-way AD Trust Internal users granted access with AD Trust Requires potentially undesirable firewall “holes”
- 19. Firewall DB Cluster APP[01-02] FirewallDC[01-02]WFE[01-02] DMZWFE[01,02] DMZDB ClusterDMZAPP01 DMZDC[01,02] Internal Farm Extranet Farm Internal Users ADFS 2.0 ADFS[01,02] Scenario 3: ADFS 2.0 Internal users granted access via ADFS 2.0 Most secure multiple farm extranet with easy internal user access
- 20. More on ADFS 2.0 Source:Claims-based Identity Second Edition
- 21. Case Studies
- 22. MyGov.je Online Citizen Services Portal Jobs, News, Planning Applications SharePoint 2010 front-end CRM 2011 back-end Web services with X.509 certs SharePoint STS with custom Membership provider
- 23. Systems Integration Payment Gateway JD Edwards Licar (Driving License system) Planning (Northgate)
- 24. MyGov Topology Firewall DB Cluster APP01 Firewall DCs[01 – 02] WFEs[01 – 03] DMZWFEs[01 – 04] DMZDB Cluster DMZAPP01 DMZDCs[01-02] Internal Network Extranet Farm Internal Users CRM[01,02] JD Edwards DVS Planning
- 25. MyGov Sequence Diagram User WFE / STS CRM Anon Request Create SAML token Login Check credentials Success Augment Claim with CRM Identity FedAuth Cookie FedAuth Cookie
- 26. MYGOV CITIZEN PORTAL Claims-based authentication with back-end Microsoft Dynamics CRM integration
- 31. DVS Online Book driving test Re-use of Citizen Portal; different web app SharePoint 2010 front-end CRM 2011 back-end Licar integration
- 32. DVS ONLINE Claims-based authentication with back-end Microsoft Dynamics CRM & Licar Driver licensing system
- 40. SharePoint 2013 “Claims First” – Classic authentication deprecated (PowerShell only) Distributed Cache! No more sticky sessions for FedAuth cookies! Improved Logging (ULS) Without Claims: No Apps! No OWAPP! (e.g. Search result preview) A lot of “net new” 2013 features use Claims..
- 41. Identities in SharePoint 2013 i:0#.f|membershipprovider|user i:0#.w|domainuser i:05.t|azure|email@domain.com i:05.t|facebook|gus@techblurt.com i:0i.t|ms.sp.ext|{guid}@{guid}
- 42. Upgrade / Migration Tips Upgrade Classic 2010 Farms to Claims in 2010 BEFORE Upgrading to 2013 Upgrade WindowsPrincipal code to IClaimsPrincipal
- 43. Azure Acces Control Services Identity Management in the Cloud
- 44. Azure Access Control Services Free! (since Nov 2012) Authentication, authorisation & integration with ID providers Manages Certs, Relying Parties, ID Providers
- 46. ACS Supported ID Providers WS-Fed, OpenID ADFS 2.0 Windows Live ID Facebook Google ID Yahoo
- 47. AZURE ACS, SHAREPOINT & FACEBOOK
- 49. Setup Azure ACS ID Provider
- 51. ACS ID Providers, Mappings & Certs
- 54. Facebook App
- 55. Facebook Claims
- 56. References A Guide to Claims-Based Identity and Access Control, Second Edition http://www.microsoft.com/en-us/download/details.aspx?id=28362 Programming WIF http://shop.oreilly.com/product/9780735627185.do ACS Code Samples Index http://msdn.microsoft.com/en-us/library/gg185965.aspx
- 57. Bingo Prizes!
- 58. Thank you for attending! @gusfraser af@c5.je #COM716
Hinweis der Redaktion
- NOT a technical deep dive on security or SAML Explanation of the terminology & demonstration of real world examples
- e.g. Facebook OAuth – what is THEIR password complexity? Identity 2.0 – Dick HardtFacebook: When you create a new password, make sure that it's at least 6 characters long. Try to use a complex combination of numbers, letters, and punctuation marks….
- C2WTS – part of WIF, installed with SP2010+ necessary for
- Not all identities or claims are created equally…
- Some of you might recognise this driving license, I use it to present my claim (my name) in exchange for a ticketThe claims application (ground staff) check if he or she trusts the identity provider. It’s actually the Parish of St. Clement in Jersey, but let’s just say Jersey I then get a token which allows me through security, who doesn’t look at my ID anymore
- 53 TCP/UDP DNS 88 TCP/UDP Kerberos 389 TCP/UDP LDAP 445 TCP SMB 636 TCP LDAP (SSL)
- ADFS CAN be installed on the DC however then you must have an ADFS proxy role or UAG to act as a proxy in front of the DCHowever UAG doesn’t provide O365 or Mobile device supportWID for less than 100 trusted relationships – internal usersWID + Proxies – external DB
- WID for less than 100 trusted relationships – internal usersWID + Proxies – external DB
- App Identifier = Issuer Guid @ Realm Guid (Get-SPAuthenticationRealm) – ServiceContext $spweb.SiteBecause applications need permissions too! Security Principal themselves
- Used to be $1.99 per 100,000 transactions. If you used to use