The document discusses the SharePoint capabilities that SharePoint add-ins (apps) can leverage: automating business processes with Workflow Manager, communicating and collaborating through sites and social features, making search results more relevant, accessing external data through Business Connectivity Services, and identity and security with OAuth and app permissions. It then covers configuring a server-to-server (S2S) trust, based on an X.509 certificate, so that a client app can call SharePoint on a private network without involving Azure Access Control Service (ACS).
3. AGENDA
Leveraging SharePoint capabilities in your App
Monitoring and Troubleshooting
Identity and Security
Packaging and Deployment
Upgrade and Versioning
5. AGENDA
Model and automate business processes
Communicate and collaborate with people and track content
Add location and mapping features
Make search results more relevant
6. AGENDA
Access data from external data systems
Work with data, convert file formats, and translate sites
Work with user access, roles, rights, and claims
7. AUTOMATE BUSINESS PROCESSES
Workflow Manager
Workflow Manager 1.0 is focused on delivering these key capabilities:
High Density & Multi-tenancy
Elastic Scale
Activity / Workflow Artifact Management
Tracking and Monitoring
Instance Management
Fully Declarative Authoring
REST and Service Bus Messaging
8. AUTOMATE BUSINESS PROCESSES
SharePoint workflows can call your code (the Call HTTP Web Service activity)
Your code can call Workflow Manager directly or start a workflow by writing to a SharePoint list
Workflows use Service Bus; Remote Event Receivers do not!
9. COMMUNICATE & COLLABORATE WITH PEOPLE AND TRACK CONTENT
Team Sites
Store documents, calendars, etc.
Upload files
Scot Hillier: http://bit.ly/1lxu6lB
OneDrive for Business (a.k.a. Personal Site [f.k.a. My Sites])
Personal storage for documents
Exposed through the Office Graph
10. COMMUNICATE & COLLABORATE WITH PEOPLE AND TRACK CONTENT
Social
Add objects to the Office Graph
Leverage Yammer for social
11. MAKE SEARCH RESULTS MORE RELEVANT
Federated Search
Pass the query to a remote index
Content Crawling
Include your website – crawled just like Bing
Search Connector – define the properties of your content
12. MAKE SEARCH RESULTS MORE RELEVANT
Search Results
Vastly improved – completely customizable
Control templates
Item templates
Hover card templates
Analytics included
http://msdn.microsoft.com/en-us/library/office/jj163300(v=office.15).aspx
13. ACCESS DATA FROM EXTERNAL DATA SYSTEMS
Business Connectivity Services
Reveal external data from enterprise applications, web services, and OData services in SharePoint Server 2013 and in rich-client Office applications.
Provide complete interaction with the data, including write-back capabilities from Office applications and SharePoint Server to the underlying external system data and business objects.
14. ACCESS DATA FROM EXTERNAL DATA SYSTEMS
Business Connectivity Services
Common data access API regardless of data format/location.
“Tag” SharePoint content with values from LOB systems.
17. SHAREPOINT TENANCY
A set of site collections
Office 365 tenants
Scope for app permissions
What about tenancies in on-premises farms?
By default, all site collections in a farm run within a default tenant
Additional tenancies can be created using PowerShell cmdlets
19. APP PERMISSIONS
Permissions are granted to the app principal itself, separately from any user
An app has a default set of permissions (it has full control of its own app web)
The installing user either grants all of the requested permissions or denies them during installation; there is no partial grant
If the installer denies the permission request, SharePoint does not install the app
20. PERMISSION REQUESTS
Apps request the permissions they require to run in the AppPermissionRequests section of AppManifest.xml; each request names a Scope and a Right, optionally narrowed by a Property (here, only lists of BaseTemplateId 101, document libraries):
<AppPermissionRequests AllowAppOnlyPolicy="true">
<AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="Read"/>
<AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Write">
<Property Name="BaseTemplateId" Value="101"/>
</AppPermissionRequest>
<AppPermissionRequest Scope="http://sharepoint/userprofilestore/feed" Right="Post"/>
<AppPermissionRequest Scope="http://exchange/calendars" Right="Schedule"/>
<AppPermissionRequest Scope="http://lync/contacts" Right="Read"/>
</AppPermissionRequests>
22. AVAILABLE APP PERMISSIONS
Scope | Scope alias | Rights
http://sharepoint/content/tenant | AllSites | Read; Write; Manage; FullControl
http://sharepoint/content/sitecollection | Site | Read; Write; Manage; FullControl
http://sharepoint/content/sitecollection/web | Web | Read; Write; Manage; FullControl
http://sharepoint/content/sitecollection/web/list | List | Read; Write; Manage; FullControl
http://sharepoint/bcs/connection | None (not currently supported) | Read
http://sharepoint/search | Search | QueryAsUserIgnoreAppPrincipal
http://sharepoint/projectserver | ProjectAdmin | Manage
http://sharepoint/projectserver/projects | Projects | Read; Write
http://sharepoint/projectserver/projects/project | Project | Read; Write
http://sharepoint/projectserver/enterpriseresources | ProjectResources | Read; Write
http://sharepoint/projectserver/statusing | ProjectStatusing | SubmitStatus
http://sharepoint/projectserver/reporting | ProjectReporting | Read
http://sharepoint/projectserver/workflow | ProjectWorkflow | Elevate
http://sharepoint/social/tenant | AllProfiles | Read; Write; Manage; FullControl
http://sharepoint/social/core | Social | Read; Write; Manage; FullControl
http://sharepoint/social/microfeed | Microfeed | Read; Write; Manage; FullControl
http://sharepoint/taxonomy | TermStore | Read; Write
23. GRANTING CONSENT IN SHAREPOINT 2013
The installing user is prompted to Deny or to Allow Access (grant)
Deny prevents the app from being installed
Allow Access grants the requested permissions to the app as part of installation
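Because consent is all-or-nothing, the place to catch an over-privileged add-in is the manifest, before the installing user ever sees the prompt. The following is an added example, not code from the deck: it parses the AppPermissionRequests block shown on the permission-requests slide, checks every Scope/Right pair against the "Available app permissions" table above, and flags what a security reviewer looks for: AllowAppOnlyPolicy, tenant-wide scopes, rights above an agreed ceiling, and scopes the table does not list (the exchange, lync and userprofilestore scopes in the deck's sample are reported as unknown rather than rejected). The ceiling parameter, the namespace handling and both sample manifests are constructed for the example.

```python
"""Added example: review the AppPermissionRequests block of an AppManifest.xml."""
import xml.etree.ElementTree as ET

CONTENT_RIGHTS = {"Read", "Write", "Manage", "FullControl"}

# Scope -> rights SharePoint 2013 accepts, transcribed from the permission table above.
SHAREPOINT_SCOPES = {
    "http://sharepoint/content/tenant": CONTENT_RIGHTS,
    "http://sharepoint/content/sitecollection": CONTENT_RIGHTS,
    "http://sharepoint/content/sitecollection/web": CONTENT_RIGHTS,
    "http://sharepoint/content/sitecollection/web/list": CONTENT_RIGHTS,
    "http://sharepoint/bcs/connection": {"Read"},
    "http://sharepoint/search": {"QueryAsUserIgnoreAppPrincipal"},
    "http://sharepoint/projectserver": {"Manage"},
    "http://sharepoint/projectserver/projects": {"Read", "Write"},
    "http://sharepoint/projectserver/projects/project": {"Read", "Write"},
    "http://sharepoint/projectserver/enterpriseresources": {"Read", "Write"},
    "http://sharepoint/projectserver/statusing": {"SubmitStatus"},
    "http://sharepoint/projectserver/reporting": {"Read"},
    "http://sharepoint/projectserver/workflow": {"Elevate"},
    "http://sharepoint/social/tenant": CONTENT_RIGHTS,
    "http://sharepoint/social/core": CONTENT_RIGHTS,
    "http://sharepoint/social/microfeed": CONTENT_RIGHTS,
    "http://sharepoint/taxonomy": {"Read", "Write"},
}
RIGHT_RANK = {"Read": 0, "Write": 1, "Manage": 2, "FullControl": 3}


def _local(tag):
    """Strip the AppManifest XML namespace so namespaced and bare fragments both work."""
    return tag.rsplit("}", 1)[-1]


def review_permission_requests(manifest_xml, max_right="Write", allow_app_only=False):
    """Return a list of findings; an empty list means nothing to object to.

    max_right (constructed policy knob) is the highest content right the reviewer
    will accept without a justification; allow_app_only waives the app-only finding.
    """
    root = ET.fromstring(manifest_xml)
    # The block may be the document root or nested under <App>.
    block = root if _local(root.tag) == "AppPermissionRequests" else next(
        (e for e in root.iter() if _local(e.tag) == "AppPermissionRequests"), None)
    if block is None:
        return ["no AppPermissionRequests element (add-in requests no permissions)"]
    findings = []
    if block.get("AllowAppOnlyPolicy", "false").lower() == "true" and not allow_app_only:
        findings.append("AllowAppOnlyPolicy=true: app may act without a user, so the "
                        "user's permissions no longer bound the effective permissions")
    for req in block.iter():
        if _local(req.tag) != "AppPermissionRequest":
            continue
        scope, right = req.get("Scope", ""), req.get("Right", "")
        allowed = SHAREPOINT_SCOPES.get(scope.lower())
        if allowed is None:
            findings.append(f"{scope}: not in the SharePoint 2013 permission table; verify manually")
            continue
        if right not in allowed:
            findings.append(f"{scope}: right {right!r} is not valid here (valid: {sorted(allowed)})")
            continue
        if scope.lower().endswith("/tenant"):
            findings.append(f"{scope}: tenant-wide scope; prefer a narrower scope")
        if right in RIGHT_RANK and RIGHT_RANK[right] > RIGHT_RANK[max_right]:
            findings.append(f"{scope}: {right} exceeds the agreed ceiling of {max_right}")
    return findings


# Constructed sample 1: the manifest fragment shown on the permission-requests slide.
DECK_MANIFEST = """<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="Read"/>
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Write">
    <Property Name="BaseTemplateId" Value="101"/>
  </AppPermissionRequest>
  <AppPermissionRequest Scope="http://sharepoint/userprofilestore/feed" Right="Post"/>
  <AppPermissionRequest Scope="http://exchange/calendars" Right="Schedule"/>
  <AppPermissionRequest Scope="http://lync/contacts" Right="Read"/>
</AppPermissionRequests>"""

# Constructed sample 2: a narrowed request inside a full (namespaced) manifest root.
TIGHT_MANIFEST = """<App xmlns="http://schemas.microsoft.com/sharepoint/2012/app/manifest">
  <AppPermissionRequests>
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="Read"/>
  </AppPermissionRequests>
</App>"""

if __name__ == "__main__":
    for name, xml in (("deck sample", DECK_MANIFEST), ("tightened", TIGHT_MANIFEST)):
        print(name, "->", review_permission_requests(xml) or "no findings")
```

Run it as a pre-commit or build step over AppManifest.xml; the ceiling is deliberately a parameter so that a request for Manage or FullControl needs an explicit reviewer override rather than silently passing.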
24. SHAREPOINT 2013 APP AUTHN
[Flowchart: how SharePoint 2013 decides which context a call runs in. Decision nodes: "User credentials provided?", "Call is to an app web?", "App token provided?", "App token includes user?". Outcomes: User only context, User + App context, App only context, Anonymous context.]
Read as a decision tree:
User credentials provided, call is not to an app web -> User only context
User credentials provided, call is to an app web -> User + App context
No user credentials, no app token -> Anonymous context
No user credentials, app token that includes a user -> User + App context
No user credentials, app token without a user -> App only context
25. APP + USER AND APP ONLY
[Diagram: two Venn-style figures. App only: effective permissions = the app's permissions. App + User: effective permissions = the overlap of the user's permissions and the app's permissions, so the app can do nothing the current user could not do.]
27. WINDOWS AZURE ACCESS CONTROL SERVICE (ACS)
ACS is required by the OAuth implementation in SharePoint 2013
ACS acts as the token-issuing server (the authorization server in OAuth terms)
ACS must be trusted by the content server (SharePoint)
ACS must be trusted by the client app
How is ACS configured as the token issuer?
It's automatically configured for sites in an Office 365 tenancy - nothing to do
In an on-premises farm, a trust to ACS must be configured with PowerShell
http://technet.microsoft.com/en-us/library/jj838715.aspx
28. REGISTERING A NEW APP PRINCIPAL
Client ID
Client Secret
Title
App Domain
Redirect URL
http://contososerver/_layouts/15/appregnew.aspx
35. 3) ACS returns a signed context token
[Sequence diagram, built up across slides 35-41: Browser, App.com, SharePoint and ACS, with numbered arrows 1 to 9 matching the steps below]
36. 4) SharePoint renders a page with an iframe that POSTs the context token to App.com:
POST https://app.com/
…
SPAppToken=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.e…
37. 5) The iframe causes the browser to request content from App.com, including the context token
38. 6) App.com validates the signature on the context token with its client secret, extracts the refresh token the context token carries, and uses its client ID and client secret to request an access token from ACS
39. 7) Windows Azure Access Control Service (ACS) returns an access token
40. 8) App.com calls the SharePoint CSOM or REST API with the access token (Authorization: Bearer header)
41. 9) SharePoint returns the data from the CSOM or REST API call
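The security-critical moment in that exchange is step 6: the context token reaches App.com through the user's browser, so anyone can POST an SPAppToken of their own making, and an app that reads the refresh token without checking the signature will happily hand a forged token to ACS. The following is an added example, not code from the deck or from the SDK's TokenHelper.cs: the checks App.com should make on the context token (HS256 signature keyed with the base64-decoded client secret, issuer, audience, sender and lifetime) and the form body it then POSTs to ACS. The realm, client ID, client secret, host name and refresh token are constructed values, and the mint_context_token helper is an offline stand-in for what ACS does at step 3. Reading the STS URL from the appctx claim is an assumption for the example; TokenHelper discovers it from ACS metadata instead.

```python
"""Added example: validate a SharePoint 2013 context token and build the ACS access-token request."""
import base64
import hashlib
import hmac
import json
import time
import urllib.parse

SHAREPOINT_PRINCIPAL = "00000003-0000-0ff1-ce00-000000000000"  # SharePoint's app id in ACS
ACS_PRINCIPAL = "00000001-0000-0000-c000-000000000000"         # ACS's own app id


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def validate_context_token(token, client_id, client_secret_b64, host, now=None):
    """Return the claims of a context token, or raise ValueError if any check fails."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":              # refuse alg=none and anything unexpected
        raise ValueError("unexpected alg")
    key = base64.b64decode(client_secret_b64)      # the HMAC key is the decoded client secret
    signed = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature does not verify under this app's client secret")
    claims = json.loads(_b64url_decode(payload_b64))
    realm = claims["iss"].rsplit("@", 1)[-1]
    if claims["iss"].lower() != f"{ACS_PRINCIPAL}@{realm}".lower():
        raise ValueError("issuer is not ACS")
    if claims["aud"].lower() != f"{client_id}/{host}@{realm}".lower():
        raise ValueError("token was issued to a different app or SharePoint host")
    if claims.get("appctxsender", "").lower() != f"{SHAREPOINT_PRINCIPAL}@{realm}".lower():
        raise ValueError("context sender is not SharePoint")
    if not (claims["nbf"] <= now < claims["exp"]):
        raise ValueError("token not yet valid or expired")
    return claims


def build_access_token_request(claims, client_id, client_secret_b64, host):
    """Step 6: the form body App.com POSTs to ACS to trade the refresh token for an access token."""
    realm = claims["iss"].rsplit("@", 1)[-1]
    sts_url = json.loads(claims["appctx"])["SecurityTokenServiceUri"]  # assumption: taken from the token
    body = {
        "grant_type": "refresh_token",
        "client_id": f"{client_id}@{realm}",
        "client_secret": client_secret_b64,
        "refresh_token": claims["refreshtoken"],
        "resource": f"{SHAREPOINT_PRINCIPAL}/{host}@{realm}",  # the SharePoint host being called
    }
    return sts_url, urllib.parse.urlencode(body)


def mint_context_token(client_id, client_secret_b64, host, realm, refresh_token, now):
    """Constructed stand-in for ACS at step 3, so the example runs offline."""
    header = {"typ": "JWT", "alg": "HS256"}       # same header as the deck's SPAppToken sample
    claims = {
        "aud": f"{client_id}/{host}@{realm}",
        "iss": f"{ACS_PRINCIPAL}@{realm}",
        "nbf": int(now),
        "exp": int(now) + 12 * 3600,
        "appctxsender": f"{SHAREPOINT_PRINCIPAL}@{realm}",
        "appctx": json.dumps({"CacheKey": "example-cache-key",
                              "SecurityTokenServiceUri":
                              f"https://accounts.accesscontrol.windows.net/{realm}/tokens/OAuth/2"}),
        "refreshtoken": refresh_token,
        "isbrowserhostedapp": "true",
    }
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signed = _b64url_encode(compact(header)) + "." + _b64url_encode(compact(claims))
    sig = hmac.new(base64.b64decode(client_secret_b64), signed.encode("ascii"), hashlib.sha256).digest()
    return signed + "." + _b64url_encode(sig)


# Constructed sample values (not a real tenant, app or secret).
REALM = "7a3b1c2d-0000-4000-8000-000000000001"
CLIENT_ID = "b7d6e3a1-1111-4222-8333-000000000002"
CLIENT_SECRET = base64.b64encode(bytes(range(32))).decode("ascii")
HOST = "tenant.sharepoint.com"
NOW = 1_700_000_000
SAMPLE_TOKEN = mint_context_token(CLIENT_ID, CLIENT_SECRET, HOST, REALM, "example-refresh-token", NOW)

if __name__ == "__main__":
    claims = validate_context_token(SAMPLE_TOKEN, CLIENT_ID, CLIENT_SECRET, HOST, now=NOW + 60)
    url, body = build_access_token_request(claims, CLIENT_ID, CLIENT_SECRET, HOST)
    print("POST", url)
    print(body)
```

The audience check is what stops a token issued for the same app on a different SharePoint host from being replayed here, and the sender check ties the context token to SharePoint's well-known principal; both are cheap and both are skipped by naive JWT decoders that only verify the signature.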
51. WHAT IS A SERVER-TO-SERVER (S2S) TRUST
A trusted connection between the client app and the SharePoint web server
Eliminates the need to involve ACS when running apps within private networks
Trust between the servers is configured using one or more X.509 certificates (the deck calls them SSL certificates)
App server code requires access to the public/private key pair of that certificate; guard the private key like an administrator credential, because whoever holds it can sign tokens that SharePoint accepts for any user the app is allowed to act for
Requires creating an S2S Security Token Service on the SharePoint web server(s)
52. SERVER-TO-SERVER (S2S) TRUST
[Diagram: private network environment. User -> Client App -> SharePoint Web Server hosting the S2S STS; the client app holds the public/private key pair (.pfx) of the SSL cert; numbered arrows 1 to 4.]
53. CREATING AN IIS WEB SITE FOR THE APP
Create an IIS web site to deploy the developer-hosted app
Disable anonymous access to ensure all access is authenticated
Modify the web.config file to add the location of the private key file (.pfx) and its password; a .pfx password in web.config is a plaintext secret on disk, which is why the PnP sample named below loads the certificate from the Windows certificate store instead
54. CREATING AN IIS WEB SITE FOR THE APP
PnP Core.OnPrem.S2S.WindowsCertStore
[Screenshots: original web.config and modified web.config]
55. CREATING AN IIS WEB SITE FOR THE APP
PnP Core.OnPrem.S2S.WindowsCertStore
[Screenshot: original TokenHelper.cs]
56. CREATING AN IIS WEB SITE FOR THE APP
PnP Core.OnPrem.S2S.WindowsCertStore
[Screenshot: modified TokenHelper.cs]
60. ACCESS TOKEN AND USER PROFILE
[Diagram: App.com calls the _api endpoint with the access token; the SharePoint server (Intranet.contoso.com) resolves the user identity in the token to an SPUser through the user profile, matching on the upn, smtp or sip claims (ClaimToken).]
GET https://Tenant.SharePoint.com/_api/Web HTTP/1.1
Authorization: Bearer eyJ0eXAiOiJKV1Q…wcjZBbVFqNCJ9.
61. APP IDENTITY ONLINE & ON-PREM
[Diagram, built up across slides 61-63: Cloud side, App <-> Office 365 via Azure ACS / Azure AD; On-Prem side, App <-> SharePoint; Hybrid, on-prem SharePoint using the O365 Azure AD]
In the cloud
Windows Azure AD comes with O365
Apps use '3-legged' OAuth via Azure ACS
On-Premises
Cert-based trust (S2S)
On-prem to on-prem
Hybrid
Use O365 Azure AD with on-prem SP
Supports Marketplace and on-prem apps
65. MONITORING AND TROUBLESHOOTING
Logging & instrumentation
Transient fault handling and retry logic
Caching and performance
Web service connectivity and guaranteed delivery
Expiring Certificates and passwords
67. AGENDA
Minification of web assets
Content Delivery Networks
Packaging and Deployment
Deploying to on-prem and hosted server farms
IIS configuration
74. UPGRADE AND VERSIONING
Upgrading your app
Upgrade packaging and deployment
Multi-tenant & Multi-version runtime considerations
75. eventmobi.com/sptcboston