Building Secure Extranets with Claims-Based Authentication #SPEvo13
•Transferir como PPTX, PDF•
5 gostaram•10,517 visualizações
Slides from my session at the SharePoint Evolution Conference 2013 about building secure extranets with Claims-Based Authentication
Recomendados
Recomendados
Mais conteúdo relacionado
Mais procurados
Mais procurados (20)
Semelhante a Building Secure Extranets with Claims-Based Authentication #SPEvo13
Semelhante a Building Secure Extranets with Claims-Based Authentication #SPEvo13 (20)
Mais de Gus Fraser
Mais de Gus Fraser (7)
Último
Último (20)
Building Secure Extranets with Claims-Based Authentication #SPEvo13
- 1. Building Secure SharePoint Extranets with Claims Based Authentication #COM716 Aonghus (Gus) Fraser @gusfraser af@c5.je
- 2. Aonghus Fraser (MCPD, MCITP, MCSD) Based in (Old) Jersey & Guernsey SharePoint Lead Consultant @ C5 Alliance – ~75 Consultants; ~18 SharePoint & CRM* Working with SharePoint since WSS 2.0 af@c5.je / @gusfraser / #COM716 Run www.cispug.org Blog at http://techblurt.com #SPRunners *probably the highest concentration of SharePoint on the planet (unconfirmed)
- 3. Jersey
- 4. Guernsey
- 6. Agenda Extranets – Why? Why Claims? Claims-Based Authentication Secure Extranet Topologies Case Studies & Demonstrations MyGov.je Dvs.MyGov.je SharePoint 2013 – Claims First Azure ACS & 3rd Party Providers
- 8. Extranets – Why? Security Controlled information management & delivery Avoid insecure or uncontrolled use e.g. Email, Dropbox, SkyDrive etc. Customer service Self-service, 24x7 Efficiency Reduced manual effort
- 9. Extranets – Why Claims? Delegate Authentication to a TRUSTED 3rd party (Federation) Standards & Interoperability SharePoint 2013… it’s the future!
- 10. Quis custodiet ipsos custodes? “Who Guards the Guards?” Trust problems since the 1st/2nd century… 21st century version: Who do I trust with my Identity? Which Identity provider do I trust to authenticate users/federate with? – Partner/Customer AD? – LiveID? – Facebook? – OpenID?
- 11. Claims-Based Concepts Identity Set of unique user-defining claims/attributes Claim(s) Identity attributes (e.g. Username, Email, Role) Issuer / Authority / Provider E.g. DC, ADFS, STS Relying Party Application e.g. SharePoint, custom app Token
- 12. What do we mean by Claim? Property that I HAVE / What I AM E.g. Name, Email, Username (could be a Role) NOT What can I do (Authorisation) Wrapped up in a SAML Assertion/Token (XML) C2WTS converts to Windows (Kerberos or NTLM)
- 13. Claim Types SharePoint STS (native SharePoint) Windows Claims (from Kerberos or NTLM to SAML token) Federated Claims ADFS 2.0, Azure ACS Custom Claims Custom STS
- 14. Real World Claims Analogy Identity Provider Claims Identity
- 16. Assumptions / Requirements Separate Extranet Farm (separate AD) Firewalls between Farms (ISA/TMG/UAG etc.) No external access to internal farm No data to be stored in the public Cloud
- 17. Scenario 1: Isolated Farms No access to extranet farm without external AD account Limited collaboration Firewall DB Cluster APP[01-02] FirewallDC[01-02]WFE[01-02] DMZWFE[01,02 DMZDB ClusterDMZAPP01 DMZDC[01,02] Internal Farm Extranet Farm Internal Users
- 18. Firewall DB Cluster APP[01-02] FirewallDC[01-02]WFE[01-02] DMZWFE[01,02] DMZDB ClusterDMZAPP01 DMZDC[01,02] Internal Farm Extranet Farm Internal Users One way AD Trust Scenario 2: One-way AD Trust Internal users granted access with AD Trust Requires potentially undesirable firewall “holes”
- 19. Firewall DB Cluster APP[01-02] FirewallDC[01-02]WFE[01-02] DMZWFE[01,02] DMZDB ClusterDMZAPP01 DMZDC[01,02] Internal Farm Extranet Farm Internal Users ADFS 2.0 ADFS[01,02] Scenario 3: ADFS 2.0 Internal users granted access via ADFS 2.0 Most secure multiple farm extranet with easy internal user access
- 20. More on ADFS 2.0 Source:Claims-based Identity Second Edition
- 21. Case Studies
- 22. MyGov.je Online Citizen Services Portal Jobs, News, Planning Applications SharePoint 2010 front-end CRM 2011 back-end Web services with X.509 certs SharePoint STS with custom Membership provider
- 23. Systems Integration Payment Gateway JD Edwards Licar (Driving License system) Planning (Northgate)
- 24. MyGov Topology Firewall DB Cluster APP01 Firewall DCs[01 – 02] WFEs[01 – 03] DMZWFEs[01 – 04] DMZDB Cluster DMZAPP01 DMZDCs[01-02] Internal Network Extranet Farm Internal Users CRM[01,02] JD Edwards DVS Planning
- 25. MyGov Sequence Diagram User WFE / STS CRM Anon Request Create SAML token Login Check credentials Success Augment Claim with CRM Identity FedAuth Cookie FedAuth Cookie
- 26. MYGOV CITIZEN PORTAL Claims-based authentication with back-end Microsoft Dynamics CRM integration
- 31. DVS Online Book driving test Re-use of Citizen Portal; different web app SharePoint 2010 front-end CRM 2011 back-end Licar integration
- 32. DVS ONLINE Claims-based authentication with back-end Microsoft Dynamics CRM & Licar Driver licensing system
- 40. SharePoint 2013 “Claims First” – Classic authentication deprecated (PowerShell only) Distributed Cache! No more sticky sessions for FedAuth cookies! Improved Logging (ULS) Without Claims: No Apps! No OWAPP! (e.g. Search result preview) A lot of “net new” 2013 features use Claims..
- 41. Identities in SharePoint 2013 i:0#.f|membershipprovider|user i:0#.w|domainuser i:05.t|azure|email@domain.com i:05.t|facebook|gus@techblurt.com i:0i.t|ms.sp.ext|{guid}@{guid}
- 42. Upgrade / Migration Tips Upgrade Classic 2010 Farms to Claims in 2010 BEFORE Upgrading to 2013 Upgrade WindowsPrincipal code to IClaimsPrincipal
- 43. Azure Acces Control Services Identity Management in the Cloud
- 44. Azure Access Control Services Free! (since Nov 2012) Authentication, authorisation & integration with ID providers Manages Certs, Relying Parties, ID Providers
- 46. ACS Supported ID Providers WS-Fed, OpenID ADFS 2.0 Windows Live ID Facebook Google ID Yahoo
- 47. AZURE ACS, SHAREPOINT & FACEBOOK
- 49. Setup Azure ACS ID Provider
- 51. ACS ID Providers, Mappings & Certs
- 54. Facebook App
- 55. Facebook Claims
- 56. References A Guide to Claims-Based Identity and Access Control, Second Edition http://www.microsoft.com/en-us/download/details.aspx?id=28362 Programming WIF http://shop.oreilly.com/product/9780735627185.do ACS Code Samples Index http://msdn.microsoft.com/en-us/library/gg185965.aspx
- 57. Bingo Prizes!
- 58. Thank you for attending! @gusfraser af@c5.je #COM716
Notas do Editor
- NOT a technical deep dive on security or SAML Explanation of the terminology & demonstration of real world examples
- e.g. Facebook OAuth – what is THEIR password complexity? Identity 2.0 – Dick HardtFacebook: When you create a new password, make sure that it's at least 6 characters long. Try to use a complex combination of numbers, letters, and punctuation marks….
- C2WTS – part of WIF, installed with SP2010+ necessary for
- Not all identities or claims are created equally…
- Some of you might recognise this driving license, I use it to present my claim (my name) in exchange for a ticketThe claims application (ground staff) check if he or she trusts the identity provider. It’s actually the Parish of St. Clement in Jersey, but let’s just say Jersey I then get a token which allows me through security, who doesn’t look at my ID anymore
- 53 TCP/UDP DNS 88 TCP/UDP Kerberos 389 TCP/UDP LDAP 445 TCP SMB 636 TCP LDAP (SSL)
- ADFS CAN be installed on the DC however then you must have an ADFS proxy role or UAG to act as a proxy in front of the DCHowever UAG doesn’t provide O365 or Mobile device supportWID for less than 100 trusted relationships – internal usersWID + Proxies – external DB
- WID for less than 100 trusted relationships – internal usersWID + Proxies – external DB
- App Identifier = Issuer Guid @ Realm Guid (Get-SPAuthenticationRealm) – ServiceContext $spweb.SiteBecause applications need permissions too! Security Principal themselves
- Used to be $1.99 per 100,000 transactions. If you used to use