How will SharePoint 2010 allow organizations to collaborate and share knowledge with clients and partners? SharePoint empowers organizations to build extranet sites and partner portals inexpensively and securely. Learn what claims-based authentication is and how to use it. Learn about the new multi-authentication mode in SharePoint 2010. Learn how SharePoint 2010 can help your organization open its doors to its clients and partners securely.
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connect you to your partners?
1. SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connect you to your partners?
Brian Culver, MCM, MCPD, Solutions Architect, Expert Point Solutions
3/23/2010
2. Session Agenda
Extranet Definition
Common Extranet Scenarios
Extranet Design Considerations & Challenges
Claims Based Authentication and other Authentication Scenarios
Mixed Mode vs. Multi-Authentication
8. Back-to-Back Perimeter Topology (diagram: External Users on the Internet reach the Web Front Ends in the Perimeter; App Servers and Infrastructure Servers sit in the Corporate Network alongside Internal Users)
9. Split Back-to-Back Topology (diagram: External Users on the Internet; the Perimeter holds WFE, App and Infra servers and the Corporate Network holds further App and Infra servers alongside Internal Users)
10. Security Terms
Authentication is the mechanism whereby systems may securely identify their users. It creates an identity for a security principal: "Who am I?"
Authorization is the mechanism by which a system determines what level of access a particular authenticated user should have to secured resources controlled by the system. It determines what resources an identity has access to: "What can I access?"
11. SharePoint Authentication
SharePoint does not authenticate:
Windows authentication via Windows Server and IIS (Kerberos/NTLM)
FBA via ASP.NET and authentication providers (SQL, LDAP, etc.)
Web SSO via Active Directory Federation Services (ADFS) and other Identity Management Systems
SharePoint creates user profiles:
The SPUser object represents the security principal
The User Profile List in each Site Collection tracks user profiles
12. SharePoint 2010 Security
SharePoint 2010 changes authentication: it uses classic mode and claims-based authentication
Classic mode is the SharePoint 2007-style legacy mode
Claims-based authentication is the new security model
What are the benefits?
Claims decouple SharePoint from the authentication provider
Allows SharePoint to support multiple authentication providers per URL
Identities can be passed without Kerberos delegation
Allows federation between organizations
ACLs can be configured with DLs, Audiences and OUs
13. Identity Normalization (diagram)
Classic: NT Token (Windows Identity) -> SPUser
Claims: NT Token (Windows Identity), SAML 1.1+ (ADFS, etc.) and ASP.NET FBA (SQL, LDAP, Custom ...) -> SAML Token (Claims Based Identity) -> SPUser
14. Claims-Based Terminology
Identity: security principal used to configure the security policy
Claim (Assertion): attribute of an identity (such as Login Name, AD Group, etc.)
Issuer: trusted party that creates claims
Security Token: serialized set of claims (assertions) about an authenticated user
Issuing Authority: issues security tokens knowing the claims desired by the target application (AD, ASP.NET, LiveID, etc.)
Security Token Service (STS): builds, signs and issues security tokens
Relying Party: application that makes authorization decisions based on claims
17. Authentication Scenarios: Mixed Mode (diagram)
Extranet Zone: https://extranet.contoso.com, FBA claims, Remote Employees
Intranet Zone: http://contoso, Windows claims, Employees
18. Authentication Scenarios: Mixed Mode: When to Use It
Different scheme for different protocols: Intranet HTTP, Extranet HTTPS
Protecting access from different channels: preventing employees from logging in from home except the Sales division; dedicating the Extranet to vendors only
Preferred choice for solutions that require separate environments: a Publishing Portal authored by employees and consumed by customers
20. Authentication Scenarios: Multi-Authentication: When to Use It
Same experience for different classes of users: single URL
Same experience for the same users no matter where they access content from (à la Outlook Web Access)
Preferred choice for cross-company collaboration solutions
21. SharePoint 2010 Beta 2
Supported at Beta 2: Windows-Classic; FBA-Claims; Anonymous; FBA-Claims + Anonymous
NOT ready for deployment at Beta 2: Windows-Claims; SAML-Claims; Windows-Claims + FBA-Claims
23. Learn More about SharePoint 2010
Information for IT Pros at TechNet: http://MSSharePointITPro.com
Information for Developers at MSDN: http://MSSharePointDeveloper.com
Information for Everyone: http://SharePoint.Microsoft.com
25. Sources and Links
Geneva Framework: A Better Approach For Building Claims-Based WCF Services http://msdn.microsoft.com/en-us/magazine/dd278426.aspx
An Introduction to Claims http://msdn.microsoft.com/en-us/library/ff359101.aspx
Microsoft SharePoint Conference 2009 http://www.mssharepointconference.com/Pages/default.aspx
Identity Management http://msdn.microsoft.com/en-us/security/aa570351.aspx
Editor's Notes
So today we are going to define an extranet and cover …
Lets look at three common network topologies …
Authentication returns the security principal in HttpContext.User. IIS authenticates. FBA requires authentication providers to implement the Membership Provider interface. Web SSO requires authentication providers to implement the Membership Provider interface, including an HttpModule for the Web SSO provider.
Membership Provider: GetUser(string), GetUserNameByEmail, FindUsersByEmail, FindUsersByName
Role manager: RoleExists, GetRolesForUser, GetAllRoles
Web SSO HttpModule: AuthenticateRequest uses the user auth cookie to set HttpContext.User with the security principal; EndRequest is used to catch the 401 responses from WSS and turn them into a 302 redirect for authentication to the Web SSO logon server.
Classic: Windows native (NTLM, Kerberos). SharePoint consumes the NT token into an SPUser.
Claims: Windows (NTLM, Kerberos), FBA (LDAP, ASP.NET/SQL), SAML (ADFS, WS-Trust, WS-Federation).
Claims authentication for Microsoft SharePoint Server 2010 is built on Windows Identity Foundation. Windows Identity Foundation is a set of .NET Framework classes that are used to implement claims-based identity.
The client is using a web browser. The client makes a web request (HTTP GET). SharePoint responds with a 401 Unauthenticated and a 302 to the URL to authenticate. The authentication request is submitted to, and processed by, the local STS or another SAML-compliant identity provider, such as LiveID. The identity provider validates the identity and returns the security token (NT token/SAML token). Does SharePoint trust the token? The SharePoint (relying party) STS finds the policy for the requesting Web application in the policy store and creates a token for the requesting user using identity assertion values in the attribute store. Token augmentation: we add additional claims. A valid security token (a new SharePoint SAML token) is returned to the user and then submitted to the Web application. The web browser requests the SharePoint resource with the SharePoint security token. The SAML token is converted into an SPUser. Note that there are two different tokens: one from the identity provider, another from SharePoint.
Mixed Mode Authentication (MOSS 2007): a single SharePoint Web Application, extended to IIS applications with different URLs and authentication.
Multi-Authentication: a single SharePoint Web Application with more than one authentication provider.
Different scheme for different protocols
Protecting access from different channels
Anonymous web sites
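As an added example (not from the deck), this is how the trust relationship and claim mappings from the claims terminology slide, plus the two deployment shapes contrasted here (multi-authentication on one URL versus a mixed-mode Extranet zone), would be set up with SharePoint 2010 PowerShell cmdlets. The ADFS hostname, certificate path, realm, URLs and app pool account are placeholders, and it assumes the released cmdlets rather than the Beta 2 support matrix on the earlier slide.

```powershell
# Added example, not from the deck: run in the SharePoint 2010 Management Shell on a farm server.
# Placeholders: ADFS at adfs.contoso.com, its token-signing certificate exported to
# C:\certs\adfs-signing.cer, realm urn:sharepoint:extranet, managed account CONTOSO\spapppool.

# 1. Trust the issuer. SharePoint accepts SAML tokens only when they are signed by a certificate
#    it has been told to trust; this is the "Does SharePoint trust the token?" step of the flow.
$signingCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\certs\adfs-signing.cer")
New-SPTrustedRootAuthority -Name "ADFS Token Signing" -Certificate $signingCert

# 2. Map incoming claims. The identifier claim must be unique and stable per user (e-mail here);
#    the role claim carries group membership that SharePoint ACLs can then be granted to.
$emailMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$roleMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
    -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

# 3. Register the identity provider (the issuing authority / STS the deck describes).
#    -Realm is the audience SharePoint expects in the token; the relying-party trust on the
#    ADFS side must use the same identifier or tokens will be rejected.
$adfs = New-SPTrustedIdentityTokenIssuer -Name "Contoso ADFS" -Description "Partner SAML logon" `
    -Realm "urn:sharepoint:extranet" -ImportTrustCertificate $signingCert `
    -ClaimsMappings $emailMap, $roleMap -SignInUrl "https://adfs.contoso.com/adfs/ls/" `
    -IdentifierClaim $emailMap.InputClaimType

# 4a. Multi-authentication: one web application, one URL, two providers (employees via
#     Windows claims, partners via SAML claims). Users choose the provider on the logon page.
$windows = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
$saml    = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $adfs
$wa = New-SPWebApplication -Name "Collaboration" -ApplicationPool "CollabAppPool" `
    -ApplicationPoolAccount (Get-SPManagedAccount -Identity "CONTOSO\spapppool") `
    -Url "https://collab.contoso.com" -Port 443 -SecureSocketsLayer `
    -AuthenticationProvider $windows, $saml

# 4b. Mixed-mode alternative for the same web application: extend it into the Extranet zone
#     with its own URL and only the SAML provider, so partners never see the Windows logon
#     and the default-zone URL can stay Windows-only behind the firewall.
New-SPWebApplicationExtension -Identity $wa -Name "Collaboration - Extranet" -Zone Extranet `
    -Url "https://extranet.contoso.com" -Port 443 -SecureSocketsLayer `
    -AuthenticationProvider $saml
```

After either step, verify with Get-SPTrustedIdentityTokenIssuer and Get-SPWebApplication that only the intended provider is bound to each zone; an extra provider on an Internet-facing zone widens who can reach the logon page.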