Post on 27-Nov-2014
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connect you to your partners?
Brian Culver, MCM, MCPD
Solutions Architect
Expert Point Solutions
3/23/2010
Session Agenda
• Extranet Definition
• Common Extranet Scenarios
• Extranet Design Considerations & Challenges
• Claims Based Authentication and other Authentication Scenarios
• Mixed Mode vs. Multi-Authentication
Extranet - Definition
• A web application that is shared with external users, such as partners, vendors, and customers
• Common attributes for an extranet:
  – Sharing a private network or secured network
  – Requires authenticated access, but the identity of the consumer is not always known
  – Has better security controls than an Internet Web application but usually less secure than the Intranet Web application
Common Extranet Scenarios
(Slide matrix; scenario types across the top, audiences down the side.)
• Scenario types: Line of Business Applications, Collaboration, Static Content or Publishing
• Audiences: Remote Employees, Partners, Vendors & Customers
• Considerations shown on the slide:
  – Isolate and segregate internal data.
  – Authorize to use only sites and data that are necessary for their contributions.
  – Restrict partners from viewing other partners' data.
  – Target content: segment content, and limit content access and search results based on audience.
Extranet Design Considerations & Challenges
• Network Topology and Access
• Identity Management
  – Seamless Single Sign-on Experience
• Content Security and Access
• Antivirus
  – Client
  – Server
• Rich Client Experience (Office Integration)
Edge Firewall Topology
(Diagram labels: Internet, External Users, Corporate Network, SharePoint Farm, Internal Users.)
Back-to-Back Perimeter Topology
(Diagram labels: Internet, External Users, Perimeter, Web Front Ends, App Servers, Infrastructure Servers, Corporate Network, Internal Users.)
Split Back-to-Back Topology
(Diagram labels: Internet, External Users, Perimeter, WFE, App, Infra, Corporate Network, App, Infra, Internal Users.)
Security Terms
• Authentication is the mechanism whereby systems may securely identify their users
  – Creates an identity for a security principal
  – Who am I?
• Authorization is the mechanism by which a system determines what level of access a particular authenticated user should have to secured resources controlled by the system.
  – Determines what resources an identity has access to
  – What can I access?
SharePoint Authentication
• SharePoint does not authenticate by itself; it relies on:
  – Windows authentication via Windows Server and IIS (Kerberos/NTLM)
  – FBA via ASP.NET and authentication providers (SQL, LDAP, etc.)
  – Web SSO via Active Directory Federation Services (ADFS) and other Identity Management Systems
• SharePoint creates user profiles
  – The SPUser object represents the security principal
  – The User Profile List in each Site Collection tracks user profiles
SharePoint 2010 Security
• SharePoint 2010 changes authentication
  – Uses classic mode and claims based authentication
  – Classic mode is the SharePoint 2007 style legacy mode
  – Claims-based authentication is the new security model
• What are the benefits?
  – Claims decouple SharePoint from the authentication provider
  – Allows SharePoint to support multiple authentication providers per URL
  – Identities can be passed without Kerberos delegation
  – Allows federation between organizations
  – ACLs can be configured with DLs, Audiences and OUs
Identity Normalization
(Diagram, two columns.)
• Classic: NT Token (Windows Identity) → SPUser
• Claims: NT Token (Windows Identity), ASP.NET (FBA: SQL, LDAP, Custom …) and SAML 1.1 + ADFS, etc. → SAML Token (Claims Based Identity) → SPUser
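The normalized SPUser carries its origin in SharePoint 2010's encoded claim login name (for example `i:0#.w|contoso\bob` for a Windows user, `i:0#.f|FbaMembers|bob` for an FBA user, `i:05.t|ADFS|bob@partner.example` for a SAML identity), which is what you see in site permissions and `Get-SPUser` output. The decoder below is an added example written for this page, not code from the deck or from Microsoft; it lists only the claim-type and issuer codes the author is certain of and reports anything else as unknown, and the sample login names are constructed.

```powershell
# Claim-type and original-issuer codes used in SharePoint 2010 encoded claim login names.
# Only codes the author is certain of are listed; anything else is reported as "unknown".
$ClaimTypeCodes = @{
  '#' = 'http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname'
  '5' = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
  '-' = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'
  '+' = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
  '!' = 'http://schemas.microsoft.com/sharepoint/2009/08/claims/identityprovider'
}
$IssuerCodes = @{
  'w' = 'Windows'; 'f' = 'Forms (ASP.NET)'; 't' = 'Trusted provider (SAML)'
  'm' = 'Membership provider'; 'r' = 'Role provider'; 's' = 'Local SharePoint STS'
}

function ConvertFrom-SPEncodedClaim {
  param([Parameter(Mandatory=$true)][string]$Encoded)
  # Layout: <i|c>:0<claimType><valueType><issuer>|[<issuerName>|]<value>
  if ($Encoded -notmatch '^([ic]):0(.)(.)(.)\|(.*)$') { throw "Not an encoded claim: $Encoded" }
  $type = $Matches[2]; $valueType = $Matches[3]; $issuer = $Matches[4]; $rest = $Matches[5]
  # Windows and local-STS claims carry no issuer name; forms/trusted/membership/role claims do.
  if ('w', 's' -contains $issuer) { $issuerName = $null; $value = $rest }
  else { $issuerName, $value = $rest -split '\|', 2 }
  $claimType = $ClaimTypeCodes[$type]; if (-not $claimType) { $claimType = "unknown code '$type'" }
  $source = $IssuerCodes[$issuer];    if (-not $source)    { $source    = "unknown code '$issuer'" }
  New-Object PSObject -Property @{
    Encoded         = $Encoded
    IsIdentityClaim = ($Matches[1] -eq 'i')   # 'i' = identity claim, 'c' = any other claim
    ClaimType       = $claimType
    ValueIsString   = ($valueType -eq '.')
    Source          = $source
    IssuerName      = $issuerName
    Value           = $value
  }
}

# Constructed samples: the three identity sources on the slide, plus two non-identity claims.
$samples = @(
  'i:0#.w|contoso\bob'                 # Windows user (the classic NT identity, normalized)
  'i:0#.f|FbaMembers|bob'              # ASP.NET FBA user from membership provider "FbaMembers"
  'i:05.t|ADFS|bob@partner.example'    # SAML identity from trusted issuer "ADFS", e-mail as identifier
  'c:0-.f|FbaRoles|Partners'           # FBA role claim: usable in an ACL, but not an identity
  'c:0+.w|S-1-5-21-1-2-3-1234'         # Windows group by SID (constructed SID)
)
$samples | ForEach-Object { ConvertFrom-SPEncodedClaim $_ } |
  Format-Table IsIdentityClaim, Source, IssuerName, Value -AutoSize
```

When reviewing an extranet site's permissions, the Source and IssuerName columns tell you which provider vouched for each principal, which is the check behind "restrict partners from viewing other partners' data".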
Claims-Based Terminology
• Identity: security principal used to configure the security policy
• Claim (Assertion): attribute of an identity (such as Login Name, AD Group, etc.)
• Issuer: trusted party that creates claims
• Security Token: serialized set of claims (assertions) about an authenticated user
• Issuing Authority: issues security tokens knowing the claims desired by the target application (AD, ASP.NET, LiveID, etc.)
• Security Token Service (STS): builds, signs and issues security tokens
• Relying Party: application that makes authorization decisions based on claims
Claim-based Authentication
(Diagram: the Client, SharePoint, the SharePoint STS and the Identity Provider Security Token Service (IP-STS: Active Directory, LiveID, ASP.NET Membership; SAML based). Trust relationships connect SharePoint, the SharePoint STS and the IP-STS; Claims Providers feed SharePoint Authorization. The numbered steps on the slide:)
1. Request Resource (Client → SharePoint)
2. Authenticate Request/Redirect
3. Authentication Request (to the IP-STS)
4. Security token (issued by the IP-STS)
5. Service token request (to the SharePoint STS)
6. Security token response
7. Request Resource with service token
Mixed Mode Authentication vs Multi-Authentication
(Diagram: two SharePoint Farms, each with one Web Application extended into Zones: Default, Intranet, Internet, Extranet, Custom.)
• Mixed Authentication: each zone carries a single authentication method, e.g. Zone: Default with Windows Authentication and an Extended Web Application zone with FBA Authentication.
• Multi-Authentication: one zone carries several methods at once, e.g. Zone: Default with Windows Authentication and FBA Authentication, another zone with SAML Based Authentication and FBA Authentication.
Authentication Scenarios: Mixed Mode
(Diagram: Employees reach the Intranet Zone at http://contoso with Windows claims; Remote Employees reach the Extranet Zone at https://extranet.contoso.com with FBA claims.)
Authentication Scenarios: Mixed Mode: When to Use It
• Different scheme for different protocols: Intranet over HTTP, Extranet over HTTPS
• Protecting access from different channels: preventing employees from logging in from home except the Sales division; dedicating the Extranet to vendors only
• Preferred choice for solutions that require separate environments: a Publishing Portal authored by employees and consumed by customers
Authentication Scenarios: Multi Authentication
(Diagram: a single Intranet Zone at https://Corporate.contoso.com; Employees sign in with Windows claims or FBA claims, Vendors and Partners with SAML claims.)
Authentication Scenarios: Multi Authentication: When to Use It
• Same experience for different classes of users: a single URL
• Same experience for the same users no matter where they access content from (à la Outlook Web Access)
• Preferred choice for cross-company collaboration solutions
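The two scenarios above differ only in how authentication providers are bound to zones: mixed mode puts one provider on each extended zone (one URL per audience), multi-authentication puts several providers on one zone (one URL for everyone). The script below is an added example for this page, written against the released SharePoint 2010 Management Shell cmdlets (not code from the deck, and the Windows-Claims + FBA-Claims combination it uses is one the Beta 2 slide lists as not yet ready); the provider names, certificate path, realm, sign-in URL and managed account are placeholders.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Authentication providers for the three claim types on the slides.
$windows = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication

# FBA: the membership/role provider names (placeholders here) must match the <membership> and
# <roleManager> entries added to web.config for the web application, the SecurityTokenService
# application and Central Administration, or sign-in fails after the app is created.
$fba = New-SPAuthenticationProvider -ASPNETMembershipProvider "FbaMembers" -ASPNETRoleProviderName "FbaRoles"

# SAML: trust the IP-STS (ADFS in the deck) by its token-signing certificate and take the
# e-mail claim as the identifier. Certificate path, realm and sign-in URL are placeholders.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\certs\adfs-token-signing.cer")
$emailMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
  -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$issuer = New-SPTrustedIdentityTokenIssuer -Name "ADFS" -Description "Partner IP-STS" -Realm "urn:sharepoint:extranet" `
  -ImportTrustCertificate $cert -ClaimsMappings $emailMap -SignInUrl "https://adfs.contoso.com/adfs/ls/" `
  -IdentifierClaim $emailMap.InputClaimType
$saml = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $issuer

$pool = Get-SPManagedAccount "CONTOSO\spapppool"   # placeholder managed account

# Mixed mode: one provider per zone, so each audience gets its own URL (http://contoso for
# employees on the Default zone, https://extranet.contoso.com with FBA on the Extranet zone).
$portal = New-SPWebApplication -Name "Contoso Portal" -ApplicationPool "ContosoPortalPool" -ApplicationPoolAccount $pool `
  -Url "http://contoso" -Port 80 -AuthenticationProvider $windows
New-SPWebApplicationExtension -Identity $portal -Name "Contoso Extranet" -Zone Extranet -Url "https://extranet.contoso.com" `
  -Port 443 -SecureSocketsLayer -HostHeader "extranet.contoso.com" -AuthenticationProvider $fba

# Multi-authentication: Windows, FBA and SAML on ONE zone, so employees, vendors and partners
# all use https://corporate.contoso.com and choose their sign-in method on the same page.
$corp = New-SPWebApplication -Name "Contoso Corporate" -ApplicationPool "ContosoCorpPool" -ApplicationPoolAccount $pool `
  -Url "https://corporate.contoso.com" -Port 443 -SecureSocketsLayer -AuthenticationProvider $windows, $fba, $saml

# Check: which providers are bound to which zone. This is the listing to review when auditing
# whether an external zone unexpectedly accepts Windows credentials, or an internal zone accepts FBA.
foreach ($wa in @($portal, $corp)) {
  foreach ($zone in $wa.IisSettings.Keys) {
    $names = @(Get-SPAuthenticationProvider -WebApplication $wa -Zone $zone | ForEach-Object { $_.DisplayName }) -join ", "
    "{0,-20} {1,-9} {2}" -f $wa.DisplayName, $zone, $names
  }
}
```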
SharePoint 2010 Beta 2
• Supported at Beta 2
  – Windows-Classic
  – FBA-Claims
  – Anonymous
  – FBA-Claims + Anonymous
• NOT ready for deployment at Beta 2
  – Windows-Claims
  – SAML-Claims
  – Windows-Claims + FBA-Claims
Questions
Learn More about SharePoint 2010
• Information for IT Pros at TechNet: http://MSSharePointITPro.com
• Information for Developers at MSDN: http://MSSharePointDeveloper.com
• Information for Everyone: http://SharePoint.Microsoft.com
SharePint Anyone?