SPC208 – Deep dive on server-to-server identity platform

Transcript of SPC208 – Deep dive on server-to-server identity platform (41 slides)

Page 1–2: Title slide

Deep dive on server-to-server identity platform
Sesha Mani, Program Manager, SharePoint

SPC140

SPC208

Page 3: Agenda

• Deep dive on S2S platform and how it is used to build cross-server scenarios
  • Online
  • On-premise
  • Hybrid
• Deep dive into how LOB on-premise and Hybrid scenarios can be built in SharePoint 2013 with S2S

Key Takeaway 1: Out-of-box SharePoint 2013 takes cross-services collaboration and hybrid scenarios to the next level

Key Takeaway 2: New opportunities for you to build cross-service and hybrid solutions with SharePoint 2013

Page 4: Agenda (repeated from Page 3)

• Deep dive into how LOB on-premise and Hybrid scenarios can be built in SharePoint 2013 with S2S

Page 5: Is it possible to access data across hosting boundaries and sourced in different Apps in a consistent and secure manner?

Page 6: S2S (Server-to-server) auth platform makes it possible

Let us see ‘how’…

First, what are all the out-of-box S2S cross-product scenarios in SharePoint 2013…

Page 7: S2S SharePoint Cross-product Scenarios

Services                  Scenarios                     Descriptions
SharePoint to Exchange    eDiscovery                    Search and put legal holds on Exchange mailboxes from SharePoint
                          Site Mailboxes                Provisioning team mailboxes in Exchange from SharePoint
                          MySite Project Tasks Sync     Tasks in Exchange are synchronized with tasks in the SharePoint “My” site
                          High Resolution Photos        SharePoint syncs users’ high resolution photos from Exchange
SharePoint to SharePoint  Translation service           Documents hosted in SharePoint are translated on the fly
                          Hybrid: Duet/SAP              Reports from on-premise SAP presented in SharePoint Online
                          Hybrid Search                 Searching in SharePoint on-premise brings results from SharePoint Online, and vice versa
SharePoint to MTW         Multi-tenant Workflows (MTW)  Workflows are triggered from SharePoint and execute on behalf of users in MTW

Page 8: Terminologies

• Claims-based authentication
  • A claim is an attribute of a user, not confined to group membership. SharePoint 2010 introduced the claims-based identity infrastructure.
• STS (Security Token Service)
  • Service that issues security tokens intended for relying party applications.
  • SharePoint 2010 introduced a local STS; in 2013 it is enhanced to light up new scenarios.
• Trust broker
  • An STS that acts as a broker between two or more applications. ACS (Azure Access Control Service) is a trust broker between two apps.
• [New] OAuth 2.0
  • Industry standard (RFC 6749) that enables applications to gain access to a user’s resources without prompting for the user’s credentials.
• [New] S2S (Server-to-Server)
  • Extension to OAuth 2.0 that allows an application to be high trust and to delegate a user’s identity.
• [New] Application principal
  • Directory principal object that represents an application, much like users are represented by a principal in a directory (MSO-DS and AD).

Page 9: Now… let us see how S2S is implemented for O365…

Page 10: Online Design Goals

• Use a “trust broker” between online workloads instead of “direct trust”
  • ACS (Azure Access Control Service) is the ‘trust broker’ for SPO
  • Flexible architecture to scale up the number of applications that can call SPO
  • Performance-optimized token issuance for each S2S call
• An “S2S App” is a high-trust app and can vouch for a user identity
• “Application principals” are sourced from a single master source
  • MSO-DS is the source of application principals
  • All S2S application principals need to be provisioned or registered with MSO-DS

Page 11: S2S authentication – Online – flow

• Tasks sync scenario: SharePoint accesses Peter’s Exchange tasks list on behalf of Peter

[Diagram: Peter@Contoso browses to a SharePoint page and triggers a tasks sync from Exchange. Components shown: SharePoint Online (Security Token Service, OM), Exchange Online (Security Token Service), and MSO-DS with ACS in the Online tier. Trust relationships connect SharePoint Online, Exchange Online, ACS and MSO-DS; a sync link carries the tasks. Steps 1–6 are numbered on the diagram and walked through on Page 12.]

Page 12: S2S in Online – ‘Under the hood’ <take home slide>

1. User authenticates and accesses the tasks portal page in SharePoint
  • User [email protected] signs in to SPO and is assigned a PUID (Personal Unique Identifier) by OrgID, the identity provider for O365
  • User navigates to the tasks portal page and triggers a sync
2. SPO requests an S2S token from ACS
  • SPO authenticates to ACS with a ‘self-authenticator’ token that it created with its local STS
  • SPO requests a token for the EXO resource
3. ACS validates SPO’s request
  • ACS validates that
    • it is indeed the SPO app principal
    • the resource it is trying to access is indeed a host name that ACS knows
  • Upon successful validation, ACS issues a signed S2S ‘inner’ token that
    • identifies the SPO app principal
    • names the audience the token is intended for
    • is valid only for a certain time period and is signed with ACS’s certificate
4. SPO amends the S2S token and sends it to EXO
  • adds an S2S ‘outer’ token carrying the user identity information and inserts the ‘inner’ token into it
  • sends the S2S token to EXO
5. EXO validates SPO’s request
  • EXO validates that the token is indeed issued by ACS
  • verifies the audience, accepts the user info, and rehydrates the user
  • authorizes SPO’s request
6. EXO returns the resources that SPO requested

Page 13: S2S in action in O365 services – Sesha Mani

Page 14: That’s great… but

my customers are still heavy on-premise users…

Is S2S supported for on-premise?

Absolutely…

Page 15: Now… let us explore how S2S scenarios are implemented for on-premise…

Page 16: On-premise only Design Goals

• No cloud dependency for on-premise-only S2S scenarios
  • On-premise products support ‘direct trust’ and can ‘self-issue’ the S2S tokens
  • Remember, SharePoint ships with a local STS!
• An S2S App can vouch for a user identity to another app
  • Kerberos constrained delegation or C2WTS (Claims-to-Windows Token Service) is NOT needed!
  • The User Profile Application is SharePoint’s source for user information
• Single master for app principals: the App Management Service
  • SharePoint on-premise sources and caches app principals in its local App Management Service
• No hard dependency on Active Directory forest topology
  • S2S trust between on-premise products is certificate based; no Active Directory trust is required
  • Forms-based authentication and SAML claims authentication support the S2S platform

Page 17: S2S authentication – On-premise – flow

• eDiscovery scenario: Peter signed in to SharePoint and put a hold on documents and Exchange mailboxes

[Diagram: peter@contoso browses to a SharePoint page and triggers a hold on an Exchange mailbox. On-premise components: SharePoint with its Security Token Service and OM, App Management Service and User Profile App (UPA) Service; Exchange with its Security Token Service. A direct trust link joins SharePoint and Exchange. Steps 1–6 are numbered on the diagram and walked through on Page 18.]

Page 18: S2S in On-premise – ‘Under the hood’ <take home slide>

1. User authenticates and accesses the eDiscovery center page in SharePoint
  • User [email protected] signs in to SP with Windows Claims and is assigned a SID (Security Identifier) by Active Directory
  • User navigates to the eDiscovery center page and triggers a hold on a mailbox in Exchange on-premise
2. SP requests an S2S token from its local SP-STS
  • SP requests an S2S token from its local STS
  • SP requests a token for the EX on-premise resource
3. SP-STS validates the request
  • SP-STS issues a signed S2S ‘inner’ token that
    • identifies the SP on-premise app principal
    • names the audience the token is intended for
    • is valid only for a certain time period and is signed with the STS’s certificate
4. SP amends the S2S token and sends it to EX on-premise
  • adds an S2S ‘outer’ token carrying the user identity information and inserts the ‘inner’ token into it
  • sends the S2S token to EX on-premise
5. EX on-premise validates SP’s request
  • EX on-premise validates that the token is indeed issued by a trusted S2S token issuer
  • verifies the audience, accepts the user info, and rehydrates the user
  • authorizes SP’s request
6. EX returns the results for the operation that SP on-premise requested

Page 19: S2S authentication – On-premise – Config

• Each S2S scenario provides guidance on how to set up the scenario
• Here is a high-level checklist:

Configuration step             In layman terms…       SharePoint                         Exchange
1. S2S trust establishment     Certificate stuff…     New-SPTrustedSecurityTokenIssuer   New-PartnerApplication
2. Permissions for principal   Allows A to access B   Set-SPAppPrincipalPermissions      Set-PartnerApplication
3. Scenario specific settings  Special sauce…         <depends on scenario>              <depends on scenario>

Page 20: Agenda (repeated from Page 3)

Page 21: How about HYBRID? i.e. O365 + On-premise …

Page 22: Hybrid Design Goals

• The platform enables “SharePoint to SharePoint” hybrid and allows other app principals
  • The design makes no assumption that the app principal is indeed a SharePoint app principal
• No compromise on user identity information in Hybrid S2S
  • Hybrid S2S calls result in a user identity as if it were an interactive user sign-in
  • Seamless mapping between Online and On-premise identity
  • [email protected] (PUID) <-> CONTOSO\peter (SID/UPN)
• Enabling hybrid in an on-premise environment doesn’t impact existing on-premise scenarios
  • Connecting to the cloud adds new capabilities while keeping existing scenarios intact
• Use a ‘trust broker’ instead of ‘direct trust’
  • ACS (Azure Access Control Service) is the ‘trust broker’ for SPO
  • Flexible architecture to scale up the number of applications that can call SPO
• “Application principals” are sourced from a single master source
  • MSO-DS is the source of application principals; the local App Management Service caches the info
  • All S2S application principals need to be provisioned or registered with MSO-DS

Page 23: Hybrid scenario with S2S – on-premise and cloud – flow

• SharePoint on-premise accesses a SharePoint Online resource without passing Joe’s online credentials

[Diagram: peter@contoso browses to a SharePoint (on-premise) page and starts a query. On-premise tier: SharePoint (on-premise) with its Security Token Service and OM, App Management Service, User Profile App (UPA) Service, and Active Directory. Online tier: SharePoint (online) with its Security Token Service, Exchange with its Security Token Service, MSO-DS, ACS and SPO-DS. Trust links connect SharePoint on-premise, ACS and SharePoint Online; sync links run from Active Directory to MSO-DS, SPO-DS and the UPA. Steps 1–6 are numbered on the diagram and walked through on Page 25.]

Page 24: S2S Hybrid scenario – Key points to remember

• Enabling hybrid in an on-premise environment
  • On-premise Active Directory is the source for user identities and attributes
  • Sync to O365 using DirSync (MSO-DS, SPO-DS), so SPO sees the same footprint of a user
  • Sync to the SP on-premise UPA using the prescribed mechanisms
• The SP on-premise app is registered with MSO-DS, the source of app principals for O365
• SP on-premise and SP Online use a trust broker, ACS, to make S2S calls to each other
• User identity mapping is based on user claims, the UPA and SPO-DS
  • User identity claims:
    • UPN
    • SMTP (from ProxyAddresses, a user Active Directory attribute)
    • SIP (from ProxyAddresses, a user Active Directory attribute)
• SharePoint source for user rehydration in S2S hybrid calls
  • On-premise: UPA
  • Online: SPO-DS

Page 25: S2S in Hybrid – ‘Under the hood’ <take home slide>

1. User authenticates and accesses the Search center page in SharePoint
  • User [email protected] signs in to SP with Windows Claims and is assigned a SID (Security Identifier) by Active Directory
  • User navigates to the Search center page, queries for a term and chooses to see results from Online too
2. SP on-premise requests an S2S token from ACS
  • SP on-premise authenticates to ACS with a ‘self-authenticator’ token that it created with its local STS
  • SP on-premise requests an S2S token from its trust broker, ACS, for calling SP Online
3. ACS validates SP on-premise’s request
  • ACS validates that
    • it is indeed the SP on-premise app
    • the resource it is trying to access is indeed a host name that ACS knows
  • Upon successful validation, ACS issues a signed S2S ‘inner’ token that
    • identifies the SP on-premise app
    • names the audience the token is intended for
    • is valid only for a certain time period and is signed with ACS’s certificate
4. SP on-premise amends the S2S token and sends it to SP Online
  • adds an S2S ‘outer’ token carrying the user identity information and inserts the ‘inner’ token into it
  • sends the S2S token to SP Online
5. SP Online validates SP on-premise’s request
  • SP Online validates that the token is indeed issued by a trusted S2S token issuer
  • verifies the audience, accepts the user info, and rehydrates the user with SPO-DS (note that for on-premise the UPA is the source)
  • authorizes SP on-premise’s request
6. SP Online returns the results for the operation that SP on-premise requested
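The six-step flows on the Online, On-premise and Hybrid ‘under the hood’ slides, modelled as an added example (not code from the session or from SharePoint): an issuer signs the inner token for the app principal, the calling app wraps it in an outer token that vouches for the user, and the receiving server checks issuer trust, app principal, audience and validity window before rehydrating the user from its directory. The example is constructed and simplified: HMAC keys stand in for the X.509 certificate signatures, the claim names, host names, keys and identities are invented, and the assumption that the receiving server holds each registered app principal’s signing key is the example’s, not the slides’.

```python
import base64, hashlib, hmac, json, time

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(key: bytes, claims: dict) -> str:
    """Compact 'payload.signature' token; an HMAC stands in for the certificate signature."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return body + "." + _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
def peek(token: str) -> dict:  # claims WITHOUT a signature check, only to choose a key
    return json.loads(_unb64(token.split(".")[0]))
def verify_token(key: bytes, token: str) -> dict:
    body, sig = token.split(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("signature check failed")
    return json.loads(_unb64(body))

# Steps 2-3: the local STS (direct trust) or ACS (trust broker) signs the 'inner' token
def issue_inner_token(issuer, key, app_principal, audience, now, lifetime=600):
    return sign_token(key, {"iss": issuer, "nameid": app_principal, "aud": audience,
                            "nbf": now, "exp": now + lifetime})
# Step 4: the calling app wraps the inner token in an 'outer' token that vouches for the user
def build_outer_token(app_key, app_principal, inner, user_claims, audience):
    return sign_token(app_key, {"iss": app_principal, "aud": audience,
                                "actortoken": inner, "user": user_claims})

class RelyingParty:  # Step 5: the receiving server (EXO, Exchange on-premise or SPO)
    def __init__(self, resource, trusted_issuers, app_keys, directory):
        self.resource = resource                 # host name both audiences must match
        self.trusted_issuers = trusted_issuers   # issuer name -> signing key
        self.app_keys = app_keys                 # registered app principal -> its key (assumed)
        self.directory = directory               # UPA / SPO-DS stand-in: claim -> local identity

    def validate(self, outer_token, now):
        app = peek(outer_token).get("iss")
        if app not in self.app_keys:
            raise ValueError("unknown app principal")
        outer = verify_token(self.app_keys[app], outer_token)
        issuer_key = self.trusted_issuers.get(peek(outer["actortoken"]).get("iss"))
        if issuer_key is None:
            raise ValueError("inner token not from a trusted S2S token issuer")
        inner = verify_token(issuer_key, outer["actortoken"])
        if inner["nameid"] != app or inner["aud"] != self.resource or outer["aud"] != self.resource:
            raise ValueError("app principal or audience mismatch")
        if not inner["nbf"] <= now < inner["exp"]:
            raise ValueError("inner token outside its validity window")
        for claim in ("upn", "smtp", "sip"):     # identity claims listed on the hybrid key-points slide
            identity = self.directory.get(outer["user"].get(claim, ""))
            if identity:
                return identity                  # user rehydrated; authorization would follow
        raise ValueError("user could not be rehydrated")

def demo():
    """Online flow (ACS as broker), on-premise flow (direct trust) and an expired replay."""
    now = int(time.time())
    acs_key, spo_key, sp_key = b"acs-key", b"spo-key", b"sp-onprem-key"   # constructed keys
    exo = RelyingParty("exo.contoso.example", {"ACS": acs_key}, {"SPO": spo_key},
                       {"peter@contoso.example": "PUID:1001"})
    inner = issue_inner_token("ACS", acs_key, "SPO", exo.resource, now)
    outer = build_outer_token(spo_key, "SPO", inner, {"upn": "peter@contoso.example"}, exo.resource)
    results = {"online": exo.validate(outer, now)}
    ex = RelyingParty("ex.contoso.local", {"SP-STS": sp_key}, {"SP": sp_key},
                      {"peter@contoso.local": "CONTOSO\\peter"})
    inner = issue_inner_token("SP-STS", sp_key, "SP", ex.resource, now)
    outer = build_outer_token(sp_key, "SP", inner, {"smtp": "peter@contoso.local"}, ex.resource)
    results["onprem"] = ex.validate(outer, now)
    try:
        ex.validate(outer, now + 601)            # replayed after the 600 s lifetime
        results["expired_rejected"] = False
    except ValueError:
        results["expired_rejected"] = True
    return results
```

In the on-premise case the issuer key and the app key are the same, which is what ‘direct trust’ with a self-issued token amounts to; in the online case the relying party trusts only ACS as issuer.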

Page 26: S2S Platform – Not supported topologies

• Cross-premise cross-product S2S calls
  • Example: SharePoint on-premise calls to Exchange Online
  • The only supported scenario in 2013 is Lync on-premise to EXO
• Cross-tenant scenarios
  • Example: SPO call from the Contoso tenancy to the Fabrikam tenancy
• S2S call between SharePoint with a non-Active Directory identity provider and Exchange or Lync on-premise
  • Example: SharePoint on-premise in FBA-Claims to Exchange in Windows
• Web apps configured with Windows-Classic authentication
  • Remember: Classic authentication mode is deprecated in SharePoint 2013

Page 27: That is a great out-of-box experience…

but… one thing…

…I am interested in writing custom LOB S2S Apps and accessing SharePoint data. Is that possible?

Page 28: Absolutely…

It’s all ‘standard protocols’ and LOB apps can be written against it…

The S2S protocol is an extension to OAuth 2.0 and is documented by MSFT (Extensions here)

S2S Protocol Profile docs are: SharePoint S2S Profile; Exchange S2S Profile; Lync S2S Profile

Page 29: Agenda (repeated from Page 3)

Page 30: Now… let us explore a LOB app that uses S2S to talk with SharePoint on-premise…

Page 31: Custom LOB App using S2S to call SharePoint On-premise – Design points

• No cloud dependency to talk to on-premise only
• Uses ‘direct trust’ instead of a ‘trust broker’
  • New-SPTrustedSecurityTokenIssuer -Name "<appName>" -Certificate "<appSigningCert>"
• The LOB App shall be able to vouch for a user identity in SharePoint
  • Uses REST interfaces in SharePoint to retrieve users’ and site information
• Design is extensible to the hybrid model such that the App can access both SPO and SP on-premise resources with the same code

Page 32: Now… let us explore how to enable that LOB app to talk with SharePoint Online …

Page 33: Custom LOB App using S2S to call SharePoint Online – Design points contd.

• The LOB App shall be able to contact SharePoint Online with zero code changes from the app code contacting on-premise
  • The app determines SP Online vs on-premise through the SharePoint challenge response
  • If the app’s self-issuer is trusted, it issues an S2S token itself
  • Else it requests the ‘trust broker’ to issue an S2S token
• Uses a ‘trust broker’ instead of ‘direct trust’
• The app principal is mastered in MSO-DS; introduce it through the SharePoint on-premise hybrid environment
• The app can vouch for a user identity, and that identity can be mapped to an online identity

Page 34: S2S in action in LOB App to SharePoint Online – Sesha Mani

Page 35: To summarize …

• Deep dive on S2S platform and how it is used to build out-of-box cross-server scenarios
  • Online (O365 Tasks sync)
  • On-premise (eDiscovery)
  • Hybrid (Search)
• Deep dive into how Hybrid and LOB scenarios can be built in SharePoint 2013 with S2S
  • LOB application to SharePoint On-premise
  • LOB application to SharePoint Online

Is that all, or is there more in the identity platform in SharePoint 2013?

Page 36: Beyond S2S – Auth platform patterns in SharePoint 2013

Pattern                                  Description
S2S Incoming*                            User is signed in to a high-trust app and calls are triggered to SharePoint
S2S Outgoing*                            User is signed in to SharePoint and calls are triggered to a high-trust app
Marketplace applications authentication  Authenticating the marketplace applications in SharePoint
Impersonation                            Being able to impersonate a user in SharePoint
App-only authentication                  Application by itself calls SharePoint resources; no user identity
Non-interactive authentication           User initiated the S2S call but the call executes at a later time when the user may not be signed in to SharePoint (example: timer jobs)

* Patterns covered in this session. For other patterns, refer to our TechNet site and the ‘Related Content’ slide for other relevant SPC sessions.

Page 37: Key takeaways to take home …

Key Takeaway 1: Out-of-box SharePoint 2013 takes cross-services collaboration and hybrid scenarios to the next level using the S2S identity platform!

Key Takeaway 2: New opportunities for you to build cross-service and hybrid solutions with SharePoint 2013 and win the customers!

Page 38: THANK YOU !

Page 39: Related Content

• SPC209 – SharePoint 2013 Identity and Authentication Smackdown
• SPC216 – Best practices for configuring SharePoint Online and Office 365 identities
• SPC218 – SharePoint Online Hybrid – Configuring BCS and Duet Online
• SPC039 – Claims-based authentication: Migrating to SharePoint 2013 identity model
• SPC241 – Understanding authentication for apps in SharePoint Online
• SPC243 – Hybrid Overview: Connecting SharePoint on-premises to O365
• SPC125 – Hybrid and Search in the cloud
• SPC267 – Working with User Profiles in SharePoint 2013
• SPC106 – Getting your apps to Office and SharePoint store

Page 40: MySPC

Evaluate this session now on MySPC using your laptop or mobile device: http://myspc.sharepointconference.com

Page 41: Legal notice

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.