T28 implementing adfs and hybrid share point

Implementing ADFS andHybrid SharePoint

Thorbjørn Værp

About me

Thorbjørn VærpPrincipal Consultant PuzzlepartKristiansand, Norwaywww.Sharepoint13.net | @vaerpn

Celebrating 21 years IT-pro, 11 of them in SPMCT | XVC

#ESPC14

Agenda

• History• Claims-based authentication• ADFS & SharePoint 2013

HISTORY

A Web service is a method of communications between two electronic devices over a network. It is a software function provided at a network address over the web with the service always on as in the concept of utility computing.

An open standard for authenticationSimilar architecture to WS-*OpenID authentication used by PayPal, Google, VeriSign, Twitter +

An open standard for authorizationMethod for clients to access server resources on behalf of a resource ownerOauth has no signing or encryption (it relies only on ssl for opacity)Wide adoption, Facebook, Microsoft,Two version, 1.0 & 2.0 –no backwards compability.

Traditional authentication mechanisms

• Anonymous• Basic• NTLM / Kerberos (WIA)• Forms based AuthN

Cannot traverse

firewalls or p

roxies!!!

The problem with authentication

• Current technologies do not work well on the Internet (NTLM, Kerberos etc.)– Basic is the only authentication mechanism that was part of the

HTTP (1.0), all the others are bolted on• Several and different user stores (AD, LDAP, eDir)• Relies on your particular platform• Authentication had to be handled and understood by the

developers, whose time is better spent developing the application• Each new authentication scheme required chaning the code

Claims-based identity

What is claims-based identity?

• Abstraction layer (indirection)• A claim is an authoritative statement about a subject made by an

entity• A claim can be anything (not just security information) that can be

associated with a subject– Name | Age | Group membership | Role

• A claim is always associated with the entity that issued it• There are several claim standards • Claims are stored and transmitted in security tokens

What is claims based identity?

– XML or binary fragments constructed according to some security standard

– Digitally signed• There are several token formats• SAML (Security Assertion Markup Language) JWT (JSON

Web Token) SWT (Simple Web Token) • Claims based identity requires a trust model – Usually implemented with digital certificates

Claims in SharePoint 2013

3 types of claim providers

WindowsTrusted Provider (SAML)Forms Based AuthN

Multiple AuthN providers possible in the same zoneClassic mode only via PowerShell

Claims in SharePoint 2013

• SP 2013 has its own STS implementation• The SP 2013 Federation Metadata is in JSON, not XML• Both Classic authentication mode (WIA) and claims mode

(WIA/FBA/SAML) is supported, but claims is the default• In claims mode every form of AuthN is transformed to a

SAML token

SAML-based Claims in SP2013

Authentication process

ADFS & SharePoint 2013

Grocery list• 4 Public Certificates + (eg.RapidSSL)

• Fs3.vaerpn.com• Sp.vaerpn.com• Tokensign.vaerpn.com• Decrypt.vaerpn.com

• Reverse proxy, (WEP, F5, Netscaler, Azure Endpoints,)

• Update public DNS• Update internal DNS• ADFS server, one or more• SharePoint 2013

Step by Step The Environment• We got AD with a routable domain | vaerpn.com,

externaly registered.• Enterprise Admin access AD DS & available admin e-mail• SP 2013 with SQL server• Firewall/ReverseProxy or Azure• One or more Win2012 R2 domain joined servers to add

ADFS 3.0 Role

What to do:1.Get those Certificates, 2. Add ADFS Role, 3. Configure ADFS & Certificates 4. Configure Claim Rule, 5: Add RelayingParty Identifier, 6. Create & Connect SP Trusted Identity Provider

Certificates ToDo

1.Get those Certificates

Copy this C

ertificate to th

e ADFS server

Do this o

n the ADFS se

rver

Repeat until you have 4 certificatesadfs.vaerpn.com -> for ADFS service signing.vaerpn.com ->for token signingdecrypt.vaerpn.com ->for decrypt (not used by SP but a prereq)sp.vaerpn.com ->for SSL on SharePoint web app (one pr.web app)

Install ADFS

2. Add ADFS Role

Configure ADFS

3. Configure ADFS

3. Test A

DFS

Add Decrypting and signing certificates

3. Configure ADFS

3. Configure ADFS

Configure ClaimRule

4. Configure Claim

Rule

AddRelayingParty

Identifier

5. Add Relaying Party

Identifier

Export the Token signing

certificate

Export the to

ken signing ce

rt

• Copy this to the SharePoint WFE

Export the to

ken signing ce

rt

Create & Connect SP

trusted Identity Provider

Do this o

n the SP W

FE server

6. Create & Connect S

P truste

d

Identity

Provider

-> Run this-> Check this

6. Create & Connect S

P truste

d

Identity

Provider

DemoWalk around & Customize

Wrap UpHistoryWS-*, OpenID, OpenAuth, David Wheeler "All problems in computer science can be solved by another level of indirection."

ClaimsA claim is an authoritative statement about a subject made by an entity. In claims mode every form of AuthN is transformed to a SAML token

ADFS & SharePoint 2013ADFS 3.0 no IIS. Always use public certificates, plan stuff, Must use PowerShell

Q&AThank You!

@vaerpn#ESPC14

T28 implementing adfs and hybrid share point

Software

Transcript of T28 implementing adfs and hybrid share point