1. Building Secure SharePointExtranets with Claims BasedAuthentication#COM716Aonghus (Gus) Fraser@gusfraseraf@c5.je

2. Aonghus Fraser (MCPD, MCITP, MCSD) Based in (Old) Jersey & Guernsey SharePoint Lead Consultant @ C5 Alliance ~75 Consultants; ~18 SharePoint & CRM* Working with SharePoint since WSS 2.0 af@c5.je / @gusfraser / #COM716 Run www.cispug.org Blog at http://techblurt.com #SPRunners*probably the highest concentration of SharePoint on the planet (unconfirmed)

3. Jersey

4. Guernsey

5. Agenda Extranets Why? Why Claims? Claims-Based Authentication Secure Extranet Topologies Case Studies & Demonstrations MyGov.je Dvs.MyGov.je SharePoint 2013 Claims First Azure ACS & 3rd Party Providers

6. SharePoint Buzzword BingoCloudAppIdentityTrustSharePoints mean Prizes!

7. Extranets Why? Security Controlled information management &delivery Avoid insecure or uncontrolled use e.g.Email, Dropbox, SkyDrive etc. Customer service Self-service, 24x7 Efficiency Reduced manual effort

8. Extranets Why Claims? Delegate Authentication to a TRUSTED3rd party (Federation) Standards & Interoperability SharePoint 2013 its the future!

9. Quis custodiet ipsos custodes? Who Guards the Guards? Trust problems since the 1st/2nd century 21st century version: Who do I trust with my Identity? Which Identity provider do I trust toauthenticate users/federate with? Partner/Customer AD? LiveID? Facebook? OpenID?

10. Claims-Based Concepts Identity Set of unique user-defining claims/attributes Claim(s) Identity attributes (e.g. Username, Email, Role) Issuer / Authority / Provider E.g. DC, ADFS, STS Relying Party Application e.g. SharePoint, custom app Token

11. What do we mean by Claim? Property that I HAVE / What I AM E.g. Name, Email, Username (could be a Role) NOT What can I do (Authorisation) Wrapped up in a SAML Assertion/Token(XML) C2WTS converts to Windows (Kerberos orNTLM)

12. Claim Types SharePoint STS (native SharePoint) Windows Claims (from Kerberos or NTLM toSAML token) Federated Claims ADFS 2.0, Azure ACS Custom Claims Custom STS

13. Real World Claims AnalogyIdentity ProviderClaimsIdentity

14. Secure Extranet Topologies

15. Assumptions / Requirements Separate Extranet Farm (separate AD) Firewalls between Farms (ISA/TMG/UAGetc.) No external access to internal farm No data to be stored in the public Cloud

16. Scenario 1: Isolated FarmsNo access to extranet farm without external AD accountLimited collaborationFirewallDB Cluster APP[01-02]FirewallDC[01-02]WFE[01-02] DMZWFE[01,02DMZDB ClusterDMZAPP01DMZDC[01,02]Internal FarmExtranet FarmInternal Users

17. FirewallDB Cluster APP[01-02]FirewallDC[01-02]WFE[01-02] DMZWFE[01,02]DMZDB ClusterDMZAPP01DMZDC[01,02]Internal FarmExtranet FarmInternal UsersOne way AD TrustScenario 2: One-way AD TrustInternal users granted access with AD TrustRequires potentially undesirable firewallholes

18. FirewallDB Cluster APP[01-02]FirewallDC[01-02]WFE[01-02] DMZWFE[01,02]DMZDB ClusterDMZAPP01DMZDC[01,02]Internal FarmExtranet FarmInternal UsersADFS 2.0ADFS[01,02]Scenario 3: ADFS 2.0Internal users granted access via ADFS 2.0Most secure multiple farm extranet witheasy internal user access

19. More on ADFS 2.0Source:Claims-based Identity Second Edition

20. Case Studies

21. MyGov.je Online Citizen Services Portal Jobs, News, Planning Applications SharePoint 2010 front-end CRM 2011 back-end Web services with X.509 certs SharePoint STS with custom Membershipprovider

22. Systems Integration Payment Gateway JD Edwards Licar (Driving License system) Planning (Northgate)

23. MyGov TopologyFirewallDB ClusterAPP01FirewallDCs[01 02]WFEs[01 03]DMZWFEs[01 04]DMZDB ClusterDMZAPP01DMZDCs[01-02]Internal NetworkExtranet FarmInternal UsersCRM[01,02]JD EdwardsDVSPlanning

24. MyGov Sequence DiagramUserWFE /STSCRMAnon RequestCreate SAML tokenLoginCheck credentialsSuccessAugment Claim with CRM IdentityFedAuth CookieFedAuth Cookie

25. MYGOV CITIZEN PORTALClaims-based authentication with back-end Microsoft DynamicsCRM integration

26. DVS Online Book driving test Re-use of Citizen Portal; different webapp SharePoint 2010 front-end CRM 2011 back-end Licar integration

27. DVS ONLINEClaims-based authentication with back-end Microsoft DynamicsCRM & Licar Driver licensing system

28. SharePoint 2013 Claims

29. SharePoint 2013 Claims First Classic authenticationdeprecated (PowerShell only) Distributed Cache! No more sticky sessions for FedAuth cookies! Improved Logging (ULS) Without Claims: No Apps! No OWAPP! (e.g. Search result preview) A lot of net new 2013 features use Claims..

30. Identities in SharePoint 2013 i:0#.f|membershipprovider|user i:0#.w|domainuser i:05.t|azure|email@domain.com i:05.t|facebook|gus@techblurt.com i:0i.t|ms.sp.ext|{guid}@{guid}

31. Upgrade / Migration Tips Upgrade Classic 2010 Farms to Claims in2010 BEFORE Upgrading to 2013 Upgrade WindowsPrincipal code toIClaimsPrincipal

32. Azure Acces Control ServicesIdentity Management in the Cloud

33. Azure Access Control Services Free! (since Nov 2012) Authentication, authorisation & integrationwith ID providers Manages Certs, Relying Parties, IDProviders

34. ACS ArchitectureSource: http://msdn.microsoft.com/en-us/library/windowsazure/gg185957.aspx

35. ACS Supported ID Providers WS-Fed, OpenID ADFS 2.0 Windows Live ID Facebook Google ID Yahoo

36. AZURE ACS, SHAREPOINT &FACEBOOK

37. Create Facebook App

38. Setup Azure ACS ID Provider

39. ACS ID Providers, Mappings &Certs

40. ACS Claims Mapping

41. Facebook App

42. Facebook Claims

43. References A Guide to Claims-Based Identity and Access Control,Second Edition http://www.microsoft.com/en-us/download/details.aspx?id=28362 Programming WIF http://shop.oreilly.com/product/9780735627185.do ACS Code Samples Index http://msdn.microsoft.com/en-us/library/gg185965.aspx

44. Bingo Prizes!

45. Thank you for attending!@gusfraseraf@c5.je#COM716