How to deploy SharePoint 2010 to external users?

1. How to deploy SharePoint to Extranet Users?
   Raphael Londner
   Silicon Valley SharePoint User Group, 02/10/2011

2. Who am I?
   © RL Soft 2011
   - SharePoint, .NET, SQL Server, AD... since 2001
   - Founder of RL Soft: www.rl-soft.com
   - Blog: www.rl-soft.com/en/blog
   - Twitter: @rlondner
   - www.youtube.com/xtrashare

3. Agenda
   - Definition and Scenarios
   - Extranet Network Topologies
   - Identity Management in SharePoint
   - Claims-Based Authentication
   - SharePoint 2010 Authentication Options
   - XtraShare for SharePoint Highlight

7. Extranet Design Considerations
   - Network Topologies
   - Identity Management

9. Edge Firewall Topology
   Pros:
   - Least amount of hardware, software and configuration
   - Single point of data
   Cons:
   - Single firewall between the corporate network and the Internet

10. Back-to-back Perimeter
   Pros:
   - Isolated extranet farm
   - External user access isolated to the perimeter network
   Cons:
   - Additional network infrastructure, hardware, software licenses...

11. Split-to-back Perimeter
   Pros:
   - Single SQL Server store; app servers (only) in the corporate network
   Cons:
   - Increased complexity (domain trusts...)

13. Terminology
   - Authentication: creates an identity for a security principal ("Who am I?")
   - Authorization: determines which resources a user has access to ("What can I access?")
   - SharePoint does not authenticate, but it does authorize
   - SharePoint creates user profiles (SPUser), stored in the User Information List at the site collection level

14. SharePoint 2001
   - Windows Server 2000 / IIS 5.0
   - ASP 3.0
   - Windows Authentication (Active Directory)

15. SharePoint 2003
   - Windows Server 2003 / IIS 6.0
   - ASP.NET 1.1 (2.0 with SP1)
   - Windows Authentication (Active Directory)

16. SharePoint 2007
   - Windows Server 2003/2008, IIS 6.0/7.0
   - ASP.NET 2.0
   - Windows Authentication (Active Directory)
   - Forms-Based Authentication (FBA): allows users to connect through a web form
     - ASP.NET 2.0 Membership Provider / Role Manager
     - Can authenticate users against "any" user store: Web SSO (ADFS), LDAP, SQL...
   - One authentication method per SharePoint zone

17. SharePoint 2010
   - Windows Server 2008/2008 R2, IIS 7.0/7.5
   - ASP.NET 3.5
   - Windows Authentication (AD)
   - Claims-Based Authentication (CBA), built on Windows Identity Foundation (WIF)
     - Multiple authentication methods per SharePoint zone (URL)
     - Standards-based (WS-Trust, SAML)
     - Automatic, secure identity delegation

19. What is Claims-Based Authentication? Your Applications Are Prisoners!
   [Diagram: Login.aspx and Page1.aspx are tied directly to credential stores, credential types / APIs and user attribute stores]

20. Identity in Real Life
   - Externalizes authentication
   - Gets user info from the document

21. Claims Can Set Your Applications Free
   [Diagram: the Identity Provider's STS issues a security token carrying claims, which the Relying Party consumes]

23. CBA Terminology
   - Identity: security principal used to configure the security policy
   - Claim (assertion): attribute of an identity (such as login name, first name, gender, age, etc.)
   - Issuer: trusted party that creates claims
   - Security Token: serialized set of claims (assertions) about an authenticated user
   - Issuing Authority: issues security tokens, knowing the claims desired by the target application (AD, ASP.NET, LiveID, etc.)
   - Security Token Service (STS): builds, signs and issues security tokens
   - Relying Party: application that makes authorization decisions based on claims

24. SharePoint 2007 vs. SharePoint 2010 – Identity Flow
   [Diagram. SharePoint 2007: Windows identity, or ASP.NET (FBA) membership & role providers; access control is Windows-integrated or roles-protected, plus anonymous access; services rely on trusted sub-systems. SharePoint 2010: SAML Web SSO, ASP.NET (FBA) and Windows all pass through WIF and the SP-STS to produce a claims-based identity; the web application, service applications and content database are claims-aware and claims-protected.]

25. Externalizing Authentication – Overview
   [Diagram: Fabrikam enterprise, Farm-A; users Jill and Frank; the SharePoint web applications trust the SharePoint-STS]
   1. Attempt access
   2. Redirect to the STS for authentication
      2.1 Authenticate user
      2.2 Augment claims (Windows claims)
   3. Post token {SP-Token}
      3.1 Extract claims and construct the IClaimsPrincipal

26. Externalizing Authentication – In Detail
   [Diagram: browser client, IIS / ASP.NET, web application and SharePoint-STS. Components: WS-Federation Authentication Module, Windows Authentication Module, WS-Federation Passive Serializer, Security Token Service, Session Authentication Module, Cookie Management. Steps 1 to 7 end with step 8: the session cookie.]

27. Claims-Based Authentication Process
   [Diagram]

29. Sign-In Methods
   Sign-in methods supported in SP 2010:
   - Classic: NT token -> Windows identity
   - Claims:
     - NT token -> Windows identity
     - SAML 1.1+: ADFS, custom, etc.
     - ASP.NET (FBA): SQL, LDAP, custom...
   Claims sign-ins go through a SAML token and a claims-based identity; every path ends in an SPUser.

30. Mixed-Mode Authentication
   Pros: automated authentication
   Cons: single URL per authentication provider

31. Mixed-Mode Scenario
   - Extranet zone: https://extranet.contoso.com, FBA claims, remote employees
   - Intranet zone: http://contoso, Windows claims, employees

32. Mixed-Mode: When to use it
   - Different protocols on different channels: intranet (HTTP), extranet (HTTPS)
   - Isolation of authentication providers: dedicate the extranet to partners only
   - Internet sites / publishing portal: authored by employees, consumed by customers

33. Multi-Mode Authentication
   Pros: single URL
   Cons: single prompt for the authentication type

34. Multi-Mode Scenario
   - https://Corporate.contoso.com, intranet zone
   - FBA claims, Windows claims and SAML claims on the same URL
   - Users: employees, vendors, partners

35. Multi-Mode: When to use it
   - Single experience for different classes of users (single URL experience)
   - Partner collaboration sites
   - Federation between two organizations

36. ASP.NET Providers
   Microsoft provides several OOTB providers: Active Directory, LDAP, ASP.NET SQL Database, ADFS (WebSSO). You can write your own too!
   Added in web.config files:
       <system.web>
         <membership>
           <providers>
             <add .../>
           </providers>
         </membership>
       </system.web>

37. Active Directory Membership Provider
       <add name="ADMembershipProvider"
            type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
            connectionStringName="ADConnection"
            connectionUsername="domain\account"
            connectionPassword="password"
            attributeMapUsername="SAMAccountName"/>
       <connectionStrings>
         <add name="ADConnection"
              connectionString="LDAP://DomainController.local/DC=DomainController,DC=local"/>
       </connectionStrings>
   Note: no role provider seems to be available...
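As an added illustration of the Relying Party role from the CBA terminology slide (example code, not from the deck or from XtraShare): a WIF helper that makes an authorization decision only from claims issued by the trusted SP-STS. The claim type and the issuer name are assumptions to be replaced with the values of the trusted provider you configured.

```csharp
using System;
using System.Collections.Generic;
using System.Threading;
using Microsoft.IdentityModel.Claims;   // WIF 1.0 on .NET 3.5, the stack SharePoint 2010 uses

// Added example: the relying party decides access from claims, not from a credential store.
public static class ClaimsAuthorization
{
    // Hypothetical claim type and issuer name (assumptions, not from the deck).
    public const string OrganizationClaimType = "http://schemas.example.org/claims/organization";
    public const string TrustedIssuer = "SharePoint";

    // Returns the values of one claim type, but only for claims issued by the trusted issuer.
    // A token can carry the same claim type from several issuers, so the issuer is checked
    // per claim rather than once per identity.
    public static IList<string> TrustedClaimValues(IClaimsPrincipal principal, string claimType)
    {
        var values = new List<string>();
        if (principal == null) return values;
        foreach (IClaimsIdentity identity in principal.Identities)
        {
            if (!identity.IsAuthenticated) continue;
            foreach (Claim claim in identity.Claims)
            {
                if (claim.ClaimType == claimType &&
                    string.Equals(claim.Issuer, TrustedIssuer, StringComparison.OrdinalIgnoreCase))
                {
                    values.Add(claim.Value);
                }
            }
        }
        return values;
    }

    // Authorization decision: may the caller see content owned by the given partner organization?
    public static bool CanAccessPartnerContent(IClaimsPrincipal principal, string organization)
    {
        foreach (string org in TrustedClaimValues(principal, OrganizationClaimType))
        {
            if (string.Equals(org, organization, StringComparison.OrdinalIgnoreCase)) return true;
        }
        return false;   // no trusted organization claim matches: deny by default
    }

    // Typical call site inside a SharePoint 2010 page or web part.
    public static bool CurrentUserCanAccess(string organization)
    {
        return CanAccessPartnerContent(Thread.CurrentPrincipal as IClaimsPrincipal, organization);
    }
}
```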
38. LDAP Membership Provider / Role Manager
       <!-- goes under <membership><providers>; "&" must be written as &amp; inside an XML attribute -->
       <add name="LDAPmembership"
            type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
            server="redmond.corp.microsoft.com"
            port="389"
            useSSL="false"
            userDNAttribute="distinguishedName"
            userNameAttribute="sAMAccountName"
            userContainer="OU=UserAccounts,DC=redmond,DC=corp,DC=microsoft,DC=com"
            userObjectClass="person"
            userFilter="(&amp;(ObjectClass=person))"
            scope="Subtree"
            otherRequiredUserAttributes="sn,givenname,cn" />
       <!-- goes under <roleManager><providers> -->
       <add name="LDAProlemanager"
            type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
            server="redmond.corp.microsoft.com"
            port="389"
            useSSL="false"
            groupContainer="DC=redmond,DC=corp,DC=microsoft,DC=com"
            groupNameAttribute="cn"
            groupNameAlternateSearchAttribute="samAccountName"
            groupMemberAttribute="member"
            userNameAttribute="sAMAccountName"
            dnAttribute="distinguishedName"
            groupFilter="(&amp;(ObjectClass=group))"
            userFilter="(&amp;(ObjectClass=person))"
            scope="Subtree" />
   Note: only available with MOSS 2007 or SP Server 2010 (not WSS 3.0 / SP Foundation 2010)
39. ASP.NET DB Membership Provider
       <add name="SQLmembership"
            type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
            connectionStringName="FBAConnectionStr"
            enablePasswordRetrieval="false"
            enablePasswordReset="true"
            requiresQuestionAndAnswer="true"
            passwordAttemptWindow="10"
            applicationName="/"
            requiresUniqueEmail="false"
            passwordFormat="Hashed" />
       <add name="SQLrolemanager"
            type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
            connectionStringName="FBAConnectionStr"
            applicationName="/" />
       <connectionStrings>
         <add name="FBAConnectionStr"
              connectionString="server=yourserver;database=aspnetdb;Trusted_Connection=True"
              providerName="" />
       </connectionStrings>

40. ADFS Membership Provider
       <add name="SingleSignOnMembershipProvider2"
            type="System.Web.Security.SingleSignOn.SingleSignOnMembershipProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
            fs="https://fs-server/adfs/fs/federationserverservice.asmx" />

41. Challenges in extranet scenarios
   - Graceful, branded login page
   - Ability to delegate user management to business users or external users
   - Self-service capability: password reminder, password reset, profile management
   - Registration forms: activation links, Captcha, etc.
   - Automated notifications
   - Account lockout mechanism
   - Identity confidentiality

42. Windows Claims in Extranet Scenarios
   Pros:
   - OOTB support in SharePoint
   - Security
   Cons:
   - Separate AD / network / farm for the extranet
   - Managed by IT (not business users)
   - No OOTB self-service capability
   - No OOTB user management delegation
   - Requires the ASP.NET AD Provider (or FIM 2010) to avoid the dreaded Basic Authentication prompt
43. FBA Claims in Extranet Scenarios
   Pros:
   - Lightweight footprint on infrastructure
   - Flexibility (development)
   Cons:
   - Many manual configuration steps: 3 web.config files to update... at least!
   - Hard to troubleshoot. Steve Peschka on the MS SharePoint blog: "Admittedly, there are many steps involved in configuring multiple authentication providers for SharePoint"
   - No OOTB full name resolution
   - No self-service capability / delegated administration...

44. Trusted Provider Claims in Extranet Scenarios
   Pros:
   - Easier configuration
   - Reusability (across other applications)
   - It's the future of authentication: OpenID / OAuth...
   Cons:
   - New technology, scarce skilled resources
   - Development complexity

45. Extranet Best Practices
   Branded sites:
   - Use an anonymous top-level site collection with a custom login web part
   - Secure content in sub-sites or, even better, in separate site collections
   User multi-tenancy:
   - Do NOT use sub-sites: the User Information List lives at the site collection level and is always available in the People Picker control for ALL users
   - Use one site collection per external organization
   - Implement a filtering mechanism in the People Picker control:
     - For AD: the peoplepicker-searchadcustomquery property (stsadm -o setproperty -pn peoplepicker-searchadcustomquery)
     - For an ASP.NET Membership Provider: custom filtering in its Find...() methods

47. Setting up a SharePoint Extranet is complex...

48. ...but XtraShare delivers SharePoint Extranets for the Masses!

49. XtraShare for SharePoint
   A fully-packaged, tightly integrated extranet enablement solution for companies of all sizes
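The multi-tenancy best practice above (one site collection per external organization, custom filtering in the provider's Find...() methods) as an added example that is neither XtraShare nor Microsoft code: a SqlMembershipProvider subclass that hides other organizations' accounts from the People Picker. It assumes FBA login names are prefixed with the organization ("fabrikam:frank") and that each organization's site collection lives at /sites/<organization>.

```csharp
using System;
using System.Web.Security;
using Microsoft.SharePoint;

// Added example (not XtraShare code): an FBA membership provider that only exposes the
// accounts of the external organization owning the current site collection.
// Assumptions: login names are "<org>:<login>" and each org's site collection is /sites/<org>.
public class TenantFilteredSqlMembershipProvider : SqlMembershipProvider
{
    // Tenant derived from the site collection URL (/sites/fabrikam -> "fabrikam"); null if unknown.
    private static string CurrentTenant()
    {
        SPContext ctx = SPContext.Current;
        if (ctx == null || ctx.Site == null) return null;
        string[] parts = ctx.Site.ServerRelativeUrl.Trim('/').Split('/');
        bool underSites = parts.Length == 2 && parts[0].Equals("sites", StringComparison.OrdinalIgnoreCase);
        return underSites ? parts[1].ToLowerInvariant() : null;
    }
    // A user belongs to the tenant when the login prefix matches. Unknown tenant (no site
    // context, e.g. Central Administration) fails closed: nothing is returned.
    private static bool InTenant(MembershipUser user, string tenant)
    {
        return tenant != null && user != null &&
               user.UserName.StartsWith(tenant + ":", StringComparison.OrdinalIgnoreCase);
    }
    // Applies the tenant filter to a base result set and recomputes the record count.
    private static MembershipUserCollection Filter(MembershipUserCollection users, out int total)
    {
        var kept = new MembershipUserCollection();
        string tenant = CurrentTenant();
        foreach (MembershipUser user in users)
            if (InTenant(user, tenant)) kept.Add(user);
        total = kept.Count;
        return kept;
    }
    // The two search methods the People Picker drives for an FBA provider.
    public override MembershipUserCollection FindUsersByName(string usernameToMatch, int pageIndex, int pageSize, out int totalRecords)
    {
        int unfiltered;
        return Filter(base.FindUsersByName(usernameToMatch, pageIndex, pageSize, out unfiltered), out totalRecords);
    }
    public override MembershipUserCollection FindUsersByEmail(string emailToMatch, int pageIndex, int pageSize, out int totalRecords)
    {
        int unfiltered;
        return Filter(base.FindUsersByEmail(emailToMatch, pageIndex, pageSize, out unfiltered), out totalRecords);
    }
    // ValidateUser and GetUser are deliberately left unfiltered: the SP-STS calls them during
    // login, outside any site collection context, and filtering there would break sign-in.
}
```

Register this type as the FBA membership provider in the same <membership><providers> section shown on the ASP.NET Providers slide, in every web.config the deck says must carry the provider (web application, Central Administration, STS). Because filtering happens after the base query, a page of results can come back smaller than pageSize; widen pageSize if the picker paginates.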
75. Deciphering the XtraShare "Magic": Inside the XtraShare Installer
   - Installation of 3 SharePoint solutions: Administration, End-User Web Parts, Site Templates
   - Deployment of membership / role providers to the GAC
   - Creation of the Administration Site
   - Central Administration CBA readiness: web.config modifications to support membership / role providers
   - SiteMap update of Central Administration: modification of admin.sitemap for easy navigation
   - Resource files deployment: deployed to the CA App_GlobalResources folder

76. Partner Opportunities: How to customize XtraShare
   - Object Model / Web Service to interact with the XtraShare objects (users / groups...)
   - Full source code of the Web Parts provided upon request
   - Extensible event trigger mechanism, useful to implement registration workflows

77. Thanks to...
   - Brian Culver's Extranet presentation: http://www.slideshare.net/bculver/sharepoint-2010-extranets-and-authentication-how-will-sharepoint-2010-connect-you-to-your-partners
   - SharePoint 2010 Unleashed (by Michael Noel): http://www.amazon.com/Microsoft-SharePoint-2010-Unleashed-Michael/dp/0672333252
   - Windows Identity Foundation Training Kit: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=c3e315fa-94e2-4028-99cb-904369f177c0
   - Extranet Topologies for SharePoint 2010: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=EB4BFF25-BABA-4112-B518-F2FC442D5467

78. References
   - An Introduction to Claims: http://msdn.microsoft.com/en-us/library/ff359101.aspx
   - Windows Identity Foundation: http://msdn.microsoft.com/en-us/security/aa570351.aspx
   - Plan authentication methods (SP 2010): http://technet.microsoft.com/en-us/library/cc262350.aspx
79. If you want to know more...
   Contact us at info@rl-soft.com
   Download and evaluate XtraShare at http://www.rl-soft.com

Editor's Notes
   Authentication = the mechanism whereby systems may securely identify their users.
   Authorization = the mechanism by which a system determines what level of access a particular authenticated user should have to secured resources controlled by the system.