T28: Implementing ADFS and Hybrid SharePoint
Transcript of T28: Implementing ADFS and Hybrid SharePoint
Thorbjørn Værp
About me
Thorbjørn Værp
Principal Consultant, Puzzlepart
Kristiansand, Norway
www.Sharepoint13.net | @vaerpn
Celebrating 21 years IT-pro, 11 of them in SP
MCT | XVC
#ESPC14
Agenda
• History
• Claims-based authentication
• ADFS & SharePoint 2013
HISTORY
Lingo
A Web service is a method of communication between two electronic devices over a network. It is a software function provided at a network address over the web, with the service always on, as in the concept of utility computing.
OpenID: an open standard for authentication. Similar architecture to WS-*. OpenID authentication is used by PayPal, Google, VeriSign, Twitter and others.
OAuth: an open standard for authorization. A method for clients to access server resources on behalf of a resource owner. OAuth has no signing or encryption (it relies only on SSL for opacity). Wide adoption: Facebook, Microsoft. Two versions, 1.0 and 2.0, with no backwards compatibility.
Traditional authentication mechanisms
• Anonymous
• Basic
• NTLM / Kerberos (WIA)
• Forms based AuthN
Cannot traverse firewalls or proxies!!!
The problem with authentication
• Current technologies do not work well on the Internet (NTLM, Kerberos etc.)
  – Basic is the only authentication mechanism that was part of HTTP (1.0); all the others are bolted on
• Several and different user stores (AD, LDAP, eDir)
• Relies on your particular platform
• Authentication had to be handled and understood by the developers, whose time is better spent developing the application
• Each new authentication scheme required changing the code
Claims-based identity
What is claims-based identity?
• Abstraction layer (indirection)
• A claim is an authoritative statement about a subject made by an entity
• A claim can be anything (not just security information) that can be associated with a subject
  – Name | Age | Group membership | Role
• A claim is always associated with the entity that issued it
• There are several claim standards
• Claims are stored and transmitted in security tokens
  – XML or binary fragments constructed according to some security standard
  – Digitally signed
• There are several token formats: SAML (Security Assertion Markup Language), JWT (JSON Web Token), SWT (Simple Web Token)
• Claims-based identity requires a trust model
  – Usually implemented with digital certificates
Claims in SharePoint 2013
3 types of claim providers:
• Windows
• Trusted Provider (SAML)
• Forms Based AuthN
Multiple AuthN providers possible in the same zone; classic mode only via PowerShell.
• SP 2013 has its own STS implementation
• The SP 2013 Federation Metadata is in JSON, not XML
• Both classic authentication mode (WIA) and claims mode (WIA/FBA/SAML) are supported, but claims is the default
• In claims mode every form of AuthN is transformed to a SAML token
SAML-based Claims in SP2013
Authentication process
ADFS & SharePoint 2013
Grocery list
• 4 public certificates (e.g. RapidSSL)
  • Fs3.vaerpn.com
  • Sp.vaerpn.com
  • Tokensign.vaerpn.com
  • Decrypt.vaerpn.com
• Reverse proxy (WEP, F5, Netscaler, Azure Endpoints, ...)
• Update public DNS
• Update internal DNS
• ADFS server, one or more
• SharePoint 2013
Step by Step: The Environment
• We got AD with a routable domain (vaerpn.com), externally registered
• Enterprise Admin access to AD DS & an available admin e-mail
• SP 2013 with SQL Server
• Firewall/Reverse Proxy or Azure
• One or more Win2012 R2 domain-joined servers to add the ADFS 3.0 role
What to do:
1. Get those certificates
2. Add ADFS role
3. Configure ADFS & certificates
4. Configure claim rule
5. Add Relying Party identifier
6. Create & connect SP Trusted Identity Provider
Certificates ToDo
1. Get those certificates
Copy this certificate to the ADFS server
Do this on the ADFS server
Repeat until you have 4 certificates:
• adfs.vaerpn.com -> for ADFS service
• signing.vaerpn.com -> for token signing
• decrypt.vaerpn.com -> for decrypt (not used by SP but a prerequisite)
• sp.vaerpn.com -> for SSL on SharePoint web app (one per web app)
Install ADFS
2. Add ADFS Role
Configure ADFS
3. Configure ADFS
3. Test ADFS
Add Decrypting and signing certificates
Configure Claim Rule
4. Configure Claim Rule
Add Relying Party Identifier
5. Add Relying Party Identifier
Export the token signing certificate
• Copy this to the SharePoint WFE
Create & Connect SP Trusted Identity Provider
Do this on the SP WFE server
6. Create & Connect SP Trusted Identity Provider
-> Run this
-> Check this
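Steps 4 to 6 of the walkthrough as PowerShell, an added example rather than the presenter's demo script: the first half runs on the ADFS 3.0 server (claim rule and relying party trust), the second in the SharePoint 2013 Management Shell on the WFE (trusted identity provider). It assumes the deck's hostnames (fs3.vaerpn.com, sp.vaerpn.com), a made-up realm urn:sharepoint:vaerpn and a placeholder path for the exported token-signing certificate.

```powershell
# Added example (not from the deck). Hostnames come from the grocery list; the realm
# and certificate path are placeholders to replace with your own.
$realm = "urn:sharepoint:vaerpn"

# ---- ADFS 3.0 server: step 4 (claim rule) and step 5 (relying party trust) ----
# Issuance transform rule: from the Windows account name, query AD for the mail
# attribute and group names and issue them as e-mail and role claims.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "AD attributes to SharePoint"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"),
          query = ";mail,tokenGroups;{0}", param = c.Value);
'@
# Authorization rule: permit every authenticated user; SharePoint authorizes per site.
$authzRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

Add-AdfsRelyingPartyTrust -Name "SharePoint 2013" -Identifier $realm `
    -WSFedEndpoint "https://sp.vaerpn.com/_trust/" `
    -IssuanceTransformRules $transformRules -IssuanceAuthorizationRules $authzRules

# ---- SharePoint WFE (SharePoint 2013 Management Shell): step 6 ----
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Public part of the ADFS token-signing certificate, exported and copied to the WFE.
$certPath = "C:\certs\tokensign.cer"   # placeholder path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
New-SPTrustedRootAuthority -Name "ADFS token signing" -Certificate $cert

# Map the incoming SAML claim types; e-mail is the identifier claim users are keyed on.
$email = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$role = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
    -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

$ap = New-SPTrustedIdentityTokenIssuer -Name "ADFS" -Description "fs3.vaerpn.com" `
    -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $email,$role `
    -SignInUrl "https://fs3.vaerpn.com/adfs/ls" -IdentifierClaim $email.InputClaimType

# Enable it on the web application zone next to Windows auth (two providers, one zone).
$win = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
$trusted = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $ap
Set-SPWebApplication -Identity "https://sp.vaerpn.com" -Zone Default -AuthenticationProvider $win,$trusted

# -> Check this: the trust should show the identifier claim and the signing certificate.
Get-SPTrustedIdentityTokenIssuer "ADFS" | Select-Object Name, IdentifierClaim, SigningCertificate
```

The realm passed to New-SPTrustedIdentityTokenIssuer must match the identifier given to Add-AdfsRelyingPartyTrust exactly, otherwise ADFS rejects the sign-in request.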
Demo: Walk around & Customize
Wrap Up
History: WS-*, OpenID, OAuth. David Wheeler: "All problems in computer science can be solved by another level of indirection."
Claims: A claim is an authoritative statement about a subject made by an entity. In claims mode every form of AuthN is transformed to a SAML token.
ADFS & SharePoint 2013: ADFS 3.0 has no IIS. Always use public certificates, plan stuff, must use PowerShell.
Q&A
Thank You!
@vaerpn | #ESPC14