Post on 08-Jun-2015
Implementing ADFS and Hybrid SharePoint
#spsoslo | Thorbjørn Værp | May 31st, 2014
Thanks to our Sponsors!
About me
Thorbjørn Værp, Principal Consultant & Regional Manager, Puzzlepart, Kristiansand, Norway
www.Sharepoint13.net | @vaerpn
Celebrating 21 years as an IT pro, 11 of them in SP. MCT | XVC
Agenda
• History
• Claims-based authentication
• ADFS & SharePoint 2013
HISTORY
Lingo
OpenID
• An open standard for authentication
• Similar architecture to WS-*
• OpenID authentication used by PayPal, Google, VeriSign, Twitter +
OAuth
• An open standard for authorization
• Method for clients to access server resources on behalf of a resource owner
• OAuth has no signing or encryption (it relies only on SSL for opacity)
• Wide adoption: Facebook, Twitter, Microsoft, DropBox, Amazon, Instagram, Google
• Two versions, 1.0 & 2.0, no backwards compatibility.
Traditional authentication mechanisms
• Anonymous
• Basic
• NTLM / Kerberos (WIA)
• Forms based AuthN
Cannot traverse firewalls or proxies!!!
The problem with authentication
• Current technologies do not work well on the Internet (NTLM, Kerberos etc.)
• Several and different user stores (AD, LDAP, eDir)
• Relies on your particular platform
• Authentication had to be handled and understood by the developers (whose time is better spent developing the application)
• Each new authentication scheme required changing the code
Claims-based identity
What is claims-based identity?
• Abstraction layer (indirection)
• A claim is an authoritative statement about a subject made by an entity
• A claim can be anything (not just security information) that can be associated with a subject: Name | Age | Group membership | Role
• A claim is always associated with the entity that issued it
• There are several claim standards
• Claims are stored and transmitted in security tokens
Diagram: Subject, Claims, Issuer / Security Token Service
Claims in SharePoint 2013
3 types of claim providers:
• Windows
• Trusted Provider (SAML)
• Forms Based AuthN
• Multiple AuthN providers possible in the same zone
• Classic mode only via PowerShell
Claims in SharePoint 2013
• SP 2013 has its own STS implementation
• The SP 2013 Federation Metadata is in JSON, not XML
• Both Classic authentication mode (WIA) and claims mode (WIA/FBA/SAML) are supported, but claims is the default
• In claims mode every form of AuthN is transformed to a SAML token
SAML-based Claims in SP2013
Authentication process (diagram)
ADFS & SharePoint 2013
Grocery list
• 4 Public Certificates + (e.g. RapidSSL)
  • fs3.vaerpn.com
  • sp.vaerpn.com
  • tokensign.vaerpn.com
  • decrypt.vaerpn.com
• Reverse proxy (WEP, F5, Netscaler, Azure Endpoints, ...)
• Update public DNS
• Update internal DNS
• ADFS server, one or more
• SharePoint 2013
Step by Step
The Environment
• We got AD with a routable domain | vaerpn.com, externally registered.
• Enterprise Admin access to AD DS & available admin e-mail
• SP 2013 with SQL server
• Firewall/Reverse Proxy or Azure
• One or more Win2012 R2 domain joined servers to add the ADFS 3.0 Role
What to do:
1. Get those Certificates
2. Add ADFS Role
3. Configure ADFS & Certificates
4. Configure Claim Rule
5. Add Relying Party Identifier
6. Create & Connect SP Trusted Identity Provider
Certificates ToDo
1. Get those Certificates
Copy this Certificate to the ADFS server.
Do this on the ADFS server.
Repeat until you have at minimum 4 certificates:
• adfs.vaerpn.com -> for ADFS service
• signing.vaerpn.com -> for token signing
• decrypt.vaerpn.com -> for decrypt (not used by SP but a prerequisite)
• sp.vaerpn.com -> for SSL on SharePoint web app (one per web app)
Install ADFS
2. Add ADFS Role
Configure ADFS
3. Configure ADFS
3. Test ADFS
Configure ClaimRule
4. Configure Claim Rule
Add Relying Party Identifier
5. Add Relying Party Identifier
Export the Token signing certificate
• Copy this to the SharePoint WFE
Create & Connect SP trusted Identity Provider
Do this on the SP WFE server.
6. Create & Connect SP trusted Identity Provider
-> Run this -> Check this
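As an added example (not the slides' own script), the PowerShell that carries out steps 4 to 6: the ADFS claim rule and relying party trust on the ADFS server, then the SharePoint trusted identity provider on the WFE that consumes the exported token-signing certificate. Host names are the deck's; the realm urn:sharepoint:sp, the certificate path and the choice of e-mail and role claims are assumptions.

```powershell
# Added example (not from the slides): PowerShell for steps 4-6 of the deck.
# Assumed: ADFS farm fs3.vaerpn.com, SharePoint web app sp.vaerpn.com,
# relying party identifier/realm urn:sharepoint:sp, exported cert path.

# ---- On the ADFS server (steps 4 and 5) ----
$realm = "urn:sharepoint:sp"   # must match -Realm on the SharePoint side below

# Step 4: claim rule (ADFS claim rule language). Looks up the authenticated
# account in AD and issues e-mail and role (tokenGroups) claims to SharePoint.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "AD mail and groups to SharePoint"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";mail,tokenGroups;{0}", param = c.Value);
'@
# Issuance authorization rule: permit every authenticated user to get a token.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Step 5: relying party trust. The identifier is what SharePoint sends as its
# realm; the WS-Federation endpoint is the web app's /_trust/ URL.
Add-AdfsRelyingPartyTrust -Name "SharePoint 2013 (sp.vaerpn.com)" `
    -Identifier $realm `
    -WSFedEndpoint "https://sp.vaerpn.com/_trust/" `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# ---- On the SharePoint WFE (step 6), in the SharePoint Management Shell ----
# Token-signing certificate exported from ADFS and copied over (path is assumed).
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\certs\tokensign.cer")
New-SPTrustedRootAuthority -Name "ADFS token signing" -Certificate $cert

# Map the incoming claim types to SharePoint claims; e-mail is the identity claim.
$email = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$role = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
    -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

New-SPTrustedIdentityTokenIssuer -Name "ADFS" -Description "ADFS 3.0 on fs3.vaerpn.com" `
    -Realm "urn:sharepoint:sp" -ImportTrustCertificate $cert `
    -ClaimsMappings $email, $role `
    -SignInUrl "https://fs3.vaerpn.com/adfs/ls" `
    -IdentifierClaim $email.InputClaimType

# "Check this": realm and sign-in URL must match what ADFS expects (step 5).
Get-SPTrustedIdentityTokenIssuer -Identity "ADFS" | Select-Object Name, DefaultProviderRealm, ProviderUri
```

After this the provider appears under the web application's authentication providers in Central Administration, where it still has to be enabled on the zone that serves sp.vaerpn.com.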
Demo: Walk around & Customize
Wrap Up
History: WS-*, OpenID, OAuth. David Wheeler: "All problems in computer science can be solved by another level of indirection."
Claims-based Identity: A claim is an authoritative statement about a subject made by an entity. In claims mode every form of AuthN is transformed to a SAML token.
ADFS & SharePoint 2013: ADFS 3.0, no IIS. Always use public certificates, plan stuff, must use PowerShell.
Q&A
Thank You!
@vaerpn #spsoslo