Slide 1. SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connect you to your partners?
Brian Culver, MCM, MCPD, Solutions Architect, Expert Point Solutions. 3/23/2010

Slide 2. Session Agenda
  - Extranet definition
  - Common extranet scenarios
  - Extranet design considerations and challenges
  - Claims-based authentication and other authentication scenarios
  - Mixed mode vs. multi-authentication

Slides 3-5. Extranet: Definition and Common Scenarios
  An extranet is a web application that is shared with external users, such as partners, vendors, and customers. Common attributes of an extranet:
  - Shares a private or secured network
  - Requires authenticated access, but the identity of the consumer is not always known
  - Has better security controls than an Internet web application but is usually less secure than the intranet web application
  Common extranet scenarios:
  - Line-of-business applications
  - Collaboration
  - Static content or publishing
  What they have in common:
  - Isolate and segregate internal data
  - Authorize users to use only the sites and data that are necessary for their contributions
  - Restrict partners from viewing other partners' data
  - Target content: segment content and limit content access and search results based on audience
  Audiences: remote employees, partners, vendors and customers

Slide 6. Extranet Design Considerations and Challenges
  - Network topology and access
  - Identity management
  - Seamless single sign-on experience
  - Content security and access
  - Antivirus (client and server)
  - Rich client experience (Office integration)

Slide 7. Edge Firewall Topology
  A single firewall separates the Internet from the corporate network. The whole SharePoint farm sits on the corporate network and serves both external and internal users through that firewall.

Slide 8. Back-to-Back Perimeter Topology
  Two firewalls create a perimeter network between the Internet and the corporate network. The web front ends, application servers and infrastructure servers all sit in the perimeter network, serving external users from the Internet and internal users from the corporate network.

Slide 9. Split Back-to-Back Topology
  Two firewalls and a perimeter network, but the farm is split: the web front ends, with some application and infrastructure servers, sit in the perimeter network, while the remaining application and infrastructure servers stay on the corporate network.

Slide 10. Security Terms
  - Authentication is the mechanism whereby a system securely identifies its users. It creates an identity for a security principal and answers "Who am I?"
  - Authorization is the mechanism by which a system determines what level of access a particular authenticated user should have to the secured resources it controls. It determines which resources an identity can reach and answers "What can I access?"

Slide 11. SharePoint Authentication
  SharePoint itself does not authenticate; it relies on:
  - Windows authentication via Windows Server and IIS (Kerberos/NTLM)
  - Forms-based authentication (FBA) via ASP.NET and its authentication providers (SQL, LDAP, etc.)
  - Web SSO via Active Directory Federation Services (AD FS) and other identity management systems
  SharePoint creates user profiles:
  - The SPUser object represents the security principal
  - The User Information List in each site collection tracks the users known to that site collection

Slide 12. SharePoint 2010 Security
  SharePoint 2010 changes authentication: it offers classic mode and claims-based authentication.
  - Classic mode is the SharePoint 2007-style legacy mode (Windows authentication only)
  - Claims-based authentication is the new security model
  What are the benefits of claims?
  - Decouples SharePoint from the authentication provider
  - Allows SharePoint to support multiple authentication providers per URL
  - Identities can be passed to other services without Kerberos delegation
  - Allows federation between organizations
  - ACLs can be configured with distribution lists, audiences and OUs

Slide 13. Identity Normalization
  Classic mode: NT token -> Windows identity -> SPUser.
  Claims mode: every incoming identity is normalized into a SAML token and a claims-based identity before it becomes an SPUser:
  - NT token (Windows identity)
  - SAML 1.1+ token (AD FS, etc.)
  - ASP.NET FBA (SQL, LDAP, custom providers)

Slide 14. Claims-Based Terminology
  - Identity: the security principal used to configure the security policy
  - Claim (assertion): an attribute of an identity (such as login name, AD group, etc.)
  - Issuer: the trusted party that creates claims
  - Security token: a serialized set of claims (assertions) about an authenticated user
  - Issuing authority: issues security tokens, knowing the claims desired by the target application (AD, ASP.NET, Live ID, etc.)
  - Security Token Service (STS): builds, signs and issues security tokens
  - Relying party: the application that makes authorization decisions based on claims

Slide 15. Claims-Based Authentication
  (Flow diagram; the sequence is described in the speaker notes for slide 15.)

Slide 16. Mixed Mode Authentication vs. Multi-Authentication

Slide 17. Authentication Scenarios: Mixed Mode
  One web application extended into two zones, each with its own URL and its own provider:
  - Intranet zone, http://contoso, Windows claims, used by employees
  - Extranet zone, https://extranet.contoso.com, FBA claims, used by remote employees

Slide 18. Authentication Scenarios: Mixed Mode, When to Use It
  - Different scheme for different protocols: intranet over HTTP, extranet over HTTPS
  - Protecting access from different channels: preventing employees from logging in from home except the Sales division; dedicating the extranet to vendors only
  - Preferred choice for solutions that require separate environments, e.g. a publishing portal authored by employees and consumed by customers

Slide 19. Authentication Scenarios: Multi-Authentication
  One web application, one zone, one URL (https://Corporate.contoso.com), several providers on the same zone:
  - FBA claims, Windows claims and SAML claims
  - Serving employees, vendors and partners

Slide 20. Authentication Scenarios: Multi-Authentication, When to Use It
  - Same experience for different classes of users: a single URL
  - Same experience for the same users no matter where they access content from (à la Outlook Web Access)
  - Preferred choice for cross-company collaboration solutions

Slide 21. SharePoint 2010 Beta 2
  Supported at Beta 2:
  - Windows (classic)
  - FBA (claims)
  - Anonymous
  - FBA (claims) + Anonymous
  Not ready for deployment at Beta 2:
  - Windows (claims)
  - SAML (claims)
  - Windows (claims) + FBA (claims)

Slide 22. Questions

Slide 23. Learn More about SharePoint 2010
  - Information for IT pros at TechNet: http://MSSharePointITPro.com
  - Information for developers at MSDN: http://MSSharePointDeveloper.com
  - Information for everyone: http://SharePoint.Microsoft.com

Slide 24. SharePint Anyone?
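The two scenarios above differ only in how the claims providers are attached to the web application: multi-authentication puts several providers on one zone, mixed mode extends the web application into a second zone with its own URL and provider. The following SharePoint 2010 Management Shell script, an added example that is not part of the deck, builds both and then lists what answers on every zone. Every name, URL, account and certificate path is an assumption; the Windows + FBA + SAML combination on one zone requires the RTM release (the Beta 2 slide that follows lists it as not yet ready).

```powershell
# Added example (not from the deck): the SharePoint 2010 Management Shell commands that build the
# scenarios on slides 17-20. All names, URLs, accounts and the certificate path are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$pool = Get-SPManagedAccount 'CONTOSO\spAppPool'

# Claims providers are independent of any web application, so the same objects serve both scenarios.
$win = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
# FBA: the provider names must match the <membership>/<roleManager> entries added to web.config of the
# web application, of Central Administration and of the SecurityTokenServiceApplication; if they do not,
# sign-in and the people picker fail.
$fba = New-SPAuthenticationProvider -ASPNETMembershipProvider 'VendorMembership' -ASPNETRoleProviderName 'VendorRoles'
# SAML: trust the partner's AD FS token-signing certificate, map only the claim types SharePoint should
# keep, and choose the identifier claim that becomes the SPUser login name.
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2('C:\certs\partner-adfs-signing.cer')
$email = New-SPClaimTypeMapping -IncomingClaimType 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' -IncomingClaimTypeDisplayName 'EmailAddress' -SameAsIncoming
$role  = New-SPClaimTypeMapping -IncomingClaimType 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role' -IncomingClaimTypeDisplayName 'Role' -SameAsIncoming
$issuer = New-SPTrustedIdentityTokenIssuer -Name 'Partner AD FS' -Description 'Partner federation' `
    -Realm 'urn:sharepoint:corporate' -ImportTrustCertificate $cert -ClaimsMappings $email,$role `
    -SignInUrl 'https://adfs.partner.com/adfs/ls/' -IdentifierClaim $email.InputClaimType
$saml = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $issuer

# Multi-authentication (slides 19-20): one web application, one zone, one URL, three providers.
New-SPWebApplication -Name 'Corporate' -Url 'https://Corporate.contoso.com' -Port 443 -SecureSocketsLayer `
    -HostHeader 'Corporate.contoso.com' -ApplicationPool 'CorporateAppPool' -ApplicationPoolAccount $pool `
    -AuthenticationProvider $win,$fba,$saml | Out-Null

# Mixed mode (slides 17-18): one web application, extended to a second zone with its own URL and provider.
$portal = New-SPWebApplication -Name 'Contoso Portal' -Url 'http://contoso' -Port 80 -HostHeader 'contoso' `
    -ApplicationPool 'ContosoAppPool' -ApplicationPoolAccount $pool -AuthenticationProvider $win
New-SPWebApplicationExtension -Identity $portal -Name 'Contoso Extranet' -Zone Extranet `
    -Url 'https://extranet.contoso.com' -Port 443 -HostHeader 'extranet.contoso.com' -SecureSocketsLayer `
    -AuthenticationProvider $fba | Out-Null

# Check the result: which providers answer on which zone and URL, and whether anonymous access is on.
# A Windows provider on the extranet zone or anonymous access on the intranet zone is an exposure.
foreach ($app in Get-SPWebApplication) {
    foreach ($zone in $app.IisSettings.Keys) {
        $settings  = $app.IisSettings[$zone]
        $providers = ($settings.ClaimsAuthenticationProviders | ForEach-Object { $_.DisplayName }) -join ', '
        '{0,-16} {1,-9} {2,-34} anon={3,-5} {4}' -f $app.DisplayName, $zone, $app.GetResponseUri($zone), $settings.AllowAnonymous, $providers
    }
}
```

Run it as a farm administrator in the SharePoint 2010 Management Shell on a farm server. The web.config edits for the FBA membership and role providers are not part of the script and must be in place on every server before users of the 'VendorMembership' provider can sign in.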


Slide 25. Sources and Links
  - Geneva Framework: A Better Approach for Building Claims-Based WCF Services: http://msdn.microsoft.com/en-us/magazine/dd278426.aspx
  - An Introduction to Claims: http://msdn.microsoft.com/en-us/library/ff359101.aspx
  - Microsoft SharePoint Conference 2009: http://www.mssharepointconference.com/Pages/default.aspx
  - Identity Management: http://msdn.microsoft.com/en-us/security/aa570351.aspx

Editor's Notes

  • #3: So today we are going to define an extranet and cover …
  • #6: Let's look at three common network topologies …
  • #11: Authentication returns the security principal in HttpContext.User; IIS does the authenticating. FBA requires authentication providers that implement the ASP.NET MembershipProvider interface. Web SSO requires authentication providers that implement the MembershipProvider interface plus an HttpModule for the Web SSO provider.
    Membership provider methods SharePoint calls: GetUser(string), GetUserNameByEmail, FindUsersByEmail, FindUsersByName.
    Role provider methods: RoleExists, GetRolesForUser, GetAllRoles.
    Web SSO HttpModule: AuthenticateRequest uses the user's authentication cookie to set HttpContext.User to the security principal; EndRequest catches the 401 responses from WSS and turns them into a 302 redirect to the Web SSO logon server for authentication.
  • #13: Classic: Windows native (NTLM, Kerberos); SharePoint consumes the NT token into an SPUser. Claims: Windows (NTLM, Kerberos), FBA (LDAP, ASP.NET/SQL), SAML (AD FS, WS-Trust, WS-Federation). Claims authentication for Microsoft SharePoint Server 2010 is built on Windows Identity Foundation (WIF), a set of .NET Framework classes used to implement claims-based identity.
  • #15: The client is a web browser. 1) The client makes a web request (HTTP GET). 2) SharePoint responds with HTTP 401 (Unauthorized), which is turned into a 302 redirect to the sign-in URL. 3) The authentication request is submitted to, and processed by, the local STS or another SAML-compliant identity provider, such as Live ID. 4) The identity provider validates the identity and returns a security token (NT token or SAML token). 5) Does SharePoint trust the token? The SharePoint STS (the relying party) finds the policy for the requesting web application in the policy store and creates a token for the requesting user using identity assertion values from the attribute store; this is token augmentation, where SharePoint adds its own claims. 6) A valid security token (a new SharePoint SAML token) is returned to the user and then submitted to the web application. 7) The browser requests the SharePoint resource with the SharePoint security token, and the SAML token is converted into an SPUser. Note that there are two different tokens: one from the identity provider and another from SharePoint.
  • #16: Mixed mode authentication (as in MOSS 2007): a single SharePoint web application, extended into additional IIS applications with different URLs and authentication settings. Multi-authentication: a single SharePoint web application (one zone) with more than one authentication provider.
  • #18: Different scheme for different protocols; protecting access from different channels; anonymous web sites.
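The sign-in sequence in the notes for slides 11 and 15 (401 turned into a 302, a token from the identity provider, validation and augmentation by the SharePoint STS, a second SharePoint-issued token, conversion to an SPUser) is easier to reason about as running code. The following stand-alone PowerShell simulation is an added example, not part of the deck and not SharePoint's own code: tokens are hashtables signed with HMAC-SHA256 as a stand-in for the X.509-signed SAML 1.1 tokens AD FS and SharePoint exchange, and every URL, key, claim value and the exact set of augmented claims is constructed for the example. It also runs the cases a tester tries against a relying party: a token minted for another realm, a forged signature, a role claim changed after issuance, and the identity provider's token presented directly to the web application.

```powershell
# Added example (not from the deck): simulation of the claims sign-in flow from the notes for
# slides 11 and 15. HMAC-SHA256 over a canonical claim list stands in for XML signatures;
# all names, keys, URLs and the augmented claim set are constructed for the example.

function Get-TokenSignature([hashtable]$Claims, [byte[]]$Key) {
    # Canonical form (sorted "type=value" lines) so the MAC covers every claim, lifetime and audience included.
    $canonical = ($Claims.Keys | Sort-Object | ForEach-Object { "$_=$($Claims[$_])" }) -join "`n"
    $hmac = New-Object System.Security.Cryptography.HMACSHA256
    $hmac.Key = $Key
    [Convert]::ToBase64String($hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($canonical)))
}

function New-SecurityToken([hashtable]$Claims, [byte[]]$SigningKey) {
    @{ Claims = $Claims; Signature = (Get-TokenSignature $Claims $SigningKey) }
}

function Test-SecurityToken($Token, [byte[]]$Key, [string]$Audience, [datetime]$Now) {
    # The checks a relying party makes before believing a single claim. Returns $null when the token is good.
    if ((Get-TokenSignature $Token.Claims $Key) -ne $Token.Signature) { return 'signature invalid' }
    if ($Token.Claims['Audience'] -ne $Audience) { return "audience mismatch ($($Token.Claims['Audience']))" }
    $nbf = [DateTimeOffset]::Parse($Token.Claims['NotBefore']).UtcDateTime
    $exp = [DateTimeOffset]::Parse($Token.Claims['NotOnOrAfter']).UtcDateTime
    if ($Now -lt $nbf -or $Now -ge $exp) { return 'token outside its validity window' }
    return $null
}

# ---- Identity provider (the partner's AD FS). Its key stands in for the token-signing certificate. ----
$IdpIssuer  = 'https://adfs.partner.com/adfs/services/trust'
$IdpKey     = [Text.Encoding]::UTF8.GetBytes('partner-adfs-token-signing-key')
$EmailClaim = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$RoleClaim  = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'

function Invoke-IdpSignIn([string]$Realm, [string]$User, [string]$Role, [datetime]$Now) {
    # Steps 3-4: the IdP has authenticated $User by its own means and issues a short-lived token for the requested realm.
    $claims = @{
        Issuer = $IdpIssuer; Audience = $Realm
        NotBefore = $Now.ToString('o'); NotOnOrAfter = $Now.AddMinutes(10).ToString('o')
        $EmailClaim = $User; $RoleClaim = $Role
        'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier' = 'ppid-0001'   # not mapped by SharePoint
    }
    New-SecurityToken $claims $IdpKey
}

# ---- Relying party: the SharePoint STS and the web application it protects ----
$WebAppUrl        = 'https://Corporate.contoso.com'
$SpStsKey         = [Text.Encoding]::UTF8.GetBytes('sharepoint-sts-signing-key')
$SpLogonNameClaim = 'http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname'
$TrustedIssuers = @{
    # What New-SPTrustedIdentityTokenIssuer records: name, signing key, realm, identifier claim and the claim mappings.
    $IdpIssuer = @{ Name = 'Partner AD FS'; Key = $IdpKey; Realm = 'urn:sharepoint:corporate'
                    IdentifierClaim = $EmailClaim; ClaimsMappings = @($EmailClaim, $RoleClaim) }
}

function Invoke-SharePointSts($IdpToken, [datetime]$Now) {
    # Step 5: does SharePoint trust the token? Find the policy for the issuer, validate, map, then augment.
    $issuerName = [string]$IdpToken.Claims['Issuer']
    $policy = $TrustedIssuers[$issuerName]
    if (-not $policy) { throw "untrusted issuer '$issuerName'" }
    $problem = Test-SecurityToken $IdpToken $policy.Key $policy.Realm $Now
    if ($problem) { throw "IdP token rejected: $problem" }
    $claims = @{ Issuer = 'SharePoint STS'; Audience = $WebAppUrl
                 NotBefore = $Now.ToString('o'); NotOnOrAfter = $Now.AddMinutes(10).ToString('o') }
    foreach ($type in $policy.ClaimsMappings) {   # only mapped claim types are copied; the PPID above is dropped
        if ($IdpToken.Claims.ContainsKey($type)) { $claims[$type] = $IdpToken.Claims[$type] }
    }
    # Token augmentation: SharePoint adds its own claims, here the encoded login name that becomes the SPUser
    # ("i:05.t|<issuer>|<email>": identity claim, e-mail identifier type, string value, trusted provider).
    $claims[$SpLogonNameClaim] = "i:05.t|$($policy.Name)|$($IdpToken.Claims[$policy.IdentifierClaim])"
    New-SecurityToken $claims $SpStsKey    # step 6: a second, SharePoint-issued token goes back to the browser
}

function Invoke-WebApplicationRequest([string]$Url, $SpToken, [datetime]$Now) {
    # Steps 1-2: with no SharePoint token, the claims HttpModule's EndRequest turns the 401 into a 302 to the sign-in page.
    if (-not $SpToken) {
        return @{ Status = 302; Location = "$WebAppUrl/_login/default.aspx?ReturnUrl=" + [Uri]::EscapeDataString($Url) }
    }
    # Step 7: the web application accepts only tokens from its own STS, then turns the token into an SPUser.
    $problem = Test-SecurityToken $SpToken $SpStsKey $WebAppUrl $Now
    if ($problem) { return @{ Status = 401; Reason = $problem } }
    @{ Status = 200; SPUser = $SpToken.Claims[$SpLogonNameClaim]; Roles = $SpToken.Claims[$RoleClaim] }
}

# ---- Walk the flow, then the cases an attacker tries ----
$now = (Get-Date).ToUniversalTime()
$resource = "$WebAppUrl/sites/partners/default.aspx"
(Invoke-WebApplicationRequest $resource $null $now).Location            # unauthenticated request: redirect to sign-in
$idpToken = Invoke-IdpSignIn 'urn:sharepoint:corporate' 'bob@partner.com' 'PartnerEngineer' $now
$spToken  = Invoke-SharePointSts $idpToken $now
(Invoke-WebApplicationRequest $resource $spToken $now).SPUser           # the encoded login name of the SPUser

$otherRealm = Invoke-IdpSignIn 'urn:sharepoint:some-other-app' 'bob@partner.com' 'PartnerEngineer' $now
try { Invoke-SharePointSts $otherRealm $now } catch { "rejected: $_" } # token minted for a different relying party
$forged = New-SecurityToken $idpToken.Claims ([Text.Encoding]::UTF8.GetBytes('guessed-key'))
try { Invoke-SharePointSts $forged $now } catch { "rejected: $_" }     # signed with a key SharePoint does not trust
$idpToken.Claims[$RoleClaim] = 'PartnerAdmin'                          # role claim changed after issuance
try { Invoke-SharePointSts $idpToken $now } catch { "rejected: $_" }   # the signature no longer matches
(Invoke-WebApplicationRequest $resource $idpToken $now).Reason         # IdP token presented straight to the web app
```

The last case is the point the notes make about two different tokens: the web application never trusts the identity provider's token, only the one its own STS issued after validation and augmentation. In a real farm the trust material is the certificate imported with -ImportTrustCertificate, so rotating the partner's token-signing certificate without updating the SPTrustedIdentityTokenIssuer fails closed with the same 'signature invalid' result.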