Eric Raff. Usergroup up

Presentation on theme: "Eric Raff. Usergroup up"— Presentation transcript:

1 Eric Raff

2 Usergroup contacts:
- @SharePointUtah
- www.facebook.com/UtahSharePointUsersGroup
- www.UTSharePoint.com

3 Who am I
- Roles: IAM Architect; SharePoint Architect, Engineer; Exchange Server Engineer; OCS/Lync Engineer
- GroupWise was my middle name
- Author
- Teacher

4 Say What?
- SSO
- IWA
- Classic Authentication
- Claims Authentication
- AuthN
- AuthZ
- IdP
- RP / SP
- ADFS
- HRD
- SAML
- WS-Fed
- SaaS
- IDaaS

5 Answers:
- SSO = Single Sign On
- IWA = Integrated Windows Authentication
- SharePoint Classic Authentication
- SharePoint Claims Authentication
- AuthN = Authentication
- AuthZ = Authorization
- IdP = Identity Provider (Trusted IdP)
- RP = Relying Party / SP = Service Provider
- ADFS = Active Directory Federation Services
- HRD = Home Realm Discovery
- SAML = Security Assertion Markup Language
- WS-Fed = WS-Federation
- SaaS = Software as a Service
- IDaaS = Identity as a Service

6 SSO Defined
- End user logs in once and can seamlessly access many different web applications without needing to re-authenticate to each one.
- “Logs in once” could mean a workstation login or a browser login.
- It is NOT what I call “SAME Sign On”: using the same username each time to log into many different web applications.

7 The 3 SharePoint Doors
Authentication Options:
1. Windows Authentication: Classic (domain\UserID) OR Claims (i:0#.w|domain\UserID)
2. Forms Authentication (i:0#.f|provider|UserID): .NET membership provider (LDAP, SQL, Custom)
3. Trusted Identity Provider (c:0#.t|provider|IdentifierClaim): WS-Federation / SAML
If more than one door is enabled, users see the “picker page”.

8 User's SharePoint Identity
- Each AuthN option is associated 1:1 with a user's identity.
- The same user could be represented as 3 different identities to SharePoint depending on HOW the user authenticated to SharePoint:
  1. (domain\eraff) OR (i:0#.w|domain\eraff)
  2. (i:0#.f|provider|eraff)
  3. (c:0#.t|provider|eric.raff@outlook.com)
- Having 3 options enabled at the same time is not common, but having 2 is.
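As an added example (not from the deck) for slides 7 and 8, a small parser for the three login-string shapes shown there, plus a check that makes the 1:1 point concrete: permissions granted to one encoded identity do not apply when the same person arrives through another door. The meaning of the issuer letters w/f/t is read off the slide's own examples; everything else about the encoding is an assumption.

```python
import re
from dataclasses import dataclass

# Original-issuer letter -> the "door" the user came through, read off the
# slide's examples (w = Windows, f = Forms, t = Trusted IdP); assumed mapping.
DOOR_BY_ISSUER = {"w": "Windows", "f": "Forms", "t": "Trusted IdP"}

# Claims login: <i|c>:0<claim-type char>.<issuer letter>|<rest>
CLAIMS_RE = re.compile(r"^(?P<kind>[ic]):0(?P<ctype>.)\.(?P<issuer>[a-z])\|(?P<rest>.+)$")
CLASSIC_RE = re.compile(r"^[^\\|:]+\\[^\\|:]+$")  # classic mode: domain\UserID


@dataclass(frozen=True)
class SPIdentity:
    mode: str      # "classic" or "claims"
    door: str      # "Windows", "Forms" or "Trusted IdP"
    provider: str  # membership provider or trusted IdP name; "" for Windows
    value: str     # domain\UserID, the forms user name, or the identifier claim


def parse_sp_identity(raw: str) -> SPIdentity:
    """Split one SharePoint login string into the pieces AuthZ is keyed on."""
    m = CLAIMS_RE.match(raw)
    if m:
        door = DOOR_BY_ISSUER.get(m["issuer"])
        if door is None:
            raise ValueError(f"unknown original issuer in {raw!r}")
        if door == "Windows":
            return SPIdentity("claims", door, "", m["rest"])
        provider, sep, value = m["rest"].partition("|")
        if not (sep and provider and value):
            raise ValueError(f"{door} login needs provider|value: {raw!r}")
        return SPIdentity("claims", door, provider, value)
    if CLASSIC_RE.match(raw):
        return SPIdentity("classic", "Windows", "", raw)
    raise ValueError(f"not a SharePoint login string: {raw!r}")


def same_principal(a: str, b: str) -> bool:
    """Rights are granted to the encoded identity, not to the person: only an
    exact match on mode, door, provider and value is the same principal."""
    return parse_sp_identity(a) == parse_sp_identity(b)


def distinct_principals(logins) -> int:
    """How many separate SharePoint identities a list of logins maps to."""
    return len({parse_sp_identity(s) for s in logins})


# Constructed sample: the slide's three login strings for the one person "eraff".
ERAFF_LOGINS = [r"i:0#.w|domain\eraff", "i:0#.f|provider|eraff",
                "c:0#.t|provider|eric.raff@outlook.com"]
```

Running `distinct_principals(ERAFF_LOGINS)` returns 3: one person, three principals, which is why a permission granted to the Windows identity is invisible once that user signs in through the trusted IdP.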

9 Windows Authentication
- Been around for years
- 401 challenge/response: NTLM, Negotiate (Kerberos)
- Both Classic and Claims
- Microsoft “bubble”
- Every host name requires AuthN
- NOT an internet-friendly solution: the browser/computer must be able to reach an AD Domain Controller directly.

10 IWA Browser Matrix (table of browsers vs. prompts): Browser Prompt HELL!

11 Forms Authentication
- .NET membership provider: LDAP identity store, SQL identity store, Custom
- SharePoint collects user credentials and verifies them against the identity store.
- Must update 3 web.config files (tedious)

12 Trusted Identity Provider
- The future of SSO: web-friendly, using federated authentication approaches
- SharePoint NOT involved in AuthN
- SharePoint IS still doing AuthZ
- SharePoint is a Relying Party to an external “Trusted Identity Provider” (IdP): anything that supports WS-Federation/SAML, e.g. ADFS, Windows Azure Access Control, Okta, PingIdentity, OneLogin, etc.

13 Trusted IdP: the ugly
- No name resolution OOTB; this will affect how you authorize users in SharePoint.
- MUST still enable Windows AuthN (claims) for core SP services (search)
- Picker page: may need a custom login page.
- Possible Home Realm Discovery (HRD) issues if the IdP has multiple AuthN sources.

14 SSO Ecosystem? (diagram: On-Prem ADDS, Domain Joined Workstation, WebApps – SP, OWA, IIS, etc., SaaS)

15 SSO Ecosystem…YEA (diagram: On-Prem ADDS, Domain Joined Workstation, WebApps – SP, OWA, IIS, etc., O365, SaaS, IdP, DirSync)

16 And Your IdP Is….
- The heart of any SSO architecture.
- Picking an IdP should be carefully considered.
- Lots of options in a rapidly changing and evolving landscape.
- Depends on company needs, culture, the applications that need to participate, legacy apps, etc.

17 IDaaS
- Can significantly simplify an SSO deployment and implementation.
- Will likely have a role in your future to some degree.
- Brings greater security offerings to the table, such as Multi-Factor Authentication (MFA), real-time risk analysis, mobile integration, etc.

18 The Microsoft Cloud Ecosystem: Azure / Azure AD / O365 (diagram: Microsoft Azure - PaaS; Azure AD | AAD Premium - IDaaS; Office 365 - SaaS: SharePoint, Exchange, Lync, InTune, RMS; Microsoft Datacenters in the Cloud; OnPrem IdP)

19 Bringing it Together
- Is there any current SSO technology involved?
- What web applications do you want to participate in SSO? SharePoint, Office 365, SaaS providers, Desktop Authentication (IWA)
- Do you want Web SSO or Desktop + Web SSO?
- What authentication method should you use for SharePoint?

20 SSO Discovery Doc
- Explains concepts and has 17 questions to help identify scope and impact for an SSO implementation. http://goo.gl/JOi5wW

21 THANK YOU! eric.raff@outlook.com

22 Please join us for SharePint! SharePint will be held at Red Rock Brewing, 254 South 200 West, Salt Lake City, following the prize raffle.
