Eric Raff

Usergroup contacts:
@SharePointUtah
www.facebook.com/UtahSharePointUsersGroup
www.UTSharePoint.com

Who am I
Roles:
IAM Architect
SharePoint Architect, Engineer
Exchange Server Engineer
OCS/Lync Engineer
GroupWise was my middle name
Author
Teacher

Say What?
SSO, IWA, Classic Authentication, Claims Authentication, AuthN, AuthZ, IdP, RP / SP, ADFS, HRD, SAML, WS-Fed, SaaS, IDaaS

Answers:
SSO = Single Sign On
IWA = Integrated Windows Authentication
SharePoint Classic Authentication
SharePoint Claims Authentication
AuthN = Authentication
AuthZ = Authorization
IdP = Identity Provider (Trusted IdP)
RP = Relying Party / SP = Service Provider
ADFS = Active Directory Federation Services
HRD = Home Realm Discovery
SAML = Security Assertion Markup Language
WS-Fed = WS-Federation
SaaS = Software as a Service
IDaaS = Identity as a Service

SSO Defined
The end user logs in once and can seamlessly access many different web applications without needing to re-authenticate to each one.
“Logs in once” could mean a workstation login or a browser login.
It is NOT what I call “SAME Sign On” – using the same username each time to log into many different web applications.

The 3 SharePoint Doors: Authentication Options
1. Windows Authentication
   ○ Classic (domain\UserID) OR Claims (i:0#.w|domain\UserID)
2. Forms Authentication (i:0#.f|provider|UserID)
   ○ .NET membership provider (LDAP, SQL, Custom)
3. Trusted Identity Provider (c:0#.t|provider|IdentifierClaim)
   ○ WS-Federation / SAML
If more than one door is enabled, users see the “picker page”.

Users' SharePoint Identity
Each AuthN option is associated 1:1 with a user identity. The same user could be represented as 3 different identities to SharePoint, depending on HOW the user authenticated to SharePoint:
1. (domain\eraff) OR (i:0#.w|domain\eraff)
2. (i:0#.f|provider|eraff)
3. (c:0#.t|provider|eric.raff@outlook.com)
Having all 3 options enabled at the same time is not common, but having 2 is.

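As an added example that is not part of the slides, this Python decoder pulls apart the login formats listed above (classic domain\user versus the claims-encoded i:0#.w|…, i:0#.f|…|… and c:0#.t|…|… forms) so that a script auditing site permissions can tell which door a login came through and which issuer vouched for it. The issuer codes beyond w/f/t and the claim-type codes other than '#' are assumptions about SharePoint's general claims-encoding scheme, not taken from the slides.

```python
from dataclasses import dataclass
from typing import Optional

# Issuer-type codes: 'w', 'f' and 't' are the three doors on the slides; the
# remaining codes are assumed from SharePoint's general claims-encoding scheme.
ISSUER_TYPES = {"w": "windows", "f": "forms", "t": "trusted", "m": "membership",
                "r": "role", "s": "sharepoint", "c": "claimprovider"}
# Claim-type codes: '#' (user logon name) is on the slides; '5' (email) and
# '-' (role) are assumed.
CLAIM_TYPES = {"#": "userlogonname", "5": "email", "-": "role"}

@dataclass(frozen=True)
class SPClaim:
    is_identity: bool               # 'i' = identity claim, 'c' = any other claim
    claim_type: str
    issuer_type: str
    original_issuer: Optional[str]  # None for Windows claims (no issuer segment)
    value: str

def is_claims_encoded(login: str) -> bool:
    """True for 'i:0...'/'c:0...' logins; a classic domain\\user login is not encoded."""
    return len(login) > 7 and login[0] in "ic" and login[1:3] == ":0" and login[6] == "|"

def parse_encoded_claim(encoded: str) -> SPClaim:
    """Decode '<i|c>:0<claim type><value type><issuer type>|[<issuer>|]<value>'."""
    if not is_claims_encoded(encoded):
        raise ValueError(f"not a claims-encoded login: {encoded!r}")
    claim_code, value_code, issuer_code = encoded[3], encoded[4], encoded[5]
    if value_code != ".":           # '.' = string; other value types are out of scope here
        raise ValueError(f"unsupported claim value type code {value_code!r}")
    if issuer_code not in ISSUER_TYPES:
        raise ValueError(f"unknown issuer type code {issuer_code!r}")
    rest = encoded[7:]
    if issuer_code == "w":          # Windows: domain\user follows the header directly
        issuer, value = None, rest
    else:                           # forms / trusted: '<original issuer>|<value>'
        issuer, sep, value = rest.partition("|")
        if not sep or not issuer:
            raise ValueError(f"missing original issuer in {encoded!r}")
    if not value:
        raise ValueError(f"empty claim value in {encoded!r}")
    return SPClaim(encoded[0] == "i", CLAIM_TYPES.get(claim_code, f"code:{claim_code}"),
                   ISSUER_TYPES[issuer_code], issuer, value)

if __name__ == "__main__":  # the slide's three identities for the same user
    for s in (r"i:0#.w|domain\eraff", "i:0#.f|provider|eraff",
              "c:0#.t|provider|eric.raff@outlook.com"):
        print(s, "->", parse_encoded_claim(s))
```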
Windows Authentication
Been around for years
401 challenge/response – NTLM, Negotiate (Kerberos)
Both Classic and Claims
Microsoft “bubble”
Every host name requires AuthN
NOT an internet-friendly solution
Browser/computer must be able to reach an AD domain controller directly.

IWA Browser Matrix
Browser prompt HELL!

Forms Authentication
.NET membership provider:
LDAP identity store
SQL identity store
Custom
SharePoint collects the user's credentials and verifies them against the identity store.
Must update 3 web.config files – tedious.

Trusted Identity Provider
The future of SSO – web friendly, using federated authentication approaches.
SharePoint is NOT involved in AuthN.
SharePoint IS still doing AuthZ.
SharePoint is a Relying Party to an external “Trusted Identity Provider” (IdP).
Anything that supports WS-Federation/SAML:
○ ADFS, Windows Azure Access Control, Okta, PingIdentity, OneLogin, etc.

Trusted IdP – the ugly
No name resolution OOTB – this affects how you authorize users in SharePoint.
MUST still enable Windows AuthN (claims) for core SP services (search).
Picker page – may need a custom login page.
Possible Home Realm Discovery (HRD) issues if the IdP has multiple AuthN sources.

SSO Ecosystem?
(Diagram: On-Prem ADDS; Domain Joined Workstation; WebApps – SP, OWA, IIS, etc.; SaaS)

SSO Ecosystem…YEA
(Diagram: On-Prem ADDS; Domain Joined Workstation; WebApps – SP, OWA, IIS, etc.; O365; SaaS; IdP; DirSync)

And Your IdP Is….
The heart of any SSO architecture.
Picking an IdP should be carefully considered.
Lots of options, with a rapidly changing and evolving landscape.
Depends on company needs, culture, the applications that need to participate, legacy apps, etc.

IDaaS
Can significantly simplify an SSO deployment and implementation.
Will likely have a role in your future to some degree.
Brings greater security offerings to the table, such as Multi-Factor Authentication (MFA), real-time risk analysis, mobile integration, etc.

The Microsoft Cloud Ecosystem: Azure / Azure AD / O365
(Diagram: Microsoft datacenters in the cloud)
Microsoft Azure – PaaS
Azure AD | AAD Premium – IDaaS
Office 365 – SaaS: SharePoint, Exchange, Lync, InTune, RMS
OnPrem IdP

Bringing it Together
Is there any current SSO technology involved?
What web applications do you want to participate in SSO?
SharePoint
Office 365
SaaS providers
Desktop Authentication (IWA)
Do you want Web SSO or Desktop + Web SSO?
What authentication method should you use for SharePoint?

SSO Discovery Doc
Explains concepts and has 17 questions to help identify the scope and impact of an SSO implementation.
http://goo.gl/JOi5wW

THANK YOU!
eric.raff@outlook.com

Please join us for SharePint!
SharePint will be held at Red Rock Brewing, 254 South 200 West, Salt Lake City, following the prize raffle.