Presentation is loading. Please wait.

Presentation is loading. Please wait.

SharePoint External Login Access – Forms Authentication vs Azure ACS.

Published byMorgan Walsh Modified over 9 years ago

Similar presentations

Presentation on theme: "SharePoint External Login Access – Forms Authentication vs Azure ACS."— Presentation transcript:

1 SharePoint External Login Access – Forms Authentication vs Azure ACS

2 Keith Tuomi, SharePoint MVP SharePoint Consultant & Developer

3 Things I will be talking about.. -Extranet scenarios in SharePoint -Claims Authentication -Forms Based Authentication -3 rd party vendor options for Forms Based Auth -Azure ACS Authentication -Pros & Cons of Forms Based Auth vs Azure ACS

4 What’s an Extranet? Controlled access from external networks

5 Extranet Requirements o What do you REALLY need? Who needs access to your SharePoint? How sensitive is the data? How important is ease of access? How important is ease of user management?

6 Extranet Requirements o Who Needs access? Internal employees = Active Directory, Azure Active Directory External users (Clients, partners, consultants) = Active Directory, Forms Based Authentication, Azure ACS Authentication

7 Claims Authentication First things first- understanding Authentication vs Authorization.. Authentication is the process of validating a user’s identity. (SharePoint never performs authentication btw) Authorization is the process of deciding the resources & functionality to which an authenticated user has access to

8 Claims Authentication Q. What’s a Claim? A. A piece of info describing a user: - Name Jane Doe - Email jane.doe@organization.com - Group/Role membership HR - Age 24 - Hire Date 12/10/2013 - etc.

9 Claims Authentication Q. Why do we say “claim” and not “attribute”? A. Consider: - Both Facebook and Microsoft have an Age attribute - Facebook claims user is 18 while Microsoft claims the user is 35 In order to make authorization decisions, your app needs to decide which “claim” it will trust.

10 Claims Authentication How Claims works (the techy diagram):

11 Claims Authentication How Claims works (layman’s terms): You check in at the Airport (SharePoint) (Authentication) - present credentials (Passport) - credentials are validated by security guard You receive a boarding pass (Authorization) - Seat, Frequent Flyer, Gate etc.

12 Claims Authentication More on the details of claims (great party trivia!): http://yalla.itgroove.net/2012/11/claims-based-authentication-in-sharepoint-2010/

13 Forms Based Authentication OPTION A – Roll your own Setting up a basic Forms Authentication implementation http://blogs.visigo.com/chriscoulson/configuring-forms-based-authentication-in- sharepoint-2013-part-1-creating-the-membership-database/ Details config required to enable basic Forms Authentication in your SharePoint 2013 Farm SharePoint 2013 FBA Pack http://sharepoint2013fba.codeplex.com/ Open source add on to basic Forms plumbing that adds extra options in SharePoint site settings & web parts for user management, password reset, etc. http://blogs.visigo.com/chriscoulson/configuring-forms-based-authentication-in- sharepoint-2013-part-1-creating-the-membership-database/ http://sharepoint2013fba.codeplex.com/

14 Forms Based Authentication OPTION A – Roll your own Demo Demo

15 Forms Based Authentication OPTION B – 3 rd Party Vendors - FBA Suite - ExCM 2013 - Extradium - Envision IT Extranet User Manager for SharePoint - itgrooveFBA SuiteExCM 2013ExtradiumEnvision IT Extranet User Manager for SharePointitgroove.. and more.

16 Forms Based Authentication Functionality to consider when planning Forms Auth: Password Policies – Minimum length, complexity, expiry, re-use of old PW Login Details – Failed login lockout criteria, remember PW Self-service – Resetting PW, forgotten PW retrieval Branding – Styling of Login & User facing web pages Data Store – Database encryption, reporting & User auditing

17 Azure ACS Authentication Cloud based Microsoft Identity provider www.WindowsAzure.com www.WindowsAzure.com Management Console: https://manage.windowsazure.com https://manage.windowsazure.com

18 Azure ACS Authentication -Allows Claims authentication against popular identity providers like Google, Microsoft, Yahoo, Facebook etc. -Is a $ free service $ as part of your overall Windows Azure account -Initial setup in SharePoint is performed via a PowerShell that sets up a certificate, defines what Claims to use, and defines your providers -Once the SharePoint web app is married to the Azure ACS Access Control Namespace, we then go to the web app settings in SharePoint Central Administration and enable the new Identity Provider we’ve created

19 Azure ACS Authentication

20

21

22

23 Further references for configuring Azure ACS: http://msdn.microsoft.com/en-us/library/gg429788.aspx http://msdn.microsoft.com/en-us/library/gg429788.aspx http://dannyjessee.com/blog/index.php/2012/11/using-azure-acs-to-sign-in-to- sharepoint-2013-with-facebook/ http://robbincremers.me/2012/02/22/using-windows-azure-access-control-service-to- provide-a-single-sign-on-experience-with-popular-identity-providers/ http://blogs.msdn.com/b/mvpawardprogram/archive/2011/06/17/mvps-for- sharepoint-2010-using-azure-acs-v2-to-authenticate-external-systems-users.aspx

24 Pros & Cons of Forms Based Auth YAY NAY Easy to remove user accounts when they need to be put out to pasture Typically requires low level configuration and mucking about SharePoint guts e.g. web.config Direct control of the login branding and user experience end-to-end Users are stored in a SQL database which is decoupled from your main AD, can make reconciling profile properties later hard Can be completely on-premise and self contained, reading from a SQL database that your organization controls. Great for Government/Orgs with privacy requirements For a truly robust Forms auth implementation, you will likely want to go 3 rd party which involves $ and careful evaluation of product/service offerings Allows a “sticky” login session stickhandled by cookies as compared to the default NTLM experience which tends to be screwy on Chrome/Firefox/iPads etc. Can inherit AD policies such as password complexity rules

25 Pros & Cons of Azure ACS Auth YAY NAY Hosted in the Cloud (stability, global data center redundancy, support) Hosted in the Cloud (privacy and data ownership concerns) Free service as part of your overall Azure accountComplex to set up for different identity providers – Facebook for example requires signing up for a Facebook Dev account and creating a Facebook Application Can be coordinated with an overall hybrid Active Directory/Office 365 strategy The Live ID identity provider is ironically the biggest deadbeat out of the bunch as it returns the username as gobbley gook. In order to get the SharePoint username claim right extra coding is required. Extremely easy user adoption – users can login in with their existing, familiar identity providers The identity providers hold the key to users access to SharePoint – when it comes time to retire a user your only privilege is to remove their SharePoint user rights, leaving potential gaps as it’s hard to audit SharePoint user access rights out of the box

26 Questions?

27 Keith Tuomi Email: ktuomi@itgroove.net Blog: http://yalla.itgroove.nethttp://yalla.itgroove.net Twitter: @itgroove_keith@itgroove_keith

Download ppt "SharePoint External Login Access – Forms Authentication vs Azure ACS."

Similar presentations

Implementing Tableau Server in an Enterprise Environment

Implementing Tableau Server in an Enterprise Environment
Core identity scenarios Federation and synchronization 2 3 Identity management overview 1 Additional features 4.

Core identity scenarios Federation and synchronization 2 3 Identity management overview 1 Additional features 4.
Configuring SharePoint 2013 and Office 365 Hybrid – Part 1

Configuring SharePoint 2013 and Office 365 Hybrid – Part 1
Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.

Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.
 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.

 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.
Microsoft Ignite /16/2017 4:55 PM

Microsoft Ignite /16/2017 4:55 PM
Membership, Role Manager and Profile Membership, Role Manager and Profile Matt Gibbs ASP.NET Development Manager.

Membership, Role Manager and Profile Membership, Role Manager and Profile Matt Gibbs ASP.NET Development Manager.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Identity and Access Management

Identity and Access Management
SIM205. (On-Premises) Storage Servers Networking O/S Middleware Virtualization Data Applications Runtime You manage Infrastructure (as a Service)

SIM205. (On-Premises) Storage Servers Networking O/S Middleware Virtualization Data Applications Runtime You manage Infrastructure (as a Service)
Empower Enterprise Mobility Jasbir Gill Azure Mobility.

Empower Enterprise Mobility Jasbir Gill Azure Mobility.
Scenario covered in this presentation Separate credential from on- premises credential Authentication occurs via cloud directory service Does not.

Scenario covered in this presentation Separate credential from on- premises credential Authentication occurs via cloud directory service Does not.
Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd

Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd
Copyright 2007, Information Builders. Slide 1 WebFOCUS Authentication Mark Nesson, Vashti Ragoonath Information Builders Summit 2008 User Conference June.

Copyright 2007, Information Builders. Slide 1 WebFOCUS Authentication Mark Nesson, Vashti Ragoonath Information Builders Summit 2008 User Conference June.
Session 11: Security with ASP.NET

Session 11: Security with ASP.NET
Philadelphia Area SharePoint User Group Building Customer/Partner Extranets Designing a Secure Extranet with Sharepoint 2007 Russ Basiura RJB Technical.

Philadelphia Area SharePoint User Group Building Customer/Partner Extranets Designing a Secure Extranet with Sharepoint 2007 Russ Basiura RJB Technical.
© FPT SOFTWARE – TRAINING MATERIAL – Internal use 04e-BM/NS/HDCV/FSOFT v2/3 Securing a Microsoft ASP.NET Web Application.

© FPT SOFTWARE – TRAINING MATERIAL – Internal use 04e-BM/NS/HDCV/FSOFT v2/3 Securing a Microsoft ASP.NET Web Application.
SSL, Single Sign On, and External Authentication Presented By Jeff Kelley April 12, 2005.

SSL, Single Sign On, and External Authentication Presented By Jeff Kelley April 12, 2005.
Identity on Force.com & Benefits of SSO Nick Simha.

Identity on Force.com & Benefits of SSO Nick Simha.
8.1 © 2004 Pearson Education, Inc. Exam 70-297 Designing a Microsoft ® Windows ® Server 2003 Active Directory and Network Infrastructure Lesson 8: Planning.

8.1 © 2004 Pearson Education, Inc. Exam Designing a Microsoft ® Windows ® Server 2003 Active Directory and Network Infrastructure Lesson 8: Planning.

Similar presentations

Ads by Google