BRINGING SSO TO THE WORLD OF SHAREPOINT, O365 AND SAAS Eric Raff





Usergroup contacts:

• @SharePointUtah

• www.facebook.com/UtahSharePointUsersGroup

• www.UTSharePoint.com

Who am I

Roles:

• IAM Architect

• SharePoint Architect, Engineer

• Exchange Server Engineer

• OCS/Lync Engineer

• GroupWise was my middle name

• Author

• Teacher

Say What?

SSO, IWA, Classic Authentication, Claims Authentication, AuthN, AuthZ, IdP, RP / SP, ADFS, HRD, SAML, WS-Fed, SaaS, IDaaS

Answers:

• SSO = Single Sign On

• IWA = Integrated Windows Authentication

• Classic Authentication = SharePoint Classic Authentication

• Claims Authentication = SharePoint Claims Authentication

• AuthN = Authentication

• AuthZ = Authorization

• IdP = Identity Provider (Trusted IdP)

• RP = Relying Party / SP = Service Provider

• ADFS = Active Directory Federation Services

• HRD = Home Realm Discovery

• SAML = Security Assertion Markup Language

• WS-Fed = WS-Federation

• SaaS = Software as a Service

• IDaaS = Identity as a Service

SSO Defined

End user logs in once and seamlessly can access many different web applications without needing to re-authenticate to each web application.

“Logs in once” could mean a workstation login, or a browser login.

It is NOT what I call “SAME Sign On” – using the same username each time to log into many different web applications.

The 3 SharePoint Doors

Authentication Options

1. Windows Authentication

○ Classic (domain\UserID) OR Claims (i:0#.w|domain\UserID)

2. Forms Authentication (i:0#.f|provider|UserID)

○ .net membership provider (LDAP, SQL, Custom)

3. Trusted Identity Provider (c:0#.t|provider|IdentifierClaim)

○ WS-Federation / SAML

If >1 door enabled, users see “picker page”.

Users / SharePoint Identity

Each AuthN option is associated 1:1 with a user's identity. The same user could be represented as 3 different identities to SharePoint depending on HOW the user authenticated to SharePoint.

1. (domain\eraff) OR (i:0#.w|domain\eraff)

2. (i:0#.f|provider|eraff)

3. (c:0#.t|provider|[email protected])

Having 3 options enabled at the same time is not common, but having 2 is.
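The three "doors" and the three identity strings above differ only in the prefix SharePoint puts in front of the login name. The parser below is an added example (not from the slides or from SharePoint itself) that decodes that prefix into the door, the issuer (provider) and the raw value, and counts how many separate SharePoint principals a set of logins represents; the separator layout follows SharePoint's claims-encoding convention, while the lookup tables of type characters are partial and are assumptions, as is treating the slides' "f" issuer character as forms authentication (the sample logins are constructed).

```python
"""Decode SharePoint claims-encoded identities such as i:0#.w|domain\\user.

Layout assumed: <kind>:0<claim type><value type><issuer type>|<issuer>|<value>
(Windows identities carry no <issuer>| segment). Tables are partial.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

CLAIM_KIND = {"i": "identity claim", "c": "other claim"}

# Claim-type characters (assumed, partial list).
CLAIM_TYPE = {
    "#": "user logon name",
    "5": "email address",
    "-": "role",
    "+": "group SID",
    "!": "identity provider",
}

# Issuer-type characters; "f" is not standard but is how the slides write forms logins.
ISSUER_TYPE = {
    "w": "Windows",
    "m": "forms (membership provider)",
    "r": "forms (role provider)",
    "f": "forms (as written on the slides)",
    "t": "trusted identity provider",
    "c": "claim provider",
    "s": "local SharePoint STS",
}

# Which of the three SharePoint doors each issuer type belongs to.
DOOR_BY_ISSUER = {
    "w": "Windows Authentication",
    "m": "Forms Authentication",
    "r": "Forms Authentication",
    "f": "Forms Authentication",
    "t": "Trusted Identity Provider",
}

_ENCODED = re.compile(r"^([ic]):0(.)(.)(.)\|(.+)$", re.DOTALL)
_CLASSIC = re.compile(r"^[^\\|:]+\\[^\\|]+$")  # domain\user, classic mode


@dataclass(frozen=True)
class SPIdentity:
    door: str                 # one of the three doors, or "other"
    kind: str                 # identity claim / other claim / classic
    claim_type: str
    issuer_type: str
    issuer: Optional[str]     # provider name; None for Windows and classic
    value: str

    def principal_key(self) -> tuple:
        """The triple SharePoint effectively authorizes against (value case-folded)."""
        return (self.door, self.issuer, self.value.lower())


def parse_identity(text: str) -> SPIdentity:
    """Parse one login string; raise ValueError for anything malformed."""
    text = text.strip()
    m = _ENCODED.match(text)
    if m is None:
        if _CLASSIC.match(text):
            return SPIdentity("Windows Authentication", "classic",
                              "user logon name", "w", None, text)
        raise ValueError(f"not a SharePoint identity: {text!r}")
    kind_c, type_c, _value_type_c, issuer_c, rest = m.groups()
    if issuer_c == "w":
        issuer, value = None, rest          # i:0#.w|domain\user
    else:
        parts = rest.split("|", 1)          # provider|value
        if len(parts) != 2 or not parts[0] or not parts[1]:
            raise ValueError(f"missing provider or value in {text!r}")
        issuer, value = parts
    return SPIdentity(
        door=DOOR_BY_ISSUER.get(issuer_c, "other"),
        kind=CLAIM_KIND[kind_c],
        claim_type=CLAIM_TYPE.get(type_c, f"unknown ({type_c!r})"),
        issuer_type=ISSUER_TYPE.get(issuer_c, f"unknown ({issuer_c!r})"),
        issuer=issuer,
        value=value,
    )


def distinct_principals(logins: Iterable[str]) -> int:
    """How many separate SharePoint principals a list of logins represents."""
    return len({parse_identity(s).principal_key() for s in logins})


if __name__ == "__main__":
    # Constructed sample: the same person through each of the three doors.
    for login in ["contoso\\eraff", "i:0#.w|CONTOSO\\eraff",
                  "i:0#.f|ldapmember|eraff", "c:0#.t|adfs|eraff@example.com"]:
        print(login, "->", parse_identity(login))
```

Running the block over the four constructed logins shows why the slide's point matters for authorization: the classic and claims Windows strings collapse to one principal, but the forms and trusted-IdP strings are two more, so permissions granted to one are invisible to the others.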

Windows Authentication

• Been around for years

• 401 challenge response – NTLM, Negotiate (Kerb)

• Both Classic and Claims

• Microsoft “bubble”

• Every host name requires AuthN

• NOT an internet friendly solution

• Browser/Computer must be able to access AD Domain Controller directly.

IWA Browser Matrix

Browser Prompt HELL!

Forms Authentication

• .net membership provider

○ LDAP identity store

○ SQL identity store

○ Custom

SharePoint collects user credentials and verifies them against identity store.

Must update 3 web.config files – tedious

Trusted Identity Provider

The Future of SSO – Web friendly using Federated authentication approaches

• SharePoint NOT involved in AuthN

• SharePoint IS still doing AuthZ

• SharePoint is a Relying Party to an external “Trusted Identity Provider” (IdP)

• Anything that supports WS-Federation/SAML

○ ADFS, Windows Azure Access Control, Okta, PingIdentity, OneLogin etc.

Trusted IdP – the ugly

No name resolution OOTB – will affect how you authorize users in SharePoint.

MUST still enable Windows AuthN (claims) for core SP services (search)

Picker page – may need custom login page.

Possible Home Realm Discovery (HRD) issues if the IdP has multiple AuthN sources.

SSO Ecosystem?

(Diagram: an On-Prem box containing ADDS, a Domain Joined Workstation and WebApps – SP, OWA, IIS, etc.; four separate SaaS boxes)

SSO Ecosystem…YEA

(Diagram: an On-Prem box containing ADDS, a Domain Joined Workstation and WebApps – SP, OWA, IIS, etc.; O365 and three SaaS boxes; an IdP; DirSync)

And Your IdP Is….

The heart of any SSO Architecture. Picking an IdP should be carefully considered. Lots of options with a rapidly changing and evolving landscape. Depends on company needs, culture, applications that need to participate, legacy apps etc.

IDaaS

Can significantly simplify an SSO deployment and implementation.

Will likely have a role in your future to some degree.

Bringing greater security offerings to table such as Multi-Factor Authentication (MFA), real time risk analysis, Mobile integration etc.

The Microsoft Cloud Ecosystem: Azure / Azure AD / O365

(Diagram: Microsoft Azure - PaaS; Azure AD | AAD Premium - IDaaS; Office 365 - SaaS, containing SharePoint, Exchange, Lync, InTune, RMS; Microsoft Datacenters in the Cloud; OnPrem IdP)

Bringing it Together

• Is there any current SSO technology involved?

• What web applications do you want to participate in SSO? SharePoint, Office 365, SaaS providers, Desktop Authentication (IWA)

• Do you want Web SSO or Desktop + Web SSO?

• What Authentication method should you use for SharePoint?

SSO Discovery Doc

Explains concepts and has 17 questions to help identify scope and impact for an SSO implementation.

http://goo.gl/JOi5wW

THANK YOU!

[email protected]

Please join us for SharePint!

SharePint will be held at Red Rock Brewing, 254 South 200 West

Salt Lake City, following the prize raffle