Eric Shupps, SharePoint Server MVP
@eshupps | www.sharepointcowboy.com | slideshare.net/eshupps | linkedin.com/in/eshupps
OAuth roles:
Resource Owner: grants access to a protected resource
Resource Server: hosts the protected resource and accepts access requests
Client: application making protected resource requests on behalf of the resource owner
Authorization Server: issues access tokens
Abstract OAuth flow (participants: Client, Resource Owner, Authorization Server, Resource Server):
1. Client to Resource Owner: Authorization Request
2. Resource Owner to Client: Authorization Grant
3. Client to Authorization Server: Authorization Grant
4. Authorization Server to Client: Access Token
5. Client to Resource Server: Access Token
6. Resource Server to Client: Protected Resource
Request token flow (legs 1 to 3):
1. User requests access
2. App requests Request Token
3. Provider returns Request Token
4. App builds auth link with Request Token
5. User requests URL + Request Token
6. Provider returns Access Token
7. User requests URL + Access Token
8. App validates Access Token
9. Access Token validated
10. User granted access
Access token flow (legs 1 to 2):
1. User requests access
2. App requests Access Token
3. Provider returns Access Token
4. App builds auth link with Access Token
5. User requests URL + Access Token
6. App validates Access Token
7. Access Token validated
8. User granted access
Terminology:
Identity Provider: manages identity information for principals (STS)
Security Token Service: handles requests for trusted identity claims
Identity Token Issuer: identity provider associated with a web application
Security Token Issuer: trusted resource (farm, server, etc.)
Metadata Endpoint: resource information and signing certificate (JSON)
Request Token: used to request permission to a protected resource
Access Token: used by the app to access a resource on behalf of the user
Realm: operation scope for authorization
Azure ACS: cloud-based security token service (IP-STS)
Certificate exchange between farms
Consumer:
1. Export Root & STS Certificates
2. Copy Certificates
3. Import root certificate(s) and create trusted root authority
Provider:
1. Export Root Certificate
2. Copy Certificates
3. Import STS Certificate
4. Create Trusted Service Token Issuer
5. Import root certificate(s) and create trusted root authority
Trust configuration
Consumer:
1. Create Trusted Root Authority
2. Set Authentication Realm
3. Create Trusted Security Token Issuer
4. Create App Principals
Provider:
1. Create Trusted Root Authority
2. Create Trusted Security Token Issuer
On-premise (S2S) app flow:
1. User browses to App
2. SP returns parameters
3. Browser POSTs parameters to App
4. App requests access token from SP
5. SP validates S2S trust
6. App establishes context
Online (Azure ACS) app flow:
1. User browses to app
2. SP gets request token from ACS
3. SP sends request token to browser
4. Browser POSTs request token to app
5. App requests access token from ACS
6. ACS provides access token
7. App establishes context
App code path, on-premise:
1. Get request parameters
2. Get claims from Windows identity
3. Get access token with S2S
4. Establish client context
App code path, online:
1. Get POST parameters from SP
2. Parse out context token
3. Read and validate context token
4. Get access token
5. Get client context from SP with access token
Context token exchange (diagram labels): Client ID and App URL; Tenant ID (Azure ACS); Start and End; SharePoint; User ID + Issuer + App + Realm; IP-STS URL; token sent from the browser or event receiver to the IP-STS (Azure ACS).
Sample context token, decoded (header, then payload):
{"typ":"JWT","alg":"RS256","x5t":"kriMPdmBvx68skT8-mPAB3BseeA"}
.
{
  "aud": "00000003-0000-0ff1-ce00-000000000000/binarywaveinc.sharepoint.com@2ae1caa2-a173-4989-b8f5-9da45655b8f4",
  "iss": "00000001-0000-0000-c000-000000000000@2ae1caa2-a173-4989-b8f5-9da45655b8f4",
  "nbf": 1400013357,
  "exp": 1400056557,
  "nameid": "1003000086ad02d6",
  "actor": "c90047b7-392a-42e7-8c52-65afa92e5d0d@2ae1caa2-a173-4989-b8f5-9da45655b8f4",
  "identityprovider": "urn:federation:microsoftonline"
}
Diagram annotations on the sample token: SharePoint host web and Tenant ID (aud), Azure ACS and Tenant ID (iss), Start (nbf), End (exp), Tenant ID (actor realm), UPN, STS ID.
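The online code path (get POST parameters, parse out the context token, read and validate it) as an added Python example; this is not code from the deck. It re-encodes the deck's sample claims into a constructed JWT with a placeholder signature and runs the claim checks an app should enforce before asking ACS for an access token: algorithm, signature (through an assumed verify_signature callback backed by the certificate from the metadata endpoint), audience, issuer, shared realm and validity window. The function and constant names are this example's own.

```python
import base64
import json
import time

# Well-known principal ids: SharePoint (token audience) and Azure ACS (token issuer)
SHAREPOINT_PRINCIPAL = "00000003-0000-0ff1-ce00-000000000000"
ACS_PRINCIPAL = "00000001-0000-0000-c000-000000000000"
REALM = "2ae1caa2-a173-4989-b8f5-9da45655b8f4"  # tenant id from the deck's sample token
# Constructed sample: the deck's decoded claims re-encoded as a JWT with a placeholder signature
SAMPLE_HEADER = {"typ": "JWT", "alg": "RS256", "x5t": "kriMPdmBvx68skT8-mPAB3BseeA"}
SAMPLE_CLAIMS = {
    "aud": f"{SHAREPOINT_PRINCIPAL}/binarywaveinc.sharepoint.com@{REALM}",
    "iss": f"{ACS_PRINCIPAL}@{REALM}", "nbf": 1400013357, "exp": 1400056557,
    "nameid": "1003000086ad02d6", "identityprovider": "urn:federation:microsoftonline",
    "actor": f"c90047b7-392a-42e7-8c52-65afa92e5d0d@{REALM}",
}

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_sample_token() -> str:
    return ".".join([b64url_encode(json.dumps(SAMPLE_HEADER).encode()),
                     b64url_encode(json.dumps(SAMPLE_CLAIMS).encode()),
                     b64url_encode(b"placeholder-signature")])

def validate_context_token(token, host_web, verify_signature, now=None):
    """Returns (ok, reason, context). verify_signature(signing_input, sig, x5t) is an assumed
    callback that checks RS256 against the ACS signing certificate from the metadata endpoint."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token", {}
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") != "RS256":  # refuse alg downgrades ("none", HMAC)
        return False, "unexpected alg", {}
    if not verify_signature(parts[0] + "." + parts[1], b64url_decode(parts[2]), header.get("x5t")):
        return False, "bad signature", {}
    claims = json.loads(b64url_decode(parts[1]))
    aud_principal, _, aud_realm = claims.get("aud", "").partition("@")
    iss_principal, _, iss_realm = claims.get("iss", "").partition("@")
    # Audience must be this app's host web, issuer must be ACS, both in the same realm (tenant)
    if aud_principal != f"{SHAREPOINT_PRINCIPAL}/{host_web}" or iss_principal != ACS_PRINCIPAL or iss_realm != aud_realm:
        return False, "audience/issuer mismatch", {}
    if not (claims["nbf"] <= now < claims["exp"]):
        return False, "outside validity window", {}
    actor_client_id = claims.get("actor", "").partition("@")[0]  # the app's own client id
    return True, "ok", {"realm": aud_realm, "actor_client_id": actor_client_id, "nameid": claims.get("nameid")}
```

The returned realm and actor client id are exactly what the next step (get access token from ACS) needs; a token that fails any check should be discarded before that request is made.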
Resources:
OAuth Working Group: http://oauth.net/
OAuth Resource Guide: http://bit.ly/14CWPNb
Authorization and authentication for apps in SharePoint 2013: http://bit.ly/16f8WFh
Setting up an OAuth trust between farms in SharePoint 2013: http://bit.ly/12Yr7e3
Plan for server-to-server authentication in SharePoint 2013: http://bit.ly/1chAgFl
What's new in authentication for SharePoint 2013: http://bit.ly/1e6KaYv
Creating High-Trust apps with S2S: http://bit.ly/18RL8uL
Using O365 to Authorize On-Premise Apps: http://bit.ly/1fvv1Bo