
Cross-Org Collaboration using SharePoint 2010 & AD FS 2.0


Presentation Transcript


  1. SIM319 Cross-Org Collaboration using SharePoint 2010 & AD FS 2.0 Samuel Devasahayam Lead Program Manager Identity & Access, Microsoft

  2. Microsoft Claims-Based Access Model
     Components: End User; Claims Framework (WIF); App Business Logic (Resource Provider: a claims-aware application); Security Token Service (AD FS 2.0); Directory (AD DS).
     Configure: Establish Relationship / Trust (signing key). Configure: Claims Rules (Federation Metadata).
     Flow: 1. Get policy → 2. AuthN (Creds) → 3. Get claims → 4. AuthN (Claims) → 5. Grant/deny access

  3. AD FS 2.0 Scenarios
     • Single sign-on (SSO) for internal use: provide Active Directory users access to claims-aware applications and services
     • SSO to outsourced services or the cloud: provide Active Directory users access to applications and services of other organizations
     • Providing outsourced services: provide users in another organization access to claims-aware applications and services

  4. SharePoint 2007 – Identity Flow vs. SharePoint 2010 – Identity Flow
     SharePoint 2007: authentication methods are Windows integrated and Forms (Membership & Role Providers); the result is a Windows Identity; access control is roles-protected, with anonymous access; services are called as trusted sub-systems.
     SharePoint 2010: authentication methods are Windows, Forms and SAML Web SSO; WIF and the SP-STS turn each into a Claims-Based Identity; access control is claims-aware and claims-protected; WIF carries the identity from the client through the SharePoint Web Application to the SharePoint Service Applications (Services Application Framework) and the Content Database.

  5. Why AD FS 2.0 with SharePoint 2010? Web SSO to multiple Applications • Provide seamless login to multiple applications • Source claims from any arbitrary store in your organization Federate with Partner Orgs • Enable access to partner organizations • Connect to organizations via SAML-Protocol Provide Access to Consumer IDs • Enable access to consumer IDs (Live, Google, Yahoo, Facebook) Flexible Authorization with Claims • Use Centralized Roles and Claims to provide access • Use Claims Transformations in AD FS 2.0 to transform data to cater to your application needs

  6. Configure SharePoint 2010 with AD FS 2.0 demo

  7. Configuration (CONTOSO): users Kobe and Kevin in CONTOSO.COM AD, https://sts.contoso.com (AD FS 2.0), https://docs.contoso.com (SharePoint 2010)
     1. Request webpage (https://docs.contoso.com)
     2. Unauthorized! Get a token from CONTOSO
     3. Authenticate (to https://sts.contoso.com, against CONTOSO.COM AD)
     4. Token for SPDOCS
     5. Send token and get access

  8. Identity Normalization: every sign-in ends as an SPUser
     • Anonymous User
     • Classic: NT Token → Windows Identity
     • Claims: NT Token → Windows Identity; ASP.NET (FBA: SQL, LDAP, Custom …) → SAML Token; SAML 1.1 + WS-Fed → SAML Token; all become a Claims-Based Identity

  9. Sign-In

  10. AD FS 2.0 Rule Configuration (CONTOSO – AD FS 2.0)
      CP Rules (AD Authority):
      • Pass Through Group Info
      • Get Email from AD
      RP Rules (SPDOCS, https://docs.contoso.com):
      • Pass Through Email
      • Transform ‘SG’=‘spreaders’ to ‘Role’=‘spdocs_readers’
      • Transform ‘SG’=‘spcontributors’ to ‘Role’=‘spdocs_contributors’

  11. Key Learning
      • Abstract authorization via Claims/Roles for easier management
      • Simplify setup with AD FS Federation Metadata
      • AD FS 2.0 Rule Learning
        • Send AD attributes as claims
        • Convert Security Groups to Role Claims

  12. Extend SharePoint 2010 to partner Organizations with AD FS 2.0 demo

  13. Configuration (CONTOSO and FABRIKAM): users Lebron and Ray in FABRIKAM AD, https://sts.fabrikam.com (FABRIKAM AD FS 2.0), https://sts.contoso.com (CONTOSO AD FS 2.0), https://docs.contoso.com (SharePoint 2010)
      1. Request website (https://docs.contoso.com)
      2. Unauthorized! Give me a token
      3. Get token for CONTOSO: “Hey, I’m from FABRIKAM!”
      4. Sorry, but you need a token from FABRIKAM
      5. Authenticate to FABRIKAM (https://sts.fabrikam.com)
      6. Token issued by FABRIKAM
      7. Send token to CONTOSO from FABRIKAM!
      8. Token for SP2010
      9. Present token and gain access

  14. AD FS 2.0 Rule Configuration (CONTOSO – AD FS 2.0)
      CP Rules (AD Authority):
      • Pass Through Group Info
      • Get Email from AD
      CP Rules (FABRIKAM):
      • Pass Through Email only with suffix ‘@fabrikam.com’
      • Transform ‘Department’=‘Heat’ to ‘B2BPartnerLevel’=‘Level1’
      • Transform ‘Department’=‘Celtics’ to ‘B2BPartnerLevel’=‘Level2’
      RP Rules (https://docs.contoso.com):
      • Pass Through Email
      • Transform ‘SG’=‘spreaders’ to ‘Role’=‘spdocs_readers’
      • Transform ‘SG’=‘spcontributors’ to ‘Role’=‘spdocs_contributors’
      • Transform ‘B2BPartnerLevel’=‘Level1’ to ‘Role’=‘spdocs_readers’
      • Transform ‘B2BPartnerLevel’=‘Level2’ to ‘Role’=‘spdocs_contributors’
      FABRIKAM AD FS 2.0 (issuing to CONTOSO): Issue Email Claim; Issue Department Claim
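The rule tables on slides 10 and 14 written out in AD FS 2.0 claim rule language and applied with the AD FS 2.0 PowerShell snap-in. This is an added example, not the session's own scripts: it assumes a claims provider trust named “FABRIKAM” already created from the partner's federation metadata, a relying party trust named “SPDOCS” for https://docs.contoso.com, and two hypothetical claim type URIs for Department and B2BPartnerLevel; the other claim types are the standard ones AD FS 2.0 ships with.

```powershell
# Added example (not the session's scripts): CONTOSO AD FS 2.0 rules for slides 10 and 14.
# Assumptions: AD FS 2.0 snap-in available, CP trust "FABRIKAM" and RP trust "SPDOCS" exist,
# Department and B2BPartnerLevel claim URIs are hypothetical.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$email = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$group = "http://schemas.xmlsoap.org/claims/Group"
$role  = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
$wacct = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
$dept  = "http://schemas.fabrikam.com/claims/department"     # hypothetical
$level = "http://schemas.contoso.com/claims/B2BPartnerLevel"  # hypothetical

# Claim descriptions make the custom types visible in metadata and the rule editor (slide 15).
foreach ($cd in @(@{ Name = "Department"; Type = $dept }, @{ Name = "B2BPartnerLevel"; Type = $level })) {
    if (-not (Get-ADFSClaimDescription -ClaimType $cd.Type)) {
        Add-ADFSClaimDescription -Name $cd.Name -ClaimType $cd.Type -IsAccepted $true -IsOffered $true
    }
}

# CP rules, AD AUTHORITY: group membership and mail come from the Active Directory
# attribute store, keyed on the windowsaccountname that AD FS itself authenticated.
$adRules = @"
@RuleName = "Pass Through Group Info"
c:[Type == "$wacct", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$group"), query = ";tokenGroups;{0}", param = c.Value);

@RuleName = "Get Email from AD"
c:[Type == "$wacct", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$email"), query = ";mail;{0}", param = c.Value);
"@
Set-ADFSClaimsProviderTrust -TargetName "Active Directory" -AcceptanceTransformRules $adRules

# CP rules, FABRIKAM: acceptance rules are an allow-list. Only claims issued here survive,
# so a partner token that carries its own Group or Role claims cannot grant itself
# SharePoint roles; the partner's Department value is mapped to a Contoso-owned level.
$fabrikamRules = @"
@RuleName = "Pass Through Email only with suffix @fabrikam.com"
c:[Type == "$email", Value =~ "^[^@]+@fabrikam\.com`$"]
 => issue(claim = c);

@RuleName = "Transform Department Heat to B2BPartnerLevel Level1"
c:[Type == "$dept", Value == "Heat"]
 => issue(Type = "$level", Value = "Level1");

@RuleName = "Transform Department Celtics to B2BPartnerLevel Level2"
c:[Type == "$dept", Value == "Celtics"]
 => issue(Type = "$level", Value = "Level2");
"@
Set-ADFSClaimsProviderTrust -TargetName "FABRIKAM" -AcceptanceTransformRules $fabrikamRules

# RP rules, SPDOCS: whichever claims provider authenticated the user, SharePoint only
# ever sees an e-mail identity plus Role claims that Contoso derived itself.
$spdocsRules = @"
@RuleName = "Pass Through Email"
c:[Type == "$email"]
 => issue(claim = c);

@RuleName = "Transform SG spreaders to Role spdocs_readers"
c:[Type == "$group", Value == "spreaders"]
 => issue(Type = "$role", Value = "spdocs_readers");

@RuleName = "Transform SG spcontributors to Role spdocs_contributors"
c:[Type == "$group", Value == "spcontributors"]
 => issue(Type = "$role", Value = "spdocs_contributors");

@RuleName = "Transform B2BPartnerLevel Level1 to Role spdocs_readers"
c:[Type == "$level", Value == "Level1"]
 => issue(Type = "$role", Value = "spdocs_readers");

@RuleName = "Transform B2BPartnerLevel Level2 to Role spdocs_contributors"
c:[Type == "$level", Value == "Level2"]
 => issue(Type = "$role", Value = "spdocs_contributors");
"@
Set-ADFSRelyingPartyTrust -TargetName "SPDOCS" -IssuanceTransformRules $spdocsRules `
    -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Show what was stored for review.
(Get-ADFSRelyingPartyTrust -Name "SPDOCS").IssuanceTransformRules
```

The point worth checking after applying rules like these is the acceptance side: because AD FS drops every incoming claim that no acceptance rule re-issues, the FABRIKAM trust can only ever contribute a suffix-checked e-mail address and a B2BPartnerLevel that Contoso assigned, and the Role values SharePoint authorizes on are produced solely by Contoso's relying party rules.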

  15. Key Learning
      • Setup partner trust to extend SharePoint to partner organizations
      • AD FS 2.0 Rule Learning
        • Normalize organizational access levels via Claims Provider Trust Rules
        • Create new Claim Descriptions to aid managing your rules
        • Convert Fabrikam ‘Department’ claim to Contoso ‘B2BPartnerLevel’ claim

  16. Extend SharePoint 2010 to Consumer Identities with AD FS 2.0 & ACS demo

  17. Configuration (CONTOSO, FABRIKAM and consumer IDs): users Charles and Kenny with consumer IDs, CONTOSO ACS (https://contosd.accesscontrol.windows.net), CONTOSO STS (https://sts.contoso.com), FABRIKAM (https://sts.fabrikam.com), https://docs.contoso.com (SharePoint 2010); identity trusts between FABRIKAM and CONTOSO and between CONTOSO ACS and CONTOSO STS
      1. Request website (https://docs.contoso.com)
      2. Unauthorized! Give me a token
      3. Get token for CONTOSO: “I have a Consumer ID!”
      4. You need a token from my ACS
      5. Authenticate (the slide keeps the label “Authenticate to FABRIKAM” from the partner diagram)
      6. Token issued by CONTOSO ACS
      7. Token to CONTOSO from my ACS
      8. Token for SP2010
      9. Present token and gain access

  18. AD FS 2.0 Rule Configuration (CONTOSO – AD FS 2.0)
      CP Rules (AD Authority):
      • Pass Through Group Info
      • Get Email from AD
      CP Rules (FABRIKAM):
      • Pass Through Email only with suffix ‘@fabrikam.com’
      • Transform ‘Department’=‘Heat’ to ‘B2BPartnerLevel’=‘Level1’
      • Transform ‘Department’=‘Celtics’ to ‘B2BPartnerLevel’=‘Level2’
      CP Rules (ACS):
      • Pass Through IssuerID
      • Pass Through IssuerNameID
      • Get & Issue LocalNameIdentifier (SQL)
      • Get & Issue Email Address from LocalNameIdentifier (SQL)
      RP Rules (https://docs.contoso.com):
      • Pass Through Email
      • Transform ‘SG’=‘spreaders’ to ‘Role’=‘spdocs_readers’
      • Transform ‘SG’=‘spcontributors’ to ‘Role’=‘spdocs_contributors’
      • Transform ‘B2BPartnerLevel’=‘Level1’ to ‘Role’=‘spdocs_readers’
      • Transform ‘B2BPartnerLevel’=‘Level2’ to ‘Role’=‘spdocs_contributors’
      • Get roles based on LocalNameIdentifier
      FABRIKAM AD FS 2.0 (issuing to CONTOSO): Issue Email Claim; Issue Department Claim
      ACS (issuing to CONTOSO): Issue IssuerID; Issue IssuerNameID; Issue Email; Issue Name

  19. Key Learning
      • Evaluate consumer identities based on the sensitivity level of resources that you would like to provide access to
      • Register consumer identities to enable flexible control of provisioning and access
      • Always use the IssuerID && IssuerNameIdentifier claims from ACS as a primary key for the consumer identity
      • Convert to a local Identifier in your realm for flexibility to switch the local Identifier to a different consumer identity (“Hey, I moved from Google ID to Facebook”)
      • AD FS 2.0 Rule Learning
        • Source claims from different attribute stores like SQL
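The ACS claims provider rules of slide 18 and the registration model of slide 19, as an added example rather than the session's scripts. It assumes the AD FS 2.0 snap-in, a claims provider trust named “ACS” created from the ACS namespace's metadata, a relying party trust named “SPDOCS”, a hypothetical SQL table layout and connection string, and a hypothetical LocalNameIdentifier claim URI; the identityprovider claim type is the one ACS 2.0 emits and nameidentifier is the standard SAML name identifier claim.

```powershell
# Added example (not the session's scripts): CONTOSO AD FS 2.0 rules for the ACS claims
# provider with registered consumer identities kept in a SQL attribute store.
# Assumptions: CP trust "ACS" and RP trust "SPDOCS" exist; table/column names,
# connection string and the LocalNameIdentifier claim URI are hypothetical.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$issuerId     = "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider"  # "IssuerID" on the slide
$issuerNameId = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"               # "IssuerNameID" on the slide
$localId      = "http://schemas.contoso.com/claims/LocalNameIdentifier"                               # hypothetical
$email        = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$role         = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

if (-not (Get-ADFSClaimDescription -ClaimType $localId)) {
    Add-ADFSClaimDescription -Name "LocalNameIdentifier" -ClaimType $localId -IsAccepted $true -IsOffered $false
}

# Registered consumer identities live in SQL (hypothetical schema):
#   ConsumerIdentity(IssuerId, IssuerNameId, LocalNameIdentifier, Email)
#   ConsumerRole(LocalNameIdentifier, RoleName)
if (-not (Get-ADFSAttributeStore -Name "SQL")) {
    Add-ADFSAttributeStore -Name "SQL" -StoreType SQL `
        -Configuration @{ "Connection" = "Server=sql.contoso.com;Database=ConsumerIds;Integrated Security=SSPI" }
}

# CP rules, ACS: the (identity provider, name identifier) pair is the primary key of a
# consumer identity. The Email and Name claims ACS forwards are NOT passed through;
# e-mail is looked up from Contoso's own registration table, so an unregistered
# consumer account produces no identity claim and SharePoint denies it.
# The {n} placeholders are filled from the param values by the attribute store.
$acsRules = @"
@RuleName = "Pass Through IssuerID"
c:[Type == "$issuerId"]
 => issue(claim = c);

@RuleName = "Pass Through IssuerNameID"
c:[Type == "$issuerNameId"]
 => issue(claim = c);

@RuleName = "Get & Issue LocalNameIdentifier"
c1:[Type == "$issuerId"] && c2:[Type == "$issuerNameId"]
 => issue(store = "SQL", types = ("$localId"),
          query = "SELECT LocalNameIdentifier FROM ConsumerIdentity WHERE IssuerId = {0} AND IssuerNameId = {1}",
          param = c1.Value, param = c2.Value);

@RuleName = "Get & Issue Email Address from LocalNameIdentifier"
c:[Type == "$localId"]
 => issue(store = "SQL", types = ("$email"),
          query = "SELECT Email FROM ConsumerIdentity WHERE LocalNameIdentifier = {0}", param = c.Value);
"@
Set-ADFSClaimsProviderTrust -TargetName "ACS" -AcceptanceTransformRules $acsRules

# RP rule appended for SPDOCS: roles for consumer users hang off the local identifier,
# so moving a person from one consumer IdP to another only changes their
# ConsumerIdentity row, never their SharePoint permissions.
$consumerRoleRule = @"
@RuleName = "Get roles based on LocalNameIdentifier"
c:[Type == "$localId"]
 => issue(store = "SQL", types = ("$role"),
          query = "SELECT RoleName FROM ConsumerRole WHERE LocalNameIdentifier = {0}", param = c.Value);
"@
$rp = Get-ADFSRelyingPartyTrust -Name "SPDOCS"
Set-ADFSRelyingPartyTrust -TargetName "SPDOCS" `
    -IssuanceTransformRules ($rp.IssuanceTransformRules + "`n" + $consumerRoleRule)
```

Keying the lookup on both IssuerID and IssuerNameID matters because a name identifier is only unique within the identity provider that issued it; a rule that matched on the name identifier alone would let an account at one consumer IdP be mistaken for a registered account at another.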

  20. Summary
      • AD FS 2.0 connects your SharePoint 2010 to
        • Your Active Directory users
        • Partner Organizations
        • Consumer Identities
      • Provide central authorization using claims sourced from AD FS 2.0 (and from any attribute store)
      • Harness the power of claims to transform data as needed by your applications

  21. Track Resources
      • Active Directory
        • WSV401: Tricks-of-the-Trade after More Than a Decade of Microsoft Active Directory (5/17 @ 5:00pm, C305)
        • SIM376-INT: Meet the Active Directory (Identity & Access) Product Group
      • AD FS 2.0
        • SIM402: Active Directory Federation Services, Part 1: How do they really work? (5/18 @ 3:15pm, B406)
        • SIM403: Active Directory Federation Services, Part 2: Building Federated Identity Solutions (5/18 @ 5pm, B406)
      • Cloud & Identity
        • SIM324: Using Windows Azure Access Control Service 2.0 with Your Cloud Application (5/17 @ 8:30am, C302)
        • SIM358: Preparing Identities for Cloud Services with Microsoft Forefront Identity Manager (5/17 @ 10:15am, C201)
        • SIM323: User Identity and Authentication for Desktop and Phone Applications (5/19 @ 2:45pm, C206)
      • O365
        • OSP215: Microsoft Office 365: Identity and Access Solutions (5/17 @ 3:15pm, B314)
        • SIM320: Using Active Directory with Microsoft Office 365 (5/19 @ 4:30pm, B402)
      • Hands-On Labs
        • COS277-HOL: Web Services and Identity in Windows Azure
        • SIM399-HOL: Managing Claims AuthN using FIM 2010
        • MID274-HOL: Introduction to the Windows Azure AppFabric Access Control Service V2

  22. Related Content
      • AD FS 2.0 Portal
      • AD FS 2.0 Content Map
      • Claims Based Identity Blog

  23. SharePoint 2010 Setup Scripts

  24. Configure SharePoint
      • ‘settings.xml’ file contains all the settings
      • PowerShell script (sharepointConfig.ps1)
        • Extracts trust information (certificate, URLs) from the AD FS 2.0 FederationMetadata document
        • Sets up Web Application
        • Sets up new SharePoint Team Site from template (‘STS#0’)

  25. Generate SharePoint Metadata
      • ‘settings.xml’ file contains all the settings
      • PowerShell script ‘generateSharePointMetadata.ps1’
        • Creates a FederationMetadata document that can be imported into AD FS 2.0

  26. Configure User Permissions
      • ‘userPermissionSettings.xml’ contains all the user data that needs to be provisioned
      • PowerShell script ‘giveUserPermission.ps1’
        • Provides user access using Email Address as the identifier for users
        • Provides the ability to use the ‘department’ claim for authorization as well
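The SharePoint side of slides 24 and 26 as one script, added here as an example; it is not sharepointConfig.ps1 or giveUserPermission.ps1 from the session, whose settings.xml schema is not shown. It runs in the SharePoint 2010 Management Shell and assumes a hypothetical settings.xml layout, issuer name, realm and account names; the cmdlets, the metadata URL path and the claim type URIs are the real ones.

```powershell
# Added example (not the session's scripts): trust CONTOSO AD FS 2.0 from SharePoint 2010,
# create the web application and team site, and grant permissions by e-mail and role claim.
# Assumptions: run in the SharePoint 2010 Management Shell; settings.xml layout, issuer
# name, realm and account names are hypothetical.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Constructed stand-in for settings.xml (the real file's schema is not on the slides).
[xml]$settings = @"
<settings>
  <adfs metadataUrl="https://sts.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml"
        issuerName="CONTOSO AD FS 2.0" />
  <webApp name="SPDOCS" url="https://docs.contoso.com" realm="urn:sharepoint:spdocs"
          appPool="SPDOCS-AppPool" appPoolAccount="CONTOSO\spfarm" template="STS#0" />
</settings>
"@
$adfs = $settings.settings.adfs
$app  = $settings.settings.webApp

$emailType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$roleType  = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# 1. Extract the token-signing certificate and the passive sign-in URL from the
#    AD FS 2.0 FederationMetadata document, using XPath with explicit namespaces.
$md = New-Object System.Xml.XmlDocument
$md.Load($adfs.metadataUrl)
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace("md",  "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("fed", "http://docs.oasis-open.org/wsfed/federation/200706")
$ns.AddNamespace("ds",  "http://www.w3.org/2000/09/xmldsig#")
$ns.AddNamespace("wsa", "http://www.w3.org/2005/08/addressing")
$ns.AddNamespace("xsi", "http://www.w3.org/2001/XMLSchema-instance")
$sts = $md.SelectSingleNode("//md:RoleDescriptor[contains(@xsi:type,'SecurityTokenServiceType')]", $ns)
$certB64   = $sts.SelectSingleNode("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns).InnerText
$signInUrl = $sts.SelectSingleNode("fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address", $ns).InnerText
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList (,[Convert]::FromBase64String($certB64.Trim()))
# This certificate is what SharePoint will trust for every token it receives, so confirm
# the thumbprint with the AD FS administrator before going further.
Write-Host "AD FS token-signing certificate thumbprint: $($cert.Thumbprint)"

# 2. Register AD FS as a trusted identity token issuer. E-mail is the identifier claim
#    (slide 26); Role is mapped so that role claims can be granted permissions.
$emailMap = New-SPClaimTypeMapping -IncomingClaimType $emailType -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$roleMap  = New-SPClaimTypeMapping -IncomingClaimType $roleType  -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
$issuer = New-SPTrustedIdentityTokenIssuer -Name $adfs.issuerName -Description "CONTOSO AD FS 2.0" `
    -Realm $app.realm -ImportTrustCertificate $cert -ClaimsMappings $emailMap,$roleMap `
    -SignInUrl $signInUrl -IdentifierClaim $emailMap.InputClaimType

# 3. Web application that accepts only the AD FS provider (no Windows fallback),
#    then a team site from the STS#0 template.
$provider = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $issuer
$acct = Get-SPManagedAccount $app.appPoolAccount
$webApp = New-SPWebApplication -Name $app.name -Url $app.url -Port 443 -SecureSocketsLayer `
    -ApplicationPool $app.appPool -ApplicationPoolAccount $acct -AuthenticationProvider $provider
$owner = New-SPClaimsPrincipal -ClaimValue "kobe@contoso.com" -ClaimType $emailType -TrustedIdentityTokenIssuer $issuer
New-SPSite -Url $app.url -Name $app.name -Template $app.template -OwnerAlias $owner.ToEncodedString() | Out-Null

# 4. Grant access by e-mail address (identity claim) and by Role claim, so the AD FS
#    rules (security group or B2BPartnerLevel -> Role) decide access centrally.
$reader = New-SPClaimsPrincipal -ClaimValue "kevin@contoso.com" -ClaimType $emailType -TrustedIdentityTokenIssuer $issuer
New-SPUser -UserAlias $reader.ToEncodedString() -Web $app.url -PermissionLevel "Read" | Out-Null
$contrib = New-SPClaimsPrincipal -ClaimValue "spdocs_contributors" -ClaimType $roleType -TrustedIdentityTokenIssuer $issuer
New-SPUser -UserAlias $contrib.ToEncodedString() -Web $app.url -PermissionLevel "Contribute" | Out-Null
```

Granting “Contribute” to the spdocs_contributors role claim rather than to individual e-mail addresses is what lets the partner and consumer scenarios work without touching SharePoint again: a Fabrikam user in the ‘Celtics’ department arrives with the same Role claim as a Contoso member of the spcontributors group, and both are authorized by the single entry above.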

  27. Track Resources
      Don’t forget to visit the Cloud Power area within the TLC (Blue Section) to see product demos and speak with experts about the Server & Cloud Platform solutions that help drive your business forward. You can also find the latest information about our products at the following links:
      • Cloud Power - http://www.microsoft.com/cloud/
      • Private Cloud - http://www.microsoft.com/privatecloud/
      • Windows Server - http://www.microsoft.com/windowsserver/
      • Windows Azure - http://www.microsoft.com/windowsazure/
      • Microsoft System Center - http://www.microsoft.com/systemcenter/
      • Microsoft Forefront - http://www.microsoft.com/forefront/

  28. Resources
      • Connect. Share. Discuss. http://northamerica.msteched.com
      • Learning: Sessions On-Demand & Community www.microsoft.com/teched; Microsoft Certification & Training Resources www.microsoft.com/learning
      • Resources for IT Professionals http://microsoft.com/technet; Resources for Developers http://microsoft.com/msdn

  29. Complete an evaluation on CommNet and enter to win!

  30. © 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
