Key Point: Federation relationships are based on trust
SharePoint Federation Gateway
Claim characteristics (slide diagram; terms only): Multiple / Unique / Dynamic; Temporal (e.g. /authenticationinstant, /authenticationmethod); Single / Instance specific / Dynamic; Single / Unique / Static / Stable
Planning steps (slide diagram):
  Identify authentication and provisioning: AD, ADFS, Public (other)
  Perform claims rationalization (families): IDs, Roles, Groups
  Define SharePoint container security: Web App policies, Site security
    URLs and federation realms
    Explicit Allow or Deny: Web Application Policy on a zone
    Explicit Allow: SP Groups, direct permission
Scenarios (slide diagram):
  Internal authentication: AD for corporate users (AD)
  Extranet with external authentication: collaboration by role; incoming groups mapped to roles; separating by roles (Sales, Legal and Portal users)
  Audience: private federation for partners (ADFS)
  Read only + audience: consumer IDs for customers (Live, G.., FB)
Private Federation with ADFS
Windows identity claim, encoded as i:0#.w|domain\sAMAccountName
  Position 1: "i" for identity claim (user unique identifier)
  Position 3: reserved as 0 (to enable more claim types in the future)
  Position 4: claim type encoded value (# = User Logon Name)
  Position 6: issuer type (w = Windows)
  After the pipe: claim value
  Decoded claim fields: ClaimType (User Logon Name), Value (domain\sAMAccountName), Value Type, OriginalIssuer (Windows)

Trusted provider identity claim
  Position 1: "i" for identity claim (user unique identifier)
  Position 3: reserved as 0 (to enable more claim types in the future)
  Position 4: claim type encoded value (e = UPN)
  Position 6: issuer type (t = Trusted)
  After the pipe: original issuer name (name of the membership role provider, or name of the trusted STS), then the claim value
  Decoded claim fields: ClaimType (UPN), Value, Value Type, OriginalIssuer (TrustedProvider:fedpartner)

SharePoint STS claim, encoded as c:0(.s|true
  Position 1: "c" for claim
  Position 3: reserved as 0 (to enable more claim types in the future)
  Position 4: claim type encoded value ("(" = IsAuthenticated)
  Position 6: issuer type (s = SharePoint STS)
  After the pipe: claim value (true)
  Decoded claim fields: ClaimType (IsAuthenticated), Value (true), Value Type, OriginalIssuer (SecurityTokenService)

Trusted provider claim with a custom claim type
  Position 1: "c" for claim
  Position 3: reserved as 0 (to enable more claim types in the future)
  Position 4: claim type encoded value (the "next" ASCII character, i.e. the next unused code assigned when the claim type is mapped)
  Position 6: issuer type (t = Trusted)
  After the pipe: original issuer name (name of the membership role provider, or name of the trusted STS), then the claim value
  Decoded claim fields (as shown on the slide): TrustedPartner, OriginalIssuer (TrustedProvider:fedpartner)
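The encoding rules above (the kind character, the reserved 0, the claim-type character, the issuer-type character, and for trusted providers the original issuer name before the value) can be decoded mechanically. The Python decoder below is an added example, not code from the deck and not SharePoint's own implementation. The claim-type and issuer letters it recognises are the ones on the slides (#, e, ( and w, s, t); the forms issuer letter f, the provider names fedpartner and otherpartner, and the UPN alice@fedpartner.example are assumptions/constructed sample input. It also carries the check a defender wants when incoming groups from a federation are mapped to roles: the OriginalIssuer, not just the claim value, identifies who asserted the claim, which is the concrete sense in which federation relationships are based on trust.

```python
"""Decoder for SharePoint encoded claim strings such as i:0#.w|domain\\sAMAccountName.

Added example; the layout follows the slides:
  pos 1  'i' = identity claim, 'c' = any other claim
  pos 2  ':'
  pos 3  '0' reserved
  pos 4  one character for the claim type ('#' user logon name, 'e' UPN,
         '(' IsAuthenticated; custom types get the next unused character)
  pos 5  '.'
  pos 6  issuer type ('w' Windows, 's' SharePoint STS, 't' trusted provider)
  pos 7  '|'
  rest   trusted-provider style issuers: <original issuer name>|<value>
         other issuers: <value>
"""
from dataclasses import dataclass

CLAIM_TYPES = {"#": "UserLogonName", "e": "UPN", "(": "IsAuthenticated"}

ISSUER_TYPES = {
    "w": "Windows",
    "s": "SecurityTokenService",
    "t": "TrustedProvider",
    "f": "Forms",  # assumption: forms-based membership providers, not on the slide
}

# Issuer types whose encoding carries the original issuer's name before the value.
ISSUERS_WITH_NAME = {"t", "f"}


@dataclass(frozen=True)
class DecodedClaim:
    is_identity: bool
    claim_type: str       # decoded name, or "Custom(<char>)" for an unmapped character
    issuer_type: str
    original_issuer: str  # e.g. "Windows", "SecurityTokenService", "TrustedProvider:fedpartner"
    value: str


def decode_claim(encoded: str) -> DecodedClaim:
    """Parse one encoded claim; raise ValueError on anything that breaks the layout."""
    if len(encoded) < 8:
        raise ValueError("encoded claim too short")
    kind, colon, reserved, ctype, dot, itype, pipe = encoded[:7]
    if kind not in "ic" or colon != ":" or reserved != "0" or dot != "." or pipe != "|":
        raise ValueError(f"malformed claim header: {encoded[:7]!r}")
    if itype not in ISSUER_TYPES:
        raise ValueError(f"unknown issuer type {itype!r}")
    rest = encoded[7:]
    if itype in ISSUERS_WITH_NAME:
        # Provider-issued claims name the issuer first; the value follows the next pipe.
        name, sep, value = rest.partition("|")
        if not sep or not name:
            raise ValueError("issuer name missing for provider-issued claim")
        original_issuer = f"{ISSUER_TYPES[itype]}:{name}"
    else:
        original_issuer = ISSUER_TYPES[itype]
        value = rest
    if not value:
        raise ValueError("claim value missing")
    return DecodedClaim(
        is_identity=(kind == "i"),
        claim_type=CLAIM_TYPES.get(ctype, f"Custom({ctype})"),
        issuer_type=ISSUER_TYPES[itype],
        original_issuer=original_issuer,
        value=value,
    )


def issued_by(encoded: str, expected_issuer: str) -> bool:
    """True only if the claim was asserted by the issuer a role mapping expects.

    Two claims with the same value but different original issuers are different
    principals; a group-to-role mapping for the 'fedpartner' trust must not
    accept the same group name asserted by another provider.
    """
    return decode_claim(encoded).original_issuer == expected_issuer


# Constructed sample input: the first two strings are the slide's examples,
# the last two are assumed trusted-provider claims.
SAMPLE_CLAIMS = [
    r"i:0#.w|domain\sAMAccountName",
    "c:0(.s|true",
    "i:0e.t|fedpartner|alice@fedpartner.example",
    "i:0e.t|otherpartner|alice@fedpartner.example",
]

if __name__ == "__main__":
    for claim in SAMPLE_CLAIMS:
        print(claim, "->", decode_claim(claim))
    print("trusted:", issued_by(SAMPLE_CLAIMS[2], "TrustedProvider:fedpartner"))
    print("trusted:", issued_by(SAMPLE_CLAIMS[3], "TrustedProvider:fedpartner"))
```

The strict header check matters more than it looks: an encoded claim is a principal name that ends up in site permissions and web application policies, so a string that does not fit the layout should be rejected rather than guessed at, and a claim type the farm has never mapped shows up as Custom(...) instead of silently matching a known type.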
Public Federation with Azure
Custom Claims Provider
BONUS – FB Group Claim Provider