Cross-Org Collaboration using SharePoint 2010 & AD FS 2.0
SIM319, Tech Ed North America 2010
Samuel Devasahayam, Lead Program Manager, Identity & Access, Microsoft
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Microsoft Claims-Based Access Model
(diagram) Parties: End User; Directory (AD DS); Security Token Service (AD FS 2.0); a claims-aware application built on the Claims Framework (WIF), containing the App Business Logic and the Resource Provider.
Configuration, done once:
- Establish the relationship / trust between the STS and the application (signing key)
- Configure the claims rules (Federation Metadata)
Runtime flow:
1. End user gets the application's policy
2. AuthN (credentials) against the STS, backed by AD DS
3. STS gets the user's claims from the directory
4. AuthN (claims): the signed token is presented to the application
5. Grant/deny access
AD FS 2.0 Scenarios
- Single sign-on (SSO) for internal use: provide Active Directory users access to claims-aware applications and services
- SSO to outsourced services or the cloud: provide Active Directory users access to applications and services of other organizations
- Providing outsourced services: provide users in another organization access to your claims-aware applications and services
SharePoint 2007 / SharePoint 2010 – Identity Flow
(diagram: Client -> SharePoint Web Application -> SharePoint Service Applications -> Content Database)
SharePoint 2007:
- Authentication methods: Windows integrated, Forms (membership & role providers), Web SSO, anonymous access
- Identity inside the farm: Windows Identity
- Access control: roles protected
SharePoint 2010:
- Authentication methods: Windows, Forms, SAML / Web SSO; the application is claims-aware, and the SharePoint STS (SP-STS, built on WIF) issues the claims
- Identity inside the farm: claims-based identity, carried from the web application to the service applications (trusted sub-systems) over the WIF-based Services Application Framework
- Access control: claims protected
Why AD FS 2.0 with SharePoint 2010?
- Web SSO to multiple applications: seamless login to multiple applications; source claims from any arbitrary store in your organization
- Federate with partner orgs: enable access for partner organizations; connect to organizations via the SAML protocol
- Provide access to consumer IDs: enable access with consumer IDs (Live, Google, Yahoo, Facebook)
- Flexible authorization with claims: use centralized roles and claims to grant access; use claims transformations in AD FS 2.0 to shape the data to what your application needs
Configure SharePoint 2010 with AD FS 2.0 (demo)
Configuration (demo: Contoso users): CONTOSO AD, CONTOSO.COM AD FS 2.0 and SharePoint 2010 (relying party SPDOCS), all in CONTOSO; users Kobe and Kevin
1. Request webpage from SharePoint 2010
2. Unauthorized! Get a token from CONTOSO
3. Authenticate (CONTOSO AD FS 2.0, backed by AD)
4. Token for SPDOCS
5. Send token and get access
Identity Normalization (slide from Microsoft SharePoint Conference 2009)
Whatever the sign-in method, SharePoint 2010 ends up with one SPUser; in claims mode every identity is first normalized into a claims-based identity, for which the SP-STS issues a SAML token:
- Windows: NT token -> Windows identity
- Anonymous user: NT token -> Windows identity
- ASP.NET forms-based authentication (SQL, LDAP, custom membership providers)
- SAML / WS-Fed: claims identity
Classic mode: NT token -> Windows identity -> SPUser. Claims mode: any of the above -> SAML token -> claims-based identity -> SPUser.
Sign-In (screenshot slide, Microsoft SharePoint Conference 2009)
AD FS 2.0 Rule Configuration (CONTOSO AD FS 2.0)
Claims provider (CP) rules, AD Authority:
- Pass through
- Group info: get from AD
Relying party (RP) rules, SPDOCS:
- Pass through
- Transform 'SG'='spreaders' to 'Role'='spdocs_readers'
- Transform 'SG'='spcontributors' to 'Role'='spdocs_contributors'
Key Learning
- Abstract authorization via claims/roles for easier management
- Simplify setup with AD FS federation metadata
AD FS 2.0 rule learning:
- Send AD attributes as claims
- Convert security groups to Role claims
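The two rule sets from the rule-configuration slide, written out in the AD FS 2.0 claim rule language and applied with the AD FS PowerShell snap-in. This is an added example, not the session's demo scripts; the relying party name "SPDOCS", the identifier urn:sharepoint:spdocs and the WS-Federation endpoint https://spdocs.contoso.com/_trust/ are assumed values. The security-relevant detail is that the group-to-role mapping happens in the STS: SharePoint trusts any Role claim in a token signed by AD FS, so the RP rule set is kept minimal (no "pass through all claims") and the token-signing key is the thing to protect.

```powershell
# Added example, not the session's demo scripts: build the rule sets from the
# "AD FS 2.0 Rule Configuration" slide with the AD FS 2.0 cmdlets. Hypothetical values:
# RP name "SPDOCS", identifier urn:sharepoint:spdocs, endpoint https://spdocs.contoso.com/_trust/.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# CP rules on the built-in "Active Directory" claims provider trust (issuer "AD AUTHORITY").
# Keep the default pass-through and add the LDAP lookup of mail and group membership
# (tokenGroups resolves to group names, carried as Group claims).
$cpRules = @'
@RuleName = "Pass through"
c:[] => issue(claim = c);

@RuleName = "Get mail and groups from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/claims/Group"),
          query = ";mail,tokenGroups;{0}", param = c.Value);
'@
Set-ADFSClaimsProviderTrust -TargetName "Active Directory" -AcceptanceTransformRules $cpRules

# RP rules for SPDOCS: pass through the e-mail (SharePoint's identifier claim) and turn
# the two security groups into Role claims. Group claims for any other group are simply
# not issued, so the application only ever sees the roles it was designed around.
$rpRules = @'
@RuleName = "Pass through e-mail"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(claim = c);

@RuleName = "SG spreaders -> Role spdocs_readers"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value == "spreaders"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "spdocs_readers");

@RuleName = "SG spcontributors -> Role spdocs_contributors"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value == "spcontributors"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "spdocs_contributors");
'@

# An RP with no issuance authorization rule gets no token at all. This one permits every
# authenticated user and leaves authorization to the Role claims inside SharePoint.
$authzRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

Add-ADFSRelyingPartyTrust -Name "SPDOCS" `
    -Identifier "urn:sharepoint:spdocs" `
    -WSFedEndpoint "https://spdocs.contoso.com/_trust/" `
    -IssuanceTransformRules $rpRules `
    -IssuanceAuthorizationRules $authzRules

# Check: what this RP can receive is exactly the rule text above, nothing inherited.
(Get-ADFSRelyingPartyTrust -Name "SPDOCS").IssuanceTransformRules
```

If the SharePoint side has produced a federation metadata document, Add-ADFSRelyingPartyTrust -MetadataFile (or -MetadataUrl) replaces the explicit -Identifier and -WSFedEndpoint arguments; the rule sets are still supplied by hand.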
Extend SharePoint 2010 to partner Organizations with AD FS 2.0 (demo)
Configuration (demo: partner users): CONTOSO (AD, AD FS 2.0, SharePoint 2010) and partner FABRIKAM (AD, AD FS 2.0); users Lebron and Ray
1. Request website (SharePoint 2010, CONTOSO)
2. Unauthorized! Give me a token
3. Hey, I'm from FABRIKAM! (home realm selection at CONTOSO AD FS)
4. Sorry, but you need a token from FABRIKAM
5. Authenticate to FABRIKAM
6. Get token for CONTOSO
7. Send token to CONTOSO from FABRIKAM!
8. Token for SP2010
9. Present token and gain access
AD FS 2.0 Rule Configuration (CONTOSO AD FS 2.0, with partner FABRIKAM)
CP rules, AD Authority:
- Pass through
- Group info: get from AD
CP rules, FABRIKAM (FABRIKAM AD FS issues the Department claim):
- Pass through only with suffix
- Issue claim: transform 'Department'='Heat' to 'B2BPartnerLevel'='Level1'
- Issue claim: transform 'Department'='Celtics' to 'B2BPartnerLevel'='Level2'
RP rules, SPDOCS:
- Pass through
- Transform 'SG'='spreaders' to 'Role'='spdocs_readers'
- Transform 'SG'='spcontributors' to 'Role'='spdocs_contributors'
- Transform 'B2BPartnerLevel'='Level1' to 'Role'='spdocs_readers'
- Transform 'B2BPartnerLevel'='Level2' to 'Role'='spdocs_contributors'
Key Learning
- Set up a partner trust to extend SharePoint to partner organizations
AD FS 2.0 rule learning:
- Normalize organizational access levels via claims provider trust rules
- Create new claim descriptions to aid managing your rules
- Convert the Fabrikam 'Department' claim to a Contoso 'B2BPartnerLevel' claim
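The partner trust from the preceding rule-configuration and key-learning slides, as an added example (not the session's scripts). It assumes a Fabrikam metadata URL, a claim type URI for Fabrikam's Department claim and one for Contoso's B2BPartnerLevel claim; none of these are given on the slides. The point to notice is that everything a partner STS asserts is untrusted input: the acceptance rules accept the e-mail only with Fabrikam's own suffix (otherwise Fabrikam's STS could mint kevin@contoso.com and become that SharePoint user), never pass a Role or Group claim through from the partner, and map Department onto a Contoso-owned level claim that the RP rules then turn into roles.

```powershell
# Added example, not the session's scripts: claims provider trust for FABRIKAM on the
# CONTOSO AD FS 2.0, plus the SPDOCS relying party rules that consume the normalized level.
# Hypothetical: the Fabrikam metadata URL and both custom claim type URIs.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$deptType  = "http://schemas.fabrikam.com/claims/Department"      # assumed: what Fabrikam issues
$levelType = "http://schemas.contoso.com/claims/B2BPartnerLevel"  # assumed: Contoso-local claim

# New claim description so the level shows up by name when editing rules in the console.
Add-ADFSClaimDescription -Name "B2BPartnerLevel" -ClaimType $levelType -IsAccepted $true -IsOffered $false

# Acceptance (CP) rules for FABRIKAM. Only three things come in: a suffix-checked e-mail
# and the two mapped levels. Unlisted departments get no level, hence no role.
$fabrikamRules = @'
@RuleName = "Pass through e-mail only with the fabrikam.com suffix"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", Value =~ "^[^@]+@fabrikam\.com$"]
 => issue(claim = c);

@RuleName = "Department Heat -> B2BPartnerLevel Level1"
c:[Type == "http://schemas.fabrikam.com/claims/Department", Value == "Heat"]
 => issue(Type = "http://schemas.contoso.com/claims/B2BPartnerLevel", Value = "Level1");

@RuleName = "Department Celtics -> B2BPartnerLevel Level2"
c:[Type == "http://schemas.fabrikam.com/claims/Department", Value == "Celtics"]
 => issue(Type = "http://schemas.contoso.com/claims/B2BPartnerLevel", Value = "Level2");
'@

Add-ADFSClaimsProviderTrust -Name "FABRIKAM" `
    -MetadataUrl "https://adfs.fabrikam.com/FederationMetadata/2007-06/FederationMetadata.xml" `
    -AcceptanceTransformRules $fabrikamRules

# RP rules for SPDOCS: the Contoso group transforms stay, and the partner level is mapped
# to the same two roles. Role is therefore only ever minted here, never accepted from outside.
$rpRules = @'
@RuleName = "Pass through e-mail"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(claim = c);

@RuleName = "SG spreaders -> Role spdocs_readers"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value == "spreaders"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "spdocs_readers");

@RuleName = "SG spcontributors -> Role spdocs_contributors"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value == "spcontributors"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "spdocs_contributors");

@RuleName = "B2BPartnerLevel Level1 -> Role spdocs_readers"
c:[Type == "http://schemas.contoso.com/claims/B2BPartnerLevel", Value == "Level1"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "spdocs_readers");

@RuleName = "B2BPartnerLevel Level2 -> Role spdocs_contributors"
c:[Type == "http://schemas.contoso.com/claims/B2BPartnerLevel", Value == "Level2"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "spdocs_contributors");
'@
Set-ADFSRelyingPartyTrust -TargetName "SPDOCS" -IssuanceTransformRules $rpRules

# Check: the partner trust must not carry a blanket pass-through.
(Get-ADFSClaimsProviderTrust -Name "FABRIKAM").AcceptanceTransformRules
```

The Department values are chosen by the Fabrikam administrator, so the level a partner user lands in is ultimately Fabrikam's decision; the acceptance rules bound that decision to two known levels and keep the identifier claim within Fabrikam's own e-mail domain.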
Extend SharePoint 2010 to Consumer Identities with AD FS 2.0 & ACS (demo)
Configuration (demo: consumer identities): CONTOSO (AD, AD FS 2.0 as the CONTOSO STS, SharePoint 2010) with an identity trust to CONTOSO ACS (Windows Azure Access Control Service), which fronts the consumer identity providers; users Charles and Kenny
1. Request website
2. Unauthorized! Give me a token (CONTOSO STS)
3. I have a Consumer ID!
4. You need a token from my ACS
5. Authenticate (the slide label still reads "Authenticate to FABRIKAM"; in this demo the authentication happens at the consumer identity provider behind ACS)
6. Get token for CONTOSO
7. Token to CONTOSO from my ACS
8. Token for SP2010
9. Present token and gain access
AD FS 2.0 Rule Configuration (CONTOSO AD FS 2.0, with FABRIKAM and ACS)
CP rules, AD Authority:
- Pass through
- Group info: get from AD
CP rules, FABRIKAM:
- Pass through only with suffix
- Issue claim: transform 'Department'='Heat' to 'B2BPartnerLevel'='Level1'
- Issue claim: transform 'Department'='Celtics' to 'B2BPartnerLevel'='Level2'
CP rules, ACS (ACS issues IssuerID and IssuerNameID):
- Pass through IssuerID
- Pass through IssuerNameID
RP rules, SPDOCS:
- Pass through
- Transform 'SG'='spreaders' to 'Role'='spdocs_readers'
- Transform 'SG'='spcontributors' to 'Role'='spdocs_contributors'
- Transform 'B2BPartnerLevel'='Level1' to 'Role'='spdocs_readers'
- Transform 'B2BPartnerLevel'='Level2' to 'Role'='spdocs_contributors'
- Get & issue LocalNameIdentifier (SQL attribute store, keyed on IssuerID and IssuerNameID)
- Get & issue Address from LocalNameIdentifier (SQL)
- Issue Name
- Get roles based on LocalNameIdentifier
Key Learning
- Evaluate consumer identities against the sensitivity level of the resources you want to expose
- Register consumer identities, so provisioning and access stay under your control
- Always use the IssuerID and IssuerNameIdentifier claims from ACS together as the primary key for a consumer identity
- Convert that key to a local identifier in your realm, so the same local identifier can later be re-pointed at a different consumer identity ("Hey, I moved from Google ID to Facebook")
AD FS 2.0 rule learning:
- Source claims from different attribute stores, like SQL
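The ACS rules and the SQL attribute store from the preceding two slides, as an added example (not the session's scripts). Assumed: the ACS namespace and metadata URL, the table layout, a Contoso claim type URI for LocalNameIdentifier, and that the slides' IssuerID and IssuerNameID correspond to the identityprovider and nameidentifier claim types ACS 2.0 emitted. Windows Azure ACS has since been retired; the pattern (composite key from an external IdP, resolved to a locally owned identifier) applies to any external identity provider. Two details matter: a name identifier is only unique within its issuer, so both claims are used as the lookup key; and an unregistered consumer matches no row, gets no e-mail or Role claim, and is rejected by SharePoint.

```powershell
# Added example, not the session's scripts: consumer sign-in through ACS with a SQL
# attribute store mapping (IssuerID, IssuerNameID) to a local identifier.
# Hypothetical: ACS metadata URL, SQL schema and connection string, the local claim URI.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Contoso's own stable key for a consumer; never shown to the consumer IdP.
$localIdType = "http://schemas.contoso.com/claims/LocalNameIdentifier"   # assumed
Add-ADFSClaimDescription -Name "LocalNameIdentifier" -ClaimType $localIdType -IsAccepted $true -IsOffered $false

# Registered consumers live in SQL. Assumed schema:
#   ConsumerUsers(IssuerId, IssuerNameId, LocalId, Address)
#   ConsumerRoles(LocalId, RoleName)
# The {n} placeholders in the queries below are bound as parameters by the SQL attribute
# store; do not build the query text yourself from claim values.
Add-ADFSAttributeStore -Name "ConsumerIdentityDB" -StoreType SQL `
    -Configuration @{ "Connection String" = "Server=sql01.contoso.com;Database=ConsumerIds;Integrated Security=True" }

# CP rules for the ACS trust: only the two claims that identify the caller come through.
$acsRules = @'
@RuleName = "Pass through IssuerID"
c:[Type == "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider"]
 => issue(claim = c);

@RuleName = "Pass through IssuerNameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"]
 => issue(claim = c);
'@
Add-ADFSClaimsProviderTrust -Name "CONTOSO ACS" `
    -MetadataUrl "https://contoso.accesscontrol.windows.net/FederationMetadata/2007-06/FederationMetadata.xml" `
    -AcceptanceTransformRules $acsRules

# RP rules for SPDOCS (the AD and FABRIKAM rules from the earlier demos would sit in this
# same rule set; only the ACS-specific rules are shown). Rules run in order and issued
# claims feed the later rules, so LocalNameIdentifier is resolved first.
$rpRules = @'
@RuleName = "Get LocalNameIdentifier from (IssuerID, IssuerNameID)"
c1:[Type == "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider"]
 && c2:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"]
 => issue(store = "ConsumerIdentityDB",
          types = ("http://schemas.contoso.com/claims/LocalNameIdentifier"),
          query = "SELECT LocalId FROM ConsumerUsers WHERE IssuerId = {0} AND IssuerNameId = {1}",
          param = c1.Value, param = c2.Value);

@RuleName = "Get Address from LocalNameIdentifier"
c:[Type == "http://schemas.contoso.com/claims/LocalNameIdentifier"]
 => issue(store = "ConsumerIdentityDB",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"),
          query = "SELECT Address FROM ConsumerUsers WHERE LocalId = {0}", param = c.Value);

@RuleName = "Get roles from LocalNameIdentifier"
c:[Type == "http://schemas.contoso.com/claims/LocalNameIdentifier"]
 => issue(store = "ConsumerIdentityDB",
          types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"),
          query = "SELECT RoleName FROM ConsumerRoles WHERE LocalId = {0}", param = c.Value);
'@
Set-ADFSRelyingPartyTrust -TargetName "SPDOCS" -IssuanceTransformRules $rpRules

# Check: the attribute store is registered and the ACS trust passes only two claim types.
Get-ADFSAttributeStore -Name "ConsumerIdentityDB"
(Get-ADFSClaimsProviderTrust -Name "CONTOSO ACS").AcceptanceTransformRules
```

Moving a consumer from one IdP to another is then a single row update on (IssuerId, IssuerNameId); the Address and roles, and every SharePoint permission keyed on them, stay with the LocalId.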
Summary
AD FS 2.0 connects your SharePoint 2010 to:
- Your Active Directory users
- Partner organizations
- Consumer identities
Provide central authorization using claims sourced from AD FS 2.0 (and from any attribute store). Harness the power of claims to transform data as needed by your applications.
Track Resources (Tech Ed North America 2010)
Active Directory:
- WSV401: Tricks-of-the-Trade after More Than a Decade of Microsoft Active Directory (5:00pm, C305)
- SIM376-INT: Meet the Active Directory (Identity & Access) Product Group
AD FS 2.0:
- SIM402: Active Directory Federation Services, Part 1: How do they really work? (3:15pm, B406)
- SIM403: Active Directory Federation Services, Part 2: Building Federated Identity Solutions (5pm, B406)
Cloud & Identity:
- SIM324: Using Windows Azure Access Control Service 2.0 with Your Cloud Application (8:30am, C302)
- SIM358: Preparing Identities for Cloud Services with Microsoft Forefront Identity Manager (10:15am, C201)
- SIM323: User Identity and Authentication for Desktop and Phone Applications (2:45pm, C206)
Office 365:
- OSP215: Microsoft Office 365: Identity and Access Solutions (3:15pm, B314)
- SIM320: Using Active Directory with Microsoft Office 365 (4:30pm, B402)
Hands-On Labs:
- COS277-HOL: Web Services and Identity in Windows Azure
- SIM399-HOL: Managing Claims AuthN using FIM 2010
- MID274-HOL: Introduction to the Windows Azure AppFabric Access Control Service V2
Related Content
- AD FS 2.0 Portal
- AD FS 2.0 Content Map
- Claims Based Identity Blog
SharePoint 2010 Setup Scripts
Configure SharePoint
- 'settings.xml' contains all the settings
- PowerShell script 'sharepointConfig.ps1':
  - extracts the trust information (certificate, URLs) from the AD FS 2.0 FederationMetadata document
  - sets up the web application
  - sets up a new SharePoint team site from the template ('STS#0')
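The same three steps as sharepointConfig.ps1, as an added example that is not the session's script: the settings.xml values are folded into a hashtable, and every hostname, the realm, the application pool account and the site owner are assumed values. Run it in the SharePoint 2010 Management Shell as a farm administrator. Two things to check that the slide does not spell out: the Realm must equal the identifier AD FS uses for the relying party (otherwise AD FS issues a token for the wrong audience and SharePoint rejects it), and the signing certificate pulled from the metadata is what SharePoint will trust from now on, so look at its thumbprint and validity before registering it.

```powershell
# Added example, not the session's sharepointConfig.ps1. Hypothetical values below.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$settings = @{
    MetadataUrl = "https://adfs.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml"
    IssuerName  = "CONTOSO AD FS"
    Realm       = "urn:sharepoint:spdocs"    # must equal the RP identifier configured in AD FS
    WebAppName  = "SPDOCS"
    WebAppUrl   = "https://spdocs.contoso.com"
    AppPoolAcct = "CONTOSO\spfarm"
    OwnerEmail  = "kevin@contoso.com"
}
$emailType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$roleType  = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# 1. Trust information from the AD FS federation metadata: the token-signing certificate
#    and the passive (WS-Federation) endpoint users are redirected to. PowerShell's XML
#    adapter exposes elements by local name, so the STS role is picked by its xsi:type.
[xml]$md = (New-Object System.Net.WebClient).DownloadString($settings.MetadataUrl)
$sts = @($md.EntityDescriptor.RoleDescriptor) | Where-Object { $_.type -eq "fed:SecurityTokenServiceType" }
if (-not $sts) { throw "metadata has no SecurityTokenServiceType role descriptor" }
$b64 = (@($sts.KeyDescriptor) | Where-Object { $_.use -eq "signing" } | Select-Object -First 1).KeyInfo.X509Data.X509Certificate
$signInUrl = $sts.PassiveRequestorEndpoint.EndpointReference.Address
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[Convert]::FromBase64String($b64))

# Look before trusting: this thumbprint is what every SharePoint token must be signed with.
"Signing cert {0}, subject {1}, valid {2:d} to {3:d}; sign-in URL {4}" -f `
    $cert.Thumbprint, $cert.Subject, $cert.NotBefore, $cert.NotAfter, $signInUrl

# 2. SharePoint must chain the signing certificate to a trusted root. The AD FS 2.0 default
#    signing certificate is self-signed, so it is registered as its own root authority.
New-SPTrustedRootAuthority -Name "$($settings.IssuerName) Token Signing" -Certificate $cert | Out-Null

$emailMap = New-SPClaimTypeMapping -IncomingClaimType $emailType -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$roleMap  = New-SPClaimTypeMapping -IncomingClaimType $roleType  -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

$issuer = New-SPTrustedIdentityTokenIssuer -Name $settings.IssuerName `
    -Description "CONTOSO AD FS 2.0" -Realm $settings.Realm `
    -ImportTrustCertificate $cert -ClaimsMappings $emailMap, $roleMap `
    -SignInUrl $signInUrl -IdentifierClaim $emailType

# 3. Claims web application on SSL that accepts only this trusted identity provider.
$provider = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $issuer
New-SPWebApplication -Name $settings.WebAppName `
    -Url $settings.WebAppUrl -Port 443 -SecureSocketsLayer `
    -HostHeader ([Uri]$settings.WebAppUrl).Host `
    -ApplicationPool "$($settings.WebAppName) AppPool" `
    -ApplicationPoolAccount (Get-SPManagedAccount $settings.AppPoolAcct) `
    -AuthenticationProvider $provider | Out-Null

# 4. Team site (template STS#0) owned by a Contoso user's claims identity. The encoded
#    login (i:0e.t|<issuer>|<e-mail>) is produced by SharePoint, not typed by hand.
$owner = New-SPClaimsPrincipal -ClaimValue $settings.OwnerEmail -ClaimType $emailType -TrustedIdentityTokenIssuer $issuer
New-SPSite -Url $settings.WebAppUrl -OwnerAlias $owner.ToEncodedString() -Template "STS#0" -Name $settings.WebAppName
```

Because the identifier claim is the e-mail address, whoever can get AD FS to issue a given e-mail claim is that SharePoint user; this is why the partner acceptance rules restrict e-mail claims to the partner's own suffix.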
Generate SharePoint Metadata
- 'settings.xml' contains all the settings
- PowerShell script 'generateSharePointMetadata.ps1' creates a FederationMetadata document that can be imported into AD FS 2.0
Configure User Permissions
- 'userPermissionSettings.xml' contains all the user data that needs to be provisioned
- PowerShell script 'giveUserPermission.ps1':
  - grants user access using Address as the identifier for users
  - can also use the 'department' claim for authorization
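A provisioning script in the shape of giveUserPermission.ps1, as an added example that is not the session's script: individual users are granted by Address (the identifier claim), whole populations by a role or department claim. The issuer name "CONTOSO AD FS", the site URL, the department claim type URI and the inline XML (constructed here in place of userPermissionSettings.xml) are assumptions; a claim type can only be used for permissions if it is also in the trusted issuer's claim mappings.

```powershell
# Added example, not the session's giveUserPermission.ps1. Hypothetical values below.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl    = "https://spdocs.contoso.com"
$issuer     = Get-SPTrustedIdentityTokenIssuer -Identity "CONTOSO AD FS"
$claimTypes = @{
    address    = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
    role       = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
    department = "http://schemas.fabrikam.com/claims/Department"   # assumed; must be mapped on the issuer
}

# Constructed stand-in for userPermissionSettings.xml.
[xml]$perms = @'
<permissions>
  <user address="kevin@contoso.com" level="Full Control" />
  <user address="ray@fabrikam.com"  level="Read" />
  <claim type="role"       value="spdocs_readers"      level="Read" />
  <claim type="role"       value="spdocs_contributors" level="Contribute" />
  <claim type="department" value="Celtics"             level="Read" />
</permissions>
'@

function Grant-ClaimPermission {
    param([string]$ClaimType, [string]$ClaimValue, [string]$Level)
    # SharePoint encodes the principal itself (i:0e.t|issuer|value for the identity claim,
    # c:0-.t|issuer|value for any other claim); hand-built strings are a common source of
    # "user not found" and, worse, of silently granting the wrong principal.
    $principal = New-SPClaimsPrincipal -ClaimValue $ClaimValue -ClaimType $ClaimType -TrustedIdentityTokenIssuer $issuer
    $encoded   = $principal.ToEncodedString()
    New-SPUser -UserAlias $encoded -Web $siteUrl -PermissionLevel $Level | Out-Null
    "{0,-12} {1}" -f $Level, $encoded
}

foreach ($u in @($perms.permissions.user)) {
    Grant-ClaimPermission -ClaimType $claimTypes.address -ClaimValue $u.address -Level $u.level
}
foreach ($c in @($perms.permissions.claim)) {
    if (-not $claimTypes.ContainsKey($c.type)) { throw "unknown claim kind '$($c.type)'" }
    Grant-ClaimPermission -ClaimType $claimTypes[$c.type] -ClaimValue $c.value -Level $c.level
}

# Check: list every claims principal the site now grants, so stale partner entries show up.
Get-SPUser -Web $siteUrl |
    Where-Object { $_.UserLogin -like "*|*" } |
    Select-Object UserLogin, @{ Name = "Roles"; Expression = { ($_.Roles | ForEach-Object { $_.Name }) -join "," } }
```

Granting on a department claim means a partner administrator decides who gets in, since the partner's STS sets that value; granting on the Role claims that Contoso's own AD FS mints from B2BPartnerLevel keeps that decision at home, which is the point of the normalization rules.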
Resources: learning at http://northamerica.msteched.com (sessions on-demand & community, Microsoft certification & training, resources for IT professionals and for developers)