Presentation is loading. Please wait.

Presentation is loading. Please wait.

Eric Raff. Usergroup up

Published byAsher Lane Modified over 9 years ago

Similar presentations

Presentation on theme: "Eric Raff. Usergroup up"— Presentation transcript:

1 Eric Raff

2 Usergroup contacts: @SharePointUtah www.facebook.com/UtahSharePointUsersGro up www.UTSharePoint.com

3 Who am I  Roles: IAM Architect SharePoint Architect, Engineer Exchange Server Engineer OCS/Lync Engineer GroupWise was my middle name Author Teacher

4 Say What?  SSO  IWA  Classic Authentication  Claims Authentication  AuthN  AuthZ  IdP  RP / SP  ADFS  HRD  SAML  WS-Fed  SaaS  IDaaS

5 Answers:  SSO = Single Sign On (SSO)  IWA = Integrated Windows Authentication  SharePoint Classic Authentication  SharePoint Claims Authentication  AuthN = Authentication  AuthZ = Authorization  IdP = Identity Provider (Trusted IdP)  RP = Relying Party / SP = Service Provider  ADFS = Active Directory Federation Services  HRD = Home Realm Discovery  SAML = Security Assertion Markup Language  WS-Fed = WS-Federation  SaaS = Software as a Service  IDaaS = Identity as a Service

6 SSO Defined  End user logs in once and seamlessly can access many different web applications without needing to re- authenticate to each web application.  “Logs in once” could mean a workstation login, or a browser login.  It is NOT what I call “SAME Sign On” – using the same username each time to log into many different web applications.

7 The 3 SharePoint Doors  Authentication Options 1. Windows Authentication ○ Classic (domain\UserID) OR Claims (i:0#.w|domain\UserID) 2. Forms Authentication (i:0#.f|provider|UserID) ○.net membership provider (LDAP, SQL, Custom) 3. Trusted Identity Provider (c:0#.t|provider|IdentifyerClaim) ○ WS-Federation / SAML  If >1 door enabled, users see “picker page”.

8 Users SharePoint Identity  Each AuthN option is associated 1:1 with a users identity.  The Same user could be represented as 3 different identities to SharePoint depending on HOW the user authenticated to SharePoint. 1. (domain\eraff) OR (i:0#.w|domain\eraff) 2. (i:0#.f|provider|eraff) 3. (c:0#.t|provider|eric.raff@outlook.com) Having 3 options enabled at the same time is not common, but having 2 is.

9 Windows Authentication  Been around for years  401 challenge response – NTLM, Negotiate (Kerb)  Both Classic and Claims  Microsoft “bubble”  Every host name requires AuthN  NOT an internet friendly solution Browser/Computer must be able to access AD Domain Controller directly.

10 IWA Browser Matrix Browser Prompt HELL!

11 Forms Authentication .net membership provider LDAP identity store SQL identity store Custom  SharePoint collects user credentials and verifies them against identity store.  Must update 3 web.config files – tedious

12 Trusted Identity Provider  The Future of SSO – Web friendly using Federated authentication approaches  SharePoint NOT involved in AuthN  SharePoint IS still doing AuthZ  SharePoint is a Relying Party to an external “Trusted Identity Provider” (IdP) Anything that supports WS- Federation/SAML ○ ADFS, Windows Azure Access Control, Okta, PingIdentity, OneLogin etc.

13 Trusted IdP – the ugly  No name resolution OOTB – will affect how you authorize users in SharePoint.  MUST still enable Windows AuthN (claims) for core SP services (search)  Picker page – may need custom login page.  Possible Home Realm Discovery (HRD) issues if IdP have multiple AuthN sources.

14 SSO Ecosystem? On-Prem ADDS Domain Joined Workstation WebApps – SP, OWA, IIS, etc. SaaS

15 SSO Ecosystem…YEA On-Prem ADDS Domain Joined Workstation WebApps – SP, OWA, IIS, etc. O365 SaaS IdP DirSync

16 And Your IdP Is….  The heart of any SSO Architecture.  Picking an IdP should be carefully considered.  Lots of options with rapidly changing and evolving landscape.  Depends on company needs, culture, applications that need to participate, legacy apps etc.

17 IDaaS  Can significantly simplify an SSO deployment and implementation.  Will likely have a role in your future to some degree.  Bringing greater security offerings to table such as Multi-Factor Authentication (MFA), real time risk analysis, Mobile integration etc.

18 The Microsoft Cloud Ecosystem: Azure / Azure AD / O365 Microsoft Azure - PaaS Azure AD | AAD Premium - IDaaS SharePointExchangeLyncInTuneRMS Microsoft Datacenters in the Cloud Office 365 - SaaS OnPrem IdP

19 Bringing it Together  Is there any current SSO technology involved?  What web applications do you want to participate in SSO? SharePoint Office 365 SaaS providers Desktop Authentication (IWA)  Do you want Web SSO or Desktop + Web SSO?  What Authentication method should you use for SharePoint?

20 SSO Discovery Doc  Explains concepts and has 17 questions to help identify scope and impact for a SSO implementation. http://goo.gl/JOi5wW

21 THANK YOU! eric.raff@outlook.com

22 Please join us for SharePint! SharePint will be held at Red Rock Brewing, 254 South 200 West Salt Lake City, following the prize raffle

Download ppt "Eric Raff. Usergroup up"

Similar presentations

Office 365 Identity June 2013 Microsoft Office365 4/2/2017

Office 365 Identity June 2013 Microsoft Office365 4/2/2017
Agenda AD to Windows Azure AD Sync Options Federation Architecture

Agenda AD to Windows Azure AD Sync Options Federation Architecture
Core identity scenarios Federation and synchronization 2 3 Identity management overview 1 Additional features 4.

Core identity scenarios Federation and synchronization 2 3 Identity management overview 1 Additional features 4.
Authentication solutions for Outlook and Office 365 Multi-factor authentication for Office 365 Outlook client futures.

Authentication solutions for Outlook and Office 365 Multi-factor authentication for Office 365 Outlook client futures.
Dispatcher Conditional Expression Static Request Filter Attribute Filter Portal 1 1 2 2 4 4 3,6 5 5 7 7 8 8 9 9 1010 1010 DNS Hello User Sample (Gateway)

Dispatcher Conditional Expression Static Request Filter Attribute Filter Portal , DNS Hello User Sample (Gateway)
Implementing and Administering AD FS

Implementing and Administering AD FS
Microsoft Ignite /16/2017 3:28 PM

Microsoft Ignite /16/2017 3:28 PM
Federated sign-in WS-Federation WS-Trust SAML 2.0 Metadata Shibboleth Graph API Synchronize accounts Authentication.

Federated sign-in WS-Federation WS-Trust SAML 2.0 Metadata Shibboleth Graph API Synchronize accounts Authentication.
Microsoft Ignite /16/2017 4:55 PM

Microsoft Ignite /16/2017 4:55 PM
Sessions about to start – Get your rig on!. Notes from the field – Implement Hybrid Search and OneDrive for Business Chris Zhong - Microsoft Aaron Dinnage.

Sessions about to start – Get your rig on!. Notes from the field – Implement Hybrid Search and OneDrive for Business Chris Zhong - Microsoft Aaron Dinnage.
JourneyTEAM - www.journeyteam.com – 801.565.9199 Tales From The Field: 2010 to 2013 Upgrade Horror Stories and How to Avoid Creating a Horror of Your Own.

JourneyTEAM - – Tales From The Field: 2010 to 2013 Upgrade Horror Stories and How to Avoid Creating a Horror of Your Own.
IT can provide users with a common identity across on-premises or cloud- based services, leveraging Windows Server Active Directory and Azure Active.

IT can provide users with a common identity across on-premises or cloud- based services, leveraging Windows Server Active Directory and Azure Active.
4/17/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks.

4/17/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks.
Esri UC2013. Technical Workshop. Technical Workshop 2013 Esri International User Conference July 8–12, 2013 | San Diego, California Building Secure Applications.

Esri UC2013. Technical Workshop. Technical Workshop 2013 Esri International User Conference July 8–12, 2013 | San Diego, California Building Secure Applications.
Cloud app Cloud app Cloud app Separate username/password sign-in Manual or semi-automated provisioning Active Directory App Separate username/password.

Cloud app Cloud app Cloud app Separate username/password sign-in Manual or semi-automated provisioning Active Directory App Separate username/password.
SIM205. (On-Premises) Storage Servers Networking O/S Middleware Virtualization Data Applications Runtime You manage Infrastructure (as a Service)

SIM205. (On-Premises) Storage Servers Networking O/S Middleware Virtualization Data Applications Runtime You manage Infrastructure (as a Service)
User Microsoft Account Ex: User Organizational Account Ex: Microsoft Account Windows Azure Active Directory.

User Microsoft Account Ex: User Organizational Account Ex: Microsoft Account Windows Azure Active Directory.
Scenario covered in this presentation Separate credential from on- premises credential Authentication occurs via cloud directory service Does not.

Scenario covered in this presentation Separate credential from on- premises credential Authentication occurs via cloud directory service Does not.
OUC204. Recently Announced… Identity Integration Options 2 3 Identity Management Overview 1.

OUC204. Recently Announced… Identity Integration Options 2 3 Identity Management Overview 1.
Single Sign-On with Microsoft Azure

Single Sign-On with Microsoft Azure

Similar presentations

Ads by Google