SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How will SharePoint 2013 connect you to your partners?
2 likes1,656 views
The document outlines SharePoint 2013's capabilities for extranet applications and authentication, detailing its architecture, design considerations, and security features. It discusses various authentication modes including claims-based authentication and provides insights on shared portals for external users. Additionally, it highlights mobile experiences and licensing changes in SharePoint 2013.
![Constructive Feedback Is Appreciated
Great information,
but would like to
have learned more
about [Insert Topic]Brian – Your
presentation
was …
Good
Demos!
Thanks!](https://image.slidesharecdn.com/spfest2013dc-extranetsclaimsauthentication-130821211953-phpapp02/85/SharePointFest-2013-Washington-DC-SPT-103-SharePoint-2013-Extranets-How-will-SharePoint-2013-connect-you-to-your-partners-42-320.jpg)
More Related Content
Similar to SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How will SharePoint 2013 connect you to your partners? (20)
SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How will SharePoint 2013 connect you to your partners?
- 1. www.expertpointsolutions.com SharePoint 2013 Extranets & Authentication
- 2. About Brian Culver • SharePoint Solutions Architect for Expert Point Solutions • Based in Houston, TX • Author • Upcoming SharePoint 2013 Workflows • SharePoint 2010 Unleashed • Various White Papers • Speaker and Blogger
- 4. Session Agenda • Extranet Definition • Extranet Design Considerations & Challenges • Common Extranet Scenarios and Topologies • SharePoint Authentication • Mixed Mode vs. Multi-Authentication • Extranet Portal Structures • Mobile and Device Channels
- 5. Extranet - Definition • A web application that is shared with external users, such as partners, vendors, and customers • Common attributes for an extranet: • Sharing a private network or secured network • Requires authenticated access, but the identity of the consumer is not always known • Has better security controls than an Internet Web application but usually less secure than the Intranet • Web application
- 6. Extranet – Why? • Better Collaboration • Higher ROI • Employee Access 24/7 • Targeting content • Selling Products and Services • Better Support • Improved Efficiency • Improved Communication • Unite Workforce Experience • …
- 7. Extranet Design Considerations & Challenges Network Topology and Access On-premise scenarios Hybrid Scenarios Identity Management (AD, FBA, ADFS) Seamless Single Sign-on Experience Content Security and Access Antivirus - Client vs Server Mobile Device Experience Licensing
- 12. Hybrid Extranets • Using Office 365 – SaaS/PaaS – Avoid firewall and topology hassles – Allows “Sharing” with external users – 50 free External Users – With Enterprise accounts, 500 free External Users • Azure Infrastructure – IaaS – Build dedicated farms on the Microsoft Cloud – Scale Out – Add servers • Federate with corporate domain For more info: http://technet.microsoft.com/en-us/library/jj151794.aspx
- 13. Security Terms • Authentication is the mechanism whereby systems may securely identify their users • Creates an identity for security principal • Who am I? • Authorization is the mechanism by which a system determines what level of access a particular authenticated user should have to secured resources controlled by the system. • Determines what resources an identity has access to • What can I access?
- 14. SharePoint Authentication • SharePoint does not authenticate • Windows authentication via Windows server and IIS (Kerberos/NTLM) • FBA via ASP. NET and authentication providers (SQL, LDAP, etc.) • Web SSO via Active Directory Federation Services (ADFS) and other Identity Management Systems • SharePoint creates user profiles • SPUser object represents security principal • User Profile List in Site Collections track user profiles
- 15. SharePoint 2010 Security • SharePoint 2010 changes authentication • Uses classic mode and claims based authentication • Classic mode is SharePoint 2007 style legacy mode • Claims-based authentication is the new security model • What are the benefits? • Claims decouples SharePoint from the authentication provider • Allows SharePoint to support multiple authentication providers per URL • Identities can be passed without Kerberos delegation • Allows federation between organizations • ACLs can be configured with • DLs, Audiences and OUs
- 16. SharePoint 2013 Security • SharePoint 2013 authentication: • Still supports classic mode and claims based authentication • Claims-based authentication is the default security model • Supported Authentication modes: • Windows claims–mode sign-in (default) • SAML passive sign-in mode • ASP.NET membership and role passive sign-in • Windows classic–mode sign-in (deprecated in SP2013) • Claims authentication is basically the only way to go!
- 18. Claims-Based Terminology • Identity: security principal used to configure the security policy • Claim (Assertion): attribute of an identity (such as Login Name, AD Group, etc.) • Security Token: serialized set of claims (assertions) about an authenticated user.
- 19. Claim-based Authentication • Security Token Service (STS): builds, signs and issues security tokens. It can receive and submit tokens. • Issuing Authority: identity management system(s) that “knows” the claims (AD, ASP.NET, LiveID, etc.) • Identity Provider: trusted party that creates and submits claims • Relying Party: application that makes authorization decisions based on received claims
- 22. Mixed Mode Authentication vs Multi-Authentication Regular label-callout text Multi-AuthenticationMixed Authentication SharePoint Farm Web Application Extended Web Application Extended Web Application Extended Web Application Extended Web Application Zone: Custom Zone: Extranet Zone: Intranet Zone: Internet Zone: Default Windows Authentication FBA Authentication ... ... ... SharePoint Farm Web Application Extended Web Application Extended Web Application Extended Web Application Extended Web Application Zone: Custom Zone: Extranet Zone: Intranet Zone: Internet Zone: Default Windows Authentication FBA Authentication SAML Based Authentication FBA Authentication Windows Authentication ... ...
- 23. Auth Scenarios - Multi Authentication s
- 24. Authentication Scenarios Mixed Mode: When to Use It • • • • • • • •
- 25. Authentication Scenarios Multi Authentication: When to Use It • • • • •
- 26. FBA Claims Configuration 1. Run C:WindowsMicrosoft.NETFrameworkv2.0.xaspnet_regsql.exe or C:WindowsMicrosoft.NETFrameworkv4.0.xaspnet_regsql.exe 2. Enable Claims Authentication on Web Application via Central Administration 3. Modify web.config for the FBA Web Application 4. Modify web.config for Central Administration
- 27. FBA Claims Configuration 5. Modify web.config for Security Token Service • %programfiles%common filesMicrosoft Sharedweb server extensions14WebServicesSecurityToken • %programfiles%common filesMicrosoft Sharedweb server extensions15WebServicesSecurityToken • Changes need to be made to the Security Token Service virtual directory on each server hosting CA or the claims- based web application 6. Configure FBA Provider in Central Administration 7. Create Web Application Policy to give SQL Auth User(s) access to site
- 33. Sample Extranet Portal Structures Scenarios Includes Key design elements Corporate Portal with Path-based Sites Most common types of sites deployed within an organization. • Path-based site collections • Claims-based authentication • Multiple authentication providers and authentication types implemented in a single zone Extranet Portal with Host-names sites Most common types of sites deployed within an organization. • Host-named site collections • Claims-based authentication • Multiple authentication providers and authentication types implemented in a single zone Extranet with Dedicated Zones for Authentication Only the partner web site. Provides an alternate configuration for partner collaboration. • Host-named site collections • Claims-based authentication • Different zone for each authentication method
- 34. Extranet Portal Corporate Portal with Path-based Site Collections • Traditional path-based site collections • Dedicated Web applications • Single top-level site collection per Web application • Provides additional security provided by multiple web apps with separate app pools.
- 35. Extranet Portal Corporate Portal with Host-named Site Collections • Host-named site collections • All sites deployed in a single Web application • Highly scalable and provides more flexibility in managing URLs. • 2013 Recommended Approach
- 36. Extranet Portal Extranet with Dedicated Zones for Authentication • Many top-level project sites with vanity URLs by using host-named sites for each project site (instead of organizing project sites underneath a top-level site collection). • Additional isolation between domain URLs, which might be desired in a partner collaboration solution. • Additional costs of managing a greater number of host names, including managing SSL certificates. • If SAML authentication is used, additional configuration is required.
- 37. Mobile Browser Experience SharePoint Server 2013 offers improvements to the mobile browser experience with the introduction of a new contemporary view. Depending on the mobile browser, users have one of the following browsing options: Contemporary view An optimized mobile browser experience to users and renders in HTML5. This view is available to Mobile Internet Explorer version 9.0 or later versions for Windows Phone 7.5, Safari version 4.0 or later versions for iPhone iOS 5.0, and the Android browser for Android 4.0 or later versions. Classic view Renders in HTML format, or similar markup languages (CHTML, WML, and so on), and provides backward compatibility for mobile browsers that cannot render in the new contemporary view. The classic experience in SharePoint Server 2013 is identical to the mobile browser experience of SharePoint Server 2010. Full-screen UI There is also the ability to have a full desktop view of a SharePoint site on a smartphone device.
- 38. Mobile Views Contemporary View Classic View Full Screen UI • Contemporary View - default view (uses HTML5) on select site templates (Team Site, Blank Site, Document Workspace, Document Center, and Project Site). • Classic View - for devices that cannot render the contemporary view. • Full Screen UI – An option in the contemporary view. • Learn more: http://technet.microsoft.com/en-us/library/jj673030.aspx
- 39. Device Channels • For smartphone and tablet devices. Can only be used with a publishing site. • With device channels, you can render a single publishing site in multiple ways by using different designs that target different devices based on their user agent string. • The site and content can be mapped to use different master pages and style sheets for a specific device or group of devices. • You can easily show different content to different device channels by using same page and page layout.
- 40. Licensing in SP2013 • Much simpler to license • Regular SharePoint Server license • SharePoint for Internet Sites (FIS) is gone. • Need CAL for Intranet Users • No need to license Extranet Users • External users means users that are not either your or your affiliates’ employees, or your or your affiliates’ onsite contractors or onsite agents.
- 41. Questions ?? ? ?
- 42. Constructive Feedback Is Appreciated Great information, but would like to have learned more about [Insert Topic]Brian – Your presentation was … Good Demos! Thanks!
- 43. Useful Links • SharePoint 2013 design samples: Corporate portal and extranet sites http://technet.microsoft.com/en-us/library/cc261995.aspx • Architecture design for SharePoint 2013 IT pros http://technet.microsoft.com/en-us/sharepoint/fp123594.aspx • Technical diagrams for SharePoint 2013 http://technet.microsoft.com/en-us/library/cc263199.aspx • Plan for mobile devices in SharePoint 2013 http://technet.microsoft.com/en-us/library/gg610510 • Plan for mobile devices in SharePoint 2013 http://technet.microsoft.com/en-us/library/gg610510
- 44. Useful Links • SharePoint 2013 FBA Pack http://sharepoint2013fba.codeplex.com/ • SharePoint 2010 FBA Pack http://sharepoint2010fba.codeplex.com/ • SharePoint 2010 Claims FBA Examples with OpenID http://sp2010claimsfbaexs.codeplex.com/ • Community Kit for SharePoint http://cks.codeplex.com/