SPS Belgium 2015 - High-trust Apps for On-Premises Development
Download as PPTX, PDF0 likes504 views
This document summarizes the high-trust app model for on-premises SharePoint development. It discusses the differences between low-trust and high-trust app authentication, how high-trust apps use certificates instead of OAuth, and the prerequisites and mechanism for high-trust app authentication. It also covers some gotchas, using other authentication methods, technology stacks, extending the TokenHelper code, and provides examples of high-trust app projects and information sources.
More Related Content
Similar to SPS Belgium 2015 - High-trust Apps for On-Premises Development (19)
SPS Belgium 2015 - High-trust Apps for On-Premises Development
- 1. High-Trust App Model for On-Premises Development #SPSBE06 Edin Kapić April 18th, 2015
- 2. PlatinumGoldSilver Thanks to our sponsors!
- 4. http://www.spsevents.org/city/Barcelona/Barcelona2015/ SharePoint, sun and beach (Sept 26th)
- 6. Agenda SharePoint app model review High-trust apps mechanism DEMO Advanced scenarios
- 7. SharePoint “cloud apps model” SharePoint-hosted apps Provider-hosted apps (remote apps)
- 8. Provider-hosted apps The code runs in a separate server Uses REST/CSOM API to call SharePoint Uses OAuth for authorization
- 9. App authentication Apps are now first class security principals They have their own identity and permissions App authentication only happens on REST/CSOM endpoints
- 10. App authentication methods OAuth Brokered by Access Control Service (ACS) • Server-to-server Using SSL certificates
- 15. High-trust app prerequisites SSL certificate Configure Trusted Root Authority Configure Trusted Token Issuer Secure Token Service User profiles
- 16. High-trust mechanism App has x.509 certificate with public/private key pair Private key used to sign certain aspects in access token Public key registered with SharePoint farm This creates a trusted security token issuer App creates access token to call into SharePoint App creates access token with a specific client ID and signs it with private key Trusted security token issuer validates signature SharePoint establishes app identity App identity maps to a specific client ID You can have many client IDs associated with a single x.509 certificate Ted Pattison SPC12 talk
- 18. Gotchas Provider-hosted app authentication (Windows, SAML, fixed…) SharePoint host web application mode (Claims, Classic-Windows) can cause auth failures TokenHelper uses Active Directory SID as the identifier App-only tokens are not supported by all API areas
- 20. Using other authentication methods TokenHelper uses WindowsIdentity under the covers Custom code for SAML Federated Authentication contributed by Wictor Wilén (http://bit.ly/1aFponK) FBA is also supported
- 21. Using other technology stacks Overview of options by Kirk Evans http://bit.ly/1jK3Evh Java, PHP, Node.js JWT token creation Token signing with X.509 certificate
- 22. Extending the TokenHelper code TokenHelper is just code, you can edit and extend it Retrieving app parameters from a database Caching access tokens Creating custom user identity Extending token lifetime Retrieving certificates from a repository
- 23. My recent project 3 provider-hosted apps (2 MVC, 1 Lightswitch) SharePoint 2013 back-end platform 2 types of users Windows Online Banking
- 25. High-trust apps in SharePoint 2013 Alternative for on-premises app development Cloud-ready code More flexible than the low-trust apps
- 26. Useful information sources about HTA Kirk Evans http://blogs.msdn.com/b/kaevans/ Steve Peschka http://blogs.technet.com/b/speschka/ Wictor Wilén http://www.wictorwilen.se
- 27. Thank you! Dank jullie wel! Merci beaucoup! Vielen dank!
Editor's Notes
- #2: Template may not be modified Twitter hashtag: #spsbe for all sessions