Transcript
Page 1: Hybrid Search Bonanza - European SharePoint Conference 2015

Hybrid Search Bonanza

Cloud Search Service Application - Custom Security Trimmer and Claims Provider

Petter Skodvin-Hvammen - Puzzlepart

Page 2: Hybrid Search Bonanza - European SharePoint Conference 2015

Petter Skodvin-Hvammen
skodvinhvammen.wordpress.com | @pettersh | [email protected]

business apps for sharepoint

Principal Consultant

http://www.puzzlepart.com

Page 3: Hybrid Search Bonanza - European SharePoint Conference 2015

The Ultimate Vision of Enterprise Search!

One Search Box | Blended Search Results | Common Ranking | One Index

Image courtesy of https://en.wikipedia.org/wiki/Portal:Middle-earth/Selected_picture/4

Search in Everything

Page 4: Hybrid Search Bonanza - European SharePoint Conference 2015

Scenario 1: Search across multiple domains on-prem
• Multiple Auth Providers
• Custom Claims Provider
• Custom Security Trimming

Scenario 2: Search across on-prem and Office 365
• Getting Started
• Cloud scenarios
• On-prem scenarios
• Extras

Page 5: Hybrid Search Bonanza - European SharePoint Conference 2015

Scenario 1: Search across multiple domains on-prem

Page 6: Hybrid Search Bonanza - European SharePoint Conference 2015

Intranet
• SharePoint 2013 farm in the corporate domain / internal network
• Windows authentication only
• Only internal users in Active Directory

Scenario 1

[Diagram labels: CONTOSO; Active Directory; Windows Authentication; https://intranet.contoso.com; Internal users]

Page 7: Hybrid Search Bonanza - European SharePoint Conference 2015

Extranet
• SharePoint 2013 farm in an external domain / external network
• ADFS/SAML authentication
• Internal and external users in MS SQL Server
• Custom claims provider

Scenario 1

[Diagram labels: EXTERNAL; SQL Server; SAML Authentication; https://extranet.contoso.com; Custom Claims Provider; External users; ADFS]

Page 8: Hybrid Search Bonanza - European SharePoint Conference 2015

Business Requirements

Scenario 1

Internal users External users

Intranet Extranet

Page 9: Hybrid Search Bonanza - European SharePoint Conference 2015

Scenario 1

[Diagram labels: CONTOSO; EXTERNAL; ADFS Trust; Active Directory; SQL Server; SAML Authentication; https://extranet.contoso.com; Custom Claims Provider; FIM Sync; Internal domain users; External users (individual); ADFS Trust; External users (partner domain)]

• ADFS trust to authenticate
• Internal users
• External users authenticated by trusted partners
• ADFS using SQL database as directory
• FIM sync to external users DB
• Custom claims provider

Page 10: Hybrid Search Bonanza - European SharePoint Conference 2015

Claims Based Authentication

Issuer (Trusted Provider)

Identity / Subject (SSN)

Roles

Claims

Page 11: Hybrid Search Bonanza - European SharePoint Conference 2015

ADFS Configuration and External User DB
• PPID as Identity Claim
• http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier
• Groups SID (Internal users)
• http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid

Scenario 1

USERS
Id      Sid                                              Domain
12345   S-1-5-21-606747145-796845957-725345543-571903    CONTOSO
23456   S-1-5-21-606747145-796845957-725345543-540805    FABRICAM
34567   S-1-5-21-606747145-796845957-725345543-1734      -CONTOSO FABRICAMEXTERNAL

Configure SAML-based claims authentication with AD FS in SharePoint 2013
https://technet.microsoft.com/en-us/library/hh305235.aspx

[Diagram labels: https://fsext.contoso.com/adfs/ls/; https://fs.fabricam.com/adfs/ls/; https://fsint.contoso.com/adfs/ls/]

Page 12: Hybrid Search Bonanza - European SharePoint Conference 2015

Custom Claims Provider / People Picker
• Search and name resolution
• Internal and external users from Users table in SQL Server
• Internal groups from Active Directory (CONTOSO)
• ACLs matching ADFS claims

Scenario 1

Plan for custom claims providers for People Picker in SharePoint 2013
https://technet.microsoft.com/en-us/library/gg602072.aspx

Claims-based identity in SharePoint 2013
https://msdn.microsoft.com/en-us/library/office/ee535242.aspx

Page 13: Hybrid Search Bonanza - European SharePoint Conference 2015

Crawling external content from internal farm
• Set up Windows authentication in external web application
• Why not multiple zones?
• Same URLs for internal and external users ease collaboration
• Internal users manage permissions for external users
• Crawl default zone or else…
• Outlook uses default zone for calendar integration…
• Alerts and emails…

Scenario 1

Page 14: Hybrid Search Bonanza - European SharePoint Conference 2015

Multiple Authentication Providers…

Scenario 1

ADFS

Page 15: Hybrid Search Bonanza - European SharePoint Conference 2015

Scenario 1

[Diagram labels: CONTOSO; EXTERNAL; ADFS Trust; Active Directory; SQL Server; SAML Authentication; Windows Authentication; https://intranet.contoso.com; https://extranet.contoso.com; Custom Claims Provider; FIM Sync; Crawl; Search; ADFS Trust; Internal domain users; External users (individual); External users (partner domain)]

Page 16: Hybrid Search Bonanza - European SharePoint Conference 2015

Querying external content in internal farm

Scenario 1

Page 17: Hybrid Search Bonanza - European SharePoint Conference 2015

Internal Windows Claims

Claim Type: http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid
Claim Value: S-1-5-21-606747145-796845957-725345543-571903
Issuer: SharePoint
Original Issuer: Windows

Claim Type: http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid
Claim Value: S-1-5-21-606747145-796845957-725345543-1734
Issuer: SharePoint
Original Issuer: Windows

Claim Type: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
Claim Value: [email protected]
Issuer: SharePoint
Original Issuer: Windows

Claim Type: http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname
Claim Value: CONTOSO\petter
Issuer: SharePoint
Original Issuer: Windows

Claim Type: http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
Claim Value: S-1-5-21-606747145-796845957-725345543-1734
Issuer: SharePoint
Original Issuer: Windows

Claim Type: http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
Claim Value: S-1-5-21-606747145-796845957-725345543-540805
Issuer: SharePoint
Original Issuer: Windows

Page 18: Hybrid Search Bonanza - European SharePoint Conference 2015

External ADFS / SAML Claims

Claim Type: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier
Claim Value: 12345
Issuer: SharePoint
Original Issuer: TrustedProvider:ADFS

Claim Type: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Claim Value: 12345
Issuer: SharePoint
Original Issuer: SharePoint

Claim Type: http://schemas.xmlsoap.org/ws/2009/08/claims/userid
Claim Value: 0\.t|adfs|12345
Issuer: SharePoint
Original Issuer: SecurityTokenService

Claim Type: http://schemas.microsoft.com/sharepoint/2005/05/claims/name
Claim Value: 0\.t|adfs|12345
Issuer: SharePoint
Original Issuer: SecurityTokenService

Claim Type: http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
Claim Value: S-1-5-21-606747145-796845957-725345543-1734
Issuer: SharePoint
Original Issuer: TrustedProvider:ADFS

Claim Type: http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
Claim Value: S-1-5-21-606747145-796845957-725345543-540805
Issuer: SharePoint
Original Issuer: TrustedProvider:ADFS

Page 19: Hybrid Search Bonanza - European SharePoint Conference 2015

Custom Security Trimmer
• Runs as search service account
• Loaded by Query Component
• Requires a local cache for performance / latency
• Beware of not being able to RunWithElevatedPrivileges

Scenario 1
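
The two claim sets above differ in identity claim and original issuer, so a Windows-authenticated query only matches extranet ACLs if the trimmer supplies the ADFS-style claims. The following Python model is an added example, not code from the talk or the linked repository (a real trimmer is a .NET component). The names `SidToPpidCache`, `lookup_users_table` and `extranet_claims` are hypothetical, and it assumes the trimmer resolves the user's primary SID to the PPID through the Users table behind a local cache.

```python
import time

PPID = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier"
PRIMARY_SID = "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"
GROUP_SID = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"
ADFS_ISSUER = "TrustedProvider:ADFS"  # original issuer shown on the ADFS claims slide

# Constructed stand-in for the external Users table (Id, Sid, Domain); first row as on the slide.
USERS_TABLE = [("12345", "S-1-5-21-606747145-796845957-725345543-571903", "CONTOSO")]

# Claims of the Windows-authenticated querying user, as (type, value, original issuer).
WINDOWS_CLAIMS = [
    (PRIMARY_SID, "S-1-5-21-606747145-796845957-725345543-571903", "Windows"),
    (GROUP_SID, "S-1-5-21-606747145-796845957-725345543-1734", "Windows"),
    (GROUP_SID, "S-1-5-21-606747145-796845957-725345543-540805", "Windows"),
]

def lookup_users_table(sid):
    """Hypothetical backend call: resolve a SID to the user's Id (PPID), or None."""
    return next((uid for uid, user_sid, _ in USERS_TABLE if user_sid.upper() == sid), None)

class SidToPpidCache:
    """Local TTL cache: the trimmer runs on every query, so skip the database round trip."""
    def __init__(self, lookup, ttl_seconds=300, clock=time.monotonic):
        self._lookup, self._ttl, self._clock = lookup, ttl_seconds, clock
        self._entries = {}  # SID -> (PPID or None, expiry time)
        self.backend_calls = 0

    def get(self, sid):
        key, now = sid.upper(), self._clock()
        hit = self._entries.get(key)
        if hit is not None and hit[1] > now:
            return hit[0]
        self.backend_calls += 1
        ppid = self._lookup(key)
        self._entries[key] = (ppid, now + self._ttl)  # misses are cached too
        return ppid

def extranet_claims(windows_claims, cache):
    """Return the ADFS-issued claims to add so extranet ACLs can match this user."""
    sids = [value for ctype, value, _ in windows_claims if ctype == PRIMARY_SID]
    ppid = cache.get(sids[0]) if len(sids) == 1 else None
    if ppid is None:
        return []  # fail closed: an unmapped user gains no extranet access
    groups = [(GROUP_SID, value, ADFS_ISSUER)
              for ctype, value, _ in windows_claims if ctype == GROUP_SID]
    return [(PPID, ppid, ADFS_ISSUER)] + groups
```

The cache lifetime is also the window during which a removed or changed Users-table mapping keeps taking effect, so it should be chosen with revocation in mind as well as latency.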

Page 20: Hybrid Search Bonanza - European SharePoint Conference 2015

DEMO

Security Trimmer in Visual Studio
https://github.com/pskodvin/sp2013-securitytrimmer

Scenario 1

Page 21: Hybrid Search Bonanza - European SharePoint Conference 2015

Scenario 2: Search across on-prem and Office 365

Cloud Search Service Application

Page 22: Hybrid Search Bonanza - European SharePoint Conference 2015

The New Cloud Search Service Application
• SharePoint Server 2016 and 2013 with August 2015 Update

Documentation and scripts on
• https://connect.microsoft.com/office

Scenario 2

Page 23: Hybrid Search Bonanza - European SharePoint Conference 2015

Scenario 2

Create a Cloud Search Service Application
• Search Server Name
• Search Service Account
• Search Service Application Name
• Database Server Name

Page 24: Hybrid Search Bonanza - European SharePoint Conference 2015

Scenario 2

Page 25: Hybrid Search Bonanza - European SharePoint Conference 2015

Scenario 2

Configure Integration On-prem Farm – Office 365 Tenant
• Portal Url
• Hybrid SSA Id

Page 26: Hybrid Search Bonanza - European SharePoint Conference 2015

Cloud Search Service Application

DEMO - SharePoint Server 2013

Scenario 2

Page 27: Hybrid Search Bonanza - European SharePoint Conference 2015

SharePoint Online – Search On-Prem Sources
• SharePoint Content
• SharePoint User Profiles
• Web Sites
• File Shares
• BCS Connector (Databases / Web services)
• .NET Connectors (Custom / Third Party)

Scenario 2

Page 28: Hybrid Search Bonanza - European SharePoint Conference 2015

Search On-Prem Content

DEMO - SharePoint Online

Scenario 2

Page 29: Hybrid Search Bonanza - European SharePoint Conference 2015

SharePoint Online – Search On-Prem Sources
• Document Previews
• On-Prem Office Web Application Server
• Content Source Refiner
• Search configuration available from https://github.com/pskodvin/search-configuration
• Open files from on-prem file shares
• Set up IIS on file server
• Server name mappings
• Endpoint configuration

Scenario 2

Page 30: Hybrid Search Bonanza - European SharePoint Conference 2015

Content Search Web Part

DEMO – On-Prem Content

Scenario 2

Page 31: Hybrid Search Bonanza - European SharePoint Conference 2015

SharePoint On-Prem – Search Office 365
• SharePoint Content
• Delve User Profiles
• OneDrive 4 Biz
• Delve Blogs
• Office 365 Videos

What about?
• Office 365 Groups
• Sways
• Office Graph
• GraphQuery property not yet supported for SharePoint 2013

Scenario 2

Page 32: Hybrid Search Bonanza - European SharePoint Conference 2015

Search Office 365 Content

DEMO - SharePoint Server 2013

Scenario 2

Page 33: Hybrid Search Bonanza - European SharePoint Conference 2015

Search First Migration

Scenario 2

[Diagram labels: Production, Staging, Test; Production, Staging, Test; Production]

Page 34: Hybrid Search Bonanza - European SharePoint Conference 2015

Related Sessions

Tuesday
• 15:15 - The Four Pillars of Enterprise Search Strategy (Joel Olesen)
• 15:15 - Closer look at the new Cloud Hybrid Search Solution (Donald Hessing)

Wednesday
• 10:15 - Developing Search-driven Applications with SharePoint, the Office Graph and Azure Search (Jeff Fried)
• 11:45 - Office 365 SharePoint Hybrid – What’s New & Roadmap (Bill Baer)

Thursday
• 14:00 - Content Recommendation with SharePoint Search (André Vala)

Page 35: Hybrid Search Bonanza - European SharePoint Conference 2015

Petter Skodvin-Hvammen
skodvinhvammen.wordpress.com | @pettersh | [email protected]

Principal Consultant

Thank You!

