sps belgium 2015 - high-trust apps for on-premises development
![Page 1: SPS Belgium 2015 - High-trust Apps for On-Premises Development](https://reader034.vdocuments.site/reader034/viewer/2022042607/55ab1b911a28ab68268b4709/html5/thumbnails/1.jpg)
High-Trust App Model for On-Premises Development
#SPSBE06
Edin Kapić
April 18th, 2015
Platinum
Gold
Silver
Thanks to our sponsors!
About me
edinkapic
@ekapic
http://www.spsevents.org/city/Barcelona/Barcelona2015/
SharePoint, sun and beach (Sept 26th)
Agenda
SharePoint app model review
High-trust apps mechanism
DEMO
Advanced scenarios
SharePoint “cloud apps model”
SharePoint-hosted apps
Provider-hosted apps (remote apps)
Provider-hosted apps
The code runs in a separate server
Uses REST/CSOM API to call SharePoint
Uses OAuth for authorization
App authentication
Apps are now first-class security principals
They have their own identity and permissions
App authentication only happens on REST/CSOM endpoints
App authentication methods
OAuth, brokered by Access Control Service (ACS)
Server-to-server, using SSL certificates
Low-trust app authentication
High-trust app authentication
High-trust app prerequisites
SSL certificate
Configure Trusted Root Authority
Configure Trusted Token Issuer
Secure Token Service
User profiles
High-trust mechanism
App has X.509 certificate with public/private key pair
  Private key used to sign certain aspects in access token
Public key registered with SharePoint farm
  This creates a trusted security token issuer
App creates access token to call into SharePoint
  App creates access token with a specific client ID and signs it with private key
  Trusted security token issuer validates signature
SharePoint establishes app identity
  App identity maps to a specific client ID
  You can have many client IDs associated with a single X.509 certificate
(Source: Ted Pattison, SPC12 talk)
Gotchas
Provider-hosted app authentication (Windows, SAML, fixed…)
SharePoint host web application mode (Claims, Classic-Windows) can cause auth failures
TokenHelper uses Active Directory SID as the identifier
App-only tokens are not supported by all API areas
Using other authentication methods
TokenHelper uses WindowsIdentity under the covers
Custom code for SAML Federated Authentication contributed by Wictor Wilén (http://bit.ly/1aFponK)
FBA is also supported
Using other technology stacks
Overview of options by Kirk Evans http://bit.ly/1jK3Evh
Java, PHP, Node.js
JWT token creation
Token signing with X.509 certificate
Extending the TokenHelper code
TokenHelper is just code, you can edit and extend it
Retrieving app parameters from a database
Caching access tokens
Creating custom user identity
Extending token lifetime
Retrieving certificates from a repository
My recent project
3 provider-hosted apps (2 MVC, 1 Lightswitch)
SharePoint 2013 back-end platform
2 types of users: Windows, Online Banking
High-trust apps in SharePoint 2013
Alternative for on-premises app development
Cloud-ready code
More flexible than the low-trust apps
Useful information sources about HTA
Kirk Evans: http://blogs.msdn.com/b/kaevans/
Steve Peschka: http://blogs.technet.com/b/speschka/
Wictor Wilén: http://www.wictorwilen.se
Thank you! (Dank jullie wel! Merci beaucoup! Vielen Dank!)