Understanding SharePoint Apps, authentication and authorization infrastructure in SharePoint 2013/ SharePoint Online ZVONIMIR MAVRETIĆ, K2 ADRIATICS & EVISION

Upload: sharepoint-and-project-conference-adriatics

Post on 01-Jun-2015

Category: Technology

DESCRIPTION

This session will teach you everything you need to know in order to understand SharePoint Apps, authentication and authorization. Learn about the different types of Apps, the underlying Apps architecture and how to configure an on-premises environment to support Apps. You will also learn about the different authentication options available for integrating apps, devices and applications in on-premises, cloud and hybrid scenarios.

TRANSCRIPT

  • 1. Understanding SharePoint Apps, authentication and authorization infrastructure in SharePoint 2013 / SharePoint Online. ZVONIMIR MAVRETIĆ, K2 ADRIATICS & EVISION

2. SHORT HISTORY OF SHAREPOINT

3. [Diagram: SharePoint product history. Labels recoverable from the slide: Collaboration, Business Intelligence, Business Portal, Forms, Search, Content Management; Platform Services (Workspaces, Mgmt, Security, Storage, Topology, Site Model); Communities, Sites, Search, Composites, Insights, Content; claims identity examples i:0#.f|membership|[email protected] and i:0#.w|domain\sAMAccountName]

4. MEANWHILE

5. DEMO: MULTIPLE AUTHENTICATION

6. IDENTITY BASICS

7. Identity Parts
    - User
    - Type of Access
    - Authentication Information
    - Entitlement Information
    - Profile Information
    - Runtime Information (Remote, Devices, LAN, Home, Time, Office, Location)

8. Planning Identities
    - Where are your users stored? Active Directory, Cloud, Federated
    - How will they present credentials to prove who they are?
    - What will they need access to? SharePoint only, Applications, Other services
    - How will I get rid of them?

9. Identity: core questions to ask
    1. Do you really have to authenticate?
    2. Does the authentication source matter or is the user ID enough?
    3. Do you own the identity?
    4. Do you own the user information?
    5. How do they authenticate today?
    6. Where do they authenticate from?
    7. How do you want them to authenticate?
    8. Will they always authenticate that way?
    9. Is the information you need for authorization enough or do you need more?

10. Common AuthZ & AuthN Patterns (pattern: AKA)
    - Party time: Anonymous
    - Right this way (keep an eye out): Tracked anonymous
    - If you got this far, I trust you: Already verified somewhere else
    - Who are you again?: Single sign-on (sign once, everywhere)
    - He's with me / VIP: Association / federation
    - Wait right here: Trusted subsystem
    - You look like someone I know: Shadow account
    - Let me do that for you: Impersonation

11. The SharePoint User Identity
    - Authentication Information (STS)
    - Additional Runtime Information (Claims, Roles, Groups)
    - Profile Information (Email, SIP)
    These together make up the SPUser.

12. Why Claims?
    - Decouples SharePoint from authentication
    - Support for multiple authentication providers on one URL
    - Enables federation
13. Authentication Modes
    - SharePoint 2013 supports both claims and classic authentication
    - Claims authentication: the default mode and the recommended mode
    - Classic authentication: can only be managed in PowerShell (it's gone from the UI); support for classic mode is deprecated and will go away in a future release

14. Claims-based Authentication Methods
    - Anonymous
    - Windows: Basic, NTLM, Kerberos
    - Forms Based Authentication (FBA): Membership API (ASP.NET SQL), LDAP provider, custom provider (developed in .NET)
    - Trusted Identity Provider: Active Directory Federation Services (ADFS 2.0/3.0), Windows Azure Access Control Services (ACS), Windows Azure Active Directory (AAD, via ACS), custom IP/STS (developed in .NET or any other compliant platform)

15. Identity Claims Representation
    Windows account:  i:0#.w|evision\mavretic
    FBA account:      i:0#.f|fbamembership|zvonimirm
    SAML account:     i:05.t|sts1_evision_hr|[email protected]

16. How it works (reading i:0#.w|evision\mavretic left to right)
    - i = identity claim, 0 = reserved
    - Claim type: # = user logon name (username); 5 = e-mail address, as in the SAML example
    - Claim value type: . = String, + = RFC822 Name
    - Issuer type: w = Windows, f = forms, t = trusted identity provider
    - After the |: the provider name (none for Windows) and the claim value

17. Windows Azure ACS 2.0
    - Identity Provider and Security Token Service
    - Leverages external IPs: Microsoft Account (aka Windows Live ID), Facebook, Google, Yahoo!, ADFS 2.0/3.0, Windows Azure Active Directory, custom WS-Federation
    - It's available for free; you simply need a valid Windows Azure subscription

18. Some specs supported by ACS 2.0
    - Protocols: OAuth 2.0, WS-Trust, WS-Federation
    - Tokens: SAML 1.1/2.0, JSON Web Token (JWT)

19. AUTHENTICATION AND AUTHORIZATION FOR APPS

20. The OAuth Protocol
    "The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf." http://tools.ietf.org/html/rfc6749
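The encoded logins on slides 15 and 16 are what you meet in permission reports, ULS logs and the People Picker, so it is worth being able to decode them mechanically. The following is an added example, not code from the deck: a small Python decoder for the encoding the slides describe. The letter mappings for #, 5, ., +, w, f and t are the ones shown on the slides; the extra letters - (role claim), m and r (membership and role providers) are the same scheme's other documented letters and are marked as such in the code. The SAML e-mail address used in the sample is constructed.

```python
"""Decoder for SharePoint 2013 encoded claim identities, e.g. i:0#.w|evision\\mavretic.

Added example (not code from the deck). Positions in the encoded string:
  [0] 'i' = identity claim, 'c' = any other claim     [1] ':'
  [2] '0' reserved                                     [3] claim type ('#' logon name, '5' e-mail)
  [4] value type ('.' string, '+' RFC822 name)         [5] issuer type ('w' Windows, 'f' forms, 't' trusted)
  [6] '|'  then the original issuer (provider name; none for Windows) and the claim value.
"""
from dataclasses import dataclass
from typing import Optional

CLAIM_TYPES = {
    "#": "user logon name",  # i:0#.w|..., i:0#.f|...
    "5": "email address",    # i:05.t|...
    "-": "role",             # beyond the slides: the letter SharePoint uses for role claims (c:0-.f|...)
}
VALUE_TYPES = {".": "string", "+": "RFC822 name"}
ISSUER_TYPES = {
    "w": "Windows",
    "f": "forms (FBA)",
    "t": "trusted identity provider",
    "m": "membership provider",  # beyond the slides
    "r": "role provider",        # beyond the slides
}


@dataclass(frozen=True)
class EncodedClaim:
    is_identity: bool
    claim_type: str
    value_type: str
    issuer_type: str
    original_issuer: Optional[str]  # provider name; Windows claims carry none
    value: str


def parse_encoded_claim(text: str) -> EncodedClaim:
    """Split an encoded claim into its parts; raise ValueError on anything malformed."""
    if len(text) < 8 or text[1] != ":" or text[6] != "|":
        raise ValueError(f"not an encoded claim: {text!r}")
    kind, reserved, ctype, vtype, itype = text[0], text[2], text[3], text[4], text[5]
    if kind not in ("i", "c"):
        raise ValueError("first character must be 'i' (identity) or 'c' (other claim)")
    if reserved != "0":
        raise ValueError("reserved position must be '0'")
    if itype not in ISSUER_TYPES:
        raise ValueError(f"unknown issuer type {itype!r}")
    rest = text[7:]
    if itype == "w":
        original_issuer, value = None, rest          # DOMAIN\user or a SID, no provider name
    else:
        original_issuer, sep, value = rest.partition("|")
        if not sep or not original_issuer or not value:
            raise ValueError("expected provider name and value separated by '|'")
    return EncodedClaim(
        is_identity=(kind == "i"),
        claim_type=CLAIM_TYPES.get(ctype, f"unknown ({ctype!r})"),
        value_type=VALUE_TYPES.get(vtype, f"unknown ({vtype!r})"),
        issuer_type=ISSUER_TYPES[itype],
        original_issuer=original_issuer,
        value=value,
    )


def same_person_different_principal(a: str, b: str) -> bool:
    """True when two identity claims carry the same value but come from different issuers.

    SharePoint keys SPUser on the whole encoded string, so such a pair is two distinct
    principals: permissions granted to one are not seen by the other. This is the usual
    surprise after enabling a second provider on the same URL (slide 12).
    """
    ca, cb = parse_encoded_claim(a), parse_encoded_claim(b)
    return (ca.is_identity and cb.is_identity
            and ca.value.lower() == cb.value.lower()
            and (ca.issuer_type, ca.original_issuer) != (cb.issuer_type, cb.original_issuer))


if __name__ == "__main__":
    # The first two strings are from the slides; the SAML address is constructed.
    for login in ("i:0#.w|evision\\mavretic",
                  "i:0#.f|fbamembership|zvonimirm",
                  "i:05.t|sts1_evision_hr|zvonimir@evision.example"):
        print(login, "->", parse_encoded_claim(login))
```

The practical point is in same_person_different_principal: when a farm adds FBA or a trusted provider next to Windows on the same URL, the same human arrives as a second encoded login, and a permission audit that compares only the bare value misses that the new principal has none of the old one's rights (or, worse, that a shadow account kept all of them).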
21. SharePoint 2013 OAuth with Apps
    - OAuth is used to authenticate and authorize apps and services:
        - to authorize requests by an app for SharePoint to access SharePoint resources on behalf of a user
        - to authenticate apps in the Office Store, an app catalog, or a developer tenant
    - Also used by the well-known app principals: SharePoint, Exchange, Lync, Workflow Server
    - Not used for: the user sign-in page; the Authentication Provider section of Central Admin; the People Picker

22. App permissions
    - An app requires permissions to access SharePoint content
    - During installation the app requests its required permissions
    - The user installing the app grants the required permissions

23. SharePoint Apps OAuth Flow
    [Diagram; participants: Subject (the user's browser), SharePoint Server, Windows Azure ACS, App Server]
    1. Start App (Subject to SharePoint)
    2. Request context token (SharePoint to ACS)
    3. Signed context token (ACS to SharePoint)
    4. App redirect (SharePoint to Subject)
    5. Request App start page + context token (SPAppToken) (Subject to App Server)
    6. Refresh token (App Server to ACS)
    7. Access token (ACS to App Server)
    8. Request + access token (App Server to SharePoint)
    9. SharePoint data (SharePoint to App Server)
    10. App start page + contents (App Server to Subject)

24. Using Apps from Store
    - Trust to Azure ACS is required to access Store apps: configure the ACS server as a trusted authentication server
    - For O365: it's automatically configured, nothing to do
    - For on-prem SharePoint 2013: general SharePoint setup for apps (e.g. App Management Service Application, app isolation); connect SharePoint to Azure Active Directory; create an App Principal in AAD and SharePoint
    http://blogs.msdn.com/b/besidethepoint/archive/2012/12/10/sharepoint-low-trust-apps-for-on-premises-deployments.aspx

25. OVERVIEW OF APPS

26. Evolution of SharePoint customizations

27. So why the need for Apps in SharePoint?
    [Diagram of the customization surface: Sites, Views, Columns, Libraries, Pages, Lists, Web Parts, Features, Workflows, Master Pages, Solutions, Content Types, Documents]

28. So why the need for Apps in SharePoint?
    [Same diagram with Apps added to the surface]

29. SharePoint Store

30. Add an App

31. App hosting options
    - Cloud: existing sites and services, with an optional app web
    - SharePoint: host web and app web

32. App UI components
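Steps 5 to 7 of the flow on slide 23 are where a low-trust app most often goes wrong: the context token (SPAppToken) arrives in a browser POST, and an app that reads the refresh token out of it without checking the signature, audience and lifetime will happily act on a token minted for another app or replayed after expiry. The following is an added example in Python, not code from the deck or from Microsoft's TokenHelper, using only the standard library. It stands in for ACS to mint a context token (step 3), verifies it the way the app server should (step 5), and builds the refresh-token request the app sends to ACS (steps 6 and 7). The realm, client ID, client secret, host names, cache key and refresh-token value are constructed for the example; the two principal IDs are the real well-known ones.

```python
"""App-server side of the low-trust OAuth flow on slide 23, steps 5 to 7.

Added example, not code from the deck or from Microsoft's TokenHelper. Standard library only.
The context token (SPAppToken) that SharePoint posts to the app start page is a JWT that ACS
signs with HMAC-SHA256 using the app's client secret; the app must verify it before trusting
the refresh token inside. Realm, client ID, secrets, host names and token values below are
constructed for the example; the two principal IDs are the real well-known ones.
"""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

ACS_PRINCIPAL = "00000001-0000-0000-c000-000000000000"         # well-known ACS app principal
SHAREPOINT_PRINCIPAL = "00000003-0000-0ff1-ce00-000000000000"  # well-known SharePoint principal

# Constructed example values (not real credentials)
REALM = "3b4d2a6e-1111-2222-3333-444455556666"
CLIENT_ID = "f1e2d3c4-0000-1111-2222-333344445555"
CLIENT_SECRET = base64.b64encode(b"example-app-secret-not-a-real-one!!!").decode()
OTHER_APP_SECRET = base64.b64encode(b"some-other-app's-secret").decode()  # for the forgery check
APP_HOST = "app.contoso-apps.example"
SP_HOST = "intranet.contoso.com"
REFRESH_TOKEN = "constructed-refresh-token-value"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(signing_input: bytes, client_secret: str) -> bytes:
    # The HMAC key is the Base64-decoded client secret, the convention TokenHelper follows.
    return hmac.new(base64.b64decode(client_secret), signing_input, hashlib.sha256).digest()


def issue_context_token(now: float, client_secret: str = CLIENT_SECRET) -> str:
    """Stand-in for ACS (step 3): mint the signed context token SharePoint will forward."""
    header = {"typ": "JWT", "alg": "HS256"}
    appctx = {"CacheKey": "constructed-cache-key",
              "SecurityTokenServiceUri":
                  f"https://accounts.accesscontrol.windows.net/{REALM}/tokens/OAuth/2"}
    payload = {
        "aud": f"{CLIENT_ID}/{APP_HOST}@{REALM}",
        "iss": f"{ACS_PRINCIPAL}@{REALM}",
        "nbf": int(now),
        "exp": int(now) + 12 * 3600,
        "appctx": json.dumps(appctx),
        "refreshtoken": REFRESH_TOKEN,
    }
    signing_input = (b64url_encode(json.dumps(header).encode()) + "."
                     + b64url_encode(json.dumps(payload).encode()))
    return signing_input + "." + b64url_encode(sign(signing_input.encode(), client_secret))


def verify_context_token(token: str, client_id: str, client_secret: str,
                         app_host: str, now: float) -> dict:
    """Step 5, app side: validate SPAppToken before using anything inside it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")          # never let the token pick 'none'
    expected = sign(f"{header_b64}.{payload_b64}".encode(), client_secret)
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")     # forged, tampered, or another app's secret
    payload = json.loads(b64url_decode(payload_b64))
    if not payload["nbf"] <= now < payload["exp"]:
        raise ValueError("token not yet valid or expired")
    realm = payload["aud"].rsplit("@", 1)[-1]
    if payload["aud"] != f"{client_id}/{app_host}@{realm}":
        raise ValueError("audience mismatch")       # minted for a different app or host
    if payload["iss"] != f"{ACS_PRINCIPAL}@{realm}":
        raise ValueError("issuer is not ACS")
    return payload


def build_access_token_request(payload: dict, client_id: str, client_secret: str,
                               sharepoint_host: str) -> tuple:
    """Steps 6 and 7: the form body the app POSTs to ACS to trade the refresh token for
    an access token scoped to one SharePoint host. Returns (token endpoint, body)."""
    realm = payload["aud"].rsplit("@", 1)[-1]
    sts_uri = json.loads(payload["appctx"])["SecurityTokenServiceUri"]
    body = {
        "grant_type": "refresh_token",
        "client_id": f"{client_id}@{realm}",
        "client_secret": client_secret,
        "refresh_token": payload["refreshtoken"],
        "resource": f"{SHAREPOINT_PRINCIPAL}/{sharepoint_host}@{realm}",
    }
    return sts_uri, urlencode(body)


if __name__ == "__main__":
    now = time.time()
    token = issue_context_token(now)                                  # what ACS would mint
    ctx = verify_context_token(token, CLIENT_ID, CLIENT_SECRET, APP_HOST, now)
    endpoint, body = build_access_token_request(ctx, CLIENT_ID, CLIENT_SECRET, SP_HOST)
    print("POST", endpoint)
    print(body)
```

Two design points carry over to a real app. The signature check runs before the payload is parsed for anything else, and the algorithm is pinned rather than read from the token, so an attacker cannot downgrade to an unsigned token. The realm is taken from the verified audience, not from the request, because it is the realm that scopes both the client_id and the resource in the request to ACS; a token for another tenant therefore cannot be used to obtain an access token for this one.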
33. App UI components (slides 33 to 37 share this title; their screenshot content is not recoverable from the transcript)

38. The isolated domain
    Host web:  http://intranet.contoso.com/sites/SPC, app name Scheduler
    App web:   http://app-bdf2016ea7dacb.contosoapps.com/sites/SPC/Scheduler
    Parts of the app URL: app prefix "app-" (set per tenant), app ID "bdf2016ea7dacb", app domain "contosoapps.com", host web path "/sites/SPC", app name "Scheduler"

39. DEMO: APPS IN SHAREPOINT

40. Infrastructure configuration
    - Determine the app domain: in https://app-bdf2016ea7dacb.contosoapps.com/sites/SPC/Scheduler it is contosoapps.com
    - Configure domain names in DNS: a wildcard record for *.contosoapps.com, so that every app-<id>.contosoapps.com name resolves
    - Create a new wildcard SSL certificate for *.contosoapps.com

41. SharePoint farm configuration
    - Service applications: Subscription Settings, App Management
    - SharePoint app settings: App URLs (app prefix and app domain), App Catalog, Store settings, app domains for multiple zones

42. App Domains for multiple zones
    The March 2013 Public Update for SharePoint 2013 enables you to associate app domains with different zones. Steps: enable the feature using PowerShell, then create the new app domain. The slide leaves the parameter values of New-SPWebApplicationAppDomain blank; the variables below stand in for your own values.

        # Run in the SharePoint 2013 Management Shell on a farm with the March 2013 PU or later
        Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

        # 1. Enable support for multiple app domains (farm-wide, one time)
        $contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
        $contentService.SupportMultipleAppDomains = $true
        $contentService.Update()

        # 2. Create a new app domain for one web application and zone
        $appDomain      = "<app domain>"            # the wildcard domain registered in DNS and on the certificate
        $webApplication = "<web application URL>"
        $zone           = "Intranet"                # one of Default, Intranet, Internet, Extranet, Custom
        $port           = 443                       # the port the zone listens on
        New-SPWebApplicationAppDomain -AppDomain $appDomain -WebApplication $webApplication -Zone $zone -Port $port -SecureSocketsLayer

43. Additional Considerations
    - Apps do not support Kerberos
    - Special requirements for SAML authentication
    - A routing web application may be needed

44. Routing Web application
    [Diagram: DNS maps *.contosoapps.com to the NLB address 192.168.1.2 in front of the farm; a routing web application with no host header receives requests such as https://app-bdf2016ea7dacb.contosoapps.com/sites/SPC/Scheduler alongside the host-named web applications https://intranet.contoso.com and https://my.contoso.com, and the App Management Service Application resolves the app URL]

45. DEMO: ON PREM CONFIGURATION

46. [email protected]
    @ZVONIMIRM

47. Thank you.
    SHAREPOINT AND PROJECT CONFERENCE ADRIATICS, ZAGREB, 10/15/2014 - 10/16/2014