It’s a common desire to be able to let external vendors, partners, clients and other users into your SharePoint portal in a controlled, secure way. Here are two options that allow this: Forms Authentication and Azure ACS.
We will dig into the pros and cons of both login architectures without getting too technical, allowing you to walk away with a good understanding of what features and options are available to you.
2. Things I will be talking about:
- Extranet scenarios in SharePoint
- Claims Authentication
- Forms Based Authentication
- 3rd party vendor options for Forms Based Auth
- Azure ACS Authentication
- Pros & Cons of Forms Based Auth vs Azure ACS
4. Extranet Requirements
o What do you REALLY need?
• Who needs access to your SharePoint?
• How sensitive is the data?
• How important is ease of access?
• How important is ease of user management?
5. Extranet Requirements
o Who needs access?
• Internal employees = Active Directory, Azure Active Directory
• External users (clients, partners, consultants) = Active Directory, Forms Based Authentication, Azure ACS Authentication
6. Claims Authentication
First things first: understanding Authentication vs Authorization.
Authentication is the process of validating a user’s identity.
(SharePoint itself never performs authentication, by the way.)
Authorization is the process of deciding which resources and functionality an authenticated user has access to.
7. Claims Authentication
Q. What’s a Claim?
A. A piece of info describing a user:
- Name: Jane Doe
- Email: jane.doe@organization.com
- Group/Role membership: HR
- Age: 24
- Hire Date: 12/10/2013
- etc.
8. Claims Authentication
Q. Why do we say “claim” and not “attribute”?
A. Consider:
- Both Facebook and Microsoft have an Age attribute
- Facebook claims the user is 18 while Microsoft claims the user is 35
In order to make authorization decisions, your app needs to decide which “claim” it will trust.
10. Claims Authentication
How Claims works (layman’s terms):
You check in at the airport (SharePoint) (Authentication):
- present credentials (passport)
- credentials are validated by the security guard
You receive a boarding pass (Authorization):
- seat, frequent flyer status, gate, etc.
11. Claims Authentication
More on the details of claims (great party trivia!):
http://yalla.itgroove.net/2012/11/claims-based-authentication-in-sharepoint-2010/
12. Forms Based Authentication
OPTION A – Roll your own
Setting up a basic Forms Authentication implementation
http://blogs.visigo.com/chriscoulson/configuring-forms-based-authentication-in-sharepoint-2013-part-1-creating-the-membership-database/
Details the config required to enable basic Forms Authentication in your SharePoint 2013 farm
SharePoint 2013 FBA Pack
http://sharepoint2013fba.codeplex.com/
Open source add-on to the basic Forms plumbing that adds extra options in SharePoint site settings and web parts for user management, password reset, etc.
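As an added illustration (not code from the deck or from the linked blog posts), the PowerShell below enables Forms Based Authentication on a web application zone while keeping Windows authentication for internal staff. It assumes the membership database already exists and that the matching membership and role provider entries have been added to the web.config files of the web application, Central Administration and the Security Token Service; the URL and provider names are placeholders.

```powershell
# Added example: enable Forms Based Authentication (plus Windows auth) on a
# SharePoint 2013 web application zone. Values marked placeholder are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl    = "https://extranet.contoso.com"   # placeholder web application URL
$membership   = "FBAMembershipProvider"          # placeholder; must match web.config <membership>
$roleProvider = "FBARoleProvider"                # placeholder; must match web.config <roleManager>

# Two claims authentication providers for the same zone: Windows for employees,
# ASP.NET membership (Forms) for external users.
$win = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
$fba = New-SPAuthenticationProvider -ASPNETMembershipProvider $membership `
                                    -ASPNETRoleProviderName $roleProvider

$webApp = Get-SPWebApplication $webAppUrl
Set-SPWebApplication -Identity $webApp -Zone Default -AuthenticationProvider $win, $fba

# Check: list the providers the zone now uses. Both should appear; if only
# Windows shows up, the web.config provider names probably do not match.
$webApp = Get-SPWebApplication $webAppUrl
$zone = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
$webApp.IisSettings[$zone].ClaimsAuthenticationProviders |
    Select-Object DisplayName, ClaimProviderName
```

Run this from the SharePoint 2013 Management Shell as a farm administrator. Enabling the provider here only tells SharePoint to offer the Forms login; the membership database, password policy and lockout behaviour still live in the ASP.NET provider configuration.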
14. Forms Based Authentication
OPTION B – 3rd Party Vendors
- FBA Suite
- ExCM 2013
- Extradium
- Envision IT Extranet User Manager for SharePoint
- itgroove
... and more.
15. Forms Based Authentication
Functionality to consider when planning Forms Auth:
• Password Policies – minimum length, complexity, expiry, re-use of old passwords
• Login Details – failed login lockout criteria, remember password
• Self-service – resetting password, forgotten password retrieval
• Branding – styling of login and user-facing web pages
• Data Store – database encryption, reporting and user auditing
16. Azure ACS Authentication
Cloud-based Microsoft identity provider
www.WindowsAzure.com
Management Console:
https://manage.windowsazure.com
17. Azure ACS Authentication
- Allows Claims authentication against popular identity providers like Google, Microsoft, Yahoo, Facebook, etc.
- Is a free service as part of your overall Windows Azure account
- Initial setup in SharePoint is performed via a PowerShell script that sets up a certificate, defines which Claims to use, and defines your providers
- Once the SharePoint web app is married to the Azure ACS Access Control Namespace, we then go to the web app settings in SharePoint Central Administration and enable the new Identity Provider we’ve created
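The PowerShell below is an added example, not a script from the deck or from Microsoft, of the setup step just described: it registers the ACS namespace’s signing certificate, declares which incoming claims SharePoint keeps, and creates the trusted identity token issuer. It is also the concrete form of the “which claim do we trust?” question from slide 8: SharePoint will only accept claims in tokens signed by the certificate registered here, for the realm registered here. The certificate path, namespace name, realm and web application URL are placeholders; the last step does in PowerShell what the slide describes doing in Central Administration.

```powershell
# Added example: trust an Azure ACS namespace as a SharePoint 2013 identity provider.
# Values marked placeholder are assumptions for this illustration.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Token-signing certificate exported from the ACS namespace. Tokens not signed
#    by this certificate are rejected, whatever claims they carry.
$certPath = "C:\certs\acs-signing.cer"                       # placeholder path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
New-SPTrustedRootAuthority -Name "Azure ACS Signing Cert" -Certificate $cert

# 2. Incoming claims SharePoint should keep. Email is used as the identifier.
#    (The deck notes Live ID returns an opaque username rather than a usable one,
#    so a Live ID-only setup would need a different identifier claim mapping.)
$emailClaim = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$nameClaim = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" `
    -IncomingClaimTypeDisplayName "DisplayName" -SameAsIncoming

# 3. Realm must match the relying party application configured in ACS; the
#    sign-in URL is the namespace's WS-Federation endpoint.
$namespace = "contoso-extranet"                               # placeholder ACS namespace
$realm     = "urn:sharepoint:extranet"                        # placeholder realm
$signIn    = "https://$namespace.accesscontrol.windows.net/v2/wsfederation"

# 4. Create the trusted identity token issuer.
$issuer = New-SPTrustedIdentityTokenIssuer -Name "Azure ACS" `
    -Description "Azure ACS (Google, Facebook, Live ID, Yahoo)" `
    -Realm $realm -ImportTrustCertificate $cert `
    -ClaimsMappings $emailClaim, $nameClaim `
    -SignInUrl $signIn -IdentifierClaim $emailClaim.InputClaimType

# 5. Enable the new provider on the web application zone next to Windows auth.
$webApp = Get-SPWebApplication "https://extranet.contoso.com"   # placeholder URL
$acsProvider = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $issuer
$winProvider = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
Set-SPWebApplication -Identity $webApp -Zone Default `
    -AuthenticationProvider $winProvider, $acsProvider
```

When the ACS signing certificate is rolled over, step 1 and the issuer’s trust certificate must be updated too, otherwise every external login fails even though nothing changed on the SharePoint side.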
22. Azure ACS Authentication
Further references for configuring Azure ACS:
http://msdn.microsoft.com/en-us/library/gg429788.aspx
http://dannyjessee.com/blog/index.php/2012/11/using-azure-acs-to-sign-in-to-sharepoint-2013-with-facebook/
http://robbincremers.me/2012/02/22/using-windows-azure-access-control-service-to-provide-a-single-sign-on-experience-with-popular-identity-providers/
http://blogs.msdn.com/b/mvpawardprogram/archive/2011/06/17/mvps-for-sharepoint-2010-using-azure-acs-v2-to-authenticate-external-systems-users.aspx
23. Pros & Cons of Forms Based Auth
YAY
- Easy to remove user accounts when they need to be put out to pasture
- Direct control of the login branding and user experience end-to-end
- Can be completely on-premise and self-contained, reading from a SQL database that your organization controls. Great for government/orgs with privacy requirements
- Allows a “sticky” login session stickhandled by cookies, as compared to the default NTLM experience, which tends to be screwy on Chrome/Firefox/iPads etc.
- Can inherit AD policies such as password complexity rules
NAY
- Typically requires low-level configuration and mucking about in SharePoint’s guts, e.g. web.config
- Users are stored in a SQL database which is decoupled from your main AD, which can make reconciling profile properties later hard
- For a truly robust Forms auth implementation, you will likely want to go 3rd party, which involves $ and careful evaluation of product/service offerings
24. Pros & Cons of Azure ACS Auth
YAY
- Hosted in the cloud (stability, global data center redundancy, support)
- Free service as part of your overall Azure account
- Can be coordinated with an overall hybrid Active Directory/Office 365 strategy
- Extremely easy user adoption: users can log in with their existing, familiar identity providers
NAY
- Hosted in the cloud (privacy and data ownership concerns)
- Complex to set up for different identity providers; Facebook, for example, requires signing up for a Facebook developer account and creating a Facebook application
- The Live ID identity provider is ironically the biggest deadbeat of the bunch, as it returns the username as gobbledygook. Extra coding is required to get the SharePoint username claim right.
- The identity providers hold the key to users’ access to SharePoint: when it comes time to retire a user, your only privilege is to remove their SharePoint user rights, leaving potential gaps, as it’s hard to audit SharePoint user access rights out of the box
A user profile is composed of a set of user properties. Each user property provides an item of information related to a user. User property values can come from directory services, business systems, or user input. You can configure some properties so that they can be exported to a directory service. Many of the decisions that you make in planning user profiles are about which user properties to include and how their values are set.