SharePoint External Login Access –
Forms Authentication vs Azure ACS
Things I will be talking about..
- Extranet scenarios in SharePoint
- Claims Authentication
- Forms Based Authentication
- 3rd party vendor options for Forms Based Auth
- Azure ACS Authentication
- Pros & Cons of Forms Based Auth vs Azure ACS
What’s an Extranet?
Controlled access from external networks
Extranet Requirements
o What do you REALLY need?
• Who needs access to your SharePoint?
• How sensitive is the data?
• How important is ease of access?
• How important is ease of user management?
Extranet Requirements
o Who needs access?
- Internal employees = Active Directory, Azure Active Directory
- External users (clients, partners, consultants) = Active Directory, Forms Based Authentication, Azure ACS Authentication
Claims Authentication
First things first: understanding Authentication vs Authorization.
Authentication is the process of validating a user’s identity.
(SharePoint itself never performs authentication, btw; it trusts whichever identity provider you configure)
Authorization is the process of deciding which resources & functionality an authenticated user has access to.
Claims Authentication
Q. What’s a Claim?
A. A piece of info describing a user:
- Name: Jane Doe
- Email: jane.doe@organization.com
- Group/Role membership: HR
- Age: 24
- Hire Date: 12/10/2013
- etc.
Claims Authentication
Q. Why do we say “claim” and not “attribute”?
A. Consider:
- Both Facebook and Microsoft have an Age attribute
- Facebook claims the user is 18 while Microsoft claims the user is 35
In order to make authorization decisions, your app needs to decide which “claim” it will trust.
Claims Authentication
How Claims works (the techy diagram):
Claims Authentication
How Claims works (layman’s terms):
You check in at the Airport (SharePoint)
(Authentication)
- present credentials (Passport)
- credentials are validated by security guard
You receive a boarding pass
(Authorization)
- Seat, Frequent Flyer, Gate etc.
Claims Authentication
More on the details of claims (great party trivia!):
http://yalla.itgroove.net/2012/11/claims-based-authentication-in-sharepoint-2010/
Forms Based Authentication
OPTION A – Roll your own
Setting up a basic Forms Authentication implementation
http://blogs.visigo.com/chriscoulson/configuring-forms-based-authentication-insharepoint-2013-part-1-creating-the-membership-database/
Details the configuration required to enable basic Forms Authentication in your SharePoint 2013 farm
SharePoint 2013 FBA Pack
http://sharepoint2013fba.codeplex.com/
Open source add-on to the basic Forms plumbing that adds extra options in SharePoint site settings & web parts for user management, password reset, etc.
Forms Based Authentication
OPTION A – Roll your own
Demo
Forms Based Authentication
OPTION B – 3rd Party Vendors
- FBA Suite
- ExCM 2013
- Extradium
- Envision IT Extranet User Manager for SharePoint
- itgroove
.. and more.
Forms Based Authentication
Functionality to consider when planning Forms Auth:
• Password Policies – Minimum length, complexity, expiry, re-use of old PW
• Login Details – Failed login lockout criteria, remember PW
• Self-service – Resetting PW, forgotten PW retrieval
• Branding – Styling of login & user-facing web pages
• Data Store – Database encryption, reporting & user auditing
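One way the checklist above maps onto an actual roll-your-own configuration, as an added example that is not from the deck or the linked walkthrough: the script registers an ASP.NET SqlMembershipProvider on a SharePoint 2013 web application through SPWebConfigModification (so the change is farm-tracked rather than hand-edited into web.config), with the password policy, lockout, self-service and storage settings the slide lists. The web application URL, provider name and connection string name are assumptions.

```powershell
# Added example: register a SqlMembershipProvider for SharePoint 2013 FBA and map the
# planning checklist onto its attributes. URL, provider and connection string names
# are assumptions; the <connectionStrings> entry must already exist in web.config.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl      = "https://extranet.contoso.com"   # assumed extranet web application
$providerName   = "FBAMembershipProvider"          # assumed provider name
$connStringName = "FBAConnectionString"            # assumed connection string name

# Checklist -> SqlMembershipProvider attribute:
#   Password Policies -> minRequiredPasswordLength / minRequiredNonalphanumericCharacters
#   Login Details     -> maxInvalidPasswordAttempts / passwordAttemptWindow (lockout)
#   Self-service      -> enablePasswordReset (reset) vs enablePasswordRetrieval (retrieval)
#   Data Store        -> passwordFormat="Hashed" so the SQL store never holds clear-text passwords
# Expiry and "no re-use of old passwords" are NOT built into SqlMembershipProvider;
# that gap is what the FBA Pack or a 3rd-party product fills.
$providerXml = @"
<add name="$providerName"
     type="System.Web.Security.SqlMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
     connectionStringName="$connStringName"
     applicationName="/"
     passwordFormat="Hashed"
     minRequiredPasswordLength="12"
     minRequiredNonalphanumericCharacters="1"
     maxInvalidPasswordAttempts="5"
     passwordAttemptWindow="15"
     enablePasswordRetrieval="false"
     enablePasswordReset="true"
     requiresQuestionAndAnswer="false"
     requiresUniqueEmail="true" />
"@

$webApp = Get-SPWebApplication $webAppUrl

$mod = New-Object Microsoft.SharePoint.Administration.SPWebConfigModification
$mod.Path     = "configuration/system.web/membership/providers"
$mod.Name     = "add[@name='$providerName']"   # XPath match keeps the change idempotent
$mod.Sequence = 0
$mod.Owner    = "FBA-PasswordPolicy"           # tag used to find/remove this change later
$mod.Type     = [Microsoft.SharePoint.Administration.SPWebConfigModification+SPWebConfigModificationType]::EnsureChildNode
$mod.Value    = $providerXml

# Drop any earlier modification from this owner before adding the new one
$old = @($webApp.WebConfigModifications | Where-Object { $_.Owner -eq $mod.Owner })
foreach ($o in $old) { [void]$webApp.WebConfigModifications.Remove($o) }

[void]$webApp.WebConfigModifications.Add($mod)
$webApp.Update()
$webApp.WebService.ApplyWebConfigModifications()   # pushes web.config changes to every front end

# SharePoint 2013 FBA also needs the same provider registered in the Central
# Administration and SecurityTokenServiceApplication web.config files (covered by the
# deck's linked walkthrough); this script touches only the content web application.
```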
Azure ACS Authentication
Cloud-based Microsoft Identity provider
www.WindowsAzure.com
Management Console:
https://manage.windowsazure.com
Azure ACS Authentication
- Allows Claims authentication against popular identity providers like Google, Microsoft, Yahoo, Facebook etc.
- Is a $ free service $ as part of your overall Windows Azure account
- Initial setup in SharePoint is performed via a PowerShell script that sets up a certificate, defines what Claims to use, and defines your providers
- Once the SharePoint web app is married to the Azure ACS Access Control Namespace, we then go to the web app settings in SharePoint Central Administration and enable the new Identity Provider we’ve created
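The three PowerShell steps described above (certificate, claims, provider), as an added example rather than the deck's own script: it registers an Azure ACS namespace as a trusted identity token issuer on SharePoint 2013. The namespace name, realm, certificate path and web application URL are assumptions; the certificate is the ACS token-signing certificate downloaded from the namespace's management portal.

```powershell
# Added example: trust an Azure ACS namespace as a SharePoint 2013 identity provider.
# Namespace, realm and certificate path are assumptions; replace them with your own.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$acsNamespace = "contoso-extranet"            # assumed ACS Access Control Namespace
$realm        = "urn:sharepoint:extranet"     # must equal the relying party realm configured in ACS
$signInUrl    = "https://$($acsNamespace).accesscontrol.windows.net/v2/wsfederation"
$certPath     = "C:\certs\acs-token-signing.cer"   # assumed path; public key of the ACS signing cert
$issuerName   = "Azure ACS"

# 1. Certificate: SharePoint accepts only SAML tokens signed by this certificate, so a
#    token from any other issuer (or a rotated ACS cert you have not imported) is rejected.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
New-SPTrustedRootAuthority -Name "$issuerName Token Signing" -Certificate $cert | Out-Null

# 2. Claims: pick which incoming claims SharePoint will use. Email is the identifier claim,
#    so only providers that actually issue an email address can sign a user in (the deck's
#    Live ID caveat: it returns only an opaque identifier). The identityprovider claim
#    records which provider vouched for the user, which is useful for auditing later.
$emailClaim = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "Email" -SameAsIncoming
$idpClaim = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider" `
    -IncomingClaimTypeDisplayName "IdentityProvider" -SameAsIncoming

# 3. Provider: register ACS as a trusted identity token issuer for this realm.
$issuer = New-SPTrustedIdentityTokenIssuer -Name $issuerName `
    -Description "Azure ACS federated sign-in for the extranet" `
    -Realm $realm -ImportTrustCertificate $cert `
    -ClaimsMappings $emailClaim,$idpClaim `
    -SignInUrl $signInUrl `
    -IdentifierClaim $emailClaim.InputClaimType

# Sanity check: the issuer exists and points at the expected ACS endpoint and realm.
Get-SPTrustedIdentityTokenIssuer -Identity $issuerName |
    Select-Object Name, ProviderUri, ProviderRealms, IdentityClaimTypeInformation

# The last step stays in Central Administration: Manage web applications ->
# Authentication Providers -> tick "$issuerName" under Trusted Identity providers
# for the extranet zone, leaving the existing Windows provider enabled for staff.
```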
Further references for configuring Azure ACS:
http://msdn.microsoft.com/en-us/library/gg429788.aspx
http://dannyjessee.com/blog/index.php/2012/11/using-azure-acs-to-sign-in-tosharepoint-2013-with-facebook/
http://robbincremers.me/2012/02/22/using-windows-azure-access-control-service-to-provide-a-single-sign-on-experience-with-popular-identity-providers/
http://blogs.msdn.com/b/mvpawardprogram/archive/2011/06/17/mvps-forsharepoint-2010-using-azure-acs-v2-to-authenticate-external-systems-users.aspx
Pros & Cons of Forms Based Auth
YAY
- Easy to remove user accounts when they need to be put out to pasture
- Direct control of the login branding and user experience end-to-end
- Can be completely on-premise and self-contained, reading from a SQL database that your organization controls. Great for Government/Orgs with privacy requirements
- Allows a “sticky” login session stickhandled by cookies, as compared to the default NTLM experience which tends to be screwy on Chrome/Firefox/iPads etc.
- Can inherit AD policies such as password complexity rules
NAY
- Typically requires low-level configuration and mucking about in SharePoint guts, e.g. web.config
- Users are stored in a SQL database which is decoupled from your main AD; this can make reconciling profile properties later hard
- For a truly robust Forms auth implementation, you will likely want to go 3rd party, which involves $ and careful evaluation of product/service offerings
Pros & Cons of Azure ACS Auth
YAY
- Hosted in the Cloud (stability, global data center redundancy, support)
- Free service as part of your overall Azure account
- Can be coordinated with an overall hybrid Active Directory/Office 365 strategy
- Extremely easy user adoption – users can log in with their existing, familiar identity providers
NAY
- Hosted in the Cloud (privacy and data ownership concerns)
- Complex to set up for different identity providers – Facebook, for example, requires signing up for a Facebook Dev account and creating a Facebook Application
- The Live ID identity provider is ironically the biggest deadbeat of the bunch, as it returns the username as gobbledygook. Extra coding is required to get the SharePoint username claim right.
- The identity providers hold the key to users’ access to SharePoint – when it comes time to retire a user, your only privilege is to remove their SharePoint user rights, leaving potential gaps, as it’s hard to audit SharePoint user access rights out of the box
Keith Tuomi
Email: ktuomi@itgroove.net
Blog: http://yalla.itgroove.net
Twitter: @itgroove_keith


Editor's Notes

  1. A user profile is composed of a set of user properties. Each user property provides an item of information related to a user. User property values can come from directory services, business systems, or user input. You can configure some properties so that they can be exported to a directory service. Many of the decisions that you make in planning user profiles are about which user properties to include and how their values are set