Ping Identity

Microsoft Office SharePoint Server

PingFederate ®

SharePoint And PingFederate


Table of Contents

Audience ... 1
Overview ... 1
  SharePoint 2010 ... 1
  Claims Aware ... 1
SharePoint 2010 Scenarios ... 2
  Scenario-1: SharePoint 2010 as Service Provider (WS-Fed natively) ... 2
    Description ... 2
    Customer Scenarios ... 3
    Setting up SharePoint to be Claims Aware ... 3
    Setting up PingFederate ... 3
    Consuming WS-Federation metadata ... 3
  Scenario-2: PingFederate Integration Kit for SharePoint ... 3
    Description ... 3
Microsoft Office SharePoint (MOSS) 2007 Scenarios ... 4
  Scenario-3: PingFederate Integration Kit for MSS 3.0 and MOSS 2007 ... 4
    Description ... 4
    Customer Scenarios ... 4
  Scenario-4: Microsoft Federation Extensions for SharePoint 3.0 ... 4
    Description ... 4
    Customer Scenarios ... 5
    Setup ... 5
Frequently Asked Questions ... 7

About Tech Notes

Ping Identity Corporation publishes Tech Notes periodically to give our customers insight into configuration, deployment, prototypes, or use cases that are not part of the main product manual or basic product deployment.

Disclaimer

This document is proprietary and not for general publication. It may be provided ad hoc for informational purposes only, and the information herein is subject to change without notice. Ping Identity does not provide any warranties and specifically disclaims any liability in connection with this document. Note that Ping Identity may not provide support for any sample configurations provided in this document. The variability inherent among security environments prevents full testing and support for all possible platform configurations. If you need special assistance or would like to inquire about implementation or support programs, please contact Ping Identity Global Client Services (support.pingidentity.com).

Contact Information

Ping Identity Corporation
1099 18th Street, Suite 2950
Denver, CO 80202 U.S.A.
Phone: 877.898.2905 (+1 303.468.2882 outside North America)
Fax: 303.468.2909
E-mail: [email protected]
Web Site: http://www.pingidentity.com

© 2011 Ping Identity Corporation. All rights reserved. March, 2011


Audience

This document is intended for Ping Identity solutions architects and support staff. It is not intended as a customer communication.

Overview

Microsoft SharePoint Server is one of the most popular enterprise products in the Microsoft stable. Many of our corporate customers use SharePoint both for internal collaboration and communication and to provide a capability for partner collaboration.

Note: This document does not include marketing or competitive positioning; it focuses on the technical aspects of interoperating with MOSS and on typical use cases.

SharePoint 2010

The primary new capability in SharePoint 2010 is the inclusion of Windows Identity Foundation (WIF) functionality, which makes it possible for SharePoint 2010 to participate directly in WS-Federation use cases as a full-fledged Service Provider (SP). SharePoint 2010 can be configured to accept authentication assertions from multiple Identity Providers (IdPs), and can even provide explicit IdP discovery so that users can be directed to the appropriate IdP.

Claims Aware

The new Microsoft identity strategy revolves around the concept of making all applications “claims aware”. A claims aware application is able to read claims from a standard .Net IPrincipal object. These claims both declare the identity of the user accessing the application and provide attributes (claims) about that user. How these attributes are provided or verified is outside the scope of the application; that is the scope of Windows Identity Foundation (WIF). Thus, all applications that take advantage of WIF, or of the underlying Windows Communication Framework (WCF), are claims aware by default and can take advantage of the claims that WIF/WCF places in the IPrincipal object.

WIF has a variety of mechanisms for consuming attributes and converting them to claims. WS-Trust and WS-Federation are directly supported. Thus, an application that uses WIF can consume SAML assertions from a WS-Federation interaction and use the attributes from that assertion. This is precisely what SharePoint 2010 does.

For more information on WIF and claims aware applications, refer to this whitepaper:
http://msdn.microsoft.com/en-us/library/ff423674.aspx (Guide to Claims-based Identity and Access Control)
http://msdn.microsoft.com/en-us/security/aa570351.aspx (links to blogs, whitepapers, and WIF download)

Ping Identity Tech Note

PROPRIETARY. FOR INTERNAL USE ONLY

Page 1


SharePoint 2010 Scenarios

This section defines the principal use cases in which SharePoint 2010 interoperates with PingFederate. Included with each use case is a description of the business drivers supporting this use case, and a brief overview of the topology/flow for the use case.

Scenario-1: SharePoint 2010 as Service Provider (WS-Fed natively)

Description

SharePoint 2010 can act as a complete WS-Federation SP supporting SP-initiated SSO. In this use case, PingFederate acts as an IdP, providing claims to SharePoint. The browser-based interaction begins with a user requesting access to a web application on SharePoint. SharePoint redirects the user to the identity provider associated with the web app. The identity provider authenticates the user and returns a SAML token wrapped in a WS-Federation response containing the identity and any other attributes that are associated with the connection. SharePoint then unpacks the identity and attributes from the token into an IPrincipal object, allowing the web application to make identity-based decisions about the request.

[Figure: SP-initiated WS-Federation flow between the Browser Interface, the Web App (RP), the RP/STS, the IP/STS and IdM. Labelled steps: 1 Access Resource, 2 302 Redirect, 3 Challenge for Credentials, 4 User Login, 5 Post with WS-Federation RSTR, 7 Supply Resource.]
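The two browser legs of the flow just described, as an added example written for this Tech Note's readers (it is not code from SharePoint, WIF or PingFederate). It assumes a constructed realm (urn:sharepoint:intranet), reply URL, IdP sign-in URL and token, and leaves out the XML signature verification a real relying party performs before trusting the token.

```python
# Added example (not from the Tech Note, Ping Identity or Microsoft): the browser
# legs of the passive WS-Federation flow above, as a SharePoint-style RP handles them.
# URLs, realm and token are constructed; the signature check is omitted here.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlencode

TRUST = "http://schemas.xmlsoap.org/ws/2005/02/trust"  # RSTR namespace
SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"        # SAML 1.1 token namespace
RP_REALM = "urn:sharepoint:intranet"                   # constructed wtrealm
RP_REPLY = "https://sp.example.test/_trust/"           # constructed trust endpoint
IDP_SIGNIN = "https://idp.example.test/idp/prp.wsf"    # constructed IdP sign-in URL

def build_signin_redirect(requested_url: str) -> str:
    """Step 2: the 302 Location the RP sends the browser to; wctx carries the
    originally requested URL so step 7 can send the user back there."""
    q = {"wa": "wsignin1.0", "wtrealm": RP_REALM, "wreply": RP_REPLY, "wctx": requested_url}
    return IDP_SIGNIN + "?" + urlencode(q)

def _utc(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))

def unpack_rstr(wresult: str, now: datetime) -> dict:
    """Step 5: enforce the SAML 1.1 Conditions (validity window, audience) on the
    posted RSTR and return its attributes as {claim URI: [values]}, as WIF does."""
    root = ET.fromstring(wresult)
    assertion = root.find(f".//{{{SAML1}}}Assertion")
    if assertion is None:
        raise ValueError("RSTR carries no SAML 1.1 assertion")
    cond = assertion.find(f"{{{SAML1}}}Conditions")
    if cond is None or not (_utc(cond.get("NotBefore")) <= now < _utc(cond.get("NotOnOrAfter"))):
        raise ValueError("token outside its validity window")
    if RP_REALM not in [a.text for a in cond.iter(f"{{{SAML1}}}Audience")]:
        raise ValueError("token was not issued for this realm")
    claims = {}
    for attr in assertion.iter(f"{{{SAML1}}}Attribute"):
        uri = attr.get("AttributeNamespace") + "/" + attr.get("AttributeName")
        claims[uri] = [v.text for v in attr.iter(f"{{{SAML1}}}AttributeValue")]
    return claims

def handle_signin_post(form: dict, now: datetime) -> tuple:
    """Steps 5-7: validate the form posted to wreply and return (claims, wctx)."""
    if form.get("wa") != "wsignin1.0":
        raise ValueError("not a sign-in response")
    return unpack_rstr(form["wresult"], now), form.get("wctx", "/")

# Constructed RSTR of the shape an IdP posts to SharePoint's /_trust/ endpoint.
SAMPLE_WRESULT = f"""<t:RequestSecurityTokenResponse xmlns:t="{TRUST}"><t:RequestedSecurityToken>
<saml:Assertion xmlns:saml="{SAML1}" MajorVersion="1" MinorVersion="1" AssertionID="_c0ffee" Issuer="urn:pingfederate:idp" IssueInstant="2011-03-01T10:00:00Z">
 <saml:Conditions NotBefore="2011-03-01T10:00:00Z" NotOnOrAfter="2011-03-01T10:05:00Z"><saml:AudienceRestrictionCondition>
  <saml:Audience>{RP_REALM}</saml:Audience></saml:AudienceRestrictionCondition></saml:Conditions>
 <saml:AttributeStatement><saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
  <saml:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
   <saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
  <saml:Attribute AttributeName="role" AttributeNamespace="http://schemas.microsoft.com/ws/2008/06/identity/claims">
   <saml:AttributeValue>Reader</saml:AttributeValue><saml:AttributeValue>Contributor</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion></t:RequestedSecurityToken></t:RequestSecurityTokenResponse>"""
NOW = datetime(2011, 3, 1, 10, 2, tzinfo=timezone.utc)  # inside the window above
```

Calling handle_signin_post with the constructed form yields the e-mail and role claims keyed by the WIF claim URI (AttributeNamespace/AttributeName) plus the wctx to redirect to; the same token presented after NotOnOrAfter, or carrying a different Audience, is rejected.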


Customer Scenarios

Customers who have a mature, standards-based identity management infrastructure will be the most likely to take advantage of SharePoint 2010 in native SP mode. There are, however, limitations that you should bring up with your customer:

• WS-Federation is the only protocol through which SharePoint can natively receive tokens. If the Identity Provider or providers are unable to use WS-Federation, an intermediary on the Relying Party side (i.e., PingFederate) will be needed.

• Information on how to configure SharePoint 2010 for claims aware use cases is often difficult to find. Of course this will change over time, but for now customers need to consider themselves early adopters when taking this strategy.

• This use case has been proven in the Microsoft Interop Vendor Alliance (IVA) interop lab. For information on how to set up SharePoint for this use case, please refer to the IVA white paper (in progress).

• SharePoint is not a security product. Direct federations between an internal application and an external entity may be frowned upon by corporate security teams.

Setting up SharePoint to be Claims Aware

The latest details and known issues around setting up SharePoint are in a Product Management wiki located at SharePoint 2010 Cookbook. Please feel free to update it as you have the opportunity. Keep in mind that this is an internal website and is not customer accessible.

SP2010 can be set up with multiple “Federation Providers”. In theory it is possible to set up hundreds of connections to hundreds of Identity Providers directly from SharePoint; however, customers would then likely miss out on advanced federation features such as failover and redundancy, token replay security within the SharePoint server farm, and centralized management/audit.

Setting up PingFederate

Establishing PingFederate as an IdP for SharePoint 2010 is very straightforward. Simply create an SP connection on your IdP that supports WS-Federation. The Microsoft IVA white paper also reflects how this was done in the interop lab.

Consuming WS-Federation metadata

SharePoint 2010 advertises a URL containing WS-Federation metadata in XML format. This URL can be used within PingFederate to simplify the work of setting up a connection to SharePoint.
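An added example (not Ping Identity's or Microsoft's code) of consuming such a metadata document: it pulls out the realm, the passive endpoint and the requested claim types that an IdP-side connection needs, from a constructed document in the WIF federation-metadata layout. The element names and values below are assumptions about that layout, not captured from a real farm.

```python
# Added example (not Ping Identity's or Microsoft's code): read a WS-Federation
# metadata document of the shape a WIF-based relying party such as SharePoint 2010
# publishes and extract what an IdP connection needs. The metadata is constructed;
# a real deployment fetches it over TLS or verifies its signature before trusting it.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
    "auth": "http://docs.oasis-open.org/wsfed/authorization/200706",
    "wsa": "http://www.w3.org/2005/08/addressing",
}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

def parse_rp_metadata(xml_text: str) -> dict:
    """Return realm, passive endpoint, target scopes and requested claims (split into
    required and optional) from the single ApplicationServiceType role."""
    root = ET.fromstring(xml_text)
    roles = [r for r in root.findall("md:RoleDescriptor", NS)
             if (r.get(XSI_TYPE) or "").endswith("ApplicationServiceType")]
    if len(roles) != 1:
        raise ValueError("expected exactly one WS-Federation relying-party role")
    role = roles[0]
    endpoint = role.findtext("fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address", namespaces=NS)
    if not endpoint or not endpoint.startswith("https://"):
        raise ValueError("passive endpoint missing or not https: %r" % endpoint)
    claims = role.findall("fed:ClaimTypesRequested/auth:ClaimType", NS)
    return {
        "realm": root.get("entityID"),
        "passive_endpoint": endpoint,
        "target_scopes": [a.text for a in role.findall("fed:TargetScopes/wsa:EndpointReference/wsa:Address", NS)],
        "required_claims": [c.get("Uri") for c in claims if c.get("Optional", "true").lower() == "false"],
        "optional_claims": [c.get("Uri") for c in claims if c.get("Optional", "true").lower() != "false"],
    }

# Constructed metadata in the WIF layout (not captured from a real SharePoint farm).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
  xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"
  xmlns:wsa="http://www.w3.org/2005/08/addressing"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" entityID="urn:sharepoint:intranet">
 <md:RoleDescriptor xsi:type="fed:ApplicationServiceType"
   protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
  <fed:ClaimTypesRequested>
   <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" Optional="false"/>
   <auth:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" Optional="true"/>
  </fed:ClaimTypesRequested>
  <fed:TargetScopes><wsa:EndpointReference><wsa:Address>https://sp.example.test/</wsa:Address></wsa:EndpointReference></fed:TargetScopes>
  <fed:PassiveRequestorEndpoint><wsa:EndpointReference><wsa:Address>https://sp.example.test/_trust/</wsa:Address></wsa:EndpointReference></fed:PassiveRequestorEndpoint>
 </md:RoleDescriptor>
</md:EntityDescriptor>"""
```

The returned dictionary maps directly onto the SP connection fields: entityID is the wtrealm, the passive endpoint is where the RSTR is posted, and the required claims are the attributes the connection's contract must supply.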

Scenario-2: PingFederate Integration Kit for SharePoint

Description

The PingFederate Integration Kit for SharePoint (SharePoint IK) is developed using the Constrained Delegation architecture in Windows Server. Using this approach, a user is authenticated by PingFederate, and then a Kerberos ticket is created on behalf of the user. This ticket is presented to SharePoint as the authentication mechanism. Support for constrained delegation has been deprecated in SP2010, so our kit is not a solution for SharePoint 2010 customers.

Microsoft Office SharePoint (MOSS) 2007 Scenarios

Scenario-3: PingFederate Integration Kit for MSS 3.0 and MOSS 2007

Description

The PingFederate Integration Kit for SharePoint is the standard way to integrate with SharePoint prior to SharePoint 2010.

Customer Scenarios

Customers who have an existing SharePoint 2007 capability and have developed an identity solution that includes PingFederate will be most interested in our SharePoint IK. Now that SharePoint 2010 has been released, the only new MOSS instances likely to be seen are those that have become an Enterprise standard image. Those standard images are unlikely to be meddled with just to add federation. The PF integration kit allows for federation enablement without modifying legacy images and servers.

Scenario-4: Microsoft Federation Extensions for SharePoint 3.0

Description

Microsoft has released a product that acts as a federation shim between Microsoft SharePoint Server 3.0 and Microsoft Office SharePoint Server 2007. The Federated Authentication Module (or WS-FAM) provides a limited capability for older versions of SharePoint to take advantage of WS-Federation.


[Figure: WS-Federation flow with the Federated Authentication Module between the Browser Interface, the Web App (RP) with FAM, the RP/STS, the IP/STS and IdM. Labelled steps: 1 Access Resource, 2 WS-Fed 302 Redirect, 3 Challenge for Credentials, 4 User Login, 5 Post with WS-Fed Response, 7 Supply Resource.]

Customer Scenarios

Customers who have implemented a mature federation infrastructure and are now mandated, or enthusiastic, about bringing legacy applications into the fold may be interested in this approach. It allows the customer to extend the existing SharePoint infrastructure with little change to the configuration of existing SharePoint web applications. This extension appears to do the absolute minimum necessary to allow connections from SharePoint to ADFS for MOSS 2007. The federation extension's STS capabilities should be strictly limited to local token transactions, with an actual federation server product performing the internet-facing functions. Functions such as token replay prevention within a MOSS 2007 server farm do not appear to be implemented (at the least, they are not documented).
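Both this section and the note under Setting up SharePoint to be Claims Aware mention token replay security within a server farm; the added example below (not from the Tech Note or any product) shows why the check has to be shared across front ends rather than kept per node. Node names, the assertion id and the times are constructed.

```python
# Added example (not from the Tech Note or any product): why token replay prevention
# has to be farm-wide. Each front end records the AssertionIDs it has accepted until
# their NotOnOrAfter passes; with one cache per node, a token already consumed on
# wfe1 is still accepted on wfe2. Times are epoch seconds; all values constructed.

class ReplayCache:
    """Remembers accepted AssertionIDs until the token's NotOnOrAfter passes; after
    that the time check rejects the token anyway, so the entry can be dropped."""
    def __init__(self):
        self._seen = {}  # assertion_id -> not_on_or_after

    def check_and_record(self, assertion_id: str, not_on_or_after: float, now: float) -> bool:
        self._prune(now)
        if now >= not_on_or_after:
            return False          # expired: never cached, never accepted
        if assertion_id in self._seen:
            return False          # same assertion presented a second time
        self._seen[assertion_id] = not_on_or_after
        return True

    def _prune(self, now: float) -> None:
        for aid in [a for a, exp in self._seen.items() if exp <= now]:
            del self._seen[aid]

    def __len__(self) -> int:
        return len(self._seen)

class FrontEnd:
    """One web front end of the farm; accept_token is the RP/STS decision point."""
    def __init__(self, name: str, cache: ReplayCache):
        self.name, self.cache = name, cache

    def accept_token(self, assertion_id: str, not_on_or_after: float, now: float) -> bool:
        return self.cache.check_and_record(assertion_id, not_on_or_after, now)

def present_to_farm(shared_cache: bool) -> list:
    """Present one token (constructed id, 5-minute lifetime) to two front ends in
    turn, a second apart, and return each node's accept decision."""
    if shared_cache:
        cache = ReplayCache()
        nodes = [FrontEnd("wfe1", cache), FrontEnd("wfe2", cache)]
    else:
        nodes = [FrontEnd("wfe1", ReplayCache()), FrontEnd("wfe2", ReplayCache())]
    t0 = 1_300_000_000.0
    return [n.accept_token("_c0ffee", t0 + 300, t0 + i) for i, n in enumerate(nodes)]
```

present_to_farm(False) returns [True, True], the replay going unnoticed; present_to_farm(True) returns [True, False].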

Setup

The Federation Extension is added to an existing SharePoint server and provides the ability to consume WS-Federation messages from a single IdP. Any scenario more complicated than a single connection via WS-Federation to a single IdP will require a federation server. The extension has a simple standalone GUI that is not integrated in any way with SharePoint itself. Prerequisites such as Windows Identity Foundation will need to be installed – refer to the MOSS cookbook for more information.

PROPRIETARY. FOR INTERNAL USE ONLY

Page 5

PingFederate

Ping Identity Tech Note

SharePoint And PingFederate

PROPRIETARY. FOR INTERNAL USE ONLY

Page 6

PingFederate

SharePoint And PingFederate

Frequently Asked Questions

What is MOSS?
What is WSS 3.0?
Will our SharePoint Integration Kit work with MOSS 2010?
Is our SharePoint Integration Kit now defunct?
Who should use our SharePoint kit with MOSS 2010?
Who should use MOSS 2010 native WS-Federation?
Who should use the Federation Extension?
What protocols does SharePoint 2010 support?
Does SharePoint 2010 have forms for IdP discovery (aka realm discovery)?
How many Identity Providers can SharePoint/MOSS/WSS support at the same time?
Is WS-Federation the only protocol that works in SharePoint or with the MOSS/WSE Federation extensions?
What data do I need to know ahead of time to connect to SharePoint?
Can I configure federation from the SharePoint Configuration Administration screen?
Can I simultaneously support both Kerberos and federation?

What is MOSS?

Microsoft Office SharePoint Server (MOSS) was the official product name for SharePoint through the 2007 release. The previous official name was Windows SharePoint Server (WSS). The current name is simply Microsoft SharePoint.

What is WSS 3.0?

Windows SharePoint Server 3.0 was the official release of SharePoint before MOSS 2007. With the 2007 release, the name changed from WSS to MOSS as Microsoft began to highlight the Office services.

Will our SharePoint Integration Kit work with SharePoint 2010?

No. Changes in both IIS7 and SharePoint 2010 make the SharePoint Integration Kit unusable for SharePoint 2010. SharePoint 2010 customers should plan to use the built-in claims-based capabilities of SharePoint 2010.

Who should use our SharePoint Integration Kit?

Customers using versions of SharePoint prior to SharePoint 2010 should use the IIS-based SharePoint Integration Kit for PingFederate.

PROPRIETARY. FOR INTERNAL USE ONLY

Page 7

PingFederate

SharePoint And PingFederate

Who should use SharePoint 2010 native WS-Federation?

See the section above: Scenario-1: SharePoint 2010 as SP (WS-Fed natively).

Who should use the Federation Extension?

Customers that have a mature identity/federation infrastructure in place and want to migrate legacy applications, with little change to the application, may be candidates for Microsoft’s Federation Extension for SharePoint. However, our customers should be aware of the fairly significant limitations of the Federation Extension. Refer to the section Scenario-4: Microsoft Federation Extensions for SharePoint 3.0 for more information.

What protocols does SharePoint 2010 support?

SharePoint 2010 currently only supports WS-Federation. As such, only SAML 1.1 tokens can be issued, since that is the limitation of WS-Federation.

Does SharePoint 2010 have forms for IdP discovery (aka realm discovery)?

SharePoint has forms for explicit IdP discovery, meaning that a form is presented to the user with a dropdown list of supported IdPs for the user to select from. The user only needs to be able to recognize the name of his provider.

How many Identity Providers can SharePoint/MOSS/WSS support at the same time?

SharePoint 2010 can support multiple providers on a single web app. See the section Scenario-4: Microsoft Federation Extensions for SharePoint 3.0 for limitations regarding the use of multiple providers with earlier versions of SharePoint.

Is WS-Federation the only protocol that works in SharePoint or with the MOSS/WSE Federation extensions?

Yes. This is because WIF, on which the SharePoint claims engine is based, only supports WS-Federation (and WS-Trust). ADFSv2, however, does support the SAML 2.0 protocol.

What data do I need to know ahead of time to connect to SharePoint?

The PowerShell script in the SharePoint 2010 Cookbook has a section that explains exactly what information is needed to create a connection.

Can I configure federation from the SharePoint Configuration Administration screen?

Not entirely. You will need to drop down to PowerShell for SharePoint to do some of the configuration. The SharePoint 2010 Cookbook has a good script for performing all tasks in PowerShell.

Can I simultaneously support both Kerberos and federation?

Absolutely.
