Welcome to SharePoint Saturday Houston
• Please turn off all electronic devices or set them to vibrate
• If you must take a phone call, please do so in the hall so as not to disturb others
• Special thanks to our Title Sponsor, ProSymmetry
Thank you for being a part of the 5th Annual SharePoint Saturday for the greater Houston area!
Information
• Speaker presentation slides should be available from the SPSHOU website within a week or so
• The Houston SharePoint User Group will be having its next meeting Wednesday April 15th. Please join us at www.h-spug.org
About Me
Eric Shupps
CKS:DEV, The SharePoint Cowboy, Patterns & Practices
www.sharepointcowboy.com | [email protected] | facebook.com/sharepointcowboy | @eshupps
What is OAuth?
• Open standard for app integration and authorization
• Authentication independent
• “Valet Key”
 – Access
 – Permissions
Security
•
 – HTTPS also supported (and preferred by many)
•
 – Man in the Middle
 – Private keys
 – Session fixation
 – Covert redirect
Roles
• Resource Owner: grants access to a protected resource
• Resource Server: hosts the protected resource and accepts access requests
• Client: application making protected resource requests on behalf of the resource owner
• Authorization Server: issues access tokens
Flow
Participants: Client, Resource Owner, Authorization Server, Resource Server
1. Client → Resource Owner: Authorization Request
2. Resource Owner → Client: Authorization Grant
3. Client → Authorization Server: Authorization Grant
4. Authorization Server → Client: Access Token
5. Client → Resource Server: Access Token
6. Resource Server → Client: Protected Resource
Three Legged Authorization
Participants: User, App, Provider
1. User requests access
2. App requests Request Token
3. Provider returns Request Token
4. App builds authlink w/ Request Token
5. User requests URL + Request Token
6. Provider returns access token
7. User requests URL + Access Token
8. App validates access token
9. Access token validated
10. User granted access
Two Legged Authorization
Participants: User, App, Provider
1. User requests access
2. App requests Access Token
3. Provider returns Access Token
4. App builds authlink w/ Access Token
5. User requests URL + Access Token
6. App validates access token
7. Access token validated
8. User granted access
Concepts
• Identity Provider: manages identity information for principals (STS)
• Security Token Service: handles requests for trusted identity claims
• Identity Token Issuer: identity provider associated with a web application
• Security Token Issuer: trusted resource (farm, server, etc.)
• Metadata Endpoint: resource information and signing certificate (JSON)
• Request Token: used to request permission to a protected resource
• Access Token: used by the App to access a resource on behalf of the user
• Realm: operation scope for authorization
• Azure ACS: cloud-based security token service (IP-STS)
Configuration - Certificates
Consumer:
1. Export Root & STS Certificates
2. Copy Certificates
3. Import root certificate(s) and create trusted root authority
Provider:
1. Export Root Certificate
2. Copy Certificates
3. Import STS Certificate
4. Create Trusted Service Token Issuer
5. Import root certificate(s) and create trusted root authority
Configuration - Metadata
Consumer:
1. Create Trusted Root Authority
2. Set Authentication Realm
3. Create Trusted Security Token Issuer
4. Create App Principals
Provider:
1. Create Trusted Root Authority
2. Create Trusted Security Token Issuer
Context
On Premise:
1. User browses to App
2. SP returns parameters
3. Browser POSTs parameters to App
4. App requests access token from SP
5. SP validates S2S trust
6. App establishes context
Online:
1. User browses to app
2. SP gets request token from ACS
3. SP sends request tokens to browser
4. Browser POSTs request token to app
5. App requests access token from ACS
6. ACS provides access token
7. App establishes context
Token Management
On Premise:
1. Get request parameters
2. Get claims from Windows identity
3. Get access token with S2S
4. Establish client context
Online:
1. Get POST parameters from SP
2. Parse out Context Token
3. Read and validate context token
4. Get access token
5. Get client context from SP with access token
Request Token
{
  "aud": "c7f21d1e-95df-41df-a2e0-a2e29ad2f62b/localhost:44305@2ae1caa2-a173-4989-b8f5-9da45655b8f4",
  "iss": "00000001-0000-0000-c000-000000000000@2ae1caa2-a173-4989-b8f5-9da45655b8f4",
  "nbf": 1398292956,
  "exp": 1398336156,
  "appctxsender": "00000003-0000-0ff1-ce00-000000000000@2ae1caa2-a173-4989-b8f5-9da45655b8f4",
  "appctx": "{\"CacheKey\":\"082e7cPwbER/1hDi2XQ9knd0+yBxexLQr4NGa2/OeQ8=\",\"SecurityTokenServiceUri\":\"https://accounts.accesscontrol.windows.net/tokens/OAuth/2\"}",
  "refreshtoken": "IAAAAL-NR6oQnFU49avbpq7mAhglyGqBvmT3YF8_DGO88fIAIXioxAllnYe0XHr-rb_RDk8X8iqc4gmcyBjpV8E-uVgRG9d6j-IvQQ8qtk2acNXaJ3JpuFKNRhAJoOGOep1i3XGi5jX3Z1u5MzyjmHv2VBGJFEhYtc99TGlZTDIFTqlJmDcxcMAjLZWnY5sMBr-B5IRvl5Cw6l2hvqolj3R2hJ9mPDpVQ4l0l-v28wK6OLi57wPpKAUWlbcRCxmC6oGggdkkF2OEoxujZvZSCCG05YQaS2Z1w_Gphgu5kcYfwVU27bAYfsq3TcA8W0sIt_lUxvD3Lg3mGLr_X5JoTw-t28g",
  "isbrowserhostedapp": "true"
}
Claim annotations from the slide:
• aud: Client ID / App URL @ Tenant ID
• iss: Azure ACS @ Tenant ID
• nbf / exp: Start / End
• appctxsender: SharePoint @ Tenant ID
• appctx CacheKey: User ID + Issuer + App + Realm
• appctx SecurityTokenServiceUri: IP-STS URL
• refreshtoken: Token sent to IP-STS (Azure ACS)
• isbrowserhostedapp: Browser or Event Receiver
Access Token
{"typ":"JWT","alg":"RS256","x5t":"kriMPdmBvx68skT8-mPAB3BseeA"}.
{
  "aud": "00000003-0000-0ff1-ce00-000000000000/binarywaveinc.sharepoint.com@2ae1caa2-a173-4989-b8f5-9da45655b8f4",
  "iss": "00000001-0000-0000-c000-000000000000@2ae1caa2-a173-4989-b8f5-9da45655b8f4",
  "nbf": 1400013357,
  "exp": 1400056557,
  "nameid": "1003000086ad02d6",
  "actor": "c90047b7-392a-42e7-8c52-65afa92e5d0d@2ae1caa2-a173-4989-b8f5-9da45655b8f4",
  "identityprovider": "urn:federation:microsoftonline"
}
Claim annotations from the slide:
• aud: SharePoint Host Web @ Tenant ID
• iss: Azure ACS @ Tenant ID
• nbf / exp: Start / End
• nameid: UPN
• actor: Tenant ID (the realm after the @)
• identityprovider: STS ID
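The claim checks a relying party makes on a token laid out like the one above (audience host, realm agreement across aud/iss/actor, nbf/exp window), as an added Python example that is not from the deck. The sample realm, hostname, client ID and user ID are constructed placeholders, and RS256 signature verification against the certificate from the metadata endpoint is assumed to have happened before this step.

```python
import base64
import json

# Constructed sample values, not the deck's real token; the claim layout follows the access
# token above: aud "principal/host@realm", iss "acs-id@realm", nbf/exp epoch, actor "client-id@realm".
REALM = "11111111-2222-3333-4444-555555555555"
SAMPLE_CLAIMS = {
    "aud": "00000003-0000-0ff1-ce00-000000000000/contoso.example@" + REALM,
    "iss": "00000001-0000-0000-c000-000000000000@" + REALM,
    "nbf": 1400013357, "exp": 1400056557,
    "nameid": "1003000086ad02d6",
    "actor": "c0ffee00-0000-4000-8000-000000000001@" + REALM,
    "identityprovider": "urn:federation:microsoftonline",
}

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(segment):
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_sample_token(claims):
    # header.payload.signature with a dummy signature; real tokens are RS256-signed by ACS.
    header = {"typ": "JWT", "alg": "RS256", "x5t": "constructed-thumbprint"}
    parts = [json.dumps(header).encode(), json.dumps(claims).encode(), b"dummy-signature"]
    return ".".join(b64url_encode(p) for p in parts)

def split_realm(value):
    # "principal@realm" -> (principal, realm); a missing realm is an error, never a match.
    principal, sep, realm = value.rpartition("@")
    if not sep or not principal or not realm:
        raise ValueError("claim lacks principal@realm form: " + value)
    return principal, realm

def validate_claims(token, expected_host, expected_realm, now, skew=300):
    """Return the claims if aud/iss/actor/nbf/exp agree with the expected host and realm.
    Assumes the RS256 signature was already verified with the signing certificate from the
    metadata endpoint; only the claim set is checked here."""
    header, claims = (json.loads(b64url_decode(s)) for s in token.split(".")[:2])
    if header.get("alg") != "RS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    aud_principal, aud_realm = split_realm(claims["aud"])
    realms = {aud_realm, split_realm(claims["iss"])[1], split_realm(claims["actor"])[1]}
    if aud_principal.partition("/")[2] != expected_host or realms != {expected_realm}:
        raise ValueError("audience host or realm mismatch")
    if not (claims["nbf"] - skew <= now <= claims["exp"] + skew):
        raise ValueError("token outside its nbf/exp window")
    return claims
```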
Resources
• OAuth Working Group: http://oauth.net/
• OAuth Resource Guide: http://bit.ly/14CWPNb
• Authorization and authentication for apps in SharePoint 2013: http://bit.ly/16f8WFh
• Setting up an OAuth trust between farms in SharePoint 2013: http://bit.ly/12Yr7e3
• Plan for server-to-server authentication in SharePoint 2013: http://bit.ly/1chAgFl
• What’s new in authentication for SharePoint 2013: http://bit.ly/1e6KaYv
• Creating High-Trust apps with S2S: http://bit.ly/18RL8uL
• Using O365 to Authorize On-Premise Apps: http://bit.ly/1fvv1Bo
• Demos: http://bit.ly/1z6gohH
• Slides: http://bit.ly/1IUADUN