SharePoint External Login Access Forms Authentication vs Azure ACS

Published on February 24, 2014

Author: itgrooveservices



It’s a common desire to let external vendors, partners, clients & other users into your SharePoint portal in a controlled, secure way. Here are two options for doing so: Forms Authentication and Azure ACS.

We will dig into the pros and cons of both login architectures without getting too technical, allowing you to walk away with a good understanding of what features and options are available to you.

SharePoint External Login Access – Forms Authentication vs Azure ACS

Things I will be talking about:
- Extranet scenarios in SharePoint
- Claims Authentication
- Forms Based Authentication
- 3rd party vendor options for Forms Based Auth
- Azure ACS Authentication
- Pros & Cons of Forms Based Auth vs Azure ACS

What’s an Extranet? Controlled access from external networks

Extranet Requirements
o What do you REALLY need?
• Who needs access to your SharePoint?
• How sensitive is the data?
• How important is ease of access?
• How important is ease of user management?

Extranet Requirements
o Who needs access?
Internal employees = Active Directory, Azure Active Directory
External users (clients, partners, consultants) = Active Directory, Forms Based Authentication, Azure ACS Authentication

Claims Authentication
First things first: understanding Authentication vs Authorization.
Authentication is the process of validating a user’s identity. (SharePoint never performs authentication, btw.)
Authorization is the process of deciding which resources & functionality an authenticated user has access to.

Claims Authentication
Q. What’s a Claim?
A. A piece of info describing a user:
- Name: Jane Doe
- Email
- Group/Role membership: HR
- Age: 24
- Hire Date: 12/10/2013
- etc.

Claims Authentication
Q. Why do we say “claim” and not “attribute”?
A. Consider:
- Both Facebook and Microsoft have an Age attribute
- Facebook claims the user is 18 while Microsoft claims the user is 35
In order to make authorization decisions, your app needs to decide which “claim” it will trust.

Claims Authentication How Claims works (the techy diagram):

Claims Authentication
How Claims works (layman’s terms):
You check in at the Airport (SharePoint) (Authentication)
- present credentials (Passport)
- credentials are validated by security guard
You receive a boarding pass (Authorization)
- Seat, Frequent Flyer, Gate etc.

Claims Authentication More on the details of claims (great party trivia!):

Forms Based Authentication
OPTION A – Roll your own
- Setting up a basic Forms Authentication implementation: details the config required to enable basic Forms Authentication in your SharePoint 2013 Farm
- SharePoint 2013 FBA Pack: open source add-on to the basic Forms plumbing that adds extra options in SharePoint site settings & web parts for user management, password reset, etc.

Forms Based Authentication OPTION A – Roll your own Demo

Forms Based Authentication
OPTION B – 3rd Party Vendors
- FBA Suite
- ExCM 2013
- Extradium
- Envision IT Extranet User Manager for SharePoint
- itgroove
.. and more.

Forms Based Authentication
Functionality to consider when planning Forms Auth:
• Password Policies – Minimum length, complexity, expiry, re-use of old PW
• Login Details – Failed login lockout criteria, remember PW
• Self-service – Resetting PW, forgotten PW retrieval
• Branding – Styling of Login & User facing web pages
• Data Store – Database encryption, reporting & User auditing

Azure ACS Authentication Cloud based Microsoft Identity provider Management Console:

Azure ACS Authentication
- Allows Claims authentication against popular identity providers like Google, Microsoft, Yahoo, Facebook etc.
- Is a $ free service $ as part of your overall Windows Azure account
- Initial setup in SharePoint is performed via a PowerShell script that sets up a certificate, defines what Claims to use, and defines your providers
- Once the SharePoint web app is married to the Azure ACS Access Control Namespace, we then go to the web app settings in SharePoint Central Administration and enable the new Identity Provider we’ve created
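The PowerShell setup described above, sketched as an added example (not code from the original slides). The namespace, realm, certificate path and provider name are placeholders, and email is assumed as the identifier claim.

```powershell
# Added example: register an Azure ACS namespace as a trusted identity provider.
# Run in the SharePoint 2013 Management Shell as a farm administrator.
# Every value in this first block is a placeholder (assumption), not from the slides.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$acsNamespace = "contoso-extranet"                  # placeholder ACS namespace
$realm        = "urn:sharepoint:extranet"           # must equal the relying party realm set in ACS
$certPath     = "C:\certs\acs-token-signing.cer"    # public token-signing cert exported from ACS
$signInUrl    = "https://${acsNamespace}.accesscontrol.windows.net/v2/wsfederation"

# 1. Certificate: SharePoint only accepts tokens signed by a key it trusts.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    # An expired signing cert breaks every external login at once; catch it up front.
    throw "Token-signing certificate expires $($cert.NotAfter); renew it before trusting it."
}
New-SPTrustedRootAuthority -Name "ACS token signing ($acsNamespace)" -Certificate $cert | Out-Null

# 2. Claims: map only the claims you intend to authorize on.
#    The identifier claim must be one that every enabled provider actually emits.
$emailClaim = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "Email" -SameAsIncoming

# 3. Provider: create the trusted identity token issuer that points at ACS.
New-SPTrustedIdentityTokenIssuer -Name "ACS Extranet" `
    -Description "Azure ACS federation for external users" `
    -Realm $realm -ImportTrustCertificate $cert `
    -ClaimsMappings $emailClaim -SignInUrl $signInUrl `
    -IdentifierClaim $emailClaim.InputClaimType

# The new provider is then enabled per web application in Central Administration.
```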

Azure ACS Authentication Further references for configuring Azure ACS: provide-a-single-sign-on-experience-with-popular-identity-providers/

Pros & Cons of Forms Based Auth

YAY
- Easy to remove user accounts when they need to be put out to pasture
- Direct control of the login branding and user experience end-to-end
- Can be completely on-premise and self-contained, reading from a SQL database that your organization controls. Great for Government/Orgs with privacy requirements
- Allows a “sticky” login session stickhandled by cookies as compared to the default NTLM experience which tends to be screwy on Chrome/Firefox/iPads etc.
- Can inherit AD policies such as password complexity rules

NAY
- Typically requires low level configuration and mucking about SharePoint guts e.g. web.config
- Users are stored in a SQL database which is decoupled from your main AD, can make reconciling profile properties later hard
- For a truly robust Forms auth implementation, you will likely want to go 3rd party which involves $ and careful evaluation of product/service offerings

Pros & Cons of Azure ACS Auth

YAY
- Hosted in the Cloud (stability, global data center redundancy, support)
- Free service as part of your overall Azure account
- Can be coordinated with an overall hybrid Active Directory/Office 365 strategy
- Extremely easy user adoption – users can log in with their existing, familiar identity providers

NAY
- Hosted in the Cloud (privacy and data ownership concerns)
- Complex to set up for different identity providers – Facebook for example requires signing up for a Facebook Dev account and creating a Facebook Application
- The Live ID identity provider is ironically the biggest deadbeat out of the bunch as it returns the username as gobbledygook. In order to get the SharePoint username claim right, extra coding is required.
- The identity providers hold the key to users’ access to SharePoint – when it comes time to retire a user your only privilege is to remove their SharePoint user rights, leaving potential gaps as it’s hard to audit SharePoint user access rights out of the box
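One way to narrow the audit gap noted in the last point, as an added example (not part of the original slides): it lists every account that reached SharePoint through the trusted provider, with its groups, so retired external users can be found and removed. The issuer name and output path are placeholders.

```powershell
# Added example: inventory accounts that sign in through the trusted (ACS) provider.
# Run in the SharePoint 2013 Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$issuerName = "ACS Extranet"   # placeholder: name of your trusted identity token issuer

# Claims-encoded logins from a trusted provider look like:
#   i:0<claim type char>.t|<issuer name>|<identifier value>
# e.g. i:05.t|acs extranet|jane@example.com   (constructed sample)
$pattern = '^i:0.\.t\|' + [regex]::Escape($issuerName) + '\|'

$report = foreach ($site in Get-SPSite -Limit All) {
    try {
        foreach ($user in $site.RootWeb.SiteUsers) {
            if ($user.LoginName -match $pattern) {   # -match is case-insensitive
                [pscustomobject]@{
                    SiteCollection = $site.Url
                    Login          = $user.LoginName
                    DisplayName    = $user.Name
                    IsSiteAdmin    = $user.IsSiteAdmin
                    Groups         = ($user.Groups | ForEach-Object { $_.Name }) -join "; "
                }
            }
        }
    }
    finally {
        $site.Dispose()   # SPSite objects hold unmanaged resources
    }
}

# One row per user per site collection; review against the list of current partners.
$report | Sort-Object Login, SiteCollection |
    Export-Csv -Path .\acs-external-users.csv -NoTypeInformation
```

SiteUsers only contains accounts that were granted access by name or have signed in at least once, so access granted through a role or group claim will not appear in this report.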

Keith Tuomi Email: Blog: Twitter: @itgroove_keith
