
Advanced Security & ADFS

Some situations require advanced security configurations for password management, single sign-on, two-way Active Directory synchronization, user management policies, and federated security frameworks. Properly managed security is the only way to keep content trimmed to the people who should have access, and to make sure users do not lose productive time because misapplied permissions keep them out of an area they are entitled to.

We Can Help With:

  • Content-specific security
  • Role-based as well as individual security
  • Collaboration security
  • Cross Team
  • Cross Organization
  • Cross Company
  • Specific permission sets for types of access and functionality

Publishing SharePoint to the Internet typically places a reverse proxy in front of it to act as the secure endpoint. The primary purpose of this device or software-based application is pre-authentication: users authenticate at the proxy first, and only authenticated connections are forwarded to SharePoint. This stops anonymous users from reaching the servers hosting SharePoint at all, so unauthenticated traffic never touches the farm.

Related software:

Our Simple Account Manager makes management of security accounts easier!

ADFS Security Configurations

You need ADFS when you want your staff to authenticate against your domain's Active Directory and then log into an external SharePoint portal seamlessly. Microsoft's Active Directory Federation Services (ADFS) provides secure, federated identity management for SharePoint hosted at remote locations, using your internal Active Directory as the single identity source for single sign-on (SSO).

Our Services Include:

  • Configure SharePoint Web Applications
  • Install and Configure ADFS
  • Create a relying party trust
  • Configure constrained delegation
  • Publish SharePoint Web Applications in WAP
  • Verify external access to SharePoint Web Applications

Microsoft ADFS has shipped with Windows Server since Windows Server 2003 R2 Enterprise Edition. The version of ADFS included with Windows Server 2012 R2 is very different from its predecessor, and environments with a perimeter network can use Web Application Proxy (WAP) servers as the proxy rather than dedicated AD FS Proxy servers.

SharePoint Account and Resource Partner 

  • Step 1.  A user opening the home page of the web application on the resource partner (the SharePoint site) is redirected to the account partner's authentication page, unless the user already holds a signed-in session with the account partner.

  • Step 2.  The account partner authenticates the user and sends a signed token containing a series of claims about the user to the resource partner.

  • Step 3.  AD FS on the resource partner validates the token's signature and claims, and access to SharePoint is granted on the basis of the claims in the token.

  • Step 4.  SharePoint displays the sites and content that the user's claims authorize.
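The procedure listed above under Our Services Include (relying party trust, SharePoint web application configuration, WAP publishing, verification of external access) and the four-step flow just described, as an added PowerShell example. This is not code from the page, and it is not a Microsoft script: it creates the relying party trust on AD FS (Windows Server 2012 R2), registers the AD FS token-signing certificate and a trusted identity token issuer on SharePoint 2013, publishes the web application through Web Application Proxy with AD FS pre-authentication, and checks that an unauthenticated external request is redirected to AD FS instead of reaching SharePoint. All names are assumptions: adfs.contoso.com, portal.contoso.com, the realm urn:sharepoint:portal, the trust and issuer names, and the export path C:\certs\adfs-signing.cer. Each numbered section is run on the server named in its comment.

```powershell
# Added example, not from the page. Assumed names: adfs.contoso.com, portal.contoso.com,
# realm urn:sharepoint:portal, export path C:\certs\adfs-signing.cer. Run each section on the server named.

# ---------- 1. AD FS server: relying party trust for the SharePoint web application ----------
$rpName  = 'SharePoint Portal'
$rpRealm = 'urn:sharepoint:portal'                 # SharePoint sends this as wtrealm; must match -Realm in section 2
$rpReply = 'https://portal.contoso.com/_trust/'    # SharePoint's WS-Federation sign-in endpoint; trailing slash required

# Transform rule: look up mail and tokenGroups in AD for the authenticated Windows account
# and issue them as e-mail and role claims, which SharePoint maps below.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "AD attributes to SharePoint claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";mail,tokenGroups;{0}", param = c.Value);
'@
# Authorization rule: any authenticated user may obtain a token; SharePoint does the fine-grained trimming.
$authzRules = '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

Add-AdfsRelyingPartyTrust -Name $rpName -Identifier $rpRealm -WSFedEndpoint $rpReply `
    -IssuanceTransformRules $transformRules -IssuanceAuthorizationRules $authzRules

# Export the primary token-signing certificate (public key only) for import into SharePoint.
$signing = (Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }).Certificate
[IO.File]::WriteAllBytes('C:\certs\adfs-signing.cer',
    $signing.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))

# ---------- 2. SharePoint 2013 server: trust the signing certificate and define the token issuer ----------
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$signingCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\certs\adfs-signing.cer'
New-SPTrustedRootAuthority -Name 'ADFS Token Signing' -Certificate $signingCert

$emailClaim = New-SPClaimTypeMapping -IncomingClaimType 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' `
    -IncomingClaimTypeDisplayName 'Email' -SameAsIncoming
$roleClaim  = New-SPClaimTypeMapping -IncomingClaimType 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role' `
    -IncomingClaimTypeDisplayName 'Role' -SameAsIncoming

# The e-mail claim identifies the user; role claims are available for permission assignment.
$issuer = New-SPTrustedIdentityTokenIssuer -Name 'Contoso ADFS' -Description 'Federation with corporate AD FS' `
    -Realm 'urn:sharepoint:portal' -ImportTrustCertificate $signingCert `
    -ClaimsMappings $emailClaim, $roleClaim -IdentifierClaim $emailClaim.InputClaimType `
    -SignInUrl 'https://adfs.contoso.com/adfs/ls/'

# Make the trusted provider the authentication method of the web application's Default zone.
$provider = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $issuer
Set-SPWebApplication -Identity 'https://portal.contoso.com' -Zone Default -AuthenticationProvider $provider

# ---------- 3. Web Application Proxy (perimeter network): publish with AD FS pre-authentication ----------
# Only requests that AD FS has authenticated for this relying party are forwarded to the back end.
$externalCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like '*portal.contoso.com*' } | Select-Object -First 1
Add-WebApplicationProxyApplication -Name 'SharePoint Portal' -ExternalPreAuthentication ADFS `
    -ExternalUrl 'https://portal.contoso.com/' -BackendServerUrl 'https://portal.contoso.com/' `
    -ADFSRelyingPartyName 'SharePoint Portal' -ExternalCertificateThumbprint $externalCert.Thumbprint

# ---------- 4. External client (Windows PowerShell 5.1): an anonymous request must be redirected to AD FS ----------
# With -MaximumRedirection 0 a 302 is raised as an error; the Location header tells us who answered.
try {
    Invoke-WebRequest -Uri 'https://portal.contoso.com/' -MaximumRedirection 0 -ErrorAction Stop | Out-Null
    Write-Warning 'Unauthenticated request was answered directly: pre-authentication is not in effect.'
} catch {
    $location = $_.Exception.Response.Headers['Location']
    if ($location -like 'https://adfs.contoso.com/adfs/ls/*') { "Pre-authentication OK, redirected to $location" }
    else { Write-Warning "Unexpected response: $($_.Exception.Message)" }
}
```

Two details matter for the flow to work: the reply URL in the relying party trust must be SharePoint's `/_trust/` endpoint with its trailing slash, and the `-Realm` given to `New-SPTrustedIdentityTokenIssuer` must equal the `-Identifier` of the trust, because it travels as `wtrealm` in the WS-Federation redirect and AD FS uses it to select the trust. When AD FS rolls its token-signing certificate over, section 2's `New-SPTrustedRootAuthority` import has to be repeated with the new public key, or SharePoint will reject every token.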

Federated Web SSO with Forest Trust scenario 
  • Web single sign-on (SSO)
    AD FS provides Web SSO to federated partners outside your organization, which enables their users to have an SSO experience when they access your organization’s Web-based applications.

  • Interoperability
    AD FS provides a federated identity management solution that interoperates with other security products that support the WS-* Web Services Architecture. AD FS follows the WS-Federation specification (for passive clients; that is, browsers), which makes it possible for environments that do not use the Windows identity model to federate with Windows environments.

  • Partner user account management not required
    The federated partner's Identity Provider (IP) sends claims that reflect its users' identity, groups, and attribute data. Therefore, your organization no longer needs to revoke, change, or reset the credentials for the partner's users, since the credentials are managed by the partner organization. Additionally, if a partnership needs to be terminated, it can be performed with a single trust policy change. Without AD FS, individual accounts for each partner user would need to be deactivated.

  • Claim mapping
    Claims are defined in terms that each partner understands and appropriately mapped in the AD FS trust policy for exchange between federation partners.

  • Centralized federated partner management
    All federated partner management is performed using the AD FS Microsoft Management Console (MMC) snap-in.

  • Extensible architecture
    AD FS provides an extensible architecture for claim augmentation, for example, adding or modifying claims using custom business logic during claims processing. Organizations can use this extensibility to make ADFS enforce their business policies.

ADFS uses terminology from several different technologies, including certificate services, Internet Information Services (IIS), Active Directory, Active Directory Application Mode (ADAM), and Web Services (WS-*). The following table describes these terms.

Term Description

account partner

A federation partner that is trusted by the Federation Service to provide security tokens. The account partner issues these tokens to its users (that is, users in the account partner realm) so that they can access Web-based applications in the resource partner.

Active Directory Federation Services (ADFS)

A Windows Server 2003 R2 component that provides Web SSO technologies to authenticate a user to multiple Web applications over the life of a single online session. ADFS accomplishes this by securely sharing digital identity and entitlement rights across security and enterprise boundaries. ADFS in Windows Server 2003 R2 supports the WS-F PRP.

claim

A statement that an issuer makes (for example, name, identity, key, group, privilege, or capability) about a client.

claim mapping

The act of mapping, removing or filtering, or passing claims between various claim sets.

claims-aware application

An ASP.NET application that performs authorization based on the claims that are present in an ADFS security token, such as SharePoint 2010.

client account partner discovery Web page

The Web page that is used to interact with the user to determine which account partner the user belongs to when ADFS cannot automatically determine which of the account partners should authenticate the user.

federation

A pair of realms or domains that have established a federation trust.

Federation Service

A security token service that is built into Windows Server 2003 R2. The Federation Service provides tokens in response to requests for security tokens.

Federation Service Proxy

A proxy to the Federation Service in the perimeter network (also known as a DMZ or a screened subnet). The Federation Service Proxy uses WS-F PRP protocols to collect user credential information from browser clients and Web applications and send the information to the Federation Service on their behalf.

passive client

A Hypertext Transfer Protocol (HTTP) browser, capable of broadly supported HTTP, that can make use of cookies. ADFS in Windows Server 2003 R2 supports only passive clients, and it adheres to the WS-F PRP specification.

resource partner

A federation partner that trusts the Federation Service to issue claims-based security tokens. The resource partner contains published Web-based applications that users in the account partner can access.

security token

A cryptographically signed data unit that expresses one or more claims.

security token service (STS)

A Web service that issues security tokens. An STS makes assertions based on evidence that it trusts, to whoever trusts it (or to specific recipients). To communicate trust, a service requires proof, such as a signature, to prove knowledge of a security token or set of security tokens. A service itself can generate tokens or it can rely on a separate STS to issue a security token with its own trust statement. This forms the basis of trust brokering. In ADFS, the Federation Service is an STS.

server farm

In ADFS, a collection of load-balanced federation servers, federation server proxies, or Web servers hosting the ADFS Web Agent.

single sign-on (SSO)

An optimization of the authentication sequence to remove the burden of repeated login actions by an end user.

token-signing certificate

An X.509 certificate whose associated public/private key pair is used to sign security tokens, so that relying parties can verify the tokens' integrity and origin.

Uniform Resource Identifier (URI)

A compact string of characters that identifies an abstract resource or physical resource. In ADFS, URIs are used to uniquely identify partners and account stores.

Web Services (WS-*)

The specifications for a Web Services Architecture that is based on industry standards such as Simple Object Access Protocol (SOAP); XML; Web Service Description Language (WSDL); and Universal Description, Discovery, and Integration (UDDI). WS-* provides a foundation for delivering complete, interoperable business enterprise, including the ability to manage federated identity and security.

The Web services model is based on the idea that enterprise systems are written in different languages, with different programming models, which run on and are accessed from many different types of devices. Web services are a means of building distributed systems that can connect and interact with one another easily and efficiently across the Internet, regardless of what language they are written in or what platform they run on.

Web Services Security (WS-Security)

A series of specifications that describes how to attach signature and encryption headers to SOAP messages. In addition, WS-Security describes how to attach security tokens, including binary security tokens such as X.509 certificates and Kerberos tickets, to messages. In ADFS, WS-Security is used when Kerberos signs security tokens.

WS-Federation

A specification that defines a model and set of messages for brokering trust and the federation of identity and authentication information across different trust realms.

The WS-Federation specification identifies two sources of identity and authentication requests across trust realms: active requestors, such as SOAP-enabled applications, and passive requestors, which are defined as HTTP browsers capable of supporting broadly supported HTTP, for example, HTTP 1.1.

WS-Federation Passive Requestor Profile (WS-F PRP)

An implementation of the WS-Federation specification that proposes a standard protocol for how passive clients (such as Web browsers) apply the federation framework. Within this protocol, Web service requestors are expected to understand the new security mechanisms and be capable of interacting with Web service providers.

What is Hybrid Cloud?

A hybrid environment allows organizations to retain the on-premises SharePoint Server environment they have and plan a phased transition of some workloads to the cloud. The new features in SharePoint 2013 make it possible to connect services running in on-premises SharePoint with SharePoint Online, creating an application that spans cloud and on-premises.

Companies with on-premises SharePoint 2013 are running a hybrid of an on-premises intranet and Office 365 personal sites (OneDrive for Business). Why? The primary reason is the OneDrive for Business app for mobile devices: on-premises My Sites have no equivalent app for synchronizing personal documents.

Common hybrid configurations include search results from both environments, and utilizing OneDrive for Business in the cloud for on-prem users.

Our Services Include:

  • O365 federation via AD FS
  • VPN tunnels to cloud hosts
  • Redirection of your on-premises SharePoint My Site to O365 OneDrive

  Microsoft SharePoint Farm vs. Office 365 

Benefits of using OneDrive for Business:

  • Users can take their documents offline with them and have them synchronize when they are online again.
  • Users' documents can be synchronized across all client devices and servers where the files are stored and synchronized.
  • Multiple users (online or offline) can work on documents at the same time, and the OneDrive for Business Windows Sync client will synchronize the changes between the users. If there are conflicts, users are prompted to resolve the conflicts.
  • Users can share and collaborate on documents.
  • Mobile Apps allow users to work from many locations, either online or offline, and work from many devices.

OneDrive apps are available for Windows, Android, Mac OS X, iOS, Windows Phone and Xbox.

The related Office Mobile app lets you edit Office documents stored in various locations, including OneDrive and OneDrive for Business.

What is FBA?

Companies use forms-based authentication (FBA) with Internet-facing portals so that partners, clients, or board members do not need an Active Directory account. User identities are stored in a Microsoft SQL Server database, typically through the ASP.NET SQL membership and role providers.

Our Services Include:

  • FBA Configuration
  • Beautiful authentication forms that match your branding
  • Web parts for registering users, changing passwords, and password recovery
  • Tools for managing users and for approving registrations

If you want to share information between users who are within the corporate domain and external users, we can extend your SharePoint Web application to create an extranet-facing access point.
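The extranet access point described above and the FBA configuration listed under Our Services Include, as an added PowerShell example. This is not the page's own code and not a Microsoft script: it extends an existing claims web application into an Extranet zone authenticated by the ASP.NET SQL membership and role providers, and registers those providers in the web application's web.config with hardened password and lockout settings. Assumed names: the web application https://portal.contoso.com, the external URL https://extranet.contoso.com, provider names FBAMembership and FBARoles, and a SQL Server named sql01 holding a membership database FBAUsers created with aspnet_regsql.exe.

```powershell
# Added example, not from the page. Assumed: web application https://portal.contoso.com, external URL
# https://extranet.contoso.com, providers FBAMembership / FBARoles, SQL Server sql01, database FBAUsers
# (schema created by aspnet_regsql.exe). Run on a SharePoint 2013 server as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Extend the web application into the Extranet zone; the new zone authenticates with FBA (claims mode).
#    Internal users keep using the Default zone, so the two audiences never share a sign-in page.
$fba = New-SPAuthenticationProvider -ASPNETMembershipProvider 'FBAMembership' -ASPNETRoleProviderName 'FBARoles'
New-SPWebApplicationExtension -Identity 'https://portal.contoso.com' -Name 'Portal - Extranet' `
    -Zone Extranet -Url 'https://extranet.contoso.com' -Port 443 -HostHeader 'extranet.contoso.com' `
    -SecureSocketsLayer -AuthenticationProvider $fba

# 2. Register the providers in the web application's web.config. SPWebConfigModification is replayed on
#    every web front end, so the entries survive adding servers to the farm.
function Add-WebConfigNode {
    param($WebApp, [string]$Path, [string]$Name, [string]$Value, [int]$Sequence = 0)
    $mod = New-Object Microsoft.SharePoint.Administration.SPWebConfigModification
    $mod.Path = $Path; $mod.Name = $Name; $mod.Value = $Value
    $mod.Owner = 'FBASetup'; $mod.Sequence = $Sequence
    $mod.Type = [Microsoft.SharePoint.Administration.SPWebConfigModification+SPWebConfigModificationType]::EnsureChildNode
    $WebApp.WebConfigModifications.Add($mod)
}
$wa     = Get-SPWebApplication 'https://portal.contoso.com'
$sysWeb = 'System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a'

# Integrated security keeps passwords out of web.config; grant the application pool account the
# aspnet_Membership_FullAccess and aspnet_Roles_FullAccess database roles instead.
Add-WebConfigNode $wa 'configuration' 'connectionStrings' '<connectionStrings />'
Add-WebConfigNode $wa 'configuration/connectionStrings' "add[@name='FBAConnectionString']" `
    '<add name="FBAConnectionString" connectionString="Data Source=sql01;Initial Catalog=FBAUsers;Integrated Security=SSPI" />' 1

# Explicit hardening for an Internet-facing login form: hashed passwords (never Clear or Encrypted),
# no password retrieval, a 12-character minimum, and lockout after 5 failures within 15 minutes.
Add-WebConfigNode $wa 'configuration/system.web/membership/providers' "add[@name='FBAMembership']" `
    ('<add name="FBAMembership" type="System.Web.Security.SqlMembershipProvider, ' + $sysWeb + '" ' +
     'connectionStringName="FBAConnectionString" applicationName="/" passwordFormat="Hashed" ' +
     'enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" ' +
     'requiresUniqueEmail="true" minRequiredPasswordLength="12" minRequiredNonalphanumericCharacters="1" ' +
     'maxInvalidPasswordAttempts="5" passwordAttemptWindow="15" />')
Add-WebConfigNode $wa 'configuration/system.web/roleManager/providers' "add[@name='FBARoles']" `
    ('<add name="FBARoles" type="System.Web.Security.SqlRoleProvider, ' + $sysWeb + '" ' +
     'connectionStringName="FBAConnectionString" applicationName="/" />')

$wa.Update()
$wa.WebService.ApplyWebConfigModifications()
```

`SPWebConfigModification` only edits the IIS sites of the web application itself. The same connection string and provider entries must also be added by hand to the web.config of the SecurityTokenServiceApplication (which validates FBA logons) and of Central Administration (so the People Picker can resolve FBA users when you grant permissions); without them, sign-in fails or external users cannot be found. Keep the provider names identical in all three files, because they are the strings SharePoint stores in the claims identity.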

Example FBA Forms



SharePoint Support

Let us build your SharePoint Server, or server farm, and keep it up to date with our proactive maintenance and unlimited support. Take advantage of the expertise of a leading Gold Partner specialized in SharePoint.


Schedule A Demo

Getting introduced through a brief demo of our work quickly shows our solutions and begins discussion of your SharePoint goals and how we can assist.