Previously…. On…. The SharePoint -6 on a leap year i:0#.f|membership|[email protected] i:0#.w|domain\sAMAccountName Sites Composites Communities Insights Content Search Business Intelligence Business Forms Content Management Collaboration Platform Services Workspaces, Mgmt, Security, Storage, Topology, Site Model Search Portal Meanwhile… back at the ranch….


Previously….
On….
The
SharePoint
-6
on a
leap year
i:0#.f|membership|[email protected]
i:0#.w|domain\sAMAccountName
Sites
Composites
Communities
Insights
Content
Search
Business
Intelligence
Business
Forms
Content
Management
Collaboration
Platform
Services
Workspaces,
Mgmt, Security,
Storage, Topology,
Site Model
Search
Portal
Meanwhile…
back at the ranch….
User
Type of Access
Remote
Devices
Authentication
Information
LAN
Home
Time Office Location
Entitlement
Information
Profile
Information
Runtime
Information
1. Do you really have to authenticate?
2. Does the authentication source matter or is the user ID enough?
3. Do you own the identity?
4. Do you own the user information?
5. How do they authenticate today?
6. Where do they authenticate from?
7. How do you want them to authenticate?
8. Will they always authenticate that way?
9. Is the information you need for authorization enough or do you need more?
Pattern
AKA
Party time
Anonymous
Right this way (keep an eye out)
Tracked anonymous
If you got this far, I trust you
Already verified somewhere else
Who are you again?
Single Sign once…everywhere
He’s with me/VIP
Association/federation
Wait right here
Trusted subsystem
You look like someone I know
Shadow account
Let me do that for you
Impersonation
PC
Authentication Information (STS)
Additional Runtime Information
(Claims, Roles, Groups)
Profile Information
(Email, SIP)
SPUser
Default authentication mode
Recommended mode
Can only be managed in PowerShell – it’s gone from the UI
Support for classic mode is deprecated and will go away in a future release
[Windows User OR
FBA User OR
SAML User] OR
[Organizational ID (O365) AKA
Azure AD (O365)]
SharePoint User
OAuth
User + APP
Use OAuth ID, Windows or ADFS
App Server
Windows 2012 R2
ADFS
Windows 2012 R2
ADFS Proxy
Azure Cloud
SharePoint
Online
Active Directory
(On prem)
Azure Auth
Platform
Directory Sync
Azure AD







http://blogs.msdn.com/b/besidethepoint/archive/2012/12/10/sharepoint-low-trust-apps-for-on-premises-deployments.aspx
App Publishing from On Premise needs to be a Provider App (SP Apps or App Webs may not get through proxy due to wildcard and Kerberos requirements)
Active
Directory
Claims to Windows
Token Service
Windows
Token
Data
Repository, SQL
Server or SSAS
Windows
Token
Windows
2012 R2
Remote
Access
Proxy
Windows
Claim
SharePoint
WFE
SharePoint
App
SP SQL Server SharePoint
Farm
IDs only live in Azure AD / O365
Leveraging ADFS for Authentication and DirSync or FIM
DirSync with a Password Hash (Hash of a Hash)
Windows 2012 R2
ADFS
Windows 2012 R2
ADFS Proxy
Azure Cloud
SharePoint
Online
Active Directory
(On prem)
Azure Auth
Platform
Directory Sync
Azure AD
Active Directory
(On prem)
Directory
Sync
Azure Cloud
Sync Ids
For Profiles, GALs
W/Password Hash
SharePoint
Online
Sign-in
Auth Requests
Azure AD
Azure Auth
Platform
CUSTOMER NETWORK
MICROSOFT DATA CENTER
Supports Search
INTERNET
PERIMETER
NETWORK
Office 365 Tenant
SharePoint Server
2013
SharePoint Online
Search: Bidirectional
BCS: Supported
Duet: Supported
Outbound
Site collection
Configuration Also Supports
- Business Connectivity Services (BCS)
- DUET Enterprise Online
INTRANET
Primary web
application
Inbound
Local/Remote
Search portal:
Local + Remote
search results
SharePoint Online CAN
QUERY SharePoint Server
2013
Local/Remote
Reverse
proxy
Search portal:
Local + Remote
search results
SharePoint Server 2013
CAN QUERY SharePoint
Online
http://technet.microsoft.com/en-us/library/dn280944.aspx
http://blogs.msdn.com/b/besidethepoint/archive/2012/12/10/sharepoint-low-trust-apps-for-on-premises-deployments.aspx