Applications Anywhere
Copyright 2012, Vordel Inc. and/or its affiliates. All rights reserved.
Introduction
Microsoft SharePoint has gained widespread popularity as a collaboration platform, a portal, and a document management system. SharePoint is easy to deploy, easy to use, and integrates seamlessly with other Microsoft products, especially Microsoft Office applications. In fact, SharePoint is so easy to deploy that each business department is quick to stand up its own SharePoint site and develop SharePoint applications to meet individual business needs. This has led to a sprawling problem where SharePoint sites and applications are often managed locally and with no integration to an enterprise security platform and standard. This means SharePoint users often cannot single sign-on (SSO) between SharePoint deployments and other non-Microsoft applications. Also, once they are connected, performance can be slow, leading to an overall poor user experience.

SharePoint relies on Microsoft security technologies such as Kerberos, NTLM, and Active Directory Federation Server (ADFS) for access control. Whilst this tight integration works very well in an all-Microsoft environment, it makes integration to non-Microsoft enterprise access control and SSO platforms difficult. Most medium to large organizations have implemented some level of SSO and access control with products from CA, Entrust, IBM, Oracle, and RSA. These leading access management products offer poor out-of-the-box integration to the Microsoft technology stack. Enabling SSO across SharePoint applications from tools like CA SiteMinder or Oracle Access Manager usually involves a delicate concoction of agents, caches, and custom code. Remote and mobile access to SharePoint is even more complex than SSO from behind the firewall. Enterprises often resort to point solutions that are designed specifically for SharePoint mobile and remote access.

This white paper is written for the enterprise architects and security professionals who need to understand the challenges of integrating Microsoft SharePoint to enterprise access management technologies. This white paper will:
- Outline the basic access management options available to SharePoint customers
- Highlight technical challenges involved with third-party integrations, mobile and remote access to SharePoint
- Show how to use the Vordel SharePoint Gateway technology to solve these problems
- Enable single sign-on across SharePoint sites & applications in non-exclusive Microsoft environments
For additional information on Vordel SharePoint Gateway and other Vordel solutions, please visit www.vordel.com for a wealth of product, case study, and best practice information.
Integrate SharePoint with enterprise-wide access management platforms from CA, Entrust, IBM, Oracle, RSA
Enable remote & mobile access to SharePoint from any device, anywhere
Other Challenges
Without careful setup of Kerberos authentication, these common deployment scenarios will cause Kerberos authentication to fail:
- If the Fully Qualified Domain Name (FQDN) is not the same as the NetBIOS name, Kerberos authentication will fail. For example, the IIS server hosting the www.vordel.com website is hosted on a server named www01.
- The authentication process runs under a non-System identity and no SPN is registered for that identity.
- Applications are hosted across multiple servers that use the same computer name.
- All servers in a web farm use one computer name and one SPN. Load balancers distribute requests to multiple servers.

Because of these limitations, Integrated Windows Authentication is really only suitable for intranet deployment scenarios and most suitable for homogeneous Microsoft environments. It is not suitable if any of the following applies to your situation:
- Connection goes through an HTTP proxy, but NTLM is being used
- Application users do not have accounts in your Windows domain
- Multiple Windows forests that do not have mutual trust relationships
- Integration with Java or other non-.NET Framework applications
- Support for non-Windows platforms such as Mac OS and Linux
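The SPN failure scenarios above can be checked before users hit them. The following is an added example, not code from the white paper or from Vordel: it derives the SPN a browser will request from a site URL and compares it against a constructed SPN registry (hypothetical accounts and host names standing in for what `setspn -L` would list), reporting the FQDN/NetBIOS mismatch, the unregistered custom identity, and the duplicate-SPN web farm cases.

```python
from urllib.parse import urlparse

# Constructed sample registry: account -> SPNs registered on it (what `setspn -L`
# would list). Names are hypothetical; www01 is a server reached by several host names.
SPN_REGISTRY = {
    "CORP\\www01$": ["HOST/www01", "HOST/www01.corp.example"],   # machine account
    "CORP\\svc-sharepoint": ["HTTP/portal.corp.example"],          # app pool identity
    "CORP\\svc-legacy": ["HTTP/team.corp.example"],
    "CORP\\svc-farm": ["HTTP/team.corp.example"],                  # same SPN registered twice
}

def expected_spn(site_url: str) -> str:
    """Browsers request a ticket for HTTP/<host as typed in the URL>, so an
    FQDN alias and the NetBIOS name need separate SPNs."""
    host = urlparse(site_url).hostname
    if not host:
        raise ValueError(f"no host in {site_url!r}")
    return f"HTTP/{host}"

def _owners(spn: str, registry) -> list:
    """Accounts on which this SPN is registered (case-insensitive, sorted)."""
    return sorted(acct for acct, spns in registry.items()
                  if spn.lower() in (s.lower() for s in spns))

def check_spn(site_url: str, app_pool_account: str, registry=SPN_REGISTRY) -> str:
    """Return 'ok' or a short reason why Kerberos will fail for this site."""
    spn = expected_spn(site_url)
    owners = _owners(spn, registry)
    if not owners and app_pool_account.endswith("$"):
        # Machine accounts (System/Network Service app pools) are covered by
        # HOST/<name>, which Windows maps to HTTP/ by default.
        owners = _owners("HOST/" + spn.split("/", 1)[1], registry)
    if not owners:
        # FQDN vs NetBIOS mismatch, or a custom identity with no SPN at all
        return f"no SPN {spn} registered; browser falls back to NTLM or fails"
    if len(owners) > 1:
        # Web farm / duplicate computer name: the KDC cannot pick one key
        return f"duplicate SPN {spn} on {', '.join(owners)}"
    if owners[0].lower() != app_pool_account.lower():
        # Ticket is encrypted for another account's key; the app pool cannot decrypt it
        return f"SPN {spn} is on {owners[0]}, not on {app_pool_account}"
    return "ok"
```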
Enable claim-based User Policies in SharePoint to reduce user account administration overhead
In a Microsoft environment, with Windows Server 2008 R2 Enterprise Edition, Active Directory Federation Services (ADFS) 2.0 can be configured as a TIP to issue claims. ADFS provides a number of options to authenticate users, including Kerberos, forms authentication, or certificates. SharePoint can support multiple authentication schemes, so one can potentially set up both Integrated Windows Authentication and a claim-based scheme for different user populations or different access channels. Custom coding is required to ensure consistency of the claims generated by the different TIPs and to provide the proper user interface to let users select an identity provider at login. Follow this link to learn more about setting up ADFS as a TIP for SharePoint: http://msdn.microsoft.com/en-us/library/hh446525.aspx. For detailed step-by-step instructions on how to set up a TIP for SharePoint and other interesting SharePoint topics, check out the very informative Share-n-dipity blog (http://blogs.technet.com/b/speschka/).
Avoid fragile custom solutions & invasive agent-based solutions that are costly to deploy & manage
Figure 1: Claim-Based Authentication Using ADFS (Diagram Source: http://msdn.microsoft.com/en-us/library/ff359108.aspx)
Federated Claims
In a federated setup, ADFS can also accept a security token such as a Security Assertion Markup Language (SAML) 2.0 token from another identity provider as proof of authentication. The identity provider / claim issuer can be another ADFS instance, a non-Microsoft federation server, a security token service, or a Cloud-based federation broker.
Integrate SharePoint to enterprise security framework & improve governance for SharePoint deployments
The challenges associated with using a claim-based model with SharePoint once again center around integration with third-party technologies in a heterogeneous environment, especially when other proprietary and legacy technologies are involved. Some of the challenges include:
- Configuring non-Microsoft access management products as TIPs
- Interoperating with common proprietary tokens such as the ObSSO cookie from Oracle Access Manager or the CA SiteMinder session token
- Deploying and managing additional agents from access management products
- Mediating claim formats from multiple TIPs
- Deploying mixed claim-based and non-claim-based authentication schemes
- Deploying advanced access control policies based on network, client, time-of-day and other contexts
- Token caching to minimize token generation and re-authentication requests
- Managing WS-Trust and WS-Federation relationships
- Managing certificates and integrating with Certificate Authorities
- Reconciling the Microsoft claim-based model with other fine-grained authorization technologies from Axiomatics, Oracle and Quest
Maintain SharePoint integration & update policies with easy-to-use drag-and-drop configuration user interface
Figure 2: Drag-and-Drop Configuration
Please see Vordel.com for more information on the Vordel SharePoint Gateway and other solutions.
Solution Examples
Every SharePoint deployment is unique, so every SharePoint SSO problem is a little bit different. Vordel SharePoint Gateway offers drag-and-drop configuration to accommodate the most demanding SharePoint integration requirements. We will examine how the Vordel solution works using representative deployment scenarios from actual Vordel customers.
Figure 3: Single Sign-on Using Third-Party Access Management Product
By routing all SharePoint requests through the Gateway, BigPharma has improved SharePoint performance by a minimum of 30%. Performance acceleration is not in the scope of this security white paper. To learn how the Gateway can accelerate SharePoint performance using intelligent cache management, contact a Vordel product expert.
Expose SharePoint data & features externally with strong access control & threat protection
Figure 4: Claim-Based Access Control Leveraging Third-Party Access Management Products
The Flow
1. The user Alex is logged into his Windows PC and domain via username and password.
2. Alex enters a SharePoint site URL in his browser and the request hits the Gateway.
3. The Gateway instructs the browser to send a Kerberos SPNEGO token. The browser obtains a Kerberos ticket for the Gateway from the domain controller. This token is sent to the Gateway in the HTTP headers as a SPNEGO token. Alex is not prompted to enter his credentials into the browser.
4. The Gateway maps Alex's Kerberos UPN to a SiteMinder username, authenticates Alex with SiteMinder, obtains additional user attributes, and requests a SiteMinder session token. The Gateway can obtain a SiteMinder session token without knowledge of Alex's SiteMinder password.
Deploy a SharePoint access management solution that has great flexibility, scalability, & performance
Summary
Microsoft SharePoint is easy to deploy and easy to use, until you have to integrate it with enterprise access management and SSO platforms. SharePoint's reliance on Microsoft security foundation technologies makes integration to third-party security platforms extremely complex and challenging. Instead of cooking up a concoction of custom integration code and deploying intrusive agents into every SharePoint instance, Vordel SharePoint Gateway offers an alternative that is agent-less, non-invasive, easy to deploy, easy to manage, and ready to scale. The Gateway takes care of all the complicated orchestrations between Microsoft and other vendors' security products to deliver a seamless experience for the end users and a painless experience for SharePoint administrators.
About Vordel
Vordel delivers fast, safe connectivity for SOA and Cloud Services. Vordel Application Gateway provides integration, security, governance, and acceleration for enterprise applications and Cloud-based services. Vordel Application Gateway enables Fortune 5000 enterprises and government agencies to extend their enterprise applications and SOA infrastructure beyond the perimeter to enable Cloud-based services and mobile computing. Vordel makes it possible to deliver and consume Applications Anywhere with IT's existing applications and infrastructure, without costly upgrades and rewrites.