Outrageous Claims: Where Office 365 Leads, SharePoint Will Follow

Principal Architect Thomas Carpe shares his thoughts and opinions on the state of the art in SharePoint security, including predictions about things to come. This blog post is part of a continuing series leading up to and following the official launch of Liquid Mercury Solutions' new product Beowulf Identity Server.

 

 

Well, okay maybe that's not such an outrageous claim, since that's been Microsoft's strategy all along, right? What I mean here is that most improvements to SharePoint security have been coming out of changes driven by Office 365.  

So, for example, in 2013 we now have application and server based trust through OAuth type authentication. These are new; in 2010 land we could federate two farms through the mutual exchange of certificates, but there wasn't a really good story to tell around authorizing an individual application.

For folks who run on-premises environments, this means that there will be systems that have to be stood up and maintained alongside SharePoint that didn't exist before. For instance, admins now have to consider will they configure the app host services along with the rest of the basic SharePoint feature set. Or, will you do traditional Windows authentication or use a trusted login provider instead?

Living in a cloud first world also means that security measures we sometimes take for granted in Office 365 - like multi-factor authentication - aren't readily available to us in an on-premises farm. Yes, you could circumvent this by making your sites authenticate against ADFS 3.0 or WAAD/Azure ACS, but doing so is a complex exercise. If you're going to go that far, you'll have some very important decisions you'll want to make about what software package to use and how much you want to rely on either cloud-based or on-prem technology to manage something so important. Always keep in mind that if the authentication provider isn't available for any reason, nobody will be using SharePoint.

What we see happening in the industry now is that more and more products are switching from traditional Windows based authentication to claims based authentication. This change is no doubt fueled by the need to integrate in some respect with cloud platforms like Office 365. However, in the rush to support any possible type of authentication scenario, those same products are making trade-offs against single-sign-on.

Take SharePoint Online for example, where providing a windows-based SSO experience to the user requires running an IIS site specifically to redirect the user from a vanity URL to an Office 365 / ADFS sign-on page where the user's domain is already known. This trick lets us just ask for the user's Windows account and make the trip back to SharePoint without a login form, but this is something of a hack.

Another example comes from a third party product that supports many types of claims authentication including Windows, WAAD, and Office 365. Though the product is quite flexible, customers see issues with having to provide a forms based login when browsing between SharePoint sites and the product's web pages. Configuring things so that they are seamless from an authentication perspective takes significant work.

What we hope to see in the near future are improvements to the way these systems work together, both online and behind the company firewall, so that there's a better sign-on experience overall for the user. Seems like just a few years ago people were saying that federated authentication would mean not having to remember so many credentials, but there seem to be more systems today than there were at that time. Certainly, this one of the reasons why we built Beowulf, and we hope that Microsoft and other vendors will continue to open up new possibilities in this area too.