SharePoint On-premise by default supports windows authentication to query and validate user credentials against your organization Active Directory. This is sufficient for most of the organization who are using SharePoint as their collaboration tool inside organization, however it is possible to securely extend your SharePoint to your clients, vendors and partners. In this article we are going to talk about why you may want to do that and possible options to do it.
If SharePoint is used as your employee productivity and content management tool but your clients, vendors and partners are still receiving content via email, its probably good time to think about extending SharePoint to reduce content duplication, process automation and increased efficiency. By extending your SharePoint securely, you will be able to achieve less redundant content, easy collaboration and improved productivity.
What are the options?
Once you understand that extending SharePoint is something that is going to be valuable to you, you can start browsing options about securely extending your SharePoint Farm. Based on your current infrastructure setup, you can choose from following:
- ADFS Authentication - SharePoint has support to integrate ADFS authentication using claims authentication and SAML. If you are already having ADFS Server configured and you are managing external users there through AD Groups, this will the best option to go with.
- Forms Authentication - SharePoint supports form based authentication through Microsoft Sql Server Membership Provider or you can use LDAP based forms authentication.
SharePoint has support to integrate ADFS authentication using claims authentication and SAML. If you are already having ADFS Server configured and you are managing external users there through AD Groups, this will the best option to go with.
In this method, you will manage all your external users inside your Active Directory by creating specific organization units and AD Groups. Once you have ADFS Authentication configured correctly with SharePoint, you can manage access for your ADFS Users through their AD Groups directly into SharePoint. If your Active Directory Administrator can maintain a single group and that single group is Configured to access SharePoint, you can easily manage access at single point without needing ongoing support for maintaining SharePoint Access Management.
There are so many articles already available on internet to configure ADFS Authentication in SharePoint correctly.
Form Based Authentication
SharePoint supports both Microsoft Sql Server and LDAP to store your users and roles. In order to easily manage your Form Based authentication users, roles, email templates, change password etc through a third party free wsp solution called FBA Pack but sadly its only available for Microsoft Sql Server Based fba implementation. There are some third party vendors that provides Form Based Authentication management tools for LDAP but that are not free.
When you are planning ADFS Authentication, please consider following important parameters:
- Zones & Security - You can configure your SharePoint web application to internet zone and allow a public domain mapping to one of your WFE server to access it from internet. Other option is to extend and create a new extended sharepoint web application that is used dedicatedly for secure access of your web application for external users.
- Login Page - Default Login page provided by SharePoint is not so good, you many need to setup a custom login page that looks like trusted and sophisticated enough to represent your brand identity.
- User Profiles Properties - Once ADFS Authentication is configured, you need to adjust some User Profile Service Application properties so that people picker, user menu and other areas in site collection displays logged in user details normally
- User Profiles Synchronization - You need to adjust your user profile synchronization connection to add this new authentication method so that users and groups added through ADFS Authentication are visible in various areas in Central administration and site collections
- Search Service Application - You need to adjust your search center site collection to allow access to ADFS Authentication users.
- My Sites - All the ADFS Users will be able to create their my sites as per the self service site creation configuration in your farm. Be prepared to consider and plan accordingly
- Third Party Components - Make sure to check with all your vendors providing third party components to double check their custom solutions and products support ADFS Authentication.
- SharePoint API Access - If your SharePoint is integrated with other applications, make sure those applications are not affected by this new authentication method.
- Support - Once you will setup to allow your SharePoint to external organizations, they will start requesting to add, block, unblock, change password etc. requests in order to continue accessing your site.
Hope this article helps you find detailed information on various methods to extend SharePoint. Please feel free to tell us what you think about extending sharepoint through comments.