SharePoint 2013 Business Connectivity Services Hybrid Overview



Similar documents
Hybrid for SharePoint Server Search Reference Architecture

ADS2013: App Development with SharePoint 2013

Setup Guide: Server-side synchronization for CRM Online and Exchange Server

Get started with cloud hybrid search for SharePoint

DEMYSTIFYING THE SHAREPOINT HYBRID ENVIRONMENT. Dan Charlton Senior Consultant MCSE, MCSA, MCP

SHAREPOINT HYBRID AND IMPLICATIONS OF 2016

The Trusted Technology Partner in Business Innovation PASSION DISCIPLINE INNOVATION TEAMING INTEGRITY

Windows Azure Pack Installation and Initial Configuration

IT Exam Training online / Bootcamp

Microsoft SharePoint Architectural Models

KEMP LoadMaster. Enabling Hybrid Cloud Solutions in Microsoft Azure

SPT2013: Developing Solutions with. SharePoint DAYS AUDIENCE FORMAT COURSE DESCRIPTION STUDENT PREREQUISITES

SAV2013: The Great SharePoint 2013 App Venture

Windows Server Update Services 3.0 SP2 Step By Step Guide

Explore Microsoft SharePoint 2013

This module provides an overview of service and cloud technologies using the Microsoft.NET Framework and the Windows Azure cloud.

Configure Microsoft Dynamics AX Connector for Mobile Applications

Overview of Microsoft Office 365 Development

Microsoft Version: Demo 15.0

The Great Office 365 Adventure

Developing Windows Azure and Web Services

Course MS55077A Project Server 2013 Development. Length: 5 Days

GOA365: The Great Office 365 Adventure

Application Note. Onsight Connect Network Requirements v6.3

Hands-On Lab: WSUS. Lab Manual Expediting WSUS Service for XP Embedded OS

Citrix NetScaler and Microsoft SharePoint 2013 Hybrid Deployment Guide

GSA2013: The Great SharePoint Adventure 2013

Audience Profile This course is intended for any developer that is tasked with creating applications that interface with O365.

Developing Microsoft SharePoint Server 2013 Core Solutions

Exchange Server Hybrid Deployment for Exchange Online Dedicated

Centrify Cloud Connector Deployment Guide

Feature Integration Across Microsoft Office Server Products SharePoint Server, Exchange Server, Lync Server, and Office Web Apps

SharePoint 2013 Logical Architecture

Microsoft Azure Multi-Factor authentication. (Concept Overview Part 1)

Designing a Microsoft SharePoint 2010 Infrastructure

Data Security and Governance with Enterprise Enabler

WatchDox SharePoint Beta Guide. Application Version 1.0.0

Operations Guide for the System Center Cloud Services Process Pack

Implementing Microsoft Azure Infrastructure Solutions 20533B; 5 Days, Instructor-led

Configuring Single Sign-On from the VMware Identity Manager Service to Office 365

Installation and configuration guide

MS 20487A Developing Windows Azure and Web Services

Course 20533B: Implementing Microsoft Azure Infrastructure Solutions

Developing Microsoft SharePoint Server 2013 Advanced Solutions

MS 20532B - Developing Microsoft Azure Solutions

MICROSOFT EXAM QUESTIONS & ANSWERS

Federated single sign-on (SSO) and identity management. Secure mobile access. Social identity integration. Automated user provisioning.

MOC DEVELOPING WINDOWS AZURE AND WEB SERVICES

Flexible Identity Federation

Security Best Practices for Microsoft Azure Applications

Sentinet for Windows Azure SENTINET

SharePoint Server Quick Start Guide for Single Server Farms

Microsoft Lync Server 2010

Course 20489B: Developing Microsoft SharePoint Server 2013 Advanced Solutions OVERVIEW

Agenda. How to configure

Developing Windows Azure and Web Services

Extend and Enhance AD FS

Flowing Identity in the Microsoft BI Stack using Claims-based Authentication

Configuring and Administering Microsoft SharePoint 2010

How To Set Up A Load Balancer With Windows 2010 Outlook 2010 On A Server With A Webmux On A Windows Vista V (Windows V2) On A Network With A Server (Windows) On

MicrosoftDynam ics GP TenantServices Installation and Adm inistration Guide

SINGLE & SAME SIGN-ON ASPECTS

Agenda. Federation using ADFS and Extensibility options. Office 365 Identity overview. Federation and Synchronization

ExecProtect Armored Office AD FS 2012 R2 with O365 Demo Guide

Developing Microsoft SharePoint Server 2013 Advanced Solutions

How to Secure a Groove Manager Web Site

New Features of SharePoint 2013

Lab Answer Key for Module 6: Configuring and Managing Windows SharePoint Services 3.0. Table of Contents Lab 1: Configuring and Managing WSS 3.

Course Description. Course Audience. Course Outline. Course Page - Page 1 of 5. Microsoft Azure Fundamentals M Length: 2 days Price: $ 1,295.

Enterprise Access Control Patterns For REST and Web APIs

Module: Sharepoint Administrator

Designing a Data Solution with Microsoft SQL Server 2014

White paper Contents

Microsoft Implementing Microsoft Azure Infrastructure Solutions

Course 20533: Implementing Microsoft Azure Infrastructure Solutions

Deploy the client as an Azure RemoteApp program

Technical White Paper

Microsoft Dynamics AX 2012 Installation Guide. Microsoft Corporation Published: April 2011 This content is preliminary and is subject to change.

An Overview of Samsung KNOX Active Directory-based Single Sign-On

MultiSite Manager. Setup Guide

Upgrading Your Development Skills to SharePoint 2013 Course 55014A; 5 Days, Instructor-led

Course Outline. Microsoft Azure Fundamentals Course 10979A: 2 days Instructor Led. About this Course. Audience Profile. At Course Completion

USING FEDERATED AUTHENTICATION WITH M-FILES

Installation and configuration guide

Advanced Solutions of Microsoft SharePoint Server 2013 Course 20332A; 5 Days, Instructor-led

dotmailer for Dynamics Frequently Asked Questions v 6,0

Deploying the Workspace Application for Microsoft SharePoint Online

Implementing Microsoft Azure Infrastructure Solutions

HOTPin Integration Guide: Microsoft Office 365 with Active Directory Federated Services

Microsoft Power BI. Nov 21, 2015

Microsoft Dynamics CRM 2011 Performance Counters

Coveo Platform 7.0. Microsoft SharePoint Connector Guide

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

On-premise and Online connection with Provider Hosted APP (Part 1)

Identity and Access Management for the Hybrid Enterprise

Transcription:

SharePoint 2013 Business Connectivity Services Hybrid Overview Christopher J Fox Microsoft Corporation November 2012 Applies to: SharePoint 2013, SharePoint Online Summary: A hybrid SharePoint environment consists of a SharePoint 2013 farm that is deployed on-premises, and a Microsoft Office 365 SharePoint Online tenancy. The integration of SharePoint 2013 on-premises and SharePoint Online allows you to use Business Connectivity Services to securely publish internal Line of Business (LOB) data to SharePoint Online.

This document is provided as-is. Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or should be inferred. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. You may modify this document for your internal, reference purposes. 2012 Microsoft Corporation. All rights reserved. 2

Contents Contents... 3 Business Drivers... 4 What is a SharePoint Business Connectivity Servives Hybrid Solution?... 4 Why use a SharePoint BCS Hybrid Solution?... 4 BCS Hybrid Architecture... 5 Office 365 and SharePoint Online... 5 On-Premises... 5 BCS Hybrid Data Flow... 7 Types of Certificates and Credentials... 8 Server and SharePoint Certificates... 8 User Credentials... 8 3

Business Drivers A Business Connectivity Services (BCS) Hybrid solution enables you to securely publish internal LOB data to your users in SharePoint Online. It solves a very specific business problem in a certain way. This section helps you understand this solution and when you should use it. What is a SharePoint Business Connectivity Services Hybrid Solution? If your company has an on-premises SharePoint 2013 farm and a SharePoint Online 2013 tenancy, you can create a secure connection between the two to make line-of-business (LOB) data available, by using BCS, to applications for SharePoint and external lists in SharePoint Online. This is called a SharePoint BCS Hybrid solution. SharePoint Online 2013 supports only one-way connections from online to on-premises and to only one on-premises farm. The LOB data must be published as an OData source. Why use a SharePoint BCS Hybrid Solution? A SharePoint 2013 BCS Hybrid solution provides a bridge for companies that want to take advantage of cloud-based SharePoint Online to access on-premises LOB data while keeping that proprietary data safe maintained on their corporate intranet. The SharePoint BCS Hybrid solution does not require opening holes in the firewall to allow traffic through and it does not require you to move your LOB data out into the perimeter network. The SharePoint BCS Hybrid solution uses the on-premises BCS services to connect to the LOB data and then, through a reverse proxy, securely publish the endpoint out to the BCS services in SharePoint Online 2013.. 4

BCS Hybrid Architecture The BCS Hybrid solution has components in the Cloud in Office 365 and On-Premises. Office 365 and SharePoint Online O365 Every Microsoft Office 365 subscription hosts a SharePoint Online tenancy. The O365 subscription also provides the Access Control Service (ACS) and Microsoft Online Directory Services (MSODS). SharePoint Online Hosts the sites that surface the on-premises LOB data, the BCS runtime service and metadata store, and the Secure Store Service. BCS Runtime Service Online - The BCS runtime service is a SharePoint service application that manages all BCS functionality, such as administration, security, and communications. O365 Microsoft Online Directory Services (MSODS) Provides directory services in O365 that you can synchronize with your on-premises Active Directory Domain Services (AD DS). The synchronization is done through user profile synchronization and allows users to use the same account for both on-premises and cloud authentication. SharePoint Online Secure Store Service This is the credential mapping SharePoint service application. In the SharePoint BCS Hybrid solution, SharePoint Online stores an SSL Server certificate that authenticates the SharePoint Online request to the reverse proxy. Azure Access Control Service This the Azure security token service that performs authentication and issues security tokens when a user logs in to a SharePoint Online site. It looks up credentials in the MSODS, which has been synchronized with the on-premises Active Directory accounts. This allows the user to use the same set of credentials for both the on-premises and online environments. On-Premises Reverse Proxy This server is responsible for accepting and authenticating inbound traffic from the Internet and publishing out the endpoint for the inbound request to connect to. It is in the perimeter network. SharePoint On-Premises A SharePoint 2013 server farm, this hosts the BCS service, the site that accepts the inbound hybrid requests and the Secure Store Service. AD DS A Windows Server service that stores and manages user accounts, security groups, distribution groups, and computer accounts. User Profile Store A SharePoint database used to store user profile information. User profiles contain detailed information about people in an organization. A user profile organizes and displays all of the properties related to each user, together with social tags, documents, and other items related to that user. In the BCS Hybrid scenario, it is used to map the users ACS OAuth credentials to the users domain credentials. 5

CSOM Pipeline The Client-Side Object Model receives the incoming request from the reverse proxy and maps the OAuth user token from ACS to the users domain credentials. Site/Site Collection A site collection created expressly for the purpose of facilitating all hybrid request communication. The web application that this site collection is in has an alternate access mapping configured. BCS Runtime Service SharePoint On-Premises The BCS Runtime service is a SharePoint service application that manages all BCS functionality, such as administration, security, and communications. Secure Store Service SharePoint On-Premises This is the credential mapping SharePoint service application. In the SharePoint BCS Hybrid solution, SharePoint On- Premises stores the mapping of the users domain credentials to the credentials that are used to access the external data source. OData Service Head The SharePoint BCS Hybrid Solution only supports the OData protocol. If your external data is not natively accessible via an OData source, you must use Visual Studio to build and deploy an OData service head for it. External Data The line-of-business (LOB) data that the SharePoint BCS Hybrid solution works with. 6

BCS Hybrid Data Flow In SharePoint Online, you make external data available through external lists or apps for SharePoint. This example uses an external list. 1. An information worker logs on to their SharePoint Online tenancy and opens an external list which requires data from an on-premises OData source. 2. The external list creates a request for the data and sends it to Business Connectivity Services. BCS looks at the request and refers to the external content type and the connection settings object to see how to connect to the data source and which credentials to use. 3. Business Connectivity Services retrieves a client certificate from the Secure Store service in SharePoint Online. The client certificate is an SSL certificate and it is used for authentication to the reverse proxy. BCS also retrieves an OAuth token form the Access Control Service. These are the uses credentials which are used for user authentication to the SharePoint 2013 on-premises farm. 7

4. The Business Connectivity Service sends a HTTPS request to the endpoint for the data source that is published by the reverse proxy. 5. The reverse proxy authenticates the request by using the client certificate and forwards it to the Client Side Object Model (CSOM) pipeline of the on-premises SharePoint 2013 farm. 6. The CSOM pipeline consults the User Profile Service to look for a mapping between the users OAuth security token from ACS and the user s domain credentials from AD DS. If one exists, the user s domain credentials are returned to the request. The user s domain credentials are used to authenticate to the SharePoint on-premises Site that receives Hybrid requests and the request is passed to the SharePoint On-Premises BCS service. 7. The SharePoint On-Premises BCS retrieves the credentials that are used to authenticate to the external data source from the SharePoint On-Premises Secure Store Service. Then SharePoint on-premises BCS service passes the request for data along with the external data credentials to the OData service head which then performs the desired operations on the external data and returns the results to the SharePoint Online user. Types of Certificates and Credentials The BCS hybrid solution is a combination of the SharePoint Hybrid configuration and a BCS configuration. Each configuration requires different sets of certificates and user credentials and you need both sets in order for the BCS Hybrid solution to work. Server and SharePoint Certificates SSL certificate - This certificate is used to establish trust for the communication channel between the reverse proxy device and O365. This can be a wild card certificate; it should be from a well-known certificate authority. Server to Server Server-to-Server authentication configuration for SharePoint Hybrid environments consists of establishing a trust between SharePoint on-premises and Access Control Service (ACS). ACS is then the trust broker for both SharePoint on-premises and SharePoint Online server. When Server-to-Server trust is fully configured, each server farm trusts the security tokens that are issued by ACS and are used for authenticating access to resources on behalf of the identified user. User Credentials OAuth security token from ACS When a user logs on to SharePoint Online, the user is authenticated by ACS. ACS issues an OAuth security token, which represents the user to all SharePoint Online processes and objects that the user tries to access. This security token is embedded in the request for external data and passed, along with the SSL certificate, to the 8

reverse proxy. From there, it is passed to the Client-Side Object Model (CSOM) pipeline in SharePoint on-premises and is mapped to the users domain credentials Users Active Directory credentials This is another security token that represents the user in the user s Active Directory domain. It represents the user to all domain resources that the user tries to access. In the SharePoint BCS Hybrid configuration, it is used to authenticate the user to SharePoint on-premises. External Data Credentials - The OData service is secured by using either basic authentication or Windows authentication, or by using a custom authentication provider. 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information