Question

I'm wondering what would be necessary, configuration-wise, to set up an extranet. I've found a ton of articles that provide little pieces of how the formula works, but nothing that really links all of the components.

If I had a farm on the outside of my company firewall, I think I would need the following, from what I've researched. Am I missing something? The goal is to enable partners to access the content with Live IDs, as well as allowing internal users the ability to log in with their company domain accounts. This way they can collaborate.

I would need to create a claims-based web application to host the team sites. I would need to somehow work with my domain admins to get it to use Active Directory Federation Services so that I can leverage the Live IDs. I have read that using a Unified Access Gateway like Forefront would be best as well.

At that point it should work? I'm probably missing a lot of pieces, but I'm hoping someone can fill in the blanks and give me a better understanding of how it would work.


Solution

For that scenario you have two options:

  • First option: SharePoint trusting LiveID and ADFS
  • Second option: SharePoint trusting Windows Azure Access Control Service (ACS) and ACS trusting LiveID or ADFS.

First option

Second option

Personally, I like the second option, since SharePoint is not friendly at all for managing those trust relationships (you can see that from the tutorials). By using a "trust hub" you are also open to more options and keep the "trust policies" and claim transformation in a single place.

Also take into account that LiveID won't give you the email address of the user as a claim; it will give you just an opaque identifier that is kept across logins, but you won't be able to configure permissions in the people picker for "john@live.com". You can only grant permissions to "all Live ID users". You might want to consider using Google, which will give you the email, if you have that scenario.

Finally, if you want an even simpler setup, you can evaluate auth10.com, which uses Windows Azure ACS beneath and will simplify both the setup and the management of those rules. Here are a couple of screencasts:

Full disclosure: I am a founder at auth10.
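The second option from the answer above, expressed as the SharePoint 2010 Management Shell commands that register an ACS namespace as a trusted identity provider on the extranet web application. This is an added example, not code from the answer or from auth10; the ACS namespace name, realm, certificate path, web application URL and display names are assumptions for illustration. The claim-mapping section is where the Live ID caveat shows up in practice: the identifier claim SharePoint resolves users by has to be one that every upstream provider actually emits.

```powershell
# Added example (not from the original answer): register Windows Azure ACS as the
# trusted identity provider for a SharePoint 2010 claims web application.
# Values below are assumptions for illustration; adjust to your environment.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$acsNamespace = "contoso-extranet"                  # assumed ACS namespace
$realm        = "urn:sharepoint:extranet"            # must match the relying party realm configured in ACS
$signInUrl    = "https://$acsNamespace.accesscontrol.windows.net/v2/wsfederation"
$certPath     = "C:\certs\acs-token-signing.cer"     # assumed path; ACS token-signing cert exported from the ACS portal
$webAppUrl    = "https://extranet.contoso.com"       # assumed extranet web application URL

# SharePoint validates SAML token signatures against this certificate, so it has to be
# the ACS token-signing certificate, not the extranet site's SSL certificate.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
New-SPTrustedRootAuthority -Name "ACS token signing ($acsNamespace)" -Certificate $cert | Out-Null

# Claim mappings. ACS passes through whatever the upstream provider issued:
# Live ID yields only an opaque, stable nameidentifier; Google also yields an email.
$nameId = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" `
    -IncomingClaimTypeDisplayName "NameIdentifier" -SameAsIncoming
$email = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$idp = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider" `
    -IncomingClaimTypeDisplayName "IdentityProvider" -SameAsIncoming

# The identifier claim is the one SharePoint keys permissions on. With Live ID in the mix it
# must be nameidentifier: if emailaddress were chosen, a Live ID token (which carries no
# email) would arrive with no identity and the user would be rejected after a successful login.
$sts = New-SPTrustedIdentityTokenIssuer `
    -Name "ACS ($acsNamespace)" `
    -Description "Windows Azure ACS trust hub for partner sign-in" `
    -Realm $realm `
    -SignInUrl $signInUrl `
    -ImportTrustCertificate $cert `
    -ClaimsMappings $nameId, $email, $idp `
    -IdentifierClaim $nameId.InputClaimType

# Enable the ACS provider alongside Windows authentication on the Default zone, so internal
# users keep signing in with their domain accounts while partners come in through ACS.
$windowsProvider = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
$acsProvider     = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $sts
Set-SPWebApplication -Identity $webAppUrl -Zone Default `
    -AuthenticationProvider $windowsProvider, $acsProvider

# Sanity check: list the providers now bound to the zone.
(Get-SPWebApplication $webAppUrl).IisSettings[
    [Microsoft.SharePoint.Administration.SPUrlZone]::Default
].ClaimsAuthenticationProviders | Select-Object DisplayName, ClaimProviderName
```

Two practical notes. First, the trust is one-directional and the ACS side still has to be configured to match: the relying party application in ACS needs the same realm, a return URL of `https://extranet.contoso.com/_trust/` (assumed URL), SAML 1.1 as the token format (SharePoint 2010 does not accept SAML 2.0 tokens), and pass-through rules for the three claim types mapped above. Second, the people picker does no validation against a trusted provider: it will happily "resolve" any string you type as a NameIdentifier or EmailAddress value, so granting rights to an individual Live ID account is only possible after that account has signed in once and its opaque identifier is known, which is why the answer suggests granting to all users of the provider instead.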

Licensed under: CC-BY-SA with attribution