Beowulf provides many advantages compared to the standard SharePoint login experience. Here are ten advantages to Beowulf that our customers tell us are the main reasons why they use it.
- Secures public facing SharePoint sites
- Know who's logging in, when they log in
- Limit access by location
- Mobile friendly login
- Reduce user support costs
- Works with most identity providers / standards
- Most affordable solution
- Simplifies federated authentication configuration
- Allow public access to SharePoint online
- Fixes SharePoint shortcomings
1. Protect SharePoint Login and Servers from Exposure to the Internet
If you have a SharePoint site, and are allowing native Windows (NTLM/Kerberos) based SharePoint login for users outside your firewall, this represents a serious security risk.
Attackers can exploit loopholes and weaknesses in critical Windows services such as WinLogon or RDP to brute-force your access credentials or simply bring your server to its knees. In a worst-case scenario, key SharePoint components can expose details about your organizational structure that will help hackers develop further human engineering attacks, expanding the risk beyond just the content stored in SharePoint itself.
Beowulf protects you by shutting SharePoint's front door and offloading the burden of SharePoint login and authentication to completely different hardware that can be hardened against DDoS and similar threats. Beowulf further protects the SharePoint login process by monitoring repeated authentication attempts from the same IP address or against the same user ID, introducing exponentially increasing delays that help to frustrate such attempts to gain unauthorized access.
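The throttling idea described above, sketched as an added example (this is not Beowulf's code): failures are counted per source IP and per user ID, and the wait doubles with each failure past a free allowance. The class name, parameters and sample addresses are assumptions made for illustration.

```python
import time

class LoginThrottle:
    """Exponential login delay keyed on source IP and on user ID (illustrative)."""

    def __init__(self, base=1.0, cap=900.0, free_attempts=3, window=3600.0,
                 clock=time.monotonic):
        self.base, self.cap = base, cap        # first delay and maximum delay, seconds
        self.free_attempts = free_attempts     # failures tolerated before any delay
        self.window = window                   # idle time after which a record expires
        self.clock = clock                     # injectable so tests can control time
        self._state = {}                       # key -> (failure_count, last_failure_time)

    def _delay_for(self, key, now):
        count, last = self._state.get(key, (0, 0.0))
        if count and now - last > self.window:
            del self._state[key]               # stale record: forget it
            return 0.0
        over = count - self.free_attempts
        if over <= 0:
            return 0.0
        # 1x, 2x, 4x ... base, capped; exponent bounded to keep the math finite.
        wait = min(self.cap, self.base * 2 ** min(over - 1, 32))
        return max(0.0, last + wait - now)

    def retry_after(self, ip, user):
        """Seconds the caller must wait; the stricter of the two keys wins."""
        now = self.clock()
        return max(self._delay_for(("ip", ip), now),
                   self._delay_for(("user", user.lower()), now))

    def record_failure(self, ip, user):
        now = self.clock()
        for key in (("ip", ip), ("user", user.lower())):
            count, _ = self._state.get(key, (0, 0.0))
            self._state[key] = (count + 1, now)

    def record_success(self, ip, user):
        # Clear only the user counter. Clearing the IP counter too would let
        # someone reset their own penalty by signing in to an account they control.
        self._state.pop(("user", user.lower()), None)
```

Keying on the user ID as well as the IP means guesses spread across many addresses still slow down, at the cost that a targeted account can be delayed by someone else's failures; the cap bounds that delay.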
2. Real-time Access Notifications for Admins or Everyone
Protect and monitor your privileged accounts by configuring real-time e-mail or SMS updates to notify system administrators or security staff that a SharePoint login has occurred.
Beowulf can also provide SharePoint login notifications for all users, so that they know when their SharePoint account is being used without permission.
In the event of a security breach, this feature lets you act quickly to minimize any damage or information leaks.
3. Restrict Some or All Accounts by Geographic Location
Beowulf lets you block entire countries by IP address. While this won't prevent a determined intruder using a VPN tunnel, it will keep casual browsers and many so-called zombie networks from accessing your SharePoint login pages and site, which improves overall farm performance.
4. Easy to Use Authentication on Any Device / Platform
Perhaps the best reason to use Beowulf with SharePoint login is that it makes signing into SharePoint a relatively painless process, even as it adds several important security features.
Beowulf's SharePoint login pages are mobile friendly, leveraging Bootstrap's responsive web framework.
The Beowulf web server is built on MVC architecture and supports ASPX and Razor, so your developers can customize it to meet your needs. Pages can be fully themed and customized, so you can provide security disclaimers, company branding, and any other enhancements you may like.
5. Reduce Account Maintenance and Support Costs
One of the key benefits to using Beowulf for SharePoint login is that in some cases you can choose to shift the burden and cost of account maintenance onto someone else.
By allowing users to provide credentials from third party identity providers, time and money are no longer being wasted providing password reminders/resets, as these tasks are handled by the identity provider.
Your internal users and affiliates can work side by side in SharePoint, without the need to maintain accounts for external users who access the system infrequently and often forget their credentials entirely. Beowulf's SharePoint login process integrates these two systems seamlessly.
If you're leveraging Active Directory, Beowulf has several features that can help you reduce support costs. We include password expiration reminders during SharePoint login as a standard feature, and self-service password update and reset are fully integrated into our product. If you have Beowulf, there's no need to license separate products for these purposes.
6. Extend SharePoint Login Using Popular Vendors Like Microsoft, Google, Facebook, LinkedIn, or Twitter
Beowulf's SharePoint login engine supports all the popular identity providers: Facebook, Google, LinkedIn, Microsoft, Twitter - even Yahoo. You don't have to enable all of them; you can choose to allow any that you want to leverage. We use industry accepted standards including OAuth2 and SAML to interoperate with these providers and others, so you can be sure not only that these connections will be supported for some time to come, but that those connections are made in secure fashion.
If external logins for SharePoint just aren't your thing, Beowulf also supports logins via SQL Membership provider databases, Active Directory, and remote LDAP connections. Given the correct VPN or firewall configuration, we can even authenticate users from remote Active Directory servers that are on different physical networks or AD domains.
7. Affordable Alternative to Expensive Solutions Like F-5, Kemp, 9Star SSO, SiteMinder, and Others
Beowulf is less expensive than competitors' products like 9Star SSO or SiteMinder. Yet because Beowulf was built specifically for SharePoint, it offers many features these products don't or can't.
While Beowulf is certainly not a replacement for an application aware firewall/proxy (WAF/WAP), it has many features that overlap with capabilities of more robust security products such as the F-5 Big IP and Kemp Technologies web firewall which are common in SharePoint environments.
We encourage everyone to take security seriously and make the necessary investment to protect critical data. Even so, we understand that these solutions cost many thousands of dollars and can be cost prohibitive. Simply put, not everyone can afford them. For less stringent security needs, such as small business, purely commercial, or educational uses, these products may be overkill. (You wouldn't put a bank vault on the front door of your home.) Regardless, doing something is always better than doing nothing at all.
One cost-effective (and often sufficient) solution is to combine Beowulf Identity Server with a next generation firewall (NGFW) like those from Cisco, the standard cloud-based network security configuration provided by Windows Azure or Amazon AWS, or other firewalls such as the commercially available Linux-based Endian UTM or the open source Endian Community Firewall.
If you already have a WAP/WAF in place, that's great! Beowulf is fully tested with F-5 and works very well behind their application load balancer, with or without SSL offloading. Liquid Mercury Solutions is an F-5 partner, and we leverage this relationship to ensure our products work well together in a variety of environments and configurations.
8. Rapid, Automated, Federated SharePoint Authentication
While newer versions of SharePoint do provide a way to create/consume Federation Metadata, these features are almost useless since the implementation is based entirely on JSON that is supported only very narrowly beyond Microsoft's own cloud environment. Beowulf extends SharePoint login providers with full support for XML-based Federation Metadata (FederationMetadata.xml), like that created and consumed by popular SAML providers such as Active Directory Federation Service (ADFS), Beowulf Identity Server, Shibboleth, and more.
Using Beowulf, a single PowerShell command lets you create and federate the SharePoint login provider with a supporting provider, without the risk of human error associated with manual configuration. What once took many hours or days now takes only minutes.
Beowulf also generates federation metadata XML for the SharePoint site too, so you can quickly and easily configure your upstream identity provider such as ADFS, Beowulf IdP, SiteMinder, or Shibboleth server.
When the need arises to replace expiring or compromised certificates, Beowulf can also update the federation configuration in just moments. Updates can be scheduled, further reducing the burden of running federated authentication services.
9. Public SharePoint Login in Office 365 / SharePoint Online with Proxy Accounts for Anonymous Users and Guests
Although Microsoft took back the feature for public facing SharePoint sites a couple years ago - and we're the first to admit that SharePoint has its limitations and caveats with respect to digital marketing and SEO - there are still many cases where you may want to leverage SharePoint Online for a broader audience than just your own employees and a small number of affiliates. For example, you may wish to allow SharePoint login to a content distribution and delivery platform as part of your e-commerce fulfillment process.
Beowulf Identity Server can be used to allow proxy accounts, with unconventional access methods, to log in to SharePoint Online sites as if they're actual Office 365 users. So for example, you could allow a means of pseudo-anonymous SharePoint access, or you can provide expiring guest logins that last only for a limited time.
10. Overcome the Kludgy SharePoint Login and User Experience for Claims Based Users
If you need to leverage claims based authentication for SharePoint login, but you've been frustrated by the limited and clunky user experience associated with it, Beowulf can help.
Beowulf includes the following components that just make the SharePoint login process (and SharePoint itself) work better:
- Flexible People Pickers: Beowulf includes several people pickers to make selecting users from the claims provider as easy as using Windows authentication. Our people pickers are configurable with a variety of options and support several configurations, including direct communication with the user directory / source data, indirect communication through the Beowulf IdP, and leveraging information stored in SharePoint login accounts and user profiles.
- Rule Based Realm Selection: Having to click through multiple drop-down boxes every time you sign in is annoying. But the default SharePoint login page's realm picker menu has only very basic capabilities. With Beowulf, you'll never need to see this screen again.
- Sign Out and Sign In As Another User: Unlike the sign out options that come with SharePoint out-of-the-box, ours actually work with claims authentication. Microsoft has improved this capability somewhat in SharePoint 2013; ours works with 2010 and provides significant enhancements and configurability in newer versions of SharePoint.
- Convert Claims to Profile Properties: Beowulf ensures that claims information provided by your identity provider is copied into your SharePoint user profile as needed. After the SharePoint login process is complete, these can be leveraged on SharePoint sites and applications natively.
- Masquerade as Windows User: Once a claims-based user successfully logs in, if they have a Windows base account, Beowulf can convert the claims-based user to their Windows identity.
- Full Support for Federation Metadata XML: Did we already mention that, using Beowulf, you can federate SharePoint in just minutes without the risk of human error? Sorry if we repeat ourselves, but we're just very proud of that.