Creating a SharePoint hybrid environment is about leveraging both SharePoint Server OnPremises and Office 365 SharePoint Online to achieve your business goals.
A hybrid environment enables enterprise users to be connected from almost anywhere to the resources and content they need. A hybrid solution can help your company get started in the cloud, taking a first step to explore cloud functionality at your own pace. With the hybrid functionality in SharePoint Server and Office 365, you extend your on-premises investment to the cloud by integrating services and moving workloads to the environment that meets your organizational strategy.
However, the transition from SharePoint OnPremises to Office 365 is a long journey for most enterprises, as a lot of planning and migration strategy goes into it, which leaves many companies running a hybrid environment for a couple of years. This makes the workflow strategy very interesting, as most SharePoint workflow products out there target only one SharePoint platform, which leaves you with two editions of a workflow platform: one working OnPremises and the other in Office 365.
This is where AgilePoint NX is different. It supports a hybrid SharePoint setup with a single installation of the AgilePoint NX server. However, due to the differences in authentication mechanisms between SharePoint OnPremises and Office 365, there are a few things to set up to make your hybrid SharePoint environment work. Some of these are optional steps, which I have indicated as we discuss them in detail. Please keep in mind that these are one-time steps, performed when setting up the server for the first time.
Step 1: Set up AgilePoint NX Server and Portal – You can decide to install the AgilePoint server and portal either OnPremises or in a private cloud. Typically clients engage the AgilePoint Professional Services team to get this done so that the system is set up properly and verified as well. Please note that if the AgilePoint Server is installed OnPrem, then the AgilePoint REST port as well as the AgilePoint portal port should be opened for external access, either directly or through a proxy, so that it can accept calls coming from Office 365 or other cloud systems like Salesforce.
Step 2: Apply an SSL certificate to AgilePoint NX Server and Portal – As you are going to make callbacks from the Office 365 app into the AgilePoint NX server, you need to expose its REST endpoint externally, and Office 365 adds a prerequisite that it will only call back into an SSL-protected endpoint. Additionally, we also recommend exposing the AgilePoint portal over SSL.
Step 3: Bypass Multi-Factor Authentication for AgilePoint Server and Portal – If you do have MFA enabled for end users, you need to bypass it for the AgilePoint server access token. I have covered this in detail in another post.
Step 4 – Enable Single Sign-On between AgilePoint Server and Windows Azure AD – Since you are installing the AgilePoint server OnPremises or in a private cloud and want users coming from Office 365 to be logged into AgilePoint automatically without being challenged for credentials, a few steps are needed to register and trust the AgilePoint server and portal endpoints in the Windows Azure AD that serves your Office 365 environment. This step is covered as part of professional services from the AgilePoint team. An AgilePoint identity expert will walk your Windows Azure AD admin and AgilePoint Server admin step by step through how to set this up.
Step 5 – Write a Claims Transformation Module – When you are working with OnPremises SharePoint, most likely your SharePoint server is set up to authenticate against Active Directory. This results in the authenticated username being in domain name format, i.e. if your domain is xyz then the username would be of the format xyz\nishant.shrivastava. However, when you federate Windows Azure AD with ADFS backed by the same AD, the username you get in Office 365 is in User Principal Name (UPN) format, i.e. firstname.lastname@example.org. You certainly do not want to maintain 2 different profiles for the same user in AgilePoint. What you really want is that if the same user logs into SharePoint OnPrem, he/she can see all his tasks for Office 365 as well, and vice versa. The AgilePoint NX authentication architecture makes this possible. We allow a Claims Transformation module to be injected into the authentication pipeline which transforms the username coming from Windows Azure AD into the corresponding domain name format, or vice versa, before it hits the AgilePoint server, so that both are considered the same user from the AgilePoint perspective. This is an interface which needs to be implemented, where you provide the logic for how to map UPN to domain name format as per your organization's AD setup. Most organizations have a simple mapping rule for this, as they follow a fixed format when mapping domain name format to UPN. This is done as part of professional services but is typically a small module to write.
Whether you transform the name from domain name format to UPN or vice versa really depends on which format you wish to keep in the AgilePoint database. It might also be driven by whether your AgilePoint service account is able to connect to Active Directory to do the conversion. It actually does not matter much, as the UI screens show only the user's full name and the username is more of a database-level thing; even where a username is shown somewhere, users typically recognize both formats easily.
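To show what such a module boils down to, here is an added example (not AgilePoint's own code) of a bidirectional mapper: a table of NetBIOS domain to UPN suffix, case-insensitive lookups so `xyz\user` and `XYZ\user` normalize to one stored identity, pass-through for names already in the target format, and a hard failure on an unmapped suffix or domain so no stray profile is created. The mapping table is constructed sample data, and the class and method names are hypothetical stand-ins for whatever interface the AgilePoint authentication pipeline expects.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Maps user names between domain\user (on-premises SharePoint backed by AD) and UPN
// (Office 365 via Windows Azure AD) so both resolve to one AgilePoint user.
// The NetBIOS-domain <-> UPN-suffix table is constructed sample data; replace it with
// the organization's own AD mapping rule. Class and method names are hypothetical and
// stand in for whatever interface the AgilePoint authentication pipeline expects.
public sealed class UserNameTransformer
{
    private readonly Dictionary<string, string> _domainToSuffix;
    private readonly Dictionary<string, string> _suffixToDomain;

    public UserNameTransformer(IDictionary<string, string> domainToSuffix)
    {
        // Case-insensitive on both sides: AD treats XYZ\user and xyz\user as the same account.
        _domainToSuffix = new Dictionary<string, string>(domainToSuffix, StringComparer.OrdinalIgnoreCase);
        _suffixToDomain = domainToSuffix.ToDictionary(kv => kv.Value, kv => kv.Key, StringComparer.OrdinalIgnoreCase);
    }

    // UPN -> domain\user. A name already in domain\user form passes through unchanged.
    public string ToDomainFormat(string name)
    {
        if (name.IndexOf('\\') >= 0) return name;
        int at = name.IndexOf('@');
        if (at <= 0 || at == name.Length - 1)
            throw new FormatException("Not a UPN: " + name);
        string suffix = name.Substring(at + 1);
        // Unknown suffix: fail closed rather than guess a domain and create a stray profile.
        if (!_suffixToDomain.TryGetValue(suffix, out string domain))
            throw new InvalidOperationException("No domain mapped for UPN suffix " + suffix);
        return domain + "\\" + name.Substring(0, at);
    }

    // domain\user -> UPN. A name already in UPN form passes through unchanged.
    public string ToUpn(string name)
    {
        if (name.IndexOf('@') >= 0) return name;
        int slash = name.IndexOf('\\');
        if (slash <= 0 || slash == name.Length - 1)
            throw new FormatException("Not a domain\\user name: " + name);
        string domain = name.Substring(0, slash);
        if (!_domainToSuffix.TryGetValue(domain, out string suffix))
            throw new InvalidOperationException("No UPN suffix mapped for domain " + domain);
        return name.Substring(slash + 1) + "@" + suffix;
    }
}
```

Construct it with the organization's table, for example `{ "XYZ", "example.org" }`; `ToDomainFormat("nishant.shrivastava@example.org")` then yields `XYZ\nishant.shrivastava` and `ToUpn` reverses it, so whichever format you store in the AgilePoint database, both login paths land on the same user.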
Step 6 – Proactive User Registration in AgilePoint NX from Windows Azure AD – This is an optional step, which really depends on the choice you made in Step 5. If you decided to keep the username in AgilePoint in domain name format, as most users are accessing the OnPrem SP server, then you do not need this step, as there is an OOTB module called ADSync which can sync AD groups with AgilePoint groups.
This component has been around for a while and has been used by most enterprise-level clients for more than 10 years. However, if you decide to keep users in UPN format as a company policy and hence proactively sync AgilePoint NX groups with your Windows Azure AD groups, you can buy an add-on component which synchronizes groups automatically on a pre-defined schedule. Please remember that this is not mandatory, as there are other manual ways of registering users from Windows Azure AD in AgilePoint NX, which are covered in my other post. That post also covers some details on how the proactive sync works with the Windows Azure AD Add-on Sync.
Again, all this is only applicable if you decide to keep the username in the AgilePoint NX database in UPN format. If you are fine with domain name format and your OnPremises SharePoint is going to be around for a while, it is perfectly fine to just go with domain name format in Step 5, use the OOTB ADSync module, and hence skip Step 6.