Day 2 - Identity and SSO
Agenda
• Overview of Identity Management in Office 365
• Synchronize Identity Model (DirSync)
• Explain Azure Active Directory
• Federated Identity Model (SSO)
• Self-service Single Sign-On
Identity as the control plane (diagram): on-premises Windows Server Active Directory and other directories connect and sync with Microsoft Azure Active Directory, your directory in the cloud, which then provides a simple connection to cloud services (SaaS, Azure, Office 365 and other public cloud).
Azure Active Directory Connect (diagram): connects Microsoft Azure Active Directory with other directories through the following connectors:
• PowerShell
• LDAP v3
• SQL (ODBC)
• Web Services (SOAP, Java, REST)
Office 365 Identity Management
• Cloud Identity: single identity in the cloud; suitable for small organizations with no integration to on-premises directories
• Directory Synchronization: single identity; suitable for medium and large organizations without federation
• Federated Identity: single federated identity and credentials; suitable for medium and large organizations
The end-to-end Microsoft stack (diagram): on-premises Windows Active Directory and Active Directory Federation Services connect to Windows Azure Active Directory through DirSync (directory synchronization) and WS-Federation / WS-Trust (federation); clients such as Outlook, Lync and Word, Exchange Web Access and SharePoint Online authenticate through Windows Azure Active Directory.
Delivering a seamless user authentication experience
• Identity Synchronization with password hash sync: user attributes are synchronized to Microsoft Azure using Identity Synchronization services, including a password hash; authentication is completed against Azure Active Directory.
• Identity Synchronization with AD FS: user attributes are synchronized to Microsoft Azure using Identity Synchronization tools; authentication is passed back through federation and completed against Windows Server Active Directory.
Password Sync: What it is
• Feature of DirSync: synchronizes user password hashes from on-premises AD to Windows Azure AD
• Enables users to log on to Windows Azure AD services using the same username/password as on-premises AD
• Part of DirSync: no additional software, no changes to domain controllers, no reboots
• Easier, less-expensive alternative to AD FS Single Sign-On, but not the same thing: no redirection to on-premises authentication, no token exchange between the on-premises environment and the cloud; authentication takes place in the cloud
• Only for the single-forest scenario
Password Sync: How it works
• Security considerations: synchronizes hashes from on-premises AD to Azure AD; never sees or stores plaintext passwords
• Password policy considerations: defers to on-premises password policies; on-premises complexity policies override cloud policies for synchronized users; passwords of synchronized users "never expire" in the cloud
Deploying Directory Synchronization
Typical steps in deploying the Windows Azure Directory Synchronization tool: Prepare for DirSync, Activate DirSync, Setup DirSync, Sync Directories, Activate Users, Manage DirSync.
Password synchronization steps: Enable password sync, Initial password sync, Password handling during activation, Force a full sync, Monitor events.
Synchronization (diagram): DirSync runs between on-premises Active Directory and the Microsoft Online Services directory (through the DirSync Web Service), which serves SharePoint Online, Live ID, Exchange Online and Lync Online.
• Sync Cycle Step 1: Import Users, Groups, and Contacts from the source Active Directory forest
• Sync Cycle Step 2: Import Users, Groups, and Contacts from Microsoft Online Services via AWS
• Sync Cycle Step 3: Export Users, Groups, and Contacts that do not already exist in Microsoft Online Services
Example object: the on-premises user object is Mailbox-Enabled with ProxyAddresses SMTP: [email protected]; in Microsoft Online Services it becomes a logon-enabled user object (unlicensed) that is Mail-Enabled (not Mailbox-Enabled), with ProxyAddresses SMTP: [email protected], smtp: [email protected] (users only; mail-enabled objects).
Manage: Monitor App Log Events
Application Log, Event Source = Directory Synchronization
• Event ID 650: Password synchronization starts retrieving updated passwords from the on-premises AD DS
• Event ID 651 (success): Finished retrieving updated passwords from on-premises AD DS
• Event ID 652 (error): Failed to retrieve updated passwords from on-premises AD DS
• Event ID 653: Password synchronization starts informing Windows Azure AD that there are no passwords to be synced
• Event ID 654 (success): Finishes informing Windows Azure AD that there are no passwords to be synced
• Event ID 655 (error): Failed to inform Windows Azure AD that there are no passwords to be synced
** This 653-655 cycle occurs every 30 minutes if no passwords have been updated on-premises
• Event ID 656: Password synchronization detects password changes and tries to sync them to Windows Azure AD
• Event ID 657 (success): User(s) whose password was successfully synced, Result: Success
• Event ID 657 (error): User(s) whose password was not synced, Result: Failed
** Lists at least 1 user, at most 50 users
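As an added example (not part of the slide deck), the following PowerShell reads the Directory Synchronization password-sync events listed above from the Application log and summarizes them, flagging the error events (652, 655, and 657 with Result: Failed). The event IDs and their meanings come from the slides; the function name, the counters and the constructed sample events at the bottom are assumptions, and the sample message text is written to match the slide descriptions rather than copied from a real server.

```powershell
# Added example, not from the slides: summarize DirSync password synchronization
# events (IDs 650-657, Application log, source "Directory Synchronization").
# Event IDs and meanings are taken from the slides; everything else is an assumption.

function Get-DirSyncPasswordSyncSummary {
    param(
        # Objects exposing Id, TimeCreated and Message (Get-WinEvent output or constructed samples)
        [Parameter(Mandatory = $true)]
        [object[]]$Events
    )

    $summary = [ordered]@{
        RetrievalsStarted    = 0   # 650
        RetrievalsSucceeded  = 0   # 651
        RetrievalsFailed     = 0   # 652 (error)
        NoChangeNotifyOk     = 0   # 654 (653/654 repeat every 30 minutes with no password changes)
        NoChangeNotifyFailed = 0   # 655 (error)
        ChangeBatches        = 0   # 656
        UsersSynced          = 0   # 657, Result: Success
        UsersFailed          = 0   # 657, Result: Failed
    }
    $errors = New-Object System.Collections.Generic.List[object]

    foreach ($e in $Events) {
        switch ($e.Id) {
            650 { $summary.RetrievalsStarted++ }
            651 { $summary.RetrievalsSucceeded++ }
            652 { $summary.RetrievalsFailed++;     $errors.Add($e) }
            653 { }   # start of the "nothing to sync" notification; informational only
            654 { $summary.NoChangeNotifyOk++ }
            655 { $summary.NoChangeNotifyFailed++; $errors.Add($e) }
            656 { $summary.ChangeBatches++ }
            657 {
                # One 657 event lists 1 to 50 users; classify the event by its Result line
                if ($e.Message -match 'Result\s*:\s*Success')  { $summary.UsersSynced++ }
                elseif ($e.Message -match 'Result\s*:\s*Fail') { $summary.UsersFailed++; $errors.Add($e) }
            }
        }
    }

    $summary.Errors = $errors.ToArray()
    return [pscustomobject]$summary
}

# Live use on the DirSync server. Get-WinEvent raises an error (not an empty result)
# when nothing matches, hence -ErrorAction SilentlyContinue and the $null check.
$since = (Get-Date).AddHours(-24)
$live = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Directory Synchronization'
    Id           = 650..657
    StartTime    = $since
} -ErrorAction SilentlyContinue
if ($live) { Get-DirSyncPasswordSyncSummary -Events $live | Format-List }

# Constructed sample events (not real log output) so the function can be exercised offline
$now = Get-Date
$sample = @(
    [pscustomobject]@{ Id = 650; TimeCreated = $now.AddMinutes(-40); Message = 'Password synchronization starts retrieving updated passwords from the on-premises AD DS.' }
    [pscustomobject]@{ Id = 651; TimeCreated = $now.AddMinutes(-39); Message = 'Finished retrieving updated passwords from on-premises AD DS.' }
    [pscustomobject]@{ Id = 656; TimeCreated = $now.AddMinutes(-38); Message = 'Password synchronization detects password changes and tries to sync them to Windows Azure AD.' }
    [pscustomobject]@{ Id = 657; TimeCreated = $now.AddMinutes(-37); Message = "User(s) whose password was successfully synced`nResult : Success" }
    [pscustomobject]@{ Id = 657; TimeCreated = $now.AddMinutes(-37); Message = "User(s) whose password was not synced`nResult : Failed" }
    [pscustomobject]@{ Id = 653; TimeCreated = $now.AddMinutes(-10); Message = 'Password synchronization starts informing Windows Azure AD that there are no passwords to be synced.' }
    [pscustomobject]@{ Id = 655; TimeCreated = $now.AddMinutes(-9);  Message = 'Failed to inform Windows Azure AD that there are no passwords to be synced.' }
)
$result = Get-DirSyncPasswordSyncSummary -Events $sample
$result | Format-List
# With the sample above: UsersSynced 1, UsersFailed 1, NoChangeNotifyFailed 1, two entries in Errors
$result.Errors | Select-Object Id, TimeCreated
```

Because the 653-655 cycle repeats every 30 minutes, a healthy but idle DirSync server logs events continuously; alerting should key on 652, 655 and the failed 657 events rather than on event volume, and a long gap with no 650/653 events at all is itself a sign that the sync service has stopped.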
Understanding Identities
Cloud Identity
• Separate credential from on-premises credential
• Authentication occurs via cloud directory service
• Password policy is stored in Office 365
• Does not require on-premises server deployment
Federated Identity
• Same credential as on-premises credential
• Authentication occurs via on-premises directory service
• Password policy is stored on-premises
• Requires on-premises DirSync server
• Requires on-premises ADFS server
Understanding Identities
Cloud Identity
• Scenario: smaller organizations with or without on-premises Active Directory
• Benefits: does not require on-premises server deployment
• Limitations: no Single Sign-On; no 2 Factor Authentication options; two sets of credentials to manage; different password policies
Cloud Identity + DirSync
• Scenario: medium to large organizations with Active Directory on-premises
• Benefits: "Source of Authority" is on-premises; enables coexistence
• Limitations: no Single Sign-On; no 2 Factor Authentication options; two sets of credentials to manage; different password policies; requires on-premises DirSync server deployment
Federated Identity
• Scenario: large enterprise organizations with Active Directory on-premises
• Benefits: Single Sign-On experience; "Source of Authority" is on-premises; 2 Factor Authentication options; enables coexistence
• Limitations: requires on-premises ADFS server deployment in a high availability scenario; requires on-premises DirSync server deployment
Understanding Identities: Two types of Domains
• Managed Domain
• Federated Domain
• Domain ownership must be verified
• Must use a publicly registered namespace (i.e. cannot use *.local, etc.)
• Options for adding new domains: Microsoft Online Portal; Microsoft Online Services Module for Windows PowerShell
Purpose
• Enables users to access both the on-premises and cloud-based organizations with a single user name and password
• Provides users with a familiar sign-on experience
• Allows administrators to easily control account policies for cloud-based organization mailboxes by using on-premises Active Directory management tools
Deployment Architecture
• Single internal/proxy server: not recommended because it is not highly available
• ADFS Proxy is required for the Basic Authentication (Active Profile) endpoint
• 2+ internal/proxy servers with load balancers
(Diagram: in the perimeter network, ADFS 2.0 Proxy servers sit behind a load balancer; in the internal network, ADFS 2.0 servers sit behind a load balancer and are backed by Active Directory. Both Basic Authentication (Active Profile) and Passive Federation (Passive Profile) traffic enters through the proxies.)
Deployment Architecture: minimum number of servers by number of users
• Fewer than 1,000 users: 0 dedicated federation servers, 0 dedicated federation server proxies, 1 dedicated NLB server
• 1,000 to 15,000 users: 2 dedicated federation servers, 2 dedicated federation server proxies
• 15,000 to 60,000 users: between 3 and 5 dedicated federation servers, at least 2 dedicated federation server proxies
Deployment Topology
• ADFS can use Windows Internal Database (WID) or SQL
• WID has a limit of 5 servers per farm; no imposed limit for SQL
• When configured as an ADFS farm, WID supports basic database redundancy via pull replication: the primary server contains the read/write copy; secondary servers check for updates every 5 minutes by default; if the primary fails, all secondary servers continue to process requests; a secondary server can become the primary
• SQL supports failover clustering or mirroring
Deployment Considerations for UPN
• User objects must have a value for UPN in on-premises Active Directory
• The UPN domain suffix must match a verified domain in Office 365; the default domain (e.g. contoso.onmicrosoft.com) is automatically added as a verified domain and is used if the UPN does not match a verified domain
• Users must switch to using the UPN to log on to Office 365, not domain\username
• The UPN must have valid characters; the Office 365 Deployment Readiness Tool will verify that on-premises objects have valid characters
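The following PowerShell is an added example, not from the deck and not the Office 365 Deployment Readiness Tool, that runs the UPN checks above over a set of user objects before DirSync is enabled: empty UPN, malformed UPN, suffix not in the verified-domain list, and characters outside an allowed set. The function name, the verified-domain list, the constructed sample users and the allowed-character pattern are assumptions for illustration; the Readiness Tool remains the authoritative check.

```powershell
# Added example, not from the slides: pre-flight check of on-premises user UPNs against the
# UPN considerations above. The verified-domain list, the sample users and the character rule
# are assumptions; contoso.com / contoso.onmicrosoft.com are the deck's example domains.

function Test-O365Upn {
    param(
        # Objects with SamAccountName and UserPrincipalName (Get-ADUser output or constructed samples)
        [Parameter(Mandatory = $true)]
        [object[]]$Users,
        # Domains verified in the Office 365 tenant (assumed list supplied by the caller)
        [Parameter(Mandatory = $true)]
        [string[]]$VerifiedDomains,
        # Assumed allowed local-part characters: letters, digits, and ' . - _ ! # ^ ~
        [string]$LocalPartPattern = '^[A-Za-z0-9''\.\-_!#\^~]+$'
    )
    foreach ($u in $Users) {
        $upn = $u.UserPrincipalName
        $issue = $null
        if ([string]::IsNullOrWhiteSpace($upn)) {
            $issue = 'UPN is empty; the user could only log on as domain\username, which Office 365 does not accept'
        }
        elseif ($upn -notmatch '^[^@]+@[^@]+$') {
            $issue = 'UPN is not of the form user@domain'
        }
        else {
            $local, $suffix = $upn -split '@', 2
            if ($local -notmatch $LocalPartPattern) {
                $issue = "UPN local part contains characters outside the assumed allowed set: '$local'"
            }
            elseif ($VerifiedDomains -notcontains $suffix) {
                $issue = "UPN suffix '$suffix' is not a verified domain; the default *.onmicrosoft.com domain would be used instead"
            }
        }
        [pscustomobject]@{
            SamAccountName    = $u.SamAccountName
            UserPrincipalName = $upn
            Ready             = ($null -eq $issue)
            Issue             = $issue
        }
    }
}

# Constructed sample (not real directory data): one ready user and three that need fixing
$verified = @('contoso.com', 'contoso.onmicrosoft.com')
$sampleUsers = @(
    [pscustomobject]@{ SamAccountName = 'alice'; UserPrincipalName = 'alice@contoso.com' }      # ready
    [pscustomobject]@{ SamAccountName = 'bob';   UserPrincipalName = 'bob@corp.local' }         # unverified suffix
    [pscustomobject]@{ SamAccountName = 'carol'; UserPrincipalName = '' }                       # empty UPN
    [pscustomobject]@{ SamAccountName = 'dave';  UserPrincipalName = 'dave smith@contoso.com' } # space in local part
)
$results = Test-O365Upn -Users $sampleUsers -VerifiedDomains $verified
$results | Format-Table -AutoSize
$results | Where-Object { -not $_.Ready }   # the users to fix before enabling DirSync

# Live use with the ActiveDirectory module (run on a domain-joined management host):
# $users = Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName
# Test-O365Upn -Users $users -VerifiedDomains $verified | Where-Object { -not $_.Ready }
```

Running this before the first sync matters because a user whose UPN suffix is not verified is silently given the *.onmicrosoft.com default, so the on-premises and cloud logon names diverge and the "same credential" promise of the synchronized model is broken for that user.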
Sign-in: How does SSO work (intranet user; the diagram shows the corporate firewall between the user and Azure AD)
1. User accesses application
2. Redirected to Azure AD; user enters their login ID for HRD (home realm discovery)
3. Redirected to ADFS; desktop SSO on a domain-joined machine
4. Redirected to AAD; AAD validates the user token and generates a new token for the application
5. User now has access to the application

Sign-in: How does SSO work (extranet user)
1. User accesses application
2. Redirected to Azure AD; user enters their login ID for HRD
3. Redirected to WAP (Web Application Proxy); username/password or certificate authentication
4. Redirected to AAD; AAD validates the user token and generates a new token for the application
5. User now has access to the application
Client Endpoints
• Active Federation (MEX): applies to rich clients supporting ADFS; used by Lync and the Office Subscription client; clients negotiate authentication directly with the on-premises ADFS server
• Basic Authentication (Active Profile): applies to clients authenticating with basic authentication; used by ActiveSync, Outlook 2007/2010, IMAP, POP, SMTP, and Exchange Web Services; clients send "basic authentication" credentials to Exchange Online via SSL, and Exchange Online proxies the request to the on-premises ADFS server on behalf of the client
• Passive Federation (Passive Profile): applies to web browsers and documents opened via SharePoint Online; used by the Microsoft Online Portal, OWA, and SharePoint Portal; web clients (browsers) authenticate directly with the on-premises ADFS server
Client Endpoints (diagram): inside the corporate boundary the AD FS 2.0 Server exposes MEX, Web and Active endpoints, and the AD FS 2.0 Proxy exposes the same three endpoints outside it. Internal Lync 2010/Office Subscription clients use the MEX endpoint; internal Outlook 2010/2007 and IMAP/POP clients send username/password to Exchange Online, which uses the Active endpoint; internal OWA uses the Web (passive) endpoint. External Lync 2010/Office Subscription, Outlook 2010/2007, IMAP/POP, ActiveSync and OWA clients follow the same paths through the proxy. Basic auth proposal: pass client IP, protocol and device name.
Authentication Flow – MEX Profile (diagram): a client joined to CorpNet authenticates against the customer's authentication platform (AD FS 2.0 Server, backed by Active Directory) and receives a Logon (SAML 1.1) Token carrying UPN: [email protected] and User Source ID: ABC123; it presents that token to Microsoft Online Services, which returns an Auth Token for Lync Online carrying UPN: [email protected] and ID: 254729.

Authentication Flow – Active Profile (diagram): the client sends Basic Auth credentials (username/password) to Exchange Online in Microsoft Online Services; Exchange Online obtains the Logon (SAML 1.1) Token (UPN: [email protected], User Source ID: ABC123) from the customer's AD FS 2.0 Proxy on the client's behalf, and the Auth Token (UPN: [email protected], ID: 254729) is issued to the client.

Authentication Flow – Passive Profile (diagram): the client (browser) joined to CorpNet obtains the Logon (SAML 1.1) Token (UPN: [email protected], User Source ID: ABC123) from the customer's AD FS 2.0 Server and presents it to Exchange Online or SharePoint Online, which issues the Auth Token (UPN: [email protected], ID: 254729).
SSO: Tips for a successful deployment
Deployment
• Use Windows 2012 R2
• Co-locate ADFS on domain controllers (no IIS needed)
• You don't need SQL unless you are greater than 90K users!
• Use self-signed token signing certificates
Network
• Deploy Web Application Proxy. Current Outlook/EAS need this to work.
• AAD uses a federation metadata endpoint that is internet accessible to keep token signing cert information up to date.
• Don't use sticky sessions on your Load Balancer
• Configure SNI on load balancer or use HTTP health probes (MS14-08)
Security
• Enable extranet soft account lockout
• Enable MFA with smartcards, Azure MFA or 3rd party MFA (SafeNet, RSA, Gemalto, LoginPeople …)
• Enable client access policies in the prescribed manner.
Sign-In Experience
• Ensure that SPN (HOST/adfs.contoso.com) is set on ADFS service account
• Customize illustration & logo to have a great end user experience
• Enable 'Keep Me Signed In' option for better SSO
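As an added example (not from the deck), the PowerShell below applies and then verifies the "Security" and "Sign-In Experience" tips on an AD FS server running Windows Server 2012 R2: extranet soft lockout, smart-card certificate authentication as an additional factor, Keep Me Signed In, the custom illustration and logo, and the SPN on the service account. The cmdlets are from the Windows Server 2012 R2 ADFS module; the lockout threshold and window, the theme file paths and the service-account lookup are example choices and assumptions, not values from the slides.

```powershell
# Added example, not from the slides: apply and verify the AD FS deployment tips on
# Windows Server 2012 R2. Threshold, window and theme paths are example values.

Import-Module ADFS

# Extranet soft account lockout. Once the threshold of failed password attempts arriving
# through the Web Application Proxy is reached, AD FS stops forwarding attempts to AD for
# the observation window, so an internet-facing guessing run cannot hard-lock the domain
# account. Keep the threshold below the AD account lockout threshold.
Set-AdfsProperties -EnableExtranetLockout $true `
                   -ExtranetLockoutThreshold 15 `
                   -ExtranetObservationWindow (New-TimeSpan -Minutes 30)

# Smart-card (certificate) authentication as an additional authentication provider;
# the built-in provider name is CertificateAuthentication
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider 'CertificateAuthentication'

# "Keep Me Signed In" (persistent SSO cookie) for the passive profile
Set-AdfsProperties -EnableKmsi $true

# Custom illustration and logo on the sign-in page (file paths are placeholders)
Set-AdfsWebTheme -TargetName default -Illustration @{ path = 'C:\adfs-theme\illustration.png' }
Set-AdfsWebTheme -TargetName default -Logo         @{ path = 'C:\adfs-theme\logo.png' }

# Verify the resulting service properties
$props = Get-AdfsProperties
[pscustomobject]@{
    ExtranetLockoutEnabled    = $props.ExtranetLockoutEnabled
    ExtranetLockoutThreshold  = $props.ExtranetLockoutThreshold
    ExtranetObservationWindow = $props.ExtranetObservationWindow
    KmsiEnabled               = $props.KmsiEnabled
}
(Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider

# Verify that HOST/adfs.contoso.com is registered on the AD FS service account
# (service name adfssrv; the account is read from the service definition)
$serviceAccount = (Get-WmiObject -Class Win32_Service -Filter "Name='adfssrv'").StartName
setspn -L $serviceAccount
```

The SPN check is worth automating because a missing HOST/ SPN on the service account breaks Windows integrated authentication on the intranet path (step 3 of the intranet sign-in flow above), and the symptom, a credential prompt instead of desktop SSO, is easily mistaken for a client-side problem.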
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.