Understand Identities and Single Sign-On
Daniel Kenyon-Smith, Microsoft Consultancy Services UK
Agenda
1. Identity management overview
2. Core identity scenarios
3. Federation and synchronization
4. Additional features
Identity management overview
What is identity management?
Identity management deals with identifying individuals in a system and controlling access to the resources in that system.
Integral components of identity and access management:
• Authentication: verifying that a user, device, or service (such as an application provided on a network server) is the entity that it claims to be.
• Authorization: determining which actions an authenticated entity is authorized to perform on the network.
Core identity scenarios with Office 365
• Cloud Identity: single identity in the cloud. Suitable for small organizations with no integration to on-premises directories.
• Directory & Password Synchronization*: single identity. Suitable for medium and large organizations without federation.
• Federated Identity: single federated identity and credentials. Suitable for medium and large organizations.
* Password Synchronization may not be available at GA; the target is to update the service by 1H CY2013.
Core identity scenarios
Cloud identity (Windows Azure Active Directory)
• Rich experience with Office Apps
• Ease of deployment, management and support
• Lower cost, as no additional servers are required on-premises
• High availability and reliability, as all identities and services are managed in the cloud
Diagram: the user signs in with a cloud identity (e.g. [email protected]) directly to Windows Azure Active Directory.
Directory & Password Synchronization* (Windows Azure Active Directory)
• Rich experience with Office Apps
• Directory synchronization between on-premises and online
• Identities are created and managed on-premises and synchronized to the cloud
• Single identity and credentials, but no single sign-on for on-premises and Office 365 services
• Password synchronization enables single sign-on at lower cost than federation
• Reuse existing directory implementation on-premises
Diagram: on-premises identity (e.g. Domain\Alice) in AD or a Non-AD (LDAP) directory; Directory Synchronization and Password Synchronization to the cloud identity (e.g. [email protected]) in Windows Azure Active Directory.
* Password Synchronization may not be available at GA; the target is to update the service in 1H CY2013.
Federated identity (Windows Azure Active Directory)
• Single identity and sign-on for on-premises and Office 365 services
• Identities mastered on-premises with a single point of management
• Directory synchronization to synchronize directory objects into Office 365
• Secure token-based authentication
• Client access control based on IP address with ADFS
• Strong-factor authentication options for additional security with ADFS
Diagram: on-premises identity (e.g. Domain\Alice) in AD or a Non-AD (LDAP) directory; Federation and Directory Synchronization to Windows Azure Active Directory.
Federation and Synchronization options
Federation options

Shibboleth (SAML*): works with AD & Non-AD
• Suitable for educational organizations
• Recommended where customers may use existing non-ADFS identity systems
• Single sign-on
• Secure token-based authentication
• Support for web clients and Outlook only
• Microsoft supported for integration only; no Shibboleth deployment support
• Requires on-premises servers & support
• Works with AD and other directories on-premises

ADFS: works with AD
• Suitable for medium and large enterprises, including educational organizations
• Recommended option for Active Directory (AD) based customers
• Single sign-on
• Secure token-based authentication
• Support for web and rich clients
• Microsoft supported
• PhoneFactor can be used for two-factor auth
• Works for Office 365 hybrid scenarios
• Requires on-premises servers, licenses & support

Third-party identity providers ('Works with Office 365'): works with AD & Non-AD
• Suitable for medium and large enterprises, including educational organizations
• Recommended where customers may use existing non-ADFS identity systems with AD or Non-AD
• Single sign-on
• Secure token-based authentication
• Support for web and rich clients
• Third-party supported
• PhoneFactor can be used for two-factor auth
• Works for Office 365 hybrid scenarios
• Requires on-premises servers, licenses & support
• Verified through the 'Works with Office 365' program

* Broader SAML implementations will be supported in 1H CY2013.
'Works with Office 365' program
A program for third-party identity providers to interoperate with Office 365. The objective is to help customers that currently use non-Microsoft identity solutions to adopt Office 365.
Diagram: Federation with Identity Partners; benefits shown: Flexibility, Coordinated Support (Partner +), Confidence (Verified by Microsoft), Reuse Investments.
Directory Synchronization options

PowerShell & Graph API
• Suitable for small/medium-size organizations with AD or Non-AD
• Performance limitations apply with PowerShell and Graph API provisioning
• PowerShell requires scripting experience
• The PowerShell option can be used where the customer/partner may have wrappers around PowerShell scripts (e.g. self-service provisioning)

DirSync
• Suitable for organizations using Active Directory (AD)
• Provides the best experience to most customers using AD
• Supports Exchange co-existence scenarios
• Coupled with ADFS, provides the best option for federation and synchronization
• Supports Password Synchronization with no additional cost
• Does not require any additional software licenses

Forefront Identity Manager (FIM)
• Suitable for large organizations with certain AD and Non-AD scenarios
• Complex multi-forest AD scenarios
• Non-AD synchronization through Microsoft Premier deployment support
• Requires Forefront Identity Manager and additional software licenses
Identity roadmap
• Shibboleth (SAML) support: available now
• New 'Works with Office 365' partners: Ping, Optimal IDM, Okta, IBM available now; Novell, CA and Oracle in 1H CY2013
• DirSync for multi-forest AD: available now through MCS and partners
• Sync solution for Non-AD using FIM: available now through MCS and partners
• Password Synchronization for AD: 1H CY2013
• Broader SAML support: 1H CY2013
Additional options
ADFS prerequisites
• ADFS on Windows Server 2008 or Windows Server 2008 R2 (2012 not currently supported)
• ADFS 2.0 setup installs: Web Server (IIS), .NET 3.5 SP1, Windows Identity Foundation
• Publicly registered, routable domain name
• SSL certificate(s); wildcard supported*
• Microsoft Online Services Module for Windows PowerShell
• Microsoft Online Sign In Assistant
• High availability design: dual-site, load balanced
• Choice between Windows Internal Database (WID) and SQL: WID supports a maximum of 5 federation servers; SQL supports SAML replay detection and an artifact store
* From the Field: Wildcard SSL certificates are supported with ADFS; however, the ADFS GUI fails to add additional ADFS servers to a farm when the ADFS farm name does not match the *.domain.com in the wildcard certificate. When adding further ADFS servers to a farm, use FSConfig.exe from the command line to add the additional servers.
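The following script is an added example and is not part of the original deck or of any Microsoft tool. It turns the prerequisite list above into a pre-flight report for a prospective AD FS 2.0 federation server, and in particular checks the wildcard-certificate failure mode from the field note: a wildcard *.domain.com covers exactly one extra label, so a farm name with an additional label does not match it. The farm name sts.contoso.com, the certificate thumbprint, the .NET 3.5 registry key and the GAC path used for the WIF heuristic are assumptions, not values from the slide.

```powershell
# Added example (not from the original deck): pre-flight checks for an AD FS 2.0 farm build.
# Run in Windows PowerShell on the prospective federation server. Farm name and thumbprint
# are placeholders.

function Test-CertificateCoversFarmName {
    param([string]$CertSubject, [string]$FarmName)
    # Returns $true when the certificate CN covers the farm name. A wildcard *.contoso.com
    # covers sts.contoso.com but not sts.corp.contoso.com (one label only); this is the
    # mismatch that stops the AD FS GUI from adding further servers to the farm.
    $cn   = (($CertSubject -split ',')[0] -replace '^\s*CN=', '').Trim().ToLower()
    $farm = $FarmName.Trim().ToLower()
    if ($cn.StartsWith('*.')) {
        $zone = $cn.Substring(2)
        if (-not $farm.EndsWith('.' + $zone)) { return $false }
        $leftmost = $farm.Substring(0, $farm.Length - $zone.Length - 1)
        return ($leftmost.Length -gt 0 -and -not $leftmost.Contains('.'))
    }
    return ($cn -eq $farm)
}

function Get-AdfsPrereqReport {
    param([string]$FarmName, [string]$CertThumbprint)
    $os    = Get-WmiObject Win32_OperatingSystem
    $ndp35 = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5'   # assumed key for .NET 3.5
    $cert  = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $CertThumbprint }

    $resolves = $false
    try { $resolves = ([System.Net.Dns]::GetHostAddresses($FarmName)).Count -gt 0 } catch { }

    # Windows Server 2008 is kernel 6.0, 2008 R2 is 6.1; 2012 (6.2) is listed as unsupported.
    New-Object PSObject -Property @{
        SupportedOS        = ($os.Version -match '^6\.[01]\.')
        IISInstalled       = ($null -ne (Get-Service W3SVC -ErrorAction SilentlyContinue))
        DotNet35SP1        = ((Test-Path $ndp35) -and ((Get-ItemProperty $ndp35).SP -ge 1))
        # Heuristic (assumption): WIF places Microsoft.IdentityModel in the GAC.
        WIFInstalled       = (Test-Path "$env:windir\assembly\GAC_MSIL\Microsoft.IdentityModel")
        CertificateFound   = ($null -ne $cert)
        CertificateUsable  = ($null -ne $cert -and $cert.HasPrivateKey -and $cert.NotAfter -gt (Get-Date))
        CertCoversFarmName = ($null -ne $cert -and (Test-CertificateCoversFarmName $cert.Subject $FarmName))
        FarmNameResolves   = $resolves
    }
}

# Usage (placeholder values):
Get-AdfsPrereqReport -FarmName 'sts.contoso.com' -CertThumbprint 'THUMBPRINT-PLACEHOLDER' | Format-List
```

Any False row is a blocker to fix before running ADFS setup; a False CertCoversFarmName with a wildcard certificate is exactly the case where the field note says to fall back to FSConfig.exe when joining additional servers.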
Client endpoints
• Active Federation (MEX): applies to rich clients supporting ADFS. Used by Lync and the Office Subscription client. Clients negotiate authentication directly with the on-premises ADFS server.
• Basic Authentication (Active Profile): applies to clients authenticating with basic authentication. Used by ActiveSync, Outlook 2007/2010, IMAP, POP, SMTP, and Exchange Web Services. Clients send "basic authentication" credentials to Exchange Online via SSL; Exchange Online proxies the request to the on-premises ADFS server on behalf of the client.
• Passive Federation (Passive Profile): applies to web browsers and documents opened via SharePoint Online. Used by the Microsoft Online Portal, OWA, and SharePoint Portal. Web clients (browsers) authenticate directly with the on-premises ADFS server.
From the Field: When working through the firewall considerations, ensure that the MSO datacentre IP ranges have been granted access to port 443 on the ADFS Proxy server located in the DMZ.
Diagram: Understanding client authentication path. Inside the corporate boundary, the AD FS 2.0 Server exposes MEX, Web and Active endpoints, used by Lync 2010/Office Subscription, internal OWA, and Outlook 2010/2007 and IMAP/POP clients. Outside the corporate boundary, the AD FS 2.0 Proxy exposes MEX, Web and Active endpoints, used by Lync 2010/Office Subscription and external OWA; Outlook 2010/2007, IMAP/POP and ActiveSync clients send their username and password to Exchange Online, which forwards the request to AD FS on their behalf. Basic auth proposal: pass client IP, protocol and device name.
Client access control
Limit access to Office 365 based on network connectivity (internet versus intranet):
• Block all external access to Office 365 based on the IP address of the external client
• Block all external access to Office 365 except Exchange ActiveSync; all other clients such as Outlook are blocked
• Block all external access to Office 365 except for passive browser-based applications such as Outlook Web Access or SharePoint Online
From the Field: Use the Client Access Policy Builder! Test ADFS client access rules extensively; ADFS will by default log all denied authorizations and the values it based the denial upon.
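As an added example (not code from the deck or from the Client Access Policy Builder), the script below expresses the second scenario above, "block all external access except Exchange ActiveSync", as an AD FS 2.0 issuance authorization rule and applies it to the Office 365 relying party trust. The rule keys off the request-context claims the AD FS proxy adds for external requests (proxy marker, forwarded client IP, client application), which is the "pass client IP, protocol, device name" mechanism referred to in the diagram. The relying party trust name, the corporate egress range 203.0.113.0/24 and the snap-in load are assumptions for this example.

```powershell
# Added example (not from the original deck): AD FS 2.0 client access rule for
# "block external access except Exchange ActiveSync". Run in an elevated Windows
# PowerShell session on the AD FS 2.0 server. Assumed values: RP trust name and the
# placeholder corporate range 203.0.113.0/24.

Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpName = 'Microsoft Office 365 Identity Platform'   # assumed relying party trust name

# Request-context claim types that the AD FS proxy adds to requests arriving from outside.
$proxy     = 'http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy'
$clientIp  = 'http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip'
$clientApp = 'http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application'
$deny      = 'http://schemas.microsoft.com/authorization/claims/deny'
$permit    = 'http://schemas.microsoft.com/authorization/claims/permit'

# Regex for the corporate public range (placeholder). Anchored, and written with character
# classes instead of backslash escapes so the claim rule language reads it unambiguously.
$corpIpRegex = '^203[.]0[.]113[.][0-9]{1,3}$'

# Deny when the request came via the proxy (i.e. from outside), the forwarded client IP is
# not in the corporate range, and the client is not Exchange ActiveSync.
$blockExternalExceptEas = @"
@RuleName = "Block external access except Exchange ActiveSync"
exists([Type == "$proxy"])
 && NOT exists([Type == "$clientIp", Value =~ "$corpIpRegex"])
 && NOT exists([Type == "$clientApp", Value == "Microsoft.Exchange.ActiveSync"])
 => issue(Type = "$deny", Value = "true");
"@

# The trust must keep a permit rule, otherwise no one is issued a token at all.
$permitAll = @"
@RuleName = "Permit all users"
 => issue(Type = "$permit", Value = "true");
"@

# Record what is there now so the change can be reverted.
$current = Get-ADFSRelyingPartyTrust -Name $rpName
Write-Host "Existing issuance authorization rules:`n$($current.IssuanceAuthorizationRules)"

Set-ADFSRelyingPartyTrust -TargetName $rpName `
    -IssuanceAuthorizationRules ($blockExternalExceptEas + "`n" + $permitAll)
```

Test from three vantage points before relying on it: an external ActiveSync device (expected to succeed), an external Outlook client (expected to be denied) and an internal client (expected to succeed). As the field note says, AD FS logs each denial together with the claim values it evaluated, so the x-ms-forwarded-client-ip and x-ms-client-application values in the Admin log are the first thing to read when a rule does not behave as intended.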
Deployment considerations for UPN
• User objects must have a value for UPN in on-premises Active Directory
• The UPN domain suffix must match a verified domain in Office 365
• The default domain (e.g. contoso.onmicrosoft.com) is automatically added as a verified domain and is used if the UPN does not match a verified domain
• Users must switch to using the UPN to log on to Office 365, not domain\username
• The UPN must have valid characters; the Office 365 Deployment Readiness Tool will verify that on-premises objects have valid characters
From the Field: If the customer does not have a valid and routable UPN suffix, one can be added via Active Directory Domains and Trusts. Right-click the top of the tree, click Properties and add the UPN suffix.
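The script below is an added example, not part of the deck and not the Deployment Readiness Tool, that checks on-premises user objects against the UPN rules above before directory synchronization is turned on. The verified-domain list, the default domain, the OU in scope and the character rule for the UPN prefix (letters, digits, period, dash and underscore) are assumptions for this example; in a real tenant the verified domains come from Get-MsolDomain -Status Verified and the Deployment Readiness Tool remains the authority on valid characters.

```powershell
# Added example (not from the original deck): pre-flight check of on-premises UPNs.
# Requires the ActiveDirectory module on a domain-joined host. Domain names, OU and the
# prefix character rule are placeholders/assumptions.

Import-Module ActiveDirectory

$verifiedDomains = @('contoso.com', 'contoso.onmicrosoft.com')    # assumed verified domains
$defaultDomain   = 'contoso.onmicrosoft.com'                       # assumed default domain
$syncScope       = 'OU=Synced,DC=corp,DC=contoso,DC=com'           # assumed OU in DirSync scope
$prefixPattern   = '^[A-Za-z0-9._-]+$'                             # assumed valid-character rule

function Test-O365Upn {
    param([string]$Upn)
    # Classifies one UPN the way the slide describes Office 365 treating it.
    if ([string]::IsNullOrEmpty($Upn)) {
        return New-Object PSObject -Property @{ Status = 'MissingUPN'; Detail = 'No UPN set on the user object' }
    }
    $parts = $Upn.Split('@')
    if ($parts.Count -ne 2) {
        return New-Object PSObject -Property @{ Status = 'Malformed'; Detail = "Expected exactly one '@' in '$Upn'" }
    }
    $prefix, $suffix = $parts
    if ($prefix -notmatch $prefixPattern) {
        return New-Object PSObject -Property @{ Status = 'InvalidCharacters'; Detail = "Prefix '$prefix' fails $prefixPattern" }
    }
    if ($verifiedDomains -notcontains $suffix.ToLower()) {
        return New-Object PSObject -Property @{ Status = 'UnverifiedSuffix';
            Detail = "Suffix '$suffix' is not verified; the user would be created as $prefix@$defaultDomain" }
    }
    return New-Object PSObject -Property @{ Status = 'OK'; Detail = 'UPN will be the Office 365 sign-in name' }
}

# Build a report of every user whose cloud identity would not be what the administrator expects.
$report = Get-ADUser -Filter * -SearchBase $syncScope -Properties UserPrincipalName |
    ForEach-Object {
        $check = Test-O365Upn -Upn $_.UserPrincipalName
        New-Object PSObject -Property @{
            SamAccountName = $_.SamAccountName
            UPN            = $_.UserPrincipalName
            Status         = $check.Status
            Detail         = $check.Detail
        }
    }

$report | Where-Object { $_.Status -ne 'OK' } | Format-Table SamAccountName, UPN, Status, Detail -AutoSize

# Remediation for a missing routable suffix, the PowerShell equivalent of the Domains and
# Trusts step in the field note (commented out; review the report first):
# Set-ADForest -Identity corp.contoso.com -UPNSuffixes @{ Add = 'contoso.com' }
# $report | Where-Object { $_.Status -eq 'UnverifiedSuffix' } | ForEach-Object {
#     Set-ADUser -Identity $_.SamAccountName -UserPrincipalName ($_.UPN.Split('@')[0] + '@contoso.com')
# }
```

Running this before the first synchronization avoids the quiet fallback described on the slide, where a user with an unverified suffix is silently provisioned under the default onmicrosoft.com domain and then cannot sign in with the identity they expect.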
Dirsync
• The Dirsync server must be joined to a domain within the same forest that will be synchronized
• The Dirsync server should never be installed on a domain controller
• The Dirsync server should be Windows Server 2008 (x64)
• By default SQL Server 2008 R2 Express is installed: 10 GB database limit (approx. 50,000 objects); full SQL option available
• Enterprise Administrator credentials should be used to install Dirsync; only required during setup
• x64 single/multi-forest appliance available (O365 connector also available for complex scenarios)
• x86 Dirsync is now unsupported
From the Field: When utilising the full SQL option, ensure that the EA account has "sysadmin" rights on the SQL database and that the Dirsync service account has "public" permissions on the Dirsync DB.
Scoping & filtering for synchronization
Customers can exclude objects from synchronizing to Office 365. Scoping can be done at the following levels:
• AD domain-based
• Organizational Unit-based
• User attribute-based
Additional filtering capabilities will become available with the O365 Connector.
Multi-forest AD (Windows Azure Active Directory)
• Multi-forest AD support is available through Microsoft-led deployments
• The multi-forest DirSync appliance supports multiple disjoint account forests
• The FIM 2010 Office 365 connector supports complex multi-forest topologies
Diagram: several AD forests with on-premises identities (e.g. Domain\Alice); federation using ADFS and DirSync on FIM to Windows Azure Active Directory.
Non-AD synchronization (Windows Azure Active Directory)
• Preferred option for directory synchronization with Non-AD sources
• Non-AD support with FIM is available through Microsoft-led deployments
• The FIM 2010 Office 365 connector supports complex multi-forest topologies
Diagram: Non-AD (LDAP) directory with on-premises identity (e.g. Domain\Alice); federation using a Non-ADFS STS and the Office 365 Connector on FIM to Windows Azure Active Directory.
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.