Identity in the cloud using Microsoft

Description: Identity in the cloud: ADFS 2.0, Azure, Office 365, Multifactor authentication

Transcript

Orbit One BVBA, Raas van Gaverestraat 83, B-9000 Gent, Belgium. Website www.orbitone.com, e-mail [email protected], tel. +32 9 330 15 00, VAT BE 456.457.353, bank 442-7059001-50 (KBC)

Kevin De Smet, 12 October, 2011
Identity in the cloud: ADFS 2.0, Azure, Office 365, Multifactor authentication
• Introduction
• ADFS 2.0: What is Federation?
• Single-sign-on: Extending the model to the cloud
• Multifactor Authentication
• How to make my company cloud-ready?
Identity
Why Cloud?
• Why do companies want to move to the cloud?
• What can they move to the cloud?
• Where do they move it to?
• Do they want everything in one location?
Cloud Pains
What makes moving to the cloud difficult?
• Identity
  - Difficult for the end-user (confusing and time consuming)
  - Extra management for IT (password resets, etc.)
  - New employees -> many accounts in many systems
  - Leaving employees -> blocking many accounts = security breach
• Migration
  - Hard to migrate everything at once (timeframe, downtime)
• Convince management
  - Maybe they don’t like it when their data is stored elsewhere
Solution to cloud pains?
• One identity (Active Directory)
  - Used for internal apps
  - Used for external apps from partners
  - Used for external cloud services
• How? You’ll learn in this session: ADFS & SSO is the key!
Not only Microsoft: Imagine 2016...
(diagram: my users connecting to Salesforce.com, Office 365, Combell, a bank application, accounting, a social secretary and financial info)
ADFS 2.0: What is Federation?
Before federation (diagram): the user company and the application company each have their own ID store, so the user needs an account on both sides.
With federation (diagram): ADFS1 at the user company and ADFS2 at the application company are linked by a federation trust; each side trusts its own ADFS, and authentication takes place against the user company's ID store.
ADFS 2.0: What is Federation?
What are claims?
• Statements about users (name, id, group, ...)
• Used for authorization by claims-aware applications
How are they used?
• Claims are encrypted in SAML tokens and passed on
• Tokens are signed by a trusted source
• Applications make decisions based on the claims
  - if jobtitle == “buyer” and department == “production” then access = true
• Claims can be transformed on their way
  - if jobtitle == “purchaser” then output_token:jobtitle = “buyer”
  - if jobtitle == “buyer” and department == “production” then output_token:spendlimit = “50€”
ADFS 2.0: What is Federation?
Using claims (diagram): ADFS1 authenticates the user against the ID store and reads AD attributes (Job Title, Department, ...); it issues a SAML token with Jobtitle = “Purchaser”. ADFS2 transforms this into a SAML token with Jobtitle = “Buyer”. The application then decides: if Jobtitle = “Buyer” then Access = True.
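The claims pipeline of the last two slides (ADFS1 issuing claims from AD attributes, ADFS2 transforming them, the claims-aware application deciding on access), as an added example that is not part of the deck. HMAC-signed JSON stands in for signed SAML tokens; the directory records, claim names and signing keys are constructed assumptions.

```python
# Added example (not from the deck): toy model of the claims flow shown above.
# HMAC-signed JSON stands in for signed SAML tokens; users, claim names and
# keys below are constructed assumptions, not values from the slides.
import hashlib, hmac, json

# Constructed sample directory: the user company's ID store behind ADFS1.
AD_USERS = {
    "jdoe":   {"jobtitle": "purchaser", "department": "production"},
    "asmith": {"jobtitle": "clerk",     "department": "production"},
}
# Constructed keys: one signing secret per trust relationship.
KEY_ADFS1_TO_ADFS2 = b"adfs1-signing-secret"
KEY_ADFS2_TO_APP = b"adfs2-signing-secret"

def sign_token(claims: dict, key: bytes) -> dict:
    """Serialise the claims and sign them for the next hop in the trust chain."""
    body = json.dumps(claims, sort_keys=True)
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"claims": body, "sig": sig}

def verify_token(token: dict, key: bytes) -> dict:
    """Return the claims only if the token was signed by the trusted source."""
    expected = hmac.new(key, token["claims"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        raise ValueError("token signature invalid: claims are not from a trusted source")
    return json.loads(token["claims"])

def adfs1_issue(username: str) -> dict:
    """ADFS1: read the AD attributes and issue them as claims for ADFS2."""
    return sign_token({"name": username, **AD_USERS[username]}, KEY_ADFS1_TO_ADFS2)

def adfs2_transform(token: dict) -> dict:
    """ADFS2: check the incoming token, apply the slide's rules, re-sign for the app."""
    c = verify_token(token, KEY_ADFS1_TO_ADFS2)
    if c.get("jobtitle") == "purchaser":        # purchaser -> buyer
        c["jobtitle"] = "buyer"
    if c.get("jobtitle") == "buyer" and c.get("department") == "production":
        c["spendlimit"] = "50€"                 # add a spend-limit claim
    return sign_token(c, KEY_ADFS2_TO_APP)

def app_authorize(token: dict) -> bool:
    """Claims-aware application: access = true only for buyers in production."""
    c = verify_token(token, KEY_ADFS2_TO_APP)
    return c.get("jobtitle") == "buyer" and c.get("department") == "production"

def federated_access(username: str) -> bool:
    """Full round trip: user company issues, application company transforms, app decides."""
    return app_authorize(adfs2_transform(adfs1_issue(username)))
```

A token signed with any key other than the one behind the relevant trust is rejected before its claims are read, which is the point of the "signed by a trusted source" bullet.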
Single-sign-on: How does it work?
On-premise (diagram): the user logs on with Ctrl-Alt-Del on a domain-joined client and is authenticated by the domain controller; when the user opens an application on the IIS server, the server asks the domain controller “is user authenticated?”.
Single-sign-on: Extending the model to the Cloud
Windows Azure Connect (diagram): the same flow, with the IIS server running in Azure; a Windows Azure Connect agent makes the Azure server domain-joined so that it can still ask the on-premise domain controller “is user authenticated?”.
Single-sign-on: Extending the model to the Cloud
Azure with Federation: Access Control Service (diagram): Active Directory and ADFS at the user company, a federation trust between ADFS and the Access Control Service (ACS), and the IIS server in Azure trusting ACS; authentication takes place at the user company.
Single-sign-on: Extending the model to the Cloud
Office 365 default login (diagram): MS Online ID (MSOLID), MS Online Directory Service (MSODS) and MS Federation Gateway (MFG).
Single-sign-on: Extending the model to the Cloud
Office 365 with Federation: MS Federation Gateway (diagram): Active Directory and ADFS at the user company, a federation trust between ADFS and the MS Federation Gateway, and MS Online ID (MSOLID) trusting the gateway; authentication takes place at the user company.
Single-sign-on: Extending the model to the Cloud
Office 365 Directory Synchronization (diagram): an Active Directory Synchronization Server copies Name, Email, ObjectGUID, ... from Active Directory to the MS Online Directory Service (MSODS), next to the MS Federation Gateway (MFG).
Single-sign-on: Extending the model to the Cloud
Office 365 with Federation Proxy (diagram): Active Directory and ADFS inside the company, an ADFS Proxy for users at home, trusts between them, and the federation trust to Microsoft.
Multifactor Authentication: What is it?
Different kinds of evidence that someone is who they say they are:
• Something one knows: a secret (password, PIN, ...)
• Something one has: a passport, physical token, ID card, ...
• Something one is: a biometric device (fingerprint, iris scan, face geometry, ...)
Multifactor Authentication: In the Cloud
Two options available:
• Integrate the ADFS 2.0 Proxy login page with your strong authentication provider. In this option, you customize the AD FS 2.0 proxy login ASPX page to introduce extra fields in which users enter the additional authentication factors.
• Use the Forefront Unified Access Gateway (UAG) SP1 server. This gateway supports a wide range of two-factor authentication providers, as well as direct access to an expanded set of scenarios involving two-factor authentication.
Multifactor Authentication: In the Cloud
ADFS 2.0 Proxy login page (slide shows the login page)
Multifactor Authentication: In the Cloud
Unified Access Gateway (UAG) SP1 server: Forefront UAG intercepts the redirection to the Account Federation server and instead redirects the web browser to the Forefront UAG login page.
(diagram: ADFS, ADFS Proxy, UAG)
Cloud-ready company
Server Requirements
• ADFS 2.0 Server(s)
  - Can be installed on existing domain controllers (if 2008/2008R2)
  - Can be a farm for redundancy (NLB host needed)
  - Optionally, a SQL cluster can be used to store the database
• ADFS 2.0 Proxy Server(s)
  - Can be installed on existing web/proxy servers (if 2008/2008R2)
  - Can be a farm for redundancy (NLB needed)
• Office 365: Directory Synchronization Server(s)
  - Must be a 32-bit server (no 2008R2!), can be 2003/2008
  - Cannot be installed on a domain controller, but needs the same level of security!
Cloud-ready company
Typical setup for a small company
• One ADFS 2.0 Server
  - Installed on a domain controller or a dedicated server
  - Uses WID (Windows Integrated Database)
• One ADFS 2.0 Proxy
  - Installed on an existing web/proxy server or a dedicated server
• Office 365: Directory Synchronization Server(s)
  - Installed on a dedicated 2008 32-bit server
Cloud-ready company
Typical cost for a small company
• 1 to 3 extra Windows licenses
• Recommended: certificate from a public CA for ADFS & ADFS Proxy
• 2 to 3 days sysadmin work
• 1 day PM work
• 1 day of testing
Benefits
• Less management for IT
  - Fewer calls to the helpdesk for identity-related problems
  - Fewer user accounts to manage
  - Easier to manage new employees (only one account to create)
• More transparent and easier for the end-user
  - Has to remember one username and one password
  - Has to log on only once with SSO (inside the company) -> time saving
• More security
  - Leaving employees are blocked on all applications at once
  - Identity managed by the company's own IT department
  - Multifactor authentication for more security outside the company
Q&A