Core identity scenarios Deep dive on federation and synchronization 2 3 Identity management overview 1 Additional features 4.

Presentation transcript:

2 Core identity scenarios Deep dive on federation and synchronization 2 3 Identity management overview 1 Additional features 4

4 Authentication: verifying that a user, device, or service (such as an application provided on a network server) is the entity that it claims to be. Authorization: determining which actions an authenticated entity is permitted to perform on the network.

5 (Diagram labels) User with a Microsoft Account (Ex:); User with an Organizational Account (Ex:); Microsoft Account; Organizational Account

6 Windows Azure Active Directory: directory store and authentication platform

7 Core identity scenarios

8 Cloud Identity (diagram; protocol and API surfaces shown: OAuth2, SAML-P, WS-Federation, Metadata, Graph API)

9 Directory & Password Sync (diagram; protocol and API surfaces shown: OAuth2, SAML-P, WS-Federation, Metadata, Graph API)

10 Directory Synchronization Options

PowerShell & Graph API:
- Suitable for small/medium size organizations with AD or Non-AD
- Performance limitations apply with PowerShell and Graph API provisioning
- PowerShell requires scripting experience
- PowerShell option can be used where the customer/partner may have wrappers around PowerShell scripts (eg: Self Service Provisioning)

Second option:
- Suitable for organizations using Active Directory (AD)
- Provides best experience to most customers using AD
- Supports Exchange co-existence scenarios
- Coupled with ADFS, provides best option for federation and synchronization
- Supports Password Synchronization with no additional cost
- Does not require any additional software licenses

Third option:
- Suitable for large organizations with certain AD and Non-AD scenarios
- Complex multi-forest AD scenarios
- Non-AD synchronization through Microsoft premier deployment support
- Requires Forefront Identity Manager and additional software licenses

11 Federated Identity (diagram; protocol and API surfaces shown: OAuth2, SAML-P, WS-Federation, Metadata, Graph API)

12 Cloud Identity: no integration to on-premises directories. Directory & Password Synchronization*: integration without federation*. Federated Identity: single federated identity and credentials.

13 Federation options

Shibboleth (SAML*):
- Suitable for educational organizations
- Recommended where customers may use existing non-ADFS identity systems
- Single sign-on
- Secure token based authentication
- Support for web clients and Outlook only
- Microsoft supported for integration only, no Shibboleth deployment support
- Requires on-premises servers & support
- Works with AD and other directories on-premises
- Works with AD & Non-AD

Second option:
- Suitable for medium, large enterprises including educational organizations
- Recommended option for Active Directory (AD) based customers
- Single sign-on
- Secure token based authentication
- Support for web and rich clients
- Microsoft supported
- Phonefactor can be used for two factor auth
- Works for Office 365 Hybrid Scenarios
- Requires on-premises servers, licenses & support

Third option:
- Suitable for medium, large enterprises including educational organizations
- Recommended where customers may use existing non-ADFS identity systems with AD or Non-AD
- Single sign-on
- Secure token based authentication
- Support for web and rich clients
- Third-party supported
- Phonefactor can be used for two factor auth
- Works for Office 365 Hybrid Scenarios
- Requires on-premises servers, licenses & support
- Verified through Works with Office 365 program

15 Federation with Identity Partners: Verified by Microsoft; Reuse Investments

16 Program for third-party identity providers to interoperate with Office 365. Objective is to help customers that currently use non-Microsoft identity solutions to adopt Office 365.

17 Identity Roadmap
- Shibboleth (SAML) Support: Available now
- New Works with Office 365 Partners: Ping, Optimal IDM, Okta, IBM available now; Novell, CA and Oracle in 1H CY2013
- DirSync for Multi-forest AD: Available now thru MCS and Partners
- Sync Solution for Non-AD using FIM: Available now thru MCS and Partners
- Password Synchronization for AD: 1H CY2013
- Broader SAML Support: 1H CY2013

18 Cloud Identity (identity managed in Windows Azure AD)
- Single sign-on for Office 365 and other cloud services federated with a single cloud identity
- ISV applications or SaaS providers can integrate using APIs on Windows Azure AD
- Currently in Technical Preview
(Diagram labels: Windows Azure Active Directory; User; Cloud Identity Ex:)

20 Cloud identity + directory synchronization; Single sign-on + directory synchronization (Diagram labels: Contoso customer premises; AD; MS Online Directory Sync; Lync Online; SharePoint Online; Exchange Online; Active Directory Federation Server 2.0; Trust; IdP)

23 Understanding client authentication path

24 Client types
- Web Clients (Office with SharePoint Online, Outlook Web Application): "Remember me" = persisted cookie
- Exchange Clients (Outlook, ActiveSync/POP/IMAP, Entourage): can save credentials
- Rich Applications (SIA) (Lync, Office Subscriptions, CRM Rich Client): can save credentials
Prompt matrix (column layout lost in extraction); rows: Federated Identities (domain joined), Cloud Identity, Federated Identities (non-domain joined); cell text as extracted: No Prompt; Username and Password (Online ID); AD credentials; Username and Password (AD credentials); Username; Username and Password (Online ID); AD credentials; Username and Password (AD credentials); Username and Password (Online ID); AD credentials; Username and Password (AD credentials)

25 Authentication flow (passive/web profile) (Diagram labels: Identity federation; Customer; Microsoft Online Services; Logon (SAML 1.1); Token Source; User ID: ABC123; Auth Token; Unique ID:)

26 Authentication flow (MEX/rich client profile) (Diagram labels: Identity federation; Customer; Microsoft Online Services; Logon (SAML 1.1); Token Source; User ID: ABC123; Auth Token; Unique ID:)

27 Active flow (Outlook/ActiveSync), always external (Diagram labels: Customer; Microsoft Online Services; Identity federation; Logon (SAML 1.1); Token Source; User ID: ABC123; Auth Token; Unique ID:; Basic Auth Credentials: Username/Password)

30 What is the Shibboleth Identity Provider (IdP)?
- Open source software package providing similar functionality as ADFS (e.g. SSO, Authentication, SAML 2.0)
- Popular implementation of SAML 2.x with Higher Education institutions world-wide
- Shibboleth is managed by the Shibboleth Consortium (http://www.shibboleth.net/index.html)
- Latest version is

How do customers with a Shibboleth IdP* interoperate with Office 365?
- Set up a SAML 2.0 federation between Office 365 and their Shibboleth IdP
- Deploy DirSync for user provisioning with AD and deploy MSOMA+FIM for user provisioning from non-AD

(Diagram labels: Shibboleth 2.x IdP, Non-AD, Contoso.edu; Shibboleth 2.x IdP, Fabrikam.edu, MSOMA + FIM, AD; Supported Clients: Rich Clients, Web Client)

31
- Block all external access to Office 365 based on the IP address of the external client
- Block all external access to Office 365 except Exchange ActiveSync; all other clients such as Outlook are blocked
- Block all external access to Office 365 except for passive browser-based applications such as Outlook Web Access or SharePoint Online

32

33
- Multi-forest AD support is available through Microsoft-led deployments
- Multi-forest DirSync appliance supports multiple disjoint account forests
- FIM 2010 Office 365 connector supports complex multi-forest topologies
(Diagram labels: Windows Azure Active Directory; User; On-Premises Identity Ex: Domain\Alice; Federation using ADFS; AD; DirSync on FIM; AD)

34
- Preferred option for Directory Synchronization with Non-AD sources
- Non-AD support with FIM is available through Microsoft-led deployments
- FIM 2010 Office 365 connector supports complex multi-forest topologies
(Diagram labels: Windows Azure Active Directory; User; On-Premises Identity Ex: Domain\Alice; Federation using Non-ADFS STS; Office 365 Connector on FIM; Non-AD (LDAP))

38 (Diagram for the three client access scenarios listed on slide 31.) Labels: Passive; Active; Outlook 2010/2007; ActiveSync; Browser (Internal); AD FS 2.0 Server; AD FS 2.0 Proxy; Outlook and ActiveSync Auth; Web Auth (OWA, SharePoint); Browser (External)
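The three access-restriction scenarios on slides 31 and 38 are implemented on the AD FS 2.0 side as issuance authorization rules on the Office 365 relying party trust: requests that arrived through the AD FS proxy (external) are denied unless they match the allowed exception. The script below is an added example, not part of the deck or of any Microsoft sample. It assumes AD FS 2.0 with the update rollup that exposes the request-context claim types (x-ms-proxy, x-ms-forwarded-client-ip, x-ms-client-application, x-ms-endpoint-absolute-path), the default relying party trust name "Microsoft Office 365 Identity Platform", and a placeholder public IP range; the Autodiscover exception in scenario 2 is an assumption added so ActiveSync clients can still locate their mailbox.

```powershell
# Added example (not from the slides): AD FS 2.0 issuance authorization rules
# for the three client access policies on slides 31 and 38.
# Assumptions: AD FS 2.0 with request-context claims available, default Office 365
# relying party trust name, placeholder IP range (RFC 5737 documentation addresses).
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rp     = "Microsoft Office 365 Identity Platform"   # assumption: default RP trust name
$ctx    = "http://schemas.microsoft.com/2012/01/requestcontext/claims"
$deny   = 'issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");'
$permit = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Placeholder: regex matching the organization's public egress IP addresses.
$trustedIpRegex = '^(203\.0\.113\.|198\.51\.100\.)'

# Scenario 1: deny anything that came through the proxy (external) unless the
# forwarded client IP is inside the trusted range.
$rule1 = @"
@RuleName = "Block external access by client IP"
exists([Type == "$ctx/x-ms-proxy"])
 && NOT exists([Type == "$ctx/x-ms-forwarded-client-ip", Value =~ "$trustedIpRegex"])
 => $deny
"@

# Scenario 2: deny external access except Exchange ActiveSync (plus Autodiscover,
# which ActiveSync clients need for mailbox lookup; assumption).
$rule2 = @"
@RuleName = "Block external access except ActiveSync"
exists([Type == "$ctx/x-ms-proxy"])
 && NOT exists([Type == "$ctx/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
 && NOT exists([Type == "$ctx/x-ms-client-application", Value == "Microsoft.Exchange.Autodiscover"])
 => $deny
"@

# Scenario 3: deny external access except the passive (browser) sign-in endpoint,
# which is what OWA and SharePoint Online redirect to.
$rule3 = @"
@RuleName = "Block external access except passive browser clients"
exists([Type == "$ctx/x-ms-proxy"])
 && NOT exists([Type == "$ctx/x-ms-endpoint-absolute-path", Value == "/adfs/ls/"])
 => $deny
"@

# Apply exactly one deny rule per policy, followed by the default permit.
# Any issued deny claim overrides the permit, so rule order is not what decides.
$rules = $rule2 + "`n" + $permit
Set-AdfsRelyingPartyTrust -TargetName $rp -IssuanceAuthorizationRules $rules

# Show the rule set now in effect; test from both an internal and an external
# network before relying on it, since x-ms-proxy is only present on proxied requests.
(Get-AdfsRelyingPartyTrust -Name $rp).IssuanceAuthorizationRules
```

Swap `$rule2` for `$rule1` or `$rule3` to select the other two scenarios; the rules only restrict who is authorized at AD FS, so the deny fires after authentication and shows up in the AD FS audit log as an authorization failure, which is the event to monitor when rolling the policy out.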
