Bert Jan van der Steeg SharePoint Consultant

Presentation transcript:

1 Bert Jan van der Steeg, SharePoint Consultant
Trainer, Office 365 & Identity Federation consultant

2 agenda
- Intro
- ADFS 2.0 Overview
- Federated Authentication in Office 365
- Single Sign On Configuration


5 IdM options: identities used to access resources
- On-premise (Active Directory)
- Cloud (Office 365)
Available options:
- Separate credentials in the corporate directory and in Office 365
- Migrate existing credentials to Office 365
- Identity Federation with ADFS 2.0
Notes: Identities are used for determining what users may access. Companies have probably invested in an identity management solution, such as Active Directory. When Office 365 is introduced, the organization has three options: maintain separate user accounts both on-premise and in the cloud; migrate all accounts to the cloud (only for small shops); set up Identity Federation.

6 IdM options: separate credentials
Painful to manage:
- Separate password policies
- Multiple credentials to manage
- Management of the sign-in application (BPOS)
Sub-optimal user experience:
- Log in each time the service is accessed
- 2 accounts and/or passwords to manage
- Set-up of the sign-in application on every new computer used by each user (BPOS)
Notes: Separate credentials for Office 365 and on-premise authentication have many disadvantages: administration is not efficient and the user experience is not optimal.

7 IdM options: migrate existing credentials
- No more corporate credentials
- Credentials and resources in the cloud
- Small shops: no dedicated IT guy, no local resources
Notes: Migrating all accounts to Office 365 means there are no more corporate credentials. If at all possible, this only works for smaller shops, for instance starting organizations without a dedicated IT person.

8 IdM options: identity federation
- Credential management on-premises
- Trust with the Federation Gateway
- Office 365 is the Relying Party
Prerequisites:
- Domain UPN suffix routable
- Own the domain (SSL certificate)
Notes: Credentials are managed on-premise and all corporate account and password policies apply. The Federation Gateway ensures access to the online environment and handles authentication for other services; the MFG (Microsoft Federation Gateway) is the intermediary between your directory and MSOL. Office 365 is the relying party, in SAML terminology. Prerequisites for this to work: you need to prove that you own the domain by modifying the DNS records at your provider, and the internal domain name must be routable over the internet. That could result in a separate project for renaming the domain.

9 identity federation (diagram: user accounts, federated identity, identity contoso\charlie)
Notes: Identity Federation enables seamless authentication (SSO) with on-premise credentials to resources in the cloud (Office 365). The credential that is used on-premise is also used for authorization purposes in Office 365. Charlie uses his account in many ways to access local resources. When accessing MSOL, he would need to provide a new set of credentials. With federation in place, logging in is seamless.

10 ten steps. Easy, right? Configuring federation and synchronisation consists of 10 steps, most of which are preparation.

11 agenda
- Intro
- ADFS 2.0 Overview
- Federated Authentication in Office 365
- Single Sign On Configuration

12 claims history: Active Directory Federation Services 2.0
Notes: First, a little history. ADFS comes from a long line of products, with many different names and reputations.

13 Claims Based AuthN
- WS-Federation: architecture and specification for Identity Federation protocols
- WS-Trust: describes the token exchange procedures
- SAML: describes a standard for the exchange of AuthN and AuthZ between security realms

14 federation lingo (this.. ..means this)
- STS: Security Token Service (IP-STS, RP-STS)
- Identity Provider (IdP): system that generates SAML tokens containing claims
- Relying Party: application (service) that can accept claims
- Web Single Sign On: federated authentication systems; AuthN is separated from AuthZ
- Federated Sign Out: signing out from all systems involved
- Claim: assertion about an identity that is used for AuthZ purposes
- FederationMetadata.xml (ADFS 2.0): XML file used to exchange information between RP and IP; should always be available
- Claims augmentation: adding claims into a SAML token based on attribute store information
- WAYF: Where Are You From; Home Realm Discovery

15 ADFS 2.0 (diagram: ADFS 2.0 between Users, Office 365, Azure, Partner Resources and Corp. Resources)
Notes: ADFS is an intermediary between your local Active Directory and possibly a lot of different resources. Those resources must be enabled for Identity Federation, which in Microsoft terms means they should be based on Windows Identity Foundation. When the resource is outside the Microsoft realm, it should adhere to federation standards such as SAML.

16 ADFS 2.0 federation gateway (diagram: ADFS 2.0, Users, Office 365, Azure, Partner Resources, Corp. Resources)

17 ADFS 2.0 federation gateway (diagram: Users, AD, ADFS 2.0, Provisioning Service, TRUST, Federation Gateway, Live ID IdP, SharePoint Online, Exchange Online, Lync Online)

18 federation gateway
- Online service based on WS-* standards
- Connection into the federation ecosystem
- Billions of authentications daily
- In production since 2006
- Trust provisioning service: checks domain ownership through the SSL certificate

19 a adfs 2.0 topology (diagram: cloud, adfs proxy 1 at https://adfs.contoso.com, adfs 1 and adfs 2 at https://adfs.contoso.com; Fsconfig /createsqlfarm)
Notes: ADFS uses a local SQL database (WID, Windows Internal Database) which can be shared between two ADFS servers. Fault tolerance is achieved when ADFS is set up in a SQL farm (command line only: Fsconfig /createsqlfarm). ADFS proxies can be placed in the DMZ if exposing the ADFS servers is a problem. Hostnames for the proxies and for the ADFS servers are the same; manage this through split DNS or the HOSTS file. Publishing the ADFS servers or proxies can be a challenge, due to complex URLs.

20 claims
- Statements made about users which are understood and trusted by both partners in a federation: name, identity, group, role, privilege, capability
- Used for authorization purposes within applications
- Begin at the identity provider when the user provides credentials
- Inserted into security tokens (SAML tokens), which follow a secure, standardized method of packaging the data for transport to a trusted partner

21 adfs claims engine (diagram)
- Stage 1, Accepting claims: Claims Provider Trust, Incoming Claims, Acceptance Transform Rules
- Stage 2, Authorizing claims: Issuance Authorization Rules (Permit / Deny)
- Stage 3, Issuing claims: Relying Party Trust, Issuance Transform Rules, Outgoing Claims

22 adfs 2.0 components: trust relationships (diagram: Target Application (Office 365), AuthN Store (Active Directory))

23 adfs 2.0 components: endpoints
1. Passive Federation Endpoint: browser based connections
2. Active Federation Endpoint: rich clients (Lync 2010)
3. EAS Endpoint: ActiveSync, Outlook 2010, Exchange Web Services

24 adfs 2.0 components: claim rules (acceptance transform rules, issuance transform rules)
The three issuance transform rules of the Office 365 relying party trust. The transcript dropped the input claim type of the first rule and the match pattern of the third rule's regexreplace; both are restored here from the standard Office 365 rule set.

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/UPN", "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), query = "samAccountName={0};userPrincipalName,objectGUID;{1}", param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);

c:[Type == "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value = c.Value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");

c:[Type == "http://schemas.xmlsoap.org/claims/UPN"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value = regexreplace(c.Value, ".+@(?<domain>.+)", "http://${domain}/adfs/services/trust/"));
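Added example, not code from the presentation: a PowerShell model of what these three rules do to one incoming claim, in the stage order of the claims engine slide. The attribute store is a constructed hashtable standing in for "Active Directory"; the user contoso\charlie, his UPN and his objectGUID are sample values; the claim-type URIs are the ones quoted on the slide. The functions New-Claim, Invoke-MapClaimsRule, Invoke-NameIdRule, Invoke-IssuerIdRule and Invoke-ClaimsPipeline are this example's own names.

```powershell
# Added example (not from the deck): models the three Office 365 issuance transform
# rules over a constructed attribute store. PowerShell 2.0 compatible syntax.

$ClaimTypes = @{
    WindowsAccountName = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'
    UPN                = 'http://schemas.xmlsoap.org/claims/UPN'
    ImmutableID        = 'http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID'
    NameIdentifier     = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
    IssuerId           = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid'
}

# Constructed stand-in for the "Active Directory" store queried by rule 1, keyed by sAMAccountName.
$DirectoryStore = @{
    'charlie' = @{
        userPrincipalName = 'charlie@contoso.com'
        objectGUID        = [guid]'12345678-9abc-def0-1234-56789abcdef0'   # sample value
    }
}

function New-Claim([string]$Type, [string]$Value, [hashtable]$Properties = @{}) {
    New-Object PSObject -Property @{ Type = $Type; Value = $Value; Properties = $Properties }
}

# Rule 1 (MapClaims): strip DOMAIN\ from the Windows account name, look the user up, and
# issue UPN plus ImmutableID. ImmutableID is the base64 form of the objectGUID bytes,
# which is also how DirSync writes it to Office 365, so both sides match on it.
function Invoke-MapClaimsRule([object[]]$Incoming) {
    $out = @()
    foreach ($c in ($Incoming | Where-Object { $_.Type -eq $ClaimTypes.WindowsAccountName })) {
        $sam   = [regex]::Replace($c.Value, '(?<domain>[^\\]+)\\(?<user>.+)', '${user}')
        $entry = $DirectoryStore[$sam]
        if ($entry -eq $null) { continue }      # no directory match: the rule issues nothing
        $out += New-Claim $ClaimTypes.UPN $entry.userPrincipalName
        $out += New-Claim $ClaimTypes.ImmutableID ([Convert]::ToBase64String($entry.objectGUID.ToByteArray()))
    }
    return $out
}

# Rule 2: copy ImmutableID into the SAML NameID with format "unspecified".
function Invoke-NameIdRule([object[]]$Claims) {
    $formatProperty = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format'
    $format = @{ $formatProperty = 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified' }
    foreach ($c in ($Claims | Where-Object { $_.Type -eq $ClaimTypes.ImmutableID })) {
        New-Claim $ClaimTypes.NameIdentifier $c.Value $format
    }
}

# Rule 3: derive issuerid from the UPN suffix. This is the claim that lets one ADFS
# instance serve several federated domains (-SupportMultipleDomain).
function Invoke-IssuerIdRule([object[]]$Claims) {
    foreach ($c in ($Claims | Where-Object { $_.Type -eq $ClaimTypes.UPN })) {
        New-Claim $ClaimTypes.IssuerId ([regex]::Replace($c.Value, '.+@(?<domain>.+)', 'http://${domain}/adfs/services/trust/'))
    }
}

# Stage 1 accepts the Windows account name; stage 2 in the Office 365 trust is a permit-all
# authorization rule (modelled here as "deny only when nothing could be issued");
# stage 3 runs the three issuance rules in order.
function Invoke-ClaimsPipeline([string]$WindowsAccountName) {
    $incoming = @(New-Claim $ClaimTypes.WindowsAccountName $WindowsAccountName)
    $issued   = @(Invoke-MapClaimsRule $incoming)
    if ($issued.Count -eq 0) { throw "Deny: no UPN/ImmutableID found for $WindowsAccountName" }
    $issued  += @(Invoke-NameIdRule $issued)
    $issued  += @(Invoke-IssuerIdRule $issued)
    return $issued
}

Invoke-ClaimsPipeline 'contoso\charlie' | Format-Table Type, Value -AutoSize
```

Running it lists four outgoing claims for charlie: the UPN, the base64 ImmutableID, the NameID carrying the same value, and an issuerid of http://contoso.com/adfs/services/trust/. The failure mode worth seeing is an account name with no directory match: the MapClaims rule then issues nothing, and without UPN and ImmutableID no token that Office 365 can use is produced.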

25 agenda
- Intro
- ADFS 2.0 Overview
- Federated Authentication in Office 365
- Single Sign On Configuration
Notes: Moving to the last topic, configuring Single Sign On through Identity Federation.

26 configure federation: add domain; convert to federated later

27 configure federation: connect to MSOL
$cred = Get-Credential
Connect-MsolService -Credential $cred
Set-MsolADFSContext -Computer <FQDN ADFS Server>
Notes: The first step is to connect to the MSOL environment by providing your credentials. This is the account that has Global Administrator in MSOL. When setting the MsolADFSContext, use the ADFS computer's FQDN instead of the Federation Service name.

28 configure federation: add federated domain
New-MsolFederatedDomain -DomainName <domainname> -SupportMultipleDomain
Notes: Add the domain that is going to be federated through PowerShell. Enter the information returned into your DNS configuration. Repeat the command; it will check whether the DNS changes are correct. The result is the creation of a Relying Party Trust in ADFS.

29 Directory Synchronization
- Directory Synchronization is used between Active Directory on-premises and Office 365
- Federation requires DirSync in this scenario
- Users' UPNs are leveraged for account matching
Notes: The next step is configuring Directory Synchronization by running the DirSync tool from a separate server; this tool cannot be run on the same server that runs ADFS. Only after DirSync is configured and the users are synced to MSOL can they be associated with a license plan. So federation is technically not dependent on DirSync, but effectively it won't work without it.

30 Directory Synchronization
Start-OnlineCoexistenceSync
Notes: Configuring DirSync is a multi-step process:
1. Enable DirSync in the MSOL portal (this can take up to 24 hours)
2. Install the DirSync tool on a server
3. Connect both environments
4. Run a full synchronization
5. Force a sync through PowerShell (Start-OnlineCoexistenceSync)

31 login sequence (diagram: client, sharepointlabs.nl AD, ADFS 2.0, cloud Sign-In Service, SharePoint Online, Exchange Online; 302 - Redirect, 404 - Authenticate, SAML Logon Token with UPN and Source ID, Authentication Token with UPN and Source ID ABC123)

32 login sequence (diagram)

33 scenarios
- Domain joined computer in the corporate network: the ADFS server can use Windows Integrated AuthN
- Domain joined computer, roaming: publish the ADFS server
- Home or public computer: user signs in with corporate credentials
- Smartphone: Microsoft Outlook or other clients

34 trouble shooting tools
- MOSDAL (Microsoft Online Services Diagnostics and Logging) Support Toolkit
- Fiddler
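Before reaching for MOSDAL or Fiddler, a few checks on the ADFS server itself cover the failures this deck's scenarios run into: an endpoint disabled or not published through the proxy, a token-signing certificate Office 365 does not know, or a missing relying party trust. This is an added example, not a tool from the presentation; it assumes an ADFS 2.0 server with the Microsoft.Adfs.PowerShell snap-in, that the Office 365 relying party trust carries its usual identifier urn:federation:MicrosoftOnline, and <domainname> is a placeholder.

```powershell
# Added example (not from the deck): ADFS-side checks for the three most common SSO failures.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$props = Get-ADFSProperties
"Federation Service {0}, identifier {1}" -f $props.HostName, $props.Identifier

# 1. Endpoints behind the three client types on the endpoints slide must be enabled and,
#    for the roaming / home / smartphone scenarios, published through the proxy.
$needed = @(
    '/adfs/ls/'                                          # passive endpoint (browsers)
    '/adfs/services/trust/2005/usernamemixed'            # active endpoint (Lync, Outlook)
    '/adfs/services/trust/mex'                           # metadata exchange for rich clients
    '/FederationMetadata/2007-06/FederationMetadata.xml' # FederationMetadata.xml, must stay available
)
Get-ADFSEndpoint | Where-Object { $needed -contains $_.AddressPath } |
    Format-Table AddressPath, Enabled, Proxy -AutoSize

# 2. The primary token-signing certificate must be the one Office 365 knows. A rollover that
#    was not pushed with Update-MsolFederatedDomain shows up as a mismatch between this
#    thumbprint and the Office 365 row of Get-MsolFederationProperty.
$signing = Get-ADFSCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
"ADFS primary token-signing thumbprint: " + $signing.Thumbprint
# Cloud side for comparison (after Connect-MsolService and Set-MsolADFSContext):
#   Get-MsolFederationProperty -DomainName '<domainname>' | Format-List Source, TokenSigningCertificate

# 3. The relying party trust created by New-MsolFederatedDomain must exist, be enabled and
#    carry the issuance transform rules from the claim rules slide.
Get-ADFSRelyingPartyTrust | Where-Object { $_.Identifier -contains 'urn:federation:MicrosoftOnline' } |
    Format-List Name, Enabled, IssuanceTransformRules
```

Read the endpoint table with the scenarios slide in mind: a disabled or non-proxied usernamemixed endpoint breaks Lync and Outlook from outside while browser sign-in still works, which is the pattern that otherwise sends people to Fiddler first.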

35 adfs additional reading
Update Rollup 1 for Active Directory Federation Services (AD FS) 2.0 (kb):
- Multiple Issuer Support
- Client Access Policy Support
- Congestion Avoidance Algorithm
- Additional AD FS 2.0 performance counters

36 more info
- Web Services Federation Language (WS-Federation) Version 1
- WS-Trust Version 1.3
- Security Assertion Markup Language (SAML) 2.0
- Microsoft AD FS 2.0 Release to Web (RTW) download
- Identity federation definition from Wikipedia

37 more info: Microsoft Office 365 Single Sign-On (SSO) with AD FS 2.0
