5 Identities used to access resources: On-premise (Active Directory)Cloud (Office 365)Available options:Separate credentials in corporate directory and in Office 365Migrate existing credentials to Office 365Identity Federation with ADFS 2.0IdM optionsIdentities are used for determining what users may access.Companies probably have invested in an identity management solution, such as Active DirectoryWhen Office 365 is introduced, the organization has three options:Maintain separate user accounts both on-premise and in the cloudMigrate all accounts to the cloud (only for small shops)Setup Identity Federation
6 Sub-optimal user experience Painful to manageSeparate password policiesMultiple credentials to manageManagement of sign-in application (BPOS)Sub-optimal user experienceLog-in each time the service is accessed2 accounts and/or passwords to manageSet up of sign-in application with every new computer used by each user (BPOS)IdM optionsSeparate credentialsSeparate credentials for both Office 365 and on-premise authentication has many disadvantages.Administration is not efficientUser experience is not optimal
7 migrate existing credentials No more corporate credentialsCredentials and resources in the cloudSmall shopsNo dedicated IT-guyNo local resourcesIdM optionsmigrate existing credentialsMigrating all accounts to Office 365 means there are no more corporate credentials. If at all possible, this would only work for smaller shops.This would work for starting organizations without a dedicated IT-person.
8 Credential management on-premises Trust with Federation Gateway Office 365 is Relying PartyPrerequisitesDomain UPN Suffix routableOwn the domain (SSL certificate)IdM optionsidentity federationCredentials are managed on-premise and all corporate account and password policies apply.The Federation Gateway ensures access to the online environment, handles authentication for other services. MFG is the intermediate between your directory and MSOLOffice 365 is the relying party, in SAMl terminology.Prerequisites for this to work are that you need to prove that you own the domain by modifying the DNS records at your providerAlso, the internal domain name must be routable over the internet. That could result in a separate project for renaming the domain.
9 user accounts federated identity identity identity federation federated identityidentitycontoso \charlieidentityfederationIdentity Federation enables seamless authentication (SSO) with on-premise credentials to resources in the cloud (Office 365).The credentials that is used on-premise is also used for Authorization purposes in Office 365.Charlie uses his account in many ways to access local resources. When accessing MSOL, he would need to provide a new set of credentials. With federation in place, logging in will be seamless.
10 ten stepsEasy, right?Configuring federation and synchronisation consists of 10 steps, most of which is preparation.
11 agenda Intro ADFS 2.0 Overview Federated Authentication in Office 365 Single Sign On Configurationagenda
12 claims history Active Directory Federation Services 2.0 First, a little history.ADFS comes from a long line of products, with many different names and reputations
13 WS-Federation WS-Trust SAML Claims Based AuthN Architecture and specification for Identity Federation protocolsWS-TrustDescribes the token exchange proceduresSAMLDescribes standard for exchange of AuthN and AuthZ between security realmsClaims Based AuthN
14 federation lingo This.. ..means this STS Security Token Service (IP-STS, RP-STS)Identity Provider IdPSystem that generates SAML tokens containing claimsRelying PartyApplication (service) that can accept claimsWEB Single Sign OnFederated Authentication Systems – AuthN is separated from AuthZFederated Sign OutSigning out from all systems involvedClaimAssertion about an identity that is used for AuthZ purposesFederationMetadata.xml (ADFS2.0)XML file used to exchange information between RP and IP. Should be always availableClaims augmentationAdding claims into a SAML token based on attribute store informationWAYFWhere Are You From. Home Realm Discoveryfederation lingo
15 ADFS 2.0 ADFS 2.0 Users Office 365 Azure Partner Resources ADFS in an intermediate between Your local Active Directory and possibly a lot of different resources. Those resources must be enabled for Identity Federation, which means in Microsoft terms, they should be based in Windows Identity Foundation. When the resource is outside of the Microsoft realm, it should adhere to Federation standards, such as SAML.Corp. Resources
18 Online Service based on WS* standards Connection into Federation ecosystemBillions of authentication dailyIn production since 2006Trust provisioning service – checks domain ownership through SSL certificatefederation gateway
19 a adfs 2.0 topology Fsconfig /createsqlfarm cloud adfs proxy 1 topologyadfs 1adfs 2ADFS uses SQL local database (WID) which can be shared between two ADFS serversFault tolerance is achieved when ADFS is set up in a SQL Farm (command line only)ADFS Proxies can be places in the DMZ, if exposing the ADFS servers is a problem.Hostnames for proxies and for the ADFS servers are the same. Manage through split DNS or HOSTS file.Publishing the ADFS servers or proxies can be a challenge, due to complex URL’sFsconfig /createsqlfarm
20 Statements made about users which are understood & trusted by both partners in a federation name, identity, group, role, privilege, capabilityUsed for authorization purposes within applicationsBegins at the identity provider when the user provides credentialsInserted into security tokens (SAML tokens) which follow a secure, standardized method of packaging the data for transport to a trusted partnerclaims
27 $cred=Get-Credentials <credentials> Connect-MsolService –Credential $credSet-MsolADFSContext –Computer <FQDN ADFS Server>configure federationconnecttoMSOLThe first step is to connect to the MSOL environment by providing your credentials. This is the account that has Global Administrator in MSOLWhen entering the MsolADFSContext, use the ADFS computer’s FQDN instead of the Federation Service name.
28 configure federationNew-MsolFederatedDomain –DomainName <domainname> -SupportMultipleDomainadd federated domainAdd the domain that is going to be federated through PowerShell.Enter the information returned in your DNS configurationRepeat the command, which will check if the DNS changes were correctResult is the creation of a Relying Party Trust in ADFS
29 Directory Synchroni-zation Directory Synchronization is used between Active Directory on-premises and Office 365Federation requires DirSync in this scenarioUsers’ UPNs are leveraged for account matchingDirectory Synchroni-zationThe next step is configuring Directory Synchronization by connecting running the DirSync tool from a separate server. This tool cannot be run from the same server that runs ADFSOnly after DirSync is configured and the users are synced to MSOL, they can be associated with a license plan. So, Federation is technically not dependent on DirSync, but effectively it won’t work without.
30 Start-OnlineCoexistenceSync Directory Synchroni-zation Configuring Dirsync is a multistep process.Enable DirSync in MSOL Portal. This can take up to 24 hours.Install the DirSync tool on a serverConnect both environmentsRun Full SynchronizationForce Sync through PowerShell
33 Domain joined computer in corporate network ADFS Server can use Windows Integrated AuthNDomain joined computer, roamingPublish ADFS ServerHome or public computerUser signs in with corporate credentialsSmartphoneMicrosoft Outlook or other clientsScenarios
34 Troubleshooting tools MOSDAL (Microsoft Online Services Diagnostics and Logging) Support ToolkitFiddlertroubleshooting
35 adfs additional reading Update Rollup 1 for Active Directory Federation Services (AD FS) 2.0Multiple Issuer SupportClient Access Policy SupportCongestion Avoidance AlgorithmAdditional AD FS 2.0 performance counterskbadfs additional reading
36 Web Services Federation Language (WS-Federation) Version 1 WS-Trust Version 1.3:Security Assertion Markup Language (SAML) 2.0:Microsoft AD FS 2.0 Release to Web (RTW) download:Identity federation definition from Wikipedia:more info
37 Microsoft Office 365 Single Sign-On (SSO) with AD FS 2.0 more info
38 Microsoft Office 365 Single Sign-On (SSO) with AD FS 2.0 more info