Bert Jan van der Steeg SharePoint Consultant Office 365 & Identity Federation Bert Jan van der Steeg consultant trainer



2 agenda: Intro; ADFS 2.0 Overview; Federated Authentication in Office 365; Single Sign On Configuration

3 agenda (section divider): Intro; ADFS 2.0 Overview; Federated Authentication in Office 365; Single Sign On Configuration

5 IdM options. Identities are used to access resources on-premises (Active Directory) and in the cloud (Office 365). Available options: separate credentials in the corporate directory and in Office 365; migrate existing credentials to Office 365; identity federation with ADFS 2.0.

6 IdM options: separate credentials. Painful to manage: separate password policies; multiple credentials to manage; management of the sign-in application (BPOS). Sub-optimal user experience: log in each time the service is accessed; two accounts and/or passwords to manage; set-up of the sign-in application on every new computer used by each user (BPOS).

7 IdM options: migrate existing credentials. No more corporate credentials; credentials and resources live in the cloud. Suited to small shops: no dedicated IT person, no local resources.

8 IdM options: identity federation. Credential management stays on-premises; a trust is established with the Federation Gateway; Office 365 is the Relying Party. Prerequisites: the domain's UPN suffix must be routable (a public DNS domain, not an internal-only suffix), and you must own the domain (ownership is proven with an SSL certificate).

9 identity federation (diagram): the on-premises user account contoso\charlie is presented to the cloud as a federated identity.

10 ten steps. Easy, right?

11 agenda (section divider): Intro; ADFS 2.0 Overview; Federated Authentication in Office 365; Single Sign On Configuration

12 Active Directory Federation Services 2.0: history, claims

13 Claims-based AuthN. WS-Federation: architecture and specification for identity federation protocols. WS-Trust: describes the token exchange procedures. SAML: standard for the exchange of AuthN and AuthZ statements between security realms.

14 federation lingo (this ... means this):
STS: Security Token Service (IP-STS, RP-STS)
Identity Provider (IdP): system that generates SAML tokens containing claims
Relying Party: application (service) that can accept claims
Web Single Sign On: federated authentication systems, where AuthN is separated from AuthZ
Federated Sign Out: signing out from all systems involved
Claim: assertion about an identity that is used for AuthZ purposes
FederationMetadata.xml (ADFS 2.0): XML file used to exchange information between RP and IP; should always be available
Claims augmentation: adding claims into a SAML token based on attribute store information
WAYF: Where Are You From; Home Realm Discovery

15 ADFS 2.0 (diagram): users and AD on the corporate side; corporate resources, partner resources, Office 365 and Azure as targets.

16 federation gateway (diagram): the same picture with the Federation Gateway placed between ADFS 2.0 and the cloud targets (Office 365, Azure).

17 federation gateway (diagram): ADFS 2.0 with users and AD on-premises; a trust with the Federation Gateway; Live ID IdP and the Provisioning Service on the cloud side; Lync Online, SharePoint Online and Exchange Online as the consuming services.

18 federation gateway: online service based on WS-* standards; connection into the federation ecosystem; billions of authentications daily; in production since 2006; the trust provisioning service checks domain ownership through an SSL certificate.

19 topology (diagram): https://adfs.contoso.com is served by an ADFS 2.0 farm (adfs 1, adfs 2) on the corporate side and by ADFS proxies (adfs proxy 1, adfs proxy 2) facing the cloud; the farm is created with Fsconfig /createsqlfarm.

20 claims. Statements made about users which are understood and trusted by both partners in a federation: name, identity, group, role, privilege, capability. Used for authorization purposes within applications. The process begins at the identity provider when the user provides credentials. Claims are inserted into security tokens (SAML tokens), which follow a secure, standardized method of packaging the data for transport to a trusted partner.

21 adfs claims engine. Stage 1, accepting claims (claims provider trust): incoming claims pass through the acceptance transform rules. Stage 2, authorizing claims (relying party trust): the issuance authorization rules decide Permit or Deny. Stage 3, issuing claims: the issuance transform rules produce the outgoing claims.

22 adfs 2.0 components: trust relationships. AuthN store: Active Directory. Target application: Office 365.

23 adfs 2.0 components: endpoints. 1. Passive federation endpoint: browser-based connections. 2. Active federation endpoint: rich clients (Lync 2010). 3. EAS endpoint: ActiveSync, Outlook 2010, Exchange Web Services.

24 adfs 2.0 components: claim rules (acceptance transform rules, issuance transform rules). The issuance transform rules on the Office 365 relying party trust:

```
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/claims/UPN",
                   "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"),
          query = "samAccountName={0};userPrincipalName,objectGUID;{1}",
          param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"),
          param = c.Value);

c:[Type == "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Value = c.Value,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");

c:[Type == "http://schemas.xmlsoap.org/claims/UPN"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid",
          Value = regexreplace(c.Value, ".+@(?<domain>.+)", "http://${domain}/adfs/services/trust/"));
```

The first rule strips the domain prefix from the Windows account name, looks the user up in Active Directory by sAMAccountName, and issues the UPN together with the objectGUID as ImmutableID. The second rule copies the ImmutableID into the SAML NameID. The third rule derives the issuer identifier from the UPN suffix, which is what makes a single ADFS farm serve several federated domains (-SupportMultipleDomain).
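To show how the three-stage claims engine from slide 21 and the three issuance transform rules on this slide fit together, here is an added example that is not part of the presentation and not ADFS code: a small Python model of the pipeline that runs the slide's rules over a constructed Active Directory lookup table. The store, the account contoso\charlie and its objectGUID are made up; the authorization policy ("permit only when a windowsaccountname claim is present") is an assumption standing in for whatever issuance authorization rules a tenant configures. The base64 encoding of objectGUID assumes AD's stored octet order, which uuid.bytes_le reproduces.

```python
import base64
import re
import uuid

# Constructed stand-in for the Active Directory attribute store (assumption: the
# real store is queried by ADFS over the query string shown on the slide).
AD_STORE = {
    "charlie": {
        "userPrincipalName": "charlie@contoso.com",
        "objectGUID": uuid.UUID("12345678-1234-5678-1234-567812345678"),  # made-up GUID
    },
}

# Claim type URIs exactly as they appear in the slide's rules.
WINDOWSACCOUNTNAME = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
UPN = "http://schemas.xmlsoap.org/claims/UPN"
IMMUTABLEID = "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"
NAMEIDENTIFIER = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
ISSUERID = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid"
NAMEID_FORMAT = "http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"


def claim(ctype, value, properties=None):
    return {"type": ctype, "value": value, "properties": properties or {}}


def acceptance_transform(incoming):
    """Stage 1 (claims provider trust): pass the incoming claims through unchanged."""
    return [dict(c) for c in incoming]


def issuance_authorization(claims):
    """Stage 2 (relying party trust): Permit only when an authenticated Windows account
    name is present, otherwise Deny. Constructed policy for the example, not ADFS's default."""
    return "Permit" if any(c["type"] == WINDOWSACCOUNTNAME for c in claims) else "Deny"


def rule_lookup_upn_and_immutableid(c):
    # c:[Type == windowsaccountname] => issue(store = "Active Directory", ...)
    if c["type"] != WINDOWSACCOUNTNAME:
        return []
    # regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}") -> sAMAccountName
    sam = re.sub(r"(?P<domain>[^\\]+)\\(?P<user>.+)", r"\g<user>", c["value"])
    entry = AD_STORE.get(sam)
    if entry is None:
        return []  # unknown account: nothing issued, the token carries no UPN/ImmutableID
    # Binary attributes such as objectGUID are base64-encoded when issued as claims.
    immutable_id = base64.b64encode(entry["objectGUID"].bytes_le).decode("ascii")
    return [claim(UPN, entry["userPrincipalName"]), claim(IMMUTABLEID, immutable_id)]


def rule_immutableid_to_nameidentifier(c):
    # c:[Type == ImmutableID] => issue(Type = nameidentifier, Value = c.Value, Properties[format] = unspecified)
    if c["type"] != IMMUTABLEID:
        return []
    return [claim(NAMEIDENTIFIER, c["value"],
                  {NAMEID_FORMAT: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"})]


def rule_upn_to_issuerid(c):
    # c:[Type == UPN] => issue(Type = issuerid, Value = regexreplace(c.Value, ".+@(?<domain>.+)", "http://${domain}/adfs/services/trust/"))
    if c["type"] != UPN:
        return []
    value = re.sub(r".+@(?P<domain>.+)", r"http://\g<domain>/adfs/services/trust/", c["value"])
    return [claim(ISSUERID, value)]


ISSUANCE_TRANSFORM_RULES = [
    rule_lookup_upn_and_immutableid,
    rule_immutableid_to_nameidentifier,
    rule_upn_to_issuerid,
]


def issuance_transform(claims):
    """Stage 3: run the rules in order. As in ADFS, a claim produced by issue() joins both
    the outgoing set and the working input set, so a later rule can match on it."""
    working = list(claims)
    outgoing = []
    for rule in ISSUANCE_TRANSFORM_RULES:
        issued = [new for c in list(working) for new in rule(c)]
        working.extend(issued)
        outgoing.extend(issued)
    return outgoing


def run_claims_pipeline(incoming):
    """Returns (decision, outgoing claims); a Deny short-circuits before any claim is issued."""
    accepted = acceptance_transform(incoming)
    decision = issuance_authorization(accepted)
    if decision == "Deny":
        return decision, []
    return decision, issuance_transform(accepted)


def claims_by_type(claims):
    return {c["type"]: c for c in claims}


if __name__ == "__main__":
    decision, token = run_claims_pipeline([claim(WINDOWSACCOUNTNAME, "CONTOSO\\charlie")])
    print(decision)
    for c in token:
        print(c["type"].rsplit("/", 1)[-1], "=", c["value"], c["properties"] or "")
```

The order of the rules matters: the NameID and issuerid rules only fire because the lookup rule issued ImmutableID and UPN into the working set first. The example also shows why the objectGUID, not the UPN, is the right anchor for the Office 365 account: a rename changes the UPN claim and the derived issuerid, but the ImmutableID, and therefore the NameID the relying party keys on, stays the same.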

25 agenda (section divider): Intro; ADFS 2.0 Overview; Federated Authentication in Office 365; Single Sign On Configuration

26 add domain (convert to federated later)

27 configure federation: connect to MSOL

```powershell
$cred = Get-Credential
Connect-MsolService -Credential $cred
Set-MsolADFSContext -Computer <adfs-server-fqdn>   # placeholder: the slide leaves the server name blank
```

28 configure federation: add federated domain

```powershell
New-MsolFederatedDomain -DomainName <federated-domain> -SupportMultipleDomain   # placeholder: the slide leaves the domain name blank
```

29 Directory Synchronization. Directory Synchronization is used between on-premises Active Directory and Office 365. Federation requires DirSync in this scenario. Users' UPNs are leveraged for account matching.

30 Directory Synchronization: Start-OnlineCoexistenceSync

31 login sequence (diagram, sharepointlabs.nl). Parties: client; SharePoint Online and Exchange Online in the cloud; ADFS 2.0 and AD on-premises; the Sign-In Service. Flow: the client is redirected to ADFS 2.0 and authenticates against AD; ADFS 2.0 issues a SAML logon token (UPN, Source ID: ABC123); the Sign-In Service exchanges it for an authentication token (UPN, Source ID) that the client presents to the online service.

32 login sequence (diagram)

33 Scenarios. Domain-joined computer in the corporate network: the ADFS server can use Windows Integrated AuthN. Domain-joined computer, roaming: publish the ADFS server (proxy). Home or public computer: the user signs in with corporate credentials. Smartphone: Microsoft Outlook or other clients.

34 troubleshooting. Tools: MOSDAL (Microsoft Online Services Diagnostics and Logging) Support Toolkit; Fiddler.

35 adfs additional reading. KB article: Update Rollup 1 for Active Directory Federation Services (AD FS) 2.0, which adds multiple issuer support, client access policy support, a congestion avoidance algorithm and additional AD FS 2.0 performance counters.

36 more info. Web Services Federation Language (WS-Federation) Version 1.2: federation.pdf. WS-Trust Version 1.3: 1.3-os.pdf. Security Assertion Markup Language (SAML) 2.0. Microsoft AD FS 2.0 Release to Web (RTW) download: =118c a-b655-6cec0a92c10b. Identity federation definition from Wikipedia.

37 more info: Microsoft Office 365 Single Sign-On (SSO) with AD FS 2.0

38 more info: Microsoft Office 365 Single Sign-On (SSO) with AD FS 2.0
