Surviving the Triangle: Shibboleth, ADFS, Office 365

Presentation on theme: "Surviving the Triangle: Shibboleth, ADFS, Office 365"— Presentation transcript:

1 Surviving the Triangle: Shibboleth, ADFS, Office 365
An Adventure Story of the High Seas
by: J. Greg Mackinnon, Systems Architect (Not a Ship Captain)
Enterprise Technology Services, University of Vermont
A tale of desperation and survival in the face of nearly insurmountable odds.

2 Overview: “Fun Parts” Edition (FUN = PAIN x TIME):
- Design an AD FS / Shibboleth / Office 365 solution for our school.
- Deploy Active Directory Federation Services on Windows Server 2012 R2 ("ADFS 3.0").
- Integrate AD FS with the existing Shibboleth 2 IdP.
- Sync on-premises Active Directory to Azure AD/Office 365 using the Windows Azure Active Directory Sync Tool (DirSync).*
- Provision users with Office 365 services using PowerShell and the Microsoft Azure Active Directory Module for Windows PowerShell (formerly "Microsoft Online Services Module for Windows PowerShell").
- Simplify access to Office 365 using Smart Links.
- Overcome presentation boredom through exciting narrative tools.

Web Application Proxy replaces the ADFS Proxy role. The WAP is more powerful, and can be used for Kerberos protocol transitioning, which is useful for NTLM remediation. DirSync is now replaced by "Microsoft Azure AD Sync Services", which supports more object/attribute filtering, with as few as seven attributes synced! But the tool to be used may change again. The emphasis here will be on understanding the technology underpinnings to better prepare for future sync technology transitions. If your school does not use Shibboleth, much of the material in this presentation may still be useful; just ignore all the business about Shibboleth.

3 Assumptions: Familiarity with concepts behind:
- Federated SSO
- AD FS
- Shibboleth
- Office 365 / Azure AD
- Claims Authentication

4 Act 1: The Gathering Storm

5 Scene 1: A Gift Horse is Presented
Spring 2014: The Student Advantage program is announced: Free Office software for all students at institutions with Office site licenses for faculty and staff. Three cheers for Microsoft!

6 Scene 2: The Gift Becomes a Task
- Provision Office 365 Pro Plus to 14,000+ active students.
- Do not provision services to faculty/staff.
- Make it work with the existing UVM Web Single Sign-On system.
- Do not disclose any information other than Name, NetID, and active student status to Microsoft.
- For students requesting additional privacy protection under FERPA, do not even disclose Name.
- Do it all before students get back on campus.
- Your budget is $0.

Shibboleth and ADFS interop used to feel like a swimming-with-sharks proposition (nautical theme!), and I still was not overly comfortable looking at it in 2013. Our Shib deployment in ~ took over a week with 80% of our team on board for the entire work day just to get it into basic operational condition.

7 Scene 3: Backstory Time! [The Slides you Hate]
University of Vermont: land grant school founded by Ira Allen "a long time ago". Over 1,300 faculty, perhaps 2,200 staff [MORE BORING NUMBERS NUMBERS], 14 thousand something students.
Enterprise Technology Services: central IT services for the institution, 60+ employees, about half of all IT pros on campus.
Systems Architecture and Administration: 9 system admins, 3 Windows guys. We do it all, with probably the lowest support ratios of any peer institution.

The backstory lets you know more about us, and what we are up against. SAA runs central authentication (AD, LDAP, Kerberos), collaboration services ( , calendar, www, SharePoint), client deployment and management (SCCM, MDT, Munki, DeployStudio), VDI (View), and server virtualization and hosting (vSphere). How do we manage to do all of these things? I work with a truly excellent group of dedicated and talented people. The good part of this situation is that we all have broad knowledge of the infrastructure, with insight into how most services work and interoperate. An exciting and interesting place to work. The bad part is that projects tend to proceed slowly as they are sidelined by conflicting priorities. All priorities are conflicting, and new projects can feel a bit like drowning (see that nautical theme again).

8 Scene 3 (Continued): The Cast of Characters
Our plucky IT Hero: The dastardly villains: The mysterious benefactor: The ship’s crew: Colorful Characters:

9 Scene 4: Core Technologies Debated
BOSS: UVM web services will use a single web SSO solution (WebAuth). The Boss notes that MS supports Shibboleth as an Identity Provider for Office 365.
But Boss, read the fine print… Office 365 ProPlus licensing is not supported with Shibboleth as the primary identity provider!
IT Hero: AD FS is already in pre-production for a SharePoint 2013 upgrade project. Let's do interop!
- AD FS provides the broadest client support (at present).
- AD FS lets "Microsoft be Microsoft" (support for WS-Federation "active authentication scenarios" in addition to SAML 1 and 2).
- Supports Windows Authentication (allows single sign-on from the Windows desktop).
- Added benefit of the Web Application Proxy service, which can aid with NTLM remediation.

Things may have changed since this decision was made, but at the time the Shibboleth IdP could not support Lync desktop clients, Office desktop apps with SharePoint Online, PowerShell access to Office 365, or Outlook/ActiveSync (unless you have an ECP endpoint on your IdP).

10 Scene 4 (continued): The Best Laid Plans…
A service architecture is developed An authentication workflow is mapped

11 Service Architecture: Work To Do
Orange boxes and red arrows represent work to be done. Teal and blue are existing infrastructure.
- AD forest, with identities synchronized from OpenLDAP
- Mature Shibboleth v2.4 services, backed by Stanford WebAuth and an MIT Kerberos realm
- AD FS v3 services, in pre-production
- AD FS trusts Shibboleth as a trusted external "Claims Provider"
- Office 365 test environments. No production use.

12 Federated SSO: The Whole Ugly Truth

13 Scene 5: A Likely Conversation
IT Hero: "Hey Boss… this whole Federated SSO thing is really complicated. Have you seen this diagram of the planned authentication workflow?"
Boss: "Yeah… What's your point? That's what we do."
(But is SCALE x COMPLEXITY > SKILL? Let's find out!)

The job of the systems administrator is to solve complicated problems, and make them invisible to the end user. (Note the flip side, where scale + complexity > skill.)

14 Act 2: The Adventure Begins
And yes… it really will be this exciting!

15 Scene 1: Our Heroes Tackle an Easy Task (AD FS production deployment):
- For HA deployments, have a SQL Server ready.
- Install the AD FS role (2+ servers).
- Configure the role (2+ servers).

I say this is easy because we had already done it by the time this project started. But really, it is not very difficult. Our Shibboleth 1 deployment was done by at least six sysadmins working together for over a week. ADFS was done by two guys in two days. HA is a deployment option for the ADFS role: select this option during "post-deployment configuration", and specify the SQL Server info in the deployment wizard. This is greatly simplified from previous releases, where the HA database deployment was a separate process.

That was easy! What's next? Install and configure the Web Application Proxy role.

16 Scene 1 (continued) [FX: queue thunder clap]: Load Balancing AD FS
- Use the F5 load balancer in "Direct Server Return", or "nPath Routing", mode.
- The F5 monitor for HTTPS services on the ADFS servers fails! ADFS 3.0 runs in HTTP.SYS, which requires SNI. The OpenSSL 0.98 libraries on the F5 do not support SNI.
- Use NETSH to add an additional http.sys binding for "legacy" clients. This will be helpful with Shibboleth interoperability as well.

Can't get into DSR owing to time… see me after, or review the deck for details.

17 Scene 2: The Crew Conquers AD FS / Shibboleth Interoperability, With a Little Help From Friends.
- Get the whitepaper: Back to school: A Claims Interoperability Primer…
- Set up the Claims Provider Trust in AD FS:
  - Reduce the token signing requirement to SHA1 (default is SHA256).
  - Must use NETSH to allow ADFS to accept non-SNI connections. (Java SSL libraries used in our Shibboleth deployment do not support SNI.)
- Set up the Relying Party Trust in Shibboleth:
  - Import the token signing certificate into Shibboleth.
  - Play with the XML configuration files. (Note the OID of released attributes.)

18 Scene 2 (continued): Beyond the Whitepaper
ADFS now generates tokens based on Shib tokens, but how do I get useful AD data into the token? A knowledgeable old salt stops in to explain the Claims Transformation Language. The Divine Secrets of the Claims Transformation Language allow Microsoft applications to natively consume claims generated by Shibboleth.
Who is that salty old guy? Quint! "We're talking Greeet Whiat Shaark! 22 Children go inna water, 19 come oout. September 12, 1968, a day i-ell not be forgettin. We don want little Jeffie gettin all ate up, now, so I better help ya out."

Ultimately we changed the primary user UPN in AD to match the ePPN value (also the Kerberos realm UPN), but we could have transformed claims both coming in to ADFS and going out to Azure AD.

19 Scene 3: A Foray Under the Storm Clouds
- Set up an Office 365 tenant. Select "Office 365 Education E3 for Students Trial", and then add "E1" licenses to your tenant.
- Plan for UPN-based authentication: Does the AD UPN match the Shibboleth ePPN? Does the AD UPN match a domain configured in Office 365?
- Enroll for the Student Advantage Program.* Get your EES program administrator to accept a $0 purchase order. Contact Microsoft Sales to assign Student Advantage licenses to your tenant. Request more licenses. Request even more licenses.
- Install and configure DirSync. Create the Office 365 sync account (*onmicrosoft.com recommended). Create the AD sync account. Apply ACLs to satisfy UVM legal privacy requirements. Configure attribute filtering.
- Apply PowerShell-Foo to assign licenses to students.

* Procedures likely have changed since inception. MS now assigns 1 million licenses to institutions with an active EES covering Office for faculty/staff.

20 Scene 4: A Plan Comes Together
Hero: "It all works! Hurray, time to take vacation!"
Boss: "This user experience is unacceptable! Fix it!"
Create Smart Links to make it all invisible:
https://adfs.uvm.edu/adfs/ls/?wa=wsignin1.0&wtrealm=urn:federation:MicrosoftOnline&wctx=wa%253Dwsignin1.0%2526rpsnv%253D3%2526ver%253D %2526wp%253DMCMBI%2526wreply%253Dhttps:%25252F%25252Fportal.office.com%25252Flanding.aspx%25253Ftarget%25253D% fOLS% fMySoftware.aspx%2526lc%253D1033%2526id%253D501392%2526%2526LoginOptions%253D3

The user experience… students need to be told where to go to get their software. We did not understand at project conception how this would be done. I assumed, for some reason, that there would be a SharePoint Online "app" or web part that we could put in a SharePoint Online site in our "msoffice.uvm.edu" tenant. Nope… students are to go to "portal.office.com", and use the menus to go to the software download pages. Boo! Further, when they try to log in to "portal.office.com", they need to log in with their UPN. AD users have the suffix, but our tenant is for Fix that… Finally, users are not used to UPN login anyway. What to do? Use the Smart Link! This takes them to webauth.uvm.edu, where they can log in with a simple password. BUT is this really simpler?

21 Federated SSO: “Simplified” with Smart Links
While complexity has been added to the architecture, the user experience has become far easier. In doing that, we have defined the role of the systems administrator: to make difficult tasks possible, to reduce complicated procedures into elegant user experiences, and to make all of the machinery invisible.

22 Scene 5: Students Invade Campus, and Our Hero Takes a Vacation
The Client Services team prepares "Go: Get Office" materials for residence halls and for students picking up new computers.
- 1,256 downloads in the first month. (First-time student count is approximately ~2,450.)
- Zero complaints. (Or if there were, they were not heard from the Outer Banks, NC.)

Assumption is that most downloads are by new, incoming students. Approximately half of the first-time incoming students now have Office. This should be a large enough volume of Office 365 users to allow for peer support, and to get the word out to other students that Office software is available for free.

23 Epilogue: Full of sound and fury, signifying nothing.
- September 15th, 2014: Microsoft releases "Azure Active Directory Sync Services", obsoleting DirSync only three weeks after UVM go-live.
- September 20th, 2014: Microsoft 'enhances' the Student Advantage program with - address-based opt-out self-enrollment.
- October 1st, 2014: Rumors arise that Office 365 Pro Plus will be made available to all faculty and staff for EES customers with coverage for Office software.

I understand that there is no particular reason to jump all over Azure AD Sync Services unless you really need features that are in this release.

24 Epilogue: Full of sound and fury, signifying nothing something.
Unified SSO Achieved Cloud Ready And while DirSync may be deprecated, the FIM engine under it is likely to power all future Azure synchronization tools.

25 THE END
Follow-up questions to: gregory.mackinnon@uvm.edu
LinkedIn: Facebook: j.greg.mackinnon
And more fun at:
The storm clouds have cleared… Happy sailing!

26 Resources: F5 Guide to Layer 4 nPath Routing (Direct Server Return):
- General guidance from F5: ip_ltm/manuals/product/ltm_implementations_guide_10_1/sol_npath.html
- Specific directions for configuring Loopback on Server:
AD FS:
- Windows Server 2012 R2 AD FS Deployment Guide:
- Step-by-Step Guide: Federation with Shibboleth 2 and the InCommon Federation:
- HTTP.SYS Binding and SNI at UVM (SharePoint Configuration Entry):
- User Alternate Login IDs with ADFS and Office 365: alternate-login/

27 Resources (continued…):
Claim Rule Language References:
- Primer: "Understanding Claim Rule Language" [HA!]:
- Regular Expressions in Claim Rule Language:
- Attribute Stores and Queries:
- The Ugly Internals: AD FS Claims Rule Language Deep Dive (with Win-HiEd favorite Laura Hunter!): https://www.youtube.com/watch?v=G279c_5tHfs
- UVM Transformations for SharePoint 2013:
DirSync:
- Download:
- Setup of Directory Sync computer:
- Release History (useful for determining if you have the current release):
- Deploy "Directory Sync with Single Sign-On" scenario for Office 365:
- Handling the "Replicating Directory Changes" permission:

28 Resources (continued…)
Azure AD Module for PowerShell:
- Download: Always get the latest version!
- Provisioning students with O365 ProPlus using PowerShell at UVM: proplus-licenses/
- Microsoft Azure Active Directory Sync Services (DirSync, the next generation):
- Microsoft guide to creating Smart Links: authentication-with-office-365.aspx?Sort=MostRecent&PageIndex=1

29 nPath Routing (Direct Server Return):
The load balancer forwards the entire Layer 4 TCP packet to the back-end server.
- Reduces load on the expensive F5.
- Reduces complexity of the configuration: only one SSL certificate needed. No complex SSL termination and re-encapsulation at the load balancer.
- Kerberos-compatible.
Each back-end server has the IP address for the cluster assigned to a "loopback" adapter with a 28-bit netmask. Each back-end "thinks" it has the cluster IP. The back-end server forwards the incoming packet from its public interface to the loopback interface. The back-end server replies directly to the client.

30 HTTP.SYS Binding (1 of 2)
Modern browsers (and SSL libraries) support the SNI, or "server_name", extension. Older Java runtimes (1.6), OpenSSL libraries (0.98), and IE6 do not support SNI.

31 HTTP.SYS Binding (2 of 2)
On each ADFS server and proxy, open an elevated command prompt.
Run> netsh http show sslcert
    Hostname:port : adfs.uvm.edu:443
    Certificate Hash : aBunchOfRandomLookingNumbers
    Application ID : {yet-another-ugly-product-guid}
    Certificate Store Name : MY
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
Record the certificate hash and application ID for the certificate used by ADFS.
Run> netsh http add sslcert ipport= :443 certhash=aBunchOfRandomLookingNumbers appid={yet-another-ugly-product-guid}

32 A Claims Interoperability Primer:
Guidance available from Microsoft!
- Claims Authentication: an Internet-friendly, token-based authentication system. SAML 1, SAML 2, and WS-Federation.
- Security Token Service (STS): a service that generates claims tokens (ADFS, Shibboleth). In Shibboleth terms, an Identity Provider (IdP).
- Claim (ADFS) = Attribute (Shib2) = Assertion (Shib1)
- Relying Party (RP) = Service Provider (SP)
- Claim Provider Trust: a back-end source of user data (AD, LDAP, SQL, or another SAML provider).
- AD FS 2 and Shibboleth 2 are both SAML 2 token providers. Different Claim Description formats hamper interoperability.

33 AD FS Claims Provider Trust Configuration
You may need to set the "secure hash algorithm" to "SHA-1".
Transform Shibboleth/InCommon "attributes" into "claims" that can more easily be used by Microsoft applications.

Claims transformation is perhaps the most important, powerful, and difficult part of this whole configuration. More on this later…

34 Shibboleth Relying Party Trust Configuration
Relying Parties to the IdP are defined in a file (i.e. relying-party.xml). With AD FS 2+, you will need to import your ADFS token signing certificate into the IdP config.

Your Shibboleth admin may not have seen a configuration that requires the use of a token signing certificate before. Set a calendar reminder to import a new token signing certificate when the current one expires, because Shib will not do this automatically. Get the token signing cert from the AD FS console: view the certificate, and export it in Base64 (PEM) format.

35 Shibboleth RP Configuration (continued)
Attribute release rules are controlled in an "Attribute Filters" file (i.e. attribute-filters.xml). Attributes to be released generally are grouped into policies (i.e. uvm-common). Displayed attributeID values are friendly names for the attributes, as defined in a resolver file (attribute-resolver.xml). Note both the old (and sane) SAML1 names, and the new (incomprehensible) SAML2 names.

36 Divine Secrets of the Claims Transformation Language (1 of 3)
Hard task: Convert Shib attribute "ePPN" to ADFS "UPN":
c:[Type == "urn:oid: "]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

37 Divine Secrets of the Claims Transformation Language (2 of 3)
Difficult task: Convert the ePPN domain suffix to match the AD UPN suffix:
c:[Type == "urn:oid: ", Value =~ ]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = regexreplace(c.Value, ), ValueType = c.ValueType);
- =~ sets up a regular expression match.
- regexreplace() allows us to replace one value with another, based on a RegExp.
- "(?<user>...)" sets up a capture group; <user> is the variable to capture to.
- ${user} puts the variable into the output value.

38 Divine Secrets of the Claims Transformation Language (3 of 3)
Seemingly Impossible Task: Augment incoming Shib claims with user attributes from AD (used for an on-premises SharePoint project):
c:[Type == "urn:oid: ", Value =~ ]
 => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = "samAccountName={0};tokenGroups;CAMPUS\foo", param = regexreplace(c.Value, "${user}"));
- store = "Active Directory" means collect the value to issue from the Claims Provider named "Active Directory".
- query can be a SQL or an LDAP query. For LDAP, we use three parameters: filter value, return value, and domain. If empty, the filter value is assumed to be samAccountName={0}.
- tokenGroups is a collection of recursive group memberships for the queried user.
- The domain should be specified in the format "NetBIOS Domain\[throwaway value]".
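The two ePPN-to-UPN rules from the previous slides, written out in full and installed with the AD FS PowerShell module. This is an added example, not the presenter's configuration: the trust name "Shibboleth", the suffixes "idp.example.edu" and "ad.example.edu", and the sample ePPN values are all constructed; the ePPN OID is the standard eduPersonPrincipalName value.

```powershell
# Added example (not from the presentation): install the two ePPN -> UPN
# acceptance transform rules on the Shibboleth claims provider trust in AD FS,
# after checking the rewrite locally with the same .NET regex engine.
# Assumptions (all constructed): trust named "Shibboleth", Shibboleth suffix
# "idp.example.edu", AD UPN suffix "ad.example.edu". The ePPN attribute OID is
# the standard eduPersonPrincipalName value, 1.3.6.1.4.1.5923.1.1.1.6.
Import-Module ADFS

$TrustName  = 'Shibboleth'
$IdpSuffix  = 'idp.example.edu'
$UpnSuffix  = 'ad.example.edu'
$EppnOid    = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.6'
$UpnClaim   = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'

# Anchored patterns: "^...$" stops "alice@idp.example.edu.evil.example" from
# matching, so a forged suffix cannot be rewritten into a valid AD UPN.
$IdpPattern = '^(?<user>[^@]+)@' + [regex]::Escape($IdpSuffix) + '$'
$UpnPattern = '^[^@]+@' + [regex]::Escape($UpnSuffix) + '$'

# Rule 1 passes an ePPN that already carries the AD suffix through unchanged.
# Rule 2 rewrites the Shibboleth suffix; "${user}" is the named capture group,
# which is why the replacement string is escaped with a backtick here.
$Rules = @"
@RuleName = "ePPN to UPN (pass-through)"
c:[Type == "$EppnOid", Value =~ "$UpnPattern"]
 => issue(Type = "$UpnClaim", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

@RuleName = "ePPN to UPN (rewrite suffix)"
c:[Type == "$EppnOid", Value =~ "$IdpPattern"]
 => issue(Type = "$UpnClaim", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = regexreplace(c.Value, "$IdpPattern", "`${user}@$UpnSuffix"), ValueType = c.ValueType);
"@

# Local dry run of the same logic: what UPN claim would each ePPN produce?
function Convert-EppnToUpn {
    param([string]$Eppn)
    if ($Eppn -match $UpnPattern) { return $Eppn }
    if ($Eppn -match $IdpPattern) { return "$($Matches['user'])@$UpnSuffix" }
    return $null   # neither rule matches: AD FS issues no UPN claim at all
}
foreach ($e in 'alice@idp.example.edu', 'bob@ad.example.edu', 'eve@other.example.edu', 'mallory@idp.example.edu.evil.example') {
    '{0,-40} -> {1}' -f $e, (Convert-EppnToUpn $e)   # rewrite, pass-through, no claim, no claim
}

# Apply and read back. This replaces the whole acceptance rule set of the trust.
Set-AdfsClaimsProviderTrust -TargetName $TrustName -AcceptanceTransformRules $Rules
(Get-AdfsClaimsProviderTrust -Name $TrustName).AcceptanceTransformRules
```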

39 Setup a new Office 365 Tenant
education-plans-FX aspx
Domain considerations: Must the O365 domain match the user's ePPN/UPN suffix? (i.e. Will the UPN be used to log in to the O365 domain "domain.com"?) If not, plan on:
- Transforming the UPN suffix in the relying party trust with Office 365 (maybe?), or
- Changing the UPN suffix for your AD users, or
- Using the supported Alternate Login ID method (see references).
Configure the domain for SSO using PowerShell:
Set-MsolAdfscontext -Computer <AD FS primary server>
Convert-MsolDomainToFederated -DomainName <domain>

Alternate Login ID is now supported when using ADFS on Server 2012 R2. See references. PowerShell commands are documented in the Directory Sync TechNet documentation. See references, or direct link:

40 Configuring DirSync for Filtered Replication:
- Dedicate a Windows Server OS. Must use SQL Server Standard/Enterprise if >50,000 objects will be synchronized.
- The installer will create an "MSOL_*" user account in your forest root domain. (Documentation claims the name will be "AAD_*".)
- Assumption: the MSOL account will not be able to read FERPA-protected data, because it is not in a group that can read this info. Fact: the MSOL account syncs FERPA data anyway. WHY??!?!
- MSOL is a powerful account with "Replicating Directory Changes" rights. This right will need to be removed if you need to filter user attributes (regulatory compliance/privacy concerns). OR, just create a new service account for DirSync (supported by Microsoft?).

Recall that our goal is to limit the user attributes that can be replicated by DirSync. The focus here is not on documenting a step-by-step "how to configure DirSync", but rather on how to limit what DirSync will replicate.

41 Configuring DirSync for Filtered Replication (continued):
DirSync is FIM-based. Same user interface as seen in FIM and the SharePoint User Profile Synchronization Tool. Launch from:
C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell\miisclient.exe
FIM has a lot of filtering options, but for DirSync, support is limited to filtering out whole domains, whole OUs, or to filtering entire accounts based on a limited set of pre-defined attributes (e.g. extensionAttribute1).

42 Configuring DirSync for Filtered Replication (continued):
- Remove any explicit allow ACE that would let non-privileged accounts read FERPA-protected attributes. (Already done!)
- Grant required rights using inherited ACLs.
- Apply an inherited deny ACE that blocks access to non-exportable user data.
Source:

43 Configuring DirSync for Filtered Replication (continued):
- DirSync will read extensionAttribute1-15 values into the "metaverse".
- Populate extensionAttribute1 with affiliation type data.
- Configure the agent to send only users with extensionAttribute1 = Student.
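The ACL steps from the "Filtered Replication" slides (remove explicit allows for the sync account, add an inherited deny ACE on the protected attributes, and confirm the account no longer holds "Replicating Directory Changes") as an added PowerShell example, not UVM's script. The account name "MSOL_sync", the OU, and the attribute names standing in for the FERPA-protected attributes are constructed assumptions.

```powershell
# Added example (not from the presentation): restrict which user attributes the
# DirSync service account can read by adding an inherited Deny ReadProperty ACE
# on the user container, one per protected attribute.
# Assumptions (constructed): service account "MSOL_sync", OU
# "OU=People,DC=campus,DC=example,DC=edu", and the attribute list below standing
# in for the FERPA-protected attributes.
Import-Module ActiveDirectory

$SyncAccount         = 'MSOL_sync'
$TargetOu            = 'OU=People,DC=campus,DC=example,DC=edu'
$ProtectedAttributes = @('homePhone', 'streetAddress', 'extensionAttribute5')

$RootDse  = Get-ADRootDSE
$SchemaNc = $RootDse.schemaNamingContext

# Resolve the schemaIDGUID of an attribute or class from its LDAP display name.
function Get-SchemaGuid {
    param([string]$LdapDisplayName)
    $obj = Get-ADObject -SearchBase $SchemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object not found: $LdapDisplayName" }
    return [guid]$obj.schemaIDGUID
}

$Sid           = (Get-ADUser -Identity $SyncAccount).SID
$UserClassGuid = Get-SchemaGuid 'user'
$Acl           = Get-Acl -Path "AD:\$TargetOu"

# 1. Drop any explicit Allow ACE for the sync account on this OU; an explicit
#    Allow would otherwise compete with the Deny we are about to add.
foreach ($ace in @($Acl.Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $Sid -and
        $_.AccessControlType -eq 'Allow' -and -not $_.IsInherited })) {
    [void]$Acl.RemoveAccessRule($ace)
}

# 2. Add one inherited Deny ReadProperty ACE per protected attribute, scoped to
#    descendant user objects so other object types in the OU are unaffected.
foreach ($attr in $ProtectedAttributes) {
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
        [System.Security.AccessControl.AccessControlType]::Deny,
        (Get-SchemaGuid $attr),
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $UserClassGuid)
    $Acl.AddAccessRule($rule)
}
Set-Acl -Path "AD:\$TargetOu" -AclObject $Acl

# 3. Verify. A Deny ACE is irrelevant if the account also holds
#    "Replicating Directory Changes" on the domain NC, which is why the slides
#    say that right must be removed from the sync account.
$DomainNc = $RootDse.defaultNamingContext
$ReplGuid = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes
$Repl = (Get-Acl -Path "AD:\$DomainNc").Access | Where-Object {
    $_.ObjectType -eq $ReplGuid -and $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $Sid }
if ($Repl) { Write-Warning "$SyncAccount still holds Replicating Directory Changes; the Deny ACEs will not limit what it syncs." }
```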

44 Provisioning Office 365 Users Using PowerShell
Requires the "Microsoft Azure Active Directory Module for Windows PowerShell" (make sure you have the latest build!)
Azure-only accounts have password expiration: set a reminder to prevent provisioning failures.
>Connect-MsolService
>Get-MsolUser -UnlicensedUsersOnly -Synchronized -All
>Set-MsolUser -UserPrincipalName <upn> -UsageLocation 'US'
>Set-MsolUserLicense -UserPrincipalName <upn> -AddLicenses [tenant]:OFFICESUBSCRIPTION_STUDENT
See the blog entry for more details.

45 PowerShell Send-MailMessage
Provisioning report for Office 365/Azure AD for: 10/13/ :15:01 PM
Office 365 ProPlus for Student - license report:
Total licenses:
Consumed licenses:
Remaining licenses: 2041
Retrieved active students from Active Directory. Active student count:
Retrieved unlicensed MSOL users. Unlicensed user count: 4
Provisioning successfully completed at: 10/13/ :15:22 PM
Provisioned 0 accounts.
Elapsed Time (hh:mm:ss): 0:0:21
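The four cmdlets from the provisioning slide, joined into one run that checks license headroom first and then mails a report in the shape of the one above. This is an added example, not the UVM script the blog entry describes; the tenant prefix "msoffice", SMTP relay and addresses are constructed assumptions, and the SKU part number is the one shown on the slide.

```powershell
# Added example (not the presenter's script): license synchronized, unlicensed
# students with Office 365 ProPlus and send the run report by e-mail.
# Assumptions (constructed): tenant prefix "msoffice", SKU part number
# OFFICESUBSCRIPTION_STUDENT from the slides, and the SMTP relay/addresses below.
Import-Module MSOnline

$Sku      = 'msoffice:OFFICESUBSCRIPTION_STUDENT'
$SmtpHost = 'smtp.example.edu'
$From     = 'o365-provisioning@example.edu'
$To       = 'sysadmins@example.edu'
$Started  = Get-Date

Connect-MsolService   # prompts for the tenant admin credential

# Report license headroom before touching anything.
$SkuInfo = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -eq $Sku }
if (-not $SkuInfo) { throw "SKU $Sku not found in tenant" }
$Remaining = $SkuInfo.ActiveUnits - $SkuInfo.ConsumedUnits

# Only synchronized (DirSync-sourced) accounts without a license. Because DirSync
# was filtered to extensionAttribute1 = Student, every such account is a student;
# faculty/staff never reach the tenant, so they cannot be licensed here by mistake.
$Candidates = @(Get-MsolUser -UnlicensedUsersOnly -Synchronized -All)

$Provisioned = 0
$Failures    = @()
foreach ($u in $Candidates) {
    if ($Provisioned -ge $Remaining) { $Failures += "$($u.UserPrincipalName): no licenses remaining"; continue }
    try {
        # UsageLocation is mandatory before a license can be assigned.
        if (-not $u.UsageLocation) {
            Set-MsolUser -UserPrincipalName $u.UserPrincipalName -UsageLocation 'US' -ErrorAction Stop
        }
        Set-MsolUserLicense -UserPrincipalName $u.UserPrincipalName -AddLicenses $Sku -ErrorAction Stop
        $Provisioned++
    } catch {
        $Failures += "$($u.UserPrincipalName): $($_.Exception.Message)"
    }
}

$Elapsed = (Get-Date) - $Started
$Body = @"
Provisioning report for Office 365/Azure AD for: $Started
Office 365 ProPlus for Student - license report:
  Total licenses:     $($SkuInfo.ActiveUnits)
  Consumed licenses:  $($SkuInfo.ConsumedUnits)
  Remaining licenses: $Remaining
Retrieved unlicensed MSOL users. Unlicensed user count: $($Candidates.Count)
Provisioned $Provisioned accounts.
Failures ($($Failures.Count)):
$($Failures -join "`n")
Elapsed Time (hh:mm:ss): $($Elapsed.ToString('hh\:mm\:ss'))
"@
Send-MailMessage -SmtpServer $SmtpHost -From $From -To $To -Subject 'Office 365 student provisioning report' -Body $Body
```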

46 Frank Oobarthsen’s Sign-In Experience, Take 1:
GOAL: Get to the login page, and log in successfully on the first try.
Assuming that Frank even knows about "portal.Microsoft.com" (perhaps he got sent a link?), how do we ensure login success?
- Frank does not read directions, so he puts in his UVM NetID. FAIL!
- Frank sees the error message… tries UGH! He is not likely to try or or anything that you had intended he try.
Use your University primary DNS suffix as your domain. It is about the only thing that is likely to occur to Frank to try on his own.

47 Frank Oobarthsen’s Sign-In Experience, Take 2:
Enables Frank to log in successfully on the first try.

Instead of going through that ugly two-form login process (home realm discovery), could we somehow bypass the Office 365 sign-in page? Yes, by using Smart Links: enter a UVM address in the URL bar, get sent straight to the UVM web login page, and then right back to the Office 365 software download page.

