Cloud Connect Seamlessly

Presentation transcript:

Cloud Connect Seamlessly Azure AD Connect integrates on-premises directories with Azure Active Directory. This provides a common identity for users of Office 365, Azure, and SaaS applications integrated with Azure AD. Integrating your on-premises directories with Azure AD makes your users more productive by providing a common identity for accessing both cloud and on-premises resources. Users can use a single identity to access on-premises applications and cloud services such as Office 365. A single tool provides an easy deployment experience for synchronization and sign-in. Azure AD Connect replaces older versions of identity integration tools such as DirSync and Azure AD Sync. For more information, see Hybrid Identity directory integration tools comparison. (https://azure.microsoft.com/en-us/documentation/articles/active-directory-hybrid-identity-design-considerations-tools-comparison/) CLICK STEP(S) Click anywhere to begin. Single Sign-On

Azure AD integrates with many of today’s popular SaaS applications (e.g., Box, Twitter, and so on), supporting single sign-on (SSO) authentication and identity, and providing secure access management to applications. It also supports federated SSO through Microsoft Azure AD Single Sign-on and password SSO to third party apps and internal custom apps. Single sign-on allows users to access all the applications and resources they need to do business, by signing in only once using a single user account. Once signed in, users can access all of the applications they need without being required to authenticate (e.g. type a password) a second time. The admin has added the Salesforce application to Azure AD from the Azure AD Application Gallery. CLICK STEP(S) From the Applications list, click on Salesforce.

Contoso is onboarding the Salesforce application for availability to all employees to provide on-demand services that help with global customer communications. To simplify access to the application, the admin configured Salesforce with federated SSO. Let’s review how it was configured. CLICK STEP(S) Click Configure Single Sign-On.

Currently, Azure AD supports three types of single sign-on authentication: Microsoft Azure AD Single Sign-on – This option uses federated sign on to allow users to automatically sign in to the Salesforce application using the user account information from Azure AD. Password Single Sign-On – This option enables users to be automatically signed in to the third-party Salesforce SaaS application by Azure AD using the Salesforce user account information. Existing Single Sign-on – This option supports single sign-on to Salesforce using Active Directory Federation Services (ADFS) or another third-party single sign-on provider. Point Out (DO NOT CLICK): The 3 types of SSO authentication. CLICK STEP(S) Click Next.

The Sign On URL points to the web-based sign-in page for this application. If the application is configured to perform service provider-initiated single sign on, then when a user navigates to this URL, the service provider will do the necessary redirections to authenticate and log the user in to the application. CLICK STEP(S) Click Next.

The admin had to do some configurations within the Salesforce application. This included uploading the certificate that was downloaded from here, and configuring these three URLs in Salesforce to define login and sign out services. Point Out (DO NOT CLICK) #1: Download Certificate link. Point Out (DO NOT CLICK) #2: The 3 configuration URLs. After completing the Salesforce setup, the admin needs to confirm configuration and enable the certificate. CLICK STEP(S) In the upper right corner, click the X to exit without saving.
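
The service provider-initiated redirection behind the Sign On URL, and the reason the login URLs configured on each side must match, shown as an added example that is not part of the original presentation or Microsoft's code. It assumes the federation uses the SAML 2.0 HTTP-Redirect binding; every URL, entity ID and function name below is a constructed placeholder.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Constructed placeholder values (assumptions, not taken from the presentation).
IDP_LOGIN_URL = "https://idp.example.test/saml2"
SP_ENTITY_ID = "https://sp.example.test"
SP_ACS_URL = "https://sp.example.test/acs"
# What the admin registered at the IdP: SP entity ID -> allowed reply URLs.
REGISTERED = {SP_ENTITY_ID: {SP_ACS_URL}}
MAX_REQUEST_BYTES = 16 * 1024  # cap on inflated size, guards against deflate bombs


def sp_build_redirect(request_id, issue_instant, acs_url=SP_ACS_URL):
    """SP side: the redirect a browser receives after opening the Sign On URL."""
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'AssertionConsumerServiceURL="{acs_url}">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>"
    )
    # HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encoding.
    comp = zlib.compressobj(wbits=-15)
    deflated = comp.compress(xml.encode()) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})
    return f"{IDP_LOGIN_URL}?{query}"


def idp_check_request(url):
    """IdP side: decode the request; accept only a registered issuer/reply URL pair."""
    params = parse_qs(urlparse(url).query)
    try:
        raw = base64.b64decode(params["SAMLRequest"][0], validate=True)
        inflater = zlib.decompressobj(-15)
        xml = inflater.decompress(raw, MAX_REQUEST_BYTES)
        if inflater.unconsumed_tail:  # more data than the cap allows
            return None
        root = ET.fromstring(xml)
    except (KeyError, ValueError, zlib.error, ET.ParseError):
        return None
    issuer = root.findtext(f"{{{SAML}}}Issuer")
    acs = root.get("AssertionConsumerServiceURL")
    if acs not in REGISTERED.get(issuer, set()):
        return None  # never send a response to an unregistered reply URL
    return {"issuer": issuer, "acs": acs, "in_response_to": root.get("ID")}
```

The uploaded certificate comes into play on the return leg, where the service provider verifies the signature on the identity provider's response; that step is not shown here.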

Azure AD Single Sign-On configuration options include automatic account provisioning. With this, when users from Azure AD are assigned access to Salesforce, their user account is automatically added to Salesforce. CLICK STEP(S) Click Assign Accounts.

The last step to enabling SSO Integration is to assign users and groups who can access the app. Groups or individual users can be granted access to the app. The admin has assigned the Sales and Marketing security group access to Salesforce so all members of this group have access to this app. CLICK STEP(S) Click on the Starting With text field.

This means anyone who joins the Sales and Marketing group will automatically have access to the Salesforce application. CLICK STEP(S) On the right, click the checkmark.

CLICK STEP(S) In the bottom navigation bar, click on Update.

Because automated user provisioning is enabled, the admin receives a prompt to define what type of Salesforce profile the user should have. CLICK STEP(S) Click on the drop down menu to expand.

Point Out (DO NOT CLICK): Available options for Salesforce profile. CLICK STEP(S) In the upper right corner, click the X to exit without saving.

Contoso is also onboarding the Twitter application to promote social networking internally and externally. CLICK STEP(S) In the upper left corner, under Microsoft Azure, click the Back button (not the browser back button).

CLICK STEP(S) Click the scroll bar to scroll down.

The admin has also added the Twitter application to Azure AD from the Azure AD Application Gallery. CLICK STEP(S) From the Applications list, click on Twitter.

To simplify access to the application, the admin also configured the Single Sign-On (SSO) feature. CLICK STEP(S) Click Configure Single Sign-On.

The Twitter application supports Password Single Sign-on and ADFS. With password-based single sign-on, Azure AD will automatically sign users in to the third-party Twitter application using the user account information from Twitter. When the admin enables this feature, Azure AD collects and securely stores the user account information and the related password. CLICK STEP(S) Click the checkmark to exit.

Azure AD can support password-based single sign on for any cloud-based app that has an HTML-based sign-in page. By using a custom browser plugin, AAD automates the user’s sign in process by securely retrieving application credentials such as the username and the password from the directory, and enters these credentials into the application’s sign in page on behalf of the user. CLICK STEP(S) Click Configure Single Sign-On.

Administrators can assign applications to end users or groups, and allow the end users to enter their own credentials directly upon accessing the application for the first time in their access panel. CLICK STEP(S) Click on the Starting With text field.

This creates a convenience for end users whereby they do not need to continually enter the app-specific passwords each time they access the application. Or, administrators can create and manage application credentials, and assign those credentials to users or groups who need access to the application. CLICK STEP(S) On the right, click the checkmark.

In this case, members of the Sales and Marketing security group will have access to the Twitter account, but do not need to know the credentials. CLICK STEP(S) In the bottom navigation bar, click on Update.

With password-based single sign-on, Azure AD will automatically sign users in to the third-party Twitter application using the user account information from Twitter. When the admin enables this feature, Azure AD collects and securely stores the user account information and the related password. Enabling password rollover will automatically update the password for this account at a specific defined frequency. CLICK STEP(S) Below the Password text field, check the checkbox: I want to enable automatic password rollover.

Once enabled, users should access the application exclusively using the Access Panel or the single sign-on link specific to this application. The Applications Access Panel is a cross-device and cross-browser portal, accessible using iOS, Android, Mac, and Windows. To reach the Access Panel, users authenticate against Azure AD once, then see the list of Applications they have access to, and can launch the app with just a click from there. If the application was configured for SSO by the administrator, the users don’t need to re-authenticate to access the application: single sign-on will take care of the authentication automatically. Now that you have experienced the Admin side of SSO, let’s see how SSO impacts an End User. CLICK STEP(S) From the Task Bar, restore Internet Explorer browsing session.

Here, Garth Fort is logged into the Access Panel using his corporate credentials and can see all the applications available to him. CLICK STEP(S) Click on the Salesforce app.

CLICK STEP(S) Close the Salesforce browsing tab.

He has seamless access to various line-of-business and custom applications, without having to remember multiple logins and passwords for each. CLICK STEP(S) Click on the Twitter app.

CLICK STEP(S) Close the Twitter browsing tab.

Organizations are using more Software as a Service (SaaS) applications for productivity because cloud technology and tools are becoming more readily available. As the number of SaaS apps grows, it becomes challenging for the administrators to manage accounts and access rights, and for the users to remember their different passwords. Managing these applications individually creates extra work and is less secure. Employees who have to keep track of many passwords tend to use less-secure methods to remember them, either writing down passwords or using the same passwords across many accounts. When a new employee arrives or one leaves, all their accounts must be individually provisioned or de-provisioned. Additionally, employees may start using SaaS apps for their work without going through IT, which means they are creating their own accounts on systems that the IT administrators haven't approved and aren't monitoring. A solution for all of these challenges is single sign-on (SSO). It's the simplest way to manage multiple apps and provide users with a consistent sign-on experience. Azure Active Directory (Azure AD) provides a robust SSO solution and has many available pre-integrated applications, with tutorials for admins to quickly set up a new app and start provisioning users. CLICK STEP(S) Click anywhere to end presentation.