Azure AD Application Proxy
Presentation transcript:

Azure AD Application Proxy
Rick Leos
uConnect Administrator
IET - Enterprise Applications and Infrastructure Services
University of California, Davis
rmleos@ucdavis.edu
(530) 752-1161

Business Intelligence Office: Tableau
Requirements:
- Authentication using Active Directory
- Authorization using Active Directory groups
- Must use multi-factor authentication
- Must sit behind a reverse web proxy

Business Intelligence Office: Tableau
Deployment option 1: Tableau's Active Directory connection provides AuthN and AuthZ (group membership), but no MFA.
Deployment option 2: SAML provides AuthN and MFA, but no AuthZ, because the application cannot consume group claims from the SAML assertion. This requires a custom process to sync AD groups to internal roles in Tableau, plus additional infrastructure for the reverse web proxy.
Disadvantages:
- Option 1: users would have to connect to the VPN (with MFA) to reach the application.
- Option 2: a custom process is needed to keep AD groups in sync with internal Tableau roles.

Business Intelligence Office: Tableau
How do we get all the benefits of options 1 and 2 without any of the disadvantages?

Azure AD Application Proxy
- Cloud-scale reverse proxy.
- Secure remote access to web applications hosted on-premises, with pre-authentication, Conditional Access and two-step verification.
- Can provide a single sign-on experience using Integrated Windows Authentication (Kerberos constrained delegation from the connector), linked sign-on (ADFS to ADFS), header-based sign-on, or password-based sign-on (requires the browser extension).
- No inbound connections through your firewall, VPN, DMZ, edge servers or other complex infrastructure; the on-premises connectors only make outbound connections to the service.
- Pass-through mode (no Azure AD pre-authentication) is available but is not the default.

Azure AD Application Proxy
What kind of applications work with Application Proxy?
- Web applications that use Integrated Windows Authentication
- Web applications that use form-based or header-based access
- Web APIs that you want to expose to rich applications on different devices
- Applications hosted behind a Remote Desktop Gateway
- Rich client apps that are integrated with the Active Directory Authentication Library (ADAL)

Request flow (the same diagram is shown on each of the following slides, with one step highlighted per slide)

Diagram components:
- Microsoft Azure: Azure AD, Azure AD Application Proxy Service, request/response queue
- On-premises external network: ADFS, with Duo for MFA
- On-premises internal network: Active Directory; connector group containing Connector 1, Connector 2 and Connector 3; internal apps https://iet-internal.ucdavis.edu and https://tableau-dev.ou.ad3.ucdavis.edu
- Published external URL: https://aggiedash-dev.ucdavis.edu (CNAME to aggiedash-dev-ucdavis365.msappproxy.net)

Steps:
1. User goes to the site (the external URL).
2. User provides their email address / UPN.
3. The proxy forwards the user's request to Azure AD.
4. Azure AD looks up the email address to determine whether the login is federated or non-federated.
5. The request is sent to Active Directory Federation Services for user authentication.
6. User authentication is performed by Active Directory.
7. The user now has a valid SAML ticket.
8. The Conditional Access policy for the app requires MFA, so the request is sent back to ADFS.
9. ADFS triggers Duo MFA for the user. The user approves the request.
10. All access policies are met; the reverse proxy fulfils the request to the internal resource.
11. The request is queued for a connector.
12. A connector authorized for the app (a member of its connector group) accepts the user session.
13. A session is created from the Azure proxy service to the connector.
14. The connector connects to the internal app.
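The flow above depends on three things being configured correctly: the app is published with Azure AD pre-authentication (not pass-through), it is bound to the connector group that can reach the internal URL, and only the AD-synced group is assigned to it. The following AzureAD-module script is an added example, not part of the original presentation or of UC Davis' own configuration; the URLs are the ones shown in the diagram, while the connector group name ("IET-Tableau"), the group name ("IET-Tableau-Users") and the display name are placeholders.

```powershell
# Added example: publish an on-premises Tableau site through Azure AD Application Proxy
# with Azure AD pre-authentication, bind it to a connector group, and restrict access to
# an AD-synced group. Requires the AzureAD PowerShell module and an Application
# Administrator (or Global Administrator) account. Names marked as placeholders are assumptions.
Import-Module AzureAD
Connect-AzureAD

$displayName = 'Tableau Dev'                                   # placeholder
$externalUrl = 'https://aggiedash-dev.ucdavis.edu/'            # custom domain, CNAME -> aggiedash-dev-ucdavis365.msappproxy.net
$internalUrl = 'https://tableau-dev.ou.ad3.ucdavis.edu/'       # internal app reached by the connectors

# Connector group holding the on-prem connectors (name is a placeholder).
$cg = Get-AzureADApplicationProxyConnectorGroup | Where-Object { $_.Name -eq 'IET-Tableau' }
if (-not $cg) { throw 'Connector group not found; create it and join the installed connectors to it first.' }

# Publish with Azure AD pre-authentication. In Passthru mode the proxy would forward
# any request reaching the external URL without an Azure AD sign-in, so Conditional
# Access and MFA would never be evaluated.
New-AzureADApplicationProxyApplication -DisplayName $displayName `
    -ExternalUrl $externalUrl -InternalUrl $internalUrl `
    -ExternalAuthenticationType AadPreAuthentication `
    -ConnectorGroupId $cg.Id | Out-Null

# Look up the application and its service principal that publishing created.
$app = Get-AzureADApplication -Filter "displayName eq '$displayName'"
$sp  = Get-AzureADServicePrincipal -Filter "appId eq '$($app.AppId)'"

# Authorization: require an assignment, then assign the AD-synced group (placeholder name).
Set-AzureADServicePrincipal -ObjectId $sp.ObjectId -AppRoleAssignmentRequired $true
$grp = Get-AzureADGroup -Filter "displayName eq 'IET-Tableau-Users'"
New-AzureADGroupAppRoleAssignment -ObjectId $grp.ObjectId -PrincipalId $grp.ObjectId `
    -ResourceId $sp.ObjectId -Id ([Guid]::Empty) | Out-Null

# Check: read the published settings back and fail loudly if pre-auth is not on or the
# app landed in a different connector group than intended.
$pub = Get-AzureADApplicationProxyApplication -ObjectId $app.ObjectId
if ($pub.ExternalAuthenticationType -ne 'AadPreAuthentication') {
    throw "Published in $($pub.ExternalAuthenticationType) mode; expected AadPreAuthentication"
}
$boundCg = Get-AzureADApplicationProxyApplicationConnectorGroup -ObjectId $app.ObjectId
if ($boundCg.Id -ne $cg.Id) {
    throw "App is bound to connector group '$($boundCg.Name)', expected '$($cg.Name)'"
}
"Published $externalUrl -> $internalUrl with pre-auth, connector group '$($cg.Name)', assigned to '$($grp.DisplayName)'"
```

Because the external URL is a custom domain rather than the default msappproxy.net name, a TLS certificate for that hostname must also be uploaded to the published app (Set-AzureADApplicationProxyApplicationCustomDomainCertificate) and the CNAME shown in the diagram must exist. The Conditional Access policy that enforces MFA in step 8 is configured separately in the Azure AD portal against this app's service principal; the AzureAD module does not manage Conditional Access policies.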

How do users access the app?
1. Going directly to the proxy's external URL
2. myapps.microsoft.com
3. Installing the "My Apps" app from Google Play or iTunes
4. office365.ucdavis.edu, then clicking the tiles icon at the top left

Demo