Timothy Heeney | Microsoft Corporation


Objectives:
- Discuss the purpose of Identity Federation
- Explain how to implement Identity Federation
- Explain how Identity Federation works
- Basic troubleshooting

Cloud identity

User experience:
- Sign in with a cloud identity; authentication happens in the cloud
- Users have two IDs: one to access on-premises services and one for Online services
- Users are prompted for credentials when accessing Online services, even when logged into the domain

Administrator experience:
- Manages password policy in the cloud and on premises
- Password reset for on-premises and MS Online IDs
- No 2-factor authentication integration

Federated identity

User experience:
- Users sign in with their corporate ID; authentication happens on premises
- Users have a single credential that provides SSO to on-premises and Online services
- Users get a true SSO experience
- 2-factor authentication can be used if it is deployed on premises

Administrator experience:
- Manages password policy on premises only
- Password reset for on-premises IDs only
- 2-factor authentication integration options
- Requires additional servers to enable identity federation, so there is an additional up-front cost

For any of the thick (rich) clients to work properly with SSO, the service connector must be installed.

Service connector:
- Installs client and operating system updates to enable the best sign-on experience. Some of these updates are hotfixes and are not available through normal Windows Update procedures
- Enables authentication support for rich clients
- Ensures clients have all the configuration data needed to use the service
- Can be deployed centrally, or installed locally by the user if they have local Admin privileges
- The SSO client is also needed on the Exchange and AD FS servers in order to connect to Online Services

Implementation steps:
1. Ensure there is a valid UPN for the on-premises users
2. Install a Certificate Authority or deploy a third-party certificate
3. Install and configure AD FS 2.0
4. Install the Microsoft Online Services Identity Federation Management tools
5. Implement Directory Synchronization

UPN:
- Users need an external UPN suffix (contoso.com, not contoso.local)
- You can add this in AD Domains and Trusts as an alternate UPN suffix
- You can use ADUC to change the users to the new UPN suffix
- You can use ADMODIFY to change the users to the new UPN suffix
- An external suffix is needed so that domain verification can occur (public CNAME record)
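The UPN step above done in bulk, as an added example that is not part of the deck: it checks that the public suffix is registered as an alternate UPN suffix, then reports (and optionally rewrites) every enabled user still carrying a non-routable suffix. It assumes the ActiveDirectory RSAT module; contoso.com and the search base are placeholders.

```powershell
# Added example (not from the deck): audit and optionally fix UPN suffixes before
# federation. Assumes the ActiveDirectory module (RSAT); placeholders below.
Import-Module ActiveDirectory

$VerifiedSuffix = 'contoso.com'                    # placeholder: the public suffix verified in Online Services
$SearchBase     = 'OU=Staff,DC=contoso,DC=local'   # placeholder: where the users live
$Apply          = $false                           # $true to actually rewrite UPNs

# The suffix must already exist as an alternate UPN suffix (AD Domains and Trusts).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $VerifiedSuffix) {
    throw "'$VerifiedSuffix' is not an alternate UPN suffix in forest $($forest.Name); add it in AD Domains and Trusts first."
}

$users   = @(Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties UserPrincipalName)
$changed = 0
foreach ($u in $users) {
    $upn = $u.UserPrincipalName
    if (-not $upn) { Write-Warning "$($u.SamAccountName): no UPN set"; continue }

    $local, $suffix = $upn -split '@', 2
    if ($suffix -ieq $VerifiedSuffix) { continue }   # already on the routable suffix

    # Keep the existing local part; only the suffix changes (same result as the ADUC drop-down).
    $newUpn = "$local@$VerifiedSuffix"
    Write-Output ("{0,-45} -> {1}" -f $upn, $newUpn)
    if ($Apply) {
        Set-ADUser -Identity $u -UserPrincipalName $newUpn
        $changed++
    }
}
Write-Output "$($users.Count) users checked, $changed UPNs changed (Apply=$Apply)"
```

Run it with $Apply left at $false first; the report is what you would otherwise compile by hand from ADUC before pointing ADMODIFY at the OU.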

Certificates:
- With Identity Federation, users are redirected to the AD FS endpoint over HTTPS
- An Enterprise CA is needed to issue a certificate for the AD FS endpoint, or a third-party certificate with the proper names can be used
- A token-signing certificate is also used by the MFG (Microsoft Federation Gateway) to validate the claims made by the on-premises AD FS
- IIS needs to be installed on the AD FS server, and the certificate issued to the AD FS server needs to be bound to port 443 on that server
- Third-party certificates can also be used as long as the private key is present with the certificate

Install AD FS 2.0:
- Download and install AD FS 2.0 (instructions are on the portal)
- A full SQL instance is optional and requires a command-line install:
  - ADFSSetup.exe /quiet
  - FSConfig.exe CreateSQLFarm
  - FSConfig.exe JoinSQLFarm
- Then configure AD FS:
  - From the Start menu select AD FS 2.0 Management
  - Select AD FS 2.0 Server Configuration Wizard

Microsoft Online Services Identity Federation Management tool (MOSID):
- Download and install the MOSID tool (used to establish the trust and transfer the proper configuration and certificates); it is available from the portal
- Click Start > All Programs > Microsoft Online Services > Microsoft Online Services Identity Federation Management Tool
- Run the following commands:

  $cred = Get-Credential
  (prompts for your Online Admin credentials)

  Set-MSOLContextCredential -MSOLAdminCredential $cred
  (sets the PowerShell context to the Online Administrator account)

Cmdlet name                        Description
Add-MSOLFederatedDomain            Add a new identity federated domain
Convert-MSOLDomainToFederated      Convert a standard domain to an identity federated domain
Convert-MSOLDomainToStandard       Convert an identity federated domain back to a standard domain; converts users back to Microsoft Online IDs
Update-MSOLFederatedDomain         Update the identity federated domain
Get-MSOLFederationProperty         Get the identity federated domain properties
Remove-MSOLFederatedDomain         Remove the identity federated domain

Troubleshooting:
- Logs are located in C:\users\userAccount\documents\MicrosoftOnline\MSOL-IdentityFederation-date (show the log)
- Event logging for AD FS 2.0
- Enable additional logging and verbose logging: edit the federation properties and enable verbose logging in Event Viewer
  - To start verbose logging run: wevtutil.exe sl "AD FS 2.0 Tracing/Debug" /l:5
  - Show analytic and debug logs in Event Viewer
  - Enable the debug log in Event Viewer
- "Your organization could not sign you in to this service." Common causes:
  - Link Translation on ISA may be enabled
  - The URLs are configured incorrectly in AD FS
  - Check that the MFG relay trust URL is correct
  - Any of the certificates were updated in AD FS but not updated to the MFG
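A pre-flight script for the certificate-related causes in the list above, added here as an example rather than taken from the deck: it checks the endpoint certificate in the machine store, confirms the federation metadata endpoint answers over HTTPS, and reports the token-signing certificate whose change the MFG only learns about through Update-MSOLFederatedDomain. It assumes the AD FS 2.0 PowerShell snap-in on the AD FS server; sts.contoso.com is a placeholder for the federation service FQDN.

```powershell
# Added example (not from the deck): certificate pre-flight checks on an AD FS 2.0 server.
# Assumes the AD FS 2.0 snap-in; $fsName is a placeholder.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop
$fsName = 'sts.contoso.com'   # placeholder: federation service FQDN

# 1. Endpoint (SSL) certificate: present in LocalMachine\My, private key available,
#    name matches the service, not about to expire. This is the cert bound to 443 in IIS.
$ssl = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "*CN=$fsName*" })
if ($ssl.Count -eq 0) { Write-Warning "no certificate for $fsName in LocalMachine\My" }
foreach ($c in $ssl) {
    $days = [int]($c.NotAfter - (Get-Date)).TotalDays
    Write-Output ("SSL  {0} privatekey={1} expires in {2} days" -f $c.Thumbprint, $c.HasPrivateKey, $days)
    if (-not $c.HasPrivateKey) { Write-Warning "no private key: cannot be bound to the AD FS endpoint" }
    if ($days -lt 30)          { Write-Warning "endpoint certificate expires within 30 days" }
}

# 2. The endpoint must actually answer over HTTPS with a trusted, name-matching cert.
#    A chain or name error here is what the browser reports as
#    "Your organization could not sign you in to this service."
$metaUrl = "https://$fsName/FederationMetadata/2007-06/FederationMetadata.xml"
try {
    $meta = [xml](New-Object Net.WebClient).DownloadString($metaUrl)
    Write-Output ("metadata OK, entityID={0}" -f $meta.EntityDescriptor.entityID)
} catch {
    Write-Warning "cannot fetch $metaUrl : $($_.Exception.Message)"
}

# 3. Token-signing certificate: the MFG validates claims against the copy it was given,
#    so a renewed or auto-rolled cert must be pushed with Update-MSOLFederatedDomain.
$signing = Get-ADFSCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$days    = [int]($signing.Certificate.NotAfter - (Get-Date)).TotalDays
$props   = Get-ADFSProperties
Write-Output ("SIGN {0} expires in {1} days, AutoCertificateRollover={2}" -f
    $signing.Certificate.Thumbprint, $days, $props.AutoCertificateRollover)
if ($days -lt 30) {
    Write-Warning "token-signing cert is close to expiry; after it changes, run Update-MSOLFederatedDomain so the MFG gets the new cert"
}
```

Keep the SIGN thumbprint it prints next to the MSOL-IdentityFederation log from the last Update-MSOLFederatedDomain run; if they differ, the MFG is still validating against the old certificate.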

How the sign-in works:
1. We browse to the service and are redirected to the identity provider for the Online Services, login.microsoftonline.com
2. We type in our address and realm discovery occurs; the client is redirected to the on-premises STS because the domain part of the address is federated
3. We send our credentials to the STS and receive a token in return
4. We send that token to login.microsoftonline.com
5. We receive a token from the MFG and submit it to portal.microsoftonline.com
(Show this in a WinHTTP trace.)


Why use an AD FS proxy?
- Security
- Key protection
- Client connections terminate at the proxy

How do you install the AD FS proxy?
- Export the certificate and private key from the AD FS server
- Import the .pfx file into the AD FS proxy server
- Download the AD FS 2.0 installation files

After Identity Federation is configured we need to ensure that DirSync is deployed. When DirSync is configured, management of user objects is performed on premises, with the exception of licensing.

Deployment flow:
1. Plan (read the documentation)
2. Prepare: add and verify SMTP domains (DNS administration); configure services (Online Services Configuration, Admin Portal)
3. Establish federation and/or coexistence: set up Identity Federation (Microsoft Online Identity Tool); enable CCS for coexistence; install, configure and perform DirSync (Microsoft Online DirSync Tool)
4. License users (Admin Portal)

DirSync:
- Used when there is any type of coexistence
- Provides a unified GAL and user account provisioning
- When DirSync is enabled and configured, users are mastered on premises and then synchronized to the cloud

© 2010 Microsoft Corporation.