Single Sign-On with Microsoft Azure
4/22/2017
Julian Soh, Mark Ghazai

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Azure Active Directory: Your Directory in the Cloud
- Cloud authentication
- A comprehensive identity and access management cloud solution
- It combines directory services, advanced identity governance, application access management and a rich standards-based platform for developers
- Azure Active Directory Premium includes Multi-Factor Authentication, and server and user CALs for Identity Manager
Difference between Directory Sync and AD FS
- Directory Synchronization is an identity propagation workload: it copies users, groups and contacts (and, with Password Sync, password hashes) from on-premises AD into Azure AD. It does not require AD FS.
- AD FS is responsible for authentication. It is the claims middleman between Azure AD and the on-premises domain controllers: it validates the user against AD DS and issues a signed token that Azure AD trusts.
- AD FS generally requires some kind of directory synchronization first, because Azure AD must already hold a user object whose immutable identifier matches the claim AD FS issues for that user.
1a – Simple Configuration: Password Sync

[Diagram: ‘Central’ AD -> Forefront Identity Manager (DirSync) with Password Sync (provisioning platform) -> Azure Active Directory (IdP and authentication platform) -> Exchange, SharePoint, Lync Online; administered through the Office 365 Portal/PowerShell; optional Exchange Hybrid and Portal]

Support implications:
- Standard deployment model that is supported by Office 365 support.
- The portal is an optional component that can be used for group management or delegation of administration. Depending on what is used, it would be supported via paid Microsoft support or the product vendor.

Information is provided as examples with no assumption of support expressed or implied. Deployment recommendations should be obtained through consulting services.
1b – Simple Configuration: Federated Authentication

[Diagram: ‘Central’ AD (IdP) -> AD Federation Services (authentication platform) -- AD FS federation trust --> Azure Active Directory; Forefront Identity Manager (DirSync) (provisioning platform) -> Azure Active Directory -> Exchange Online, SharePoint Online, Lync Online; Office 365 Portal/PowerShell; optional Exchange Hybrid and Portal]

Support implications:
- Standard deployment model that is supported by Office 365 support. Adds AD FS for federated authentication.
- The portal is an optional component that can be used for group management or delegation of administration. Depending on what is used, it would be supported via paid Microsoft support or the product vendor.
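The federated topology (1b, and the AD FS farms in scenarios 3 and 4) rests on two settings held on the Azure AD side: the domain must be marked Federated rather than Managed (the 1a/2 password-sync models), and the federation settings must point at your own AD FS farm and trust the certificate that farm signs tokens with. The PowerShell below, added here as an example and not part of the original deck, checks both for one domain. The domain name and federation service host are placeholders; it assumes the MSOnline and ADFS modules are installed and that it runs on an AD FS server under Windows PowerShell 5 or later.

```powershell
# Added example; not from the original deck. Verifies that a custom domain is
# federated in Azure AD and that the federation settings Azure AD holds point at
# your own AD FS farm and trust the certificate the farm is signing with.
# Assumptions: MSOnline and ADFS modules installed, run on an AD FS server with
# Windows PowerShell 5 or later; $domain and $farmHost are placeholders.
Import-Module MSOnline
Import-Module ADFS

$domain   = 'contoso.com'        # assumption: your verified, federated domain
$farmHost = 'sts.contoso.com'    # assumption: federation service name of your farm

Connect-MsolService              # prompts for a Global Administrator credential

$d = Get-MsolDomain -DomainName $domain
"{0}: Authentication = {1}" -f $d.Name, $d.Authentication   # Managed (1a/2) or Federated (1b/3/4)

if ($d.Authentication -ne 'Federated') {
    "Domain is Managed: users authenticate directly against Azure AD (password sync model)."
    return
}

$fs = Get-MsolDomainFederationSettings -DomainName $domain

# 1. Endpoints Azure AD redirects users to. A host outside your farm means the
#    trust has been re-pointed to some other identity provider.
"IssuerUri        : $($fs.IssuerUri)"
foreach ($p in 'PassiveLogOnUri', 'ActiveLogOnUri') {
    $u    = [Uri]$fs.$p
    $flag = if ($u.Host -ne $farmHost) { '   <-- not our farm' } else { '' }
    "{0,-17}: {1}{2}" -f $p, $u, $flag
}

# 2. The token-signing certificate Azure AD trusts versus the farm's primary one.
#    Azure AD stores the certificate as Base64 DER in SigningCertificate.
function ConvertFrom-Base64Cert([string]$b64) {
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($b64))
}
$cloudCert = ConvertFrom-Base64Cert $fs.SigningCertificate
$farmCert  = Get-AdfsCertificate -CertificateType Token-Signing |
             Where-Object IsPrimary | Select-Object -ExpandProperty Certificate

"Cloud-trusted signing cert : $($cloudCert.Thumbprint) (expires $($cloudCert.NotAfter))"
"Farm primary signing cert  : $($farmCert.Thumbprint) (expires $($farmCert.NotAfter))"

if ($cloudCert.Thumbprint -ne $farmCert.Thumbprint) {
    Write-Warning 'Signing certificate mismatch: either a rollover has not been pushed to Azure AD with Update-MsolFederatedDomain, or the trust was changed outside your process.'
}
if ($fs.NextSigningCertificate) {
    $next = ConvertFrom-Base64Cert $fs.NextSigningCertificate
    "Azure AD also trusts a secondary signing cert : $($next.Thumbprint)"
}
```

Run it once after Convert-MsolDomainToFederated and again after every token-signing certificate rollover. Whoever controls the signing certificate and logon URIs that Azure AD trusts can issue tokens for every user in the domain, so unexplained drift in either is worth treating as an incident rather than a configuration nit.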
2 – Password Sync for Same-Sign-On

[Diagram: ‘Agency’ AD (IdP) -> FIM w/ Password Sync -> ‘Central’ AD (IdP) -> Forefront Identity Manager with Password Sync (provisioning platform) -> Azure Active Directory (authentication platform) -> Exchange Online, SharePoint Online, Lync Online; Office 365 Portal/PowerShell; optional Exchange Hybrid and Portal]

Support implications:
- The ‘Central’ environment is configured as a standard deployment model that is supported by Office 365 support.
- The complexity is abstracted from the O365 portion through a FIM sync that also replicates passwords from the ‘Agency’ AD. That FIM implementation or other solution would be supported by paid Microsoft support or the product vendor.
- The portal is an optional component that can be used for group management or delegation of administration. Depending on what is used, it would be supported via paid Microsoft support or the product vendor.

Notes:
- This model could also use AD FS out of ‘Central’. If AD FS is used, single sign-on would only be available for users whose desktops exist in the ‘Central’ AD; ‘Agency’ users would still get same-sign-on (the same password, but a prompt).
- This solution is useful where a customer:
  - is planning to do an AD consolidation bringing ‘Agency’ into ‘Central’;
  - wants to use a single namespace for authentication.
- This solution can keep the management of the ‘Central’ environment as a standard deployment.
3 – Agency Single Sign-On w/ Central ADFS

[Diagram: ‘Agency’ AD (IdP) <-- two-way forest trust --> ‘Central’ AD (IdP); ‘Central’ AD Federation Services (authentication platform) -- AD FS federation trust --> Azure Active Directory; FIM Server / Forefront Identity Manager (provisioning platform) -> Azure Active Directory -> Exchange Online, SharePoint Online, Lync Online; Office 365 Portal/PowerShell; optional Exchange Hybrid and Portal]

Support implications:
- The ‘Central’ environment is configured as a standard deployment model w/ FIM+Connector. The main components are supported by Office 365 support.
- For FIM+Connector, the connector is provided by Microsoft and supported by Office 365 support. The rest of the FIM implementation would need to be maintained by the customer and supported by paid Microsoft support.
- The complexity is abstracted from the O365 portion through a FIM sync that stamps a custom immutable identifier on users in both forests; that identifier is what AD FS issues as the ImmutableID claim during authentication, so it must be identical on the ‘Agency’ object, the ‘Central’ object and the Azure AD object. That FIM implementation or other solution would be supported by paid Microsoft support or the product vendor.
- The portal is an optional component that can be used for group management or delegation of administration. Depending on what is used, it would be supported via paid Microsoft support or the product vendor.

Notes:
- My understanding is that you can now customize DirSync to pull the immutable ID from a custom attribute. If that is the case, DirSync could be used instead of FIM+Connector.
- This solution is useful where a customer:
  - already has a FIM sync in place;
  - has a central authority to run the Office 365 solution, but the ‘Agency’ organization wants to remain as autonomous as possible;
  - does not want to use a single namespace for authentication;
  - ‘Agency’ desires single sign-on;
  - there is a potential for a forest consolidation in the future.
4 – Agency Single Sign-On w/ Agency Provided ADFS

[Diagram: ‘Agency’ AD (IdP) -> ‘Agency’ AD Federation Services; ‘Central’ AD (IdP) -> ‘Central’ AD Federation Services (authentication platform); AD FS federation trusts from both farms to Azure Active Directory; FIM Server / Forefront Identity Manager (provisioning platform) -> Azure Active Directory -> Exchange Online, SharePoint Online, Lync Online; Office 365 Portal/PowerShell; optional Exchange Hybrid and Portal]

Support implications:
- The ‘Central’ environment is configured as a standard deployment model w/ FIM+Connector. The main components are supported by Office 365 support.
- For FIM+Connector, the connector is provided by Microsoft and supported by Office 365 support. The rest of the FIM implementation would need to be maintained by the customer and supported by paid Microsoft support.
- The complexity is abstracted from the O365 portion through a FIM sync that stamps a custom immutable identifier on users in both forests that is used for AD FS authentication. That FIM implementation or other solution would be supported by paid Microsoft support or the product vendor.
- The portal is an optional component that can be used for group management or delegation of administration. Depending on what is used, it would be supported via paid Microsoft support or the product vendor.

Notes:
- This is very similar to the previous example, but is useful where a two-way forest trust is not possible. It requires multiple AD FS farms, one per forest, each with its own federation trust to Azure AD.
- My understanding is that you can now customize DirSync to pull the immutable ID from a custom attribute. If that is the case, DirSync could be used instead of FIM+Connector.
- This solution is useful where a customer:
  - already has a FIM sync in place;
  - has a central authority to run the Office 365 solution, but the ‘Agency’ organization wants to remain as autonomous as possible;
  - does not want to use a single namespace for authentication;
  - ‘Agency’ desires single sign-on;
  - ‘Agency’ or ‘Central’ are opposed to a trust;
  - there is a potential for a forest consolidation in the future.
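Scenarios 3 and 4 both stand or fall on one value: the custom immutable identifier FIM stamps on the user in both forests has to be the same value AD FS issues as the ImmutableID claim and the same value Azure AD stores on the synchronized user. The PowerShell below is an added example (not from the deck) that checks this for one user: it reads the user's objectGUID and the custom anchor attribute from the ‘Agency’ forest, compares both against the ImmutableId Azure AD holds for that UPN, and prints the AD FS issuance rule that produces the ImmutableID claim so you can see which attribute the farm actually queries. The UPN, the anchor attribute name and the domain controller are placeholders; the relying party trust name is the default one created by Convert-MsolDomainToFederated. It assumes the ActiveDirectory, MSOnline and ADFS modules are available on the machine it runs on.

```powershell
# Added example; not from the original deck. Checks, for one synchronized user,
# that the on-premises anchor (the custom attribute FIM stamps in both forests,
# or the objectGUID if DirSync's default is used) equals the ImmutableId Azure AD
# holds, and shows which attribute the AD FS relying party trust queries for the
# ImmutableID claim. $upn, $anchorAttr and $agencyDc are placeholders.
Import-Module ActiveDirectory
Import-Module MSOnline
Import-Module ADFS

$upn        = 'jane.doe@agency.example'   # assumption: a user from the ‘Agency’ forest
$anchorAttr = 'extensionAttribute10'      # assumption: attribute FIM stamps in both forests
$agencyDc   = 'dc01.agency.example'       # assumption: a DC reachable across the trust
$rpName     = 'Microsoft Office 365 Identity Platform'   # default RP trust name

function ConvertTo-ImmutableId {
    # Azure AD stores a GUID-based anchor as the Base64 of the GUID's 16 bytes;
    # this is what the default DirSync/AD FS configuration derives from objectGUID.
    param([Parameter(Mandatory)][Guid]$Guid)
    [Convert]::ToBase64String($Guid.ToByteArray())
}

# 1. What the on-premises forest says about the user.
$adUser = Get-ADUser -Server $agencyDc -Filter "userPrincipalName -eq '$upn'" -Properties objectGUID, $anchorAttr
if (-not $adUser) { throw "No user with UPN $upn on $agencyDc" }

$anchorFromGuid   = ConvertTo-ImmutableId $adUser.ObjectGUID
$anchorFromCustom = [string]$adUser.$anchorAttr

# 2. What Azure AD holds for the same UPN.
Connect-MsolService
$cloudUser = Get-MsolUser -UserPrincipalName $upn
if (-not $cloudUser) { throw "No Azure AD user with UPN $upn (not synchronized yet?)" }

"objectGUID as ImmutableID     : $anchorFromGuid"
"custom anchor ($anchorAttr) : $anchorFromCustom"
"Azure AD ImmutableId          : $($cloudUser.ImmutableId)"

if ($anchorFromCustom -and $cloudUser.ImmutableId -eq $anchorFromCustom) {
    'OK: Azure AD anchor matches the custom attribute (scenario 3/4 configuration).'
} elseif ($cloudUser.ImmutableId -eq $anchorFromGuid) {
    'OK: Azure AD anchor matches objectGUID (default DirSync behaviour).'
} else {
    Write-Warning 'Anchor mismatch: federated sign-in for this user fails until the ImmutableID claim AD FS issues and the anchor Azure AD holds agree.'
}

# 3. Which attribute AD FS issues as ImmutableID. The issuance rules are one
#    string; split it at each @RuleName and show only rules that mention the claim.
$rules = (Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
($rules -split '(?=@RuleName)') |
    Where-Object { $_ -match 'ImmutableID' } |
    ForEach-Object { $_.Trim() }
```

If step 3 shows the rule querying objectGUID while step 1 shows the custom attribute is what Azure AD holds, the farm's issuance rule, not the sync, is what needs changing. Run the same script against a ‘Central’ user (swap $agencyDc for a ‘Central’ DC) to confirm both forests stamp the identical value.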
Run these in Azure? Why?
- What these topologies look like when running in Azure
- Connectivity: site-to-site VPN or ExpressRoute back to on-premises AD
- Why? Uptime, SLA, redundancy
[Diagram: domain controller and web server/application hosted in Azure, with inbound client traffic on TCP 443 (HTTPS)]
MIM enables consistent IAM policies

[Diagram: on-premises and private cloud (Microsoft Identity Manager vNext, your apps) connected to Azure Active Directory through Azure AD App Proxy]
Identity Manager Capabilities
- Clients: Portal, Outlook, Windows, Custom
- Identity Manager Platform: Policies and Workflow (Request, Permission, Action), AuthN, AuthZ, Service DB; Identity Synchronization
- Scenarios: Role Management, Certificate Management, Group Management, Password Reset
- Identity Stores: Cloud Services, Databases, Directories, Applications
Azure AD Connect Demo
Azure Calculator Demo
http://azure.microsoft.com/en-us/pricing/calculator/

Typical VM sizes:
- 1x AAD Sync Server with internal database (1 x A2 Basic VM)
- 1x R/W Domain Controller (1 x A2 Basic VM)
- 2x AD FS Proxy Servers (optional) (2 x A2 Standard VM)
- 2x AD FS Servers (2 x A2 Standard VM)
Azure AD as an IDaaS demo…
Resources
- Azure Active Directory Connect: https://msdn.microsoft.com/en-us/library/azure/dn832695.aspx
- Office 365 and ADFS: Active Directory Federation Service Installation: http://social.technet.microsoft.com/wiki/contents/articles/9082.office-365-and-adfs-active-directory-federation-service-installation.aspx