Date post: | 30-Dec-2015 |
Microsoft Business Productivity Online Standard Suite (BPOS) v.Next: Identity and Access Solutions
Dan Kershaw
Principal Program Manager
Microsoft Corporation
SESSION CODE: COS206
What we’re going to cover
• Overview of Microsoft Online Services
• Current in-market identity and access solutions
  • Microsoft Online identities
  • Sign in client
  • Directory Synchronization
• Future identity and access solutions
  • New identity features
  • Identity Federation
Microsoft Online Services
Enterprise class software delivered via subscription services hosted by Microsoft and sold with partners
Business Productivity Online Suite
Reduce both capital expenditure and operational expense
• No hardware build-out cost
• No more periodic server upgrade consulting projects
• Software offered as a pure subscription
Make your cost even and predictable
• Flat per-user, per-month fee
• No need to renew software and hardware purchases every few years
• Your price is protected for the duration of your contract
Buy what you need when you need it
• Avoid over-purchasing
• Scale as your business grows
• Get the right license for the right users with deskless worker option
Finance benefits
“Not having to pay up front is a significant benefit.”
Ariejan van Saane, General Manager, Procore
“As a businessman, I have to control capital costs and my operating budget. Microsoft Online Services is a fraction of the cost and a quantum leap forward in capability”
Jeff Staser, Founder, Staser Consulting Group
“If we need to support 150 people, we can get 150 people up and running in a matter of days.”
Jennifer Boyd, Administrative Manager, Staser Consulting Group
Microsoft Online Service identities and authentication
Managing organizational identities
Sign in experience
Demo
Current identity architecture
1. Microsoft Online IDs
2. Microsoft Online IDs + DirSync
(Diagram) Contoso customer premises: Active Directory, MS Online Directory Sync, sign-in client. Microsoft Online Services: Identity platform (provisioning platform, directory store, authentication platform, IdP), Admin Portal, Communicator Online, SharePoint Online, Exchange Online, Live Meeting.
Current identity options summary
1. Microsoft Online IDs: IDs are mastered in the service/cloud. Password policy is in the cloud
2. Microsoft Online IDs + Directory Sync: IDs are mastered on premise, and synchronized to the service/cloud in the form of Microsoft Online IDs. Password policy is in the cloud
Directory synchronization to Microsoft Online Services
• Syncs Users, Groups and Contacts
• All users are synced as logon disabled and deactivated users initially.
Identity and access solutions
What the future looks like…
Identity solution feedback for the current service
• No SSO with corporate credential
• Painful to manage separate corporate and cloud credential
• Password policy is not configurable
• Role-based administration not possible
• Strong authentication (2FA) not available
• Platform provisioning APIs not available
MS Online identity features roadmap
• Federated IDs
• Directory Synchronization updates
• Role-based administration
  • Five admin roles: Company Admin, Billing Admin, User Account Admin, HelpDesk Admin, Service Support Admin
“Admin on behalf of” for support partners
Authentication options
End user sign-in experience
Microsoft Online IDs
• Sign in with cloud identity
• Authentication happens in the cloud
• Users have two IDs – one to access on-premises services & one for cloud services
• Users prompted for creds
Federated IDs (New)
• Sign in with corporate ID
• Authentication happens on premises
• Users have a single credential to provide SSO to on premises and cloud services
• Users get true SSO
Authentication options
IT Administrator considerations
Microsoft Online IDs
• Manages password policy in cloud & on-prem
• Password reset for on-prem & MS Online IDs
• No 2 Factor Auth integration
Federated IDs (New)
• Manages password policy on-premise only
• Password reset for on-premise IDs only
• 2 Factor Auth integration options
• Requires additional servers to enable identity federation
Identity architecture: Federated IDs
1. Microsoft Online IDs
2. Microsoft Online IDs + DirSync
3. Federated IDs + DirSync
(Diagram) Contoso customer premises: Active Directory (IdP), Active Directory Federation Server 2.0, MS Online Directory Sync, sign-in client, sign-in assistant. A trust links the customer's AD FS 2.0 to the Federation Gateway. Microsoft Online Services: Federation Gateway, Identity platform (provisioning platform, directory store, authentication platform, IdP), Admin Portal, Communicator Online, SharePoint Online, Exchange Online, Live Meeting.
Identity option summary
1. Microsoft Online IDs: IDs are mastered in the service/cloud. Password policy is in the cloud
2. Microsoft Online IDs + Directory Sync: IDs are mastered on premise, and synchronized to the service/cloud in the form of Microsoft Online IDs. Password policy is in the cloud
3. Federated IDs + Directory Sync: IDs are mastered on premise, and synchronized to the service in the form of Federated IDs. Password policy is controlled on premise.
Identity Federation
Configuration and management
GOAL: Establish a trust relationship with Microsoft Online Services
Accomplished via the MS Online Identity Federation Management tool
Configuring identity federation is a 2-step process:
1. Install and configure AD FS 2.0 server
2. Run the tool to establish trust for a domain
(Diagram) Enterprise: Server Apps, AD FS 2.0, Active Directory (IdP). A trust links AD FS 2.0 to the Microsoft Online Services Federation Gateway, behind which sit the Identity Platform (directory store), SharePoint Online and Exchange Online.
Identity federation
Set up identity federation
Seamless sign-in experience using a corporate credential
demo
Identity Federation
Microsoft Online Identity Management Tool
PowerShell cmdlets and UI tool
Tool functionality
• Add a new identity federated domain
• Convert a standard domain to an identity federated domain
• Convert an identity federated domain back to a standard domain (converts users back to Microsoft Online IDs)
• Update the identity federated domain
• Get the identity federated domain properties
• Remove the identity federated domain
Identity federation
Active Directory Federation Server 2.0 deployment options
1. Single server configuration
2. AD FS 2.0 server farm and load-balancer
3. AD FS 2.0 proxy server (offsite users)
(Diagram) Enterprise: internal user, Active Directory, AD FS 2.0 servers. DMZ: AD FS 2.0 server proxy.
Identity Federation
Authentication flow (passive profile)
(Diagram) Customer side: client (joined to CorpNet), Active Directory, AD FS 2.0 server. Microsoft Online Services side: Federation Gateway, Exchange Online or SharePoint Online.
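The diagram only names the actors, so here is an added model of the passive-profile redirect chain between them (this is illustration written for this page, not Microsoft's or AD FS 2.0's code). It follows the standard WS-Federation passive sequence: the relying party redirects to the federation gateway, the gateway redirects a federated user to the customer's AD FS 2.0, AD FS authenticates against Active Directory and issues a token, and the gateway re-issues its own token for Exchange Online. HMAC-signed JSON stands in for the signed SAML tokens a real AD FS issues, the realm URNs, key bytes, account and host names are all constructed, and the checks the gateway performs (signature under the trusted domain's key, audience, expiry, and that the asserted UPN belongs to the domain the trust was established for) are this model's own design, not documentation of the service.

```python
import hashlib
import hmac
import json

# Constructed keys standing in for the X.509 signing certificates of the
# customer's AD FS 2.0 server and of the Microsoft Online federation gateway.
ADFS_KEY = b"contoso-adfs-signing-key"
GATEWAY_KEY = b"msonline-gateway-signing-key"

def sign(claims, key):
    """HMAC-signed JSON stands in for a signed SAML token."""
    body = json.dumps(claims, sort_keys=True)
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def verify(token, key, audience, now):
    """Checks signature, audience and expiry; raises ValueError on any failure."""
    body, _, mac = token.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("signature check failed")
    claims = json.loads(body)
    if claims["aud"] != audience:
        raise ValueError("token issued for another relying party")
    if claims["exp"] <= now:
        raise ValueError("token expired")
    return claims

class ActiveDirectory:
    """On-premises directory: UPN -> (password, immutable id)."""
    def __init__(self, accounts):
        self.accounts = accounts
    def authenticate(self, upn, password):
        rec = self.accounts.get(upn)
        if rec is None or rec[0] != password:
            raise PermissionError("bad credentials")
        return rec[1]

class AdfsServer:
    """Customer IdP: authenticates against AD, issues a token for the gateway."""
    def __init__(self, issuer, ad, key):
        self.issuer, self.ad, self.key = issuer, ad, key
    def issue(self, upn, password, wtrealm, now):
        immutable_id = self.ad.authenticate(upn, password)
        return sign({"iss": self.issuer, "aud": wtrealm, "upn": upn,
                     "immutableId": immutable_id, "exp": now + 300}, self.key)

class FederationGateway:
    """Microsoft Online side: one trust (issuer, key) per federated domain."""
    REALM = "urn:federation:MicrosoftOnline"
    def __init__(self, key):
        self.key, self.trusts = key, {}
    def add_federated_domain(self, domain, issuer, key):
        self.trusts[domain] = (issuer, key)
    def is_federated(self, upn):
        return upn.rpartition("@")[2] in self.trusts
    def exchange(self, adfs_token, upn, wtrealm, now):
        # The trust is looked up by the domain given at home realm discovery and
        # the asserted UPN must belong to that same domain, so one customer's
        # AD FS can never vouch for another customer's users.
        domain = upn.rpartition("@")[2]
        if domain not in self.trusts:
            raise ValueError("domain is not federated")
        issuer, key = self.trusts[domain]
        claims = verify(adfs_token, key, self.REALM, now)
        if claims["iss"] != issuer or claims["upn"].rpartition("@")[2] != domain:
            raise ValueError("issuer not authoritative for this domain")
        return sign({"iss": self.REALM, "aud": wtrealm, "upn": claims["upn"],
                     "immutableId": claims["immutableId"], "exp": now + 300}, self.key)

class ExchangeOnline:
    """Relying party: trusts only tokens signed by the federation gateway."""
    REALM = "urn:federation:ExchangeOnline"
    def __init__(self, gateway):
        self.gateway = gateway
    def accept(self, gateway_token, now):
        return verify(gateway_token, self.gateway.key, self.REALM, now)["upn"]

def passive_sign_in(upn, password, adfs, gateway, rp, now):
    """Runs the redirect chain; returns (signed-in UPN, trace of the messages)."""
    trace = ["client -> Exchange Online: GET mailbox (no token)",
             "Exchange Online -> client: 302 to federation gateway, wtrealm=" + rp.REALM]
    if not gateway.is_federated(upn):
        raise ValueError("cloud identity: gateway prompts for a Microsoft Online ID")
    trace.append("gateway -> client: 302 to AD FS 2.0 (home realm discovery by UPN suffix)")
    adfs_token = adfs.issue(upn, password, gateway.REALM, now)
    trace.append("AD FS 2.0: authenticated against Active Directory, token POSTed to gateway")
    gw_token = gateway.exchange(adfs_token, upn, rp.REALM, now)
    trace.append("gateway: AD FS token verified, gateway token POSTed to Exchange Online")
    return rp.accept(gw_token, now), trace

# Constructed sample deployment for the federated domain contoso.com.
AD = ActiveDirectory({"alice@contoso.com": ("Passw0rd!", "ImmId-0001")})
ADFS = AdfsServer("http://adfs.contoso.com/adfs/services/trust", AD, ADFS_KEY)
GATEWAY = FederationGateway(GATEWAY_KEY)
GATEWAY.add_federated_domain("contoso.com", ADFS.issuer, ADFS_KEY)
EXCHANGE = ExchangeOnline(GATEWAY)
```

Calling `passive_sign_in("alice@contoso.com", "Passw0rd!", ADFS, GATEWAY, EXCHANGE, now)` returns the signed-in UPN and the five messages of the exchange. The two-token design is the point: Exchange Online never sees the customer's AD FS key, only the gateway's, so an AD FS token posted straight to the relying party fails its signature check, and a token whose UPN lies outside the domain the trust covers is refused by the gateway.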
Identity federation
Futures: what you need to know
Protocols supported
• WS-*, SAML 1.1
• SAML 2.0 (for EDUs) coming later (Shibboleth)
• AD FS 2.0 supports SAML 2.0
Microsoft Online Services requirements
• MS Online business scenarios always use WS-*
• WS-Trust provides support for rich client authentication
• Strong authentication solutions for web applications via ADFS Proxy sign in page
Related Content
Breakout Sessions
• SIA326: Identity and Access Management: Single Sign-on Across Organizations and the Cloud - Active Directory Federation Services 2.0 Architecture Drilldown
• COS204: Microsoft Business Productivity Online Standard Suite (BPOS) v.Next: Administration Automation Using Windows PowerShell
Interactive Sessions
• COS12-INT: Microsoft Online Services (BPOS) Futures: ID and Access Solutions Drilldown
• SIA01-INT: Identity and Access Management: Best Practices for Deploying and Managing Active Directory Federation Services (AD-FS) 2.0
Product Demo Stations (demo station title and location)
• TLC-70: TLC Yellow: Business Productivity Online Suite (BPOS)
Track Resources
• Read more about Microsoft Online Services – www.microsoft.com/online
• Sign up for a 30-Day Trial of the Business Productivity Online Suite: https://mocp.microsoftonline.com (use promo code TENA2010)
Continue the conversation
• Microsoft Online Services Team Blog – http://blogs.technet.com/msonline
• Facebook Fan Page – http://www.facebook.com/MicrosoftOnlineServices
• You Tube Channel – http://www.youtube.com/user/msonlineservices
• Twitter – http://twitter.com/msonline
Resources
• Sessions On-Demand & Community – www.microsoft.com/teched
• Microsoft Certification & Training Resources – www.microsoft.com/learning
• Resources for IT Professionals – http://microsoft.com/technet
• Resources for Developers – http://microsoft.com/msdn
Complete an evaluation on CommNet and enter to win!
Sign up for Tech·Ed 2011 and save $500 starting June 8 – June 31st
http://northamerica.msteched.com/registration
You can also register at the North America 2011 kiosk located at registration
Join us in Atlanta next year
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Directory Sync
Coexistence Overview
Core Coexistence Features Supported
• Full Shared GAL
• Rich messaging (Full format)
• Meeting requests
Top innovations
• Works over the internet
• Optimized for midmarket
• Appliance-like setup
• ‘Try before you buy’
Directory Sync
What objects get sync’d?
Directory synchronization to MSO
• Syncs Users, Groups and Contacts
• All users are synced as logon disabled and inactivated users initially.
Considers customer as source of authority
• Identities mastered on-premise. Mail properties, UPN are mastered in MSO when licensed. No changes made to on premise identities.
• Groups are synced as Groups
• On premise mail enabled SGs are synced as DG
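The rules on this slide are a set of precedence decisions, so here is an added model of one synchronization pass that applies them (illustration written for this page, not the Directory Sync tool's code): users, groups and contacts flow from the on-premises directory, new users land logon-disabled and deactivated, identity attributes always come from on-premises, mail properties and UPN stop being overwritten once a user is licensed, and a mail-enabled security group becomes a distribution group while a plain security group is skipped (syncing those is listed as a future feature). `source_id` is an assumed stand-in for the on-premises object's immutable identifier, the directory contents are constructed, and the choice to leave cloud-only objects untouched is this model's assumption rather than something the slide states.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class OnPrem:
    """Constructed on-premises directory object; source_id stands in for the
    directory's immutable object identifier (assumption, not the tool's field)."""
    source_id: str
    kind: str                    # "user", "group" or "contact"
    display_name: str
    upn: str = ""
    mail: str = ""
    mail_enabled: bool = False
    security_group: bool = False

@dataclass
class Cloud:
    """Object as it exists in the Microsoft Online directory store."""
    source_id: str
    kind: str                    # "user", "group", "distribution group" or "contact"
    display_name: str
    upn: str = ""
    mail: str = ""
    logon_enabled: bool = False  # defaults encode "logon disabled, deactivated"
    activated: bool = False
    licensed: bool = False

def cloud_kind(obj):
    """Which cloud object an on-premises object becomes, or None if it is skipped."""
    if obj.kind != "group":
        return obj.kind
    if not obj.security_group:
        return "group"
    # mail-enabled security groups become distribution groups; plain security
    # groups are not synced by the current service (a listed future feature)
    return "distribution group" if obj.mail_enabled else None

def sync(on_prem, cloud):
    """One synchronization pass. Returns a new cloud directory keyed by
    source_id; on-premises objects are read only and never modified."""
    result = dict(cloud)   # assumption: cloud-only objects are carried over untouched
    for obj in on_prem:
        kind = cloud_kind(obj)
        if kind is None:
            continue
        existing = cloud.get(obj.source_id)
        if existing is None:
            # new users arrive logon disabled and deactivated until an admin
            # licenses them in the portal
            result[obj.source_id] = Cloud(obj.source_id, kind, obj.display_name,
                                          obj.upn, obj.mail)
            continue
        updated = replace(existing)
        updated.kind, updated.display_name = kind, obj.display_name  # identity: on-prem wins
        if not (existing.kind == "user" and existing.licensed):
            # mail properties and UPN are mastered in the cloud only once the
            # user is licensed; until then the on-premises values flow through
            updated.upn, updated.mail = obj.upn, obj.mail
        result[obj.source_id] = updated
    return result

def license_user(cloud, source_id):
    """Admin action in the portal: license (and thereby activate) a synced user."""
    user = cloud[source_id]
    user.licensed = user.activated = user.logon_enabled = True
    return user

# Constructed sample on-premises directory.
ONPREM = [
    OnPrem("u1", "user", "Alice Example", "alice@contoso.com", "alice@contoso.com"),
    OnPrem("u2", "user", "Bob Example", "bob@contoso.com", "bob@contoso.com"),
    OnPrem("g1", "group", "Sales", mail="sales@contoso.com", mail_enabled=True, security_group=True),
    OnPrem("g2", "group", "Domain Admins", security_group=True),
    OnPrem("g3", "group", "Newsletter", mail="news@contoso.com", mail_enabled=True),
    OnPrem("c1", "contact", "Partner Carol", mail="carol@fabrikam.com"),
]

if __name__ == "__main__":
    for obj in sync(ONPREM, {}).values():
        print(obj)
```

Running two passes shows the ownership boundary: after `license_user(first, "u1")`, an on-premises UPN change for Alice is no longer propagated, while the same change for the unlicensed Bob still is.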
MS Online Directory Sync and coexistence
Future features
• Identity coexistence – where identities are mastered on-premises.
• Conf room as Conf rooms
• Supports Identity Federation
• Syncs Security Groups
• Syncs additional on-premise data (i.e. photos) enabling a richer experience.
Optional features
• Free busy coexistence w/ (Exchange 2010 CAS server on premise)
• Supports additional Rich Coexistence with Exchange 2010 (Cloud Archive, Filtering Coexistence, and Delegation)
JUNE 7-10, 2010 | NEW ORLEANS, LA