Office 365 Identity Management
Paul Andrew
OSP225
Agenda
1. Identity Management Overview
2. Recently Announced…
3. Identity Integration Options
Identity management overview
Identity management deals with identifying individuals in a system and controlling access to the resources in that system.
Integral components of identity and access management:
• Authentication: verifying that a user, device, or service (such as an application provided on a network server) is the entity that it claims to be.
• Authorization: determining which actions an authenticated entity is authorized to perform on the network.
More identity terms
Single Sign On (SSO) is the ability for two disjoint Identity Providers (IDP) to trust each other such that a user logged into one does not need to log in again for the second. YAUP is what you get if you don’t have SSO.
The Relying Party (RP) is the system that relies on the Identity Provider to authenticate a user.
Security Assertion Markup Language (SAML): SAML is a public standard managed by OASIS. SAML is the identity token and also the protocol. SAML 2.0 is built on SAML 1.1, ID-FF and Shibboleth.
WS-Federation / WS-Trust: WS-Federation is used for web browser based authentication with an IDP. WS-Trust is used by Office rich client apps to authenticate.
Microsoft cloud services
• User with a Microsoft Account (ex: [email protected]) -> Microsoft Account
• User with an Organizational Account (ex: [email protected]) -> Windows Azure Active Directory
Common identity platform for organizational accounts
Windows Azure Active Directory is the underlying identity platform for various cloud services that use Organizational Accounts. The diagram shows Windows Azure Active Directory providing the directory store and the authentication platform that Your App builds on.
Office 365 Identity
• Cloud Identity: single identity in the cloud. Suitable for small organizations with no integration to on-premises directories.
• Directory Synchronization: single identity. Suitable for medium and large organizations without federation.
• Federated Identity: single federated identity and credentials. Suitable for medium and large organizations.
Recent Additions
Windows Azure Active Directory Sync Tool Update
• Synchronizes user passwords from on-premises AD to Azure AD (Office 365).
• Only a one-way hash of the password is synchronized to WAAD, so the original password cannot be reconstructed from it.
• Respects on-premises password policies.
• Can’t sync passwords for Federated Users, but can co-exist.
• The tool is downloaded from the Office 365 admin portal.
SAML2 Identity Provider
More details on TechNet: http://aka.ms/sync
Directory Sync Tool or Active Directory Federation Services
Password Sync compared with SSO with AD FS on the following points:
• Same password to access resources
• Can control password policies on-premises
• Support for two factor authentication *
• No password re-entry if on premises
• Client access filtering by IP or by time schedule
• Authentication occurs on-premises; can immediately block disabled accounts
• Change password available from web
• Works with Forefront Identity Manager
* Azure AD offers some 2FA features that are available with ADFS deployment on-premises.
Active Authentication: Why Multi-Factor
• Your data and applications are under attack
• Passwords are easily compromised
• Consumerization of IT has only increased the scope of vulnerability
• Strengthening regulatory requirements call for strongly authenticating access
Architecture
Components shown in the diagram: Mobile Apps (enterprise authentication using any phone), Text Messages, Phone Calls, ISV/CSV Apps, Microsoft Apps, Custom LOB Apps, Windows Azure Active Directory and Active Authentication.
Verification methods shown: Out-of-Band Push, One-Time Passcode, Out-of-Band Call, Out-of-Band Text.
1. Users sign in from any device using their existing username/password. Credentials are checked in Windows Azure AD.
2. Active Authentication is then triggered for additional verification: users must also authenticate using their phone or mobile device before access is granted.
App Passwords
• Provides rich client login as alternative to Multi Factor Auth
• Not for administrators
• 16 characters randomly generated
• Currently in preview
Windows Azure Active Directory Provisioning Updates
• Azure Active Directory Graph API: REST API for programmatic access to data in Azure AD. Can build multi-tenant applications, or custom LOB Apps.
• Azure Active Directory Connector for FIM 2010 R2: can be used for multi-forest synchronization and non-AD sources. Public Beta starts on Connect soon.
Identity integration options
1. Cloud Identity
   Org size: Small
   Control of attributes in directory: Least control
   Source of authority: Cloud
   Hardware requirements: No on-premises hardware required
   Login experience: Disjoint username, password for on-premises and cloud; enter credentials twice
2. Directory Sync
   Org size: All
   Control of attributes in directory: Full control via on-premises directory
   Source of authority: On-premises
   Hardware requirements: Windows Server OS for DirSync appliance
   Login experience: Disjoint username, password for on-premises and cloud; enter credentials twice
3. Password Sync
   Org size: All
   Control of attributes in directory: Full control via on-premises directory
   Source of authority: On-premises
   Hardware requirements: Windows Server OS for DirSync appliance
   Login experience: Same username, password for on-premises and cloud; enter credentials twice
4. Graph API
   Org size: Large
   Control of attributes in directory: Can control core attributes and select optional
   Source of authority: Cloud
   Hardware requirements: Machine to run PowerShell jobs on
   Login experience: Disjoint username, password for on-premises and cloud; enter credentials twice
5. FIM
   Org size: Large
   Control of attributes in directory: Can control core attributes and select optional
   Source of authority: On-premises
   Hardware requirements: Forefront Identity Manager with Office 365 Connector
   Login experience: Disjoint username, password for on-premises and cloud; enter credentials twice
6. Single Sign-On
   Org size: Large
   Control of attributes in directory: Full control via on-premises directory
   Source of authority: On-premises
   Hardware requirements: DirSync appliance and ADFS (or other STS) deployment
   Login experience: Same username, password for on-premises and cloud; login once if on-premises
Cloud identity (1)
• Rich experience with Office Apps
• Ease of deployment, management and support
• Lower cost as no additional servers are required on-premises
• High availability and reliability as all identities and services are managed in the cloud
Diagram: User -> Cloud Identity (ex: [email protected]) in Windows Azure Active Directory.
Directory Synchronization (2)
• Rich experience with Office Apps
• Directory synchronization between on-premises and online
• Identities are created and managed on-premises and synchronized to the cloud
• Single identity and credentials but no single sign-on for on-premises and Office 365 services
• Reuse existing directory implementation on-premises
Diagram: User -> On-Premises Identity (ex: Domain\Alice) in AD -> Directory Synchronization -> Cloud Identity (ex: [email protected]) in Windows Azure Active Directory.
Password Synchronization (3)
• Rich experience with Office Apps
• Directory synchronization between on-premises and online
• Identities are created and managed on-premises and synchronized to the cloud
• Single identity and password credentials but no single sign-on for on-premises and Office 365 services
• Reuse existing directory implementation on-premises
Diagram: User -> On-Premises Identity (ex: Domain\Alice) in AD -> Directory Synchronization with one-way Password Hash -> Cloud Identity (ex: [email protected]) in Windows Azure Active Directory.
Scoping and Filtering for Synchronization
Customers can exclude objects from synchronizing to Office 365. Scoping can be done at the following levels:
• AD Domain-based
• Organizational Unit-based
• User Attribute-based
Additional filtering capabilities will become available with the O365 Connector. Preventing the synchronization of specific attributes is not supported.
Multi-forest AD
Diagram: several AD forests (On-Premises Identity, ex: Domain\Alice) synchronized through DirSync on FIM and federated using ADFS to Windows Azure Active Directory for the User.
Multi-forest decision flowchart
Decision points recovered from the flowchart (Start): Number of Active Directory forests (Single (1) / Multiple (>1)); Number of Exchange Orgs (None (0) / Single (1) / Multiple (>1)); “Disjoint” account forests?; “Disjoint” account forests and Exchange org accessed by accounts in the same forest?; Want to consolidate to a single forest?
Outcomes: Use Single Forest DirSync; Use Multi Forest DirSync; Use Office 365 Connector; or on-premises org consolidation is needed first (see consolidation whitepaper), with the choice made after consolidation.
PowerShell / Graph REST API (4)
• Suitable for small/medium size organizations with AD or Non-AD
• Performance limitations apply with PowerShell and Graph API provisioning
• PowerShell requires scripting experience
• PowerShell option can be used where the customer/partner may have wrappers around PowerShell scripts (eg: Self Service Provisioning)
Office 365 Connector for Forefront Identity Manager (5)
• Suitable for large organizations with certain AD and Non-AD scenarios
• Complex multi-forest AD scenarios
• Non-AD synchronization through Microsoft premier deployment support
• Requires Forefront Identity Manager and additional software licenses
Federated identity (6)
• Single identity and sign-on for on-premises and Office 365 services
• Identities mastered on-premises with single point of management
• Directory synchronization to synchronize directory objects into Office 365
• Secure token based authentication
• Client access control based on IP address with ADFS
• Strong factor authentication options for additional security with ADFS
Diagram: User -> On-Premises Identity (ex: Domain\Alice) in AD or Non-AD -> Federation and Directory Synchronization -> Windows Azure Active Directory.
Federation options
Shibboleth (SAML), works with AD & Non-AD
• Suitable for educational organizations
• Recommended where customers may use existing non-ADFS Identity systems
• Single sign-on
• Secure token based authentication
• Support for web clients and Outlook (ECP) only
• Microsoft supported for integration only, no Shibboleth deployment support
• Requires on-premises servers & support
• Works with AD and other directories on-premises
ADFS, works with AD
• Suitable for medium, large enterprises including educational organizations
• Recommended option for Active Directory (AD) based customers
• Single sign-on
• Secure token based authentication
• Support for web and rich clients
• Microsoft supported
• Works for Office 365 Hybrid Scenarios
• Requires on-premises servers, licenses & support
Works with Office 365 - Identity
• Suitable for medium, large enterprises including educational organizations
• Recommended where customers may use existing non-ADFS Identity systems with AD or Non-AD
• Single sign-on
• Secure token based authentication
• Support for web and rich clients
• Third-party supported
• Works for Office 365 Hybrid Scenarios
• Requires on-premises servers, licenses & support
• Verified through ‘works with Office 365’ program
‘Works with Office 365 – Identity’
Program for third party on premises identity providers to interoperate with Office 365. Objective is to help customers that currently use Non-Microsoft identity solutions to adopt Office 365. On TechNet: http://aka.ms/SSOProviders
Benefits shown: Flexibility; Coordinated Support; Partner +; Confidence; Qualified by Microsoft; Reuse Investments.
‘Works with Office 365 – Identity’
On Premises Security Token Services: http://bit.ly/17D5Dq0
Protocols shown: WS-Trust & WS-Federation; WS-Federation; SAML-P; Active Directory with ADFS.
Client access control
Part of ADFS. Limit access to Office 365 based on network connectivity (internet versus intranet):
• Block all external access to Office 365 based on the IP address of the external client
• Block all external access to Office 365 except Exchange ActiveSync; all other clients such as Outlook are blocked
• Block all external access to Office 365 except for passive browser based applications such as Outlook Web Access or SharePoint Online
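The first two scenarios above are implemented in AD FS as issuance authorization rules on the Office 365 relying party trust, keyed on the request-context claims the AD FS proxy adds to external requests. The PowerShell below is an added example, not from the deck or from the author: it denies requests arriving through the proxy unless the forwarded client IP is in the corporate public range or the client is Exchange ActiveSync. The trust display name, the Windows Server 2012 cmdlet names and the 203.0.113.0/24 range (a documentation range standing in for the organization's real egress addresses) are assumptions.

```powershell
# Added example: AD FS client access control for Office 365 (not from the original deck).
# Requests that come through the AD FS proxy carry request-context claims; the deny rule
# below fires for such requests unless the forwarded client IP is in the corporate public
# range or the client application is Exchange ActiveSync (scenarios 1 and 2 on the slide).
# Assumptions: Windows Server 2012 AD FS module, default relying party trust name,
# and 203.0.113.0/24 as a placeholder for the organization's real egress addresses.
Import-Module ADFS

$rpName = "Microsoft Office 365 Identity Platform"   # assumed default name of the O365 trust

# Request-context claim types added by the AD FS proxy.
$proxyClaim    = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"
$clientIpClaim = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip"
$appClaim      = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application"

# Placeholder regex for 203.0.113.0/24. Word boundaries rather than ^$ anchors, because the
# forwarded-client-ip claim can carry more than one address (e.g. when Exchange Online
# forwards the original client's address along with its own).
$corpIpRegex = "\b203\.0\.113\.([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\b"

# Issuance authorization rules in the AD FS claim rule language. A deny claim wins over a
# permit claim regardless of rule order, so the permit rule can stay first.
$rules = @"
@RuleName = "Permit all users"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

@RuleName = "Deny external access except corporate IPs and Exchange ActiveSync"
exists([Type == "$proxyClaim"])
 && NOT exists([Type == "$clientIpClaim", Value =~ "$corpIpRegex"])
 && NOT exists([Type == "$appClaim", Value == "Microsoft.Exchange.ActiveSync"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
"@

# Replace the trust's authorization rules, then show what is now in force.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $rules
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

Run this on the primary AD FS server and confirm that both the permit and the deny rule appear in the printed rule set before testing from an external network.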
WAAD Identity with other cloud services
• Identity managed in Windows Azure AD
• Single sign-on for Office 365 and other cloud services federated with a single cloud identity
• ISV Applications or SAAS providers can integrate using APIs on Windows Azure AD
Diagram: User -> Cloud Identity (ex: [email protected]) in Windows Azure Active Directory -> ISV apps or SAAS providers or Your App.
Summary
1. Cloud Identities – Windows Azure Active Directory
2. Directory Sync from On-Premises
3. Directory Sync from On-Premises (with Password Sync)
4. Graph API and PowerShell
5. Forefront Identity Manager
6. Federation (or Single Sign-On)
   • ADFS
   • WS-Federation and WS-Trust
   • Shibboleth SAML-P
Active Authentication for multifactor
Works with Office 365 – Identity
Resources
• Developer Network – Resources for Developers: http://msdn.microsoft.com/en-au/
• Learning – Virtual Academy: http://www.microsoftvirtualacademy.com/
• Sessions on Demand: http://channel9.msdn.com/Events/TechEd/Australia/2013
• TechNet – Resources for IT Professionals: http://technet.microsoft.com/en-au/
Keep Learning
1. Keep up to date with all the latest Office 365 information at http://ignite.office.com
2. Get on top of your pilot using the FastTrack deployment process: http://fastTrack.office.com
3. Trial Office 365: http://office.microsoft.com
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.