Supporting Architecture for Office 365 - SPO
Jethro Seghers
Blogger, Consultant, Trainer
Twitter: @jseghers
E-mail: [email protected]
Blog: http://www.j-solutions.be/blog
Agenda
• Goal
• Different Architectural Entities
• Identities & User Provisioning
• Authentication
• Demo
Goal
• Make the correct choice for your identity model
• Understand the different tools
• Provide a Same Sign On environment
• Easy authentication
Different Architectural Entities
• User Provisioning: PowerShell, DirSync, FIM Management Agent
• Authentication: Windows Azure Active Directory (W.A.A.D.), local Active Directory via ADFS, Shibboleth (Education)
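The deck lists PowerShell as the first user-provisioning entity. The script below is an added example, not from the deck or from Microsoft's own material: it provisions a cloud-mastered user (identity option 1, MS Online IDs) with the Microsoft Online Services Module for Windows PowerShell (MSOnline). The tenant domain, user name, licence SKU and usage location are placeholders.

```powershell
# Added example, not from the deck: provision a cloud-mastered user with the MSOnline
# module. Tenant name, UPN, licence SKU and usage location are placeholders.
Import-Module MSOnline
Connect-MsolService   # prompts for a Global Administrator credential

$tenantDomain = 'contoso.onmicrosoft.com'   # placeholder tenant
$upn          = "jdoe@$tenantDomain"

# Only verified domains can be used as a UPN suffix; fail early otherwise.
$domain = Get-MsolDomain -DomainName $tenantDomain
if ($domain.Status -ne 'Verified') { throw "Domain $tenantDomain is not verified" }

# Pick the licence to assign; AccountSkuId has the form '<tenant>:<SKU>'.
$sku = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -like '*:ENTERPRISEPACK' } | Select-Object -First 1

# UsageLocation is mandatory before a licence can be assigned. Without -Password the
# service generates a temporary one and returns it on the object.
$user = New-MsolUser -UserPrincipalName $upn -DisplayName 'Jane Doe' -FirstName 'Jane' -LastName 'Doe' `
    -UsageLocation 'BE' -LicenseAssignment $sku.AccountSkuId -ForceChangePassword $true -StrongPasswordRequired $true

# For cloud-mastered identities the password policy lives in the tenant, not in AD
# (the "differing password policies" con in option 1). Show what applies and make sure
# this account is not exempt from expiry.
Get-MsolPasswordPolicy -DomainName $tenantDomain | Select-Object ValidityPeriod, NotificationDays
Set-MsolUser -UserPrincipalName $upn -PasswordNeverExpires $false

# The temporary password has to reach the user out-of-band; it should not be mailed
# to the mailbox it unlocks.
$user | Select-Object UserPrincipalName, Password, IsLicensed
```

With DirSync in place (options 2 and 3) the user object would instead be created in on-premise AD and synced; `New-MsolUser` is then only used for accounts that have no on-premise counterpart.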
Identity options comparison
1. MS Online IDs
Appropriate for
• Smaller organizations without AD on-premise
Pros
• No servers required on-premise
Cons
• No SSO
• No 2FA (strong authentication)
• 2 sets of credentials to manage with differing password policies
• Users and groups mastered in the cloud

2. MS Online IDs + DirSync
Appropriate for
• Orgs with AD on-premise
Pros
• Users and groups mastered on-premise
• Enables co-existence scenarios
Cons
• No SSO
• No 2FA
• 2 sets of credentials to manage with differing password policies
• Single server deployment

3. Federated IDs + DirSync
Appropriate for
• Larger enterprise organizations with AD on-premise
Pros
• SSO with corporate credentials
• Users and groups mastered on-premise
• Password policy controlled on-premise
• 2FA solutions possible
• Enables co-existence scenarios
Cons
• High availability server deployments required
Identity architecture: Identity options
1. Microsoft Online IDs
2. Microsoft Online IDs + DirSync
3. Federated IDs + DirSync
Diagram components: customer premises (Bronze Sky): AD, Directory Sync, Active Directory Federation Server 2.0 (trust with the Federation Gateway), IdP directory store, authentication platform (IdP), service connector. Microsoft Office 365 services: MS Online Directory, identity platform, provisioning platform, Federation Gateway, Admin Portal, Exchange Online, SharePoint Online, Lync Online.
Federated vs. Non-Federated Summary
• A new “service connector” is needed, primarily for rich clients
• Installs client and operating system updates to enable the best sign-on experience
• Enables authentication support for rich clients
• Ensures clients have all needed configuration data to enable service usage
• Obsolete in Office 2013
• Web kiosk scenarios (e.g. OWA) are supported without the service connector
Sign On Experience across apps and OSs
Table: columns are the identity types and client platforms (Federated IDs, domain joined, on Win 7 and on Vista/XP; MS Online IDs); rows are the applications (Outlook Web Application; ActiveSync, POP, IMAP, Entourage; Outlook 2007; Outlook 2007 or 2010; SharePoint Online with Office 2010 or Office 2007 SP2). Each cell records whether the user is prompted for credentials (“No prompt”, “Once at setup” or “Each session”) and which credential is used (AD credentials or Online ID).
DirSync
What is DirSync?
“…is a Directory Synchronization engine based on Forefront Identity Manager (FIM) that will synchronize a subset of your on-premise Active Directory with Windows Azure Active Directory (Office 365).”
DirSync
How does DirSync work?
Diagram: Active Directory → Source AD MA (management agent) → METAVERSE → Target Web Service MA (to Windows Azure Active Directory)
What does Directory Sync do for you
• Enables you to manage your company’s information in one central location for both the on-premise intranet and Office 365
• Runs as an appliance: install and forget
• Proactively reports errors via e-mail: “No news is good news”
What does Directory Synchronization do for users
• Seamless user experience across on-premise and Office 365 services (Exchange, Lync, SharePoint)
Flavors of Co-Existence
• Identity Co-Existence (aka Single Sign-On, Federated Identity, Federated Authentication)
• Application Co-Existence
What does Directory Synchronization do for users: Identity Co-Existence
• Facilitates a “Single Sign-On” experience
• For users: a single set of credentials to manage
• On-premise users, security groups, distribution lists and contacts are available in the cloud
• Complete address books in Exchange Online
• SharePoint Online ACL’ing via security groups
• Users, contacts and groups can be created directly in Office 365, or sync’d from on-premise!
What does Directory Synchronization do for users: Application Co-Existence
2 types: Simple, Rich
Simple Co-Existence:
• Full, consistent address book available across all O365 services
• Exchange Online users can receive mail at any of their (valid) on-premise proxy addresses
• Conference room support (Outlook Room Finder)
What does Directory Synchronization do for users: Application Co-Existence
Rich Co-Existence:
• Hybrid deployments
• Staged migrations
• Keep data on-premise for various business or legal requirements
• Free/Busy available to users on-premise and in the cloud
DirSync Deployment
• Active Directory assessment: prerequisites check (Readiness Tool), Onramp.office365.com
• Topology: single forest? multiple domains?
• Security: firewalls, permissions
DirSync Deployment
• (De-)activation time: can take some time to complete
• Object filtering required? Domain, OU, attribute
• SQL Express or full SQL (+50k objects)
• Supported on Windows 2012
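The two DirSync Deployment slides above are a checklist (assessment, topology, filtering, SQL sizing, activation). The script below is an added example, not from the deck or from the DirSync product, that works through that checklist from PowerShell: it sizes the forest against the 50k-object SQL Express limit, previews what an OU filter would leave in scope, looks for the attribute conflicts (duplicate proxyAddresses or UPNs) and unverified UPN suffixes that keep objects from syncing cleanly, and finally confirms from the tenant side that synchronization is active. The forest, OU and domain names are placeholders; the ActiveDirectory and MSOnline modules are assumed to be installed.

```powershell
# Added example, not part of the deck: pre-deployment sizing and sanity checks for DirSync,
# followed by a post-activation check in the tenant. OU and domain names are placeholders.
Import-Module ActiveDirectory
Import-Module MSOnline

# Topology: single forest? multiple domains? DirSync takes the whole forest by default,
# so count users, groups and contacts per domain to see what it would push.
$forest = Get-ADForest
$total  = 0
foreach ($dom in $forest.Domains) {
    $users    = @(Get-ADUser   -Server $dom -Filter *).Count
    $groups   = @(Get-ADGroup  -Server $dom -Filter *).Count
    $contacts = @(Get-ADObject -Server $dom -Filter 'objectClass -eq "contact"').Count
    "{0}: {1} users, {2} groups, {3} contacts" -f $dom, $users, $groups, $contacts
    $total += $users + $groups + $contacts
}
# Above roughly 50 000 objects the deck calls for full SQL Server instead of SQL Express.
if ($total -gt 50000) { "Plan for full SQL Server ($total objects)" } else { "SQL Express is sufficient ($total objects)" }

# Object filtering: preview what an OU-scoped configuration (applied later in the FIM
# Synchronization Service Manager) would reduce the user count to. Placeholder OU.
$scopeOU = 'OU=Corp,DC=contoso,DC=local'
"Users inside $scopeOU : $(@(Get-ADUser -Filter * -SearchBase $scopeOU).Count)"

# Attribute conflicts that DirSync reports as errors: the same proxyAddress or UPN on
# two users in the current domain.
$allUsers = Get-ADUser -Filter * -Properties proxyAddresses, userPrincipalName
$allUsers | ForEach-Object { $_.proxyAddresses } | Group-Object |
    Where-Object { $_.Count -gt 1 } | ForEach-Object { "Duplicate proxyAddress: $($_.Name)" }
$allUsers | Where-Object { $_.UserPrincipalName } | Group-Object UserPrincipalName |
    Where-Object { $_.Count -gt 1 } | ForEach-Object { "Duplicate UPN: $($_.Name)" }

# A UPN suffix that is not a verified domain in the tenant is replaced by the tenant's
# onmicrosoft.com suffix on sync, so users would sign in with a name they do not expect.
Connect-MsolService
$verified = Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' } | ForEach-Object { $_.Name }
$allUsers | Where-Object { $_.UserPrincipalName } |
    ForEach-Object { ($_.UserPrincipalName -split '@')[1] } | Sort-Object -Unique |
    Where-Object { $verified -notcontains $_ } | ForEach-Object { "Unverified UPN suffix: $_" }

# After installation and activation: is directory sync on, when did it last run, how many
# synchronized users have landed in the tenant?
Get-MsolCompanyInformation | Select-Object DirectorySynchronizationEnabled, LastDirSyncTime
"Synchronized users in tenant: $(@(Get-MsolUser -Synchronized -All).Count)"
```

`LastDirSyncTime` is the quickest way to verify the "install and forget" appliance is actually running: if it stops advancing while no error mail arrives, the mail notification itself is what needs checking.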
Demo DirSync
Active Directory Domain Federation
Identity Federation: Authentication flow (passive profile)
Diagram components: customer side: client (joined to CorpNet), AD FS 2.0 server, Active Directory; Microsoft Office 365 side: Federation Gateway, Exchange Online
Identity Federation: Authentication flow (active profile)
Diagram components: customer side: client (joined to CorpNet), AD FS 2.0 server, Active Directory; Microsoft Office 365 side: Federation Gateway, Exchange Online
AD FS 2.0 deployment options
1. Single server configuration
2. AD FS 2.0 server farm and load-balancer
3. AD FS 2.0 proxy server (offsite users)
ADFS: On Premise Topology
Diagram components: Enterprise: internal user, Active Directory, two AD FS 2.0 servers; DMZ: two AD FS 2.0 server proxies
ADFS: Hybrid Topology: IAAS
Diagram components (shown once with two AD FS 2.0 servers per site and once with one per site): Enterprise: internal user, Active Directory, AD FS 2.0 server(s); IAAS: external user, Active Directory, AD FS 2.0 server(s); the two sites are connected over VPN
ADFS: Hybrid Topology: Windows Azure
Diagram components: Enterprise: Active Directory, two AD FS 2.0 servers, IPsec device; Windows Azure: gateway, cloud service with two AD FS 2.0 servers behind a load-balanced endpoint
ADFS: Cloud Topology: IAAS
Diagram components: IAAS: Active Directory, two AD FS 2.0 servers, serving both internal and external users
ADFS 2.x
• ADFS supports multi-forest
• ADFS supports multi-domain
• ADFS 2.0 Rollup 2
• ADFS 2.1 with Windows Server 2012
• Use Smart Links for SPO
Key takeaways
• ADFS requires a public certificate only for client communications; token signing and encryption can be done with self-signed certificates
• The workflow/endpoint differs depending on the application you use: passive (web), rich client (Lync), active (Outlook)
• Troubleshooting is not always easy, e.g. it requires understanding how to use tools like Fiddler2
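The first two takeaways are things an administrator can verify rather than take on trust. The script below is an added example, not from the deck or from the AD FS product, run on an AD FS server that also has the MSOnline module: it lists the three certificate roles so the self-signed token-signing/decrypting certificates can be told apart from the publicly issued service-communications certificate, compares the token-signing certificate Office 365 holds for the federated domain with the one AD FS actually uses, and prints the distinct endpoints behind the passive and active profiles. The domain name is a placeholder; the AD FS 2.0 snap-in is assumed (on AD FS 2.1 the same cmdlets come from the ADFS module).

```powershell
# Added example, not from the deck: confirm the AD FS and Office 365 sides of a federated
# domain agree on the token-signing certificate and show the per-profile endpoints.
# Domain name is a placeholder. Run on an AD FS server with the MSOnline module installed.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue   # AD FS 2.0; AD FS 2.1 uses Import-Module ADFS
Import-Module MSOnline
Connect-MsolService

$domain = 'contoso.com'   # placeholder federated domain

# Service-Communications is presented to browsers and rich clients and must chain to a
# public CA. Token-Signing and Token-Decrypting are only consumed by the relying party
# (Office 365), which pins them, so self-signed is acceptable for those two.
Get-ADFSCertificate | Select-Object CertificateType, IsPrimary, Thumbprint,
    @{ n = 'Subject'; e = { $_.Certificate.Subject } },
    @{ n = 'Issuer';  e = { $_.Certificate.Issuer } }

# Office 365 keeps its own copy of the signing certificate; compare thumbprints.
$fed        = Get-MsolDomainFederationSettings -DomainName $domain
$tenantCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                  (, [Convert]::FromBase64String($fed.SigningCertificate))
$local      = Get-ADFSCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }

if ($tenantCert.Thumbprint -eq $local.Thumbprint) {
    "Token-signing certificate in sync ($($local.Thumbprint))"
} else {
    # Typical after a certificate rollover on AD FS that was never pushed to the tenant:
    # every federated sign-in fails until the trust is refreshed with
    # Update-MsolFederatedDomain -DomainName $domain
    "MISMATCH: tenant holds $($tenantCert.Thumbprint), AD FS primary is $($local.Thumbprint)"
}

# Endpoints per profile: browsers are redirected to PassiveLogOnUri, Outlook/ActiveSync
# post WS-Trust requests to ActiveLogOnUri, rich clients discover both through MEX.
$fed | Select-Object IssuerUri, PassiveLogOnUri, ActiveLogOnUri, MetadataExchangeUri, LogOffUri

# Which of those endpoints AD FS itself exposes, and which are published through the proxy
# for off-site users. An endpoint disabled here is the first thing to check when one
# client type fails while the others sign in.
Get-ADFSEndpoint | Where-Object { $_.Enabled } | Select-Object AddressPath, Protocol, Proxy
```

When a Fiddler2 trace shows a rich client failing while the browser signs in fine, comparing the `AddressPath` it hits against this endpoint list usually narrows the problem to a disabled or unpublished WS-Trust endpoint rather than to the certificate.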
Demo ADFS
Windows Azure Active Directory
• W.A.A.D. is a modern, REST-based service that provides identity and access control for your cloud applications.
• Already used in: Windows Azure, Office 365, Dynamics CRM Online, Windows Intune, 3rd-party cloud services
Windows Azure Active Directory
• W.A.A.D. integrates with the domain credentials of local AD via ADFS
• W.A.A.D. integrates with the Access Control Service
• W.A.A.D. integrates with the Graph API: it allows you to read a subset of the entities in the directory, namely Users, Groups, Roles, Subscriptions, Tenant Details and some of the relationships which tie those together. The interaction is read-only.
Windows Azure Active Directory
GO TRY IT OUT