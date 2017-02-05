okta confidential 2
okta confidential 38 Eliminate the need to maintain ADFS • No need to deploy/manage additional Windows Servers • No need t...
  • Microsoft's recommended hardware requirements for ADFS are quad-core 2 GHz processors and 4 GB RAM, in addition to the base requirements for Windows Server 2012.

    ADFS certificate requirements are: an SSL server certificate; a Service Communication Certificate (enables WCF message security between all internal federation servers); a Token-Signing Certificate (X.509 certificate used for securely signing all tokens that the federation server issues); and a Token-Decryption Certificate (SSL certificate used in published federation metadata and for partner federation servers).

    ADFS proxy servers require the standard Server Authentication Certificate (used for securing communication between the federation server proxy and internet client computers).
  • In Windows Server 2012, Federation Proxy Server is called the Web Application Proxy.

    Federated SSO • Initially only supported ADFS as IDP • Now opened up to partners • WS-Federation for both ADFS and Okta User Management • Object synchronization through DirSync (Microsoft tool) • Okta can do basic user prov. today. • Plans for DirSync replacement
    Federated SSO Active Directory Federation Services (ADFS) Directory Synchronization Microsoft DirSync
    Internet Firewall Customer Network AD Domain Controller ADFS Farm Separate Windows Server for DirSync
    Year One Year Two Year Three Total More apps = more cost
    All Your Devices All Your People Desktop, Laptops, Tablets, Smartphones, Employees, Customers, Partners, Contractors Mobile On Prem Cloud On Prem Identity LDAP
    Mobile On Prem Cloud On Prem Identity LDAP All Your Devices All Your People Desktop, Laptops, Tablets, Smartphones, Employees, Customers, Partners, Contractors
    1 2 3 Remote/Mobile Employees Active Directory Employees Okta Agent(s) Firewall
    User Management Internet Firewall Customer Network AD Domain Controller Okta Agent (On Windows Server)
    Based on PowerShell + Graph API today Okta for Federated SSO + DirSync for Provisioning • Use this deployment when users require SharePoint and SkyDrive integration with local office applications and Lync Okta for Federated SSO + Okta • Use this for simple user provisioning to onboard/deprovision new accounts in Office 365 based on AD account creation/disablement with only cloud apps H1 2014 - Okta for Federated SSO + Okta for Full Coexistence mode
    Implementation Challenge | With ADFS | With Okta
    Additional On-Prem Hardware | Clustered Servers behind Firewall; additional clustered servers in DMZ | None
    Firewall Reconfiguration | Requires hole in firewall | None
    Third Party Certificates | 4 Required internally; 1 additional for proxies | None
    Support for additional Applications | Time consuming configuration and debugging required | Natively speaks WS-Federation and SAML to large catalog of applications
    Time to Implement | 1-2 weeks typically | 1 hour typically
    Cost to implement | ADFS is "free"; $25,000 and more for hardware, software, & services | Free to implement Office 365
    Define SSO Method WS-Fed or SWA Define Policy Define User-Management & Import Policy
    Greenfield Deployments • DirSync Required • Windows Server • Need access to Windows Server • Flexibility to enable federated endpoints Brownfield Deployments • Migrate Endpoints from ADFS to Okta using PowerShell • Should recommend using a Sandbox (E3 free trial) User Management • Push users from Okta or AD to Office 365 tenant • Current Okta UM for Office 365 for Cloud only • License Policy enforcement from Okta.
    Firewall 1 Okta agent per domain 1 DirSync Server AD DC 1 Separate Windows Server for DirSync Domain 1 Domain 2 Domain 3 Single tenant Multi-domain Setup AD DC 2 AD DC 3 O365 app 1 O365 app 2 O365 app 3
    WS-Federation Active Directory Agent Office 365 instance in Okta Standard PowerShell Federation Commands
    Visit - www.okta.com/office365
    1,000’s of Applications
    Eliminate the need to maintain ADFS • No need to deploy/manage additional Windows Servers • No need to make network changes to support ADFS • No need to maintain O365 SSO integration • Time consuming to set up ADFS Infrastructure • http://technet.microsoft.com/en-us/office365/hh744605.aspx Microsoft Certified Federated-SSO partner • Okta has been certified by Microsoft • Full alignment between Microsoft Support and Okta Support
