Office 365 identity

Published in: Technology

  1. Agenda
     1 Identity management overview
     2 Core identity scenarios
     3 Deep dive on federation and synchronization
     4 Additional features
  2. Authentication: verifying that a user, device, or service (such as an application provided on a network server) is the entity that it claims to be.
     Authorization: determining which actions an authenticated entity is authorized to perform on the network.
  3. Two account types
     • Microsoft Account (user), e.g. alice@outlook.com
     • Organizational Account (user), e.g. alice@contoso.com
  4. Windows Azure Active Directory: directory store and authentication platform.
  5. Core identity scenarios
  6. Cloud Identity (diagram; protocols and APIs shown: OAuth2, SAML-P, WS-Federation, Metadata, Graph API)
  7. Directory & Password Sync (diagram; protocols and APIs shown: OAuth2, SAML-P, WS-Federation, Metadata, Graph API)
  8. Directory Synchronization Options
     PowerShell & Graph API
     • Suitable for small/medium size organizations with AD or non-AD
     • Performance limitations apply with PowerShell and Graph API provisioning
     • PowerShell requires scripting experience
     • The PowerShell option can be used where the customer/partner may have wrappers around PowerShell scripts (e.g. self-service provisioning)
     DirSync
     • Suitable for organizations using Active Directory (AD)
     • Provides the best experience to most customers using AD
     • Supports Exchange co-existence scenarios
     • Coupled with ADFS, provides the best option for federation and synchronization
     • Supports password synchronization with no additional cost
     • Does not require any additional software licenses
     FIM-based synchronization
     • Suitable for large organizations with certain AD and non-AD scenarios
     • Complex multi-forest AD scenarios
     • Non-AD synchronization through Microsoft Premier deployment support
     • Requires Forefront Identity Manager and additional software licenses
  9. Federated Identity (diagram; protocols and APIs shown: OAuth2, SAML-P, WS-Federation, Metadata, Graph API)
  10. Three identity models
     • Cloud Identity: no integration with on-premises directories
     • Directory & Password Synchronization*: integration without federation*
     • Federated Identity: single federated identity and credentials
  11. Federation options
     Shibboleth (SAML*)
     • Suitable for educational organizations
     • Recommended where customers may use existing non-ADFS identity systems
     • Single sign-on; secure token-based authentication
     • Support for web clients and Outlook only
     • Microsoft supported for integration only; no Shibboleth deployment support
     • Requires on-premises servers & support
     • Works with AD and other directories on-premises (AD & non-AD)
     AD FS
     • Suitable for medium and large enterprises, including educational organizations
     • Recommended option for Active Directory (AD) based customers
     • Single sign-on; secure token-based authentication
     • Support for web and rich clients
     • Microsoft supported
     • PhoneFactor can be used for two-factor auth
     • Works for Office 365 hybrid scenarios
     • Requires on-premises servers, licenses & support
     • Works with AD
     Third-party identity partners (verified through the "Works with Office 365" program)
     • Suitable for medium and large enterprises, including educational organizations
     • Recommended where customers may use existing non-ADFS identity systems with AD or non-AD
     • Single sign-on; secure token-based authentication
     • Support for web and rich clients
     • Third-party supported
     • PhoneFactor can be used for two-factor auth
     • Works for Office 365 hybrid scenarios
     • Requires on-premises servers, licenses & support
     • Works with AD & non-AD
  12. Federation with Identity Partners: verified by Microsoft; reuse investments.
  13. Program for third-party identity providers to interoperate with Office 365. The objective is to help customers that currently use non-Microsoft identity solutions adopt Office 365.
  14. Identity Roadmap
     • Shibboleth (SAML) support: available now
     • New "Works with Office 365" partners: Ping, Optimal IDM, Okta and IBM available now; Novell, CA and Oracle in 1H CY2013
     • DirSync for multi-forest AD: available now through MCS and partners
     • Sync solution for non-AD using FIM: available now through MCS and partners
     • Password synchronization for AD: 1H CY2013
     • Broader SAML support: 1H CY2013
  15. Windows Azure Active Directory cloud identity (user, e.g. alice@contoso.com)
     • Identity managed in Windows Azure AD
     • Single sign-on for Office 365 and other cloud services, federated with a single cloud identity
     • ISV applications or SaaS providers can integrate using APIs on Windows Azure AD
     • Currently in Technical Preview
  16. Diagrams: "Cloud identity + directory synchronization" and "Single sign-on + directory synchronization". Components shown: Contoso customer premises AD, MS Online Directory Sync, Lync Online, SharePoint Online, Exchange Online, and Active Directory Federation Server 2.0 with a federation trust between the two IdPs.
  17. Understanding the client authentication path (diagram)
     • Internal clients (inside the corporate boundary): Lync 2010 / Office Subscription, Outlook 2010/2007, IMAP/POP, OWA, ActiveSync
     • External clients: Lync 2010 / Office Subscription, Outlook 2010/2007, IMAP/POP, OWA, ActiveSync
     • AD FS 2.0 Server and AD FS 2.0 Proxy each expose MEX, Web and Active endpoints
     • Outlook, IMAP/POP and ActiveSync send username/password to Exchange Online
     • Basic auth proposal: pass client IP, protocol and device name
  18. Credential prompts by client type and identity model
     Web Clients (Office with SharePoint Online; Outlook Web Application, where Remember me = persisted cookie)
     • Federated identities (domain joined): no prompt (AD credentials)
     • Federated identities (non-domain joined): username and password (AD credentials)
     • Cloud identity: username and password (Online ID)
     Exchange Clients (Outlook; ActiveSync/POP/IMAP; Entourage) – can save credentials
     • Federated identities (domain joined): username and password (AD credentials)
     • Federated identities (non-domain joined): username and password (AD credentials)
     • Cloud identity: username and password (Online ID)
     Rich Applications (SIA: Lync; Office Subscriptions; CRM Rich Client) – can save credentials
     • Federated identities (domain joined): username (AD credentials)
     • Federated identities (non-domain joined): username and password (AD credentials)
     • Cloud identity: username and password (Online ID)
  19. Authentication flow (passive/web profile), identity federation
     Participants: client (joined to CorpNet), Active Directory and AD FS 2.0 Server on the customer side; authentication platform and Exchange Online or SharePoint Online on the Microsoft Online Services side.
     • AD FS 2.0 Server issues a logon token (SAML 1.1) carrying UPN: user@contoso.com and Source User ID: ABC123
     • The authentication platform issues an auth token carrying UPN: user@contoso.com and Unique ID: 254729
  20. Authentication flow (MEX/rich client profile), identity federation
     Participants: client (joined to CorpNet), Active Directory and AD FS 2.0 Server on the customer side; authentication platform and Lync Online on the Microsoft Online Services side.
     • AD FS 2.0 Server issues a logon token (SAML 1.1) carrying UPN: user@contoso.com and Source User ID: ABC123
     • The authentication platform issues an auth token carrying UPN: user@contoso.com and Unique ID: 254729
  21. Active flow (Outlook/ActiveSync), always external, identity federation
     Participants: client (joined to CorpNet), Active Directory and AD FS 2.0 Proxy on the customer side; authentication platform and Exchange Online on the Microsoft Online Services side.
     • The client sends Basic Auth credentials (username/password) to Exchange Online
     • AD FS 2.0 Proxy issues a logon token (SAML 1.1) carrying UPN: user@contoso.com and Source User ID: ABC123
     • The authentication platform issues an auth token carrying UPN: user@contoso.com and Unique ID: 254729
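The three flows above all turn on the same SAML 1.1 logon token: AD FS issues it with a UPN and a Source User ID (the ImmutableID written by directory synchronization), and the cloud side maps that onto its own object and its Unique ID. The following is an added example, not code from the deck or from Microsoft: it models the relying-party checks on such a token and the mapping step. The assertion, the cloud directory and the timestamps are constructed; the audience URI, claim namespaces and attribute names are the ones used for the Office 365 relying-party trust. XML signature verification is left out, so the code shows the claim handling, not a complete token validator.

```python
# Added example (not from the deck): a model of the SAML 1.1 logon token that AD FS 2.0
# issues in the passive, MEX and active flows, and of the cloud side's mapping of that
# token onto a synchronized user. XML signature verification is deliberately out of
# scope; a real relying party must verify the signature against the IdP's signing
# certificate (published in federation metadata) before trusting any attribute.
import datetime as dt
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"   # SAML 1.1 assertions keep the 1.0 namespace
O365_AUDIENCE = "urn:federation:MicrosoftOnline"      # audience of the Office 365 relying-party trust
UPN_NS = "http://schemas.xmlsoap.org/claims"
IMMUTABLE_ID_NS = "http://schemas.microsoft.com/LiveID/Federation/2008/05"

# Constructed sample token carrying the two claims shown in the flow diagrams:
# UPN (user@contoso.com) and Source User ID / ImmutableID (ABC123).
SAMPLE_TOKEN = f"""<saml:Assertion xmlns:saml="{SAML1_NS}" MajorVersion="1" MinorVersion="1"
    AssertionID="_constructed-sample" Issuer="http://sts.contoso.com/adfs/services/trust"
    IssueInstant="2013-03-01T10:00:00Z">
  <saml:Conditions NotBefore="2013-03-01T10:00:00Z" NotOnOrAfter="2013-03-01T11:00:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>{O365_AUDIENCE}</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>ABC123</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="UPN" AttributeNamespace="{UPN_NS}">
      <saml:AttributeValue>user@contoso.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="ImmutableID" AttributeNamespace="{IMMUTABLE_ID_NS}">
      <saml:AttributeValue>ABC123</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed stand-in for the cloud directory: objects keyed by the source anchor that
# directory synchronization wrote, with the cloud-side unique ID from the diagrams.
CLOUD_DIRECTORY = {"ABC123": {"upn": "user@contoso.com", "unique_id": 254729}}


def _instant(value):
    """Parse the UTC timestamps SAML uses (YYYY-MM-DDTHH:MM:SSZ)."""
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def _q(tag):
    """Namespace-qualify a SAML 1.x element name for ElementTree."""
    return f"{{{SAML1_NS}}}{tag}"


def validate_logon_token(xml_text, now_utc, expected_audience=O365_AUDIENCE):
    """Check version, validity window and audience, then return the UPN and ImmutableID claims.
    Raises ValueError on any failed check; the caller must treat that as 'not authenticated'."""
    root = ET.fromstring(xml_text)
    if root.tag != _q("Assertion") or (root.get("MajorVersion"), root.get("MinorVersion")) != ("1", "1"):
        raise ValueError("not a SAML 1.1 assertion")
    cond = root.find(_q("Conditions"))
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        raise ValueError("assertion has no validity window")
    now = _instant(now_utc)
    if not (_instant(cond.get("NotBefore")) <= now < _instant(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    if expected_audience not in [a.text for a in cond.iter(_q("Audience"))]:
        raise ValueError("assertion not addressed to this relying party")
    claims = {}
    for attr in root.iter(_q("Attribute")):
        value = attr.find(_q("AttributeValue"))
        key = (attr.get("AttributeNamespace"), attr.get("AttributeName"))
        claims[key] = value.text if value is not None else None
    upn = claims.get((UPN_NS, "UPN"))
    immutable_id = claims.get((IMMUTABLE_ID_NS, "ImmutableID"))
    if not upn or not immutable_id:
        raise ValueError("token must carry both UPN and ImmutableID")
    return {"upn": upn, "immutable_id": immutable_id}


def issue_auth_token(claims, directory=CLOUD_DIRECTORY):
    """Map the federated claims onto the synchronized cloud object and return the auth-token
    contents shown in the diagrams (UPN plus the cloud-side unique ID)."""
    record = directory.get(claims["immutable_id"])
    if record is None:
        raise LookupError("no synchronized user for this source user ID")
    # This model also requires the UPN in the token to match the synchronized object, so a
    # stale or renamed on-premises account cannot be mapped onto the wrong cloud object.
    if record["upn"].lower() != claims["upn"].lower():
        raise ValueError("UPN in token does not match the synchronized user")
    return {"upn": record["upn"], "unique_id": record["unique_id"]}


if __name__ == "__main__":
    logon = validate_logon_token(SAMPLE_TOKEN, "2013-03-01T10:30:00Z")
    print("logon token claims:", logon)
    print("auth token:", issue_auth_token(logon))
```

The validity-window and audience checks are the ones a replay or a token issued for a different relying party fails; the ImmutableID lookup is why the slides pair federation with directory synchronization, since without a synchronized object there is nothing to map the token onto.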
  22. Shibboleth
     • Open source software package providing functionality similar to ADFS (e.g. SSO, authentication, SAML 2.0)
     • Popular implementation of SAML 2.x with higher-education institutions worldwide
     • Shibboleth is managed by the Shibboleth Consortium (http://www.shibboleth.net/index.html)
     • Latest version is 2.3.6
     • Set up a SAML 2.0 federation between Office 365 and their Shibboleth IdP
     • Deploy DirSync for user provisioning with AD, and deploy MSOMA + FIM for user provisioning from non-AD
     Diagram: two institutions (Contoso.edu and Fabrikam.edu), each with a Shibboleth 2.x IdP, one backed by AD and one by a non-AD directory, both provisioned through MSOMA + FIM; clients shown: email, rich clients, web client.
  23. External access restriction scenarios
     • Block all external access to Office 365 based on the IP address of the external client
     • Block all external access to Office 365 except Exchange ActiveSync; all other clients, such as Outlook, are blocked
     • Block all external access to Office 365 except for passive browser-based applications such as Outlook Web Access or SharePoint Online
  24. Multi-forest Active Directory (diagram: on-premises identity, e.g. Domain\Alice, across multiple AD forests, synchronized with DirSync on FIM and federated with ADFS to Windows Azure Active Directory)
     • Multi-forest AD support is available through Microsoft-led deployments
     • The multi-forest DirSync appliance supports multiple disjoint account forests
     • The FIM 2010 Office 365 connector supports complex multi-forest topologies
  25. Non-AD directories (diagram: on-premises identity, e.g. Domain\Alice, in a non-AD (LDAP) directory, synchronized with the Office 365 connector on FIM and federated with a non-ADFS STS to Windows Azure Active Directory)
     • Preferred option for directory synchronization with non-AD sources
     • Non-AD support with FIM is available through Microsoft-led deployments
     • The FIM 2010 Office 365 connector supports complex multi-forest topologies
