Bridging on premise identity management
  • 535 views

 

    Presentation Transcript

    • John Gilham, Principal Consultant, Agile IT
    • Key components:
      ◦ Synchronization (DirSync) and SSO concepts
      ◦ SSO federation (AD FS 2.0)
      ◦ Email rich co-existence (on-premise <-> cloud)
    • Password policy controls for Microsoft Online IDs
    • Single sign-on with corporate credentials
    • Directory Synchronization updates
    • Role-based administration: five administration roles
      ◦ Company Admin
      ◦ Billing Admin
      ◦ User Account Admin
      ◦ HelpDesk Admin
      ◦ Service Support Admin
      ◦ “Admin on behalf of” for support partners
    • Identity options:
      1. Microsoft Online IDs
      2. Microsoft Online IDs + Microsoft Online Services Directory Synchronization (DirSync)
      3. Single Sign On (SSO) Federation + Directory Synchronization (DirSync)
      Diagram: the Contoso customer premises (Active Directory, federation server / IdP, Directory Sync, PowerShell, Office 365 Desktop Setup) hold a trust with the Microsoft Online Services platform (Identity Services: authentication platform, MS Online IdP, provisioning platform, directory store, admin portal), which fronts Exchange Online, SharePoint Online and Lync Online.
    • Comparison of the three options:
      ◦ Microsoft Online IDs
        Appropriate for: smaller orgs without AD on-premise
        Pros: no servers required on-premise
        Cons: no SSO; no 2FA; 2 sets of credentials to manage with differing password policies; IDs mastered in the cloud
      ◦ Microsoft Online IDs + DirSync
        Appropriate for: medium/large orgs with AD on-premise
        Pros: users and groups mastered on-premise; enables co-existence scenarios
        Cons: no SSO; no 2FA; 2 sets of credentials to manage with differing password policies; single server deployment
      ◦ SSO Federation + DirSync
        Appropriate for: larger enterprise orgs with AD on-premise
        Pros: SSO with corporate credentials; IDs mastered on-premise; password policy controlled on-premise; 2FA solutions possible; enables co-existence scenarios
        Cons: high availability server deployments required
    • Office 365 Desktop Setup required for rich clients
      ◦ Installs client and operating system updates to enable the best sign-on experience
      ◦ Not required for web kiosk scenarios (e.g. OWA)
    • Password prompts
      ◦ Can be saved for rich applications; can remain “signed in” for web applications
      ◦ Will prompt again when the password changes or expires
    • Single sign-on prompts
      ◦ Can bypass prompts by using “Smart Links”. Still requires a password for non-domain-joined machines.
      ◦ Prompt for user name must be in UPN format for realm discovery (no internal TLD such as .local or .loc)
      ◦ Non-domain-joined machines are prompted for both user name (realm discovery) and password (Active Directory credentials)
    • Credential matrix (table on the slide). Columns: Outlook Web Application; ActiveSync, POP, IMAP, Entourage; Office 2010 or Office 2007 SP2 (Win7/Vista/XP); Outlook 2007 or 2010 (Win7/Vista/XP); SharePoint Web Application; Lync Online (Win7/Vista/XP). Rows: MS Online IDs sign in with the Online ID in every client; SSO IDs on domain-joined machines sign in with AD credentials, with some clients prompting each session*; SSO IDs on non-domain-joined machines sign in with AD credentials in every client.
    • Authentication flow (Passive/Web profile). Diagram: the client (joined to CorpNet) logs on to the customer's Active Directory; the AD FS 2.0 server issues a SAML 1.1 token (UPN: user@contoso.com, Source User ID: ABC123); the Microsoft Online Services authentication platform accepts the token and maps it to the online account (UPN: user@contoso.com, Unique ID: 254729), which is then used against Exchange Online or SharePoint Online.
    • Authentication flow (MEX/Rich Client profile). Diagram: the same customer-side logon and AD FS 2.0 SAML 1.1 token (UPN: user@contoso.com, Source User ID: ABC123) and the same mapping on the authentication platform (Unique ID: 254729), here for a rich client (joined to CorpNet) signing in to Lync Online.
    • Active flow (Outlook/ActiveSync). Diagram: the client (joined to CorpNet) sends Basic Auth credentials (username/password) to Exchange Online; the Microsoft Online Services authentication platform presents them to the customer's AD FS 2.0 server, which authenticates against Active Directory and returns the SAML 1.1 token (UPN: user@contoso.com, Source User ID: ABC123) that is mapped to Unique ID 254729.
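To make the trust relationship on these three slides concrete, here is an added Python sketch (not from the deck, and not Office 365's actual wire protocol) of the token the customer's AD FS 2.0 server issues and how the online authentication platform consumes it in the passive and active profiles; the issuer URL, password and directory contents are constructed sample data.

```python
# Constructed toy model of the three flows above (illustrative names and IDs, not
# Office 365's real wire protocol): the customer's AD FS 2.0 server issues a SAML 1.1
# token with the UPN and an immutable Source User ID; the online platform maps it to a Unique ID.
CORP_DIRECTORY = {"user@contoso.com": ("Pa55w0rd!", "ABC123")}  # upn -> (password, source id)

class AdfsServer:
    """Customer-side identity provider; the online platform trusts its issuer name."""
    issuer = "https://sts.contoso.com/adfs/services/trust"  # assumed issuer name

    def __init__(self, directory):
        self.directory = directory

    def issue_token(self, upn, password):
        # All profiles end here: Active Directory checks the credentials, AD FS issues a token.
        record = self.directory.get(upn)
        if record is None or record[0] != password:
            return None
        return {"issuer": self.issuer, "upn": upn, "source_user_id": record[1]}

class OnlineAuthPlatform:
    """Microsoft Online side: trusts listed issuers only and keys the account on the
    source user id (kept in step by DirSync), never on the renameable UPN."""

    def __init__(self, trusted_issuers, id_map):
        self.trusted_issuers = trusted_issuers
        self.id_map = id_map  # source user id -> online unique id

    def accept_token(self, token):
        if token is None or token["issuer"] not in self.trusted_issuers:
            return None
        return self.id_map.get(token["source_user_id"])

    def passive_logon(self, token):
        # Web and MEX profiles: the client fetched the token from AD FS and presents it.
        return self.accept_token(token)

    def active_logon(self, username, password, adfs):
        # Active profile: Exchange Online got Basic Auth credentials, so the platform
        # itself asks AD FS for the token; the password transits the cloud service.
        return self.accept_token(adfs.issue_token(username, password))

ADFS = AdfsServer(CORP_DIRECTORY)
PLATFORM = OnlineAuthPlatform({AdfsServer.issuer}, {"ABC123": "254729"})

def demo():
    # Returns (passive OK, active OK, active with bad password, token from an untrusted issuer).
    token = ADFS.issue_token("user@contoso.com", "Pa55w0rd!")
    return (PLATFORM.passive_logon(token), PLATFORM.active_logon("user@contoso.com", "Pa55w0rd!", ADFS),
            PLATFORM.active_logon("user@contoso.com", "wrong", ADFS),
            PLATFORM.passive_logon(dict(token, issuer="https://untrusted.example/sts")))
```

The last two results show why the platform must pin the issuer and why the active profile deserves the proxy/UAG/TMG treatment discussed later: in that profile the AD password passes through the cloud service.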
    • Microsoft Online Services requirements
      ◦ MS Online business scenarios always use WS-*; WS-Trust provides support for rich client authentication
      ◦ Identity federation supported initially only through AD FS 2.0
    • Protocols supported
      ◦ WS-*, SAML 1.1
      ◦ SAML-P coming later
    • Strong authentication (2FA) solutions
      ◦ Web applications via the AD FS proxy sign-in page or other proxies (UAG/TMG)
      ◦ Rich clients dependent on configuration
    • AD FS 2.0 deployment options:
      1. Single server configuration
      2. AD FS 2.0 server farm and load balancer
      3. AD FS 2.0 proxy server or UAG/TMG (external users, ActiveSync, Outlook)
      Diagram: Active Directory and the AD FS 2.0 servers sit on the internal network with the enterprise user; the AD FS 2.0 proxy servers sit in the DMZ.
    • Domain structure, description and considerations:
      ◦ Matching domains: internal domain and external domain are the same, i.e. contoso.com. No special requirements.
      ◦ Sub domain: internal domain is a sub domain of the external domain, i.e. corp.contoso.com. Requires domains registered in order, primary then sub domains.
      ◦ .local domain: internal domain is not publicly “registered”, i.e. contoso.local. Domain ownership can’t be proved, must use a different domain. Requires all users to get a new UPN; use the SMTP address if possible.
      ◦ Multiple distinct UPN suffixes in a single forest: mix of users having login UPNs under different domains, i.e. contoso.com & fabrikam.com. Currently requires multiple AD FS servers.
      ◦ Multi forest: multiple AD forests. Not currently supported.
    • High availability design for AD FS 2.0
    • Every user must have a UPN
    • UPN suffix must match a validated domain in Office 365
    • UPN character restrictions
      ◦ Letters, numbers, dot, underscore or dash
      ◦ No dot before the @ symbol
    • Users may need to understand that they must use the UPN to log on to Office 365 apps
      ◦ Can be hidden from users with smart links from domain machines
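As an added illustration (not code from the deck or from Agile IT), the following Python models the UPN rules on this slide, the realm-discovery decision the sign-in page makes from the UPN suffix (from the prompts slide earlier), and the domain-structure table above; the tenant's validated domains and their federated/managed state are constructed sample data.

```python
import re

# Constructed sample tenant state (not from the deck): verified Office 365 domains
# and whether each is federated (AD FS 2.0 sign-in) or managed (Microsoft Online ID).
VALIDATED_DOMAINS = {
    "contoso.com": "federated",
    "fabrikam.com": "federated",
    "contoso.onmicrosoft.com": "managed",
}

# UPN character rules from the deck: letters, numbers, dot, underscore or dash.
LOCAL_PART = re.compile(r"^[A-Za-z0-9._-]+$")
INTERNAL_TLDS = (".local", ".loc")  # non-routable suffixes the deck calls out

def check_upn(upn, validated_domains=VALIDATED_DOMAINS):
    """Return the reasons a UPN cannot sign in to Office 365 (empty list means it can)."""
    if upn.count("@") != 1:
        return ["UPN must contain exactly one @"]
    local, suffix = upn.split("@")
    suffix = suffix.lower()
    problems = []
    if not LOCAL_PART.match(local):
        problems.append("user part may only contain letters, numbers, dot, underscore or dash")
    if local.endswith("."):
        problems.append("no dot allowed immediately before the @")
    if suffix.endswith(INTERNAL_TLDS):
        problems.append("suffix %s is an internal TLD that cannot be verified" % suffix)
    elif suffix not in validated_domains:
        problems.append("suffix %s is not a validated domain in the tenant" % suffix)
    return problems

def realm_discovery(upn, validated_domains=VALIDATED_DOMAINS):
    """Where the Office 365 sign-in page sends the user once it sees the UPN suffix."""
    if check_upn(upn, validated_domains):
        return "reject"
    kind = validated_domains[upn.split("@")[1].lower()]
    return "adfs" if kind == "federated" else "online-id"

def domain_structure(internal_domain, external_domain):
    """Classify an AD domain against the public domain, as the deck's structure table does."""
    i, e = internal_domain.lower(), external_domain.lower()
    if i == e:
        return ("matching domains", "no special requirements")
    if i.endswith("." + e):
        return ("sub domain", "register the primary domain first, then the sub domain")
    if i.endswith(INTERNAL_TLDS):
        return (".local domain", "ownership cannot be proved; users need a new UPN suffix")
    return ("multiple UPN suffixes", "currently requires an additional AD FS server")
```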
    • Number of options depending on needs
      ◦ Rich applications without strong authentication
      ◦ Web apps with strong authentication (RSA etc.)
      ◦ OS/ActiveSync devices without strong authentication
    • Three options (authentication scheme, authentication, limitations):
      ◦ AD FS proxy: requires integration of the strong authentication provider with the AD FS proxy login page. Limitations: none.
      ◦ Forefront TMG: publish the AD FS server; integration with some strong authentication providers is provided out of the box. Limitations: supported, but requires each path to be published separately.
      ◦ Forefront UAG SP1: publish the AD FS server; integration with a wide range of authentication providers out of the box, very flexible integration options. Limitations: supported, but requires each path to be published separately.
    • Today’s Focus: Exchange co-existence features (Simple vs. Rich*; the per-column check marks are not preserved in the transcript)
      ◦ Mail routing between on-prem and cloud (recipients on either side)
      ◦ Mail routing with shared namespace (if desired): @company.com on both sides
      ◦ Unified GAL
      ◦ Free/Busy and calendar sharing cross-prem
      ◦ Out of Office understands that cross-prem is “Internal” to the organization
      ◦ MailTips, message tracking, and mailbox search work cross-prem
      ◦ OWA redirection cross-premise (single OWA URL for both on-prem and cloud)
      ◦ Preserve Auth header (ensure internal email is not marked as spam, resolves against GAL, etc.)
      ◦ EMC GUI tool (on-prem) used to manage cross-prem mailbox migrations
      ◦ Mailbox moves support both onboarding and offboarding
      ◦ No Outlook reconfiguration or OST resync required after mailbox migration
      * Rich requires Exchange 2010 SP1 Hub+CAS on-prem and supplemental configuration steps (both on-prem and in the cloud)
    • Today’s Focus: Cutover vs. Coexistence
      ◦ Cutover
        Executed over a weekend; switch the MX record
        All users moved as part of a “big switch” to the cloud
        No option to pilot mailboxes
        No on-prem configuration or hardware requirement
      ◦ Coexistence
        Executed over some longer period of time (a week, a month, a year, etc.)
        No requirement to ever flip “a switch”; can run in the coexistence scenario indefinitely
        Requires on-prem configuration and hardware
    • Answer Your Office 365 Questions @Agile_IT AgileIT.com/Blog