Identity in the cloud using Microsoft

Identity in the cloud: ADFS 2.0, Azure, Office 365, Multifactor authentication
1. Identity in the cloud: ADFS 2.0, Azure, Office 365, Multifactor authentication (12 October, 2011)

2. Agenda
    - Introduction
    - ADFS 2.0: What is Federation?
    - Single-sign-on: Extending the model to the cloud
    - Multifactor Authentication
    - How to make my company cloud-ready?

3. Identity

4. Why Cloud?
    - Why do companies want to move to the cloud?
    - What can they move to the cloud?
    - Where do they move it to?
    - Do they want everything in one location?

5. Cloud Pains
    What makes moving to the cloud difficult?
    - Identity
        - Difficult for the end-user (confusing and time consuming)
        - Extra management for IT (password resets, etc.)
        - New employees -> many accounts in many systems
        - Leaving employees -> many accounts to block; a missed one is a security breach
    - Migration
        - Hard to migrate everything at once (timeframe, downtime)
    - Convince management
        - Maybe they don't like it when their data is stored elsewhere

6. Cloud Pains (diagram)

7. Solution to cloud pains?

8. Solution to cloud pains?
    One identity (Active Directory):
    - Used for internal apps
    - Used for external apps from partners
    - Used for external cloud services
    How? You'll learn in this session. ADFS and SSO are the key!

9. Not only Microsoft: Imagine 2016...
    (diagram: my users connect to Office 365, Accounting, Financial Info, Social Secretary, Bank application, Combell and Salesforce.com)

10. Agenda (section: ADFS 2.0: What is Federation?)

11. ADFS 2.0: What is Federation? - Before Federation
    (diagram: User Company and Application Company; the Application Company keeps its own ID STORE for the users)

12. ADFS 2.0: What is Federation? - With Federation
    (diagram: the User Company authenticates users against its ID STORE through ADFS1; the Application Company runs ADFS2; a FEDERATION TRUST links ADFS1 and ADFS2, and each company trusts its own ADFS)

13. ADFS 2.0: What is Federation? - What are claims?
    - Statements about users (name, id, group, ...)
    - Used for authorization by claims-aware applications
    How are they used?
    - Claims are encrypted in SAML tokens and passed on
    - Tokens are signed by a trusted source
    - Applications make decisions based on the claims:
        if jobtitle == "buyer" and department == "production" then access = true
    - Claims can be transformed on their way:
        if jobtitle == "purchaser" then output_token:jobtitle = "buyer"
        if jobtitle == "buyer" and department == "production" then output_token:spendlimit = "50€"

14. ADFS 2.0: What is Federation? - Using Claims
    (diagram: after AUTHENTICATION, AD attributes such as Job Title and Department are read from the ID STORE; ADFS1 issues a SAML token with Jobtitle = "Purchaser"; ADFS2 transforms it into a SAML token with Jobtitle = "Buyer"; the application applies: If Jobtitle = "Buyer" then Access = True)
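The claims flow of slides 13 and 14 as an added example (not part of the original deck): ADFS1 issues a token from the user's AD attributes, ADFS2 accepts it only from its federation trust partner, applies the two transformation rules from slide 13 and re-issues a token of its own, and the claims-aware application trusts only ADFS2 before making the access decision. The issuer names, keys and the HMAC standing in for the SAML token's X.509 signature are constructed for this demo.

```python
import hmac, hashlib, json

# Constructed demo keys standing in for each federation server's token-signing
# certificate; a real ADFS token carries an XML signature, not an HMAC.
ADFS1_KEY = b"user-company-token-signing-key"
ADFS2_KEY = b"application-company-token-signing-key"

def issue_token(issuer, key, claims):
    """Issue a token: the issuer's claims plus a signature over them."""
    body = json.dumps({"issuer": issuer, "claims": claims}, sort_keys=True)
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}

def verify_token(token, trusted_issuers):
    """Accept only tokens from an issuer in our trust list with a valid
    signature; claims are never read before the signature checks out."""
    body = json.loads(token["body"])
    key = trusted_issuers.get(body["issuer"])
    if key is None:
        raise ValueError("untrusted issuer " + body["issuer"])
    expected = hmac.new(key, token["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        raise ValueError("bad signature")
    return body["claims"]

def transform_claims(incoming):
    """The two transformation rules of slide 13, applied in order by ADFS2."""
    out = dict(incoming)
    if out.get("jobtitle") == "purchaser":
        out["jobtitle"] = "buyer"
    if out.get("jobtitle") == "buyer" and out.get("department") == "production":
        out["spendlimit"] = "50€"
    return out

def federated_access(ad_attributes):
    """Returns (access decision, claims seen by the application)."""
    # ADFS1 (User Company) has authenticated the user against AD and issues a token.
    t1 = issue_token("ADFS1", ADFS1_KEY, ad_attributes)
    # ADFS2 (Application Company) trusts ADFS1 only, transforms and re-issues.
    claims = transform_claims(verify_token(t1, {"ADFS1": ADFS1_KEY}))
    t2 = issue_token("ADFS2", ADFS2_KEY, claims)
    # The application trusts ADFS2 only and decides on the transformed claims.
    final = verify_token(t2, {"ADFS2": ADFS2_KEY})
    access = final.get("jobtitle") == "buyer" and final.get("department") == "production"
    return access, final
```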
15. Agenda (section: Single-sign-on: Extending the model to the cloud)

16. Single-sign-on: How does it work?
    (diagram, on-premise: the user presses Ctrl-Alt-Del and authenticates against the DOMAIN CONTROLLER; the domain-joined IIS SERVER asks the domain controller "is the user authenticated?")

17. Single-sign-on: Extending the model to the cloud - Windows Azure Connect
    (diagram: the IIS SERVER in Windows Azure is domain-joined through the Windows Azure Connect agent, so the same "is the user authenticated?" check reaches the on-premise DOMAIN CONTROLLER)

18. Single-sign-on: Extending the model to the cloud - Azure with Federation: Access Control Service
    (diagram: the User Company's ACTIVE DIRECTORY authenticates the user through ADFS; a FEDERATION TRUST links ADFS to ACS, which the IIS SERVER in Azure trusts)

19. Single-sign-on: Extending the model to the cloud - Office 365 default login
    (diagram: the user logs in with a Microsoft Online ID (MSOLID) held in the Microsoft Online Directory Service (MSODS))

20. Single-sign-on: Extending the model to the cloud - Office 365 with Federation: MS Federation Gateway
    (diagram: the User Company's ACTIVE DIRECTORY authenticates the user through ADFS; a FEDERATION TRUST links ADFS to the MS Federation Gateway (MFG), which MSOLID and MSODS trust)

21. Single-sign-on: Extending the model to the cloud - Office 365 Directory Synchronization
    (diagram: the ACTIVE DIRECTORY SYNCHRONIZATION SERVER copies Name, Email, ObjectGUID, ... from ACTIVE DIRECTORY to the MS ONLINE DIRECTORY SERVICE (MSODS) and MS ONLINE ID (MSOLID))

22. Single-sign-on: Extending the model to the cloud - Office 365 with Federation Proxy
    (diagram: a user @HOME reaches the ADFS PROXY, which forwards to ADFS and ACTIVE DIRECTORY; the FEDERATION TRUST with MFG stays in place)

23. Agenda (section: Multifactor Authentication)
24. Multifactor Authentication: What is it?
    Different kinds of evidence that someone is who they say they are:
    - Something one knows: a secret such as a password or PIN
    - Something one has: a passport, physical token, ID card, ...
    - Something one is: a biometric such as a fingerprint, iris scan or face geometry

25. Multifactor Authentication: In the cloud
    Two options are available:
    - Integrate the ADFS 2.0 Proxy login page with your strong authentication provider. In this option you customize the AD FS 2.0 proxy login ASPX page to introduce extra fields in which users enter the extra authentication factors.
    - Use the Forefront Unified Access Gateway (UAG) SP1 server. This gateway supports a wide range of two-factor authentication providers, as well as direct access to an expanded set of scenarios involving two-factor authentication.

26. Multifactor Authentication: In the cloud - ADFS 2.0 Proxy login page (screenshot)

27. Multifactor Authentication: In the cloud - Unified Access Gateway (UAG) SP1 server
    - Forefront UAG intercepts the redirection to the Account Federation server
    - Instead it redirects the web browser to the Forefront UAG login page
    (diagram: UAG in front of the ADFS PROXY and ADFS)

28. Agenda (section: How to make my company cloud-ready?)
29. Cloud-ready company: Server requirements
    - ADFS 2.0 Server(s)
        - Can be installed on existing domain controllers (if 2008/2008R2)
        - Can be a farm for redundancy (NLB host needed)
        - Optionally, a SQL cluster can be used to store the database
    - ADFS 2.0 Proxy Server(s)
        - Can be installed on existing web/proxy servers (if 2008/2008R2)
        - Can be a farm for redundancy (NLB needed)
    - Office 365: Directory Synchronization Server(s)
        - Must be a 32-bit server (no 2008R2!), can be 2003/2008
        - Cannot be installed on a domain controller, but needs the same security!

30. Cloud-ready company: Typical setup for a small company
    - One ADFS 2.0 Server
        - Installed on a domain controller or a dedicated server
        - Uses WID (Windows Internal Database)
    - One ADFS 2.0 Proxy
        - Installed on an existing web/proxy server or a dedicated server
    - Office 365: Directory Synchronization Server(s)
        - Installed on a dedicated 2008 32-bit server

31. Cloud-ready company: Typical cost for a small company
    - 1 to 3 extra Windows licenses
    - Recommended: certificate from a public CA for ADFS and ADFS Proxy
    - 2 to 3 days of sysadmin work
    - 1 day of PM work
    - 1 day of testing

32. Benefits
    - Less management for IT
        - Fewer calls to the helpdesk for identity-related problems
        - Fewer user accounts to manage
        - Easier to manage new employees (only one account to create)
    - More transparent and easier for the end-user
        - Has to remember one username and one password
        - Has to log on only once with SSO (inside the company) -> time saving
    - More security
        - Leaving employees are blocked on all applications at once
        - Identity managed by your own IT department
        - Multifactor authentication for more security outside the company

33. Q&A

34. Closing slide: Identity in the cloud: ADFS 2.0, Azure, Office 365, Multifactor authentication
