Single Sign-On with Microsoft Azure Julian Soh Mark Ghazai

Preview:

Citation preview

Single Sign-On with Microsoft AzureJulian SohMark Ghazai

Azure Active Directory• Your Directory in the Cloud• Cloud authentication• A comprehensive identity and access management

cloud solution

• It combines directory services, advanced identity governance, application access management and a rich standards-based platform for developers

• Azure Active Directory Premium includes Multi-Factor Authentication, and server and user CALs for Identity Manager

Difference between Directory Sync and AD FS• Directory Synchronization is an identity propagation

workload and does not require AD FS.

• AD FS is responsible for authentication by being the claims middleman. It generally requires some kind of directory synchronization first.

• AD FS works with AD DC to facilitate authentication.

LyncOnlineCentral

AD

Forefront Identity Manager (DirSync)

Provisioningplatform

Password Sync

IdP

Azure Active

Directory

Office 365 Portal/PowerShell

Authentication platform

IdP

ExchangeOnline

SharePointOnline

Exchange Hybrid

Portal

1a – Simple Configuration Password Sync

Information is provided as examples with no assumption of support expressed or implied. Deployment recommendations should be obtained through consulting services.

LyncOnlineCentral

AD

Forefront Identity Manager (DirSync)

Provisioningplatform

AD Federation Services

ADFS FederationTrust

IdP

Azure Active

Directory

Office 365 Portal/PowerShell

Authentication platform

IdP

ExchangeOnline

SharePointOnline

Exchange Hybrid

Portal

1b – Simple Configuration Federated Authentication

Information is provided as examples with no assumption of support expressed or implied. Deployment recommendations should be obtained through consulting services.

LyncOnline

Central

Forefront Identity Manager

Provisioningplatform

Azure Active

Directory

Office 365 Portal/PowerShell

Authentication platform

IdP

ExchangeOnline

SharePointOnline

Central

Exchange Hybrid

Portal

2 Password Sync for Same-Sign-OnAgency

AD

IdP

IdP

FIM

w/

Pass

word

Sync

Password Sync

Information is provided as examples with no assumption of support expressed or implied. Deployment recommendations should be obtained through consulting services.

LyncOnline

Central

AD

Forefront Identity Manager

Provisioningplatform

AD Federation Services

ADFS FederationTrust

IdP

Azure Active

Directory

Office 365 Portal/PowerShell

Authentication platform

IdP

ExchangeOnline

SharePointOnline

Exchange Hybrid

Portal

3 Agency Single Sign-On w/ Central ADFS

Agency

AD

IdP

Two-w

ay T

rust

FIM

Serv

er

Information is provided as examples with no assumption of support expressed or implied. Deployment recommendations should be obtained through consulting services.

LyncOnline

Central

AD

Forefront Identity Manager

Provisioningplatform

AD Federation Services

ADFS FederationTrusts

IdP

Azure Active

Directory

Office 365 Portal/PowerShell

Authentication platform

IdP

ExchangeOnline

SharePointOnline

Exchange Hybrid

Portal

4 Agency Single-Sign-On w/ Agency Provided ADFS

Agency

AD AD Federation Services

IdP

FIM

Serv

er

ADFS FederationTrusts

Information is provided as examples with no assumption of support expressed or implied. Deployment recommendations should be obtained through consulting services.

Run these in Azure? Why?• How these would look like when running in Azure• Connectivity (s2s VPN or ExpressRoute)• Why? Uptime, SLA, redundancy

Domain Controller

Client

WAP ADFSWeb Service/Application

VPN

Azure

Domain Controller

Corp

443

DC

443

Web Server/Application

Domain Controller

Client

WAP ADFSWeb Service/Application

VPN

Azure

Domain Controller

Corp

443 DC

443

443

Web Server/Application

MIM enables consistent IAM policiesOn-premises and private cloud

Azure Active Directory

Azure ADApp Proxy

Your apps

Microsoft Identity Manager vNext

Identity Stores

Policies andWorkflow

Clients

WindowsOutlookPortal Custom

Identity Manager Capabilities

Cloud Services Databases Directories Applications

Identity Manager Platform Scenarios

Request Permission AuthN AuthZ ActionService DB

Identity Synchronization

RoleManagement

Certificate Management

Group Management

Password Reset

Azure AD Connect Demo

Azure Calculator Demo• Typical VM Sizes

Description1x AAD Sync Server with internal database (1 x A2 Basic VM)1x R/W Domain Controller (1 x A2 Basic VM)2x AD FS Proxy Servers (optional) (2x A2 Standard VM)2x AD FS Servers (2 x A2 Standard VM)

http://azure.microsoft.com/en-us/pricing/calculator/

Azure AD as an IDaaS demo…