Jethro Seghers
Blogger
Twitter: @jseghers
E-mail: [email protected]
Blog: http://www.j-solutions.be/blog
Consultant
Trainer
Agenda
• Why Federation
• How Does ADFS Work
• DirSync
• Pitfalls of ADFS
• IaaS for ADFS
• Why Windows Azure
• Windows Azure
• Demo
Identity options comparison
1. MS Online IDs
Appropriate for
• Smaller organizations without AD on-premise
Pros
• No servers required on-premise
Cons
• No SSO
• No 2FA (strong authentication)
• 2 sets of credentials to manage with differing password policies
• Users and groups mastered in the cloud
2. MS Online IDs + Dir Sync
Appropriate for
• Orgs with AD on-premise
Pros
• Users and groups mastered on-premise
• Enables co-existence scenarios
Cons
• No SSO
• No 2FA
• 2 sets of credentials to manage with differing password policies
• Single server deployment
3. Federated IDs + Dir Sync
Appropriate for
• Larger enterprise organizations with AD on-premise
Pros
• SSO with corporate cred
• Users and groups mastered on-premise
• Password policy controlled on-premise
• 2FA solutions possible
• Enables co-existence scenarios
Cons
• High availability server deployments required
Identity architecture: Identity options
[Diagram: “Bronze Sky” customer premises with AD, Directory Sync and Active Directory Federation Server 2.0 (trust); Microsoft Office 365 services with MS Online Directory, identity platform, provisioning platform, authentication platform (IdP, IdP directory store, admin portal), Federation Gateway, service connector, Exchange Online, SharePoint Online and Lync Online. Options shown: 1. Microsoft Online IDs, 2. Microsoft Online IDs + DirSync, 3. Federated IDs + DirSync.]
Sign On Experience across apps and OSs
Federated vs. Non-Federated Summary
A new “service connector” is needed – primarily for rich clients
• Installs client and operating system updates to enable best sign-on experience
• Enables authentication support for rich clients
• Ensures clients have all needed configuration data to enable service usage
Web kiosk scenarios (e.g. OWA) supported without the service connector
[Table: sign-on prompts per application and OS, comparing Federated IDs on a domain-joined machine (AD credentials) with MS Online IDs (Online ID). Rows: Outlook 2010 (Win 7; Vista/XP), Outlook Web Application, ActiveSync/POP/IMAP/Entourage, Outlook 2007, Outlook 2007 or 2010 (Win 7), Office 2010 or Office 2007 SP2 (Win 7/Vista/XP), SharePoint Online. Cell values: “No prompt”, “Once at setup”, “Each session”.]
Identity Federation
Authentication flow (passive profile)
[Diagram: customer side: Client (joined to CorpNet), AD FS 2.0 Server, Active Directory; Microsoft Office 365 side: Federation Gateway, Exchange Online.]
Identity Federation
Authentication flow (active profile)
[Diagram: same parties as the passive profile: Client (joined to CorpNet), AD FS 2.0 Server and Active Directory on the customer side; Federation Gateway and Exchange Online on the Microsoft Office 365 side.]
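The two flows above as a runnable model, added here as an example; it is not code from the presentation or from any Microsoft component. The token layout, the URLs, the user and the HMAC signing (standing in for the X.509 token-signing certificates that AD FS and the Federation Gateway really use) are all assumptions of this model. What it shows is the chain of trust: Exchange Online accepts only tokens signed by the gateway, the gateway accepts only tokens signed by the AD FS server registered for the user's domain, and in the passive profile the browser is redirected hop by hop while in the active profile the rich client talks to AD FS directly.

```python
import hashlib
import hmac
import json
import time

# Constructed sample data: one corporate AD user and the federation trust keys.
# HMAC keys stand in for the X.509 token-signing certificates of a real
# deployment (assumption of this model, not how AD FS signs tokens).
AD_USERS = {"alice@corp.example": "Pa55w.rd-constructed"}
FEDERATED_DOMAINS = {"corp.example": "https://adfs.corp.example/adfs/ls/"}  # assumed AD FS endpoint
ADFS_SIGNING_KEY = b"adfs-token-signing-key-constructed"
GATEWAY_SIGNING_KEY = b"gateway-token-signing-key-constructed"
GATEWAY_ISSUER = "urn:federation:MicrosoftOnline"          # assumed issuer name
EXCHANGE_AUDIENCE = "https://outlook.office365.example/"   # assumed relying party


def _sign(claims, key):
    body = json.dumps(claims, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def _verify(token, key, expected_issuer, expected_audience):
    """A relying party checks signature, issuer, audience and expiry before trusting any claim."""
    claims, sig = token["claims"], token["sig"]
    if not hmac.compare_digest(_sign(claims, key), sig):
        return False
    if claims["iss"] != expected_issuer or claims["aud"] != expected_audience:
        return False
    return claims["exp"] > time.time()


def adfs_issue(upn, password):
    """AD FS validates the user against Active Directory and issues a token addressed to the gateway."""
    issuer = FEDERATED_DOMAINS.get(upn.split("@")[1])
    if issuer is None or AD_USERS.get(upn) != password:
        return None
    claims = {"iss": issuer, "sub": upn, "aud": GATEWAY_ISSUER, "exp": time.time() + 3600}
    return {"claims": claims, "sig": _sign(claims, ADFS_SIGNING_KEY)}


def gateway_exchange(adfs_token):
    """The Federation Gateway trusts the customer's AD FS and swaps its token for a service token."""
    issuer = FEDERATED_DOMAINS.get(adfs_token["claims"]["sub"].split("@")[1])
    if issuer is None or not _verify(adfs_token, ADFS_SIGNING_KEY, issuer, GATEWAY_ISSUER):
        return None
    claims = {"iss": GATEWAY_ISSUER, "sub": adfs_token["claims"]["sub"],
              "aud": EXCHANGE_AUDIENCE, "exp": time.time() + 3600}
    return {"claims": claims, "sig": _sign(claims, GATEWAY_SIGNING_KEY)}


def exchange_online_accepts(service_token):
    """Exchange Online trusts the gateway only, never the customer's AD FS directly."""
    return service_token is not None and _verify(
        service_token, GATEWAY_SIGNING_KEY, GATEWAY_ISSUER, EXCHANGE_AUDIENCE)


def passive_profile(upn, password):
    """Browser flow: redirects carry the user to AD FS, tokens travel back by form POST."""
    hops = ["GET Exchange Online (no token) -> 302 to Federation Gateway"]
    domain = upn.split("@")[1]
    if domain not in FEDERATED_DOMAINS:
        hops.append("Gateway: domain not federated -> prompt for Online ID")
        return hops, False
    hops.append("Gateway home realm discovery -> 302 to " + FEDERATED_DOMAINS[domain])
    adfs_token = adfs_issue(upn, password)  # on CorpNet this step would be integrated Windows auth
    if adfs_token is None:
        hops.append("AD FS: authentication failed")
        return hops, False
    hops.append("AD FS -> POST signed token to Gateway")
    service_token = gateway_exchange(adfs_token)
    hops.append("Gateway -> POST service token to Exchange Online")
    return hops, exchange_online_accepts(service_token)


def active_profile(upn, password):
    """Rich-client flow (Outlook, ActiveSync): the client sends its credentials to AD FS directly."""
    adfs_token = adfs_issue(upn, password)  # models the WS-Trust request
    if adfs_token is None:
        return False
    return exchange_online_accepts(gateway_exchange(adfs_token))


def tampered_token_rejected(upn, password):
    """Changing the subject after AD FS signed the token must fail the gateway's signature check."""
    adfs_token = adfs_issue(upn, password)
    adfs_token["claims"]["sub"] = "bob@corp.example"
    return gateway_exchange(adfs_token) is None


if __name__ == "__main__":
    for hop in passive_profile("alice@corp.example", "Pa55w.rd-constructed")[0]:
        print(hop)
    print("active profile:", active_profile("alice@corp.example", "Pa55w.rd-constructed"))
```

The model is deliberately strict about audience: a token AD FS issued for the gateway is not accepted by Exchange Online, and a gateway token is not accepted by the gateway, which is the same audience restriction the SAML tokens in the real flow carry.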
AD FS 2.0 deployment options
1. Single server configuration
2. AD FS 2.0 server farm and load-balancer
3. AD FS 2.0 proxy server (offsite users)
[Diagram: Enterprise network with Active Directory, an internal user and two AD FS 2.0 Servers; DMZ with two AD FS 2.0 Server Proxies.]
What does Directory Sync do for you
• Enables you to manage your company’s information in one central location for both on-premise intranet and Office 365
• Runs as an appliance: install and forget
• Proactively reports errors via email: “No news is good news”
What does Directory Synchronization do for users
• Seamless user experience across on-premise and Office 365 services (Exchange, Lync, SharePoint)
Flavors of Co-Existence
• Identity Co-Existence (aka Single Sign-On, Federated Identity, Federated Authentication)
• Application Co-Existence
What does Directory Synchronization do for users: Identity Co-Existence
• Facilitates “Single Sign-On” experience
• For users: single set of credentials to manage
• On-premise users, security groups, distribution lists, contacts are available in the cloud
• Complete address books in Exchange Online
• SharePoint Online ACL’ing via security groups
• Users, contacts, groups can be created directly in Office 365, or sync’d from on-premise!
Setting up Directory Sync - Requirements
3 types of requirements:
1. Host OS that runs Directory Sync
Supported OS:
• Microsoft Windows Server® 2003 SP2
• Microsoft Windows Server 2008
• Cannot be Domain Controller
• Must be part of Domain
2. Active Directory forest functional level sync’d by Directory Sync:
• Microsoft Windows Server 2000
• Microsoft Windows Server 2003
• Microsoft Windows Server 2008
• Microsoft Windows Server 2008 R2
3. Rich Co-Existence
• Rich co-existence needs Exchange 2010 SP1 Client Access Server (CAS) – free
• Installs schema extensions required to support Rich Co-Existence
How Directory Synchronization works: Architecture
[Diagram: Customer Network with AD and Directory Sync; Office 365 Datacenter with Office 365 FEs, Microsoft Online ID, Exchange, Office Sub, SharePoint, Lync and the O365 Directory.]
How Directory Synchronization works: Architecture - Client
• Uses Enterprise Admin credentials at configuration to create a self-managed account for sync purposes; attribute-level write permissions for Rich Co-Existence: Yourdomain\MSOL_AD_Sync + Yourdomain\MSOL_AD_Sync_RichCoexistence
• Uses managed account with Global Administrator privileges for the tenant; authenticates to O365 via Microsoft Online ID
• Syncs all users, contacts and groups from your (single) AD forest
• Queries AD DirSync control for changes
• Filters out well-known objects and attribute patterns
• Syncs every 3 hours
• First sync run is a “full sync”: on start-up, syncs all objects
• Subsequent runs are a “delta sync”: changes only
• Time required depends on data size/complexity
Common Asks
• Filtering: supported – attribute, OU, domain. Automated “scoping out” can lead to data loss (user mailboxes!)
• Highly available Directory Sync: Directory Sync tool not configurable for high availability
NOTE: when the Directory Sync tool is down, Office 365 data goes “stale”; Federated Authentication, etc. still works!
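A small model of the run behaviour described above (full sync on the first run, delta sync driven by a change cookie afterwards, well-known objects and non-synced classes filtered out) together with the scoping-out pitfall from the Common Asks slide, added here as an example; it is not the DirSync tool's code. The directory snapshot, the field names (`dn`, `usn`), the filter rules and the `scope_change_preview` dry-run helper are all constructed assumptions; the cookie over `uSNChanged` mirrors what the AD DirSync control does for the real tool.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed on-premise AD snapshot (not from a real forest). "usn" plays the
# role of uSNChanged, the value the AD DirSync control compares with the
# client's saved cookie to find objects changed since the last run.
AD = [
    {"dn": "CN=krbtgt,CN=Users,DC=corp,DC=example", "class": "user", "sam": "krbtgt", "usn": 10, "deleted": False},
    {"dn": "CN=Alice,OU=Staff,DC=corp,DC=example", "class": "user", "sam": "alice",
     "mail": "alice@corp.example", "usn": 20, "deleted": False},
    {"dn": "CN=Bob,OU=Contractors,DC=corp,DC=example", "class": "user", "sam": "bob",
     "mail": "bob@corp.example", "usn": 21, "deleted": False},
    {"dn": "CN=Sales,OU=Staff,DC=corp,DC=example", "class": "group", "sam": "sales", "usn": 22, "deleted": False},
    {"dn": "CN=WS01,CN=Computers,DC=corp,DC=example", "class": "computer", "sam": "WS01$", "usn": 23, "deleted": False},
]

SYNCED_CLASSES = {"user", "contact", "group"}      # the slide: users, contacts and groups only
WELL_KNOWN = {"krbtgt", "Guest", "Administrator"}  # constructed example of well-known accounts to skip


@dataclass
class SyncClient:
    cookie: Optional[int] = None               # highest usn seen; None means no full sync yet
    cloud: dict = field(default_factory=dict)  # DN -> attributes as last written to Office 365


def in_scope(obj, ou_filter):
    """OU-based scoping: ou_filter lists the OUs allowed to sync (None = whole forest)."""
    if ou_filter is None:
        return True
    return any(obj["dn"].endswith("," + ou) for ou in ou_filter)


def eligible(obj):
    return obj["class"] in SYNCED_CLASSES and obj["sam"] not in WELL_KNOWN


def run_sync(client, directory, ou_filter=None, full=False):
    """One sync run. Returns (mode, changes), mode being 'full' or 'delta'.

    A full run reads every object; a delta run reads only objects whose usn is
    above the saved cookie. A filter change needs a full run to take effect.
    """
    mode = "full" if client.cookie is None or full else "delta"
    since = -1 if mode == "full" else client.cookie
    changes = []
    for obj in directory:
        if obj["usn"] <= since:
            continue
        keep = eligible(obj) and in_scope(obj, ou_filter) and not obj["deleted"]
        if keep:
            action = "update" if obj["dn"] in client.cloud else "add"
            client.cloud[obj["dn"]] = {k: v for k, v in obj.items() if k not in ("usn", "deleted")}
            changes.append((action, obj["dn"]))
        elif obj["dn"] in client.cloud:
            # Previously synced but now deleted, filtered or scoped out: the sync
            # removes it from the cloud, which is where the mailbox-loss pitfall comes from.
            del client.cloud[obj["dn"]]
            changes.append(("delete", obj["dn"]))
    client.cookie = max(obj["usn"] for obj in directory)
    return mode, changes


def write_change(directory, dn, **attrs):
    """Simulate an on-premise admin change: update attributes and bump usn."""
    top = max(o["usn"] for o in directory)
    for obj in directory:
        if obj["dn"] == dn:
            obj.update(attrs)
            obj["usn"] = top + 1
            return obj
    raise KeyError(dn)


def scope_change_preview(client, directory, new_ou_filter):
    """Dry run: which cloud objects would a narrower OU filter delete? Check before applying it."""
    return sorted(dn for dn in client.cloud
                  if not any(o["dn"] == dn and in_scope(o, new_ou_filter) for o in directory))


if __name__ == "__main__":
    client = SyncClient()
    print(run_sync(client, AD))                               # full sync
    write_change(AD, "CN=Alice,OU=Staff,DC=corp,DC=example", mail="alice.smith@corp.example")
    print(run_sync(client, AD))                               # delta sync: Alice only
    staff_only = ["OU=Staff,DC=corp,DC=example"]
    print("would delete:", scope_change_preview(client, AD, staff_only))
    print(run_sync(client, AD, ou_filter=staff_only, full=True))
```

The preview helper is the check worth keeping from this model: run it against the current filter before narrowing scope, because an object that leaves scope is reported to the cloud as a deletion, not as "no longer managed".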
Pitfalls
• Highly available system = 5 servers: cloud services increase the number of servers on-premise; extra cost (hardware, cooling, …)
• Internet line = often a SPOF: Internet line down = authentication impossible
• Power failure
• Catastrophic failure (fire)
Windows Azure & ADFS
• Virtual Network Support – Site to Site VPN
• Computing: 99,95% SLA uptime for a highly available system; 99,9% SLA uptime for a single system
• Storage: 99,9%
• Full control over your Virtual Machines
• Pay as you go, OPEX vs CAPEX
Windows Azure: Terminology
• Cloud Service: a role that several VMs execute together, e.g. ADFS. Cloud services need two or more instances to qualify for the SLA of 99,95%. 1 external Virtual IP address per Cloud Service
• Availability Group
• EndPoints: You need to add an endpoint to a machine for other resources on the Internet or other virtual networks to communicate with it. You can associate specific ports and a protocol to endpoints. Resources can connect to an endpoint by using a protocol of TCP or UDP. The TCP protocol includes HTTP and HTTPS communication.
• Virtual Network enables you to create secure site-to-site connectivity, as well as protected private virtual networks in the cloud.
ADFS – Windows Azure
[Diagram: Enterprise with an IPsec device; Windows Azure with a gateway and a Cloud Service containing two AD FS 2.0 Servers, DirSync and a load-balanced endpoint.]