Bert Jan van der Steeg, SharePoint Consultant. Office 365 & Identity Federation. Bert Jan van der Steeg, consultant / trainer, bertjan@companio.nl


  • Slide 1: Office 365 & Identity Federation (title slide).

  • Slide 2: agenda: Intro; ADFS 2.0 Overview; Federated Authentication in Office 365; Single Sign On Configuration.

  • Slide 3: agenda (section divider).

  • Slide 4: (no text on slide)

  • Slide 5: IdM options. Identities used to access resources: on-premise (Active Directory) and cloud (Office 365). Available options:
      - Separate credentials in corporate directory and in Office 365
      - Migrate existing credentials to Office 365
      - Identity Federation with ADFS 2.0

  • Slide 6: IdM options: separate credentials.
      Painful to manage: separate password policies; multiple credentials to manage; management of the sign-in application (BPOS).
      Sub-optimal user experience: log-in each time the service is accessed; 2 accounts and/or passwords to manage; set-up of the sign-in application on every new computer used by each user (BPOS).

  • Slide 7: IdM options: migrate existing credentials. No more corporate credentials; credentials and resources in the cloud. Fits small shops: no dedicated IT guy, no local resources.

  • Slide 8: IdM options: identity federation. Credential management stays on-premises; trust with the Federation Gateway; Office 365 is the Relying Party. Prerequisites: the domain's UPN suffix must be routable; you must own the domain (SSL certificate).

  • Slide 9: user accounts: charlie@contoso.com and contoso\charlie; with identity federation: charlie@contoso.com as a federated identity.

  • Slide 10: ten steps. Easy, right?

  • Slide 11: agenda (section divider).

  • Slide 12: history / claims: Active Directory Federation Services 2.0.

  • Slide 13: Claims Based AuthN.
      WS-Federation: architecture and specification for Identity Federation protocols.
      WS-Trust: describes the token exchange procedures.
      SAML: describes the standard for exchange of AuthN and AuthZ between security realms.

  • Slide 14: federation lingo (this... means this):
      STS: Security Token Service (IP-STS, RP-STS).
      Identity Provider (IdP): system that generates SAML tokens containing claims.
      Relying Party: application (service) that can accept claims.
      Web Single Sign On: federated authentication systems; AuthN is separated from AuthZ.
      Federated Sign Out: signing out from all systems involved.
      Claim: assertion about an identity that is used for AuthZ purposes.
      FederationMetadata.xml (ADFS 2.0): XML file used to exchange information between RP and IP. Should always be available.
      Claims augmentation: adding claims into a SAML token based on attribute store information.
      WAYF: Where Are You From. Home Realm Discovery.

  • Slide 15: ADFS 2.0 (diagram): Corp. Resources, Partner Resources, Users, AD, Office 365, Azure.

  • Slide 16: ADFS 2.0 (diagram): Corp. Resources, Partner Resources, Users, AD, Office 365, Azure, Federation Gateway.

  • Slide 17: federation gateway (diagram): ADFS 2.0, AD, Users, Lync Online, SharePoint Online, Exchange Online, Federation Gateway, Live ID IdP, Provisioning Service, TRUST.

  • Slide 18: federation gateway: online service based on WS-* standards; connection into the federation ecosystem; billions of authentications daily; in production since 2006; the trust provisioning service checks domain ownership through the SSL certificate.

  • Slide 19: topology: https://adfs.contoso.com; cloud; ADFS 2.0 farm (adfs 1, adfs 2) behind adfs proxy 1 and adfs proxy 2; Fsconfig /createsqlfarm.

  • Slide 20: claims. Statements made about users which are understood and trusted by both partners in a federation (name, identity, group, role, privilege, capability). Used for authorization purposes within applications. Begins at the identity provider when the user provides credentials. Inserted into security tokens (SAML tokens), which follow a secure, standardized method of packaging the data for transport to a trusted partner.

  • Slide 21: adfs claims engine.
      Stage 1: accepting claims: incoming claims, Claims Provider Trust, Acceptance Transform Rules.
      Stage 2: authorizing claims: Issuance Authorization Rules (Permit / Deny).
      Stage 3: issuing claims: Issuance Transform Rules, Relying Party Trust, outgoing claims.

  • Slide 22: adfs 2.0 components: AuthN store (Active Directory); target application (Office 365); trust relationships.

  • Slide 23: adfs 2.0 components: endpoints.
      1. Passive Federation Endpoint: browser-based connections.
      2. Active Federation Endpoint: rich clients (Lync 2010).
      3. EAS Endpoint: ActiveSync, Outlook 2010, Exchange Web Services.

  • Slide 24: adfs 2.0 components: claim rules (acceptance transform rules, issuance transform rules). The named regex groups (<domain>, <user>) are restored from the ${user} and ${domain} substitutions the rules reference:

      c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
       => issue(store = "Active Directory",
                types = ("http://schemas.xmlsoap.org/claims/UPN",
                         "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"),
                query = "samAccountName={0};userPrincipalName,objectGUID;{1}",
                param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"),
                param = c.Value);

      c:[Type == "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"]
       => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
                Value = c.Value,
                Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"]
                  = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");

      c:[Type == "http://schemas.xmlsoap.org/claims/UPN"]
       => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid",
                Value = regexreplace(c.Value, ".+@(?<domain>.+)", "http://${domain}/adfs/services/trust/"));

  • Slide 25: agenda (section divider).

  • Slide 26: add domain; convert to federated later.

  • Slide 27: configure federation: connect to MSOL (cmdlet names and parameter dashes corrected; the ADFS server name was not captured and is shown as a placeholder):

      $cred = Get-Credential
      Connect-MsolService -Credential $cred
      Set-MsolADFSContext -Computer <adfs-server>

  • Slide 28: configure federation: add federated domain (the domain name was not captured and is shown as a placeholder):

      New-MsolFederatedDomain -DomainName <domain> -SupportMultipleDomain

  • Slide 29: Directory Synchronization. Directory Synchronization is used between Active Directory on-premises and Office 365; federation requires DirSync in this scenario; users' UPNs are leveraged for account matching.

  • Slide 30: Directory Synchronization:

      Start-OnlineCoexistenceSync

  • Slide 31: login sequence (sharepointlabs.nl). Parties: cloud (SharePoint Online, Exchange Online, Sign-In Service), client, ADFS 2.0, AD.
      SAML Logon Token: UPN: <user>@sharepointlabs.nl; Source ID: ABC123.
      Authentication Token: UPN: <user>@sharepointlabs.nl; Source ID: 1234567.
      Responses: 404 - Authenticate; 302 - Redirect.

  • Slide 32: login sequence (diagram).

  • Slide 33: scenarios.
      Domain-joined computer in the corporate network: the ADFS server can use Windows Integrated AuthN.
      Domain-joined computer, roaming: publish the ADFS server.
      Home or public computer: the user signs in with corporate credentials.
      Smartphone: Microsoft Outlook or other e-mail clients.

  • Slide 34: troubleshooting tools: MOSDAL (Microsoft Online Services Diagnostics and Logging) Support Toolkit; www.testexchangeconnectivity.com; Fiddler.

  • Slide 35: adfs additional reading: KB 2607496, Update Rollup 1 for Active Directory Federation Services (AD FS) 2.0: Multiple Issuer Support; Client Access Policy Support; Congestion Avoidance Algorithm; additional AD FS 2.0 performance counters.

  • Slide 36: more info.
      Web Services Federation Language (WS-Federation) Version 1.2: http://docs.oasis-open.org/wsfed/federation/v1.2/ws-federation.pdf
      WS-Trust Version 1.3: http://docs.oasis-open.org/ws-sx/ws-trust/200512/ws-trust-1.3-os.pdf
      Security Assertion Markup Language (SAML) 2.0: http://go.microsoft.com/fwlink/?LinkId=193996
      Microsoft AD FS 2.0 Release to Web (RTW) download: http://www.microsoft.com/downloads/details.aspx?FamilyID=118c3588-9070-426a-b655-6cec0a92c10b
      Identity federation definition from Wikipedia: http://en.wikipedia.org/wiki/Federated_identity

  • Slides 37-38: more info: Microsoft Office 365 Single Sign-On (SSO) with AD FS 2.0: http://tinyurl.com/6pbrkop

  • Slide 39: (no text on slide)
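To make the slide 21 claims engine and the slide 24 rules concrete, here is an added Python model of those three rules; it is not code from the deck or from ADFS. It assumes a constructed in-memory stand-in for the "Active Directory" attribute store (with a made-up objectGUID) and applies the same regexreplace patterns and claim types the slide uses.

```python
import base64
import re
import uuid

# Claim type URIs exactly as used in the slide 24 rules.
WINDOWS_ACCOUNT = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
UPN = "http://schemas.xmlsoap.org/claims/UPN"
IMMUTABLE_ID = "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"
NAME_ID = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
ISSUER_ID = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid"
NAMEID_FORMAT = "http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"

# Constructed stand-in for the attribute store: sAMAccountName -> (userPrincipalName, objectGUID).
AD_STORE = {
    "charlie": ("charlie@contoso.com", uuid.UUID("12345678-1234-5678-1234-567812345678")),
}


def accept_windows_account(claims):
    """Rule 1: windowsaccountname -> UPN + ImmutableID via the attribute-store query."""
    issued = []
    for c in claims:
        if c["type"] != WINDOWS_ACCOUNT:
            continue
        # regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}") strips "DOMAIN\"
        sam = re.sub(r"(?P<domain>[^\\]+)\\(?P<user>.+)", r"\g<user>", c["value"])
        if sam not in AD_STORE:
            continue  # no directory match: the query returns nothing, so no claims are issued
        upn, guid = AD_STORE[sam]
        issued.append({"type": UPN, "value": upn})
        # objectGUID is binary; ADFS emits it base64-encoded (same byte order as .NET Guid.ToByteArray)
        issued.append({"type": IMMUTABLE_ID, "value": base64.b64encode(guid.bytes_le).decode()})
    return issued


def issue_to_office365(claims):
    """Rules 2 and 3: ImmutableID -> nameidentifier, UPN -> issuerid."""
    issued = []
    for c in claims:
        if c["type"] == IMMUTABLE_ID:
            issued.append({"type": NAME_ID, "value": c["value"],
                           "properties": {NAMEID_FORMAT: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"}})
        elif c["type"] == UPN:
            # regexreplace(c.Value, ".+@(?<domain>.+)", "http://${domain}/adfs/services/trust/")
            value = re.sub(r".+@(?P<domain>.+)", r"http://\g<domain>/adfs/services/trust/", c["value"])
            issued.append({"type": ISSUER_ID, "value": value})
    return issued


def outgoing_claims(windows_account_name):
    """Run the pipeline for one incoming windowsaccountname claim; returns {claim type: value}."""
    stage1 = accept_windows_account([{"type": WINDOWS_ACCOUNT, "value": windows_account_name}])
    return {c["type"]: c["value"] for c in stage1 + issue_to_office365(stage1)}
```

Note that the issuerid is derived purely from the UPN suffix, which is why the deck insists the UPN suffix be a routable domain you own and why the domain must be added with -SupportMultipleDomain.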