Single Sign-On with Microsoft Azure
Julian Soh, Mark Ghazai
Azure Active Directory
• Your Directory in the Cloud
• Cloud authentication
• A comprehensive identity and access management cloud solution
• It combines directory services, advanced identity governance, application access management and a rich standards-based platform for developers
• Azure Active Directory Premium includes Multi-Factor Authentication, and server and user CALs for Identity Manager
Difference between Directory Sync and AD FS
• Directory Synchronization is an identity propagation workload and does not require AD FS.
• AD FS is responsible for authentication by being the claims middleman. It generally requires some kind of directory synchronization first.
• AD FS works with AD DC to facilitate authentication.
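As an added example (not part of the deck), the following PowerShell reports which sign-in model each verified tenant domain uses, which is the distinction the two simple configurations below rest on: a Managed domain authenticates against Azure AD with synchronized password hashes, a Federated domain hands authentication to AD FS via the federation trust. It assumes the MSOnline module with an established Connect-MsolService session; the cmdlets and properties used are that module's, and the 90-day certificate warning threshold is an assumption.

```powershell
# Added example: audit the sign-in model per verified domain (MSOnline module assumed).
# Run Connect-MsolService first; the Get-Msol* cmdlets below belong to that module.
Import-Module MSOnline

$company = Get-MsolCompanyInformation
"Directory sync enabled : $($company.DirectorySynchronizationEnabled) (last sync $($company.LastDirSyncTime))"
"Password sync enabled  : $($company.PasswordSynchronizationEnabled) (last sync $($company.LastPasswordSyncTime))"

$certWarnDays = 90   # assumption: warn when the AD FS token-signing certificate expires within 90 days

foreach ($domain in Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' }) {
    if ($domain.Authentication -eq 'Federated') {
        # Federated: AD FS is the claims middleman; Azure AD trusts this issuer and its signing certificate.
        $fed  = Get-MsolDomainFederationSettings -DomainName $domain.Name
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                    [Convert]::FromBase64String($fed.SigningCertificate))
        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        # An expired signing certificate breaks sign-in for the whole domain, so flag it early.
        $note = if ($daysLeft -lt $certWarnDays) { "WARNING: signing cert expires in $daysLeft days" }
                else { "signing cert OK ($daysLeft days left)" }
        "{0,-30} Federated  issuer={1}  {2}" -f $domain.Name, $fed.IssuerUri, $note
    }
    else {
        # Managed: Azure AD itself authenticates the user, using the synced password hash when Password Sync is on.
        $syncNote = if ($company.PasswordSynchronizationEnabled) { "password sync on (same sign-on)" }
                    else { "no password sync: cloud-only passwords" }
        "{0,-30} Managed    {1}" -f $domain.Name, $syncNote
    }
}
```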
1a – Simple Configuration Password Sync

Diagram: a central on-premises AD is synchronized to Azure Active Directory by Forefront Identity Manager (DirSync) with Password Sync (provisioning platform); Azure AD acts as IdP and authentication platform for Exchange Online, SharePoint Online, Lync Online, the Office 365 Portal/PowerShell and Exchange Hybrid.

Information is provided as examples with no assumption of support expressed or implied. Deployment recommendations should be obtained through consulting services.
1b – Simple Configuration Federated Authentication

Diagram: a central on-premises AD is synchronized to Azure Active Directory by Forefront Identity Manager (DirSync) (provisioning platform); on-premises AD Federation Services acts as IdP through an ADFS Federation Trust with Azure AD, which remains the authentication platform for Exchange Online, SharePoint Online, Lync Online, the Office 365 Portal/PowerShell and Exchange Hybrid.
2 Password Sync for Same-Sign-On

Diagram: a central AD and an agency AD (each an IdP) are synchronized to Azure Active Directory by FIM with Password Sync (provisioning platform); Azure AD is the authentication platform for Exchange Online, SharePoint Online, Lync Online, the Office 365 Portal/PowerShell and Exchange Hybrid.
3 Agency Single Sign-On w/ Central ADFS

Diagram: an agency AD (IdP) is joined to the central AD by a two-way trust; a central FIM server synchronizes identities to Azure Active Directory (provisioning platform), and central AD Federation Services holds the ADFS Federation Trust with Azure AD, which is the authentication platform for Exchange Online, SharePoint Online, Lync Online, the Office 365 Portal/PowerShell and Exchange Hybrid.
4 Agency Single-Sign-On w/ Agency Provided ADFS

Diagram: the central AD and each agency AD (IdP) run their own AD Federation Services; a central FIM server synchronizes identities to Azure Active Directory (provisioning platform), and multiple ADFS Federation Trusts connect the agency and central AD FS instances to Azure AD, the authentication platform for Exchange Online, SharePoint Online, Lync Online, the Office 365 Portal/PowerShell and Exchange Hybrid.
Run these in Azure? Why?
• How these would look when running in Azure
• Connectivity (s2s VPN or ExpressRoute)
• Why? Uptime, SLA, redundancy
Diagram: Corp and Azure are connected by a VPN; a domain controller runs on each side, with a Web Application Proxy (WAP), AD FS and a web server/application hosted in Azure; clients reach the WAP, AD FS and the web service/application over port 443.
MIM enables consistent IAM policies
• On-premises and private cloud: Microsoft Identity Manager vNext with identity stores, policies and workflow
• Azure Active Directory and Azure AD App Proxy publishing your apps
• Clients: Windows, Outlook, Portal, Custom
• Identity stores: Cloud Services, Databases, Directories, Applications

Identity Manager Capabilities
• Identity Synchronization
• Role Management
• Certificate Management
• Group Management
• Password Reset

Identity Manager Platform Scenarios: Request → Permission → AuthN → AuthZ → Action → Service DB
Azure AD Connect Demo
Azure Calculator Demo
• Typical VM Sizes
  • 1x AAD Sync Server with internal database (1 x A2 Basic VM)
  • 1x R/W Domain Controller (1 x A2 Basic VM)
  • 2x AD FS Proxy Servers (optional) (2 x A2 Standard VM)
  • 2x AD FS Servers (2 x A2 Standard VM)
• http://azure.microsoft.com/en-us/pricing/calculator/
Azure AD as an IDaaS demo…
Resources
• Azure Active Directory Connect: https://msdn.microsoft.com/en-us/library/azure/dn832695.aspx
• Office 365 and ADFS… Active Directory Federation Service Installation: http://social.technet.microsoft.com/wiki/contents/articles/9082.office-365-and-adfs-active-directory-federation-service-installation.aspx