Identity in the cloud using Microsoft

www.orbitone.com

Orbit One BVBARaas van Gaverestraat 83B-9000 GENT, BELGIUM Website www.orbitone.com

E-mail [email protected] Tel. +32 9 330 15 00VAT BE 456.457.353Bank 442-7059001-50 (KBC)

Kevin De Smet12 October, 2011

Identity in the cloud: ADFS 2.0, Azure, Office 365, Multifactor authentication

http://www.orbitone.com/


mailto:[email protected]

mailto:[email protected]

12 October, 2011Identity in the cloud: ADFS 2.0, Azure, Office 365, Multifactor authentication2

Introduction

ADFS 2.0: What is Federation?

Single-sign-on: Extending the model to the cloud

Multifactor Authentication

How to make my company cloud-ready?

Identity in the cloud: ADFS 2.0, Azure, Office 365, Multifactor authentication12 October, 2011

3

Identity


4

Why Cloud?

Why do companies want to move to the cloud?

What can they move to the cloud?

Where do they move it to?

Do they want everything in one location?


5

Cloud Pains

What makes moving to cloud difficult? Identity

Difficult for end-user (confusing & time consuming)Extra Management for IT (password resets, etc.)New employees -> Many accounts in many systemsLeaving employees -> Blocking many accounts = Security Breach

MigrationHard to migrate everything at once (timeframe, downtime)

Convince ManagementMaybe they don’t like it when their data is stored elsewhere


6

Cloud Pains


7

Solution to cloud pains?


8

Solution to cloud pains?

One identity (Active Directory) Used for internal appsUsed for external apps from partnersUsed for external cloud services

How?You’ll learn in this sessionADFS & SSO is the key!


9

Not only MicrosoftImagine 2016...

My Users

Salesforce.comOffice365

Combell

Bank application

AccountingSocial SecretaryFinancial Info


Introduction






User Company

Application Company

12 October, 201111

ADFS 2.0What is Federation?

Before Federation ID STORE


User Company

Application Company

12 October, 201112


With Federation

FEDERATIONTRUST

TRUST

TRUST

ADFS1

ADFS2

AUTHENTICATION

IDSTORE


13


What are claims?Statements about users (name, id, group,...)Used for authorization by claims-aware applications

How are they used?Claims are encrypted in SAML tokens and passed onTokens are signed by a trusted sourceApplications make decisions based on the claims

• if jobtitle == “buyer” and department == “production” then access = trueClaims can be transformed on their way

• if jobtitle == “purchaser” then output_token:jobtitle = “buyer”• if jobtitle == “buyer” and department == “production” then

output_token:spendlimit = “50€”


14


Using Claims

ADFS1

ADFS2

AUTHENTICATION

IDSTORE

AD Attributes:Job Title, Department, ...

SAML

Jobtitle = “Purchaser”

SAMLJobtitle = “Buyer”

If Jobtitle = “Buyer” thenAccess = True


Introduction






16

Single-sign-onHow does it work?

On-premise DOMAINCONTROLLER

Ctrl-Alt-Del

DOMAINJOINED

IIS SERVER

AUTHENTICATION

IS USER AUTHENTICATED?


17

Single-sign-onExtending the model to the Cloud

Windows Azure Connect DOMAINCONTROLLER

Ctrl-Alt-Del

IIS SERVER

AUTHENTICATION

IS USER AUTHENTICATED?

Windows AzureConnect Agent

DOMAINJOINED


ACS

12 October, 201118


Azure with Federation:Access Control Service

TRUST

FEDERATIONTRUST

TRUST ADFSACTIVEDIRECTORY

User Company

AUTHENTICATION

IIS SERVER


19


Office 365 default login

MSODS

MSOLID


MSODSMFG

12 October, 201120


Office 365 with Federation:MS Federation Gateway

TRUST

TRUST ADFSACTIVEDIRECTORY

MSOLID

User Company

AUTHENTICATION

FEDERATIONTRUST


MS ONLINE ID(MSOLID)

12 October, 201121


Office 365 Directory Synchronization

ACTIVEDIRECTORY

MS ONLINEDIRECTORY SERVICE

(MSODS)

ACTIVE DIRECTORYSYNCHRONIZATION SERVER

Name, Email, ObjectGUID,...


MFG

12 October, 201122


Office 365 with Federation ProxyTRUST

ADFS

ACTIVEDIRECTORY

FEDERATIONTRUST

ADFSPROXY

@HOMETRUST


Introduction






24

Multifactor AuthenticationWhat is it?

Different kinds of evidence someone is who they say they areSomething one knows

A secret: password, PIN, ...

Something one hasA passport, physical token, ID Card, ...

Something one isBiometric device: fingerprint, iris-scan, face geometry, ...


25

Multifactor AuthenticationIn the Cloud

Two options available:

Integrate the ADFS 2.0 Proxy login page with your strong authentication provider

In this option, you can customize the AD FS 2.0 proxy login ASPX page introduce extra fields for the users to enter extra factors for authentication.

Use the Forefront Unified Access Gateway (UAG) SP1 serverThis gateway supports a wide range of two-factor authentication providers, as well as direct access to an expanded set of scenarios involving two-factor authentication.


26


ADFS 2.0 Proxy login page


27


Unified Access Gateway (UAG) SP1 serverForefront UAG intercepts the redirection to the Account Federation server

Instead redirects the web browser to the Forefront UAG login page

ADFSADFSPROXY

UAG


Introduction






29

Cloud-ready company

Server RequirementsADFS 2.0 Server(s)

Can be installed on existing domain controllers (if 2008/2008R2)Can be a farm for redundancy (NLB host needed)Optionally, SQL Cluster can be used to store the database

ADFS 2.0 Proxy Server(s)Can be installed on existing web/proxy servers (if 2008/2008R2)Can be a farm for redundancy (NLB needed)

Office 365: Directory Syncrhonization Server(s)Must be a 32-bit server (no 2008R2!), can be 2003/2008Cannot be installed on domain controller, but needs same security!


30

Cloud-ready company

Typical setup for a small CompanyOne ADFS 2.0 Server

Installed on Domain controller or dedicated serverUses WID (Windows Integrated Database)

One ADFS 2.0 ProxyInstalled on existing web/proxy server or dedicated server

Office 365: Directory Syncrhonization Server(s)Installed on a dedicated 2008 32-bit server


31

Cloud-ready company

Typical cost for a small Company1 to 3 extra Windows Licenses

Recommended: Certificate by public CA for ADFS&ADFS Proxy

2 to 3 days sysadmin work

1 day pm work

1 day of testing


32

Benefits

Less Management for ITLess calls to helpdesks for identity related problemsFewer user accounts to manageEasier to manage new employees (only one account to create)

More Transparant & easier for end-userHas to remember one username, one passwordHas to logon only once with SSO (inside company) -> time saving

More securityLeaving employees are blocked on all applications at onceIdentity managed by own IT departmentMultifactor authentication for more security outside the company


33

Q&A


www.orbitone.com

3412 October, 2011


Technology

Identity in the cloud using Microsoft