Access resources in a federation partner organization.

Post on 18-Jan-2016


Transcript of Access resources in a federation partner organization.

Access Control in BYOD and Directory Integration in a Hybrid Identity Infrastructure

Gayana Bagdasaryan

PCIT-B213

Objectives

• Why AD FS?

• AD FS for Hybrid Identity

• AD FS for BYOD

Why AD FS?

With AD FS you can implement access control for claims-based applications and other resources that are located across organizational boundaries.

AD FS Deployment Goals

• Access claims-based applications within your enterprise

• Remotely access internally hosted Web sites or services

• Access resources in a federation partner organization 

Access claims-based applications within your enterprise

Remotely access internally hosted Web sites or services

Access resources in a federation partner organization

Key AD FS Concepts

• Claims

• Claim rules

• Attribute stores

• Relying party trusts

• Claims provider trusts

• Configuration databases

AD FS Certificates

• Secure Sockets Layer (SSL) certificate

• Service communication certificate

• Token-signing certificate

• Token-decryption/encryption certificate

AD FS - simplified deployment experience

• No IIS dependency

• Remote installation and configuration via Server Manager

• UI support for installing AD FS with SQL Server

• GMSA support

• SQL Server merge replication support

AD FS - enhanced sign-in experience

• Unified customization of the AD FS service

• Support for automatic fallback to forms-based authentication for non-domain-joined devices

• Home realm discovery (HRD) based on the organizational suffix of the user

• Customizable logo, illustration image, IT support links, home page, privacy, description messages in the sign-in pages, web themes, error messages

Empowering People-centric IT: Management. Access. Protection. (diagram of Devices, Apps, Users and Data)

Hybrid Identity

Unify your environment

Create a centralized identity across on-premises and cloud

Use identity federation to maintain centralized authentication and securely share and collaborate with external users and businesses

Enable users

Provide users with self-service experiences to keep them productive

Enable single sign-on for users across all the resources they need access to

Protect your data

Enforce strong authentication when users access resources and apply conditional access controls to sensitive company information

Configure single sign-on across all company applications

Ensure compliance with governance, attestation and reporting

AD FS - access control risk management tools

• Access control based on user / device / location

• Global / per-application access control scope

• MFA based on user / device / location

• AD FS Extranet Lockout, to protect AD accounts from brute-force attacks coming from the internet

• Access revocation for workplace-joined devices disabled/deleted in AD

AD FS - access to resources on personal devices from anywhere

• Workplace join (DRS)

• Pre-authentication of intranet resources

• Password change from workplace-joined devices
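The access control, Extranet Lockout and workplace-join features listed in the two sections above, as an added PowerShell example that is not from the presentation. It assumes a Windows Server 2012 R2 AD FS farm and a relying party trust named "Claims App" (a placeholder); the threshold and window values are illustrative.

```powershell
# Added example (not from the deck). Run on the primary AD FS server as an AD FS admin.
# "Claims App" and the numeric values are assumed placeholders for illustration.
Import-Module ADFS

# 1. Extranet Lockout: after 10 failed passwords from outside the corporate network
#    (requests that arrive via Web Application Proxy) AD FS stops forwarding logons for
#    that account to AD for the observation window, so the AD account is not locked out.
Set-AdfsProperties -EnableExtranetLockout $true `
                   -ExtranetLockoutThreshold 10 `
                   -ExtranetObservationWindow (New-TimeSpan -Minutes 30)

# 2. Per-application MFA: require a second factor when the request does not carry the
#    insidecorporatenetwork=true claim, i.e. the user is signing in from the extranet.
$mfaRule = @'
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/claims/authnmethodsreferences",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@
Set-AdfsRelyingPartyTrust -TargetName "Claims App" -AdditionalAuthenticationRules $mfaRule

# 3. Device-based access control: from outside only workplace-joined (registered) devices
#    get a permit claim; inside the corporate network any user is permitted. A device
#    disabled or deleted in AD no longer yields isregistereduser=true, so it loses access.
$authzRules = @'
@RuleName = "Permit registered devices from anywhere"
c:[Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", Value == "true"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

@RuleName = "Permit any user inside the corporate network"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "true"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@
Set-AdfsRelyingPartyTrust -TargetName "Claims App" -IssuanceAuthorizationRules $authzRules

# 4. Verify the lockout settings and the rules now attached to the application.
Get-AdfsProperties |
    Select-Object EnableExtranetLockout, ExtranetLockoutThreshold, ExtranetObservationWindow
Get-AdfsRelyingPartyTrust -Name "Claims App" |
    Select-Object Name, AdditionalAuthenticationRules, IssuanceAuthorizationRules
```

Keep the lockout threshold below the AD account lockout threshold, otherwise an attacker can still lock the AD account through AD FS before Extranet Lockout engages.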

Demo

Workplace join with MFA

Related sessions:

• PCIT-IL301-R Wednesday, May 14 8:30 AM - 9:45 AM

• DEV-B344 Wednesday, May 14 1:30 PM - 2:45 PM

• PCIT-IL301-RR Thursday, May 15 1:00 PM - 2:15 PM

• PCIT-B330 Thursday, May 15 8:30 AM - 9:45 AM

Providing Users with a Common Identity

IT can provide users with a common identity across on-premises or cloud-based services, leveraging Windows Server Active Directory and Azure Active Directory.

Users are more productive by having a single sign-on to all their resources.

Users get access through accounts in Azure Active Directory to Azure, Office 365, and third-party applications.

Developers can build applications that leverage the common identity model.

Common Identity with Sync

User attributes are synchronized, including the password hash. Authentication can be completed against either Azure Active Directory or Windows Server Active Directory.

Synchronization

* Write-back of attributes to support cloud-first and co-existence scenarios

Common Identity with Federation

User attributes are synchronized. Authentication is passed back through federation and completed against Windows Server Active Directory.

Federation

AD FS provides conditional access to resources, Workplace Join for device registration, and integrated Multi-Factor Authentication.

Common Identity with Federation

Demo

- OneAD Wizard

- Alternate login ID

Identity Federation

Conditional access with multi-factor authentication is provided on a per-application basis, leveraging user identity, device registration and network location.

Organizations can federate with partners and other organizations for seamless access to shared resources

Organizations can connect to SaaS applications running in Azure, Office 365 and 3rd party providers

Enhancements to AD FS include simplified deployment and management

Published applications


Find Me at the CSI booth

Related content

TechNet

Resources

Resources for IT Professionals

• Active Directory Federation Services Overview - http://technet.microsoft.com/en-us/library/hh831502.aspx

• Setup Geographic Redundancy with SQL Server Replication - http://technet.microsoft.com/en-us/library/dn632406.aspx

• AD FS Certificate Requirements - http://technet.microsoft.com/en-us/library/dn554247.aspx#BKMK_1

• Configuring AD FS Extranet Lockout - http://technet.microsoft.com/en-us/library/dn486806.aspx

• Configuring Alternate Login ID - http://technet.microsoft.com/en-us/library/dn659436.aspx

• Walkthrough Guide: Manage Risk with Additional Multi-Factor Authentication for Sensitive Applications - http://technet.microsoft.com/en-us/library/dn280946.aspx

• Configuring Authentication Policies - http://technet.microsoft.com/en-us/library/dn486781.aspx

• Developing Modern Applications using OAuth and AD FS - http://msdn.microsoft.com/en-us/library/dn633593.aspx

• Directory integration - http://msdn.microsoft.com/en-us/library/azure/jj573653.aspx

• AD FS on Curah - http://curah.microsoft.com/51820/ad-fs-technet-content-map

• BYOD on Curah - http://curah.microsoft.com/37111/bring-your-own-device-byod

Learning

Microsoft Certification & Training Resources

www.microsoft.com/learning

msdn

Resources for Developers

http://microsoft.com/msdn

TechNet

Resources for IT Professionals

http://microsoft.com/technet

Sessions on Demand

http://channel9.msdn.com/Events/TechEd


© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.