Bridging on premise identity management

22
John Gilham Principal Consultant Agile IT

description

 

Transcript of Bridging on premise identity management

Page 1: Bridging on premise identity management

John Gilham Principal Consultant

Agile IT

Sheena.Graham
Stamp
Page 2: Bridging on premise identity management

Key Components:

Synchronization (DirSync) and SSO Concepts

SSO Federation (ADFS 2.0)

Email Rich Co-Existance (On-Premise <-> Cloud)

Page 3: Bridging on premise identity management

Password policy controls for Microsoft Online IDs

Single sign-on with corporate credentials

Directory Synchronization updates

Role-based administration: Five administration roles Company Admin

Billing Admin

User Account Admin

HelpDesk Admin

Service Support Admin

“Admin on behalf of” for support partners

Page 4: Bridging on premise identity management

Contoso customer premises

1. Microsoft Online IDs

2. Microsoft Online IDs + Microsoft Online Services Directory Synchronization (DirSync)

3. Single Sign On (SSO) Federation + Directory Synchronization (DirSync

AD MS Online

Directory Sync

Identity Services

Provisioning platform

Lync Online

SharePoint Online

Exchange Online

Active Directory Federation Server

2.0

Trust

IdP Directory

Store

Admin Portal/ PowerShell

Authentication platform

Office 365 Desktop Setup

Microsoft Online Services

IdP

Page 5: Bridging on premise identity management

Appropriate for • Smaller orgs without AD

on-premise

Pros • No servers required on-

premise

Cons • No SSO • No 2FA • 2 sets of credentials to

manage with differing password policies

• IDs mastered in the cloud

Appropriate for • Medium/Large orgs with AD

on-premise

Pros • Users and groups mastered

on-premise • Enables co-existence

scenarios Cons • No SSO • No 2FA • 2 sets of credentials to

manage with differing password policies

• Single server deployment

Appropriate for • Larger enterprise orgs with

AD on-premise Pros • SSO with corporate cred • IDs mastered on-premise • Password policy controlled

on-premise • 2FA solutions possible • Enables co-existence

scenarios Cons • High availability server

deployments required

Page 6: Bridging on premise identity management

Office 365 Desktop setup required for rich clients ◦ Installs client and operating system updates to enable best sign-on experience

◦ Not required for Web kiosk scenarios (e.g. OWA)

Passwords prompts ◦ Can be saved for rich applications, can remain “signed in” for web applications

◦ Will prompt again when the password changes or expires

Single Sign Prompts ◦ Can bypass prompts by using “Smart Links”. Still requires password for non-

domain joined machines.

◦ Prompt for User Name must be in UPN format for realm discovery (no internal TLD such as .local or .loc)

◦ None Domain Joined Machines prompted for both Username Realm Discover and password (Active Directory credentials)

Page 7: Bridging on premise identity management

Win7/Vista/XP

SSO IDs (domain joined)

MS Online IDs

Outlook Web Application

SharePoint Web Application

ActiveSync, POP, IMAP, Entourage

Each session*

Outlook 2007 or 2010

Online ID Online ID Online ID

Win 7/Vista/XP

Office 2010, or Office 2007

SP2

Online ID

Each session*

Win7/Vista/XP

Lync Online

Online ID

Each session*

AD credentials AD credentials AD credentials AD credentials AD credentials

SSO IDs (non-domain joined) AD credentials AD credentials AD credentials AD credentials AD credentials

Page 8: Bridging on premise identity management
Page 9: Bridging on premise identity management
Page 10: Bridging on premise identity management

Authentication flow (Passive/Web profile)

`

Client

(joined to CorpNet)

Authentication platformAD FS 2.0 Server

Exchange Online or

SharePoint Online

Active Directory

Customer Microsoft Online Services

Logon (SAML 1.1) Token

UPN:[email protected]

Source User ID: ABC123

Auth Token

UPN:[email protected]

Unique ID: 254729

Page 11: Bridging on premise identity management

Authentication flow (MEX/Rich Client Profile)

`

Client

(joined to CorpNet)

Authentication platformAD FS 2.0 Server

Lync Online

Active Directory

Customer Microsoft Online Services

Logon (SAML 1.1) Token

UPN:[email protected]

Source User ID: ABC123

Auth Token

UPN:[email protected]

Unique ID: 254729

Page 12: Bridging on premise identity management

Active flow (Outlook/Active Sync)

`

Client

(joined to CorpNet)

Authentication platformAD FS 2.0 Server

Exchange Online

Active Directory

Customer Microsoft Online Services

Logon (SAML 1.1) Token

UPN:[email protected]

Source User ID: ABC123

Auth Token

UPN:[email protected]

Unique ID: 254729

Basic Auth Credentilas

Username/Password

Page 13: Bridging on premise identity management
Page 14: Bridging on premise identity management

Microsoft Online Services requirements ◦ MS Online business scenarios always use WS-*

WS-Trust provides support for rich client authentication

◦ Identity federation supported initially only through AD FS 2.0

Protocols supported ◦ WS-*, SAML1.1

◦ SAML-P coming later

Strong authentication (2FA) solutions ◦ Web applications via ADFS Proxy sign in page or other proxies

(UAG/TMG)

◦ Rich Clients dependent on configuration

Page 15: Bridging on premise identity management

1.Single server configuration

2.AD FS 2.0 server farm and load-balancer

3.AD FS 2.0 proxy server or UAG/TMG (External Users, Active Sync, Outlook)

Enterprise

DMZ

AD FS 2.0 Server Proxy

External user

Internal user

Active Directory

AD FS 2.0 Server

AD FS 2.0 Server

AD FS 2.0 Server Proxy

Page 16: Bridging on premise identity management

Structure Description Considerations

Matching domains Internal Domain and External domain are the same i.e. contoso.com

No special requirements

Sub domain Internal domains is a sub domain of the external domain i.e. corp.contoso.com

Requires Domains registered in order, primary then sub domains

.local domain Internal domain is not publicly “registered” i.e. contoso.local

Domain ownership can’t be proved, must use a different domain • Requires all users to get new

UPN. • Use SMTP address if possible

Multiple distinct UPN suffixes in single forest

Mix of users having login UPNs under different domains i.e. contoso.com & fabrikam.com

Currently requires multiple AD FS servers.

Multi Forest Multiple AD Forest Not currently supported.

Page 17: Bridging on premise identity management

High availability design for AD FS 2.0

Every User must have a UPN

UPN suffix must match a validated domain in Office 365

UPN Character restrictions ◦ Letters, numbers, dot, underscore or dash

◦ No dot before @ symbol

Users may need to understand that they must use UPN to logon to Office 365 Apps ◦ Can be hidden from users with smart links from domain machines

Page 18: Bridging on premise identity management

Number of options depending on needs ◦ Rich Applications without strong authentication ◦ Web apps with strong authentication (RSA etc) ◦ OS/ActiveSync devices without strong authentication

Three options:

Authentication Scheme Authentication limitations

AD FS proxy Requires integration of the strong authentication provider with the AD FS proxy login page.

None

Forefront TMG

Publish the AD FS server. Integration with some strong authentication providers is provided out of the box.

Supported but requires each path to be published separately

Forefront UAG SP1

Publish the AD FS server. Integration with a wide range of authentication providers out of the box, very flexible integration options.

Supported but requires each path to be published separately

Page 19: Bridging on premise identity management
Page 20: Bridging on premise identity management

Feature Simple Rich*

Mail routing between on-prem and cloud (recipients on either side)

Mail routing with shared namespace (if desired) - @company.com on both sides

Unified GAL

Free/Busy and calendar sharing cross-prem

Out of Office understands that cross-prem is “Internal” to the organization

Mailtips, messaging tracking, and mailbox search work cross-prem

OWA Redirection cross-premise (single OWA URL for both on-prem and cloud)

Preserve Auth header (ensure internal email is not marked as spam, resolve against GAL, etc)

EMC GUI tool (on-prem) used to manage cross-prem mailbox migrations

Mailbox moves support both onboarding and offboarding

No outlook reconfiguration or OST resync required after mailbox migration equires Exchange 2010 SP1 Hub+CAS on-prem and requires supplemental configuration steps (both on-prem and in the cloud)

Today’s

Focus

Page 21: Bridging on premise identity management

Cutover

◦ Executed over a weekend; switch the MX record ◦ All users moved as part of a

“big switch” to the cloud No option to pilot mailboxes

◦ No on-prem configuration or hardware requirement

Coexistence

◦ Executed over some longer period of time (a week, a month, a year, etc)

◦ No requirement to ever flip “a switch” – can run in coexistence scenario indefinitely

◦ Requires on-prem configuration and hardware

Today’s Focus

Page 22: Bridging on premise identity management

Answer Your Office 365 Questions

@Agile_IT

AgileIT.com/Blog