Office 365 & Identity Federation

joeneetscompetitiveSecurity

Nov 3, 2013

Bert Jan van der Steeg
SharePoint Consultant

Office 365 & Identity Federation

Bert Jan van der Steeg
consultant, trainer
bertjan@companio.nl

agenda
- Intro
- ADFS 2.0 Overview
- Federated Authentication in Office 365
- Single Sign On Configuration


Intro


ADFS
2.0
Overview


Federated Authentication in Office 365


Single Sign On Configuration




agenda

IdM options
Identities used to access resources:
- on-premises (Active Directory)
- cloud (Office 365)
Available options:
- separate credentials in the corporate directory and in Office 365
- migrate the existing credentials to Office 365
- identity federation with ADFS 2.0

IdM options: separate credentials
Painful to manage
- separate password policies
- multiple credentials to manage
- management of the sign-in application (BPOS)
Sub-optimal user experience
- log in each time the service is accessed
- two accounts and/or passwords to manage
- set-up of the sign-in application on every new computer used by each user (BPOS)

IdM options: migrate existing credentials
- no more corporate credentials
- credentials and resources live in the cloud
- fits small shops: no dedicated IT guy, no local resources

IdM options: identity federation
- credential management stays on-premises
- trust with the Federation Gateway
- Office 365 is the Relying Party
Prerequisites
- the domain's UPN suffix must be publicly routable (a registered DNS domain, not something like .local)
- own the domain (ownership is proven through the SSL certificate)

user accounts
- cloud identity: charlie@contoso.microsoftonline.com
- on-premises identity: contoso\charlie
- federated identity (identity federation): charlie@contoso.com

ten steps
Easy, right?


agenda (section divider: ADFS 2.0 Overview)

history: claims
Active Directory Federation Services 2.0: claims-based AuthN, built on
- WS-Federation: architecture and specification for identity federation protocols
- WS-Trust: describes the token exchange procedures
- SAML: standard for exchanging AuthN and AuthZ data between security realms (to Office 365, ADFS 2.0 issues SAML 1.1 tokens over WS-Federation; it also speaks the SAML 2.0 protocol)

federation lingo (this.. means this)
- STS: Security Token Service (IP-STS on the identity provider side, RP-STS on the relying party side)
- Identity Provider (IdP): system that authenticates users and generates SAML tokens containing claims
- Relying Party (RP): application (service) that accepts the claims in those tokens
- Web Single Sign-On: federated authentication systems; AuthN is separated from AuthZ
- Federated Sign-Out: signing out from all systems involved
- Claim: assertion about an identity that is used for AuthZ purposes
- FederationMetadata.xml (ADFS 2.0): XML file used to exchange information (endpoints, signing certificates) between RP and IP; it should always be available
- Claims augmentation: adding claims to a SAML token based on attribute store information
- WAYF: Where Are You From, i.e. Home Realm Discovery

[Diagram: ADFS 2.0 in the enterprise: users in AD authenticate through ADFS 2.0 to corporate resources, partner resources, Office 365 and Azure]

[Diagram: the same picture with the Federation Gateway placed between ADFS 2.0 and Office 365/Azure]

[Diagram: federation gateway: users in AD sign in through ADFS 2.0 to the Federation Gateway, which fronts Lync Online, SharePoint Online and Exchange Online; Live ID is the other IdP behind the gateway, next to the Provisioning Service]

federation gateway
- online service based on WS-* standards
- the connection point into the federation ecosystem
- billions of authentications daily
- in production since 2006
- trust provisioning service: checks domain ownership through the SSL certificate

topology
[Diagram: the cloud (Federation Gateway) talks to https://adfs.contoso.com. Internally that name resolves to the ADFS 2.0 farm (adfs 1, adfs 2); externally it resolves to the ADFS proxies (adfs proxy 1, adfs proxy 2) in the perimeter network, which forward to the farm. The farm is created with Fsconfig /createsqlfarm]

claims
- statements made about users which are understood and trusted by both partners in a federation: name, identity, group, role, privilege, capability
- used for authorization purposes within applications
- begin at the identity provider when the user provides credentials
- inserted into security tokens (SAML tokens), which are a secure, standardized way of packaging the data for transport to a trusted partner

ADFS claims engine
Stage 1, accepting claims: the incoming claims pass through the acceptance transform rules of the claims provider trust
Stage 2, authorizing claims: the issuance authorization rules of the relying party trust decide Permit or Deny
Stage 3, issuing claims: the issuance transform rules of the relying party trust produce the outgoing claims that go into the token

ADFS 2.0 components
- AuthN store: Active Directory
- target application: Office 365
- trust relationships
- endpoints

ADFS 2.0 components: endpoints
1. Passive federation endpoint: browser-based connections (the browser is redirected to it)
2. Active federation endpoint: rich clients (Lync 2010) that request a token themselves over WS-Trust
3. EAS endpoint: ActiveSync, Outlook 2010, Exchange Web Services. Here the client sends its username and password to Exchange Online, which obtains the token from the active endpoint on the client's behalf. Because this endpoint takes credentials directly and must be reachable from the internet through the ADFS proxy, it is the one password-guessing attacks go for, so restrict and monitor it.

claim rules: acceptance transform rules

ADFS 2.0 components: issuance transform rules

Rule 1, look the user up in Active Directory and issue UPN and ImmutableID:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/UPN", "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), query = "samAccountName={0};userPrincipalName,objectGUID;{1}", param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);

Rule 2, copy the ImmutableID into the SAML NameID:

c:[Type == "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value = c.Value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");

Rule 3, derive the issuer from the UPN suffix (added by -SupportMultipleDomain):

c:[Type == "http://schemas.xmlsoap.org/claims/UPN"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value = regexreplace(c.Value, ".+@(?<domain>.+)", "http://${domain}/adfs/services/trust/"));

Notes: the regexreplace in rule 1 strips the NetBIOS domain from DOMAIN\user so the sAMAccountName can be queried; the ImmutableID is the base64-encoded objectGUID, the same value DirSync writes to the cloud as the user's source anchor, so the signed-in user is matched to the synced account by that anchor as well as by UPN. Rule 3 makes the issuer depend on the UPN suffix that rule 1 read from AD, which is why each federated domain gets its own issuer URI and why a user's UPN suffix must be one of the federated domains.
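To make the three rules concrete, the following Python script is an added example (not from this deck and not ADFS code) that applies the same claim types and regexreplace patterns to a constructed in-memory stand-in for the Active Directory attribute store. The users, GUIDs and the NetBIOS name in SAMPLE_AD are made up; the URIs and regular expressions are the ones in the rules above. It also covers two cases the rules are silent about: a user the store query does not return, and a user whose UPN suffix differs from the NetBIOS domain.

```python
"""Simulate the three Office 365 issuance transform rules from the slide.

Added example, not ADFS code. SAMPLE_AD is a constructed stand-in for the
"Active Directory" attribute store; a real ADFS server runs the LDAP query.
"""
import base64
import re
import uuid

# Claim type URIs exactly as they appear in the rules.
WINDOWSACCOUNTNAME = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
UPN = "http://schemas.xmlsoap.org/claims/UPN"
IMMUTABLEID = "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"
NAMEIDENTIFIER = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
NAMEID_FORMAT_PROP = "http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
ISSUERID = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid"

# Constructed sample data: sAMAccountName -> (userPrincipalName, objectGUID).
# dana's UPN suffix differs from the NetBIOS domain on purpose (multi-domain case).
SAMPLE_AD = {
    "charlie": ("charlie@contoso.com", uuid.UUID("12345678-1234-1234-1234-123456789abc")),
    "dana": ("dana@fabrikam.com", uuid.UUID("0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0")),
}


def claim(ctype, value, properties=None):
    return {"type": ctype, "value": value, "properties": properties or {}}


def immutable_id(guid):
    """objectGUID as DirSync stamps it into the source anchor: base64 of the
    16 bytes in the order AD stores them (GUID structure order, bytes_le),
    not of the dashed text form."""
    return base64.b64encode(guid.bytes_le).decode("ascii")


def run_issuance_rules(incoming, store):
    """Apply rules 1, 2 and 3 in order. Each rule runs against the claims
    present at that point, so rules 2 and 3 see what rule 1 issued."""
    claims = list(incoming)

    # Rule 1: windowsaccountname -> UPN + ImmutableID looked up in the store.
    # regexreplace("DOMAIN\\user", ..., "${user}") strips the NetBIOS domain.
    for c in [c for c in claims if c["type"] == WINDOWSACCOUNTNAME]:
        sam = re.sub(r"(?P<domain>[^\\]+)\\(?P<user>.+)", r"\g<user>", c["value"])
        if sam not in store:
            # The query returned no row: the store issues nothing, the token
            # leaves without UPN/ImmutableID and Office 365 rejects it.
            continue
        upn, guid = store[sam]
        claims.append(claim(UPN, upn))
        claims.append(claim(IMMUTABLEID, immutable_id(guid)))

    # Rule 2: ImmutableID -> SAML NameID with format "unspecified".
    for c in [c for c in claims if c["type"] == IMMUTABLEID]:
        claims.append(claim(NAMEIDENTIFIER, c["value"],
                            {NAMEID_FORMAT_PROP: NAMEID_UNSPECIFIED}))

    # Rule 3 (-SupportMultipleDomain): the issuer is derived from the UPN
    # suffix, so the cloud matches it against that federated domain's issuer.
    for c in [c for c in claims if c["type"] == UPN]:
        issuer = re.sub(r".+@(?P<domain>.+)",
                        r"http://\g<domain>/adfs/services/trust/", c["value"])
        claims.append(claim(ISSUERID, issuer))

    return claims


def values(claims, ctype):
    """All claim values of one type, in issuance order."""
    return [c["value"] for c in claims if c["type"] == ctype]


if __name__ == "__main__":
    token = run_issuance_rules([claim(WINDOWSACCOUNTNAME, "CONTOSO\\dana")], SAMPLE_AD)
    for c in token:
        print(c["type"].rsplit("/", 1)[-1], "=", c["value"], c["properties"])
```

Running it for CONTOSO\dana shows the issuer coming out as http://fabrikam.com/adfs/services/trust/ even though the account lives in the CONTOSO domain: the issuer follows the UPN suffix read from AD, not the NetBIOS name the user typed. Note also that the ImmutableID is computed from the GUID's stored byte order; encoding the dashed text form gives a different string, and a cloud account matched that way never lines up with the token.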






agenda (section divider: Federated Authentication in Office 365 and Single Sign On Configuration follow)

Single Sign On Configuration: add the domain to the tenant, convert it to federated (can be done later), connect to MSOL

configure federation: connect to Microsoft Online and point the MSOL cmdlets at the ADFS server

$cred = Get-Credential
Connect-MsolService -Credential $cred
Set-MsolADFSContext -Computer <FQDN of ADFS server>

add federated domain (configure federation)

New-MsolFederatedDomain -DomainName <domainname> -SupportMultipleDomain

Notes: New-MsolFederatedDomain is run twice; the first run returns the DNS record that proves ownership of the domain, the second run, after that record is published, verifies the domain and creates the relying party trust and claim rules on the ADFS server. A domain that is already verified in the tenant is switched with Convert-MsolDomainToFederated -DomainName <domainname> instead. -SupportMultipleDomain adds the issuerid claim rule and needs Update Rollup 1 for AD FS 2.0 on the farm.
Directory Synchronization
- Directory Synchronization is used between the on-premises Active Directory and Office 365
- federation requires DirSync in this scenario
- users' UPNs are used for account matching; DirSync also writes each user's objectGUID to the cloud as the source anchor, which is the ImmutableID the ADFS token carries

Directory Synchronization: force a synchronization cycle

Start-OnlineCoexistenceSync

demo: sharepointlabs.nl
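The prerequisites slide earlier demands a routable UPN suffix, and matching is done on the UPN. The Python check below is an added example (not part of the deck, not DirSync or MSOL code) that classifies a constructed set of on-premises users against a constructed list of tenant domains before federation is switched on, the kind of pre-flight one would run over an export from Get-ADUser and Get-MsolDomain. All names, domains and the TENANT_DOMAINS/SAMPLE_USERS data are assumptions for illustration.

```python
"""Pre-flight check: will each on-premises user's UPN federate and match?

Added example, not part of the deck or of DirSync. Users and tenant domains
are constructed sample data; in practice feed it the output of Get-ADUser
and Get-MsolDomain.
"""
import re

# Constructed tenant state: verified domain -> authentication type.
TENANT_DOMAINS = {
    "contoso.com": "Federated",
    "fabrikam.com": "Managed",
    "contoso.onmicrosoft.com": "Managed",
}

# Constructed on-premises users: (sAMAccountName, userPrincipalName).
SAMPLE_USERS = [
    ("charlie", "charlie@contoso.com"),
    ("dana", "dana@fabrikam.com"),
    ("erin", "erin@contoso.local"),      # non-routable suffix
    ("frank", None),                      # UPN never set
    ("grace", "Grace@CONTOSO.COM"),       # case differs, still the same domain
]

UPN_RE = re.compile(r"^(?P<user>[^@\s]+)@(?P<suffix>[^@\s]+)$")


def classify_upn(upn, tenant_domains):
    """Return (status, suffix) for one UPN.

    federated  - suffix is a verified, federated domain: SSO will work
    managed    - suffix verified but not federated: the user gets a cloud password
    unroutable - suffix is not a verified tenant domain (e.g. .local): the synced
                 user is provisioned under the tenant's onmicrosoft.com suffix
                 and cannot be matched to the identity ADFS asserts
    missing    - no UPN at all, nothing to match on
    """
    if not upn:
        return ("missing", None)
    m = UPN_RE.match(upn)
    if not m:
        return ("unroutable", None)
    suffix = m.group("suffix").lower()      # DNS names are case-insensitive
    auth = tenant_domains.get(suffix)
    if auth == "Federated":
        return ("federated", suffix)
    if auth is not None:
        return ("managed", suffix)
    return ("unroutable", suffix)


def preflight(users, tenant_domains):
    """Group users by status so the problems are visible before federating."""
    report = {"federated": [], "managed": [], "unroutable": [], "missing": []}
    for sam, upn in users:
        status, _suffix = classify_upn(upn, tenant_domains)
        report[status].append(sam)
    return report


if __name__ == "__main__":
    for status, names in preflight(SAMPLE_USERS, TENANT_DOMAINS).items():
        print(f"{status:10s} {', '.join(names) or '-'}")
```

Anything in the unroutable or missing buckets has to be fixed in AD (add the public suffix to the forest and rewrite the UPN) before DirSync and federation are enabled, otherwise those users are synced but never able to sign in through ADFS.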

login sequence
Parties: client (browser), SharePoint Online and Exchange Online in the cloud, the Sign-In Service (Federation Gateway), ADFS 2.0 and AD on-premises.
1. The client requests a page from SharePoint Online: 401 - Authenticate.
2. SharePoint Online answers 302 - Redirect to the Sign-In Service.
3. The Sign-In Service reads the UPN suffix (home realm discovery) and redirects the client to ADFS 2.0.
4. ADFS 2.0 authenticates the user against AD and issues a SAML logon token (UPN: charlie@sharepointlabs.nl, Source ID: ABC123), which the client posts to the Sign-In Service.
5. The Sign-In Service validates the token signature against the trust and issues its own authentication token (UPN: charlie@sharepointlabs.nl, Source ID: 1234567), which the client presents to SharePoint Online or Exchange Online.

scenarios
- domain-joined computer in the corporate network: the ADFS server can use Windows Integrated AuthN
- domain-joined computer, roaming: publish the ADFS server (ADFS proxy)
- home or public computer: the user signs in with corporate credentials on the published ADFS sign-in page
- smartphone, Microsoft Outlook or other e-mail clients: active authentication through Exchange Online

troubleshooting
Troubleshooting tools
- MOSDAL (Microsoft Online Services Diagnostics and Logging) Support Toolkit
- www.testexchangeconnectivity.com
- Fiddler (trace the redirect chain and the posted tokens)


adfs

additional

reading

kb
2607496

Update Rollup 1 for Active Directory
Federation Services (AD FS) 2.0


Multiple
Issuer

Support

Client Access Policy Support

Congestion

Avoidance

Algorithm

Additional AD FS 2.0 performance
counters



more info
- Web Services Federation Language (WS-Federation) Version 1.2: http://docs.oasis-open.org/wsfed/federation/v1.2/ws-federation.pdf
- WS-Trust Version 1.3: http://docs.oasis-open.org/ws-sx/ws-trust/200512/ws-trust-1.3-os.pdf
- Security Assertion Markup Language (SAML) 2.0: http://go.microsoft.com/fwlink/?LinkId=193996
- Microsoft AD FS 2.0 Release to Web (RTW) download: http://www.microsoft.com/downloads/details.aspx?FamilyID=118c3588-9070-426a-b655-6cec0a92c10b
- Identity federation definition from Wikipedia: http://en.wikipedia.org/wiki/Federated_identity
- Microsoft Office 365 Single Sign-On (SSO) with AD FS 2.0: http://tinyurl.com/6pbrkop


more info

Microsoft Office 365 Single Sign
-
On
(SSO) with AD FS
2.0


http://tinyurl.com/6pbrkop