Ignite Webcast - Understand Identities and Single Sign-on

learningsnortSecurity

Nov 3, 2013

1. Identity management overview
2. Core identity scenarios
3. Federation and synchronization
4. Additional features

Authentication: verifying that a user, device, or service (such as an application provided on a network server) is the entity that it claims to be.

Authorization: determining which actions an authenticated entity is authorized to perform on the network.




Core identity scenarios

Cloud Identity
- Single identity in the cloud
- Suitable for small organizations with no integration to on-premises directories

Directory & Password Synchronization*
- Single identity, suitable for medium and large organizations without federation*

Federated Identity
- Single federated identity and credentials, suitable for medium and large organizations

Cloud Identity

Windows Azure Active Directory <-> User
- Rich experience with Office apps
- Ease of deployment, management and support
- Lower cost, as no additional servers are required on-premises
- High availability and reliability, as all identities and services are managed in the cloud

Cloud identity, e.g. alice@contoso.com

Directory & Password Synchronization

Windows Azure Active Directory <-> User
- Rich experience with Office apps
- Directory synchronization between on-premises and online
- Identities are created and managed on-premises and synchronized to the cloud
- Single identity and credentials, but no single sign-on for on-premises and Office 365 services
- Password synchronization enables single sign-on at lower cost than federation
- Reuse existing directory implementation on-premises

On-premises identity (e.g. Domain\Alice) --[Directory Synchronization, Password Synchronization]--> Cloud identity (e.g. alice@contoso.com)
On-premises sources: AD, Non-AD (LDAP)

* Password Synchronization may not be available at GA; the target is to update the service in 1H CY2013.

Federated Identity

Windows Azure Active Directory <-> User
- Single identity and sign-on for on-premises and Office 365 services
- Identities mastered on-premises with a single point of management
- Directory synchronization to synchronize directory objects into Office 365
- Secure token-based authentication
- Client access control based on IP address with ADFS
- Strong-factor authentication options for additional security with ADFS

On-premises identity (e.g. Domain\Alice) --[Federation, Directory Synchronization]--> Windows Azure Active Directory
On-premises sources: AD, Non-AD (LDAP)

Federation and Synchronization options

Federation options

Shibboleth (SAML*)
- Suitable for educational organizations
- Recommended where customers may use existing non-ADFS identity systems
- Single sign-on
- Secure token-based authentication
- Support for web clients and Outlook only
- Microsoft supported for integration only; no Shibboleth deployment support
- Requires on-premises servers & support
- Works with AD and other directories on-premises (AD & Non-AD)

ADFS
- Suitable for medium and large enterprises, including educational organizations
- Recommended option for Active Directory (AD) based customers
- Single sign-on
- Secure token-based authentication
- Support for web and rich clients
- Microsoft supported
- PhoneFactor can be used for two-factor authentication
- Works for Office 365 hybrid scenarios
- Requires on-premises servers, licenses & support
- Works with AD

Third-party identity providers (Works with Office 365)
- Suitable for medium and large enterprises, including educational organizations
- Recommended where customers may use existing non-ADFS identity systems with AD or Non-AD
- Single sign-on
- Secure token-based authentication
- Support for web and rich clients
- Third-party supported
- PhoneFactor can be used for two-factor authentication
- Works for Office 365 hybrid scenarios
- Requires on-premises servers, licenses & support
- Verified through the 'Works with Office 365' program
- Works with AD & Non-AD

Federation with Identity Partners
- Program for third-party identity providers to interoperate with Office 365
- Objective is to help customers that currently use non-Microsoft identity solutions to adopt Office 365
- Verified by Microsoft
- Reuse investments

Directory Synchronization options

PowerShell & Graph API
- Suitable for small/medium size organizations with AD or Non-AD
- Performance limitations apply with PowerShell and Graph API provisioning
- PowerShell requires scripting experience
- The PowerShell option can be used where the customer/partner may have wrappers around PowerShell scripts (e.g. self-service provisioning)

DirSync
- Suitable for organizations using Active Directory (AD)
- Provides the best experience to most customers using AD
- Supports Exchange co-existence scenarios
- Coupled with ADFS, provides the best option for federation and synchronization
- Supports Password Synchronization at no additional cost
- Does not require any additional software licenses

Forefront Identity Manager (FIM)
- Suitable for large organizations with certain AD and Non-AD scenarios
- Complex multi-forest AD scenarios
- Non-AD synchronization through Microsoft Premier deployment support
- Requires Forefront Identity Manager and additional software licenses

Identity Roadmap

- Shibboleth (SAML) support: available now
- New Works with Office 365 partners: Ping, Optimal IDM, Okta, IBM available now; Novell, CA and Oracle in 1H CY2013
- DirSync for multi-forest AD: available now through MCS and partners
- Sync solution for Non-AD using FIM: available now through MCS and partners
- Password Synchronization for AD: 1H CY2013
- Broader SAML support: 1H CY2013

Wildcard SSL certificates are supported with ADFS; however, the ADFS GUI fails to add additional ADFS servers to a farm when the ADFS farm name does not match the *.domain.com in the wildcard cert. When adding further ADFS servers to a farm, use FSConfig.exe from the command line to add the additional servers.

From the Field: When working through the firewall considerations, ensure that the MSO datacentre IP ranges have been granted access to port 443 on the ADFS Proxy server located in the DMZ.

From the Field: Understanding the client authentication path

[Diagram: internal and external clients (Lync 2010 / Office Subscription, ActiveSync, Outlook 2010/2007, IMAP/POP, OWA) authenticating across the corporate boundary to Exchange Online via the AD FS 2.0 Server and the AD FS 2.0 Proxy, each exposing MEX, Web and Active endpoints; username/password flows for each client type; basic auth proposal: pass client IP, protocol and device name]

Client access policy scenarios:
- Block all external access to Office 365 based on the IP address of the external client.
- Block all external access to Office 365 except Exchange ActiveSync; all other clients, such as Outlook, are blocked.
- Block all external access to Office 365 except for passive browser-based applications such as Outlook Web Access or SharePoint Online.

Use the Client Access Policy Builder! Test ADFS client access rules extensively; ADFS will by default log all denied authorizations and the values it based the denial upon.
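The three client access policy scenarios above are implemented as issuance authorization rules on the Office 365 relying party trust in AD FS. The PowerShell below is an added example and is not code from the webcast deck; it assumes AD FS 2.0 with the update rollup that added client access policy support (so that the x-ms-proxy, x-ms-forwarded-client-ip, x-ms-client-application and x-ms-endpoint-absolute-path request-context claims are issued), the default relying party trust name that Convert-MsolDomainToFederated creates, and a placeholder IP regex that must be replaced with the customer's real public egress range.

```powershell
# Added example, not from the deck: AD FS 2.0 client access policy rules for
# the three scenarios (block all external, external except ActiveSync,
# external except passive browser clients) on the Office 365 trust.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpName = "Microsoft Office 365 Identity Platform"   # default trust name

# Placeholder: regex matching the organisation's public egress addresses.
# 192.0.2.x is the TEST-NET-1 documentation range, used here as a stand-in.
$corpIpRegex = '^192\.0\.2\.(1[0-9]|2[0-9]|3[0-2])$'

$ns = "http://schemas.microsoft.com/2012/01/requestcontext/claims"

# The default permit rule stays in place; a deny claim overrides it.
$permitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Scenario 1: request arrived through the AD FS proxy (x-ms-proxy present)
# and the forwarded client IP is not in the corporate range -> deny.
$blockExternal = @"
@RuleName = "Block external access by client IP"
exists([Type == "$ns/x-ms-proxy"])
 && NOT exists([Type == "$ns/x-ms-forwarded-client-ip", Value =~ "$corpIpRegex"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
"@

# Scenario 2: as above, but Exchange ActiveSync devices are exempt.
$blockExternalExceptEas = @"
@RuleName = "Block external access except ActiveSync"
exists([Type == "$ns/x-ms-proxy"])
 && NOT exists([Type == "$ns/x-ms-forwarded-client-ip", Value =~ "$corpIpRegex"])
 && NOT exists([Type == "$ns/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
"@

# Scenario 3: as scenario 1, but passive (browser) sign-in through /adfs/ls/
# is exempt, which is the path OWA and SharePoint Online use.
$blockExternalExceptPassive = @"
@RuleName = "Block external access except passive browser clients"
exists([Type == "$ns/x-ms-proxy"])
 && NOT exists([Type == "$ns/x-ms-forwarded-client-ip", Value =~ "$corpIpRegex"])
 && NOT exists([Type == "$ns/x-ms-endpoint-absolute-path", Value == "/adfs/ls/"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
"@

# Back up the rule set that is currently on the trust before replacing it.
$trust = Get-ADFSRelyingPartyTrust -Name $rpName
$trust.IssuanceAuthorizationRules | Out-File ".\O365-authz-rules-backup.txt"

# Apply scenario 3 (swap in $blockExternal or $blockExternalExceptEas as needed).
Set-ADFSRelyingPartyTrust -TargetName $rpName `
    -IssuanceAuthorizationRules ($permitAll + "`n" + $blockExternalExceptPassive)

# Show what is now in force.
(Get-ADFSRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

Set-ADFSRelyingPartyTrust replaces the whole rule set rather than appending, so the permit rule has to be re-supplied together with the deny rule, and the backup file is what you restore from if a wrong IP regex locks every external client out. As the deck notes, AD FS logs each denied authorization with the claim values it evaluated, which is the quickest way to confirm that a test from outside the corporate range was denied for the intended reason and that an ActiveSync or browser test was let through.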

From the Field: If the customer does not have a valid and routable UPN suffix, one can be added via Active Directory Domains and Trusts: right-click the top of the tree, click Properties, and add the UPN suffix.
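The same change can be made and checked from PowerShell, which also lets you find the accounts whose UPN still carries a non-routable suffix. This is an added example, not code from the deck; it assumes the ActiveDirectory module from RSAT is installed and uses "contoso.com" as a placeholder for the customer's verified Office 365 domain.

```powershell
# Added example, not from the deck: add a routable UPN suffix to the forest
# and report users whose UPN does not use it.
Import-Module ActiveDirectory

$routableSuffix = "contoso.com"     # placeholder: the domain verified in Office 365

# 1. Show the suffixes the forest currently allows.
$forest = Get-ADForest
"Forest root domain : $($forest.RootDomain)"
"Extra UPN suffixes : $($forest.UPNSuffixes -join ', ')"

# 2. Add the routable suffix if it is missing (same effect as
#    Domains and Trusts > Properties > UPN Suffixes).
if ($forest.UPNSuffixes -notcontains $routableSuffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{Add = $routableSuffix}
}

# 3. Enabled users still on a non-routable suffix (e.g. contoso.local), whose
#    on-premises UPN will not match a cloud identity such as alice@contoso.com.
$nonRoutable = Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName |
    Where-Object { $_.UserPrincipalName -and $_.UserPrincipalName -notlike "*@$routableSuffix" }

$nonRoutable | Select-Object SamAccountName, UserPrincipalName | Format-Table -AutoSize

# 4. Rewrite the suffix while keeping the prefix. -WhatIf only reports the
#    change; remove it once the list above has been reviewed.
foreach ($u in $nonRoutable) {
    $prefix = $u.UserPrincipalName.Split('@')[0]
    Set-ADUser -Identity $u -UserPrincipalName "$prefix@$routableSuffix" -WhatIf
}
```

Run step 3 before DirSync is first installed: a UPN changed after synchronization has to be re-synchronized, and the federated sign-in for that user fails until the cloud and on-premises UPNs match again.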

From the Field: When utilising the full SQL option, you must ensure that the EA account has "sysadmin" rights on the SQL database and that the DirSync service account has "public" permissions on the DirSync DB.

From the Field:
- The DirSync server must be joined to a domain within the same forest that will be synchronized
- The DirSync server should never be installed on a domain controller
- The DirSync server should be Windows Server 2008 (x64)
- By default SQL Server 2008 R2 Express is installed: 10 GB database limit (approx. 50,000 objects); full SQL option available
- An Enterprise Administrator credential should be used to install DirSync; it is only required during setup
- x64 single/multi-forest appliance available (O365 connector also available for complex scenarios)
- x86 DirSync is now unsupported
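The requirements above are easy to check on the candidate server before running the DirSync installer. The script below is an added example, not from the deck; it uses WMI and the ActiveDirectory module, and "contoso.local" is a placeholder for the forest to be synchronized.

```powershell
# Added example, not from the deck: pre-install checks against the DirSync
# server requirements (forest membership, not a DC, Windows Server 2008 x64,
# object count versus the SQL Express limit).
Import-Module ActiveDirectory

$targetForest = "contoso.local"   # placeholder: forest that will be synchronized
$issues = @()

$cs = Get-WmiObject Win32_ComputerSystem
$os = Get-WmiObject Win32_OperatingSystem

# Domain-joined, and the domain must belong to the forest being synchronized.
if (-not $cs.PartOfDomain) {
    $issues += "Server is not domain-joined"
} elseif ((Get-ADDomain -Identity $cs.Domain).Forest -ne $targetForest) {
    $issues += "Server domain $($cs.Domain) is not in forest $targetForest"
}

# DomainRole 4 = backup DC, 5 = primary DC; DirSync must not run on either.
if ($cs.DomainRole -ge 4) { $issues += "Server is a domain controller" }

# Windows Server 2008 reports kernel version 6.0 (2008 R2 is 6.1); require x64.
if ([version]$os.Version -lt [version]"6.0") {
    $issues += "OS older than Windows Server 2008 ($($os.Caption))"
}
if ($os.OSArchitecture -ne "64-bit") {
    $issues += "OS is not x64 ($($os.OSArchitecture)); x86 DirSync is unsupported"
}

# Rough object count against the 10 GB SQL Express limit (approx. 50,000 objects).
$objects = @(Get-ADObject -Filter 'objectClass -eq "user" -or objectClass -eq "group" -or objectClass -eq "contact"' -ResultSetSize $null)
if ($objects.Count -gt 50000) {
    $issues += "$($objects.Count) objects: plan for the full SQL option instead of SQL Express"
}

if ($issues.Count -eq 0) { "Preflight OK" } else { $issues | ForEach-Object { "FAIL: $_" } }
```

The object count is deliberately coarse (users, groups and contacts only); it is there to flag a directory that will exceed the SQL Express limit before the install, when switching to the full SQL option is still cheap.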

Multi-forest AD

Windows Azure Active Directory <-> User
- Multi-forest AD support is available through Microsoft-led deployments
- The multi-forest DirSync appliance supports multiple disjoint account forests
- The FIM 2010 Office 365 connector supports complex multi-forest topologies

On-premises identity (e.g. Domain\Alice), multiple AD forests --[Federation using ADFS, DirSync on FIM]--> Windows Azure Active Directory

Non-AD directories

Windows Azure Active Directory <-> User
- Preferred option for directory synchronization with Non-AD sources
- Non-AD support with FIM is available through Microsoft-led deployments
- The FIM 2010 Office 365 connector supports complex multi-forest topologies

On-premises identity (e.g. Domain\Alice), Non-AD (LDAP) --[Federation using a non-ADFS STS, Office 365 connector on FIM]--> Windows Azure Active Directory