Office 365 & Federation
Bert Jan van der Steeg, SharePoint consultant and trainer
agenda
Intro
ADFS 2.0 Overview
Federated Authentication in Office 365
Single Sign On Configuration
IdM options
Identities used to access resources:
• On-premises (Active Directory)
• Cloud (Office 365)
Available options:
• Separate credentials in the corporate directory and in Office 365
• Migrate existing credentials to Office 365
• Identity federation with ADFS 2.0
IdM options: separate credentials
Painful to manage
• Separate password policies
• Multiple credentials to manage
• Management of the sign-in application (BPOS)
Sub-optimal user experience
• Log in each time the service is accessed
• Two accounts and/or passwords to manage
• Set-up of the sign-in application on every new computer used by each user (BPOS)

IdM options: migrate existing credentials
No more corporate credentials
Credentials and resources in the cloud
Small shops
• No dedicated IT person
• No local resources
IdM options: identity federation
Credential management stays on-premises

identity federation
Trust with the Federation Gateway
Office 365 is the Relying Party
Prerequisites
• The domain's UPN suffix must be publicly routable
• You must own the domain (proven with an SSL certificate)
identity federation
[diagram: the on-premises user account contoso\charlie in Active Directory and the federated identity charlie@contoso.com in Office 365 are one identity; the UPN charlie@contoso.com is the link between them]
ten steps
Easy, right?
agenda: ADFS 2.0 Overview
Active Directory Federation Services 2.0: claims

Claims-based AuthN: history
WS-Federation
Architecture and specification for identity federation protocols
WS-Trust
Describes the token exchange procedures
SAML
Describes a standard for the exchange of AuthN and AuthZ statements between security realms

federation lingo: this.. means this
STS: Security Token Service (IP-STS on the identity provider side, RP-STS on the relying party side)
Identity Provider (IdP): system that authenticates the user and generates SAML tokens containing claims
Relying Party: application (service) that accepts claims
Web Single Sign-On: federated authentication systems, where AuthN is separated from AuthZ
Federated Sign-Out: signing out from all systems involved
Claim: assertion about an identity that is used for AuthZ purposes
FederationMetadata.xml (ADFS 2.0): XML file used to exchange information (endpoints, signing certificate) between RP and IdP; it must always be reachable
Claims augmentation: adding claims to a SAML token based on attribute-store information
WAYF: Where Are You From, also called Home Realm Discovery
federation gateway
[diagram 1: corporate users in Active Directory authenticate at the on-premises ADFS 2.0 instance, which holds separate trusts with Office 365, Azure, partner resources and corporate resources]
[diagram 2: the same parties with the Federation Gateway added between the on-premises ADFS 2.0 instance and the cloud services]
federation gateway
[diagram 3: on-premises users and Active Directory behind ADFS 2.0; the Federation Gateway, with Live ID as its IdP, fronts the Provisioning Service, SharePoint Online, Exchange Online and Lync Online]
federation gateway
Online service based on WS-* standards
Connection into the federation ecosystem
Billions of authentications daily
In production since 2006
Trust provisioning service: checks domain ownership through the SSL certificate
topology
[diagram: an internal ADFS 2.0 farm (adfs 1, adfs 2) built with Fsconfig /createsqlfarm, fronted by two ADFS proxies (adfs proxy 1, adfs proxy 2) that face the cloud; both the farm and the proxies answer as https://adfs.contoso.com]
claims
Statements made about users which are understood and trusted by both partners in a federation
name, identity, group, role, privilege, capability
Used for authorization purposes within applications
Begin at the identity provider when the user provides credentials
Inserted into security tokens (SAML tokens), which follow a secure, standardized method of packaging the data for transport to a trusted partner
adfs claims engine
[diagram: Claims Provider Trust → Incoming Claims → Stage 1: accepting claims (Acceptance Transform Rules) → Stage 2: authorizing claims (Issuance Authorization Rules: Permit or Deny) → Stage 3: issuing claims (Issuance Transform Rules) → Outgoing Claims → Relying Party Trust]
Stage 2 decides whether a token is issued at all: if no issuance authorization rule permits the user, ADFS denies.
adfs 2.0 components: trust relationships
[diagram: Active Directory is the AuthN store, Office 365 is the target application, and ADFS 2.0 holds the trust relationships between them]

adfs 2.0 components: endpoints
1. Passive Federation Endpoint: browser-based connections
2. Active Federation Endpoint: rich clients (Lync 2010)
3. EAS Endpoint: ActiveSync, Outlook 2010, Exchange Web Services
adfs 2.0 components: claim rules
The slide shows the rule sets of both trusts: the acceptance transform rules on the Active Directory claims provider trust (the Windows account name that rule 1 below consumes arrives through them) and the issuance transform rules on the Office 365 relying party trust. The three issuance transform rules, reassembled from the slide:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/UPN", "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), query = "samAccountName={0};userPrincipalName,objectGUID;{1}", param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);

c:[Type == "http://schemas.xmlsoap.org/claims/UPN"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value = regexreplace(c.Value, ".+@(?<domain>.+)", "http://${domain}/adfs/services/trust/"));

c:[Type == "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value = c.Value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");

Rule 1 looks the user up in Active Directory by sAMAccountName (the part of DOMAIN\user after the backslash) and issues the userPrincipalName as UPN and the objectGUID as ImmutableID. Rule 2 derives the issuer id from the UPN suffix, so one ADFS instance can serve several federated domains. Rule 3 places the ImmutableID in the SAML NameID, which is the value Office 365 matches against the synchronized account.
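As an added example (not code from the deck or from Microsoft), this is the PowerShell an ADFS 2.0 administrator would run to confirm that the Office 365 relying party trust actually carries the three issuance transform rules above, and to apply them if one is missing. The relying party name "Microsoft Office 365 Identity Platform" (the default that New-MsolFederatedDomain creates) and the ADFS 2.0 snap-in name are assumptions to adjust for your environment.

```powershell
# Added example, not from the slide deck. Checks the Office 365 relying party
# trust on an ADFS 2.0 server for the three issuance transform rules shown on
# the slide and applies them when one is missing.
# Assumptions: run on an ADFS 2.0 federation server as an ADFS administrator;
# the relying party trust has the default name that New-MsolFederatedDomain
# gives it. Adjust $RpName if yours differs.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$RpName = "Microsoft Office 365 Identity Platform"

# The three rules from the slide, written out in full. A single-quoted
# here-string keeps ${user} and ${domain} literal: they are claim-rule
# placeholders, not PowerShell variables.
$Rules = @'
@RuleName = "Issue UPN and ImmutableID from Active Directory"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/UPN", "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), query = "samAccountName={0};userPrincipalName,objectGUID;{1}", param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);

@RuleName = "Issue issuerid from the UPN suffix"
c:[Type == "http://schemas.xmlsoap.org/claims/UPN"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value = regexreplace(c.Value, ".+@(?<domain>.+)", "http://${domain}/adfs/services/trust/"));

@RuleName = "Issue ImmutableID as SAML NameID"
c:[Type == "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value = c.Value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
'@

$rp = Get-ADFSRelyingPartyTrust -Name $RpName
if ($rp -eq $null) { throw "Relying party trust '$RpName' not found on this ADFS server." }

# Every claim type the three rules must issue has to appear in the current rule set.
$required = @(
    "http://schemas.xmlsoap.org/claims/UPN",
    "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID",
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
)
$current = [string]$rp.IssuanceTransformRules
$missing = @($required | Where-Object { $current.IndexOf($_) -lt 0 })

if ($missing.Count -gt 0) {
    Write-Warning ("'{0}' does not issue: {1}" -f $RpName, ($missing -join ", "))
    # Replaces the whole issuance transform rule set with the three rules above.
    Set-ADFSRelyingPartyTrust -TargetName $RpName -IssuanceTransformRules $Rules
    Write-Host "Issuance transform rules on '$RpName' replaced."
} else {
    Write-Host "All Office 365 issuance transform rules are present on '$RpName'."
}

# Show what is now in place, for the change record.
(Get-ADFSRelyingPartyTrust -Name $RpName).IssuanceTransformRules
```

Two caveats worth keeping in mind when touching these rules: the ImmutableID (objectGUID) is the key Office 365 uses to match the token to the synchronized user, so changing what rule 1 issues silently breaks every account mapping; and Set-ADFSRelyingPartyTrust replaces the complete issuance transform rule set, so any extra rules you added (for example claims for a client access policy) have to be included in $Rules. The issuance authorization rules of stage 2 are a separate property (IssuanceAuthorizationRules) and are not changed here.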
agenda: Single Sign On Configuration
add domain, convert to federated later

configure federation: connect to MSOL
$cred = Get-Credential
Connect-MsolService -Credential $cred
Set-MsolADFSContext -Computer <FQDN of ADFS server>

configure federation: add federated domain
New-MsolFederatedDomain -DomainName <domainname> -SupportMultipleDomain

Directory Synchronization
Directory Synchronization is used between on-premises Active Directory and Office 365
Federation requires DirSync in this scenario
Users' UPNs are leveraged for account matching
Start-OnlineCoexistenceSync
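The steps on the preceding slides, run end to end with the checks a practitioner wants before and after, as an added example (not the deck's or Microsoft's own script). It assumes an ADFS 2.0 server with the Microsoft Online Services Module for PowerShell (MSOnline) installed, contoso.com as the domain to federate and adfs.contoso.com as the federation service name; the DirSync step runs on the DirSync server and is only noted.

```powershell
# Added example, not from the slide deck: the "configure federation" steps from
# the preceding slides run end to end, with the checks a practitioner wants
# before and after.
# Assumptions: run on the ADFS 2.0 server (or a machine with the ADFS snap-in)
# with the MSOnline module installed; contoso.com is the domain to federate and
# adfs.contoso.com the federation service name; DirSync runs elsewhere.
Import-Module MSOnline

$Domain     = "contoso.com"
$AdfsServer = "adfs.contoso.com"

# Step 1: connect to MSOL. The deck writes Get-Credentials; the cmdlet is Get-Credential.
$cred = Get-Credential
Connect-MsolService -Credential $cred

# Step 2: tell the MSOL cmdlets which ADFS server they will configure.
Set-MsolADFSContext -Computer $AdfsServer

# Step 3: establish what state the domain is in before touching it.
$d = Get-MsolDomain -DomainName $Domain -ErrorAction SilentlyContinue
if ($d -eq $null) {
    # Not yet in the tenant: New-MsolFederatedDomain adds it as a federated
    # domain. It has to be run again once the DNS verification record it
    # asks for has been published.
    New-MsolFederatedDomain -DomainName $Domain -SupportMultipleDomain
}
elseif ($d.Status -ne "Verified") {
    throw "$Domain is in the tenant but not verified (status $($d.Status)); verify it first."
}
elseif ($d.Authentication -eq "Federated") {
    # Already federated: re-push the ADFS settings (signing certificate, endpoints).
    Update-MsolFederatedDomain -DomainName $Domain -SupportMultipleDomain
}
else {
    # Added and verified as a managed domain: the "add domain, convert to
    # federated later" path from the slide.
    Convert-MsolDomainToFederated -DomainName $Domain -SupportMultipleDomain
}

# Step 4: check what Office 365 now holds for the domain. With
# -SupportMultipleDomain the IssuerUri is per domain, exactly as the issuerid
# claim rule on the ADFS side produces it.
$fed = Get-MsolDomainFederationSettings -DomainName $Domain
"IssuerUri       : $($fed.IssuerUri)"
"PassiveLogOnUri : $($fed.PassiveLogOnUri)"
"ActiveLogOnUri  : $($fed.ActiveLogOnUri)"
"Signing cert set: $($fed.SigningCertificate -ne $null)"

# Step 5 (on the DirSync server, not here): Start-OnlineCoexistenceSync, so that
# the users with their UPNs and objectGUIDs exist in Office 365 before sign-in
# is tested.
```

Two things the slides leave implicit: -SupportMultipleDomain needs the issuerid claim rule, which depends on Update Rollup 1 for AD FS 2.0 (its "multiple issuer support"), and a user whose UPN suffix is not the federated domain will not be routed to ADFS at all, so the UPN check belongs in the DirSync preparation rather than in the federation cmdlets.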
login sequence
[diagram: a client in sharepointlabs.nl, with AD and ADFS 2.0 on-premises, signs in to SharePoint Online and Exchange Online in the cloud via the Sign-In Service; the messages shown are 404 - Authenticate, 302 - Redirect, a SAML logon token issued by ADFS 2.0 (UPN: [email protected], Source ID: ABC123) and the authentication token the Sign-In Service returns for it (UPN: [email protected], Source ID: 1234567)]
Scenarios
Domain-joined computer in the corporate network: the ADFS server can use Windows Integrated AuthN
Domain-joined computer, roaming: publish the ADFS server (ADFS proxy)
Home or public computer: the user signs in with corporate credentials
Smartphone: uses the EAS endpoint (see endpoints above)
Microsoft Outlook or other e-mail clients: use the EAS endpoint (see endpoints above)

trouble shooting
Troubleshooting tools
MOSDAL (Microsoft Online Services Diagnostics and Logging) Support Toolkit
www.testexchangeconnectivity.com
Fiddler
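Before reaching for MOSDAL or Fiddler, the first thing to check on a federated domain that stopped signing in is whether Office 365 still trusts the certificate ADFS signs tokens with. The following is an added example (not from the deck or from Microsoft) that fetches the ADFS 2.0 federation metadata, reads the token-signing certificate(s) it publishes and compares them with what Office 365 holds for the domain. It assumes the MSOnline module with an existing Connect-MsolService session, adfs.contoso.com as the federation service and contoso.com as the federated domain; the metadata path is the standard ADFS 2.0 one.

```powershell
# Added example, not from the slide deck: a first troubleshooting check for a
# federated domain. Fetches the ADFS 2.0 federation metadata that Office 365
# and partners depend on, reads the token-signing certificate(s) published in
# it and compares them with the certificate Office 365 currently trusts for the
# domain. A mismatch (typically after a token-signing certificate rollover)
# makes every sign-in fail even though ADFS itself is healthy.
# Assumptions: MSOnline module installed and Connect-MsolService already done;
# federation service adfs.contoso.com; federated domain contoso.com.
$Domain      = "contoso.com"
$AdfsFqdn    = "adfs.contoso.com"
$MetadataUrl = "https://$AdfsFqdn/FederationMetadata/2007-06/FederationMetadata.xml"

function Get-CertThumbprint([string]$Base64) {
    $raw  = [Convert]::FromBase64String($Base64)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)
    return $cert.Thumbprint
}

# 1. The metadata must be reachable over HTTPS from where the check runs
#    (from the internet it is served through the ADFS proxies).
$wc = New-Object System.Net.WebClient
try   { [xml]$md = $wc.DownloadString($MetadataUrl) }
catch { throw "Cannot fetch $MetadataUrl : $($_.Exception.Message)" }
"Metadata entityID              : $($md.EntityDescriptor.entityID)"

# 2. Collect every signing certificate the metadata publishes. During a
#    rollover ADFS publishes both the primary and the secondary certificate.
$published = @{}
foreach ($kd in $md.SelectNodes("//*[local-name()='KeyDescriptor'][@use='signing']")) {
    $b64 = $kd.SelectSingleNode(".//*[local-name()='X509Certificate']").InnerText -replace '\s', ''
    $published[(Get-CertThumbprint $b64)] = $true
}
"Signing certs published by ADFS: " + ($published.Keys -join ", ")

# 3. The certificate and issuer Office 365 holds for the domain right now.
$fed  = Get-MsolDomainFederationSettings -DomainName $Domain
$o365 = Get-CertThumbprint $fed.SigningCertificate
"Signing cert trusted by O365   : $o365"
"IssuerUri held by O365         : $($fed.IssuerUri)"
"PassiveLogOnUri held by O365   : $($fed.PassiveLogOnUri)"

# 4. Verdict.
if ($published.ContainsKey($o365)) {
    "OK: Office 365 trusts a certificate that ADFS currently publishes."
} else {
    $msg = ("Office 365 trusts thumbprint {0}, which ADFS no longer publishes; tokens will be " +
            "rejected. Run Update-MsolFederatedDomain -DomainName {1} to push the current certificate.") -f $o365, $Domain
    Write-Warning $msg
}
```

The IssuerUri printed by Office 365 equals the metadata entityID for a domain federated without -SupportMultipleDomain; with it, the IssuerUri is http://<domain>/adfs/services/trust/ as the issuerid claim rule produces it, and the two are expected to differ. If the metadata fetch fails from outside the network while it works internally, the ADFS proxies are the next thing to look at, and that is where www.testexchangeconnectivity.com and Fiddler earn their place.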
adfs: Update Rollup 1 for Active Directory Federation Services (AD FS) 2.0 (KB 2607496)
Multiple Issuer Support (what -SupportMultipleDomain and the issuerid claim rule rely on)
Client Access Policy Support
Congestion Avoidance Algorithm
Additional AD FS 2.0 performance counters

additional reading / more info
Web Services Federation Language (WS-Federation) Version 1.2: http://docs.oasis-open.org/wsfed/federation/v1.2/wsfederation.pdf
WS-Trust Version 1.3: http://docs.oasis-open.org/ws-sx/ws-trust/200512/ws-trust1.3-os.pdf
Security Assertion Markup Language (SAML) 2.0: http://go.microsoft.com/fwlink/?LinkId=193996
Microsoft AD FS 2.0 Release to Web (RTW) download: http://www.microsoft.com/downloads/details.aspx?FamilyID=118c3588-9070-426a-b655-6cec0a92c10b
Identity federation definition from Wikipedia: http://en.wikipedia.org/wiki/Federated_identity
Microsoft Office 365 Single Sign-On (SSO) with AD FS 2.0: http://tinyurl.com/6pbrkop