Office 365: Understanding Identities and Single Sign On

Scenario covered in this presentation

Types of Identities
Usage Scenarios
User Sign-On Experience
Types of Domains
• Purpose
• Requirements
• Installation and Configuration

Cloud Identity
• Separate credential from on-premises credential
• Authentication occurs via cloud directory service
• Does not require on-premises server deployment
Scenario: Smaller organizations with or without on-premises Active Directory
Benefits:
• Does not require on-premises server deployment
Limitations:
• No Single Sign-On
• No 2 Factor Authentication options (*)
• Two sets of credentials to manage
• Different password policies

Cloud Identity + DirSync
Scenario: Medium to Large organizations with Active Directory on-premises
Benefits:
• “Source of Authority” is on-premises
Limitations:
• No Single Sign-On
• No 2 Factor Authentication options (*)
• Requires on-premises DirSync server deployment (**)

Federated Identity
• Same credential as on-premises credential
• Authentication occurs via on-premises directory service
• Requires on-premises DirSync server
• Requires on-premises AD FS server(s)
Scenario: Large enterprise organizations with Active Directory on-premises
Benefits:
• Single Sign-On experience
• Enables coexistence
• “Source of Authority” is on-premises
• 2 Factor Authentication options
Limitations:
• Requires on-premises AD FS server deployment in high availability scenario
• Requires on-premises DirSync server deployment
User Sign-On Experience

| Client | Cloud Identity | Federated Identity (domain joined computer) | Federated Identity (non-domain joined computer) |
|---|---|---|---|
| Outlook (PC and Mac) | Sign in each session | Sign in each session | Sign in each session |
| Exchange ActiveSync | Sign in each session | Sign in each session | Sign in each session |
| POP, IMAP | Sign in each session | Sign in each session | Sign in each session |
| Web Experiences: Office 365 Portal / Outlook Web App / SharePoint Online / Office Web Apps | Sign in each browser session | No prompt | Sign in each browser session |
| Office using SharePoint Online | Sign in each SharePoint Online session | Sign in each SharePoint Online session | Sign in each SharePoint Online session |
| Lync Client | Sign in each session | No prompt | Sign in each session |

• Office 365 Admin Center
• Active Directory tools
• Exchange management tools
• Identity management solutions
• Windows Azure AD PowerShell
• Remote PowerShell

http://technet.microsoft.com/en-us/library/hh237448(WS.10).aspx
http://technet.microsoft.com/en-us/library/dn151310.aspx
http://support.microsoft.com/kb/2790338
http://go.microsoft.com/fwlink/?LinkId=286152

[Diagram: setting up the federation trust. Office 365 Identity Services (Authentication platform, Provisioning Service, Directory Store) on one side; On-Premises Active Directory Federation Server 2.0/2.1 on the other. Steps shown: Add Domain and Verify-Domain with the MSOL PowerShell Module (a TXT/MX record is required); Add Trust from the Admin Portal/PowerShell, with Claim Rules and User Source ID = AD ObjectGUID; Update (Active/Mex/Passive endpoints, token certs Current/Next, brand URI etc.).]

[Diagram: client authentication paths across the Corporate Boundary. Internal clients (Web/OWA, Lync client / Office Subscription, Outlook, IMAP/POP, Active Sync) authenticate through the AD FS Server; external clients through the AD FS Proxy. AD FS endpoints shown: MEX, Web, Active. Outlook, IMAP/POP and Active Sync send Username/Password to Exchange Online, which presents them to AD FS on the Active endpoint (basic auth). Annotation: "Basic auth proposal: Pass client IP, protocol, device name".]

[Diagram, three variants of the federated logon flow: Client (joined to CorpNet) to Lync Online via the AD FS Server; Client to Exchange Online via the AD FS Proxy, with Basic Auth Credentials (Username/Password) forwarded; Client to Exchange Online or SharePoint Online via the AD FS Server. In each variant, on-premises Active Directory / AD FS issues a Logon (SAML 1.1) Token carrying UPN: [email protected] and Source User ID: ABC123; the Office 365 Authentication platform exchanges it for an Auth Token carrying UPN: [email protected] and Unique ID: 254729, which the client presents to the service.]
http://gallery.technet.microsoft.com/scriptcenter/ClientAccess-Policy-30be8ae2
[Diagram: AD FS deployment topology. Internal Network: Active Directory and AD FS servers behind a load balancer, serving Passive Federation (Passive Profile). Perimeter Network: AD FS Proxy servers behind a load balancer, serving Basic Authentication (Active Profile).]
| Number of users | Minimum number of servers |
|---|---|
| Fewer than 1,000 users | Implement fault-tolerance but no need for dedicated federation servers |
| 1,000 to 15,000 users | 2 dedicated federation servers; 2 dedicated federation server proxies |
| 15,000 to 60,000 users | Between 3 and 5 dedicated federation servers; at least 2 dedicated federation server proxies |