Identity Management Overview

Agenda:
• Identity Management Overview
• Recently Announced…
• Identity Integration Options

Authentication: Verifying that a user, device, or service such as an application provided on a network server is the entity that it claims to be.
Authorization: Determining which actions an authenticated entity is authorized to perform on the network.

Account types:
• Microsoft Account (Ex: [email protected]) – User
• Organizational Account (Ex: [email protected]) – User, backed by Windows Azure Active Directory

Windows Azure Active Directory is the underlying identity platform for the various cloud services that use Organizational Accounts. It provides the authentication platform and the directory store on which your app builds.

Identity integration options:
• Cloud Identity: a single identity in the cloud. Suitable for small organizations with no integration to on-premises directories.
• Directory Synchronization: a single identity. Suitable for medium and large organizations without federation.
• Federated Identity: a single federated identity and credentials. Suitable for medium and large organizations.

Windows Azure Active Directory Sync Tool Update (password sync):
• The tool is downloaded from the Office 365 admin portal.
• Synchronizes user passwords from on-premises AD to Azure AD (Office 365).
• Only a one-way hash of the password is synchronized to WAAD, so the original password cannot be reconstructed from it.
• Respects on-premises password policies.
• Can't sync passwords for federated users (those authenticated by a federation server such as a SAML2 identity provider), but the two can co-exist.
• More details on TechNet: http://aka.ms/sync

Directory Sync Tool (Password Sync) or Active Directory Federation Services (SSO with AD FS):

Feature                                        | Password Sync | SSO with AD FS
Same password to access resources              | Yes           | Yes
Can control password policies on-premises      | Yes           | Yes
Support for two-factor authentication *        | Yes           | Yes
No password re-entry if on-premises            |               | Yes
Client access filtering                        |               | Yes
Authentication occurs in on-premises directory |               | Yes

* Azure AD offers some basic 2FA features that are available with an ADFS deployment on-premises. ADFS can support a larger set of 2FA/strong authentication options.
Demo

Active Authentication: Why Multi-Factor
• Enterprise authentication using any phone
• Architecture
• Demo

Windows Azure Active Directory Provisioning Updates (Graph API)
• REST API for programmatic access to data in Azure AD
• Can build multi-tenant applications, or custom LOB apps
• Can be used for multi-forest synchronization and non-AD sources
• Public beta starts on Connect later in June

Identity integration options (comparison):

Option         | Org size | Control of attributes in directory              | Source of authority | Hardware requirements                                   | Login experience
Cloud Identity | Small    | Least control                                   | Cloud               | No on-premises hardware required                        | Disjoint username and password for on-premises and cloud; enter credentials twice
Directory Sync | All      | Full control via on-premises directory          | On-premises         | Windows Server OS for DirSync appliance                 | Disjoint username and password for on-premises and cloud; enter credentials twice
Password Sync  | All      | Full control via on-premises directory          | On-premises         | Windows Server OS for DirSync appliance                 | Same username and password for on-premises and cloud; enter credentials twice
Graph API      | Large    | Can control core attributes and select optional | Cloud               | Machine to run PowerShell jobs on                       | Disjoint username and password for on-premises and cloud; enter credentials twice
FIM            | Large    | Can control core attributes and select optional | On-premises         | Forefront Identity Manager with Office 365 Connector    | Disjoint username and password for on-premises and cloud; enter credentials twice
Single Sign-On | Large    | Full control via on-premises directory          | On-premises         | DirSync appliance plus ADFS (or other STS) deployment   | Same username and password for on-premises and cloud; login once if on-premises

Cloud Identity
• Windows Azure Active Directory: rich experience with Office apps
• Ease of deployment, management and support
• Lower cost, as no additional servers are required
• High availability and reliability, as all identities and services are managed in the cloud
Diagram: Cloud Identity (Ex: [email protected]) – User; On-Premises

Directory Synchronization
• Windows Azure Active Directory: rich experience with Office apps
• Directory synchronization between on-premises and online
• Identities are created and managed on-premises and synchronized to the cloud
• Single identity and credentials, but no single sign-on for on-premises and Office 365 services
• Reuse the existing directory implementation (on-premises AD)
Diagram: Cloud Identity (Ex: [email protected]); On-Premises Identity (Ex: Domain\Alice) – User

Password Synchronization
• Windows Azure Active Directory: rich experience with Office apps
• Directory synchronization with a one-way password hash
• Directory synchronization between on-premises and online
• Identities are created and managed on-premises and synchronized to the cloud
• Single identity and password credentials, but no single sign-on for on-premises and Office 365 services
• Reuse the existing directory implementation (on-premises AD)
Diagram: Cloud Identity (Ex: [email protected]); On-Premises Identity (Ex: Domain\Alice) – User

Scoping and Filtering for Synchronization
• AD domain-based
• Organizational Unit-based
• User attribute-based

Multi-forest AD support
• Multi-forest AD support is available through Microsoft-led deployments
• The multi-forest DirSync appliance supports multiple disjoint account forests, using ADFS for federation
• The FIM 2010 Office 365 Connector supports complex multi-forest topologies
Diagram: Windows Azure Active Directory; Multi-forest DirSync; Federation; FIM; AD, AD, AD; On-Premises Identity (Ex: Domain\Alice) – User

Multi-forest decision flowchart
Start → Number of Active Directory forests?
• Single (1) → Use Single Forest DirSync
• Multiple (>1) → Number of Exchange orgs?
  • None (0) → "Disjoint" account forests? Yes → Use Multi Forest DirSync; No → Use Office 365 Connector
  • Single (1) → "Disjoint" account forests and Exchange org accessed by accounts in the same forest? Yes → Use Multi Forest DirSync; No → Use Office 365 Connector
  • Multiple (>1) → Want to consolidate to a single forest? Yes → Need on-premises org consolidation (see consolidation whitepaper); after consolidation, return to Start. No → Use Office 365 Connector

Tooling: PowerShell / Graph REST API; Office 365 Connector for Forefront Identity Manager

Federated Identity
• Single identity and sign-on for on-premises and Office 365 services
• Identities mastered on-premises with a single point of management
• Directory synchronization to synchronize directory objects into Office 365
• Secure token-based authentication
• Client access control based on IP address with ADFS
• Strong-factor authentication options for additional security with ADFS
Diagram: Windows Azure Active Directory; Federation; Directory Synchronization; AD or Non-AD; On-Premises Identity (Ex: Domain\Alice) – User

Federation options:

Aspect        | Active Directory with AD FS (works with AD)          | 'Works with Office 365 – Identity' providers (works with AD & Non-AD)                          | Shibboleth (SAML)
Suitability   | Medium and large enterprises, including educational organizations | Medium and large enterprises, including educational organizations                  | Educational organizations
Recommended   | Recommended option for Active Directory (AD) based customers | Recommended where customers may use existing non-ADFS identity systems with AD or Non-AD | Recommended where customers may use existing non-ADFS identity systems
Sign-on       | Single sign-on                                        | Single sign-on                                                                                 | Single sign-on
Authentication| Secure token-based authentication                     | Secure token-based authentication                                                              | Secure token-based authentication
Clients       | Support for web and rich clients                      | Support for web and rich clients                                                               | Support for web clients and Outlook (ECP) only
Support       | Microsoft supported                                   | Third-party supported; verified through the 'Works with Office 365' program                   | Microsoft supported for integration only, no Shibboleth deployment support
Hybrid        | Works for Office 365 hybrid scenarios                 | Works for Office 365 hybrid scenarios                                                          | Works for Office 365 hybrid scenarios
Requirements  | Requires on-premises servers, licenses and support    | Requires on-premises servers, licenses and support; works with AD and other directories on-premises | Requires on-premises servers and support

'Works with Office 365 – Identity' program
• Program for third-party on-premises identity providers to interoperate with Office 365
• Objective is to help customers that currently use non-Microsoft identity solutions to adopt Office 365
• Reuse investments; qualified by Microsoft; built on WS-Trust and WS-Federation; on-premises Security Token Services
• On TechNet: http://aka.ms/SSOProviders

Active Directory with ADFS
Diagram: protocols WS-Federation and SAML-P

Client access control
• Part of ADFS
• Limit access to Office 365 based on network connectivity (internet versus intranet)

WAAD identity with other cloud services
• Identity managed in Windows Azure AD
• Single sign-on for Office 365 and other cloud services, federated with a single cloud identity
• ISV applications or SaaS providers can integrate using APIs on Windows Azure AD
Diagram: Cloud Identity (Ex: [email protected]) – User

Resources
• https://twitter.com/Office365
• http://www.linkedin.com/groups/Microsoft-Office-365-3724282
• www.microsoft.com/garage
• http://fasttrack.office.com/
• http://channel9.msdn.com/Events/TechEd
• www.microsoft.com/learning
• http://microsoft.com/technet
• http://microsoft.com/msdn
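The "Scoping and Filtering for Synchronization" slide lists three ways to limit which on-premises objects a DirSync deployment pushes to the cloud: by AD domain, by Organizational Unit, and by user attribute. The following Python is an added example, not code from the deck or from the DirSync tool, that applies those three filter kinds to constructed AD user records so the effect of each rule on the synchronized set is visible; the sample accounts, the employeeType values and the filter parameter names are assumptions.

```python
# Added example (not DirSync's own code): apply the deck's three scoping rules -
# AD domain-based, OU-based and user-attribute-based - to constructed AD records.
from dataclasses import dataclass, field


@dataclass
class AdUser:
    dn: str          # distinguishedName, e.g. CN=Alice,OU=Staff,DC=corp,DC=example
    upn: str         # userPrincipalName that becomes the cloud identity
    attrs: dict = field(default_factory=dict)


def rdns(dn):
    """Split a DN into (type, value) pairs. Simplified: escaped commas are not handled."""
    return [tuple(part.strip().split("=", 1)) for part in dn.split(",")]


def domain_of(dn):
    """Join the DC components of the DN into a DNS-style domain name."""
    return ".".join(v for k, v in rdns(dn) if k.upper() == "DC")


def ous_of(dn):
    """All OU components of the DN, nearest to the object first."""
    return [v for k, v in rdns(dn) if k.upper() == "OU"]


def in_scope(user, domains, ous=(), required_attrs=None):
    """Domain filter always applies; OU and attribute filters only when given."""
    if domain_of(user.dn) not in domains:
        return False
    if ous and not any(ou in ous for ou in ous_of(user.dn)):
        return False
    for name, value in (required_attrs or {}).items():
        if user.attrs.get(name) != value:
            return False
    return True


def select_for_sync(users, domains, ous=(), required_attrs=None):
    """UPNs that would be synchronized to the cloud under the given scoping rules."""
    return [u.upn for u in users if in_scope(u, domains, ous, required_attrs)]


# Constructed sample directory (hypothetical accounts and attribute values).
SAMPLE_USERS = [
    AdUser("CN=Alice,OU=Staff,DC=corp,DC=example", "alice@corp.example", {"employeeType": "FTE"}),
    AdUser("CN=Bob,OU=Contractors,DC=corp,DC=example", "bob@corp.example", {"employeeType": "Contractor"}),
    AdUser("CN=Carol,OU=Staff,DC=lab,DC=example", "carol@lab.example", {"employeeType": "FTE"}),
    AdUser("CN=svc-backup,OU=ServiceAccounts,DC=corp,DC=example", "svc-backup@corp.example", {"employeeType": "Service"}),
]

if __name__ == "__main__":
    print(select_for_sync(SAMPLE_USERS, {"corp.example"}))                  # domain-based only
    print(select_for_sync(SAMPLE_USERS, {"corp.example"}, ous=("Staff",)))  # domain + OU
```

Tightening the scope (for example excluding the ServiceAccounts OU) keeps accounts that have no business in the cloud out of the synchronized set, which is the defensive reason for filtering before synchronization.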