Paul Andrew Identity Management Overview Recently Announced… Identity Integration Options Verifying that a user, device, or service such as an application provided on a network server is the entity.
Paul Andrew, Identity Management Overview

Agenda
- Recently Announced…
- Identity Integration Options

Definitions
- Authentication: verifying that a user, device, or service (such as an application provided on a network server) is the entity that it claims to be.
- Authorization: determining which actions an authenticated entity is authorized to perform on the network.
- Federated single sign-on (SSO): the ability for two disjoint Identity Providers (IDPs) to trust each other, such that a user logged into one does not need to log in again for the second. YAUP is what you get if you don't have SSO.
- Relying Party (RP): the system that relies on the Identity Provider to authenticate a user.
- SAML: a public standard managed by OASIS. SAML is both the identity token format and the protocol. SAML 2.0 is built on SAML 1.1, ID-FF and Shibboleth.
- WS-Federation: used for web browser based authentication with an IDP.
- WS-Trust: used by Office rich client apps to authenticate.

Account types
- Microsoft Account (e.g. [email protected]): the user authenticates against the Microsoft Account service.
- Organizational Account (e.g. [email protected]): the user authenticates against Windows Azure Active Directory.
Windows Azure Active Directory is the authentication platform and directory store that your app builds on.

Identity integration options
- Cloud Identity: a single identity in the cloud. Suitable for small organizations with no integration to on-premises directories.
- Directory Synchronization: a single identity, suitable for medium and large organizations without federation.
- Federated Identity: a single federated identity and credentials, suitable for medium and large organizations (SAML2 Identity Provider).
More details on TechNet: http://aka.ms/sync

Password Sync vs. SSO with AD FS
Password Sync:
- Same password to access resources
- Can control password policies on-premises
- Support for two factor authentication*
SSO with AD FS:
- No password re-entry if on-premises
- Client access filtering by IP or by time schedule
- Authentication occurs on-premises
- Can immediately block disabled accounts
- Change password available from web
- Works with Forefront Identity Manager
* Azure AD offers some 2FA features; the full set is available with an AD FS deployment on-premises.
Multi-factor authentication (Active Authentication)
Your data and applications are under attack:
- Passwords are easily compromised.
- Consumerization of IT has only increased the scope of vulnerability.
- Strengthening regulatory requirements call for strongly authenticating access.
How it works:
1. Users sign in from any device using their existing username/password. Credentials are checked in Windows Azure AD, then Active Authentication is triggered for additional verification.
2. Users must also authenticate using their phone or mobile device before access is granted.

Azure Active Directory Graph API
- REST API for programmatic access to data in Azure AD.
- Can be used to build multi-tenant applications or custom LOB apps.

Azure Active Directory Connector for FIM 2010 R2
- Can be used for multi-forest synchronization and non-AD sources.
- Public beta starts on Connect soon.

Comparison of integration options

| | Cloud Identity | Directory Sync | Password Sync | Graph API | FIM | Single Sign-On |
|---|---|---|---|---|---|---|
| Org size | Small | All | All | Large | Large | Large |
| Control of attributes in directory | Least control | Full control via on-premises directory | Full control via on-premises directory | Can control core attributes and select optional | Can control core attributes and select optional | Full control via on-premises directory |
| Source of authority | Cloud | On-premises | On-premises | Cloud | On-premises | On-premises |
| Hardware requirements | No on-premises hardware required | Windows Server OS for DirSync appliance | Windows Server OS for DirSync appliance | Machine to run PowerShell jobs on | Forefront Identity Manager with Office 365 Connector | DirSync appliance plus AD FS (or other STS) deployment |
| Login experience | Disjoint username/password for on-premises and cloud; enter credentials twice | Disjoint username/password for on-premises and cloud; enter credentials twice | Same username/password for on-premises and cloud; enter credentials twice | Disjoint username/password for on-premises and cloud; enter credentials twice | Disjoint username/password for on-premises and cloud; enter credentials twice | Same username/password for on-premises and cloud; log in once if on-premises Windows |
Cloud Identity
- Windows Azure Active Directory holds the cloud identity (e.g. [email protected]) and the user authenticates directly against it.

Directory Synchronization
- The on-premises AD identity (e.g. Domain\Alice) is synchronized to a cloud identity (e.g. [email protected]) in Windows Azure Active Directory.

Directory Synchronization with one-way Password Hash
- As above, but the password hash is also synchronized one-way from AD to Windows Azure Active Directory, so the same password is used for the cloud identity.

Scoping the synchronization
Customers can exclude objects from synchronizing to Office 365. Scoping can be done at the following levels:
- AD domain-based
- Organizational Unit-based
- User attribute-based
Additional filtering capabilities will become available with the O365 Connector. Preventing the synchronization of specific attributes is not supported.

Federation using AD FS
- The on-premises identity (e.g. Domain\Alice) lives in one or more AD forests; DirSync (or DirSync on FIM) synchronizes it to Windows Azure Active Directory and AD FS provides the federated authentication.

Multi-forest decision flowchart
The flowchart walks through these decision points:
- Number of Active Directory forests: single (1) or multiple (>1).
- Whether you want to consolidate to a single forest (if you need on-premises org consolidation, see the consolidation whitepaper and revisit the flowchart after consolidation).
- Number of Exchange orgs: none (0), single (1) or multiple (>1).
- Whether the account forests are "disjoint", and whether the Exchange org is accessed by accounts in the same forest.
The outcomes are: Use Single Forest DirSync, Use Multi Forest DirSync, or Use Office 365 Connector.

Provisioning options
PowerShell and Graph API provisioning:
- Suitable for small/medium size organizations with AD or non-AD.
- Performance limitations apply with PowerShell and Graph API provisioning.
- PowerShell requires scripting experience.
- The PowerShell option can be used where the customer/partner may have wrappers around PowerShell scripts (e.g. self-service provisioning).
FIM with the Office 365 Connector:
- Suitable for large organizations with certain AD and non-AD scenarios.
- Complex multi-forest AD scenarios.
- Non-AD synchronization through Microsoft premier deployment support.
- Requires Forefront Identity Manager and additional software licenses.

Federation options
Federation plus Directory Synchronization from an AD or non-AD on-premises identity (e.g. Domain\Alice) to Windows Azure Active Directory.

Active Directory with AD FS
- Works with AD.
- Suitable for medium and large enterprises, including educational organizations.
- Recommended option for Active Directory (AD) based customers.
- Single sign-on; secure token based authentication.
- Support for web and rich clients.
- Microsoft supported.
- Works for Office 365 hybrid scenarios.
- Requires on-premises servers, licenses & support.

"Works with Office 365 - Identity" third-party providers
- Works with AD & non-AD.
- Suitable for medium and large enterprises, including educational organizations.
- Recommended where customers may use existing non-AD FS identity systems with AD or non-AD.
- Single sign-on; secure token based authentication.
- Support for web and rich clients.
- Third-party supported; verified through the "works with Office 365" program and qualified by Microsoft.
- Works for Office 365 hybrid scenarios.
- Requires on-premises servers, licenses & support.
- Works with AD and other directories on-premises; reuse existing investments.

Shibboleth (SAML)
- Suitable for educational organizations.
- Recommended where customers may use existing non-AD FS identity systems.
- Single sign-on; secure token based authentication.
- Support for web clients and Outlook (ECP) only.
- Microsoft supported for integration only; no Shibboleth deployment support.
- Works for Office 365 hybrid scenarios.
- Requires on-premises servers & support.

Protocols: WS-Trust & WS-Federation (Active Directory with AD FS); WS-Federation; SAML-P.
Qualified providers: http://aka.ms/SSOProviders and http://bit.ly/17D5Dq0

Client access filtering with AD FS
- Block all external access to Office 365 based on the IP address of the external client.
- Block all external access to Office 365 except Exchange ActiveSync; all other clients, such as Outlook, are blocked.
- Block all external access to Office 365 except for passive, browser-based applications such as Outlook Web Access or SharePoint Online.

Your app and ISVs
- Windows Azure Active Directory cloud identities (e.g. [email protected]) can be used by ISV apps, SaaS providers or your own app.

Resources
- http://channel9.msdn.com/Events/TechEd/Australia/2013
- http://www.microsoftvirtualacademy.com/
- http://technet.microsoft.com/en-au/
- http://msdn.microsoft.com/en-au/
Keep up to date with all the latest Office 365 information at:
- http://ignite.office.com
- http://fastTrack.office.com
- http://office.microsoft.com
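The DirSync scoping levels described above (AD domain, Organizational Unit and user attribute) expressed as object-level filters over a few constructed directory entries. This is an added illustration, not DirSync's own code; the DN layout, the extensionAttribute1 values and the scope settings are assumptions.

```python
# Added illustration of DirSync-style scoping (not DirSync's own code).
# Objects are included or excluded whole: attribute-level exclusion is not
# supported, so an in-scope object always synchronizes with all its attributes.

# Constructed sample directory entries (assumed layout and attribute names).
DIRECTORY = [
    {"dn": "CN=Alice,OU=Sales,DC=contoso,DC=com",
     "mail": "alice@contoso.com", "extensionAttribute1": "Sync"},
    {"dn": "CN=Bob,OU=Contractors,OU=Sales,DC=contoso,DC=com",
     "mail": "bob@contoso.com", "extensionAttribute1": "NoSync"},
    {"dn": "CN=Carol,OU=Engineering,DC=contoso,DC=com",
     "mail": "carol@contoso.com", "extensionAttribute1": "Sync"},
    {"dn": "CN=svc-backup,OU=Engineering,DC=fabrikam,DC=net",
     "mail": "backup@fabrikam.net", "extensionAttribute1": "Sync"},
]

def parse_dn(dn):
    """Split a simple DN into (domain, [ou, ...]); escaped commas are not handled."""
    parts = [p.split("=", 1) for p in dn.split(",")]
    domain = ".".join(v for k, v in parts if k.strip().upper() == "DC")
    ous = [v for k, v in parts if k.strip().upper() == "OU"]
    return domain, ous

def in_scope(obj, scope):
    """Apply the three scoping levels in turn; every configured level must pass."""
    domain, ous = parse_dn(obj["dn"])
    # Domain-based: only objects from the listed AD domains synchronize.
    if scope.get("domains") and domain not in scope["domains"]:
        return False
    # OU-based: the object must sit in (or under) one of the listed OUs.
    if scope.get("ous") and not any(ou in ous for ou in scope["ous"]):
        return False
    # User attribute-based: a (name, value) pair the object must carry.
    attr = scope.get("attribute")
    if attr and obj.get(attr[0]) != attr[1]:
        return False
    return True

def objects_to_sync(directory, scope):
    """Return the whole objects that will synchronize (every attribute included)."""
    return [o for o in directory if in_scope(o, scope)]

def sync_names(directory, scope):
    """Convenience: just the CN values of the objects that will synchronize."""
    return [o["dn"].split(",")[0][3:] for o in objects_to_sync(directory, scope)]
```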
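The three AD FS client access filtering scenarios above, plus the time-schedule variant listed under SSO with AD FS, as a small policy evaluator over constructed requests. This is an added example written for this page, not AD FS's own rule language; the internal network ranges, the application names and the business-hours window are all assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Added illustration of AD FS-style client access filtering (not AD FS's own rules).
# Constructed assumption: corporate (internal) address ranges that are never filtered.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
BUSINESS_HOURS = range(8, 18)  # assumed time-schedule window: 08:00 to 17:59

@dataclass
class Request:
    client_ip: str
    application: str   # e.g. "Outlook", "ActiveSync", "OWA", "SharePoint"
    passive: bool      # True for browser (passive) endpoints, False for rich clients
    hour: int          # local hour of the request, used by the time-schedule scenario

def is_external(ip):
    """A client is external when its address is outside every internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def evaluate(req, scenario):
    """Return 'allow' or 'block'. Internal clients are never restricted."""
    if not is_external(req.client_ip):
        return "allow"
    if scenario == "block-external":            # all external access blocked by client IP
        return "block"
    if scenario == "external-eas-only":         # only Exchange ActiveSync from outside
        return "allow" if req.application == "ActiveSync" else "block"
    if scenario == "external-passive-only":     # only browser apps (OWA, SharePoint) from outside
        return "allow" if req.passive else "block"
    if scenario == "external-business-hours":   # time-schedule variant
        return "allow" if req.hour in BUSINESS_HOURS else "block"
    raise ValueError(f"unknown scenario: {scenario}")

def audit(requests, scenario):
    """Map each request to its decision so a policy change can be reviewed before rollout."""
    return {f"{r.application}@{r.client_ip}": evaluate(r, scenario) for r in requests}
```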