Office 365 Identity
June 2013

Agenda
1. Identity management overview
2. Core identity scenarios
3. Deep dive on federation and synchronization
4. Additional features
Identity management overview

What is identity management?
Identity management deals with identifying individuals in a system and controlling access to the resources in that system.

Integral components of identity and access management:
• Authentication: verifying that a user, device, or service (such as an application provided on a network server) is the entity that it claims to be.
• Authorization: determining which actions an authenticated entity is authorized to perform on the network.
Identities for Microsoft Cloud Services
• Microsoft Account, e.g. alice@outlook.com
• Organizational Account, e.g. alice@contoso.com

Common identity platform for Organizational Accounts: Windows Azure Active Directory (directory store plus authentication platform). Windows Azure Active Directory is the underlying identity platform for the various cloud services that use Organizational Accounts.
Core identity scenarios

Cloud Identity
(Diagram: users are created directly in Windows Azure Active Directory from a spreadsheet / CSV import. Windows Azure Active Directory performs authentication and authorization and exposes OAuth2, SAML-P, WS-Federation, Metadata and the Graph API to services such as the Office Activation Service, the Office 365 Admin Portal and Exchange Mailbox Access.)
Directory & Password Sync
(Diagram: on-premises Active Directory is synchronized to Windows Azure Active Directory by DirSync; authentication and authorization, the protocol endpoints (OAuth2, SAML-P, WS-Federation, Metadata, Graph API) and the consuming services (Office Activation Service, Office 365 Admin Portal, Exchange Mailbox Access, ...) are as in the Cloud Identity scenario.)
Directory Synchronization Options

PowerShell & Graph API
• Suitable for small/medium size organizations with AD or non-AD
• Performance limitations apply with PowerShell and Graph API provisioning
• PowerShell requires scripting experience
• The PowerShell option can be used where the customer/partner may have wrappers around PowerShell scripts (e.g. self-service provisioning)

DirSync
• Suitable for organizations using Active Directory (AD)
• Provides the best experience to most customers using AD
• Supports Exchange co-existence scenarios
• Coupled with ADFS, provides the best option for federation and synchronization
• Supports Password Synchronization with no additional cost
• Does not require any additional software licenses

Forefront Identity Manager (FIM)
• Suitable for large organizations with certain AD and non-AD scenarios
• Complex multi-forest AD scenarios
• Non-AD synchronization through Microsoft Premier deployment support
• Requires Forefront Identity Manager and additional software licenses
Federated Identity
(Diagram: on-premises Active Directory is synchronized to Windows Azure Active Directory by DirSync, and Active Directory Federation Services holds a one-way trust with Windows Azure Active Directory; the protocol endpoints (OAuth2, SAML-P, WS-Federation, Metadata, Graph API) and consuming services (Office Activation Service, Office 365 Admin Portal, Exchange Mailbox Access, ...) are as in the other scenarios.)
Core identity scenarios with Office 365
• Cloud Identity: no integration with on-premises directories
• Directory & Password Synchronization*: integration without federation*
• Federated Identity: single federated identity and credentials
* Password Synchronization may not be available at GA; the target is to update the service by 1H CY2013
Federation options

Shibboleth (SAML*)
• Suitable for educational organizations
• Recommended where customers may use existing non-ADFS identity systems
• Single sign-on
• Secure token-based authentication
• Support for web clients and Outlook only
• Microsoft supported for integration only, no Shibboleth deployment support
• Requires on-premises servers & support
• Works with AD and other directories on-premises
• Works with AD & non-AD

ADFS
• Suitable for medium and large enterprises, including educational organizations
• Recommended option for Active Directory (AD) based customers
• Single sign-on
• Secure token-based authentication
• Support for web and rich clients
• Microsoft supported
• PhoneFactor can be used for two-factor auth
• Works for Office 365 hybrid scenarios
• Requires on-premises servers, licenses & support
• Works with AD

Third-party identity providers ('Works with Office 365' program)
• Suitable for medium and large enterprises, including educational organizations
• Recommended where customers may use existing non-ADFS identity systems with AD or non-AD
• Single sign-on
• Secure token-based authentication
• Support for web and rich clients
• Third-party supported
• PhoneFactor can be used for two-factor auth
• Works for Office 365 hybrid scenarios
• Requires on-premises servers, licenses & support
• Verified through the 'Works with Office 365' program
• Works with AD & non-AD

* Broader SAML implementations will be supported in 1H CY2013
Federation with Identity Partners
(Diagram: Partner + Microsoft; Flexibility, Coordinated Support, Confidence, Verified by Microsoft, Reuse Investments)
'Works with Office 365': a program for third-party identity providers to interoperate with Office 365. The objective is to help customers that currently use non-Microsoft identity solutions to adopt Office 365.
Identity Roadmap
• Shibboleth (SAML) support: available now
• New 'Works with Office 365' partners: Ping, Optimal IDM, Okta, IBM available now; Novell, CA and Oracle in 1H CY2013
• DirSync for multi-forest AD: available now through MCS and partners
• Sync solution for non-AD using FIM: available now through MCS and partners
• Password Synchronization for AD: 1H CY2013
• Broader SAML support: 1H CY2013
Identity with other Cloud Services
(Diagram: a user's cloud identity, e.g. alice@contoso.com, held in Windows Azure Active Directory is used by both Office 365 and ISV apps or SaaS providers.)
• Identity managed in Windows Azure AD: single sign-on for Office 365 and other cloud services federated with a single cloud identity
• ISV applications or SaaS providers can integrate using APIs on Windows Azure AD
• Currently in Technical Preview
Deep dive

High-level architecture: cloud identity + directory synchronization; single sign-on + directory synchronization
(Diagram: on the Contoso customer premises, AD feeds MS Online Directory Sync, which provisions into the Microsoft Online Services provisioning platform and directory store used by Lync Online, SharePoint Online and Exchange Online and administered through the Admin Portal/PowerShell. For single sign-on, an on-premises Active Directory Federation Server 2.0 acts as IdP and holds a trust with the Microsoft Online authentication platform.)
Protocols
• Office 365 uses Web Services (WS-*)
• WS-Trust provides support for rich client authentication
• Identity federation supported only through ADFS 2.0
• Protocols supported: WS-* with SAML 1.1 tokens; SAML-P (SAML 2.0) platform support
• Strong authentication (2FA) solutions: web applications via the ADFS Proxy sign-in page or other proxies (UAG/TMG); rich clients dependent on configuration
Client Endpoints

Active Federation (MEX)
• Applies to rich clients supporting ADFS
• Used by Lync and the Office Subscription client
• Clients negotiate authentication directly with the on-premises ADFS server

Basic Authentication (Active Profile)
• Applies to clients authenticating with basic authentication
• Used by ActiveSync, Outlook 2007/2010, IMAP, POP, SMTP, and Exchange Web Services
• Clients send "basic authentication" credentials to Exchange Online via SSL; Exchange Online proxies the request to the on-premises ADFS server on behalf of the client

Passive Federation (Passive Profile)
• Applies to web browsers and documents opened via SharePoint Online
• Used by the Microsoft Online Portal, OWA, and SharePoint Portal
• Web clients (browsers) authenticate directly with the on-premises ADFS server
Understanding client authentication path
(Diagram: inside the corporate boundary, Lync 2010/Office Subscription clients use the MEX endpoint of the AD FS 2.0 Server and OWA (internal) uses its Web endpoint; outside the boundary, the same clients and OWA (external) reach the MEX and Web endpoints of the AD FS 2.0 Proxy. Outlook 2010/2007, IMAP/POP and ActiveSync clients, internal or external, send username/password to Exchange Online, which uses the Active endpoint on the client's behalf. Basic auth proposal: pass client IP, protocol and device name.)
Sign-on experience

Web Clients (Office with SharePoint Online, Outlook Web Application; "Remember me" = persisted cookie)
• Cloud Identity: username and password (Online ID)
• Federated Identities (domain joined): no prompt (AD credentials)
• Federated Identities (non-domain joined): username and password (AD credentials)

Exchange Clients (Outlook, ActiveSync/POP/IMAP, Entourage; can save credentials)
• Cloud Identity: username and password (Online ID)
• Federated Identities (domain joined): username and password (AD credentials)
• Federated Identities (non-domain joined): username and password (AD credentials)

Rich Applications (SIA) (Lync, Office Subscriptions, CRM rich client; can save credentials)
• Cloud Identity: username and password (Online ID)
• Federated Identities (domain joined): username (AD credentials)
• Federated Identities (non-domain joined): username and password (AD credentials)
Authentication flow (passive/web profile), identity federation
(Diagram: a client joined to CorpNet authenticates to the customer's AD FS 2.0 Server, backed by Active Directory, and receives a Logon (SAML 1.1) Token with UPN user@contoso.com and Source User ID ABC123; it presents that token to the Microsoft Online Services authentication platform, which issues an Auth Token with UPN user@contoso.com and Unique ID 254729 for Exchange Online or SharePoint Online.)

Authentication flow (MEX/rich client profile), identity federation
(Diagram: the same exchange as above for a rich client joined to CorpNet, with the Auth Token consumed by Lync Online.)

Active flow (Outlook/ActiveSync), always external, identity federation
(Diagram: the client sends Basic Auth credentials (username/password) to Exchange Online; the Microsoft Online Services authentication platform presents them to the customer's AD FS 2.0 Proxy, backed by Active Directory, receives the Logon (SAML 1.1) Token with UPN user@contoso.com and Source User ID ABC123, and issues the Auth Token with UPN user@contoso.com and Unique ID 254729.)
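The token hand-off in these three flows, as an added Python model (not Microsoft's code): a constructed, unsigned SAML 1.1 logon token carrying UPN user@contoso.com and Source User ID ABC123 is checked for audience and validity window, and the cloud side resolves Unique ID 254729 by Source User ID rather than by UPN, refusing a token whose issuer is not the IdP federated for the UPN's domain. The claim type namespaces and the urn:federation:MicrosoftOnline audience are the ones AD FS uses for Office 365; the directory contents, issuer URL and timestamps are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
MSOL_AUDIENCE = "urn:federation:MicrosoftOnline"  # audience of the Office 365 relying party
UPN_NS = "http://schemas.xmlsoap.org/claims"      # claim type namespaces AD FS uses for Office 365
IMMUTABLE_NS = "http://schemas.microsoft.com/LiveID/Federation/2008/05"
NOW = datetime(2013, 6, 1, 10, 30, tzinfo=timezone.utc)  # constructed "current time"
FEDERATED_DOMAINS = {"contoso.com": "http://adfs.contoso.com/adfs/services/trust"}  # constructed
CLOUD_USERS = {"ABC123": {"upn": "user@contoso.com", "unique_id": "254729"}}  # keyed by Source User ID
# Constructed, unsigned SAML 1.1 logon token in the shape AD FS issues to Office 365.
TOKEN = f"""<saml:Assertion xmlns:saml="{SAML1}" AssertionID="_1" MajorVersion="1" MinorVersion="1"
  Issuer="http://adfs.contoso.com/adfs/services/trust" IssueInstant="2013-06-01T10:00:00Z">
  <saml:Conditions NotBefore="2013-06-01T10:00:00Z" NotOnOrAfter="2013-06-01T11:00:00Z">
   <saml:AudienceRestrictionCondition><saml:Audience>{MSOL_AUDIENCE}</saml:Audience>
   </saml:AudienceRestrictionCondition></saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute AttributeName="UPN" AttributeNamespace="{UPN_NS}">
    <saml:AttributeValue>user@contoso.com</saml:AttributeValue></saml:Attribute>
   <saml:Attribute AttributeName="ImmutableID" AttributeNamespace="{IMMUTABLE_NS}">
    <saml:AttributeValue>ABC123</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>"""

def parse_logon_token(xml_text, now=NOW):
    """Check validity window and audience; return issuer, UPN and Source User ID."""
    root = ET.fromstring(xml_text)
    cond = root.find(f"{{{SAML1}}}Conditions")
    nb, na = (datetime.fromisoformat(cond.get(k).replace("Z", "+00:00"))
              for k in ("NotBefore", "NotOnOrAfter"))
    if not nb <= now < na:
        raise ValueError("token outside its validity window")
    if MSOL_AUDIENCE not in [a.text for a in root.iter(f"{{{SAML1}}}Audience")]:
        raise ValueError("token was not issued for Microsoft Online")
    claims = {(a.get("AttributeNamespace"), a.get("AttributeName")):
              a.find(f"{{{SAML1}}}AttributeValue").text for a in root.iter(f"{{{SAML1}}}Attribute")}
    return {"issuer": root.get("Issuer"), "upn": claims[(UPN_NS, "UPN")],
            "source_user_id": claims[(IMMUTABLE_NS, "ImmutableID")]}

def issue_auth_token(logon):
    """Cloud side: issuer must be the IdP federated for the UPN's domain; user is resolved by Source User ID, not UPN."""
    domain = logon["upn"].rsplit("@", 1)[1].lower()
    if FEDERATED_DOMAINS.get(domain) != logon["issuer"]:
        raise PermissionError("issuer is not the federated IdP for this domain")
    if logon["source_user_id"] not in CLOUD_USERS:
        raise PermissionError("no cloud user with this Source User ID")
    return dict(CLOUD_USERS[logon["source_user_id"]])

def authenticate(xml_text, now=NOW):
    # Whole hand-off; returns ('ok', auth token) or ('denied', reason).
    try:
        return "ok", issue_auth_token(parse_logon_token(xml_text, now))
    except (ValueError, PermissionError, KeyError) as exc:
        return "denied", str(exc)
```

Signature verification against the IdP's signing certificate, which a real relying party performs before any of these checks, is left out here.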
But wait, there's more!

User Soft Delete
• Simple list of deleted users that are restorable
• Easily restore previously deleted users
• Smart enough to handle conflicts during bulk restoration
• Handles the case where the user's domain is no longer available during restore
Shibboleth 2.x with Office 365
* This means that only the Shibboleth implementation of SAML is supported, not any SAML implementation

What is the Shibboleth Identity Provider (IdP)?
• Open source software package providing similar functionality to ADFS (e.g. SSO, authentication, SAML 2.0)
• Popular implementation of SAML 2.x with higher education institutions world-wide
• Shibboleth is managed by the Shibboleth Consortium (http://www.shibboleth.net/index.html)
• Latest version is 2.3.6

How do customers with a Shibboleth IdP* interoperate with Office 365?
• Set up a SAML 2.0 federation between Office 365 and their Shibboleth IdP
• Deploy DirSync for user provisioning with AD, and deploy MSOMA+FIM for user provisioning from non-AD

(Diagram: Contoso.edu runs a Shibboleth 2.x IdP over a non-AD directory provisioned with MSOMA + FIM; Fabrikam.edu runs a Shibboleth 2.x IdP over AD, provisioned with MSOMA + FIM.)
Supported clients: email rich clients and web clients
Client access control
Limit access to Office 365 based on network connectivity (internet versus intranet):
• Block all external access to Office 365 based on the IP address of the external client
• Block all external access to Office 365 except Exchange ActiveSync; all other clients such as Outlook are blocked
• Block all external access to Office 365 except for passive browser-based applications such as Outlook Web Access or SharePoint Online
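The three options above, together with the "pass client IP, protocol, device name" proposal for proxied basic-auth clients from the client authentication path slide, as an added Python model (not Microsoft's AD FS rule syntax): each policy decides allow/deny from whether the request came through the AD FS proxy, the forwarded client IP that Exchange Online passes along for the clients it proxies, the endpoint profile, and the client application. The corporate address ranges, request field names and sample requests are constructed.

```python
import ipaddress

# Constructed corporate address space; in practice the customer's public egress ranges.
CORP_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("203.0.113.0/24")]

# Simplified request context (the real AD FS rules read request claims for the proxy
# flag, forwarded client IP and client application; the field names here are my own).
# endpoint: "passive" (browser/web) or "active" (MEX rich client, or basic auth proxied by Exchange Online)
# via_proxy: request arrived through the AD FS 2.0 Proxy rather than the internal server
# forwarded_client_ip: original client IP that Exchange Online forwards for proxied basic auth
REQUESTS = {  # constructed sample traffic
    "browser-internal": {"endpoint": "passive", "via_proxy": False, "app": "Browser"},
    "browser-external": {"endpoint": "passive", "via_proxy": True, "app": "Browser"},
    "lync-internal":    {"endpoint": "active", "via_proxy": False, "app": "Lync"},
    "outlook-office":   {"endpoint": "active", "via_proxy": True, "app": "Outlook",
                         "forwarded_client_ip": "10.20.30.40"},
    "outlook-home":     {"endpoint": "active", "via_proxy": True, "app": "Outlook",
                         "forwarded_client_ip": "198.51.100.7"},
    "activesync-home":  {"endpoint": "active", "via_proxy": True, "app": "ActiveSync",
                         "forwarded_client_ip": "198.51.100.9"},
}

def is_corp_ip(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORP_NETS)

def is_external(req):
    """Basic-auth clients always reach AD FS through Exchange Online and the proxy, so for
    them only the forwarded client IP tells inside from outside; for every other client,
    arriving via the proxy is what makes the request external."""
    fwd = req.get("forwarded_client_ip")
    if fwd is not None:
        return not is_corp_ip(fwd)
    return bool(req["via_proxy"])

POLICIES = {
    "block-external":           lambda req: not is_external(req),
    "external-activesync-only": lambda req: not is_external(req) or req["app"] == "ActiveSync",
    "external-passive-only":    lambda req: not is_external(req) or req["endpoint"] == "passive",
}

def decide(policy, req):
    """Return 'allow' or 'deny' for one request under one of the three slide policies."""
    return "allow" if POLICIES[policy](req) else "deny"

def decision_table(policy):
    """Map every sample request name to its decision under the given policy."""
    return {name: decide(policy, req) for name, req in REQUESTS.items()}
```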
Scoping & filtering for Synchronization
Customers can exclude objects from synchronizing to Office 365. Scoping can be done at the following levels:
• AD domain-based
• Organizational Unit-based
• User attribute-based
Additional filtering capabilities will become available with the O365 Connector.
Multi-forest AD
(Diagram: several AD forests are synchronized by DirSync on FIM into Windows Azure Active Directory, with federation using ADFS; on-premises identity e.g. Domain\Alice.)
• Multi-forest AD support is available through Microsoft-led deployments
• The multi-forest DirSync appliance supports multiple disjoint account forests
• The FIM 2010 Office 365 connector supports complex multi-forest topologies

Non-AD Synchronization
(Diagram: a non-AD (LDAP) directory is synchronized by the Office 365 Connector on FIM into Windows Azure Active Directory, with federation using a non-ADFS STS; on-premises identity e.g. Domain\Alice.)
• Preferred option for directory synchronization with non-AD sources
• Non-AD support with FIM is available through Microsoft-led deployments
• The FIM 2010 Office 365 connector supports complex multi-forest topologies
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Appendix

Multi-forest decision flowchart

Client access control
(Flowchart: for each of the three options, block all external access by client IP address, block all external access except Exchange ActiveSync, and block all external access except passive browser-based applications, the Passive path (browser internal via the AD FS 2.0 Server, browser external via the AD FS 2.0 Proxy; web auth for OWA and SharePoint) and the Active path (Outlook 2010/2007 and ActiveSync auth) are shown, with the recommended configuration marked.)