Office 365 & Identity Federation
Bert Jan van der Steeg, SharePoint Consultant and trainer (bertjan@companio.nl)


Presentation Transcript


  1. Office 365 & Identity Federation. Bert Jan van der Steeg, SharePoint Consultant and trainer, bertjan@companio.nl

  2. agenda: Intro; ADFS 2.0 Overview; Federated Authentication in Office 365; Single Sign On Configuration

  3. agenda (section marker: Intro): Intro; ADFS 2.0 Overview; Federated Authentication in Office 365; Single Sign On Configuration

  4. IdM options. Identities used to access resources: on-premises (Active Directory) and cloud (Office 365). Available options: (a) separate credentials in the corporate directory and in Office 365; (b) migrate existing credentials to Office 365; (c) identity federation with ADFS 2.0.

  5. IdM options: separate credentials. Painful to manage: separate password policies; multiple credentials to manage; management of the sign-in application (BPOS). Sub-optimal user experience: log-in each time the service is accessed; two accounts and/or passwords to manage; set-up of the sign-in application on every new computer used by each user (BPOS).

  6. IdM options: migrate existing credentials. No more corporate credentials; credentials and resources live in the cloud. Fits small shops: no dedicated IT person, no local resources.

  7. IdM options: identity federation. Credential management stays on-premises; a trust is established with the Federation Gateway; Office 365 is the relying party. Prerequisites: the domain used as UPN suffix must be routable (a public DNS domain), and you must own the domain (SSL certificate).

  8. user accounts (diagram): contoso\charlie (on-premises identity); charlie@contoso.com (federated identity); charlie@contoso.microsoftonline.com (cloud identity). With identity federation the user signs in as charlie@contoso.com.

  9. ten steps Easy, right?

  10. agenda Intro ADFS 2.0 Overview Federated Authentication in Office 365 Single Sign On Configuration

  11. claims history: Active Directory Federation Services 2.0

  12. Claims-based AuthN. WS-Federation: architecture and specification for identity federation protocols. WS-Trust: describes the token exchange procedures (security token service request/response). SAML: standard for the exchange of AuthN and AuthZ data between security realms.

  13. federation lingo

  14. (diagram) On-premises ADFS 2.0 with Users, AD and Corp. Resources, federated with Office 365, Azure and a partner's ADFS 2.0 (Partner Resources).

  15. (diagram) Same picture with the Federation Gateway in the middle: on-premises ADFS 2.0 (Users, AD, Corp. Resources) trusts the Federation Gateway, which fronts Office 365, Azure and the partner's ADFS 2.0 (Partner Resources).

  16. (diagram) The on-premises ADFS 2.0 (Users, AD) has a TRUST with the Federation Gateway. Behind the gateway: the Provisioning Service, SharePoint Online, Exchange Online, Lync Online and the Live ID IdP (Live ID accounts).

  17. federation gateway. Online service based on the WS-* standards; the connection into the federation ecosystem; billions of authentications daily; in production since 2006. Trust provisioning service: checks domain ownership through the SSL certificate.

  18. adfs 2.0: a topology. Cloud; two ADFS proxies (adfsproxy 1, adfsproxy 2) published as https://adfs.contoso.com; two internal ADFS servers (adfs 1, adfs 2) in a farm, also answering to https://adfs.contoso.com. The farm is created with FsConfig.exe CreateSQLFarm (the SQL-backed farm, as opposed to the default Windows Internal Database farm).

  19. claims. Statements made about users which are understood and trusted by both partners in a federation: name, identity, group, role, privilege, capability. Used for authorization purposes within applications. A claim begins at the identity provider when the user provides credentials, and is inserted into a security token (SAML token), which is a secure, standardized way of packaging the data for transport to a trusted partner.

  20. adfs claims engine. Stage 1, accepting claims: incoming claims from a Claims Provider Trust pass through the acceptance transform rules. Stage 2, authorizing claims: the issuance authorization rules decide Permit or Deny for the relying party. Stage 3, issuing claims: the issuance transform rules produce the outgoing claims for the Relying Party Trust.

  21. adfs 2.0 components: trust relationships. AuthN store: Active Directory. Target application: Office 365.

  22. adfs 2.0 components: endpoints. 1. Passive federation endpoint (/adfs/ls/): browser-based connections. 2. Active federation endpoint (WS-Trust, /adfs/services/trust/2005/usernamemixed): rich clients such as Lync 2010. 3. EAS endpoint: ActiveSync, Outlook 2010 and Exchange Web Services, where Exchange Online presents the user's credentials to ADFS on the user's behalf. Every endpoint that external clients need must be reachable through the ADFS proxy.

  23. adfs 2.0 components: claim rules. The three issuance transform rules on the Office 365 relying party trust, shown in the order the claims engine needs them (the Active Directory lookup runs first so that the next two rules have a UPN and an ImmutableID to work on; the original slide lists them in a different order and lacked the opening quote on the windowsaccountname claim type):

```
@RuleName = "Look up UPN and objectGUID (ImmutableID) in Active Directory"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/claims/UPN", "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"),
          query = "samAccountName={0};userPrincipalName,objectGUID;{1}",
          param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"),
          param = c.Value);

@RuleName = "ImmutableID as SAML NameID"
c:[Type == "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Value = c.Value,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");

@RuleName = "Issuer ID from UPN suffix (added by -SupportMultipleDomain)"
c:[Type == "http://schemas.xmlsoap.org/claims/UPN"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid",
          Value = regexreplace(c.Value, ".+@(?<domain>.+)", "http://${domain}/adfs/services/trust/"));
```
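To see what those rules actually hand to the Federation Gateway, the following PowerShell replays them offline. This is an added example, not code from the deck or from ADFS: it uses the same .NET regular expressions that regexreplace() applies, but replaces the live Active Directory attribute store with a constructed lookup table, and the user, UPN and objectGUID in it are made up.

```powershell
# Added example: replay the three Office 365 issuance transform rules
# without an ADFS server. Not the real claims engine; same regexes though.

# Constructed stand-in for the AD attribute store query
# "samAccountName={0};userPrincipalName,objectGUID;{1}" (values are fictitious)
$adStore = @{
    'charlie' = @{
        userPrincipalName = 'charlie@contoso.com'
        objectGUID        = [Guid]'5a8c8f4e-6b1c-4b8e-9b0a-1d2e3f4a5b6c'
    }
}

function Invoke-Office365ClaimRules {
    param([string]$WindowsAccountName)   # incoming claim, e.g. "CONTOSO\charlie"

    $claims = @{}

    # Rule 1: windowsaccountname -> UPN + ImmutableID via the AD store.
    # First param strips the domain prefix with the rule's own regex.
    $sam  = $WindowsAccountName -replace '(?<domain>[^\\]+)\\(?<user>.+)', '${user}'
    $user = $adStore[$sam]
    if (-not $user) { throw "No AD object for samAccountName $sam" }
    $claims['http://schemas.xmlsoap.org/claims/UPN'] = $user.userPrincipalName
    # The AD store emits objectGUID as base64 of its 16 bytes; Office 365
    # stores that string as the ImmutableID, which is what ties a federated
    # logon to the DirSync'ed account (a UPN rename does not break it).
    $claims['http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID'] =
        [Convert]::ToBase64String($user.objectGUID.ToByteArray())

    # Rule 2: ImmutableID becomes the SAML NameID (format unspecified).
    $claims['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'] =
        $claims['http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID']

    # Rule 3: UPN suffix -> issuerid, so one ADFS farm can serve several
    # federated domains (-SupportMultipleDomain). Every suffix a user may have
    # must be a federated domain in the tenant, or the issuer is rejected.
    $claims['http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid'] =
        $claims['http://schemas.xmlsoap.org/claims/UPN'] -replace
            '.+@(?<domain>.+)', 'http://${domain}/adfs/services/trust/'

    return $claims
}

Invoke-Office365ClaimRules 'CONTOSO\charlie' | Format-Table -AutoSize
```

Single-quoted strings are used deliberately: in PowerShell `${user}` and `${domain}` inside double quotes would be expanded as variables instead of reaching the .NET regex engine as group references.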

  24. agenda Intro ADFS 2.0 Overview Federated Authentication in Office 365 Single Sign On Configuration

  25. add domain; convert to federated later

  26. configure federation: connect to MSOL. $cred = Get-Credential; Connect-MsolService -Credential $cred; Set-MsolADFSContext -Computer <FQDN of the internal ADFS server> (the slide's "Get-Credentials" is a typo; the cmdlet is Get-Credential).

  27. configure federation: add federated domain. New-MsolFederatedDomain -DomainName <domainname> -SupportMultipleDomain

  28. Directory Synchronization. Directory Synchronization is used between on-premises Active Directory and Office 365; federation requires DirSync in this scenario. Users' UPNs are leveraged for account matching: the UPN suffix must be the federated domain so the sign-in service can route the user to ADFS, and the synchronized objectGUID (ImmutableID) links the token to the account.

  29. Directory Synchronization: Start-OnlineCoexistenceSync
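The whole procedure from slides 25 to 29 as one script, with the verification a practitioner wants before pointing users at the farm. This is an added example, not from the deck: the domain name and ADFS server FQDN are placeholders, and it assumes the MSOnline module is installed and the script runs on the internal ADFS 2.0 server (not the proxy).

```powershell
# Added example: federate a verified Office 365 domain with ADFS 2.0 and check
# that both sides agree. Placeholders: contoso.com, adfs1.corp.contoso.com.
Import-Module MSOnline

$cred = Get-Credential                          # Office 365 global administrator
Connect-MsolService -Credential $cred
Set-MsolADFSContext -Computer 'adfs1.corp.contoso.com'   # internal ADFS server, assumption

$domain = 'contoso.com'

# Slide 25 path: the domain was added and DNS-verified as a managed domain,
# so convert it. Slide 27 path (New-MsolFederatedDomain) is for a domain that
# is not in the tenant yet. -SupportMultipleDomain adds the issuerid rule.
$state = (Get-MsolDomain -DomainName $domain).Authentication
if ($state -eq 'Managed') {
    Convert-MsolDomainToFederated -DomainName $domain -SupportMultipleDomain
} elseif ($state -ne 'Federated') {
    throw "Domain $domain is not verified; add and verify it first (slide 25)"
}

# Check 1: what Office 365 recorded for this domain. IssuerUri, the passive
# and active logon URIs and SigningCertificate must match the ADFS farm.
Get-MsolDomainFederationSettings -DomainName $domain |
    Select-Object IssuerUri, PassiveLogOnUri, ActiveLogOnUri, SigningCertificate

# Check 2: compare both sides directly (needs the ADFS context set above).
# A token-signing certificate mismatch, e.g. after ADFS AutoCertificateRollover,
# breaks every sign-in until the cloud side is refreshed:
#   Update-MsolFederatedDomain -DomainName $domain -SupportMultipleDomain
Get-MsolFederationProperty -DomainName $domain

# Slide 29: users arrive through Directory Synchronization, run on the DirSync
# server, not here (Start-OnlineCoexistenceSync). Until a user is synced with a
# UPN in $domain there is nothing for the federated logon to map to.
```

Run the two checks again after every certificate change on the farm; the cloud side never learns about a new token-signing certificate on its own in ADFS 2.0.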

  30. login sequence (diagram, sharepointlabs.nl). Participants: client, SharePoint Online, Exchange Online, Sign-In Service (cloud), ADFS 2.0, AD. SharePoint Online answers the unauthenticated client with a 302 redirect to the Sign-In Service; ADFS 2.0 authenticates against AD and issues a SAML logon token (UPN: charlie@sharepointlabs.nl, Source ID: ABC123); the Sign-In Service exchanges it for its own authentication token (UPN: charlie@sharepointlabs.nl, Source ID: 1234567). Exchange Online path: "404 - Authenticate ..." as labelled on the slide.

  31. login sequence

  32. Scenarios. Domain-joined computer in the corporate network: the ADFS server can use Windows Integrated AuthN. Domain-joined computer, roaming: publish the ADFS server (proxy). Home or public computer: the user signs in with corporate credentials. Smartphone: Microsoft Outlook or other e-mail clients.

  33. troubleshooting tools: MOSDAL (Microsoft Online Services Diagnostics and Logging) Support Toolkit; www.testexchangeconnectivity.com; Fiddler.

  34. adfs additional reading: KB 2607496, Update Rollup 1 for Active Directory Federation Services (AD FS) 2.0. Multiple issuer support; client access policy support; congestion avoidance algorithm; additional AD FS 2.0 performance counters.
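Client access policy is the item on that list with the most security impact, because it lets the Stage 2 authorization rules say no to a request that carries valid credentials. As an added example (not from the deck), the script below installs the documented "block external access except browser-based sign-in" rule on the Office 365 relying party trust. It assumes Update Rollup 1 (KB 2607496) is installed, since the x-ms-* request context claims do not exist before it, and the corporate public IP range is a placeholder.

```powershell
# Added example: client access policy on the Office 365 relying party trust.
# Requires AD FS 2.0 Update Rollup 1 (KB 2607496). IP range is an assumption.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rp = 'Microsoft Office 365 Identity Platform'   # RP trust name created by Convert/New-MsolFederatedDomain

# Stage 2 default: permit everyone. A deny claim issued by any later rule wins.
$permitAll = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Corporate NAT range as a regex on x-ms-forwarded-client-ip (placeholder).
$corpIpRegex = '^203\.0\.113\.'

# Deny when the request came in through an ADFS proxy (x-ms-proxy present),
# the forwarded client IP is not corporate, and the endpoint is not the
# passive /adfs/ls/ endpoint. Net effect: roaming users can still sign in
# from a browser, but Outlook/ActiveSync/Lync from the Internet are refused
# unless they come from the corporate address range.
$denyExternalActive = @"
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "$corpIpRegex"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/ls/"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
"@

Set-ADFSRelyingPartyTrust -TargetName $rp -IssuanceAuthorizationRules ($permitAll + "`n" + $denyExternalActive)

# Read back what is now in force.
(Get-ADFSRelyingPartyTrust -Name $rp).IssuanceAuthorizationRules
```

Two caveats before relying on it: x-ms-forwarded-client-ip is populated from the X-MS-Forwarded-Client-IP header that Exchange Online adds on the active/EAS path, so it only means something for requests that really came through Exchange Online and the proxy; and a rule set with no permit rule denies everybody, so keep the permit rule as the first line.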

  35. more info. Web Services Federation Language (WS-Federation) Version 1.2: http://docs.oasis-open.org/wsfed/federation/v1.2/ws-federation.pdf. WS-Trust Version 1.3: http://docs.oasis-open.org/ws-sx/ws-trust/200512/ws-trust-1.3-os.pdf. Security Assertion Markup Language (SAML) 2.0: http://go.microsoft.com/fwlink/?LinkId=193996. Microsoft AD FS 2.0 Release to Web (RTW) download: http://www.microsoft.com/downloads/details.aspx?FamilyID=118c3588-9070-426a-b655-6cec0a92c10b. Identity federation definition from Wikipedia: http://en.wikipedia.org/wiki/Federated_identity

  36. more info. Microsoft Office 365 Single Sign-On (SSO) with AD FS 2.0: http://tinyurl.com/6pbrkop
