Identity Federation

Timothy Heeney| Microsoft Corporation



Agenda

  • Discuss the purpose of Identity Federation

  • Explain how to implement Identity Federation

  • Explain how Identity Federation works

  • Basic troubleshooting


Non-Federated user and administrative experience

User Experience:

  • Users sign in with a cloud identity

  • Authentication happens in the cloud

  • Users have two IDs: one for on-premises services and one for Online Services

  • Users are prompted for credentials when accessing Online Services, even when they are already logged on to the domain

    Administrator Experience:

  • Manages password policy both in the cloud and on premises

  • Resets passwords separately for on-premises accounts and Microsoft Online IDs

  • No two-factor authentication integration


Federated user and administrative experience

User Experience:

  • Users sign in with their corporate ID

  • Authentication happens on premises, against the corporate directory

  • Users have a single credential that provides SSO to both on-premises and Online Services

  • Users get a true SSO experience

  • Two-factor authentication can be used if it is already deployed on premises, because the on-premises STS is the one authenticating the user

    Administrator Experience:

  • Manages password policy on premises only

  • Resets passwords for on-premises IDs only; the cloud never holds the password

  • Two-factor authentication integration options

  • Requires additional servers (AD FS, and normally an AD FS proxy) to enable identity federation, so there is an additional up-front cost


Client Experience based on client used

For any of the rich (thick) clients to work properly with SSO, the Service Connector must be installed on the client machine.


Service Connector

  • Installs client and operating system updates to enable the best sign-on experience. Some of these updates are hotfixes and are not available through normal Windows Update procedures

  • Enables authentication support for rich clients

  • Ensures clients have all the configuration data needed to use the service

  • The Service Connector can be deployed centrally, or installed locally by the user if the user has local Administrator privileges; centralized deployment avoids granting users admin rights just for this

  • The SSO client is also needed on the Exchange and AD FS servers in order to connect to Online Services


Configuring Identity Federation

  • Ensure there is a valid UPN for the on-premises users

  • Install a Certificate Authority, or obtain a third-party certificate

  • Install and configure AD FS 2.0

  • Run the Microsoft Online Services Identity Federation Management tools

  • Implement Directory Synchronization


Ensure there is a valid UPN for the on-premises users

  • Users need an external (publicly routable) UPN suffix (contoso.com, not contoso.local)

  • You can add this in AD Domains and Trusts as an alternate UPN suffix

  • You can use ADUC (Active Directory Users and Computers) to change the users to the new UPN suffix

  • You can use ADMODIFY to change the users in bulk to the new UPN suffix

  • This is needed so that domain verification can occur (a public CNAME record must be created for the domain)
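The bulk UPN change described above, done with the Active Directory PowerShell module rather than ADUC or ADMODIFY. This is an added example and not part of the original deck; the suffixes contoso.local and contoso.com, the OU path and the ActiveDirectory module (RSAT) being available are assumptions. It refuses to run until the public suffix has actually been registered on the forest, which is the error most people hit first.

```powershell
# Added example (not from the slide deck): move users from a non-routable UPN
# suffix to the public suffix that will be verified with Microsoft Online.
# Assumes the ActiveDirectory module (RSAT) and that the public suffix has
# already been added as an alternate UPN suffix in AD Domains and Trusts.
Import-Module ActiveDirectory

$OldSuffix  = 'contoso.local'                  # internal suffix (assumed)
$NewSuffix  = 'contoso.com'                    # public, verifiable suffix (assumed)
$SearchBase = 'OU=Users,DC=contoso,DC=local'   # assumed OU; keeps the scope narrow

function Test-UpnSuffixRegistered {
    param([string]$Suffix)
    # A suffix is usable if it is a domain DNS name in the forest or was
    # added as an alternate suffix. Set-ADUser fails otherwise.
    $forest = Get-ADForest
    return ($forest.UPNSuffixes -contains $Suffix) -or ($forest.Domains -contains $Suffix)
}

function Update-UserUpnSuffix {
    param([string]$OldSuffix, [string]$NewSuffix, [string]$SearchBase, [switch]$WhatIf)

    if (-not (Test-UpnSuffixRegistered $NewSuffix)) {
        throw "UPN suffix '$NewSuffix' is not registered on the forest. Add it in AD Domains and Trusts first."
    }

    $filter = "UserPrincipalName -like '*@$OldSuffix'"
    $users  = Get-ADUser -Filter $filter -SearchBase $SearchBase -Properties mail

    foreach ($u in $users) {
        $prefix = $u.UserPrincipalName.Split('@')[0]
        $newUpn = "$prefix@$NewSuffix"

        # The online service uses the UPN as the sign-in name, so warn when it
        # will not match the user's primary SMTP address.
        if ($u.mail -and ($u.mail -ne $newUpn)) {
            Write-Warning "$($u.SamAccountName): mail '$($u.mail)' differs from new UPN '$newUpn'"
        }

        Set-ADUser -Identity $u -UserPrincipalName $newUpn -WhatIf:$WhatIf
        Write-Output "$($u.SamAccountName): $($u.UserPrincipalName) -> $newUpn"
    }
}

# Dry run first; remove -WhatIf once the output looks right.
Update-UserUpnSuffix -OldSuffix $OldSuffix -NewSuffix $NewSuffix -SearchBase $SearchBase -WhatIf
```

Run it once with -WhatIf, review the warnings about mismatched mail attributes, then run it for real. Changing the UPN does not touch the sAMAccountName, so on-premises logons by domain\user are unaffected.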


Install Certificate Authority and IIS

  • With Identity Federation, users are redirected to the AD FS endpoint over HTTPS

  • An Enterprise CA can issue the certificate used for the AD FS endpoint, or a third-party certificate with the proper names (the federation service name) can be used

  • A token-signing certificate is also used: the Microsoft Federation Gateway (MFG) validates the claims (tokens) issued by the on-premises AD FS against the public key of that certificate, so the two must stay in sync

  • IIS needs to be installed on the AD FS server, and the certificate issued to the AD FS server needs to be bound to port 443 on that server

  • Third-party certificates can also be used, as long as the private key is available with the certificate


Install AD FS 2.0 and configure AD FS 2.0

  • Download and install AD FS 2.0 (instructions are on the portal)

  • Using a full SQL Server instance instead of the built-in Windows Internal Database is optional and requires a command-line install (each FSConfig command takes the service account, its password and the SQL connection string; CreateSQLFarm also takes the federation service name):

    • ADFSSetup.exe /quiet

    • FSConfig.exe CreateSQLFarm

    • FSConfig.exe JoinSQLFarm

  • Then configure AD FS:

    • From the Start menu select AD FS 2.0 Management

    • Select the AD FS 2.0 Federation Server Configuration Wizard


Microsoft Online Services Identity Federation Management

  • Download and install the MOSID tool (used to establish the trust with the MFG and transfer the proper configuration and certificates); it is available from the portal

  • Click Start -> All Programs -> Microsoft Online Services -> Microsoft Online Services Identity Federation Management Tool

    • Run the following commands:

      • $cred = Get-Credential

        • This command prompts for your Online Administrator credentials

      • Set-MSOLContextCredential -MSOLAdminCredential $cred

  • The above sets the context of the PowerShell session to the Online Administrator account; subsequent federation cmdlets run as that account


Basic Troubleshooting of Identity Federation

  • The MOSID tool logs are located under C:\Users\<userAccount>\Documents\MicrosoftOnline\MSOL-IdentityFederation-<date>

  • Event logging for AD FS 2.0

  • Enable additional logging and verbose logging:

    • Edit the Federation Service properties and enable verbose logging; then, in Event Viewer, show analytic and debug logs

    • To start verbose tracing, run the following:

      wevtutil.exe sl "AD FS 2.0 Tracing/Debug" /l:5

    • Enable the debug log in Event Viewer

  • "Your organization could not sign you in to this service." Likely causes:

    • Link Translation on ISA Server may be enabled, rewriting the federation URLs

    • The URLs are configured incorrectly in AD FS

    • The MFG relying party trust URL is incorrect; verify it

    • One of the certificates was updated (rolled over) in AD FS but the update was not pushed to the MFG, so the MFG cannot validate the new signature
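The verbose-tracing steps above, scripted so the trace is only on while the failure is reproduced and the relevant events end up in one file. This is an added example, not from the deck; it runs on the AD FS 2.0 server as an administrator and uses the channel name the slide gives (AD FS 2.0 Tracing/Debug) plus the AD FS 2.0/Admin log. The output path is an assumption.

```powershell
# Added example (not from the slide deck): enable AD FS 2.0 debug tracing,
# reproduce the sign-in failure, disable tracing, and collect the error-level
# Admin events and the debug trace since the start time into one file.
$TraceLog = 'AD FS 2.0 Tracing/Debug'
$AdminLog = 'AD FS 2.0/Admin'
$OutFile  = Join-Path $env:TEMP ("adfs-trace-{0}.txt" -f (Get-Date -Format 'yyyyMMdd-HHmmss'))

function Enable-AdfsTrace {
    # /l:5 = verbose level; /e:true turns the analytic/debug channel on
    # (it is off by default and is what "enable debug log" in Event Viewer does).
    & wevtutil.exe sl $TraceLog /l:5
    & wevtutil.exe sl $TraceLog /e:true
}

function Disable-AdfsTrace {
    # Leave the channel off afterwards; it grows quickly and is cleared when re-enabled.
    & wevtutil.exe sl $TraceLog /e:false
}

function Get-AdfsErrors {
    param([datetime]$Since)
    $events = @()

    # Admin log: Level 2 = Error.
    $admin = Get-WinEvent -FilterHashtable @{ LogName = $AdminLog; Level = 2; StartTime = $Since } `
                          -ErrorAction SilentlyContinue
    if ($admin) { $events += $admin }

    # Analytic/debug channels can only be read oldest-first.
    $trace = Get-WinEvent -LogName $TraceLog -Oldest -ErrorAction SilentlyContinue |
             Where-Object { $_.TimeCreated -ge $Since }
    if ($trace) { $events += $trace }

    $events | Sort-Object TimeCreated |
        Select-Object TimeCreated, LogName, Id, LevelDisplayName, Message
}

$start = Get-Date
Enable-AdfsTrace
try {
    Read-Host 'Reproduce the sign-in failure now, then press Enter'
} finally {
    Disable-AdfsTrace
}
Get-AdfsErrors -Since $start | Format-List | Out-File -FilePath $OutFile -Encoding UTF8
Write-Output "Events written to $OutFile"
```

Read the Admin errors first; the debug trace is mostly useful for confirming which relying party and endpoint URL the request actually hit, which is where the "URLs configured incorrectly" and ISA link-translation causes show up.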


WinHTTP trace

The following sequence is what the WinHTTP trace shows for a federated sign-in:

  • First we browse to https://Portal.MicrosoftOnline.com

  • We are redirected to the identity provider for the Online Services, login.microsoftonline.com

  • We type in our email address and realm discovery occurs

  • The client is redirected to the on-premises STS because the domain part of the email address is federated

  • We send our credentials to the STS and receive a token in return

  • We send that token to login.microsoftonline.com

  • We receive a token from the MFG and submit it to portal.microsoftonline.com
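A small checker for the sequence above: it takes the top-level navigation requests from a capture (method and URL only), classifies each hop, and reports where the flow departs from the expected portal -> realm discovery -> on-premises STS -> MFG -> portal order. This is an added example, not part of the deck; the two sample traces are constructed, the STS host sts.contoso.com is assumed, and the portal and login host names are the ones the slide gives. The wtrealm value and login.srf path are illustrative and also constructed.

```powershell
# Added example (not from the slide deck): check a captured federated sign-in
# against the expected passive-profile sequence from the WinHTTP trace slide.
# Feed it only the navigation requests (not images/scripts) from the capture.

function Get-HopKind {
    param([string]$Method, [string]$Url)
    $u = [uri]$Url
    # Every hop carries a token or credentials at some point; plain HTTP is a finding on its own.
    if ($u.Scheme -ne 'https') { return "Insecure:$($u.Host)" }

    switch ($u.Host) {
        'portal.microsoftonline.com' {
            if ($Method -eq 'POST') { 'TokenToPortal' } else { 'Portal' }
        }
        'login.microsoftonline.com' {
            # GET = realm discovery page; POST = the STS token being posted back (wresult).
            if ($Method -eq 'POST') { 'TokenToMFG' } else { 'RealmDiscovery' }
        }
        default {
            # Anything else must be the on-premises AD FS passive endpoint with a WS-Fed sign-in request.
            if ($u.AbsolutePath -like '/adfs/ls/*' -and $Url -match 'wa=wsignin1\.0') { 'OnPremSTS' }
            else { "Unexpected:$($u.Host)$($u.AbsolutePath)" }
        }
    }
}

function Test-SignInFlow {
    param([string[]]$TraceLines)
    $expected = @('Portal', 'RealmDiscovery', 'OnPremSTS', 'TokenToMFG', 'TokenToPortal')
    $hops = @(foreach ($line in $TraceLines) {
        $method, $url = $line -split '\s+', 2
        Get-HopKind -Method $method -Url $url
    })

    for ($i = 0; $i -lt $expected.Count; $i++) {
        $got  = if ($i -lt $hops.Count) { $hops[$i] } else { '<missing>' }
        $mark = if ($got -eq $expected[$i]) { 'ok' } else { 'MISMATCH' }
        '{0,-9} step {1}: expected {2,-15} got {3}' -f $mark, ($i + 1), $expected[$i], $got
    }
    if ($hops.Count -gt $expected.Count) {
        'extra hops after the expected sequence: ' + (($hops[$expected.Count..($hops.Count - 1)]) -join ', ')
    }
}

# Constructed sample: a healthy sign-in.
$GoodTrace = @(
    'GET https://portal.microsoftonline.com/',
    'GET https://login.microsoftonline.com/login.srf?wa=wsignin1.0',
    'GET https://sts.contoso.com/adfs/ls/?wa=wsignin1.0&wtrealm=urn:federation:MicrosoftOnline',
    'POST https://login.microsoftonline.com/login.srf',
    'POST https://portal.microsoftonline.com/'
)

# Constructed sample: realm discovery sent the browser to the STS over plain HTTP,
# the kind of thing a mis-set AD FS URL or ISA link translation produces.
$BadTrace = @(
    'GET https://portal.microsoftonline.com/',
    'GET https://login.microsoftonline.com/login.srf?wa=wsignin1.0',
    'GET http://sts.contoso.com/adfs/ls/?wa=wsignin1.0&wtrealm=urn:federation:MicrosoftOnline'
)

'--- good trace ---'; Test-SignInFlow $GoodTrace
'--- bad trace ---';  Test-SignInFlow $BadTrace
```

In the bad trace the third step reports Insecure:sts.contoso.com and steps four and five are missing, which points straight at the URL the MFG has for the on-premises STS rather than at the STS itself.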


Identity Federation Authentication Flow (Passive Profile)

[Diagram: passive-profile authentication flow between the Customer (on-premises AD FS) and Microsoft Online Services]


AD FS 2.0 Proxy installation

  • Why use a proxy?

    • Security: the internal federation server is not exposed directly to the Internet

    • Key protection: the token-signing and token-decrypting private keys stay on the internal federation server; only the SSL (service communications) certificate goes to the proxy

    • Client connections terminate at the proxy, which forwards the requests to the internal federation server

  • How do you install the AD FS proxy?

    • Export the SSL certificate and its private key from the AD FS server

    • Import the .pfx file into the AD FS proxy server

    • Download the AD FS 2.0 installation files and install the Federation Server Proxy role
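The export/import step above, using the .NET certificate classes (which work on the Windows Server 2008 R2 / PowerShell 2.0 hosts AD FS 2.0 ran on, where Export-PfxCertificate does not exist). This is an added example and not from the deck; the federation service name sts.contoso.com and the temporary PFX path are assumptions. It deliberately selects by subject name from the machine store so that only the SSL certificate, never the token-signing certificate, is exported.

```powershell
# Added example (not from the slide deck): export the AD FS service
# communications (SSL) certificate with its private key for the proxy, and
# import it on the proxy. Run Export-AdfsSslCert on the AD FS server and
# Import-AdfsSslCert on the proxy, then bind the cert to port 443 in IIS there.
$FsName  = 'sts.contoso.com'        # federation service name (assumed)
$PfxPath = 'C:\Temp\adfs-ssl.pfx'   # assumed path; delete the file after import

function Export-AdfsSslCert {
    param([string]$SubjectName, [string]$Path, [Security.SecureString]$Password)

    # Pick the newest cert for the service name that has a private key.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$SubjectName*" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with a private key for CN=$SubjectName in LocalMachine\My" }

    # The key must have been marked exportable when the cert was requested;
    # otherwise Export throws. Convert the SecureString only for the call itself.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        $bytes = $cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $plain)
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
    [IO.File]::WriteAllBytes($Path, $bytes)
    return $cert.Thumbprint
}

function Import-AdfsSslCert {
    param([string]$Path, [Security.SecureString]$Password)

    # MachineKeySet puts the key in the machine store so IIS can use it;
    # PersistKeySet keeps it after this process exits. Not re-exportable from here.
    $flags = [Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet -bor
             [Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet
    $cert = New-Object Security.Cryptography.X509Certificates.X509Certificate2
    $cert.Import($Path, $Password, $flags)

    $store = New-Object Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadWrite')
    $store.Add($cert)
    $store.Close()
    return $cert.Thumbprint
}

# On the AD FS server:
$pfxPassword = Read-Host -AsSecureString 'PFX password'
$thumb = Export-AdfsSslCert -SubjectName $FsName -Path $PfxPath -Password $pfxPassword
Write-Output "Exported $thumb to $PfxPath; copy it to the proxy over an authenticated channel."

# On the proxy (after copying the file):
# $pfxPassword = Read-Host -AsSecureString 'PFX password'
# Import-AdfsSslCert -Path $PfxPath -Password $pfxPassword
# Remove-Item $PfxPath
```

Compare the thumbprint printed on both sides before running the Federation Server Proxy Configuration Wizard; if they differ, the proxy picked up a different certificate from its store.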


Management

  • After Identity Federation is configured we need to ensure that DirSync is deployed.

  • When DirSync is configured, management of user objects is performed on premises, with the exception of licensing.

Deployment phases and the tools used in each:

1. Plan (read the deployment documentation)

2. Prepare

3. Establish federation and/or coexistence

  • Set up Identity Federation (Microsoft Online Identity Tool)

  • Configure and perform DirSync: install DirSync (Microsoft Online DirSync Tool)

  • Add and verify SMTP domains (Admin Portal, DNS administration)

  • Configure services; enable CCS for coexistence (Online Services configuration)

  • Go live

4. License users (Admin Portal)


DirSync

  • Used whenever there is any type of coexistence

  • Provides a unified GAL and user account provisioning

  • When DirSync is enabled and configured, users are mastered on premises and then synchronized to the cloud


Questions


© 2010 Microsoft Corporation.