Identities in the Cloud


  1. Identities in the Cloud Els Putzeys

  2. Identities in the Cloud User Management in Windows Azure

  3. Identity Options • Microsoft Online IDs • Microsoft Online IDs + Directory Synchronization • Federated IDs + Directory Synchronization

  4. Microsoft Online IDs • Appropriate for small organizations without on-prem AD • Pros: no servers required on-premises • Cons: no SSO; 2 sets of credentials to manage, with different password policies; IDs mastered in the cloud

  5. Microsoft Online IDs + DirSync • Appropriate for medium/large organizations with on-prem AD • Pros: users and groups mastered on-premises; enables coexistence scenarios; passwords can be synchronized with the password sync tool • Cons: no SSO; 2 sets of credentials to maintain (the same password if password sync is on, but still two accounts); DirSync server required on-premises

  6. Federated IDs + DirSync • Appropriate for medium/large enterprises with on-prem AD • Pros: SSO; IDs mastered on-prem; password policy controlled on-prem; enables coexistence scenarios • Cons: servers required on-premises (DirSync plus an AD FS farm and proxies)

  7. Microsoft Online IDs Windows Azure AD

  8. Windows Azure AD • Identity and access management in the cloud • Your organization's cloud directory • Used by Windows Azure, Office 365 and Windows Intune • Can be integrated with on-premises AD • Integration with cloud applications: single sign-on experience, app hosted in the cloud, users authenticate with corporate credentials

  9. Windows Azure AD (diagram: tenant data lives in Windows Azure AD and is managed through Windows PowerShell, the Office 365 Account Portal, the Windows Intune Account Portal and the Windows Azure AD Portal)

  10. Windows Azure AD • Azure AD is a multi-tenant service • Authentication process: 1. the user accesses a SaaS application; 2. the user authenticates to Azure AD with username and password; 3. Azure AD returns a token; 4. the token is sent to the SaaS application; 5. the application validates the token (signature, issuer, audience and expiry) and uses its content

  11. Create Online IDs • Windows Azure AD Portal • Office 365 Portal • Windows PowerShell
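The PowerShell route from the slide above, as an added example that is not part of the deck. It uses the real MSOnline cmdlets (Connect-MsolService, Get-MsolAccountSku, New-MsolUser); the wrapper name New-OnlineId, the tenant name fabrikam.onmicrosoft.com, the usage location and the SKU name are assumptions to replace with your own.

```powershell
# Added example (not from the deck): create a Microsoft Online ID with the
# MSOnline module and assign a licence in one step. Assumes the Microsoft
# Online Services Module for Windows PowerShell is installed; the tenant
# 'fabrikam.onmicrosoft.com' and the SKU 'fabrikam:ENTERPRISEPACK' are
# placeholders.
Import-Module MSOnline

# Prompts once for a tenant administrator; $cred is reused for the session.
$cred = Get-Credential
Connect-MsolService -Credential $cred

function New-OnlineId {
    # Hypothetical wrapper name; New-MsolUser does the actual work.
    param(
        [Parameter(Mandatory)] [string] $Upn,
        [Parameter(Mandatory)] [string] $DisplayName,
        [Parameter(Mandatory)] [string] $FirstName,
        [Parameter(Mandatory)] [string] $LastName,
        # A usage location must be set before any licence can be assigned.
        [string] $UsageLocation = 'BE',
        # Licence SKU in <tenant>:<sku> form; list yours with Get-MsolAccountSku.
        [string] $LicenseSku = 'fabrikam:ENTERPRISEPACK'
    )

    # Refuse to touch an existing account: New-MsolUser would error anyway,
    # but checking first gives a clear message before anything is changed.
    if (Get-MsolUser -UserPrincipalName $Upn -ErrorAction SilentlyContinue) {
        throw "User $Upn already exists in the tenant"
    }

    # Make sure the SKU exists and still has free seats.
    $sku = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -eq $LicenseSku }
    if (-not $sku) { throw "Unknown SKU $LicenseSku" }
    if (($sku.ActiveUnits - $sku.ConsumedUnits) -le 0) { throw "No free seats in $LicenseSku" }

    # Omitting -Password makes the service generate a temporary password and
    # return it in the result; ForceChangePassword makes the user replace it
    # at first sign-in, so no administrator ever knows the permanent password.
    New-MsolUser -UserPrincipalName $Upn -DisplayName $DisplayName `
        -FirstName $FirstName -LastName $LastName -UsageLocation $UsageLocation `
        -LicenseAssignment $LicenseSku -ForceChangePassword $true
}

$u = New-OnlineId -Upn 'els@fabrikam.onmicrosoft.com' -DisplayName 'Els Putzeys' `
    -FirstName 'Els' -LastName 'Putzeys'

# Hand the temporary password to the user out of band; it is not stored here.
"Created $($u.UserPrincipalName) (licensed: $($u.IsLicensed)); temporary password: $($u.Password)"
```

The cloud password policy of the tenant applies to this account (there is no on-prem policy to inherit), which is the "2 sets of credentials with different password policies" drawback from slide 4.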

  12. Demo

  13. Microsoft Online IDs + DirSync Directory Synchronization

  14. Directory Synchronization • Synchronize users from on-prem to online • User management is done on-prem • Password synchronization: synchronize passwords from on-prem to online • Users have 1 set of credentials across on-prem and online, but 2 accounts

  15. Directory Synchronization (diagram: on the customer network, AD feeds the DirSync server; DirSync writes MS Online IDs into Azure AD in the Windows Azure datacenter, where the Office 365 services Exchange Online, SharePoint Online and Lync Online consume them)

  16. DirSync: Preparation • Synchronization computer: Windows Server 2008 R2 SP1 or Windows Server 2012 (R2), domain-joined • Prerequisite software: .NET Framework 3.5 SP1 and 4.0, PowerShell • DC requirements: forest functional level Windows Server 2003 or higher; domain controllers Windows Server 2003 SP1 or higher

  17. DirSync: Preparation • To install DirSync, you need the following permissions: administrator of the DirSync server, administrator of the local AD environment, administrator of the cloud service • DirSync setup creates a service account, MSOL_AD_SYNC, in the Users container: it reads from local AD and writes to Windows Azure AD • Do not move or remove this account!

  18. DirSync: Preparation • Initial synchronization: all AD objects are copied to WAAD • Maximum 50,000 objects; if you have more, contact support • DirSync requires SQL: SQL Express (installed by default) for fewer than 50,000 objects, full SQL for more than 50,000 objects

  19. DirSync: Preparation • UPN requirements • Every user must have a UPN • UPNs must match a validated domain in the cloud • Make sure AD contains the correct UPN suffix • Check the UPN in the cloud after synchronization • Users must use their UPN to log on to cloud services
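The UPN check from the slide above, as an added example that is not part of the deck: it compares the UPN suffixes configured in the forest, and the UPN of every user in a given OU, against the domains the tenant has actually verified. The cmdlets are the real ActiveDirectory and MSOnline ones; the helper name Test-UpnReadiness, the forest name fabrikam.local, the public domain fabrikam.com and the OU path are assumptions.

```powershell
# Added example (not from the deck): find users whose UPN will not synchronize
# cleanly, before the first DirSync run. Assumes the ActiveDirectory and
# MSOnline modules; 'fabrikam.local', 'fabrikam.com' and the OU are placeholders.
Import-Module ActiveDirectory
Import-Module MSOnline
Connect-MsolService -Credential (Get-Credential)

function Test-UpnReadiness {
    # Hypothetical helper name. Returns one object per user whose UPN is
    # missing or whose suffix is not a verified cloud domain.
    param(
        [string] $SearchBase = 'OU=Users,DC=fabrikam,DC=local'
    )

    # Domains the tenant has proven ownership of; Azure AD will not accept an
    # unverified (or .local) suffix as a UPN suffix for a synchronized user.
    $verified = Get-MsolDomain -Status Verified | ForEach-Object { $_.Name.ToLower() }

    # UPN suffixes the forest offers: the root domain DNS name plus any
    # alternative suffixes added to the forest.
    $forest   = Get-ADForest
    $suffixes = @($forest.RootDomain) + @($forest.UPNSuffixes) | ForEach-Object { $_.ToLower() }

    Write-Host "Verified cloud domains: $($verified -join ', ')"
    Write-Host "Forest UPN suffixes   : $($suffixes -join ', ')"
    $unusable = $suffixes | Where-Object { $_ -notin $verified }
    if ($unusable) { Write-Warning "Suffixes with no verified cloud domain: $($unusable -join ', ')" }

    Get-ADUser -Filter * -SearchBase $SearchBase -Properties UserPrincipalName, mail |
        ForEach-Object {
            $upn = $_.UserPrincipalName
            $problem = $null
            if (-not $upn) {
                $problem = 'no UPN set'
            } else {
                $suffix = ($upn -split '@')[-1].ToLower()
                if ($suffix -notin $verified) { $problem = "suffix '$suffix' is not a verified cloud domain" }
            }
            if ($problem) {
                [pscustomobject]@{
                    SamAccountName = $_.SamAccountName
                    UPN            = $upn
                    Mail           = $_.mail
                    Problem        = $problem
                }
            }
        }
}

$bad = @(Test-UpnReadiness)
if ($bad.Count -gt 0) {
    $bad | Format-Table -AutoSize
    # Typical fix for a '.local' suffix, to run only after reviewing $bad:
    # add the public suffix to the forest and rewrite the UPNs, keeping the prefix.
    # Set-ADForest -Identity 'fabrikam.local' -UPNSuffixes @{Add = 'fabrikam.com'}
    # $bad | Where-Object UPN | ForEach-Object {
    #     Set-ADUser -Identity $_.SamAccountName -UserPrincipalName (($_.UPN -split '@')[0] + '@fabrikam.com')
    # }
} else {
    'All users have a UPN whose suffix is a verified cloud domain.'
}
```

Run it before the initial synchronization: a user that syncs with an unusable suffix ends up in the cloud under the tenant's onmicrosoft.com name and cannot sign in with the UPN the slide says they must use.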

  20. DirSync: Installation • Download and install the Directory Sync tool • Installation can take up to 10 minutes

  21. DirSync: Configure • Start the DirSync Configuration wizard • Specify Windows Azure AD credentials • Specify AD credentials • Enable hybrid deployment (if required): gives the DirSync service account limited write permission to on-prem AD

  22. DirSync: Password Sync • Password synchronization is a feature of the Sync tool • Synchronizes on-prem passwords to WAAD • Users can use the same password in the cloud and on-prem • No SSO • Extracts the password hash from AD (what is sent is a further hash of that hash; the clear-text password never leaves AD) and overwrites the cloud password • The initial dirsync synchronizes all passwords • When a user changes the on-prem password, the tool detects it and synchronizes it (within minutes)

  23. DirSync: Password Sync • Password complexity policy: on-prem policies override cloud policies for synchronized users • Password expiration policy: the cloud user's password is set to "Never Expire" (expiry is enforced on-prem, and the new password is synchronized)

  24. DirSync: Manage • PowerShell: %ProgramFiles%\Windows Azure Active Directory Sync\DirSyncConfigShell.psc1 • Add-PSSnapin Coexistence-Configuration • List the cmdlets: Get-Command -PSSnapin Coexistence-Configuration

  25. DirSync: Synchronize • Automatically: every 3 hours • Manually: PowerShell (Start-OnlineCoexistenceSync) or the Configuration Wizard (Start menu – Directory Sync Configuration)
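A manual synchronization run with the verification a practitioner wants afterwards, as an added example that is not part of the deck; it covers slides 17, 22, 23 and 25 (service account location, password sync, never-expire, manual sync). The cmdlets are the real ones from the Coexistence-Configuration snap-in, the ActiveDirectory module and the MSOnline module; the helper name Invoke-DirSyncAndVerify and the 15-minute timeout are assumptions, and the script assumes it runs on the DirSync server.

```powershell
# Added example (not from the deck): start a DirSync run by hand and confirm
# on the cloud side that it completed. Assumes it runs on the DirSync server
# (for the Coexistence-Configuration snap-in) with the ActiveDirectory and
# MSOnline modules available.
Import-Module ActiveDirectory
Import-Module MSOnline
Add-PSSnapin Coexistence-Configuration
Connect-MsolService -Credential (Get-Credential)

function Invoke-DirSyncAndVerify {
    # Hypothetical helper name wrapping Start-OnlineCoexistenceSync.
    param(
        [string] $ServiceAccount = 'MSOL_AD_SYNC',
        [int]    $TimeoutMinutes = 15
    )

    # Slide 17: the service account must stay where setup created it (Users
    # container); a moved or deleted account breaks every later run.
    $svc = Get-ADUser -Filter "SamAccountName -eq '$ServiceAccount'"
    if (-not $svc) { throw "Service account $ServiceAccount not found in AD" }
    if ($svc.DistinguishedName -notlike 'CN=*,CN=Users,DC=*') {
        Write-Warning "$ServiceAccount is not in the Users container: $($svc.DistinguishedName)"
    }

    $before = Get-MsolCompanyInformation
    Start-OnlineCoexistenceSync

    # The run is asynchronous: poll until LastDirSyncTime moves past the value
    # seen before the run, or give up after the timeout.
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds 30
        $info = Get-MsolCompanyInformation
    } until ($info.LastDirSyncTime -gt $before.LastDirSyncTime -or (Get-Date) -gt $deadline)

    if ($info.LastDirSyncTime -le $before.LastDirSyncTime) {
        Write-Warning "LastDirSyncTime did not advance within $TimeoutMinutes minutes; check the sync server's event log"
    }

    $users = Get-MsolUser -All
    [pscustomobject]@{
        DirSyncEnabled       = $info.DirectorySynchronizationEnabled
        LastDirSyncTime      = $info.LastDirSyncTime
        PasswordSyncEnabled  = $info.PasswordSynchronizationEnabled
        LastPasswordSyncTime = $info.LastPasswordSyncTime
        # ImmutableId is only set on objects that came from on-prem AD.
        SyncedUsers          = @($users | Where-Object { $_.ImmutableId }).Count
        CloudOnlyUsers       = @($users | Where-Object { -not $_.ImmutableId }).Count
    }
}

Invoke-DirSyncAndVerify | Format-List

# Slides 22-23: every synchronized user should have the cloud password set to
# never expire, because the on-prem policy governs them. Anything listed here
# is a synced user whose expiry is still enforced by the cloud policy.
Get-MsolUser -All |
    Where-Object { $_.ImmutableId -and -not $_.PasswordNeverExpires } |
    Select-Object UserPrincipalName, LastDirSyncTime |
    Format-Table -AutoSize
```

LastPasswordSyncTime lagging LastDirSyncTime by more than a few minutes is the first thing to check when users report that a password change worked on-prem but not in the cloud.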

  26. Demo

  27. Federated IDs + Dirsync Active Directory Federation Services

  28. Federated Identities • Across on-prem and cloud services • Single identity • Single sign-on • User management happens on-prem • On-prem AD is used to sign in and authenticate • Requires the following services: directory synchronization and a federation service

  29. Identity Federation (diagram; the numbered steps 1-10 are not recoverable from the transcript): a user from Fabrikam.com (identity provider: AD with an AD FS STS) accesses a relying party at Contoso.com (web server https://web.contoso.com, with its own AD and STS); after home realm discovery, the Fabrikam STS issues a SAML security token across the federation trust carrying claims such as Name = Els, Email = Els@Fabrikam.com, Age = 38, which the relying-party STS accepts; the same pattern works with other identity providers such as Shibboleth on Unix, Azure ACS, Live ID, Google ID and Facebook

  30. Identity Federation with Azure (diagram): on-premises, the user authenticates against Active Directory; AD FS issues a SAML 1.1 logon token containing the UPN (user@contoso.com) and the Source User ID (ABC123, the immutable ID that DirSync also writes to Azure AD) to the MS Federation Gateway in the Windows Azure platform; the gateway issues its own auth token with the UPN and a Unique ID (254729) to Exchange Online

  31. AD FS Deployment Options (diagram: Active Directory and the AD FS servers on the internal network serve internal users; AD FS proxies in the perimeter network serve external users, so only the proxy, never the AD FS server itself, is reachable from the internet) • Single server configuration • AD FS server farm and load-balancer • AD FS proxy server or UAG/TMG (external users, ActiveSync, Outlook)

  32. Federation: AD FS • Requirements: Windows Server 2008 (R2) – 2012 (R2) • AD FS 2.0 / AD FS 3.0 • Public, validated domain name • SSL certificate (publicly trusted, issued for the federation service name) • MS Online Services Module for PS • MS Online Sign-In Assistant

  33. Federation: AD FS • Install AD FS • WS2012 (R2): Add roles and features • WS2008: download and install AD FS

  34. Federation: AD FS • Run the AD FS Configuration Wizard • Create a new Federation Service: federation farm or stand-alone server • Select the SSL certificate (AD FS certificate) • Federation service name: adfs.fabrikam.com • Create a Host (A) record for the federation service in DNS

  35. Federation: AD FS • Install MS Online Sign-In Assistant • Install MS Online Services Module for PS • Configure trust with Microsoft Online Services via PowerShell: Connect-MsolService -Credential $cred • Convert-MsolDomainToFederated -DomainName fabrikam.com
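The trust configuration from slides 32-35 with the checks around it, as an added example that is not part of the deck: it refuses to convert a domain that is unverified or the tenant's initial domain, runs the conversion, and then reads back what Microsoft Online now believes about the federation service, including the token-signing certificate it will trust. The cmdlets (Get-MsolDomain, Set-MsolADFSContext, Convert-MsolDomainToFederated, Get-MsolDomainFederationSettings, Update-MsolFederatedDomain) are the real MSOnline ones; the helper name, fabrikam.com, adfs.fabrikam.com and the 60-day warning window are assumptions.

```powershell
# Added example (not from the deck): federate a verified domain and verify the
# resulting trust. Assumes the MSOnline module and Sign-In Assistant are
# installed on a machine that can reach the AD FS server; 'fabrikam.com' and
# 'adfs.fabrikam.com' are placeholders.
Import-Module MSOnline
Connect-MsolService -Credential (Get-Credential)

function Convert-DomainToFederatedChecked {
    # Hypothetical helper name around Convert-MsolDomainToFederated.
    param(
        [Parameter(Mandatory)] [string] $DomainName,
        [Parameter(Mandatory)] [string] $AdfsServer
    )

    $domain = Get-MsolDomain -DomainName $DomainName
    # Only a verified, non-initial domain can be federated; the initial
    # *.onmicrosoft.com domain always stays managed.
    if ($domain.Status -ne 'Verified') { throw "$DomainName is not verified (status: $($domain.Status))" }
    if ($domain.IsInitial) { throw "$DomainName is the initial domain and cannot be federated" }

    if ($domain.Authentication -eq 'Federated') {
        Write-Warning "$DomainName is already federated; skipping conversion"
    } else {
        # Tell the MSOnline cmdlets which AD FS server to configure (needed
        # when this is not run on the AD FS server itself), then convert.
        Set-MsolADFSContext -Computer $AdfsServer
        Convert-MsolDomainToFederated -DomainName $DomainName
    }

    # Read back the trust as stored on the Microsoft Online side.
    $fed = Get-MsolDomainFederationSettings -DomainName $DomainName
    $certBytes = [Convert]::FromBase64String($fed.SigningCertificate)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$certBytes)

    [pscustomobject]@{
        Domain             = $DomainName
        Authentication     = (Get-MsolDomain -DomainName $DomainName).Authentication
        IssuerUri          = $fed.IssuerUri
        PassiveLogOnUri    = $fed.PassiveLogOnUri
        ActiveLogOnUri     = $fed.ActiveLogOnUri
        SigningCertThumb   = $cert.Thumbprint
        SigningCertExpires = $cert.NotAfter
    }
}

$result = Convert-DomainToFederatedChecked -DomainName 'fabrikam.com' -AdfsServer 'adfs.fabrikam.com'
$result | Format-List

# The token-signing certificate is what Microsoft Online uses to trust tokens
# from our AD FS. When AD FS rolls it over, the cloud copy must be refreshed
# (Update-MsolFederatedDomain -DomainName 'fabrikam.com'), otherwise every
# federated sign-in fails; warn well before expiry.
if ($result.SigningCertExpires -lt (Get-Date).AddDays(60)) {
    Write-Warning "Token-signing certificate expires $($result.SigningCertExpires); schedule the rollover"
}
```

The PassiveLogOnUri is the endpoint every federated user is redirected to from the cloud, so it must resolve to the proxy for external users and to the internal farm for internal users (the split-DNS arrangement behind slide 31).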

  36. Federation: Test • Create an account in local AD; the UPN suffix must be your domain name (fabrikam.com) • Synchronize the account to Azure AD • Add application licenses • Prepare the client PC: install the Sign-In Assistant; add the AD FS URL to the Intranet zone in IE • Sign in to the client PC as the test user • Browse to https://portal.microsoftonline.com • Enter the username (user@fabrikam.com)
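A pre-flight check for the test in the slide above, as an added example that is not part of the deck: before attempting the browser sign-in it confirms each prerequisite the slide lists (AD account with the federated UPN, domain federated, account synced and licensed, AD FS reachable, AD FS host in the Intranet zone). The cmdlets and the ZoneMap registry layout are real; the helper name, the test UPN and the AD FS host are assumptions.

```powershell
# Added example (not from the deck): verify the prerequisites of a federated
# sign-in test from the client PC. Assumes the ActiveDirectory and MSOnline
# modules are available there; 'testuser@fabrikam.com' and 'adfs.fabrikam.com'
# are placeholders.
Import-Module ActiveDirectory
Import-Module MSOnline
Connect-MsolService -Credential (Get-Credential)

function Test-FederatedSignInReadiness {
    # Hypothetical helper name. Returns an ordered table of check -> pass/fail.
    param(
        [Parameter(Mandatory)] [string] $Upn,
        [Parameter(Mandatory)] [string] $AdfsHost
    )
    $suffix = ($Upn -split '@')[-1]
    $checks = [ordered]@{}

    # 1. The account exists on-prem with the federated UPN suffix.
    $ad = Get-ADUser -Filter "UserPrincipalName -eq '$Upn'"
    $checks['AD account with this UPN'] = [bool]$ad

    # 2. The UPN suffix is a federated domain in the tenant.
    $domain = Get-MsolDomain -DomainName $suffix -ErrorAction SilentlyContinue
    $checks['Domain federated in tenant'] = ($domain -and $domain.Authentication -eq 'Federated')

    # 3. DirSync created the cloud object (ImmutableId set) and it is licensed.
    $cloud = Get-MsolUser -UserPrincipalName $Upn -ErrorAction SilentlyContinue
    $checks['Synced to Azure AD'] = [bool]($cloud -and $cloud.ImmutableId)
    $checks['Licensed']           = [bool]($cloud -and $cloud.IsLicensed)

    # 4. AD FS answers over HTTPS with a certificate this client trusts. The
    #    federation metadata endpoint is anonymous, so it is a harmless probe;
    #    a certificate error surfaces here as an exception.
    try {
        $meta = Invoke-WebRequest -Uri "https://$AdfsHost/FederationMetadata/2007-06/FederationMetadata.xml" -UseBasicParsing
        $checks['AD FS metadata reachable'] = ($meta.StatusCode -eq 200)
    } catch {
        $checks['AD FS metadata reachable'] = $false
    }

    # 5. The AD FS host is in IE's Local intranet zone (zone 1) for https, so
    #    integrated Windows authentication is used instead of a forms prompt.
    #    Per-user mapping lives under ZoneMap\Domains\<domain>\<host>; a GPO-
    #    pushed mapping sits under the Policies hive instead and is not read here.
    $labels  = $AdfsHost -split '\.'
    $zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\{0}\{1}' -f `
        ($labels[1..($labels.Count - 1)] -join '.'), $labels[0]
    $zone = (Get-ItemProperty -Path $zoneKey -Name https -ErrorAction SilentlyContinue).https
    $checks['AD FS URL in Intranet zone'] = ($zone -eq 1)

    foreach ($k in $checks.Keys) {
        Write-Host ('{0,-28} {1}' -f $k, $(if ($checks[$k]) { 'OK' } else { 'FAIL' }))
    }
    return $checks
}

$null = Test-FederatedSignInReadiness -Upn 'testuser@fabrikam.com' -AdfsHost 'adfs.fabrikam.com'
```

Only when all five lines read OK is a failed sign-in at portal.microsoftonline.com worth debugging on the AD FS side; otherwise the failure is in the setup steps the slide lists.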

  37. Demo

  38. Give Me Feedback • And take home the Lumia 1320 • Present your feedback form when you exit the last session & go for the drink

  39. Be the first to know • Follow TechNet Belgium @technetbelux • Subscribe to the TechNet newsletter: aka.ms/benews

  40. Belgium's biggest IT PRO conference
