
Surviving the Triangle: Shibboleth, ADFS, Office 365



  1. Surviving the Triangle: Shibboleth, ADFS, Office 365
  An Adventure Story of the High Seas by: J. Greg Mackinnon, Systems Architect (Not a Ship Captain), Enterprise Technology Services, University of Vermont

  2. Overview: “Fun Parts” Edition (FUN = PAIN x TIME):
  • Design an AD FS / Shibboleth / Office 365 solution for our school.
  • Deploy Active Directory Federation Services on Windows Server 2012 R2 (“ADFS 3.0”)
  • Integrate AD FS with existing Shibboleth 2 IdP
  • Sync on-premises Active Directory to Azure AD/Office 365 using the Windows Azure Active Directory Sync Tool (DirSync)*
  • Provision users with Office 365 services using PowerShell, using the Microsoft Azure Active Directory Module for Windows PowerShell (formerly “Microsoft Online Services Module for Windows PowerShell”).
  • Simplify access to Office 365 using Smart Links
  • Overcome presentation boredom through exciting narrative tools.

  3. Assumptions: • Familiarity with concepts behind: • Federated SSO • AD FS • Shibboleth • Office 365 / Azure AD • Claims Authentication

  4. Act 1: The Gathering Storm

  5. Scene 1: A Gift Horse is Presented • Spring 2014: The Student Advantage program is announced: Free Office software for all students at institutions with Office site licenses for faculty and staff. Three cheers for Microsoft!

  6. Scene 2: The Gift Becomes a Task • Provision Office 365 Pro Plus to 14,000+ active students • Do not provision services to faculty/staff • Make it work with the existing UVM Web Single Sign-On system. • Do not disclose any information other than Name, NetID, and active student status to Microsoft. For students requesting additional privacy protection under FERPA, do not even disclose Name. • Do it all before students get back on campus. • Your budget is $0.

  7. Scene 3: Backstory Time! [The Slides you Hate] • University of Vermont: • Land grant school founded by Ira Allen “a long time ago”. • Over 1,300 faculty, perhaps 2,200 staff • [MORE BORING NUMBERS NUMBERS] 14 thousand something students • Enterprise Technology Services • Central IT Services for the institution, 60+ employees, about half of all IT pros on campus. • Systems Architecture and Administration • 9 System Admins • 3 Windows guys • We do it all, with probably the lowest support ratios of any peer institutions

  8. Scene 3 (Continued): The Cast of Characters Our plucky IT Hero: The dastardly villains: The ship’s crew: The mysterious benefactor: Colorful Characters:

  9. Scene 4: Core Technologies Debated
  • BOSS: UVM web services will use a single web SSO solution. (WebAuth)
  • The Boss notes that MS supports Shibboleth as an Identity Provider for Office 365:
    • http://blogs.office.com/2014/03/06/announcing-support-for-saml-2-0-federation-with-office-365/
    • http://technet.microsoft.com/en-us/library/jj205456
  • But Boss, read the fine print… Office 365 ProPlus licensing is not supported with Shibboleth as the primary identity provider!
  • IT Hero: AD FS is already in pre-production for a SharePoint 2013 upgrade project. Let’s do interop!
    • AD FS provides the broadest client support (at present).
    • AD FS lets “Microsoft be Microsoft”. (Support for WS-Federation “active authentication scenarios” in addition to SAML 1 and 2)
    • Supports Windows Authentication (allows single sign-on from the Windows desktop)
    • Added benefit of the Web Application Proxy service, which can aid with NTLM remediation.

  10. Scene 4 (continued): The Best Laid Plans… • A service architecture is developed • An authentication workflow is mapped

  11. Service Architecture: Work To Do [BACK]

  12. Federated SSO: The Whole Ugly Truth [FLIP]

  13. Scene 5: A Likely Conversation
  • IT Hero: ‘Hey Boss… this whole Federated SSO thing is really complicated. Have you seen this diagram of the planned authentication workflow?’
  • Boss: ‘Yeah… What’s your point? That’s what we do.’
  • (But is SCALE x COMPLEXITY > SKILL? Let’s find out!)

  14. Act 2: The Adventure Begins

  15. Scene 1: Our Heroes Tackle an Easy Task (AD FS production deployment):
  • For HA deployments, have a SQL Server ready
  • Install the AD FS role (2+ Servers)
  • Configure the role (2+ Servers)
  • Install and configure the Web Application Proxy Role

  16. Scene 1 (continued) [FX: cue thunder clap]: Load Balancing AD FS
  • Use F5 Load Balancer in “Direct Server Return”, or “nPath Routing” mode. [LINK]
  • F5 monitor for HTTPS services on ADFS servers fails!
    • ADFS 3.0 runs in HTTP.SYS: Requires SNI. OpenSSL 0.98 libraries on F5 do not support SNI. [LINK]
  • Use NETSH to add an additional http.sys binding for “legacy” clients. This will be helpful with Shibboleth interoperability as well. [LINK]

  17. Scene 2: The Crew Conquers AD FS / Shibboleth Interoperability, With a Little Help From Friends.
  • Get the whitepaper: http://technet.microsoft.com/en-us/library/gg317734(v=ws.10).aspx
  • Back to school: A Claims Interoperability Primer… [LINK]
  • Set up Claims Provider Trust in AD FS:
    • Reduce token signing requirement to SHA1 (default is SHA256) [LINK]
    • Must use NETSH to allow ADFS to accept non-SNI connections. (Java SSL libraries used in our Shibboleth deployment do not support SNI.)
  • Set up Relying Party Trust in Shibboleth:
    • Import token signing certificate into Shibboleth
    • Play with XML configuration files (Note OID of released attributes) [LINK]

  18. Scene 2 (continued): Beyond the Whitepaper
  • ADFS now generates tokens based on Shib tokens, but how do I get useful AD data into the token?
  • A knowledgeable old salt stops in to explain Claims Transformation Language. [LINK]
  • The Divine Secrets of Claims Transformation Language allow Microsoft applications to natively consume claims generated by Shibboleth.

  19. Scene 3: A Foray Under the Storm Clouds
  • Set up an Office 365 Tenant [LINK]
    • Select “Office 365 Education E3 for Students Trial”, and then add “E1” licenses to your Tenant.
    • Plan for UPN-based authentication:
      • Does AD UPN match the Shibboleth ePPN?
      • Does the AD UPN match a domain configured in Office 365?
  • Enroll for the Student Advantage Program*
    • Get your EES program administrator to accept a $0 Purchase Order
    • Contact Microsoft Sales to assign Student Advantage licenses to your tenant.
    • Request more licenses
    • Request even more licenses
  • Install and Configure DirSync [LINK]
    • Create Office 365 sync account (*onmicrosoft.com recommended)
    • Create AD sync account
    • Apply ACLs to satisfy UVM legal privacy requirements
    • Configure attribute filtering
  • Apply PowerShell-Foo to assign licenses to students. [LINK]

  20. Scene 4: A Plan Comes Together
  • Hero: “It all works! Hurray, time to take vacation!”
  • Boss: “This user experience is unacceptable! Fix it!” [LINK]
  • Create Smart Links to make it all invisible:
    • https://adfs.uvm.edu/adfs/ls/?wa=wsignin1.0&wtrealm=urn:federation:MicrosoftOnline&wctx=wa%253Dwsignin1.0%2526rpsnv%253D3%2526ver%253D6.4.6456.0%2526wp%253DMCMBI%2526wreply%253Dhttps:%25252F%25252Fportal.office.com%25252Flanding.aspx%25253Ftarget%25253D%2525252fOLS%2525252fMySoftware.aspx%2526lc%253D1033%2526id%253D501392%2526%2526LoginOptions%253D3
    • http://go.uvm.edu/getoffice [LINK]
  • BUT is this really simpler?

  21. Federated SSO: “Simplified” with Smart Links [FLIP]

  22. Scene 5: Students Invade Campus, and Our Hero Takes a Vacation
  • The Client Services team prepares “Go: Get Office” materials for residence halls and for students picking up new computers.
  • 1,256 downloads in the first month. (First-time student count is approximately 2,450)
  • Zero Complaints (Or if there were, they were not heard from the Outer Banks, NC.)

  23. Epilogue: Full of sound and fury, signifying nothing.
  • September 15th, 2014: Microsoft releases “Azure Active Directory Sync Services”, obsoleting DirSync only three weeks after UVM go-live.
  • September 20th, 2014: Microsoft ‘enhances’ the Student Advantage program with email-address-based opt-out self-enrollment.
  • October 1st, 2014: Rumors arise that Office 365 Pro Plus will be made available to all Faculty and Staff for EES customers with coverage for Office software.

  24. Epilogue: Full of sound and fury, signifying nothing something. Unified SSO Achieved Cloud Ready

  25. THE END Follow up questions to: mailto: gregory.mackinnon@uvm.edu Twitter: @jgregmac LinkedIn: Facebook: j.greg.mackinnon Ello: @jgreg And more fun at: http://blog.uvm.edu/jgm

  26. Resources:
  • F5 Guide to Layer 4 nPath Routing (Direct Server Return):
    • General guidance from F5: http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_implementations_guide_10_1/sol_npath.html
    • Specific directions for configuring Loopback on Server 2008+: http://blog.uvm.edu/jgm/2010/12/02/f5-layer-4-server-2008/
  • AD FS:
    • Windows Server 2012 R2 AD FS Deployment Guide: http://technet.microsoft.com/en-us/library/dn486820.aspx
    • Step-by-Step Guide: Federation with Shibboleth 2 and the InCommon Federation: http://technet.microsoft.com/en-us/library/gg317734(v=ws.10).aspx
    • HTTP.SYS Binding and SNI at UVM (SharePoint Configuration Entry): http://blog.uvm.edu/jgm/2014/03/18/sharepoint-2013-adfs-shibboleth-the-motion-picture/
    • User Alternate Login IDs with ADFS and Office 365: http://blogs.perficient.com/microsoft/2014/04/office-365-configuring-ad-fs-dirsync-with-an-alternate-login/

  27. Resources (continued…):
  • Claim Rule Language References:
    • Primer: http://blogs.technet.com/b/askds/archive/2011/10/07/ad-fs-2-0-claims-rule-language-primer.aspx
    • “Understanding Claim Rule Language” [HA!]: http://social.technet.microsoft.com/wiki/contents/articles/4792.understanding-claim-rule-language-in-ad-fs-2-0-higher.aspx
    • Regular Expressions in Claim Rule Language: http://social.technet.microsoft.com/wiki/contents/articles/16161.ad-fs-2-0-using-regex-in-the-claims-rule-language.aspx
    • Attribute Stores and Queries: The Ugly Internals: http://technet.microsoft.com/en-us/library/adfs2-help-attribute-stores%28WS.10%29.aspx
    • AD FS Claims Rule Language Deep Dive (with Win-HiEd favorite Laura Hunter!): https://www.youtube.com/watch?v=G279c_5tHfs
    • UVM Transformations for Sharepoint 2013: http://blog.uvm.edu/jgm/2014/03/18/sharepoint-2013-adfs-shibboleth-the-motion-picture/
  • DirSync:
    • Download: http://go.microsoft.com/fwlink/?LinkID=278924
    • Setup of Directory Sync computer: http://technet.microsoft.com/en-us/library/dn441213.aspx
    • Release History (useful for determining if you have the current release): http://social.technet.microsoft.com/wiki/contents/articles/18429.dirsync-directory-sync-tool-version-release-history.aspx
    • Deploy “Directory Sync with Single Sign-On” scenario for Office 365: http://technet.microsoft.com/en-us/library/dn441213.aspx
    • Handling the “Replicating Directory Changes” permission: http://support.microsoft.com/kb/303972

  28. Resources (continued…):
  • Azure AD Module for PowerShell:
    • Download (always get the latest version!): http://go.microsoft.com/fwlink/p/?linkid=236297
    • Provisioning students with O365 ProPlus using PowerShell at UVM: http://blog.uvm.edu/jgm/2014/07/30/provisioning-students-with-office-365-proplus-licenses/
  • Microsoft Azure Active Directory Sync Services (DirSync, the next generation):
    • http://www.microsoft.com/en-us/download/details.aspx?id=44225
  • Microsoft guide to creating Smart Links:
    • http://community.office365.com/en-us/w/sso/358.using-smart-links-or-idp-initiated-authentication-with-office-365.aspx?Sort=MostRecent&PageIndex=1

  29. nPath Routing (Direct Server Return):
  • The Load Balancer forwards the entire Layer 4 TCP packet to the back-end server.
    • Reduces load on the expensive F5
    • Reduces complexity of the configuration:
      • Only one SSL certificate needed.
      • No complex SSL termination and re-encapsulation at the load balancer.
    • Kerberos-compatible.
  • Each back-end server has the IP address for the cluster assigned to a “loopback” adapter with a 28-bit netmask. Each back-end “thinks” it has the cluster IP.
  • The back-end server forwards the incoming packet from its public interface to the loopback interface.
  • The back-end server replies directly to the client.
  • [BACK]

  30. HTTP.SYS Binding (1 of 2)
  • Modern browsers (and SSL Libraries) support the SNI, or “server_name” extension.
  • Older Java runtimes (1.6), OpenSSL libraries (0.98), and IE6 do not support SNI.
  • [BACK]

  31. HTTP.SYS Binding (2 of 2)
  • On each ADFS server and proxy, open an elevated command prompt
  • Run> netsh http show sslcert
        Hostname:port                : adfs.uvm.edu:443
        Certificate Hash             : aBunchOfRandomLookingNumbers
        Application ID               : {yet-another-ugly-product-guid}
        Certificate Store Name       : MY
        Verify Client Certificate Revocation : Enabled
        Verify Revocation Using Cached Client Certificate Only : Disabled
        …
  • Record the certificate hash and application ID for the certificate used by ADFS
  • Run> netsh http add sslcert ipport=0.0.0.0:443 certhash=aBunchOfRandomLookingNumbers appid={yet-another-ugly-product-guid}
  • [BACK]
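The two netsh steps on this slide, scripted so the certificate hash and application ID are read from the SNI binding instead of being copied by hand. This is an added example, not the presenter's own script; it assumes the farm name adfs.uvm.edu shown on the slide, and the function names are mine. Run it from an elevated PowerShell prompt on each AD FS server and Web Application Proxy.

```powershell
# Added example (not from the presentation): automate slide 31's "netsh http show sslcert" /
# "netsh http add sslcert" steps. Assumption: the SNI binding to copy is adfs.uvm.edu:443.
$AdfsHostname = 'adfs.uvm.edu'
$LegacyIpPort = '0.0.0.0:443'   # non-SNI binding for Java 1.6 / OpenSSL 0.9.8 era clients

function Get-HttpSysSniBinding {
    # Parse "netsh http show sslcert" and return the hash and appid of one Hostname:port entry.
    param([string]$Hostname, [int]$Port = 443)
    $wanted  = "${Hostname}:${Port}"
    $inBlock = $false
    $hash = $null; $appId = $null
    foreach ($line in (& netsh http show sslcert)) {
        # Every binding starts with a "Hostname:port" (SNI) or "IP:port" (classic) label line.
        if ($line -match '^\s*(Hostname|IP):port\s*:\s*(\S+)') {
            $inBlock = ($Matches[1] -eq 'Hostname' -and $Matches[2] -eq $wanted)
            continue
        }
        if (-not $inBlock) { continue }
        if ($line -match '^\s*Certificate Hash\s*:\s*([0-9a-fA-F]+)')     { $hash  = $Matches[1] }
        if ($line -match '^\s*Application ID\s*:\s*(\{[0-9a-fA-F-]+\})') { $appId = $Matches[1] }
        if ($hash -and $appId) { break }
    }
    if (-not ($hash -and $appId)) { throw "No http.sys SNI binding found for $wanted" }
    [pscustomobject]@{ CertHash = $hash; AppId = $appId }
}

function Add-LegacyHttpSysBinding {
    # Add the non-SNI binding using the same certificate and application ID as the SNI one,
    # so legacy clients get the same AD FS certificate and AD FS still owns the binding.
    param([string]$IpPort, [string]$CertHash, [string]$AppId)
    $existing = & netsh http show sslcert "ipport=$IpPort"
    if (($existing -join "`n") -match 'Certificate Hash') {
        Write-Warning "A binding for $IpPort already exists; nothing changed."
        return
    }
    & netsh http add sslcert "ipport=$IpPort" "certhash=$CertHash" "appid=$AppId"
    if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed (exit code $LASTEXITCODE)" }
}

$sni = Get-HttpSysSniBinding -Hostname $AdfsHostname
Add-LegacyHttpSysBinding -IpPort $LegacyIpPort -CertHash $sni.CertHash -AppId $sni.AppId
& netsh http show sslcert "ipport=$LegacyIpPort"   # confirm the new binding
```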

  32. A Claims Interoperability Primer:
  • Guidance available from Microsoft!
  • Claims Authentication:
    • An Internet-friendly, token-based authentication system.
    • SAML 1, SAML 2, and WS-Federation
  • Security Token Service (STS):
    • A service that generates claims tokens. (ADFS, Shibboleth)
    • In Shibboleth terms, an Identity Provider (IdP)
  • Claim (ADFS) = Attribute (Shib2) = Assertion (Shib1)
  • Relying Party (RP) = Service Provider (SP)
  • Claim Provider Trust:
    • A back-end source of user data (AD, LDAP, SQL, or other SAML provider)
  • AD FS 2 and Shibboleth 2 are both SAML 2 token providers
    • Different Claim Description formats hamper interoperability.
  • [BACK]

  33. AD FS Claims Provider Trust Configuration
  • You may need to set the ‘secure hash algorithm’ to “SHA-1”.
  • Transform Shibboleth/InCommon “attributes” into “claims” that can more easily be used by Microsoft applications.
  • [BACK]

  34. Shibboleth Relying Party Trust Configuration
  • Relying Parties to the IdP are defined in a file (i.e. relying-party.xml).
  • With AD FS 2+, you will need to import your ADFS token signing certificate into the IdP config:
    • Get the token signing cert from the AD FS console
    • View the certificate
    • Export in Base64 (PEM) format

  35. Shibboleth RP Configuration (continued)
  • Attribute release rules are controlled in an “Attribute Filters” file (i.e. attribute-filters.xml).
  • Attributes to be released generally are grouped into policies (i.e. uvm-common).
  • Displayed attributeID values are friendly names for the attributes, as defined in a resolver file (attribute-resolver.xml).
  • Note both old (and sane) SAML1 names, and new (incomprehensible) SAML2 names.
  • [BACK]

  36. Divine Secrets of the Claims Transformation Language (1 of 3)
  • Hard task: Convert Shib attribute “ePPN” to ADFS “UPN”
      c:[Type == "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"]
       => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

  37. Divine Secrets of the Claims Transformation Language (2 of 3)
  • Difficult task: Convert ePPN domain suffix to match the AD UPN suffix:
      c:[Type == "urn:oid:1.3.6.1.4.1.5923.1.1.1.6", Value =~ "@uvm\.edu$"]
       => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = regexreplace(c.Value, "^(?<user>[^@]+)@(.+)$", "${user}@campus.ad.uvm.edu"), ValueType = c.ValueType);

  38. Divine Secrets of the Claims Transformation Language (3 of 3)
  • Seemingly Impossible Task: Augment incoming Shib claims with user attributes from AD: (Used for an on-premise SharePoint project)
      c:[Type == "urn:oid:1.3.6.1.4.1.5923.1.1.1.6", Value =~ "@uvm\.edu$"]
       => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = "samAccountName={0};tokenGroups;CAMPUS\foo", param = regexreplace(c.Value, "^(?<user>.+)@campus.ad.uvm.edu$", "${user}"));
  • [BACK]
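How the claims provider trust settings from slide 33 (SHA-1 signatures) and the ePPN-to-UPN rule from slide 37 are applied with the AD FS PowerShell module on the primary AD FS server, as an added example that is not part of the presentation. It assumes the claims provider trust for the Shibboleth IdP is named "UVM Shibboleth IdP" (my name, not the slides'); the OID, claim URI and suffixes are the ones shown on the slides.

```powershell
# Added example (not from the presentation): PowerShell equivalent of slides 33 and 37.
# Assumption: the claims provider trust is called "UVM Shibboleth IdP".
Import-Module ADFS

$CptName = 'UVM Shibboleth IdP'

# Slide 37's rule with a rule name so it reads well in the AD FS console. The here-string is
# single-quoted, so PowerShell leaves ${user} alone and the claim rule engine sees the regex group.
$AcceptanceRules = @'
@RuleName = "Shibboleth ePPN -> AD UPN (rewrite suffix)"
c:[Type == "urn:oid:1.3.6.1.4.1.5923.1.1.1.6", Value =~ "@uvm\.edu$"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
          Value = regexreplace(c.Value, "^(?<user>[^@]+)@(.+)$", "${user}@campus.ad.uvm.edu"),
          ValueType = c.ValueType);
'@

function Set-ShibbolethClaimsProviderTrust {
    param([string]$Name, [string]$Rules)
    $cpt = Get-AdfsClaimsProviderTrust -Name $Name
    if (-not $cpt) { throw "Claims provider trust '$Name' not found" }
    # Slide 33: the Shibboleth 2 IdP signs with SHA-1, so tell AD FS to expect rsa-sha1 instead of
    # the rsa-sha256 default; otherwise the IdP's tokens fail signature verification.
    # Move back to rsa-sha256 as soon as the IdP can sign with it.
    Set-AdfsClaimsProviderTrust -TargetName $Name `
        -SignatureAlgorithm 'http://www.w3.org/2000/09/xmldsig#rsa-sha1' `
        -AcceptanceTransformRules $Rules
    # Return what AD FS actually stored, for the change record.
    Get-AdfsClaimsProviderTrust -Name $Name |
        Select-Object Name, SignatureAlgorithm, AcceptanceTransformRules
}

Set-ShibbolethClaimsProviderTrust -Name $CptName -Rules $AcceptanceRules
```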

  39. Setup a new Office 365 Tenant
  • http://office.microsoft.com/en-us/academic/compare-office-365-education-plans-FX103045755.aspx
  • Domain considerations:
    • Must the O365 domain match the user’s ePPN/UPN suffix? (I.e. will the UPN someone@domain.com be used to log in to the O365 domain “domain.com”?)
    • If not, plan on:
      • Transforming the UPN suffix in the relying party trust with Office 365 (maybe?) -or-
      • Changing the UPN suffix for your AD users -or-
      • Using the supported Alternate Login ID method (see references)
  • Configure the domain for SSO using PowerShell:
      Set-MsolAdfscontext -Computer <AD FS primary server>
      Convert-MsolDomainToFederated -DomainName <domain>
  • [BACK]

  40. Configuring DirSync for Filtered Replication:
  • Dedicate a Windows Server OS:
    • Must use SQL Server Standard/Enterprise if >50,000 objects will be synchronized.
  • Installer will create an “MSOL_*” user account in your forest root domain:
    • Documentation claims the name will be “AAD_*”.
    • Assumption: MSOL account will not be able to read FERPA-protected data, because it is not in a group that can read this info.
    • Fact: The MSOL account syncs FERPA data anyway. WHY??!?!
    • MSOL is a powerful account with “Replicating Directory Changes” rights: http://support.microsoft.com/kb/303972
    • This right will need to be removed if you need to filter user attributes (regulatory compliance/privacy concerns).
    • OR, just create a new service account for DirSync (supported by Microsoft?)

  41. Configuring DirSync for Filtered Replication (continued):
  • DirSync is FIM-based. Same user interface as seen in FIM and the SharePoint User Profile Synchronization Tool.
  • Launch from: C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell\miisclient.exe
  • FIM has a lot of filtering options, but for DirSync, support is limited to filtering out whole domains, whole OUs, or filtering entire accounts based on a limited set of pre-defined attributes (e.g. extensionAttribute1).

  42. Configuring DirSync for Filtered Replication (continued):
  • Remove any explicit allow ACE that would allow non-privileged accounts to read FERPA-protected attributes. (Already Done!)
  • Grant access to required rights using inherited ACLs
  • Apply an inherited deny ACE that will block access to non-exportable user data.
  • Source: http://www.ntfs.com/ntfs-permissions-acl-use.htm

  43. Configuring DirSync for Filtered Replication (continued):
  • DirSync will read extensionAttribute1-15 values into the “metaverse”
  • Populate extensionAttribute1 with affiliation type data
  • Configure the agent to send only users with extensionAttribute1 = Student
  • [BACK]

  44. Provisioning Office 365 Users Using PowerShell
  • Requires “Microsoft Azure Active Directory Module for Windows PowerShell” (make sure you have the latest build!)
  • Azure-only accounts have password expiration: Set a reminder to prevent provisioning failures.
      > Connect-MsolService
      > Get-MsolUser -UnlicensedUsersOnly -Synchronized -All
      > Set-MsolUser -UsageLocation 'US'
      > Set-MsolUserLicense -AddLicenses [tenant]:OFFICESUBSCRIPTION_STUDENT
  • See the blog entry for more details.

  45. PowerShell Send-MailMessage
      Provisioning report for Office 365/Azure AD for: 10/13/2014 10:15:01 PM
      Office 365 ProPlus for Student - license report:
      Total licenses: 18000
      Consumed licenses: 15959
      Remaining licenses: 2041
      Retrieved active students from Active Directory.
      Active student count: 15335
      Retrieved unlicensed MSOL users.
      Unlicensed user count: 4
      Provisioning successfully completed at: 10/13/2014 10:15:22 PM
      Provisioned 0 accounts.
      Elapsed Time (hh:mm:ss): 0:0:21
  • [BACK]
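The four cmdlets from slide 44 turned into one scheduled run that checks SKU capacity before touching any account, licenses the synchronized users, and mails the counts shown in the slide 45 report. This is an added example, not the script from the presenter's blog. It assumes the SKU id "<tenant>:OFFICESUBSCRIPTION_STUDENT" (replace <tenant>), that students carry extensionAttribute1 = "Student" in AD as on slide 43, and placeholder mail settings; the function names are mine.

```powershell
# Added example (not the presenter's blog script): slides 44-45 as a capacity-checked provisioning run.
# Assumptions: SKU id below with <tenant> replaced; AD students have extensionAttribute1 = "Student";
# the mail addresses and SMTP server are placeholders.
Import-Module MSOnline
Import-Module ActiveDirectory

$SkuId         = '<tenant>:OFFICESUBSCRIPTION_STUDENT'
$UsageLocation = 'US'
$MailFrom = 'o365-provisioning@example.invalid'; $MailTo = 'it-ops@example.invalid'; $Smtp = 'smtp.example.invalid'

function Get-SkuCapacity {
    param([string]$Id)
    $sku = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -eq $Id }
    if (-not $sku) { throw "SKU '$Id' is not present in this tenant" }
    [pscustomobject]@{ Total = $sku.ActiveUnits; Consumed = $sku.ConsumedUnits
                       Remaining = $sku.ActiveUnits - $sku.ConsumedUnits }
}

function Grant-StudentLicenses {
    # Licenses every synchronized, unlicensed user; failures are collected, not fatal.
    param([string]$Id, [string]$Location)
    $cap   = Get-SkuCapacity -Id $Id
    $users = @(Get-MsolUser -UnlicensedUsersOnly -Synchronized -All)
    if ($users.Count -gt $cap.Remaining) {
        throw "Need $($users.Count) licenses but only $($cap.Remaining) remain; request more licenses first"
    }
    $done = 0; $failed = @()
    foreach ($u in $users) {
        try {
            # A UsageLocation is mandatory before any license can be assigned.
            if (-not $u.UsageLocation) {
                Set-MsolUser -UserPrincipalName $u.UserPrincipalName -UsageLocation $Location -ErrorAction Stop
            }
            Set-MsolUserLicense -UserPrincipalName $u.UserPrincipalName -AddLicenses $Id -ErrorAction Stop
            $done++
        } catch { $failed += "$($u.UserPrincipalName): $($_.Exception.Message)" }
    }
    [pscustomobject]@{ Capacity = $cap; Unlicensed = $users.Count; Provisioned = $done; Failed = $failed }
}

$start = Get-Date
# Sync account is an *.onmicrosoft.com user (slide 19); its password expires, so a failed
# Connect-MsolService here is the first symptom of the expiry the slide warns about.
Connect-MsolService -Credential (Get-Credential -Message 'Office 365 sync account')
$result   = Grant-StudentLicenses -Id $SkuId -Location $UsageLocation
$students = @(Get-ADUser -Filter "extensionAttribute1 -eq 'Student'").Count
$body = @"
Provisioning report for Office 365/Azure AD for: $start
Office 365 ProPlus for Student - license report:
Total licenses: $($result.Capacity.Total)  Consumed: $($result.Capacity.Consumed)  Remaining: $($result.Capacity.Remaining)
Active student count: $students
Unlicensed user count: $($result.Unlicensed)
Provisioned $($result.Provisioned) accounts; $($result.Failed.Count) failed.
$($result.Failed -join "`n")
Elapsed Time (hh:mm:ss): $((Get-Date) - $start)
"@
Send-MailMessage -From $MailFrom -To $MailTo -SmtpServer $Smtp -Subject 'Office 365 student provisioning' -Body $body
```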

  46. Frank Oobarthsen’s Sign-In Experience, Take 1: GOAL: Get to the login page, login successfully on the first try. [BACK]

  47. Frank Oobarthsen’s Sign-In Experience, Take 2: Enables Frank to login successfully on the first try. [BACK]
