Office 365 & Identity Federation
Bert Jan van der Steeg, SharePoint Consultant and trainer, bertjan@companio.nl

agenda
Intro
ADFS 2.0 Overview
Federated Authentication in Office 365
Single Sign On Configuration
IdM options
Identities used to access resources: on-premises (Active Directory) and cloud (Office 365).
Available options:
1. Separate credentials in the corporate directory and in Office 365
2. Migrate the existing credentials to Office 365
3. Identity federation with ADFS 2.0

IdM options: separate credentials
Painful to manage: separate password policies, multiple credentials to manage, management of the sign-in application (BPOS).
Sub-optimal user experience: log in each time the service is accessed, two accounts and/or passwords to manage, set-up of the sign-in application on every new computer used by each user (BPOS).

IdM options: migrate existing credentials
No more corporate credentials; credentials and resources live in the cloud. Fits small shops with no dedicated IT person and no local resources.

IdM options: identity federation
Credential management stays on-premises. A trust is established with the Federation Gateway, and Office 365 is the Relying Party.
Prerequisites: the domain's UPN suffix must be routable (a publicly registered domain), and you must own the domain (ownership is proven through the SSL certificate).
user accounts
Active Directory identity: contoso\charlie
Federated identity (identity federation): charlie@contoso.com
Microsoft Online identity (no federation): charlie@contoso.microsoftonline.com
ten steps Easy, right?
agenda (section: ADFS 2.0 Overview)
claims history Active Directory Federation Services 2.0
Claims Based AuthN
WS-Federation: architecture and specification for identity federation protocols
WS-Trust: describes the security token exchange procedures (request, issue, renew, validate)
SAML: standard for the exchange of authentication and authorization data (assertions) between security realms
[diagram] Federation topology: on-premises Users and AD sit behind ADFS 2.0; ADFS 2.0 holds a TRUST with the Azure-hosted Federation Gateway; the gateway fronts the Office 365 services (Provisioning Service, SharePoint Online, Exchange Online, Lync Online) and the Live ID identity provider. A second ADFS 2.0 instance shows the same pattern for Partner Resources alongside Corp. Resources.
federation gateway
Online service based on WS-* standards; the connection point into the federation ecosystem.
Billions of authentications daily; in production since 2006.
Trust provisioning service: checks domain ownership through the SSL certificate.
[diagram] adfs 2.0, a topology: requests from the cloud reach two ADFS proxies (adfsproxy 1, adfsproxy 2) in the perimeter network on https://adfs.contoso.com; the proxies forward to the internal ADFS 2.0 farm (adfs 1, adfs 2) on the same name. The SQL-backed farm is created with Fsconfig /createsqlfarm.
claims
Statements made about users which are understood and trusted by both partners in a federation: name, identity, group, role, privilege, capability.
Used for authorization purposes within applications.
Begin at the identity provider when the user provides credentials.
Inserted into security tokens (SAML tokens), which follow a secure, standardized method of packaging the data for transport to a trusted partner.
adfs claims engine
Stage 1, accepting claims: incoming claims from a Claims Provider Trust pass through that trust's acceptance transform rules.
Stage 2, authorizing claims: the Relying Party Trust's issuance authorization rules decide Permit or Deny.
Stage 3, issuing claims: the Relying Party Trust's issuance transform rules produce the outgoing claims.
adfs 2.0 components: trust relationships
AuthN store: Active Directory (claims provider). Target application: Office 365 (relying party).

adfs 2.0 components: endpoints
1. Passive federation endpoint: browser-based connections
2. Active federation endpoint: rich clients (Lync 2010)
3. EAS endpoint: ActiveSync, Outlook 2010, Exchange Web Services
adfs 2.0 components: claim rules (acceptance transform rules / issuance transform rules)
The three rules, in the order the data flows. The first looks the user up in Active Directory by sAMAccountName (the DOMAIN\ prefix is stripped from windowsaccountname) and returns the UPN and objectGUID; the objectGUID becomes the ImmutableID. The second copies the ImmutableID into the SAML NameID, which is what Office 365 matches against the directory-synchronized account. The third derives the issuerid from the UPN suffix, which is what allows one ADFS farm to federate several domains.

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/UPN", "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), query = "samAccountName={0};userPrincipalName,objectGUID;{1}", param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);

c:[Type == "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value = c.Value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");

c:[Type == "http://schemas.xmlsoap.org/claims/UPN"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value = regexreplace(c.Value, ".+@(?<domain>.+)", "http://${domain}/adfs/services/trust/"));
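To see what these rules will actually emit for an account before users are pointed at Office 365, the following PowerShell, an added example that is not part of the deck and not Microsoft tooling, replays the rule logic locally on an ADFS 2.0 server: it queries AD for the same attributes the first rule's attribute store query returns, encodes objectGUID the way the attribute store does (base64 of the 16 raw bytes), applies the issuerid regex from the third rule, and then checks the live relying party trust. The sAMAccountName and the trust name "Microsoft Office 365 Identity Platform" (the name the MSOL cmdlets create) are assumptions.

```powershell
# Added example (not from the deck): preview the claims ADFS 2.0 will issue to
# Office 365 for one account by replaying the three claim rules locally.
# Run on an ADFS 2.0 server that also has the ActiveDirectory module installed.
# Assumptions: the sAMAccountName, and the relying party trust name created by
# the MSOL cmdlets, "Microsoft Office 365 Identity Platform".
param(
    [string]$SamAccountName   = 'charlie',
    [string]$RelyingPartyName = 'Microsoft Office 365 Identity Platform'
)

Import-Module ActiveDirectory
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Rule 1: regexreplace strips "DOMAIN\" from windowsaccountname, and the attribute
# store query returns userPrincipalName and objectGUID for that sAMAccountName.
$user = Get-ADUser -Identity $SamAccountName -Properties userPrincipalName, objectGUID
if (-not $user.UserPrincipalName) {
    throw "$SamAccountName has no UPN: ADFS issues no UPN claim and Office 365 rejects the logon."
}

# The attribute store hands objectGUID over as base64 of its 16 raw bytes. That string
# is the ImmutableID; rule 2 copies it into the SAML NameID, which Office 365 matches
# against the ImmutableId that DirSync wrote on the cloud account.
$immutableId = [Convert]::ToBase64String($user.ObjectGUID.ToByteArray())

# Rule 3: issuerid from the UPN suffix. Single quotes keep ${domain} as a .NET
# named-group reference, the same substitution regexreplace performs.
$issuerId = $user.UserPrincipalName -replace '.+@(?<domain>.+)', 'http://${domain}/adfs/services/trust/'

[pscustomobject]@{
    UPN         = $user.UserPrincipalName
    ImmutableID = $immutableId
    IssuerID    = $issuerId
} | Format-List

# Checks worth doing before go-live: the relying party trust exists and carries the
# issuerid rule. Without that rule a farm federated for more than one domain
# (-SupportMultipleDomain) cannot sign in users of the additional domains
# (Update Rollup 1, KB 2607496, is also required for multiple issuer support).
$rp = Get-ADFSRelyingPartyTrust -Name $RelyingPartyName
if (-not $rp) { throw "Relying party trust '$RelyingPartyName' not found on this ADFS server." }
if ($rp.IssuanceTransformRules -notmatch 'identity/claims/issuerid') {
    Write-Warning 'No issuerid rule on the relying party trust: only a single federated domain will work.'
}

# Heuristic (assumption): a suffix like .local or .lan is not routable, and Office 365
# only accepts UPNs whose suffix is a verified, publicly registered domain.
$upnSuffix = ($user.UserPrincipalName -split '@')[1]
if ($upnSuffix -match '\.(local|lan|internal)$') {
    Write-Warning "UPN suffix '$upnSuffix' is not routable; add a routable UPN suffix and change the user's UPN before federating."
}
```

The ImmutableID is the one value that must stay stable for the life of the account: it ties the on-premises object to the cloud object, so re-creating a user in AD (new objectGUID) breaks the match even when the UPN is unchanged.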
agenda (section: Single Sign On Configuration)
add domain
Add the domain in Office 365 first; it can be converted to a federated domain later.
configure federation: connect to MSOL
$cred = Get-Credential <credentials>
Connect-MsolService -Credential $cred
Set-MsolADFSContext -Computer <FQDN ADFS Server>

configure federation: add federated domain
New-MsolFederatedDomain -DomainName <domainname> -SupportMultipleDomain
-SupportMultipleDomain adds the issuerid claim rule on the ADFS relying party trust so that one ADFS farm can federate more than one domain; it requires Update Rollup 1 for AD FS 2.0 (KB 2607496).
Directory Synchronization
Directory Synchronization is used between the on-premises Active Directory and Office 365; federation requires DirSync in this scenario.
Users' UPNs are leveraged for account matching.
Start-OnlineCoexistenceSync (run on the DirSync server) forces a synchronization run.
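The slides from "add domain" to "Directory Synchronization" are one procedure. The following PowerShell, an added example and not the deck's own script, runs it end to end from an internal ADFS 2.0 server and adds the verification a practitioner wants after each stage: that the tenant recorded the issuer URI the issuerid rule will emit and the same token-signing certificate the farm uses, and that a synchronized user carries the UPN and ImmutableId the claim rules will present. The domain name, the DirSync server name, the test user and the use of WinRM to reach the DirSync server are assumptions.

```powershell
# Added example (not from the deck): federate a domain with ADFS 2.0 and verify each
# stage. Run on an internal ADFS 2.0 farm member (not the proxy) that has the MSOnline
# module. Assumptions: the domain, the DirSync server (reachable over WinRM), the test user.
$DomainName  = 'sharepointlabs.nl'
$DirSyncHost = 'dirsync01'
$TestUser    = "charlie@$DomainName"

# 1. Connect to MSOL and tell the MSOL cmdlets which ADFS server to configure.
$cred = Get-Credential
Connect-MsolService -Credential $cred
Set-MsolADFSContext -Computer $env:COMPUTERNAME

# 2. Add the domain as federated, or convert a domain that was added earlier.
$domain = Get-MsolDomain -DomainName $DomainName -ErrorAction SilentlyContinue
if (-not $domain) {
    # The first run prints the DNS record that proves domain ownership; run it again once
    # that record resolves and the domain is created as federated.
    New-MsolFederatedDomain -DomainName $DomainName -SupportMultipleDomain
} elseif ($domain.Authentication -ne 'Federated') {
    Convert-MsolDomainToFederated -DomainName $DomainName -SupportMultipleDomain
}

# 3. Verify what the tenant now trusts. Office 365 accepts a token only if its issuer
#    and signature match the federation settings stored for the domain, so compare the
#    issuer URI and the token-signing certificate instead of trusting the cmdlet's silence.
$fed = Get-MsolDomainFederationSettings -DomainName $DomainName
$expectedIssuer = "http://$DomainName/adfs/services/trust/"   # what the issuerid rule emits
if ($fed.IssuerUri -ne $expectedIssuer) {
    throw "IssuerUri is '$($fed.IssuerUri)', expected '$expectedIssuer' with -SupportMultipleDomain."
}

$certBytes  = [Convert]::FromBase64String($fed.SigningCertificate)
$tenantCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$certBytes)

Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
$farmCert = (Get-ADFSCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }).Certificate
if ($farmCert.Thumbprint -ne $tenantCert.Thumbprint) {
    # Typical after a signing-certificate rollover on the farm: the tenant still holds
    # the old certificate until the federation settings are pushed again.
    throw "Token-signing mismatch (ADFS $($farmCert.Thumbprint), tenant $($tenantCert.Thumbprint)); run Update-MsolFederatedDomain -DomainName $DomainName -SupportMultipleDomain."
}
"Tenant trusts issuer $($fed.IssuerUri), signing cert $($tenantCert.Thumbprint), expires $($tenantCert.NotAfter)"

# 4. Push the on-premises accounts to the tenant. Start-OnlineCoexistenceSync runs on the
#    DirSync server; the run itself is asynchronous, so check the user afterwards.
Invoke-Command -ComputerName $DirSyncHost -ScriptBlock {
    Add-PSSnapin Coexistence-Configuration
    Start-OnlineCoexistenceSync
}

# 5. Once the run has completed, the cloud account must show the same UPN and the
#    base64 objectGUID as ImmutableId; LastDirSyncTime confirms it came from DirSync.
Get-MsolUser -UserPrincipalName $TestUser |
    Select-Object UserPrincipalName, ImmutableId, LastDirSyncTime
```

Get-MsolFederationProperty -DomainName <domainname> prints the ADFS-side and tenant-side settings next to each other and is the quick manual version of step 3.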
[diagram] login sequence (sharepointlabs.nl)
Browser (passive) flow: the client requests SharePoint Online and gets a 302 redirect to the Sign-In Service; the Sign-In Service redirects the client to the on-premises ADFS 2.0, which authenticates the user against AD and issues a SAML logon token (UPN: charlie@sharepointlabs.nl, Source ID: ABC123); the Sign-In Service validates that token and issues its own authentication token (UPN: charlie@sharepointlabs.nl, Source ID: 1234567), which the client presents to SharePoint Online.
Rich client (active) flow: Exchange Online answers the client with an authentication challenge (an HTTP 401; the slide reads "404 - Authenticate"); the client then obtains a SAML logon token from ADFS 2.0 with the user's credentials, and the Sign-In Service exchanges it for the authentication token.
Scenarios
Domain-joined computer in the corporate network: the ADFS server can use Windows Integrated AuthN.
Domain-joined computer, roaming: publish the ADFS server.
Home or public computer: the user signs in with corporate credentials.
Smartphone: Microsoft Outlook or other e-mail clients.

troubleshooting
Tools: MOSDAL (Microsoft Online Services Diagnostics and Logging) Support Toolkit; www.testexchangeconnectivity.com; Fiddler.

adfs additional reading
KB 2607496, Update Rollup 1 for Active Directory Federation Services (AD FS) 2.0: multiple issuer support, client access policy support, congestion avoidance algorithm, additional AD FS 2.0 performance counters.
more info
Web Services Federation Language (WS-Federation) Version 1.2: http://docs.oasis-open.org/wsfed/federation/v1.2/ws-federation.pdf
WS-Trust Version 1.3: http://docs.oasis-open.org/ws-sx/ws-trust/200512/ws-trust-1.3-os.pdf
Security Assertion Markup Language (SAML) 2.0: http://go.microsoft.com/fwlink/?LinkId=193996
Microsoft AD FS 2.0 Release to Web (RTW) download: http://www.microsoft.com/downloads/details.aspx?FamilyID=118c3588-9070-426a-b655-6cec0a92c10b
Identity federation definition from Wikipedia: http://en.wikipedia.org/wiki/Federated_identity
more info Microsoft Office 365 Single Sign-On (SSO) with AD FS 2.0 http://tinyurl.com/6pbrkop