Shibboleth 2.x with Office 365 David Fisher (dfisher) – 1/24/2013
Federation options

ADFS
• Works with AD
• Suitable for medium, large enterprises including educational organizations
• Recommended option for Active Directory (AD) based customers
• Single sign-on
• Secure token based authentication
• Support for web and rich clients
• Microsoft supported
• Phonefactor can be used for two factor auth
• Works for Office 365 Hybrid Scenarios
• Requires on-premises servers, licenses & support

Third-party STS
• Works with AD & Non-AD
• Suitable for medium, large enterprises including educational organizations
• Recommended where customers may use existing non-ADFS Identity systems with AD or Non-AD
• Single sign-on
• Secure token based authentication
• Support for web and rich clients
• Third-party supported
• Phonefactor can be used for two factor auth
• Works for Office 365 Hybrid Scenarios
• Requires on-premises servers, licenses & support
• Verified through ‘works with Office 365’ program

Shibboleth (SAML*)
• Works with AD & Non-AD
• Works for Office 365 Hybrid Scenarios
• Suitable for educational organizations
• Recommended where customers may use existing non-ADFS Identity systems
• Single sign-on
• Secure token based authentication
• Support for web clients and Outlook only
• Microsoft supported for integration only, no Shibboleth deployment support
• Requires on-premises servers & support
• Works with AD and other directories on-premises

* Broader SAML implementations will be supported in 1H CY2013
Shibboleth 2.x with Office 365
• What is the Shibboleth Identity Provider (IdP)?
  • Open source software package providing similar functionality as ADFS (e.g. SSO, Authentication, SAML 2.0)
  • Popular implementation of SAML 2.x with Higher Education institutions world-wide
  • Shibboleth is managed by the Shibboleth Consortium (http://www.shibboleth.net/index.html)
  • Latest version is 2.3.6
• How do customers with a Shibboleth IdP* interoperate with Office 365?
  • Set up a SAML 2.0 federation between Office 365 and their Shibboleth IdP
  • Deploy DirSync for user provisioning with AD and deploy MSOMA+FIM for user provisioning from non-AD

[Diagram: supported clients (email, rich clients, web client) authenticating through a Shibboleth 2.x IdP; Contoso.edu and Fabrikam.edu shown as AD and Non-AD sources, each provisioned into Office 365 via MSOMA + FIM]

* This means that only the Shibboleth implementation of SAML is supported, not any SAML implementation
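As an added example (not from this deck and not the Shibboleth project's own shipped configuration), this is the shape the "set up a SAML 2.0 federation" bullet takes on the IdP side of a Shibboleth 2.x deployment: a metadata provider for the Office 365 service provider, a relying-party entry for its entityID urn:federation:MicrosoftOnline, and the two attributes Office 365 consumes (IDPEmail, carrying the UPN, and the persistent NameID ImmutableID, which must equal the value DirSync wrote into the cloud account, the base64 form of the AD objectGUID). The IdP host idp.contoso.edu, the LDAP DataConnector id myLDAP, the signing credential id IdPCredential and the backing file path are assumptions; the relying-party id and attribute names are the values Office 365 expects, and the metadata URL is the one Microsoft published for Office 365 at the time of this deck, so check it against current documentation before relying on it.

```xml
<!-- Added example, not from the deck. Fragments for three Shibboleth 2.x IdP files,
     identified by the comment above each fragment. Assumed values: IdP at
     idp.contoso.edu, LDAP DataConnector id "myLDAP", signing credential id
     "IdPCredential", backing file under /opt/shibboleth-idp/metadata/. -->

<!-- conf/relying-party.xml : fetch and cache Office 365 SP metadata
     (entityID urn:federation:MicrosoftOnline). Verify the URL against
     current Microsoft documentation. -->
<metadata:MetadataProvider id="OfficeOnline"
    xsi:type="metadata:FileBackedHTTPMetadataProvider"
    metadataURL="https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml"
    backingFile="/opt/shibboleth-idp/metadata/office365-metadata.xml" />

<!-- conf/relying-party.xml : profile settings used only for Office 365.
     Office 365 validates the assertion signature against the IdP signing
     certificate registered for the domain, so assertions are always signed.
     Encryption is off because Office 365 publishes no encryption key.
     A short assertion lifetime limits replay of a captured assertion. -->
<rp:RelyingParty id="urn:federation:MicrosoftOnline"
    provider="https://idp.contoso.edu/idp/shibboleth"
    defaultSigningCredentialRef="IdPCredential">
  <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
      includeAttributeStatement="true"
      assertionLifetime="PT5M"
      signResponses="never"
      signAssertions="always"
      encryptAssertions="never"
      encryptNameIds="never" />
</rp:RelyingParty>

<!-- conf/attribute-resolver.xml : inside the existing LDAP DataConnector "myLDAP".
     objectGUID must be read as binary so the resolver base64-encodes it,
     giving the same string DirSync stores as ImmutableID. -->
<dc:LDAPProperty name="java.naming.ldap.attributes.binary" value="objectGUID" />

<!-- conf/attribute-resolver.xml : ImmutableID is sent as the persistent NameID -->
<resolver:AttributeDefinition id="ImmutableID" xsi:type="ad:Simple"
    sourceAttributeID="objectGUID">
  <resolver:Dependency ref="myLDAP" />
  <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID"
      nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
</resolver:AttributeDefinition>

<!-- conf/attribute-resolver.xml : IDPEmail carries the user's UPN, which must
     match the cloud account's UPN for the federated domain -->
<resolver:AttributeDefinition id="UserId" xsi:type="ad:Simple"
    sourceAttributeID="userPrincipalName">
  <resolver:Dependency ref="myLDAP" />
  <resolver:AttributeEncoder xsi:type="enc:SAML2String"
      name="IDPEmail" friendlyName="UserId" />
</resolver:AttributeDefinition>

<!-- conf/attribute-filter.xml : release exactly these two attributes, and only
     to the Office 365 requester (least privilege on attribute release) -->
<AttributeFilterPolicy id="PolicyForOffice365">
  <PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
      value="urn:federation:MicrosoftOnline" />
  <AttributeRule attributeID="UserId">
    <PermitValueRule xsi:type="basic:ANY" />
  </AttributeRule>
  <AttributeRule attributeID="ImmutableID">
    <PermitValueRule xsi:type="basic:ANY" />
  </AttributeRule>
</AttributeFilterPolicy>
```

The Office 365 side is registered with the Set-MsolDomainAuthentication cmdlet, whose IssuerUri must match the provider value above and whose SigningCertificate must be the public certificate of IdPCredential; a mismatch on either produces a signature-validation failure at sign-in rather than a clear configuration error, so compare the two before cutting the domain over to federated authentication. Keep the PolicyRequirementRule scoped to urn:federation:MicrosoftOnline rather than a broad ANY rule, since objectGUID-derived identifiers should not leak to every service provider the IdP federates with.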
Non-AD Synchronization
• Preferred option for Directory Synchronization with Non-AD Sources
• Non-AD support with FIM is available through Microsoft-led deployments
• FIM 2010 Office 365 connector supports complex multi-forest topologies

[Diagram: Windows Azure Active Directory fed by the Office 365 Connector on FIM from a Non-AD (LDAP) on-premises identity store (example user Domain\Alice), with federation via a non-ADFS STS]
Sign on experience

Client types
• Web Clients: Office with SharePoint Online; Outlook Web Application
• Exchange Clients: Outlook; Active Sync/POP/IMAP; Entourage
• Rich Applications (SIA): Lync; Office Subscriptions; CRM Rich Client

Credential presented, per identity model (cells in slide order)
• Cloud Identity: Username and Password; Username and Password; Username and Password; Online ID; Online ID; Online ID
• Federation w/ Shibboleth: Username and Password; Username and Password*; Not currently supported; On-premises credentials; On-premises credentials
• Federation w/ ADFS/3rd party (non-domain joined): Username and Password; Username and Password; Username and Password; AD credentials; AD credentials; AD credentials

* Exchange client support w/ Shibboleth requires the Enhanced Client/Proxy (ECP) extension to be enabled/configured
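The footnote above is the one piece of the Shibboleth side that differs from an ordinary web-SSO deployment: Outlook and other Exchange clients cannot follow browser redirects, so Office 365 posts the user's credentials to the IdP's ECP (SOAP) endpoint instead. The following is an added example (not from the deck, not the Shibboleth project's shipped files) of what enabling that in Shibboleth 2.x involves: the ECP profile handler and a container-authenticated login handler in handler.xml, the ECP profile for the Office 365 relying party in relying-party.xml, and a servlet security constraint that puts HTTP Basic authentication over TLS in front of the endpoint. The IdP host idp.contoso.edu, the credential id IdPCredential, the role name and realm name are assumptions, and the container realm that checks the Basic credentials against the directory is container-specific and not shown.

```xml
<!-- Added example, not from the deck. Assumed: IdP at idp.contoso.edu, signing
     credential id "IdPCredential", servlet container configured with a realm
     that validates Basic credentials against the user directory (not shown). -->

<!-- conf/handler.xml : the ECP endpoint, reached at
     https://idp.contoso.edu/idp/profile/SAML2/SOAP/ECP -->
<ph:ProfileHandler xsi:type="ph:SAML2ECP"
    inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
    outboundBindingEnums="urn:oasis:names:tc:SAML:2.0:bindings:SOAP">
  <ph:RequestPath>/SAML2/SOAP/ECP</ph:RequestPath>
</ph:ProfileHandler>

<!-- conf/handler.xml : ECP has no login page; the IdP trusts the identity the
     container established via Basic auth (REMOTE_USER) and reports it as a
     password-over-TLS authentication. -->
<ph:LoginHandler xsi:type="ph:RemoteUser">
  <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
</ph:LoginHandler>

<!-- conf/relying-party.xml : add the ECP profile alongside the existing SSO
     profile for Office 365; same signing and encryption rules as web SSO. -->
<rp:RelyingParty id="urn:federation:MicrosoftOnline"
    provider="https://idp.contoso.edu/idp/shibboleth"
    defaultSigningCredentialRef="IdPCredential">
  <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
      signResponses="never" signAssertions="always"
      encryptAssertions="never" encryptNameIds="never" />
  <rp:ProfileConfiguration xsi:type="saml:SAML2ECPProfile"
      signResponses="never" signAssertions="always"
      encryptAssertions="never" encryptNameIds="never" />
</rp:RelyingParty>

<!-- WEB-INF/web.xml : require Basic auth, and refuse the request unless the
     transport is TLS, because the client sends the user's cleartext password
     in the Authorization header. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Shibboleth ECP endpoint</web-resource-name>
    <url-pattern>/profile/SAML2/SOAP/ECP</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Shibboleth ECP</realm-name>
</login-config>
```

On the Office 365 side the ECP URL is what goes into the ActiveLogOnUri parameter of Set-MsolDomainAuthentication (PassiveLogOnUri stays the browser SSO endpoint). Because this endpoint accepts a plain username and password without any browser interaction, treat it as a password-spraying surface: it must only ever be reachable over TLS, it should share the directory's lockout and failed-logon alerting, and the container's access log for /profile/SAML2/SOAP/ECP is worth feeding to the SOC alongside the IdP's own audit log.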