Office 365 Identity
Post on 18-Nov-2014
Agenda
• Identity management overview
• Core identity scenarios
• Deep dive on federation and synchronization
• Additional features
Identity management overview
Authentication: verifying that a user, device, or service (such as an application provided on a network server) is the entity that it claims to be.
Authorization: determining which actions an authenticated entity is authorized to perform on the network.
Account types
• Microsoft Account (example: alice@outlook.com)
• Organizational Account (example: alice@contoso.com)
Directory store and authentication platform: Windows Azure Active Directory.
Core identity scenarios
Each scenario exposes the same Windows Azure Active Directory surface: OAuth2, SAML-P, WS-Federation, Metadata, Graph API.
• Cloud Identity
• Directory & Password Sync
Directory Synchronization Options
PowerShell & Graph API
• Suitable for small/medium size organizations with AD or Non-AD
• Performance limitations apply with PowerShell and Graph API provisioning
• PowerShell requires scripting experience
• The PowerShell option can be used where the customer/partner may have wrappers around PowerShell scripts (e.g. self-service provisioning)
Directory Synchronization tool (DirSync)
• Suitable for organizations using Active Directory (AD)
• Provides the best experience to most customers using AD
• Supports Exchange co-existence scenarios
• Coupled with ADFS, provides the best option for federation and synchronization
• Supports Password Synchronization at no additional cost
• Does not require any additional software licenses
Forefront Identity Manager (FIM)
• Suitable for large organizations with certain AD and Non-AD scenarios
• Complex multi-forest AD scenarios
• Non-AD synchronization through Microsoft premier deployment support
• Requires Forefront Identity Manager and additional software licenses
Federated Identity
• Windows Azure Active Directory surface: OAuth2, SAML-P, WS-Federation, Metadata, Graph API
Scenario summary
• Cloud Identity: no integration to on-premises directories
• Directory & Password Synchronization*: integration without federation*
• Federated Identity: single federated identity and credentials
Federation options
Shibboleth (SAML*)
• Suitable for educational organizations
• Recommended where customers may use existing non-ADFS identity systems
• Single sign-on
• Secure token based authentication
• Support for web clients and Outlook only
• Microsoft supported for integration only; no Shibboleth deployment support
• Requires on-premises servers & support
• Works with AD and other directories on-premises (AD & Non-AD)
Active Directory Federation Services (ADFS)
• Suitable for medium and large enterprises, including educational organizations
• Recommended option for Active Directory (AD) based customers
• Single sign-on
• Secure token based authentication
• Support for web and rich clients
• Microsoft supported
• PhoneFactor can be used for two-factor auth
• Works for Office 365 hybrid scenarios
• Requires on-premises servers, licenses & support
• Works with AD
Third-party identity providers ("Works with Office 365" program)
• Suitable for medium and large enterprises, including educational organizations
• Recommended where customers may use existing non-ADFS identity systems with AD or Non-AD
• Single sign-on
• Secure token based authentication
• Support for web and rich clients
• Third-party supported
• PhoneFactor can be used for two-factor auth
• Works for Office 365 hybrid scenarios
• Requires on-premises servers, licenses & support
• Verified through the "Works with Office 365" program
• Works with AD & Non-AD
Federation with Identity Partners
• Verified by Microsoft
• Reuse existing investments
• Program for third-party identity providers to interoperate with Office 365
• Objective is to help customers that currently use non-Microsoft identity solutions to adopt Office 365
Identity Roadmap
• Shibboleth (SAML) support: available now
• New "Works with Office 365" partners: Ping, Optimal IDM, Okta, IBM available now; Novell, CA and Oracle in 1H CY2013
• DirSync for multi-forest AD: available now through MCS and partners
• Sync solution for Non-AD using FIM: available now through MCS and partners
• Password Synchronization for AD: 1H CY2013
• Broader SAML support: 1H CY2013
Cloud Identity (example: alice@contoso.com)
• Identity managed in Windows Azure AD
• Single sign-on for Office 365 and other cloud services federated with a single cloud identity
• ISV applications or SaaS providers can integrate using APIs on Windows Azure AD
• Currently in Technical Preview
Cloud identity + directory synchronization; single sign-on + directory synchronization
Topology: on the Contoso customer premises, Active Directory is synchronized into the MS Online Directory, and Active Directory Federation Server 2.0 acts as the on-premises IdP with a federation trust to the Microsoft Online identity platform, which in turn is the IdP for Lync Online, SharePoint Online and Exchange Online.
Understanding client authentication path
Inside the corporate boundary, clients reach the AD FS 2.0 Server directly; outside it, they reach the AD FS 2.0 Proxy. Both expose the same three endpoints: MEX (metadata exchange), Web (passive) and Active.
• Internal clients (Lync 2010/Office Subscription, Active Sync, Outlook 2010/2007 IMAP/POP, OWA internal) authenticate against the AD FS 2.0 Server.
• External clients (OWA external, Lync 2010/Office Subscription) authenticate through the AD FS 2.0 Proxy.
• Active Sync and Outlook 2010/2007 (IMAP/POP) send username/password to Exchange Online, which authenticates on their behalf through the AD FS 2.0 Proxy; this active path is always external.
• Basic auth proposal: pass client IP, protocol and device name.
Credential prompts by client type and identity type
Web clients (Office with SharePoint Online, Outlook Web Application; "Remember me" = persisted cookie)
• Cloud Identity: username and password (Online ID)
• Federated Identity, domain joined: no prompt (AD credentials)
• Federated Identity, non-domain joined: username and password (AD credentials)
Exchange clients (Outlook, Active Sync/POP/IMAP, Entourage; can save credentials)
• Cloud Identity: username and password (Online ID)
• Federated Identity, domain joined: username and password (AD credentials)
• Federated Identity, non-domain joined: username and password (AD credentials)
Rich applications (SIA: Lync, Office Subscriptions, CRM rich client; can save credentials)
• Cloud Identity: username and password (Online ID)
• Federated Identity, domain joined: username only (AD credentials)
• Federated Identity, non-domain joined: username and password (AD credentials)
Authentication flow (passive/web profile), identity federation
Customer side: a client joined to CorpNet authenticates to Active Directory and obtains a Logon (SAML 1.1) Token from the AD FS 2.0 Server (authentication platform), carrying UPN user@contoso.com and Source User ID ABC123. Microsoft Online Services side: the federated token is exchanged for an Auth Token carrying UPN user@contoso.com and Unique ID 254729, which the client presents to Exchange Online or SharePoint Online.

Authentication flow (MEX/rich client profile), identity federation
Same exchange as the passive profile, with the rich client discovering the AD FS 2.0 Server endpoints through MEX: Logon (SAML 1.1) Token (UPN user@contoso.com, Source User ID ABC123) from AD FS, then Auth Token (UPN user@contoso.com, Unique ID 254729) from Microsoft Online Services, presented to Lync Online.

Active flow (Outlook/Active Sync), always external, identity federation
The client, even when joined to CorpNet, sends Basic Auth credentials (username/password) to Exchange Online. Microsoft Online Services presents them to the customer's AD FS 2.0 Proxy, which authenticates against Active Directory and returns the Logon (SAML 1.1) Token (UPN user@contoso.com, Source User ID ABC123); Microsoft Online Services then issues the Auth Token (UPN user@contoso.com, Unique ID 254729) to Exchange Online.
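The three flow slides share one token exchange: the customer's AD FS issues a Logon (SAML 1.1) token with the UPN and an immutable Source User ID, and the Microsoft Online Services side turns it into its own Auth Token with the cloud Unique ID. The model below is an added example, not code from the deck or from Microsoft; it shows the checks the cloud side has to make before trusting a federated token (trusted issuer for the UPN's domain, signature, audience, validity window) and that the mapping to the cloud object is done on the Source User ID synchronized by DirSync, not on the UPN. Assumptions: the real exchange signs a SAML 1.1 assertion with XML-DSig and the AD FS token-signing certificate; an HMAC over canonical JSON stands in for that so the example runs offline. The trust table, directory entries, keys and IDs are constructed sample data; the audience URI is the identifier of the Office 365 relying party trust.

```python
import hashlib
import hmac
import json

# Identifier of the Office 365 relying party trust (audience of the logon token).
OFFICE365_AUDIENCE = "urn:federation:MicrosoftOnline"

# Constructed federation trust: for each federated domain, the trusted issuer
# and its signing key. Real AD FS uses an X.509 token-signing certificate; a
# shared HMAC key stands in for it here so the example runs offline.
FEDERATION_TRUST = {
    "contoso.com": {
        "issuer": "http://adfs.contoso.com/adfs/services/trust",
        "key": b"constructed-contoso-token-signing-key",
    },
}

# Constructed synchronized directory, as DirSync would populate it:
# Source User ID (immutable anchor) -> cloud object with its own Unique ID.
SYNCED_DIRECTORY = {
    "ABC123": {"unique_id": "254729", "upn": "user@contoso.com"},
}


def _canonical(claims):
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def _sign(key, claims):
    return hmac.new(key, _canonical(claims), hashlib.sha256).hexdigest()


def issue_logon_token(key, issuer, upn, source_user_id, now, lifetime=600):
    """Customer side (AD FS 2.0): issue the Logon (SAML 1.1) token."""
    claims = {
        "issuer": issuer,
        "audience": OFFICE365_AUDIENCE,
        "upn": upn,
        "source_user_id": source_user_id,
        "not_before": now,
        "not_on_or_after": now + lifetime,
    }
    return {"claims": claims, "signature": _sign(key, claims)}


def exchange_for_auth_token(logon_token, now):
    """Microsoft Online Services side: validate the logon token, map the
    Source User ID to the synchronized object, and issue the Auth Token."""
    claims = logon_token["claims"]
    # The trust is selected by the UPN's domain, then the issuer must be the
    # IdP registered for that domain: an IdP federated for one domain cannot
    # mint tokens for users of another.
    domain = claims["upn"].rpartition("@")[2].lower()
    trust = FEDERATION_TRUST.get(domain)
    if trust is None:
        raise ValueError("UPN domain %r is not federated" % domain)
    if claims["issuer"] != trust["issuer"]:
        raise ValueError("issuer is not the trusted IdP for %r" % domain)
    if not hmac.compare_digest(_sign(trust["key"], claims), logon_token["signature"]):
        raise ValueError("token signature is invalid")
    if claims["audience"] != OFFICE365_AUDIENCE:
        raise ValueError("token was not issued for Office 365")
    if not claims["not_before"] <= now < claims["not_on_or_after"]:
        raise ValueError("token is outside its validity window")
    # Mapping is by the immutable Source User ID, not by UPN.
    cloud_object = SYNCED_DIRECTORY.get(claims["source_user_id"])
    if cloud_object is None:
        raise ValueError("Source User ID %r has not been synchronized"
                         % claims["source_user_id"])
    return {"upn": cloud_object["upn"], "unique_id": cloud_object["unique_id"],
            "issued_at": now}


def try_exchange(logon_token, now):
    """Return the outcome as data instead of raising."""
    try:
        return {"ok": True, "auth_token": exchange_for_auth_token(logon_token, now)}
    except ValueError as exc:
        return {"ok": False, "error": str(exc)}


if __name__ == "__main__":
    now = 1_700_000_000
    trust = FEDERATION_TRUST["contoso.com"]
    token = issue_logon_token(trust["key"], trust["issuer"],
                              "user@contoso.com", "ABC123", now)
    print(try_exchange(token, now))
    # Altering any claim after issuance breaks the signature.
    tampered = {"claims": dict(token["claims"], upn="other@contoso.com"),
                "signature": token["signature"]}
    print(try_exchange(tampered, now))
```

The order of checks matters: the domain lookup comes first so that a token from contoso's IdP naming a fabrikam.com UPN is rejected even when its signature is perfectly valid, and a Source User ID that DirSync has not yet synchronized is rejected rather than falling back to a UPN match.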
Shibboleth
• Open source software package providing similar functionality to ADFS (e.g. SSO, authentication, SAML 2.0)
• Popular implementation of SAML 2.x with higher education institutions world-wide
• Shibboleth is managed by the Shibboleth Consortium (http://www.shibboleth.net/index.html)
• Latest version is 2.3.6
• Set up a SAML 2.0 federation between Office 365 and the customer's Shibboleth IdP
• Deploy DirSync for user provisioning from AD, and deploy MSOMA+FIM for user provisioning from non-AD sources
Example topology: two institutions (Contoso.edu and Fabrikam.edu), each with its own Shibboleth 2.x IdP, one provisioning from AD and the other from a Non-AD directory, both through MSOMA + FIM, federate with Office 365 for email rich clients and web clients.
Client access policy scenarios
• Block all external access to Office 365 based on the IP address of the external client
• Block all external access to Office 365 except Exchange Active Sync; all other clients such as Outlook are blocked
• Block all external access to Office 365 except for passive browser-based applications such as Outlook Web Access or SharePoint Online
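The three scenarios are enforced in AD FS as issuance authorization (deny) rules evaluated over the request-context claims that AD FS 2.0 adds to each request. The evaluator below is an added example, not AD FS code or material from the deck: it models each policy as a function over those claims so the decisions can be checked against sample requests before anything is changed on a federation server. The four claim type URIs and the values "Microsoft.Exchange.ActiveSync" and "/adfs/ls/" are the ones AD FS exposes; the corporate egress range, the proxy name and the sample requests are constructed.

```python
import ipaddress

# AD FS 2.0 request-context claim types used by client access policies.
PROXY = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"
FORWARDED_IP = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip"
CLIENT_APP = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application"
ENDPOINT_PATH = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path"

ACTIVESYNC_APP = "Microsoft.Exchange.ActiveSync"   # client application claim value
PASSIVE_ENDPOINT = "/adfs/ls/"                     # passive (browser) endpoint path

# Constructed: the organization's public egress ranges. Anything else is external.
CORPORATE_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]


def _from_corporate_ip(forwarded_values):
    """True if any forwarded client IP belongs to a corporate egress range.
    A claim value may carry several comma-separated addresses."""
    for value in forwarded_values:
        for candidate in value.split(","):
            try:
                addr = ipaddress.ip_address(candidate.strip())
            except ValueError:
                continue  # malformed entry never counts as corporate
            if any(addr in net for net in CORPORATE_EGRESS):
                return True
    return False


def is_external(claims):
    """A request is external when it arrived through the AD FS proxy and no
    forwarded client IP belongs to a corporate egress range. Requests that
    never touched the proxy are internal regardless of other claims."""
    return PROXY in claims and not _from_corporate_ip(claims.get(FORWARDED_IP, []))


# Each policy returns True when the request must be denied.
def block_all_external(claims):
    return is_external(claims)


def block_external_except_activesync(claims):
    return is_external(claims) and ACTIVESYNC_APP not in claims.get(CLIENT_APP, [])


def block_external_except_passive(claims):
    return is_external(claims) and PASSIVE_ENDPOINT not in claims.get(ENDPOINT_PATH, [])


def decide(policy, claims):
    return "deny" if policy(claims) else "permit"


# Constructed sample requests as AD FS would see them (claim type -> values).
INTERNAL_OWA = {ENDPOINT_PATH: [PASSIVE_ENDPOINT]}
EXTERNAL_OWA = {PROXY: ["adfsproxy01"], ENDPOINT_PATH: [PASSIVE_ENDPOINT]}
EXTERNAL_ACTIVESYNC = {PROXY: ["adfsproxy01"], FORWARDED_IP: ["198.51.100.7"],
                       CLIENT_APP: [ACTIVESYNC_APP],
                       ENDPOINT_PATH: ["/adfs/services/trust/2005/usernamemixed"]}
EXTERNAL_OUTLOOK = {PROXY: ["adfsproxy01"], FORWARDED_IP: ["198.51.100.7"],
                    ENDPOINT_PATH: ["/adfs/services/trust/2005/usernamemixed"]}
OUTLOOK_FROM_OFFICE = {PROXY: ["adfsproxy01"], FORWARDED_IP: ["203.0.113.40, 198.51.100.7"],
                       ENDPOINT_PATH: ["/adfs/services/trust/2005/usernamemixed"]}

if __name__ == "__main__":
    samples = [("internal OWA", INTERNAL_OWA), ("external OWA", EXTERNAL_OWA),
               ("external ActiveSync", EXTERNAL_ACTIVESYNC),
               ("external Outlook", EXTERNAL_OUTLOOK),
               ("Outlook from office egress", OUTLOOK_FROM_OFFICE)]
    for name, req in samples:
        print("%-28s block-all=%-6s except-ActiveSync=%-6s except-passive=%s" % (
            name, decide(block_all_external, req),
            decide(block_external_except_activesync, req),
            decide(block_external_except_passive, req)))
```

Two points the sample requests bring out: the active (Outlook/Active Sync) path always arrives through the proxy with the real client address in the forwarded-IP claim, so the office-egress case is classified internal only because that claim matches CORPORATE_EGRESS, which therefore has to be kept current; and an external browser request carries no forwarded-IP claim at all, so "no corporate IP seen" must be treated as external rather than as unknown.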
Multi-forest Active Directory
• Multi-forest AD support is available through Microsoft-led deployments
• The multi-forest DirSync appliance supports multiple disjoint account forests
• The FIM 2010 Office 365 connector supports complex multi-forest topologies
Topology: on-premises identity (example: Domain\Alice) spread across several AD forests, federation using ADFS, and DirSync on FIM synchronizing into Windows Azure Active Directory.
Non-AD directory sources
• Preferred option for directory synchronization with Non-AD sources
• Non-AD support with FIM is available through Microsoft-led deployments
• The FIM 2010 Office 365 connector supports complex multi-forest topologies
Topology: on-premises identity (example: Domain\Alice) held in a Non-AD (LDAP) directory, federation using a non-ADFS STS, and the Office 365 Connector on FIM synchronizing into Windows Azure Active Directory.