SINGLE & SAME SIGN-ON ASPECTS

Academic year: 2021
(1)

SINGLE & SAME SIGN-ON ASPECTS OF AZURE ACTIVE DIRECTORY

(2)

TRAINER INFO

Harold Baele – MCT at RealDolmen Education [email protected] - @hbaele

Trainer since 2000 on Operating Systems, Networking, AD; Exchange; Office 365 & Azure

(3)

DEFINITIONS

 Signing in means requesting validation = authentication

 Verifying access to a resource/application = authorization

 SSO…

 SINGLE sign-on: ONE authentication, ONE credential, multiple authorizations

(4)

IDENTITY STORES

Web Application Proxy + AD FS

Microsoft Account

(5)

CENTRALIZE IDENTITY CONTROL, NOT THE STORE

Microsoft Azure Active Directory

(6)

IDENTITY AND ACCESS MANAGEMENT: PRODUCTS

Diagram labels: On-premises | Microsoft Azure; Windows Server Active Directory; Azure Active Directory (AAD); Consumer identity providers; PCs and devices; Microsoft apps; Third-party cloud/hosting

Enable single sign-on across multiple cloud and on-premises applications with Active Directory Federation Services (ADFS)

Integrate cloud with on-premises Active Directory with Active Directory Synchronization

Create and manage identities in the cloud

Help secure access to on-premises and cloud apps with Microsoft Azure Multi-Factor Authentication

Use Azure Active Directory (AAD) to manage Office 365 with other Microsoft and external cloud services

Enable single sign-on between on-premises and cloud identities

(7)

MICROSOFT AZURE

An open and flexible cloud platform that enables you to quickly build, deploy, & manage solutions across a global network of Microsoft-managed datacenters.

Build applications using any language, tool, or framework

Integrate public cloud solution with the existing IT environment

99.95% monthly SLA

CLOUD PLATFORM – USAGE-BASED SERVICES

APP SERVICES: Caching, Identity, Service bus, Media, CDN, Integration, HPC, Analytics

COMPUTE: Websites, Virtual machines, Cloud services, Mobile services

STORAGE: SQL database, HDInsight, Tables, Blob storage

Services grouped as Compute, Storage, Network and Application Services

Distinct rates for each of these service “meters”

Customers are billed for usage against one or more of these meters

(8)

MICROSOFT AZURE IAAS

(9)

MICROSOFT AZURE PLATFORM AS A SERVICE (PAAS)

(10)

WHAT IS MICROSOFT AZURE ACTIVE DIRECTORY?

A comprehensive identity and access management cloud solution

Azure Active Directory combines directory services, advanced identity governance, application access management, and a rich standards-based platform for developers

Microsoft Azure Active Directory Premium is an advanced offering that includes Identity and Access Management (IAM) capabilities for on-premises, hybrid, and cloud environments

(11)

DEMO

Creating an AAD

(12)

EXAMPLE AAD: OFFICE 365

Windows Azure Active Directory

Exchange Online

SharePoint Online

Skype for Business Online

Office 365 ProPlus

Yammer

(13)

IDENTITY OPTIONS COMPARISON

Option 1: no on-premises AD (no SSO)

Appropriate for

• Smaller orgs without AD on-premises

Pros

• No servers required on-premises

Cons

• No SSO

• No 2FA

• 2 sets of credentials to manage with differing

Option 2: same sign-on

Appropriate for

• Medium/Large orgs with AD on-premises

Pros

• Users and groups mastered on-premises

• Enables co-existence scenarios

Cons

• Same sign-on only (not single sign-on)

• No 2FA

• 2 sets of credentials to manage with differing

Option 3: single sign-on (AD FS)

Appropriate for

• Larger enterprise orgs with AD on-premises

Pros

• SSO with corporate credentials

• IDs mastered on-premises

• Password policy controlled on-premises

• 2FA solutions possible

• Enables co-existence scenarios

(14)

PASSWORD SYNC VERSUS SINGLE SIGN-ON

Columns compared: Password sync | Single Sign-On (ADFS)

Comparison rows:

Same password to access resources

Control password policies on premises

Support for multi-factor authentication

No password re-entry if on premises

Authentication occurs in on-premises directory

Client access filtering

(15)

SINGLE SIGN ON SETUP

 Needs DirSync aka Azure AD Connect (no password sync)

 Add Domain (returns details for proof of ownership)

 Single source AD DS: Connect ADFS with Microsoft Office 365

 Single source AAD: use AAD application proxy

(16)

IDENTITY FEDERATION AUTHENTICATION FLOW (PASSIVE/WEB PROFILE)

Diagram components:

Client (joined to CorpNet)

Authentication platform: AD FS 2.0 Server

Exchange Online or SharePoint Online

Active Directory

Customer | Microsoft Online Services

Logon (SAML 1.1) Token: UPN:[email protected], Source User ID: ABC123

Auth Token: UPN:[email protected], Unique ID: 254729

(17)

IDENTITY FEDERATION AUTHENTICATION FLOW (RICH CLIENT PROFILE)

Diagram components:

Authentication platform: AD FS 2.0 Server

Active Directory

Customer | Microsoft Online Services

Logon (SAML 1.1) Token: UPN:[email protected], Source User ID: ABC123

Auth Token: UPN:[email protected], Unique ID: 254729

(18)

PREPARING FOR IDENTITY FEDERATION

 High availability design for AD FS 2.0

 Every User must have a User Principal Name

 UPN suffix must match a validated domain in Office 365

[email protected] (preferably built to match e-mail address)
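The two flow slides above show AD FS issuing a SAML 1.1 logon token that carries the user's UPN and a Source User ID, and this slide requires every UPN suffix to match a domain validated in Office 365. The Python below is an added example, not code from the deck or from Microsoft: it applies the checks a relying party would run on such a token before trusting the federated logon, for either the passive or the rich-client flow, since both carry the same token. The claim types, the `urn:federation:MicrosoftOnline` audience, the base64 objectGUID form of the ImmutableID (the slide's Source User ID), the `contoso.com` domains and the token itself are assumptions and constructed data for illustration; verification of the token's XML signature is assumed to have happened first. The validated-domain check is what stops a federated identity provider from asserting identities in domains it does not own.

```python
"""Relying-party checks on a SAML 1.1 federation logon token (constructed example)."""
import base64
import binascii
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML1_NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}  # OASIS SAML 1.x namespace

# Claim types AD FS issues for Office 365 federation (assumed here; check your own claim rules).
UPN_CLAIM = "http://schemas.xmlsoap.org/claims/UPN"
IMMUTABLE_ID_CLAIM = "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"
EXPECTED_AUDIENCE = "urn:federation:MicrosoftOnline"  # assumed relying-party identifier

# Domains the tenant proved ownership of in the "Add Domain" step (constructed).
VALIDATED_DOMAINS = {"contoso.com", "corp.contoso.com"}

# Constructed stand-in for an objectGUID: ImmutableID is assumed to be its base64 form.
SAMPLE_IMMUTABLE_ID = base64.b64encode(bytes(range(16))).decode()


def make_token(upn, immutable_id=SAMPLE_IMMUTABLE_ID, audience=EXPECTED_AUDIENCE,
               not_before="2021-03-01T10:00:00Z", not_on_or_after="2021-03-01T11:00:00Z"):
    """Build a constructed, unsigned SAML 1.1 assertion shaped like an AD FS logon token."""
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
  MajorVersion="1" MinorVersion="1" AssertionID="_constructed-1"
  Issuer="http://sts.contoso.com/adfs/services/trust" IssueInstant="{not_before}">
  <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>{audience}</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="UPN" AttributeNamespace="http://schemas.xmlsoap.org/claims">
      <saml:AttributeValue>{upn}</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="ImmutableID"
        AttributeNamespace="http://schemas.microsoft.com/LiveID/Federation/2008/05">
      <saml:AttributeValue>{immutable_id}</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _ts(value):
    """Parse the UTC timestamps SAML uses (e.g. 2021-03-01T10:00:00Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_claims(token_xml):
    """Return (claims, conditions); claims maps the full claim type to its list of values."""
    root = ET.fromstring(token_xml)
    claims = {}
    for attr in root.iterfind(".//saml:Attribute", SAML1_NS):
        # SAML 1.1 splits a claim type into AttributeNamespace + "/" + AttributeName.
        ctype = attr.get("AttributeNamespace", "").rstrip("/") + "/" + attr.get("AttributeName", "")
        claims.setdefault(ctype, []).extend(
            (v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", SAML1_NS))
    cond = root.find("saml:Conditions", SAML1_NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    conditions = {
        "not_before": _ts(cond.get("NotBefore")),
        "not_on_or_after": _ts(cond.get("NotOnOrAfter")),
        "audiences": [(a.text or "").strip() for a in cond.iterfind(".//saml:Audience", SAML1_NS)],
    }
    return claims, conditions


def validate_logon_token(token_xml, now, validated_domains=VALIDATED_DOMAINS):
    """Return (ok, problems) for a token whose signature has already been verified."""
    if isinstance(now, str):
        now = _ts(now)
    problems = []
    claims, cond = parse_claims(token_xml)
    if not (cond["not_before"] <= now < cond["not_on_or_after"]):
        problems.append("token outside its validity window")
    if EXPECTED_AUDIENCE not in cond["audiences"]:
        problems.append("token not issued for the expected audience")
    upns = claims.get(UPN_CLAIM, [])
    if len(upns) != 1 or "@" not in upns[0]:
        problems.append("exactly one well-formed UPN claim is required")
    else:
        suffix = upns[0].rsplit("@", 1)[1].lower()
        if suffix not in validated_domains:  # the slide's validated-domain rule
            problems.append(f"UPN suffix '{suffix}' is not a validated domain")
    ids = claims.get(IMMUTABLE_ID_CLAIM, [])
    if len(ids) != 1:
        problems.append("exactly one source user ID (ImmutableID) is required")
    else:
        try:
            raw = base64.b64decode(ids[0], validate=True)
        except (binascii.Error, ValueError):
            raw = b""
        if len(raw) != 16:
            problems.append("ImmutableID is not a base64-encoded 16-byte objectGUID")
    return (not problems, problems)


if __name__ == "__main__":
    print(validate_logon_token(make_token("user1@contoso.com"), "2021-03-01T10:30:00Z"))
    print(validate_logon_token(make_token("user1@fabrikam.com"), "2021-03-01T10:30:00Z"))
```

The suffix comparison is case-insensitive, so a UPN issued as `USER1@CONTOSO.COM` still matches; a token for a domain the tenant never validated, an expired token, a wrong audience, or a malformed source user ID each produce a named problem instead of a silent rejection, which is what an operator reviewing federation logon failures needs.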

(19)

DEMO

Portal logon office 365

(20)

CENTRALLY MANAGED IDENTITIES AND ACCESS

(21)

PREINTEGRATED SAAS APPS IN THE APPLICATION GALLERY

(22)

AUTHENTICATION PROTOCOLS SUPPORTED

 OAuth 2.0

 OpenID Connect

 WS-Federation

 SAML 2.0

 Info: https://azure.microsoft.com/en-us/documentation/articles/active-directory-authentication-scenarios/

(23)

APPLICATION TYPES SUPPORTED

 Web applications using OAuth that need a shortcut in the apps portal of Azure

 Officially supported applications in the Azure gallery

 Applications accessible using application proxy (needs

(24)

ACCESS PANEL

 http://myapps.microsoft.com

 This is where users can discover the applications they have access to.

 Features of the Access Panel

Users can change the password associated with their organizational account.

Users can edit multi-factor authentication-related contact and preference settings.

Users can view details about their account.

 Needs a browser extension on first use

(25)

ACCESS PANEL FOR IOS 7 & ANDROID

 Provides SSO to Apps integrated with your Azure Active Directory

 Full parity with the web-based Application Access Panel

(26)

DEMO

Single Sign-On to Twitter using AAD

(27)

DIRECTORY SYNC – AZURE AD CONNECT

 Synchronizes users, groups, and contacts to Microsoft Azure Active Directory

 Users can have a different password in Microsoft Azure Active Directory than they have for on-premises

(28)

PREPARING FOR AZURE AD CONNECT

(29)

DEMO

Sync AD DS with AAD using Azure AD Connect

(30)

WHAT IS AZURE MULTI-FACTOR AUTHENTICATION?

 A stand-alone Azure Identity and Access management service

 Needs AAD Premium.

 Prevents unauthorized access to both on-premises and cloud applications by providing an additional level of authentication.

(31)

AND THE SECOND FACTOR IS

(32)
(33)

USER SETUP MFA

 User required to set up

 Also needed for password reset

(34)

DEMO

Logon with Multi-Factor Authentication

(35)

SELF RESET PASSWORD OPTIONS

1, ….

2, ….

3, ….

4, ….

5, ….

(36)

(MOBILE) DEVICE MANAGEMENT AND AAD

(37)

DEMO

Windows 10 AAD domain join

(38)

THANK YOU

WWW.REALDOLMEN.COM
