TRANSCRIPT
Extending Identity to the Cloud:
Choosing the Right Directory Integration Framework for Your Cloud Application Portfolio
Brian Desmond, Microsoft MVP for Directory Services
Collin Hachwi, IT Infrastructure Manager
Elias Terman, VP Product Marketing
Enterprises' Challenges with Cloud and Identity
Corporate Network and The Cloud:
• Managing users
• Signing into apps
• Securing and enabling mobile users
• Remote access to internal apps
• VPN
• Directory integration
• Analyzing usage
• Managing apps
• Preventing unauthorized access
OneLogin has 800+ paying customers in 44 countries across the globe
Industries: High Tech, Media, Healthcare, Industrial, Finance/Legal, Education, Services
How Companies Use OneLogin
• Employee Productivity: Eliminate passwords for employees and provide one-click access to their apps.
• Customer Service Portals: Let customers sign into sales and support apps with their social identity.
• Federation for partners: Establish trust relationships with partner identity providers.
• On-premise Integration: Bridge the gap between on-prem applications and identity providers – and the cloud.
OneLogin Enterprise Identity - Key Capabilities
• Single sign-on
• Directory Integration
• MFA
• Reporting
• Password Vaulting
• User Management
Global Enterprise-grade Infrastructure: Chicago, Dallas, Amsterdam, London
Local EU hosting conforms to developing EU data protection guidelines
Identity in the Cloud with Microsoft and Azure
Brian Desmond
Agenda
• Microsoft Azure Active Directory
• Federation with Active Directory Federation Services
• Identity and Office 365
Microsoft Azure Active Directory
• Microsoft’s strategy for identity in the cloud
• Identity repository for cloud applications
• Backing store for Office 365 services
• Single point of federation for applications
• Rapidly emerging self-service and application catalog functionality
• Available in free and premium editions
• Don’t confuse the brand with the features
  • Active Directory Domain Services (AD DS) and Azure Active Directory do not have feature parity
Microsoft Azure Active Directory Premium Edition
• Licensed per user under an Enterprise Agreement
• Five key feature areas:
  • Branding and Customization
  • Group/Role Based Access Control
  • Self Service Password Management
  • Multi-Factor Authentication
  • Enhanced Security Reporting and Analytics
• Factor in these capabilities versus your business and technical requirements as you evaluate the free edition
Azure Active Directory Architecture
Active Directory Federation Services
• AD FS is the bridge from on-premises to the cloud
  • You can federate each individual application with AD FS
  • You can also just federate with AAD and then federate each application with AAD
• Supporting AD FS will require some new skills
  • Interpreting HTTP traces is critical
  • Understanding federation protocols like SAML
• The availability of your cloud services will never be greater than that of your identity infrastructure
AD FS Infrastructure Considerations
• Consider your high availability requirements for AD FS
  • What infrastructure will you need to deploy?
  • What teams will you depend on to meet your goals?
• Single site and multiple site options are common
• Networking and DNS dependencies are key
  • Highly available SQL Server may also be required
Highly Available Single Site ADFS Deployment
Diagram: Enterprise Network containing Active Directory and two AD FS Servers; DMZ containing two Web Application Proxies behind an NLB.
Highly Available Multi Site ADFS Deployment
Diagram: Site A and Site B, each with an Enterprise Network (Active Directory, two AD FS Servers) and a DMZ (GLB and NLB in front of two Web Application Proxies); each site has a SQL Server Cluster, with SQL Mirroring between the sites.
Prerequisites for Office 365 (and AAD)
• Azure Active Directory is foundational to Office 365
• Synchronize your Active Directory forest to AAD
  • Microsoft’s Directory Synchronization appliance takes care of this
  • Multi-forest topologies will require custom integration
• Establish federation with AD FS
  • Password synchronization is also an option
• Ensure your infrastructure can deliver the SLAs you need to be successful with Office 365
The Big Picture
• Cloud applications and services are rapidly becoming the mainstream
  • Your IT organization needs to evolve to respond to this shift
• Identity management is a critical component of the cloud picture
  • Federation is a technology you must be on top of
• The tools and services IT must operate to run successfully in the cloud are new and evolving
  • You will need to adapt both in skills and service sets to succeed as an enabler
• Don’t discount the cost and complexity of new on-premises infrastructure
www.disys.com © 2013 Digital Intelligence Systems, LLC.
Office 365 and OneLogin
Collin Hachwi, IT Infrastructure Manager
Digital Intelligence Systems, LLC
• Global Services and Staffing
• 650+ employees and 4,000 consultants
• Offices throughout the US, Brazil, Asia and Europe
Digital Intelligence Systems, LLC
User Environment
• Increasing use of Cloud Apps: Office 365, BMC Remedyforce, Concur
• 4,650 Users – personal devices, mobile access, 24/7, 20% YOY growth in users
• Demanding and knowledgeable sales force
IT Environment
• Datacenter
• 5 person team with 50 simultaneous projects
• Two Active Directory Instances
• Opening 3 or 4 new offices per year
Time to Federate!
Office 365 – Time to Federate
Requirements
• Real-time directory integration
• Quick provisioning and deprovisioning
• Compliance reporting
• Secure, easy to manage solution
• Ability to go beyond Office 365
• 99.99% uptime SLA
Office 365 – Time to Federate with ADFS?
ADFS Overhead
• 4 Servers: Compute, Storage & Licensing
• On-going maintenance & support
• Impact on disaster recovery & backup
• Specialized skills
• Clunky, too many components
Limited Functionality
• No reporting
• Not real time
• No security policies
• No integrated MFA
• No integration with Google Directory
• No support for form-based apps
• No provisioning with entitlements
• No mobile support
…but the biggest consideration was time
Office 365 – Time to Federate
ADFS timeline (months 1 to 12 and beyond): Prepare, Plan, Deploy Infrastructure, Test, Finalize Federation, Ongoing Maintenance and Support
Office 365 – Time to Federate
OneLogin timeline: Prepare 2 hr, Plan 2 hr, Finalize Federation 30 min, Test 30 min
OneLogin – Provisioning with Entitlements
OneLogin – Desktop SSO
• Automatic sign-on within corporate network
• One less step for end users
OneLogin – MFA Policies
• Supported without any special hardware or software
OneLogin - Assume User
OneLogin – Real-time de-provisioning
• Do it once
• All access to corporate data and apps is immediately removed
• Never over or under subscribed for apps
Recommendations
• Have a plan
• Lay out your groups and policies beforehand
• Identify your reporting and security environment
Do More
• Team is working on new business solutions
• Saved time and money
• Use anywhere on any device
• MFA support
• With subscription services, you are never under or over provisioned
• More than just Office 365