single sign on with active directory federation in office 365/sharepoint online

© Magenic Technologies, Inc. 2011 Confidential and Proprietary Information

Single Sign on with Active Directory Federation in Office 365/SharePoint Online

1

Presented by: Amit Chachra, Principal Lead Consultant with MagenicAllen Yu, Senior Systems Engineer with WCIRB of California


Agenda• Office 365 Identity

– Identity Management Overview

– Identities for Microsoft Cloud Services

– Core Identity Scenarios with Office 365

• Directory Sync with Password Sync

• ADFS 2.0

– High Availability and Highly Resiliency

• Single Sign On Experience

– Demo

• Tips, Tricks and Best Practices for configuring ADFS with Office 365

• References

2


OFFICE 365 IDENTITY MANAGEMENT

3


What is Identity Management• Identity management deals with identifying

individuals in a system and controlling access to the resources in that system

• Integral components of identity and access management

– Authentication (Verifies who you are)Verifying that a user, device, or service such as an application provided on a network server is the entity that it claims to be

– Authorization (Verified what you are authorized to do)Determining which actions an authenticated entity is authorized to perform on the network

4


Identities for Microsoft Cloud Services

5

UserMicrosoft Account e.g.

[email protected] or [email protected] User

Organizational AccountEx: [email protected]

Microsoft Account Organizational Account

mailto:[email protected]

mailto:[email protected]


Cloud vs. Federated Identity

6

Cloud Identity

• Separate credential from corporate credential

• Authentication occurs via cloud directory service

• Password policy stored in Office 365

Federated Identity

• Same credential as corporate credential

• Authentication occurs via on-premises Active Directory service

• Password policy is stored on-premises

• Requires Directory Synchronization


Common Identity platform for Organizational Accounts

7

Windows Azure Active Directory is the underlying identity platform for various cloud services that use Organizational Accounts

Directorystore

Authentication platform

Windows Azure Active Directory


Core Identity Scenarios with Office 365

8

Cloud Identity

no integration to on-premises directories

Directory & Password

Synchronization*

Integration without federation*

Federated Identity

Single federated identity and credentials


Identity Usage Scenarios

9

Cloud Identity Cloud Identity + DirSync Federated Identity*Scenario • Smaller organizations

without on-premises Active Directory

• Medium to large organizations with Active Directory on-premises

• Large enterprise organizations with Active Directory on-premises

Pros • Doesn’t require on-premises server deployment

• “Source of Authority” is on-premises

• Enables co-existence

• Single Sign-on experience

• “Source of Authority” is on-premises

• Enables co-existence

Cons • No Single Sign-on• No Two factor authentication

options• 2 sets of credentials to

manage with potentially different password policies

• No Single Sign-On• No 2-Factor Authentication

options• 2 sets of credentials to

manage with potentially different password policies

• Requires on-premises server deployment

• Requires on-premises server deployment in high availability scenario


Prepare your Environment

• Active Directory Attribute Cleanup– Minimum - User Name, First Name, Last Name, and

Display Name– Unsupported characters - Space ( ) @ ‘ | = ? /

• Only routable domains can be used with ADFS deployment – Non-routable domains: .local - .loc - .internal

• Domain must be added and ownership verified• If organization has AD with only internal namespace, it must:– Add a routable UPN suffix in Active Directory Forests and

Trusts.– Configure each user with that routable UserPrincipalName

10


SSL Certificates

• Why SSL certificates?– SSO experience; ActiveSync

– Secure communications

– Auto-discover the Exchange Server

• Certificates required for these Office 365 components:– Exchange on-premises

– Single sign-on (for both the ADFS federation servers and ADFS federation server proxies)

– Auto-discover, Outlook Anywhere, Exchange ActiveSync, and Exchange Web Service (EWS)

– Exchange hybrid server

11


Network and Hardware Considerations• Ports and Protocols

– Identify the port/protocol requirements for Active Directory, SharePoint, Lync, Exchange, and migration scenarios

• Firewall Considerations– Accept connections based on wildcard domain names

• Proxy Device Considerations– Allow connections from Microsoft Online Services– URLs

• WAN Accelerators– Test and optimize your WAN accelerated proxy device(s)

• Hardware and Software Load-Balancing Devices– These are required for single sign-on and Exchange hybrid

deployments• Test and optimize your load-balancing device(s)

12


DirSync• Application that synchronizes on-premises Active Directory with Office 365• x64 application based on FIM• Designed as an appliance: “Set it and forget it”• Entire Active Directory forest is scoped for synchronization• What is synchronized?• All user objects• All group objects• Mail-enabled contact objects• Passwords (if you opt to sync passwords too)• Synchronization is from on-premises to Office 365 only • Synchronization occurs every 3 hours

13


Single Sign On – Server Requirements• Windows Server 2008/2008 R2 or Windows Server 2012• PowerShell• Web Server (IIS)• .NET 3.5 SP1• Windows Identity Foundation• Publicly registered domain name• SSL Trusted Public Certificates• Windows Azure Active Directory Module for Windows PowerShell

– Microsoft Online Sign In Assistant• High-availability design

14


Deploying ADFS 2.0 for SSO• Deploy ADFS Server

• Deploy ADFS Server Proxy

15

AD FS 2.x Server• Default topology for Office 365 is an AD

FS 2.x federation server farm that consists of multiple servers hosting your organization’s Federation Service

• Recommend using at least two federation servers in a load-balanced configuration

AD FS 2.x Proxy Server• Federation server proxies are used to

redirect client authentication requests coming from outside your corporate network to the federation server farm

• Federation server proxies should be deployed in the DMZ


Preparing to deploy ADFS

16

Active Directory running in Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2 with a functional level of mixed or native mode

AD FS 2.x deployed on Windows Server 2008/R2 or Windows Server 2012AD FS 2.x Proxy deployed, if some users are connecting from outside the company’s networkWindows Azure Active Directory Module for Windows PowerShell to establish a trust with Office 365

Required updates installed for Office 365

A unique third-party certificate when installing and configuring federation servers and federation server proxies


ADFS Certs• Service communication certificate

– AD FS uses this certificate to enable HTTPS which is a requirement for traffic to and from the federation server and federation server proxies ( to secure communication) So it is basically a SSL certificate which needs to be installed on the IIS for each federation server and federation server proxy

• Token signing certificate– AD FS uses this certificate to digitally sign outgoing AD FS tokens. This is not

used to secure data but in fact it is used to ensure the integrity of the security tokens as they pass between the federation servers and application server via the client computer.

• Token decrypting certificate– AD FS 2.0 and above has the ability to encrypt the contents of the AD FS

tokens. This is in addition to having these tokens signed by the server's token signing certificate.

17


ADFS solution

18


Federation using PowerShellCommand Description$cred=Get-Credential Prompt for Office 365 credentials and

store them in a variableConnect-MsolService –Credential $cred Connect to Office 365 using stored

credentialsSet-MSOLAdfscontext -Computer <AD FS 2.x primary server>

Specify the local AD FS 2.x Server

Convert-MSOLDomainToFederated –Domainname <domain.com>

Convert the standard local domain to an Identity Federated Domain

Get-MSOLFederationProperty Show Identity Federation Proprieties

19


ADFS Farm Architecture – WID vs. SQL

20

WID Advantages WID Disadvantages

Very easy to setup and implement Supports up to five federation servers in a farm

Load balancing and fault tolerance is possible if setup as a farm.

SAML artifact resolution and SAML/WS-Federation token replay detection feature is not available

Supports multiple Federation Servers in a farm (limits to 5 federation server in a farm)

It is not supported if there is more than 100 claim trust providers trust or more than 100 relying party trusts.


ADFS Farm Architecture – WID vs. SQL contd…

21

SQL Advantages SQL DisadvantagesSupports multiple federation servers (not subject to the limitation of WID)

Additional setup complexities. Require PowerShell to install it

Load balancing and fault tolerance SQL cluster introduces another potential point of failure

Easily Scalable SQL server must be performing well to service requests


ADFS High Availability and High Resiliency

22


Single Sign On Experience Demo

23


TIPS, TRICKS AND BEST PRACTICES FOR ADFS WITH O365

24


OnRamp tool• OnRamp tool may give you errors

and warnings which might not be applicable to your configuration. In most cases, you can ignore these errors and continue with ADFS Set up.

25


OnRamp tool

26


DirSync Tool InstallDirSync tool installation may fail the first time when you run the installer in Windows Server 2012. Logs mention that a local security group (FlMSyncAdmins) is configured on the system during the installation, but the user doesn't have rights for that group membership because the user needs to log off.

27


DirSync Tool Re-Install

28

Uninstall DirSync tool, Reboot the system afterwards and rerun the installation. This time it should go through and locate the existing FIM groups created in first run of the install and will successfully complete the installation.


Dedicated “Service” Account in O365 for DirSyncUse a dedicated Microsoft cloud identity account as a “service” account (global administrator) for DirSync. By default, Azure automatically requires a password update every 90 days, but we should turn off the Password expiration for this account using Windows Azure Active Directory Module for Windows PowerShell, otherwise DirSync will break every 90 days.

Set-MsolUser -UserPrincipalName [email protected] -PasswordNeverExpires $true

29


Understand the Rollback mechanism (unfederation)Understand how un-federation works and how and what does it affect in O365 and in your underlying Active Directory.

30


UnfederationConvert-MSOLDomainToStandard –DomainName mydomain –SkipUserConversion $false -PasswordFile c:\temp\userpasswords.txt

The password file stores all the temporary passwords assigned to the user accounts after federation is removed.

31


Plan ahead to test the configuration with a trial version

• No easy way to do a trial of federation in Office 365, so plan ahead on testing with a trial version of O365, a test domain and dedicated test infrastructure.

• It is strongly recommended to test it before you federate your production domain with O365.

32


Tips and Tricks for ADFS setup contd…• For full single sign on experience you need to implement a split DNS

configuration so that external users are treated differently from internal users on the corporate network for security reasons.

• It is strongly recommended to use a public facing SSL certificate for configuring Outlook clients using Microsoft autodiscover.

• Office 365 Single Sign On experience works best with Internet Explorer. Other browsers may have varying experience.

• You must set a group policy to have the federation service URL in the Local Intranet sites in IE. This is to allow IE’s windows integrated authentication to work seamlessly with ADFS.

• Make sure you validate that the documentation you got on internet sites (sometimes even TechNet) is currently applicable to the Office 365 version you are working with.

• Use the GUI tool Synchronization Service Manager after you have installed DirSync to monitor the synchronization.

33


References• Checklist: Setting Up a Federation Server• Windows Server 2012 AD FS Deployment Guide• FAQ on ADFS • AD FS Troubleshooting• Converting from SSO domain to Non-Federated

34

http://technet.microsoft.com/en-us/library/dd807086.aspx



http://blogs.technet.com/b/askpfeplat/archive/2013/07/22/faq-on-adfs-part-1.aspx

http://support.microsoft.com/kb/2392130

http://community.office365.com/en-us/forums/613/t/177708.aspx


Questions?

35

single sign on with active directory federation in office 365/sharepoint online

Documents