Provide Identity...to Office 365 & Beyond

Sponsored by

Shops around the world are increasingly turning to Office 365, Microsoft's cloud-based offering for email, instant messaging, and collaboration. A key part of making those applications work is providing the ability for those organizations to seamlessly use their existing identity systems (e.g., Active Directory, AD) to authenticate to Office 365 and other Software as a Service (SaaS) applications. The single sign-on (SSO) experience to these applications is expected to just work. However, identity integration can be complex. Key features, such as multi-factor authentication (MFA) and advanced authorization rules, require the right set of technologies and the right configuration to work correctly. In this whitepaper, we'll discuss the challenges around identity integration and talk about how products from both Microsoft and Ping Identity can add value to and simplify the identity experience in Office 365.

Office 365 & Identity Integration Basics

In most organizations, users want to log on to their PC or web browser only once to access email, instant messaging, or Microsoft SharePoint sites. They are not interested in having to maintain separate user credentials for each application or enter a password each time they open Outlook or start an Outlook Web Access session. The applications should just work.

A key part of making the applications just work is the integration of identity between an on-premises identity provider (IdP) such as AD and Microsoft's cloud-based identity infrastructure, which is called Microsoft Azure AD. Microsoft supports a variety of scenarios for providing this SSO experience. Each scenario requires two main components:

1. Directory Synchronization (DirSync) between the on-premises IdP and the Azure AD instance used for the Office 365 subscription. This is the identity provisioning piece of the puzzle.
2. Authentication of user credentials to the IdP. This is the federation piece of the puzzle.

Note that Microsoft also supports synchronization of user passwords (or more precisely, password hashes) between an on-premises AD system and Azure AD. In this scenario, federation is not required because Azure AD acts as the authentication point for users. The on-premises AD system is simply the system of record for user accounts. It is not actively used to authenticate Office 365 users. This scenario is mostly used by smaller organizations that do not want to be in the business of managing and maintaining a federation infrastructure and do not mind using password hash synchronization.

Figure 1 shows the basic structure of this two-part identity integration with Office 365.

Figure 1: Integrating an On-Premises AD System with Office 365 (components shown: Office 365, Azure AD, directory synchronization, federation server, Active Directory)

In this figure, the user attempts to authenticate to Office 365 (by means of a client like Outlook or Outlook Web Access) using his or her corporate credentials. Office 365 and Azure AD redirect the request to a federation server, such as a server running Microsoft's Active Directory Federation Services (ADFS) or Ping Identity's PingFederate or PingOne product. The federation server validates the user on behalf of the IdP (in this case, the on-premises AD system) and passes information about that validation back to Office 365. In terms of the protocols used for this federation handshake, both ADFS and PingFederate support the most common federation protocols, including Security Assertion Markup Language (SAML) 2.0, the WS-* set of standards (e.g., WS-Trust, WS-Federation), and OAuth 2.0.

In this scenario, ADFS is an on-premises federation server, capable of providing authentication services to Office 365 users. PingFederate, Ping Identity's on-premises federation server, provides a similar set of services. PingOne is Ping Identity's cloud-based federation service that provides what is referred to as Identity as a Service (IDaaS). Essentially, PingOne provides the basic authentication services that an on-premises federation server provides, but within the cloud, with all the availability and manageability advantages that the cloud provides. It is also worth noting that PingOne and PingFederate can work with ADFS if you already have that platform in place. In this situation, PingOne and PingFederate provide additional identity provisioning and federation services on top of what ADFS provides.

Account Provisioning

In addition to providing authentication services, an identity integration solution must synchronize user, group, and contact information between the on-premises AD system and Azure AD. This allows the authorization piece of Office 365 access to be done by Azure AD. In addition, Office 365 applications such as Microsoft Exchange Server and Microsoft Lync leverage data held in Azure AD for their proper functioning. This data includes email addresses and Session Initiation Protocol (SIP) addresses, which are typically held in AD attributes.

There are numerous ways this synchronization, which is also known as provisioning, can be accomplished. Microsoft includes a basic provisioning capability called DirSync within Office 365. Upcoming provisioning technologies include Azure AD Sync (the eventual successor to DirSync) and the Azure AD Graph application programming interface (API). The Azure AD Graph API programmatically populates Azure AD objects. Third-party products, such as PingFederate, can also provide provisioning services. Each of the Microsoft provisioning solutions has a set of capabilities and limitations that must be considered. For example, DirSync has the following capabilities and limitations:

- Synchronizes users, groups, and contacts
- Provides only one-way synchronization (from the on-premises AD system to Azure AD)
- Supports synchronizing only a single on-premises AD forest
- Synchronizes 150 attributes with the on-premises AD forest (this number is not configurable)
- Requires Microsoft SQL Server
- Does not support active failover of the on-premises DirSync server (requires downtime to fail over to a cold standby)

In the near future, Microsoft will be shipping a new subscription-based upgrade to Azure AD called Azure AD Premium. This new version will likely include Azure AD Sync, which provides a few more features beyond what DirSync offers. For example, Azure AD Sync:

- Provides the ability to control which attributes are synchronized with the on-premises AD forest
- Supports synchronizing multiple on-premises forests
- Supports attribute mapping rules
- Supports other on-premises directories, such as a Lightweight Directory Access Protocol (LDAP) directory, a SQL Server database, or a comma-separated value (CSV) directory

There are certain scenarios where you might need to populate Azure AD from a source other than an on-premises AD instance. For example, many large organizations might have other authoritative sources containing identity information (e.g., another LDAP directory, an HR system backed by a database). Unfortunately, the current built-in DirSync capabilities only support synchronization from AD (and currently from a single AD forest, although that is changing with Azure AD Sync). In those scenarios, a product like PingFederate can replace and augment the native DirSync capability with support for more types of IdPs. When using PingFederate for directory synchronization, the basic identity-integration structure looks like that in Figure 2. As you can see, identity information can come from a variety of on-premises sources, providing more flexibility for the information that you synchronize with Azure AD.
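The provisioning step described above (attribute mapping rules, a configurable synced attribute set, multiple on-premises sources, one-way reconciliation) as an added illustration; this is not DirSync, Azure AD Sync, or PingFederate code. The source records, the "sourceAnchor" key, and the UPN suffix are constructed for the example; the AD attribute names are the ones the text mentions.

```python
from typing import Callable, Dict, List, Tuple

# Constructed sample records from two on-premises sources (not real data).
AD_FOREST = [
    {"objectGUID": "guid-0001", "sAMAccountName": "marcia",
     "displayName": "Marcia Lee", "department": "Marketing",
     "proxyAddresses": ["smtp:m.lee@corp.example", "SMTP:marcia@corp.example"],
     "msRTCSIP-PrimaryUserAddress": "sip:marcia@corp.example"},
]
HR_DATABASE = [
    {"employee_id": "E1002", "login": "rkumar", "first": "Ravi", "last": "Kumar",
     "email": "ravi.kumar@corp.example", "dept": "Finance"},
]

UPN_SUFFIX = "corp.example"   # constructed; stands for the domain verified in the tenant


def primary_smtp(proxy_addresses: List[str]) -> str:
    """The primary mail address is the proxyAddresses entry with the uppercase 'SMTP:' prefix."""
    for entry in proxy_addresses:
        if entry.startswith("SMTP:"):
            return entry[len("SMTP:"):]
    raise ValueError("no primary SMTP address")


# Attribute mapping rules: target attribute -> function of the source record.
MappingRules = Dict[str, Callable[[dict], object]]

AD_RULES: MappingRules = {
    "sourceAnchor": lambda r: "ad:" + r["objectGUID"],          # immutable join key (hypothetical)
    "userPrincipalName": lambda r: f'{r["sAMAccountName"]}@{UPN_SUFFIX}',
    "displayName": lambda r: r["displayName"],
    "mail": lambda r: primary_smtp(r["proxyAddresses"]),
    "proxyAddresses": lambda r: sorted(r["proxyAddresses"]),
    "sipAddress": lambda r: r["msRTCSIP-PrimaryUserAddress"],
    "department": lambda r: r["department"],
}
HR_RULES: MappingRules = {
    "sourceAnchor": lambda r: "hr:" + r["employee_id"],
    "userPrincipalName": lambda r: f'{r["login"]}@{UPN_SUFFIX}',
    "displayName": lambda r: f'{r["first"]} {r["last"]}',
    "mail": lambda r: r["email"],
    "department": lambda r: r["dept"],
}

# The attribute set that is actually synchronized (configurable here, unlike DirSync's fixed set).
SYNCED_ATTRIBUTES = {"userPrincipalName", "displayName", "mail", "proxyAddresses", "sipAddress"}


def map_record(record: dict, rules: MappingRules, synced: set) -> Dict[str, object]:
    """Apply the mapping rules, keeping the anchor plus only the attributes selected for sync."""
    mapped = {attr: fn(record) for attr, fn in rules.items()}
    return {k: v for k, v in mapped.items() if k == "sourceAnchor" or k in synced}


def desired_state(sources, synced=SYNCED_ATTRIBUTES) -> Dict[str, Dict[str, object]]:
    """Merge every (records, rules) source into one view keyed by sourceAnchor."""
    state: Dict[str, Dict[str, object]] = {}
    for records, rules in sources:
        for record in records:
            obj = map_record(record, rules, synced)
            state[obj["sourceAnchor"]] = obj
    return state


Operation = Tuple[str, str, Dict[str, object]]   # (verb, anchor, attributes)


def plan_sync(desired, cloud) -> List[Operation]:
    """One-way reconciliation: on-premises is authoritative; cloud-only attributes are left alone."""
    ops: List[Operation] = []
    for anchor, want in desired.items():
        have = cloud.get(anchor)
        if have is None:
            ops.append(("create", anchor, want))
            continue
        changed = {k: v for k, v in want.items() if k != "sourceAnchor" and have.get(k) != v}
        if changed:
            ops.append(("update", anchor, changed))
    for anchor in cloud:
        if anchor not in desired:
            ops.append(("disable", anchor, {}))   # object gone from the source: disable, do not hard-delete
    return ops
```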

Figure 2: Using PingFederate for Directory Synchronization (components shown: Office 365, Azure AD, directory synchronization, PingFederate, Active Directory, LDAP directory, database)

Now that we've laid out the basic flow of identity integration with Office 365, let's look at some more interesting scenarios concerning authentication and authorization.

Authentication and Authorization Scenarios

Federation standards differentiate between the types of clients that users use to access an application. In the context of Office 365, this would be the difference between using Outlook Web Access (a web-based application that is referred to as a passive federation client) and Microsoft Outlook (a full-featured client application that is referred to as an active federation client). The reason for this differentiation is that there are different interaction requirements between the client application, the service provider (Office 365 and Azure AD), and the IdP, depending on the client type. The federation server must be able to provide SSO to both types of clients. Both ADFS and PingFederate support these two client modes.

Regardless of the client type, a key consideration for client authentication is the requirement to provide MFA to access Office 365 applications. Many organizations require a second authentication factor either when the user is external to the organization or in all cases. Support for MFA is built into both Office 365 and PingFederate. Office 365 support is primarily focused on providing MFA to that platform. Within the Office 365 Admin Portal, it provides features such as:

- Ability to administratively enforce MFA for groups of users
- Use of mobile phone, phone call, or Short Message Service (SMS) text as a second factor
- Support for application passwords for non-browser clients (e.g., Outlook and Lync)

Third-party identity integration solutions often provide options for MFA beyond Office 365. For example, PingFederate supports adapters to such MFA providers as Google Authenticator's Time-based One-Time Password (TOTP), Microsoft PhoneFactor, RSA SecurID, and Symantec Validation and ID Protection Service (VIP).

Authorization Rules

Before we talk about authorization at the federation server, let's talk a bit more about how the IdP interacts with the application that the user is trying to access. First, some terminology is in order. We talked about the federation server being the IdP. The SaaS application that a user is trying to access is called the relying party (RP), because it is relying on the IdP to authenticate the user's request to access it. Office 365 is an example of an RP. The IdP generates a claim to pass to the RP. The claim says, "I stand by the user who is trying to access your application; that person is who he or she claims to be." Those claims often contain information about the user. This information gets passed to the RP so that the RP can make its own authorization decisions about the user trying to access the application.

As we increasingly move into a bring your own device (BYOD) world, where all sorts of devices located on all sorts of networks will be accessing corporate applications, it becomes increasingly important to have context around that access. Context means knowing who your users are, where they are coming from, and making authorization decisions based on that context.

What does this mean in practice? Here is a scenario that might be familiar to everyone. Let's say you have a SharePoint site residing in Office 365 that contains confidential documents about your company's future plans. Marcia, who works in the marketing department, has access to these documents from her PC at work by virtue of her AD account and the security groups to which she belongs. But let's say Marcia is working from home and wants to access, download, and work on those documents from her Apple iPad. That may or may not be a good thing, depending on your company's policy about such documents leaving the four walls of the organization. You might want to provide conditional authorization to those documents. For example, this authorization might be based on the IP address of the device that is authenticating to Azure AD or the client operating system from which the authentication is being performed (e.g., iOS is off limits, but Windows and Mac OS are fine).

Contextual authorization for SaaS applications in general and Office 365 in particular can be implemented at the point of authentication. In this scenario, it can be implemented at the federation server. Both ADFS and PingFederate support contextual authorization and claim rules, each with its own capabilities. ADFS supports the ability to create claim rules that transform, allow, or deny access to an application based on specified criteria. The criteria are usually defined using AD-based attributes on the user object. PingFederate supports a variety of additional rules for IP addresses, client types, and more. Thus, you can create rules that, for example, prevent users from getting access to Office 365 if they are on a mobile device or coming from a particular IP address range. These capabilities give you additional flexibility in controlling access to Office 365 and other SaaS applications, depending on the user's context.
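The contextual authorization described in this section (group-based entitlement, the iOS restriction on confidential SharePoint content, an IP range block, and step-up MFA for external users) as an added illustration of what a federation server evaluates before issuing a token; it is not the claim rule language of ADFS or PingFederate. The address ranges, group names, and relying party names are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    REQUIRE_MFA = "require_mfa"   # step-up: a second factor must be satisfied first


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset            # AD security groups on the user object
    source_ip: str               # address the request reaches the federation server from
    client_os: str               # "Windows", "macOS", "iOS", ...
    client_type: str             # "passive" (browser) or "active" (rich client such as Outlook)
    relying_party: str           # application being accessed, e.g. "sharepoint-confidential"
    mfa_completed: bool = False  # second factor already satisfied in this session


# Constructed sample address ranges (RFC 5737 documentation space); replace with your own.
CORPORATE_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]
BLOCKED_NETWORKS = [ip_network("198.51.100.0/24")]

# Which AD group is entitled to which relying party (constructed mapping).
ENTITLEMENTS = {
    "office365": "O365-Users",
    "sharepoint-confidential": "Marketing",
}


def in_any(ip: str, networks) -> bool:
    """True if the address falls inside any of the given networks."""
    addr = ip_address(ip)
    return any(addr in net for net in networks)


Rule = Callable[[AccessRequest], Optional[Decision]]


def rule_entitlement(req: AccessRequest) -> Optional[Decision]:
    """Deny unless the user is in the group that grants the relying party."""
    required = ENTITLEMENTS.get(req.relying_party)
    if required is None or required not in req.groups:
        return Decision.DENY
    return None


def rule_blocked_network(req: AccessRequest) -> Optional[Decision]:
    """Deny any request from a blocked IP range, regardless of the user."""
    return Decision.DENY if in_any(req.source_ip, BLOCKED_NETWORKS) else None


def rule_confidential_no_ios(req: AccessRequest) -> Optional[Decision]:
    """Confidential SharePoint content may not be opened from iOS devices."""
    if req.relying_party == "sharepoint-confidential" and req.client_os == "iOS":
        return Decision.DENY
    return None


def rule_external_needs_mfa(req: AccessRequest) -> Optional[Decision]:
    """Outside the corporate network a second factor is required."""
    if not in_any(req.source_ip, CORPORATE_NETWORKS) and not req.mfa_completed:
        return Decision.REQUIRE_MFA
    return None


POLICY: List[Rule] = [
    rule_entitlement,
    rule_blocked_network,
    rule_confidential_no_ios,
    rule_external_needs_mfa,
]


def authorize(req: AccessRequest, policy: List[Rule] = POLICY) -> Decision:
    """Evaluate every rule: any DENY is final, then any MFA step-up, otherwise ALLOW."""
    outcomes = [rule(req) for rule in policy]
    if Decision.DENY in outcomes:
        return Decision.DENY
    if Decision.REQUIRE_MFA in outcomes:
        return Decision.REQUIRE_MFA
    return Decision.ALLOW


def issue_claims(req: AccessRequest) -> Optional[Dict[str, object]]:
    """Claim set the IdP would hand to the RP, or None when no token is issued."""
    if authorize(req) is not Decision.ALLOW:
        return None
    return {
        "sub": req.user,
        "groups": sorted(req.groups),
        "amr": ["pwd", "mfa"] if req.mfa_completed else ["pwd"],   # authentication methods used
        "client_type": req.client_type,
        "network": "internal" if in_any(req.source_ip, CORPORATE_NETWORKS) else "external",
    }
```

The RP receives the context ("network", "amr", "client_type") inside the claims, so it can layer its own authorization on top of the federation server's decision.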
At the end of the day, in a BYOD world, a user's identity (i.e., a user's AD credentials or something similar) is the only piece of information you can hang your hat on. Being able to create additional rules that control the user's access to an application based on his or her context, that is, based on where the person is and the device from which he or she is accessing the application, is also incredibly valuable.

Moving Beyond Office 365

So far in this whitepaper, we have covered how to integrate an on-premises AD system with Office 365 and Azure AD. Let's take a step back and look at the wider world of identity federation within the typical organization.

Office 365 is but one application to which users need SSO access within a typical organization. If you extend the picture to internal web applications running on heterogeneous platforms, you quickly find value in having a solution that allows SSO to all of these applications, regardless of their native identity model. This is where products like PingFederate can shine. PingFederate provides a set of adapters and libraries that allow you to integrate (through code or plugins) SSO features into your on-premises applications, just as you would integrate SaaS applications in the cloud. These adapters include support for:

- LDAP v3 directories
- Custom .NET, Java, and Hypertext Preprocessor (PHP) applications
- Existing web access management applications such as Oracle Access Manager, CA SiteMinder, and IBM Tivoli Access Manager
- X.509 certificates
- Social cloud identities such as Google, Twitter, and LinkedIn
- Incoming partner IdPs

In these scenarios, PingFederate acts as the IdP. Thus, you get all the MFA and authorization rule benefits mentioned previously when providing SSO to internal applications. PingFederate also provides a connector that allows social identities to provide authentication for internally developed applications, making it easier for external users to access those applications. For example, you can integrate Google social identities into an Internet-facing corporate application, as shown in Figure 3.

Figure 3: Integrating Google social identity into Internet-facing corporate applications (components shown: PingFederate, corporate application)

In addition, PingFederate can add value to your corporate applications by allowing providers that speak open, standards-based identity protocols (e.g., OpenID, OAuth, OpenID Connect) to be used as IdPs for your applications. So, users or businesses that leverage social identities like those from Facebook, Google, or Microsoft can be granted access to your corporate applications through PingFederate. This opens up many options for exposing your applications to much wider audiences than before, without having to be in the business of being an identity provider for those users. Essentially, you are trusting those social identity providers to maintain the user's identity (and its integrity), and you are allowing users access to your applications based on that trust. Although this pattern is just beginning to take hold in the typical enterprise application world, it is flourishing in the online social world. Some social applications don't keep any user identity information at all. Instead, they rely on these open standards and public IdPs to do the heavy lifting of managing user identities.

Summary

Office 365 is often the first experience organizations have with cloud identity integration. Microsoft provides a number of options (DirSync, password hash synchronization, and federation) to integrate on-premises AD identities with Azure AD and Office running in the cloud. Although these solutions are often a good starting point, they might not be able to accommodate moderately complex integration scenarios. Ping Identity products give you more options for integrating with Office 365 because they embrace open standards (e.g., SAML) and allow multiple application and directory platforms. As an organization's identity federation needs grow beyond just Office 365 access, it becomes increasingly important to plan a cloud identity strategy that is flexible enough for the heterogeneous application world in which we live. Products such as PingFederate and PingOne give you many options when it is time to expand your cloud identity world beyond Office 365. They can provide you with a flexible set of technologies for accommodating applications and standards such as OpenID, OAuth, and OpenID Connect.


More information

WHITEPAPER. NAPPS: A Game-Changer for Mobile Single Sign-On (SSO)

WHITEPAPER. NAPPS: A Game-Changer for Mobile Single Sign-On (SSO) WHITEPAPER NAPPS: A Game-Changer for Mobile Single Sign-On (SSO) INTRODUCTION The proliferation of mobile applications, including mobile apps custom to an organization, makes the need for an SSO solution

More information

HOW MICROSOFT AZURE AD USERS CAN EMPLOY SSO

HOW MICROSOFT AZURE AD USERS CAN EMPLOY SSO E-Guide HOW MICROSOFT AZURE AD USERS CAN EMPLOY SearchSecurity HOW MICROSOFT AZURE AD USERS CAN EMPLOY T echnology journalist David Strom explaims how to use Azure Active Directory and Azure Multifactor

More information

Only LDAP-synchronized users can access SAML SSO-enabled web applications. Local end users and applications users cannot access them.

Only LDAP-synchronized users can access SAML SSO-enabled web applications. Local end users and applications users cannot access them. This chapter provides information about the Security Assertion Markup Language (SAML) Single Sign-On feature, which allows administrative users to access certain Cisco Unified Communications Manager and

More information

Integrating Single Sign-on Across the Cloud By David Strom

Integrating Single Sign-on Across the Cloud By David Strom Integrating Single Sign-on Across the Cloud By David Strom TABLE OF CONTENTS Introduction 1 Access Control: Web and SSO Gateways 2 Web Gateway Key Features 2 SSO Key Features 3 Conclusion 5 Author Bio

More information

HP Software as a Service. Federated SSO Guide

HP Software as a Service. Federated SSO Guide HP Software as a Service Federated SSO Guide Document Release Date: July 2014 Legal Notices Warranty The only warranties for HP products and services are set forth in the express warranty statements accompanying

More information

Mod 2: User Management

Mod 2: User Management Office 365 for SMB Jump Start Mod 2: User Management Chris Oakman Managing Partner Infrastructure Team Eastridge Technology Stephen Hall CEO & SMB Technologist District Computers 1 Jump Start Schedule

More information

SAML-Based SSO Solution

SAML-Based SSO Solution About SAML SSO Solution, page 1 SAML-Based SSO Features, page 2 Basic Elements of a SAML SSO Solution, page 2 SAML SSO Web Browsers, page 3 Cisco Unified Communications Applications that Support SAML SSO,

More information

Agenda. How to configure

Agenda. How to configure dlaw@esri.com Agenda Strongly Recommend: Knowledge of ArcGIS Server and Portal for ArcGIS Security in the context of ArcGIS Server/Portal for ArcGIS Access Authentication Authorization: securing web services

More information

Introduction to SAML

Introduction to SAML Introduction to THE LEADER IN API AND CLOUD GATEWAY TECHNOLOGY Introduction to Introduction In today s world of rapidly expanding and growing software development; organizations, enterprises and governments

More information

Identity Federation: Bridging the Identity Gap. Michael Koyfman, Senior Global Security Solutions Architect

Identity Federation: Bridging the Identity Gap. Michael Koyfman, Senior Global Security Solutions Architect Identity Federation: Bridging the Identity Gap Michael Koyfman, Senior Global Security Solutions Architect The Need for Federation 5 key patterns that drive Federation evolution - Mary E. Ruddy, Gartner

More information

MOBILITY. Transforming the mobile device from a security liability into a business asset. pingidentity.com

MOBILITY. Transforming the mobile device from a security liability into a business asset. pingidentity.com MOBILITY Transforming the mobile device from a security liability into a business asset. pingidentity.com Table of Contents Introduction 3 Three Technologies That Securely Unleash Mobile and BYOD 4 Three

More information

WHITEPAPER. SECUREAUTH 2-FACTOR AS A SERVICE 2FaaS

WHITEPAPER. SECUREAUTH 2-FACTOR AS A SERVICE 2FaaS WHITEPAPER SECUREAUTH 2-FACTOR AS A SERVICE 2FaaS EXECUTIVE OVERVIEW 2-Factor as a Service (2FaaS) is a 100% cloud-hosted authentication solution that offers flexible security without compromising user

More information

Identity Management in Liferay Overview and Best Practices. Liferay Portal 6.0 EE

Identity Management in Liferay Overview and Best Practices. Liferay Portal 6.0 EE Identity Management in Liferay Overview and Best Practices Liferay Portal 6.0 EE Table of Contents Introduction... 1 IDENTITY MANAGEMENT HYGIENE... 1 Where Liferay Fits In... 2 How Liferay Authentication

More information

Azure Active Directory

Azure Active Directory Azure Active Directory Your Cloud Identity Brian Mansure Azure Specialist bmansure@enpointe.com Agenda What Azure Active Directory is What Azure Active Directory is not Hybrid Identity Features Roadmap

More information

Technology Day 2015 Xylos

Technology Day 2015 Xylos Stay in control of your identity with Azure Active Directory (Premium) Technology Day 2015 Xylos Robin Vermeirsch Sr. IT consultant CCM Azure Active Directory Introduction Competence Center Messaging (CCM)

More information

Get a Whiff of WIF Windows Identity Foundation. Keith Brown www.pluralsight.com/keith

Get a Whiff of WIF Windows Identity Foundation. Keith Brown www.pluralsight.com/keith Get a Whiff of WIF Windows Identity Foundation Keith Brown www.pluralsight.com/keith Authentication is challenging on the Web Lots of technologies Lots of APIs Important to get it right The old way: per-app

More information

Federated Identity for Cloud Computing and Cross-organization Collaboration

Federated Identity for Cloud Computing and Cross-organization Collaboration Federated Identity for Cloud Computing and Cross-organization Collaboration Steve Moitozo Strategy and Architecture SIL International 20110616.2 (ICCM) Follow me @SteveMoitozo2 2 Huge Claims You want federated

More information

OpenAM All-In-One solution to securely manage access to digital enterprise and customer services, anytime and anywhere.

OpenAM All-In-One solution to securely manage access to digital enterprise and customer services, anytime and anywhere. OpenAM All-In-One solution to securely manage access to digital enterprise and customer services, anytime and anywhere. OpenAM, the only all-in-one open source access management solution, provides the

More information

STRONGER AUTHENTICATION for CA SiteMinder

STRONGER AUTHENTICATION for CA SiteMinder STRONGER AUTHENTICATION for CA SiteMinder Adding Stronger Authentication for CA SiteMinder Access Control 1 STRONGER AUTHENTICATION for CA SiteMinder Access Control CA SITEMINDER provides a comprehensive

More information

Symantec Enterprise Vault.cloud Overview

Symantec Enterprise Vault.cloud Overview Fact Sheet: Archiving and ediscovery Introduction The data explosion that has burdened corporations and governments across the globe for the past decade has become increasingly expensive and difficult

More information

AND SUN OPENSSO MICROSOFT GENEVA SERVER ENABLING UNPRECEDENTED COLLABORATION ACROSS HETEROGENEOUS IT ENVIRONMENTS. White Paper May 2009.

AND SUN OPENSSO MICROSOFT GENEVA SERVER ENABLING UNPRECEDENTED COLLABORATION ACROSS HETEROGENEOUS IT ENVIRONMENTS. White Paper May 2009. MICROSOFT GENEVA SERVER AND SUN OPENSSO ENABLING UNPRECEDENTED COLLABORATION ACROSS HETEROGENEOUS IT ENVIRONMENTS White Paper May 2009 Abstract Interoperability between applications in heterogeneous technology

More information

Okta Identity Management for Portals Built on Salesforce.com. An Architecture Review. Okta Inc. 301 Brannan Street San Francisco, CA 94107

Okta Identity Management for Portals Built on Salesforce.com. An Architecture Review. Okta Inc. 301 Brannan Street San Francisco, CA 94107 Okta Identity Management for Portals Built on Salesforce.com An Architecture Review Okta Inc. 301 Brannan Street San Francisco, CA 94107 info@okta.com 1-888-722-7871 Contents 1 Okta: A Platform for Cloud

More information

Identity Management. Dave Romig, Sr Founder, CTO

Identity Management. Dave Romig, Sr Founder, CTO Identity Management Dave Romig, Sr Dave.Romig@TCSC.com Founder, CTO Identity Management What it is What it does What it means What it is Problem statement Connected apps must handle two functions Authenticate

More information

ABOUT TOOLS4EVER ABOUT DELOITTE RISK SERVICES

ABOUT TOOLS4EVER ABOUT DELOITTE RISK SERVICES CONTENTS About Tools4ever... 3 About Deloitte Risk Services... 3 HelloID... 4 Microsoft Azure... 5 HelloID Security Architecture... 6 Scenarios... 8 SAML Identity Provider (IDP)... 8 Service Provider SAML

More information

WHITEPAPER SECUREAUTH AND CAC HSPD-12 AUTHENTICATION TO WEB, NETWORK, AND CLOUD RESOURCES

WHITEPAPER SECUREAUTH AND CAC HSPD-12 AUTHENTICATION TO WEB, NETWORK, AND CLOUD RESOURCES WHITEPAPER SECUREAUTH AND CAC HSPD-12 AUTHENTICATION TO WEB, NETWORK, AND CLOUD RESOURCES Executive Overview U.S. Federal mandates dictates that personal with defense related initiatives must prove access

More information

Hybrid Cloud Identity and Access Management Challenges

Hybrid Cloud Identity and Access Management Challenges Hybrid Cloud Identity and Access Management Challenges Intro: Timothy P. McAliley timothy.mcaliley@microsoft.com Microsoft Premier Field Engineer, SQL Server, Washington, DC CISA, CISM, CISSP, ITIL V3,

More information

Google Identity Services for work

Google Identity Services for work INTRODUCING Google Identity Services for work One account. All of Google Enter your email Next Online safety made easy We all care about keeping our data safe and private. Google Identity brings a new

More information

PingFederate. Salesforce Connector. Quick Connection Guide. Version 4.1

PingFederate. Salesforce Connector. Quick Connection Guide. Version 4.1 PingFederate Salesforce Connector Version 4.1 Quick Connection Guide 2011 Ping Identity Corporation. All rights reserved. PingFederate Salesforce Quick Connection Guide Version 4.1 June, 2011 Ping Identity

More information

OpenID Connect 1.0 for Enterprise

OpenID Connect 1.0 for Enterprise OpenID Connect 1.0 for Enterprise By Paul Madsen Executive Overview In order to meet the challenges presented by the use of mobile apps and cloud services in the enterprise, a new generation of identity

More information

RSA ACCESS MANAGER. Web Access Management Solution ESSENTIALS SECURE ACCESS TO WEB APPLICATIONS WEB SINGLE SIGN-ON CONTEXTUAL AUTHORIZATION

RSA ACCESS MANAGER. Web Access Management Solution ESSENTIALS SECURE ACCESS TO WEB APPLICATIONS WEB SINGLE SIGN-ON CONTEXTUAL AUTHORIZATION RSA ACCESS MANAGER Web Access Management Solution ESSENTIALS Secure Access Enforces access to Web applications based on risk and context Centralizes security and enforces business policy Web Single Sign-on

More information

Cloud Computing. Chapter 5 Identity as a Service (IDaaS)

Cloud Computing. Chapter 5 Identity as a Service (IDaaS) Cloud Computing Chapter 5 Identity as a Service (IDaaS) Learning Objectives Describe challenges related to ID management. Describe and discuss single sign-on (SSO) capabilities. List the advantages of

More information

SAP Single Sign-On 2.0 Overview Presentation

SAP Single Sign-On 2.0 Overview Presentation SAP Single Sign-On 2.0 Overview Presentation March 2016 Public Agenda SAP security portfolio Overview SAP Single Sign-On Single sign-on main scenarios Capabilities Summary 2016 SAP SE or an SAP affiliate

More information

Office 365 and SharePoint Local File Share Synchronization

Office 365 and SharePoint Local File Share Synchronization Office 365 and SharePoint Local File Share Synchronization Frank Daske Business Development Manager Layer2 30.03.2015 The Layer2 Cloud Connector can close many gaps and overcome limitations with Office

More information

Active Directory Compatibility with ExtremeZ-IP. A Technical Best Practices Whitepaper

Active Directory Compatibility with ExtremeZ-IP. A Technical Best Practices Whitepaper Active Directory Compatibility with ExtremeZ-IP A Technical Best Practices Whitepaper About this Document The purpose of this technical paper is to discuss how ExtremeZ-IP supports Microsoft Active Directory.

More information

IBM Tivoli Federated Identity Manager

IBM Tivoli Federated Identity Manager IBM Tivoli Federated Identity Manager Employ user-centric federated access management to enable secure online business collaboration Highlights Enhance business-to-business and business-to-consumer collaborations

More information

Office365 Adoption eguide. Identity and Mobility Challenges. Okta Inc. 301 Brannan Street San Francisco, CA 94107. info@okta.

Office365 Adoption eguide. Identity and Mobility Challenges. Okta Inc. 301 Brannan Street San Francisco, CA 94107. info@okta. Office365 Adoption eguide Identity and Mobility Challenges Okta Inc. 301 Brannan Street San Francisco, CA 94107 info@okta.com 1-888-722-7871 Executive Summary Office 365 Adoption Accelerating Through the

More information

I D C V E N D O R S P O T L I G H T

I D C V E N D O R S P O T L I G H T I D C V E N D O R S P O T L I G H T E n f o r c i n g I dentity a nd Access Management i n C l o u d a n d Mobile Envi r o n m e n t s November 2012 Adapted from Worldwide Identity and Access Management

More information

nexus Hybrid Access Gateway

nexus Hybrid Access Gateway Product Sheet nexus Hybrid Access Gateway nexus Hybrid Access Gateway nexus Hybrid Access Gateway uses the inherent simplicity of virtual appliances to create matchless security, even beyond the boundaries

More information

AVG Business SSO Partner Getting Started Guide

AVG Business SSO Partner Getting Started Guide AVG Business SSO Partner Getting Started Guide Table of Contents Overview... 2 Getting Started... 3 Web and OS requirements... 3 Supported web and device browsers... 3 Initial Login... 4 Navigation in

More information

Masdar Institute Single Sign-On: Standards-based Identity Federation. John Mikhael ICT Department jmikhael@masdar.ac.ae

Masdar Institute Single Sign-On: Standards-based Identity Federation. John Mikhael ICT Department jmikhael@masdar.ac.ae Masdar Institute Single Sign-On: Standards-based Identity Federation John Mikhael ICT Department jmikhael@masdar.ac.ae Agenda The case for Single Sign-On (SSO) Types of SSO Standards-based Identity Federation

More information

SAML 101. Executive Overview WHITE PAPER

SAML 101. Executive Overview WHITE PAPER SAML 101 Executive Overview Today s enterprise employees use an ever-increasing number of applications, both enterprise hosted and in the Cloud, to do their jobs. What s more, they are accessing those

More information

User Identity and Authentication

User Identity and Authentication User Identity and Authentication WordPress, 2FA, and Single Sign-On Isaac Potoczny-Jones ijones@tozny.com http://tozny.com About the Speaker Galois, Inc. - @galoisinc. Research & Development for computer

More information

Identity and Access Management for the Hybrid Enterprise

Identity and Access Management for the Hybrid Enterprise Identity and Access Management for the Hybrid Enterprise Redmond Identity Summit 2014 Directories Devices Identity Keith Brintzenhofe Microsoft Corporation Thank You to our Sponsors Gold Silver Plus Silver

More information

Directory Integration with Okta. An Architectural Overview. Okta Inc. 301 Brannan Street San Francisco, CA 94107. info@okta.

Directory Integration with Okta. An Architectural Overview. Okta Inc. 301 Brannan Street San Francisco, CA 94107. info@okta. Directory Integration with Okta An Architectural Overview Okta Inc. 301 Brannan Street San Francisco, CA 94107 info@okta.com 1-888-722-7871 Contents 1 User Directories and the Cloud: An Overview 3 Okta

More information

How Microsoft IT manages mobile device management

How Microsoft IT manages mobile device management IT Insights A service of Microsoft IT Showcase How Microsoft IT manages mobile device management July 2015 Bring Your Own Device (BYOD) is no longer just a trend. It is arguably the dominant culture in

More information

TrustedX - PKI Authentication. Whitepaper

TrustedX - PKI Authentication. Whitepaper TrustedX - PKI Authentication Whitepaper CONTENTS Introduction... 3 1... 4 Use Scenarios... 5 Operation... 5 Architecture and Integration... 6 SAML and OAuth 7 RESTful Web Services 8 Monitoring and Auditing...

More information

Configuring Single Sign-On from the VMware Identity Manager Service to Office 365

Configuring Single Sign-On from the VMware Identity Manager Service to Office 365 Configuring Single Sign-On from the VMware Identity Manager Service to Office 365 VMware Identity Manager JULY 2015 V1 Table of Contents Overview... 2 Passive and Active Authentication Profiles... 2 Adding

More information

JumpCloud is your Directory-as-a-Service. A fully managed directory to rule your infrastructure whether on-premise or in the cloud.

JumpCloud is your Directory-as-a-Service. A fully managed directory to rule your infrastructure whether on-premise or in the cloud. JumpCloud is your Directory-as-a-Service A fully managed directory to rule your infrastructure whether on-premise or in the cloud. Authenticate Ensure your users are who they say they are. JumpCloud authenticates

More information

HOL9449 Access Management: Secure web, mobile and cloud access

HOL9449 Access Management: Secure web, mobile and cloud access HOL9449 Access Management: Secure web, mobile and cloud access Kanishk Mahajan Principal Product Manager, Oracle September, 2014 Copyright 2014, Oracle and/or its affiliates. All rights reserved. Oracle

More information

How to Overcome Challenges in Deploying Cloud Apps to Get the Most from your IAM Investment

How to Overcome Challenges in Deploying Cloud Apps to Get the Most from your IAM Investment WHITEPAPER How to Overcome Challenges in Deploying Cloud Apps to Get the Most from your IAM Investment www.onelogin.com 150 Spear Street, Suite 1400, San Francisco, CA 94105 855.426.7272 EXECUTIVE SUMMARY

More information

Getting Started with Clearlogin A Guide for Administrators V1.01

Getting Started with Clearlogin A Guide for Administrators V1.01 Getting Started with Clearlogin A Guide for Administrators V1.01 Clearlogin makes secure access to the cloud easy for users, administrators, and developers. The following guide explains the functionality

More information

Pulse Connect Secure Supported Platforms Guide

Pulse Connect Secure Supported Platforms Guide Pulse Connect Secure Supported Platforms Guide PCS 8.1R5 Build 38093 Supported Platforms Guide The current version of this product is now called Pulse Connect Secure. For more information go to www.pulsesecure.net/products

More information