Extend and Enhance AD FS


December 2013 Sponsored By

By Sean Deuby

Contents

- Introduction
- Web Service SSO Architecture
- AD FS Overview
- Ping Identity Solutions
- Synergy of Combining AD FS + Ping Identity Solutions

Figures

- Figure 1: Major Internet SSO Components
- Figure 2: AD FS Server Farm
- Figure 3: AD FS + PingOne IDaaS Solution

Introduction

Many enterprises have chosen to deploy and use Active Directory Federation Services (AD FS), a Windows Server role, to provide users with single sign-on (SSO) access and federation to a variety of Software as a Service (SaaS) applications. AD FS, a component of Microsoft's Active Directory family of services, extends Active Directory Domain Services (AD DS) in order to provide web services that AD DS does not support natively.

Although AD FS is lacking some key features that would improve both its administrators' and end users' experiences, many enterprises have already made significant time and monetary investments in its deployment and operation. It is highly unlikely these organizations are willing to immediately rip out AD FS and begin anew with another SSO/federation solution.

Working with AD FS in an environment where SaaS application use is growing dramatically, often without the IT department's sanction or knowledge, presents a strong set of challenges for enterprises. Scaling AD FS to provide SSO to hundreds or thousands of SaaS applications in a timely manner, with a good user experience, is simply beyond the capabilities of many already-overburdened IT departments. This situation is a major reason why Identity as a Service (IDaaS) solutions have arisen. They offload the SaaS connection burden from the on-premises IT department to a subscription cloud service.

The good news is that organizations that have deployed AD FS do not have to start over. Enterprises can continue to use their existing AD FS solution as an identity bridge to the Ping Identity SSO/federation IDaaS solution, PingOne. The marriage of these two best-of-breed solutions yields a variety of complementary benefits, including:

- A wider variety of open standards-based SaaS applications are supported.
- Onboarding new SaaS applications is easier for AD FS administrators, as is user provisioning, especially when there are many SaaS applications. Only one connection to PingOne is needed to handle all SaaS applications.
- Scalability requirements are handled on demand with PingOne rather than scaling up the on-premises AD FS solution.
- Connections are managed through PingOne's easy-to-use interface.
- An end user portal allows users access to all the applications they are authorized to use through a single, device-independent user interface.

This white paper will review AD FS's history and capabilities as they have evolved, as well as some gaps in the product's current feature set. It will also outline the Ping Identity solutions and where they fit into an enterprise identity architecture. Finally, it will show how AD FS and Ping Identity solutions easily integrate with each other to provide your business with scalable, highly available, and user-friendly SSO access to SaaS applications.

Web Service SSO Architecture

It's important to understand the basic architecture of services that provide SSO to web services using credentials from a business's identity databases. As Figure 1 shows, there are six major components: web service, service provider (SP), identity provider (IdP), federation service, identity bridge, and provisioning service. In this example, the identity database that contains user credentials is Active Directory Domain Services (AD DS).

Figure 1: Major Internet SSO Components

Web Service

A web service is a browser-based (HTTP) application, provided at a network address over the web. Although web services provide a wide variety of capabilities (including both IdP and SP roles), the best known web services are SaaS applications.

Service Provider (SP)

The SP role is a web service that provides a business or consumer service (such as Microsoft Office 365, Salesforce.com, or Concur Travel) based on accounts it holds. An SP that supports federation standards (such as SAML 2.0) relies on identities, held at the IdP, to authoritatively authenticate these accounts. The SP is also referred to as the relying party because it relies on the IdP to authenticate its accounts. SPs that do not support federation require local, form-based authentication with a user ID and password. The term service provider is also used colloquially to describe the business providing the web service used as an application.

Identity Provider (IdP)

In a transaction between two web services, the IdP role negotiates with Active Directory (and possibly other corporate data stores) to:

- Authenticate the credentials provided by the user.
- Provide a set of claims about these credentials that can be authoritatively communicated back to the SP or to other web services that require identity information on behalf of the business.

Colloquially, the term identity provider describes the business that provides the identities of the users who require the SSO capability. The identities can be stored in Active Directory, HR databases, or other miscellaneous data stores.

Federation Service

A federation service performs several functions. The most important functions are:

- Supporting federated trusts established between the IdP and SP.
- Performing security token translation between the Kerberos security protocol used in Active Directory and the SAML 2.0 claims model used in web services. This translation is performed by the Security Token Service (STS).

Identity Bridge

The on-premises services that connect your enterprise to cloud web services are collectively known as the identity bridge. An identity bridge can be one or more services running on separate servers or on a single instance. This bridge may act alone and connect directly to an SP, or in conjunction with a cloud-based federation service (IDaaS), which acts as an IdP and connects to the SP.

Provisioning Service

For federated SSO to function, the SP must have its user accounts authenticated by the IdP and have those accounts populated with user data provided by the IdP. How is this user data replicated to the SP? A variety of methods are currently popular, including proprietary directory synchronization services and standards-based provisioning protocols. Some methods handle the complete provisioning lifecycle (i.e., CRUD: create, read, update, delete), whereas others do not. The System for Cross-domain Identity Management (SCIM) is an emerging provisioning standard that supports the entire provisioning lifecycle. The provisioning service can be incorporated into the federation server (e.g., PingOne's AD Connect uses SCIM for its provisioning capability) or run as a standalone service.

AD FS Overview

AD FS first made its appearance as a downloadable addition to Windows Server 2003 R2. It was later incorporated into Windows Server 2008 and Windows Server 2008 R2. In Windows Server 2012, AD FS 2.1 is an installable server role, and Windows Server 2012 R2 continues this configuration with AD FS 2.2.

AD FS's feature set and supported protocols have grown as the product has matured. AD FS was initially built around the core WS-* set of standards (such as WS-Federation, WSDL, SOAP, and UDDI) for web services. A key capability upgrade occurred in AD FS 2.0, as it added support for SAML 2.0, the most widely used identity federation standard. AD FS 2.2 added support for a rapidly growing identity and authorization framework, OAuth 2.0.

Typical Enterprise Deployment Architecture

In a typical high availability architecture (see Figure 2), AD FS is configured as a server farm of two or more AD FS servers in a Network Load Balancing (NLB) cluster behind one or more federation server proxies (or Web Application Proxies in Windows Server 2012 R2). For enterprises with fewer than 100 trust relationships to relying parties, the built-in Windows internal database on each AD FS server can be used to store configuration data. For larger AD FS deployments, a SQL Server database should be used. A robust, fault tolerant AD FS farm requires at least four servers (two AD FS servers and two proxy servers) in addition to the NLB servers.

Figure 2: AD FS Server Farm (Source: Microsoft TechNet)

AD FS Strengths

AD FS has several strengths, including:

- High availability. As a mission critical service, AD FS can be configured for high availability, as illustrated in Figure 2.
- Federation services. AD FS provides token translation through its STS. In addition, it queries AD DS to add user and group attributes to claims to be used by web services.
- Provisioning service. Microsoft's Directory Synchronization (DirSync) will synchronize all users in a single forest to Windows Azure Active Directory (Azure AD) in support of Microsoft's online services such as Office 365.

AD FS Weaknesses

Despite its evolution, AD FS still has some gaps in its feature set, including gaps in its provisioning support and standards support.

- Minimal provisioning support. AD FS has no provisioning support beyond its DirSync service to provision AD DS accounts to Azure AD, the Microsoft SP data store. Non-Microsoft SPs must provide their own provisioning, which leads to complexity, scalability, and support issues. If the non-Microsoft SPs do not have an automated provisioning method, the enterprise must manually manage every account, which can result in an unmanageable overhead and security issues.

- Minimal standards support. AD FS does not support SAML 1.0, OpenID, SCIM, or the FIDO Alliance (which is driving the effort to develop standards for strong authentication). It also does not support OpenID Connect. This new and popular identity specification is based on OAuth 2.0, which is recognized as the successor to SAML 2.0.

Other gaps in AD FS's feature set include:

- AD FS has no built-in reporting capabilities.
- AD FS does not have a built-in end user portal to external web services. Users must remember or bookmark the web services they are subscribed to.
- AD FS has no support for web services that do not support identity standards such as SAML.
- AD FS does not have built-in multi-factor authentication capabilities.

AD FS Summary

AD FS is a built-in capability of Windows Server, but it is not without its own substantial deployment and operating costs. It also requires specialized expertise to manage the service and to configure and maintain multiple relationships with web service providers, a problem whose seriousness increases for every new web service you trust.

Ping Identity Solutions

Ping Identity offers two major products in the identity and access management (IAM) market: PingFederate and PingOne. PingFederate is a lightweight and powerful identity bridge that delivers a comprehensive identity management solution for federated access to applications using existing identity infrastructure.

PingOne is an IDaaS solution that delivers cloud SSO for your workforce. With one username and one password for users to manage, PingOne offloads the IT department's burden of collecting, configuring and maintaining connections from the on-premises identity bridge to the PingOne cloud service. The one-to-many relationship between enterprise IdP and cloud SPs is hosted in the cloud. The enterprise only needs to maintain an identity bridge with one connection to PingOne, as shown in Figure 3.

PingOne is itself a cloud service and is configured to be highly available worldwide. The connection from the IdP to PingOne can be made with Ping Identity's AD Connect for simple implementations or PingFederate for more complex scenarios. Users gain access to SaaS applications through the PingOne CloudDesktop web portal, which has both desktop and mobile-optimized versions.

Figure 3: AD FS + PingOne IDaaS Solution

Synergy of Combining AD FS + Ping Identity Solutions

Ping Identity products are standards-based, so you are not limited to AD Connect or PingFederate as your identity bridge to the PingOne cloud service. You can use any SAML-enabled identity management platform. AD FS is such a platform, and PingOne fully supports it. This means you can use your existing AD FS solution as your connection to PingOne and gain SSO access to the many SaaS applications on PingOne's CloudDesktop.

Setting up a federated trust between AD FS and PingOne is simply a matter of adding PingOne to AD FS as you would add any other SaaS application. On the PingOne side of the trust, a simple guided setup process will enable the connection. After you have configured the PingOne CloudDesktop to provide users access to the SaaS applications they formerly accessed directly, you can remove the now-redundant trusts from AD FS and leave the single trust to PingOne.

To provide provisioning capability, you can install AD Connect on any domain-joined IIS server running Windows Server 2008 or greater, with external connectivity over port 443. AD Connect is installed using a simple guided procedure that is part of the PingOne configuration process. It usually takes less than 30 minutes to install.

AD Connect is lightweight. Instead of using a heavyweight full synchronization engine, it uses the efficient SCIM provisioning standard to get user identity data from Active Directory to PingOne. In an AD FS + PingOne configuration, the AD Connect federation service will be disabled, as this is being provided by AD FS. Unlike AD FS, AD Connect also works across multiple domains, trees and forests if the trust relationship is configured and established among these differing domains.

An AD FS + PingOne Internet SSO architecture has a number of advantages over a standalone AD FS implementation:

- Your AD DS/AD FS architecture has not changed. Your identities remain in AD DS.
- Implementation is simplified because you only need one federated trust to PingOne.
- Because you have essentially outsourced the heavy lifting of SaaS federation to the PingOne service, there is no longer a question of how many SaaS connections your company can effectively use. If a SaaS application is available in the CloudDesktop portal and you have established a subscription with the application, you can have SSO access to it.

PingOne provides SSO access to SaaS applications that support SAML by extending an enterprise user's identity data to the cloud service provider without providing a password. However, a large number of SaaS applications do not yet support federation. They require that a user ID and password be provided at logon time (known as form-based authentication). Ping Identity recognizes this is the less-than-perfect state that cloud identity is in today. To provide SSO access to these applications, PingOne uses a password vaulting capability that will securely store a user ID and password (which has no requirement to match the user's enterprise credentials) for a given form-based SaaS application and automatically fill in the logon information. Although not a federation solution, providing SSO access to non-SAML-enabled SaaS applications is another PingOne capability that AD FS does not provide.

Another advantage of an AD FS + PingOne architecture is in the area of reporting and auditing. PingOne provides reporting on SaaS application usage to provide IT dashboard feedback; AD FS by itself has no reporting capability.

And should you consider eliminating the cost of maintaining an AD FS server farm, the Ping Identity suite of products provides you several options. If you only need to connect Active Directory to PingOne, the lightweight AD Connect identity bridge installs in minutes on an IIS server, scales to high capacity, and is fully compliant with secure Internet identity standards. If your on-premises identity landscape is more complicated, consider PingOne Enterprise. It gives you PingFederate as an identity bridge to handle a wide variety of configurations, including multi-factor authentication and integration with existing enterprise reporting and monitoring tools like Splunk, HP OpenView, or HP ArcSight.

PingOne gives you the ability to dip your toe into the water of IDaaS in the most painless way possible. Without altering your existing AD FS connections, you can set up a connection to PingOne and use PingOne for Groups for free with up to 50 users and 5 applications to see if it meets your requirements. If you move to PingOne for Business, its expanded capability of 1,000 or more users and the entire PingOne applications catalog will allow you to shift your SaaS usage away from AD FS, maintaining only the connection to PingOne. Finally, you can use PingOne for Enterprise, and use any combination of PingFederate, ADConnect, or AD FS to bridge your identities to the internet as you see fit.

Integrating PingOne with your existing AD FS installation quickly gives you scalability and options you cannot get with AD FS by itself. You do not have to remove your existing AD FS installation but you can simplify it. The synergy of the two solutions brings web SSO to your users for both federated and non-federated SPs. You can have much more detailed reporting on SaaS activity and a friendly portal for your users, whether they are on-premises or outside your company. AD FS + PingOne quickly gives you a best-in-class, standards-based means to securely integrate your business with the capabilities of cloud services.


SECUREAUTH IDP AND OFFICE 365 WHITEPAPER SECUREAUTH IDP AND OFFICE 365 STRONG AUTHENTICATION AND SINGLE SIGN-ON FOR THE CLOUD-BASED OFFICE SUITE EXECUTIVE OVERVIEW As more and more enterprises move to the cloud, it makes sense that

More information

Federated Identity and Single Sign-On using CA API Gateway

Federated Identity and Single Sign-On using CA API Gateway WHITE PAPER DECEMBER 2014 Federated Identity and Single Sign-On using Federation for websites, Web services, APIs and the Cloud K. Scott Morrison VP Engineering and Chief Architect 2 WHITE PAPER: FEDERATED

More information

The increasing popularity of mobile devices is rapidly changing how and where we

The increasing popularity of mobile devices is rapidly changing how and where we Mobile Security BACKGROUND The increasing popularity of mobile devices is rapidly changing how and where we consume business related content. Mobile workforce expectations are forcing organizations to

More information

Implementing Microsoft Azure Infrastructure Solutions

Implementing Microsoft Azure Infrastructure Solutions Course Code: M20533 Vendor: Microsoft Course Overview Duration: 5 RRP: 2,025 Implementing Microsoft Azure Infrastructure Solutions Overview This course is aimed at experienced IT Professionals who currently

More information

Implementing Microsoft Azure Infrastructure Solutions 20533B; 5 Days, Instructor-led

Implementing Microsoft Azure Infrastructure Solutions 20533B; 5 Days, Instructor-led Implementing Microsoft Azure Infrastructure Solutions 20533B; 5 Days, Instructor-led Course Description This course is aimed at experienced IT Professionals who currently administer their on-premises infrastructure.

More information

Course 20533B: Implementing Microsoft Azure Infrastructure Solutions

Course 20533B: Implementing Microsoft Azure Infrastructure Solutions Course 20533B: Implementing Microsoft Azure Infrastructure Solutions Sales 406/256-5700 Support 406/252-4959 Fax 406/256-0201 Evergreen Center North 1501 14 th St West, Suite 201 Billings, MT 59102 Course

More information

Mod 3: Office 365 DirSync, Single Sign-On & ADFS

Mod 3: Office 365 DirSync, Single Sign-On & ADFS Office 365 for SMB Jump Start Mod 3: Office 365 DirSync, Single Sign-On & ADFS Chris Oakman Managing Partner Infrastructure Team Eastridge Technology Stephen Hall CEO & SMB Technologist District Computers

More information

Bill Fiddes Learning and Development Specialist Rob Latino Program Manager in Office 365 Support

Bill Fiddes Learning and Development Specialist Rob Latino Program Manager in Office 365 Support Bill Fiddes Learning and Development Specialist Rob Latino Program Manager in Office 365 Support Learning & Development Specialist Customer Support Services Been with Microsoft for 7 years Professionally

More information

Cloud Computing. Chapter 5 Identity as a Service (IDaaS)

Cloud Computing. Chapter 5 Identity as a Service (IDaaS) Cloud Computing Chapter 5 Identity as a Service (IDaaS) Learning Objectives Describe challenges related to ID management. Describe and discuss single sign-on (SSO) capabilities. List the advantages of

More information

White Pages Managed Service Solution Rapid Global Directory Implementation. White Paper

White Pages Managed Service Solution Rapid Global Directory Implementation. White Paper White Pages Managed Service Solution Rapid Global Directory Implementation White Paper December 2014 Author: Tom Eggleston Version: 1.0 Status: FINAL Reference: DA-WP01 Creation Date: 03/12/14 Revision

More information

Integrating Active Directory Federation Services (ADFS) with Office 365 through IaaS

Integrating Active Directory Federation Services (ADFS) with Office 365 through IaaS www.thecloudmouth.com Integrating Active Directory Federation Services (ADFS) with Office 365 through IaaS A White Paper Loryan Strant Office 365 MVP Introduction This purpose of this whitepaper is to

More information

HOL9449 Access Management: Secure web, mobile and cloud access

HOL9449 Access Management: Secure web, mobile and cloud access HOL9449 Access Management: Secure web, mobile and cloud access Kanishk Mahajan Principal Product Manager, Oracle September, 2014 Copyright 2014, Oracle and/or its affiliates. All rights reserved. Oracle

More information

SAML-Based SSO Solution

SAML-Based SSO Solution About SAML SSO Solution, page 1 SAML-Based SSO Features, page 2 Basic Elements of a SAML SSO Solution, page 2 SAML SSO Web Browsers, page 3 Cisco Unified Communications Applications that Support SAML SSO,

More information

Single-Sign-On between On-Premises and the Cloud: Leveraging Windows Azure Active Directory to authenticate custom solutions and Apps

Single-Sign-On between On-Premises and the Cloud: Leveraging Windows Azure Active Directory to authenticate custom solutions and Apps Sofia Event Center 14-15 May 2014 Single-Sign-On between On-Premises and the Cloud: Leveraging Windows Azure Active Directory to authenticate custom solutions and Apps Radi Atanassov SharePoint MCM & MVP

More information

Managing Office 365 Identities and Services 20346C; 5 Days, Instructor-led

Managing Office 365 Identities and Services 20346C; 5 Days, Instructor-led Managing Office 365 Identities and Services 20346C; 5 Days, Instructor-led Course Description This is a 5-day Instructor Led Training (ILT) course that targets the needs of IT professionals who take part

More information

White Paper. McAfee Cloud Single Sign On Reviewer s Guide

White Paper. McAfee Cloud Single Sign On Reviewer s Guide White Paper McAfee Cloud Single Sign On Reviewer s Guide Table of Contents Introducing McAfee Cloud Single Sign On 3 Use Cases 3 Key Features 3 Provisioning and De-Provisioning 4 Single Sign On and Authentication

More information

Course 20346: Managing Office 365 Identities and Services

Course 20346: Managing Office 365 Identities and Services Course 20346: Managing Office 365 Identities and Services Overview About this course This is a 5-day Instructor Led Training (ILT) course that targets the needs of IT professionals who take part in evaluating,

More information

SharePoint 2013 Business Connectivity Services Hybrid Overview

SharePoint 2013 Business Connectivity Services Hybrid Overview SharePoint 2013 Business Connectivity Services Hybrid Overview Christopher J Fox Microsoft Corporation November 2012 Applies to: SharePoint 2013, SharePoint Online Summary: A hybrid SharePoint environment

More information

Managing Office 365 Identities and Services

Managing Office 365 Identities and Services Course 20346B: Managing Office 365 Identities and Services Page 1 of 7 Managing Office 365 Identities and Services Course 20346B: 4 days; Instructor-Led Introduction This is a 4-day Instructor Led Training

More information

Introduction to SAML

Introduction to SAML Introduction to THE LEADER IN API AND CLOUD GATEWAY TECHNOLOGY Introduction to Introduction In today s world of rapidly expanding and growing software development; organizations, enterprises and governments

More information

Enable Your Applications for CAC and PIV Smart Cards

Enable Your Applications for CAC and PIV Smart Cards Enable Your Applications for CAC and PIV Smart Cards Executive Summary Since HSPD-2 was signed in 2004, government agencies have issued over 5 million identity badges. About 90% of government workers and

More information

Authentication Integration

Authentication Integration Authentication Integration VoiceThread provides multiple authentication frameworks allowing your organization to choose the optimal method to implement. This document details the various available authentication

More information

WIPRO IDENTITY CLOUD UNLEASHING THE NEXT GENERATION OF IDENTITY AND ACCESS MANAGEMENT (IAM) www.wipro.com

WIPRO IDENTITY CLOUD UNLEASHING THE NEXT GENERATION OF IDENTITY AND ACCESS MANAGEMENT (IAM) www.wipro.com WIPRO IDENTITY CLOUD UNLEASHING THE NEXT GENERATION OF IDENTITY AND ACCESS MANAGEMENT (IAM) www.wipro.com Table of Contents 03...Introduction 04...Wipro Cloud (WIC) as a Service Type 05...Wipro Cloud Capabilities

More information

How to Overcome Challenges in Deploying Cloud Apps to Get the Most from your IAM Investment

How to Overcome Challenges in Deploying Cloud Apps to Get the Most from your IAM Investment WHITEPAPER How to Overcome Challenges in Deploying Cloud Apps to Get the Most from your IAM Investment www.onelogin.com 150 Spear Street, Suite 1400, San Francisco, CA 94105 855.426.7272 EXECUTIVE SUMMARY

More information

Office 365 deploym. ployment checklists. Chapter 27

Office 365 deploym. ployment checklists. Chapter 27 Chapter 27 Office 365 deploym ployment checklists This document provides some checklists to help you make sure that you install and configure your Office 365 deployment correctly and with a minimum of

More information

SSO Plugin. Release notes. J System Solutions. http://www.javasystemsolutions.com Version 3.5

SSO Plugin. Release notes. J System Solutions. http://www.javasystemsolutions.com Version 3.5 SSO Plugin Release notes J System Solutions Version 3.5 JSS SSO Plugin v3.5 Release notes What's new...3 SSO Plugin for HP Service Manager & Request Catalog...3 SAP Business Objects XI (BMC Analytics)...3

More information

Web Applications Access Control Single Sign On

Web Applications Access Control Single Sign On Web Applications Access Control Single Sign On Anitha Chepuru, Assocaite Professor IT Dept, G.Narayanamma Institute of Technology and Science (for women), Shaikpet, Hyderabad - 500008, Andhra Pradesh,

More information

Office 365 deployment checklists

Office 365 deployment checklists Chapter 128 Office 365 deployment checklists This document provides some checklists to help you make sure that you install and configure your Office 365 deployment correctly and with a minimum of issues.

More information

Interoperate in Cloud with Federation

Interoperate in Cloud with Federation Interoperate in Cloud with Federation - Leveraging federation standards can accelerate Cloud computing adoption by resolving vendor lock-in issues and facilitate On Demand business requirements Neha Mehrotra

More information

G Cloud 6 CDG Service Definition for Forgerock Software Services

G Cloud 6 CDG Service Definition for Forgerock Software Services G Cloud 6 CDG Service Definition for Forgerock Software Services Author: CDG Date: October 2015 Table of Contents Table of Contents 2 1.0 Service Definition 3 1.0 Service Definition Forgerock as a Platform

More information

White Paper: Cloud Identity is Different. World Leading Directory Technology. Three approaches to identity management for cloud services

White Paper: Cloud Identity is Different. World Leading Directory Technology. Three approaches to identity management for cloud services World Leading Directory Technology White Paper: Cloud Identity is Different Three approaches to identity management for cloud services Published: March 2015 ViewDS Identity Solutions A Changing Landscape

More information

White paper Contents

White paper Contents Three Ways to Integrate Active Directory with Your SaaS Applications Okta Inc. 301 Brannan Street San Francisco, CA 94107 info@okta.com 1-888-722-7871 Contents 1 User Management Challenges of Software

More information

Identity & Access Management in the Cloud: Fewer passwords, more productivity

Identity & Access Management in the Cloud: Fewer passwords, more productivity WHITE PAPER Strategic Marketing Services Identity & Access Management in the Cloud: Fewer passwords, more productivity Cloud services are a natural for small and midsize businesses, with their ability

More information

CA Federation Manager

CA Federation Manager PRODUCT BRIEF: CA FEDERATION MANAGER CA FEDERATION MANAGER PROVIDES STANDARDS-BASED IDENTITY FEDERATION CAPABILITIES THAT ENABLE THE USERS OF ONE ORGANIZATION TO EASILY AND SECURELY ACCESS THE DATA AND

More information

IDDY. Case Study: Rearden Commerce Delivers SaaS Via Federation WINNER

IDDY. Case Study: Rearden Commerce Delivers SaaS Via Federation WINNER 2007 IDDY AWARD WINNER Case Study: Rearden Commerce Delivers SaaS Via Federation Thanks to federation, Rearden Commerce makes it easier than ever for corporate employees to book and manage travel arrangements.

More information

How to leverage SAP NetWeaver Identity Management and SAP Access Control combined solutions

How to leverage SAP NetWeaver Identity Management and SAP Access Control combined solutions How to leverage SAP NetWeaver Identity Management and SAP Access Control combined solutions Introduction This paper provides an overview of the integrated solution and a summary of implementation options

More information

Cloud Standards. Arlindo Dias IT Architect IBM Global Technology Services CLOSER 2102

Cloud Standards. Arlindo Dias IT Architect IBM Global Technology Services CLOSER 2102 Cloud Standards Arlindo Dias IT Architect IBM Global Technology Services CLOSER 2102 2011 IBM Corporation Agenda Overview on Cloud Standards Identity and Access Management Discussion 2 Overview on Cloud

More information

AVG Business Secure Sign On Active Directory Quick Start Guide

AVG Business Secure Sign On Active Directory Quick Start Guide AVG Business Secure Sign On Active Directory Quick Start Guide The steps below will allow for download and registration of the AVG Business SSO Cloud Connector to integrate SaaS application access and

More information

Microsoft 20533 - Implementing Microsoft Azure Infrastructure Solutions

Microsoft 20533 - Implementing Microsoft Azure Infrastructure Solutions 1800 ULEARN (853 276) www.ddls.com.au Microsoft 20533 - Implementing Microsoft Azure Infrastructure Solutions Length 5 days Price $4389.00 (inc GST) Version C Overview This course is intended for IT professionals

More information

Implementing Microsoft Azure Infrastructure Solutions

Implementing Microsoft Azure Infrastructure Solutions 20533B - Version: 1 02 July 2016 Implementing Microsoft Azure Infrastructure Solutions Implementing Microsoft Azure Infrastructure Solutions 20533B - Version: 1 5 days Course Description: This course is

More information

Managing Office 365 Identities and Services

Managing Office 365 Identities and Services Course 20346B: Managing Office 365 Identities and Services Course Details Course Outline Module 1: Preparing for Office 365 This module reviews the features of Office 365 and identifies recent improvements

More information

SAP Cloud Identity Service

SAP Cloud Identity Service SAP Cloud Identity Service Secure Authentication, Single Sign-On and User Management in the Cloud December 2015 Introduction SAP Cloud Identity Service In the SAP IT application security product portfolio

More information

Cloud-Accelerated Hybrid Scenarios with SharePoint and Office 365

Cloud-Accelerated Hybrid Scenarios with SharePoint and Office 365 Cloud-Accelerated Hybrid Scenarios with SharePoint and Office 365 Contents Contents 1 About this guide 3 Overview 9 Authentication and authorization 10 Getting started with identity integration 26 Getting

More information

Identity and Access Management for the Hybrid Enterprise

Identity and Access Management for the Hybrid Enterprise Identity and Access Management for the Hybrid Enterprise Redmond Identity Summit 2014 Directories Devices Identity Keith Brintzenhofe Microsoft Corporation Thank You to our Sponsors Gold Silver Plus Silver

More information

Implementation Guide SAP NetWeaver Identity Management Identity Provider

Implementation Guide SAP NetWeaver Identity Management Identity Provider Implementation Guide SAP NetWeaver Identity Management Identity Provider Target Audience Technology Consultants System Administrators PUBLIC Document version: 1.10 2011-07-18 Document History CAUTION Before

More information

Google Identity Services for work

Google Identity Services for work INTRODUCING Google Identity Services for work One account. All of Google Enter your email Next Online safety made easy We all care about keeping our data safe and private. Google Identity brings a new

More information

Tech Brief: Upgrading from Sun IAM to ForgeRock Open Identity Stack

Tech Brief: Upgrading from Sun IAM to ForgeRock Open Identity Stack White Paper Tech Brief: Upgrading from Sun IAM to ForgeRock Open Identity Stack 1. Overview 2. OpenAM 3. OpenIDM 4. OpenDJ 5. Getting Started Tech Brief: Upgrading from Sun IAM to ForgeRock Open Identity

More information

Managing Your Microsoft Windows Server Fleet with AWS Directory Service. May 2015

Managing Your Microsoft Windows Server Fleet with AWS Directory Service. May 2015 Managing Your Microsoft Windows Server Fleet with AWS Directory Service May 2015 2015, Amazon Web Services, Inc. or its affiliates. All rights reserved. Notices This document is provided for informational

More information

solution brief February 2012 How Can I Obtain Identity And Access Management as a Cloud Service?

solution brief February 2012 How Can I Obtain Identity And Access Management as a Cloud Service? solution brief February 2012 How Can I Obtain Identity And Access Management as a Cloud Service? provides identity and access management capabilities as a hosted cloud service. This allows you to quickly

More information

BYE BYE PASSWORDS. The Future of Online Identity. Hans Zandbelt Sr. Technical Architect. CTO Office - Ping Identity

BYE BYE PASSWORDS. The Future of Online Identity. Hans Zandbelt Sr. Technical Architect. CTO Office - Ping Identity BYE BYE PASSWORDS The Future of Online Identity Hans Zandbelt Sr. Technical Architect CTO Office - Ping Identity 2015 Copyright 2014 Ping Identity Corp. All rights reserved. 1 Agenda 1 2 3 Cloud & Mobile:

More information

Total Cost of Ownership Overview ADFS vs OneLogin WHITEPAPER

Total Cost of Ownership Overview ADFS vs OneLogin WHITEPAPER Total Cost of Ownership Overview vs OneLogin WHITEPAPER Are you really going to double down on machines, software and professional services to extend Active Directory (AD)? Executive Summary Are you planning

More information

PingFederate. Salesforce Connector. Quick Connection Guide. Version 4.1

PingFederate. Salesforce Connector. Quick Connection Guide. Version 4.1 PingFederate Salesforce Connector Version 4.1 Quick Connection Guide 2011 Ping Identity Corporation. All rights reserved. PingFederate Salesforce Quick Connection Guide Version 4.1 June, 2011 Ping Identity

More information

How Microsoft IT manages mobile device management

How Microsoft IT manages mobile device management IT Insights A service of Microsoft IT Showcase How Microsoft IT manages mobile device management July 2015 Bring Your Own Device (BYOD) is no longer just a trend. It is arguably the dominant culture in

More information

Identity in the Cloud

Identity in the Cloud White Paper Identity in the Cloud Use the cloud without compromising enterprise security Table of Contents The Cloud Conundrum 3 Managing Cloud Identity 3 The Identity Lifecycle 4 SaaS Single Sign-On 4

More information