SINGLE & SAME SIGN-ON ASPECTS OF AZURE ACTIVE DIRECTORY Harold Baele Senior ICT Trainer JULY 2, 2015 SLIDE 1
SLIDE 2: TRAINER INFO
Harold Baele, MCT at RealDolmen Education
Harold.baele@realdolmen.com - @hbaele
Trainer since 2000 on Operating Systems, Networking, AD, Exchange, Office 365 & Azure

SLIDE 3: DEFINITIONS
- Signing in means requesting validation = authentication
- Verifying access to a resource/application = authorization
- SSO:
  - SINGLE sign-on: ONE authentication, ONE credential, multiple authorizations
  - SAME sign-on: MULTIPLE authentications, ONE credential, multiple authorizations

SLIDE 4: IDENTITY STORES
Diagram labels: Microsoft Account; Web Application Proxy + AD FS

SLIDE 5: CENTRALIZE IDENTITY CONTROL, NOT THE STORE
Microsoft Azure Active Directory

SLIDE 6: IDENTITY AND ACCESS MANAGEMENT: PRODUCTS
- Enable single sign-on between on-premises and cloud identities
- Enable single sign-on across multiple cloud and on-premises applications with Active Directory Federation Services (ADFS)
- Integrate cloud with on-premises Active Directory with Active Directory Synchronization
- Create and manage identities in the cloud
- Help secure access to on-premises and cloud apps with Microsoft Azure Multi-Factor Authentication
- Use Azure Active Directory (AAD) to manage Office 365 with other Microsoft and external cloud services
Diagram components: On-premises (Windows Server Active Directory, PCs and devices); Microsoft Azure (Azure Active Directory (AAD)); Consumer identity providers; Microsoft apps; Third-party cloud/hosting

SLIDE 7: MICROSOFT AZURE CLOUD
An open and flexible cloud platform that enables you to quickly build, deploy, & manage solutions across a global network of Microsoft-managed datacenters.
Usage-based platform services: services are grouped as Compute, Storage, Network and Application Services; there are distinct rates for each of these service meters, and customers are billed for usage against one or more of these meters.
- APP SERVICES (build applications using any language, tool, or framework): Caching, Identity, Service bus, Media, CDN, Integration, HPC, Analytics
- COMPUTE: Virtual machines, Websites, Cloud services, Mobile services
- STORAGE: SQL database, HDInsight, Tables, Blob storage
- NETWORK: Connect, Virtual network, Traffic manager
Platform callouts: integrate public cloud solution with the existing IT environment; 99.95% monthly SLA; automatic OS & service patching

SLIDE 8: MICROSOFT AZURE IAAS

SLIDE 9: MICROSOFT AZURE PLATFORM AS A SERVICE (PAAS)

SLIDE 10: WHAT IS MICROSOFT AZURE ACTIVE DIRECTORY?
- A comprehensive identity and access management cloud solution
- Azure Active Directory combines directory services, advanced identity governance, application access management, and a rich standards-based platform for developers
- Microsoft Azure Active Directory Premium is an advanced offering that includes Identity and Access Management (IAM) capabilities for on-premises, hybrid, and cloud environments

SLIDE 11: DEMO: Creating an AAD

SLIDE 12: EXAMPLE AAD: OFFICE 365
Exchange Online, Yammer, SharePoint Online, Skype for Business Online and Office 365 ProPlus, all on Windows Azure Active Directory

SLIDE 13: IDENTITY OPTIONS COMPARISON
Option 1 (IDs mastered in the cloud)
- Appropriate for: smaller orgs without AD on-premise
- Pros: no servers required on-premise
- Cons: no SSO; no 2FA; 2 sets of credentials to manage with differing password policies
Option 2 (single server deployment)
- Appropriate for: medium/large orgs with AD on-premise
- Pros: users and groups mastered on-premise; enables co-existence scenarios
- Cons: same sign-on only (not single sign-on); no 2FA; 2 sets of credentials to manage with differing password policies
Option 3
- Appropriate for: larger enterprise orgs with AD on-premise
- Pros: SSO with corporate credentials; IDs mastered on-premise; password policy controlled on-premise; 2FA solutions possible; enables co-existence scenarios
- Cons: high availability server deployments required

SLIDE 14: PASSWORD SYNC VERSUS SINGLE SIGN-ON
Columns: Password sync | Single Sign-On (ADFS)
Criteria compared:
- Same password to access resources
- Control password policies on premises
- Support for multi-factor authentication
- No password re-entry if on premises
- Authentication occurs in on-premises directory
- Client access filtering

SLIDE 15: SINGLE SIGN-ON SETUP
- Needs DirSync, aka Azure AD Connect (no password sync)
- Add Domain (returns details for proof of ownership)
- Single source AD DS: connect AD FS with Microsoft Office 365
- Single source AAD: use AAD application proxy

SLIDE 16: IDENTITY FEDERATION AUTHENTICATION FLOW (PASSIVE/WEB PROFILE)
Customer side: Active Directory; AD FS 2.0 Server; Client (joined to CorpNet)
Microsoft Online Services side: Authentication platform; Exchange Online or SharePoint Online
Logon (SAML 1.1) Token, from the AD FS 2.0 Server: UPN: user@contoso.com; Source User ID: ABC123
Auth Token, from the Authentication platform: UPN: user@contoso.com; Unique ID: 254729

SLIDE 17: IDENTITY FEDERATION AUTHENTICATION FLOW (RICH CLIENT PROFILE)
Customer side: Active Directory; AD FS 2.0 Server; Client (joined to CorpNet)
Microsoft Online Services side: Authentication platform; Skype4B online
Logon (SAML 1.1) Token, from the AD FS 2.0 Server: UPN: user@contoso.com; Source User ID: ABC123
Auth Token, from the Authentication platform: UPN: user@contoso.com; Unique ID: 254729

SLIDE 18: PREPARING FOR IDENTITY FEDERATION
- High availability design for AD FS 2.0
- Every user must have a User Principal Name
- UPN suffix must match a validated domain in Office 365
- Something@domain.com (preferably built to match the e-mail address)

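As an added example (not part of the deck), the checks the relying party side of the two federation flow slides applies to the AD FS logon token, together with the UPN readiness rule from this slide, in Python. The AD FS issuer URL, the SAML 1.1 token, the cloud directory and the on-premises user export are all constructed; the claim names UPN and ImmutableID and the audience urn:federation:MicrosoftOnline follow the Office 365 federation trust, and XML signature verification is assumed to have been done before these checks run.

```python
# Added example, not material from the deck: the relying-party checks on the AD FS
# logon token of the passive federation flow, plus the UPN readiness check from
# "Preparing for identity federation". Issuer, token, directory and export are constructed.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML1}
EXPECTED_AUDIENCE = "urn:federation:MicrosoftOnline"  # Office 365 relying party identifier
TRUSTED_ISSUER = "http://sts.contoso.com/adfs/services/trust"  # assumed AD FS issuer
VERIFIED_DOMAINS = {"contoso.com"}  # domains validated in Office 365 (constructed)
CLOUD_DIRECTORY = {  # synced cloud objects keyed by Source User ID (constructed)
    "ABC123": {"unique_id": "254729", "upn": "user@contoso.com"},
}
# Constructed SAML 1.1 logon token shaped like the one in the flow: UPN and
# ImmutableID (Source User ID) claims, audience = Microsoft Online Services.
LOGON_TOKEN = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1"
  MinorVersion="1" AssertionID="_c0ffee" Issuer="http://sts.contoso.com/adfs/services/trust">
  <saml:Conditions NotBefore="2015-07-02T09:00:00Z" NotOnOrAfter="2015-07-02T10:00:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>urn:federation:MicrosoftOnline</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>ABC123</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="UPN" AttributeNamespace="http://schemas.xmlsoap.org/claims">
      <saml:AttributeValue>user@contoso.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute AttributeName="ImmutableID"
      AttributeNamespace="http://schemas.microsoft.com/LiveID/Federation/2008/05">
      <saml:AttributeValue>ABC123</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_utc(stamp):  # timestamps in SAML 1.1 Conditions are UTC, "Z"-suffixed
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def upn_suffix(upn):  # domain part of a UPN, lower-cased; "" when the value is not a UPN
    return upn.rpartition("@")[2].lower() if "@" in upn else ""

def validate_logon_token(xml_text, now, directory=CLOUD_DIRECTORY):
    """Checks applied before the AD FS logon token is swapped for the platform's own auth
    token. Verify the XML signature against federation metadata first; not done here."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML1}}}Assertion" or root.get("MajorVersion") != "1":
        raise ValueError("not a SAML 1.x assertion")
    if root.get("Issuer") != TRUSTED_ISSUER:
        raise ValueError("issuer is not the federated domain's AD FS")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion carries no Conditions")
    if not parse_utc(cond.get("NotBefore")) <= now < parse_utc(cond.get("NotOnOrAfter")):
        raise ValueError("token outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)]
    if EXPECTED_AUDIENCE not in audiences:
        raise ValueError("token was not issued for this relying party")
    claims = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        claims[attr.get("AttributeName")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    if len(claims.get("UPN", [])) != 1 or len(claims.get("ImmutableID", [])) != 1:
        raise ValueError("token must carry exactly one UPN and one ImmutableID claim")
    upn, source_id = claims["UPN"][0], claims["ImmutableID"][0]
    if upn_suffix(upn) not in VERIFIED_DOMAINS:
        raise ValueError("UPN suffix is not a validated Office 365 domain")
    user = directory.get(source_id)
    if user is None or user["upn"].lower() != upn.lower():
        raise ValueError("no synced cloud object matches Source User ID and UPN")
    return {"upn": user["upn"], "unique_id": user["unique_id"]}  # the platform's auth token

def token_rejection_reason(xml_text, now, directory=CLOUD_DIRECTORY):
    """None when the token passes, otherwise the reason it was refused."""
    try:
        validate_logon_token(xml_text, now, directory)
        return None
    except ValueError as exc:
        return str(exc)

def upn_readiness_issues(users, verified_domains=VERIFIED_DOMAINS):
    """Pre-federation check over an export of on-premises users (dicts with sam, upn,
    mail); returns (sam, issue) pairs for users that would break federated logon."""
    issues = []
    for u in users:
        upn = u.get("upn") or ""
        if not upn:
            issues.append((u["sam"], "no UPN"))
        elif upn_suffix(upn) not in verified_domains:
            issues.append((u["sam"], f"UPN suffix {upn_suffix(upn)} is not validated in Office 365"))
        elif u.get("mail") and u["mail"].lower() != upn.lower():
            issues.append((u["sam"], "UPN differs from e-mail address"))
    return issues

AD_USERS = [  # constructed on-premises export for the readiness check
    {"sam": "user", "upn": "user@contoso.com", "mail": "user@contoso.com"},
    {"sam": "legacy", "upn": "legacy@contoso.local", "mail": "legacy@contoso.com"},
    {"sam": "svc", "upn": "", "mail": None},
    {"sam": "jdoe", "upn": "j.doe@contoso.com", "mail": "john@contoso.com"},
]

if __name__ == "__main__":
    print(validate_logon_token(LOGON_TOKEN, parse_utc("2015-07-02T09:30:00Z")), upn_readiness_issues(AD_USERS))
```

The lookup is keyed by the Source User ID rather than the UPN, which is why the readiness check matters: a user whose UPN suffix is not a validated domain, or who has no UPN at all, never reaches the directory match even when the token itself is well-formed.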
SLIDE 19: DEMO: Portal logon Office 365

SLIDE 20: CENTRALLY MANAGED IDENTITIES AND ACCESS

SLIDE 21: PREINTEGRATED SAAS APPS IN THE APPLICATION GALLERY

SLIDE 22: AUTHENTICATION PROTOCOLS SUPPORTED
- OAuth 2.0
- OpenID Connect
- WS-Federation
- SAML 2.0
Info: https://azure.microsoft.com/en-us/documentation/articles/active-directory-authentication-scenarios/

SLIDE 23: APPLICATION TYPES SUPPORTED
- Web applications using OAuth that need a shortcut in the apps portal of Azure
- Officially supported applications in the Azure gallery
- Applications accessible using application proxy (needs AAD Premium)

SLIDE 24: ACCESS PANEL
http://myapps.microsoft.com
This is where users can discover the applications they have access to.
Features of the Access Panel:
- Users can change the password associated with their organizational account.
- Users can edit multi-factor authentication-related contact and preference settings.
- Users can view details about their account.
Needs a browser extension on first use.

SLIDE 25: ACCESS PANEL FOR IOS 7 & ANDROID
- Provides SSO to apps integrated with your Azure Active Directory
- Full parity with the web-based Application Access Panel

SLIDE 26: DEMO: Single sign-on to Twitter using AAD

SLIDE 27: DIRECTORY SYNC: AZURE AD CONNECT
- Synchronizes users, groups, and contacts to Microsoft Azure Active Directory
- Users can have a different password in Microsoft Azure Active Directory than for on-premises Active Directory, or the same one (password sync is optional)
- GA as of 18th of June: http://www.microsoft.com/en-us/download/details.aspx?id=47594

SLIDE 28: PREPARING FOR AZURE AD CONNECT

SLIDE 29: DEMO: Sync AD DS with AAD using Azure AD Connect

SLIDE 30: WHAT IS AZURE MULTI-FACTOR AUTHENTICATION?
- A stand-alone Azure Identity and Access management service
- Needs AAD Premium
- Prevents unauthorized access to both on-premises and cloud applications by providing an additional level of authentication

SLIDE 31: AND THE SECOND FACTOR IS

SLIDE 33: USER SETUP MFA
- User required to set up
- Also needed for password reset

SLIDE 34: DEMO: Logon with Multi-Factor Authentication

SLIDE 35: SELF RESET PASSWORD OPTIONS

SLIDE 36: (MOBILE) DEVICE MANAGEMENT AND AAD

SLIDE 37: DEMO: Windows 10 AAD domain join

SLIDE 38: THANK YOU
Follow us on:
Selected presentations are available on: WWW.REALDOLMEN.COM