Extend and Enhance AD FS



Similar documents
Identity. Provide. ...to Office 365 & Beyond

Federated single sign-on (SSO) and identity management. Secure mobile access. Social identity integration. Automated user provisioning.

Flexible Identity Federation

Connecting Users with Identity as a Service

Pick Your Identity Bridge

EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES

SAML SSO Configuration

SINGLE & SAME SIGN-ON ASPECTS

The Top 5 Federated Single Sign-On Scenarios

PROVIDING SINGLE SIGN-ON TO AMAZON EC2 APPLICATIONS FROM AN ON-PREMISES WINDOWS DOMAIN

Speeding Office 365 Implementation Using Identity-as-a-Service

USING FEDERATED AUTHENTICATION WITH M-FILES

The Primer: Nuts and Bolts of Federated Identity Management

OPENIAM ACCESS MANAGER. Web Access Management made Easy

WHITEPAPER. NAPPS: A Game-Changer for Mobile Single Sign-On (SSO)

Azure Active Directory

Three Ways to Integrate Active Directory with Your SaaS Applications OKTA WHITE PAPER. Okta Inc. 301 Brannan Street, Suite 300 San Francisco CA, 94107

NetworkingPS Federated Identity Solution Solutions Overview

UNIVERSITY OF COLORADO Procurement Service Center INTENT TO SOLE SOURCE PROCUREMENT CU-JL SS. Single Sign-On (SSO) Solution

Flexible Identity Federation

An Overview of Samsung KNOX Active Directory and Group Policy Features

The Primer: Nuts and Bolts of Federated Identity Management

A Standards-based Mobile Application IdM Architecture

An Overview of Samsung KNOX Active Directory-based Single Sign-On

WHITEPAPER. 13 Questions You Must Ask When Integrating Office 365 With Active Directory

The Top 3 Identity Management Considerations When Implementing Google Apps for the Enterprise

How To Manage A Plethora Of Identities In A Cloud System (Saas)

Single Sign On. SSO & ID Management for Web and Mobile Applications

Copyright

NCSU SSO. Case Study

managing SSO with shared credentials

Directory Integration with Okta. An Architectural Overview. Okta White paper. Okta Inc. 301 Brannan Street, Suite 300 San Francisco CA, 94107

CLAIMS-BASED IDENTITY FOR WINDOWS

Course 20533: Implementing Microsoft Azure Infrastructure Solutions

Directory Integration with Okta. An Architectural Overview. Okta Inc. 301 Brannan Street San Francisco, CA

Hybrid Cloud Identity and Access Management Challenges

SAML 101. Executive Overview WHITE PAPER

Managing Access for External Users with ARMS

MOBILITY. Transforming the mobile device from a security liability into a business asset. pingidentity.com

Federation At Fermilab. Al Lilianstrom National Laboratories Information Technology Summit May 2015

OpenAM All-In-One solution to securely manage access to digital enterprise and customer services, anytime and anywhere.

MY1LOGIN SOLUTION BRIEF: PROVISIONING. Automated Provisioning of Users Access to Apps

Avoid the Hidden Costs of AD FS with Okta

Top 8 Identity and Access Management Challenges with Your SaaS Applications. Okta White paper

Creating a Single Sign on Web Portal using Azure. Robert Crane Office 365

SECUREAUTH IDP AND OFFICE 365

Federated Identity and Single Sign-On using CA API Gateway

The increasing popularity of mobile devices is rapidly changing how and where we

Implementing Microsoft Azure Infrastructure Solutions

Implementing Microsoft Azure Infrastructure Solutions 20533B; 5 Days, Instructor-led

Course 20533B: Implementing Microsoft Azure Infrastructure Solutions

Mod 3: Office 365 DirSync, Single Sign-On & ADFS

Bill Fiddes Learning and Development Specialist Rob Latino Program Manager in Office 365 Support

Cloud Computing. Chapter 5 Identity as a Service (IDaaS)

Integrating Active Directory Federation Services (ADFS) with Office 365 through IaaS

HOL9449 Access Management: Secure web, mobile and cloud access

SAML-Based SSO Solution

Single-Sign-On between On-Premises and the Cloud: Leveraging Windows Azure Active Directory to authenticate custom solutions and Apps

Managing Office 365 Identities and Services 20346C; 5 Days, Instructor-led

White Paper. McAfee Cloud Single Sign On Reviewer s Guide

Course 20346: Managing Office 365 Identities and Services

SharePoint 2013 Business Connectivity Services Hybrid Overview

Managing Office 365 Identities and Services

Introduction to SAML

Enable Your Applications for CAC and PIV Smart Cards

Authentication Integration

WIPRO IDENTITY CLOUD UNLEASHING THE NEXT GENERATION OF IDENTITY AND ACCESS MANAGEMENT (IAM)

How to Overcome Challenges in Deploying Cloud Apps to Get the Most from your IAM Investment

Office 365 deploym. ployment checklists. Chapter 27

Web Applications Access Control Single Sign On

Office 365 deployment checklists

Interoperate in Cloud with Federation

G Cloud 6 CDG Service Definition for Forgerock Software Services

White paper Contents

Identity & Access Management in the Cloud: Fewer passwords, more productivity

CA Federation Manager

How to leverage SAP NetWeaver Identity Management and SAP Access Control combined solutions

Cloud Standards. Arlindo Dias IT Architect IBM Global Technology Services CLOSER 2102

AVG Business Secure Sign On Active Directory Quick Start Guide

Microsoft Implementing Microsoft Azure Infrastructure Solutions

Implementing Microsoft Azure Infrastructure Solutions

Managing Office 365 Identities and Services

SAP Cloud Identity Service

Cloud-Accelerated Hybrid Scenarios with SharePoint and Office 365

Identity and Access Management for the Hybrid Enterprise

Implementation Guide SAP NetWeaver Identity Management Identity Provider

Google Identity Services for work

Tech Brief: Upgrading from Sun IAM to ForgeRock Open Identity Stack

Managing Your Microsoft Windows Server Fleet with AWS Directory Service. May 2015

solution brief February 2012 How Can I Obtain Identity And Access Management as a Cloud Service?

BYE BYE PASSWORDS. The Future of Online Identity. Hans Zandbelt Sr. Technical Architect. CTO Office - Ping Identity

Total Cost of Ownership Overview ADFS vs OneLogin WHITEPAPER

PingFederate. Salesforce Connector. Quick Connection Guide. Version 4.1

How Microsoft IT manages mobile device management

Identity in the Cloud

Transcription:

Extend and Enhance AD FS December 2013 Sponsored By

Contents Extend and Enhance AD FS By Sean Deuby Introduction...2 Web Service SSO Architecture...3 AD FS Overview...5 Ping Identity Solutions...7 Synergy of Combining AD FS + Ping Identity Solutions...8 Figures Figure 1: Major Internet SSO Components...3 Figure 2: AD FS Server Farm...6 Figure 3: AD FS + PingOne IDaaS Solution...8 Introduction Many enterprises have chosen to deploy and use Active Directory Federation Services (AD FS), a Windows Server role, to provide users with single sign-on (SSO) access and federation to a variety of Software as a Service (SaaS) applications. AD FS, a component of Microsoft s Active Directory family of services, extends Active Directory Domain Services (AD DS) in order to provide web services that AD DS does not support natively. Although AD FS is lacking some key features that would improve both its administrators and end users experiences, many enterprises have already made significant time and monetary investments in its deployment and operation. It is highly unlikely these organizations are willing to immediately rip out AD FS and begin anew with another SSO/federation solution. Working with AD FS in an environment where SaaS application use is growing dramatically often without the IT department s sanction or knowledge presents a strong set of challenges for enterprises. Scaling AD FS to provide SSO to hundreds or thousands of SaaS applications in a timely manner, with a good user experience, is simply beyond the capabilities of many already-overburdened IT departments. This situation is a major reason why Identity as a Service (IDaaS) solutions have arisen. They offload the SaaS connection burden from the on-premises IT department to a subscription cloud service. The good news is that organizations that have deployed AD FS do not have to start over. Enterprises can continue to use their existing AD FS solution as an identity bridge to 2

the Ping Identity SSO/federation IDaaS solution, PingOne. The marriage of these two best-of-breed solutions yields a variety of complementary benefits, including: A wider variety of open standards-based SaaS applications are supported. Onboarding new SaaS applications is easier for AD FS administrators, as is user provisioning, especially when there are many SaaS applications. Only one connection to PingOne is needed to handle all SaaS applications. Scalability requirements are handled on demand with PingOne rather than scaling up the on-premises AD FS solution. Connections are managed through PingOne s easy-to-use interface. An end user portal allows users access to all the applications they are authorized to use through a single, device-independent user interface. This white paper will review AD FS s history and capabilities as they have evolved, as well as some gaps in the product s current feature set. It will also outline the Ping Identity solutions and where they fit into an enterprise identity architecture. Finally, it will show how AD FS and Ping Identity solutions easily integrate with each other to provide your business with scalable, highly available, and user-friendly SSO access to SaaS applications. Web Service SSO Architecture It s important to understand the basic architecture of services that provide SSO to web services using credentials from a business s identity databases. As Figure 1 shows, there are six major components: web service, service provider (SP), identity provider (IdP), federation service, identity bridge, and provisioning service. In this example, the identity database that contains user credentials is Active Directory Domain Services (AD DS). Figure 1: Major Internet SSO Components 3

Web Service A web service is a browser-based (HTTP) application, provided at a network address over the web. Although web services provide a wide variety of capabilities (including both IdP and SP roles), the best known web services are SaaS applications. Service Provider (SP) The SP role is a web service that provides a business or consumer service (such as Microsoft Office 365, Salesforce.com, or Concur Travel) based on accounts it holds. An SP that supports federation standards (such as SAML 2.0) relies on identities, held at the IdP, to authoritatively authenticate these accounts. The SP is also referred to as the relying party because it relies on the IdP to authenticate its accounts. SPs that do not support federation require local, form-based authentication with a user ID and password. The term service provider is also used colloquially to describe the business providing the web service used as an application. Identity Provider (IdP) In a transaction between two web services, the IdP role negotiates with Active Directory (and possibly other corporate data stores) to: Authenticate the credentials provided by the user. Provide a set of claims about these credentials that can be authoritatively communicated back to the SP or to other web services that require identity information on behalf of the business. Colloquially, the term identity provider describes the business that provides the identities of the users who require the SSO capability. The identities can be stored in Active Directory, HR databases, or other miscellaneous data stores. Federation Service A federation service performs several functions. The most important functions are: Supporting federated trusts established between the IdP and SP. Performing security token translation between the Kerberos security protocol used in Active Directory and the SAML 2.0 claims model used in web services. This translation is performed by the Security Token Service (STS). Identity Bridge The on-premises services that connect your enterprise to cloud web services are collectively known as the identity bridge. An identity bridge can be one or more 4

services running on separate servers or on a single instance. This bridge may act alone and connect directly to an SP, or in conjunction with a cloud-based federation service (IDaaS), which acts as an IdP and connects to the SP. Provisioning Service For federated SSO to function, the SP must have its user accounts authenticated by the IdP and have those accounts populated with user data provided by the IdP. How is this user data replicated to the SP? A variety of methods are currently popular, including proprietary directory synchronization services and standards-based provisioning protocols. Some methods handle the complete provisioning lifecycle (i.e., CRUD create, read, update, delete), whereas others do not. The System for Crossdomain Identity Management (SCIM) is an emerging provisioning standard that supports the entire provisioning lifecycle. The provisioning service can be incorporated into the federation server (e.g., PingOne s AD Connect uses SCIM for its provisioning capability) or run as a standalone service. AD FS Overview AD FS first made its appearance as a downloadable addition to Windows Server 2003 R2. It was later incorporated into Windows Server 2008 and Windows Server 2008 R2. In Windows Server 2012, AD FS 2.1 is an installable server role, and Windows Server 2012 R2 continues this configuration with AD FS 2.2. AD FS s feature set and supported protocols have grown as the product has matured. AD FS was initially built around the core WS-* set of standards (such as WS-Federation, WSDL, SOAP, and UDDI) for web services. A key capability upgrade occurred in AD FS 2.0, as it added support for SAML 2.0, the most widely used identity federation standard. AD FS 2.2 added support for a rapidly growing identity and authorization framework, OAuth 2.0. Typical Enterprise Deployment Architecture In a typical high availability architecture (see Figure 2), AD FS is configured as a server farm of two or more AD FS servers in a Network Load Balancing (NLB) cluster behind one or more federation server proxies (or Web Application Proxies in Windows Server 2012 R2). For enterprises with fewer than 100 trust relationships to relying parties, the built-in Windows internal database on each AD FS server can be used to store configuration data. For larger AD FS deployments, a SQL Server database should be used. A robust, fault tolerant AD FS farm requires at least four servers (two AD FS servers and two proxy servers) in addition to the NLB servers. 5

Figure 2: AD FS Server Farm SOURCE: MICROSOFT TECHNET AD FS Strengths AD FS has several strengths, including: High availability. As a mission critical service, AD FS can be configured for high availability, as illustrated in Figure 2. Federation services. AD FS provides token translation through its STS. In addition, it queries AD DS to add user and group attributes to claims to be used by web services. Provisioning service. Microsoft s Directory Synchronization (DirSync) will synchronize all users in a single forest to Windows Azure Active Directory (Azure AD) in support of Microsoft s online services such as Office 365. AD FS Weaknesses Despite its evolution, AD FS still has some gaps in its feature set, including gaps in its provisioning support and standards support. Minimal provisioning support. AD FS has no provisioning support beyond its DirSync service to provision AD DS accounts to Azure AD, the Microsoft SP data store. Non-Microsoft SPs must provide their own provisioning, which leads to complexity, scalability, and support issues. If the non-microsoft SPs do not have an automated provisioning method, the enterprise must manually manage every account, which can result in an unmanageable overhead and security issues. 6

Minimal standards support. AD FS does not support SAML 1.0, OpenID, SCIM, or the FIDO Alliance (which is driving the effort to develop standards for strong authentication). It also does not support OpenID Connect. This new and popular identity specification is based on OAuth 2.0, which is recognized as the successor to SAML 2.0. Other gaps in AD FS s feature set include: AD FS has no built-in reporting capabilities. AD FS does not have a built-in end user portal to external web services. Users must remember or bookmark the web services they are subscribed to. AD FS has no support for web services that do not support identity standards such as SAML. AD FS does not have built-in multi-factor authentication capabilities. AD FS Summary AD FS is a built-in capability of Windows Server, but it is not without its own substantial deployment and operating costs. It also requires specialized expertise to manage the service and to configure and maintain multiple relationships with web service providers a problem whose seriousness increases for every new web service you trust. Ping Identity Solutions Ping Identity offers two major products in the identity and access management (IAM) market: PingFederate and PingOne. PingFederate is a lightweight and powerful identity bridge that delivers a comprehensive identity management solution for federated access to applications using existing identity infrastructure. PingOne is an IDaaS solution that delivers cloud SSO for your workforce. With one username and one password for users to manage, PingOne offloads the IT department s burden of collecting, configuring and maintaining connections from the on-premises identity bridge to the PingOne cloud service. The one-to-many relationship between enterprise IdP and cloud SPs is hosted in the cloud. The enterprise only needs to maintain an identity bridge with one connection to PingOne, as shown in Figure 3. PingOne is itself a cloud service and is configured to be highly available worldwide. The connection from the IdP to PingOne can be made with the Ping Identity s AD Connect for simple implementations or PingFederate for more complex scenarios. Users gain access to SaaS applications through the PingOne CloudDesktop web portal, which has both desktop and mobile-optimized versions. 7

Figure 3: AD FS + PingOne IDaaS Solution Synergy of Combining AD FS + Ping Identity Solutions Ping Identity products are standards-based, so you are not limited to AD Connect or PingFederate as your identity bridge to the PingOne cloud service. You can use any SAML-enabled identity management platform. AD FS is such a platform, and PingOne fully supports it. This means you can use your existing AD FS solution as your connection to PingOne and gain SSO access to the many SaaS applications on PingOne s CloudDesktop. Setting up a federated trust between AD FS and PingOne is simply a matter of adding PingOne to AD FS as you would add any other SaaS application. On the PingOne side of the trust, a simple guided setup process will enable the connection. After you have configured the PingOne CloudDesktop to provide users access to the SaaS applications they formerly accessed directly, you can remove the now-redundant trusts from AD FS and leave the single trust to PingOne. To provide provisioning capability, you can install AD Connect on any domainjoined IIS server running Windows Server 2008 or greater, with external connectivity over port 443. AD Connect is installed using a simple guided procedure that 8

is part of the PingOne configuration process. It usually takes less than 30 minutes to install. AD Connect is lightweight. Instead of using a heavyweight full synchronization engine, it uses the efficient SCIM provisioning standard to get user identity data from Active Directory to PingOne. In an AD FS + PingOne configuration, the AD Connect federation service will be disabled, as this is being provided by AD FS. Unlike AD FS, AD Connect also works across multiple domains, trees and forests if the trust relationship is configured and established among these differing domains. An AD FS + PingOne Internet SSO architecture has a number of advantages over a standalone AD FS implementation: Your AD DS/AD FS architecture has not changed. Your identities remain in AD DS. Implementation is simplified because you only need one federated trust to PingOne. Because you have essentially outsourced the heavy lifting of SaaS federation to the PingOne service, there is no longer a question of how many SaaS connections your company can effectively use. If a SaaS application is available in the Cloud- Desktop portal and you have established a subscription with the application, you can have SSO access to it. PingOne provides SSO access to SaaS applications that support SAML by extending an enterprise user s identity data to the cloud service provider without providing a password. However, a large number of SaaS applications do not yet support federation. They require that a user ID and password be provided at logon time (known as form-based authentication). Ping Identity recognizes this is the less-than-perfect state that cloud identity is in today. To provide SSO access to these applications, PingOne uses a password vaulting capability that will securely store a user ID and password (which has no requirement to match the user s enterprise credentials) for a given form-based SaaS application and automatically fill in the logon information. Although not a federation solution, providing SSO access to non-saml-enabled SaaS applications is another PingOne capability that AD FS does not provide. Another advantage of an AD FS + PingOne architecture is in the area of reporting and auditing. PingOne provides reporting on SaaS application usage to provide IT dashboard feedback; AD FS by itself has no reporting capability. And should you consider eliminating the cost of maintaining an AD FS server farm, the Ping Identity suite of products provides you several options. If you only need to connect Active Directory to PingOne, the lightweight AD Connect identity bridge installs in minutes on an IIS server, scales to high capacity, and is fully compliant with secure Internet 9

identity standards. If your on-premises identity landscape is more complicated, consider PingOne Enterprise. It gives you PingFederate as an identity bridge to handle a wide variety of configurations, including multi-factor authentication and integration with existing enterprise reporting and monitoring tools like Splunk, HP OpenView, or HP ArcSight. PingOne gives you the ability to dip your toe into the water of IDaaS in the most painless way possible. Without altering your existing AD FS connections, you can set up a connection to PingOne and use PingOne for Groups for free with up to 50 users and 5 applications to see if it meets your requirements. If you move to PingOne for Business, its expanded capability of 1,000 or more users and the entire PingOne applications catalog will allow you to shift your SaaS usage away from AD FS, maintaining only the connection to PingOne. Finally, you can use PingOne for Enterprise, and use any combination of PingFederate, ADConnect, or AD FS to bridge your identities to the internet as you see fit. Integrating PingOne with your existing AD FS installation quickly gives you scalability and options you cannot get with AD FS by itself. You do not have to remove your existing AD FS installation but you can simplify it. The synergy of the two solutions brings web SSO to your users for both federated and non-federated SPs. You can have much more detailed reporting on SaaS activity and a friendly portal for your users, whether they are on-premises or outside your company. AD FS + PingOne quickly gives you a best-in-class, standards-based means to securely integrate your business with the capabilities of cloud services. 10

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information