An identity management solution. TELUS AD Sync



Similar documents
Active Directory Synchronization Tool Architecture and Design

Setup guide. TELUS AD Sync

Preparing for GO!Enterprise MDM On-Demand Service

CA Performance Center

FileCloud Security FAQ

Xerox DocuShare Security Features. Security White Paper

Flexible Identity Federation

VMware Identity Manager Administration

Okta/Dropbox Active Directory Integration Guide

Sync Security and Privacy Brief

Configuring User Identification via Active Directory

Centrify Cloud Connector Deployment Guide

ADSelfService Plus Client Software Installation Guide

Integrating Webalo with LDAP or Active Directory

Security Architecture Whitepaper

RSA Authentication Manager 7.1 Microsoft Active Directory Integration Guide

How To - Implement Single Sign On Authentication with Active Directory

How To Secure Your Data Center From Hackers

TIBCO Spotfire Platform IT Brief

WHITEPAPER. SECUREAUTH 2-FACTOR AS A SERVICE 2FaaS

Jesubi Salesforce Integration Guide

VMware Identity Manager Administration

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

Bill Fiddes Learning and Development Specialist Rob Latino Program Manager in Office 365 Support

Oracle Eloqua HIPAA Advanced Data Security Add-on Cloud Service

HELP DOCUMENTATION UMRA REFERENCE GUIDE

Password Reset Server User Guide

User Guide. You will be presented with a login screen which will ask you for your username and password.

Getting Started with Clearlogin A Guide for Administrators V1.01

Integrate with Directory Sources

Central Desktop Enterprise Edition (Security Pack)

BlackBerry Enterprise Service 10. Universal Device Service Version: Administration Guide

Active Directory LDAP Quota and Admin account authentication and management

Migrating Exchange Server to Office 365

Configuring Security Features of Session Recording

Protected Trust Directory Sync Guide

(Installation through ADSelfService Plus web portal and Manual Installation)

Red Hat Enterprise ipa

Tableau Server Security. Version 8.0

How To - Implement Clientless Single Sign On Authentication in Single Active Directory Domain Controller Environment

Manage all your Office365 users and licenses

Active Directory Integration

Online Data Services. Security Guidelines. Online Data Services by Esri UK. Security Best Practice

Security whitepaper. CloudAnywhere.

Active Directory Authentication Integration

Installation & Configuration Guide User Provisioning Service 2.0

AVG Business SSO Connecting to Active Directory

LDAP Directory Integration with Cisco Unity Connection

Mod 3: Office 365 DirSync, Single Sign-On & ADFS

Server Installation Manual 4.4.1

ECAT SWE Exchange Customer Administration Tool Web Interface User Guide Version 6.7

Copyright 2014 Jaspersoft Corporation. All rights reserved. Printed in the U.S.A. Jaspersoft, the Jaspersoft

Salesforce1 Mobile Security Guide

Customer admin guide. UC Management Centre

FaxCore 2007 Getting Started Guide (v1.0)

Broker Portal Tutorial Broker Portal Basics

Configuration Guide. BlackBerry Enterprise Service 12. Version 12.0

Active Directory 2008 Implementation. Version 6.410

Step- by- Step guide to extend Credential Sync between IBM WebSphere Portal 8.5 credential vault and Active Directory 2012 using Security Directory

TFS ApplicationControl White Paper

Group Management Server User Guide

HELP DOCUMENTATION E-SSOM INSTALLATION GUIDE

2X Cloud Portal v10.5

DEPLOYMENT GUIDE Version 1.2. Deploying F5 with Oracle E-Business Suite 12

SPHOL300 Synchronizing Profile Pictures from On-Premises AD to SharePoint Online

Ciphermail Gateway PDF Encryption Setup Guide

LDAP Synchronization Agent Configuration Guide

Installation and Configuration Guide

activecho Driving Secure Enterprise File Sharing and Syncing

A Guide to New Features in Propalms OneGate 4.0

Office 365 deploym. ployment checklists. Chapter 27

Univention Corporate Server. Operation of a Samba domain based on Windows NT domain services

Mediasite EX server deployment guide

Architecture and Data Flow Overview. BlackBerry Enterprise Service Version: Quick Reference

System Area Management Software Tool Tip: Agent Deployment utilizing. the silent installation with Active Directory

Administration Guide. . All right reserved. For more information about Specops Password Sync and other Specops products, visit

INUVIKA OVD VIRTUAL DESKTOP ENTERPRISE

Transporter from Connected Data Date: February 2015 Author: Kerry Dolan, Lab Analyst and Vinny Choinski, Sr. Lab Analyst

PowerChute TM Network Shutdown Security Features & Deployment

Vital Link 2.X Pre-Install Checklist

Configuration Guide BES12. Version 12.1

Configuration Guide. BES12 Cloud

Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER

Using LDAP Authentication in a PowerCenter Domain

Configuration Guide BES12. Version 12.3

Administration Guide. BlackBerry Enterprise Service 12. Version 12.0

G-Lock EasyMail7. Admin Guide. Client-Server Marketing Solution for Windows. Copyright G-Lock Software. All Rights Reserved.

MOBILE DEVICE CONFIGURATION GUIDE ActiveSync

DEPLOYMENT GUIDE Version 1.0. Deploying the BIG-IP Edge Gateway for Layered Security and Acceleration Services

RemotelyAnywhere Getting Started Guide

Mod 2: User Management

GoldKey Software. User s Manual. Revision WideBand Corporation Copyright WideBand Corporation. All Rights Reserved.

RSA SecurID Software Token 1.3 for iphone and ipad Administrator s Guide

Mobile Admin Security

Setup Corporate (Microsoft Exchange) . This tutorial will walk you through the steps of setting up your corporate account.

TIGERPAW EXCHANGE INTEGRATOR SETUP GUIDE V3.6.0 August 26, 2015

Please evaluate this documentation on the following site:

IIS SECURE ACCESS FILTER 1.3

What you need to know about DirSync - our experiences with DirSync and Office 365, by David Parizek and Henry Verlander.

Ensuring the security of your mobile business intelligence

Transcription:

An identity management solution TELUS AD Sync June 2013

Introduction An important historic challenge faced by small and mid-sized businesses when opting for the TELUS Business E-mail Service is the requirement to have two sets of credentials; one to log on to their computer and on-premises applications, and one for their TELUS-hosted applications. This White Paper presents a new solution by TELUS for automated provisioning and synchronization of user account details between customer-premise and TELUS-hosted Active Directory environments. The problem The Internet has matured to the point where both business users and consumers are now dependent on Internet connectivity. The hosting of business applications has become a reality and offers great advantages for businesses of all sizes. The need to have more than one set of login credentials results in more forgotten passwords and lower productivity. Provisioning also adds complication; when a new user is added to an organization the user now has to be created for each group of hosted applications. Procedures to delete accounts for departing employees and contractors become more complex leading to potential for accounts to be left open, which poses security concerns. The TELUS AD Sync Solution. The TELUS AD Sync service allows customers to synchronize their own localized Domain Controller to the TELUS-hosted Domain Controller, meaning that the customer s ID in the TELUS-hosted Domain Controller will be regularly updated with any user changes that have been saved in the customer s domain controller. This allows a customer to add, change, and remove users in their local AD Forest/Domain and have this action replicated automatically in the TELUS Hosted services domain. This service means that shared hosted Unified Communications clients will only have to update their ID credentials in one place, their local Active Directory, not in two places, their local Active Directory and the TELUS Hosting AD. The service is a customer only service. Once provisioned to a customer, the customer s administrator will have access to download and configure the TELUS AD Sync tool to their existing Domain Controller. The interface is a one way connection, where any user updates that are made on the Customer Domain Controller are synchronized to the TELUS Hosted environment. Customers using the TELUS AD Sync service will no longer change their users properties through the UC Management Centre; any user change must be completed in the customer s existing domain controller. TELUS AD Sync: an identity management solution 2

Figure 1 Physical Architectural View The TELUS AD Sync Service monitors password changes in the client Active Directory forest and replicates these changes to the TELUS Hosted Active Directory. User Lifecycle Management. The following features are supported by the solution: Exclude and Include Groups. Users in the Customer AD can be selected for synchronization based on security group membership. Any users in the Include groups will be synchronized, conversely, if Exclude groups are specified, users in the exclude groups will never be synchronized. This gives the customer easy control over the users to be replicated into the hosting environment. Typically, the purpose would be to exclude service and computer accounts or to have control over a migration process from on-premises to hosted Exchange. In the scenario where a user has membership of both an Include and an Exclude group, the exclude group will take precedence. This works in a similar way to most permission systems, where a Deny always takes precedence over an Allow permission. Note: TELUS recommends that the Domain Controller contain a group labeled TELUS AD SYNC which will be used as an include group for the service. User Creation As soon as a user is created and added to the include group, the user will be replicated in the hosted environment. A template is used for creation that can be used to control which AD attributes are transferred to the new hosted user. When a user is created the SID (globally unique user identifier) from the Customer AD is also stored in The UC Management Centre against the user. TELUS AD Sync: an identity management solution 3

User Update Any subsequent changes made to a user in the Customer Active Directory will be replicated across to the TELUS hosted Active Directory. Support is also included for disabling of accounts; a disabled account in the customer AD will disable the account in the TELUS hosted Active Directory. User Deletion Deletion of the user in the customer Active Directory will send another request to The UC Management Centre automatically removing the user from the TELUS hosted environment. This minimizes cost to the customer by minimizing the amount of resource used in the hosted environment. Password Change Detection. TELUS AD Sync implements a Windows password filter DLL, which is registered on each domain controller to receive password change events. This is a standard and recommended approach for detecting password changes and is the approach used by nearly all identity integration products. Use of NT Logon Name / samaccountname. Active directory supports two logon names or identifiers for each user, the samaccountname or Username (simple logon name), and the UPN (User Principal Name). The simple logon name is used to support pre-windows 2000 operating systems. The UPN is available in current Windows operating systems. Enterprise customers may use the simple logon name (this is a limited length string, and typically a naming convention is applied, e.g. firstname + first character of lastname, as an example, John Smith may have a username of johns ), the User Principal Name is commonly used in hosting scenarios and looks similar in format to an email address, e.g. user@domain. In a shared hosting environment, the use of traditional Usernames (simple logon name) is difficult due to duplicate name conflicts that increase with the high volume of users. TELUS recommends that users utilize the same UPN from their customer premise AD. Users will be encouraged to use the UPN for logging on to any system, internal or hosted, as this will minimize logon problems. Aligning the UPN with the users primary email address will also ease this process. TELUS AD Sync: an identity management solution 4

User Principal Name (UPN) Generation and Mapping. The UC Management Centre can be configured to generate a hosting username for each user based on a pre-determined template; this is needed to ensure that usernames are guaranteed to be unique. TELUS AD Sync service will perform the following: 1. If the customer domain exists within the TELUS Hosted environment, then the user s current UPN will be preserved into the hosting environment. 2. If the customer domain doesn t exist in the TELUS Hosted environment, the user s samaccountname (simple logon name) will be pre-pended to the primary domain for the customer. E.g. if the samaccountname is john and the primary domain is domain.com, the hosting UPN would be john@domain.com. Security Security of the solution has been a prime consideration in order to ensure the privacy of data and safe transfer of passwords into the hosting environment. Configuration Sensitive information in the configuration is encrypted. Furthermore, all configuration files and registry data have permissions that restrict access to an Administrator or the Local System user on the Domain Controller. Password Change Detection. A password filter (DLL) is installed onto each Domain Controller. When a password is changed, the user s unique identifier (SID) and the password are immediately encrypted (Windows DPAPI) and stored to a file on the Domain Controller. Encrypted data can only be decrypted on the same machine by an Administrator or the Local System user. The data in the file is also hashed (SHA1) to prevent unauthorized changes. The files have permissions that restrict access to an Administrator or the Local System user. API Secure Requests. Requests are sent to the UC Management Centre infrastructure using HTTPS. The secure API request utilizes a combination of a public/private key and a symmetric key (RSA and AES) to securely transfer data and credentials. This ensures the data cannot be intercepted or diverted to another source. The data in the request is also hashed (SHA1) to prevent unauthorized changes. Request Transfer The transfer of data to the hosting environment can also be sent over HTTPS (SSL), adding an additional layer of security. TELUS AD Sync: an identity management solution 5

UC Management Centre Features for TELUS AD Sync. The UC Management Centre user interface has been adapted to assist in the management and deployment of the TELUS AD Sync tool as well as restricting the changes that can be made for synchronized users. TELUS AD Sync Service. The addition of a new service in The UC Management Centre allows access to the TELUS AD Sync utility to end-customers. This allows TELUS to quickly enable TELUS AD Sync for a customer or reseller and also easily track usage for billing purposes. Configured Setup Any TELUS AD Sync service administrator (or customer level administrator) can gain access to download a customized setup file for installing the TELUS AD Sync customer Active Directory agent. The setup file includes core information needed to connect to The UC Management Centre, including the public key needed for secure API calls and the instance specific connection information needed for the agent to send information back to The UC Management Centre. User Control Users in The UC Management Centre that have been synchronized by the TELUS AD Sync utility are flagged and the UC Management Centre user interface will display non-editable user information. This is to avoid user information being updated in the UC Management Centre and then being overwritten by changes made via the customers Active Directory. User Services can still be provisioned and managed through the UC Management Centre Connectivity The connection between the TELUS host and the TELUS AD Sync client is encrypted with public/private key technology using a technique similar to that of SSL. This allows the connection between TELUS and the client to use any available connection solution, HTTP, HTTPS, VPN, or dedicated circuit. This public/private key solution also makes sure that the TELUS AD Sync client can only connect with the TELUS host that contains the private key. This information is contained in the MSI package. TELUS does not recommend using HTTP connectivity. There are no special ports required or used. The TELUS AD Sync client uses whatever HTTP configuration that the Domain Controller uses. TELUS AD Sync: an identity management solution 6

Managing Password Policies. The password complexity and expiry policy are essentially controlled by the customer s onpremis AD. In order for the solution to work, the TELUS hosted Active Directory must have either the same or a more lenient password policy than the customer password policy in order for passwords to be successfully synchronized. The password policies of the supplied credentials are dependent on the TELUS host Active Directory password policy. This means that if the credentials from the client do not meet the policy requirements of the TELUS hosted Active Directory, the password sync will fail. Limitations The initial release of the TELUS AD Sync utility is a fully operational solution. There are a number of known limitations. Change to Group Membership. At present TELUS AD Sync does not detect changes to users when they are moved in or out of the include/exclude groups. For new users, this means that the user will not get provisioned into the hosting environment until the user object or their password is changed. Changing the users password is however required for the initial synchronization of the account so this should cause minimal concern. Removal of Service. If a customer chooses to opt out of the TELUS AD Sync service there is currently no capability from within the UC Management Centre UI to remove the service. The customer must contact TELUS in order to complete this process. Summary The TELUS AD Sync utility is a simple solution that makes it easier for end-users to synchronize hosted services. The solution is designed to help businesses that have an existing Active Directory infrastructure. Some of the key benefits include: IT Administrators can continue to use the same tools for managing their users. Automatic creation and deletion of users in the hosting environment based on the customers own Active Directory. This minimizes costs and maintenance to the customer. Users no longer need to remember an additional password for their hosted services; they can manage their credentials in one place. This is a cost effective and practical solution for identity management that is designed for professional hosting environments managed by TELUS. TELUS AD Sync: an identity management solution 7

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information