4. Authentication: verifying that a user, device, or service (such as an application provided on a network server) is the entity that it claims to be.
Authorization: determining which actions an authenticated entity is permitted to perform on the network.
10. Directory Synchronization Options

PowerShell & Graph API
• Suitable for small/medium size organizations with AD or non-AD directories
• Performance limitations apply with PowerShell and Graph API provisioning
• PowerShell requires scripting experience
• PowerShell option can be used where the customer/partner may have wrappers around PowerShell scripts (e.g. self-service provisioning)

Directory Synchronization (DirSync)
• Suitable for organizations using Active Directory (AD)
• Provides the best experience to most customers using AD
• Supports Exchange co-existence scenarios
• Coupled with ADFS, provides the best option for federation and synchronization
• Supports password synchronization at no additional cost
• Does not require any additional software licenses

Forefront Identity Manager (FIM)
• Suitable for large organizations with certain AD and non-AD scenarios
• Complex multi-forest AD scenarios
• Non-AD synchronization through Microsoft Premier deployment support
• Requires Forefront Identity Manager and additional software licenses
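As an added example (not part of the deck), the kind of wrapper the "self-service provisioning" point refers to: a script around the MSOnline cmdlets (Connect-MsolService, Get-MsolDomain, Get-MsolUser, New-MsolUser) that creates cloud identities in bulk. The CSV layout, the function name New-CloudUserFromRow and the SKU name contoso:ENTERPRISEPACK are assumptions; the domain checks are the guard rails a practitioner would add so the script cannot create accounts in an unverified or federated domain.

```powershell
# Added example, not from the deck: a self-service provisioning wrapper around the
# MSOnline (Windows Azure AD) cmdlets for cloud identities in a tenant without DirSync.
# Assumed: MSOnline module installed, a Global Administrator credential supplied at the
# Connect-MsolService prompt, and a constructed CSV newhires.csv with the columns
# UserPrincipalName,DisplayName,FirstName,LastName,UsageLocation.
Import-Module MSOnline
Connect-MsolService

function New-CloudUserFromRow {
    param(
        [Parameter(Mandatory = $true)] $Row,
        [Parameter(Mandatory = $true)] [string] $AccountSkuId   # e.g. 'contoso:ENTERPRISEPACK' (assumed name)
    )
    $upn    = $Row.UserPrincipalName
    $domain = ($upn -split '@')[1]

    # Guard rails a wrapper should enforce before touching the tenant:
    # 1. the UPN suffix must be a domain the tenant has verified;
    # 2. federated domains are fed by DirSync; a script-created user there would not
    #    carry the ImmutableID that federated sign-in matches on;
    # 3. an existing user must not abort the whole batch.
    $d = Get-MsolDomain -DomainName $domain -ErrorAction Stop
    if ($d.Status -ne 'Verified')          { throw "$domain is not a verified domain" }
    if ($d.Authentication -eq 'Federated') { throw "$domain is federated; provision it through DirSync" }
    if (Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue) {
        Write-Warning "$upn already exists, skipping"
        return
    }

    # Without -Password the service generates a temporary password and returns it on the
    # user object; -ForceChangePassword makes the user replace it at first sign-in.
    $u = New-MsolUser -UserPrincipalName $upn `
                      -DisplayName   $Row.DisplayName `
                      -FirstName     $Row.FirstName `
                      -LastName      $Row.LastName `
                      -UsageLocation $Row.UsageLocation `
                      -LicenseAssignment $AccountSkuId `
                      -ForceChangePassword $true

    # Return the one-time password to the caller for out-of-band delivery; never log it.
    [pscustomobject]@{ UserPrincipalName = $u.UserPrincipalName; TemporaryPassword = $u.Password }
}

Import-Csv .\newhires.csv |
    ForEach-Object { New-CloudUserFromRow -Row $_ -AccountSkuId 'contoso:ENTERPRISEPACK' }
```

The federated-domain check matters because of the token flow later in the deck: a federated logon is matched to the cloud object by its ImmutableID, which only DirSync (or an explicit -ImmutableId) sets, so a user created by this script in a federated domain could never sign in.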
12. Identity models
• Cloud Identity: no integration to on-premises directories
• Directory & Password Synchronization*: integration without federation
• Federated Identity: single federated identity and credentials
13. Federation options

Shibboleth (SAML*)
• Suitable for educational organizations
• Recommended where customers may use existing non-ADFS identity systems
• Single sign-on
• Secure token based authentication
• Support for web clients and Outlook only
• Microsoft supported for integration only, no Shibboleth deployment support
• Requires on-premises servers & support
• Works with AD and other directories on-premises (AD & non-AD)

AD FS 2.0
• Suitable for medium and large enterprises, including educational organizations
• Recommended option for Active Directory (AD) based customers
• Single sign-on
• Secure token based authentication
• Support for web and rich clients
• Microsoft supported
• PhoneFactor can be used for two-factor authentication
• Works for Office 365 hybrid scenarios
• Requires on-premises servers, licenses & support
• Works with AD

Third-party identity providers ('Works with Office 365')
• Suitable for medium and large enterprises, including educational organizations
• Recommended where customers may use existing non-ADFS identity systems with AD or non-AD
• Single sign-on
• Secure token based authentication
• Support for web and rich clients
• Third-party supported
• PhoneFactor can be used for two-factor authentication
• Works for Office 365 hybrid scenarios
• Requires on-premises servers, licenses & support
• Verified through the 'Works with Office 365' program
• Works with AD & non-AD
15. 'Works with Office 365': a program for third-party identity providers to interoperate with Office 365
The objective is to help customers that currently use non-Microsoft identity solutions adopt Office 365.
16. Identity Roadmap
Shibboleth (SAML) support: available now
New 'Works with Office 365' partners (Ping, Optimal IDM, Okta, IBM): available now
Novell, CA and Oracle: 1H CY2013
DirSync for multi-forest AD: available now through MCS and partners
Sync solution for non-AD using FIM: available now through MCS and partners
Password synchronization for AD: 1H CY2013
Broader SAML support: 1H CY2013
17. Cloud identity in Windows Azure Active Directory
[Figure: a user with a cloud identity, e.g. alice@contoso.com, managed in Windows Azure AD]
• Identity managed in Windows Azure AD
• Single sign-on for Office 365 and other cloud services federated with the single cloud identity
• ISV applications or SaaS providers can integrate using APIs on Windows Azure AD
• Currently in Technical Preview
19. Cloud identity + directory synchronization; single sign-on + directory synchronization
[Figure: Contoso customer premises with AD and Active Directory Federation Server 2.0 acting as IdP; DirSync synchronizes AD to the MS Online Directory, and a federation trust links the IdP to Microsoft Online; services: Lync Online, SharePoint Online, Exchange Online]
22. Understanding client authentication path
[Figure: client authentication paths inside and outside the corporate boundary. AD FS 2.0 Server (inside) and AD FS 2.0 Proxy (outside) each expose MEX, Web (passive) and Active endpoints. Lync 2010/Office Subscription clients use MEX; OWA uses the Web endpoint; Outlook 2010/2007, IMAP/POP and ActiveSync send username and password to Exchange Online, which presents them to the Active endpoint. Internal clients reach the AD FS 2.0 Server directly, external clients go through the Proxy.]
Basic auth proposal: pass client IP, protocol and device name along with the credentials.
23. Credential prompts by client type and identity model

Web clients (Office with SharePoint Online, Outlook Web App); "Remember me" = persisted cookie
• Cloud Identity: username and password (Online ID)
• Federated Identities (domain joined): username, then no password prompt (AD credentials)
• Federated Identities (non-domain joined): username and password (AD credentials)

Exchange clients (Outlook, ActiveSync/POP/IMAP, Entourage); can save credentials
• Cloud Identity: username and password (Online ID)
• Federated Identities (domain joined): username and password (AD credentials)
• Federated Identities (non-domain joined): username and password (AD credentials)

Rich applications (SIA: Lync, Office Subscriptions, CRM rich client); can save credentials
• Cloud Identity: username and password (Online ID)
• Federated Identities (domain joined): no prompt (AD credentials)
• Federated Identities (non-domain joined): username and password (AD credentials)
24. Authentication flow (passive/web profile), identity federation
[Figure: customer side: client (joined to CorpNet), AD FS 2.0 Server, Active Directory; Microsoft Online Services side: authentication platform, Exchange Online or SharePoint Online. AD FS 2.0 issues a logon (SAML 1.1) token carrying UPN user@contoso.com and Source User ID ABC123; the authentication platform exchanges it for an auth token carrying UPN user@contoso.com and Unique ID 254729, which the client presents to the service.]
25. Authentication flow (MEX/rich client profile), identity federation
[Figure: customer side: client (joined to CorpNet), AD FS 2.0 Server, Active Directory; Microsoft Online Services side: authentication platform, Lync Online. As in the passive flow, AD FS 2.0 issues a logon (SAML 1.1) token with UPN user@contoso.com and Source User ID ABC123, and the authentication platform returns an auth token with UPN user@contoso.com and Unique ID 254729.]
26. Authentication flow (active profile: Outlook/ActiveSync), always external, identity federation
[Figure: customer side: client (joined to CorpNet), AD FS 2.0 Proxy, Active Directory; Microsoft Online Services side: authentication platform, Exchange Online. The client sends basic auth credentials (username/password) to Exchange Online, which logs on through the AD FS 2.0 Proxy on the client's behalf, so this path is external even for a client on CorpNet. The proxy returns the logon (SAML 1.1) token with UPN user@contoso.com and Source User ID ABC123; the authentication platform returns an auth token with UPN user@contoso.com and Unique ID 254729.]
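The token contents in slides 24 to 26 come from the issuance transform rules on the Office 365 relying party trust in AD FS 2.0. As an added example (not code from the deck), the block below sets rules of the same shape as those Convert-MsolDomainToFederated creates: the deck's "Source User ID" is the ImmutableID claim, which AD FS reads from the user's objectGUID and base64-encodes, and the UPN claim is read from userPrincipalName. It then checks, for one user, that the value AD FS will issue equals the ImmutableId stored on the cloud object, which is the match the authentication platform performs before it issues its own auth token. The account alice and the relying party display name are assumptions.

```powershell
# Added example, not from the deck. AD FS 2.0 issuance transform rules for the Office
# 365 relying party, plus a check that the Source User ID (ImmutableID) AD FS will issue
# for a user equals the ImmutableId on that user's cloud object.
# Assumed: run on the AD FS 2.0 server with the ActiveDirectory and MSOnline modules
# available, the relying party named as below, and a user 'alice' in contoso.com.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory
Import-Module MSOnline

$rpName = 'Microsoft Office 365 Identity Platform'

# Rule 1: look the authenticated Windows account up in AD and issue two claims from it:
# UPN (userPrincipalName) and ImmutableID (objectGUID, which the Active Directory
# attribute store returns base64-encoded). That ImmutableID is the "Source User ID".
# Rule 2: copy the ImmutableID into the SAML 1.1 NameID, which is what the authentication
# platform matches against the cloud user's ImmutableId.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Issue UPN and ImmutableID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/claims/UPN",
                   "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"),
          query = "samAccountName={0};userPrincipalName,objectGUID;{1}",
          param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"),
          param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Issue nameidentifier"
c:[Type == "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Value = c.Value,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"]
            = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
'@
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $transformRules

function Test-ImmutableIdMatch {
    param([Parameter(Mandatory = $true)] [string] $SamAccountName)
    # What rule 1 will issue: base64 of the raw 16-byte objectGUID.
    $adUser   = Get-ADUser -Identity $SamAccountName -Properties userPrincipalName
    $expected = [Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())
    # What the authentication platform will look for on the cloud object.
    Connect-MsolService
    $cloud = Get-MsolUser -UserPrincipalName $adUser.UserPrincipalName
    [pscustomobject]@{
        UPN              = $adUser.UserPrincipalName
        SourceUserId     = $expected
        CloudImmutableId = $cloud.ImmutableId
        Match            = ($expected -eq $cloud.ImmutableId)
    }
}

# Match = False means federated sign-in fails for this user even though AD FS issued a
# valid, signed token: the Source User ID does not resolve to any cloud object.
Test-ImmutableIdMatch -SamAccountName 'alice'
```

The check is worth running after any forest migration or object re-creation: the objectGUID changes, DirSync cannot overwrite the ImmutableId of an existing cloud object, and the symptom is a successful AD FS logon followed by a sign-in failure at the service.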
29. Shibboleth
• Open-source software package providing similar functionality to ADFS (e.g. SSO, authentication, SAML 2.0)
• Popular implementation of SAML 2.x with higher-education institutions worldwide
• Shibboleth is managed by the Shibboleth Consortium (http://www.shibboleth.net/index.html)
• Latest version is 2.3.6
• Set up a SAML 2.0 federation between Office 365 and the customer's Shibboleth IdP
• Deploy DirSync for user provisioning from AD, and deploy MSOMA + FIM for user provisioning from non-AD directories
[Figure: two Shibboleth 2.x IdPs, contoso.edu (non-AD directory) and fabrikam.edu (AD), each provisioning users to Office 365 through MSOMA + FIM; email, rich and web clients authenticate through the IdP]
30. Restricting external access to Office 365
• Block all external access to Office 365 based on the IP address of the external client
• Block all external access to Office 365 except Exchange ActiveSync; all other clients, such as Outlook, are blocked
• Block all external access to Office 365 except passive, browser-based applications such as Outlook Web Access or SharePoint Online
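As an added example (not code from the deck), the three restrictions above expressed as AD FS 2.0 issuance authorization rules on the Office 365 relying party trust. They depend on the request-context claims (x-ms-proxy, x-ms-forwarded-client-ip, x-ms-client-application, x-ms-endpoint-absolute-path) that AD FS 2.0 gained with Update Rollup 2; x-ms-forwarded-client-ip is filled from a header Exchange Online adds when it forwards an active-profile (Outlook/ActiveSync) logon, which is the "pass client IP, protocol, device name" proposal on slide 22. The corporate range 203.0.113.0/24, the relying party display name and the function name Set-Office365ClientAccessPolicy are assumptions.

```powershell
# Added example, not from the deck: AD FS 2.0 issuance authorization rules implementing
# the three "block external access" scenarios on the Office 365 relying party trust.
# Assumed: AD FS 2.0 with Update Rollup 2 or later (for the x-ms-* request-context
# claims), and 203.0.113.0/24 as the corporate egress range.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpName      = 'Microsoft Office 365 Identity Platform'
$corpIpRegex = '^203\.0\.113\.(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])$'

# Common predicate: the request came through the AD FS proxy (internal requests never
# carry x-ms-proxy) AND the forwarded client IP is not in the corporate range. A browser
# request from outside carries x-ms-proxy and no forwarded IP at all, so it is treated as
# external; an Outlook logon relayed by Exchange Online from a corporate IP is not.
$external = @'
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "CORP_IP_REGEX"])
'@.Replace('CORP_IP_REGEX', $corpIpRegex)

$deny = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");'

$scenario = @{
    # 1. Block all external access.
    BlockAllExternal = "@RuleName = `"Block external access`"`n$external $deny"

    # 2. Block all external access except Exchange ActiveSync (identified by the
    #    client-application claim Exchange Online sets for the EAS protocol).
    AllowOnlyActiveSync = "@RuleName = `"Block external except ActiveSync`"`n$external" +
        "`n && NOT exists([Type == `"http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application`", Value == `"Microsoft.Exchange.ActiveSync`"])`n$deny"

    # 3. Block all external access except passive browser clients, which are the only
    #    ones that arrive at the /adfs/ls/ endpoint.
    AllowOnlyBrowser = "@RuleName = `"Block external except browser`"`n$external" +
        "`n && NOT exists([Type == `"http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path`", Value == `"/adfs/ls/`"])`n$deny"
}

# The default permit rule must stay in the set: a deny claim always wins over a permit
# claim, so rule order does not matter, but without any permit nobody is authorized.
$permitAll = '@RuleName = "Permit all users"' + "`n" +
             '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

function Set-Office365ClientAccessPolicy {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('BlockAllExternal', 'AllowOnlyActiveSync', 'AllowOnlyBrowser')]
        [string] $Name
    )
    Set-AdfsRelyingPartyTrust -TargetName $rpName `
        -IssuanceAuthorizationRules ($scenario[$Name] + "`n`n" + $permitAll)
    # Read back what AD FS stored so the change can be reviewed before users notice it.
    (Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
}

Set-Office365ClientAccessPolicy -Name AllowOnlyActiveSync
```

Two caveats a practitioner should keep in mind: the rules only see the IP that Exchange Online forwards, so scenario 1 is really "block external access except active clients from corporate IPs", and the regex must be anchored as above, otherwise 203.0.113.5 would also match 1203.0.113.5.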
32. Multi-forest Active Directory synchronization
[Figure: on-premises identity (e.g. Domain\Alice) in several AD forests, synchronized by DirSync on FIM to Windows Azure Active Directory, with federation using ADFS]
• Multi-forest AD support is available through Microsoft-led deployments
• The multi-forest DirSync appliance supports multiple disjoint account forests
• The FIM 2010 Office 365 connector supports complex multi-forest topologies

33. Non-AD directory synchronization
[Figure: on-premises identity (e.g. Domain\Alice) in a non-AD (LDAP) directory, synchronized by the Office 365 connector on FIM to Windows Azure Active Directory, with federation using a non-ADFS STS]
• Preferred option for directory synchronization with non-AD sources
• Non-AD support with FIM is available through Microsoft-led deployments
• The FIM 2010 Office 365 connector supports complex multi-forest topologies