The document discusses identity management in the cloud using ADFS 2.0, Azure, and Office 365. It introduces federation and single sign-on capabilities that allow users to access both on-premises and cloud-based applications using one set of credentials. Multifactor authentication is also covered as an option for increasing security. Specific configurations are presented, including typical server requirements and costs for a small company to implement a cloud-ready identity management solution.
Identity in the cloud using Microsoft
1. 12 October, 2011 Identity in the cloud: ADFS 2.0, Azure, Office 365, Multifactor authentication
2. Introduction; ADFS 2.0: What is Federation?; Single-sign-on: Extending the model to the cloud; Multifactor Authentication; How to make my company cloud-ready?
3. Identity
4. Why Cloud? Why do companies want to move to the cloud? What can they move to the cloud? Where do they move it to? Do they want everything in one location?
5. Cloud Pains. What makes moving to the cloud difficult? Identity: difficult for the end-user (confusing and time consuming); extra management for IT (password resets, etc.); new employees -> many accounts in many systems; leaving employees -> blocking many accounts, or else a security breach. Migration: hard to migrate everything at once (timeframe, downtime). Convince management: maybe they don't like it when their data is stored elsewhere.
6. Cloud Pains
7. Solution to cloud pains?
8. Solution to cloud pains? One identity (Active Directory): used for internal apps; used for external apps from partners; used for external cloud services. How? You'll learn in this session. ADFS & SSO is the key!
9. Not only Microsoft. Imagine 2016... (diagram: My Users connected to Office365, Accounting, Financial Info, Social Secretary, Bank application, Combell, Salesforce.com)
10. Introduction; ADFS 2.0: What is Federation?; Single-sign-on: Extending the model to the cloud; Multifactor Authentication; How to make my company cloud-ready?
11. ADFS 2.0: What is Federation? Before Federation (diagram: User Company and Application Company, the application company keeping its own ID STORE)
12. ADFS 2.0: What is Federation? With Federation (diagram: ADFS1 in the User Company and ADFS2 in the Application Company joined by a FEDERATION TRUST; each side TRUSTs its own ADFS; AUTHENTICATION happens against the User Company's ID STORE)
13. ADFS 2.0: What is Federation? What are claims? Statements about users (name, id, group, ...), used for authorization by claims-aware applications. How are they used? Claims are encrypted in SAML tokens and passed on; tokens are signed by a trusted source; applications make decisions based on the claims:
    if jobtitle == "buyer" and department == "production" then access = true
Claims can be transformed on their way:
    if jobtitle == "purchaser" then output_token:jobtitle = "buyer"
    if jobtitle == "buyer" and department == "production" then output_token:spendlimit = "50€"
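The claims pipeline of slide 13 as an added example (constructed here, not code from the presentation or from ADFS): one federation server issues a signed token, the partner server verifies the signature before trusting anything in it, applies the two transformation rules, and the application makes the access decision on the transformed claims. An HMAC over a JSON body stands in for the signature on a SAML token, and the shared key is an assumption.

```python
"""Toy model of the slide-13 claims flow (constructed example, not ADFS code).
ADFS1 issues a signed token, ADFS2 verifies it and applies the transformation
rules, and the application authorizes on the result. HMAC stands in for the
XML signature of a real SAML token; the shared key is an assumption."""
import hashlib
import hmac
import json

SHARED_KEY = b"constructed-demo-key"  # assumption: stands in for the federation trust


def issue_token(claims: dict, key: bytes) -> dict:
    """Sign the claims so the receiving party can check they come from a trusted source."""
    body = json.dumps(claims, sort_keys=True).encode()
    return {"claims": body, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_token(token: dict, key: bytes) -> dict:
    """Refuse tokens whose signature does not match; return the claims otherwise."""
    expected = hmac.new(key, token["claims"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        raise ValueError("token signature invalid: untrusted issuer or tampered claims")
    return json.loads(token["claims"])


def transform(claims: dict) -> dict:
    """Slide-13 rules: purchaser becomes buyer; buyers in production get a spend limit."""
    out = dict(claims)
    if out.get("jobtitle") == "purchaser":
        out["jobtitle"] = "buyer"
    if out.get("jobtitle") == "buyer" and out.get("department") == "production":
        out["spendlimit"] = "50€"
    return out


def authorize(claims: dict) -> bool:
    """Application rule from slide 13: buyers in the production department get access."""
    return claims.get("jobtitle") == "buyer" and claims.get("department") == "production"


def federated_access(ad_attributes: dict, key: bytes = SHARED_KEY) -> tuple[bool, dict]:
    """ADFS1 issues, ADFS2 verifies and transforms, the application decides."""
    token = issue_token(ad_attributes, key)
    transformed = transform(verify_token(token, key))
    return authorize(transformed), transformed
```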
14. ADFS 2.0: What is Federation? Using Claims (diagram: AD attributes Job Title, Department, ...; AUTHENTICATION against the ID STORE; ADFS1 issues a SAML token with Jobtitle = "Purchaser"; ADFS2 issues a SAML token with Jobtitle = "Buyer"; application rule: If Jobtitle = "Buyer" then Access = True)
15. Introduction; ADFS 2.0: What is Federation?; Single-sign-on: Extending the model to the cloud; Multifactor Authentication; How to make my company cloud-ready?
16. Single-sign-on: How does it work? On-premise (diagram: user logs on with Ctrl-Alt-Del; the DOMAIN CONTROLLER performs AUTHENTICATION; the DOMAIN JOINED IIS SERVER asks IS USER AUTHENTICATED?)
17. Single-sign-on: Extending the model to the Cloud. Windows Azure Connect (diagram: the Windows Azure Connect Agent links the on-premise DOMAIN CONTROLLER to a DOMAIN JOINED IIS SERVER running in Windows Azure; Ctrl-Alt-Del logon; AUTHENTICATION; IS USER AUTHENTICATED?)
18. Single-sign-on: Extending the model to the Cloud. Azure with Federation: Access Control Service (diagram: the User Company's ACTIVE DIRECTORY and ADFS; FEDERATION TRUST between ADFS and ACS; the IIS SERVER trusts ACS; AUTHENTICATION against ACTIVE DIRECTORY)
19. Single-sign-on: Extending the model to the Cloud. Office 365 default login (diagram: MSOLID, MSODS)
20. Single-sign-on: Extending the model to the Cloud. Office 365 with Federation: MS Federation Gateway (diagram: the User Company's ACTIVE DIRECTORY and ADFS; FEDERATION TRUST between ADFS and the MFG; MSOLID and MSODS trust the MFG; AUTHENTICATION against ACTIVE DIRECTORY)
21. Single-sign-on: Extending the model to the Cloud. Office 365 Directory Synchronization (diagram: the ACTIVE DIRECTORY SYNCHRONIZATION SERVER copies Name, Email, ObjectGUID, ... from ACTIVE DIRECTORY to the MS ONLINE DIRECTORY SERVICE (MSODS) and MS ONLINE ID (MSOLID))
22. Single-sign-on: Extending the model to the Cloud. Office 365 with Federation Proxy (diagram: users @HOME reach the ADFS PROXY, which forwards to ADFS; ADFS trusts ACTIVE DIRECTORY; FEDERATION TRUST between ADFS and the MFG)
23. Introduction; ADFS 2.0: What is Federation?; Single-sign-on: Extending the model to the cloud; Multifactor Authentication; How to make my company cloud-ready?
24. Multifactor Authentication: What is it? Different kinds of evidence that someone is who they say they are. Something one knows: a secret (password, PIN, ...). Something one has: a passport, physical token, ID card, ... Something one is: a biometric (fingerprint, iris scan, face geometry, ...).
25. Multifactor Authentication in the Cloud. Two options available: (1) Integrate the ADFS 2.0 Proxy login page with your strong authentication provider. In this option you can customize the AD FS 2.0 proxy login ASPX page and introduce extra fields for the users to enter extra factors for authentication. (2) Use the Forefront Unified Access Gateway (UAG) SP1 server. This gateway supports a wide range of two-factor authentication providers, as well as direct access to an expanded set of scenarios involving two-factor authentication.
26. Multifactor Authentication in the Cloud: ADFS 2.0 Proxy login page
27. Multifactor Authentication in the Cloud: Unified Access Gateway (UAG) SP1 server. Forefront UAG intercepts the redirection to the Account Federation server and instead redirects the web browser to the Forefront UAG login page (diagram: UAG, ADFS PROXY, ADFS).
28. Introduction; ADFS 2.0: What is Federation?; Single-sign-on: Extending the model to the cloud; Multifactor Authentication; How to make my company cloud-ready?
29. Cloud-ready company: Server Requirements. ADFS 2.0 Server(s): can be installed on existing domain controllers (if 2008/2008R2); can be a farm for redundancy (NLB host needed); optionally, a SQL Cluster can be used to store the database. ADFS 2.0 Proxy Server(s): can be installed on existing web/proxy servers (if 2008/2008R2); can be a farm for redundancy (NLB needed). Office 365: Directory Synchronization Server(s): must be a 32-bit server (no 2008R2!), can be 2003/2008; cannot be installed on a domain controller, but needs the same level of security!
30. Cloud-ready company: Typical setup for a small Company. One ADFS 2.0 Server: installed on a domain controller or a dedicated server; uses WID (Windows Integrated Database). One ADFS 2.0 Proxy: installed on an existing web/proxy server or a dedicated server. Office 365: Directory Synchronization Server(s): installed on a dedicated 2008 32-bit server.
31. Cloud-ready company: Typical cost for a small Company. 1 to 3 extra Windows licenses; recommended: a certificate from a public CA for ADFS and the ADFS Proxy; 2 to 3 days of sysadmin work; 1 day of PM work; 1 day of testing.
32. Benefits. Less management for IT: fewer calls to the helpdesk for identity-related problems; fewer user accounts to manage; easier to manage new employees (only one account to create). More transparent and easier for the end-user: has to remember one username and one password; has to log on only once with SSO (inside the company) -> time saving. More security: leaving employees are blocked on all applications at once; identity is managed by the company's own IT department; multifactor authentication for more security outside the company.
33. Q&A
34. Identity in the cloud: ADFS 2.0, Azure, Office 365, Multifactor authentication. 12 October, 2011