Identity management overview

Agenda
• Core identity scenarios
• Federation and synchronization
• Additional features

Authentication: verifying that a user, device, or service (such as an application provided on a network server) is the entity that it claims to be.
Authorization: determining which actions an authenticated entity is permitted to perform on the network.

Core identity scenarios
• Cloud Identity: a single identity in the cloud. Suitable for small organizations with no integration to on-premises directories.
• Directory & Password Synchronization*: a single identity, suitable for medium and large organizations that do not need federation.
• Federated Identity: a single federated identity and set of credentials, suitable for medium and large organizations.

* Password Synchronization may not be available at GA; the target is to update the service in 1H CY2013.

Cloud Identity
(Diagram: the user holds a cloud identity such as alice@contoso.com and authenticates directly against Windows Azure Active Directory; nothing is deployed on-premises.)
• Rich experience with Office apps
• Ease of deployment, management and support
• Lower cost, as no additional servers are required
• High availability and reliability, as all identities and services are managed in the cloud

Directory & Password Synchronization
(Diagram: an on-premises AD or non-AD (LDAP) directory holds the on-premises identity Domain\Alice; Directory Synchronization and Password Synchronization copy it to Windows Azure Active Directory as the cloud identity alice@contoso.com.)
• Rich experience with Office apps
• Directory synchronization between on-premises and online
• Identities are created and managed on-premises and synchronized to the cloud
• Single identity and credentials, but no single sign-on between on-premises and Office 365 services: the user still authenticates against Windows Azure Active Directory, using the synchronized password
• Password synchronization lets users sign in to Office 365 with their on-premises password at lower cost than federation
• Reuse the existing on-premises directory implementation
* Password Synchronization may not be available at GA; the target is to update the service in 1H CY2013.

Federated Identity
(Diagram: an on-premises AD or non-AD (LDAP) directory holds Domain\Alice; Directory Synchronization provisions the directory objects into Windows Azure Active Directory, and Federation issues the security tokens used for sign-on.)
• Single identity and single sign-on for on-premises and Office 365 services
• Identities mastered on-premises, with a single point of management
• Directory synchronization to synchronize directory objects into Office 365
• Secure token-based authentication
• Client access control based on IP address with ADFS
• Strong-factor authentication options for additional security with ADFS

Federation and synchronization options

Federation options

AD FS 2.0
• Works with AD
• Suitable for medium and large enterprises, including educational organizations
• Recommended option for Active Directory (AD) based customers
• Single sign-on; secure token-based authentication
• Support for web and rich clients
• Microsoft supported
• PhoneFactor can be used for two-factor authentication
• Works for Office 365 hybrid scenarios
• Requires on-premises servers, licenses and support

"Works with Office 365" identity partners
• Works with AD and non-AD directories
• Suitable for medium and large enterprises, including educational organizations
• Recommended where customers already use a non-ADFS identity system, with AD or non-AD directories
• Single sign-on; secure token-based authentication
• Support for web and rich clients
• Third-party supported; verified through the "Works with Office 365" program
• PhoneFactor can be used for two-factor authentication
• Works for Office 365 hybrid scenarios
• Requires on-premises servers, licenses and support

Shibboleth (SAML*)
• Works with AD and non-AD directories
• Suitable for educational organizations
• Recommended where customers already use a non-ADFS identity system
• Single sign-on; secure token-based authentication
• Support for web clients and Outlook only
• Microsoft supported for integration only; no Shibboleth deployment support
• Works for Office 365 hybrid scenarios
• Requires on-premises servers and support

"Works with Office 365" program
• Works with AD and other directories on-premises
• A program for third-party identity providers to interoperate with Office 365
• Objective: help customers that currently use non-Microsoft identity solutions to adopt Office 365
• Federation with identity partners; reuse of existing investments; verified by Microsoft

Directory synchronization options

DirSync
• Suitable for organizations using Active Directory (AD)
• Provides the best experience to most customers using AD
• Supports Exchange co-existence scenarios
• Coupled with ADFS, provides the best option for federation and synchronization
• Supports Password Synchronization at no additional cost

FIM 2010 with the Office 365 connector
• Suitable for large organizations with certain AD and non-AD scenarios
• Complex multi-forest AD scenarios
• Non-AD synchronization through Microsoft Premier deployment support
• Requires Forefront Identity Manager and additional software licenses

PowerShell & Graph API
• Suitable for small and medium organizations with AD or non-AD directories
• Does not require any additional software licenses
• Performance limitations apply to PowerShell and Graph API provisioning
• PowerShell requires scripting experience
• The PowerShell option can be used where the customer or partner has wrappers around PowerShell scripts (e.g. self-service provisioning)

Identity roadmap
• Shibboleth (SAML) support: available now
• New "Works with Office 365" partners: Ping, Optimal IDM, Okta and IBM available now; Novell, CA and Oracle in 1H CY2013
• DirSync for multi-forest AD: available now through MCS and partners
• Sync solution for non-AD directories using FIM: available now through MCS and partners
• Password Synchronization for AD: 1H CY2013
• Broader SAML support: 1H CY2013

From the field: Wildcard SSL certificates are supported with ADFS. However, the ADFS GUI fails to add additional ADFS servers to a farm when the ADFS farm name does not match the *.domain.com pattern in the wildcard certificate. When adding further ADFS servers to such a farm, use FSConfig.exe from the command line instead.

From the field: When working through the firewall considerations, ensure that the MSO datacentre IP ranges have been granted access on port 443 to the ADFS proxy server located in the DMZ; the active-profile authentication that Exchange Online performs on behalf of Outlook, ActiveSync, IMAP and POP clients originates from those ranges, not from the end user's address.
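The "PowerShell & Graph API" synchronization option above relies on scripting, typically wrapped by a self-service provisioning front end. The following is an added example, not part of the deck, of what such a wrapper does at its core: it bulk-creates licensed Office 365 users from a CSV with the Windows Azure Active Directory Module for Windows PowerShell (MSOnline), skips users that already exist so the script can be re-run safely, and throttles itself because of the service's provisioning performance limits. The CSV contents and the licence SKU name 'contoso:ENTERPRISEPACK' are constructed for the example; list the real SKUs with Get-MsolAccountSku.

```powershell
# Added example (not from the deck): bulk-provision Office 365 users from a CSV
# with the MSOnline module. Assumed/constructed: the CSV rows and the SKU name.
Import-Module MSOnline
Connect-MsolService   # prompts for a Global Administrator credential

# Constructed sample input; in practice the HR export or the self-service
# provisioning front end writes this file.
$csvPath = Join-Path $env:TEMP 'newusers.csv'
@'
UserPrincipalName,DisplayName,FirstName,LastName,UsageLocation
alice@contoso.com,Alice Smith,Alice,Smith,GB
bob@contoso.com,Bob Jones,Bob,Jones,GB
'@ | Set-Content -Path $csvPath

$sku = 'contoso:ENTERPRISEPACK'   # hypothetical; see Get-MsolAccountSku for real values
$results = @()

foreach ($row in Import-Csv -Path $csvPath) {
    # Idempotency: a re-run must not fail on users created by the previous run.
    $existing = Get-MsolUser -UserPrincipalName $row.UserPrincipalName -ErrorAction SilentlyContinue
    if ($existing) {
        $results += [pscustomobject]@{ UPN = $row.UserPrincipalName; Status = 'Exists' }
        continue
    }
    try {
        # UsageLocation must be set before a licence can be assigned.
        $user = New-MsolUser -UserPrincipalName $row.UserPrincipalName `
                             -DisplayName $row.DisplayName `
                             -FirstName $row.FirstName -LastName $row.LastName `
                             -UsageLocation $row.UsageLocation `
                             -LicenseAssignment $sku -ForceChangePassword $true
        # New-MsolUser returns the generated temporary password in the output
        # object; hand it to the user out of band and never write it to a log.
        $results += [pscustomobject]@{ UPN = $user.UserPrincipalName; Status = 'Created' }
    }
    catch {
        $results += [pscustomobject]@{ UPN = $row.UserPrincipalName; Status = "Failed: $($_.Exception.Message)" }
    }
    # Throttle: provisioning throughput is limited, so pace the calls rather
    # than hammering the service and collecting failures.
    Start-Sleep -Milliseconds 500
}

$results | Format-Table -AutoSize
```

A self-service wrapper would replace the CSV with its own request queue and the Format-Table with a status write-back, but the checks shown (existence test, UsageLocation before licence, no password in logs, pacing) are the ones that matter regardless of the front end.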
Understanding the client authentication path
(Diagram: AD FS 2.0 proxy in the DMZ and AD FS 2.0 server inside the corporate boundary; MEX and Active endpoints on both; Exchange Online in the cloud; internal and external client groups.)
• Internal web clients (OWA) and rich clients (Lync 2010, Office subscription) authenticate directly against the AD FS 2.0 server inside the corporate boundary.
• External web clients (OWA) and rich clients (Lync 2010, Office subscription) authenticate through the AD FS 2.0 proxy, which forwards the request to the AD FS 2.0 server.
• Outlook 2010/2007, IMAP/POP and ActiveSync clients, whether internal or external, send their username and password to Exchange Online (basic authentication). Exchange Online then authenticates on the client's behalf against the AD FS active endpoint via the proxy, locating it through the MEX (metadata exchange) endpoint. Because AD FS only sees Exchange Online in this path, there is a basic-auth proposal for Exchange Online to pass the client IP, protocol and device name to AD FS so that client access policy can act on them.

Client access policy scenarios (ADFS)
• Block all external access to Office 365 based on the IP address of the external client
• Block all external access to Office 365 except Exchange ActiveSync; all other clients, such as Outlook, are blocked
• Block all external access to Office 365 except passive, browser-based applications such as Outlook Web Access or SharePoint Online

From the field: Use the Client Access Policy Builder! Test ADFS client access rules extensively; by default ADFS logs every denied authorization together with the claim values the denial was based on.

From the field: If the customer does not have a valid and routable UPN suffix, one can be added via Active Directory Domains and Trusts: right-click the top of the tree, click Properties and add the UPN suffix.

DirSync server requirements
• The DirSync server must be joined to a domain within the same forest that will be synchronized
• The DirSync server should never be installed on a domain controller
• The DirSync server should be Windows Server 2008 (x64)
• By default SQL Server 2008 R2 Express is installed, with a 10 GB database limit (approx. 50,000 objects); a full SQL option is available
• Enterprise Administrator credentials are used to install DirSync; they are only required during setup
• An x64 single/multi-forest appliance is available (an Office 365 connector for FIM is also available for complex scenarios)
• x86 DirSync is now unsupported

From the field: When using the full SQL option, ensure that the EA account used for setup has the "sysadmin" server role on the SQL instance and that the DirSync service account has "public" permissions on the DirSync database.
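The three client access policy scenarios above are expressed in AD FS as issuance authorization rules on the Office 365 relying party trust. The script below is an added example, not part of the deck or of the Client Access Policy Builder, that builds the deny rule for each scenario from the request-context claims AD FS 2.0 gained in its update rollups (x-ms-proxy, x-ms-forwarded-client-ip, x-ms-client-application, x-ms-endpoint-absolute-path), backs up the existing rules, and applies the chosen scenario. The corporate egress regex '^203[.]0[.]113[.]1[0-9]$' and the function name Set-O365ClientAccessPolicy are assumptions for the example; the relying party name 'Microsoft Office 365 Identity Platform' is the one the Office 365 federation setup creates.

```powershell
# Added example (not from the deck): apply a client access policy scenario as an
# issuance authorization rule on the Office 365 relying party trust in AD FS 2.0.
# Requires an AD FS 2.0 update rollup that adds the x-ms-* request-context claims.
# Assumed: the egress IP regex and the function name.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$ns   = 'http://schemas.microsoft.com/2012/01/requestcontext/claims/'
$deny = 'http://schemas.microsoft.com/authorization/claims/deny'
$corpIpRegex = '^203[.]0[.]113[.]1[0-9]$'   # hypothetical corporate egress addresses

# Common condition: request arrived via the AD FS proxy (i.e. external) and the
# forwarded client IP is not one of the corporate egress addresses.
$external = @"
exists([Type == "${ns}x-ms-proxy"])
 && NOT exists([Type == "${ns}x-ms-forwarded-client-ip", Value =~ "$corpIpRegex"])
"@

# 1. Block all external access, purely by client IP.
$blockAllExternal = @"
$external
 => issue(Type = "$deny", Value = "true");
"@

# 2. Block all external access except Exchange ActiveSync (Outlook etc. blocked).
$allowOnlyActiveSync = @"
$external
 && NOT exists([Type == "${ns}x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
 => issue(Type = "$deny", Value = "true");
"@

# 3. Block all external access except passive browser sign-in: OWA and SharePoint
# Online use the WS-Federation passive endpoint /adfs/ls/, rich clients do not.
$allowOnlyBrowser = @"
$external
 && NOT exists([Type == "${ns}x-ms-endpoint-absolute-path", Value == "/adfs/ls/"])
 => issue(Type = "$deny", Value = "true");
"@

$scenarios = @{
    BlockAllExternal    = $blockAllExternal
    AllowOnlyActiveSync = $allowOnlyActiveSync
    AllowOnlyBrowser    = $allowOnlyBrowser
}

function Set-O365ClientAccessPolicy {
    param(
        [ValidateSet('BlockAllExternal', 'AllowOnlyActiveSync', 'AllowOnlyBrowser')]
        [string]$Scenario
    )
    $rp = Get-ADFSRelyingPartyTrust -Name 'Microsoft Office 365 Identity Platform'
    if (-not $rp) { throw 'Office 365 relying party trust not found' }

    # Keep the current rule set so the change can be rolled back quickly.
    $backup = Join-Path $env:TEMP "o365-authz-rules-$(Get-Date -Format yyyyMMddHHmmss).txt"
    $rp.IssuanceAuthorizationRules | Set-Content -Path $backup

    # Deny rule plus the default permit. A deny claim always wins in AD FS, so a
    # wrong egress regex locks every external user out: test on a pilot first.
    $rules = @"
@RuleName = "Client access policy: $Scenario"
$($scenarios[$Scenario])

@RuleName = "Permit access to all users"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@
    Set-ADFSRelyingPartyTrust -TargetName $rp.Name -IssuanceAuthorizationRules $rules
    Write-Host "Applied '$Scenario'; previous rules saved to $backup"
}

Set-O365ClientAccessPolicy -Scenario AllowOnlyActiveSync
```

When testing, trigger each client type (browser, Outlook, ActiveSync) from outside the corporate network and read the denied authorizations in the AD FS 2.0 Admin event log: the logged claim values show exactly which x-ms-* claim the rule matched or failed to match, which is the quickest way to spot a regex that does not cover the real egress address.

The "routable UPN suffix" note above describes the Domains and Trusts GUI. The next block, also an added example rather than content from the deck, does the same from PowerShell and goes one step further: it reports and rewrites users whose UPN still carries the non-routable suffix, since DirSync would otherwise upload them with a sign-in name that cannot match a verified Office 365 domain. The suffixes 'contoso.com' (verified in Office 365) and 'contoso.local' (existing forest suffix) are assumptions; the Active Directory module ships with Windows Server 2008 R2.

```powershell
# Added example (not from the deck): add a routable UPN suffix at forest level and
# fix users still carrying the non-routable one before DirSync runs.
# Assumed: 'contoso.com' is the verified Office 365 domain, 'contoso.local' the
# legacy forest suffix.
Import-Module ActiveDirectory

$routable = 'contoso.com'
$legacy   = 'contoso.local'

# 1. Add the suffix at forest level (same effect as the Domains and Trusts GUI).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $routable) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $routable }
}

# 2. Report the users DirSync would upload with a non-routable UPN.
$stale = Get-ADUser -Filter "UserPrincipalName -like '*@$legacy'" -Properties UserPrincipalName, mail
$stale | Select-Object SamAccountName, UserPrincipalName, mail | Format-Table -AutoSize

# 3. Rewrite them. Run with -WhatIf first, review the list, then drop -WhatIf.
foreach ($u in $stale) {
    $newUpn = $u.UserPrincipalName -replace "@$([regex]::Escape($legacy))$", "@$routable"
    Set-ADUser -Identity $u -UserPrincipalName $newUpn -WhatIf
}
```

Changing a UPN changes what the user types to log on to domain-joined Windows, so announce it, and compare the new UPN with the mail attribute: where the two differ, users will be confused by a sign-in name that is not their e-mail address.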
Multi-forest Active Directory
(Diagram: several on-premises AD forests, each holding on-premises identities such as Domain\Alice, feed DirSync on FIM; Federation using ADFS; Windows Azure Active Directory in the cloud.)
• Multi-forest AD support is available through Microsoft-led deployments
• The multi-forest DirSync appliance supports multiple disjoint account forests
• The FIM 2010 Office 365 connector supports complex multi-forest topologies

Non-AD directories
(Diagram: an on-premises non-AD (LDAP) directory holding Domain\Alice feeds the Office 365 connector on FIM; Federation using a non-ADFS STS; Windows Azure Active Directory in the cloud.)
• FIM is the preferred option for directory synchronization with non-AD sources
• Non-AD support with FIM is available through Microsoft-led deployments
• The FIM 2010 Office 365 connector supports complex multi-forest topologies