Surviving the Triangle - Windows in Higher Education

advertisement
Surviving the Triangle:
Shibboleth, ADFS, Office 365
An Adventure Story of
the High Seas by:
J. Greg Mackinnon
Systems Architect
Not a Ship Captain
Enterprise Technology
Services
University of Vermont
Overview:
• “Fun Parts” Edition (FUN = PAIN x TIME):
• Design an AD FS / Shibboleth / Office 365 solution for our school.
• Deploy of Active Directory Federation Services on Windows Server 2012 R2
(“ADFS 3.0”)
• Integrate AD FS with existing Shibboleth 2 IdP
• Sync on-premises Active Directory to Azure AD/Office 365 using
The Windows Azure Active Directory Sync Tool (DirSync)*
• Provision users with Office 365 services using PowerShell using
The Microsoft Azure Active Directory Module for Windows PowerShell
(formerly “Microsoft Online Services Module for Windows PowerShell”.)
• Simplify access to Office 365 using Smart Links
• Overcome presentation boredom though exciting narrative tools.
Assumptions:
• Familiarity with concepts behind:
•
•
•
•
•
Federated SSO
AD FS
Shibboleth
Office 365 / Azure AD
Claims Authentication
Act 1: The Gathering Storm
Scene 1: A Gift Horse is Presented
• Spring 2014: The Student Advantage program is announced:
Free Office software for all students at institutions with Office site
licenses for faculty and staff. Three cheers for Microsoft!
Scene 2: The Gift Becomes a Task
• Provision Office 365 Pro Plus to 14,000+ active students
• Do not provision services to faculty/staff
• Make it work with the existing UVM Web Single Sign-On system.
• Do not disclose any information other than Name, NetID, and active
student status to Microsoft. For students requesting additional
privacy protection under FERPA, do not even disclose Name.
• Do it all before students get back on campus.
• Your budget is $0.
Scene 3: Backstory Time!
[The Slides you Hate]
• University of Vermont:
• Land grant school founded by Ira Allen “a long time ago”.
• Over 1,300 faculty, perhaps 2,200 staff
• [MORE BORING NUMBERS NUMBERS] 14 thousand something students
• Enterprise Technology Services
• Central IT Services for the institution, 60+ employees, about half of all IT pros
on campus.
• Systems Architecture and Administration
• 9 System Admins
• 3 Windows guys
• We do it all, with probably the lowest support ratios of any peer institutions
Scene 3 (Continued): The Cast of Characters
Our plucky IT Hero:
The dastardly villains:
The mysterious benefactor:
The ship’s crew:
Colorful Characters:
Scene 4:
Core Technologies Debated
• BOSS: UVM web services will use a single web SSO solution. (WebAuth)
• The Boss notes the MS supports Shibboleth as an Identity Provider for Office 365:
• http://blogs.office.com/2014/03/06/announcing-support-for-saml-2-0-federation-with-office-365/
• http://technet.microsoft.com/en-us/library/jj205456
• But Boss, read the fine print… Office 365 ProPlus licensing is not supported with Shibboleth
as the primary identity provider!
• IT Hero: AD FS already is in pre-production for a SharePoint 2013 upgrade project.
Let’s do interop!
• AD FS provides the broadest client support (at present).
• AD FS lets “Microsoft be Microsoft”. (Support for WS-Federation “active authentication
scenarios” in addition to SAML 1 and 2)
• Supports Windows Authentication (allows single sign-on from the Windows desktop)
• Added benefit of the Web Application Proxy service, which can aid with NTLM remediation.
Scene 4 (continued): The Best Laid Plans…
• A service architecture is developed
• An authentication workflow is mapped
Service Architecture: Work To Do
[BACK]
Federated SSO: The Whole Ugly Truth
[FLIP]
Scene 5: A Likely Conversation
• IT Hero:
‘Hey Boss… this whole Federated SSO thing is really complicated.
Have you seen this diagram of the planned authentication workflow?’
• Boss:
‘Yeah… What’s your point? That’s what we do.’
• (But is SCALE x COMPLEXITY > SKILL ? Let’s find out!)
Act 2: The Adventure Begins
Scene 1: Our Heroes Tackle an Easy Task
(AD FS production deployment):
• For HA deployments, have a SQL
Server ready
• Install the AD FS role (2+ Servers):
• Configure the role (2+ Servers):
• Install and configure the Web Application Proxy Role
Scene 1 (continued) [FX: queue thunder clap]:
Load Balancing AD FS
• Use F5 Load Balancer in “Direct Server Return”, or “nPath Routing”
mode. [LINK]
• F5 monitor for HTTPS services on ADFS servers fails!
• ADFS 3.0 runs in HTTP.SYS: Requires SNI. OpenSSL 0.98 libraries on
F5 do not support SNI. [LINK]
• Use NETSH to add additional http.sys binding for “legacy” clients.
This will be helpful with Shibboleth interoperability as well. [LINK]
Scene 2: The Crew Conquers AD FS / Shibboleth
Interoperability, With a Little Help From Friends.
• Get the whitepaper:
http://technet.microsoft.com/en-us/library/gg317734(v=ws.10).aspx
• Back to school: A Claims Interoperability Primer… [LINK]
• Setup Claims Provider Trust in AD FS:
• Reduce token signing requirement to SHA1 (default is SHA256) [LINK]
• Must use NETSH to allow ADFS to accept non-SNI connections.
(Java SSL libraries used in our Shibboleth deployment do not support SNI.)
• Setup Relying Party Trust in Shibboleth:
• Import token signing certificate into Shibboleth
• Play with XML configuration files (Note OID of released attributes) [LINK]
Scene 2 (continued):
Beyond the Whitepaper
• ADFS now generates tokens based
on Shib tokens, but how do I get
useful AD data into the token?
• A knowledgeable old salt stops in to
explain Claims Transformation
Language. [LINK]
• The Divine Secrets of Claims
Transformation Language allows
Microsoft applications natively to
consume claims generated by
Shibboleth.
Scene 3: A Foray Under the Storm Clouds
• Setup an Office 365 Tenant [LINK]
• Select “Office 365 Education E3 for Students Trial”, and then add “E1” licenses to your Tenant.
• Plan for UPN-based authentication:
•
•
Does AD UPN match the Shibboleth ePPN?
Does the AD UPN match a domain configured in Office 365?
• Enroll for the Student Advantage Program*
•
•
•
•
Get your EES program administrator to accept $0 Purchase Order
Contact Microsoft Sales to assign Student Advantage licenses to your tenant.
Request more licenses
Request even more licenses
• Install and Configure DirSync [LINK]
• Create Office 365 sync account (*onmicrosoft.com recommended)
• Create AD sync account
•
Apply ACLs to satisfy UVM legal privacy requirements
• Configure attribute filtering
• Apply PowerShell-Foo to assign licenses to students. [LINK]
Scene 4: A Plan Comes Together
• Hero: “It all works! Hurray, time to take vacation!”
• Boss: “This user experience is unacceptable! Fix it!” [LINK]
• Create Smart Links to make it all invisible:
https://adfs.uvm.edu/adfs/ls/?wa=wsignin1.0&wtrealm=urn:federation:MicrosoftO
nline&wctx=wa%253Dwsignin1.0%2526rpsnv%253D3%2526ver%253D6.4.6456.0%2
526wp%253DMCMBI%2526wreply%253Dhttps:%25252F%25252Fportal.office.com%
BUT is this really simpler?
25252Flanding.aspx%25253Ftarget%25253D%2525252fOLS%2525252fMySoftware.a
[LINK]
spx%2526lc%253D1033%2526id%253D501392%2526%2526LoginOptions%253D3
http://go.uvm.edu/getoffice
Federated SSO: “Simplified” with Smart Links
[FLIP]
Scene 5: Students Invade Campus,
and Our Hero Takes a Vacation
• The Client Services team prepares
“Go: Get Office” materials for
residence halls and for students
picking up new computers.
• 1,256 downloads in the first month.
(First-time student count is
approximately ~2,450)
• Zero Complaints
(Or if there were, they were not
heard from the Outer Banks, NC.)
Epilogue:
Full of sound and fury, signifying nothing.
• September 15th, 2014:
Microsoft Releases “Azure Active Directory Sync Services”, obsoleting
DirSync only three weeks after UVM go-live.
• September 20th, 2014:
Microsoft ‘enhances’ the Student Advantage program with emailaddress-based opt-out self-enrollment.
• October 1st, 2014:
Rumors arise that Office 365 Pro Plus will be made available to all
Faculty and Staff for EES customers with coverage for Office software.
Epilogue:
Full of sound and fury, signifying nothing something.
Unified SSO Achieved
Cloud Ready
THE END
Follow up questions to:
mailto: gregory.mackinnon@uvm.edu
Twitter: @jgregmac
LinkedIn:
Facebook: j.greg.mackinnon
Ello: @jgreg
And more fun at: http://blog.uvm.edu/jgm
Resources:
• F5 Guide to Layer 4 nPath Routing (Direct Server Return):
• General guidance from F5:
http://support.f5.com/kb/en-us/products/bigip_ltm/manuals/product/ltm_implementations_guide_10_1/sol_npath.html
• Specific directions for configuring Loopback on Server 2008+
http://blog.uvm.edu/jgm/2010/12/02/f5-layer-4-server-2008/
• AD FS:
• Windows Server 2012 R2 AD FS Deployment Guide:
http://technet.microsoft.com/en-us/library/dn486820.aspx
• Step-by-Step Guide: Federation with Shibboleth 2 and the InCommon Federation:
http://technet.microsoft.com/en-us/library/gg317734(v=ws.10).aspx
• HTTP.SYS Binding and SNI at UVM (SharePoint Configuration Entry):
http://blog.uvm.edu/jgm/2014/03/18/sharepoint-2013-adfs-shibboleth-the-motion-picture/
• User Alternate Login IDs with ADFS and Office 365:
http://blogs.perficient.com/microsoft/2014/04/office-365-configuring-ad-fs-dirsync-with-analternate-login/
Resources (continued…):
• Claim Rule Language References:
•
•
•
•
•
•
Primer:
http://blogs.technet.com/b/askds/archive/2011/10/07/ad-fs-2-0-claims-rule-language-primer.aspx
“Understanding Claim Rule Language” [HA!]:
http://social.technet.microsoft.com/wiki/contents/articles/4792.understanding-claim-rule-language-in-ad-fs-2-0-higher.aspx
Regular Expressions in Claim Rule Language:
http://social.technet.microsoft.com/wiki/contents/articles/16161.ad-fs-2-0-using-regex-in-the-claims-rule-language.aspx
Attribute Stores and Queries: The Ugly Internals:
http://technet.microsoft.com/en-us/library/adfs2-help-attribute-stores%28WS.10%29.aspx
AD FS Claims Rule Language Deep Dive (with Win-HiEd favorite Laura Hunter!):
https://www.youtube.com/watch?v=G279c_5tHfs
UVM Transformations for Sharepoint 2013:
http://blog.uvm.edu/jgm/2014/03/18/sharepoint-2013-adfs-shibboleth-the-motion-picture/
• DirSync:
•
•
•
•
•
Download:
http://go.microsoft.com/fwlink/?LinkID=278924
Setup of Directory Sync computer:
http://technet.microsoft.com/en-us/library/dn441213.aspx
Release History (Useful for determining if you have the current release):
http://social.technet.microsoft.com/wiki/contents/articles/18429.dirsync-directory-sync-tool-version-release-history.aspx
Deploy “Directory Sync with Single Sign-On” scenario for Office 365:
http://technet.microsoft.com/en-us/library/dn441213.aspx
Handling the “Replicating Directory Changes” permission:
http://support.microsoft.com/kb/303972
Resources (continued…)
• Azure AD Module for PowerShell:
• Download: Always get the latest version!
http://go.microsoft.com/fwlink/p/?linkid=236297
• Provisioning students with O365 ProPlus using PowerShell at UVM:
http://blog.uvm.edu/jgm/2014/07/30/provisioning-students-with-office-365proplus-licenses/
• Microsoft Azure Active Directory Sync Services
(DirSync, the next generation):
• http://www.microsoft.com/en-us/download/details.aspx?id=44225
• Microsoft guide to creating Smart Links:
• http://community.office365.com/en-us/w/sso/358.using-smart-links-or-idp-initiatedauthentication-with-office-365.aspx?Sort=MostRecent&PageIndex=1
nPath Routing (Direct Server Return):
• The Load Balancer forwards the entire Layer 4 TCP
packet to the back-end server.
• Reduces load on the expensive F5
• Reduces complexity of the configuration:
• Only on SSL certificate needed.
• No complex SSL termination and reencapsulation at the load balancer.
• Kerberos-compatible.
• Each back-end server has the IP address for the
cluster assigned to a “loopback” adapter with a 28bit netmask. Each back-end “thinks” it has the
cluster IP.
• The back-end server forwards the incoming packet
from its public interface to the loopback interface.
• The back-end server replies directly to the client.
[BACK]
HTTP.SYS Binding (1 of 2)
• Modern browsers (and SSL Libraries) support the SNI, or “server_name” extension.
• Older Java runtimes (1.6), OpenSSL libraries (0.98), and IE6 do not support SNI.
[BACK]
HTTP.SYS Binding (2 of 2)
• On each ADFS server and proxy, open an elevated command prompt
• Run>
netsh http show sslcert
Hostname:port
: adfs.uvm.edu:443
Certificate Hash
: aBunchOfRandomLookingNumbers
Application ID
: {yet-another-ugly-product-guid}
Certificate Store Name
: MY
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
…
• Record the certificate hash and application ID for the certificate used by
ADFS
• Run>
netsh http add sslcert ipport=0.0.0.0:443
certhash=aBunchOfRandomLookingNumbers appid={yet-anotherugly-product-guid}
[BACK]
A Claims Interoperability Primer:
• Guidance available from Microsoft!
• Claims Authentication:
• An Internet-friendly, token-based authentication system.
• SAML 1, SAML 2, and WS-Federation
• Security Token Service (STS):
• A service that generates claims tokens. (ADFS, Shibboleth)
• In Shibboleth terms, an Identity Provider (IdP)
• Claim (ADFS) = Attribute (Shib2) = Assertion (Shib1)
• Relying Party (RP) = Service Provider (SP)
• Claim Provider Trust:
• A back-end source of user data (AD, LDAP, SQL, or other SAML provider)
• AD FS 2 and Shibboleth 2 are both SAML 2 token providers
• Different Claim Description formats hamper interoperability. [BACK]
AD FS Claims Provider Trust Configuration
• You may need to set the ‘secure hash
algorithm’ to “SHA-1”:
• Transform Shibboleth/InCommon
“attributes” into “claims” that more
easily can be used by Microsoft
applications:
[BACK]
Shibboleth Relying Party Trust Configuration
Relying Parties to the IdP are defined in a file (i.e. relying-party.xml):
With AD FS 2+, you will need to import your ADFS token signing certificate into the IdP config:
Get the token signing cert from the AD FS console:
• View the certificate
• Export in Base64 (PEM) format
Shibboleth RP Configuration (continued)
Attribute release rules are controlled in an “Attribute Filters” file (i.e. attribute-filters.xml).
Attributes to be released generally are grouped into policies. (i.e. uvm-common)
Displayed attributeID values are friendly names for the attributes, as defined in a resolver file (attribute-resolver.xml):
Note both old (and sane) SAML1 names, and new (incomprehensible) SAML2 names. [BACK]
Divine Secrets of the
Claims Transformation Language (1 of 3)
• Hard task: Convert Shib attribute “ePPN” to ADFS “UPN”
c:[Type == "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"]
=> issue(Type =
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/
upn", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
Value = c.Value, ValueType = c.ValueType);
Divine Secrets of the
Claims Transformation Language (2 of 3)
• Difficult task:
Convert ePPN domain suffix to match the AD UPN suffix:
c:[Type == "urn:oid:1.3.6.1.4.1.5923.1.1.1.6”, Value =~
"@uvm\.edu$”]
=> issue(Type =
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
Value = regexreplace(c.Value, "^(?<user>[^@]+)@(.+)$",
"${user}@campus.ad.uvm.edu"), ValueType = c.ValueType);
Divine Secrets of the
Claims Transformation Language (3 of 3)
• Seemingly Impossible Task:
Augment incoming Shib claims with user attributes from AD:
(Used for an on-premise SharePoint project)
c:[Type == "urn:oid:1.3.6.1.4.1.5923.1.1.1.6”, Value =~ "@uvm\.edu$”]
issue(store = "Active Directory", types =
("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"),
query = “samAccountName{0};tokenGroups;CAMPUS\foo", param =
regexreplace(c.Value, "^(?<user>.+)@campus.ad.uvm.edu$", "${user}"));
[BACK]
Setup a new Office 365 Tenant
• http://office.microsoft.com/en-us/academic/compare-office-365education-plans-FX103045755.aspx
• Domain considerations:
• Does O365 Domain must match the user’s ePPN/UPN suffix?
(I.e. Will the UPN someone@domain.com be used to login to the O365 domain
“domain.com”?)
• If no, plan on:
• Transforming the UPN suffix in the relying party trust with Office 365 (maybe?) -or• Changing the UPN suffix for your AD users -or• Using the supported Alternate Login ID method (see references)
• Configure the domain for SSO using PowerShell:
• Set-MsolAdfscontext -Computer <AD FS primary server>
• Convert-MsolDomainToFederated –DomainName <domain>
[BACK]
Configuring DirSync for Filtered Replication:
• Dedicate a Windows Server OS:
• Must use SQL Server Standard/Enterprise if >50,000 objects will be synchronized.
• Installer will create an “MSOL_*” user account in your forest root domain:
• Documentation claims the name will be “AAD_*”.
• Assumption: MSOL account will not be able to read FERPA-protected data,
because it is not in a group that can read this info.
• Fact: The MSOL account syncs FERPA data anyway. WHY??!?!
• MSOL is a powerful account with “Replicating Directory Changes” rights:
http://support.microsoft.com/kb/303972
This right will need to be removed if you need to filter user
attributes (regulatory compliance/privacy concerns).
OR, just create a new service account for DirSync (supported by
Microsoft?)
Configuring DirSync for Filtered Replication
(continued):
• DirSync is FIM-based. Same user interface as seen in FIM and the
SharePoint User Profile Synchronization Tool.
• Launch from:
C:\Program Files\Windows Azure Active Directory
Sync\SYNCBUS\Synchronization Service\UIShell\miisclient.exe
• FIM has a lot of filtering options, but for DirSync, support is limited to
filtering out whole domains, whole OUs, or to filtering entire accounts
based on a limited set of pre-defined attributes.
(e.g. extensionAttribute1)
Configuring DirSync for Filtered Replication
(continued):
• Remove any explicit allow ACE that will allow non-privileged accounts
from reading FERPA-protected attributes. (Already Done!)
• Grant access to required rights using inherited ACLs
• Apply an inherited deny ACE that will block access non-exportable
user data.
Source: http://www.ntfs.com/ntfs-permissions-acl-use.htm
Configuring DirSync for Filtered Replication
(continued):
• DirSync will read
extensionAttribute1-15
values into the “metaverse”
• Populate
extensionAttribute1 with
affiliation type data
• Configure the agent to send
only users with
extensionAttribute1 =
Student
[BACK]
Provisioning Office 365 Users Using
PowerShell
• Requires “Microsoft Azure Active Directory Module for Windows
PowerShell” (make sure you have the latest build!)
• Azure-only accounts have password expiration:
Set a reminder to prevent provisioning failures.
• >Connect-MsolServices
• >Get-MsolUser -UnlicensedUsersOnly -Synchronized -All
• >Set-MsolUser -UsageLocation 'US'
• >Set-MsolUserLicense -AddLicenses
[tenant]:OFFICESUBSCRIPTION_STUDENT
• See the blog entry for more details.
PowerShell Send-MailMessage
Provisioning report for Office 365/Azure AD for: 10/13/2014 10:15:01 PM
Office 365 ProPlus for Student - license report:
Total licenses: 18000
Consumed licenses: 15959
Remaining licenses: 2041
Retrieved active students from Active Directory.
Active student count: 15335
Retrieved unlicensed MSOL users.
Unlicensed user count: 4
Provisioning successfully completed at: 10/13/2014 10:15:22 PM
Provisioned 0 accounts.
Elapsed Time (hh:mm:ss): 0:0:21
[BACK]
Frank Oobarthsen’s Sign-In Experience, Take 1:
GOAL: Get to the login page, login successfully on the first try.
[BACK]
Frank Oobarthsen’s Sign-In Experience, Take 2:
Enables Frank to login successfully on the
first try.
[BACK]
Download