Surviving the Triangle: Shibboleth, ADFS, Office 365
An Adventure Story of the High Seas

by: J. Greg Mackinnon
Systems Architect (Not a Ship Captain)
Enterprise Technology Services, University of Vermont

Overview: "Fun Parts" Edition (FUN = PAIN x TIME)
• Design an AD FS / Shibboleth / Office 365 solution for our school.
• Deploy Active Directory Federation Services on Windows Server 2012 R2 ("ADFS 3.0").
• Integrate AD FS with the existing Shibboleth 2 IdP.
• Sync on-premises Active Directory to Azure AD/Office 365 using the Windows Azure Active Directory Sync Tool (DirSync).*
• Provision users with Office 365 services using PowerShell and the Microsoft Azure Active Directory Module for Windows PowerShell (formerly "Microsoft Online Services Module for Windows PowerShell").
• Simplify access to Office 365 using Smart Links.
• Overcome presentation boredom through exciting narrative tools.

Assumptions: familiarity with the concepts behind:
• Federated SSO
• AD FS
• Shibboleth
• Office 365 / Azure AD
• Claims Authentication

Act 1: The Gathering Storm

Scene 1: A Gift Horse is Presented
• Spring 2014: The Student Advantage program is announced: free Office software for all students at institutions with Office site licenses for faculty and staff. Three cheers for Microsoft!

Scene 2: The Gift Becomes a Task
• Provision Office 365 ProPlus to 14,000+ active students.
• Do not provision services to faculty/staff.
• Make it work with the existing UVM Web Single Sign-On system.
• Do not disclose any information other than Name, NetID, and active student status to Microsoft. For students requesting additional privacy protection under FERPA, do not even disclose Name.
• Do it all before students get back on campus.
• Your budget is $0.

Scene 3: Backstory Time! [The Slides You Hate]
• University of Vermont:
  • Land grant school founded by Ira Allen "a long time ago".
  • Over 1,300 faculty, perhaps 2,200 staff.
  • [MORE BORING NUMBERS] 14-thousand-something students.
• Enterprise Technology Services:
  • Central IT services for the institution: 60+ employees, about half of all IT pros on campus.
• Systems Architecture and Administration:
  • 9 system admins, 3 of them Windows guys.
  • We do it all, with probably the lowest support ratios of any peer institution.

Scene 3 (continued): The Cast of Characters
[Images: Our plucky IT Hero; The dastardly villains; The mysterious benefactor; The ship's crew; Colorful Characters]

Scene 4: Core Technologies Debated
• BOSS: UVM web services will use a single web SSO solution (WebAuth).
• The Boss notes that Microsoft supports Shibboleth as an Identity Provider for Office 365:
  • http://blogs.office.com/2014/03/06/announcing-support-for-saml-2-0-federation-with-office-365/
  • http://technet.microsoft.com/en-us/library/jj205456
• But Boss, read the fine print… Office 365 ProPlus licensing is not supported with Shibboleth as the primary identity provider!
• IT Hero: AD FS is already in pre-production for a SharePoint 2013 upgrade project. Let's do interop!
  • AD FS provides the broadest client support (at present).
  • AD FS lets "Microsoft be Microsoft": support for WS-Federation "active authentication scenarios" in addition to SAML 1 and 2.
  • Supports Windows Authentication (allows single sign-on from the Windows desktop).
  • Added benefit of the Web Application Proxy service, which can aid with NTLM remediation.

Scene 4 (continued): The Best Laid Plans…
• A service architecture is developed.
• An authentication workflow is mapped.

Service Architecture: Work To Do [diagram] [BACK]

Federated SSO: The Whole Ugly Truth [diagram] [FLIP]

Scene 5: A Likely Conversation
• IT Hero: "Hey Boss… this whole Federated SSO thing is really complicated. Have you seen this diagram of the planned authentication workflow?"
• Boss: "Yeah… What's your point? That's what we do."
• (But is SCALE x COMPLEXITY > SKILL? Let's find out!)
Act 2: The Adventure Begins

Scene 1: Our Heroes Tackle an Easy Task (AD FS production deployment)
• For HA deployments, have a SQL Server ready.
• Install the AD FS role (2+ servers).
• Configure the role (2+ servers).
• Install and configure the Web Application Proxy role.

Scene 1 (continued) [FX: cue thunder clap]: Load Balancing AD FS
• Use the F5 load balancer in "Direct Server Return", or "nPath Routing", mode. [LINK]
• The F5 monitor for HTTPS services on the ADFS servers fails!
  • ADFS 3.0 runs in HTTP.SYS and requires SNI. The OpenSSL 0.9.8 libraries on the F5 do not support SNI. [LINK]
• Use NETSH to add an additional http.sys binding for "legacy" clients. This will be helpful with Shibboleth interoperability as well. [LINK]

Scene 2: The Crew Conquers AD FS / Shibboleth Interoperability, With a Little Help From Friends
• Get the whitepaper: http://technet.microsoft.com/en-us/library/gg317734(v=ws.10).aspx
• Back to school: A Claims Interoperability Primer… [LINK]
• Set up the Claims Provider Trust in AD FS:
  • Reduce the token signing requirement to SHA-1 (the default is SHA-256). [LINK]
  • Must use NETSH to allow ADFS to accept non-SNI connections. (The Java SSL libraries used in our Shibboleth deployment do not support SNI.)
• Set up the Relying Party Trust in Shibboleth:
  • Import the AD FS token signing certificate into Shibboleth.
  • Play with the XML configuration files. (Note the OIDs of the released attributes.) [LINK]

Scene 2 (continued): Beyond the Whitepaper
• ADFS now generates tokens based on Shib tokens, but how do I get useful AD data into the token?
• A knowledgeable old salt stops in to explain the Claims Transformation Language. [LINK]
• The Divine Secrets of the Claims Transformation Language allow Microsoft applications to natively consume claims generated by Shibboleth.

Scene 3: A Foray Under the Storm Clouds
• Set up an Office 365 tenant. [LINK]
  • Select "Office 365 Education E3 for Students Trial", and then add "E1" licenses to your tenant.
• Plan for UPN-based authentication:
  • Does the AD UPN match the Shibboleth ePPN?
  • Does the AD UPN match a domain configured in Office 365?
• Enroll for the Student Advantage Program:*
  • Get your EES program administrator to accept a $0 purchase order.
  • Contact Microsoft Sales to assign Student Advantage licenses to your tenant.
  • Request more licenses.
  • Request even more licenses.
• Install and configure DirSync: [LINK]
  • Create the Office 365 sync account (an *.onmicrosoft.com account is recommended).
  • Create the AD sync account.
  • Apply ACLs to satisfy UVM legal privacy requirements.
  • Configure attribute filtering.
• Apply PowerShell-Foo to assign licenses to students. [LINK]

Scene 4: A Plan Comes Together
• Hero: "It all works! Hurray, time to take vacation!"
• Boss: "This user experience is unacceptable! Fix it!" [LINK]
• Create Smart Links to make it all invisible: [LINK]
  https://adfs.uvm.edu/adfs/ls/?wa=wsignin1.0&wtrealm=urn:federation:MicrosoftOnline&wctx=wa%253Dwsignin1.0%2526rpsnv%253D3%2526ver%253D6.4.6456.0%2526wp%253DMCMBI%2526wreply%253Dhttps:%25252F%25252Fportal.office.com%25252Flanding.aspx%25253Ftarget%25253D%2525252fOLS%2525252fMySoftware.aspx%2526lc%253D1033%2526id%253D501392%2526%2526LoginOptions%253D3
• BUT is this really simpler? What the students actually get: http://go.uvm.edu/getoffice

Federated SSO: "Simplified" with Smart Links [diagram] [FLIP]

Scene 5: Students Invade Campus, and Our Hero Takes a Vacation
• The Client Services team prepares "Go: Get Office" materials for residence halls and for students picking up new computers.
• 1,256 downloads in the first month. (First-time student count is approximately 2,450.)
• Zero complaints. (Or if there were, they were not heard from the Outer Banks, NC.)

Epilogue: Full of sound and fury, signifying nothing.
• September 15th, 2014: Microsoft releases "Azure Active Directory Sync Services", obsoleting DirSync only three weeks after UVM go-live.
• September 20th, 2014: Microsoft "enhances" the Student Advantage program with email-address-based opt-out self-enrollment.
• October 1st, 2014: Rumors arise that Office 365 ProPlus will be made available to all faculty and staff for EES customers with coverage for Office software.

Epilogue: Full of sound and fury, signifying something after all.
• Unified SSO achieved.
• Cloud ready.

THE END

Follow-up questions to:
• mailto: gregory.mackinnon@uvm.edu
• Twitter: @jgregmac
• LinkedIn / Facebook: j.greg.mackinnon
• Ello: @jgreg
• And more fun at: http://blog.uvm.edu/jgm

Resources:
• F5 Guide to Layer 4 nPath Routing (Direct Server Return):
  • General guidance from F5: http://support.f5.com/kb/en-us/products/bigip_ltm/manuals/product/ltm_implementations_guide_10_1/sol_npath.html
  • Specific directions for configuring loopback on Server 2008+: http://blog.uvm.edu/jgm/2010/12/02/f5-layer-4-server-2008/
• AD FS:
  • Windows Server 2012 R2 AD FS Deployment Guide: http://technet.microsoft.com/en-us/library/dn486820.aspx
  • Step-by-Step Guide: Federation with Shibboleth 2 and the InCommon Federation: http://technet.microsoft.com/en-us/library/gg317734(v=ws.10).aspx
  • HTTP.SYS Binding and SNI at UVM (SharePoint configuration entry): http://blog.uvm.edu/jgm/2014/03/18/sharepoint-2013-adfs-shibboleth-the-motion-picture/
  • Use Alternate Login IDs with ADFS and Office 365: http://blogs.perficient.com/microsoft/2014/04/office-365-configuring-ad-fs-dirsync-with-an-alternate-login/

Resources (continued…):
• Claim Rule Language references:
  • Primer: http://blogs.technet.com/b/askds/archive/2011/10/07/ad-fs-2-0-claims-rule-language-primer.aspx
  • "Understanding Claim Rule Language" [HA!]: http://social.technet.microsoft.com/wiki/contents/articles/4792.understanding-claim-rule-language-in-ad-fs-2-0-higher.aspx
  • Regular expressions in Claim Rule Language: http://social.technet.microsoft.com/wiki/contents/articles/16161.ad-fs-2-0-using-regex-in-the-claims-rule-language.aspx
  • Attribute Stores and Queries: The Ugly Internals: http://technet.microsoft.com/en-us/library/adfs2-help-attribute-stores%28WS.10%29.aspx
  • AD FS Claims Rule Language Deep Dive (with Win-HiEd favorite Laura Hunter!): https://www.youtube.com/watch?v=G279c_5tHfs
  • UVM transformations for SharePoint 2013: http://blog.uvm.edu/jgm/2014/03/18/sharepoint-2013-adfs-shibboleth-the-motion-picture/
• DirSync:
  • Download: http://go.microsoft.com/fwlink/?LinkID=278924
  • Setup of the Directory Sync computer: http://technet.microsoft.com/en-us/library/dn441213.aspx
  • Release history (useful for determining whether you have the current release): http://social.technet.microsoft.com/wiki/contents/articles/18429.dirsync-directory-sync-tool-version-release-history.aspx
  • Deploy the "Directory Sync with Single Sign-On" scenario for Office 365: http://technet.microsoft.com/en-us/library/dn441213.aspx
  • Handling the "Replicating Directory Changes" permission: http://support.microsoft.com/kb/303972

Resources (continued…):
• Azure AD Module for PowerShell:
  • Download (always get the latest version!): http://go.microsoft.com/fwlink/p/?linkid=236297
  • Provisioning students with O365 ProPlus using PowerShell at UVM: http://blog.uvm.edu/jgm/2014/07/30/provisioning-students-with-office-365-proplus-licenses/
• Microsoft Azure Active Directory Sync Services (DirSync, the next generation):
  • http://www.microsoft.com/en-us/download/details.aspx?id=44225
• Microsoft guide to creating Smart Links:
  • http://community.office365.com/en-us/w/sso/358.using-smart-links-or-idp-initiated-authentication-with-office-365.aspx?Sort=MostRecent&PageIndex=1

nPath Routing (Direct Server Return):
• The load balancer forwards the entire Layer 4 TCP packet to the back-end server.
• Reduces load on the expensive F5.
• Reduces complexity of the configuration:
  • Only one SSL certificate needed.
  • No complex SSL termination and re-encapsulation at the load balancer.
  • Kerberos-compatible.
• Each back-end server has the cluster IP address assigned to a "loopback" adapter with a 28-bit netmask. Each back-end "thinks" it has the cluster IP.
• The back-end server forwards the incoming packet from its public interface to the loopback interface.
• The back-end server replies directly to the client.
[BACK]

HTTP.SYS Binding (1 of 2)
• Modern browsers (and SSL libraries) support SNI, the TLS "server_name" extension.
• Older Java runtimes (1.6), OpenSSL libraries (0.9.8), and IE6 do not support SNI.
[BACK]

HTTP.SYS Binding (2 of 2)
• On each ADFS server and proxy, open an elevated command prompt.
• Run:
  netsh http show sslcert
    Hostname:port                                          : adfs.uvm.edu:443
    Certificate Hash                                       : aBunchOfRandomLookingNumbers
    Application ID                                         : {yet-another-ugly-product-guid}
    Certificate Store Name                                 : MY
    Verify Client Certificate Revocation                   : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    …
• Record the certificate hash and application ID for the certificate used by ADFS.
• Run:
  netsh http add sslcert ipport=0.0.0.0:443 certhash=aBunchOfRandomLookingNumbers appid={yet-another-ugly-product-guid}
[BACK]

A Claims Interoperability Primer:
• Guidance available from Microsoft!
• Claims Authentication:
  • An Internet-friendly, token-based authentication system.
  • SAML 1, SAML 2, and WS-Federation.
• Security Token Service (STS):
  • A service that generates claims tokens (ADFS, Shibboleth).
  • In Shibboleth terms, an Identity Provider (IdP).
• Claim (ADFS) = Attribute (Shib 2) = Assertion (Shib 1)
• Relying Party (RP) = Service Provider (SP)
• Claims Provider Trust:
  • A back-end source of user data (AD, LDAP, SQL, or another SAML provider).
• AD FS 2 and Shibboleth 2 are both SAML 2 token providers.
• Different claim description formats hamper interoperability.
[BACK]

AD FS Claims Provider Trust Configuration
• You may need to set the "secure hash algorithm" to "SHA-1": [screenshot]
• Transform Shibboleth/InCommon "attributes" into "claims" that can more easily be used by Microsoft applications: [screenshot]
[BACK]

Shibboleth Relying Party Trust Configuration
• Relying parties to the IdP are defined in a file (i.e. relying-party.xml). [screenshot]
• With AD FS 2+, you will need to import your ADFS token signing certificate into the IdP config.
• Get the token signing cert from the AD FS console:
  • View the certificate.
  • Export in Base64 (PEM) format.

Shibboleth RP Configuration (continued)
• Attribute release rules are controlled in an "attribute filter" file (i.e. attribute-filter.xml).
• Attributes to be released generally are grouped into policies (e.g. uvm-common).
• The displayed attributeID values are friendly names for the attributes, as defined in a resolver file (attribute-resolver.xml). [screenshot]
• Note both the old (and sane) SAML 1 names and the new (incomprehensible) SAML 2 names.
[BACK]

Divine Secrets of the Claims Transformation Language (1 of 3)
• Hard task: Convert the Shib attribute "ePPN" to the ADFS "UPN":
  c:[Type == "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"]
   => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
            Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
            Value = c.Value, ValueType = c.ValueType);

Divine Secrets of the Claims Transformation Language (2 of 3)
• Difficult task: Convert the ePPN domain suffix to match the AD UPN suffix:
  c:[Type == "urn:oid:1.3.6.1.4.1.5923.1.1.1.6", Value =~ "@uvm\.edu$"]
   => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
            Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
            Value = regexreplace(c.Value, "^(?<user>[^@]+)@(.+)$", "${user}@campus.ad.uvm.edu"),
            ValueType = c.ValueType);

Divine Secrets of the Claims Transformation Language (3 of 3)
• Seemingly impossible task: Augment incoming Shib claims with user attributes from AD (used for an on-premises SharePoint project). The local part of the ePPN becomes the {0} in the LDAP filter, and the user's tokenGroups come back as role claims:
  c:[Type == "urn:oid:1.3.6.1.4.1.5923.1.1.1.6", Value =~ "@uvm\.edu$"]
   => issue(store = "Active Directory",
            types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"),
            query = "samAccountName={0};tokenGroups;CAMPUS\foo",
            param = regexreplace(c.Value, "^(?<user>[^@]+)@.+$", "${user}"));
[BACK]

Setup a New Office 365 Tenant
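The AD FS side of Scene 2 as one script, added here as an example and not code from the deck: it copies the SNI binding to an IP binding so non-SNI clients can connect (the NETSH step), applies the SHA-1 signature setting and the ePPN-to-UPN acceptance rule to the Shibboleth claims provider trust (the "AD FS Claims Provider Trust Configuration" and "Divine Secrets" slides), and exports the token-signing certificate in Base64/PEM form for relying-party.xml. The trust display name 'UVM Shibboleth IdP' and the export path are assumptions; adfs.uvm.edu, the ePPN OID, and the UPN suffix are taken from the deck. Run it elevated on the primary AD FS server (the binding step also belongs on each Web Application Proxy).

```powershell
# Added example (not from the deck): post-deployment AD FS configuration for Shibboleth interop.
# ASSUMED (not on the page): the claims provider trust display name and the PEM export path.
Import-Module ADFS

$AdfsHost  = 'adfs.uvm.edu'                    # from the deck
$TrustName = 'UVM Shibboleth IdP'              # assumed display name of the claims provider trust
$PemPath   = 'C:\temp\adfs-token-signing.pem'  # assumed export location

function Add-NonSniBinding {
    # Copy the hostname (SNI) binding on $HostName:443 to an IP binding on 0.0.0.0:443, which is
    # what non-SNI clients (Java 1.6, OpenSSL 0.9.8, the F5 monitor) end up negotiating against.
    param([string]$HostName)
    $sni = netsh http show sslcert "hostnameport=${HostName}:443" | Out-String
    if ($sni -match 'Certificate Hash\s*:\s*([0-9A-Fa-f]{40})') { $hash = $Matches[1] }
    else { throw "No SNI binding found for ${HostName}:443" }
    if ($sni -match 'Application ID\s*:\s*(\{[0-9A-Fa-f-]{36}\})') { $appId = $Matches[1] }
    else { throw 'Application ID not found in netsh output' }
    $ip = netsh http show sslcert ipport=0.0.0.0:443 | Out-String
    if ($ip -match 'Certificate Hash') { return 'IP binding on 0.0.0.0:443 already present' }
    netsh http add sslcert ipport=0.0.0.0:443 "certhash=$hash" "appid=$appId" | Out-Null
    return "Added 0.0.0.0:443 binding using certificate $hash"
}

function Set-ShibbolethTrust {
    # The deck's two trust changes: accept SHA-1 signed tokens from the IdP, and turn the incoming
    # ePPN into a UPN carrying the AD UPN suffix (rule 2 of the "Divine Secrets" slides).
    param([string]$Name)
    $rules = @'
@RuleName = "Shibboleth ePPN to UPN, suffix rewritten to the AD UPN suffix"
c:[Type == "urn:oid:1.3.6.1.4.1.5923.1.1.1.6", Value =~ "@uvm\.edu$"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
          Value = regexreplace(c.Value, "^(?<user>[^@]+)@(.+)$", "${user}@campus.ad.uvm.edu"),
          ValueType = c.ValueType);
'@
    Set-AdfsClaimsProviderTrust -TargetName $Name `
        -SignatureAlgorithm 'http://www.w3.org/2000/09/xmldsig#rsa-sha1' `
        -AcceptanceTransformRules $rules
    # Read the trust back so the change (and nothing else) can be eyeballed.
    return Get-AdfsClaimsProviderTrust -Name $Name |
        Select-Object Name, SignatureAlgorithm, AcceptanceTransformRules
}

function Export-TokenSigningPem {
    # Write the primary token-signing certificate as Base64 PEM; Shibboleth needs exactly this
    # (public key only, no private key) to validate the AD FS relying party's signatures.
    param([string]$Path)
    $cert = (Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary).Certificate
    $der  = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    $b64  = [Convert]::ToBase64String($der, 'InsertLineBreaks')
    Set-Content -Path $Path -Encoding Ascii -Value "-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----"
    return $cert.Thumbprint
}

Add-NonSniBinding -HostName $AdfsHost
Set-ShibbolethTrust -Name $TrustName
Export-TokenSigningPem -Path $PemPath   # hand this file to the Shibboleth admin for relying-party.xml
```

The SHA-1 setting is a per-trust downgrade: only the Shibboleth claims provider trust accepts SHA-1, while relying party trusts such as Office 365 keep the SHA-256 default. Re-run the export whenever the AD FS token-signing certificate rolls over, or Shibboleth will reject the new signatures.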
• http://office.microsoft.com/en-us/academic/compare-office-365-education-plans-FX103045755.aspx
• Domain considerations:
  • Must the O365 domain match the user's ePPN/UPN suffix? (i.e. will the UPN someone@domain.com be used to log in to the O365 domain "domain.com"?)
  • If not, plan on:
    • Transforming the UPN suffix in the relying party trust with Office 365 (maybe?), or
    • Changing the UPN suffix for your AD users, or
    • Using the supported Alternate Login ID method (see references).
• Configure the domain for SSO using PowerShell:
  Set-MsolAdfscontext -Computer <AD FS primary server>
  Convert-MsolDomainToFederated -DomainName <domain>
[BACK]

Configuring DirSync for Filtered Replication:
• Dedicate a Windows Server OS.
  • Must use SQL Server Standard/Enterprise if >50,000 objects will be synchronized.
• The installer will create an "MSOL_*" user account in your forest root domain.
  • Documentation claims the name will be "AAD_*".
• Assumption: the MSOL account will not be able to read FERPA-protected data, because it is not in a group that can read this info.
• Fact: the MSOL account syncs FERPA data anyway. WHY??!?!
• MSOL is a powerful account with "Replicating Directory Changes" rights: http://support.microsoft.com/kb/303972
  • This right will need to be removed if you need to filter user attributes (regulatory compliance/privacy concerns).
  • OR, just create a new service account for DirSync (supported by Microsoft?).

Configuring DirSync for Filtered Replication (continued):
• DirSync is FIM-based: same user interface as seen in FIM and the SharePoint User Profile Synchronization tool.
• Launch from: C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell\miisclient.exe
• FIM has a lot of filtering options, but for DirSync, support is limited to filtering out whole domains, whole OUs, or filtering entire accounts based on a limited set of pre-defined attributes (e.g. extensionAttribute1).

Configuring DirSync for Filtered Replication (continued):
• Remove any explicit allow ACE that would let non-privileged accounts read FERPA-protected attributes. (Already done!)
• Grant the required rights using inherited ACLs.
• Apply an inherited deny ACE that blocks access to non-exportable user data.
• Source: http://www.ntfs.com/ntfs-permissions-acl-use.htm

Configuring DirSync for Filtered Replication (continued):
• DirSync will read extensionAttribute1-15 values into the "metaverse".
• Populate extensionAttribute1 with affiliation type data.
• Configure the agent to send only users with extensionAttribute1 = Student.
[BACK]

Provisioning Office 365 Users Using PowerShell
• Requires the "Microsoft Azure Active Directory Module for Windows PowerShell" (make sure you have the latest build!).
• Azure-only accounts have password expiration: set a reminder to prevent provisioning failures.
  > Connect-MsolService
  > Get-MsolUser -UnlicensedUsersOnly -Synchronized -All
  > Set-MsolUser -UserPrincipalName <upn> -UsageLocation 'US'
  > Set-MsolUserLicense -UserPrincipalName <upn> -AddLicenses [tenant]:OFFICESUBSCRIPTION_STUDENT
• See the blog entry for more details.

PowerShell Send-MailMessage
  Provisioning report for Office 365/Azure AD for: 10/13/2014 10:15:01 PM
  Office 365 ProPlus for Student - license report:
    Total licenses: 18000
    Consumed licenses: 15959
    Remaining licenses: 2041
  Retrieved active students from Active Directory. Active student count: 15335
  Retrieved unlicensed MSOL users. Unlicensed user count: 4
  Provisioning successfully completed at: 10/13/2014 10:15:22 PM
  Provisioned 0 accounts.
  Elapsed Time (hh:mm:ss): 0:0:21
[BACK]

Frank Oobarthsen's Sign-In Experience, Take 1 [screenshot]
• GOAL: Get to the login page and log in successfully on the first try.
[BACK]

Frank Oobarthsen's Sign-In Experience, Take 2 [screenshot]
• Enables Frank to log in successfully on the first try.
[BACK]
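The AD-side preparation from the "Configuring DirSync for Filtered Replication" slides, added here as an example and not the deck's own code: stamp extensionAttribute1 with the affiliation so the connector can filter on it, apply an inherited deny-ReadProperty ACE for the FERPA-protected attributes to the sync account, and check whether that account still holds "Replicating Directory Changes", because while it does the deny ACE changes nothing (the slide's "WHY??!?!"). The sync account name CAMPUS\MSOL_svc, the OU, the employeeType source attribute, and the two protected attributes are assumptions; the deck gives only the MSOL_* naming pattern and extensionAttribute1 = Student.

```powershell
# Added example (not from the deck): prepare AD for DirSync attribute filtering.
# ASSUMED (not on the page): sync account name, OU, affiliation source attribute, protected attributes.
Import-Module ActiveDirectory

$SyncAccount    = 'CAMPUS\MSOL_svc'                               # assumed; real name is MSOL_<random>
$UserSearchBase = 'OU=People,DC=campus,DC=ad,DC=uvm,DC=edu'       # assumed
$ProtectedAttrs = @('homePhone', 'streetAddress')                  # assumed FERPA-protected attributes

function Get-SchemaGuid {
    # schemaIDGUID of an attribute or class, by LDAP display name; needed for object-specific ACEs.
    param([string]$LdapDisplayName)
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    return [guid]$obj.schemaIDGUID
}

function Add-InheritedDenyRead {
    # Inherited deny ACE on one attribute, scoped to user objects below $OuDn (the slide's
    # "apply an inherited deny ACE that blocks access to non-exportable user data").
    param([string]$OuDn, [string]$Identity, [string]$Attribute)
    $sid = (New-Object System.Security.Principal.NTAccount($Identity)).Translate([System.Security.Principal.SecurityIdentifier])
    $ruleArgs = @(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
        [System.Security.AccessControl.AccessControlType]::Deny,
        (Get-SchemaGuid $Attribute),
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        (Get-SchemaGuid 'user'))
    $acl = Get-Acl -Path "AD:\$OuDn"
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $ruleArgs))
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

function Test-ReplicationRight {
    # True if $Identity holds DS-Replication-Get-Changes on the domain head. DirSync reads with that
    # right instead of ordinary ACL-checked reads, so the deny ACEs above only matter once it is gone.
    param([string]$Identity)
    $getChanges = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # well-known rightsGuid of DS-Replication-Get-Changes
    $acl = Get-Acl -Path "AD:\$((Get-ADDomain).DistinguishedName)"
    return [bool]($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and $_.ObjectType -eq $getChanges -and
        $_.AccessControlType -eq 'Allow' })
}

function Set-AffiliationFlag {
    # DirSync filters whole accounts on a few pre-defined attributes only, so copy the affiliation
    # into extensionAttribute1; the connector then keeps just "Student". Returns the change count.
    param([string]$SearchBase)
    $changed = 0
    Get-ADUser -SearchBase $SearchBase -Filter 'enabled -eq $true' -Properties employeeType, extensionAttribute1 |
        ForEach-Object {
            $flag = if ($_.employeeType -eq 'Student') { 'Student' } else { 'NoSync' }
            if ($_.extensionAttribute1 -ne $flag) {
                Set-ADUser -Identity $_ -Replace @{ extensionAttribute1 = $flag }
                $changed++
            }
        }
    return $changed
}

foreach ($attr in $ProtectedAttrs) { Add-InheritedDenyRead -OuDn $UserSearchBase -Identity $SyncAccount -Attribute $attr }
if (Test-ReplicationRight -Identity $SyncAccount) {
    Write-Warning "$SyncAccount still has Replicating Directory Changes; the deny ACEs are not yet effective"
}
"Stamped extensionAttribute1 on $(Set-AffiliationFlag -SearchBase $UserSearchBase) users"
```

After removing the replication right (or switching to a fresh service account, as the slide suggests), run a full import in miisclient.exe and confirm the protected attributes are absent from the metaverse; the deck's assumption that group membership alone would block the read is exactly what this check is for.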
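A complete nightly run of the four cmdlets on the "Provisioning Office 365 Users Using PowerShell" slide, producing the kind of Send-MailMessage report shown above. This is an added example, not the author's script (that one is linked from the Resources slides). It assumes, as the DirSync slides describe, that active students carry extensionAttribute1 = Student in AD; the SKU prefix uvm, the OU, and the mail settings are assumptions. It never licenses a user AD does not mark as a student, and stops when the license pool is exhausted rather than failing on every remaining user.

```powershell
# Added example (not from the deck): license active students with Office 365 ProPlus and mail a report.
# ASSUMED (not on the page): SKU prefix, OU, mail settings; students flagged by extensionAttribute1.
Import-Module MSOnline
Import-Module ActiveDirectory

$Sku        = 'uvm:OFFICESUBSCRIPTION_STUDENT'                # [tenant]:OFFICESUBSCRIPTION_STUDENT from the deck
$SearchBase = 'OU=People,DC=campus,DC=ad,DC=uvm,DC=edu'        # assumed
$MailTo     = 'sysadmins@example.org'                          # assumed
$MailFrom   = 'o365-provisioning@example.org'                  # assumed
$SmtpServer = 'smtp.example.org'                               # assumed

function Get-ActiveStudentUpn {
    # UPNs of the accounts the DirSync filter should have pushed to Azure AD (same criterion as the agent).
    param([string]$SearchBase)
    $set = New-Object 'System.Collections.Generic.HashSet[string]' ([StringComparer]::OrdinalIgnoreCase)
    Get-ADUser -SearchBase $SearchBase -Filter 'extensionAttribute1 -eq "Student" -and enabled -eq $true' |
        ForEach-Object { [void]$set.Add($_.UserPrincipalName) }
    return $set
}

function Invoke-StudentProvisioning {
    # Assign $SkuId to every synced, unlicensed user that AD says is a student. Returns the report lines.
    param([string]$SkuId, [string]$SearchBase)
    $start = Get-Date
    $log = New-Object 'System.Collections.Generic.List[string]'
    $log.Add("Provisioning report for Office 365/Azure AD for: $start")

    $skuInfo = Get-MsolAccountSku | Where-Object AccountSkuId -eq $SkuId
    if (-not $skuInfo) { throw "SKU $SkuId not found in tenant" }
    $remaining = $skuInfo.ActiveUnits - $skuInfo.ConsumedUnits
    $log.Add("Total licenses: $($skuInfo.ActiveUnits)  Consumed licenses: $($skuInfo.ConsumedUnits)  Remaining licenses: $remaining")

    $students = Get-ActiveStudentUpn -SearchBase $SearchBase
    $log.Add("Retrieved active students from Active Directory. Active student count: $($students.Count)")

    # Faculty/staff must never be licensed: intersect Azure AD's unlicensed set with AD's student set.
    $unlicensed = @(Get-MsolUser -UnlicensedUsersOnly -Synchronized -All |
        Where-Object { $students.Contains($_.UserPrincipalName) })
    $log.Add("Retrieved unlicensed MSOL users. Unlicensed user count: $($unlicensed.Count)")

    $done = 0
    foreach ($u in $unlicensed) {
        if ($done -ge $remaining) { $log.Add('STOPPED: license pool exhausted; request more licenses'); break }
        try {
            # UsageLocation is mandatory before any license can be assigned.
            Set-MsolUser -UserPrincipalName $u.UserPrincipalName -UsageLocation 'US'
            Set-MsolUserLicense -UserPrincipalName $u.UserPrincipalName -AddLicenses $SkuId
            $done++
        } catch {
            $log.Add("FAILED $($u.UserPrincipalName): $($_.Exception.Message)")
        }
    }
    $log.Add("Provisioning completed at: $(Get-Date)")
    $log.Add("Provisioned $done accounts.")
    $log.Add("Elapsed Time (hh:mm:ss): $(((Get-Date) - $start).ToString('hh\:mm\:ss'))")
    return $log
}

# The cloud-only admin account used here is the one whose password expires (see the slide).
$cred = Get-Credential -Message 'Azure AD admin account for provisioning'
Connect-MsolService -Credential $cred
$report = Invoke-StudentProvisioning -SkuId $Sku -SearchBase $SearchBase
Send-MailMessage -To $MailTo -From $MailFrom -SmtpServer $SmtpServer `
    -Subject 'Office 365 ProPlus student provisioning' -Body ($report -join "`n")
```

Because Get-MsolUser returns only users DirSync created and the AD lookup is re-done on every run, a student whose extensionAttribute1 changes away from Student is simply no longer picked up; revoking licenses from departed students is a separate step (Set-MsolUserLicense -RemoveLicenses) that this script deliberately does not perform.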