Office 365 Single Sign on with ADFS

Single Sign on with Active Directory Federation in Office 365/SharePoint Online
Presented by:
Amit Chachra, Principal Lead Consultant with Magenic
Allen Yu, Senior Systems Engineer with WCIRB of California
© Magenic Technologies, Inc. 2011 Confidential and Proprietary Information
• Office 365 Identity
– Identity Management Overview
– Identities for Microsoft Cloud Services
– Core Identity Scenarios with Office 365
• Directory Sync with Password Sync
• ADFS 2.0
– High Availability and High Resiliency
• Single Sign On Experience
– Demo
• Tips, Tricks and Best Practices for configuring ADFS with Office 365
What is Identity Management
• Identity management deals with identifying individuals in a system and controlling access to the resources in that system
• Integral components of identity and access
– Authentication (verifies who you are): verifying that a user, device, or service such as an application provided on a network server is the entity that it claims to be
– Authorization (verifies what you are authorized to do): determining which actions an authenticated entity is authorized to perform on the network
Identities for Microsoft Cloud Services
[Figure: the two identity types used by Microsoft cloud services, Microsoft Account and Organizational Account]
Cloud vs. Federated Identity
Cloud Identity
• Separate credential from corporate credential
• Authentication occurs via cloud directory service
• Password policy stored in Office 365
Federated Identity
• Same credential as corporate credential
• Authentication occurs via on-premises Active Directory service
• Password policy is stored on-premises
• Requires Directory Sync
Common Identity platform for Organizational Accounts
Windows Azure Active Directory is the underlying identity platform for various cloud services that use Organizational Accounts.
[Figure: Windows Azure Active Directory as the common identity platform]
Core Identity Scenarios with Office 365
[Figure: three identity scenarios]
• Cloud Identity – no integration to on-premises directories
• Directory & Password Sync – integration without single sign-on
• Federated Identity – single federated identity and credentials
Identity Usage Scenarios
Cloud Identity
• Smaller organizations without on-premises Active Directory
• Doesn't require on-premises server deployment
• "Source of Authority" is in the cloud
• No Single Sign-On
• No 2-Factor Authentication
• 2 sets of credentials to manage with potentially different password policies
Cloud Identity + DirSync
• Medium to large organizations with Active Directory on-premises
• Enables co-existence
• "Source of Authority" is on-premises
• No Single Sign-On
• No 2-Factor Authentication
• 2 sets of credentials to manage with potentially different password policies
• Requires on-premises server deployment
Federated Identity*
• Large enterprise organizations with Active Directory on-premises
• Single Sign-On
• Enables co-existence
• Requires on-premises server deployment in high availability
Prepare your Environment
• Active Directory Attribute Cleanup
– Minimum - User Name, First Name, Last Name, and Display Name
– Unsupported characters - Space ( ) @ ‘ | = ? /
• Only routable domains can be used with ADFS deployment
– Non-routable domains: .local - .loc - .internal
• Domain must be added and ownership verified
• If organization has AD with only internal namespace, it must:
– Add a routable UPN suffix in Active Directory Forests and
– Configure each user with that routable UserPrincipalName
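As an added example (not from the deck), the attribute and UPN checks above as a read-only PowerShell audit; the domain names, the ActiveDirectory module and the Get-ADUser calls are assumptions about your environment.

```powershell
# Added example (not from the deck): audit on-premises AD users for the two
# preparation issues above - unsupported characters in the attributes DirSync
# needs, and UPNs that still use a non-routable suffix.
# Requires the ActiveDirectory (RSAT) module. Read-only: it reports, it changes nothing.
Import-Module ActiveDirectory

# Assumptions: contoso.com is the verified, routable domain added to Office 365;
# the existing internal namespace is one of the non-routable suffixes listed.
$RoutableSuffix      = 'contoso.com'
$NonRoutableSuffixes = @('.local', '.loc', '.internal')

# Characters the deck lists as unsupported: space ( ) @ ' | = ? /
$BadChars = '[ ()@''|=?/]'

$findings = foreach ($u in Get-ADUser -Filter * -Properties GivenName, Surname, DisplayName, UserPrincipalName) {
    # Check the minimum attribute set for unsupported characters
    foreach ($attr in 'SamAccountName', 'GivenName', 'Surname', 'DisplayName') {
        $v = $u.$attr
        if ($v -and $v -match $BadChars) {
            [pscustomobject]@{ User = $u.SamAccountName; Issue = "Unsupported character in $attr"; Value = $v }
        }
    }
    # Check that the UPN suffix is the routable, verified domain
    $upn = $u.UserPrincipalName
    if (-not $upn) {
        [pscustomobject]@{ User = $u.SamAccountName; Issue = 'No UPN set'; Value = '' }
    }
    elseif ($NonRoutableSuffixes | Where-Object { $upn.ToLower().EndsWith($_) }) {
        [pscustomobject]@{ User = $u.SamAccountName; Issue = 'Non-routable UPN suffix'; Value = $upn }
    }
    elseif (-not $upn.ToLower().EndsWith("@$RoutableSuffix")) {
        [pscustomobject]@{ User = $u.SamAccountName; Issue = 'UPN suffix is not the federated domain'; Value = $upn }
    }
}

$findings | Sort-Object User | Format-Table -AutoSize
"{0} issue(s) found" -f @($findings).Count
```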
SSL Certificates
• Why SSL certificates?
– SSO experience; ActiveSync
– Secure communications
– Auto-discover the Exchange Server
• Certificates required for these Office 365 components:
– Exchange on-premises
– Single sign-on (for both the ADFS federation servers and ADFS federation server proxies)
– Auto-discover, Outlook Anywhere, Exchange ActiveSync, and Exchange Web Service (EWS)
– Exchange hybrid server
Network and Hardware Considerations
• Ports and Protocols
– Identify the port/protocol requirements for Active Directory, SharePoint, Lync, Exchange, and migration scenarios
• Firewall Considerations
– Accept connections based on wildcard domain names
• Proxy Device Considerations
– Allow connections from Microsoft Online Services
– URLs
• WAN Accelerators
– Test and optimize your WAN accelerated proxy device(s)
• Hardware and Software Load-Balancing Devices
– These are required for single sign-on and Exchange hybrid
• Test and optimize your load-balancing device(s)
Directory Sync with Password Sync
• Application that synchronizes on-premises Active Directory with Office 365
• x64 application based on FIM
• Designed as an appliance: "Set it and forget it"
• Entire Active Directory forest is scoped for synchronization
• What is synchronized?
– All user objects
– All group objects
– Mail-enabled contact objects
– Passwords (if you opt to sync passwords too)
• Synchronization is from on-premises to Office 365 only
• Synchronization occurs every 3 hours
Single Sign On – Server Requirements
• Windows Server 2008/2008 R2 or Windows Server 2012
• Web Server (IIS)
• .NET 3.5 SP1
• Windows Identity Foundation
• Publicly registered domain name
• SSL Trusted Public Certificates
• Windows Azure Active Directory Module for Windows PowerShell
– Microsoft Online Sign In Assistant
• High-availability design
Deploying ADFS 2.0 for SSO
• Deploy ADFS Server (AD FS 2.x Server)
– Default topology for Office 365 is an AD FS 2.x federation server farm that consists of multiple servers hosting your organization's Federation Service
– Recommend using at least two federation servers in a load-balanced farm
• Deploy ADFS Server Proxy (AD FS 2.x Proxy Server)
– Federation server proxies are used to redirect client authentication requests coming from outside your corporate network to the federation server farm
– Federation server proxies should be deployed in the DMZ
Preparing to deploy ADFS
• Active Directory running in Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2 with a functional level of mixed or native mode
• AD FS 2.x deployed on Windows Server 2008/R2 or Windows Server 2012
• AD FS 2.x Proxy deployed, if some users are connecting from outside the company's network
• Windows Azure Active Directory Module for Windows PowerShell to establish a trust with Office 365
• Required updates installed for Office 365
• A unique third-party certificate when installing and configuring federation servers and federation server proxies
ADFS Certs
Service communication certificate
– AD FS uses this certificate to enable HTTPS, which is required for traffic to and from the federation servers and federation server proxies (to secure the communication). It is basically an SSL certificate that needs to be installed in IIS on each federation server and federation server proxy.
Token signing certificate
– AD FS uses this certificate to digitally sign outgoing AD FS tokens. It is not used to keep data secret; it ensures the integrity of the security tokens as they pass between the federation servers and the application server via the client computer.
Token decrypting certificate
– AD FS 2.0 and above can encrypt the contents of the AD FS tokens. This is in addition to having the tokens signed by the server's token-signing certificate.
ADFS solution
Federation using PowerShell
• Prompt for Office 365 credentials and store them in a variable
• Connect-MsolService -Credential $cred
– Connect to Office 365 using the stored credentials
• Set-MSOLAdfscontext -Computer <AD FS 2.x primary server>
– Specify the local AD FS 2.x server
• Convert-MSOLDomainToFederated -DomainName <>
– Convert the standard local domain to an identity-federated domain
• Show identity federation properties
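The sequence above as one script, added here as an example (not the deck's own code), with a check before and after the conversion; the MSOnline module, the server name adfs01.contoso.com and the domain contoso.com are assumptions.

```powershell
# Added example (not from the deck): the federation steps as one script,
# with a pre-check and a post-check around the conversion.
# Assumptions: MSOnline module installed; adfs01.contoso.com is the AD FS 2.x
# primary server; contoso.com is the verified domain being federated.
Import-Module MSOnline

$DomainName = 'contoso.com'
$AdfsServer = 'adfs01.contoso.com'

# Prompt for Office 365 credentials and store them in a variable
$cred = Get-Credential -Message 'Office 365 global administrator'

# Connect to Office 365 using the stored credentials
Connect-MsolService -Credential $cred

# Pre-check: only a verified domain that is still "Managed" can be converted
$domain = Get-MsolDomain -DomainName $DomainName
if ($domain.Status -ne 'Verified') { throw "$DomainName is not verified in Office 365" }
if ($domain.Authentication -eq 'Federated') { throw "$DomainName is already federated" }

# Specify the local AD FS 2.x primary server the cmdlets should talk to
Set-MsolADFSContext -Computer $AdfsServer

# Convert the standard (managed) domain to an identity-federated domain.
# This also publishes the AD FS endpoints and token-signing certificate to Office 365.
Convert-MsolDomainToFederated -DomainName $DomainName

# Post-check: the domain must now report Federated, and the federation
# properties AD FS publishes should match what Office 365 stored. A difference
# (for example after a token-signing certificate rollover) is the first thing
# to look at when sign-in stops working.
$after = Get-MsolDomain -DomainName $DomainName
if ($after.Authentication -ne 'Federated') { throw "Conversion failed: $DomainName is $($after.Authentication)" }

$props = Get-MsolFederationProperty -DomainName $DomainName
$props | Format-List Source, FederationServiceIdentifier, PassiveLogOnUri, TokenSigningCertificate

$ids = $props | ForEach-Object { $_.FederationServiceIdentifier } | Sort-Object -Unique
if (@($ids).Count -gt 1) {
    Write-Warning "AD FS and Office 365 disagree on the federation service identifier: $($ids -join ', ')"
}
```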
ADFS Farm Architecture – WID vs. SQL
WID Advantages
• Very easy to set up and implement
• Supports multiple federation servers in a farm (limited to 5 federation servers in a farm)
• Load balancing and fault tolerance is possible if set up as a farm
WID Disadvantages
• SAML artifact resolution and SAML/WS-Federation token replay detection features are not available
• Not supported if there are more than 100 claims provider trusts or more than 100 relying party trusts
ADFS Farm Architecture – WID vs. SQL contd…
SQL Advantages
• Supports multiple federation servers (not subject to the limitation of WID)
• Load balancing and fault tolerance
• Easily scalable
SQL Disadvantages
• Additional setup complexity; requires PowerShell to install
• SQL cluster introduces another potential point of failure
• SQL server must be performing well to service requests
ADFS High Availability and High Resiliency
Single Sign On Experience Demo
OnRamp tool
• The OnRamp tool may give you errors and warnings which might not be applicable to your configuration. In most cases, you can ignore these errors and continue with the ADFS setup.
DirSync Tool Install
DirSync tool installation may fail the first time when you run the installer on Windows Server 2012. Logs mention that a local security group (FIMSyncAdmins) is configured on the system during the installation, but the user doesn't have rights for that group membership because the user needs to log off for the membership to take effect.
DirSync Tool Re-Install
Uninstall the DirSync tool, reboot the system afterwards and rerun the installation. This time it should go through, locate the existing FIM groups created in the first run of the install, and complete successfully.
Dedicated "Service" Account in O365 for DirSync
Use a dedicated Microsoft cloud identity account as a "service" account (global administrator) for DirSync. By default, Azure automatically requires a password update every 90 days, but we should turn off the password expiration for this account using the Windows Azure Active Directory Module for Windows PowerShell, otherwise DirSync will break every 90 days.
Set-MsolUser -UserPrincipalName <service account UPN> -PasswordNeverExpires $true
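Added example (not the deck's own code): creating the dedicated service account, granting it global administrator, applying the never-expire setting and verifying all three; the MSOnline module, the tenant domain contoso.onmicrosoft.com, the account name and the placeholder password are assumptions.

```powershell
# Added example (not from the deck): create the dedicated cloud-identity
# "service" account for DirSync, make it a global administrator, switch off
# password expiry so synchronization does not break every 90 days, and verify.
# Assumptions: MSOnline module; contoso.onmicrosoft.com is the tenant's
# default domain; the account name and initial password are placeholders.
Import-Module MSOnline
Connect-MsolService -Credential (Get-Credential -Message 'Office 365 global administrator')

$Upn = 'svc-dirsync@contoso.onmicrosoft.com'

# A cloud-only (*.onmicrosoft.com) UPN keeps the account usable even if the
# federated domain is later converted or the AD FS farm is unavailable.
if (-not (Get-MsolUser -UserPrincipalName $Upn -ErrorAction SilentlyContinue)) {
    New-MsolUser -UserPrincipalName $Upn -DisplayName 'DirSync Service' `
        -Password 'REPLACE-WITH-GENERATED-PASSWORD' -ForceChangePassword $false | Out-Null
}

# Global administrator is called "Company Administrator" in the MSOnline cmdlets.
$role = Get-MsolRole -RoleName 'Company Administrator'
function Test-GlobalAdmin([string]$UserPrincipalName) {
    [bool](Get-MsolRoleMember -RoleObjectId $role.ObjectId |
           Where-Object { $_.EmailAddress -eq $UserPrincipalName })
}
if (-not (Test-GlobalAdmin $Upn)) {
    Add-MsolRoleMember -RoleName 'Company Administrator' -RoleMemberEmailAddress $Upn
}

# The setting from the slide, with the UPN the original command left out
Set-MsolUser -UserPrincipalName $Upn -PasswordNeverExpires $true

# Verify all three properties before pointing the DirSync wizard at the account
$user = Get-MsolUser -UserPrincipalName $Upn
[pscustomobject]@{
    UserPrincipalName    = $user.UserPrincipalName
    IsGlobalAdmin        = Test-GlobalAdmin $Upn
    PasswordNeverExpires = $user.PasswordNeverExpires
}
```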
Understand the Rollback mechanism (unfederation)
Understand how it works and what it affects in O365 and in your underlying Active Directory.
Convert-MSOLDomainToStandard -DomainName mydomain -SkipUserConversion $false -PasswordFile c:\temp\userpasswords.txt
The password file stores all the temporary passwords assigned to the user accounts after federation is removed.
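The rollback above as an added example (not the deck's own code), with a check that the domain is back to Managed and with the password file, which holds every converted user's temporary password in clear text, kept in a restricted folder; the MSOnline module and the domain contoso.com are assumptions.

```powershell
# Added example (not from the deck): unfederate a domain, confirm it is back to
# "Managed", and protect the password file the conversion writes, since it
# contains the temporary passwords of every converted user in clear text.
# Assumptions: MSOnline module; contoso.com is the domain being unfederated.
Import-Module MSOnline
Connect-MsolService -Credential (Get-Credential -Message 'Office 365 global administrator')

$DomainName   = 'contoso.com'
$PasswordFile = 'c:\temp\userpasswords.txt'
$Folder       = Split-Path $PasswordFile

# Create the folder and restrict it to the current admin BEFORE the file is
# written, so the temporary passwords never sit in a path other users can read.
New-Item -ItemType Directory -Path $Folder -Force | Out-Null
icacls $Folder /inheritance:r /grant:r "$env:USERDOMAIN\${env:USERNAME}:(OI)(CI)F" | Out-Null

# Convert the federated domain back to a standard (managed) domain and convert
# the users as well ($false = do not skip user conversion), writing their
# temporary passwords to the file.
Convert-MsolDomainToStandard -DomainName $DomainName -SkipUserConversion $false -PasswordFile $PasswordFile

# Verify the authentication type flipped and the password file was produced
$auth = (Get-MsolDomain -DomainName $DomainName).Authentication
if ($auth -ne 'Managed') { throw "Rollback incomplete: $DomainName is still $auth" }
if (-not (Test-Path $PasswordFile)) { throw "No password file was written to $PasswordFile" }

$count = @(Get-Content $PasswordFile).Count
"Domain $DomainName is Managed; $count line(s) of temporary passwords in $PasswordFile. Hand them out through a separate channel, then delete the file."
```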
Plan ahead to test the configuration with a trial version
• No easy way to do a trial of federation in Office 365, so plan ahead on testing with a trial version of O365, a test domain and dedicated test infrastructure.
• It is strongly recommended to test it before you federate your production domain with O365.
Tips and Tricks for ADFS setup contd…
• For a full single sign-on experience you need to implement a split DNS configuration so that external users are treated differently from internal users on the corporate network, for security reasons.
• It is strongly recommended to use a public-facing SSL certificate for configuring Outlook clients using Microsoft Autodiscover.
• The Office 365 Single Sign On experience works best with Internet Explorer. Other browsers may behave differently.
• You must set a group policy to put the federation service URL in the Local Intranet sites zone in IE. This is to allow IE's Windows Integrated Authentication to work seamlessly with ADFS.
• Make sure you validate that the documentation you got from internet sites (sometimes even TechNet) is currently applicable to the Office 365 version you are working with.
• Use the GUI tool Synchronization Service Manager after you have installed DirSync to monitor the synchronization.
Checklist: Setting Up a Federation Server
Windows Server 2012 AD FS Deployment Guide
AD FS Troubleshooting
Converting from SSO domain to Non-Federated