Office 365 Identity, June 2013

Transcript of the slide deck "Office 365 Identity" (June 2013, 37 slides).

Page 1: Core identity scenarios Deep dive on federation and synchronization 2 3 Identity management overview 1 Additional features 4.

Office 365 Identity
June 2013

Page 2:

Agenda

1. Identity management overview
2. Core identity scenarios
3. Deep dive on federation and synchronization
4. Additional features

Page 3:

Identity management overview

Page 4:

What is identity management?

Identity management deals with identifying individuals in a system and controlling access to the resources in that system.

Integral components of identity and access management:

Authentication: verifying that a user, device, or service (such as an application provided on a network server) is the entity that it claims to be.

Authorization: determining which actions an authenticated entity is authorized to perform on the network.

Page 5:

Identities for Microsoft Cloud Services

Microsoft Account (user), e.g. [email protected]

Organizational Account (user), e.g. [email protected]

Page 6:

Common Identity platform for Organizational Accounts

Diagram: Windows Azure Active Directory, made up of a directory store and an authentication platform.

Windows Azure Active Directory is the underlying identity platform for various cloud services that use Organizational Accounts.

Page 7:

Core identity scenarios

Page 8:

Cloud Identity

Diagram: users are created in Windows Azure Active Directory from a spreadsheet via CSV import. Windows Azure Active Directory exposes OAuth2, SAML-P, WS-Federation, federation metadata and the Graph API, and performs authentication and authorization for the Office Activation Service, the Office 365 Admin Portal and Exchange mailbox access.

Page 9:

Directory & Password Sync

Diagram: on premises, Active Directory is synchronized by DirSync into Windows Azure Active Directory. Windows Azure Active Directory exposes OAuth2, SAML-P, WS-Federation, federation metadata and the Graph API, and performs authentication and authorization for the Office Activation Service, the Office 365 Admin Portal and Exchange mailbox access.

Page 10:

Directory Synchronization Options

PowerShell & Graph API
• Suitable for small/medium size organizations with AD or non-AD
• Performance limitations apply with PowerShell and Graph API provisioning
• PowerShell requires scripting experience
• The PowerShell option can be used where the customer/partner has wrappers around PowerShell scripts (e.g. self-service provisioning)

DirSync
• Suitable for organizations using Active Directory (AD)
• Provides the best experience to most customers using AD
• Supports Exchange co-existence scenarios
• Coupled with ADFS, provides the best option for federation and synchronization
• Supports Password Synchronization at no additional cost
• Does not require any additional software licenses

Forefront Identity Manager (FIM)
• Suitable for large organizations with certain AD and non-AD scenarios
• Complex multi-forest AD scenarios
• Non-AD synchronization through Microsoft Premier deployment support
• Requires Forefront Identity Manager and additional software licenses
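The PowerShell provisioning option above, as an added example (not code from the deck): a bulk create from a CSV file with the Microsoft Online Services Module for Windows PowerShell (MSOnline). It assumes the module is installed, the account used holds a user-management admin role, a constructed users.csv with the columns UserPrincipalName, DisplayName, FirstName, LastName and UsageLocation, and a hypothetical license SKU name; the script is idempotent (existing users are skipped) and never takes passwords from the CSV.

```powershell
# Added example (not from the deck): bulk-provision cloud identities from a CSV with
# the MSOnline module. Assumptions: MSOnline installed, an admin account with a
# user-management role, users.csv with columns UserPrincipalName, DisplayName,
# FirstName, LastName, UsageLocation (constructed input), and a hypothetical SKU.

Import-Module MSOnline
Connect-MsolService -Credential (Get-Credential -Message "Office 365 admin")

$csvPath = ".\users.csv"
# Hypothetical SKU id; list the tenant's real SKUs with Get-MsolAccountSku.
$sku = "contoso:ENTERPRISEPACK"

$report = foreach ($row in Import-Csv -Path $csvPath) {
    $upn = $row.UserPrincipalName.Trim()

    # Idempotent: never re-create (or reset the password of) a user that already exists.
    if (Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue) {
        [pscustomobject]@{ UserPrincipalName = $upn; Result = "exists"; Password = $null }
        continue
    }
    try {
        # No -Password: the service generates a random one-time password and returns it
        # in the Password property; -ForceChangePassword makes the user replace it at
        # first sign-in. -UsageLocation must be set before a license can be assigned.
        $new = New-MsolUser -UserPrincipalName $upn `
            -DisplayName $row.DisplayName `
            -FirstName $row.FirstName -LastName $row.LastName `
            -UsageLocation $row.UsageLocation `
            -LicenseAssignment $sku `
            -ForceChangePassword $true -ErrorAction Stop
        [pscustomobject]@{ UserPrincipalName = $upn; Result = "created"; Password = $new.Password }
    } catch {
        [pscustomobject]@{ UserPrincipalName = $upn; Result = "failed: $($_.Exception.Message)"; Password = $null }
    }
}

# One-time passwords go to a file that is handed over out-of-band and then deleted,
# not to the console (and therefore not to the PowerShell history).
$report | Export-Csv -Path ".\provisioning-report.csv" -NoTypeInformation
$report | Select-Object UserPrincipalName, Result | Format-Table -AutoSize
```

The slide's note about performance limitations is real: each New-MsolUser is a separate service call, so large batches run for a long time and may be throttled; for more than a few thousand objects, DirSync or FIM is the right tool.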

Page 11:

Federated Identity

Diagram: on premises, Active Directory is synchronized by DirSync into Windows Azure Active Directory, and Active Directory Federation Services has a one-way trust with Windows Azure Active Directory. Windows Azure Active Directory exposes OAuth2, SAML-P, WS-Federation, federation metadata and the Graph API, and performs authentication and authorization for the Office Activation Service, the Office 365 Admin Portal and Exchange mailbox access.

Page 12:

Core identity scenarios with Office 365

Cloud Identity: no integration with on-premises directories

Directory & Password Synchronization*: integration without federation

Federated Identity: single federated identity and credentials

* Password Synchronization may not be available at GA; the target is to update the service by 1H CY2013

Page 13:

Federation options

Shibboleth (SAML*), works with AD & non-AD
• Suitable for educational organizations
• Recommended where customers may use existing non-ADFS identity systems
• Single sign-on
• Secure token based authentication
• Support for web clients and Outlook only
• Microsoft supported for integration only, no Shibboleth deployment support
• Requires on-premises servers & support
• Works with AD and other directories on-premises

Active Directory Federation Services (ADFS), works with AD
• Suitable for medium and large enterprises, including educational organizations
• Recommended option for Active Directory (AD) based customers
• Single sign-on
• Secure token based authentication
• Support for web and rich clients
• Microsoft supported
• PhoneFactor can be used for two-factor authentication
• Works for Office 365 hybrid scenarios
• Requires on-premises servers, licenses & support

Third-party identity providers (verified through the 'Works with Office 365' program), works with AD & non-AD
• Suitable for medium and large enterprises, including educational organizations
• Recommended where customers may use existing non-ADFS identity systems with AD or non-AD
• Single sign-on
• Secure token based authentication
• Support for web and rich clients
• Third-party supported
• PhoneFactor can be used for two-factor authentication
• Works for Office 365 hybrid scenarios
• Requires on-premises servers, licenses & support

* Broader SAML implementations will be supported in 1H CY2013

Page 14:

Federation with Identity Partners

Diagram: Partner + Microsoft. Themes: flexibility, coordinated support, confidence, verified by Microsoft, reuse of existing investments.

Page 15:

'Works with Office 365': a program for third-party identity providers to interoperate with Office 365

Objective is to help customers that currently use Non-Microsoft identity solutions to adopt Office 365

Page 16:

Identity Roadmap

Shibboleth (SAML) support: available now

New 'Works with Office 365' partners: Ping, Optimal IDM, Okta and IBM available now; Novell, CA and Oracle in 1H CY2013

DirSync for multi-forest AD: available now through MCS and partners

Sync solution for non-AD using FIM: available now through MCS and partners

Password Synchronization for AD: 1H CY2013

Broader SAML support: 1H CY2013

Page 17:

Identity with other Cloud Services

Diagram: a user with a cloud identity (e.g. [email protected]) in Windows Azure Active Directory signs on to Office 365 and to ISV apps or SaaS providers with the same identity.

Identity managed in Windows Azure AD: single sign-on for Office 365 and other cloud services federated with a single cloud identity.

ISV applications or SaaS providers can integrate using APIs on Windows Azure AD (currently in Technical Preview).

Page 18:

Deep dive

Page 19:

High-level architecture: cloud identity + directory synchronization; single sign-on + directory synchronization

Diagram: on the Contoso customer premises, AD feeds MS Online Directory Sync, which writes to the Microsoft Online provisioning platform and directory store used by Lync Online, SharePoint Online and Exchange Online (also managed through the Admin Portal/PowerShell). Active Directory Federation Server 2.0 is the customer-side IdP and has a trust with the Microsoft Online authentication platform, which acts as the IdP towards the services.

Page 20:

Protocols

Office 365 uses Web Services (WS-*); WS-Trust provides support for rich client authentication.

Identity federation is supported only through ADFS 2.0.

Protocols supported: WS-*, SAML 1.1 (SAML 1.1 token); SAML-P (SAML 2.0) platform support.

Strong authentication (2FA) solutions: web applications via the ADFS Proxy sign-in page or other proxies (UAG/TMG); rich clients dependent on configuration.

Page 21:

Client Endpoints

Active Federation (MEX): applies to rich clients supporting ADFS. Used by Lync and the Office Subscription client. Clients negotiate authentication directly with the on-premises ADFS server.

Basic Authentication (Active Profile): applies to clients authenticating with basic authentication. Used by ActiveSync, Outlook 2007/2010, IMAP, POP, SMTP, and Exchange Web Services. Clients send basic authentication credentials to Exchange Online via SSL; Exchange Online proxies the request to the on-premises ADFS server on behalf of the client.

Passive Federation (Passive Profile): applies to web browsers and documents opened via SharePoint Online. Used by the Microsoft Online Portal, OWA, and SharePoint. Web clients (browsers) authenticate directly with the on-premises ADFS server.

Page 22:

Understanding client authentication path

Diagram: inside the corporate boundary, Lync 2010/Office Subscription clients use the MEX (active) endpoint on the AD FS 2.0 Server, internal OWA users use its web (passive) endpoint, and Outlook 2010/2007, IMAP/POP and ActiveSync clients send username/password to Exchange Online. Outside the corporate boundary, Lync 2010/Office Subscription clients use the MEX endpoint and external OWA users the web endpoint of the AD FS 2.0 Proxy, while Outlook 2010/2007, IMAP/POP and ActiveSync still send username/password to Exchange Online, which authenticates against the active endpoint on the AD FS 2.0 Proxy on the client's behalf.

Basic auth proposal: pass client IP, protocol and device name along with the proxied request.

Page 23:

Sign on experience

Web clients (Office with SharePoint Online, Outlook Web Application; "Remember me" = persisted cookie)
  Cloud Identity: username and password (Online ID)
  Federated identity, domain joined: no prompt (AD credentials)
  Federated identity, non-domain joined: username and password (AD credentials)

Exchange clients (Outlook, ActiveSync/POP/IMAP, Entourage; can save credentials)
  Cloud Identity: username and password (Online ID)
  Federated identity, domain joined: username and password (AD credentials)
  Federated identity, non-domain joined: username and password (AD credentials)

Rich applications (SIA: Lync, Office Subscriptions, CRM rich client; can save credentials)
  Cloud Identity: username and password (Online ID)
  Federated identity, domain joined: username only (AD credentials)
  Federated identity, non-domain joined: username and password (AD credentials)

Page 24:

Authentication flow (passive/web profile), identity federation

Diagram (customer side: client joined to CorpNet, AD FS 2.0 Server, Active Directory; Microsoft Online Services side: authentication platform, Exchange Online or SharePoint Online). The browser is redirected from the service to the on-premises AD FS 2.0 Server, which authenticates the user against Active Directory and issues a logon (SAML 1.1) token carrying UPN [email protected] and the user source ID (User ID: ABC123). The Microsoft Online authentication platform validates that token and issues its own auth token with UPN [email protected] and the cloud user ID 254729, which the browser presents to Exchange Online or SharePoint Online.

Page 25:

Authentication flow (MEX/rich client profile), identity federation

Diagram (customer side: client joined to CorpNet, AD FS 2.0 Server, Active Directory; Microsoft Online Services side: authentication platform, Lync Online). The rich client discovers the endpoint through MEX and authenticates directly with the on-premises AD FS 2.0 Server over WS-Trust; AD FS authenticates the user against Active Directory and issues a logon (SAML 1.1) token carrying UPN [email protected] and the user source ID (User ID: ABC123). The Microsoft Online authentication platform validates that token and issues its own auth token with UPN [email protected] and the cloud user ID 254729, which the client presents to Lync Online.

Page 26:

Active flow (Outlook/ActiveSync), always external; identity federation

Diagram (customer side: client joined to CorpNet, AD FS 2.0 Proxy, Active Directory; Microsoft Online Services side: authentication platform, Exchange Online). Even a client joined to CorpNet sends its basic auth credentials (username/password) to Exchange Online. Exchange Online, on the client's behalf, presents them to the externally reachable AD FS 2.0 Proxy, which obtains a logon (SAML 1.1) token carrying UPN [email protected] and the user source ID (User ID: ABC123). The Microsoft Online authentication platform validates that token and issues its own auth token with UPN [email protected] and the cloud user ID 254729, on which Exchange Online serves the client.

Page 27:

But wait, there’s more!

Page 28:

User Soft Delete

• Simple list of deleted users that are restorable
• Easily restore previously deleted users
• Smart enough to handle conflicts during bulk restoration
• Handles the case where the user's domain is no longer available during restore
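The two edge cases on this slide (proxy-address conflicts during a bulk restore, and a UPN whose domain is no longer in the tenant) map onto two parameters of Restore-MsolUser. The following is an added example, not from the deck: it lists the soft-deleted users and restores all of them, renaming any whose domain is gone to a hypothetical fallback domain contoso.onmicrosoft.com. It assumes the MSOnline module and an already connected admin session.

```powershell
# Added example (not from the deck): bulk restore of soft-deleted users with conflict
# handling. Assumptions: MSOnline module, Connect-MsolService already run, and
# contoso.onmicrosoft.com as a hypothetical fallback domain.

Import-Module MSOnline

$fallbackDomain = "contoso.onmicrosoft.com"
$tenantDomains = (Get-MsolDomain | Where-Object { $_.Status -eq "Verified" }).Name

# The restorable list the slide refers to.
$deleted = Get-MsolUser -ReturnDeletedUsers -All
$deleted | Select-Object UserPrincipalName, DisplayName, SoftDeletionTimestamp | Format-Table -AutoSize

foreach ($u in $deleted) {
    $upn = $u.UserPrincipalName
    $domain = $upn.Split("@")[1]

    # -AutoReconcileProxyConflicts drops proxy addresses that were reused by other
    # objects since the deletion instead of failing the restore.
    $params = @{
        UserPrincipalName           = $upn
        AutoReconcileProxyConflicts = $true
        ErrorAction                 = "Stop"
    }

    # The user's original domain has been removed from the tenant: restore under the
    # fallback domain, otherwise the restore fails.
    if ($tenantDomains -notcontains $domain) {
        $params["NewUserPrincipalName"] = $upn.Split("@")[0] + "@" + $fallbackDomain
    }

    try {
        Restore-MsolUser @params
        "restored $upn" + $(if ($params.ContainsKey("NewUserPrincipalName")) { " as " + $params["NewUserPrincipalName"] })
    } catch {
        "failed   $upn : " + $_.Exception.Message
    }
}
```

Restoring brings back the object with its previous licenses, group memberships and mailbox data, so a restore is as sensitive as creating an account: review the list before running the loop rather than restoring everything blindly.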

Page 29:

Shibboleth 2.X with Office 365

What is the Shibboleth Identity Provider (IdP)?
• Open source software package providing similar functionality to ADFS (e.g. SSO, authentication, SAML 2.0)
• Popular implementation of SAML 2.x with higher education institutions world-wide
• Shibboleth is managed by the Shibboleth Consortium (http://www.shibboleth.net/index.html)
• Latest version is 2.3.6

How do customers with a Shibboleth IdP* interoperate with Office 365?
• Set up a SAML 2.0 federation between Office 365 and their Shibboleth IdP
• Deploy DirSync for user provisioning from AD, and deploy MSOMA+FIM for user provisioning from non-AD

* This means that only the Shibboleth implementation of SAML is supported, not any SAML implementation

Diagram: Contoso.edu runs a Shibboleth 2.x IdP over a non-AD directory and provisions users with MSOMA + FIM; Fabrikam.edu runs a Shibboleth 2.x IdP over AD and provisions users with MSOMA + FIM. Both federate with Windows Azure Active Directory.

Supported clients: email rich clients and web clients.
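The "set up a SAML 2.0 federation" step above is done on the Office 365 side with Set-MsolDomainAuthentication; the following is an added example, not from the deck. It assumes a hypothetical verified domain contoso.edu, a hypothetical IdP at idp.contoso.edu with the standard Shibboleth 2.x endpoint paths, and the IdP signing certificate exported to C:\idp-signing.cer. The logout URI is a placeholder, since Shibboleth 2.x single logout support varies by deployment.

```powershell
# Added example (not from the deck): federate an Office 365 domain with a Shibboleth 2.x
# IdP over SAML 2.0 (SAML-P) and read the settings back.
# Assumptions (hypothetical): domain contoso.edu already verified, IdP at
# https://idp.contoso.edu/idp, signing certificate exported to C:\idp-signing.cer.

Import-Module MSOnline
Connect-MsolService -Credential (Get-Credential -Message "Office 365 admin")

$domain = "contoso.edu"
$idp = "https://idp.contoso.edu/idp"

# Office 365 wants the raw DER certificate as base64, not a PEM file with headers.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\idp-signing.cer")
$signingCert = [Convert]::ToBase64String($cert.GetRawCertData())

Set-MsolDomainAuthentication -DomainName $domain `
    -FederationBrandName "Contoso University" `
    -Authentication Federated `
    -IssuerUri "$idp/shibboleth" `
    -PassiveLogOnUri "$idp/profile/SAML2/POST/SSO" `
    -ActiveLogOnUri  "$idp/profile/SAML2/SOAP/ECP" `
    -LogOffUri       "$idp/profile/Logout" `
    -SigningCertificate $signingCert `
    -PreferredAuthenticationProtocol SAMLP

# Confirm what the service stored (issuer, endpoints, certificate thumbprint data).
Get-MsolDomainFederationSettings -DomainName $domain | Format-List
```

The cloud side only validates signatures and maps identities, so the IdP must be configured to emit what Office 365 expects: a persistent NameID equal to the user's ImmutableID (the value MSOMA+FIM or DirSync wrote as the source anchor) and an IDPEmail attribute equal to the UPN. The ECP endpoint is what makes the "email rich clients" row on this slide work, because Exchange Online uses it for the proxied active flow. When the IdP rotates its signing certificate, run Set-MsolDomainAuthentication again with the new certificate (or stage it ahead of time with -NextSigningCertificate); until then every token from the new key is rejected.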

Page 30:

Client access control

Limit access to Office 365 based on network connectivity (internet versus intranet):

• Block all external access to Office 365 based on the IP address of the external client
• Block all external access to Office 365 except Exchange ActiveSync; all other clients such as Outlook are blocked
• Block all external access to Office 365 except for passive browser based applications such as Outlook Web Access or SharePoint Online

Page 31:

Scoping & filtering for Synchronization

Customers can exclude objects from synchronizing to Office 365.

Scoping can be done at the following levels:

AD Domain-based

Organizational Unit-based

User Attribute based

Additional filtering capabilities will become available with the O365 Connector.

Page 32:

Multi-forest AD

Diagram: several AD forests (on-premises identity, e.g. Domain\Alice) are synchronized by DirSync on FIM into Windows Azure Active Directory, with federation using ADFS.

• Multi-forest AD support is available through Microsoft-led deployments
• The multi-forest DirSync appliance supports multiple disjoint account forests
• The FIM 2010 Office 365 connector supports complex multi-forest topologies

Page 33:

Non-AD Synchronization

Diagram: a non-AD (LDAP) directory (on-premises identity, e.g. Domain\Alice) is synchronized by the Office 365 Connector on FIM into Windows Azure Active Directory, with federation using a non-ADFS STS.

• Preferred option for directory synchronization with non-AD sources
• Non-AD support with FIM is available through Microsoft-led deployments
• The FIM 2010 Office 365 connector supports complex multi-forest topologies

Page 34:

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Page 35:

Appendix

Page 36:

Multi-forest decision flowchart

Page 37:

Client access control

• Block all external access to Office 365 based on the IP address of the external client
• Block all external access to Office 365 except Exchange ActiveSync; all other clients such as Outlook are blocked
• Block all external access to Office 365 except for passive browser based applications such as Outlook Web Access or SharePoint Online

Diagram: the passive path (web auth for OWA and SharePoint) reaches the AD FS 2.0 Server from an internal browser and the AD FS 2.0 Proxy from an external browser; the active path (Outlook 2010/2007 and ActiveSync auth, proxied by Exchange Online) reaches the AD FS 2.0 Proxy. The policies are applied at the proxy-facing side of each path.
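The three policies on slides 30 and 37 are implemented as issuance authorization rules on the Office 365 relying party trust in AD FS 2.0. The script below is an added example, not from the deck: it assumes AD FS 2.0 with Update Rollup 2 or later (which introduced the x-ms-* request-context claims the rules key on), the AD FS PowerShell snap-in on the federation server, and a hypothetical corporate egress range 203.0.113.0/24; the relying party name is the default one the Office 365 federation tooling creates.

```powershell
# Added example (not from the deck): the three client access control policies as
# AD FS 2.0 issuance authorization rules on the Office 365 relying party trust.
# Assumptions: AD FS 2.0 Update Rollup 2+ (x-ms-* request-context claims), the AD FS
# snap-in on the federation server, hypothetical corporate range 203.0.113.0/24.

Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rp = "Microsoft Office 365 Identity Platform"
$ctx = "http://schemas.microsoft.com/2012/01/requestcontext/claims"
$deny = "http://schemas.microsoft.com/authorization/claims/deny"
# Anchor the pattern: an unanchored "203.0.113." would also match 1203.0.113.5, and the
# forwarded-client-ip claim can hold several comma-separated addresses.
$corpIpRegex = "\b203\.0\.113\.(\d{1,3})\b"

# Policy 1: deny every request that came through the AD FS proxy (i.e. from the
# internet) unless the forwarded client IP is inside the corporate range.
$blockExternal = @"
@RuleName = "Block external clients outside corporate IP range"
exists([Type == "$ctx/x-ms-proxy"])
 && NOT exists([Type == "$ctx/x-ms-forwarded-client-ip", Value =~ "$corpIpRegex"])
 => issue(Type = "$deny", Value = "true");
"@

# Policy 2: as above, but let Exchange ActiveSync through. Exchange Online tags the
# proxied request with the client application, and AD FS surfaces it as a claim.
$blockExternalExceptEas = @"
@RuleName = "Block external clients except ActiveSync"
exists([Type == "$ctx/x-ms-proxy"])
 && NOT exists([Type == "$ctx/x-ms-forwarded-client-ip", Value =~ "$corpIpRegex"])
 && NOT exists([Type == "$ctx/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
 => issue(Type = "$deny", Value = "true");
"@

# Policy 3: as above, but let passive (browser) sign-in at /adfs/ls/ through, so OWA
# and SharePoint Online keep working while Outlook, ActiveSync and other active
# clients are blocked from outside.
$blockExternalExceptBrowser = @"
@RuleName = "Block external active clients, allow browser sign-in"
exists([Type == "$ctx/x-ms-proxy"])
 && NOT exists([Type == "$ctx/x-ms-forwarded-client-ip", Value =~ "$corpIpRegex"])
 && NOT exists([Type == "$ctx/x-ms-endpoint-absolute-path", Value == "/adfs/ls/"])
 => issue(Type = "$deny", Value = "true");
"@

# Whoever the deny rule does not catch is permitted; a deny claim always wins over permit.
$permitAll = @"
@RuleName = "Permit all users"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# Pick one policy; keep the deny rule ahead of the permit rule.
$rules = $blockExternalExceptBrowser + "`r`n" + $permitAll
Set-ADFSRelyingPartyTrust -TargetName $rp -IssuanceAuthorizationRules $rules

# Verify what is now in effect.
(Get-ADFSRelyingPartyTrust -Name $rp).IssuanceAuthorizationRules
```

Two caveats a reviewer should insist on. The x-ms-proxy claim only exists when the request passed through an AD FS proxy, so the rules are only as good as the network path: if the federation server itself is reachable from the internet, or is published through a reverse proxy (UAG/TMG) that does not set the claim, external traffic is treated as internal. And the x-ms-forwarded-client-ip value for the active flow is the address Exchange Online reports for the original client, which is why slide 22's "basic auth proposal" to pass the client IP, protocol and device name matters: without it, every proxied Outlook or ActiveSync logon looks like it comes from Exchange Online.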