Authentication: verifying that a user, device, or service (such as an application provided on a network server) is the entity that it claims to be.
Authorization: determining which actions an authenticated entity is permitted to perform on the network.
Slide 5
- SAML is a public standard managed by OASIS. SAML defines both the identity token (the assertion) and the protocol used to exchange it.
- SAML 2.0 is built on SAML 1.1, ID-FF and Shibboleth.
- The Relying Party (RP) is the system that relies on the Identity Provider (IdP) to authenticate a user.
- WS-Federation is used for web browser based authentication with an IdP.
- WS-Trust is used by Office rich client applications to authenticate.
Slide 6
Two kinds of user identity and the service behind each:
- Microsoft Account (user), e.g. [email protected]: authenticated by Microsoft Account.
- Organizational Account (user), e.g. [email protected]: authenticated by Windows Azure Active Directory.
Slide 7
Windows Azure Active Directory serves as both the directory store and the authentication platform for your app.
Slide 8
- Cloud Identity: single identity in the cloud. Suitable for small organizations with no integration to on-premises directories.
- Directory Synchronization: single identity suitable for medium and large organizations without federation.
- Federated Identity: single federated identity and credentials suitable for medium and large organizations.
Slide 10
SAML2 Identity Provider. More details on TechNet: http://aka.ms/sync
Slide 11
Password Sync compared with SSO with AD FS:
- Same password to access resources
- Can control password policies on-premises
- Support for two factor authentication*
- No password re-entry if on-premises
- Client access filtering by IP or by time schedule
- Authentication occurs on-premises
- Can immediately block disabled accounts
- Change password available from web
- Works with Forefront Identity Manager
* Azure AD offers some 2FA features that are available with an ADFS deployment on-premises.
Slide 13
- Your data and applications are under attack.
- Passwords are easily compromised.
- Consumerization of IT has only increased the scope of vulnerability.
- Strengthening regulatory requirements call for strongly authenticating access.
Slide 17
- Azure Active Directory Graph API: REST API for programmatic access to data in Azure AD. Can be used to build multi-tenant applications or custom LOB apps.
- Azure Active Directory Connector for FIM 2010 R2: can be used for multi-forest synchronization and non-AD sources. Public beta starts on Connect soon.
Slide 19
Comparison of the identity options:

Cloud Identity
  Org size: Small
  Control of attributes in directory: Least control
  Source of authority: Cloud
  Hardware requirements: No on-premises hardware required
  Login experience: Disjoint username and password for on-premises and cloud; enter credentials twice

Directory Sync
  Org size: All
  Control of attributes in directory: Full control via on-premises directory
  Source of authority: On-premises
  Hardware requirements: Windows Server OS for DirSync appliance
  Login experience: Disjoint username and password for on-premises and cloud; enter credentials twice

Password Sync
  Org size: All
  Control of attributes in directory: Full control via on-premises directory
  Source of authority: On-premises
  Hardware requirements: Windows Server OS for DirSync appliance
  Login experience: Same username and password for on-premises and cloud; enter credentials twice

Graph API
  Org size: All
  Control of attributes in directory: Can control core attributes and select optional ones
  Source of authority: Cloud
  Hardware requirements: Machine to run PowerShell jobs on
  Login experience: Disjoint username and password for on-premises and cloud; enter credentials twice

FIM
  Org size: Large
  Control of attributes in directory: Full control via on-premises directory
  Source of authority: On-premises
  Hardware requirements: Forefront Identity Manager with Office 365 Connector
  Login experience: Disjoint username and password for on-premises and cloud; enter credentials twice

Single Sign-On
  Org size: Large
  Control of attributes in directory: Full control via on-premises directory
  Source of authority: On-premises
  Hardware requirements: DirSync appliance; ADFS (or other STS) deployment
  Login experience: Same username and password for on-premises and cloud; log in once if on-premises
Slide 20
Cloud Identity: the user has a cloud identity, e.g. [email protected], held in Windows Azure Active Directory.
Slide 21
Directory Synchronization: the on-premises AD identity, e.g. Domain\Alice, is synchronized to a cloud identity, e.g. [email protected], held in Windows Azure Active Directory.
Slide 22
Directory Synchronization with one-way password hash: the on-premises AD identity, e.g. Domain\Alice, is synchronized to a cloud identity, e.g. [email protected], held in Windows Azure Active Directory, and the password hash is synchronized one way from AD to the cloud.
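A constructed illustration of what "one-way password hash" synchronization buys a defender: the cloud can verify a sign-in with the same password without ever holding the on-premises verifier, and a password changed on-premises fails in the cloud until the next sync. This is an added example, not content from the deck and not the algorithm Windows Azure Active Directory or DirSync actually uses; the function names, the SHA-256/PBKDF2 derivation and the sample passwords are assumptions.

```python
# Added illustrative model of one-way password hash synchronization. Not code
# from the deck and NOT the real Windows Azure AD / DirSync algorithm; the
# derivation, names and sample passwords are constructed for illustration.
import hashlib
import hmac
import os

ITERATIONS = 100_000  # constructed work factor


def onprem_verifier(password: str) -> bytes:
    """Stand-in for the verifier stored in the on-premises directory (constructed)."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def derive_cloud_record(verifier: bytes, salt: bytes = b"") -> dict:
    """Sync agent: re-hash the verifier with a per-user salt before it leaves the premises."""
    salt = salt or os.urandom(16)
    return {"salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", verifier, salt, ITERATIONS)}


def cloud_verify(record: dict, password: str) -> bool:
    """Cloud side: it can only recompute from a presented password and compare."""
    candidate = hashlib.pbkdf2_hmac("sha256", onprem_verifier(password),
                                    record["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])


def demo() -> dict:
    """One sync, one sign-in, one on-premises password change that has not
    synced yet. Returns the observations so they can be checked."""
    salt = bytes(16)  # fixed salt keeps the walkthrough reproducible
    old = onprem_verifier("Winter2013!")
    record = derive_cloud_record(old, salt)
    obs = {
        "same_password_signs_in": cloud_verify(record, "Winter2013!"),
        "wrong_password_rejected": not cloud_verify(record, "winter2013!"),
        "verifier_not_in_record": old not in record.values(),
        # changed on-premises; cloud still has the old record until next sync
        "stale_until_resync": not cloud_verify(record, "Spring2014!"),
    }
    record = derive_cloud_record(onprem_verifier("Spring2014!"), salt)
    obs["works_after_resync"] = cloud_verify(record, "Spring2014!")
    return obs


if __name__ == "__main__":
    print(demo())
```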
Slide 23
Federation using ADFS: the on-premises AD identity, e.g. Domain\Alice, is synchronized (DirSync or FIM) to a Windows Azure Active Directory user, and authentication is federated through ADFS.
Slide 24
Multi-forest decision flowchart. Decision points: number of Active Directory forests (single or multiple), number of Exchange organizations (none, single or multiple), whether account forests are disjoint, whether a disjoint account forest and an Exchange organization are accessed by accounts in the same forest, and whether the customer wants to consolidate to a single forest. Outcomes: Use Single Forest DirSync, Use Multi Forest DirSync, Use Office 365 Connector, or perform on-premises organization consolidation (see the consolidation whitepaper) and restart the flowchart after consolidation.
Slide 25
- Suitable for small/medium size organizations with AD or non-AD directories.
- Performance limitations apply with PowerShell and Graph API provisioning.
- PowerShell requires scripting experience.
- The PowerShell option can be used where the customer/partner may have wrappers around PowerShell scripts (e.g. self-service provisioning).
Slide 26
- Suitable for large organizations with certain AD and non-AD scenarios.
- Complex multi-forest AD scenarios.
- Non-AD synchronization through Microsoft Premier deployment support.
- Requires Forefront Identity Manager and additional software licenses.
Slide 27
Federation with AD or non-AD directories: the on-premises identity, e.g. Domain\Alice, from AD or a non-AD directory is brought to the Windows Azure Active Directory user through directory synchronization and federation.
Slide 28
Shibboleth (SAML)
- Suitable for educational organizations.
- Recommended where customers may use existing non-ADFS identity systems.
- Single sign-on; secure token based authentication.
- Support for web clients and Outlook (ECP) only.
- Microsoft supported for integration only; no Shibboleth deployment support.
- Requires on-premises servers and support.
- Works with AD and other directories on-premises (AD and non-AD).

Microsoft-supported federation (recommended option for Active Directory based customers)
- Suitable for medium and large enterprises, including educational organizations.
- Single sign-on; secure token based authentication.
- Support for web and rich clients.
- Microsoft supported.
- Works for Office 365 hybrid scenarios.
- Requires on-premises servers, licenses and support.

Third-party supported federation
- Suitable for medium and large enterprises, including educational organizations.
- Recommended where customers may use existing non-ADFS identity systems with AD or non-AD directories.
- Single sign-on; secure token based authentication.
- Support for web and rich clients.
- Third-party supported; verified through the Works with Office 365 program.
- Works for Office 365 hybrid scenarios.
- Requires on-premises servers, licenses and support.
Slide 29
- Qualified by Microsoft
- Reuse investments
Slide 30
Protocols per option:
- WS-Trust and WS-Federation
- WS-Federation
- SAML-P
- Active Directory with ADFS