Tuesday March 4, 2014 9:00-10:15am
Speaker: Spencer Harbar
ITPro Session
Agenda
- Identity Management and the Cloud
- Identity Federation for Office 365
- Leveraging Windows Azure to accelerate directory synchronization
Identity Management and the Cloud
- A SharePoint deployment means you are in the identity management business, whether you like it or not
- Importance increases significantly with SharePoint 2013
- User sign in, service interaction, virtually every investment area relies on profiles, App AuthZ, S2S, etc.
- Key functional scenarios require a base level of identity federation
- Hybrid, social
- Office 365 increases this dependency on "plumbing"
- Still a gap in how you deal with anonymous users - except for this, all key areas of SharePoint relies on profiles
- Example: hybrid search scenario - the quality and relevance of search results will depend on the information available, including information user profiles
- There is no product better than SharePoint to expose the implications of weak identity management!
- So, it's important - it exposes these weaknesses to end users via functionality available or not available to them, as opposed to IT operations
- Office 365 amplifies that further - includes Exchange, Lync, etc…
- Advancing identity management initiatives within enterprises…
- 10% technology, 90% everything else
- Can be a big barrier to ramping up an Office 365 project within the enterprise
- Primarily a political endeavor, not a technical one
- Getting consensus, explaining to execs in non-technical terms, discussing pros/cons, etc.
- No toolset from any vendor changes this - still new space, don't have all the tooling yet
- IdM consulting skills a must have for successful implementation
- Example IdM Project Considerations…
- Ownership: who owns which data? departmental controls, IS systems, organizational culture
- Data Quality: is the data even there? is the data clean? is the data up to date?
- System Quality: health of AD, too many forests or domains, line of business systems
- Key decision when moving to Office 365: are we in a position to modify the AD topology (remove forests, re-organize)
- Access Control: regulatory control, external data sources, authentication and authorization, SSL for sync
- Microsoft will only allow federation with O365 over SSL, and rightly so
- These are the considerations that tend to cause project delays
- It takes time for an organization to change in order to benefit from IdM initiatives - can be years
- At MS change happens quickly so they may be used to this, but most organizations are not
- IdM and the cloud
- Cloud deployment pushes identity considerations to the forefront
- Commonly these issues are pushed off when working on-prem
- Even simple scenarios simply don't work without it - for example federated search
- Long term this is perhaps one of the best side benefits of cloud computing, especially for IT Pros or Infrastructure focused practitioners
Identity Federation for Office 365
- Microsoft IdM Tooling
- Microsoft is clear leader and innovator in identity federation and metadirectory tooling
- Since 1999 - first commercial state based metadirectory
- The implementation changes the core concepts and operations remain the same
- Incredible pace of delivery with Windows Azure AD and related tooling
- Examples: include the revisions in directory sync, support for complex scenarios as well as the core service offering
- Remember: IdM tooling is only 10% of the battle
- Microsoft provides a fully documented connector that supports federated IdM to multi-forest environments
- Understanding the concepts, and getting consensus and internal support is the other 90%
- Identity Options
- Cloud Identity, Windows Azure AD
- Appropriate for smaller orgs without AD on-prem
- Pros: no servers requires on-prem
- Cons: no SSO, no multi-factor authentication, 2 sets of creds to manage with differing password policies, IDs mastered in the cloud, No control over password policies
- Cloud Identity and Directory Sync
- Appropriate for medium/large orgs with AD on-prem
- Pros: users and groups mastered on-prem, it enables coexistence scenarios
- Cons: no SSO, no multi-factor authentication, 2 sets of creds to manage with differing password policies, single server deployment
- Federated Identity
- Appropriate for larger enterprise orgs with AD on-prem
- Pros: SSO with corp creds, IDs mastered on-prem, Password policies under your control, support for multi-factor authentication, could use FIM or your own identity manager
- Cons: ???
- Hidden Concepts
- Anything other than cloud identity is a long term commitment to identity co-existence
- Dir sync and federation the only sensible option really; implementation may change but core concepts remain
- Journey to cloud requires more infrastructure on-prem
- And potentially prep, clean-up activities on-prem
- Identity Federation
- Will require ADFS 2 (both full and proxy deployment) and DirSync on-prem - Need 6 or 7 servers on-prem to enable this
- Example AD Considerations - Is AD in the right state to do identity federation?
- Matching domains - internal domain and external domain are the same (ex. Contoso.com)
- Consideration: Nothing special
- Sub-domain - internal domain is a subdomain of the external domain (ex. Corp.contoso.com)
- Consideration: Requires domains to be registered in order, primary and then subdomains
- Local domains - internal domain no publicly registered (ex. Contoso.local)
- Consideration: Domain ownership can't be proved, must use different domain, requires all users to get new UPN, use SMTP address if possible
- Multiple distinct UPN suffixes in single forest - mix users having login UPNs under different domains (ex. Contoso.com and fabrikam.com
- Consideration: AD FS QFE - to resolve this, requires new switch in windows PowerShell (SupportMutlipleDomain)
- Multi-forest - multiple AD forest
- Consideration: External FIM + guidance (guidance is good but its 180 pages)
- Other options
- Office 365 Connector for FIM
- Graph API
- 'Works with Office 365 Identity' program
- Simple options for identity management in Office 365
Leveraging Windows Azure to accelerate directory
synchronization
- Windows Azure Active Directory Sync Tool (New name for 'dirsync')
- Synchronizes on-prem AD users to O365
- Traditionally deployed to a dedicated box on-prem
- Why deploy this to the cloud?
- Reduce deployment time for O365 based services
- Provide high availability for directory sync
- Avoid barriers to deployment on-prem
- Reduce on-prem server count
- Critical Considerations
- Site to site VPN required
- Could be RRAS, juniper, etc.
- Windows Azure virtual network
- Address space, routing tables, firewall rules
- AD on-prem considerations remain 100% the same/valid
- Still significantly less work and much faster than deploying directory sync from scratch to on-prem scenario
- The change control aspects can be the real barriers when doing this for a real-world project
Wrap Up
- Identity Management and the Cloud
- Cloud is driving identity management to the forefront
- Microsoft the true leader in the cloud IdM space
- Identity Federation for O365
- Core concepts and options
- Leveraging Windows Azure to accelerate directory sync
- Deployment overview
- Deploy Office 365 Direcotry Synchronization in Windows Azure
No comments:
Post a Comment