Access resources in a federation partner organization.
Access Control in BYOD and Directory Integration in a Hybrid Identity Infrastructure
Gayana Bagdasaryan
PCIT-B213
Objectives
• Why AD FS?
• AD FS for Hybrid Identity
• AD FS for BYOD
Why AD FS?
You can implement access control solutions for claims-based applications and other resources that are located across organizational boundaries.
AD FS Deployment Goals
• Access claims-based applications within your enterprise
• Remotely access internally hosted Web sites or services
• Access resources in a federation partner organization
Access claims-based applications within your enterprise
Remotely access internally hosted Web sites or services
Access resources in a federation partner organization
Key AD FS Concepts
• Claims
• Claim rules
• Attribute stores
• Relying party trusts
• Claims provider trusts
• Configuration databases
AD FS Certificates
• Secure Sockets Layer (SSL) certificate
• Service communication certificate
• Token-signing certificate
• Token-decryption/encryption certificate
AD FS - simplified deployment experience
• No IIS dependency
• Remote installation and configuration via Server Manager
• UI support for installing AD FS with SQL Server
• GMSA support
• SQL Server merge replication support
AD FS - enhanced sign-in experience
• Unified customization of the AD FS service
• Support for automatic fallback to forms-based authentication for non-domain-joined devices
• HRD based on organizational suffix of the user
• Customizable logo, illustration image, IT support links, home page, privacy, description messages in the sign-in pages, web themes, error messages
Empowering People-centric IT: Management. Access. Protection.
(Diagram: Users, Devices, Apps, Data)
Hybrid Identity
Unify your environment
Create a centralized identity across on-premises and cloud
Use identity federation to maintain centralized authentication and securely share and collaborate with external users and businesses
Enable users
Provide users with self-service experiences to keep them productive
Enable single sign-on for users across all the resources they need access to
Protect your data
Enforce strong authentication when users access resources and apply conditional access controls to sensitive company information
Configure single sign-on across all company applications
Ensure compliance with governance, attestation and reporting
AD FS - access control risk management tools
• Access control based on user / device / location
• Global / per-application access control scope
• MFA based on user / device / location
• AD FS Extranet Lockout, to protect AD accounts from brute-force attacks coming from the internet
• Access revocation for workplace-joined devices disabled/deleted in AD
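The three controls listed above (extranet lockout, MFA by user/device/location, and global versus per-application scope) are all set through AD FS claim rules and service properties. The following is an added example, not part of the deck, showing how they are configured on a Windows Server 2012 R2 federation server; the relying party name and group SID are placeholders.

```powershell
# Added example (not from the deck): AD FS 2012 R2 risk-management settings, run on a federation server.
# The relying party name "Contoso Expense App" and the group SID are placeholders; replace with your own.
Import-Module ADFS

# 1. Extranet Lockout: stop password guessing that arrives through the Web Application Proxy from
#    locking out or compromising AD accounts. Keep the threshold below the AD account-lockout
#    threshold so a legitimate user is never locked out in AD itself.
Set-AdfsProperties -EnableExtranetLockout $true `
                   -ExtranetLockoutThreshold 5 `
                   -ExtranetObservationWindow (New-TimeSpan -Minutes 30)

# 2. Global MFA policy: require a second factor for every sign-in from outside the corporate network.
#    AD FS sets 'insidecorporatenetwork' to false for requests that came in through the proxy.
$globalMfa = @'
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/claims/authnmethodsreferences",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@
Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $globalMfa

# 3. Per-application scope: for one sensitive app, also require MFA from devices that are not
#    workplace-joined (no registered-device claim), even when the user is on the intranet.
$rpName = "Contoso Expense App"   # placeholder relying party trust name
$appMfa = @'
NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", Value == "true"])
 => issue(Type = "http://schemas.microsoft.com/claims/authnmethodsreferences",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@
Set-AdfsRelyingPartyTrust -TargetName $rpName -AdditionalAuthenticationRules $appMfa

# 4. Access control for the same app: permit only members of one AD group (identified by its SID).
$authz = @'
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^S-1-5-21-PLACEHOLDER-1234$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $authz

# Verify what was applied.
Get-AdfsProperties | Select-Object EnableExtranetLockout, ExtranetLockoutThreshold, ExtranetObservationWindow
Get-AdfsRelyingPartyTrust -Name $rpName | Select-Object Name, AdditionalAuthenticationRules, IssuanceAuthorizationRules
```

Because additional-authentication rules are evaluated after the primary authentication succeeds, a user who fails the MFA challenge still counts towards the extranet lockout window only for the password step; check the AD FS admin log for the rejected requests rather than relying on AD lockout events alone.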
AD FS - access to resources on personal devices from anywhere
• Workplace join (DRS)
• Pre-authentication of intranet resources
• Password change from workplace-joined devices
Demo
Workplace join with MFA
Related sessions:
• PCIT-IL301-R Wednesday, May 14 8:30 AM - 9:45 AM
• DEV-B344 Wednesday, May 14 1:30 PM - 2:45 PM
• PCIT-IL301-RR Thursday, May 15 1:00 PM - 2:15 PM
• PCIT-B330 Thursday, May 15 8:30 AM - 9:45 AM
Providing Users with a Common Identity
IT can provide users with a common identity across on-premises or cloud-based services, leveraging Windows Server Active Directory and Azure Active Directory.
Users are more productive by having a single sign-on to all their resources.
Users get access through accounts in Azure Active Directory to Azure, Office 365, and third-party applications.
Developers can build applications that leverage the common identity model.
Common Identity with Sync
User attributes are synchronized, including the password hash, so authentication can be completed against either Azure Active Directory or Windows Server Active Directory.
Synchronization
*Write back of attributes to support cloud first and co-existence
Common Identity with Federation
User attributes are synchronized, but authentication is passed back through federation and completed against Windows Server Active Directory.
Federation
AD FS provides conditional access to resources, Workplace Join for device registration, and integrated Multi-Factor Authentication.
Demo
- OneAD Wizard
- Alternate login ID
Identity Federation
Conditional access with multi-factor authentication is provided on a per-application basis, leveraging user identity, device registration & network location
Organizations can federate with partners and other organizations for seamless access to shared resources
Organizations can connect to SaaS applications running in Azure, Office 365 and 3rd party providers
Enhancements to AD FS include simplified deployment and management
Published applications
![Page 27: Access resources in a federation partner organization.](https://reader036.fdocuments.net/reader036/viewer/2022062805/5697bfed1a28abf838cb8ffe/html5/thumbnails/27.jpg)
• Breakout Sessions o PCIT-IL301-R Wednesday, May 14 8:30 AM - 9:45 AM
o DEV-B344 Wednesday, May 14 1:30 PM - 2:45 PM
o PCIT-IL301-RR Thursday, May 15 1:00 PM - 2:15 PM
o PCIT-B330 Thursday, May 15 8:30 AM - 9:45 AM
Find Me at the CSI booth
Related content
![Page 28: Access resources in a federation partner organization.](https://reader036.fdocuments.net/reader036/viewer/2022062805/5697bfed1a28abf838cb8ffe/html5/thumbnails/28.jpg)
TechNet Resources for IT Professionals
• Active Directory Federation Services Overview - http://technet.microsoft.com/en-us/library/hh831502.aspx
• Setup Geographic Redundancy with SQL Server Replication - http://technet.microsoft.com/en-us/library/dn632406.aspx
• AD FS Certificate Requirements - http://technet.microsoft.com/en-us/library/dn554247.aspx#BKMK_1
• Configuring AD FS Extranet Lockout - http://technet.microsoft.com/en-us/library/dn486806.aspx
• Configuring Alternate Login ID - http://technet.microsoft.com/en-us/library/dn659436.aspx
• Walkthrough Guide: Manage Risk with Additional Multi-Factor Authentication for Sensitive Applications - http://technet.microsoft.com/en-us/library/dn280946.aspx
• Configuring Authentication Policies - http://technet.microsoft.com/en-us/library/dn486781.aspx
• Developing Modern Applications using OAuth and AD FS - http://msdn.microsoft.com/en-us/library/dn633593.aspx
• Directory integration - http://msdn.microsoft.com/en-us/library/azure/jj573653.aspx
• AD FS on Curah - http://curah.microsoft.com/51820/ad-fs-technet-content-map
• BYOD on Curah - http://curah.microsoft.com/37111/bring-your-own-device-byod
Resources
Learning
Microsoft Certification & Training Resources
www.microsoft.com/learning
msdn
Resources for Developers
http://microsoft.com/msdn
TechNet
Resources for IT Professionals
http://microsoft.com/technet
Sessions on Demand
http://channel9.msdn.com/Events/TechEd
Complete an evaluation and enter to win!
Evaluate this session
Scan this QR code to evaluate this session.
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.