Microsoft Office 365 Single Sign-On (SSO) with AD FS 2.0
Microsoft France
Published: June 2012
Version: 1.0a
Authors: Philippe Beraud (Microsoft France), Jean-Yves Grasset (Microsoft France)
Contributor: Philippe Maurent (Microsoft Corporation)
2012 Microsoft Corporation.All rights reserved.
Microsoft Active Directory (AD FS) 2.0 WS-Federation (WS-Fed) WS-Trust Microsoft Office 365 Web (Web) (ID )
Office 365 Active Directory AD FS 2.0 Office
AD FS 2.0 Office 365 IT
URL Web
Microsoft, Active Directory, Internet Explorer, SQL Server, Windows, Windows PowerShell and Windows Server are trademarks of the Microsoft group of companies.
11
1.12
1.24
1.34
1.4MTC / 5
2Active Directory (AD FS) 2.0 6
2.1/ (STS)7
2.28
2.310
2.412
3Microsoft Office 365 15
3.1 ID 16
3.2 ID 21
3.3 ID 23
4SSO 26
4.1 27
4.2AD FS 2.0 29
4.3Microsoft Online Services 33
4.4 45
5Office 365 47
5.1AD FS 2.0 47
5.2/Web 62
5.3MEX/ 65
5.4EAS / 66
669
6.1 69
6.2Office 365 (2FA) 70
6.3 Office 365 73
6.4Office 365 77
Microsoft Office 365[footnoteRef:1] (IM) [1: Microsoft Office 365: http://office365.microsoft.com/]
Microsoft Office 365
Microsoft Office: Microsoft Office Professional Plus 2010 Microsoft Office Web Apps PC
:
Office Mobile 2010 (Office 2010 Office Web Apps ) Office Web AppsOffice Mobile 2010 Office 2010
Microsoft Exchange Online: Exchange Online Exchange Online
Microsoft SharePoint Online: SharePoint Online
Microsoft Lync Online: Lync Online IM /
:
Office 365 [footnoteRef:2]Office 365 for Enterprises [footnoteRef:3]Office 365 TechCenter[footnoteRef:4] Office 365 Web (Wiki )[footnoteRef:5] [2: Office 365 : http://onlinehelp.microsoft.com/ja-jp /office365-enterprises/] [3: Office 365 for Enterprise : http://www.microsoft.com/download/ja-jp/details.aspx?id=26509] [4: Office 365 TechCenter Web : http://technet.microsoft.com/ja-jp/office365/default] [5: Office 365 Web : http://community.office365.com/ja-jp/default.aspx]
SharePoint Online Office 365
Office 365 Active Directory (AD DS) Office 365
VPN Office 365 Office 365
: Office 365
: () Office 365
: Office 365 Office 365 1
Office 365 Active Directory (AD FS) 2.0 Office 365
OASIS
WS-Federation (WS-Fed) ()[footnoteRef:6] [6: Web Services Federation Language (WS-Federation) Version 1.2: http://docs.oasis-open.org/wsfed/federation/v1.2/ws-federation.pdf]
WS-Trust ()[footnoteRef:7] [7: WS-Trust Version 1.3: http://docs.oasis-open.org/ws-sx/ws-trust/200512/ws-trust-1.3-os.pdf]
Security Assertion Markup Language (SAML) 2.0 ()[footnoteRef:8] [8: Security Assertion Markup Language (SAML) 2.0: http://go.microsoft.com/fwlink/?LinkId=193996]
Microsoft Active Directory Federation Services (AD FS) 2.0 Release to Web (RTW)[footnoteRef:9][footnoteRef:10] Microsoft Microsoft (Web) (SSO) (ID ) [9: Microsoft AD FS 2.0 Release to Web (RTW) : http://www.microsoft.com/ja-jp/download/details.aspx?id=10909] [10: Microsoft AD FS 2.0 : http://www.microsoft.com/ja-jp/download/details.aspx?id=10909]
Wikipedia[footnoteRef:11] ID () [11: Wikipedia ID : http://ja.wikipedia.org/wiki/]
Microsoft Office 365 (ID )
MSDN Channel 9 Web Microsoft Office 365: Identity and Access Solutions ()[footnoteRef:12] Microsoft Ross Adams [12: Microsoft Office 365: Identity and Access Solutions: http://channel9.msdn.com/Events/TechEd/NorthAmerica/2011/OSP215]
AD FS 2.0
Office 365 ID
Office 365 ID
AD FS 2.0
AD FS 2.0 Microsoft Office 365 Microsoft Office 365
( )
AD DS Microsoft Online Services 1 Active Directory Office 365 Microsoft Online Services AD DS Office 365
Office 365 Microsoft Identity Lifecycle Management (ILM) 2007 ( Microsoft Forefront Identity Manager (FIM) 2010) Office 365
Office 365 Active Directory : [footnoteRef:13][footnoteRef:14] [13: Active Directory : : http://onlinehelp.microsoft.com/ja-jp/office365-enterprises/ff652543.aspx] [14: : http://onlinehelp.microsoft.com/ja-jp/office365-enterprises/ff652533.aspx]
Active Directory (AD FS) 2.0 ;
Microsoft Office 365 ;
Office 365 ;
SSO ;
;
Web
( ) (ID )
AD FS 2.0 ()
:
AD FS 2.0 Office 365 ()[footnoteRef:15] FAQ[footnoteRef:16]Office 365 SSO [footnoteRef:17] [15: Active Directory 2.0 : http://onlinehelp.microsoft.com/ja-jp/office365-enterprises/ff652539.aspx] [16: FAQ: http://community.office365.com/ja-jp/wikis/sso/381.aspx] [17: Office 365 SSO : http://community.office365.com/ja-jp/wikis/sso/1067.aspx]
Office 365 IT Office 365 Virtual Lab ()[footnoteRef:18] [18: Office 365 Virtual Labs for IT Pros: http://technet.microsoft.com/en-us/office365/hh699847]
MTC /
Microsoft Technology Center[footnoteRef:19] (MTC) [19: Microsoft Technology Center: http://www.microsoft.com/ja-jp/business/mtc]
2004 MTC Microsoft MTC Microsoft MTC
MTC Microsoft Microsoft / Web PHPJavaSAP ID
MTC 20 300 200 MTC Microsoft
ID ID Microsoft ID (STS) ()
MTC ID ID OASIS WS-Trust WS-Federation ID Microsoft AD FS 2.0 Microsoft Office 365
Active Directory (AD FS) 2.0
Windows 2000 (Server) AD DS Kerberos ID (Microsoft Microsoft ) Active Directory / Active Directory /
AD FS 2.0 ID Web
ID Web
AD FS 2.0
(: Microsoft PaaS (Platform as a Service)Microsoft Windows Azure [footnoteRef:20] ) [20: Microsoft Windows Azure : http://www.windowsazure.com/]
ID SaaS (Software as a Service) (: Microsoft Office 365[footnoteRef:21] / Microsoft) [21: Microsoft Office 365: http://office365.microsoft.com/]
AD FS 2.0 Windows (Server)
:
Windows Server 2008 (R2) AD FS AD FS 2.0 1.1 (Windows Server 2008 Windows Server 2008 R2) AD FS 2.0 AdfsSetup.exe Active Directory Federation Services 2.0 RTW[footnoteRef:22] [22: Active Directory Federation Services 2.0 RTW: http://www.microsoft.com/download/ja-jp/details.aspx?id=10909]
:
AD FS 2.0 2 ([footnoteRef:23]) Office 365 AD FS 2.0 RTW 2681584Description of Update Rollup 2 for Active Directory Federation Services (AD FS) 2.0 ()[footnoteRef:24] [23: 2607496 Active Directory (AD FS) 2.0 1 : http://support.microsoft.com/kb/2607496] [24: 2681584 Description of Update Rollup 2 for Active Directory Federation Services (AD FS) 2.0: http://support.microsoft.com/kb/2681584]
/ (STS)
AD FS 2.0 (STS)
ID.
( ) ( )
OASIS Security Services (SAML) Technical Committee (TC) ()[footnoteRef:25] Security Assertion Markup Language (SAML) SAML Office 365 SAML 1.1 / [25: OASIS Security Services (SAML) Technical Committee (TC): http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security]
STS X.509 ()
()
AD FS 2.0 STS STS
AD FS AD DS AD FS 2.0 Active Directory Lightweight Directory Service (AD LDS)Microsoft SQL Server
AD FS 2.0 Understanding Key Concepts Before You Deploy AD FS 2.0 ()[footnoteRef:26] [26: Understanding Key Concepts Before You Deploy AD FS 2.0: http://technet.microsoft.com/en-us/library/ee913566(WS.10).aspx]
AD FS 2.0 ()
ID (IP-STS): AD FS 2.0
IP-STS
STS (RP-STS): AD FS 2.0 AD FS 2.0 /STS
RP-STS (Act As )
: AD FS 2.0
AD FS 2.0 WS-FederationWS-TrustSAML 2.0 OASIS
AD FS 2.0 1.1 WS-Fed ()[footnoteRef:27] SAML [27: Web Services Federation Language (WS-Federation) Version 1.2: http://docs.oasis-open.org/wsfed/federation/v1.2/ws-federation.pdf]
IDA AD FS 2.0 WS-Fed Office 365
AD FS 2.0 Security Assertion Markup Language (SAML) 2.0 ()[footnoteRef:28] SAML 1.1 2.0 ( ) Using AD FS 2.0 for interoperable SAML 2.0-based federated Web Single Sign-On ()[footnoteRef:29] SAML 2.0 Web [28: Security Assertion Markup Language (SAML) 2.0: http://go.microsoft.com/fwlink/?LinkId=193996] [29: Using AD FS 2.0 for interoperable SAML 2.0-based federated Web Single Sign-On: http://download.microsoft.com/documents/France/Interop/2010/Using_ADFS2_0_For_Interoperable_SAML_2_0-Based_Federated_SSO.docx]
SAML (SAML-P) Office 365
:
SAML XML SAML Core SAML 1 SAML Office 365 SAML 2.0 (SAML-P 2.0) SAML 1.1 Core ()[footnoteRef:30] SAML 1.1 [30: Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML) V1.1: http://www.oasis-open.org/committees/download.php/3406/oasis-sstc-saml-core-1.1.pdf]
:
SAML-P 2.0 Office 365
AD FS 2.0 SAML 2.0 WS-Fed Step-by-Step Guide: Federated Collaboration with Shibboleth 2.0 and SharePoint 2010 technologies[footnoteRef:31]SharePoint 2010 [31: Step-by-Step Guide: Federated Collaboration with Shibboleth 2.0 and SharePoint 2010 technologies: http://download.microsoft.com/documents/France/Interop/2010/Federated_Collaboration_With_Shibboleth_2_0_and_SharePoint_2010_technologies-1_0.docx]
AD FS 2.0 SAML 2.0 Liberty Interoperability Testing Procedures for SAML 2.0 version 3.2.2 ()[footnoteRef:32] [32: Liberty Interoperability Testing Procedures for SAML 2.0 version 3.2.2: http://www.projectliberty.org/liberty/content/download/4709/32204/file/Liberty_Interoperability_SAML_Test_Plan_v3.2.2%20.pdf]
AD FS 2.0 2008 2 Microsoft ()[footnoteRef:33] [33: News Press Release. Microsoft Makes Strategic Changes in Technology and Business Practices to Expand Interoperability: http://www.microsoft.com/presspass/press/2008/feb08/02-21ExpandInteroperabilityPR.mspx]
Microsoft Microsoft
Microsoft 4 Windows ServerSharePoint
1.
2.
3.
4. IT
AD FS 2.0
AD FS 2.0 WS-Fed SAML 2.0 OASIS WS-Trust ()[footnoteRef:34]Office 365 [34: WS-Trust Version 1.3: http://docs.oasis-open.org/ws-sx/ws-trust/200512/ws-trust-1.3-os.pdf]
IAM (ID ) GRC () European Identity Conference (EIC) 2009 Microsoft Geneva (AD FS 2.0 WIF 1.0) Kuppinger Cole 2009 European Identity ()[footnoteRef:35] ID 1 [35: European Identity Award 2009: http://www.id-conf.com/blog/2009/05/07/awards-for-outstanding-identity-management-projects/]
AD FS 2.0
: AD FS 2.0
AD FS 2.0
1 AD FS 2.0 Windows Server 2008 (R2) Windows Internal Database (WID) Microsoft SQL Server
(Office 365 ) 1
AD FS 2.0 (FS) SSL/TLS DNS SSL/TLS
AD FS 2.0 (FS) Windows Server 2008 (R2) ID ()
1 2
Windows Server 2008 (R2) Office 365 (FS-P)
AD FS 2.0
AD FS 2.0 ( Office 365)
() ( ) AD FS 2.0 NLB DNS
:
AD FS 2.0 ()[footnoteRef:36] AD FS 2.0 Q&A ()[footnoteRef:37] [36: AD FS 2.0 TechNet : http://technet.microsoft.com/en-us/library/adfs2(WS.10).aspx] [37: AD FS 2.0 Q&A : http://social.msdn.microsoft.com/Forums/en-US/Geneva/threads]
Windows Server Microsoft Active Directory Federation Services (AD FS) 2.0 Release to Web (RTW)[footnoteRef:38][footnoteRef:39] Windows Server 2008 Service Pack 2 (SP2) Windows Server 2008 R2 [38: Microsoft AD FS 2.0 Release to Web (RTW) : http://www.microsoft.com/ja-jp/download/details.aspx?id=10909] [39: Microsoft AD FS 2.0 : http://www.microsoft.com/ja-jp/download/details.aspx?id=10909]
:
Windows Server 2008 Windows Server 2008 R2 AD FS 1.1 Office 365 2.0
AD FS 2.0 RTW
(IIS) 7 7.5 (Windows Server )
Microsoft .NET Framework 3.5 SP1
AD FS 2.0 [footnoteRef:40] [40: AD FS 2.0 : http://www.microsoft.com/ja-jp/server-cloud/windows-server/active-directory-overview.aspx]
AD FS 2.0 AD FS 2.0 AD FS 2.0 2 Office 365 AD FS 2.0 RTW
AD FS 2.0 2 1 1
1 AD FS 2.0
()
AD FS 2.0 Windows Internal Database (WID)
WID WID Windows Windows Server 2008 Windows Server 2008 R2 SQL Server Express WID SQL
WID /() /
SQL Server ( WID 5 )SAML SAML Federation Server Farm Using SQL Server ()[footnoteRef:41] [41: Federation Server Farm Using SQL Server: http://technet.microsoft.com/en-us/library/gg982487(WS.10).aspx]
AD FS 2.0
AD FS 2.0
: () HTTP AD FS 2.0 ()
: AD FS 2.0 ID
: Active Directory AD FS 2.0
: HTTP
[ ]
()
AD FS 2.0 (5.1.5 ) /Microsoft Threat Management Gateway (TMG) Publishing ADFS through ISA or TMG Server ()[footnoteRef:42] [42: Publishing ADFS through ISA or TMG Server: http://blog.c7solutions.com/2011/06/publishing-adfs-through-isa-or-tmg.html]
(AD FS 2.0 Microsoft Forefront Unified Application Gateway (UAG) Service Pack 1 (SP1) UAG SP1 for AD FS 2.0 UAG Deploying federation with AD FS ()[footnoteRef:43] [43: Deploying federation with AD FS: http://technet.microsoft.com/en-us/library/dd857388.aspx]
Microsoft Office 365
AD FS 2.0 SharePoint Online Office 365
Microsoft Office 365 2 ID
1. Microsoft Online Services ID ( ID): Office 365 / ID ID
:
ID ID /
2. ID: Active Directory Active Directory Office 365 Active Directory ID ID ID
Office 365 Office 365 ID Office 365 3
1. ID
2. ID (DirSync)
3. ID (DirSync)
ID () Office 365
ID : ID ID /
2 ID 1 ID 1 Office 365 ID Microsoft Online Service ID Office 365 AD
ID : ID Online 365 AD FS 2.0 Active Directory SSO 2 (2FA)
ID : ID Office 365 Microsoft Online Services ID 2FA
ID : ID Active Directory ID 2FA (6.2 Office 365 (2FA) )
: Office 365 ID
ID Office 365 ID Office 365 ID [footnoteRef:44] [44: Office 365 ID : http://www.microsoft.com/download/ja-jp/details.aspx?id=13602]
ID Active Directory
Office 365 Windows Server 2003
Windows XP, Windows Vista, Windows 7 Office 365 (Office Professional Plus 2010 ) Office 365
Microsoft Office 365 1 Microsoft Online Services Connector Office 365
Office 365
Internet Explorer Lync Office 365
:
Office 365 [footnoteRef:45] [45: Office 365 : http://community.office365.com/ja-jp/wikis/administration/852.aspx]
Office 365 Microsoft Online (MOP) SharePoint OnlineOutlook Web App (OWA) Web Office 365 OutlookLync
Office 365 1 Microsoft Online Services (MOS SIA) Office 365
:
IT Microsoft Online Services RTW[footnoteRef:46] (msoidcli_32bit.msi (32 ) msoidcli_64bit.msi (64 )) IT System Center Configuration Manager (SCCM) Office 365 MOS SIA Office 365 Office 365 [46: IT Microsoft Online Services RTW: http://www.microsoft.com/download/ja-jp/details.aspx?id=28177]
Microsoft Online Services (MOS SIA) [footnoteRef:47]MOS SIA (DLL) Windows Office Lync Office 365 AD FS 2.0 [47: Microsoft Online Services (MOS SIA) : http://community.office365.com/ja-jp/wikis/office/1080.aspx]
: Microsoft Online Services
:
Windows (SSPI) API ( ) 1 (SSP) (DLL) SSP 1 SSP Windows NTLM Microsoft Kerberos Secure Socket Layer (SSL) SSPI SSP
SSPI Microsoft TechNet The Security Support Provider Interface ()[footnoteRef:48] Microsoft MSDN Security Support Provider Interface (SSPI) ()[footnoteRef:49] [48: The Security Support Provider Interface: http://technet.microsoft.com/en-us/library/bb742535.aspx] [49: Security Support Provider Interface (SSPI): http://msdn.microsoft.com/en-us/library/windows/desktop/aa378663(v=vs.85).aspx]
%Program Files%\Common Files\Microsoft Shared\Microsoft Online Services
MSOIDCLI.dll: Office 365
MSOIDSVC.exe: Windows MSOIDSVC AD FS 2.0 Office 365 ID
MSOIDSVC.exe: MSOIDSVC MSOIDSVC
MSOIDRES.dll:
Windows 7 DLL
MSOIDCredProv.dll: COM Windows
MSOIDSSP.dll: %windir%\system32 SSP
:
64 Windows msoidcli.dll msoidres.dll %Program Files (x86)%\Common Files\Microsoft Shared\Microsoft Online Services 64 Windows 7 msoidcredprov.dll
MOS SIA
:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSOIdentityCRL]
"Language" (default: dword:00000409)
"TargetDir" (default: %Program Files%\Common Files\Microsoft Shared\Microsoft Online Services)
"MSOIDCRLVersion" (as of writing, current version is 7.250.4287.0)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSOIdentityCRL\Environment]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSOIdentityCRL\Environment\Production]
"RemoteFile" (default: http://clientconfig.microsoftonline-p.net/PPCRLconfig.srf)
"Flags" (default: dword:00000001)
"Level" (default: dword:00000002)
MOS SIA Office 365 Office 365 Office 365 Office 365 Office 365 [footnoteRef:50] [50: Office 365 : http://onlinehelp.microsoft.com/ja-jp/Office365-enterprises/ff637594.aspx]
AD FS 2.0
Office 365 Office 365 AD FS 2.0 Windows PowerShell Microsoft Online Services Office 365 Windows PowerShell
:
Windows PowerShell Windows Shell Windows Microsoft Server
Windows PowerShell 2.0 Windows PowerShell Web [footnoteRef:51]Windows PowerShell [footnoteRef:52]Windows PowerShell Weblog ()[footnoteRef:53] Windows PowerShell Software Development Kit (SDK) ()[footnoteRef:54] [51: Windows PowerShell Web : http://technet.microsoft.com/ja-jp/scriptcenter/dd742419.aspx] [52: Windows PowerShell : http://technet.microsoft.com/ja-jp/library/bb978526.aspx] [53: Windows PowerShell Weblog: http://blogs.msdn.com/powershell] [54: Windows PowerShell SDK: http://msdn2.microsoft.com/en-us/library/aa830112.aspx]
Microsoft Online Services Office 365 Microsoft Online Services (MSO SIA)
Office 365 AD FS 2.0
ID
Office 365 ID ()
: Office 365 ID ()
Outlook 2010/Outlook 2007Exchange ActiveSyncPOPIMAP
()
Microsoft Online SharePoint OnlineOffice Web Apps
1
1
Outlook Web Apps
Office 2010/Office 2007 SharePoint Online
Lync 2010 Lync Online
1 (6.4 Office 365 )
ID
Microsoft Online (MOP)SharePoint Online Outlook Web Apps (OWA)
Office 2007 2010 SharePoint Online
Lync 2010 Lync Online
Outlook
: Office 365 ID ()
Outlook 2010/Outlook 2007Exchange ActiveSyncPOPIMAP
()
Microsoft Online SharePoint OnlineOffice Web Apps
1
Outlook Web Apps
Office 2010/Office 2007 SharePoint Online
Lync 2010 Lync Online
1 (6.4 Office 365 )
ID
Office 365 ID
Web
Office 365 Microsoft Online (MOP)SharePoint OnlineOutlook Web App (OWA) Web
ID
1. Web Office 365 IETF RFC 822 Standard for ARPA Internet Text Messages ()[footnoteRef:56] User Principal Name (UPN) ()[footnoteRef:55] ID (: [email protected]) AD FS 2.0 [55: User-Principal-Name attribute: http://msdn.microsoft.com/en-us/library/windows/desktop/ms680857(v=vs.85).aspx] [56: RFC 822 Standard for ARPA Internet Text Messages: http://tools.ietf.org/html/rfc822]
2. () Windows (Kerberos NTLMv2) AD FS 2.0 SAML 1.1 Web Office 365 Web
(EAP)[footnoteRef:57] FirefoxChrome Safari Windows (IWA) Office 365 Office 365 AD FS 2.0 [footnoteRef:58] AD FS 2.0 EAP (Windows 7 ) [57: : http://support.microsoft.com/kb/968389] [58: Office 365 AD FS 2.0 : http://support.microsoft.com/kb/2461628]
Office 365 FirefoxChrome Safari EAP Windows Internet Explorer 8 FirefoxChrome Safari Office 365
To let these browsers authenticate, the extended protection token check is turned off on the AD FS 2.0 federation server with Set-ADFSProperties (value None):
PS C:\Windows\system32> Add-PSSnapin Microsoft.Adfs.Powershell
PS C:\Windows\system32> Set-ADFSProperties -ExtendedProtectionTokenCheck None
This setting is server-wide: it also removes the channel-binding check for Internet Explorer clients, so a TLS man-in-the-middle that terminates the client's connection can relay the Windows authentication exchange to AD FS 2.0. Record the current value with Get-ADFSProperties before changing it, and treat the change as an accepted risk rather than a default.
:
AD FS 2.0 AD FS 2.0 Administration with Windows PowerShell ()[footnoteRef:59]AD FS 2.0 Cmdlets Reference ()[footnoteRef:60] [59: AD FS 2.0 Administration with Windows PowerShell: http://go.microsoft.com/fwlink/?LinkId=194005] [60: AD FS 2.0 Cmdlets Reference: http://go.microsoft.com/fwlink/?LinkId=177389]
Authentication Handler Overview ()[footnoteRef:61] AD FS 2.0 Web Windows (FBA) [61: Authentication Handler Overview: http://msdn.microsoft.com/en-us/library/ee895365.aspx]
Microsoft Office 2
1. Microsoft Online Services (MOS SIA): (Office 365 ) Microsoft Online Services Windows MSOIDSVC.exe Office 365
ID (5.3 MEX/ )MSOIDSVC AD FS 2.0 (Kerberos NTLMv2 ) Office 365 ((WS-Federation ) WS-Trust )
2. SSL /: Outlook SSL Exchange Online Exchange Online Office 365 ( ) AD FS 2.0 (5.4 EAS / )
:
(DMZ ) AD FS 2.0
ID
: Office 365 ID
Outlook 2007/Outlook 2010Exchange ActiveSyncPOP/IMAP/SMTP
SSL AD FS 2.0 ( AD FS 2.0 )
Web
Web WS-Federation (AD FS 2.0)
Microsoft Office 2007/Office 2010 (WordExcel PowerPoint)
Web WS-Federation (AD FS 2.0)
Lync 2010
WS-Federation () WS-Trust ( AD FS 2.0)
SSO
Microsoft Online (MOP)
MOP [] [] https://portal.microsoftonline.com/UserManagement/UserManager.aspx
[] [footnoteRef:62] [62: : http://onlinehelp.microsoft.com/ja-jp/office365-enterprises/ff652540.aspx]
[] [footnoteRef:63] 10 ( ()) [63: : https://portal.microsoftonline.com/IdentityFederation/IdentityFederation.aspx]
[footnoteRef:64] [64: : http://onlinehelp.microsoft.com/ja-jp/office365-enterprises/hh125004.aspx]
[footnoteRef:65] ID IT Active Directory Active Directory [65: : http://onlinehelp.microsoft.com/ja-jp/office365-enterprises/ff652540.aspx]
Active Directory Microsoft Office 365 for Enterprise [footnoteRef:66] (Office365DeploymentReadinessTool.exe) Microsoft Office 365 [footnoteRef:67] [66: Microsoft Office 365 for Enterprise: http://community.office365.com/ja-jp/forums/358/t/22545.aspx] [67: Microsoft Office 365 : http://community.office365.com/ja-jp/forums/358/t/23127.aspx]
Active Directory
1. UPN: ID (UPN) (Active Directory ) UPN Office 365 ID ID Office 365
ID UPN (@) UPN ADModify ()[footnoteRef:68] [68: ADModify: http://admodify.codeplex.com/]
: Office 365 Active Directory
2. : idmgt.fr legal.idmgt.frparis.idmgt.fr
3. : .local (idmgt.local ) .int (idmgt.int ) ( DNS ) Office 365 UPN UPN UPN Office 365
4. : 1 UPN (@[email protected] )AD FS 2.0 AD FS 2.0 2 ( AD FS 2.0 1) (4.3 Microsoft Online Services )
5. : ID
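The UPN requirements above (every federated user needs a UPN, its suffix must be a public domain verified in Office 365, and non-routable suffixes such as .local or .int will not work) are easy to state and easy to get wrong across a large forest. The following PowerShell audit is an added example, not part of the white paper: it lists every enabled user whose UPN would not sign in. It assumes the ActiveDirectory module (RSAT) on the machine it runs on and, unless a domain list is passed in by hand, an existing Connect-MsolService session so that the verified domains can be read from Office 365.

```powershell
# Added example: audit AD user UPN suffixes against the domains verified in Office 365.
# Assumes: ActiveDirectory module (RSAT); Connect-MsolService already run when
# -VerifiedDomains is not supplied. Exact suffix match is used, so a sub-domain must
# itself be registered and verified to pass.
param([string[]]$VerifiedDomains)

Import-Module ActiveDirectory
if (-not $VerifiedDomains) {
    $VerifiedDomains = Get-MsolDomain |
        Where-Object { $_.Status -eq 'Verified' } |
        ForEach-Object { $_.Name }
}
$verified = @($VerifiedDomains | ForEach-Object { $_.ToLower() })

# Returns $null when the UPN is usable for Office 365, otherwise a short reason.
function Test-UpnForOffice365([string]$Upn) {
    if ([string]::IsNullOrEmpty($Upn)) { return 'UPN not set' }
    if (-not ($Upn -match '^[^@\s]+@([^@\s]+)$')) { return 'UPN malformed' }
    $suffix = $matches[1].ToLower()
    if ($suffix -match '\.(local|int|internal|lan)$') { return "non-routable suffix $suffix" }
    if ($verified -notcontains $suffix) { return "suffix $suffix not verified in Office 365" }
    return $null
}

$report = @(foreach ($u in Get-ADUser -Filter { Enabled -eq $true } -Properties userPrincipalName) {
    $problem = Test-UpnForOffice365 $u.UserPrincipalName
    if ($problem) {
        New-Object PSObject -Property @{
            SamAccountName = $u.SamAccountName
            UPN            = $u.UserPrincipalName
            Problem        = $problem
        }
    }
})

$report | Sort-Object Problem, SamAccountName | Format-Table SamAccountName, UPN, Problem -AutoSize
"{0} enabled user(s) have a UPN that will not federate; fix them (for example with ADModify) before running New-MsolFederatedDomain." -f $report.Count
```

Run it once before federating the domain and again after any bulk UPN change; an empty report is the precondition for the steps in the following sections.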
AD FS 2.0
Office 365 ID Office 365 AD FS 2.0 Office 365 AD FS 2.0
Active Directory 2.0 [footnoteRef:69] [69: Active Directory 2.0 : http://onlinehelp.microsoft.com/ja-jp/office365-enterprises/ff652539.aspx]
Office 365 AD FS 2.0
AD FS 2.0 Office 365 ID AD FS 2.0 [footnoteRef:70] AD FS 2.0 AD FS 2.0 Office 365 [70: Office 365 ID AD FS 2.0 : http://support.microsoft.com/kb/2510193]
AD FS 2.0 Microsoft
AD FS 2.0 ID Office 365 Office 365
1 - AD FS 2.0
AD FS 2.0 Active Directory () AD FS 2.0 AD FS 2.0
: AD FS 2.0
AD FS 2.0 AD FS 2.0
Office 365 Outlook (2007 2010) ID Exchange Online Outlook ( 401 HTTP )
1. : () Office 365
2. : Office 365
3. : Microsoft Exchange ActiveSync Microsoft Exchange Online Office 365
4. Microsoft Outlook : Outlook (2007 2010) Office (IMAP POP ) Office 365
Office 365 Microsoft AD FS 2.0 Microsoft Online (MOP)SharePoint Online Outlook Web Apps (OWA)
2 - AD FS 2.0
AD FS 2.0 Active Directory TMG ( )
:
AD FS 2.0 (EAP)[footnoteRef:71] firewall-published Active Directory (AD FS) [footnoteRef:72] [71: : http://go.microsoft.com/fwlink/?LInkId=178431] [72: firewall-published Active Directory (AD FS) : http://support.microsoft.com/kb/2535789]
Office 365
HTTPS ( 443)
SAML
AD FS SAML
Forefront Threat Management Gateway 2010 Active Directory [footnoteRef:73] [73: Forefront Threat Management Gateway 2010 Active Directory : http://support.microsoft.com/kb/2535789]
3 AD FS 2.0
AD FS 2.0 Active Directory
Exchange Online Outlook Exchange Online [footnoteRef:74] 5.3 MEX/ [74: Exchange Online : http://support.microsoft.com/kb/2466333]
( ) Office 365 Office 365 Office 365
Windows PowerShell Microsoft Online Services Update-MSOLFederatedDomain (4.3.1 Microsoft Online Services ) [footnoteRef:75] [75: : http://onlinehelp.microsoft.com/ja-jp/office365-enterprises/ff652538.aspx#BKMK_UpdateTrustProperties]
4 - VPN AD FS 2.0
AD FS 2.0 ( ) Active Directory (VPN) AD FS 2.0
( ) VPN Office 365
Office 365
HTTPS ( 443) DNS AD FS
/DNS Office 365
VPN/
Windows PowerShell Microsoft Online Services Update-MSOLFederatedDomain (4.3.1 Microsoft Online Services )
AD FS 2.0
AD FS 2.0
AD FS 2.0 Active Directory 2.0 [footnoteRef:76]Microsoft TechNet Active Directory Federation Services (AD FS) 2.0 () Install the AD FS 2.0 Software ()[footnoteRef:77] AD FS 2.0 AD FS 2.0 [76: Active Directory 2.0 : http://onlinehelp.microsoft.com/ja-jp/office365-enterprises/ff652539.aspx] [77: Install the AD FS 2.0 Software: http://technet.microsoft.com/en-us/library/dd807096(WS.10).aspx]
AD FS 2.0 (AdfsSetup.exe) Active Directory Federation Services 2.0 RTW[footnoteRef:78] AD FS 2.0 2 AD FS 2.0 2681584 Description of Update Rollup 2 for Active Directory Federation Services (AD FS) 2.0 ()[footnoteRef:79] [78: Active Directory Federation Services 2.0 RTW: http://www.microsoft.com/download/ja-jp/details.aspx?id=10909] [79: 2681584 Description of Update Rollup 2 for Active Directory Federation Services (AD FS) 2.0: http://support.microsoft.com/kb/2681584]
Microsoft Online Services
(4.2.1 Office 365 AD FS 2.0 ) AD FS 2.0 Windows PowerShell Microsoft Online Services
:
Microsoft Online Services (MSO SIA) MSO SIA Office 365 IT Microsoft Online Services [footnoteRef:80] [80: IT Microsoft Online Services : http://www.microsoft.com/download/ja-jp/details.aspx?id=28177]
PowerShell Windows PowerShell Office 365 ID AD FS 2.0 URL
AD FS 2.0 AD FS 2.0
Microsoft Online Services
Microsoft Online Services AD FS 2.0
1. AD FS 2.0 Microsoft Online (MOP) Windows PowerShell Microsoft Online Services [footnoteRef:81] 2. [81: Windows PowerShell Microsoft Online Services : http://onlinehelp.microsoft.com/ja-jp/office365-enterprises/ff652560.aspx]
2. Microsoft Online Services (AdministrationConfig-en.msi) (32 64 ) []
:
MOP [] [] [footnoteRef:82] AD FS 2.0 3. [82: : https://portal.microsoftonline.com/IdentityFederation/IdentityFederation.aspx]
Windows PowerShell Microsoft Online Services
3. []
4. [] [] []
5. [] []
6. [] []
7. []
Office 365 Windows PowerShell [footnoteRef:83] (ID ) Office 365 (ID ) [83: Office 365 Windows PowerShell : http://onlinehelp.microsoft.com/ja-jp/office365-enterprises/hh125002.aspx]
: Office 365 Windows PowerShell
New-MsolFederatedDomain
Office 365 AD FS 2.0 Office 365
Convert-MsolDomainToStandard
AD FS 2.0 Office 365 Office 365
Convert-MsolDomainToFederated
AD FS 2.0 Office 365
Get-MsolFederationProperty
AD FS 2.0 Office 365 AD FS 2.0 Office 365
Get-MsolDomainFederationSettings
Office 365 Office 365 AD FS 2.0 Get-MsolFederationProperty
Remove-MsolFederatedDomain
Office 365 AD FS 2.0 :
Set-MsolDomainFederationSettings
Set-MsolADFSContext
Office 365 AD FS 2.0 AD FS 2.0 AD FS 2.0
Update-MsolFederatedDomain
AD FS 2.0 Office 365 () AD FS 2.0 URL Office 365 2 Get-MsolFederationProperty
Microsoft Online Services Windows PowerShell
Windows PowerShell Microsoft Online Services Windows PowerShell Windows PowerShell
Windows PowerShell Microsoft Online Services
1. [][][Microsoft Online Services][Windows PowerShell Microsoft Online Services ] Windows PowerShell
2. Windows PowerShell Connect-MsolService Microsoft Online Windows PowerShell
PS C:\Windows\system32> Connect-MsolService
PS C:\Windows\system32> _
:
Windows PowerShell
3. AD FS 2.0 Set-MsolADFSContext AD FS AD FS 2.0
PS C:\Windows\system32> Set-MsolADFSContext
cmdlet Set-MsolADFSContext at command pipeline position 1
Supply values for the following parameters:
Computer: idmgt-dc
PS C:\Windows\system32> _
AD FS 2.0
Windows PowerShell Microsoft Online Services Windows PowerShell
1. Windows PowerShell Microsoft Online Services (4.3.2 Microsoft Online Services Windows PowerShell )
2. Run New-MsolFederatedDomain with the -DomainName parameter:
PS C:\Windows\system32> New-MsolFederatedDomain -DomainName demo.idmgt.archims.fr
: ps.microsoftonline.com DNS demo.idmgt.archims.fr CNAME
demo.idmgt.archims.fr
http://technet.microsoft.com/en-us/library/cc742578.aspx
PS C:\Windows\system32> _
new-MsolFederatedDomain 1
3. Add the following TXT record (or an MX record) to the domain's public DNS zone:
Host name: demo.idmgt.archims.fr
Value: v=verifydomain MS=ms90115610
TTL: 1 hour
Office 365 DNS Office 365 [footnoteRef:84][footnoteRef:85] [84: Office 365 : http://onlinehelp.microsoft.com/ja-jp/office365-enterprises/ff637620.aspx] [85: : http://onlinehelp.microsoft.com/ja-jp/office365-enterprises/gg584188.aspx]
4. Run New-MsolFederatedDomain -DomainName again:
PS C:\Windows\system32> New-MsolFederatedDomain -DomainName demo.idmgt.archims.fr
demo.idmgt.archims.fr
PS C:\Windows\system32> _
Exchange Online Office 365
AD FS 2.0 https://adfs.demo.idemgt.archims.com/adfs/ls/
Exchange Online
new-MsolFederatedDomain 2
:
Microsoft Online (MOP) MOP 1
Microsoft Online (MOP) MOP [] [] []
Microsoft Online
AD FS 2.0
Office 365 ID AD FS 2.0
AD FS 2.0 Office 365 ID 1
AD FS 2.0 Office 365
AD FS 2.0 () AD FS 2.0 SSL/TLS ( 1 )
AD FS 2.0 () AD FS 2.0
AD FS 2.0 (4.2.1 Office 365 AD FS 2.0 )
AD FS 2.0 URL
ID Office 365 []
Office 365 ID
1. Windows PowerShell Microsoft Online Services (4.3.2 Microsoft Online Services Windows PowerShell )
2. Update-MsolFederatedDomain -DomainName
Microsoft Office 365 ()[footnoteRef:86]Microsoft Office 365 AD FS 2.0 Office 365 ID [86: Microsoft Office 365 http://gallery.technet.microsoft.com/scriptcenter/Office-365-Federation-27410bdc]
Microsoft Online (MSOL) AD FS 2.0 Office 365
1. AD FS 2.0
2. O365-Fed-MetaData-Update-Task-Installation.ps1.txt AD FS 2.0 .ps1
3. O365-Fed-MetaData-Update-Task-Installation.ps1 [] [] [] [OK]
4. [] Windows PowerShell []
5. Y
PS C:\Users\Administrator> Set-ExecutionPolicy
6. 2. .ps1
PS C:\Users\Administrator> cd .\Desktop
PS C:\Users\Administrator>.\O365-Fed-MetaData-Update-Task-Installation.ps1
7. (: demo.idmgt.archims.fr)
8.
: ****************
Success
Added MSOL credentials to the local Credential Manager
9.
10.
MSOL AD FS 2.0 Windows PowerShell Microsoft Online Service AD FS 2.0 Office 365
MSOL
1. [] [] []
2. Microsoft-Office365-Update-MSOLFederatedDomain-DEMO.IDMGT.ARCHIMS.FR ([email protected])
3. []
1. [] [] [ ]
2. [ ] Microsoft-Office365-Update-MSOLFederatedDomain-DEMO.IDMGT.ARCHIMS.FR
a.
b.
c.
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command C:\Office365-Scripts\Microsoft-Office365-Update-MSOLFederatedDomain-DEMO.IDMGT.ARCHIMS.FR.ps1
3. [ ]
4. C:\Office365-Scripts
5. Microsoft-Office365-Update-MSOLFederatedDomain-DEMO.IDMGT.ARCHIMS.FR.ps1 .ps1 History.log
6. History.log
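The scheduled task above runs Update-MsolFederatedDomain unconditionally, so History.log only tells you that the call was made, not whether Office 365 actually lacked a certificate. The following PowerShell is an added example (neither the white paper's procedure nor the TechNet Gallery script it cites): it reads the token-signing certificates the AD FS 2.0 farm can sign with, reads the signing certificates Office 365 currently holds for the federated domain, and pushes an update only when one is missing, re-reading afterwards to confirm. It assumes the MSOL module and the AD FS 2.0 snap-in on the federation server, that Connect-MsolService and Set-MsolADFSContext have already been run under the task account (the MSOL credentials saved in Credential Manager above serve that purpose), and the log path C:\Office365-Scripts\History.log used in the text.

```powershell
# Added example: update the Office 365 federation trust only when the AD FS 2.0
# token-signing certificates have changed. Assumes Connect-MsolService and
# Set-MsolADFSContext were already run in this session (or by the task wrapper).
param(
    [Parameter(Mandatory=$true)][string]$DomainName,          # e.g. demo.idmgt.archims.fr
    [string]$LogFile = 'C:\Office365-Scripts\History.log'    # assumed path
)
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
Import-Module MSOnline -ErrorAction SilentlyContinue

function Write-Log([string]$Message) {
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
    Write-Host $line
}

# Thumbprints AD FS 2.0 signs with now (primary) and after AutoCertificateRollover (secondary).
function Get-AdfsSigningThumbprints {
    Get-ADFSCertificate -CertificateType Token-Signing | ForEach-Object { $_.Thumbprint.ToUpper() }
}

# Thumbprints Office 365 holds for the domain: base64 DER strings turned into X509Certificate2.
function Get-MsolSigningThumbprints([string]$Domain) {
    $fs = Get-MsolDomainFederationSettings -DomainName $Domain
    foreach ($b64 in @($fs.SigningCertificate, $fs.NextSigningCertificate)) {
        if ([string]::IsNullOrEmpty($b64)) { continue }
        $raw  = [Convert]::FromBase64String($b64)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)
        $cert.Thumbprint.ToUpper()
    }
}

$local   = @(Get-AdfsSigningThumbprints)
$remote  = @(Get-MsolSigningThumbprints $DomainName)
$missing = @($local | Where-Object { $remote -notcontains $_ })

if ($missing.Count -eq 0) {
    Write-Log "OK: Office 365 already trusts every AD FS signing certificate for $DomainName ($($local -join ','))"
    exit 0
}

Write-Log "DRIFT: Office 365 lacks $($missing -join ',') for $DomainName; running Update-MsolFederatedDomain"
Update-MsolFederatedDomain -DomainName $DomainName

# Confirm the push took effect before reporting success; a non-zero exit shows up in Task Scheduler.
$after = @(Get-MsolSigningThumbprints $DomainName)
$still = @($local | Where-Object { $after -notcontains $_ })
if ($still.Count -eq 0) {
    Write-Log "UPDATED: Office 365 now trusts $($local -join ',')"
    exit 0
}
Write-Log "ERROR: Office 365 still lacks $($still -join ',') after the update"
exit 1
```

Both the primary and the secondary token-signing certificate are pushed because, with AutoCertificateRollover, AD FS 2.0 publishes the new certificate as secondary before promoting it; if Office 365 has not seen it by the time of the switch, every sign-in fails with an invalid-signature error.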
[footnoteRef:87] Lync Exchange Online Microsoft Online (MOP) / MOP OWA [87: : http://onlinehelp.microsoft.com/ja-jp/office365-enterprises/ff652538.aspx]
1. Internet Explorer https://portal.microsoftonline.com Microsoft Online (MOP) login.microsoftonline.com URL URL Microsoft Online Services ID
2. [ ID] UPN
3. [] ID (HRD) UPN
:
IE HTTP Fiddler2 ()[footnoteRef:88] HTTP login.microsoftonline.com URL (HRD) GetUserRealm AD FS 2.0 (5.1.5 ) [88: Fiddler2: http://www.fiddler.com]
4. [] AD FS 2.0 [ ]
5. [ ] ( [Demo.idmgt.archims.fr ] ) AD FS 2.0 AD FS 2.0
Office 365
Windows PowerShell Microsoft Online Services AD FS 2.0 AD FS 2.0 Office 365 ID ( ) Office 365
AD FS 2.0 AD FS 2.0
AD FS 2.0 STS (The Role of the Claims Pipeline ()[footnoteRef:89]) SAML [89: The Role of the Claims Pipeline: http://technet.microsoft.com/en-us/library/ee913585(WS.10).aspx]
(The Role of the Claims Engine ()[footnoteRef:90]) [90: The Role of the Claims Engine: http://technet.microsoft.com/en-us/library/ee913582(WS.10).aspx]
3
1. ()
2. ()
3. ()
AD FS 2.0
AD FS 2.0 3
1. : AD FS 2.0 Active Directory (AD DS) AD FS 2.0 Active Directory (AD LDS)Microsoft SQL Server
2. : AD FS 2.0 Active Directory Office 365
3. : AD FS 2.0 Office 365 ID Office 365 Office 365 Exchange OnlineSharePoint Online Office 365 ID
AD FS 2.0 Office 365 ID SAML 1.1 Active Directory () Active Directory Office 365 ID
(UPN)
ID
ImmutableID: the user's Active Directory objectGUID, taken as its byte array and Base64-encoded.
2
UPN (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn)
ID (http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID)
Active Directory
Active Directory
Windows
SID
SID
SID
SID
SID
SID
Microsoft Office 365 ID
Microsoft Online Services (4.3.3 ) Microsoft Office 365 ID
[Microsoft Office 365 ID ] [] Office 365 URL (https://nexus.microsoftonline-p.com/federationmetadata/2007-06/federationmetadata.xml)
AD FS 2.0
PKI PKI ( ) PKI
Laura E. Hunter
Office 365 ID AD FS 2.0
Windows Powershell Microsoft Online Services Update-MsolFederatedDomain
Microsoft Office 365
AD FS 2.0 Office 365 ID (4.3.4 AD FS 2.0 ) ( )
Office 365 OASIS Web Services Federation Language (WS-Federation) Version 1.2 ()[footnoteRef:91] [91: OASIS Web Services Federation Language (WS-Federation) Version 1.2 : http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.pdf]
MIICWzCCAcSgAwIBAgIJAOAWPCFtWFILMA0GCSqGSIb3DQEBBQUAMCkxJzAlBgNV
BAMTHkxpdmUgSUQgU1RTIFNpZ25pbmcgUHVibGljIEtleTAeFw0xMDA3MTYyMTI0
MjZaFw0xNTA3MTUyMTI0MjZaMCkxJzAlBgNVBAMTHkxpdmUgSUQgU1RTIFNpZ25p
bmcgUHVibGljIEtleTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArFszs9TG
9LSN0yT3PDzEMCql9OAN3qV6vv6HSoJR2E1WFZAXEt9KpO9AwVkD0pxat1DoCztf
dVlhk+ZhD8yv7x1PIzQJsLxC233Ch6pd3riFSJdA0BJtgr7V07You6keKDj6hYWk
Io97zOFMbnR8GrJXxOaAR4bvwaF2osYjY3UCAwEAAaOBijCBhzAdBgNVHQ4EFgQU
m7Ph5zX8u1dUl8zE+5jQ+KarrUYwWQYDVR0jBFIwUIAUm7Ph5zX8u1dUl8zE+5jQ
+KarrUahLaQrMCkxJzAlBgNVBAMTHkxpdmUgSUQgU1RTIFNpZ25pbmcgUHVibGlj
IEtleYIJAOAWPCFtWFILMAsGA1UdDwQEAwIBxjANBgkqhkiG9w0BAQUFAAOBgQBd
aADu9GMezEPONs2wXMXZnwc3BAFWlP+hlp5T+vuVZlSsczyTn9Kmbw3oos8EMmro
GrzuxF3g71533ZnRC+Z+x1rltMXiI7vIcbwY1h3E6nt5X3/q/rhQu2bsCx7D9051
pCdWWSxjYHz2MH29x68OXOF0447aXyCzCg7O7Lj1cw==
Action for which the token is valid
Domain name of the entity that requested the token on behalf of the user
Indicates this token was not requested directly by the user.
https://login.microsoftonline.com/login.srf
https://login.microsoftonline.com/login.srf
https://login.microsoftonline.com/extSTS.srf
https://login.microsoftonline.com/extSTS.srf
https://login.microsoftonline.com/login.srf
https://ppsanamespace.service.microsoftonline-p.net/pksecure/ProvisionTrustPK.srf
aQPeWCSJOS22Dk60yhNDG/NCiIo=
TCgu1tc0TAuJay2GEPFHlNbwJtXGX203/oEem0gToHNEE6IxOaXgRFduLNqZw/QMJdHgdXPf558E7+GmhQRRSfEiAyXkxQEoh
Q7pvHgujapyo2iSTBgLIT7hme3nxADHvKrlEolKBIh3aBnTz0Eqn1FUB68qvNH7UFuBqTU0bJ0=
MIICWzCCAcSgAwIBAgIJANswIPW/+LJFMA0GCSqGSIb3DQEBBQUAMCkxJzAlBgNVBAMTHkxpdmUgSUQgU1RTIFNpZ25pbm
cgUHVibGljIEtleTAeFw0xMDA3MTYyMTI0NTZaFw0xNTA3MTUyMTI0NTZaMCkxJzAlBgNVBAMTHkxpdmUgSUQgU1RTIFNp
Z25pbmcgUHVibGljIEtleTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAlM7mGMQ6Ha0JP8odYF4ArNF294zQzoRoR7
PSv88tyHD/6wINeVn/ebD+XVI9ebRmRFdJYRFrdqOrYwJOPmq9bG+zF2HblKX718BcAKw7Ku6iqkk0YwtCM1hijr9FlyBG
IS9XoE+Yy/qs+WNJyaUnXIw0YMwvoj0ev0KOtd6X7ekCAwEAAaOBijCBhzAdBgNVHQ4EFgQUv0DdCHPD3pifWehnZfE6eC
ztZj8wWQYDVR0jBFIwUIAUv0DdCHPD3pifWehnZfE6eCztZj+hLaQrMCkxJzAlBgNVBAMTHkxpdmUgSUQgU1RTIFNpZ25p
bmcgUHVibGljIEtleYIJANswIPW/+LJFMAsGA1UdDwQEAwIBxjANBgkqhkiG9w0BAQUFAAOBgQBPFFgHrWNtMRHsbjb/YU
j67a7YvVnht11yH73oWLDdS/WW4VYHB3RiZuxU07EtIFXkyjRQ2lmHuza9+IljVKirLw8Zp6CH6tTiZC8WiyRI8cgenztP
LO7x1Rwbg5d4bKkVP0dX7pe/Z6hrouK9Xc8828mjL09OlyiH6L+tZc0hJw==
2 RoleDescriptor Office 365
Office 365 2
1. Web () : https://login.microsoftonline.com/login.srf.
2. : https://login.microsoftonline.com/extSTS.srf.
2
2
1. Active Directory: UPN & ImmutableID : Active Directory
UPN : UPN
ImmutableID : ID ID ID
SAML 1.1 UPN ImmutableID
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/UPN",
"http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), query = "samAccountName={0};userPrincipalName,objectGUID;{1}", param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);
2. ImmutableID NameID : ImmutableID SourceID
SAML 1.1
c:[Type == "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"]=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
Value = c.Value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] =
"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
SAML 1.1 XML () AD FS 2.0 Office 365
: NameID (ImmutableID) ( UPN ImmutableID)
: AD FS 2.0 () AuthenticationMethod=urn:oasis:names:tc:SAML:1.0:am:password;
SAML 1.1 OASIS SAML Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V1.1 ()[footnoteRef:92] [92: Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V1.1: http://www.oasis-open.org/committees/download.php/3406/oasis-sstc-saml-core-1.1.pdf]
urn:federation:MicrosoftOnline
jQs1n5IS0EKf4byoSsOr6A==
urn:oasis:names:tc:SAML:1.0:cm:bearer
jQs1n5IS0EKf4byoSsOr6A==
jQs1n5IS0EKf4byoSsOr6A==
urn:oasis:names:tc:SAML:1.0:cm:bearer
hKJnVjG/rq/bdy1RrnztTIiBE6c=
tT4kMFkVL+l2D6fcD9QhDW+HN+rktCq7lZ9WMsPV+3ONoSq+KH/4qMrO0XncZySYlxMlhLbl7ZAJP5t0eErFbEBfH8+J3PPrsaRU+
mXQe7lfIj1ir1l+hCpbC3Hywnirm01sLaj8NUHnM3/B0KDWblOzpPkOXKvM4Rd4SVsNiKykwp2Em3f80hZWLu2mQRJxiti2n6NcOt
Md4YhOV0fNhH5LHzc0SWNUiIALqtrc7b67YaOFMM21oxQBRffxnY4ns5kRU/aTKCTTwZzamBoRdCI97j0CjT8XTv+LfLHkcWaBH+5
up0Xd+g3T8jTikGQpMDzuvbOtIlY69DUnCIz0DQ==
MIIC8DCCAdigAwIBAgIQF1RifzXrH59A+2Jtoe+5ADANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDEylBREZTIFNpZ25pbmcgL
SBhZGZzLmRlbW8uaWRtZ3QuYXJjaGltcy5mcjAeFw0xMTA4MTAxOTIyNTZaFw0xMjA4MDkxOTIyNTZaMDQxMjAwBgNVBAMTKU
FERlMgU2lnbmluZyAtIGFkZnMuZGVtby5pZG1ndC5hcmNoaW1zLmZyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQE
AwNpcxWSMJ3TbXfHEAAa4Moi7+S+k6JypSPq45FHAkyn3QkGzRsjJt9KF05/PvUsudukl+OZxXUHsb1pWMQniZAh5G7h6rUXf
k1eeJhDHgBFpwI5yrLGdUlcGrQxNNE4UCLuDwRWG9WjA6Gr7q3bD68vFom/OitsyK18RRB4kCkFWHTln98b7EDieFQQPDxoRP
o+Od6eQ/sejR6D7zJKW9LByT8H8BBOrm4CD9vpBoHiVxIgciLrARx0oCiayh/oYihZDWI8HYv1TlVd9uh+Rxsax7Qt0dWA/Me
06gOO5THo2YmxVA4wG3sdyl74MjgmPSv2qR6mP4GAGxk4sfK59iQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAxr2UPF+6osSL
mF0bdn+Ysj98Q69c6LVLBmTcnd9VBqoefBtcvQe/rp34f2Ok3nqLVRgQv+aWfQrCwM5/5e93saZpdY2UH/U8cvSb+X2PqBK9y
CPDejAtfjo3sCv0ET+0UkoQirK4/CTn07tg+37teZ1EVHaO3DHiI695llnW7Z7j/LH7TLaIP2l9WY2Fe5D+B0iZlYE9kCTDUq
hVR4037cTKC7RKyl/hBPc1xRtQE0ya0lhb4THZjID4fHv9KYQOGaiUHnETt+Qc12pYnZW66O7KXj1Ap47IStGvWiOMbJ6jm4Y
oGyZRa7MC5Gh2z3AQGZ2Rj1KPW3OQ/T3u3u84k
URI (: http://sts.idmgt.demo/adfs/services/trust) Office 365
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
AD FS 2.0 / SAML AD FS 2.0 () () AD FS 2.0 (2.4.4.1 AD FS 2.0 )
AD FS 2.0 AD FS 2.0 AD FS 2.0 AD FS 2.0
(4.2.1.1 1 - AD FS 2.0 ) 443 FS () FS SAML
AD FS 2.0 AD FS 2.0 AD FS 2.0 (Microsoft Forefront Threat Management Gateway (TMG) )
Exchange Online AD FS 2.0 SharePoint 2010 Online Lync Online AD FS 2.0 AD FS 2.0 AD FS 2.0
AD FS 2.0
Office 365 3
1. (WS-Federation ) : Microsoft Online (MOP)SharePoint Online Outlook Web App (OWA) Web
Web () AD FS 2.0
SharePoint Online Office 2007 Service Pack 2 (SP2) Office 2010 (WordExcel PowerPoint) SharePoint Online Web ( WS-Federation)
5.2/Web
2. (WS-Trust ) : AD FS 2.0 Lync 2010 Office
2 AD FS 2.0 5.3MEX/
3. EAS /: ()
Office 365 Microsoft Exchange 2010 ActiveSync (EAS)Outlook 2007 2010IMAPPOP SMTPExchange 2010 Web
SSL Exchange Online Exchange Online AD FS 2.0 5.4EAS /
3 / (4.2.1 Office 365 AD FS 2.0 ) 2011 10 AD FS 2.0 (6.3 Office 365 )
Get-MsolFederationProperty AD FS 2.0
1. Windows PowerShell Microsoft Online Services (4.3.2 Microsoft Online Services Windows PowerShell )
2. Get-MsolFederationProperty DomainName
PS C:\Windows\system32> Get-MSOLFederationProperty -DomainName demo.idmgt.archims.fr
Source : ADFS Server
ActiveClientSignInUrl : https://adfs.demo.idmgt.archims.fr/adfs/services/trust/2005/usernamemixed
FederationServiceDisplayName : ADFS IDMGT MTC Paris
FederationServiceIdentifier : http://sts.idmgt.demo/adfs/services/trust
FederationMetadataUrl : https://adfs.demo.idmgt.archims.fr/adfs/services/trust/mex
PassiveClientSignInUrl :
PassiveClientSignOutUrl :
[Issuer] CN=ADFS Signing - adfs.demo.idmgt.archims.fr
[Serial Number] 1754627F35EB1F9F40FB626DA1EFB900
[Not Before] 10/08/2011 21:22:56
[Not After] 09/08/2012 21:22:56
[Thumbprint] 25A70E3841C2614B097587EBDB9BBF0AE00D818C
NextTokenSigningCertificate :
Source : Microsoft Office 365
ActiveClientSignInUrl : https://adfs.demo.idmgt.archims.fr/adfs/services/trust/2005/usernamemixed
FederationServiceDisplayName : ADFS IDMGT MTC Paris
FederationServiceIdentifier :
FederationMetadataUrl :
PassiveClientSignInUrl :
[Issuer] CN=ADFS Signing - adfs.demo.idmgt.archims.fr
[Serial Number] 1754627F35EB1F9F40FB626DA1EFB900
[Not Before] 10/08/2011 21:22:56
[Not After] 09/08/2012 21:22:56
[Thumbprint] 25A70E3841C2614B097587EBDB9BBF0AE00D818C
NextTokenSigningCertificate :
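Get-MsolFederationProperty prints one record from the AD FS 2.0 server and one from Office 365 so that the two sides can be compared field by field; a mismatch (typically the token-signing certificate after a rollover that was never pushed to Office 365 with Update-MsolFederatedDomain) breaks sign-in for every federated user. The Python block below is an added example for this page, not code from the document or from the Microsoft Online Services module: it parses output of that shape and reports the differences. The sample text is constructed to look like the output above, with the Office 365 record deliberately altered (a made-up thumbprint and an earlier Not After) so that the check has something to find; the day/month/year reading of the dates is an assumption taken from the Not Before / Not After pair shown on the page.

```python
from datetime import datetime

# Constructed sample modelled on the cmdlet output quoted above. The second
# record has been altered (fake thumbprint, earlier expiry) for the example.
SAMPLE_OUTPUT = """\
Source : ADFS Server
ActiveClientSignInUrl : https://adfs.demo.idmgt.archims.fr/adfs/services/trust/2005/usernamemixed
FederationServiceIdentifier : http://sts.idmgt.demo/adfs/services/trust
[Issuer] CN=ADFS Signing - adfs.demo.idmgt.archims.fr
[Not After] 09/08/2012 21:22:56
[Thumbprint] 25A70E3841C2614B097587EBDB9BBF0AE00D818C
NextTokenSigningCertificate :

Source : Microsoft Office 365
ActiveClientSignInUrl : https://adfs.demo.idmgt.archims.fr/adfs/services/trust/2005/usernamemixed
FederationServiceIdentifier : http://sts.idmgt.demo/adfs/services/trust
[Issuer] CN=ADFS Signing - adfs.demo.idmgt.archims.fr
[Not After] 09/08/2011 21:22:56
[Thumbprint] 0000000000000000000000000000000000000000
NextTokenSigningCertificate :
"""

# Fields whose values must agree between the two records for SSO to work.
COMPARE_FIELDS = ("ActiveClientSignInUrl", "FederationServiceIdentifier", "Thumbprint")


def parse_records(text):
    """Split the output into one dict per 'Source : ...' record.
    'Key : Value' lines and bracketed certificate lines ('[Thumbprint] X')
    both become entries of the current record."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and "]" in line:
            key, _, value = line[1:].partition("]")
            if current is not None:
                current[key.strip()] = value.strip()
            continue
        key, sep, value = line.partition(" : ")
        if not sep:                      # 'Key :' with an empty value
            key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Source":
            current = {"Source": value}
            records.append(current)
        elif current is not None:
            current[key] = value
    return records


def find_mismatches(text, fields=COMPARE_FIELDS):
    """Return {field: (adfs_value, office365_value)} for every field that differs."""
    recs = {r["Source"]: r for r in parse_records(text)}
    adfs, o365 = recs["ADFS Server"], recs["Microsoft Office 365"]
    return {f: (adfs.get(f, ""), o365.get(f, ""))
            for f in fields if adfs.get(f, "") != o365.get(f, "")}


def days_until_expiry(text, source, now_iso):
    """Days left on the token-signing certificate of one record.
    Assumption: the dates are day/month/year, as the page's Not Before /
    Not After pair suggests (10/08/2011 -> 10 Aug 2011)."""
    rec = {r["Source"]: r for r in parse_records(text)}[source]
    not_after = datetime.strptime(rec["Not After"], "%d/%m/%Y %H:%M:%S")
    return (not_after - datetime.fromisoformat(now_iso)).days


if __name__ == "__main__":
    print(find_mismatches(SAMPLE_OUTPUT))
    print(days_until_expiry(SAMPLE_OUTPUT, "ADFS Server", "2012-08-01"))
```

Run it against the real cmdlet output by piping the text into find_mismatches; an empty dict means both sides agree on the endpoint, the identifier and the signing certificate, and days_until_expiry gives an early warning before the rollover described in section 6.4 becomes urgent.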
AD FS 2.0
(WS-Federation ) PassiveClientSignInUrl adfs/ls/
(WS-Trust ) FederationMetadataUrl /adfs/services/trust/mex/
EAS / ActiveClientSignInUrl /adfs/services/trust/2005/usernamemixed
Office 365
Microsoft Online Services Diagnostics and Logging (MOSDAL) 4.0[footnoteRef:93] AD FS Office 365 / [93: Microsoft Online Services Diagnostics and Logging (MOSDAL) 4.0: http://www.microsoft.com/ja-jp/download/details.aspx?id=626]
Office 365
MEX/ AD FS 2.0
AD FS 2.0 Office 365 /
MOSDAL /
1. .msi Microsoft
2. MOSDAL
3. [O365] [ (ID )] []
4. []
5. []
Microsoft Remote Connectivity Analyzer (RCA)[footnoteRef:94]Office 365 [94: Microsoft (RCA): https://www.testexchangeconnectivity.com/]
RCA
1. Web https://testexchangeconnectivity.com
2. [Office 365]
3. [Microsoft ] []
4. UPN []
AD FS 2.0 Troubleshooting Guide ()[footnoteRef:95] [95: AD FS 2.0 Troubleshooting Guide: http://technet.microsoft.com/en-us/library/adfs2-troubleshooting-guide(WS.10).aspx]
/Web
SharePoint Online Outlook Web App (OWA) Web Office 365
Office 365 AD FS 2.0 SAML 1.1
Windows (Kerberos NTLMv2) AD FS Office 365 Office 365
/Web
1. Web Office 365 Office 365 HTTP 302 Office 365 ID URL
2. Office 365 UPN ( AD FS 2.0 ) AD FS 2.0 URL (adfs/ls/) HTTP 302
3. AD FS 2.0 AD FS 2.0 Active Directory ( Windows ) Active Directory UPN ID (ImmutableID) SAML 1.1 X.509 SAML 1.1
4. SAML 1.1 HTTP POST Office 365 X.509 X.509 Office 365 ID ID ID ( ID) UPN ID
5. Web Office 365 (Office 365 ID ) ID ID ( ID /) Web Office 365
Office 365 [footnoteRef:96] OASIS WS-Federation (WS-Fed) () 13 Web (Passive) Requestors[footnoteRef:97] Fiddler (Fiddler Inspector for Federation Messages ()[footnoteRef:98]) AD FS 2.0: How to Use Fiddler Web Debugger to Analyze a WS-Federation Passive Sign-In ()[footnoteRef:99] [96: Office 365 : http://community.office365.com/ja-jp/wikis/sso/1002.aspx] [97: Web Services Federation Language (WS-Federation) Version 1.2 : http://docs.oasis-open.org/wsfed/federation/v1.2/ws-federation.pdf] [98: Fiddler Inspector for Federation Messages: http://social.technet.microsoft.com/wiki/contents/articles/fiddler-inspector-for-federation-messages.aspx] [99: AD FS 2.0: How to Use Fiddler Web Debugger to Analyze a WS-Federation Passive Sign-In: http://social.technet.microsoft.com/wiki/contents/articles/3286.aspx]
MEX/
MEX/
Lync Online
1. MSOIDSVC Microsoft Online Services (MOS SIA) (3.1.2 ) UPN Active Directory MSOIDSVC Office 365 ID (HRD)
AD FS 2.0 (MEX ) URL
2. MSOIDSVC MEX URL MSOIDSVC MEX (/adfs/services/trust/mex/) MEX WS-Trust
3. MSOIDSVC SAML 1.1 ( Windows (Kerberos NTLMv2)) MSOIDSVC Kerberos NTLMv2 NTLMv2 Kerberos Active Directory UPN ID (ImmutableID) SAML 1.1 X.509 SAML 1.1 MSOIDSVC
4. MSOIDSVC AD FS 2.0 SAML 1.1 Office 365
Office 365 Office 365 ID ID ID ( ID) (UPN ID )
MSOIDSVC
5. Lync 2010 Lync 2010 Lync Online Lync Online
6. Lync 2010 (MSOIDCLI.dll ) MSOIDSVC MSOIDSVC Lync Online Lync Online
EAS /
Outlook Exchange Online Outlook Office 365 Office 365 AD FS 2.0 SAML Office 365
EAS /
Exchange ActiveSync (EAS) /
1. (MSOIDSVC SAML 1.1 ) Outlook 2010
Outlook Exchange Online (Negotiate Windows SSPI ) Exchange Online
2. 1 (UPN ) Outlook Exchange Online
3. Exchange Online /UPN Office 365
Office 365 ID AD FS 2.0 URL (/adfs/services/trust/2005/usernamemixed)
4. Exchange Online
Active Directory Active Directory SAML 1.1 ( UPN ID (ImmutableID) ) X.509 SAML 1.1 Exchange Online
5. Exchange Online Office 365 Office 365 ID UPN ID ( ID)
Exchange Online
Microsoft
Outlook Outlook [] Windows Credential Manager
Windows Credential Manager ()
Credential Manager
Windows 7 BitLocker
(6.3.2 ) Office 365
Configuring Advanced Options for AD FS 2.0 ()[footnoteRef:100] [100: Configuring Advanced Options for AD FS 2.0: http://technet.microsoft.com/en-us/library/hh237448(WS.10).aspx]
AD FS 2.0 1 AD FS 2.0 UPN (: @[email protected]) AD FS 2.0
2 ( 1) AD FS 2.0 Office 365 UPN ID
Office 365 () AD FS 2.0 Windows PowerShell Microsoft Online Services SupportMultipleDomain
:
1 UPN @[email protected] @idmgt.fr ( idmgt.fr) SupportMultipleDomain 1 AD FS 2.0
(@idmgt.fr @idmgt.co.uk) (@paris.idmgt.fr @london.idmgt.co.uk) SupportMultipleDomain Office 365 AD FS 2.0 URI
1 Office 365 ID (5.1.4.2 ) URI
c:[Type == "http://schemas.xmlsoap.org/claims/UPN"]
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid",
Value = regexreplace(c.Value, ".+@(?<domain>.+)", "http://${domain}/adfs/services/trust/"));
[footnoteRef:101] [101: : http://community.office365.com/ja-jp/wikis/sso/1007.aspx]
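The three rules that matter for Office 365 can be traced end to end: the section 5.1 rule that turns windowsaccountname into UPN and ImmutableID through an Active Directory query, the rule that copies ImmutableID into the SAML 1.1 NameID, and the SupportMultipleDomain issuerid rule just above. The following Python block is an added example written for this page; it is not AD FS code and not part of the original document. The directory entry (user name, UPN, objectGUID) is constructed, the .NET named-group regexes of the rules are rewritten in Python syntax, and the ImmutableID is computed as the base64 encoding of the objectGUID in Active Directory byte order, which is also why the sample NameID in the page's assertion decodes to exactly 16 bytes.

```python
import base64
import re
import uuid

# Claim type URIs exactly as they appear in the page's rules.
WINDOWSACCOUNTNAME = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
UPN = "http://schemas.xmlsoap.org/claims/UPN"
IMMUTABLEID = "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"
NAMEID = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
ISSUERID = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid"
NAMEID_FORMAT = "http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"

# Constructed stand-in for the Active Directory attribute store queried by the
# first rule (samAccountName -> userPrincipalName, objectGUID). Made-up user.
DIRECTORY = {
    "alice": {
        "userPrincipalName": "alice@paris.idmgt.fr",
        "objectGUID": uuid.UUID("0d4e8c7a-3b21-4f60-9a55-6c1d2e3f4a5b"),
    },
}


def immutable_id_from_guid(guid):
    """ImmutableID = base64 of the objectGUID bytes in AD / .NET order (bytes_le)."""
    return base64.b64encode(guid.bytes_le).decode("ascii")


def guid_from_immutable_id(immutable_id):
    """Inverse of the above; anything that is not a 16-byte GUID is rejected."""
    raw = base64.b64decode(immutable_id)
    if len(raw) != 16:
        raise ValueError("ImmutableID does not decode to a 16-byte GUID")
    return uuid.UUID(bytes_le=raw)


def rule_ad_lookup(claims):
    """Rule 1: windowsaccountname -> UPN and ImmutableID via the directory query.
    regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}") strips
    the DOMAIN\\ prefix; the same regex in Python syntax is used here."""
    account = claims[WINDOWSACCOUNTNAME]
    sam = re.sub(r"(?P<domain>[^\\]+)\\(?P<user>.+)", r"\g<user>", account)
    entry = DIRECTORY.get(sam)
    if entry is None:
        return {}  # the store returns no row, so no claims are issued
    return {UPN: entry["userPrincipalName"],
            IMMUTABLEID: immutable_id_from_guid(entry["objectGUID"])}


def rule_nameid(claims):
    """Rule 2: ImmutableID -> NameID carrying the 'unspecified' format property."""
    return {NAMEID: {"value": claims[IMMUTABLEID],
                     NAMEID_FORMAT: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"}}


def rule_issuerid(claims):
    """SupportMultipleDomain rule: issuerid derived from the UPN suffix."""
    return {ISSUERID: re.sub(r".+@(?P<domain>.+)",
                             r"http://\g<domain>/adfs/services/trust/", claims[UPN])}


def run_pipeline(account_name):
    """Apply the three rules in order, as the AD FS pipeline would."""
    claims = {WINDOWSACCOUNTNAME: account_name}
    claims.update(rule_ad_lookup(claims))
    if IMMUTABLEID in claims:
        claims.update(rule_nameid(claims))
        claims.update(rule_issuerid(claims))
    return claims


if __name__ == "__main__":
    for k, v in run_pipeline("IDMGT\\alice").items():
        print(k, "=", v)
```

Feeding the page's own NameID value "jQs1n5IS0EKf4byoSsOr6A==" to guid_from_immutable_id yields a well-formed GUID, which is the property Office 365 relies on when it matches the assertion's NameID against the ImmutableID of the synchronised account; a value of any other length is a sign that the store query or the claim mapping is wrong.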
Office 365 (2FA)
AD FS 2.0 ( AD FS 2.0 (4.2.1.1 1 - AD FS 2.0 )) Windows (IWA)
Office 365
AD FS 2.0
AD FS 2.0 AD FS 2.0 AD FS 2.0 AD FS 2.0 AD FS 2.0 Office 365
:
2.4.4.2 AD FS 2.0 AD FS 2.0
()
2 (2FA) 2 (/) ()
Office 365 Web
Web 2FA Outlook 2010Lync 2010ActiveSync
Office 2007 Service Pack 2 (SP2) Office 2010 (WordExcel PowerPoint) SharePoint Online SharePoint Online Web (WS-Federation)
2FA (5.2 /Web )
:
() Office 365 Online 2FA ()
Office 365 Web 2FA Office 2007 Service Pack 2 (SP2) Office 2010 (WordExcel PowerPoint) Office 365 (OutlookLync )
AD FS 2.0 ( ) 2FA 2FA
AD FS 2.0
2FA IIS HTTP
AD FS 2.0 2FA
( AD FS 2.0 ) ASP.NET Web
Web (IIS) %SystemRoot%\Inetpub\adfs\ls IIS Web /adfs/ls
WS-Federation (FBA)
:
AD FS 2.0 AD FS 2.0 SDK AD FS 2.0 Sign-In Pages Customization Overview ()[footnoteRef:102] [102: AD FS 2.0 Sign-In Pages Customization Overview: http://msdn.microsoft.com/en-us/library/ee895356.aspx]
AD FS 2.0
AD FS 2.0
2FA IIS HTTP
Windows Server 2008 Windows Server 2008 R2 (IIS) IIS HTTP 2FA AD FS 2.0 2FA URL
2FA 2
1. 2FA 2FA 2FA 2FA
2. 2FA AD FS 2.0
3. Office 365 Web Active Directory
RSA Authentication Agent 7.0 for Web for IIS RSA SecurID AD FS 2.0 Step-by-Step Guide: Integration with RSA SecurID in the Extranet ()[footnoteRef:103][footnoteRef:104] [103: AD FS 2.0 Step-by-Step Guide: Integration with RSA SecurID in the Extranet: http://technet.microsoft.com/en-us/library/hh344805(WS.10).aspx] [104: RSA Authentication Agent 7.0 for Web for IIS: http://www.rsa.com/node.aspx?id=3663]
2
AD FS 2.0
2FA
Login People Digital DNA Technology () (USB ) 2 ID AD FS 2.0 2FA Integrating Login People Digital DNA Server with AD FS 2.0 for interoperable federated Single Sign-On ()[footnoteRef:105] [105: Integrating Login People Digital DNA Server with AD FS 2.0 for interoperable federated Single Sign-On: http://download.microsoft.com/documents/France/Interop/2011/Integrating-LoginPeople-DDNA-Server.docx]
(2FA Active Directory 1 ) 2FA Active Directory
Office 365
Office 365
AD FS 2.0
AD FS 2.0 (5.1.5 )
Web
:
(Outlook 2010 ) AD FS 2.0 Outlook 2010
2011 10 Office 365 AD FS 2.0 2 ( AD FS 2.0 1) Office 365 3
1. AD FS 2.0 5 HTTP AD FS 2.0
a. x-ms-forwarded-client-ip;
b. x-ms-client-application;
c. x-ms-client-user-agent;
d. x-ms-proxy;
e. x-ms-endpoint-absolute-path.
:
AD FS 2.0 (4.2.1.2) HTTP x-ms-proxy DNS
2.
a. http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip
b. http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application
c. http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent
d. http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy
e. http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path
Active Directory (5.1.3 Active Directory )
http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip
c:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip"] => issue(claim = c);
4
3. AD FS 2.0 AD FS 2.0 Office 365 ID (5.1.4.3 )
AD FS 2.0 Office 365 [footnoteRef:106] IP [106: Office 365 : http://community.office365.com/ja-jp/wikis/sso/927.aspx]
Office 365 : Office 365 IP
Exchange ActiveSync (EAS) Office 365 : Office 365 EAS ( ) Office 365
SharePoint OnlineOutlook Web App (OWA) Office 365 : Office 365 Web Office 365
Active Directory Office 365 : 1 Active Directory Office 365
()[footnoteRef:107] AD FS 2.0 [107: : http://gallery.technet.microsoft.com/scriptcenter/Client-Access-Policy-30be8ae2]
AD FS 2.0
1. Office_365_-_Client_Access_Policy_Builder.ps1
2. Office_365_-_Client_Access_Policy_Builder.ps1 [] [] [] [OK]
3. Office_365_-_Client_Access_Policy_Builder.ps1 [PowerShell ]
4. [Create Rules for Claim Types] Active Directory 5
5. [Office 365 - Client Access Policy Builder] [Step 1] [Step 2]
6.
7. [Single external IP address] IP IP [External IP address range] [Office 365 - Client Access Policy Builder]
8. IP [Build] Office 365 ID
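The client access policy above rests on the five request-context claims that AD FS 2.0 adds after the October 2011 update: x-ms-proxy tells the rule whether the request came through the federation server proxy (and is therefore external), x-ms-forwarded-client-ip carries the original client address, x-ms-client-application names the Office 365 service that relayed the request, and x-ms-endpoint-absolute-path identifies the AD FS endpoint. The Python block below is an added example written for this page and is not the Client Access Policy Builder script or AD FS's own rule engine; it models the four policy shapes listed above over constructed requests. The group claim type and the treatment of x-ms-forwarded-client-ip as a possibly comma-separated list are assumptions; the value Microsoft.Exchange.ActiveSync is the one documented for the Exchange ActiveSync proxy and is not taken from this page.

```python
import ipaddress

# Request-context claim types listed on the page.
CTX = "http://schemas.microsoft.com/2012/01/requestcontext/claims/"
FORWARDED_IP = CTX + "x-ms-forwarded-client-ip"
CLIENT_APP = CTX + "x-ms-client-application"
PROXY = CTX + "x-ms-proxy"
ENDPOINT_PATH = CTX + "x-ms-endpoint-absolute-path"
# Assumed claim type for the "allow one Active Directory group" scenario.
GROUP = "http://schemas.xmlsoap.org/claims/Group"
# Documented x-ms-client-application value for Exchange ActiveSync (not from this page).
EAS_APP = "Microsoft.Exchange.ActiveSync"


def is_external(claims):
    """x-ms-proxy is only issued when the request traversed the AD FS 2.0
    federation server proxy; that is how an external request is recognised."""
    return bool(claims.get(PROXY))


def from_allowed_range(claims, allowed_ranges):
    """True if any forwarded client IP lies inside one of the CIDR ranges.
    Values are treated as possibly comma-separated (assumption); entries that
    do not parse are ignored rather than trusted."""
    nets = [ipaddress.ip_network(r) for r in allowed_ranges]
    for value in claims.get(FORWARDED_IP, []):
        for part in value.split(","):
            try:
                addr = ipaddress.ip_address(part.strip())
            except ValueError:
                continue
            if any(addr in net for net in nets):
                return True
    return False


def evaluate(claims, policy, allowed_ranges=(), allowed_group=None):
    """Model of the policy shapes listed on the page; returns "permit" or "deny".
    Requests that did not traverse the proxy are always permitted, and listed
    external ranges are permitted under every policy."""
    if not is_external(claims):
        return "permit"
    if from_allowed_range(claims, allowed_ranges):
        return "permit"
    if policy == "block-external":
        return "deny"
    if policy == "allow-eas":
        return "permit" if EAS_APP in claims.get(CLIENT_APP, []) else "deny"
    if policy == "allow-browser":
        # Browser (WS-Federation passive) sign-ins arrive at /adfs/ls/.
        paths = claims.get(ENDPOINT_PATH, [])
        return "permit" if any(p.lower().startswith("/adfs/ls") for p in paths) else "deny"
    if policy == "allow-group":
        return "permit" if allowed_group in claims.get(GROUP, []) else "deny"
    raise ValueError("unknown policy: " + policy)


# Constructed sample requests (documentation address ranges, made-up proxy name).
INTERNAL_BROWSER = {ENDPOINT_PATH: ["/adfs/ls/"]}
EXTERNAL_BROWSER = {PROXY: ["proxy01"], FORWARDED_IP: ["198.51.100.7"],
                    ENDPOINT_PATH: ["/adfs/ls/"]}
EXTERNAL_EAS = {PROXY: ["proxy01"], FORWARDED_IP: ["198.51.100.7"], CLIENT_APP: [EAS_APP],
                ENDPOINT_PATH: ["/adfs/services/trust/2005/usernamemixed"]}
BRANCH_OFFICE = {PROXY: ["proxy01"], FORWARDED_IP: ["203.0.113.10"],
                 ENDPOINT_PATH: ["/adfs/ls/"]}

if __name__ == "__main__":
    for name, req in [("internal", INTERNAL_BROWSER), ("external browser", EXTERNAL_BROWSER),
                      ("external EAS", EXTERNAL_EAS), ("branch office", BRANCH_OFFICE)]:
        print(name, evaluate(req, "allow-eas", allowed_ranges=["203.0.113.0/24"]))
```

The order of the checks mirrors the rules the builder emits: the internal case and the listed external ranges are decided first, and only the remaining external traffic is subjected to the application, endpoint or group test. Note that every decision depends on the proxy populating the x-ms-proxy and forwarded-IP claims, which is why the page insists that the internal DNS must resolve the federation service name to the AD FS 2.0 server itself rather than to the proxy.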
Office 365
Office ID Office 365 Web Microsoft Online (MOP)Outlook Web Access (OWA) SharePoint Online (SPO)
Office 365 UPN login.microsoftonline.com (HRD) AD FS 2.0 (4.4 )
Office 365 Office 365 [footnoteRef:108] [108: Office 365 : http://community.office365.com/ja-jp/wikis/sso/851.aspx]
Microsoft Online (MOP)
https://adfs.demo.idmgt.archims.fr/adfs/ls/?wa=wsignin1.0&wtrealm=urn:federation:MicrosoftOnline ()
https://login.microsoftonline.com/login.srf?wa=wsignin1.0&whr=demo.idmgt.archims.fr&wreply=https:%2f%2fportal.microsoftonline.com%2fdefault.aspx
Outlook Web Access (OWA)
https://outlook.com/owa/[email protected]
https://login.microsoftonline.com/login.srf?wa=wsignin1.0&whr=demo.idmgt.archims.fr&wreply=https:%2f%2foutlook.com%2fowa%2fo365a40demo%2eidmgt%2earchims%2efr%2f?exsvurl=1&ll-cc=en-US
SharePoint Online (SPO)
https://login.microsoftonline.com/login.srf?wa=wsignin1.0&whr=demo.idmgt.archims.fr&wreply=https:%2f%2fidmgt%2esharepoint%2ecom%2f%5fforms%2fdefault%2easpx
AD FS 2.0 UPN
OASIS WS-Federation (WS-Fed) ()[footnoteRef:109] 13 Web (Passive) Requestors [109: Web Services Federation Language (WS-Federation) Version 1.2 : http://docs.oasis-open.org/wsfed/federation/v1.2/ws-federation.pdf]