Single Sign-On with Office 365 at the Faculty of Kinesiology (Kineziološki fakultet),
University of Zagreb (Sveučilište u Zagrebu)
Stipe Gorenjak,
Faculty of Kinesiology, University of Zagreb (Kineziološki fakultet Sveučilišta u Zagrebu)
e-mail: [email protected]
Sponsors
Please switch off your mobile phones. Thank you.
Contents, part 1:
• Introduction
• Why Office 365?
• Why AD integration and Single Sign-On?
• Integration options
• Demo 1 (SSO @ O365 @ KIF)
• Preparing the on-premises infrastructure
Introduction
• The situation found at KIF
  • Server infrastructure
  • Services
• What we wanted to achieve
  • Higher productivity
  • Better use of the IT specialists
• How to get there
  • By rebuilding the server infrastructure
  • By using the potential of cloud services
Why Office 365?
• Security
  • designed to meet the security requirements of enterprise environments
• Reliability
  • geo-redundant data centres (99.9% SLA)
• Availability
  • a consistent user experience regardless of how, and from which device, the user connects
• Productivity
  • Exchange Online (50 GB mailbox)
  • SharePoint Online (3.7 TB in KIF's case)
  • OneDrive for Business (1 TB per user)
  • Lync Online (connectivity to Skype and to other Lync Online users)
  • Office Web Apps
  • Yammer (enterprise social network for businesses)
Why AD integration and Single Sign-On?
• Management from a single place
  • The same user accounts on-premises and in O365
  • The same user passwords and password policies
• Simpler access to Office 365 services
  • Authentication takes place only in the on-premises AD
Office 365 implementation options
(diagram: the Office 365 tenant components, Directory Store, Provisioning platform, Admin Portal and Authentication platform, with no on-premises integration)
Office 365 implementation options
(diagram: the same tenant components, with on-premises AD DS feeding the Directory Store through DirSync)
Implementation of Office 365 at the Faculty of Kinesiology, University of Zagreb
(diagram: on-premises AD DS synchronized into the Directory Store through DirSync, plus AD FS federated with the Authentication platform so that authentication stays on-premises)
Demo 1 - SSO @ O365 @ KIF
Preparing the on-premises infrastructure
Contents, part 2:
• Preparing AD for integration
• SSL certificates for AD FS
• Configuring the AD FS server
• Configuring the Federation Trust
• Configuring Directory synchronization
• Demo 2 (DirSync Filtering)
Preparing AD for integration
• UPN suffixes (kif.hr; student.kif.hr; alumni.kif.hr)
• Proxy addresses
• Unsupported characters (space ( ) @ ' = | ? /)
• Add the UPN suffixes (domains) to O365 and verify them
• Adapt the OU design
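The preparation items above, as an added example (PowerShell; this is not code from the presentation). It is a pre-sync hygiene script that flags user objects whose UPN suffix is not one of the three suffixes the faculty verified in O365, whose UPN local part or proxy addresses contain a character from the unsupported list, or that do not have exactly one primary `SMTP:` proxy address. The suffix list is the one on the slide; the user records are constructed sample data, and the `Get-ADUser` line in the comment is how you would feed a real domain into it.

```powershell
# Added example, not from the presentation. Flags AD user objects that DirSync
# would reject or that would not get a routable UPN in Office 365.
# Against a real domain replace $Users with:
#   Get-ADUser -Filter * -Properties userPrincipalName, proxyAddresses |
#       Select-Object sAMAccountName, userPrincipalName, proxyAddresses

# UPN suffixes the slide lists; these must be verified domains in the tenant.
$VerifiedSuffixes = @('kif.hr', 'student.kif.hr', 'alumni.kif.hr')

# Characters the slide lists as unsupported: space ( ) @ ' = | ? /
# '@' is handled structurally (a UPN or address must contain exactly one).
$BadChars = [regex]"[ ()'=|?/]"

function Test-MailboxStyleName {
    # Returns $null when "$Value" is a clean local-part@domain, otherwise the reason.
    param([string] $Value, [string] $Kind)
    $parts = $Value.Split('@')
    if ($parts.Count -ne 2 -or $parts[0] -eq '' -or $parts[1] -eq '') {
        return "$Kind '$Value' must be local-part@domain"
    }
    if ($BadChars.IsMatch($parts[0]) -or $BadChars.IsMatch($parts[1])) {
        return "$Kind '$Value' contains an unsupported character"
    }
    return $null
}

function Test-UpnForSync {
    param([string] $Upn, [string[]] $Suffixes)
    if ([string]::IsNullOrWhiteSpace($Upn)) { return @('UPN is empty') }
    $issues = @()
    $structural = Test-MailboxStyleName -Value $Upn -Kind 'UPN'
    if ($structural) {
        $issues += $structural
    } elseif ($Suffixes -notcontains $Upn.Split('@')[1]) {
        # An unverified suffix is rewritten to <tenant>.onmicrosoft.com in O365,
        # so the user is never redirected to AD FS and gets no SSO.
        $issues += "UPN suffix '$($Upn.Split('@')[1])' is not verified in O365"
    }
    return $issues
}

function Test-ProxyAddresses {
    param([string[]] $ProxyAddresses)
    $issues = @()
    # Exactly one uppercase 'SMTP:' entry marks the primary address (case matters).
    $primary = @($ProxyAddresses | Where-Object { $_ -cmatch '^SMTP:' })
    if ($primary.Count -ne 1) {
        $issues += "expected one primary SMTP: address, found $($primary.Count)"
    }
    foreach ($addr in $ProxyAddresses) {
        if ($addr -notmatch '^smtp:') { continue }   # X500:, SIP: etc. are not checked here
        $structural = Test-MailboxStyleName -Value ($addr -replace '^smtp:', '') -Kind 'proxy address'
        if ($structural) { $issues += $structural }
    }
    return $issues
}

function Get-SyncReadinessReport {
    param([object[]] $UserObjects, [string[]] $Suffixes)
    foreach ($u in $UserObjects) {
        $issues = @()
        $issues += @(Test-UpnForSync -Upn $u.userPrincipalName -Suffixes $Suffixes)
        $issues += @(Test-ProxyAddresses -ProxyAddresses @($u.proxyAddresses))
        [pscustomobject]@{
            sAMAccountName = $u.sAMAccountName
            UPN            = $u.userPrincipalName
            Ready          = ($issues.Count -eq 0)
            Issues         = ($issues -join '; ')
        }
    }
}

# Constructed sample users (not real accounts): one clean, one with a
# non-routable .local suffix, one with a space in the name and no primary SMTP.
$Users = @(
    [pscustomobject]@{ sAMAccountName = 'mhorvat'; userPrincipalName = 'mhorvat@kif.hr'
                       proxyAddresses = @('SMTP:mhorvat@kif.hr', 'smtp:marko.horvat@kif.hr') }
    [pscustomobject]@{ sAMAccountName = 'ikovac';  userPrincipalName = 'ikovac@kif.local'
                       proxyAddresses = @('SMTP:ikovac@kif.hr') }
    [pscustomobject]@{ sAMAccountName = 'ana n';   userPrincipalName = 'ana n@student.kif.hr'
                       proxyAddresses = @('smtp:ana.novak@student.kif.hr') }
)

Get-SyncReadinessReport -UserObjects $Users -Suffixes $VerifiedSuffixes | Format-Table -AutoSize
```

Run it before the first DirSync export: the second and third sample users come back with `Ready = False`, which is the state you want to discover in AD rather than in the O365 portal after a user has already been created with a wrong UPN.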
SSL certificates for AD FS
• Trusted public certificates (TERENA)
• Required for the AD FS server and the Web Application Proxy (WAP) server
Configuring the AD FS server
• AD FS Federation Server Configuration Wizard
  • create a new federation service
  • Federation Server Farm (recommended even when only a single server is being configured)
AD FS Server 3.0
• A server farm that hosts the Federation Service
• At least two load-balanced federation servers are recommended
Web Application Proxy (WAP)
• The proxy servers relay user authentication requests that arrive from outside the local network
• They should be placed in the DMZ
Example of the logical infrastructure required for SSO with O365 (diagram)
Configuring the Federation Trust
• Windows Azure AD Module for Windows PowerShell
Configuring the Federation Trust
• Set the credential variable (Global Administrator)
$cred = Get-Credential
• Connect to Microsoft Online Services
Connect-MsolService -Credential $cred
• Set the MSOL ADFS context to the AD FS server
Set-MsolADFSContext -Computer adfs_servername.domain_name.com
Configuring the Federation Trust
• Convert the domain to a federated domain
Convert-MsolDomainToFederated -DomainName domain_name.com
• Successful federation
Successfully updated 'domain_name.com' domain.
• Verify the federation
Get-MsolFederationProperty -DomainName domain_name.com
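The federation-trust steps above, as an added example (PowerShell; not code from the presentation) that wraps the slide's cmdlets in a script with the pre-flight checks worth running before `Convert-MsolDomainToFederated` changes how every user in the domain signs in. Everything beyond the slide's cmdlets (the verified/already-federated checks, the `-SupportMultipleDomain` switch for a farm that serves several suffixes, and the token-signing certificate expiry report) is an addition; the domain and AD FS host names are the slide's placeholders.

```powershell
# Added example, not from the presentation. Federates a verified O365 domain
# with an on-premises AD FS farm and verifies the result.
# MSOnline cmdlets used: Connect-MsolService, Set-MsolADFSContext, Get-MsolDomain,
# Convert-MsolDomainToFederated, Get-MsolFederationProperty,
# Get-MsolDomainFederationSettings. Placeholders are the ones from the slide.
param(
    [string] $DomainName = 'domain_name.com',
    [string] $AdfsServer = 'adfs_servername.domain_name.com',
    # Use this when one AD FS farm will serve more than one UPN suffix (e.g.
    # kif.hr, student.kif.hr, alumni.kif.hr). It must be used from the first
    # conversion onward so AD FS issues a per-domain IssuerID claim.
    [switch] $MultipleDomains
)

Import-Module MSOnline -ErrorAction Stop

$cred = Get-Credential -Message 'Office 365 Global Administrator'
Connect-MsolService -Credential $cred

# Set-MsolADFSContext talks to the AD FS server over remote PowerShell, so run
# this from a domain-joined machine as an account that administers AD FS.
Set-MsolADFSContext -Computer $AdfsServer

# Pre-flight 1: the domain must already be added and verified in the tenant;
# conversion of an unverified domain fails and users keep .onmicrosoft.com UPNs.
$domain = Get-MsolDomain -DomainName $DomainName
if ($domain.Status -ne 'Verified') {
    throw "Domain $DomainName is not verified in the tenant (status: $($domain.Status))."
}

# Pre-flight 2: do not convert twice. Authentication is 'Managed' for cloud or
# DirSync-with-password domains and 'Federated' once a trust exists.
if ($domain.Authentication -eq 'Federated') {
    Write-Warning "$DomainName is already federated; skipping conversion."
} else {
    # This is the cut-over: from here on Azure AD redirects every sign-in for
    # this suffix to AD FS, so the AD FS farm and the WAP servers in the DMZ
    # must already be reachable (and their TERENA certificates in place).
    if ($MultipleDomains) {
        Convert-MsolDomainToFederated -DomainName $DomainName -SupportMultipleDomain
    } else {
        Convert-MsolDomainToFederated -DomainName $DomainName
    }
}

# Verify: compares the federation settings stored in Azure AD with those on the
# AD FS server (issuer URI, passive/active endpoints, token-signing certificate).
Get-MsolFederationProperty -DomainName $DomainName | Format-List

# Extra check: the token-signing certificate is what Office 365 trusts; record
# its expiry so the AD FS certificate rollover (followed by
# Update-MsolFederatedDomain) is scheduled before that date.
$settings = Get-MsolDomainFederationSettings -DomainName $DomainName
$certBytes = [Convert]::FromBase64String($settings.SigningCertificate)
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certBytes)
Write-Host ("Token-signing certificate expires {0:u} (thumbprint {1})" -f $cert.NotAfter, $cert.Thumbprint)
```

Run it once per UPN suffix the faculty verified; if more than one suffix will be served by the same farm, pass `-MultipleDomains` on every run, including the first.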
Configuring Directory synchronization
• DirSync.exe (installation)
  • uncheck "Synchronize directories now"
• Start the UI
%ProgramFiles%\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell\miisclient.exe
• In the Identity Manager select the OUs to synchronize
Demo 2 - DirSync Filtering
Contents, part 3:
• Forcing AD synchronization
• Checking that synchronization succeeded
• AD FS vs. DirSync with Password Sync
• Conclusion
Forcing AD synchronization
• Start PowerShell with the DirSync cmdlets loaded
"%ProgramFiles%\Windows Azure Active Directory Sync\DirSyncConfigShell.psc1"
• In PowerShell run
Start-OnlineCoexistenceSync
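Forcing a run and checking that it succeeded, as an added example (PowerShell; not code from the presentation). `Start-OnlineCoexistenceSync` only queues the run, so the script polls the tenant's `LastDirSyncTime` until it moves, then lists synchronized users whose UPN suffix is not one of the faculty's federated suffixes, since those users will never be redirected to AD FS. The console file is the one from the slide; the MSOnline cmdlets `Get-MsolCompanyInformation` and `Get-MsolUser -Synchronized` and the 15-minute timeout are additions, and the suffix list is an assumption taken from the earlier slide.

```powershell
# Added example, not from the presentation. Forces a DirSync run, waits for the
# tenant to report it, then looks for synced users that will not get SSO.
# Run on the DirSync server (needs the console file) with MSOnline installed.

$VerifiedSuffixes = @('kif.hr', 'student.kif.hr', 'alumni.kif.hr')   # assumption: the slide's suffixes
$ConsoleFile = Join-Path $env:ProgramFiles 'Windows Azure Active Directory Sync\DirSyncConfigShell.psc1'
$Timeout     = New-TimeSpan -Minutes 15                                 # assumption

Import-Module MSOnline -ErrorAction Stop
Connect-MsolService -Credential (Get-Credential -Message 'Office 365 Global Administrator')

# Remember the last run the tenant saw, so a new run can be told from the old one.
$before = (Get-MsolCompanyInformation).LastDirSyncTime

# Start-OnlineCoexistenceSync is only available in the DirSync console, so run
# it in a child powershell.exe loaded with that console file. It returns as soon
# as the run is queued, not when it has finished.
& powershell.exe -PSConsoleFile $ConsoleFile -Command 'Start-OnlineCoexistenceSync'

# Poll the tenant until LastDirSyncTime moves forward, or give up after $Timeout.
$deadline = (Get-Date) + $Timeout
do {
    Start-Sleep -Seconds 30
    $after = (Get-MsolCompanyInformation).LastDirSyncTime
} until (($after -gt $before) -or ((Get-Date) -gt $deadline))

if (-not ($after -gt $before)) {
    throw "Tenant still reports LastDirSyncTime = $after; check the run history in miisclient.exe on the DirSync server."
}
Write-Host "Directory sync completed; tenant LastDirSyncTime = $after"

# A synced user whose on-premises UPN suffix is not a verified domain is created
# with a <tenant>.onmicrosoft.com UPN: the account exists, but sign-ins for it
# are handled in the cloud and never sent to AD FS, so that user has no SSO.
$synced  = @(Get-MsolUser -Synchronized -All)
$problem = @($synced | Where-Object {
    $suffix = $_.UserPrincipalName.Split('@')[1]
    ($suffix -like '*.onmicrosoft.com') -or ($VerifiedSuffixes -notcontains $suffix)
})

"{0} synchronized users, {1} with a UPN suffix that is not federated" -f $synced.Count, $problem.Count
$problem | Select-Object DisplayName, UserPrincipalName, LastDirSyncTime | Format-Table -AutoSize
```

Any user in the second list should be fixed in the on-premises AD (correct UPN suffix, then another sync), not in the portal, because the next sync would overwrite a cloud-side change.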
AD FS vs. DirSync with Password Sync
Conclusion
• Significantly better user experience for internal users
• Greater demands on internal resources
  • Servers
  • Administration
Questions and answers.