Wednesday, June 9, 2010

Microsoft Business Productivity Online Standard Suite (BPOS) v:Next Identity and Access solutions. June 9th, 2010

 

Microsoft Online Services:

Enterprise class software delivered via subscription services hosted by Microsoft and sold with partners.

  • SharePoint Online
  • Forefront Online
  • Exchange Online
  • Office Live Meeting
  • Office Communications Online

Financial Benefits:

  • Reduce both capital expenditure and operational expense
  • No hardware buildout cost
    • No more periodic server upgrade consulting projects
    • Software offered as a pure subscription
  • Make your cost even and predictable
    • Flat per-user per month fee
    • No need to renew software and hardware purchases every few years
    • Your price is protected for the duration of your contract
  • Buy what you need when you need it
    • Avoid over purchasing
    • Scale as your business grows
    • Get the right license for the right users with deskless worker option

Current identity options summary

  1. Microsoft Online ID’s:
    1. ID’s are mastered in the service/cloud
    2. Password Policy is in the cloud
  2. Microsoft Online ID’s & Directory Sync
    1. ID’s are mastered on premise, and synchronized to the service/cloud in the form of Microsoft Online ID’s
    2. Password policy is in the cloud
  3. Directory Synchronization to Microsoft Online Services
    1. Syncs Users, Groups, and Contacts
    2. All users are synced as logon disabled and deactivated users initially. (process runs on local DC’s)

Feedback from customers:

  • No SSO with corporate credential
  • Painful to manage separate corporate and cloud credential
  • Password Policy is not configurable
  • Role-based administration not possible
  • Strong authentication (2FA) not available
  • Platform provisioning API’s are not available.

MS Online identity features roadmap

  • Federated ID’s
  • Directory Synchronization updates
  • Role Based Administration
    • Five admin roles
      • Company Admin
      • Billing admin
      • User Account Admin
      • Helpdesk Admin
      • Service Support Admin
  • “Admin on behalf of” for support partners

Authentication options

Microsoft Online ID                                         | Federated ID
------------------------------------------------------------|-----------------------------------------------------------------------
Sign in with cloud identity                                 | Sign in with corporate ID
Authentication happens in the cloud                         | Authentication happens on premise
Users have two ID’s – one to access on-premises services & one for cloud services | Users have a single credential to provide SSO to on premises and cloud services
Users prompted for credentials                              | Users get true SSO
Manages password policy in the cloud and on premise         | Manages password policy on premise only
Password reset for on premise & MS Online ID’s              |
No 2FA                                                      |

Identity architecture: Federated ID’s

  1. Federation Gateway – runs in the cloud.
  2. Requires AD FS 2.0 on premise and a trust between the Federation Gateway and AD FS
    1. You still need to use Directory Sync to sync users, groups, etc.

GOAL: Establish a trust relationship with Microsoft Online Services

  1. Accomplished via the MS Online Identity Federation Management tool
  2. Identity federation is configured in a two-step process
    1. Install and configure AD FS 2.0 server
    2. Run the tool to establish a trust for a domain

Online Identity Management Tool

  1. Powershell cmdlets and UI tool
  2. Tool functionality
    1. Add a new identity federated domain
    2. Convert a standard domain to an identity federated domain
    3. Convert an identity federated domain back to a standard domain
    4. Converts users back to Microsoft Online ID’s
    5. Update the identity federated domain
    6. Get the identity federated domain properties
    7. Remove the identity federated domain

Active Directory Federation Server 2.0 deployment options

  1. Single server configuration
  2. AD FS 2.0 server farm behind a load balancer
  3. AD FS 2.0 proxy server (for offsite users) deployed in DMZ

Identity federation

  1. Protocols supported
    1. WS-*, SAML1.1
    2. SAML2.0 (for EDU’s) coming later (Shibboleth)
    3. AD FS 2.0 supports SAML2.0
  2. Microsoft Online Services requirements
    1. MS Online business scenarios always use WS-*
    2. WS-Trust provides support for rich client authentication
  3. Strong authentication solutions for web applications
    1. Via ADFS Proxy sign in page
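The federated model above only works if the cloud side (the Federation Gateway as relying party) actually checks the SAML 1.1 token that the on-premise AD FS 2.0 server issues over WS-*: right issuer, right audience, still inside its validity window, and a UPN claim to map onto the Microsoft Online ID. The following is an added example (not code from the session, Microsoft, or the federation tool) of that relying-party check over a constructed, unsigned sample assertion; the issuer URL, the audience URI and the UPN claim namespace are assumptions, and signature verification against the trusted AD FS certificate is left out and must happen before any of these checks in a real deployment.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}
TRUSTED_ISSUER = "http://adfs.contoso.example/adfs/services/trust"  # assumed
SERVICE_AUDIENCE = "urn:federation:MicrosoftOnline"                  # assumed
# Constructed sample of a SAML 1.1 assertion as an on-premise AD FS 2.0 might
# issue for a federated user. Unsigned: verify the XML signature first in reality.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="_example-id" IssueInstant="2010-06-09T15:00:00Z"
    Issuer="http://adfs.contoso.example/adfs/services/trust">
  <saml:Conditions NotBefore="2010-06-09T15:00:00Z" NotOnOrAfter="2010-06-09T16:00:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>urn:federation:MicrosoftOnline</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="UPN" AttributeNamespace="http://schemas.xmlsoap.org/claims">
      <saml:AttributeValue>alice@contoso.example</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def _utc(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, now):
    """Return the UPN claim if issuer, validity window and audience check out."""
    root = ET.fromstring(xml_text)
    if root.get("Issuer") != TRUSTED_ISSUER:
        raise ValueError("untrusted issuer %r" % root.get("Issuer"))
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion carries no Conditions")
    # NotOnOrAfter is exclusive, so a token presented at expiry is already stale.
    if not (_utc(cond.get("NotBefore")) <= now < _utc(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)]
    if SERVICE_AUDIENCE not in audiences:
        raise ValueError("assertion not addressed to this service")
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("AttributeName") == "UPN":
            return attr.find("saml:AttributeValue", NS).text
    raise ValueError("no UPN claim to map onto a Microsoft Online ID")

def check_sample(at, xml_text=SAMPLE_ASSERTION):
    """Validate an assertion at ISO-8601 UTC time `at`; return the UPN or the rejection reason."""
    try:
        return validate_assertion(xml_text, _utc(at))
    except ValueError as err:
        return "rejected: " + str(err)
```

Running check_sample inside the window returns the UPN; at or after NotOnOrAfter, or with a different Issuer or Audience, it returns the rejection reason instead.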

Check out how busy this conference is:

[Photo: TechEd halls]

For some reason I keep choosing the sessions that are on opposite sides of the convention center too. I estimate that it's about a half mile in length. My pedometer is putting me over 20,000 steps every day!

Blog note – taking notes in Windows Live Writer and then editing later is the BEST way to get a good formatted blog.  Sorry iPad. This darn laptop is heavy though…

2 comments:

  1. OK - I know that Live Writer totally hosed that table. I'll fix it tonight. :(

  2. Fixed. Had to modify the html code for the table. Microsoft had assigned the table a width of 483, and the cells a higher value. :P