Choosing)the)RightDirectory)Integraon)Framework)) for)Your ...resources.onelogin.com/Webinar-Choosing-the-Right-Directory... · Office 365 – Time to Federate with ADFS? ADFS Overhead

Extending Iden+ty to the Cloud:

Choosing the Right Directory Integra+on Framework for Your Cloud Applica+on PorBolio

Brian Desmond Microsoft MVP for Directory

Services

Collin Hachwi IT Infrastructure Manager

Elias Terman VP Product Marketing

Managing users

Corporate Network The Cloud

Signing into apps Securing and enabling mobile users

Enterprises' Challenges with Cloud and Iden+ty

Remote access to internal apps

VPN

Directory integra+on

Analyzing usage Managing apps Preven+ng unauthorized access

High Tech Media Healthcare Industrial Finance/Legal Education Services

OneLogin has 800+ paying customers in 44 countries across the globe

How Companies Use OneLogin

Employee Productivity

Customer Service Portals

Federation for partners

On-premise Integration

Eliminate passwords for

employees and provide one-click to

their apps.

Let customers sign into sales and

support apps with their social identity.

Establish trust relationship with partner identity

providers.

Bridge the gap between on-prem applications and

identity providers – and the cloud.

OneLogin Enterprise Iden+ty -‐ Key Capabili+es

Single sign-on Directory Integration

MFA

Reporting

Password Vaulting User Management

Global Enterprise-‐grade Infrastructure

Chicago

Dallas

Amsterdam

London

Local EU hos+ng conforms to developing EU data protec+on guidelines

Iden%ty in the Cloud with Microso4 and Azure

Brian Desmond

Agenda

• Microso1 Azure Ac4ve Directory

•  Federa4on with Ac4ve Directory Federa4on Services •  Iden4ty and Office 365

Microso1 Azure Ac4ve Directory

• Microso1’s strategy for iden4ty in the cloud •  Iden4ty repository for cloud applica4ons •  Backing store for Office 365 services •  Single point of federa4on for applica4ons •  Rapidly emerging self-‐service and applica4on catalog func4onality

• Available in free and premium edi4ons

• Don’t confuse the brand with the features •  Ac4ve Directory Domain Services (AD DS) and Azure Ac4ve Directory do not have feature parity

Microso1 Azure Ac4ve Directory Premium Edi4on

•  Licensed per user under an Enterprise Agreement

•  Five key feature areas •  Branding and Customiza4on •  Group/Role Based Access Control •  Self Service Password Management •  Mul4-‐Factor Authen4ca4on •  Enhanced Security Repor4ng and Analy4cs

•  Factor in these capabili4es versus your business and technical requirements as you evaluate the free edi4on

Azure Ac4ve Directory Architecture

Ac4ve Directory Federa4on Services

• AD FS is the bridge from on-‐premises to the cloud •  You can federate each individual applica4on with AD FS •  You can also just federate with AAD and then federate each applica4on with AAD

•  Suppor4ng AD FS will require some new skills •  Interpre4ng HTTP traces is cri4cal •  Understanding federa4on protocols like SAML

•  The availability of your cloud services will never be greater than your iden4ty infrastructure

AD FS Infrastructure Considera4ons

• Consider your high availability requirements for AD FS • What infrastructure will you need to deploy? • What teams will you depend on to meet your goals?

•  Single site and mul4ple site op4ons are common

• Networking and DNS dependencies are key • Highly available SQL Server may also be required

Highly Available Single Site ADFS Deployment

Enterprise Network

DMZ

Web Applica4on

Proxy

Ac4ve Directory

AD FS Server

AD FS Server

Web Applica4on

Proxy

NLB

Highly Available Mul4 Site ADFS Deployment

Site A Enterprise Network

Ac4ve Directory

AD FS Server

AD FS Server

Site A DMZ

GLB NLB GLB NLB

Web Applica4on

Proxy

Web Applica4on

Proxy SQL Server Cluster

Site B Enterprise Network

Ac4ve Directory

AD FS Server

AD FS Server

Site B DMZ

GLB NLB GLB NLB

Web Applica4on

Proxy

Web Applica4on

Proxy SQL Server Cluster

SQ

L M

irror

ing

Prerequisites for Office 365 (and AAD)

• Azure Ac4ve Directory is founda4onal to Office 365

•  Synchronize your Ac4ve Directory forest to AAD •  Microso1’s Directory Synchroniza4on appliance takes care of this

•  Mul4-‐forest topologies will require custom integra4on

•  Establish federa4on with AD FS •  Password synchroniza4on is also an op4on

•  Ensure your infrastructure can deliver the SLAs you need to be successful with Office 365

The Big Picture

•  Cloud applica4ons and services are rapidly becoming the main stream •  Your IT organiza4on needs to evolve to respond to this shi1

•  Iden4ty management is a cri4cal component of the cloud picture •  Federa4on is a technology you must be on top of

•  The tools and services IT must run to run successfully in the cloud are new and evolving •  You will need to adapt both in skills and service sets to succeed as an enabler

•  Don’t discount the cost and complexity of new on-‐premises infrastructure

www.disys.com © 2013 Digital Intelligence Systems, LLC.

Office 365 and OneLogin Collin Hachwi

IT Infrastructure Manager

Digital Intelligence Systems, LLC

• Global Services and Staffing • 650 + employees and 4000 consultants, • Offices through US, Brazil, Asia and Europe

2 © 2013 Digital Intelligence Systems, LLC.

Digital Intelligence Systems, LLC

User Environment •  Increasing use of Cloud Apps:

Office 365, BMC Remedyforce, Concur

•  4,650 Users – personal devices, mobile access, 24/7, 20% YOY growth in users

•  Demanding and knowledgeable sales force

IT Environment •  Datacenter

•  5 person team with 50 simultaneous projects

•  Two Active Directory Instances

•  Opening 3 or 4 new offices per year

© 2013 Digital Intelligence Systems, LLC. 3

Time to Federate!

Office 365 – Time to Federate

Requirements

• Real-time directory integration • Quick provisioning and deprovisioning • Compliance reporting • Secure, easy to manage solution • Ability to go beyond Office 365 • 99.99% uptime SLA

5 © 2013 Digital Intelligence Systems, LLC.

Office 365 – Time to Federate with ADFS?

ADFS Overhead •  4 Servers: Compute, Storage &

Licensing •  On-going maintenance & support •  Impact on disaster recovery &

backup •  Specialized skills •  Clunky, too many components

Limited Functionality •  No reporting •  Not real time •  No security policies •  No integrated MFA •  No integration with Google Directory •  No support for form-based apps •  No provisioning with entitlements •  No mobile support


…but the biggest consideration was time



Prepare Plan Deploy Infrastructure Test Finalize

Federation Ongoing

Maintenance and Support

ADFS

1 2 3 4 5 6 7 8 9 10 11 12 ….

Prepare Plan Deploy and Test Federate Ongoing


OneLogin


Prepare Plan Finalize Federation Test

2 hr 2 hr 30 min 30 min

Prepare Plan Federate Test

OneLogin


OneLogin – Provisioning with Entitlements



OneLogin Provisioning with Entitlements

OneLogin – Desktop SSO


• Automatic sign-on within corporate network • One less step for end users

OneLogin – Desktop SSO


• Automatic sign-on within corporate network • One less step for end users

OneLogin – MFA Policies


• Supported without any special hardware or software


OneLogin – MFA Policies

• Supported without any special hardware or software

Assume User


OneLogin - Assume User


OneLogin – Real-time de-provisioning


• Do it once • All access to corporate data and apps is immediately removed

• Never over or under subscribed for apps

Recommendations


• Have a plan • Layout your groups and policies beforehand • Identify your report and security environment

Do More

•  Team is working on new business solutions •  Saved time and money •  Use anywhere on any device •  MFA support •  With subscription services, you are never under or over provisioned •  More than just Office 365


Documents

Choosing)the)RightDirectory)Integraon)Framework)) for)Your ...resources.onelogin.com/Webinar-Choosing-the-Right-Directory... · Office 365 – Time to Federate with ADFS? ADFS Overhead