Office 365 integration using organizational identities
- 3. Keys for success in security consulting
9.10.2014 © Nixu 2014
• Security consulting since 1988
• Capacity and reliability: 120 persons, 14 M€ turnover
• Secure premises: Finnish Defence Forces audited facilities
• No strings attached: Product vendor independent
Trust
• Certifications: CISSP, CISA, CISM, CSSLP, CPTS, GCIH, GCFA, GCIA, GSNA, GSSPC, CCNA, ISO27001 Auditor, MCSE, QSA, PA-QSA, etc.
• Payment Card Industry (PCI DSS) Qualified Security Assessor and ASV company
• ca. 140 clients in over 400 assignments in 2013
• Assignments in around 20 countries
Experience
• Productized methodology for projects guarantees high quality
• Global standards: TOGAF, ITIL, OWASP, ISO27001, ISF, PCI DSS, etc
• Quality assurance included in each project, each project has a team
• Secure practices for transmitting, storing and destroying confidential data
Methodology
99% of our clients say they can recommend Nixu*
* Fall 2013 Customer satisfaction study
- 4. We have SAML 2.0 support!! (March 2014)
Source: http://blogs.office.com/2014/03/06/announcing-support-for-saml-2-0-federation-with-office-365/
- 5. …well, at least soon?!
“…the following scenarios are blocked when using SAML 2.0 or Shibboleth.
– Lync desktop client
– Applications such as Word, Excel, PowerPoint, Visio, etc. when accessing files from SharePoint Online
– Office 365 ProPlus licensing for Office desktop applications
– PowerShell access to Office 365
The update to the Office 2013 client applications is expected to be released later in 2014.”*
Source: http://blogs.office.com/2014/03/06/announcing-support-for-saml-2-0-federation-with-office-365/
- 6. Possibilities until then (and with legacy clients)
Standards support
– SAML 2.0 support has evolved slowly during 2013-2014
– WS-Federation
– WS-Trust
- 7. Customer requirements (in 2013)
Office 365 “reseller” business case
Existing local user base with external users
Existing authentication service with SAML 2.0 support (non-ADFS)
Flexible authentication to Office 365 for email
Mobile clients must work with Active Sync
IMAP must work
Multitenant and multidomain environment
- 8. High level architecture for passive authentication
[Diagram, components only: Browser Access; Outlook Web Access; Azure AD; IDM; SSO service with AuthN, AuthZ and user store, using forms based authentication.]
Identity attributes shown in the diagram:
first name
last name
display name
UPN=[default email address]
immutableID=[unique ID]
license type
location
(SMTP address, if a value other than the UPN is required)
- 9. High level architecture for proxy authentication
[Diagram, components only: Client using Basic auth; Exchange Online; Azure AD; IDM; SSO service with AuthN, AuthZ and user store, reached over SAML 2.0 ECP.]
Identity attributes shown in the diagram:
first name
last name
display name
UPN=[default email address]
immutableID=[unique ID]
license type
location
(SMTP address, if a value other than the UPN is required)
- 10. Challenges with integration
Active Sync client requires the use of the SAML 2.0 ECP profile (Enhanced Client or Proxy) with HTTP Basic Auth
Multitenancy, i.e. separating different domains in the IdP/SSO
Lack of logging in O365
Converting and modifying identities might take time
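The two architecture slides and the challenges above come together in the IdP: it must mint an assertion that carries immutableID and the UPN, keep tenant domains apart, and, for the proxy case, accept the HTTP Basic credentials that Exchange Online relays under the ECP profile. The following is an added example written for this page, not Nixu's code and not Microsoft's; the tenant table, issuer URLs, user store, passwords and immutableID values are all constructed. The IDPEmail attribute name and the urn:federation:MicrosoftOnline audience follow the O365 SAML 2.0 implementors guide linked on slide 15; XML signing, which a real IdP must perform, is omitted.

```python
import base64, hashlib, hmac, uuid
import datetime as dt
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
S = "{%s}" % SAML_NS                          # Clark-notation tag prefix for ElementTree
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
AUDIENCE = "urn:federation:MicrosoftOnline"   # audience Office 365 expects in an assertion
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
ET.register_namespace("saml", SAML_NS)

# Constructed tenant table: each federated domain has its own issuer (entity ID), so an
# assertion minted for tenant A can never pass as one for tenant B (multitenancy, slide 10).
TENANT_ISSUER = {
    "tenant-a.example": "https://sso.example.net/idp/tenant-a",
    "tenant-b.example": "https://sso.example.net/idp/tenant-b",
}
_SALT = b"constructed-demo-salt"              # constructed; use a random per-user salt in practice

def _pw_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 100_000)

# Constructed user store with the attributes from slides 8-9: the UPN doubles as the
# default e-mail address and immutableID is the stable unique ID that never changes.
USERS = {
    "alice@tenant-a.example": {"immutableID": "a7c0-0001", "pw": _pw_hash("alice-pass")},
    "bob@tenant-b.example": {"immutableID": "a7c0-0002", "pw": _pw_hash("bob-pass")},
}

def issuer_for(upn):
    """Issuer registered for the UPN's domain, or None when the domain is not federated."""
    return TENANT_ISSUER.get(upn.rsplit("@", 1)[-1].lower())

def build_assertion(upn, now, lifetime=dt.timedelta(minutes=5)):
    """Minimal unsigned assertion: NameID carries immutableID, attribute IDPEmail carries
    the UPN. A production IdP signs this element; XML signing is omitted here."""
    a = ET.Element(S + "Assertion", ID="_" + uuid.uuid4().hex, Version="2.0")
    a.set("IssueInstant", now.strftime(TIME_FMT))
    ET.SubElement(a, S + "Issuer").text = issuer_for(upn)
    subject = ET.SubElement(a, S + "Subject")
    ET.SubElement(subject, S + "NameID", Format=PERSISTENT).text = USERS[upn]["immutableID"]
    cond = ET.SubElement(a, S + "Conditions", NotBefore=now.strftime(TIME_FMT),
                         NotOnOrAfter=(now + lifetime).strftime(TIME_FMT))
    ET.SubElement(ET.SubElement(cond, S + "AudienceRestriction"), S + "Audience").text = AUDIENCE
    stmt = ET.SubElement(a, S + "AttributeStatement")
    attr = ET.SubElement(stmt, S + "Attribute", Name="IDPEmail")
    ET.SubElement(attr, S + "AttributeValue").text = upn
    return ET.tostring(a, encoding="unicode")

def basic_header(username, password):
    """Authorization header value an ActiveSync or IMAP client sends with Basic auth."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")

def parse_basic_auth(header):
    """Decode 'Basic <base64>' into (username, password); None for anything malformed."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, sep, password = base64.b64decode(blob, validate=True).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return (user, password) if sep else None

def ecp_authenticate(auth_header, now):
    """IdP-side ECP step: verify the Basic credentials Exchange Online relays on behalf of
    a proxy-authenticated client, then mint the assertion. Returns None on failure."""
    creds = parse_basic_auth(auth_header)
    if creds is None:
        return None
    upn, password = creds
    stored = USERS.get(upn, {}).get("pw", b"")
    if not hmac.compare_digest(stored, _pw_hash(password)):   # constant-time comparison
        return None
    return build_assertion(upn, now)

def validate_assertion(xml_text, now):
    """Relying-party checks: issuer is the one registered for the UPN's domain, audience is
    ours, validity window contains now. Returns (upn, immutableID) or raises ValueError."""
    a, ns = ET.fromstring(xml_text), {"saml": SAML_NS}
    upn = a.findtext("saml:AttributeStatement/saml:Attribute[@Name='IDPEmail']"
                     "/saml:AttributeValue", namespaces=ns) or ""
    expected = issuer_for(upn)
    if expected is None or a.findtext("saml:Issuer", namespaces=ns) != expected:
        raise ValueError("issuer is not authorised for the UPN's domain")
    cond = a.find("saml:Conditions", ns)
    if cond is None or cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=ns) != AUDIENCE:
        raise ValueError("wrong or missing audience")
    try:
        not_before = dt.datetime.strptime(cond.get("NotBefore"), TIME_FMT)
        not_on_or_after = dt.datetime.strptime(cond.get("NotOnOrAfter"), TIME_FMT)
    except (TypeError, ValueError):
        raise ValueError("missing or malformed validity window")
    if not (not_before <= now < not_on_or_after):
        raise ValueError("assertion outside its validity window")
    return upn, a.findtext("saml:Subject/saml:NameID", namespaces=ns)
```

Two design points follow from the slides. Because Exchange Online forwards the client's Basic credentials to the IdP, the IdP is where password verification, logging and rate limiting of ActiveSync and IMAP logins happen, which matters given the lack of logging in O365 noted above. And the validator ties the issuer to the UPN's domain rather than accepting any configured issuer, which is the check that keeps tenants separated in a multitenant IdP.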
- 11. Multiple clients in multiple platforms
Client | Platform | AuthN mechanism
Browser for MS Online and Outlook Web Access | PC / MAC | SAML 2.0 (passive authentication)
Outlook 2007/Outlook 2010/2013?, Exchange ActiveSync, POP/IMAP/SMTP client | PC / MAC? | Basic authentication over SSL, SAML 2.0 (proxy authentication)
Lync 2010 | PC / MAC? | WS-Federation and WS-Trust
Lync mobile >5.2 | iOS, Windows Phone | SAML 2.0 (passive authentication)
Office 2010/Office 2007/2013? applications | PC / MAC? | Active authentication with WS-Trust
- 12. Identity provisioning alternatives
Manual
PowerShell
DirSync
Forefront Identity Manager (Windows Azure Active Directory Connector)
Azure AD Graph API (2014)
- 13. Other uses for SAML based federation
Many SaaS and cloud providers support SAML 2.0
– e.g. Salesforce, Yammer, Zendesk, Google Apps, etc.
- 14. Main takeaways
Standards based integration is still in the making
Plan your business case
Plan your use cases
You need to know your authentication protocols
ADFS is not the only option; other SSO products work as well
– Currently with mixed protocols, in the future with SAML 2.0*
* source: http://blogs.office.com/2014/03/06/announcing-support-for-saml-2-0-federation-with-office-365/
- 15. Links
Announcing support for SAML 2.0 federation with Office 365
http://blogs.office.com/2014/03/06/announcing-support-for-saml-2-0-federation-with-office-365/
O365 SAML 2.0 implementors guide
http://go.microsoft.com/?linkid=9844221
- 16. Thank you!
Nixu Oy
www.nixu.fi/blogi - www.tietovastuu.fi - twitter: @nixutigerteam
P.O. Box 39 (Keilaranta 15), FI-02150 Espoo, Finland
Tel +358 9 478 1011, Fax +358 9 478 1030, nixu.sales@nixu.com
Joonatan Henriksson
joonatan.henriksson@nixu.com
+358 50 342 3472
Twitter: @jonttuh
Speaker notes
- Certifications held (number of staff holding each):
• CCNA Cisco Certified Network Associate: 1
• CISA Certified Information Systems Auditor: 4
• CISM Certified Information Security Manager: 2
• CISSP Certified Information Systems Security Professional: 10
• CompTIA Security+: 1
• CPTS Certified Penetration Testing Specialist: 2
• CSSLP Certified Secure Software Lifecycle Professional: 5
• GCFA GIAC Certified Forensic Analyst: 1
• GCIA Gold GIAC Certified Intrusion Analyst: 1
• GCIH GIAC Certified Incident Handler: 2
• GSEC GIAC Security Essentials Certification: 1
• GSNA GIAC Systems and Network Auditor: 2
• GSSPC GIAC Secure Software Programmer - C: 2
• ISO/IEC 27001:2005 Certified Auditor (BVQI): 1
• ISO/IEC 9000:2000 series Certified Auditor (BVQI): 1
• ITIL foundations v2: 2
• ITIL foundations v3: 2
• MCSE Microsoft Certified Systems Engineer: 1
• PA-QSA Payment Application Qualified Security Assessor: 1
• QPASP Qualified Payment Application Security Professional: 1
• QSA Qualified Security Assessor: 6
• RHCT Red Hat Certified Technician: 1
• Terena Certified CSIRT member: 1
• Ubisecure IAM Academy Qualified: 2
• VMware Certified Professional: 1