This subject will be looking at what ADFS is, what are the environmental requirements, and how to configure it with Office 365. Note: this post is based on the Office 365 Beta for Enterprises. The post will be split into the following two parts:
Office 365 supports identity federation which allows true single sign-on capabilities. This is achieved through Active Directory Federation Services (ADFS) 2.0. With identity federation, users can enter their Active Directory credentials to access Office 365 services.
An ADFS 2.0 solution consists of the following components:
- ADFS server(s) (internal network joined to AD forest)
- ADFS Proxy Server(s) (perimeter network used to support remote users)
There are three basic ADFS 2.0 deployment options for Office 365 with differing levels of access and availability:
- Single server configuration
- ADFS 2.0 server farm and load-balancer
- ADFS 2.0 Proxy server(s) for offsite users
Benefits of implementing ADFS:
- Improves user productivity by enabling true single sign-on to domain joined computers
- Reduces usability issues by allowing users to use AD credentials to access all Office 365 services and not have to remember two identities and two passwords
- Allows administrators the ability to enforce the organization’s password policies and account restrictions in both the on-premises and cloud-based organizations
- Increases security of AD credentials since passwords are never synced to the cloud, all authentication happens on-premises
- Reduces overall administration time and costs associated due to the above points
The following are different sign-on experiences when using Federated Identity depending on location and status of computer:
Environment | Sign-in Experience |
Outlook 2010 on Windows 7 | No prompt*** |
Outlook 2007 on Windows 7 | Sign in each session* |
Outlook 2010/2007 on Windows Vista or XP | Sign in each session** |
Exchange ActiveSync | Sign in each session** |
POP, IMAP | Sign in each session** |
Web Experiences: Office 365 Portal, Outlook Web App, SharePoint Online, Office Web Apps | No prompt |
Office 2010/2007 using SharePoint Online | No prompt |
Lync Online | No prompt |
Outlook for Mac 2001 | Sign in each session** |
* – Outlook 2007 will be updated after Office 365 has been made generally available to have same experience as Outlook 2010 on Windows 7
** – When first prompted, you can save your password for future use. You will not receive another prompt until you change the password
*** – In beta period, you will be prompted when first accessing the services
Authentication Mechanisms when using Federated Identity:
Application | Authentication Mechanism |
Web browser | Web sign in, WS-Trust and WS-Federation (ADFS 2.0) |
Outlook 2010 on Windows 7 | Web sign in, WS-Trust and WS-Federation (ADFS 2.0) |
Outlook 2007 on Windows 7 | Basic over SSL, authenticated via the ADFS 2.0 proxy |
Outlook 2010/2007 on Windows Vista and XP | Basic over SSL, authenticated via the ADFS 2.0 proxy |
Exchange ActiveSync | Basic over SSL, authenticated via the ADFS 2.0 proxy |
POP/IMAP/SMTP client | Basic over SSL, authenticated via the ADFS 2.0 proxy |
Lync Online | Web sign in, WS-Trust and WS-Federation (ADFS 2.0) |
Note that Outlook 2007 is planned to be backported to support WS-Trust and WS-Federation after the beta period.
Two-Factor Authentication can be achieved for Office 365. The Office 365 Beta Identity Service Description describes the requirements.
The following are requirements of ADFS 2.0:
- Microsoft Online Services Directory Synchronization tool (DirSync) is installed
- ADFS servers must have Windows 2008 or Windows 2008 R2 Server operating system installed
- Client computers must be running the latest updates of Windows 7, Windows Vista, or Windows XP (running the Office 365 Desktop Setup from the Office 365 portal will automatically install necessary updates)
- Public SSL certificate to secure traffic associated with ADFS
- Microsoft Online Services Identity Federation Management Tool to establish trust with Office 365
Capacity Planning
When identity federation is enabled and configured in Office 365 there is no fall-back to a different form of authentication if ADFS servers fail. This means that if ADFS servers are not available, users will not be able to authenticate with Office 365 servers. It is very important to configure a highly available ADFS solution utilizing multiple servers and hardware or software load balancing. It is also critical to implement a monitoring solution for the ADFS servers. This includes both the internal ADFS servers and the ADFS proxy servers.
Namespace Planning
ADFS currently only allows for one namespace per ADFS farm/instance. If your company will support multiple namespaces for authentication, you will need to implement an ADFS infrastructure for each. Only internet routable domains that have been validated within Office 365 can be used in an ADFS deployment. If your organization has a non-routable domain for the AD infrastructure (such as .local, .priv, etc), you will need to add a UserPrincipalName (UPN) suffix in AD and configure each user with that UPN suffix (discussed in Part 2).
Summary
Part 1 of this post introduced ADFS 2.0 in relation to Office 365 and discussed environmental requirements required to implement. Part 2 will walk through the configuration of ADFS 2.0 and Office 365.
References: