Have you made the crucial decision to deploy the Federated Identity model for your Microsoft Office 365 cloud productivity suite? You might have made this decision based on business requirements such as keeping the user authentication process within your on-premises Active Directory and providing your users seamless single sign-on (SSO) with their existing Active Directory corporate credentials. Federation can also be used to provide single sign-on to other cloud-based and SaaS applications. Federated Identity for Office 365 has various benefits; however, it requires setting up Active Directory Federation Services (AD FS), AD FS Proxies, and the Directory Synchronization tool.
In this blog post, we discuss the various steps involved in configuring AD FS and enabling SSO for Office 365.
Architecture Planning for AD FS & Directory Synchronization
Federation Server and Federation Proxy
AD FS 3.0 is a component of Windows Server 2012 R2 and is included in the server license. From a planning perspective, we need to consider the two distinct roles of AD FS servers: the Federation Server and the Federation Proxy. The Federation Server performs the bulk of the workload. It is the central point of administration, and it is where the majority of users authenticate using Kerberos. It issues the claims and sends them to the browser for authentication. It is joined to the production Active Directory and usually resides on the internal network. The Federation Proxy works in conjunction with the Web Application Proxy role and is the gateway to the federation infrastructure. It may or may not be joined to Active Directory. It usually resides in the DMZ and is exposed to the internet. From a user perspective, internal users authenticate and receive their claims from the internal Federation Server, whereas external users connect to the proxy to receive their claims. The Federation Proxies do not authenticate users themselves but act as a gateway to the Federation Servers.
High Availability
To make sure that Office 365 services are always active and available, even during planned maintenance, a power outage, or any other failure, it is highly recommended to deploy the servers in pairs or multiples, depending on the number of your datacenters. High availability can be achieved through hardware or software load balancing.
Public IP Address
A public IP address is required for the NAT mapping at the external firewall. Because it is not recommended to expose the proxies directly to the internet, the public IP address is what external users connect to in order to reach the federation proxies.
User Principal Names
You will need to add a custom User Principal Name (UPN) suffix if your Active Directory uses a non-routable internal domain name such as mydomain.local. A custom UPN suffix lets you use an internet-routable public domain name, for example mydomain.com, to federate with Office 365. The UPN is an Active Directory attribute configured on each user account, and it must match the external namespace used for Office 365. The UPN suffix for the domain is added in Active Directory Domains and Trusts and can then be assigned to user accounts.
Prerequisites for AD FS and Office 365 Integration
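The suffix change described above, scripted as an added example (not from the original post): it registers the public suffix at the forest level, reports every account still carrying the non-routable suffix, and previews the rewrite. It assumes the ActiveDirectory RSAT module and Enterprise Admin rights; mydomain.local and mydomain.com are the placeholder names from the text.

```powershell
# Added example: register a routable UPN suffix and find accounts that would
# not match the Office 365 namespace before directory sync is enabled.
# Assumes the ActiveDirectory module (RSAT) and Enterprise Admin rights.
Import-Module ActiveDirectory

$internalSuffix = 'mydomain.local'   # non-routable AD DNS name (placeholder)
$publicSuffix   = 'mydomain.com'     # domain verified in Office 365 (placeholder)

# 1. Add the public suffix at the forest level (same as the Domains and Trusts UI).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $publicSuffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $publicSuffix }
}

# 2. Report accounts whose UPN would not match the Office 365 namespace.
$badUsers = Get-ADUser -Filter "UserPrincipalName -like '*@$internalSuffix'" `
                       -Properties UserPrincipalName, mail
$badUsers | Select-Object SamAccountName, UserPrincipalName, mail |
    Format-Table -AutoSize

# 3. Rewrite the suffix. -WhatIf previews the change; remove it to apply.
foreach ($u in $badUsers) {
    $newUpn = ($u.UserPrincipalName -split '@')[0] + '@' + $publicSuffix
    Set-ADUser -Identity $u -UserPrincipalName $newUpn -WhatIf
}
```

Run step 2 again after applying step 3; it should return nothing before you start synchronization.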
DNS
You will need a Federation Service Name, an FQDN or DNS label assigned to the federation infrastructure. It cannot be the same as the AD FS server name. It should be set up in split-brain DNS so that internal clients resolve it to the Federation Servers and external clients resolve it to the proxies. Alternatively, you can use a thumbprint record if you do not have split-brain DNS.
Certificates
You need to procure one public SSL service communications certificate; it can be obtained from any external registrar. You will also need token-signing and token-decrypting certificates, which can simply be self-signed.
Service Account
An Active Directory based service account or a normal user account is also a prerequisite. If your Active Directory is at the Windows Server 2012 functional level, you can also use a Group Managed Service Account (gMSA).
Azure AD Connect software (or any other older version of the Directory Synchronization tool)
Another piece of software that is needed is Azure AD Connect, which was recently released as a replacement for the DirSync tool. It can be acquired from https://www.microsoft.com/en-us/download/details.aspx?id=47594. Azure AD Connect uploads and syncs AD user and group information. It is installed on a single server in the corporate network and can connect to multiple forests. Azure AD Connect is much more robust than DirSync; the new capabilities include multi-forest support and write-back. It also provides user activity reporting.
AD FS Installation
Provision two VMs or hardware servers (Windows Server 2012 R2; on-premises, Azure, or EC2)
- Using Server Manager, install the AD FS role
- Install the public certificate that you procured
- No other configuration is required at this stage
Run through the AD FS setup wizard
- Assign the DNS federation service name
- Assign the service account
- Select the service communications certificate (SSL)
- Use self-signed for the other certificates
- Use the Windows Internal Database (WID) for AD FS storage. A WID-backed farm can have five AD FS servers. A SQL Server database can also be used for storage, but it comes with a license cost.
On the Second AD FS Server
- Install the role again
- Run through the setup wizard
- Join an existing farm
- Enter service account information
- Install the certificate
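The wizard steps above for the first and second server, scripted as an added example (not from the original post). It assumes the public SSL certificate is already imported into the Local Machine personal store, that the farm runs as a gMSA, and that sts.mydomain.com, CORP\svc-adfs$ and adfs01 are placeholder names.

```powershell
# Added example: build a two-node, WID-backed AD FS farm. Placeholders below.
$fsName  = 'sts.mydomain.com'        # Federation Service Name (split-brain DNS)
$gmsa    = 'CORP\svc-adfs$'          # gMSA identity; note the trailing $
$primary = 'adfs01.mydomain.local'   # first farm node

# One-time, on a domain controller: create the gMSA the farm will run as.
# Add-KdsRootKey -EffectiveImmediately
# New-ADServiceAccount -Name svc-adfs -DNSHostName $fsName `
#     -PrincipalsAllowedToRetrieveManagedPassword 'ADFS-Servers'

# Install the role on every farm member (Server Manager equivalent).
Install-WindowsFeature ADFS-Federation -IncludeManagementTools

# Select the service communications certificate by subject, newest first,
# and refuse to continue if no usable certificate with a private key exists.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$fsName*" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $fsName in LocalMachine\My" }

if ($env:COMPUTERNAME -ieq ($primary -split '\.')[0]) {
    # First server: create the farm on WID. Token-signing and token-decrypting
    # certificates are generated self-signed, as the wizard does.
    Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
                     -FederationServiceName $fsName `
                     -FederationServiceDisplayName 'My Domain Sign-In' `
                     -GroupServiceAccountIdentifier $gmsa
} else {
    # Second server: join the existing farm using the same certificate and account.
    Add-AdfsFarmNode -CertificateThumbprint $cert.Thumbprint `
                     -PrimaryComputerName $primary `
                     -GroupServiceAccountIdentifier $gmsa
}

# Verify on either node that the service name and certificates are what you expect.
Get-AdfsProperties | Select-Object HostName, Identifier
Get-AdfsCertificate -CertificateType Token-Signing |
    Select-Object Thumbprint, IsPrimary, @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } }
```

Record the token-signing thumbprint and expiry from the last command; Office 365 must be updated whenever that certificate rolls over.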
Enabling Directory Synchronization
Log onto the server that will run Azure AD Connect
- Can be an AD FS Server
- Cannot be a domain controller
- Log on with domain Enterprise Admin credentials (only one per O365 instance)
Install Azure AD Connect (or any other older version of the Directory Synchronization tool)
- Download the MSI from Microsoft
- Choose Custom Settings
- Enter your Azure AD administrator account
- Enter your AD Enterprise Admin Credentials
- Enter the primary federation server name and service account
Choose options (similar options are available in older versions of the Directory Synchronization tool)
- Write-back options
- Federated domain names
- Stage the sync or begin it immediately
- The wizard configures O365 federation automatically
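Checks to run once the wizard finishes, as an added example (not from the original post): it confirms the sync scheduler is running, that the domain was switched from Managed to Federated, that the federation endpoints Office 365 holds point at your farm, and that the Office 365 relying party trust exists. It assumes Azure AD Connect 1.1 or later (for the ADSync scheduler cmdlets), the MSOnline module, and the placeholder names mydomain.com, sts.mydomain.com and adfs01.

```powershell
# Added example: post-wizard verification from the Azure AD Connect server.
# Assumes the ADSync module (ships with Azure AD Connect 1.1+) and MSOnline.
Import-Module ADSync
Import-Module MSOnline
Connect-MsolService        # prompts for the Azure AD administrator account

$domain     = 'mydomain.com'        # federated domain (placeholder)
$fsName     = 'sts.mydomain.com'    # Federation Service Name (placeholder)
$adfsServer = 'adfs01'              # a farm node (placeholder)

# 1. Scheduler state: a staged install exports nothing to Azure AD.
$sched = Get-ADSyncScheduler
"Sync enabled: {0}; next run (UTC): {1}; in progress: {2}" -f `
    $sched.SyncCycleEnabled, $sched.NextSyncCycleStartTimeInUTC, $sched.SyncCycleInProgress
if ($sched.StagingModeEnabled) { Write-Warning 'Staging mode is on; nothing is exported yet' }

# 2. The wizard should have converted the domain to federated authentication.
$d = Get-MsolDomain -DomainName $domain
if ($d.Authentication -ne 'Federated') {
    Write-Warning "$domain is still '$($d.Authentication)'; federation was not applied"
}

# 3. The endpoints Office 365 redirects users to must be our farm, not a stale host.
$fs = Get-MsolDomainFederationSettings -DomainName $domain
if ($fs.PassiveLogOnUri -notlike "https://$fsName/*") {
    Write-Warning "PassiveLogOnUri is $($fs.PassiveLogOnUri); expected host $fsName"
}
$fs | Select-Object IssuerUri, PassiveLogOnUri, ActiveLogOnUri

# 4. On the AD FS side, the Office 365 relying party trust should now exist.
Invoke-Command -ComputerName $adfsServer -ScriptBlock {
    Get-AdfsRelyingPartyTrust -Name 'Microsoft Office 365 Identity Platform' |
        Select-Object Name, Enabled, Identifier
}

# 5. Run a delta cycle so the first federated users land in the tenant.
Start-ADSyncSyncCycle -PolicyType Delta
```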
Celestix Federated
The Celestix Federated solution simplifies AD FS deployments with reporting and audit capabilities. It is designed to deploy either onto existing AD FS servers running Windows Server 2012 R2 or onto new AD FS farm deployments. If you are considering or evaluating federation services, the Celestix Federated Series solution is simple to install and configure. For Office 365 deployments, we provide all the tools and steps in an easy-to-use wizard that configures all the necessary components. Contact us at [email protected] or call us at (510) 668-0700 for a live demo or a trial license for the Celestix Federated A and VA Series.
Celestix Federated A Series Appliance
Purpose-built appliance: it does not require the level of expertise that do-it-yourself solutions demand, reducing the time to deploy while lowering total cost of ownership.