Shibboleth 2.x with Office 365 David Fisher (dfisher) – 2/21/2013
Shibboleth 2.x with Office 365
• What is the Shibboleth Identity Provider (IdP)?
• Open source software package providing similar functionality as ADFS (e.g. SSO, Authentication, SAML 2.0)
• Popular implementation of SAML 2.x with Higher Education institutions world-wide
• Shibboleth is managed by the Shibboleth Consortium (http://www.shibboleth.net/index.html)
• Latest version is 2.3.6
• How do customers with a Shibboleth IdP* interoperate with Office 365?
• Set up a SAML 2.0 federation between Office 365 and their Shibboleth IdP
• Deploy DirSync for user provisioning with AD and deploy MSOMA+FIM for user provisioning from non-AD
Diagram: Supported Clients (Web Client, Email Rich Clients) federating to a Shibboleth 2.x IdP at Contoso.edu (AD) and at Fabrikam.edu (Non-AD), each provisioned with MSOMA + FIM.
* This means that only the Shibboleth implementation of SAML is supported, not any SAML implementation
Sign on experience (each cell gives the sign-in prompt, then the credentials used)
• Web Clients (Office with SharePoint Online, Outlook Web Application): Cloud Identity: Username and Password (Online ID); Federation w/ Shibboleth: Username and Password (On-premises credentials); Federation w/ ADFS/3rd party (non-domain joined): Username and Password (AD credentials)
• Exchange Clients (Outlook, Active Sync/POP/IMAP, Entourage): Cloud Identity: Username and Password (Online ID); Federation w/ Shibboleth: Username and Password* (On-premises credentials); Federation w/ ADFS/3rd party (non-domain joined): Username and Password (AD credentials)
• Rich Applications (SIA) (Lync, Office Subscriptions, CRM Rich Client): Cloud Identity: Username and Password (Online ID); Federation w/ Shibboleth: Not currently supported; Federation w/ ADFS/3rd party (non-domain joined): Username and Password (AD credentials)
* Exchange client support w/ Shibboleth requires the Enhanced Client/Proxy (ECP) extension to be enabled/configured
Deployment Considerations (Live@edu to Office 365 Upgrade)
Federation using the Shibboleth IdP supports the following clients:
• Web-based clients such as Outlook Web App and SharePoint Online.
• Email rich clients that use basic authentication and a supported Exchange access method such as IMAP, POP, Active Sync, or MAPI (you must install the Shibboleth IdP Enhanced Client/Proxy (ECP) extension), including:
• Microsoft Outlook 2007 and 2009
• Thunderbird 8 and 9
• iPhone (iOS 4, iOS 5)
• Windows Phone 7 & 8
Configuring Shibboleth ECP for Office 365
In Shibboleth's relying-party.xml, add the following ECP configuration entries to the Microsoft Online Relying Party node:

    <rp:RelyingParty id="urn:federation:MicrosoftOnline"
                     provider="https://idp.contoso.edu/idp/shibboleth"
                     defaultSigningCredentialRef="IdPCredential">
        <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
                                 signAssertions="conditional"
                                 encryptAssertions="never"
                                 encryptNameIds="never" />
        <rp:ProfileConfiguration xsi:type="saml:SAML2ECPProfile"
                                 signAssertions="always"
                                 encryptAssertions="never"
                                 encryptNameIds="never" />
    </rp:RelyingParty>

Add this binding to a local copy of the Microsoft Online metadata. NOTE: The public Microsoft Online metadata does not currently have the entry below.

    <AssertionConsumerService index="2"
                              Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
                              Location="https://login.microsoftonline.com/login.srf" />
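The two configuration points above are easy to get subtly wrong (an ECP profile that is present but does not sign assertions, or a metadata copy that still lacks the PAOS endpoint), and both are worth verifying before Exchange clients are cut over. The following script is an added example, not code from the presentation or from the Shibboleth project: it parses a relying-party.xml fragment and a local metadata copy and reports whether the urn:federation:MicrosoftOnline relying party has a SAML2ECPProfile with signAssertions="always" and whether a PAOS AssertionConsumerService exists. The two XML documents are constructed inline from the snippets on the slide; the namespace URIs are the standard Shibboleth 2.x relying-party and SAML 2.0 metadata namespaces, and the function names are my own.

```python
import xml.etree.ElementTree as ET

# Standard Shibboleth 2.x relying-party.xml and SAML 2.0 metadata namespaces.
NS = {
    "rp": "urn:mace:shibboleth:2.0:relying-party",
    "saml": "urn:mace:shibboleth:2.0:relying-party:saml",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}
XSI_TYPE = "{%s}type" % NS["xsi"]
PAOS_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
MSOL_ENTITY = "urn:federation:MicrosoftOnline"

# Constructed sample: the relying-party.xml fragment from the slide, wrapped in its group element.
RELYING_PARTY_XML = """<rp:RelyingPartyGroup xmlns:rp="urn:mace:shibboleth:2.0:relying-party"
    xmlns:saml="urn:mace:shibboleth:2.0:relying-party:saml"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <rp:RelyingParty id="urn:federation:MicrosoftOnline"
                   provider="https://idp.contoso.edu/idp/shibboleth"
                   defaultSigningCredentialRef="IdPCredential">
    <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile" signAssertions="conditional"
                             encryptAssertions="never" encryptNameIds="never"/>
    <rp:ProfileConfiguration xsi:type="saml:SAML2ECPProfile" signAssertions="always"
                             encryptAssertions="never" encryptNameIds="never"/>
  </rp:RelyingParty>
</rp:RelyingPartyGroup>"""

# Constructed sample: a minimal local copy of the Microsoft Online SP metadata with the PAOS entry added.
METADATA_XML = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="urn:federation:MicrosoftOnline">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                 Location="https://login.microsoftonline.com/login.srf"/>
    <md:AssertionConsumerService index="2" Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
                                 Location="https://login.microsoftonline.com/login.srf"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def check_ecp_profile(relying_party_xml):
    """Return (profile_present, signAssertions value) for the SAML2ECPProfile of the
    MicrosoftOnline relying party. The xsi:type prefix is whatever the file declares,
    so only the local name after the colon is compared."""
    root = ET.fromstring(relying_party_xml)
    for party in root.findall("rp:RelyingParty", NS):
        if party.get("id") != MSOL_ENTITY:
            continue
        for profile in party.findall("rp:ProfileConfiguration", NS):
            if profile.get(XSI_TYPE, "").split(":")[-1] == "SAML2ECPProfile":
                return True, profile.get("signAssertions")
    return False, None


def check_paos_endpoint(metadata_xml):
    """Return the Location of the PAOS AssertionConsumerService, or None if the
    local metadata copy still lacks it."""
    root = ET.fromstring(metadata_xml)
    for acs in root.iter("{%s}AssertionConsumerService" % NS["md"]):
        if acs.get("Binding") == PAOS_BINDING:
            return acs.get("Location")
    return None


def ecp_readiness(relying_party_xml, metadata_xml):
    """Collect human-readable findings; an empty list means both settings match the slide."""
    findings = []
    present, sign = check_ecp_profile(relying_party_xml)
    if not present:
        findings.append("no SAML2ECPProfile on %s" % MSOL_ENTITY)
    elif sign != "always":
        findings.append("SAML2ECPProfile signAssertions=%r, expected 'always'" % sign)
    if check_paos_endpoint(metadata_xml) is None:
        findings.append("local metadata lacks a PAOS AssertionConsumerService")
    return findings


if __name__ == "__main__":
    print("as configured:", ecp_readiness(RELYING_PARTY_XML, METADATA_XML) or "OK")
    # Weakened variant: ECP profile present but assertions unsigned.
    weak_rp = RELYING_PARTY_XML.replace('signAssertions="always"', 'signAssertions="never"')
    print("unsigned ECP:", ecp_readiness(weak_rp, METADATA_XML))
```

Point the two loaders at the real files (for example by reading them in with open()) to run this against a deployment; the checks are deliberately limited to what the slide prescribes, so they say nothing about the SSO profile or the IdP's signing credential.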
Non-AD Synchronization
• Preferred option for Directory Synchronization with Non-AD Sources
• Non-AD support with FIM is available through Microsoft-led deployments
• FIM 2010 Office 365 connector supports complex multi-forest topologies
Diagram: Windows Azure Active Directory; Office 365 Connector on FIM; Federation using Non-ADFS STS; Non-AD (LDAP) On-Premises Identity (Ex: Domain\Alice User).