Single Sign-On Showdown


Single Sign-On Showdown: ADFS vs Pass-Through Authentication
Max Fritz, Solutions Architect, SADA Systems
#ITDEVCONNECTIONS

Azure AD Identity Sync & Auth Timeline
- 2009: DirSync introduced for identity synchronization
- 2012: DirSync becomes Azure AD Sync
- 2013: Password Hash Sync added to AAD Sync
- 2015: Azure AD Sync becomes Azure AD Connect; introduces the Health engine
- 2017: msDS-ConsistencyGuid as source anchor; Pass-through Authentication introduced; Seamless SSO introduced

Azure AD Authentication Methods Today
- Cloud Only Identity: identities exist only in AAD; authentication handled by AAD
- Password Hash Synchronization: identities synced to AAD; authentication handled by AAD
- Pass-through Authentication: identities synced to AAD; authentication handled by local AD
- Federated (ADFS): identities synced to AAD; authentication handled by local AD
- 3rd Party Federated: identities synced to AAD; authentication handled by a third party

This session covers the three synced methods (Password Hash Synchronization, Pass-through Authentication and Federated/ADFS). In all three, identity synchronization happens through Azure AD Connect.

Sidebar: What is Azure AD Connect?
- Application installed on a Windows machine within your environment
- Integrates local Active Directory with Azure Active Directory
- Sync engine based on Microsoft Identity Manager (shared codebase)
- Uses a local SQL server for the sync database (can be a separate SQL server)
- Includes a monitoring component: Azure AD Connect Health
- Free for all Azure AD customers (so, just free)
- Can manage ADFS installations

Azure AD Connect is required for all authentication methods we will cover today. We will not demo installation or basic configuration of AADC today; however, AADC will be a part of some demos.

Authentication Methods: How We Will Rank
- Ease of Implementation
- Security
- Customization Options
- Available Features
- Usability
- Maintenance & Reliability

Scoreboard (criteria: Ease of Implementation, Security, Customizations, Features, Usability, Maintenance & Reliability)
- Password Sync + Seamless SSO: score 00
- PTA + Seamless SSO: score 00
- ADFS (2019): score 00

Password Hash Synchronization

Password Hash Synchronization
- Involves syncing hashed passwords to Azure AD
- Relies on Azure AD Connect
- Passwords synced every 2 minutes
- Authentication is completely cloud based

Password Hash Sync: Synchronization (identity delta sync every 30 minutes)
1. AADC requests MD4 password hashes from the DC via the MS-DRSR replication protocol (every 2 minutes)
2. The DC encrypts the MD4 hash in an MD5 envelope and sends it to AADC
3. AADC decrypts the MD5 envelope and expands the MD4 hash to 64 bytes
4. AADC adds a 10-byte salt to the MD4 hash and converts it to a SHA256 hash (using the PBKDF2 function)
5. The SHA256 hash is sent to Azure AD over SSL

Password Hash Sync: Sign-in (identity delta sync every 30 minutes)
1. User attempts to sign in to an app
2. Session is redirected to Azure AD for sign-in
3. User provides credentials to Azure AD
4. Azure AD applies the MD4 + salt + PBKDF2 + SHA256 process and validates the resulting hash against the stored hash
5. Azure AD completes sign-in
6. If successful, the user is granted access to the app

Password Hash Sync Considerations
- Locked-out local accounts are not properly reflected in AAD
- Disabled local accounts will not be disabled in AAD until an AADC sync cycle runs (can be manually triggered)
- MD4 hashes are notoriously easy to crack, and MD5 is not much harder
- The extra SHA-2 step (salted PBKDF2) makes the stored hash much harder to crack
- The extra hashing technically makes this more secure than local AD credentials
- Allows for leaked credential reports from Microsoft if AAD P1 licensing is in place
- Remember, Microsoft does not get your passwords; they only receive a triple-hashed password
- Required for use of Azure AD Domain Services

Pass-through Authentication

Pass-through Authentication (PTA)
- Relies on Azure AD Connect and PTA (AuthN) Agents
- Agents can be installed on multiple servers for high availability
- First agent is on the Azure AD Connect server
- Additional agents can be deployed via script or manually
- Networking: only requires outbound communication on 80, 443, and 8080 [for reporting status to AAD] (no inbound ports to open)
- Requires Server 2013 R2 or later

Pass-through Authentication: Sign-in (identity delta sync every 30 minutes)
1. User attempts to sign in to an app
2. Session is redirected to Azure AD for sign-in
3. User provides credentials to Azure AD
4. Azure AD produces encrypted passwords (1 for each PTA agent registered, using the public key of that agent) and places them onto the Service Bus for the tenant
5. A PTA agent retrieves the validation request (persistent connection) and decrypts the password using its private key
6. The PTA agent attempts credential validation against a Domain Controller
7. The DC provides the result to the PTA agent (success/failure/expired)
8. The PTA agent sends the result to Azure AD via a mutually authenticated HTTPS channel
9. Azure AD completes sign-in
10. If successful, the user is granted access to the app

Pass-through Authentication Considerations
- Locked and disabled local accounts are respected
- Supports alternate login IDs
- Fully supports Azure AD Conditional Access, since sign-in requests are still processed through AAD (as opposed to being redirected)
- Requires Modern Authentication*
- Supports AAD Smart Lockout (prevents brute-force attacks)
- Does not support leaked credential reports
- Not available in GCC at this time

Pass-through Authentication Demo

Seamless Single Sign-on

Seamless Single Sign-On
- Provides single sign-on capabilities to domain-joined machines
- Compatible with Password Hash Sync or PTA
- Requirements:
  - OS: Windows 7+ or Mac OS X, domain joined (to local AD)
  - Browsers: IE 10+, Chrome, Safari*, Firefox*; does not support Edge at this time
  - 1 URL needs to be added to the Intranet Zone (via Group Policy)
- Ability to register non-Windows 10 devices with Azure AD

Seamless SSO Authentication (browser based)
1. User attempts to sign in to an app from a domain-joined machine
2. Session is redirected to Azure AD for sign-in*
3. User provides username to Azure AD*
4. Azure AD challenges the browser to provide a Kerberos ticket
5. Browser requests a ticket from local AD for the AZUREADSSOACC computer account
6. AD returns the ticket to the browser, encrypted with the computer account's secret
7. Browser forwards the Kerberos ticket to Azure AD
8. Azure AD decrypts the ticket, identifies the user, and returns a token
9. If successful, the user is granted access to the app

Seamless Single Sign-On Considerations
- Opportunistic: if Seamless SSO fails, the sign-in experience falls back to regular behavior
- Sign-out supported: allows users to sign in with other credentials if desired
- Requires Modern Authentication
- Creates a computer account in the local AD named AZUREADSSOACC
- The Kerberos decryption key of this account, if compromised, could be used to generate Kerberos tickets for any user in the forest
- Recommendation is to manually roll over the key every 30 days (automated method coming soon)
- Only works when devices are on the local network

Seamless Single Sign-on Demo

Active Directory Federation Services

Active Directory Federation Services (2019)
- Requires Azure AD Connect for identity sync (which can also help manage the ADFS farm)
- Requires a minimum of 2 servers (1 Federation and 1 Proxy); recommended minimum of 4
- Allows for sign-in with more alternative methods: sAMAccountName, certificate, smart card, Windows Hello for Business, 3rd-party MFA, etc.
- Supports Extranet Lockout and Extranet Smart Lockout policies
- Supports banned IP lists
- Deep login screen customization
- Supports Windows Integrated Authentication

ADFS Authentication

ADFS Recommended Deployment using Azure

ADFS Considerations
- Limited support for Azure AD Conditional Access; however, additional support for custom conditional access via ADFS claim rules
- Large investment in on-premises (or cloud) infrastructure, including DMZ deployment
- Requires a valid third-party certificate
- Supports Alternate Login ID
- Does not support Azure AD Identity Protection, unless password hash sync is enabled as a backup*

Active Directory Federation Services Demo

Migrating from ADFS to PTA Demo

Back to the Scoreboard! (criteria: Ease of Implementation, Security, Customizations, Features, Usability, Maintenance & Reliability)
- Password Sync + Seamless SSO: score 00
- PTA + Seamless SSO: score 00
- ADFS (2019): score 00

Ease of Implementation
- Password Sync + Seamless SSO: wizard-based install and configuration; GPO required for Seamless SSO
- PTA + Seamless SSO: wizard-based initial install and configuration; agent deployment manual or script based; GPO required for Seamless SSO
- ADFS 2019: minimum of 4 servers required; wizard-based configuration of basic features; manual configuration for many items

Security
- Password Sync + Seamless SSO: triple-hashed passwords synced to the cloud
- PTA + Seamless SSO: authentication remains on premises
- ADFS 2019: authentication remains on premises

Customizations
- Password Sync + Seamless SSO: limited login screen customization; intermediate rule customizations and transformations
- PTA + Seamless SSO: limited login screen customization; intermediate rule customizations and transformations
- ADFS 2019: detailed login screen customizations available with CSS; advanced rule customizations and transformations

Features
- Password Sync + Seamless SSO: supports all Azure AD features; SSO support for most clients; lack of support for instant account lockouts and expirations
- PTA + Seamless SSO: supports most Azure AD features; SSO support for most clients
- ADFS 2019: limited support for Azure AD features; SSO support for more clients; support for alternate login methods

Usability
- Password Sync + Seamless SSO: simple end-user experience, consistent with other Azure AD experiences
- PTA + Seamless SSO: simple end-user experience, consistent with other Azure AD experiences
- ADFS 2019: end-user experience depends on customizations

Maintenance & Reliability
- Password Sync + Seamless SSO: can go down with minimal impact; Seamless SSO requires manual Kerberos rollover
- PTA + Seamless SSO: at least 1 PTA agent must be available at all times; no automated failover; Seamless SSO requires manual Kerberos rollover; agents can go on existing servers, avoiding additional maintenance
- ADFS 2019: at least 1 Federation and 1 Proxy server must be available at all times; requires certificate renewal; more servers required for maintenance

Scoreboard Results (criteria: Ease of Implementation, Security, Customizations, Features, Usability, Maintenance & Reliability)
- Password Sync + Seamless SSO: score 21
- PTA + Seamless SSO: score 23
- ADFS (2019): score 22

WINNER! Pass-through Authentication!

Taking a closer look
- Everyone's environment is different, and the winner will be different for everyone
- The takeaway is that you should carefully consider your authentication method based on your organization's priorities
- It's not too late to change your method

Thank you!