Office 365 – Manage identity federation by using ADFS 2.0

Configure Directory Synchronisation

Directory synchronisation must be activated within the Office 365 portal; the activation can take 24 hours to complete.

Directory Synchronisation requires:

  • A domain joined computer.
  • Enterprise administrator credentials (it uses these to create a user object in the forest root domain).
  • Global administrative rights within the Office 365 online environment.
  • Computer hardware requirements depend on the number of objects in AD DS, but as a rough guide:
    • 1.6GHz CPU
    • minimum of 4GB RAM, up to 32GB RAM
    • minimum of 70GB hard disk space, up to 500GB hard disk space

See this post for more details on deployment and configuration of directory sync.
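As an added example (not code from the original post), the PowerShell below runs the pre-flight checks listed above on the directory synchronisation computer (domain membership and the rough hardware guide), then activates directory synchronisation in the tenant with the MSOnline module and polls until the tenant reports it as enabled. It assumes the MSOnline module is installed, the credentials supplied hold Global Administrator rights, and the sizing thresholds are the rough-guide figures from this post rather than formal requirements; the polling interval and attempt count are arbitrary values chosen for the example.

```powershell
# Added example, not from the original post.
# Assumptions: MSOnline module installed; Global Administrator credentials;
# hardware thresholds are the rough guide quoted in the post.

Import-Module MSOnline

# --- Local pre-flight: domain membership and rough hardware guide ---
$cs   = Get-WmiObject Win32_ComputerSystem
$cpu  = Get-WmiObject Win32_Processor | Select-Object -First 1
$disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='C:'"

$checks = @(
    @{ Name = 'Domain joined';            Ok = [bool]$cs.PartOfDomain }
    @{ Name = 'CPU >= 1.6 GHz';           Ok = ($cpu.MaxClockSpeed -ge 1600) }   # MaxClockSpeed is in MHz
    @{ Name = 'RAM >= 4 GB';              Ok = ($cs.TotalPhysicalMemory -ge 4GB) }
    @{ Name = 'Free disk on C: >= 70 GB'; Ok = ($disk.FreeSpace -ge 70GB) }
)
foreach ($c in $checks) {
    $state = if ($c.Ok) { 'PASS' } else { 'FAIL' }
    Write-Host ("[{0}] {1}" -f $state, $c.Name)
}
if ($checks | Where-Object { -not $_.Ok }) {
    throw 'Pre-flight checks failed; fix the items marked FAIL before installing directory sync.'
}

# --- Tenant side: activate directory synchronisation ---
# Get-Credential prompts for the Office 365 global administrator account.
Connect-MsolService -Credential (Get-Credential)

$info = Get-MsolCompanyInformation
if (-not $info.DirectorySynchronizationEnabled) {
    Set-MsolDirSyncEnabled -EnableDirSync $true -Force
    Write-Host 'Directory synchronisation activation requested; this can take up to 24 hours.'
}

# Poll the tenant flag instead of assuming the change is immediate.
# 96 attempts x 15 minutes = 24 hours, the activation window quoted above.
$attempts = 0
do {
    $enabled = (Get-MsolCompanyInformation).DirectorySynchronizationEnabled
    if (-not $enabled) { Start-Sleep -Seconds 900; $attempts++ }
} until ($enabled -or $attempts -ge 96)

if ($enabled) {
    Write-Host 'Directory synchronisation is active in the tenant.'
    Write-Host ('Last sync time reported by tenant: {0}' -f (Get-MsolCompanyInformation).LastDirSyncTime)
} else {
    Write-Warning 'Directory synchronisation still shows as disabled after 24 hours; check the Office 365 portal.'
}
```

Run it once from an elevated PowerShell session on the computer that will host directory sync; the pre-flight section fails fast so that the tenant change is only requested from a machine that meets the prerequisites.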

Configuring and Managing Identity federation using ADFS 2.0

Single sign-on requirements using AD FS 2.0

  • Single Active Directory forest
  • AD FS 2.0
  • Latest client operating system and service packs
  • Public SSL certificate
  • PowerShell 2.0

A relying party trust between the federation servers and Office 365 is required; the relying party trust acts as the secure channel through which authentication tokens pass.

The AD FS 2.0 install wizard will check for and install all the prerequisites with the exception of Microsoft .NET Framework 3.5 SP1 on Microsoft Windows Server 2008.

The federation server(s) require a public SSL certificate for server authentication. If federation proxies are also deployed, the same public certificate should be installed on them too. The federation servers also require an X.509 token-signing certificate; by default this is a self-signed certificate created by AD FS, which is sufficient in most scenarios.

It goes without saying, but DNS resolution and TCP/IP are fundamental to the operation of AD FS.

Network Load Balancing (NLB) is also recommended, to provide fault tolerance for the federation servers and federation proxies.

AD FS Installation

See this post for more details on deployment and configuration of ADFS 2.0.
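As an added example (not code from the original post or from Microsoft), the PowerShell below checks the federation prerequisites described above on an AD FS 2.0 federation server: the public SSL certificate for the federation service name, the X.509 token-signing certificate (self-signed by AD FS by default), and the relying party trust with Office 365, and then pulls the federation settings from both AD FS and the tenant for comparison. It assumes it runs on the AD FS 2.0 server with the Microsoft.Adfs.PowerShell snap-in and the MSOnline module available, that `contoso.com` is a placeholder for the federated domain, and that the relying party trust carries the name Office 365 creates, `Microsoft Office 365 Identity Platform`; the 30-day expiry warning threshold is a value chosen for the example.

```powershell
# Added example, not from the original post.
# Assumptions: run on the AD FS 2.0 federation server; MSOnline module installed;
# 'contoso.com' is a placeholder domain; RP trust name is the one Office 365 creates.

Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop
Import-Module MSOnline

$federatedDomain = 'contoso.com'   # placeholder for the federated domain
$warnDays        = 30              # warn when a certificate expires within this many days

function Test-CertExpiry {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Label)
    $daysLeft = ($Cert.NotAfter - (Get-Date)).Days
    $state = if ($daysLeft -lt 0) { 'EXPIRED' } elseif ($daysLeft -lt $warnDays) { 'WARN' } else { 'OK' }
    Write-Host ("[{0}] {1}: {2} (thumbprint {3}, {4} days left)" -f $state, $Label, $Cert.Subject, $Cert.Thumbprint, $daysLeft)
}

# 1. Public SSL certificate for server authentication, located by the federation service name.
$fsName  = (Get-ADFSProperties).HostName
$sslCert = Get-ChildItem Cert:\LocalMachine\My |
           Where-Object { $_.Subject -like "*CN=$fsName*" -and $_.HasPrivateKey } |
           Sort-Object NotAfter -Descending | Select-Object -First 1
if ($sslCert) { Test-CertExpiry $sslCert 'SSL certificate' }
else { Write-Warning "No certificate with CN=$fsName and a private key found in LocalMachine\My" }

# 2. Primary token-signing certificate (self-signed by AD FS by default).
$tokenSigning = Get-ADFSCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
Test-CertExpiry $tokenSigning.Certificate 'Token-signing certificate (primary)'

# 3. Relying party trust with Office 365: the channel that carries the tokens.
$rp = Get-ADFSRelyingPartyTrust -Name 'Microsoft Office 365 Identity Platform'
if ($rp) {
    Write-Host ("[OK] Relying party trust present; identifier(s): {0}" -f ($rp.Identifier -join ', '))
    if (-not $rp.Enabled) { Write-Warning 'Relying party trust exists but is disabled' }
} else {
    Write-Warning 'Relying party trust with Office 365 not found; the domain has not been federated from this farm'
}

# 4. Show what AD FS publishes next to what the tenant has stored, one record per source.
#    A signing-certificate mismatch after a rollover is fixed with Update-MsolFederatedDomain.
Connect-MsolService -Credential (Get-Credential)
Set-MsolADFSContext -Computer $env:COMPUTERNAME
Get-MsolFederationProperty -DomainName $federatedDomain | Format-List
```

The certificate checks are worth scheduling: an expired SSL certificate breaks sign-in for every federated user at once, and a token-signing certificate that AD FS has rolled over but the tenant does not know about produces the same outage with a less obvious cause, which is why step 4 prints both sides.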

Implementing single sign-on and two-factor authentication

Office 365 can utilise two-factor authentication but requires single sign-on be implemented first.

Microsoft recommends either using SecurID or using Forefront UAG and its supported two-factor authentication providers.

Two-factor authentication is only supported by Lync, SharePoint and OWA, and the computer being used must be joined to a domain.
