Cloud Services Thread: Office 365 with SSO availability question (in Technical)
  1. #1
    themightymrp's Avatar

    Office 365 with SSO availability question

    Just a quick one,

    If I set up Office 365 with the AD FS services and single sign-on, what happens to people being able to access emails from home if there is a power cut in school?

    The way I am reading things, with SSO users would be authenticated against the school Active Directory via the FS proxies. If the school itself is down, is email also unavailable from home?

    Does that make sense?

    Cheers

  2. #2
    jamesbmarshall's Avatar
    You're correct - once you deploy AD FS you become the single point of failure, so if your AD FS servers go down for whatever reason, your users will be locked out.

    There are partner solutions, such as IAM Cloud, that can help mitigate against this, but your summary above is accurate.

  3. Thanks to jamesbmarshall from:

    themightymrp (13th March 2013)

  4. #3
    themightymrp's Avatar
    Just been looking at the IAM Cloud you mentioned, do you have any clue how much it costs? I can find no pricing structure anywhere!

  5. #4

    Michael's Avatar
    This is why for Primary schools I've not rolled out the SSO option. Generally they have one or two servers at most. You also have to consider that sometimes LAs have a habit of performing maintenance on weekends or holidays, cutting the link between your servers and the outside world. Again this would prevent your users signing into their e-mail accounts.

  6. Thanks to Michael from:

    themightymrp (14th March 2013)

  7. #5
    themightymrp's Avatar
    A very valid point. But we are looking to move away from our LA supplier and go-it-alone as it were.

    I'm getting there with the actual setup of 365, it's just this downside of SSO which is bugging me. Powers that be would prefer it but I don't really see a need for SSO. Management is straightforward using online tools....

  8. #6

    Michael's Avatar
    Bulk import users with a CSV, then using PowerShell you can reset user passwords to something different, then force them to change it. That's how I've gone about it and it's been absolutely fine.

    It basically means if users cannot log in, odds are there may be an issue with Office 365 as a service anyway, rather than trying to work out where in the chain things are broken.

  9. Thanks to Michael from:

    themightymrp (14th March 2013)
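
The reset step Michael describes, as an added example that is not part of the original thread: each imported user gets a unique random temporary password and must change it at first sign-in. It assumes the MSOnline PowerShell module (`Connect-MsolService`, `Set-MsolUserPassword`) used for Office 365 administration at the time; the sample addresses, the `New-TempPassword` helper and the output file name are constructed for illustration.

```powershell
# Added example, not from the thread. Assumes the MSOnline module and tenant admin rights.
Import-Module MSOnline
Connect-MsolService    # prompts for admin credentials

# Constructed sample input; in practice use Import-Csv on the file used for the bulk import.
$users = @'
UserPrincipalName
pupil.one@school.example
pupil.two@school.example
'@ | ConvertFrom-Csv

function New-TempPassword {
    param([int]$Length = 14)
    # Look-alike characters (0/O, 1/l/I) are left out so the value can be typed from paper.
    $alphabet = 'abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789'
    $limit = 256 - (256 % $alphabet.Length)   # reject bytes that would bias the modulo
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $byte  = New-Object byte[] 1
    try {
        do {
            $sb = New-Object System.Text.StringBuilder
            while ($sb.Length -lt $Length) {
                $rng.GetBytes($byte)
                if ($byte[0] -lt $limit) { [void]$sb.Append($alphabet[$byte[0] % $alphabet.Length]) }
            }
            $pw = $sb.ToString()
            # Retry until lower case, upper case and a digit are all present.
        } until ($pw -cmatch '[a-z]' -and $pw -cmatch '[A-Z]' -and $pw -match '\d')
        $pw
    } finally { $rng.Dispose() }
}

$report = foreach ($u in $users) {
    $temp = New-TempPassword
    try {
        # -ForceChangePassword makes the user pick a new password at first sign-in.
        Set-MsolUserPassword -UserPrincipalName $u.UserPrincipalName -NewPassword $temp `
            -ForceChangePassword $true -ErrorAction Stop | Out-Null
        [pscustomobject]@{ User = $u.UserPrincipalName; TempPassword = $temp; Status = 'Reset' }
    } catch {
        [pscustomobject]@{ User = $u.UserPrincipalName; TempPassword = ''; Status = "Failed: $_" }
    }
}
# This file holds live credentials: keep it off shared drives and delete it once handed out.
$report | Export-Csv -Path .\temp-passwords.csv -NoTypeInformation
```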

  10. #7
    Cache's Avatar
    If I was going to roll out Office 365 I would want the SSO as well which is the main thing holding me back currently unfortunately (that and time).

    I did go to a Microsoft Hybrid IT Roadshow the other week and while it was pitched way way above any level I could possibly want to achieve, it did give me an idea. One of the key things it was showing was Azure, SCCM and the private/public cloud. While an added cost, it did make me think one possible way around it if it could work would be to have a VPN to an Azure server, on that server host the ADFS and a Read-Only domain controller to handle all that side of things.

    It's certainly not something I would know how to do or if it's technically possible or not, but in my mind it seemed to make sense.

  11. #8
    themightymrp's Avatar
    What you are describing sounds a lot like the IAM Cloud service mentioned above. It's paid for (no clue how much) but does something very similar.

  12. #9
    Cache's Avatar
    You're right, reading through IAM Cloud it seems to do what I was suggesting. Guess it would just be matching the costs up between doing it yourself and the price they charge (FAQ on their site suggests the pricelist should be up there somewhere but can't find it).

  13. #10

    Edu-IT's Avatar
    I'm not sure I understand how this IAMCloud works. It looks to still need to be contacting Active Directory?

  14. #11
    themightymrp's Avatar
    I received this in my Inbox from @paulgreeniamcloud

    Code:
    Hi,
    
    I'm one of the identity specialists at IAM Cloud.  You're right in thinking that the solution contacts Active Directory, but only to periodically (every 2 hours) refresh the information which is synced to the IAM Cloud hosted directory, from which authentication requests are performed.  That means the school/organisation's directory/Internet connection can be completely unavailable but authentication can still happen, so long as IAM Cloud's service is available.  Although the identity sync is two-hourly, password resets are immediate.  All this is done with virtually no on-premises component: only a password filter is needed to be installed on each domain controller for password transmission.
    
    To make the service as resilient as possible, we provide multiple servers for every mission-critical aspect of the solution (so multiple directory/federation servers), and for added resilience, load balance the solution geographically by hosting it in two Azure data centres, but ensure data never leaves a geographic region: i.e. European customers have data hosted in, and which never leaves Europe.
    
    Please contact me privately or log a 'contact us' request on the website if you'd like some more information; the cost for education is typically under £2000 for all students, including set up, customisation and support for both the hosted identity and SSO service.  We're UK-headquartered and me and my colleagues would be delighted to explain more about the solution.
    
    Many thanks,
    Paul

  15. #12
    Cache's Avatar
    I was doing some more research yesterday and actually came across this: http://activedirectory.windowsazure.com

    Still in preview at the moment, but looks like they might be offering it for free, would be a way of achieving the IAM cloud/the method I roughly outline without any cost I think..... Access Control Service 2.0 & Identity: Windows Azure Active Directory

    Edit: actually never mind with that, think I've got completely the wrong end of the stick with it.
    Last edited by Cache; 24th March 2013 at 01:10 PM.

  16. Thanks to Cache from:

    nadeem (24th March 2013)

  17. #13

    AngryTechnician's Avatar
    I've been quite hung up on the SSO side of Office 365 too, but after a conversation with another local school who are using it without SSO, I'm coming around to the idea. Points to consider are:

    1. Outlook users have their credentials saved so don't have to re-enter them for day-to-day email access.
    2. If you tick 'Keep me signed in' on the Office 365 portal, you don't have to re-enter credentials every session.
    3. Unless your current email system is already very good, the improvement brought by Office 365 may well offset the inconvenience of a separate sign-in.
    4. Users these days generally have at least a couple of other accounts that don't have synchronised passwords anyway (even our Year 5s have Edmodo accounts with separate passwords)
    5. There's nothing to stop users from setting their password to be the same as their on-premises one to help them remember it.


    I've just set up the AD Directory Sync part to at least get that part working (and it was relatively painless, even on Windows Server 2012 Core), and will be trying it out without SSO to see how we get on.

  18. #14
    jamesbmarshall's Avatar
    Originally posted by Cache:
        I was doing some more research yesterday and actually came across this: http://activedirectory.windowsazure.com

        Still in preview at the moment, but looks like they might be offering it for free, would be a way of achieving the IAM cloud/the method I roughly outline without any cost I think..... Access Control Service 2.0 & Identity: Windows Azure Active Directory

    Windows Azure Active Directory is the identity platform that underpins Office 365; it's an extensible service that allows customers and partners to develop solutions that can hook into the WAAD identities to use with other services. It isn't the same as your traditional AD, hosted in the cloud, but I think you've figured that out!

    Every existing, and new, Office 365 tenant has WAAD at the core.

  19. #15
    themightymrp's Avatar
    If you have set up AD synchronisation with the Azure system, does that not then have the ability to authenticate users when they try to sign on? So that, in the event of the school's AD system being down, people can still log into email?
