Cloud Services Thread: Password Sync and ADFS (Technical)
  1. #1 Mr.Ben

    Password Sync and ADFS

    @jamesbmarshall

    Sorry to keep hassling you James!

    If I implement Password Sync using Dir Sync, what are the implications for my ADFS setup? Will I be able to do away with my ADFS Proxy Server?

    Can users then log in to the O365 services without going through the ADFS Proxy server? (This would be ideal.)

    Internally I still need SSO, so I assume that I'll have to keep ADFS?

    How would I go about it?

    Thanks as always, Ben

  2. #2 jamesbmarshall
    There are a few different things going on there!

    First, the ADFS bit.

    ADFS at a minimum needs an ADFS server internally to provide SSO into Office 365. If you don't make that available to the outside world (which you shouldn't!) then nobody outside of your network will be able to authenticate with Office 365 since your ADFS server is unavailable to them.

    To support external users you can do one of two things:

    1) Deploy an ADFS proxy (or as many as you need, load balanced) to sit in your DMZ. This provides ADFS access to your external users (i.e. from home) and also allows you to offer integrated authentication internally, and forms-based authentication externally.

    2) Expose your internal ADFS server's endpoints via your firewall. Again, this provides access from external networks but you lose the flexibility of integrated vs. forms-based auth since an ADFS server can only really support one type at once. (Obviously, hacks are available but not recommended).

    So, to your question about whether or not you can get rid of your proxy: it depends. If SSO is a requirement (read on), then I would say that best practice says no.

    Second, the Password Sync bit.

    Password sync is not ADFS. They're not even closely related. Not even distant cousins!

    ADFS = Single Sign-On
    Password Sync = Same Sign-On

    If you deploy ADFS then password sync is irrelevant since all credentials and authentication are managed by your local AD. Passwords are not stored in the cloud, and users in your federated domain namespace will be required to authenticate against your ADFS server every time.

    What you could do is move away from ADFS and only have Password Sync. This then keeps your AD and AAD users in sync, but removes the need for any ADFS infrastructure.

    To your last point about needing SSO internally I say this: really?

    I'm going to be really honest and say that in schools, 99% of the time, I think ADFS is not what's needed. The two use cases are typically staff and students.

    Staff: usually use the same machine all the time, or have a dedicated device they take with them everywhere. In this scenario they're probably using Outlook client, and even if they're not they can always tick the "remember me" box in both OWA and Outlook client.

    Students: usually use multiple devices throughout the day. Unlikely (not impossible) to be using Outlook client, so probably using OWA. *generalisation warning* Students these days are very used to entering credentials (think Twitter, Facebook, MyFace, FriendFace, myFriend, and so on...) so as long as their credentials are the same (i.e. using Password Sync) I'm going to put my neck on the line and say that the few seconds it takes them to log in is worth not having the headache and infrastructure burden of running full-blown ADFS.

    Just my two cents though - and I understand most IT folks are in an un-winnable battle with the SMT, so don't take that ranty bit above personally. I've just needed to say it for a while now!
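As an added example (not from the thread or its posters), here is a PowerShell snippet using the MSOnline module that shows the distinction James draws in practice: which of a tenant's domains are Federated (ADFS) versus Managed (cloud password, fed by DirSync password sync), and whether password sync is actually enabled and recent before anyone considers dropping ADFS. The domain name, password-file path and the three-hour staleness threshold are assumptions.

```powershell
# Added example, not code from the thread. Assumes the MSOnline module and a
# tenant admin account; 'contoso.example' and the file path are placeholders.
Import-Module MSOnline
Connect-MsolService   # prompts for tenant admin credentials

# Per-domain model. Federated = ADFS: single sign-on, credentials never leave AD.
# Managed = cloud password: "same sign-on" when DirSync password sync keeps it aligned.
Get-MsolDomain | Select-Object Name, Status, Authentication | Format-Table -AutoSize

# Tenant-wide sync state. LastPasswordSyncTime is the value to watch: if sync has
# stalled, users on a Managed domain end up with cloud passwords that no longer
# match AD, which looks exactly like "my password stopped working" to the helpdesk.
$info = Get-MsolCompanyInformation
$staleAfter = (Get-Date).AddHours(-3)   # assumed threshold; sync normally runs far more often
[pscustomobject]@{
    DirSyncEnabled      = $info.DirectorySynchronizationEnabled
    PasswordSyncEnabled = $info.PasswordSynchronizationEnabled
    LastDirSync         = $info.LastDirSyncTime
    LastPasswordSync    = $info.LastPasswordSyncTime
    PasswordSyncStale   = ($info.PasswordSynchronizationEnabled -and
                           $null -ne $info.LastPasswordSyncTime -and
                           $info.LastPasswordSyncTime -lt $staleAfter)
}

# James's "move away from ADFS and only have Password Sync" option. Converting a
# domain from Federated to Managed stops ADFS sign-in for that domain immediately,
# so it belongs after the checks above report sync as enabled and recent.
# Kept behind a switch so the report can be run on its own.
$doConvert = $false
if ($doConvert) {
    Convert-MsolDomainToStandard -DomainName 'contoso.example' `
        -SkipUserConversion $false -PasswordFile 'C:\temp\converted-passwords.txt'
}
```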

  3. #3 Mr.Ben
    Quote Originally Posted by jamesbmarshall:
    Just my two cents though - and I understand most IT folks are in an un-winnable battle with the SMT, so don't take that ranty bit above personally. I've just needed to say it for a while now!

    Says it all :-) This is why I have an ADFS infrastructure set up (proxy as well, all is working fine). I was wondering if the two could work side by side, as we are quite a large secondary, but very rural, so we get plenty of power cuts = no ADFS = no email :-(

    If I could run both side by side it would have been fantastic, but alas we 'need' single sign on (I refer you to your own point :-), so that takes precedence.

    Still, O365 is miles better than having Exchange on site (which was overkill for just 1600 accounts, plus the £10k cost for servers and storage every few years).

    When we open up our wireless to guests next year, I'm hoping that we may get past the 'need' for SSO.

    Thanks again @jamesbmarshall !
    Last edited by Mr.Ben; 26th June 2013 at 05:14 PM.

  4. #4 jamesbmarshall
    Quote Originally Posted by Mr.Ben:
    As we are quite a large secondary, but very rural, so we get plenty of power cuts = no ADFS = no Email :-(

    Check out: Office 365 Adapter: Deploying Office 365 Single Sign-On using Windows Azure - UK Education Cloud Blog - Site Home - MSDN Blogs

    Depending on your budget (and how well you can spin it to those who control the purse strings) you could always look at the Office 365 Adapter to use the VM roles in Windows Azure to remove the dependency on your local AD availability.*

    Obviously, if your power goes out during the school day everyone is stuffed (except those on 3G), but outside hours or over holiday periods this could be more of a problem. The Office 365 Adapter side-steps the issue by hosting enough infrastructure components in Windows Azure VMs.

    Obviously it's not a free solution, but it's a solution.

    *Assuming you can't otherwise convince them that you don't need ADFS in the first place!

  5. #5 Mr.Ben
    Quote Originally Posted by jamesbmarshall:
    Depending on your budget (and how well you can spin it to those who control the purse strings) you could always look at the Office 365 Adapter to use the VM roles in Windows Azure to remove the dependency on your local AD availability.*

    We will wait until the first power outage. Then spinning will be easy :-)

  6. #6 RabbieBurns
    Hi, have I missed something? Is there a password sync for Office 365 now?

  7. #7 RabbieBurns
    Seems I have. Almost a month ago. Damn.
