Password Sync and ADFS
Sorry to keep hassling you James!
If I implement Password Sync using DirSync, what are the implications for my ADFS setup? Will I be able to do away with my ADFS Proxy Server?
Can users then login to the O365 Services without going through the ADFS Proxy server (this would be ideal).
Internally I still need SSO, so I assume that I'll have to keep ADFS?
How would I go about it?
Thanks as always, Ben
There are a few different things going on there!
First, the ADFS bit.
ADFS at a minimum needs an ADFS server internally to provide SSO into Office 365. If you don't make that available to the outside world (which you shouldn't!) then nobody outside of your network will be able to authenticate with Office 365 since your ADFS server is unavailable to them.
To support external users you can do one of two things:
1) Deploy an ADFS proxy (or as many as you need, load balanced) to sit in your DMZ. This provides ADFS access to your external users (i.e. from home) and also allows you to offer integrated authentication internally, and forms-based authentication externally.
2) Expose your internal ADFS server's endpoints via your firewall. Again, this provides access from external networks but you lose the flexibility of integrated vs. forms-based auth since an ADFS server can only really support one type at once. (Obviously, hacks are available but not recommended).
So, to your question about whether or not you can get rid of your proxy: it depends. If SSO is a requirement (read on), then I would say that best practice says no.
Second, the Password Sync bit.
Password sync is not ADFS. They're not even closely related. Not even distant cousins! :)
ADFS = Single Sign-On
Password Sync = Same Sign-On
If you deploy ADFS then password sync is irrelevant since all credentials and authentication are managed by your local AD. Passwords are not stored in the cloud, and users in your federated domain namespace will be required to authenticate against your ADFS server every time.
What you could do is move away from ADFS and only have Password Sync. This then keeps your AD and AAD users in sync, but removes the need for any ADFS infrastructure.
To your last point about needing SSO internally I say this: really?
I'm going to be really honest and say that in schools, 99% of the time, I think ADFS is not what's needed. The two use cases are typically staff and students.
Staff: usually use the same machine all the time, or have a dedicated device they take with them everywhere. In this scenario they're probably using Outlook client, and even if they're not they can always tick the "remember me" box in both OWA and Outlook client.
Students: usually use multiple devices throughout the day. Unlikely (not impossible) to be using Outlook client, so probably using OWA. *generalisation warning* Students these days are very used to entering credentials (think Twitter, Facebook, MyFace, FriendFace, myFriend, and so on...) so as long as their credentials are the same (i.e. using Password Sync) I'm going to put my neck on the line and say that the few seconds it takes them to log in is worth not having the headache and infrastructure burden of running full-blown ADFS.
Just my two cents though - and I understand most IT folks are in an un-winnable battle with the SMT, so don't take that ranty bit above personally. I've just needed to say it for a while now! :)
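The choice James describes (Federated = ADFS Single Sign-On, Managed = Password Sync Same Sign-On) is visible per domain from PowerShell. The script below is an added example, not part of James's reply: it lists each verified domain's authentication type with the MSOnline module and then converts one federated domain to managed, which is the "move away from ADFS and only have Password Sync" route. It assumes the MSOnline module is installed, that DirSync password sync has been enabled in the DirSync configuration wizard, and that it is run on the primary ADFS server; the domain name and file path are placeholders.

```powershell
# Added example (not from the thread). Assumes the MSOnline (Azure AD v1)
# module, a Global Administrator account, and DirSync password sync already
# enabled so synced password hashes are there for the managed domain to use.
Import-Module MSOnline
Connect-MsolService   # prompts for a Global Administrator credential

# 1. Report how each verified domain authenticates.
#    Federated = every sign-in is redirected to your ADFS (SSO).
#    Managed   = Azure AD checks the synced password hash itself (Same Sign-On).
Get-MsolDomain |
    Where-Object { $_.Status -eq 'Verified' } |
    Select-Object Name, Authentication |
    Format-Table -AutoSize

# 2. Convert one federated domain to managed.
#    Convert-MsolDomainToStandard also removes the Office 365 relying party
#    trust from ADFS, so run it on the primary ADFS server (or point at it
#    first with Set-MsolADFSContext -Computer <adfs-host>).
#    Each converted user gets a temporary cloud password written to
#    -PasswordFile; it is only needed until the next password sync cycle
#    overwrites it with the user's on-premises password, so protect the file
#    and delete it once sync has completed.
$domain       = 'school.example'            # placeholder, not from the thread
$passwordFile = 'C:\Temp\converted-users.txt'   # placeholder path

Convert-MsolDomainToStandard -DomainName $domain `
    -SkipUserConversion $false `
    -PasswordFile $passwordFile

# 3. Re-check the domain's Authentication property to confirm the change.
Get-MsolDomain -DomainName $domain | Select-Object Name, Authentication
```

After the conversion the domain's Authentication property reads Managed rather than Federated; nothing on the ADFS proxy is needed for that domain any more, which is the point of Ben's original question.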
Says it all :-) - This is why I have an ADFS infrastructure set up (proxy as well, all is working fine). I was wondering if the two could work side by side, as we are quite a large secondary, but very rural, so we get plenty of power cuts = no ADFS = no email :-(
Originally Posted by jamesbmarshall
If I could run both side by side it would have been fantastic, but alas we 'need' single sign on (I refer you to your own point :-), so that takes precedence.
Still, O365 is miles better than having Exchange on site (which was overkill for just 1600 accounts + the £10k cost for servers and storage every few years).
When we open up our wireless to guests next year, I'm hoping that we may get past the 'need' for SSO.
Thanks again @jamesbmarshall !
Check out: Office 365 Adapter: Deploying Office 365 Single Sign-On using Windows Azure - UK Education Cloud Blog - Site Home - MSDN Blogs
Originally Posted by Mr.Ben
Depending on your budget (and how well you can spin it to those who control the purse strings) you could always look at the Office 365 Adapter to use the VM roles in Windows Azure to remove the dependency on your local AD availability.*
Obviously, if your power goes out during the school day everyone is stuffed (except those on 3G), but outside hours or over holiday periods this could be more of a problem. The Office 365 Adapter side-steps the issue by hosting enough infrastructure components in Windows Azure VMs.
Obviously it's not a free solution, but it's a solution. :)
*Assuming you can't otherwise convince them that you don't need ADFS in the first place! ;)
We will wait until the first power outage. Then spinning will be easy :-)
Originally Posted by jamesbmarshall
Hi, have I missed something? Is there a password sync for Office 365 now?
Seems I have. Almost a month ago. Damn.