Identity Management with Office 365 // IT Management Solutions

Identity Management with Office 365

Paul Andrew is a Technical Product Manager on the Office 365 team working on identity and commerce.

Office 365 uses Windows Azure Active Directory (Azure AD) for managing user login and storing user profiles. The Directory Sync tool (DirSync) is provided to synchronize user profiles between on-premises Active Directory implementations and Azure AD in the cloud. This means all of the same user profiles from the on-premises Active Directory will be available in Office 365.

Recently, a new version of DirSync was released that includes synchronization of user password hashes. This removes the need for users to maintain separate passwords for on-premises login and cloud-based login. Prior to this, sharing one password required deploying identity federation servers, which is a considerably larger implementation project. The password hash synchronized to the cloud is the output of a one-way mathematical function of the user's password; it cannot be reversed to recover the user's plaintext password. It is still a sensitive artifact: anyone who obtains the hash can test candidate passwords against it offline without contacting a server, so weak passwords stay weak after synchronization, and the cloud copy of the hashes must be protected as carefully as the on-premises directory. Synchronizing the password hash means the user can log in to Office 365 using their on-premises password.
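To make the one-way property concrete, here is an added example (it is not DirSync's code and not the algorithm DirSync uses; it models the idea with PBKDF2-HMAC-SHA256 from Python's hashlib, with an assumed work factor and a constructed wordlist). It shows the three things a practitioner should take from the paragraph above: a login can be verified from the hash alone, the hash cannot be turned back into the password, and a hash that leaks can still be attacked by offline guessing when the password is weak.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

# Illustrative one-way password hash. Added example: this is NOT the scheme
# DirSync uses; PBKDF2-HMAC-SHA256 with a random salt is used here only to
# show the properties the text describes.
ITERATIONS = 20_000  # assumption: work factor chosen for the demo, not a product value


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). The digest is a one-way function of password + salt."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Login check on the side that holds only the hash: recompute from the
    candidate and compare in constant time. The plaintext is never stored."""
    _, recomputed = hash_password(candidate, salt)
    return hmac.compare_digest(recomputed, digest)


def offline_guess(salt: bytes, digest: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """What an attacker holding a stolen hash can still do: not invert it, but
    try candidate passwords against it without talking to any server."""
    for word in wordlist:
        if verify_password(word, salt, digest):
            return word
    return None


# Constructed sample data for the demo (not real credentials).
WEAK_PASSWORD = "Summer2013"
STRONG_PASSWORD = "correct-horse-battery-staple-7h3Q"
SAMPLE_WORDLIST = ["password", "Welcome1", "Summer2013", "P@ssw0rd"]


def demo() -> dict:
    """Hash both passwords, verify a login, then run the offline attack."""
    salt_w, digest_w = hash_password(WEAK_PASSWORD)
    salt_s, digest_s = hash_password(STRONG_PASSWORD)
    return {
        "login_ok": verify_password(WEAK_PASSWORD, salt_w, digest_w),
        "wrong_password_rejected": not verify_password("Summer2014", salt_w, digest_w),
        # Same password, different salt: different digest, so precomputed
        # tables built for one directory are useless against another.
        "different_salts_differ": hash_password(WEAK_PASSWORD, salt_s)[1] != digest_w,
        "weak_recovered": offline_guess(salt_w, digest_w, SAMPLE_WORDLIST),
        "strong_recovered": offline_guess(salt_s, digest_s, SAMPLE_WORDLIST),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt and iteration count are what make the guessing loop expensive per candidate and per directory; they do nothing for a password that appears in a short wordlist, which is why password policy and breach monitoring remain relevant after hash synchronization.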

This blog post describes directory synchronization and password hash synchronization in the context of Office 365.

User Identity in the Cloud

For a moment, let me take you back to a time before cloud computing and SaaS applications, when software predominantly ran on PCs connected to networks with Active Directory as the identity provider. When you ran software on a PC in this environment you were already logged on to the PC. When the software needed to look up your name or do some other kind of personalization, it simply asked the operating system who you were through API calls. No additional login was required to run a new application, because all applications shared the same identity provider (Active Directory).

SaaS applications are a little different. They are not installed on the local machine and they have no access to the local Active Directory domain controller. Because of this, SaaS applications often use disjoint identity providers, and users end up maintaining separate usernames and passwords across multiple cloud-based applications. Single Sign-On (SSO) is the common answer to this. SSO is the ability of two disjoint identity providers (IdPs) to trust one another so that, as a user, you log in once against your own IdP and are not asked to log in again when you access resources secured by the second IdP. This trust relationship is called federation. SSO implemented through federation gives users the same benefit they had when all software ran on the PC and inherently knew who was logged in.

Directory synchronization does not provide SSO: a user logged in on-premises still has to log in separately to Office 365. Synchronization does ensure that the username is the same, and with password hash synchronization, that the password is the same too. Since directory synchronization is much simpler to configure than federated SSO, the addition of password hash synchronization makes it a good choice for many customer scenarios.
