Organizations in the process of migrating to Office 365, particularly those that run Active Directory in-house and leverage it to provide single-sign-on to Microsoft applications, quickly learn that moving to the cloud-based productivity suite means extra identity management work. Specifically, in order to use Office 365:
- a user must have an account in the organization's Office 365 tenant, and
- that tenant account is going to have its own user name and password to manage (or forget, or write down, etc.).
Microsoft provides APIs and tools to lighten this additional identity management burden. Their Dirsync and ADFS technologies, respectively, facilitate synchronization of on-premises Active Directory accounts to the cloud, and single sign-on (SSO) from an on-premises AD to the cloud using identity federation technology. With federated SSO in place, an organization's users don't need to type a user name or password to access the Office 365 applications from within their corporate networks, and organizations can control access to Office 365 through their local AD deployments, since Office 365 trusts tokens issued by the federation server rather than holding the users' passwords itself.
To Microsoft's credit, they have listened to their customers who have wanted to leverage existing investments in federated SSO solutions (which often have more capability than ADFS) by creating the Works with Office 365 - Identity certification program. Quest One Identity Cloud Access Manager is a participant in the program, which tests interoperability between third-party solutions and Office 365, and creates communications channels for joint support troubleshooting and resolution.
During the certification process, I learned a lot about Office 365, and how Cloud Access Manager's Office 365 support compares to alternatives. Here is a short list of considerations to keep in mind when looking at Office 365 single sign-on solutions:
- Support for all application types
Office 365 can be accessed through a web browser (SharePoint Online, the Office web applications, Outlook Web App); through desktop clients, such as the Word/Excel, Outlook and Lync desktop clients; or through mobile clients, including native email clients on mobile devices and Microsoft's native mobile apps. Each of these clients uses a different method of authenticating to Office 365 (browser redirects for web access, WS-Trust requests for desktop clients, and cached credentials for mobile email), so a federation solution has to support all of them, not just the browser flow. Cloud Access Manager supports Office 365 access through all of these application types.
- Integrated Windows Authentication (IWA) support
Federated SSO can make it so users never have to type a user name or password to access Office 365 using web or desktop clients (except for Outlook, which must cache credentials). But desktop client IWA support requires that the federation solution expose a specific WS-Trust endpoint, one that accepts Kerberos (Windows integrated) authentication, for scenarios where a user already has a Kerberos session, as is the case when logged into a corporate network. Cloud Access Manager supports this "windowstransport" endpoint.
- Remote access scenarios
When users are not on the corporate network (e.g. accessing email using a mobile device over WiFi), how do they reach the federation server to get the security tokens which enable Office 365 access? A federation server should be deployed so that it can be reached from the internet only through a DMZ-based proxy, which keeps the private key used to sign security tokens off the internet-facing host; anyone who obtains that key can mint tokens for any user in the tenant. Cloud Access Manager comes with an embedded reverse proxy that enables secure access to the federation server, as well as to internally-hosted applications, from anywhere.
- Multiple forest support
Lots of organizations have users in multiple forests. It can be difficult to use one Office 365 tenant to service users in multiple forests with ADFS, since ADFS is built to authenticate against only the AD forest in which it is installed. Cloud Access Manager can be deployed in various configurations to support multiple-forest deployments, including ones that share a single Cloud Access Manager instance and/or enable IWA for users in all forests.
- Account provisioning
Microsoft does not operate an equivalent of the Works with Office 365 - Identity certification program for third-party solutions that perform the directory synchronization functions of Dirsync (or of Microsoft Forefront Identity Manager and, more recently, Azure Active Directory Sync). But the Azure AD Graph API makes programmatic creation of Office 365 identities possible - Cloud Access Manager does it! In some cases we recommend using the Microsoft technology instead, and have made it easy to turn the native provisioning logic on or off.
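To make the "IWA support" and "Account provisioning" items above concrete, here is an added example (not Cloud Access Manager's code, nor Microsoft's) of the two things a third-party federation solution has to do against the tenant: register its endpoints and signing certificate with the federated domain using the MSOnline cmdlets, and create a federated user through the Azure AD Graph API with an ImmutableId derived from the on-premises objectGUID, which is what ties the federation token back to the cloud account. The domain name, hostnames, endpoint paths, certificate file, application ID and secret are placeholders.

```powershell
# Added example, not from the original post or from Cloud Access Manager.
# Assumes: the MSOnline module (Connect-MsolService), the ActiveDirectory module
# (Get-ADUser), and an Azure AD application with directory write permission.
# All names below (contoso.com, sts.contoso.com, paths, IDs) are placeholders.

# --- 1. Register the third-party federation server with the tenant -----------
Connect-MsolService   # prompts for a Global Administrator of the tenant

$domain  = 'contoso.com'        # must already be verified in the Office 365 tenant
$idpHost = 'sts.contoso.com'    # the federation server, published through the DMZ proxy

# Office 365 validates token signatures against the public certificate only;
# the private key stays on the federation server behind the proxy.
$cert        = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2('.\sts-signing.cer')
$signingCert = [Convert]::ToBase64String($cert.GetRawCertData())

$federation = @{
    DomainName          = $domain
    Authentication      = 'Federated'
    IssuerUri           = "urn:federation:$domain"            # must match the Issuer in the tokens
    FederationBrandName = 'Contoso STS'
    PassiveLogOnUri     = "https://$idpHost/fed/wsfed"        # browsers: WS-Federation redirect
    ActiveLogOnUri      = "https://$idpHost/fed/wstrust/usernamemixed"  # Outlook/mobile: cached credentials
    MetadataExchangeUri = "https://$idpHost/fed/mex"          # rich clients discover the windowstransport (IWA) endpoint here
    LogOffUri           = "https://$idpHost/fed/wsfed?wa=wsignout1.0"
    SigningCertificate  = $signingCert
}
Set-MsolDomainAuthentication @federation

# Read back what the tenant now believes about the domain.
Get-MsolDomainFederationSettings -DomainName $domain |
    Format-List IssuerUri, PassiveLogOnUri, ActiveLogOnUri, MetadataExchangeUri

# --- 2. Provision a federated user through the Azure AD Graph API -------------
$tenant   = 'contoso.onmicrosoft.com'
$clientId = '<application id>'       # placeholder
$secret   = '<client secret>'        # placeholder; keep out of scripts in real deployments

$token = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenant/oauth2/token" `
    -Body @{
        grant_type    = 'client_credentials'
        client_id     = $clientId
        client_secret = $secret
        resource      = 'https://graph.windows.net'
    }

# The ImmutableId is the Base64 form of the on-prem objectGUID (the same anchor
# Dirsync uses). The federation server must put exactly this value in the
# ImmutableID claim of the token, or Office 365 cannot map the token to the user.
$adUser      = Get-ADUser -Identity 'jsmith'
$immutableId = [Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())

# Azure AD Graph insists on a passwordProfile even for federated users, who will
# never use it; generate a random one rather than a shared placeholder.
Add-Type -AssemblyName System.Web
$throwawayPassword = [System.Web.Security.Membership]::GeneratePassword(24, 4)

$newUser = @{
    accountEnabled    = $true
    displayName       = $adUser.Name
    mailNickname      = $adUser.SamAccountName
    userPrincipalName = $adUser.UserPrincipalName   # suffix must be the federated domain
    immutableId       = $immutableId
    usageLocation     = 'US'                         # required before a licence can be assigned
    passwordProfile   = @{
        password                     = $throwawayPassword
        forceChangePasswordNextLogin = $false
    }
} | ConvertTo-Json

$created = Invoke-RestMethod -Method Post `
    -Uri "https://graph.windows.net/$tenant/users?api-version=1.6" `
    -Headers @{ Authorization = "Bearer $($token.access_token)" } `
    -ContentType 'application/json' `
    -Body $newUser

"Created {0} with objectId {1}" -f $created.userPrincipalName, $created.objectId
```

Two caveats a practitioner will hit: the domain being federated cannot be the tenant's initial onmicrosoft.com domain, and you should keep at least one Global Administrator account in a non-federated domain so you can still sign in to the tenant if the federation server is down. Licence assignment is a separate Graph call (the assignLicense action) and is not shown here.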
Office 365 is just one of a growing number of applications supporting identity federation technology to extend authentication from the enterprise to the cloud. If your organization is struggling with password management issues after adopting SaaS applications, federation solutions like Cloud Access Manager can help address those issues.