Significant Identity and Access Management Improvements in Windows Server 2012 R2

Last week, Microsoft released Windows Server 2012 R2 Preview. Some information about new features like the Web Application Proxy role began to emerge from recent industry events, but there isn’t an awful lot to absorb at the moment. Having played around with the preview for a few days, I’m pleased to report that the new features look good. While there are always niggles and unsupported scenarios, the features themselves are bringing Microsoft’s Identity and Access Management (IAM) offerings nearer to parity with the industry leaders. These changes should be of particular interest for SharePoint on-premises and Office 365 customers, as a number of scenarios that were on the bleeding edge of ADFS/UAG capabilities have been brought into the fold with some important enhancements to ADFS, which isn’t just for federation anymore.

In short, we get a new Claims-Aware Reverse Proxy, Device Claims in and outside of the network, Multiple-Factor Authentication and other enhancements for making access control decisions on more than just a username and password. I’ve discussed all of these topics routinely over the last couple of years in SharePoint on-premises and Office 365 contexts, but the current provisions in ADFS and UAG are not as elegant as what we find in the preview, so I’m keenly exploring the new functionality and will try to keep the content flowing. In this post I will focus on the features themselves, as there’s a lot of new stuff and the implementation of this functionality will only be clear with a bit more information than what you’ll find online today. I’m kind of rushing this out after limited use because I know there’s a big appetite for knowledge about the Microsoft Reverse Proxy roadmap, so apologies for the incompleteness in advance.

Continue reading “Significant Identity and Access Management Improvements in Windows Server 2012 R2”

Office 365 Single Sign Out with ISA or TMG as the ADFS Proxy

Over the last year I’ve spent a decent chunk of my time shaping and delivering Identity and Access Management workshops for Office 365 projects at Content and Code. This is generally underpinned by Active Directory Federation Services v2.0 (ADFS). In fact I don’t think we’ve done a single Office 365 project without it. Along the way I’ve become acquainted with many of the nuances of the sign on and sign out experiences as they differ across Office 365 services, client applications and different (valid) network perimeter technologies. In this post I will mainly focus on the security implications of publishing ADFS through ISA or TMG Reverse Proxies in the place of ADFS Proxy servers. In the majority of our engagements we’ve considered this option (potentially allowing our clients to consolidate infrastructure) since ISA, TMG or similar Reverse Proxies are commonly deployed. Yet we need to evaluate with full awareness of how ADFS operates without a Claims-aware Reverse Proxy such as the ADFS Proxy. This gets pretty technical, so I’m assuming some high-level familiarity with ADFS, Reverse Proxies and Office 365.

Contents

Continue reading “Office 365 Single Sign Out with ISA or TMG as the ADFS Proxy”

Superflows are here, with authoring in due course

Tony Soper, a Senior Technical Writer for Microsoft, has been revealing some interesting new content recently. Both System Center Configuration Manager and Forefront Threat Management Gateway (the successor to ISA) have, “Superflows”, which are described as, “a new Content Type”. After poking around for a bit I found this 8 minute podcast from 2008, where Tony interviews Doug Eby from the SCCM team about Superflows in more detail. They’re, “an interactive flowchart”. A Superflow can ask questions (about an environment, for instance) and a resulting flow will be targeted based on those answers. In the podcast they say this will be extensible in future and that there will be authoring support of some sort, so it will be interesting to see how this sits beside Visio, Visual Studio and InfoPath as a form/flow technology. I’ve asked Tony for more information about that on his blog and was told to watch that space for an eventual release date. I’d recommend this anyway, as his blog is a trove of good information, particularly around Virtualisation.