Saturday, September 19, 2015

Office 365 with OneLogin: Part 1

Now that I have defederated my Office 365 account and disabled DirSync (see my two previous blog posts), I will replace these functions with OneLogin's serivces.

These are some of the primary tasks to be completed for the implementation of OneLogin for Office 365:
  1. Create a OneLogin account and purchase a plan based on your needs.
  2. Install the Active Directory Connector (this component constitutes the link between on-premise Active Directory and Azure Active Directory which is the directory service for Office 365 and Exchange Online in particular).
  3. Configure "Desktop SSO".
  4. Install the OneLogin browser extensions for Internet Explorer (or whatever browser your prefer). This will allow Single Sign On (SSO) for access to Office 365 via the web interface. For Outlook, we must adjust the Outlook profile.

I will present the first two tasks in this blog post and the others later. You may have other tasks to complete based on your requirements.


***


Purchase a OneLogin plan

We can view current OneLogin plans and pricing with this link:

OneLogin - Products and Pricing

However, there are other options. If Office 365 is the only "application" (that is what it is considered in this context), we can contact OneLogin and pay only for Office 365. In my case, it was 50 cents per user, per month, with a minimum of 5 users. I will not present a step-by-step procedure to purchase this option but rather recommend that the reader contact OneLogin directly for more information. If you have multiple applications (Office 365, Google Apps, Salesforce, etc.), you would probably want to puchase one of the four basic plans presented at the link above.

I will say that when OneLogin makes the custom plan available, you can view the plan's details in the "Manage Subscription" section of your OneLogin account. This is where you would purchase the plan (if you make the purchase with a credit card).







You would select the number of users at the bottom of the page and then click on "Select this plan"







Installation and Configuration of the Active Directory Connector


First, I'll attempt a high-level overview (without all the technical details) of the process by which OneLogin constitutes the link between on-premises Active Directory and Office 365.
  1. The client first logs on to OneLogin (yes, OneLogin) using their on-premises Active Directory credentials.
  2. OneLogin verifies these credentials with the on-premises Active Directory domain controllers.
  3. If the credentials are valid, OneLogin opens a session with Office 365.

Yes, I have omitted many of the technical details for brevity. However, I will explain how OneLogin can query onsite Active Directory. It is the Active Directory Connector (ADC) that makes this possible. The ADC establishes on outbound connection to OneLogin on port 443 and any query related to authentication takes place in the context of this pre-established connection. A useful comparison (or useless - depending on your past technical experience) would be the connection established by the Blackberry Enterprise Server (BES) with Blackberry, allowing users to connect to their mailbox from outside the coporate LAN. All we need, as far as the firewall goes, is outbound access on port 443 which is often allowed by default.


***

Now I will install the OneLogin Active Directory Connector (ADC) on a member server. Once again, this component will provide Single Sign On services with Office 365 (or with other applications). It can be used as a replacement for ADFS.

Here is a summary of the prerequisites. We need:
  • .NET 3.5 (only supported version at the time I compose these lines).
  • Windows 2003 Server and above
  • Open Outbound TCP port 443

We also need a supported web browser for administration. For Internet Explorer this is 10 or 11 (9 is acceptable for end-users).

We can install the ADC on the domain controllers themselves but it is recommended to install it on member services, avoiding in particular the domain controller that holds the PDC emulator role.

Complete details can be found in the official OneLogin instructions.

Installing an Active Directory Connector

First, we logon to our OneLogin account:




We then go to Users > Directories:



We will see the directories at our disposition. I have Active Directory. Once I purchased the licenses, Active Directory was made available with the collaboration of OneLogin tech support on the vendor side.

I click on the Active Directory icon and the "Active Directory Setup" wizard opens



There are 3 simple steps:
  • I name the directory (I'll name mine "MYNET Active Directory")
  • Download and execute the ADC application
  • Enter the token when requested.

So I download the ADC application and execute it:







And here is the step where I enter (copy and paste) the Directory Token provided above:



The ADC service must run as either the LocalSystem account or a custom account. Although I could use the LocalSystem account (having only one domain in my forest), I created a service account "OneLogin" that I will use instead:



I will use the default port:



And click "Install":





At the end of the process, we are prompted to run the ADC Config Wizard. This is optional if we have only one AD forest. I will click on "Auto Populate". The wizard finds my single AD domain which I check:








We finish (by default) on the Connector Instances tab. Status should be "Connected":





The OU Selection tab allows us to adjust our choice of OUs to synchronize with OneLogin:





The Directory Attributes tab shows the user attributes that are imported into OneLogin. We can add more if necessary:





The "Avanced" tab offers some additional configuration options:



For example, we can "Synchronize disabled users". If I disable a user (so they no longer can access onsite resources), I would probably also want to limit their access to Cloud-based resources (O365 in this case) as well.

And the "Logon username attribute"? Users can use their email address, sAMAccount name or UPN to logon on (followed by their password, of course). If I want users deleted in AD to be deleted in OneLogin as well, there is an option to check (they can also be merely suspended).


No comments:

Post a Comment