Welcome back. In this episode, we're gonna discuss a little bit more about Federation and single sign on in our azure active directory.
My learning objectives include understanding, federation configuration and understanding are single sign on configuration.
First, what is Federation Federation is a concept where different domains have established a trust relationship.
Thes trust typically include authenticating a user as well as authorization to access. Resource is we've are discussed federation as it relates to azure Active directory in your on premises Active Directory. This is where you've established a trust relationship
for users. Accessing Azure Cloud resource is to be authenticated using their own premises identities.
You can deploy Federation technology using Active Directory Federation Service's or A T. F s, which our server rolls installed on top of Windows servers.
You can also use third party federation partner called Ping Federic.
Now I want to go over some high level steps on how to configure federation using Azure 80 connect
during the installation of Azure 80 connect or by opening the program leader. You can use it. Configure your A T. F s environment in your on premises data center. First, you'll just need to open as your 80 connect.
Once you've opened it, there should be an additional option for managing federation.
Once this option is selected, you'll need to add your A T F s SSL certificate.
This will have the public name of your A d. F s environment on it. For example, a T F s dot cantos oh dot com Next in the Wizard, you'll specify your 80 if s servers and your web application Proxy server or W AP
Your Web server will sit in your D m Z and proxy authentication request from outside your network
to the 80 if S servers inside your network. The next step is to select the domain that you wanna February with, and then finally finish the configuration.
In addition to setting up your A. T. F s environment and your on premises data center, there is also some steps to convert a manage domain to a Federated domain inside of azure active directory.
First, if you haven't already download installed the M s online power show module using the install module AMS Online command a connector azure 80 tenant using a global admin account. Next, we needed the verify. The domain is currently set has managed using the git M S o L domain command.
Here in our screen shot, you can see our ese 300 tech dot com is currently set as managed for the authentication type.
Finally, will run the convert mso well, domain to Federated Command and specified of Maine. You want to convert? Once this is completed, the domain should be listed as Federated. If you rerun the get mso well, domain command, I would definitely remember the Convert Command for the exam. It's a pretty important step in configuring federation with Azure 80.
Next, let's talk about single sign on or es eso
as your 80 single sign on allows for automatically signing in users. When the user is on a corporate domain joint device and connected to the corporate network,
users will not need to re enter their password in order to access their online service is
this provides quick and easy access to cloud based applications. Single sign on can also be combined with password, hash sink or passed through authentication. Just a note federation is not required for S s, so it can be configured using these other two authentication options.
Finally, as your 80 Connect remains the central point. This is where we go and configure if we want to enable SSO for our domain.
Let's check out what this looks like in the next slide
here. We've reopened as your 80 connect in our own premises server, and we have the option to change user. Sign it
once we click next this Patiala familiar. This is where we select our sign on method, and right down here you can see we can check the box to enable single sign on.
Once we've made this change in Azure 80 Connect performs a sink to our online as your 80 tenant. We can see here that we have under user sign in that we have single sign on enabled for one of our domains.
In addition to converting our domain to single sign on, there's some additional options we need to deploy in our environment. This can be done through a group policy object or GPO. In active directory, you need to configure a group policy to add the auto log on Microsoft Azure a d. Dash sso dot com
to the Internet's own your L for Internet Explorer.
The reason we need to do this is the browser automatically determines what zone a website is when it visits it. For example, something like H T t p colon slash slash a Z Tech 300 will map to the Internet zone. But if we were to add a Z 300 tech dot com, it's gonna map to the Internet zone
because the euro has a period in it.
By adding this typically Internet address to her Internet zone, browsers will send a car bro's ticket to it to perform authentication. And this will allow our single sign on to act correctly.
That does it for this episode, where we discussed federation and single sign on configuration. Let's follow it up with a quick post assessment question.
What authentication methods can be used with single sign on
answer is password, hash sink and passed through authentication.
Coming up next, we're going to dive into several topics and how we can manage our azure active directory. See you in the next episode