[MUSIC]
Corissa Koopmans: Welcome back to the Azure AD Architecture
Deep Dive Series. So far, we’ve covered cloud authentication
with PHS and PTA. Now we should cover federation to
complete this part of the series.
Ramiro Calderon: So now, let’s say that we have Alice
here and she wants to go to check her email in Exchange,
and she’s using Outlook with modern authentication, of
course. And now, when she opens Outlook she will see a
popup window, and that’s pretty much a browser for our
purposes today. In that case, Exchange Online will say, I
don’t know who you are, go to Azure AD. And we will redirect
the user to Azure AD. Azure AD then needs to know first how
to authenticate Alice, so it renders a login page, so she
can type in the username, which we call in identity the
user principal name or UPN, so that’s step number one
here. This is where this diagram starts. Azure AD has a lot
of services under the covers, and we’re seeing here the
authentication service, which is the system that implements
the different authentication protocols and the user experiences
for credential gathering and validation. Since we are using
federation, those experiences are not going to be used, but
this is the same component. Now, on the left side here, we have
the on-premises identity provider infrastructure. We also call it
the IdP, and that can be AD FS or any other federation product
that implements the SAML or WS-Federation protocols.
Corissa: It’s important to note here that the identity provider
is in the critical path and is also receiving traffic from the
public internet. How should we advise our customers to
run this infrastructure at scale?
Ramiro: Right. Like any other piece of critical infrastructure,
it needs to be monitored, patched, and highly available.
This means that we have to have some sort of load
balancing in the infrastructure. And federation services
also rely quite a bit on certificates. They need to be rolled
periodically for token encryption, token signing, etc.,
etc.
As you point out, it needs to reach back to the on-premises
directory over here, but it also needs to be available for
requests coming from the public internet. For example,
in AD FS, that requires deploying a federation service
server inside the corporate network and a verification
proxy server in the DMZ. It’s definitely a significant
infrastructure investment. I only mention one service
server here, but there are multiple servers to make it highly
reliable and rock solid for deployment in production.
Corissa: That sounds great. Let’s look at the flow.
Ramiro: Alright. So, Alice types the UPN here and submits
the form to Azure AD. Let’s say that her UPN is
alice@wingtiptoys.com. Azure AD needs to discover
which tenant she belongs to and its configuration.
The authentication service then queries the core store with
the user principal name that she typed in. And the
core store will return an answer saying that she needs to
use federation, and this is again determined by the domain
configuration, which in this scenario is wingtiptoys.com. As part
of the request to the core store, the authentication service
also retrieves the URL of the identity provider, the federation
protocol that should be used, which can be either SAML or WS-
Federation, and the token signing certificates to validate
the federated token that will be received at the end.
The Azure AD authentication service then redirects the
user to the identity provider in step three and the federation
system takes over the interaction from that point onwards
in step four. Like the previous flows, the interaction
always requires some sort of credential gathering, here
in step five, and credential validation, step six. And finally,
an authentication token is issued to the user in step
number seven. In password hash sync, we happen to
use the hashes in the cloud, and in PTA we use agents, but
the fundamental steps of gathering a credential and validating
that credential won’t change. In step eight here, Azure
Active Directory receives a token from the identity provider
and validates a few things in step nine. First, the token should
be signed with the certificates that Azure AD knows ahead
of time per the domain configuration. Second, it should
also have Azure AD as the audience, since the audience is marked
as Azure AD. And third, the name identifier of the SAML
assertion should match the immutable ID of Alice that
is also stored in the core store. So, if those things are
successful, then the authentication is successful. The
authentication service also remembers pieces of data based
on the claims in the token, in this case, the SAML assertion
token. We need to remember the authentication methods.
So, for example, if Alice used multi-factor authentication
on-premises, then Azure AD will remember that she did it,
so that if there’s a policy later or an application that
requires MFA, then the policy will be satisfied without
prompting the user again. Similarly, we have another
claim called inside corporate network, same thing. These
will help with conditional access policies that require the
request coming from a trusted location.
Corissa: This is super helpful, Ramiro.
This wraps up our miniseries on hybrid authentication
methods. Now that we’ve seen all the methods on how to
authenticate, I want to summarize a few points.
The original AD hashes never leave on-prem. We send a
hash of the hash to the cloud with PHS. PHS authentication
has the least latency because it is geo load balanced by
Azure AD. PHS is also resilient to on-prem outages because
it all happens in the cloud. PHS also enables customers to
discover leaked credentials compromised on the public
or dark web. Customers can enable PHS and keep
federation. PTA does not require you to synchronize the
hashes, but we really encourage customers to turn it on.
With PTA, the on-prem agents are in the critical
authentication path. For federated customers, all the
servers in the federation infrastructure are in the critical
path. Customers can gradually migrate from federation to
either PHS or PTA using staged rollout.
And finally, I want to leave you with this decision tree that
can help you to find out what method works best for you.
You can find it if you follow the link here.
We hope you found these videos useful. We’ll be adding
videos on different topics, like more authentication
scenarios, provisioning, governance, and many, many more.
If you want to get a copy of the diagrams we used today
or want to give us feedback and help us figure out what to
cover in the future, please follow the link on the screen.
[MUSIC]
