VMware Identity Manager and Office 365 Integration
welcome to this vmware video in this video we will discuss the integration of microsoft office 365 with vmware identity manager first we will discuss the microsoft office 365 identity bottles then we’ll do a technical overview a high-level integration followed by defining the prerequisites then identity manager and office 365 application configurations that office 365 is your domain creation validation and conversion and then we will test and validate the process before we get started we will briefly discuss the microsoft office 365 identity models in order to allow viewers to understand what is required at why Microsoft has three office 365 identity models which are in use today the first is the cloud identity model in this model a user is created and managed in office 365 and stored in Azure Active Directory and the password is verified by is your active directory as your active directory is the cloud directory which is used by office 365 there is no equivalent user account on premises and there is nothing that needs to be configured to use this other than to create users in the office 365 admin Center under this model customers basically have a silent set of identities inside an integer Active Directory tenant which comes with office 365 the second model is the synchronized identity model in this model the user identity is managing an on-premises server and the accounts and password hashes are synchronized to the cloud the user enters the same password on premises as they do in the cloud and that sign in the password is verified by asher Active Directory this model uses the Microsoft Azure Active Directory sync tool which is a replacement of the older singh tool this model can be a one-way sync between your on-premises active directory and office 365 or can sink password updates back to the premises directory as well this option is the better choice over cloud identity for established larger or enterprise customers with existing on-premises user directories has this allows full synchronization of user accounts but users must still reenter their credentials a second time to authenticate to the cloud finally there’s the federated identity model this model requires a synchronized identity but with one change to that model the user password is verified by the identity provider this means the password hash does not need to be synchronized to Azure Active Directory this model uses Active Directory federated services or ad FS or a third-party identity provider in this model Active Directory stores and control security policies only when users are authenticating there’s a real-time check against Active Directory vmware identity manager supports microsoft office 365 integration with the measure Active Directory federated identity model we will now begin working through the specific details of integrating office 365 applications with vmware identity manager here we will show how the two products work together to provide the user a single sign-on experience first the administrator configures office 365 to synchronize with the local Active Directory it’s creates the office 365 user accounts with their user principal name and object good user attributes next the administrator configures office 365 applications within vmware identity manager to talk to the same office 365 or as your domain with necessary user principal name and object good user attributes this provides office 365 or the insurer active directory with the vmware identity manager Sam Mele signing certificate to trust the user then login to view more identity manager with their standard credentials just once identity manager then validates those credentials with active directory and provides a list of applications the user is authorized to execute among them are the office 365 application the user then selects the office 365 application they wish to launch an identity manager provides the users attributes such as the user principal named an object good along with the other values to determine the application and domain via a sam’l assertion this authenticates the user to the office 365 domain automatically by use of the values within the sam’l assertion the office 365 application launches and the user can now start working these are the high-level requirements and features provided when delivering office 365 applications through vmware identity manager specifically integration of identity manager and office 365 require the use of web services Federation deployment model or WS fed integration as well as the user principal name and object good user attributes for authentication and authorization purposes the benefit of this is now end users have a single sign-on from vmware identity manager and workspace 12 both web and native office 365 applications including mobile office 365 applications as well now let’s walk through the high-level integration steps it should be noted these high-level steps may be performed in various sequences so long as they are completed appropriately first the administrator must configure user attributes in identity manager for use next the administrator must synchronize local Active Directory users to vmware identity manager by defining the proper user attributes for use then creating the local directory within identity manager and finally selecting and synchronizing the user accounts from Active Directory to identity manager the administrator must now obtain the office 365 or as your tenant ID and immutable ID values for use in identity manager these values are then used when setting up the office 365 applications within identity manager too . identity manager to the proper office 365 tenant next if not already accomplished the administrator must create an office 365 orange your Active Directory domain once the domain is created the administrators must synchronize the local active directory to the newly created office 365 or is your domain the administrator now needs to convert the office 365 or as your domain to a federated mode it should be noted at this time the office 365 or Azure Active Directory domain creation validation synchronization conversion to WS fed and trust with identity manager can all be done in a variety of different ways finally users must be entitled to use the office 365 applications within identity manager the following our identity manager prerequisites the user principal name value must be set as required within the user attributes of identity manager directory synchronization settings prior to directory creation additionally the object good value must be created within the user attributes of identity manager directory synchronization settings prior to directory creation other values which are required during initial setup of identity manager are the service fully qualified domain name the connector fully qualified domain name is a separate value needed only if the customers using the SAS offering of identity manager as this denotes the public fully qualified domain name of the identity manager connector appliance which is hosted on the customer Network this value would be the same as the service fully qualified domain name if the customers using the on-premises offering of identity manager the specific application parameters needed are the office 365 tenant domain and office 365 tenant issuer the tenant domain is the office 365 domain which is created and configured as a federated domain within the office 365 or is your Active Directory admin consoles the tenant issuer is a value which needs to be a globally unique identifier across all of microsoft office 365 or Azure Active Directory environment because the vmware identity manager tenant namespace must be a global unique name amongst the internet we can utilize this same value here for example SAS . via more identity . com or my vmware . workspace air.com among the listed prerequisites for office 365 integration you will want to have both a working identity manager configuration and admin access into office 365 or sure ABT consoles additionally the following values are also needed such as the issuer uri which is the identity manager tenant named the Federation brand name which is essentially the customer named the active and passive log on your eyes which are specific deep links listed here and in identity manager documentation on vmware com the log-off uri which is a deep link to microsoft online log out page the metadata exchange your eye which is another specific deep link to the identity manager tenant and finally a properly formatted Samuel signing certificate for creating a trust between office 365 and identity manager to add an application to identity manager select the catalog tab click the add application button and from the drop-down menu select web application from the cloud application catalog under the configuration section of the office 365 application you may modify the application configuration as needed if domain password credentials verification is desired then change the credential verification drop-down value accordingly note the default per app password setting is actually more secure as it allows end users to not utilize their domain credentials as the cash credentials in the locally installed copies of office applications when creating an office 365 application the only to application parameters needing to be defined are the office 365 tenant domain and office 365 tenant issuer the tenant domain is the office 365 domain which is configured as a federated domain within the office 365 forager Active Directory admin consoles 0the tenant issuer is a value which needs to be a globally unique identifier 4across all of microsoft office 365 or is your Active Directory environment.