Active directory service with office 365 - active-directory

I run a small business with 3 employees and don't want to spend a fortune on this IT solution. But I would like to have an Active Directory service so that I can admin the users from a central place, and get the benefits of domain policies like password length requirements and making them update their passwords every now and then. I would also love it if it's somehow integrated with our Office 365 so that users don't need to sign in specifically to Office 365 (single sign-on?).
Is there an easy way to set this up, either with Office 365 so that I can use the Active Directory service in Office 365, or in a relatively easy way with some other directory service?
The employees in the business are not located in an office; they travel quite a lot, so an internal Active Directory installation is not an option.
If someone can point me to a tutorial I would be very grateful.
Thanks in advance!

Here is the very common solution; I had done the same: http://thecloudmouth.com/wp-content/uploads/2012/12/wp-adfs-o365-iaas.pdf
or the best alternative is
https://process.st/2014/04/small-business-in-the-cloud-google-apps-or-microsoft-office-365/

Related

Best way to store users to allow single sign-on for multiple asp.net mvc websites

I have multiple ASP.NET MVC websites hosted in subfolders of a main domain. Each website has its own SQL Server database. Currently users need to sign up to each individual website if they want access, but I am looking for an SSO solution. I guess a little bit like how eBay works, where you can sign up in one country's domain but can log into eBay from any of the other domains eBay has sites for.
I am looking for the best architectural design to achieve this. After a lot of googling this seems to be the only solution that fits the bill, but I wanted to check first (http://arunendapally.com/post/implementation-of-single-sign-on-(sso)-in-asp.net-mvc). If this is the right approach, how does that affect the database design? Would the users now only get stored in their own database that all of the other websites have access to?
I think that maybe moving the authentication part of your application somewhere else would be a better option.
You could try the approach suggested in your link.
Another option would be to look at external providers.
I'm thinking here about Azure Active Directory (https://azure.microsoft.com/en-us/documentation/articles/active-directory-whatis/ with this example http://www.asp.net/identity/overview/getting-started/developing-aspnet-apps-with-windows-azure-active-directory) or Auth0 (https://auth0.com/), for example.
That way you have a separate place for your user accounts, which are in a database in the cloud which you don't have to manage. Something like Azure Active Directory also allows you to set which users are allowed to access which app, which is also something you need to take into account.

Restricting URLs using Active Directory in Weblogic 10.3 - where to start?

We are looking to use an Active Directory server to restrict access to certain URLs in our Spring application on a WebLogic server, and I have no idea where to start. The problem should be quite simple as I understand it: we have a simple app which has a number of URLs:
<root>/page1.do
<root>/page2.do
<root>/page3.do
etc.
And an Active Directory server which lists the users in two groups, such as "Admin" and "User". We would like it so that, based on the login information provided (no SSO required), anyone in "Admin" can access all pages and anyone in "User" can only access page2.do and page3.do.
I have absolutely no idea where to start, and Google isn't being very forthcoming. I would have hoped that this is an easy task (add AD server to WebLogic, set up a config file). Does anyone have any experience with this and links to good places to get started, or a summary of what we will need to do to get it working in this fashion?
Cheers
You should be able to easily use your AD as an Authentication Provider in your WebLogic server(s). Here is some documentation to get started on how to do the configuration:
http://download.oracle.com/docs/cd/E12840_01/wls/docs103/secmanage/atn.html#wp1198953
After that, you can configure security roles and security policies in order to control access to your server's resources. Again, some docs to get started: http://download.oracle.com/docs/cd/E13222_01/wls/docs81/secintro/concepts.html#1083616
If you prefer a good book to start with, here goes my suggestion: http://onjava.com/pub/a/onjava/excerpt/weblogic_chap17/index.html. Although somewhat old, this chapter covers pretty much everything you need to know.

Webservice that handles 1 million user accounts

Imagine you're writing a web app that will have 1 million users (they all grow that big, right!)
How would you handle user accounts? I can imagine a few scenarios:
1. Roll your own (database tables, salted/hashed passwords stored in a user profile table)
2. If written with ASP.NET, use the login/role provider (which falls back to the database)
3. Use Active Directory if in a Windows environment
4. Use some other LDAP server
5. A 3rd party provider like OpenID or .NET Passport
Stability and scalability are of course important.
I guess this is really a question of whether Active Directory and other LDAP servers scale well and easily. What do Facebook, Twitter and Gmail use as their backend account provider?
What got me thinking about this is the Google App Engine. Really cool looking. But users would need to get a Google Account if I used the built-in authentication stuff. Or with #5 above, users would need to go get an OpenID. I'm trying to make it so they can just do a simple sign up with my site without needing to visit other sites -- for the non-geeks of the world :)
I would ask someone who had actually worked on a system which caters for that many users.
I'd find out about other systems like this, and look at case studies that have been written about them. (Ask Microsoft, Oracle, IBM etc.).
But, for usability you either need to implement a single sign on solution, so users don't need to know their login details. (Perfect for the corporate world.)
or
You have to go with what users know, which is an email address/username, and password.
OpenID or similar systems are horrible for non-technical users.
(Note, anyone looking at this is a technical user.)
OpenID.
If you must give the users a choice to create an account on your site, become an OP.

How do you use Active Directory in a "hosted solution"?

Yesterday I got a call from a Microsoft representative asking if we supply "hosted solutions", presumably as part of the big Windows Azure push. As soon as I got off that call, our marketing director came into my office and said the majority of our customers are demanding Active Directory integration in the next version. Then it occurred to me: how does one use Active Directory in a "hosted solution" if the application does not live on the customer's network?
As a more general question about Active Directory integration, what kind of functional changes does that usually imply for an app? Does it mean a user is signed into the app just by authenticating to Active Directory or does it mean the app gets its list of users from Active Directory or does the creation of new users or groups in the app create new users or groups in Active Directory?
Am I just caught in the crossfire of a war of buzzwords?
You're not. Active Directory can be run across the public Internet, though this complicates the security and setup of the network rather considerably.
Generally, authenticating an app against Active Directory means that your membership provider (for example) would call into Active Directory to do the authentication and, after that, the user is simply logged in; you don't keep active credentials, etc, in your own database. However I would consider it smart to cache that information as well, and be prepared to authenticate against that cache in addition to the directory, in case the domain controller is unavailable for authentication (an especially large risk if you're running the directory across the Internet).
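The accepted answer's caching advice (authenticate against the directory, keep a cache of verified credentials for when the domain controller is unreachable), as an added Python example that is not from the original thread. `FakeDirectory` is a constructed stand-in for the real LDAP bind; the salted PBKDF2 digest, the TTL, and falling back to the cache only on unavailability (never on an explicit rejection) are the details the answer leaves implicit.

```python
import hashlib, hmac, os, time

class DirectoryUnavailable(Exception):
    """Raised when the domain controller cannot be reached at all."""

class FakeDirectory:
    # Constructed stand-in for an LDAP bind so the example runs offline.
    def __init__(self):
        self.online = True
        self.passwords = {"alice": "correct horse"}  # constructed sample user

    def __call__(self, user, password):
        if not self.online:
            raise DirectoryUnavailable()
        return self.passwords.get(user) == password

class CachedAuthenticator:
    def __init__(self, directory_check, ttl_seconds=8 * 3600, clock=time.time):
        self._check = directory_check  # callable(user, password) -> bool
        self._ttl = ttl_seconds
        self._clock = clock
        self._cache = {}  # user -> (salt, pbkdf2 digest, expires_at)

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def authenticate(self, user, password):
        try:
            ok = self._check(user, password)
        except DirectoryUnavailable:
            return self._from_cache(user, password)  # fallback only when unreachable
        if ok:  # cache only credentials the directory itself just verified
            salt = os.urandom(16)
            self._cache[user] = (salt, self._digest(password, salt),
                                 self._clock() + self._ttl)
        else:
            # An explicit rejection drops the entry, so a password changed or
            # revoked in the directory cannot keep working offline.
            self._cache.pop(user, None)
        return ok

    def _from_cache(self, user, password):
        entry = self._cache.get(user)
        if entry is None:
            return False
        salt, digest, expires_at = entry
        if self._clock() > expires_at:
            del self._cache[user]
            return False
        return hmac.compare_digest(digest, self._digest(password, salt))
```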
You can use Active Directory Federation Services to enable authentication using AD over the internet between two organizations. See: http://technet.microsoft.com/en-us/library/cc786469.aspx
I've never used it, only read about it. Hope it helps.
The accepted answer explains the role of Active Directory and I agree that caching basic user information may be useful in many instances.
Active Directory can be expanded outside of a corporate network, to the internet and connected web services. As another user mentioned, this is achieved through ADFS (Active Directory Federation Services) which allows "trusted" connections to be set up between separate authentication services. There were a number of scenarios explained as part of the "Office 365 Jump Start" webinars:
http://technet.microsoft.com/en-us/edge/office-365-jump-start-04-microsoft-office-365-identity-and-access-solutions
After viewing these, I immediately thought that a "hosted" AD and ADFS service would be useful, where a customer doesn't want to maintain the AD servers internally (Microsoft don't recommend running less than 5 separate servers if you're doing this!). Recently, Microsoft have also launched their Azure cloud platform. One of the services they provide is labelled "Identity", which you can see here:
http://www.windowsazure.com/en-us/services/identity/
This is Microsoft's own solution to hosted AD services. In fact, they even mention using their "Identity" hosted service as a solution for SSO (Single Sign-On) for Office 365 and even Google web apps.
I am still learning about AD and Microsoft's cloud offerings, but I hope this points you in the right direction.
There's an article here: http://www.developerfusion.com/article/121561/integrating-active-directory-into-azure/ which describes in-depth how to integrate Active Directory with Azure - hope that helps.
Active Directory can be run across the public internet, but you will experience lag times which may cause your app to time out or crash depending on your bandwidth. In the past, I have set up accounts with another company called ultradns.com who specializes in these types of scenarios. Hope that helps.
You'd be best off going with a true hosting framework if you would like any support from MS.
I'm sure you'd like some links so:
HMC (Hosted Messaging and Collaboration)
The ONLY true blog I know about on the framework is from Kip Ng
The ASP.NET forums are a good resource for questions on the Framework as well.
An example of the work that goes into configuring AD for Exchange multitenancy is here, though it is based on an older version of the framework a lot of the same principles apply.
Also, try searching on the keyword multitenancy for some articles.

Is it a good idea to use Active Directory user login to your application

I am developing a web-based intranet for my company. I just want to know: is it a good thing for users to log in to the application using their Active Directory login details, or shall I create a login together with the application DB?
If there is anything better than this please suggest. This is my first application development, so I need help from experienced people.
Generally it's a good idea to try and minimize the number of accounts people need to have.
So I'd definitely try and use their Active Directory login.
Also, if desirable, you can automatically log people into your application using various single sign-on methods (either integrated into IIS, or other).
This makes for a very usable application, as people always forget login details, and hate to login again to other systems.
Only use Active Directory for your intranet if your infrastructure supports it.
Your question is phrased as if you think the user has to type their password in again to log in to the intranet site - they should not do this! Have Windows pass on the credentials automatically. This is pretty much built in to .NET/IIS/etc.
Also, AD will add group management and privileges so you can restrict areas of your intranet to members of certain groups.
And your support team already has the tools to manage all this.
PS: you can enable Firefox to auto log on via NTLM, and it is one of the most requested features for Chrome too, so don't let browser issues put you off.
There are several pros to using Active Directory authentication in the intranet.
Those are the main ones:
You want to keep the number of authentication stores as low as possible
Using Active Directory, users who have their desktop in the domain (as they should) will be able to use Integrated Windows Authentication. They will be able to log in without having to type their password.
An Active Directory authentication mechanism probably exists for your language
More information:
http://msdn.microsoft.com/en-us/library/ms998358.aspx
If you create a separate login system, then your users have to remember 2 different logins. Why bother, when their "real" login is right at hand?
Less code for you to write and better integration into the wider system. And, who doesn't want FEWER passwords to remember.
Definitely go for the Active Directory option, or use Active Directory as an LDAP server if whatever language you're using doesn't directly support AD. Active Directory actually makes a pretty good LDAP server.
> If there is anything better than this please suggest.
OpenID?...