Single Sign On | What it is How it works Why you need it

Captions
Thanks for joining us again at the Azure Academy. Today we're digging into single sign-on: what it is, how it works, why you need it. I'm Dean Cefola and this is The Azure Academy. If you want to master the Azure cloud you can start right now by clicking the subscribe button and the notification bell so you don't miss anything!

I'm going to go to an internal web page in my company, msazureacademy.sharepoint.com, and when I do I am asked to sign in. So to understand this we need to first cover how passwords actually work. Now, in a structure like a domain, Active Directory handles all this for us; that's its whole purpose, and the clients are joined to that domain environment so they trust the domain server as the identity provider. So when you submit your password it goes into the system, validates that you are who you are because you've met the criteria, and it authenticates you.

When we move to the cloud things are a little bit different. In the cloud, Azure Active Directory functions as our identity provider, and this works on a different authentication mechanism. Azure Active Directory uses OAuth and modern authentication protocols. So what would happen is you would try to authenticate to the identity provider, Azure AD; you would get an authorization token, and that would be what's given back to your client in order to grant you the authentication. Then we use something called claims, and those claims get tokens that you pass around to different systems. In a single sign-on implementation you sign in once, hence the name, and then they don't need to sign in again until their tokens expire.

Now, our identities will be kept in sync from Active Directory to Azure Active Directory using Azure AD Connect, which is also the tool we're going to be looking at today, as that's what's going to help us implement single sign-on. AD Connect will also give us the benefits of doing password hash sync or something else that we'll discuss in a moment called pass-through authentication, and the two really have to do with who is responding to your password request.

So over in the Azure portal, if I go to Azure Active Directory and we go down to Azure AD Connect in the blade, you see we've already got Azure AD Connect set up, and if you missed our video on setting up Azure AD Connect go check that out in the top right. We have password hash sync enabled at present, and this is the minimum thing that's recommended. Now underneath that we have the user sign-in section. This is where you can add federation if you're using AD FS or some other third-party federation service. Also we see seamless single sign-on and pass-through authentication. Now these are currently not enabled in the environment, and we're going to fix that today.

From the Start menu, under Azure AD Connect, we want to open the Azure AD Connect tool, which is going to let us make some changes. So on the first page in the wizard we'll hit the Configure button, and to make a change to how our user sign-ins function we'll just click Change user sign-in and hit Next. Now we need to authenticate using an Azure AD Global Administrator account, which gives us the permissions to talk to Azure. I'll hit Next, and now we can change how our sign-ins function: everything from password hash sync to pass-through authentication, or configure with federation and AD FS (and if you missed our video on federation go check that out in the top right). PingFederate is a third-party federation service, and then there is Do not configure, which you should pretty much never use.

So currently I'm at password hash sync, which is the lowest level of something that you should have running. Now when I have password hash sync I can check the box to enable single sign-on and that will all totally work. The other thing I can do is select pass-through authentication, and watch the single sign-on box: it gets checked automatically, the idea being that since you're already sending your authentications back to AD, why not enable single sign-on? You can choose of course to not do that if you so desire, and each of these methods will work for single sign-on, so consult the Azure documentation as to which is right for you. For today, right now, I'm going to set up password hash sync with single sign-on and hit Next. I have to enter my AD credentials, and my creds have been verified, so I'll hit Next. We'll click Configure and that'll set up everything for us.

Now in Active Directory there's our computer object, AZUREADSSOACC. That'll always be the name of the computer object, and that'll handle the brokering of single sign-on. We'll close out of the wizard, and now we have to edit our group policies.

I'm going to create a new group policy for this, and I'll call it "single sign-on" and hit OK, and we'll go to edit the policy. What we need is under User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page, and in there we'll go to Site to Zone Assignment List, click Enabled, and click the Show button. The value that we're going to put in here is autologon.microsoftazuread-sso.com with a value of 1, and all of this is in the documentation; you can find the links to all the Azure docs in the description area below the video. So I'll hit OK on that one.

Over on the left we'll want to go to the Intranet Zone, and the policy we want is Allow updates to status bar via script. We'll change that to Enabled and hit OK there.

We'll scroll back up for this last one, and this will be under Preferences > Windows Settings > Registry. We'll right-click over here to add a new registry item, and we'll click the ellipsis to get a view of the registry, which will be under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains, then microsoftazuread-sso.com, and finally autologon. Now down here we've got the https key, and that should be set to 1, which will enable it, and then hit OK.

So close the new group policy and then check it out, and there you go: Site to Zone Assignment, enabling Allow updates to status bar via script, and adding our registry key. So three GPO components that go along with enabling SSO in Azure AD Connect.

Now we just need to test it. I'll open my web browser and go to myapps.microsoft.com/msazureacademy.com, and I am auto signed in thanks to single sign-on. Now this works because I'm on a domain-joined system and I have line of sight to my domain controller, and I'm logged in with the user that has the policies that are enabling SSO. So if you're on a separate device, say a work-from-home device, then you will not be able to have seamless single sign-on, because you're not joined to the domain and you can't see the domain controller from where you are.

Now if we go back to the Azure portal and we click Refresh on the Azure AD Connect window, now we have single sign-on enabled, and that's done for the one domain that I have, and we can click on it and see that it's for the msazureacademy domain and when this was all set up.

Now one important security feature that I'll tell you about is that you need to do a Kerberos decryption key rollover in order to keep your environment secure, about every 30 days. That's going to make sure that all your tokens have to be refreshed, that nothing leaks out of your environment, and it keeps everything running secure. So how in the world do we do any of that?

On the server that you have Azure AD Connect installed on, in C:\Program Files\Microsoft Azure Active Directory Connect there will be a file called AzureADSSO.psd1. We're going to need to import that file into PowerShell as a module, which would look just like this: Import-Module and then you put in the path to the file, and hit Enter. Now the first command we have to do is going to authenticate us to talk to the SSO service, and that is New-AzureADSSOAuthenticationContext. Then you hit Enter and it'll prompt you for a login; you're going to need to put in your Azure AD Global Admin credentials for this and hit Next. Once you're authenticated, the next command we want to do is Get-AzureADSSOStatus, and to make it easier to read I'll pipe that to ConvertFrom-Json. SSO is currently enabled, it exists in this environment for the msazureacademy domain, and it is currently working successfully.

Now what we're going to need to do is capture the Domain Admin's credentials so that we can update the Kerberos decryption key. For that I'll use the variable $creds and do the Get-Credential command, and this needs to be entered in the DOMAIN\sAMAccountName format, and then hit OK. The last command, which will actually do the update for us here, is Update-AzureADSSOForest -OnPremCredentials, and you pass it the variable $creds. Now this can all be automated so that it runs once a month and keeps your SSO key rolling over, hence more security.

Going back to the Azure AD Connect tool, we're going to change our user sign-in again, and we'll authenticate with our Global Admin credentials. When we open the tool you can see that Enable single sign-on is turned on, and we want to now switch to pass-through authentication. So now, instead of Azure AD being our identity broker, it's going to pass those credential requests back to Active Directory, so this happens locally. How in the world do we do this? Well, we're going to need an agent, and the agent is going to sit there and handle those authentications, much like the SSO computer account. We'll hit Next, and we're already authenticated to our domain, and hit Next, and we're ready to start this process, so I'll click Configure. While that's going on we'll go back to the Azure portal and click the Refresh button here, and we see that pass-through authentication is now enabled and we have one agent.

So the main benefit of pass-through authentication: we don't send the passwords out to the cloud, because authentication happens on-prem on our domain controllers. AD FS could do something similar, but AD FS requires other infrastructure to do its magic; pass-through authentication just gets a little agent that sits on a system that can handle that for us. Our first agent gets installed wherever Azure AD Connect is set up, and then it's recommended that you have at least three agents in your environment for high availability. So here in Azure we can download the agent and then install that onto other member servers to handle authentication requests. I've copied that agent up to another system that I have, and I'll install the agent, and now we've got to authenticate out to Azure, and in just a few seconds we're done. Now in Azure AD Connect we've got two agents set up, so we can handle some amount of high availability; again, three is the recommended amount if you want to do this so you can handle all your authentications, and if you have a whole lot of users you may want more agents.

So go back to myapps.microsoft.com/msazureacademy.com and it goes to sign me in again, happening all seamlessly thanks to Azure AD Connect, seamless single sign-on, pass-through authentication, and all of that good stuff, just to make your life a lot easier.

So thanks very much for joining us for this quick video on single sign-on, and don't forget to turn over your Kerberos decryption key every 30 days or sooner, just to keep everything running nice and secure. If you liked this video and learned something new today, go ahead and smash the thumbs up. We do appreciate that; it lets me know that you enjoyed our content, as well as letting YouTube know that they should promote our videos and share the Azure Academy with others. We do want to hear from you, so please give me some comments down below on things that we can improve or things that you're looking for that we don't have yet on the channel, so we can get them created. As for all the stuff that we do have on the channel, over here on the top right you can find our latest video, and at the bottom another one that we've picked out just for you so that you can keep on learning about Azure. Thanks very much again for joining us, and we will catch you at the same time next week. Happy learning!
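The Kerberos decryption key rollover the video walks through, written out as one PowerShell script. This is an added example, not code from the video or from Microsoft; it uses the AzureADSSO module cmdlets named in the transcript (Import-Module of AzureADSSO.psd1, New-AzureADSSOAuthenticationContext, Get-AzureADSSOStatus, Update-AzureADSSOForest -OnPremCredentials). Assumed, and not from the page: the default Azure AD Connect install folder, an elevated PowerShell session on that server, the property names read off the status JSON (Enable, Domains, IsSuccessful), and the marker file used to track the 30-day cadence.

```powershell
# Added example (not the video's own code): roll the Seamless SSO Kerberos
# decryption key for the AZUREADSSOACC computer account from the Azure AD
# Connect server, then record when it was done so the next run can check
# the 30-day cadence the video recommends.
#
# Assumptions (labelled, not from the page):
#   - Azure AD Connect is installed in its default folder under Program Files.
#   - This runs in an elevated Windows PowerShell session on that server.
#   - The two Get-Credential-style prompts are answered with a Global
#     Administrator (first) and a Domain Admin in DOMAIN\sAMAccountName form.
#   - Get-AzureADSSOStatus returns JSON with Enable/Domains/IsSuccessful;
#     the property names are assumed from the status shown in the video.

$ErrorActionPreference = 'Stop'

# Where the previous rollover time is recorded (own convention, assumed).
$marker = Join-Path $env:ProgramData 'AzureADSSO-KeyRollover.txt'
$maxAgeDays = 30

# 0. Report how stale the current key is, if we have rolled it before.
if (Test-Path $marker) {
    $last = [datetime]::Parse((Get-Content $marker -Raw).Trim())
    $age = (Get-Date) - $last
    Write-Host ("Last rollover: {0:yyyy-MM-dd}, {1:N0} days ago" -f $last, $age.TotalDays)
    if ($age.TotalDays -lt $maxAgeDays) {
        Write-Warning "Key is newer than $maxAgeDays days; continuing anyway because you asked."
    }
} else {
    Write-Host 'No rollover marker found; treating this as the first tracked rollover.'
}

# 1. Load the Seamless SSO module that ships with Azure AD Connect.
$modulePath = Join-Path $env:ProgramFiles 'Microsoft Azure Active Directory Connect\AzureADSSO.psd1'
if (-not (Test-Path $modulePath)) {
    throw "AzureADSSO.psd1 not found at '$modulePath'. Run this on the Azure AD Connect server."
}
Import-Module $modulePath

# 2. Authenticate to the SSO service (interactive prompt for a Global Administrator).
New-AzureADSSOAuthenticationContext

# 3. Confirm Seamless SSO is enabled and healthy before touching the key.
$status = Get-AzureADSSOStatus | ConvertFrom-Json
$status | Format-List | Out-String | Write-Host
if (-not $status.Enable) {
    throw 'Seamless SSO is not enabled in this tenant; nothing to roll over.'
}
if (-not $status.IsSuccessful) {
    throw 'Seamless SSO status is not healthy; investigate before rolling the key.'
}
Write-Host ("Rolling the key for forest(s): {0}" -f ($status.Domains -join ', '))

# 4. Capture Domain Admin credentials in DOMAIN\sAMAccountName form, as the video does.
$creds = Get-Credential -Message 'Domain Admin credentials (DOMAIN\sAMAccountName)'
if ($creds.UserName -notmatch '^[^\\]+\\[^\\]+$') {
    throw "Expected DOMAIN\sAMAccountName, got '$($creds.UserName)'."
}

# 5. Reset the AZUREADSSOACC Kerberos decryption key in this forest.
Update-AzureADSSOForest -OnPremCredentials $creds

# 6. Re-read the status so a failed update is visible right away, then stamp the marker.
$after = Get-AzureADSSOStatus | ConvertFrom-Json
if (-not $after.IsSuccessful) {
    throw 'Status reports a problem after the rollover; check the AZUREADSSOACC account.'
}
(Get-Date).ToString('o') | Set-Content -Path $marker
Write-Host "Kerberos decryption key rolled; marker written to $marker."
```

Both New-AzureADSSOAuthenticationContext and Get-Credential prompt interactively, so if you schedule this monthly as the video suggests, plan for those prompts (for example a dedicated run with a privileged account) rather than expecting it to complete unattended as written.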
Info
Channel: Azure Academy
Views: 7,842
Keywords: Single Sign On What it is How it works Why you need it, single sign on azure ad connect, what is single sign on, single sign on, sso, what is single sign on and how it works, azure sso, azure single sign on, single sign-on, azure single sign-on, azure ad, azure ad connect, azure active directory, active directory, single sign on with azure ad, azure, microsoft, microsoft azure, Windows Virtual Desktop, WVD, Azure Academy, The Azure Academy, Cloud PC, yt:cc=on
Id: pVO30oYK0AM
Length: 12min 21sec (741 seconds)
Published: Sun Oct 11 2020