Single Sign On | What it is How it works Why you need it

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

thanks for joining us again at the azure academy today we're digging into single sign-on what is it how it works why you need it i'm Dean Cefola and this is The Azure Academy if you want to master the azure cloud you can start right now by clicking the subscribe button and the notification bell so you don't miss anything! i'm going to go to an internal web page in my company ms azureacademy.sharepoint.com and when i do i am asked to sign in so to understand this we need to first cover how passwords actually work now in a structure like a domain active directory handles all this for us that's its whole purpose and the clients are joined to that domain environment so they trust the domain server as the identity provider so when you submit your password it goes into the system validates that you are who you are because you've met the criteria and it authenticates you when we move to the cloud things are a little bit different in the cloud azure active directory functions as our identity provider and this works on a different authentication mechanism azure active directory we use OAuth and modern authentication protocols so what would happen is you would try to authenticate to the identity provider azure ad you would get a authorization token and that would be what's given back to your client in order to grant you the authentication then we use something called claims and those claims get tokens that you pass around to different systems in a single sign-on implementation you sign in once hence the name and then they don't need to sign in again until their tokens expire now our identities will be kept in sync from active directory to azure active directory using azure ad connect which is also the tool we're going to be looking at today as that's what's going to help us implement single sign-on ad connect will also give us the benefits of doing password hash sync or something else that we'll discuss in a moment called pass through authentication and the two really have to do with who is responding to your password request so over in the azure portal if i go to azure active directory and we go down to azure ad connect in the blade you see we've already got azure ad connect setup and if you missed our video on setting up azure ad connect go check that out in the top right and we have password hash sync enabled at the present and this is the minimum thing that's recommended and now underneath that we have the user sign in section this is where you can add federation if you're using ADFS or some other third-party federation service also we see seamless single sign-on and pass-through authentication now these are currently not enabled in the environment and we're going to fix that today from the start menu under azure ad connect we want to open the azure ad connect tool which is gonna let us make some changes so on the first page in the wizard we'll hit the configure button and to make a change to how our user sign-ins function we'll just click change user sign in and hit next and now we need to authenticate using a azure ad global administrator account which gives us the permissions to talk to azure i'll hit next and now we can change how our sign ins function everything from password hash sync to pass through authentication or configure with federation and ADFS and if you missed our video on federation go check that out in the top right ping federate is a third-party federation service and then do not configure which you should pretty much never use so currently i'm at password hash sync which is the lowest level of something that you should have running now when i have password hash sync i can check the box to enable single sign-on and that will all totally work the other thing i can do is select pass through authentication and watch the single sign-on box it gets checked automatically the idea being since you're already sending your authentications back to ad why not enable single sign-on you can choose of course to not do that if you so desire and each of these methods will work for single sign-on so consult the azure documentation as to which is right for you for today right now i'm going to set up password hash sync with single sign-on and hit next and i have to enter my ad credentials and my creds have been verified so i'll hit next we'll click configure and that'll set up everything for us now in active directory there's our computer object AZUREADSSOACC that'll always be the name of the computer object and that'll handle the brokering of single sign-on we'll close out of the wizard and now we have to edit our group policies i'm going to create a new group policy for this and i'll call it single sign-on and hit ok and we'll go to edit the policy what we need is under the user configuration policies administrative templates windows components internet explorer internet control panel security pages and in there we'll go to site to zone assignment list click enabled and click the show button and the value that we're going to put in here is auto login dot microsoft azure ad dash sso.com with a value of one and all of this is in the documentation and you can find the links to all the azure docs in the description area below the video so i'll hit ok on that one and over on the left we'll want to go to the intranet zone and the policy we want is allow updates to status bar via script we'll change that to enabled and hit ok there and we'll scroll back up for this last one and this will be under preferences windows settings and the registry and we'll right click over here to add a new registry item and we'll click the ellipse to get a view of the registry which will be under hkey current user software microsoft windows current version internet settings zone map domains and then the microsoft azure ad sso and finally auto login now down here we've got the https key and that should be set to 1 which will enable it and then hit ok so close the new group policy and then check it out and there you go site to zone assignment enabling the allow status update bar via script and adding our registry key so three gpo components that go along with enabling sso in azure ad connect now we just need to test it and i'll open my web browser and go to myapps.microsoft.com forward slash ms azureacademy.com and i am auto signed in thanks to single sign-on now this works because i'm on a domain joined system and i have line of sight to my domain controller and i'm logged in with the user that has the policies that is enabling sso so if you're on a separate device say a work from home device then you will not be able to have seamless single sign-on because you're not joined to the domain and you can't see the domain controller from where you are now if we go back to the azure portal and we click refresh on the azure id connect window now we have single sign-on enabled and that's done for the one domain that i have and we can click on it and see that's for the ms azure academy domain and when this was all set up now one important security feature that i'll tell you about is that you need to do a kerberos decryption key rollover in order to keep your environment secure about every 30 days that's going to make sure that all your tokens have to be refreshed that nothing leaks out of your environment and keeps everything running secure so how in the world do we do any of that on the server that you have azure ad connect installed on the c drive program files microsoft azure active directory connect there will be a file in here called azure adsso.psd1 we're going to need to import that file into powershell as a module which would look just like this import module and then you put in the path to the file hit enter now the first command we have to do is going to authenticate us to talk to the sso service and that is new dash azure adsso authentication context and then you hit enter and it'll prompt you for a login and you're going to need to put in your azure ad global admin credentials for this and hit next and once you're authenticated the next command we want to do is get dash azure ad sso status and to make it easier to read i'll pipe that to convert from json sso is currently enabled it exists in this environment for the ms azure academy domain and it is currently working successfully now what we're going to need to do is capture the domain admins credentials so that we can update the kerberos decryption key for that i'll use the variable dollar creds and do the get credentials command and this needs to be imported in the domain name slash sam account format and then hit ok and the last command that'll actually do the update for us here is update dash azure ad sso forest dash on-prem credentials and you pass it the variable threads now this can all be automated so that it runs once a month and keeps your sso key rolling over hence more security going back to the azure ad connect tool we're going to change our user sign in again and we'll authenticate with our global admin credentials and when we open the tool you can see that enable single sign-on is turned on and we want to now switch to pass through authentication so now instead of azure ad being our identity broker it's going to pass those credential requests back to active directory so this happens locally how in the world do we do this well we're going to need a agent and the agent is going to sit there and handle those authentications much like the sso computer account we'll hit next and we're already authenticated to our domain and hit next and we're ready to start this process so i'll click configure and while that's going on we'll go back to the azure portal and click the refresh button here and we see that pass-through authentication is now enabled and we have one agent so the main benefit of pass-through authentication we don't send the passwords out to the cloud because authentication happens on-prem and our domain controllers adfs could do something similar but adfs requires other infrastructure to do its magic pass-through authentication just gets a little agent that sits on a system that can handle that for us our first agent gets installed wherever azure ad connect is set up and then it's recommended that you have at least three agents in your environment for high availability so here in azure we can download the agent and then install that onto other member servers to handle authentication requests and i've copied that agent up to another system that i have and i'll install the agent and now we've got to authenticate out to azure and in just a few seconds we're done and now in azure ad connect we've got two agents set up so we can handle some amount of high availability again three is the recommended amount if you want to do this so you can handle all your authentications and if you have a whole lot of users you may want more agents so go back to myapps.microsoft.com ms azure academy and it goes to sign me in again happening all seamlessly thanks to azure ad connect seamless single sign-on pass-through authentication and all of that good stuff just to make your life a lot easier so thanks very much for joining us for this quick video on single sign-on and don't forget to turn over your kerberos decryption key every 30 days or sooner just to keep everything running nice and secure so if you like this video and learned something new today go ahead and smash the thumbs up we do appreciate that lets me know that you enjoyed our content as well as it lets youtube know so that they should promote our videos and share the azure academy with others we do want to hear from you so please give me some comments down below on things that we can improve or things that you're looking for that we don't have yet on the channel so we can get them created as for all the stuff that we do have on the channel over here on the top right you can find our latest video and at the bottom another one that we've picked out just for you so that you can keep on learning about azure thanks very much again for joining us and we will catch you at the same time next week happy learning

Info

Channel: Azure Academy

Views: 7,842

Rating: undefined out of 5

Keywords: Single Sign On What it is How it works Why you need it, single sign on azure ad connect, what is single sign on, single sign on, sso, what is single sign on and how it works, azure sso, azure single sign on, single sign-on, azure single sign-on, azure ad, azure ad connect, azure active directory, active directory, single sign on with azure ad, azure, microsoft, microsoft azure, Windows Virtual Desktop, WVD, Azure Academy, The Azure Academy, Cloud PC, yt:cc=on

Id: pVO30oYK0AM

Channel Id: undefined

Length: 12min 21sec (741 seconds)

Published: Sun Oct 11 2020