Hybrid Identity Options
Today, many corporations are using SaaS applications. Leveraging the cloud can be a better option from both a cost and maintenance standpoint. This post is not about the pros and cons of SaaS, but rather about hybrid identity. Maintaining a common user for on-premise and cloud-based application access is known as hybrid identity.
Using a hybrid identity is beneficial in multiple ways:
- Allows access — with the same credentials — to both on-premise and cloud-based applications
- Syncs up joiner/leaver/mover changes between on-premise applications and cloud applications
- Simplifies use of personal devices to access cloud applications outside the office (if approved and required)
A Common Hybrid Identity Scenario
An organization wants its employees to use the same credentials when accessing both on-premise and cloud-based applications. With Active Directory (AD) as their standard authentication method for those applications, its IT team choses Microsoft Azure as their cloud vendor. To use the same credentials across applications, the on-premise AD must sync up with the Azure AD. This is done with Azure AD Connect.
With an Azure subscription and Azure AD configured, Azure AD Connect is installed on-premise and connects to both the on-premise AD and the Azure AD. It is configured to sync one way (on-premise to Azure) or two-way.
Here is a logical representation:
The AD Sync Service in AD Connect will keep Azure AD in sync with the on-premise AD. A built-in scheduler controls the frequency of these syncs.
Two Simple Hybrid Identity Implementation Options
Azure AD Password Hash Synchronization In this option, AD domain data and the on-premise password hash are uploaded to Azure AD. Cloud-based applications can then authenticate with Azure AD, and on-premise applications can continue to be authenticated using the local AD.
Azure Active Directory Passthrough Authentication In this option, passwords are not synced to Azure. When a user attempts to sign into a cloud-based application, Azure encrypts the entered password with a public key, and places the username and encrypted password in an Azure queue. The on-premise Authentication Agent listens to the queue and receives the queued credentials. It decrypts the password with a private key and validates the credentials against the on-premise AD. It then responds to Azure AD with the results. This option is best when there are security rules or concerns with storing the password off-premise.
There are several advantages to these two methods:
- They have a small on-premise footprint
- No new servers are needed
- The only required components are the Azure AD Connect application and the passthrough agent that connects to the queue
- All connections are outbound to the Azure subscription, so the connection is less of a security concern
Upcoming: I’ll discuss more complex methods to implement hybrid identity — federation and seamless single-sign-on using Azure AD and on-premise AD.