Office 365 Planning

Copy-pasted from - http://howdouc.blogspot.com/2011/04/active-directory-federation-services.html

Active Directory Federation Services (ADFS) 2.0 with Office 365: Part 1 – Planning

This subject will be looking at what ADFS is, what are the environmental requirements, and how to configure it with Office 365. Note: this post is based on the Office 365 Beta for Enterprises. The post will be split into the following two parts:

• Part 1 – Planning
• Part 2 - Configuring

Office 365 supports identity federation which allows true single sign-on capabilities. This is achieved through Active Directory Federation Services (ADFS) 2.0. With identity federation, users can enter their Active Directory credentials to access Office 365 services.
An ADFS 2.0 solution consists of the following components:

• ADFS server(s) (internal network joined to AD forest)
• ADFS Proxy Server(s) (perimeter network used to support remote users)

There are three basic ADFS 2.0 deployment options for Office 365 with differing levels of access and availability:

1. Single server configuration
2. ADFS 2.0 server farm and load-balancer
3. ADFS 2.0 Proxy server(s) for offsite users

Benefits of implementing ADFS:

• Improves user productivity by enabling true single sign-on to domain joined computers
• Reduces usability issues by allowing users to use AD credentials to access all Office 365 services and not have to remember two identities and two passwords
• Allows administrators the ability to enforce the organization’s password policies and account restrictions in both the on-premises and cloud-based organizations
• Increases security of AD credentials since passwords are never synced to the cloud, all authentication happens on-premises
• Reduces overall administration time and costs associated due to the above points

The following are different sign-on experiences when using Federated Identity depending on location and status of computer:

Environment	Sign-in Experience
Outlook 2010 on Windows 7	No prompt***
Outlook 2007 on Windows 7	Sign in each session*
Outlook 2010/2007 on Windows Vista or XP	Sign in each session**
Exchange ActiveSync	Sign in each session**
POP, IMAP	Sign in each session**
Web Experiences: Office 365 Portal, Outlook Web App, SharePoint Online, Office Web Apps	No prompt
Office 2010/2007 using SharePoint Online	No prompt
Lync Online	No prompt
Outlook for Mac 2001	Sign in each session**

* – Outlook 2007 will be updated after Office 365 has been made generally available to have same experience as Outlook 2010 on Windows 7
** – When first prompted, you can save your password for future use.  You will not receive another prompt until you change the password
*** – In beta period, you will be prompted when first accessing the services
Authentication Mechanisms when using Federated Identity:

Application	Authentication Mechanism
Web browser	Web sign in, WS-Trust and WS-Federation (ADFS 2.0)
Outlook 2010 on Windows 7	Web sign in, WS-Trust and WS-Federation (ADFS 2.0)
Outlook 2007 on Windows 7	Basic over SSL, authenticated via the ADFS 2.0 proxy
Outlook 2010/2007 on Windows Vista and XP	Basic over SSL, authenticated via the ADFS 2.0 proxy
Exchange ActiveSync	Basic over SSL, authenticated via the ADFS 2.0 proxy
POP/IMAP/SMTP client	Basic over SSL, authenticated via the ADFS 2.0 proxy
Lync Online	Web sign in, WS-Trust and WS-Federation (ADFS 2.0)

Note that Outlook 2007 is planned to be backported to support WS-Trust and WS-Federation after the beta period.
Two-Factor Authentication can be achieved for Office 365.  The Office 365 Beta Identity Service Description describes the requirements.
The following are requirements of ADFS 2.0:

• Microsoft Online Services Directory Synchronization tool (DirSync) is installed
• ADFS servers must have Windows 2008 or Windows 2008 R2 Server operating system installed
• Client computers must be running the latest updates of Windows 7, Windows Vista, or Windows XP (running the Office 365 Desktop Setup from the Office 365 portal will automatically install necessary updates)
• Public SSL certificate to secure traffic associated with ADFS
• Microsoft Online Services Identity Federation Management Tool to establish trust with Office 365

Capacity Planning
When identity federation is enabled and configured in Office 365 there is no fall-back to a different form of authentication if ADFS servers fail. This means that if ADFS servers are not available, users will not be able to authenticate with Office 365 servers. It is very important to configure a highly available ADFS solution utilizing multiple servers and hardware or software load balancing. It is also critical to implement a monitoring solution for the ADFS servers. This includes both the internal ADFS servers and the ADFS proxy servers.
Namespace Planning
ADFS currently only allows for one namespace per ADFS farm/instance. If your company will support multiple namespaces for authentication, you will need to implement an ADFS infrastructure for each. Only internet routable domains that have been validated within Office 365 can be used in an ADFS deployment. If your organization has a non-routable domain for the AD infrastructure (such as .local, .priv, etc), you will need to add a UserPrincipalName (UPN) suffix in AD and configure each user with that UPN suffix (discussed in Part 2).
Summary
Part 1 of this post introduced ADFS 2.0 in relation to Office 365 and discussed environmental requirements required to implement.  Part 2 will walk through the configuration of ADFS 2.0 and Office 365.
References:

• Office 365 Beta Service Descriptions