Azure solutions: Talking about federated authentication

51CTO blog address: https://blog.51cto.com/14669127blog
Cnblogs (Blog Garden) blog address: https://www.cnblogs.com/Nancy1983

Cloud computing has long been one of the more popular technologies, and many companies have adopted it because it can bring them substantial returns. It is safer than traditional computing and in practice faces fewer problems. However, because of other factors, such as protecting confidential data, possible regulatory requirements, and prohibitions on storing data in remote locations, many companies currently run a hybrid model of on-premises and cloud applications to keep the business operating normally. In this model, managing users both on-premises and in the cloud presents some challenges.

Microsoft's identity solutions address this problem for enterprise users by creating a common user identity, so that authentication and authorization work for all resources regardless of where they are located.

Compared with directory and password synchronization, federated authentication is more complicated, because it introduces more dependencies that must be working before users can access cloud services. The main implementation options are:

  • Perform all Azure AD authentication against the on-premises directory through Active Directory Federation Services (ADFS) or another federated identity provider
  • Use a non-Microsoft identity provider
  • Add password hash synchronization as a backup sign-in method for federated login (in case the federated identity solution fails)

In the following cases, use federated authentication:

  • ADFS is already deployed
  • A third-party identity provider is in use
  • Smart cards or other MFA solutions are integrated on-premises
  • Sign-in auditing or account disablement is required
  • Compliance with Federal Information Processing Standards (FIPS) is required

Federated authentication places the following requirements on the on-premises infrastructure:

  • The on-premises servers must be able to reach the Internet through the company firewall. Microsoft recommends using federation proxy servers deployed in the perimeter network, perimeter subnet or DMZ
  • The ADFS server, the ADFS proxy server or Web Application Proxy server, the firewall and the load balancer must all be running

If you are using federated authentication, make sure to create an online administrator account, so that you can still manage Azure AD if the on-premises identity solution is unavailable.

Origin blog.51cto.com/14669127/2542756