Overview of Azure Forest Architecture with TraitWare

Posted on June 3, 2019

Assumptions:

  • At least one verified root domain
  • Forests exist on subdomain of a verified domain or on a verified domain
  • Hybrid Environment (Domain Controller using Microsoft AD Sync Tool)

Overview:

  • TraitWare is applied as a SAML authentication method when a domain is federated using PowerShell.
    • A script is run that federates a root domain. Microsoft automatically federates all of its subdomains as well; this is not something we control.
    • If you wish to set up a test environment that will not disrupt your users or their sign-in flow, a different root domain must be used.
  • TraitWare lives outside of the trusts and claims setup. It simply takes the existing Microsoft claims and applies its authentication (MFA) to what Microsoft provides.
    • Your user roles, rules, claims, trusts, etc. need to exist as they do in the live environment, so that nothing about the current TraitWare/Azure setup needs modification.
  • There is an option for an on-prem version of TraitWare’s Authentication server, which would then be managed on-site rather than through TraitWare’s cloud.
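The federation step described above, as an added example that is not TraitWare's script or Microsoft's documentation: it federates a test root domain to a SAML identity provider with the MSOnline module, refuses to run against a listed production root (because federating a root also federates every subdomain), and then reads the federation settings and the subdomain list back. The domain name, the production-root list, the identity-provider endpoints and the certificate path are placeholders; the real values come from your tenant and from TraitWare.

```powershell
# Added example (not TraitWare's script): federate a TEST root domain to a SAML IdP
# with the MSOnline module and confirm that Azure AD federated its subdomains too.
# $RootDomain, $ProductionRoots, the IdP endpoints and $CertPath are placeholders.
Import-Module MSOnline
Connect-MsolService   # interactive sign-in as a tenant Global Administrator

$RootDomain      = 'test-example.com'                     # verified root used ONLY for testing (placeholder)
$ProductionRoots = @('example.com')                        # roots this script must never touch (placeholder)
$IssuerUri       = 'https://IDP-ISSUER-PLACEHOLDER/'       # entityID from the IdP's SAML metadata (placeholder)
$PassiveLogOnUri = 'https://IDP-SSO-PLACEHOLDER/saml/sso'  # browser (passive) SSO endpoint (placeholder)
$ActiveLogOnUri  = 'https://IDP-SSO-PLACEHOLDER/saml/ecp'  # ECP (active) endpoint for non-browser clients (placeholder)
$LogOffUri       = 'https://IDP-SSO-PLACEHOLDER/saml/slo'  # single logout endpoint (placeholder)
$CertPath        = 'C:\idp\idp-signing.cer'                # IdP signing certificate, .cer file (placeholder)

# Guard: federating a root federates every subdomain under it, so refuse production roots outright.
if ($ProductionRoots -contains $RootDomain) {
    throw "Refusing to federate production root '$RootDomain'; use a separate test root domain."
}

# A domain must be verified in the tenant before it can be federated.
$domain = Get-MsolDomain -DomainName $RootDomain
if ($domain.Status -ne 'Verified') {
    throw "Domain '$RootDomain' is not verified (status: $($domain.Status))."
}

# Load the IdP signing certificate and export it as Base64 DER, the form Set-MsolDomainAuthentication expects.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
$signingCert = [Convert]::ToBase64String($cert.Export('Cert'))

# Switch the domain from Managed to Federated, pointing Azure AD at the SAML IdP.
Set-MsolDomainAuthentication -DomainName $RootDomain `
    -Authentication Federated `
    -FederationBrandName 'Test SAML IdP' `
    -IssuerUri $IssuerUri `
    -PassiveLogOnUri $PassiveLogOnUri `
    -ActiveLogOnUri $ActiveLogOnUri `
    -LogOffUri $LogOffUri `
    -SigningCertificate $signingCert `
    -PreferredAuthenticationProtocol SAMLP

# Read the settings back rather than trusting the cmdlet's silence.
Get-MsolDomainFederationSettings -DomainName $RootDomain |
    Select-Object IssuerUri, PassiveLogOnUri, ActiveLogOnUri, PreferredAuthenticationProtocol

# Confirm the side effect described above: every subdomain of the root now shows Authentication = Federated.
Get-MsolDomain |
    Where-Object { $_.Name -like "*.$RootDomain" } |
    Select-Object Name, Status, Authentication
```

Run this from an account that holds Global Administrator in the tenant; the last two commands are the check worth keeping in any runbook, since a mistyped endpoint or an expired signing certificate shows up there before users hit it at sign-in.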

Good to Know:

  • A domain must be federated in order to assign a SAML authentication method
  • Once the domain is federated, users must be managed from within their Domain Controller Active Directory (changes cannot be made within portal.azure.com or portal.office.com).
    • TraitWare has provided a method for users that are managed as cloud users (created within portal.azure.com/portal.office.com). We have also built in a way to create new users from the LDAP management section of our admin.traitware.com console.
  • Once a root domain is federated, a forest can only be added as a verified domain by running a PowerShell command:
    New-MsolDomain -Authentication Federated -Name sub.domain.com
  • Users are synced across forests to Azure using the Microsoft AD Sync Tool.
    • This is done by signing in as a global user that exists in the directory you are managing on Azure (sync stays on unless there is an error or the machine is turned off).
      • Syncs happen automatically every 30 minutes, but can be forced manually.
      • More on that can be found here. That resource also covers federating a single forest in much greater depth.
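The sync behaviour described in the last bullets, as an added example rather than anything from the original page: run on the Azure AD Connect server, it reports whether the scheduler is still on, when the next cycle runs, and forces a delta sync only if no cycle is already in progress. It uses only the ADSync module that ships with Azure AD Connect; the 30-minute figure is the default scheduler interval.

```powershell
# Added example (not from the original page): on the Azure AD Connect server, inspect the
# sync scheduler and force a delta sync without overlapping a cycle that is already running.
Import-Module ADSync

$s = Get-ADSyncScheduler

# The scheduler is what keeps sync "on"; surface the state an admin actually cares about.
[pscustomobject]@{
    SyncEnabled  = $s.SyncCycleEnabled
    Interval     = $s.CurrentlyEffectiveSyncCycleInterval   # defaults to 30 minutes
    NextRunUtc   = $s.NextSyncCycleStartTimeInUTC
    NextPolicy   = $s.NextSyncCyclePolicyType               # Delta or Initial
    StagingMode  = $s.StagingModeEnabled                    # a staging-mode server imports but never exports
    InProgress   = $s.SyncCycleInProgress
} | Format-List

if (-not $s.SyncCycleEnabled) {
    # This is the "sync is off" condition from the page: AD changes stop reaching Azure until it is re-enabled.
    Write-Warning 'Scheduler is disabled; re-enable with: Set-ADSyncScheduler -SyncCycleEnabled $true'
}

# Force a delta sync instead of waiting for the next scheduled cycle, but never stack two cycles.
if ($s.SyncCycleInProgress) {
    Write-Warning 'A sync cycle is already running; not starting another.'
} else {
    Start-ADSyncSyncCycle -PolicyType Delta
}

# Lists connectors with a run still in progress; no output means every connector is idle.
Get-ADSyncConnectorRunStatus
```

If the scheduler reports StagingMode as true, a forced sync will complete without error but export nothing to Azure, which is the first thing to check when a newly federated forest's users never appear in the tenant.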