User Provisioning for the Microsoft Office 365 Cloud Service
by Manfred Chan
To exploit cloud computing technologies, CityU has decided to adopt Microsoft Office 365 (Office 365 hereafter) for Education. Office 365 is the cloud computing solution offered by Microsoft for academic institutions. As an initial step, the Computing Services Centre (CSC) will replace the existing UNIX-based email system for students with Exchange Online of Office 365 in the coming semester in 2013, and staff may optionally join Office 365 as a supplementary email service.
To set up Office 365 for CityU, the CSC needs to decide on a common and easy-to-remember namespace for Office 365 so that users can easily set up access from their email clients on their desktop PCs and mobile devices. With this in mind, the CSC has assigned my.cityu.edu.hk to be the primary SMTP namespace for this new email service.
The Office 365 platform supports two different directory configurations for user authentication, namely Microsoft Online Identity and Federated Identity. To secure user account provisioning in the cloud, the CSC adopted the latter so that user identity, account and password management remain within CityU, i.e. within the CityU Active Directory domain (ad.cityu.edu.hk). To create user accounts on Office 365, directory synchronization is used to automatically provision users from our on-premises Active Directory to the cloud.
Each CityU student and staff member already has an EID as a domain account for logging into CityU's LAN. Another domain account will be created by adding the suffix "-c" (which stands for cloud service) to the EID for use with Office 365. As such, the Office 365 email address will take the form of this new account name (the EID with the "-c" suffix) in the my.cityu.edu.hk namespace. To enable users to authenticate to Office 365 via the on-premises Active Directory, the Active Directory Federation Service (ADFS) is deployed. ADFS is an enterprise-class tool for federating Active Directory identities amongst Microsoft services. It acts as a bridge between Office 365 and CityU's Active Directory domain so that user authentication is achieved seamlessly. ADFS proxy servers have also been installed to secure the bridging between client access and the federation network infrastructure, as shown in the diagram below.
To cope with the enormous number of users accessing Office 365, the hardware infrastructure for Office 365 user authentication must be robust, reliable and scalable. Our design includes three federation servers and three federation proxy servers; two of each are located on the main campus and the third at the Disaster Recovery (DR) site, so that the ADFS environment is fault tolerant. Windows Network Load Balancing has been adopted to build the ADFS and ADFS proxy server farms. The following diagram shows the federation network infrastructure for CityU Office 365.
With the above user provisioning, HA and DR infrastructure in place, all user accounts created in the on-premises Active Directory are synchronized to Office 365 according to our account management policy and aligned with the life-cycle management of our IT service provisioning. Thus, secure and seamless user authentication is achieved.
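As an added illustration of the naming rule and the lifecycle-aligned synchronization described above (example code, not the CSC's own tooling), the following Python simulates a pre-sync check: it derives the "-c" cloud account and its UPN in the my.cityu.edu.hk namespace, and excludes accounts that are disabled on-premises or whose UPN suffix lies outside the federated namespace, since such accounts cannot sign in through ADFS. The EID format and the account fields are assumptions.

```python
import re
from dataclasses import dataclass

# Values taken from the article
FEDERATED_NAMESPACE = "my.cityu.edu.hk"  # primary SMTP / federated namespace
CLOUD_SUFFIX = "-c"                      # "cloud service" suffix appended to the EID
# Assumed EID shape for illustration (the article does not define one)
EID_PATTERN = re.compile(r"^[a-z][a-z0-9]{1,19}$")


@dataclass
class OnPremAccount:
    eid: str          # existing domain account name
    enabled: bool     # lifecycle state in the on-premises AD (assumed field)
    upn_suffix: str   # UPN suffix currently set on the account (assumed field)


def cloud_account_name(eid: str) -> str:
    """EID plus the '-c' suffix, e.g. 'abc123' -> 'abc123-c'."""
    return f"{eid}{CLOUD_SUFFIX}"


def cloud_upn(eid: str) -> str:
    """UPN / primary SMTP address of the cloud account in the federated namespace."""
    return f"{cloud_account_name(eid)}@{FEDERATED_NAMESPACE}"


def provisioning_check(acct: OnPremAccount) -> tuple[bool, list[str]]:
    """Return (eligible, reasons); an empty reasons list means eligible for sync."""
    reasons = []
    if not EID_PATTERN.match(acct.eid):
        reasons.append(f"EID {acct.eid!r} does not match the expected format")
    if acct.eid.endswith(CLOUD_SUFFIX):
        reasons.append("EID already carries the cloud suffix; would double up")
    if not acct.enabled:
        reasons.append("account is disabled on-premises; exclude per lifecycle policy")
    if acct.upn_suffix.lower() != FEDERATED_NAMESPACE:
        # A UPN outside the federated namespace cannot authenticate through ADFS.
        reasons.append(f"UPN suffix {acct.upn_suffix!r} is not the federated namespace")
    return (not reasons, reasons)


def plan_sync(accounts: list[OnPremAccount]) -> tuple[dict[str, str], dict[str, list[str]]]:
    """Map eligible EIDs to their cloud UPN; collect rejected EIDs with reasons."""
    planned, rejected = {}, {}
    for acct in accounts:
        ok, reasons = provisioning_check(acct)
        if ok:
            planned[acct.eid] = cloud_upn(acct.eid)
        else:
            rejected[acct.eid] = reasons
    return planned, rejected
```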