Microsoft Office 365 provides a couple of great options for managing user accounts, with the most complete solution leveraging an existing on-premise Active Directory to authenticate in to Office 365 services. IMGROUP have built a multi-data centre hosted Single Sign-On (SSO) solution for Office 365 and Windows Azure, lowering the barrier to entry for this type of deployment and accelerating the deployment.
IMGROUP “ONCE” - http://www.imgrouponline.com/services/once
If we choose the route of using on-premise Active Directory to authenticate the organisation first needs to deploy new roles on to servers. Office 365 offers guaranteed high levels of availability, however this is of no comfort should the single AD FS deployed server fail. With this is mind AD FS and AD FS Proxy should be deployed using N+1, with load balancing configured between the servers for each role.
- 2x AD FS 2.0 Server (x64)
- 2x AD FS 2.0 Proxy Server (x64)
- 1x Directory Synchronisation (DirSync) Server (x64)
These are the server roles required in a single site only, to provide site resilience the server count is doubled and additional network hardware is required to provide Live-Live load balancing between locations.
The specs for an AD FS, AD FS Proxy and DirSync server vary depending on size of deployment. The Microsoft recommended minimum hardware requirements for the roles are below, add to this licencing and maintenance (support, backup, monitoring) costs for all servers.
| Hardware | Specifications |
| CPU | Dual Quad Core 2.27GHz CPU (8 cores)* |
| Memory | 4 GB |
| Disk | 70 GB (DirSync) |
*DirSync minimum CPU starts at 1.6 GHz
What we have done at IMGROUP is provide these roles as a geographically load balanced Cloud service requiring just a secure Virtual Private Network (VPN) connection to a client site containing an existing Active Directory server(s).
Authentication traffic is routed to the closest data centre to the client device, access is brokered in the usual way for Office 365 SSO and access is granted to the service. In the (much simplified) diagram below AD FS is geographically load balanced between DC1 and DC2, if DC1 should fail all traffic is routed to DC2 until service is restored.
Using the economies of scale Cloud provide we can get this up and running in a short time frame, with a low impact to the existing IT staff workload.
We initially built the solution to support our own dispersed work force in the UK, India and New York. We had SSO in the UK, but if it was unavailable our workers in other time zones cloud not access services until someone in the UK had resolved the issue. From the start we identified this would fit the needs of other organisations and have built the robust solution to cater for large and small deployments.
You can request more information via our web site, http://www.imgrouponline.com/services/once.
We have submitted the solution to Microsoft Pinpoint, http://pinpoint.microsoft.com/en-GB/PartnerDetails.aspx?PartnerId=4295517315.
Feel free to add comments, ask a question or contact me directly about this.