Univention Bugzilla – Attachment 9328 Details for Bug 45608
English version: Add documentation about Microsoft Office 365 Connector to manual
idm-cloud-en-complete.xml (text/plain), 7.85 KB, created by Stefan Gohmann on 2017-12-27 07:40:02 CET
Description: idm-cloud-en-complete.xml
Flags: patch, obsolete
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE chapter [
  <!ENTITY % extensions SYSTEM "../stylesheets/macros.ent" >
  <!ENTITY % DocBookDTD PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
    "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
  <!ENTITY % entities SYSTEM "../stylesheets/macros-de.ent" >
  %extensions;
  %DocBookDTD;
  %entities;
]>
<chapter id="idmcloud">
<title>Identity Management Connection to cloud services</title>
<section id="idmcloud:general">
  <title>Introduction</title>
  <para>
    UCS offers an integrated identity management system. Among other things, users and groups can easily be administered through the Univention Management Console. Depending on the installed services, these identities are made available through different interfaces, e.g. via LDAP.
  </para>

  <para>
    The management system can be extended with the help of the provided extensions, also called apps. In this way users and groups can also be replicated to cloud services. Among others, the App Center offers extensions for Microsoft Office 365 and G Suite.
  </para>

  <para>
    Thanks to Single Sign-On (SSO), users can log in with their usual password and immediately get to work online in the cloud. The password remains in the company's network and is not transferred to the cloud service.
  </para>

  <para>
    The following chapter describes how to set up the Microsoft Office 365 Connector.
  </para>
</section>
<section id="idmcloud:o365">
  <title>Microsoft Office 365 Connector</title>

  <para>
    The Microsoft Office 365 Connector makes it possible to synchronize users and groups to an Azure Active Directory domain, which is then used by Office 365. This makes it possible to control which of the users created in UCS can use Office 365. The selected users are provisioned accordingly by UCS into the Azure Active Directory domain. It is also configured there which attributes are synchronized and which are anonymized.
  </para>

  <para>
    The Single Sign-On login to Office 365 uses the SAML implementation integrated in UCS. Authentication takes place against the UCS server, and no password hashes are transmitted to the Microsoft Azure cloud. The user is authenticated exclusively via the client's web browser. The web browser must therefore be able to resolve the DNS names of the UCS domain, which is a particularly important point for mobile devices.
  </para>

  <section id="idmcloud:o365:setup">
    <title>Setup</title>
    <para>
      To use the Microsoft Office 365 Connector, a Microsoft Office 365 administrator account, a corresponding account in the Azure Active Directory and a domain <ulink url="https://azure.microsoft.com/en-us/documentation/articles/active-directory-add-domain/">verified by Microsoft</ulink> are needed. The first two are provided free of charge by Microsoft for test purposes. To configure SSO, however, a separate Internet domain in which TXT records can be created is required.
    </para>

    <para>
      If no Microsoft Office 365 subscription is available, one can be set up via <ulink url="http://www.office.com"/> in the <guimenu>free trial for business</guimenu> section. A connection is not possible with a private Microsoft account.
    </para>

    <para>
      You should then log in with an <guimenu>Office 365 administrator account</guimenu>. In the <guimenu>Office 365 Admin Center</guimenu>, select <guimenu>Azure AD</guimenu> at the bottom left of the navigation bar. This opens the <guimenu>Azure Management Portal</guimenu> in a new window.
    </para>

    <para>
      Under the menu item <guimenu>Domains</guimenu>, your own domain can now be added and verified. For this it is necessary to create a TXT record in the DNS of your own domain. This process can take several minutes, after which the <guimenu>status</guimenu> of the configured domain is displayed as <guimenu>checked</guimenu>.
    </para>

    <para>
      Now the Microsoft Office 365 app can be installed from the App Center on the UCS system. The installation takes a few minutes. A setup wizard is available for the configuration. Once the wizard has been completed, the installation is finished and the connector is ready for use.
    </para>

    <figure id="idmcloud:o365:wizard">
      <title>Office 365 setup assistant</title>
      <graphic scalefit="1" width="100%" fileref="illustrations42/office_wizard1_de.png"/>
    </figure>
  </section>

  <section id="idmcloud:o365:config">
    <title>Configuration</title>
    <para>
      After the installation has been completed with the setup wizard, users can be configured to use Office 365. This configuration is done in the user module on the <guimenu>Office 365</guimenu> tab of each user object. Usage and allocation of licenses can be viewed in the <guimenu>Office 365 Admin Center</guimenu>.
    </para>

    <para>
      If a user is changed, the changes are likewise replicated to the Azure Active Directory domain. There is no synchronization from the Azure Active Directory to the UCS system. This means that changes made in the Azure Active Directory or the Office portal may be overwritten by changes to the same attributes in UCS.
    </para>

    <para>
      Due to Azure Active Directory security policies, users or groups in the Azure AD can't be deleted during synchronization. They are merely disabled and renamed. The licenses are revoked in the Azure Active Directory so that they become available to other users. Users and groups whose names start with <guimenu>ZZZ_deleted</guimenu> can be deleted in the <guimenu>Office 365 Admin Center</guimenu>.
    </para>

    <para>
      It is necessary to configure a country for the user in Office 365. The connector uses the country from the contact data of the user; if it is not set, it uses the setting of the server. The &ucsUCRV; <envar>office365/attributes/usageLocation</envar> can be used to specify a 2-character abbreviation, e.g. DE.
    </para>

    <para>
      The &ucsUCRV; <envar>office365/attributes/sync</envar> configures which LDAP attributes (e.g. first name, last name, etc.) of a user account are synchronized. It is a comma-separated list of LDAP attributes, which makes adaptation to individual needs easy.
    </para>

    <para>
      With the &ucsUCRV; <envar>office365/attributes/anonymize</envar>, you can specify comma-separated LDAP attributes that are created in the Azure Active Directory but filled with random values. The Univention Configuration Registry variables <envar>office365/attributes/static/.*</envar> allow attributes on the Microsoft side to be filled with a predefined value.
    </para>

    <para>
      The &ucsUCRV; <envar>office365/attributes/never</envar> can be used to specify comma-separated LDAP attributes that should not be synchronized even when they appear in <envar>office365/attributes/sync</envar> or <envar>office365/attributes/anonymize</envar>.
    </para>

    <para>
      The Univention Configuration Registry variables <envar>office365/attributes/mapping/.*</envar> define a mapping of the UCS LDAP attributes to Azure attributes. Normally these variables don't need to be changed. The synchronization of the groups of Office 365 users can be enabled with the &ucsUCRV; <envar>office365/groups/sync</envar>.
    </para>

    <para>
      Changes to UCR variables only take effect after the Univention Directory Listener has been restarted.
    </para>

  </section>

  <section id="idmcloud:o365:debug">
    <title>Troubleshooting/Debugging</title>

    <para>
      Messages during the setup are logged in the file <filename>/var/log/univention/management-console-module-office365.log</filename>.
    </para>

    <para>
      In case of synchronization problems, the log file of the Univention Directory Listener should be examined: <filename>/var/log/univention/listener.log</filename>. More debug output can be activated with the &ucsUCRV; <envar>office365/debug/werror</envar>.
    </para>

  </section>
</section>
</chapter>
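As an added illustration of the attribute rules the chapter above documents (example code, not the connector's own implementation): a small Python model that applies office365/attributes/sync, anonymize, never, static/.* and mapping/.* to a constructed user entry and shows which values would actually leave the UCS domain for Azure AD. The UCR values, the user entry and the random filler format are constructed assumptions; classify() shows the precedence (never beats both sync and anonymize), plan_outbound() the resulting outbound record.

```python
import secrets

# Constructed sample values for the UCR variables described in the chapter
# (chosen for illustration; they are not the app's defaults).
UCR = {
    "office365/attributes/sync": "givenName,sn,mail,telephoneNumber,street",
    "office365/attributes/anonymize": "telephoneNumber,street",
    "office365/attributes/never": "street,employeeNumber",
    "office365/attributes/static/companyName": "Example GmbH",
    "office365/attributes/mapping/sn": "surname",
}

# Constructed UCS user object: LDAP attribute -> value.
SAMPLE_USER = {
    "givenName": "Erika", "sn": "Mustermann", "mail": "erika@example.com",
    "telephoneNumber": "+49 421 000000", "street": "Musterstrasse 1",
    "employeeNumber": "4711",
}

def _csv(ucr, key):
    """Split a comma-separated UCR value into a list of attribute names."""
    return [a.strip() for a in ucr.get(key, "").split(",") if a.strip()]

def classify(ucr):
    """Sort configured attributes into synced / anonymized / blocked; 'never' wins."""
    never = set(_csv(ucr, "office365/attributes/never"))
    anonymized = set(_csv(ucr, "office365/attributes/anonymize")) - never
    synced = set(_csv(ucr, "office365/attributes/sync")) - never - anonymized
    return {"synced": sorted(synced), "anonymized": sorted(anonymized),
            "blocked": sorted(never)}

def plan_outbound(ucr, ldap_entry):
    """Attributes that would leave UCS for Azure AD for one user: synced as-is,
    anonymized as random filler, static/* fixed, mapping/* renaming Azure names."""
    classes = classify(ucr)
    outbound = {}
    for attr in classes["synced"] + classes["anonymized"]:
        if attr not in ldap_entry:
            continue  # nothing to send if the UCS object lacks the attribute
        azure_name = ucr.get("office365/attributes/mapping/" + attr, attr)
        value = ldap_entry[attr]
        if attr in classes["anonymized"]:
            value = secrets.token_hex(8)  # attribute exists in Azure AD, content random
        outbound[azure_name] = value
    prefix = "office365/attributes/static/"
    for key, value in ucr.items():
        if key.startswith(prefix):
            outbound[key[len(prefix):]] = value  # predefined value on the Microsoft side
    return outbound
```

Reviewing the output of classify() before restarting the listener is a quick data-minimization check: everything under "synced" leaves the company network in clear text.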