Live@edu Authentication Scenarios

Applies to: Live@edu

By default, users with cloud-based mailboxes sign in with their Windows Live ID. However, if your users already have credentials that they use to authenticate to an on-premises directory service, you have several options. Let's take a look at the various scenarios.

The table below lists each authentication scenario with its description and other considerations.

Authentication scenario: Windows Live ID only

Description: Users don't have authentication credentials that they use to access on-premises resources. Users authenticate using Windows Live ID.

Other considerations: None

Authentication scenario: Separate credentials

Description: Users have on-premises credentials that they use to access on-premises resources, and they have a Windows Live ID that they use to authenticate. User names and passwords have to be managed separately.

Other considerations: This scenario is appropriate when users authenticate to only a few on-premises resources, or when their on-premises user name is in a standardized format, such as a student identification number. The Windows Live ID can provide a personalized identity.

Authentication scenario: Single sign-on (SSO)

Description: A single sign-on solution lets users move between on-premises resources and the cloud-based service without having to sign in multiple times. You can use the single sign-on software development kit (SSO SDK) that is provided by the Microsoft Live@edu program to add a single sign-on solution to an existing Web portal. You customize your Web portal to enable pre-authentication of users by mapping on-premises credentials to Windows Live ID and to add an e-mail entry point. Then, users can access their cloud-based mailbox from your Web portal without having to provide a different set of credentials.

Other considerations: Users have to know their Windows Live ID and password to authenticate the first time that they use instant messaging in Outlook Web App. You may want to provide their Windows Live ID and password to new users even if the primary access to the cloud-based service is through your Web portal. If you provision user accounts by using Microsoft Forefront Identity Manager (FIM) 2010, Microsoft Identity Lifecycle Manager (ILM) 2007 FP1, or Outlook Live Directory Sync (OLSync), you can set up the Password Change Notification Service (PCNS) to synchronize Windows Live ID and on-premises passwords.

Authentication scenario: Password synchronization

Description: This option is available if you are using ILM or OLSync to provision user accounts. User account names are typically created to match on-premises credentials, and you use PCNS to synchronize passwords. Password changes that originate in your directory service are propagated to the cloud-based service.

Other considerations: Although the password used to access both on-premises resources and the cloud-based service is the same, users have to re-enter their credentials when they move between environments. For the most seamless user authentication experience, you can combine SSO and PCNS.

Next steps

After you decide how to authenticate users, you're ready to generate a deployment guide. Go to Outlook Live for Live@edu.