Configuring SharePoint Hybrid Capabilities


was sent. The match can be on UPN, email, or SIP address, which is why you want those values populated in the User Profile service application (UPA). Also in the on-premises farm, the Subscription Settings Service and App Management Service Applications are required to support the SharePoint Apps infrastructure, and they are a prerequisite for SharePoint Online to be registered as a high-trust app in SharePoint Server 2013. In the Microsoft datacenter, the components needed to support search-based hybrid scenarios with SharePoint on-premises are the Office 365 tenancy, including SharePoint Online, and the Microsoft Azure Active Directory service. For some hybrid search functionality, an Enterprise subscription is required for the Office 365 tenant. Several other components come into play when deploying a search-based hybrid experience.
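The following script is an added example, not code from the book or from Microsoft: it checks the two on-premises prerequisites just described (that the Subscription Settings and App Management service applications exist, creating them if they do not) and then reads the three UPA properties that rehydration matches on for one user. It runs in the SharePoint 2013 Management Shell as a farm administrator. The managed account, service application and database names, site URL and test user are assumed placeholders.

```powershell
# Added example (not from the book): on-premises prerequisite checks for hybrid search.
# Assumptions (placeholders): managed account, service app/database names, site URL, test user.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
[Reflection.Assembly]::LoadWithPartialName("Microsoft.Office.Server.UserProfiles") | Out-Null

$managedAccount = "CONTOSO\spservices"            # assumed managed account for the app pools
$testUser       = "CONTOSO\jdoe"                  # assumed user whose UPA entry is verified
$siteUrl        = "https://intranet.contoso.com"  # assumed web application URL

# 1. The service instances must be started on at least one server in the farm.
Get-SPServiceInstance |
    Where-Object { $_.GetType().Name -eq "AppManagementServiceInstance" -or
                   $_.GetType().Name -eq "SPSubscriptionSettingsServiceInstance" } |
    Where-Object { $_.Status -ne "Online" } |
    Start-SPServiceInstance | Out-Null

# 2. Create the Subscription Settings and App Management service applications
#    (and their proxies) only if the farm does not already have them.
$account = Get-SPManagedAccount $managedAccount

if (-not (Get-SPServiceApplication | Where-Object { $_.TypeName -like "*Subscription Settings*" })) {
    $pool = New-SPServiceApplicationPool -Name "SettingsServiceAppPool" -Account $account
    $sa   = New-SPSubscriptionSettingsServiceApplication -ApplicationPool $pool `
                -Name "Subscription Settings Service" -DatabaseName "SettingsServiceDB"
    New-SPSubscriptionSettingsServiceApplicationProxy -ServiceApplication $sa | Out-Null
}

if (-not (Get-SPServiceApplication | Where-Object { $_.TypeName -like "*App Management*" })) {
    $pool = New-SPServiceApplicationPool -Name "AppServiceAppPool" -Account $account
    $sa   = New-SPAppManagementServiceApplication -ApplicationPool $pool `
                -Name "App Management Service" -DatabaseName "AppServiceDB"
    New-SPAppManagementServiceApplicationProxy -ServiceApplication $sa | Out-Null
}

# 3. Rehydration matches the incoming identity on UPN, e-mail or SIP address,
#    so verify that those three UPA properties are populated for the user.
$ctx = Get-SPServiceContext (Get-SPSite $siteUrl)
$upm = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($ctx)

if (-not $upm.UserExists($testUser)) {
    throw "No user profile for $testUser; run a profile import before testing hybrid search."
}
$profile = $upm.GetUserProfile($testUser)
$missing = @()
foreach ($prop in "SPS-UserPrincipalName", "WorkEmail", "SPS-SipAddress") {
    $value = $profile[$prop].Value
    "{0,-24} {1}" -f $prop, $value
    if ([string]::IsNullOrEmpty($value)) { $missing += $prop }
}
if ($missing.Count -gt 0) {
    Write-Warning ("Rehydration may fail for {0}: empty UPA properties {1}" -f $testUser, ($missing -join ", "))
}
```

Step 3 is the check worth repeating after every profile import: a user whose UPN, e-mail and SIP address are all empty in the UPA cannot be rehydrated, so security trimming of on-premises results for that user will not work as expected.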

Azure Active Directory Connect (Azure AD Connect) This is deployed on a member server in the on-premises domain and is used to synchronize users and groups to the Azure Active Directory service, supporting both user authentication and the rehydration process.

Trust broker A trust must be configured between the on-premises farm and Azure Access Control Service (ACS) so that ACS can act as a trust broker that validates outbound requests from the on-premises farm. This is generally referred to as a server-to-server (S2S) trust. Azure Active Directory Access Control is a cloud-based federation service that provides an easy way to authenticate users against identity providers and, most important of all, Azure Active Directory; it is used to establish and broker trusted connections between two endpoints. In very simple terms, ACS can be regarded as an authorization server. Office 365 already has a trust with ACS; for the on-premises SharePoint farm, however, you need to configure the ACS trust yourself. ACS can also act as an identity provider (IdP), but in a hybrid search deployment it acts purely as an "invisible" trust broker for applications.
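As an added example (not the book's own steps, and not Microsoft's documentation verbatim), this is the shape of the S2S trust configuration described above, using the SharePoint and Azure AD (MSOnline) cmdlets of the SharePoint Server 2013 era. The Office 365 half runs in the MSOnline module as a Global Administrator; the farm half runs in the SharePoint 2013 Management Shell. The STS certificate path, the external host name pattern, the site collection URL and the issuer/proxy name "ACS" are assumed placeholders; the SharePoint Online app principal ID is the well-known fixed value. If the farm already hosts SharePoint apps, check Get-SPAuthenticationRealm first, because their app principals were registered under the existing realm.

```powershell
# Added example (not from the book): server-to-server (S2S) trust between the
# on-premises farm and ACS. Assumptions (placeholders): STS public-key file,
# external DNS pattern, root site collection URL, issuer/proxy name "ACS".
$stsCerPath = "C:\certs\sts.cer"                 # assumed: exported STS signing cert (public key only)
$spcn       = "*.contoso.com"                    # assumed: external DNS pattern of the farm
$siteUrl    = "https://intranet.contoso.com"     # assumed: root site collection used for search
$spoAppId   = "00000003-0000-0ff1-ce00-000000000000"  # well-known app principal ID of SharePoint Online

# ---- Office 365 side (MSOnline module) ----
Import-Module MSOnline
Connect-MsolService                              # prompts for a Global Administrator

# Register the farm's STS certificate as a key ACS may use to verify tokens the farm signs.
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cer.Import($stsCerPath)
$credValue = [Convert]::ToBase64String($cer.GetRawCertData())
New-MsolServicePrincipalCredential -AppPrincipalId $spoAppId -Type asymmetric -Usage Verify -Value $credValue

# Add the farm's external host name to the SPO service principal names so that
# tokens addressed to that host are accepted.
$msp  = Get-MsolServicePrincipal -AppPrincipalId $spoAppId
$spns = $msp.ServicePrincipalNames
$spns.Add("$spoAppId/$spcn")
Set-MsolServicePrincipal -AppPrincipalId $spoAppId -ServicePrincipalNames $spns

$spoContextId     = (Get-MsolCompanyInformation).ObjectId                  # tenant ID = farm realm
$spoPrincipalId   = (Get-MsolServicePrincipal -AppPrincipalId $spoAppId).ObjectId
$metadataEndpoint = "https://accounts.accesscontrol.windows.net/$spoContextId/metadata/json/1"

# ---- On-premises farm side (SharePoint 2013 Management Shell) ----
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# The farm's authentication realm must equal the tenant ID, otherwise tokens
# brokered by ACS carry an audience the farm will not accept. Set it before
# creating the trusted issuer.
Set-SPAuthenticationRealm -Realm $spoContextId

New-SPTrustedSecurityTokenIssuer -MetadataEndpoint $metadataEndpoint -IsTrustBroker:$true -Name "ACS"
New-SPAzureAccessControlServiceApplicationProxy -Name "ACS" -MetadataServiceEndpointUri $metadataEndpoint -DefaultProxyGroup

# Register SharePoint Online as an app principal in the farm and grant it rights;
# the name identifier is <SPO principal object ID>@<tenant ID>.
$site = Get-SPSite $siteUrl
$appPrincipal = Register-SPAppPrincipal -Site $site.RootWeb `
                    -NameIdentifier "$spoPrincipalId@$spoContextId" -DisplayName "SharePoint Online"
Set-SPAppPrincipalPermission -Site $site.RootWeb -AppPrincipal $appPrincipal `
    -Scope SiteCollection -Right FullControl -EnableAppOnlyPolicy

# Verify: the realm matches the tenant and a trust-broker issuer now exists.
Get-SPAuthenticationRealm
Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.IsTrustBroker } | Select-Object Name, RegisteredIssuerName
```

Only the public key of the STS certificate leaves the farm; the private key stays in the on-premises STS and is what the farm uses to sign the outbound requests that ACS then validates on SharePoint Online's behalf.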

Active Directory Federation Services (AD FS) The AD FS infrastructure provides the federation services to make single sign-on (SSO) possible for users in the Office 365 tenancy. This is an optional component of a hybrid deployment when Password Sync has been turned on in Azure AD Connect but is recommended for a seamless user experience.

Reverse proxy component Last, but by no means least, is the reverse proxy component, which has two key roles. In the inbound search scenario, it provides the route by which the call from SharePoint Online reaches the on-premises search service. It also ensures that the incoming request comes from a trusted source by validating the certificate used to authenticate the query.

The following table shows the required and optional components for each of the four hybrid search scenarios:

Scenario         AD FS      Azure AD Connect   ACS trust   Reverse proxy
Outbound         Optional   Required           Required    Not required
Inbound          Optional   Required           Required    Required
Bi-directional   Optional   Required           Required    Required
Cloud SSA        Optional   Required           Required    Not required

For all of the scenarios in this chapter, we assume the following:

The company’s on-premises domain has been added to the Office 365 tenant.

Azure AD Connect has been configured with or without password synchronization.


CHAPTER 2 | SharePoint Server hybrid search

