Brjann Brekkan Sr. Technical Product Manager Microsoft Corporation SESSION CODE: SIA321.

Presentation transcript:


Across on-premises & cloud
From: Block, Cost, Siloed. To: Enable, Value, Seamless
Integrate and extend security across the enterprise
Simplify the security experience, manage compliance
Protect everywhere, access anywhere
Highly Secure & Interoperable Platform

Password reset and access requests handled through help desk
Contoso managing Fabrikam accounts
Fabrikam managing Contoso accounts
Multiple identities and limited sign-on help
Different sign-on requirements for applications
Remote access solution with separate identities

Identity and Access Management
Secure Messaging
Secure Endpoint
Secure Collaboration
Information Protection

Enable more secure, identity-based access to applications on-premises and in the cloud from virtually any location or device
PROTECT everywhere / ACCESS anywhere / INTEGRATE and EXTEND security / SIMPLIFY security, MANAGE compliance
Provide more secure, always-on access
Enable access from virtually any device
Extend powerful self-service capabilities to users
Automate and simplify management tasks
Control access across organizations
Provide standards-based interoperability

GOVERNED SELF-SERVICE AND AUTOMATION
Empower Business: self-service profile, credential, and group management; password and PIN reset from Windows login; group management from within Microsoft Office; single identity across heterogeneous applications
Empower IT: end-to-end, workflow-driven user provisioning; policy-controlled self-service capabilities; automatic, attribute-based group membership for simplified resource access
"With Forefront Identity Manager and Active Directory, we have the comprehensive identity and access management solution that we need to support our banking operations." René Chevremont, Head of Access Management, Banque de Luxembourg

Policy-based identity lifecycle management system
Built-in workflow for identity management
Automatically synchronize all user information to different directories across the enterprise
Automates the process of on-boarding users
Diagram: HR System → FIM (workflow: Manager, User Enrollment, Approval, User provisioned) → Active Directory, Lotus Domino, LDAP, SQL Server, Oracle DB, FIM CM
"With Forefront Identity Manager, we are able to streamline tactical processes, while at the same time provide strategic business value through a cohesive identity and access management solution." Scott Weir, IT Manager–Desktop Architecture, First American Title Insurance Company

Identity Data Aggregation
Connected systems feeding Identity Manager: HR System, LDAP, Active Directory/Exchange, SQL Server DB
Attributes carried per record: givenName, sn, title, mail, employeeID, telephone
Values held across the systems for the same person: Sammy Dearling, 008; Samara Darling, 007; Sam Dearing, Intern, 007; Samantha Dearing, Coordinator, 007
Aggregated in Identity Manager: Samantha Dearing, Coordinator, 007
Attribute Ownership: FirstName, LastName, EmployeeID, Title, Telephone

Identity Data Brokering (Convergence)
Attribute Ownership: FirstName, LastName, EmployeeID, Title, Telephone
Connected systems: HR System, LDAP, Active Directory/Exchange, SQL Server DB, brokered through Identity Manager
Attributes per record: givenName, sn, title, mail, employeeID, telephone
Values before convergence: Sammy Dearling, 007; Samara Darling, 007; Sam Dearing, Intern, 007; Bob Dearing, Coordinator, 007
Converged values written back to the connected systems: Samantha Dearing, Coordinator, 007
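The aggregation and convergence shown on the two slides above, as an added example that is not FIM code or part of the original deck: a precedence-based merge in which each attribute is taken from the system that owns it, followed by the export differences needed to bring every connected system into line. Which system owns which attribute, and the sample records, are assumptions constructed here (names loosely follow the slide).

```python
"""Precedence-based identity aggregation and brokering: added example, not FIM code.

A metaverse-style merge: each attribute is taken from the system that owns it,
then export differences are computed so every connected system converges on
the owned value. Ownership order and sample records are constructed here.
"""
from typing import Dict, List

# Attribute ownership, most authoritative system first (assumed; FIM expresses
# this as import attribute flow precedence per management agent).
PRECEDENCE: Dict[str, List[str]] = {
    "givenName":  ["HR", "AD", "LDAP", "SQL"],
    "sn":         ["HR", "AD", "LDAP", "SQL"],
    "employeeID": ["HR", "AD", "LDAP", "SQL"],
    "title":      ["HR", "AD", "LDAP", "SQL"],
    "mail":       ["AD", "LDAP", "SQL"],        # Exchange-joined AD owns mail
    "telephone":  ["AD", "LDAP", "SQL", "HR"],
}

# Constructed records for one person, one per connected system, already
# joined on employeeID; a non-authoritative app DB (SQL) holds a wrong name.
CONNECTED: Dict[str, Dict[str, str]] = {
    "HR":   {"givenName": "Samantha", "sn": "Dearing", "title": "Coordinator",
             "employeeID": "007"},
    "LDAP": {"givenName": "Samara", "sn": "Darling", "employeeID": "007",
             "telephone": ""},
    "AD":   {"givenName": "Sam", "sn": "Dearing", "title": "Intern",
             "mail": "sdearing@example.com", "employeeID": "007",
             "telephone": "+1 555 0107"},
    "SQL":  {"givenName": "Bob", "sn": "Dearing", "title": "Coordinator",
             "employeeID": "007"},
}


def aggregate(connected: Dict[str, Dict[str, str]],
              precedence: Dict[str, List[str]]) -> Dict[str, str]:
    """Build the aggregated (metaverse) record: for each attribute, take the
    first system in its precedence list that holds a non-empty value."""
    merged: Dict[str, str] = {}
    for attr, order in precedence.items():
        for system in order:
            value = connected.get(system, {}).get(attr, "")
            if value:
                merged[attr] = value
                break
    return merged


def broker(connected: Dict[str, Dict[str, str]],
           merged: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Export flows: per system, the attributes it must change to converge.
    A system only receives attributes it already carries (its schema is
    assumed to be the keys present in its record)."""
    changes: Dict[str, Dict[str, str]] = {}
    for system, record in connected.items():
        diff = {a: merged[a] for a in record if a in merged and record[a] != merged[a]}
        if diff:
            changes[system] = diff
    return changes


if __name__ == "__main__":
    merged = aggregate(CONNECTED, PRECEDENCE)
    print("aggregated:", merged)
    print("exports needed:", broker(CONNECTED, merged))
```

Because employeeID is owned by HR, a wrong value entered in the SQL application database never reaches the aggregated record; the export flow corrects SQL instead.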

Increase access security beyond username and password solutions
Streamline deployment by enrolling user and computer certificates without user intervention
Simplify certificate and SmartCard management using Forefront Identity Manager (FIM)
Enhance remote access security through certificates with Network Access Protection
Stronger authentication through certificates for administrative access and management
"We're confident that we have a security infrastructure that will help protect … our customers' data while logging every user action, for a more flexible and adaptive IT infrastructure." Thomas Pfeifer, Solution Engineer, T-Systems
Enrollment flow (HR System, FIM, FIM CM, Active Directory Certificate Services (AD CS), End User SmartCard):
1. User enrollment and authentication request sent by HR System
2. FIM policy triggers request for FIM CM to issue certificate or SmartCard
3. FIM Certificate Management (CM) requests certificate creation from AD CS
4. Certificate is issued to user and written to either machine or smart card

SharePoint-Based Management Console
FIM Add-in for Outlook
Self-service group and distribution list management with the FIM 2010 Web portal
Office integration allows users to manage group membership from within Microsoft Office Outlook® for maximum productivity
Automatically add users to either group based on their employee type at the time they are provisioned to Active Directory
Group and distribution list management, including dynamic membership calculation in these groups and distribution lists based on users' attributes

Self-service group management
Integrated approval
Integrates with Exchange and Outlook
Manages distribution and security groups
Criteria-based group membership

Enables IT to quickly define, automate, and enforce identity management policies
IT can use the integrated workflow in the approval/rejection process
Automatic notifications for request approvals or rejections

Enables users to reset their own passwords through both Windows logon and the FIM password reset portal
Controls helpdesk costs by enabling end users to manage certain parts of their own identities
Improves security and compliance with minimal errors while managing multiple identities and passwords
Diagram: End User requests password reset → FIM Server resets password → passwords updated in Active Directory, Oracle, SQL Server, IBM DS, LDAP

Integrated SSL VPN capabilities for both managed and non-managed clients
Simplified remote access by non-Windows, down-level, or non-trusted endpoints
UAG 2010 extends the benefits of DirectAccess to down-level servers and applications across your infrastructure
Diagram: Employees/Partners (non-managed, home/kiosk), Employees (managed), Mobile → DirectAccess, HTTPS (443), Layer 3 VPN → Data Center/Corporate Network: Terminal Services/Remote Desktop, Citrix, HTTPS/HTTP, CRM, IBM/SAP/Oracle, non-Web/legacy/down-level. Authentication and policy: SmartCard, RADIUS, LDAP…

Empower Business: consolidated secure portal to simplify remote access to resources; simplified sign-on. Empower IT: policy-based resource access
Empower Business: seamless and more secure access; simplified, always-on access. Empower IT: policy-based network access; ability to manage machines anywhere
Empower Business: access from virtually any device. Empower IT: policy-based restricted access
DIRECT ACCESS / SSL VPN

"We will have more granular control over identity and access, so we can start providing users with self-service capabilities and extend secure collaboration to our partners." Armand Martin, Enterprise Architect, Security, Dow Corning
Empower Business: ability to move seamlessly between applications using a single identity; collaboration across organizations
Empower IT: no need to manage external accounts; simplified and flexible claims-based federation; common authentication controls for building custom applications

Shared identity with partner organizations and cloud services
Boost cross-organizational efficiency and communication with more secure access
Support the sharing of rights-protected messages between organizations
Improved support for Microsoft SharePoint Server as a claims-aware application
Diagram: Trey Research account forest and Woodgrove Bank resource forest joined by a federation trust; components shown: SharePoint Server farm, Exchange 2010, AD DS, AD FS, AD RMS, business partners, user account/credentials, security token
Flow: application access → redirect to Security Token Service (STS) → authentication → token and claims → post claims

Implements a single user access model with native single sign-on (SSO) and easier federation to on-premises and cloud services
Helps provide consistent security with a single user access model externalized from applications
Based on open, industry-standard protocols for interoperability
Shared identity with partners and cloud services
Boost cross-organizational efficiency
Share rights-protected messages
Improved support for SharePoint as a claims-aware application
Diagram: corporate user → AD DS / AD FS, security token (e.g., Kerberos ticket) → claims-aware applications: Exchange, SharePoint, internal app, partner claims-aware application, cloud services claims-aware app
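The federated access flow on the two slides above (application access, redirect to the partner's STS, token and claims posted back to the resource), as an added example that is not AD FS, WIF or any Microsoft code: a minimal relying party that honours a relying-party trust list, verifies the token, and authorizes on claims alone. An HMAC shared secret stands in for the X.509 signature AD FS uses, and the issuer URIs, keys, audience and user names are constructed.

```python
"""Simplified claims-aware relying party: added example, not AD FS or WIF code.

AD FS signs SAML / WS-Federation tokens with an X.509 key; here an HMAC with a
shared secret stands in for that signature so the example runs offline.
Issuer URIs, audience, keys and users are constructed placeholders.
"""
import base64
import hashlib
import hmac
import json
import time

# Relying-party trust: the claims providers this application accepts, keyed by
# issuer URI, each with its verification key (assumed values).
TRUSTED_ISSUERS = {
    "urn:sts:trey-research": b"trey-research-signing-secret",  # partner account forest
}
RP_AUDIENCE = "urn:app:woodgrove-sharepoint"  # identifier of this resource


def issue_token(issuer, key, subject, claims, audience, lifetime=300, now=None):
    """Claims provider STS side: after authenticating the user, mint a signed token."""
    now = time.time() if now is None else now
    body = {"iss": issuer, "aud": audience, "sub": subject,
            "exp": now + lifetime, "claims": claims}
    payload = base64.urlsafe_b64encode(json.dumps(body, sort_keys=True).encode()).decode()
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + sig


def validate_token(token, now=None):
    """Relying party side: accept the posted token only if the issuer is in the
    trust list and signature, audience and expiry all check out; else None."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".")
        body = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:
        return None  # malformed token (decode and JSON errors are ValueErrors)
    if not isinstance(body, dict):
        return None
    key = TRUSTED_ISSUERS.get(body.get("iss"))
    if key is None:
        return None  # no relying-party trust for this claims provider
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None  # signature does not match: tampered or wrong key
    if body.get("aud") != RP_AUDIENCE or body.get("exp", 0) < now:
        return None  # token meant for another application, or expired
    return body


def authorize(token, required_role, now=None):
    """Authorization externalized from the app: it never sees the partner's AD
    account, only the claims the trusted STS asserted about the user."""
    body = validate_token(token, now)
    if body is None:
        return False
    return required_role in body.get("claims", {}).get("roles", [])
```

The audience check is what stops a token issued for one relying party from being replayed against another that trusts the same claims provider.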

Federated Identity Cloud Datacenter

Diagram: Windows Integrated/Kerberos/AD FS; HR System → FIM (self service, workflow) → AD DS (phone, title, department, manager, group), Exchange (GAL & DL), SharePoint (profiles and access), SAP and other apps, SQL Server (role, client list), other user data stores; AD FS 2.0 issues WS-* and SAML claims to partner claims-aware applications and cloud services

Customer ID is used in the cloud

SIA201 | Understanding Claims-Based Applications: An Overview of Active Directory Federation Services (AD FS) 2.0 and Windows Identity Foundation
SIA302 | Identity and Access Management: Centralizing Application Authorization Using Active Directory Federation Services 2.0
SIA326 | Identity and Access Management: Single Sign-on Across Organizations and the Cloud - Active Directory Federation Services 2.0 Architecture Drilldown
SIA303 | Identity and Access Management: Windows Identity Foundation and Windows Azure
SIA304 | Identity and Access Management: Windows Identity Foundation Overview
SIA305 | Top 5 Security and Privacy Challenges in Identity Infrastructures and How to Overcome Them with U-Prove
SIA306 | Night of the Living Directory: Understanding the Windows Server 2008 R2 Active Directory Recycle Bin
SIA307 | Identity and Access Management: Deploying Microsoft Forefront Identity Manager 2010 Certificate Management for Microsoft IT
SIA318 | Microsoft Forefront Identity Manager 2010: Deploying FIM
SIA319 | Microsoft Forefront Identity Manager 2010: In Production *
SIA327 | Identity and Access Management: Managing Active Directory Using Microsoft Forefront Identity Manager
SIA01-INT | Identity and Access Management: Best Practices for Deploying and Managing Active Directory Federation Services (AD-FS) 2.0
SIA03-INT | Identity and Access Management: Best Practices for Deploying and Managing Microsoft Forefront Identity Manager *
SIA06-INT | Identity and Access Management Solution Demos
SIA02-HOL | Microsoft Forefront Identity Manager 2010 Overview
SIA06-HOL | Identity and Access Management Solution: Business Ready Security with Microsoft Forefront and Active Directory
Red SIA-5 & SIA-6 | Microsoft Forefront Identity and Access Management Solution

Learn more about our solutions: Try our products:

Sign up for Tech·Ed 2011 and save $500, starting June 8 – June 31st
You can also register at the North America 2011 kiosk located at registration
Join us in Atlanta next year