Identity Lifecycle Management
Rafal Lukawiecki, Strategic Consultant, Project Botticelli Ltd
Copyright 2006 © Microsoft Corp & Project Botticelli Ltd. E&OE. For informational purposes only. No warranties of any kind are made and you have to verify all information before relying on it. You can re-use this presentation as long as you read, agree, and follow the guidelines described in the “Comments” field in File/Properties. This presentation is based on work of many authors from Microsoft, Oxford Computer Group and other companies. Please see the “Introductions” presentation for acknowledgments.
2 Objectives
- Introduce Microsoft Identity Integration Server and related products and technologies
- Explain the processes involved in lifecycle management
3 Session Agenda
- Functionality of Microsoft Identity Integration Server
- Scenarios and Applications of MIIS
- A Few Tips on MIIS
4 Microsoft’s Identity Management
Products and technologies on the slide, grouped under Directory (Store) Services, Access Management and Identity Lifecycle Management:
- PKI / CA
- Extended Directory Services
- Active Directory & ADAM
- Enterprise Single Sign On
- Authorization Manager
- Active Directory Federation Services
- Audit Collection Services
- BizTalk
- Identity Integration Server
- ISA Server
- SQL Server Reporting Services
- Services for Unix / Services for Netware
5 Functionality of Microsoft Identity Integration Server
6 What is MIIS?
MIIS is…
- A rock-solid synchronization engine for identity information
- Software that ensures consistency of identity data across repositories
MIIS makes it radically easier to design, deploy and manage a metadirectory across an enterprise of any size
7 IIFP – Identity Integration Feature Pack for Windows Server 2003
- Subset of MIIS functionality, available free of charge as a download
- Synchronisation with only the following stores: Active Directory, ADAM, Exchange 2000/2003 Server
8 MIIS: Identity Lifecycle Management
- New User: user ID creation; credential issuance; access rights
- Account Changes: promotions; transfers; new privileges; attribute changes
- Password Mgmt: strong passwords; “lost” password; password reset
- Retire User: delete/freeze accounts; delete/freeze entitlements
9 MIIS Capabilities & Benefits
Key capabilities:
- Identity Synchronization
- Provisioning & Deprovisioning
- Password Management
- “Agentless” connection to heterogeneous systems
Key benefits:
- Easy to deploy
- Easy to translate business rules into MIIS
- Easy to build the solution over time
- Robust and scalable
- Low cost
Diagram: state-based identity data flowing between LDAP, SQL, NOS and LOB applications
10 Metadirectory Concept
- Represents all identity information from all connected data sources
- Through a mechanism of rules, allows even the most intricate relationships to be maintained between seemingly incompatible identity management systems
- The “heart” of the MIIS system
11 Scenario – Join/Leave
Diagram: HR and AD (LDAP) connected through MIIS; lifecycle stages Join/Leave, Provisioning, RBAC
Example: University of West England
- 40,000 students
- 8,000 new students each year
- Provisioned into 4 systems (including AD, Exchange, NT, HR)
- Immediate savings of £50k/year
12 Scenario – Password
Diagram: lifecycle stages Join/Leave, Provisioning, RBAC, Portal, Self-service/helpdesk; ID data and passwords flow between AD, LDAP and web applications through MIIS (user change, helpdesk reset, PCNS, user reset?)
Example: Elsevier
- Passwords managed across AD, Lotus Notes, Sun ONE
13 Scenario – Portal
Diagram: lifecycle stages Join/Leave, Provisioning, RBAC, Portal, Self-service/helpdesk; ID data and passwords flow between HR, AD, LDAP, ADAM, portals and a web application through MIIS
14 Most Typical Implementations
- White Pages
- Directory Synchronization
- Identity Administration / Self Service
15 MIIS Terms
- Connected Data Source (CD): any source and/or destination containing identity data
- Management Agent (MA): facilitates the communication between the CD and the CS and MV
- Connector Space (CS): staging area (SQL) for inbound or outbound synchronized attributes
- Metaverse (MV): central (SQL) store of identity information
Matching CS entries to a single MV entry is called a “join”
Diagram: CD – MA – CS – MV, with CS and MV inside MIIS
16 MIIS Concepts
- CS entries represent objects in Connected Data Sources
- MV entries are linked to CS entries through: projection, provisioning a connector, joining
- Synchronization is between MV and CS
- Staging is from CD to CS
- Export is from CS to CD
Diagram: Connected Data Sources (User, Notes, Oracle, SQL, SAP) – Connector Space (CS) – Metaverse (MV) inside MIIS
Let’s zoom in on what MIIS does
17 MIIS Sequence Of Events
- Oracle HR database staged and projected
- Provision and export to SQL-based approval system
- Manager approval app causes import and delta synchronization
- Sun One and Notes connectors provisioned and exported
Diagram: Connected Data Sources (User, Oracle, SQL, Notes, SAP) – Connector Space (CS) – Metaverse (MV)
18 Object Creation
Diagram: HR (CD) – CS person object – MV person object; the MV rules extension runs the provision step, which creates a connector in the target CS
1) HR MA imports new user object
2) Project new user
3) Create new connector
4) Set anchor value
5) Set other initial values
6) Export attribute flow
7) Normal MA export run (creates object in CD)
19 Object Deletion
Note: Deprovision does not necessarily mean delete
1) HR MA imports user object with status = “terminated”
2) Object deletion rule applies: the connector filter “status=terminated” is satisfied, so the HR CS object becomes a disconnector and the MV object is deleted
3) and 4) Deprovision runs in the MA rules extension for each remaining connector, with one of three outcomes: make a normal disconnector, make an explicit disconnector, or delete the object (the latter two via custom extension); disconnector cleanup follows
5) MA export deletes the CD object
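The creation and deletion sequences above, modelled end to end in Python as an added example (not MIIS code and not material from the deck): “HR MA”, “AD MA”, the employeeId anchor and the attribute names are assumptions. It shows why deprovision is not the same as delete: only the DELETE outcome removes the AD account on the next export run, while a normal or explicit disconnector leaves it in place.

```python
# Added example, not MIIS code: the MA names, attributes and anchor choice are assumed.
from dataclasses import dataclass, field
DISCONNECT, EXPLICIT_DISCONNECT, DELETE = "disconnect", "explicit", "delete"

@dataclass
class CSEntry:                      # object in a management agent's connector space
    ma: str
    attrs: dict
    mv_id: "int | None" = None      # None = disconnector (no link to the metaverse)
    explicit: bool = False          # explicit disconnectors are never re-joined by rules
    pending_delete: bool = False    # the next export run deletes the object in the CD

@dataclass
class Metadirectory:
    mv: dict = field(default_factory=dict)    # metaverse: mv_id -> person attributes
    cs: list = field(default_factory=list)    # every connector-space entry
    next_id: int = 1

    def hr_import(self, attrs, deprovision_action=DISCONNECT):
        """Step 1: HR MA import; new persons are projected, terminated ones hit the filter."""
        entry = next((e for e in self.cs if e.ma == "HR MA"
                      and e.attrs.get("employeeId") == attrs["employeeId"]), None)
        if entry is None:
            entry = CSEntry("HR MA", {}); self.cs.append(entry)
        entry.attrs.update(attrs)
        if attrs["status"] == "terminated":   # connector filter satisfied (slide 19)
            if entry.mv_id is not None:
                self._delete_mv(entry.mv_id, deprovision_action)
            entry.mv_id = None                # HR CS object becomes a disconnector
        elif entry.mv_id is None:             # step 2: project into the metaverse
            entry.mv_id, self.next_id = self.next_id, self.next_id + 1
            self.mv[entry.mv_id] = dict(attrs)
            emp = attrs["employeeId"]         # steps 3-5: provision a connector in the AD CS
            self.cs.append(CSEntry("AD MA", {"anchor": emp, "sAMAccountName": emp.lower()}, entry.mv_id))
        return entry

    def _delete_mv(self, mv_id, action):
        """MV deletion rule: each remaining connector goes through the deprovision rule."""
        del self.mv[mv_id]
        for c in (c for c in self.cs if c.mv_id == mv_id and c.ma != "HR MA"):
            c.mv_id, c.explicit, c.pending_delete = None, action == EXPLICIT_DISCONNECT, action == DELETE

    def export(self, target_ma, cd):
        """Steps 6-7: export run into the CD dict; only DELETE removes a CD object, a disconnector leaves it."""
        for c in [c for c in self.cs if c.ma == target_ma]:
            if c.pending_delete:
                cd.pop(c.attrs["anchor"], None); self.cs.remove(c)
            elif c.mv_id is not None:
                cd[c.attrs["anchor"]] = dict(c.attrs)
        return cd
```

The `cd` dict passed to `export` stands in for the connected data source itself, so the caller can inspect what an AD export run would have created or removed.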
20 Scenarios and Applications of MIIS
21 Identity Lifecycle Management with MIIS
- Password Management
- Identity Provisioning
- Synchronisation
- Audit Compliance Assurance
- Role Management (for Role-based Access Management)
22 Password Synchronization
Diagram: the source system is an AD domain controller running PCNS (PCNSFlt.DLL), which captures the user’s Ctrl-Alt-Del password change and sends the encrypted password to MIIS; MIIS pushes it to the target systems through each MA’s password extension; password resets flow through the AD MA
23 Password Management
- Initial password set versus password management
- Passwords are write-only
- Scope of password management
- Security groups
- Events and password history
- Developing custom applications (WMI; helpdesk web app; self-serve)
Diagram: NT4, Lotus Notes, AD, Sun ONE, AD/ADAM and Novell eDirectory connected through MIIS
24 MIIS Password Management
Diagram: application-based sign-on; infrastructure directory (AD), ADAM, 3rd-party LDAP, LOB4 and LOB5 connected through MIIS
1. User changes password using the password management web app
2. Pwd mgmt app finds matching accounts in MIIS
3. Passwords updated
4. User signs on to app
25 Provisioning
- Identity can be sourced from a number of directories through management agents (MAs): database, LDAP, file-based
- Whenever a Metaverse object is changed, Provision methods run; this is code in a Metaverse rule DLL
- If not catered for by an existing management agent, you can customise it to suit the most unusual provisioning needs
- Deprovisioning is those operations that occur at the end of an identity life cycle (deletion, disabling)
26 Synchronisation: MIIS Out-of-the-Box Connectivity
- NT 4
- Exchange 5.5
- Lotus Notes
- SQL Server
- Oracle
- Informix and dBase
- IBM RACF
- IBM DB2
- Novell eDirectory
- PeopleSoft
- SAP
- Partner (extensible) management agents (NEW!); other systems to follow
- Active Directory / Exchange
- Active Directory Application Mode (ADAM)
- SunOne Directory (iPlanet)
- IBM Tivoli Directory Server (SecureWay)
- DSML 2.0
- LDAP Directory Interchange Format (LDIF)
- Delimited Text
- Fixed-Width Text
- Attribute-Value Pair Text
27 Audit and Compliance
Regulatory requirements: SarbOx, Data Protection Directive/Act, Freedom of Information Acts, HIPAA…
Arguably, we have to monitor the directories, not MIIS claims. As this is very difficult today, here is an interim suggestion:
1. Centralise all tracked identity information on an MIIS metadirectory
2. Audit MIIS events
3. Code bespoke rules
4. Obtain existing compliance checking code (e.g. OCG)
5. Use Microsoft Audit Collection Service (ACS) for ensuring integrity of the audit – ACS plans to ship with the next version of Microsoft Operations Manager
28 Audit Collection Services Architectural Overview
Diagram labels: WMI; monitored clients and monitored servers with their security logs (events subject to tampering); SQL collector (events under control of auditors); consuming applications: real-time intrusion detection, forensic analysis, management system
29 Additional Security Benefit
- Through analysis of the MIIS audit (for example, using Microsoft Operations Manager) you can detect unusual and unexpected operations
- This can become a basis for building an element of your automated Intrusion Detection System (IDS)
- Please refer to the “Holistic Security” seminar, Part 2, available on for more information on IDS and Active Security
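A detector in the spirit of step 2 above (“audit MIIS events”) and the IDS idea on this slide, as an added example rather than anything from the deck: two rules run over constructed MIIS-style event records, flagging a metaverse object projected from a non-authoritative MA (an account that entered the metadirectory without an HR record) and an export run that deletes an unusual number of objects. The record layout, the MA names and the thresholds are assumptions, not MIIS’s real run-history format.

```python
# Added example, not MIIS's real audit format: the event layout, MA names and thresholds
# are constructed for illustration.
from collections import Counter

AUTHORITATIVE_MA = "HR MA"       # assumed policy: only HR may project new persons into the MV
MAX_DELETES_PER_RUN = 5          # assumed threshold above which an export run looks like a mass deprovision

# Constructed sample of MIIS run-history style events: one record per object operation.
EVENTS = (
    [{"run": 1, "ma": "HR MA", "op": "project", "object": "E100"},
     {"run": 1, "ma": "AD MA", "op": "export-add", "object": "CN=e100"},
     # an account that appeared in AD without an HR record and was projected from the AD MA
     {"run": 2, "ma": "AD MA", "op": "project", "object": "CN=svc-backup"}]
    + [{"run": 3, "ma": "AD MA", "op": "export-delete", "object": f"CN=e{n}"} for n in range(101, 109)]
    + [{"run": 4, "ma": "AD MA", "op": "export-delete", "object": "CN=e120"}]
)

def find_anomalies(events, authoritative=AUTHORITATIVE_MA, max_deletes=MAX_DELETES_PER_RUN):
    """Return (rule, run, ma, detail) tuples for events that break the lifecycle policy."""
    alerts = []
    # Rule 1: an MV object sourced from anything but the authoritative MA bypassed the HR join process
    for e in events:
        if e["op"] == "project" and e["ma"] != authoritative:
            alerts.append(("unauthorised-source", e["run"], e["ma"], e["object"]))
    # Rule 2: one export run deleting many CD objects (e.g. a bad rule change or a broken HR feed)
    deletes = Counter((e["run"], e["ma"]) for e in events if e["op"] == "export-delete")
    for (run, ma), n in sorted(deletes.items()):
        if n > max_deletes:
            alerts.append(("mass-deprovision", run, ma, n))
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(EVENTS):
        print(*alert)
```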
30 A Few Tips on MIIS (Refer to course 2731 on MIIS for more)
31 Guidelines for Securing the MIIS 2003 Environment
- Use strong passwords
- Ensure that only trusted people have access
- Institute checks and balances
- Encrypt sensitive data; use secure network connections
- Provide appropriate training
- Use Windows authentication on SQL Servers
- Implement RAID and UPS on SQL Servers
- If using a remote SQL Server, change the TCP/IP port
- Install MIIS 2003 and SQL Server behind a firewall
- Keep software patches up to date
32 Encryption Keys
Password information is encrypted:
- Connection passwords
- Passwords waiting to be synchronized
- Newly created passwords (not yet provisioned)
Key sets should be backed up to a safe place
miiskmu allows backup/restore of keys, re-encryption with a new key and key abandonment
If a new key is created, old keys are scrubbed
33 Security Groups and Access Control Lists
- Limit access to specific users and groups
- Monitor group membership and access control lists
If a security breach occurs:
- Back up the MIIS database and the encryption keys
- Change the MIIS service account credentials
- Delete existing MIIS security groups
- Run MIIS setup and use the new security credentials
- Obtain and deploy new connection credentials for connected data sources; de-activate old credentials
34 Maintain a Warm Standby Server
Diagram: clustered SQL Server; the active MIIS server and the warm standby both run under the domain service account; the domain controller authenticates the MIIS service account and groups; MIISActivate.exe is run on the standby when the active server is lost (X)
35 Backup and Restore
- SQL Server backup includes data, configuration and extensions
- Encryption keys and metadata must be backed up separately
- There are two approaches to restoring on a clean machine: restore then install; install then restore
- When restoring on an existing installation, you should run miisactivate to restore extensions reliably
37 MIIS Success & References
- 250+ large customers since the launch (which was in Aug 2003)
- 28 different countries (NA, EMEA, APAC, LTAM)
- 25 different verticals (Gov’t, Finance, Education, .com)
- 20,000+ downloads of the feature pack
- 10,000+ downloads of the evaluation version
- User group of more than 1,500 users
38 Summary
- At the heart of Identity Lifecycle Management lies a strong metadirectory server: MIIS
- Main functions deal with provisioning, password management, and identity synchronisation
- Additional benefits include the ability to audit and ensure regulatory compliance
39 Special Thanks
This seminar was prepared with the help of:
- Oxford Computer Group Ltd: expertise in Identity and Access Management (Microsoft Partner); IT service delivery and training
- Microsoft, with special thanks to:
  - Daniel Meyer – thanks for many slides
  - Steven Adler, Ronny Bjones, Olga Londer – planning and reviewing
  - Philippe Lemmens, Detlef Eckert – sponsorship
  - Bas Paumen & NGN – feedback