Identity & Access Management Conversation
Karlien Vanden Eynde, Product Marketing Manager

Agenda
13:30 – 14:30  Wider Identity Conversation – Kim Cameron
14:30 – 15:30  Microsoft IAM: Business Needs and IT Challenges – Henk Den Baes
15:30 – 16:00  Coffee Break
16:00 – 17:15  FIM 2010: From Identity Synchronization to Identity Management – Federico Guerrini
17:15 – 17:20  Partner Offerings
17:20 – 18:00  Networking & Cocktail

Digital Identity Discussion
Kim Cameron, Chief Architect of Identity
Identity: the stuff of poets and philosophers

Digital Identity
- How the web and the world recognize us in different contexts
- Foundation for personalization
- The social “mouse” or “keyboard”
- Foundation for interaction, collaboration and social phenomena: I can’t collaborate over time if I can’t recognize and refer to you
- Foundation for the digital economy
Identity is a mosaic
- The disruptive ability and tendency to connect all information about individuals brings significant commercial and social risk
- A person’s need to traverse silos
- A person’s need for “contextual separation”

Architectural Problem
- The Internet was not designed with any way to know who you’re connecting to
- Patchwork quilt of kludges
The Claims-Based Model

What is the Claims-Based Model?
- An abstraction layer for authenticating, authorizing, and obtaining information about users, devices and services
- Claim: a statement that is in doubt, made by one subject about another subject. Examples: Age > 21; Manager = Craig Wittenberg; Role = Architect
- Primordial claims: passwords, keys and certificates
- Identity metasystem: an open, standards-based architecture for the exchange of claims under user control
- Claims transformer: matches the impedance between domains
- Write to the model, and let the infrastructure adapt to the environment

Flow in the Claims-Based Model
- Application: requires and uses claims to describe users
- Claims provider (Security Token Service): supports the protocols for issuing claims
- Relationship: the context in which the meaning of claims is defined
Diagram: (1) the application requires claims; (2) the subject gets claims from the claims provider (STS); (3) the subject sends the claims to the application. The relationship between the claims provider and the application is what gives the claims their meaning.

How the Claims Service works
- Claims evaluation and transformation: policy + claims
- Claims transformation: new semantics at domain boundaries; a different issuer (for example a “Local STS”); transform from identity to capabilities
- Claims augmentation: new claims for identity, capabilities and authorization. Not just identifiers!
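The evaluation-and-transform step above, written out as an added example (this is illustration code, not code from the deck or from AD FS). A local STS takes the claims that arrive in a partner's token, keeps only those from an issuer it trusts, and rewrites them under its own policy: partner group names become local "role" claims (the role-claim-in-place-of-security-groups pattern), a pass-through list decides which identity claims survive the boundary, and capability claims are added from the resulting roles. Everything is re-issued under the local issuer's name. The issuer names, group DNs, roles and policy tables are invented for the example.

```python
"""
Claims evaluation and transformation at a domain boundary (added example;
issuer names, group DNs, roles and policy tables are constructed).
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Claim:
    type: str     # what is asserted: "group", "role", "manager", ...
    value: str
    issuer: str   # who asserted it; a claim is only as good as its issuer


LOCAL_ISSUER = "urn:example:local-sts"            # assumed local STS name
TRUSTED_ISSUERS = {"urn:example:partner-sts"}     # the federation trust; assumed

# Policy tables (constructed for the example)
GROUP_TO_ROLE = {
    "CN=Architects,OU=Groups,DC=partner,DC=example": "Architect",
    "CN=Finance,OU=Groups,DC=partner,DC=example": "FinanceUser",
}
PASS_THROUGH = {"name", "email", "manager"}       # identity claims the application may see
ROLE_CAPABILITIES = {"FinanceUser": ["approve-invoice"], "Architect": ["edit-design"]}


def transform(incoming: list[Claim]) -> list[Claim]:
    """Evaluate incoming claims against policy; return what the local STS will issue."""
    out: list[Claim] = []
    for c in incoming:
        if c.issuer not in TRUSTED_ISSUERS:
            continue                                  # untrusted statement: never re-issued
        if c.type == "group":
            role = GROUP_TO_ROLE.get(c.value)
            if role is not None:                      # unmapped groups do not cross the boundary
                out.append(Claim("role", role, LOCAL_ISSUER))
        elif c.type in PASS_THROUGH:
            out.append(Claim(c.type, c.value, LOCAL_ISSUER))
        # anything else (raw SIDs, partner-internal attributes) is dropped
    # Augmentation: derive capability claims from the roles just established
    for role in sorted({c.value for c in out if c.type == "role"}):
        for cap in ROLE_CAPABILITIES.get(role, []):
            out.append(Claim("capability", cap, LOCAL_ISSUER))
    return out


# Constructed contents of a partner-issued token
PARTNER_CLAIMS = [
    Claim("name", "Alice Smith", "urn:example:partner-sts"),
    Claim("manager", "Craig Wittenberg", "urn:example:partner-sts"),
    Claim("sid", "S-1-5-21-1-2-3-1001", "urn:example:partner-sts"),  # identifier: not passed through
    Claim("group", "CN=Architects,OU=Groups,DC=partner,DC=example", "urn:example:partner-sts"),
    Claim("group", "CN=Payroll,OU=Groups,DC=partner,DC=example", "urn:example:partner-sts"),  # no mapping
    Claim("role", "Administrator", "urn:example:rogue-sts"),          # untrusted issuer
]

if __name__ == "__main__":
    for c in transform(PARTNER_CLAIMS):
        print(f"{c.type}={c.value} (issuer {c.issuer})")
```

Two things worth noticing: the rogue "Administrator" role claim is discarded on the issuer check before any policy runs, and the application never sees a group DN or SID, only the local role and capability vocabulary it was written against.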
Where is the industry in the process?
- Standards widely accepted: OASIS
- Interoperability deeply tested: OSIS Interoperability Testing and the Liberty Alliance
- Platforms will finally have claims as a built-in feature: Microsoft ADFS V2 is shipping now, as part of Active Directory; expect wide adoption and deployment given there is no marginal cost
- COTS software can count on claims “being there”; example: Microsoft flagship applications like SharePoint
- Great products by many vendors
- Cloud service adoption and strong competition
- Many proofs of concept by private enterprise and government

New initiatives in the consumer space: OpenID
- Metasystem model
- Big service providers are all supporting OpenID (Yahoo, AOL, Google, Windows Live, etc.)
- Many small providers (e.g. universities)
- US Government support
- Widely available software for ISVs
- Severe security issues being worked on by the industry

Identity selector for OpenID (screenshot)
The Claims Architecture
Architecture, Starting with the Enterprise (diagram): an enterprise’s identity stores feed its enterprise applications with roles and properties, with the Microsoft Services identity backbone alongside; a partner has its own identity stores, and the open question is how the two connect.
Industry Standard Components (diagram): a claims service is placed in front of each identity store and in front of the Microsoft Services identity backbone; together they form the enterprise identity backbone, and enterprise applications consume roles and properties as claims through a claims API.
The Claims Service (diagram): claims services front a directory, a database and the partner’s identity stores, so the application sees one claims API whatever the backing store.
Architecture Works for Cloud, Too (diagram): the same pattern with cloud applications on the claims API, a cloud service identity backbone of claims services over a directory and a database, and claims services at an enterprise and a university supplying claims from outside.
From Architecture To Off-The-Shelf Product
Active Directory Federation Services
- Shared identity with partner organizations and cloud services
- Boost cross-organizational efficiency and communication with more secure access
  - Support the sharing of rights-protected messages between organizations (AD RMS)
  - Improved support for Microsoft SharePoint Server as a claims-aware application
Diagram: Trey Research (account forest: AD DS, AD FS, user account and credentials) and Woodgrove Bank (resource forest: AD DS, AD FS, AD RMS, Exchange 2010, SharePoint Server farm) are linked by a federation trust. The user attempts application access, is redirected to the Security Token Service (STS), authenticates, receives a security token with claims, and posts the claims to the application.

Single Sign On with Extended Collaboration
- Implements a single user access model with native single sign-on (SSO) and easier federation to on-premises and cloud services
- Helps provide consistent security with a single user access model externalized from applications
- Based on open, industry-standard protocols for interoperability
Diagram: a corporate user presents an existing security token (e.g. a Kerberos ticket) from AD DS to AD FS; AD FS creates a SAML token, signs it with the company’s private key and sends it back to the user; the user supplies the token to access a partner, Exchange, SharePoint, a web app or any other claims-aware application, on premises or in cloud services.

Seamless Access to On-Premises and In-Cloud Web Apps
- SSO for on-premises and in-cloud applications
- Native support for web and application SSO (including multi-factor authentication)
- Addresses the security risks and interoperability problems caused by extending business resources beyond the corporate network and across disparate systems
Diagram: remote employees, business partners and corporate users obtain an authentication token from AD FS (backed by AD DS) and get seamless access to in-cloud and on-premises web apps.
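The token exchange on the preceding slides, as an added example that is not code from the deck or from AD FS. AD FS issues a SAML token signed with the company's private key and the partner verifies it against the published signing certificate; here a JSON body plus a keyed HMAC stands in for the signed SAML assertion so the example runs on the standard library alone (this is a substitution, not how AD FS signs). The checks the relying party performs are the point: the issuer must be in its federation trust list, the signature must verify under that issuer's key, the token must be addressed to this application, and it must be inside its validity window. The organisation names follow the deck's Trey Research / Woodgrove Bank example; issuer URIs, keys and timestamps are invented.

```python
"""
Federated SSO: an STS issues a token, a relying party validates it before
trusting any claim (added example; HMAC stands in for the private-key
signature, and all names, keys and timestamps are constructed).
"""
import base64
import hashlib
import hmac
import json


class TokenRejected(Exception):
    pass


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SecurityTokenService:
    """Account-side STS: after authenticating the user (out of scope here) it issues a token for one audience."""

    def __init__(self, issuer: str, signing_key: bytes):
        self.issuer, self.key = issuer, signing_key

    def issue(self, subject: str, claims: dict, audience: str, now: int, lifetime: int = 300) -> str:
        body = {"iss": self.issuer, "sub": subject, "aud": audience,
                "nbf": now, "exp": now + lifetime, "claims": claims}
        payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        sig = hmac.new(self.key, payload, hashlib.sha256).digest()
        return _b64(payload) + "." + _b64(sig)


class RelyingParty:
    """Resource-side application: accepts claims only from tokens that pass every check."""

    def __init__(self, audience: str, trusted_issuers: dict):
        self.audience = audience
        self.trusted = trusted_issuers   # issuer -> verification key: the federation trust

    def accept(self, token: str, now: int) -> dict:
        try:
            payload_b64, sig_b64 = token.split(".")
            payload = _unb64(payload_b64)
            body = json.loads(payload)
        except (ValueError, UnicodeDecodeError):
            raise TokenRejected("malformed token")
        key = self.trusted.get(body.get("iss"))      # "iss" is still unverified at this point
        if key is None:
            raise TokenRejected("issuer not in federation trust")
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            raise TokenRejected("signature does not verify")   # only now is "iss" believed
        if body.get("aud") != self.audience:
            raise TokenRejected("token issued for a different application")
        if not (body.get("nbf", 0) <= now < body.get("exp", 0)):
            raise TokenRejected("token outside its validity window")
        return body["claims"]


# Constructed federation: Trey Research (account forest) -> Woodgrove Bank SharePoint (resource)
TREY_KEY = b"trey-research-signing-key"   # stands in for Trey's private key / published certificate
TREY_STS = SecurityTokenService("urn:trey-research:adfs", TREY_KEY)
WOODGROVE_SHAREPOINT = RelyingParty("urn:woodgrove:sharepoint",
                                    {"urn:trey-research:adfs": TREY_KEY})
NOW = 1_275_000_000   # fixed clock, in seconds, so the example is deterministic


def demo() -> dict:
    """Issue a token for Alice at Trey and have Woodgrove's SharePoint accept it."""
    token = TREY_STS.issue("alice@trey-research.example",
                           {"role": "Architect", "email": "alice@trey-research.example"},
                           audience="urn:woodgrove:sharepoint", now=NOW)
    return WOODGROVE_SHAREPOINT.accept(token, now=NOW + 10)


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: the issuer name is read from the token only to pick a verification key, and nothing in the body is believed until the signature has verified under that key. Audience and lifetime checks are what stop a token issued for Exchange being replayed against SharePoint, or an old token being reused.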
Managing the Use of Claims: Provisioning Claims and Resources

Identity Management: User Provisioning
- FIM is a policy-based identity lifecycle management system with built-in workflow for identity management
- Automatically synchronizes user information to the different directories across the enterprise (Active Directory, Lotus Domino, LDAP, SQL Server, Oracle DB, the HR system)
- Automates the process of on-boarding users
Diagram: user enrollment → approval in the FIM workflow manager → the user is provisioned on all allowed systems; FIM CM handles certificates.

Forefront Identity Manager 2010
- FIM enables identity-based controls for information protection, enforced through Windows Server and Active Directory Rights Management Services
- FIM enables application and network access controls, enforced in Forefront Unified Access Gateway
- FIM enables federation and cloud-based services: FIM supplies data for claims, performs user account provisioning and deprovisioning, and manages smartcards or software certificates

FIM Enables Federation and Cloud
- FIM supplies AD FS with data for claims; for example, construct a “role” claim based on data in FIM to use for authorization in place of security groups
- FIM supplies cloud-based services with user account provisioning and de-provisioning, for services which need a copy of the directory
- FIM provisions users with smartcards or software certificates, enabling users to leverage stronger authentication for access to cloud-based services than just a password

FIM Manages Primordial Claims
- Increase access security beyond username-and-password solutions
- Streamline deployment by enrolling user and computer certificates without user intervention
- Simplify certificate and smartcard management using Forefront Identity Manager (FIM)
- Enhance remote access security through certificates with Network Access Protection
- Stronger authentication through certificates for administrative access and management
Diagram (HR system, FIM, FIM CM, Active Directory Certificate Services, end user):
1. The HR system sends a user enrollment and authentication request to FIM
2. FIM policy triggers a request for FIM CM to issue a certificate or smartcard
3. The user is validated using multi-factor authentication
4. FIM Certificate Management (CM) requests certificate creation from AD CS
5. The certificate is issued to the user and written either to the machine or to a smartcard; the end user moves from user ID and password to the smartcard

Workflow Management
- Enables IT to quickly define, automate, and enforce identity management policies
- IT can use the integrated workflow in the approval/rejection process
- Automatic notifications for request approvals or rejections
Directions: Minimal Disclosure and Interscale Directory

Important New Frontier: Minimal Disclosure Technology
Diagram (today): the identity provider holds Alice Smith’s record (Name: Alice Smith; Address: 1234 Pine, Seattle, WA; D.O.B.) and the relying party receives that same complete record.

Diagram (minimal disclosure): the relying party asks “Prove that you are over 21 and from WA”. The identity provider, which holds the full record (name, address, D.O.B.), issues a minimal disclosure token carrying only the over-21 proof. The relying party can verify the proof but is left asking “Which adult from WA is this?”
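The two diagrams above, side by side in code, as an added illustration (not the deck's code and not Microsoft's U-Prove). The identity provider holds Alice's full record and is asked "over 21 and from WA?". The full-disclosure path hands the whole record to the relying party; the minimal path evaluates the two predicates itself and returns a token carrying only the yes/no answers plus a fresh random presentation nonce, so the relying party learns nothing beyond what it asked and cannot correlate two presentations by their content. A keyed HMAC stands in for the issuer's signature. What this simplification does not give is unlinkability from the issuer: the identity provider still sees each request and could link them, which is exactly the property U-Prove's cryptography provides and this code does not attempt. The record, dates and key are constructed.

```python
"""
Minimal disclosure versus full disclosure of an identity record
(added example; HMAC stands in for the issuer signature, and the record,
dates and key are constructed).
"""
import hashlib
import hmac
import json
import secrets
from datetime import date

IDP_KEY = b"constructed-identity-provider-key"   # assumed; shared with the RP only because HMAC is a stand-in

# Constructed record held by the identity provider
ALICE = {"name": "Alice Smith", "street": "1234 Pine", "city": "Seattle",
         "state": "WA", "dob": "1985-06-01"}


def is_over_21(dob_iso: str, today_iso: str) -> bool:
    """True once the 21st birthday has been reached; a 29 February birthday counts on 1 March."""
    dob, today = date.fromisoformat(dob_iso), date.fromisoformat(today_iso)
    try:
        twenty_first = dob.replace(year=dob.year + 21)
    except ValueError:
        twenty_first = dob.replace(year=dob.year + 21, month=3, day=1)
    return today >= twenty_first


# The only questions the identity provider will answer about a record
PREDICATES = {
    "over21": lambda rec, today: is_over_21(rec["dob"], today),
    "state_WA": lambda rec, today: rec["state"] == "WA",
}


def _sign(payload: bytes) -> str:
    return hmac.new(IDP_KEY, payload, hashlib.sha256).hexdigest()


def issue_full_disclosure(record: dict) -> dict:
    """Today's pattern: the relying party receives the whole record."""
    payload = json.dumps(record, sort_keys=True).encode()
    return {"payload": payload.decode(), "sig": _sign(payload)}


def issue_minimal(record: dict, requested: list, today_iso: str) -> dict:
    """Minimal disclosure: only the answers to known predicates leave the identity provider.
    Raw attributes cannot be requested through this path; unknown names are ignored."""
    answers = {p: PREDICATES[p](record, today_iso) for p in requested if p in PREDICATES}
    body = {"answers": answers, "nonce": secrets.token_hex(16)}   # fresh nonce: no persistent identifier
    payload = json.dumps(body, sort_keys=True).encode()
    return {"payload": payload.decode(), "sig": _sign(payload)}


def rp_verify(token: dict) -> dict:
    """Relying party: check the issuer's signature, then use only what the token says."""
    payload = token["payload"].encode()
    if not hmac.compare_digest(_sign(payload), token["sig"]):
        raise ValueError("signature does not verify")
    return json.loads(payload)


if __name__ == "__main__":
    print("full:   ", issue_full_disclosure(ALICE)["payload"])
    tok = issue_minimal(ALICE, ["over21", "state_WA"], "2010-06-15")
    print("minimal:", tok["payload"])
    print("RP sees:", rp_verify(tok)["answers"])
```

Run twice, the minimal token differs in its nonce but verifies to the same two answers, and a request for "dob" or "name" through the minimal path yields an empty answer set rather than the attribute.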
Minimal Disclosure Scenarios
- Ordering a new birth certificate: eID → birth certificate RP (demo)
- Visiting a social website: eID → dating site RP (demo)

And finally … towards a federated directory
- We need a directory metasystem that works holistically in the cloud, in enterprises and organizations, and on devices
- Shared architecture, data model and semantics, protocols, publication paradigm
- Policy framework for configuration
- Simple APIs integrated with developer platforms