Copyright Microsoft Corp. 2006 Sandeep Katyal TechnologistMicrosoft Solving the Identity Management problem using MIIS and ADFS.

Presentation transcript:

Solving the Identity Management problem using MIIS and ADFS
Sandeep Katyal, Technologist, Microsoft

Session Objectives and Key Takeaways
Session objectives:
- Introduce concepts in Microsoft Identity Integration Server (MIIS): provisioning, group management, lifecycle management and consistency enforcement
- Introduce the Web SSO scenario with ADFS

Situation
- Increasingly connected systems; connections span technical and organizational boundaries
- Distinctions blur: customer, partner, employee; intranet, Internet
- Demand for business process integration
- Clear business drivers around security, cost efficiency and regulatory compliance
- Issues around policy, assessment and reporting
- Rapid rise of threats to online safety
- Concerns over privacy and tracking

Agenda - MIIS
- Identity and Lifecycle Management Scenarios
- Provisioning and Group Management with MIIS 2003
- Password Management
- MIIS Roadmap

The ID Lifecycle
- New user: user ID creation, credential issuance, access rights
- Account changes: promotions, transfers, new privileges, attribute changes
- Password management: strong passwords, "lost" password, password reset
- Retire user: delete or freeze accounts, delete or freeze entitlements
- Synchronize identity: extend lifecycle information across all identity stores
- Entitlement reporting: audit and log every ILM change, keep track of entitlements

MIIS - Identity Broker
(Diagram.) Each connected system (HR system, infrastructure application, Lotus Notes apps, in-house applications, COTS application, contractor system, enterprise directory) carries its own authentication, authorization and identity data. MIIS sits between them as the identity integration layer: "rock solid software to integrate identity".

MIIS Identity Broker Scenarios
- Hire scenario
- Fire scenario
- Join scenario
- Identity data aggregation
- Identity data brokering (identity convergence)
- Identity data integrity enforcement

Hire Scenario
(Diagram.) A new record in the HR system is imported into MIIS through a file-based management agent; MIIS then provisions the person into the connected stores: Lotus Notes, the contractor system, AD Application Mode (ADAM), SQL Server, iPlanet Directory and Active Directory, over the file, LDAP and SQL management agents.

Fire Scenario
(Diagram.) The same topology in reverse: when the HR system retires the person, MIIS deprovisions the corresponding accounts in each connected store.

Identity Joining Scenario
(Diagram.) The same person exists in four stores with inconsistent data:
- HR system: Clark Kent, Reporter, employeeID 007
- iPlanet Directory: Klarek Cenntt, employeeID 008
- Active Directory: Clark Kennttt, employeeID 007
- Lotus Notes: Klarke Kent, Superhero
The HR object is projected into the metaverse (attributes givenName, sn, title, mail, employeeID, telephone). Objects whose employeeID matches are joined on employeeID; the iPlanet object, whose employeeID (008) does not match, needs a manual join. Result: one metaverse object, Clark Kent, Reporter, 007.

Attribute Flow Scenario: Identity Data Aggregation
(Diagram.) Import attribute flow gathers the best value of each attribute from the connected stores into the single metaverse object: name, title and employeeID from HR, mail and telephone from the directories that hold them. The HR system uses FirstName, LastName, EmployeeID, Title and Telephone; the directories use givenName, sn, title, mail, employeeID and telephone.

Attribute Flow Scenario: Identity Data Brokering (Convergence)
(Diagram.) Export attribute flow pushes the aggregated values back out, so the misspelled "Klarek Cenntt" and "Clark Kennttt" entries converge on "Clark Kent", and every store ends up with the same title, Reporter, and employeeID, 007.

Attribute Flow Scenario: Identity Data Integrity Enforcement
(Diagram.) Somebody changes the title directly in a non-authoritative store (Superhero, Publisher). Because the HR system has precedence for title, the next synchronization overwrites the change with Reporter. A connected system therefore cannot grant itself attributes, or the entitlements derived from them, that the authoritative source does not grant.

Agenda - MIIS: Provisioning and Group Management with MIIS 2003

Provisioning Scenarios
- Dataflow-driven provisioning: provisioning data is mastered in an upstream system (such as SAP); this is the MIIS 2003 scenario
- Self-service entry point with workflow: delegated users trigger provisioning actions through web applications (personal information changes, password resets); approval processes can be required (account requests, group membership requests)
- Dataflow-driven provisioning with workflow: approval steps added to provisioning initiated by the upstream system (a new employee joins, the manager must approve DL membership)

MIIS 2003 SP1 Provisioning
- MIIS 2003: the administrator had to write code for provisioning
- MIIS 2003 SP1 Resource Kit adds a provisioning code generator: a declarative UI for provisioning that generates the provisioning code, enables provisioning and registers the provisioning DLL; the generated source can be extended with custom code
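The provisioning logic the slides say an MIIS 2003 administrator had to write by hand covers the hire and fire scenarios together: create accounts for new HR records, freeze them when HR retires the person. The following is an added example written for this page, not the deck's code, not MIIS's provisioning API and not the SP1 generator's output. The HR feeds, the naming convention (`ckent`, `pwhite`), the `userAccountControl` handling and the container names under `DC=dailyplanet,DC=example` are all constructed.

```python
"""Hire/fire provisioning rules of the kind an MIIS administrator wrote in
code.  Added example; not code from this deck or from MIIS.  The HR feed,
the naming convention and the AD container names are constructed."""

ACCOUNTDISABLE = 0x0002          # userAccountControl flag
NORMAL_ACCOUNT = 0x0200
ACTIVE_OU = "OU=Users,DC=dailyplanet,DC=example"
DISABLED_OU = "OU=Disabled,DC=dailyplanet,DC=example"


def unique_sam(given, sn, taken):
    """First initial + surname, lower-case alphanumerics, at most 20
    characters, with a numeric suffix when the name is already taken."""
    base = "".join(ch for ch in (given[:1] + sn).lower() if ch.isalnum())[:20]
    candidate, n = base, 2
    while candidate in taken:
        candidate = f"{base[:20 - len(str(n))]}{n}"
        n += 1
    return candidate


def provision(person, ad):
    """Hire: create the AD account disabled; it is enabled only once a
    credential has actually been issued to the person."""
    sam = unique_sam(person["givenName"], person["sn"], ad)
    ad[sam] = {"dn": f"CN={person['givenName']} {person['sn']},{ACTIVE_OU}",
               "employeeID": person["employeeID"],
               "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE,
               "memberOf": []}
    return sam


def enable(sam, ad):
    """Credential issued out of band (initial password set, smart card...)."""
    ad[sam]["userAccountControl"] &= ~ACCOUNTDISABLE


def deprovision(sam, ad):
    """Fire: freeze rather than delete, so the object, its SID and its audit
    trail survive, but strip every entitlement and move it out of the way."""
    obj = ad[sam]
    obj["userAccountControl"] |= ACCOUNTDISABLE
    obj["memberOf"] = []
    obj["dn"] = obj["dn"].split(",", 1)[0] + "," + DISABLED_OU


def run_hr_cycle(hr_feed, ad, links):
    """links: employeeID -> sAMAccountName, the persisted join state.
    Returns the actions taken as (action, employeeID, sAMAccountName)."""
    actions = []
    for emp_id, person in hr_feed.items():
        linked = links.get(emp_id)
        if person["status"] == "active" and linked is None:
            links[emp_id] = sam = provision(person, ad)
            actions.append(("provision", emp_id, sam))
        elif person["status"] != "active" and linked is not None \
                and not ad[linked]["userAccountControl"] & ACCOUNTDISABLE:
            deprovision(linked, ad)
            actions.append(("deprovision", emp_id, linked))
    # A record that silently vanished from HR is treated as a termination too;
    # otherwise the account would live on as an orphan with all its access.
    for emp_id, sam in list(links.items()):
        if emp_id not in hr_feed and not ad[sam]["userAccountControl"] & ACCOUNTDISABLE:
            deprovision(sam, ad)
            actions.append(("deprovision", emp_id, sam))
    return actions


# Constructed HR feeds for two consecutive runs.
DAY1_FEED = {
    "007": {"givenName": "Clark", "sn": "Kent",  "employeeID": "007", "status": "active"},
    "013": {"givenName": "Carl",  "sn": "Kent",  "employeeID": "013", "status": "active"},
    "010": {"givenName": "Perry", "sn": "White", "employeeID": "010", "status": "active"},
}
DAY2_FEED = {   # Clark has vanished from the feed; Perry is marked terminated.
    "013": {"givenName": "Carl",  "sn": "Kent",  "employeeID": "013", "status": "active"},
    "010": {"givenName": "Perry", "sn": "White", "employeeID": "010", "status": "terminated"},
}


def demo():
    ad, links = {}, {}
    day1 = run_hr_cycle(DAY1_FEED, ad, links)
    for sam in ad:                                   # credentials issued
        enable(sam, ad)
    ad["pwhite"]["memberOf"].append("CN=Editors,OU=Groups,DC=dailyplanet,DC=example")
    day2 = run_hr_cycle(DAY2_FEED, ad, links)
    return ad, links, day1, day2


if __name__ == "__main__":
    ad, links, day1, day2 = demo()
    print(day1, day2, ad["pwhite"], sep="\n")
```

The two checks worth copying are the vanished-record rule (an HR row that disappears is a termination, not a no-op) and the freeze-not-delete choice from the ID Lifecycle slide, which keeps the SID resolvable in old ACLs and audit logs while removing every group membership.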

Group Management
- Manage group membership across heterogeneous systems using the built-in capabilities for managing reference attributes
- Authoritative data for group membership can be a connected directory (e.g. AD), or can be calculated from attributes, with the results imported into MIIS by a management agent

Group Populator
(Diagram.) The group populator runs a query against the integrated view in MIIS, which is fed from the HR database; the resulting group definition and members are imported and synchronized to Active Directory.
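Attribute-calculated membership, the second option on the Group Management slide, amounts to evaluating a rule against the integrated view and diffing the answer against what AD currently holds. The block below is an added example written for this page, not the deck's or any Microsoft group-populator tool; the people, the `DC=dailyplanet,DC=example` DNs, the rules and the current AD memberships are constructed. Members are emitted as DNs because that is what a reference attribute such as `member` holds once MIIS resolves the metaverse reference to the AD connector object.

```python
"""Attribute-driven group population: evaluate group rules against the
integrated (metaverse) view and compute the membership changes to export
to Active Directory.  Added example; not code from this deck or from MIIS.
People, DNs, rules and current AD memberships are constructed."""

# Integrated view of identities (constructed).
METAVERSE = {
    "007": {"displayName": "Clark Kent",  "department": "Editorial", "employeeType": "Employee",   "status": "active"},
    "008": {"displayName": "Lois Lane",   "department": "Editorial", "employeeType": "Employee",   "status": "active"},
    "009": {"displayName": "Jimmy Olsen", "department": "Editorial", "employeeType": "Contractor", "status": "active"},
    "010": {"displayName": "Perry White", "department": "Editorial", "employeeType": "Employee",   "status": "terminated"},
    "011": {"displayName": "Cat Grant",   "department": "Sales",     "employeeType": "Employee",   "status": "active"},
    "012": {"displayName": "Ron Troupe",  "department": "Editorial", "employeeType": "Employee",   "status": "active"},
}
# Metaverse key -> AD distinguishedName: the resolved reference that goes into
# the group's "member" attribute.  "012" has no AD object yet (constructed gap).
AD_DN = {
    "007": "CN=Clark Kent,OU=Users,DC=dailyplanet,DC=example",
    "008": "CN=Lois Lane,OU=Users,DC=dailyplanet,DC=example",
    "009": "CN=Jimmy Olsen,OU=Users,DC=dailyplanet,DC=example",
    "010": "CN=Perry White,OU=Users,DC=dailyplanet,DC=example",
    "011": "CN=Cat Grant,OU=Users,DC=dailyplanet,DC=example",
}
# Group definitions: every listed attribute must hold one of the allowed values.
GROUP_RULES = {
    "CN=Editorial-Staff,OU=Groups,DC=dailyplanet,DC=example":
        {"department": {"Editorial"}, "employeeType": {"Employee"}, "status": {"active"}},
    "CN=All-Workers,OU=Groups,DC=dailyplanet,DC=example":
        {"employeeType": {"Employee", "Contractor"}, "status": {"active"}},
}
# What AD holds today (constructed): stale entries added by hand before the rules existed.
AD_GROUPS_NOW = {
    "CN=Editorial-Staff,OU=Groups,DC=dailyplanet,DC=example":
        {AD_DN["007"], AD_DN["009"], AD_DN["010"]},
    "CN=All-Workers,OU=Groups,DC=dailyplanet,DC=example":
        {AD_DN["007"], AD_DN["008"], AD_DN["010"]},
}


def matches(rule, person):
    return all(person.get(attr) in allowed for attr, allowed in rule.items())


def desired_members(rule, metaverse=METAVERSE, dn_map=AD_DN):
    """Query the integrated view; return (member DNs, unresolved metaverse keys).
    A person who matches but has no AD object yet cannot be referenced and is
    reported rather than silently dropped."""
    members, unresolved = set(), []
    for key, person in metaverse.items():
        if matches(rule, person):
            if key in dn_map:
                members.add(dn_map[key])
            else:
                unresolved.append(key)
    return members, unresolved


def plan_membership_changes(rules=GROUP_RULES, current=AD_GROUPS_NOW):
    """Diff desired against current membership per group.  Removals matter
    as much as additions: the terminated employee and the contractor who
    never qualified are taken out on the next cycle."""
    plan = {}
    for group_dn, rule in rules.items():
        want, unresolved = desired_members(rule)
        have = current.get(group_dn, set())
        plan[group_dn] = {"add": want - have, "remove": have - want,
                          "unresolved": unresolved}
    return plan


if __name__ == "__main__":
    for group, change in plan_membership_changes().items():
        print(group)
        for kind in ("add", "remove", "unresolved"):
            for item in sorted(change[kind]):
                print(f"  {kind}: {item}")
```

Because the rule is the only source of truth, a membership somebody added by hand in AD (Jimmy Olsen's) is an "unnecessary access" finding in the terms of the Business Costs slide and is reverted; if hand-maintained members must be preserved, the rule needs an explicit exception list rather than a weaker diff.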

Workflow with MIIS 2003
- Workflow is not integrated in MIIS 2003, but MIIS is easy to extend with workflow
- MIIS 2003 SP1 Resource Kit: workflow application (account request application); the download link on the original slide survives only as ...4F1F0AE00D79&displaylang=en
- Identity and Access Management Series: HR-driven provisioning with workflow
- Partner tools (MIIS Alliance)
- Complex workflow: integrate BizTalk with MIIS
- Future MIIS versions: a powerful workflow engine fully integrated in MIIS

Agenda - MIIS: Password Management

MIIS Password Management: A Complete Solution
- Accounts secure from provisioning to deprovisioning: the initial password set feature guarantees strong passwords
- Reduced sign-on: password sync initiated from the Windows desktop
- End users can manage passwords in systems that do not participate in password synchronization: a web portal lets them manage passwords in connected identity stores
- Forgotten passwords: self-service password reset solution

Agenda - MIIS: MIIS Roadmap

MIIS Roadmap
- Extending MA reach and password capabilities (done): additional MAs, MA SDK, password extensions, password synchronization
- Tools to simplify MIIS deployments (done): Provisioning Wizard, workflow sample app
- Extending MA reach (ongoing, started June '05): additional MAs
- Improving password management capabilities (MIIS 2003 SP2, CY06): end-user self-service password reset
- Further lowering the cost and risks of identity management (MIIS "Gemini"): codeless provisioning, entitlement reporting, self-service platform, additional MAs

MIIS 2003 SP1 - Management Agents
New MAs:
- IBM DB2 version 7 or 8.1 (Windows, Linux and OS/400)
- IBM DS versions 4.1, 5.1 and 5.2 (Windows only at this time)
Improved MA support:
- Sun ONE 5.2
- eDirectory 8.73

MIIS Reach
Wide range of connectivity to identity data (LDAP, SQL, NOS, LOB apps, files):
- Active Directory and ADAM
- Sun/iPlanet Directory
- IBM DS
- Novell eDirectory
- Microsoft SQL Server 2000 and SQL Server 7
- Oracle 9i/8i
- IBM DB2
- Lotus Notes 5.x/6.x
- Microsoft Exchange 5.5, 2000, 2003
- Microsoft Windows NT 4.x
- RACF
- DSML, LDIF, CSV, fixed width
- ...others to follow
The MA SDK allows ISVs and corporate developers to build custom MAs.

Agenda - ADFS
- Problem: high cost of extending your network for eBusiness
- Solution: identity federation is the key
- Product: Microsoft Active Directory Federation Services (ADFS)

Windows SSO to your Internal Network
Active Directory: logon to Windows with flexible authentication:
- Kerberos
- X.509 v3 / smart card / PKI
- VPN / 802.1x / RADIUS
- LDAP
- Passport / Digest / Basic (web)
- SSPI / SPNEGO
Single sign-on to:
- Windows file and print servers
- Microsoft applications: Exchange, web apps, file shares, Windows-integrated applications
- 390/AS400 (Host Integration Server)
- ERP (BizTalk, SharePoint ESSO)
- 3rd-party integrated apps
- Web applications via IIS
- Unix/J2EE (Services for Unix, Vintela)

Identity Integration
Ensure consistency of digital identity data.
Active Directory and ADAM:
- Single store for users, computers, services, groups, etc.
- Distributed and replicated for availability
- Automated security policy
- LDAP v3 compliant
- ADAM for application-specific data
Identity Integration Server:
- Digital identity integration (metadirectory)
- Identity lifecycle management
- Password management
(Diagram: Active Directory as the account directory, with MIIS connecting LDAP, SQL, enterprise applications, Exchange, web services, file shares and other applications.)

eBusiness Extends your Network
Your company and your employees now reach your suppliers, your partners, your remote and virtual employees, and your customers. Drivers:
- Customer satisfaction and customer intimacy
- Cost competitiveness
- Reach, personalization
- Collaboration
- Outsourcing
- Faster business cycles; process automation
- Value chain
- M&A
- Mobile/global workforce
- Flexible/temp workforce

Existing IdM Approaches: Extending your network to external users
Approach: custom solutions + local accounts
  Issues: expensive custom software development; costly client software deployment for partners; partner account management burden
Approach: Web SSO solutions + local accounts
  Issues: expensive 3rd-party products; redundant infrastructure; partner account management burden
Approach: VPN + local accounts (for external users)
  Issues: client VPN software required; excessive network access allowed; partner account management burden
Approach: Windows forest trust
  Issues: requires native-mode Windows 2003 forests; extensive firewall configuration

Business Costs of Partner Account Management
- Regulatory compliance: privacy protection, end-to-end auditing, repudiation
- End-user productivity: provisioning latency, forgotten passwords, logon frequency
- IT/helpdesk efficiency: account provisioning requests, password reset requests, account proliferation
- Security: orphaned or inaccurate accounts, compromised passwords, unnecessary access

Agenda - ADFS: Solution: Identity Federation is the Key

Identity Federation
Standards-based technology and processes...
- ...projecting user identity from a single logon
- ...distributed authentication and claims-based authorization
- ...across boundaries (security, departmental, organizational or platform boundaries)

Security Tokens and Claims
- Distributed authentication/authorization: security tokens assert claims
- Claims: statements authorities make about security principals (name, identity, key, group, privilege, capability, etc.)
- Tokens are signed by the issuing authority; token formats include X.509, Kerberos, XrML and SAML
- Proof of possession ties the token to its presenter, via a secret key or a password

Security Token Service
- A security token service (STS) issues security tokens; the Kerberos Key Distribution Center is the familiar example
- STSs can "swap" tokens as a request crosses security domain boundaries: a token from one realm's STS is exchanged for a token issued by the next realm's STS

Scenario: Web SSO
- User credentials and attributes managed in AD or ADAM at the "resource realm"
- Authentication via Windows logon or web-based
- Single sign-on to a web farm
- Authorization based on claims from the "resource realm"
(Diagram: customers, business partners and employees authenticate to the STS that fronts the web farm.)

Scenario: Identity Federation
- User credentials and attributes managed in the "home realm" by the partner organization
- Authentication via Windows logon or web-based
- Single sign-on to a web farm across organizational or platform boundaries
- Authorization based on claims from the "home realm"
(Diagram: business partners authenticate to their own STS, which is trusted by the resource STS in front of the web farm.)

Agenda - ADFS: Product: Microsoft Active Directory Federation Services (ADFS)

Active Directory Federation Services
- Identity federation: extend the value of Active Directory deployments to facilitate secure collaboration with partners (diagram: Company A's AD and IIS federated with Company B's)
- Web SSO: extend the value of the Windows Server application platform in Internet-facing environments

ADFS Identity Federation
(Diagram: Organization A's private namespace and Organization B's private namespace, each with a federation server.) ADFS projects AD identities to other security realms. Federation servers manage:
- Trust -- keys
- Security -- claims required (what the resource side insists on receiving)
- Privacy -- claims allowed (what the account side is willing to release to a given partner)
- Audit -- identities, authorities

ADFS Components
Active Directory or ADAM:
- Windows 2000 or 2003
- Authenticates users
- Manages attributes
Federation Service (FS), aka Security Token Service (STS):
- Maps user attributes to claims
- Issues security tokens
- Manages federation trust policy
- Requires IIS 6 on Windows Server 2003 R2
Federation Server Proxy (FSP):
- Client proxy for token requests
- Provides the UI for browser clients
- Requires IIS 6 on Windows Server 2003 R2
Web Agent:
- Enforces user authentication
- Creates the application's authorization context from claims: NT impersonation and ACLs, ASP.NET IsInRole(), AzMan RBAC integration, ASP.NET raw claims API
- Requires IIS 6 on Windows Server 2003 R2
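The slides from Security Tokens and Claims through ADFS Components describe one round trip: the account partner's Federation Service maps AD attributes to claims and issues a signed token, the resource partner's Federation Service verifies the federation trust, applies its claims-required and claims-allowed policy and swaps the token for one of its own, and the web agent turns that token into an authorization context for IsInRole(). The model below is an added example written for this page; it is not code from the deck or from ADFS. It signs a JSON body with HMAC in place of an X.509 signature over a SAML 1.1 assertion, and the realm names (`urn:federation:adatum`, `urn:federation:treyresearch`), keys, user, groups, claim mappings and application URL are constructed.

```python
"""Claims flow through the three ADFS roles: account-side Federation Service,
resource-side Federation Service, web agent.  Added example; not code from
this deck or from ADFS.  HMAC over JSON stands in for X.509 signatures over
SAML 1.1; realms, keys, users, groups and mappings are constructed."""
import base64, hashlib, hmac, json, time


def _sign(key, payload):
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def issue_token(issuer, key, audience, claims, now=None, ttl=300):
    """Serialise claims into a signed, audience-bound, time-limited token."""
    now = time.time() if now is None else now
    body = {"iss": issuer, "aud": audience, "nbf": now, "exp": now + ttl, "claims": claims}
    payload = json.dumps(body, sort_keys=True).encode()
    return base64.b64encode(payload).decode() + "." + _sign(key, payload)


def verify_token(token, trusted_issuers, audience, now=None):
    """Accept only tokens from a trusted issuer, unmodified, inside their
    lifetime and addressed to us; return the claims, else raise ValueError."""
    now = time.time() if now is None else now
    b64, sig = token.rsplit(".", 1)
    payload = base64.b64decode(b64)
    body = json.loads(payload)
    key = trusted_issuers.get(body["iss"])
    if key is None:
        raise ValueError("untrusted issuer: " + body["iss"])
    if not hmac.compare_digest(_sign(key, payload), sig):
        raise ValueError("signature check failed")
    if not body["nbf"] <= now < body["exp"]:
        raise ValueError("token outside its validity period")
    if body["aud"] != audience:
        raise ValueError("token not issued for this audience")
    return body["claims"]


# --- Account partner (A. Datum): AD attributes -> outgoing claims ----------
ADATUM = "urn:federation:adatum"
ADATUM_KEY = b"adatum-token-signing-key"        # constructed stand-in for the signing cert
ADATUM_AD = {"alice": {"mail": "alice@adatum.example", "costCenter": "4711",
                       "groups": ["Purchasers", "Domain Admins"]}}
OUTGOING_MAP = {"mail": "email", "costCenter": "costcenter", "groups": "group"}
# Privacy policy: claims each partner is allowed to receive.  costcenter never leaves.
CLAIMS_ALLOWED = {"urn:federation:treyresearch": {"name", "email", "group"}}


def account_fs_issue(user, partner, now=None):
    attrs = ADATUM_AD[user]
    claims = [["name", user]]
    for attr, claim_type in OUTGOING_MAP.items():
        values = attrs[attr] if isinstance(attrs[attr], list) else [attrs[attr]]
        claims += [[claim_type, v] for v in values]
    claims = [c for c in claims if c[0] in CLAIMS_ALLOWED[partner]]
    return issue_token(ADATUM, ADATUM_KEY, partner, claims, now)


# --- Resource partner (Trey Research): trust, required claims, transformation
TREY = "urn:federation:treyresearch"
TREY_KEY = b"trey-token-signing-key"
TREY_TRUSTS = {ADATUM: ADATUM_KEY}            # the federation trust: issuer -> verification key
CLAIMS_REQUIRED = {"name", "email"}           # security policy: what must be present
GROUP_TO_ROLE = {"Purchasers": "Purchaser"}   # partner group -> local role; everything else dropped
ORDERS_APP = "https://orders.treyresearch.example/"


def resource_fs_swap(partner_token, now=None):
    incoming = verify_token(partner_token, TREY_TRUSTS, TREY, now)
    if not CLAIMS_REQUIRED <= {t for t, _ in incoming}:
        raise ValueError("partner token lacks required claims")
    local = [[t, v] for t, v in incoming if t in ("name", "email")]
    local += [["role", GROUP_TO_ROLE[v]] for t, v in incoming
              if t == "group" and v in GROUP_TO_ROLE]
    return issue_token(TREY, TREY_KEY, ORDERS_APP, local, now)


# --- Web agent on the IIS application ---------------------------------------
class AuthzContext:
    """Built from the resource FS token only: a partner token presented
    straight to the application fails as an untrusted issuer."""
    def __init__(self, token, now=None):
        self.claims = verify_token(token, {TREY: TREY_KEY}, ORDERS_APP, now)
        self.name = next(v for t, v in self.claims if t == "name")

    def is_in_role(self, role):
        return ["role", role] in self.claims


if __name__ == "__main__":
    ctx = AuthzContext(resource_fs_swap(account_fs_issue("alice", TREY)))
    print(ctx.name, ctx.is_in_role("Purchaser"), ctx.is_in_role("Domain Admins"))
```

Three properties fall out of the structure and are worth checking in a real deployment the same way: the `costCenter` attribute is mapped but filtered by the claims-allowed list, so it never crosses the organizational boundary; the partner's `Domain Admins` group is carried in the token but has no mapping at the resource side, so it confers nothing; and the web agent trusts only its own Federation Service's signing key, so the token swap cannot be skipped by replaying the partner token at the application.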

Identity Federation in Action
(Diagram: the A. Datum account forest and the Trey Research resource forest connected by a federation trust.)

Active Directory Federation Services
- Extends AD to Internet scenarios: extranet single sign-on, identity federation
- Works with existing AD deployments
- Extensible and interoperable: WS-Federation, Kerberos, SAML 1.1 tokens
- Availability: Windows Server 2003 R2

Microsoft Identity and Access Roadmap
Identity and Access Platform:
- Integration Services (MIIS)
- Directory Services (AD, ADAM)
- Access Services (ADFS, InfoCard)
- Smart client SSO, web SSO, claims-based access control, federation
- Self service, delegated admin of identities, credentials, entitlements
- Metadata publication
Identity and Access Management:
- Policy authoring, compliance assessment, reporting, enforcement
- Lifecycle management
- Connectivity to other systems
Spanning web clients, smart clients, web servers and server services, Microsoft and non-Microsoft.

Additional Resources
- Visit Microsoft.com: Identity Management, AD, Windows Server System
- View Microsoft's .NET Show on ADFS
- Get familiar with the Web Services security and identity model
- Attend WS-* workshops
- Get started with WS-* using Web Services Enhancements

© 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.