Identity & Access Management Conversation Karlien Vanden Eynde Product Marketing Manager.


1 Identity & Access Management Conversation Karlien Vanden Eynde Product Marketing Manager

2 Agenda
13:30 – 14:30 Wider Identity Conversation – Kim Cameron
14:30 – 15:30 Microsoft IAM: Business Needs and IT Challenges – Henk Den Baes
15:30 – 16:00 Coffee Break
16:00 – 17:15 FIM 2010: From Identity Synchronization to Identity Management – Federico Guerrini
17:15 – 17:20 Partner Offerings
17:20 – 18:00 Networking & Cocktail

3 Digital Identity Discussion Kim Cameron Chief Architect of Identity

4 Identity
The stuff of poets and philosophers
Digital identity

5 How the web and the world recognize us in different contexts
- Foundation for personalization: the social "mouse" or "keyboard"
- Foundation for interaction, collaboration and social phenomena: I can't collaborate over time if I can't recognize and refer to you
- Foundation for the digital economy

6 Identity is a mosaic
- The disruptive ability and tendency to connect all information about individuals brings significant commercial and social risk
- A person's need to traverse silos
- A person's need for "contextual separation"

7 Architectural Problem
- The Internet was not designed with any way to know who you're connecting to
- The result is a patchwork quilt of kludges

8 www.identityblog.com

9 The Claims Based Model

10 What is the Claims-Based Model?
- An abstraction layer for authenticating, authorizing, and obtaining information about users, devices and services
- Claim: a statement made by one subject about another subject whose truth is in doubt, i.e. it has to be evaluated rather than taken as given. Examples: Email = kcameron@microsoft.com; Age > 21; Manager = Craig Wittenberg; Role = Architect
- Primordial claims: passwords, keys and certificates
- Identity metasystem: an open, standards-based architecture for the exchange of claims under user control
- Claims transformer: matches impedance, adapting the claims of one domain to the semantics of another
- Write to the model and let the infrastructure adapt to the environment

11 Flow in the Claims-Based Model
- Application: requires and uses claims to describe users
- Claims provider: supports protocols for issuing claims (a Security Token Service)
- Relationship: the context in which the meaning of the claims is defined
Diagram: 1. the application requires claims; 2. the subject gets claims from the claims provider (Security Token Service); 3. the subject sends the claims to the application.

12 How the Claims Service works
- Claims evaluation and transform: policy + claims
- Claims transformation: new semantics at domain boundaries; a different issuer (for example a "local STS"); transform from identity to capabilities
- Claims augmentation: not just identifiers!
- The output is new claims: identity, capabilities, authorization
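The transformation step of slides 11 and 12 (policy plus incoming claims producing new claims under a different issuer, with augmentation from local data), as an added example that is not part of the presentation and not Microsoft code. It assumes made-up issuer names (sts.treyresearch.example, sts.woodgrovebank.example), a constructed incoming claim set, and an in-memory map standing in for the local directory lookup:

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Claim is one statement an issuer makes about a subject, e.g. email=alice@...
type Claim struct{ Type, Value, Issuer string }

// Rule is one line of transformation policy. It fires when an incoming claim
// has Type == InType and (InValue == "" or Value == InValue), and emits a claim
// of OutType whose value is OutValue with "{value}" replaced by the input value.
type Rule struct{ InType, InValue, OutType, OutValue string }

// Transformer plays the "local STS" at a domain boundary: it accepts claims
// only from trusted issuers, re-issues what policy allows under its own issuer
// name, and augments the result from a local attribute store.
type Transformer struct {
	Issuer  string
	Trusted map[string]bool
	Rules   []Rule
	Augment map[string]map[string]string // local attributes keyed by email (assumed directory lookup)
}

// Transform evaluates policy against incoming claims. Claims that no rule
// mentions are dropped rather than forwarded: default deny at the boundary.
func (t *Transformer) Transform(in []Claim) ([]Claim, error) {
	var out []Claim
	seen := map[string]bool{}
	emit := func(typ, val string) {
		if key := typ + "\x00" + val; !seen[key] {
			seen[key] = true
			out = append(out, Claim{typ, val, t.Issuer})
		}
	}
	email := ""
	for _, c := range in {
		if !t.Trusted[c.Issuer] {
			return nil, fmt.Errorf("claim %s from untrusted issuer %q", c.Type, c.Issuer)
		}
		for _, r := range t.Rules {
			if r.InType == c.Type && (r.InValue == "" || r.InValue == c.Value) {
				emit(r.OutType, strings.ReplaceAll(r.OutValue, "{value}", c.Value))
			}
		}
		if c.Type == "email" {
			email = c.Value
		}
	}
	// augmentation: attach locally known attributes (sorted keys for a stable output order)
	attrs := t.Augment[email]
	keys := make([]string, 0, len(attrs))
	for k := range attrs {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		emit(k, attrs[k])
	}
	return out, nil
}

// Has reports whether claims contain a claim of the given type and value.
func Has(claims []Claim, typ, val string) bool {
	for _, c := range claims {
		if c.Type == typ && c.Value == val {
			return true
		}
	}
	return false
}

// DemoTransformer is the policy used below: the partner's "Architects" group
// becomes a local role claim, email passes through, everything else is dropped.
func DemoTransformer() *Transformer {
	return &Transformer{
		Issuer:  "sts.woodgrovebank.example", // assumed local STS name
		Trusted: map[string]bool{"sts.treyresearch.example": true},
		Rules: []Rule{
			{"email", "", "email", "{value}"},
			{"group", "Architects", "role", "Architect"},
		},
		Augment: map[string]map[string]string{
			"alice@treyresearch.example": {"costcenter": "4711"},
		},
	}
}

// PartnerClaims is a constructed claim set as the partner STS might issue it.
func PartnerClaims() []Claim {
	iss := "sts.treyresearch.example"
	return []Claim{
		{"email", "alice@treyresearch.example", iss},
		{"group", "Architects", iss},
		{"group", "Domain Users", iss},
		{"sid", "S-1-5-21-1-2-3-1001", iss}, // partner-internal identifier, meaningless locally
	}
}

func main() {
	out, err := DemoTransformer().Transform(PartnerClaims())
	if err != nil {
		panic(err)
	}
	for _, c := range out {
		fmt.Printf("%-10s = %-28s issuer=%s\n", c.Type, c.Value, c.Issuer)
	}
}
```

Two points to take from it: claims from an issuer the local STS does not trust are rejected outright, and claims that no rule mentions are dropped, so a partner-internal identifier such as the SID never crosses the boundary. The same rule shape is what turns a partner's group membership into a local "role" claim that an application can authorize on instead of security groups.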

13 Where is the industry in the process?
- Standards widely accepted (OASIS)
- Interoperability deeply tested (OSIS Interoperability Testing and Liberty Alliance)
- Platforms will finally have claims as a built-in feature: Microsoft ADFS V2 is shipping now as part of Active Directory; expect wide adoption and deployment given no marginal cost
- COTS software can count on claims "being there"; example: Microsoft flagship applications like SharePoint
- Great products by many vendors
- Cloud service adoption and strong competition
- Many proofs of concept by private enterprise and government

14 New initiatives in the consumer space: OpenID
- Metasystem model
- Big service providers are all supporting OpenID (Yahoo, AOL, Google, Windows Live, etc.)
- Many small providers (e.g. universities)
- US Government support
- Widely available software for ISVs
- Severe security issues being worked on by the industry

15 Identity selector for OpenID

16 The Claims Architecture

17 Architecture, Starting with the Enterprise
Diagram: an enterprise with its identity stores and enterprise applications (roles, properties); its partner with its own identity stores; the Microsoft Services identity backbone. A "?" marks how the three are to be connected.

18 Industry Standard Components
Diagram: a claims service in front of each identity store; enterprise applications consume claims through a claims API; the enterprise identity backbone (roles, properties) and the Microsoft Services identity backbone exchange claims; the interactions are numbered 1 to 3.

19 The Claims Service
Diagram: claims services front a directory, a database and a partner; enterprise applications consume the resulting claims through a claims API over the enterprise identity backbone, which also exchanges claims with the Microsoft Services identity backbone.

20 Architecture Works for Cloud, Too
Diagram: the same pattern with a cloud application behind a claims API on a cloud service identity backbone, and claims services fronting a directory, a database, an enterprise and a university.

21 From Architecture To Off-The-Shelf Product

22 Active Directory Federation Services
- Shared identity with partner organizations and cloud services
- Boost cross-organizational efficiency and communication with more secure access
  − Support the sharing of rights-protected messages between organizations
  − Improved support for Microsoft SharePoint Server as a claims-aware application
Diagram: Trey Research (account forest: AD DS, AD FS, user account/credentials) and Woodgrove Bank (resource forest: AD DS, AD FS, AD RMS, SharePoint Server farm, Exchange 2010) are linked by a federation trust; business partners connect the same way. Flow: application access; redirect to the Security Token Service (STS); authentication; security token and claims; post claims.

23 Single Sign On with Extended Collaboration
- Implements a single user access model with native single sign-on (SSO) and easier federation to on-premises and cloud services
- Helps provide consistent security with a single user access model externalized from applications
- Based on open, industry-standard protocols for interoperability
Diagram: a corporate user presents a security token (e.g., a Kerberos ticket) to AD FS; AD FS creates a SAML token, signs it with the company's private key and sends it back to the user; the user's access to the claims-aware application (Exchange, SharePoint, a web app, a partner, or cloud services) is supplied with that token.

24 Seamless Access to On-Premises and In-Cloud Web Apps
- SSO for on-premises and in-cloud applications
- Native support for web and application SSO (including multi-factor authentication)
- Addresses the security risks and interoperability problems caused by extending business resources beyond the corporate network and across disparate systems
Diagram: corporate users, remote employees and business partners obtain an authentication token from AD FS (backed by AD DS) and get seamless access to on-premises and in-cloud web apps.
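The token exchange of slides 23 and 24 (the STS signs a token with the company's private key; the application grants access only on presentation of that token), as an added example that is not from the presentation and not AD FS code. It uses a JSON payload with an RSA signature in place of a SAML assertion, and assumed names for the STS and the application; the point is the sequence of checks a claims-aware application must make before it treats any claim as true:

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Token is what the STS signs: who issued it, which application it is for,
// when it expires, and the claims about the user.
type Token struct {
	Issuer   string            `json:"iss"`
	Audience string            `json:"aud"`
	Expires  int64             `json:"exp"`
	Claims   map[string]string `json:"claims"`
}

// SignedToken carries the serialised Token and the STS's RSA signature over its SHA-256 digest.
type SignedToken struct{ Payload, Signature []byte }

// NewSigningKey generates the STS's private key (demo only; AD FS uses its token-signing certificate).
func NewSigningKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// Issue is the STS side: serialise and sign. Only the holder of the private key can mint tokens.
func Issue(key *rsa.PrivateKey, issuer, audience string, ttl time.Duration, claims map[string]string, now time.Time) (SignedToken, error) {
	payload, err := json.Marshal(Token{issuer, audience, now.Add(ttl).Unix(), claims})
	if err != nil {
		return SignedToken{}, err
	}
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return SignedToken{}, err
	}
	return SignedToken{payload, sig}, nil
}

// RelyingParty is a claims-aware application: the STS public keys it trusts,
// keyed by issuer name, and the claim types it requires.
type RelyingParty struct {
	Name     string
	Issuers  map[string]*rsa.PublicKey
	Required []string
}

// Trust registers an STS whose tokens this application accepts.
func (rp *RelyingParty) Trust(issuer string, key *rsa.PrivateKey) {
	if rp.Issuers == nil {
		rp.Issuers = map[string]*rsa.PublicKey{}
	}
	rp.Issuers[issuer] = &key.PublicKey
}

// Verify checks, in order: trusted issuer, valid signature, intended audience,
// not expired, required claims present. Claims are returned only if all pass.
func (rp *RelyingParty) Verify(st SignedToken, now time.Time) (map[string]string, error) {
	var t Token
	if err := json.Unmarshal(st.Payload, &t); err != nil {
		return nil, err
	}
	pub, ok := rp.Issuers[t.Issuer] // the claimed issuer only selects the key; nothing is trusted yet
	if !ok {
		return nil, fmt.Errorf("untrusted issuer %q", t.Issuer)
	}
	digest := sha256.Sum256(st.Payload)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], st.Signature); err != nil {
		return nil, errors.New("bad signature")
	}
	if t.Audience != rp.Name {
		return nil, fmt.Errorf("token for %q presented to %q", t.Audience, rp.Name)
	}
	if now.Unix() >= t.Expires {
		return nil, errors.New("token expired")
	}
	for _, r := range rp.Required {
		if _, ok := t.Claims[r]; !ok {
			return nil, fmt.Errorf("required claim %q missing", r)
		}
	}
	return t.Claims, nil
}

// Tamper rewrites one claim value inside the signed payload, as someone on the wire might.
func Tamper(st SignedToken, from, to string) SignedToken {
	return SignedToken{bytes.ReplaceAll(st.Payload, []byte(from), []byte(to)), st.Signature}
}

func main() {
	key := NewSigningKey()
	now := time.Now()
	app := &RelyingParty{Name: "sharepoint.woodgrovebank.example", Required: []string{"email", "role"}} // assumed names
	app.Trust("adfs.woodgrovebank.example", key)
	tok, err := Issue(key, "adfs.woodgrovebank.example", app.Name, 10*time.Minute,
		map[string]string{"email": "alice@woodgrovebank.example", "role": "Architect"}, now)
	if err != nil {
		panic(err)
	}
	claims, err := app.Verify(tok, now)
	fmt.Println("genuine:", claims, err)
	_, err = app.Verify(Tamper(tok, "Architect", "Admin"), now)
	fmt.Println("tampered:", err)
}
```

Order matters: the issuer named in the token only selects which public key to verify with, so an unknown issuer is rejected before any claim is read, and the audience check stops a token issued for one application from being replayed at another. Changing a single claim value, as Tamper does, invalidates the signature, which is what lets the application externalize authentication to the STS in the first place.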

25 Managing the Use of Claims Provisioning Claims and Resources

26 Identity Management: User Provisioning
- Policy-based identity lifecycle management system
- Built-in workflow for identity management
- Automatically synchronizes all user information to the different directories across the enterprise
- Automates the process of on-boarding users
Diagram: connected systems (Active Directory, Lotus Domino, LDAP, SQL Server, Oracle DB, HR system) synchronized through FIM, with the FIM workflow manager and FIM CM. Flow: user enrollment; approval; user provisioned on all allowed systems.

27 Forefront Identity Manager 2010
- FIM enables identity-based controls for information protection, enforced through Windows Server and Active Directory Rights Management Services
- FIM enables application and network access controls, enforced in Forefront Unified Access Gateway
- FIM enables federation and cloud-based services: FIM supplies data for claims, performs user account provisioning and deprovisioning, and manages smartcards or software certificates

28 FIM Enables Federation and Cloud
- FIM supplies AD FS with data for claims; for example, construct a "role" claim based on data in FIM and use it for authorization in place of security groups
- FIM supplies cloud-based services with user account provisioning and de-provisioning, for services which need a copy of the directory
- FIM provisions users with smartcards or software certificates, enabling users to leverage stronger authentication than just a password for access to cloud-based services

29 FIM Manages Primordial Claims
- Increase access security beyond username-and-password solutions
- Streamline deployment by enrolling user and computer certificates without user intervention
- Simplify certificate and smartcard management using Forefront Identity Manager (FIM)
- Enhance remote access security through certificates with Network Access Protection
- Stronger authentication through certificates for administrative access and management
Diagram (HR system, FIM, FIM CM, Active Directory Certificate Services (AD CS), end user): the HR system sends a user enrollment and authentication request; FIM policy triggers a request for FIM CM to issue a certificate or smartcard; the user is validated using multi-factor authentication; FIM Certificate Management (CM) requests certificate creation from AD CS; the certificate is issued to the user and written to either the machine or a smartcard. The end user then authenticates with the smartcard rather than a user ID and password.

30 Workflow Management
- Enables IT to quickly define, automate, and enforce identity management policies
- IT can use the integrated workflow in the approval/rejection process
- Automatic notifications for request approvals or rejections

31 Directions Minimal Disclosure and Interscale Directory

32 Important New Frontier: Minimal Disclosure Technology
Diagram: the identity provider holds Alice's record (Name: Alice Smith; Address: 1234 Pine, Seattle, WA; D.O.B.: 23-11-1955), and the same full record appears at the relying party.

33 Minimal Disclosure Token
Diagram: the relying party asks "Prove that you are over 21 and from WA". The identity provider still holds the full record (Name: Alice Smith; Address: 1234 Pine, Seattle, WA; D.O.B.: 23-11-1955), but the relying party receives only an over-21 proof and is left asking "Which adult from WA is this?"
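The over-21 proof of slides 32 and 33, as an added example that is not from the presentation and is not U-Prove: selective disclosure with salted hash commitments. The identity provider signs only the salted digests of Alice's attributes, including predicates it evaluates at issuance such as over21, and Alice reveals just the salts and values she chooses. The issuer name is assumed and Alice's record is the one on the slide. One caveat the reader should keep in mind: the issuer's signature is the same in every presentation, so an issuer and a relying party comparing notes could correlate Alice's visits; this shows the data-minimisation half of the slide, not the unlinkability that U-Prove adds on top.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Disclosure is one attribute the holder may reveal, with the random salt that
// was hashed with it at issuance. Without the salt a verifier cannot brute-force
// low-entropy values (a state, a yes/no) from the digests alone.
type Disclosure struct{ Salt, Name, Value string }

// Credential is what the identity provider signs: the salted digests of the
// attributes, never the attributes themselves.
type Credential struct {
	Issuer    string
	Digests   []string
	Signature []byte
}

func digest(d Disclosure) string {
	h := sha256.Sum256([]byte(d.Salt + "|" + d.Name + "|" + d.Value))
	return hex.EncodeToString(h[:])
}

func signedBytes(c Credential) []byte {
	return []byte(c.Issuer + "|" + strings.Join(c.Digests, ","))
}

// NewIssuerKey generates the identity provider's signing key (demo only).
func NewIssuerKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// Issue salts and hashes every attribute, sorts the digests so their order says
// nothing about which is which, and signs the list. The disclosures go only to the holder.
func Issue(key *rsa.PrivateKey, issuer string, attrs map[string]string) (Credential, []Disclosure, error) {
	c := Credential{Issuer: issuer}
	var all []Disclosure
	for name, value := range attrs {
		salt := make([]byte, 16)
		if _, err := rand.Read(salt); err != nil {
			return Credential{}, nil, err
		}
		d := Disclosure{hex.EncodeToString(salt), name, value}
		all = append(all, d)
		c.Digests = append(c.Digests, digest(d))
	}
	sort.Strings(c.Digests)
	h := sha256.Sum256(signedBytes(c))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	if err != nil {
		return Credential{}, nil, err
	}
	c.Signature = sig
	return c, all, nil
}

// Present picks the disclosures the holder is willing to show (copies, so the
// holder's own set is never modified).
func Present(all []Disclosure, names ...string) []Disclosure {
	want := map[string]bool{}
	for _, n := range names {
		want[n] = true
	}
	var out []Disclosure
	for _, d := range all {
		if want[d.Name] {
			out = append(out, d)
		}
	}
	return out
}

// Verify is the relying party: check the issuer's signature over the digest list,
// then recompute each presented disclosure's digest and require it in that list.
// It learns only the attributes that were presented.
func Verify(pub *rsa.PublicKey, c Credential, presented []Disclosure) (map[string]string, error) {
	h := sha256.Sum256(signedBytes(c))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], c.Signature); err != nil {
		return nil, errors.New("bad issuer signature")
	}
	known := map[string]bool{}
	for _, d := range c.Digests {
		known[d] = true
	}
	shown := map[string]string{}
	for _, d := range presented {
		if !known[digest(d)] {
			return nil, fmt.Errorf("attribute %q is not covered by the credential", d.Name)
		}
		shown[d.Name] = d.Value
	}
	return shown, nil
}

func main() {
	key := NewIssuerKey()
	// Alice's record at the identity provider; over21 and state are predicates
	// the issuer derives from the date of birth and address at issuance.
	cred, mine, err := Issue(key, "idp.example", map[string]string{
		"name": "Alice Smith", "address": "1234 Pine, Seattle, WA",
		"dob": "23-11-1955", "state": "WA", "over21": "true",
	})
	if err != nil {
		panic(err)
	}
	shown, err := Verify(&key.PublicKey, cred, Present(mine, "over21", "state"))
	fmt.Println(shown, err) // the relying party never sees name, address or dob
}
```

The relying party can confirm that "over 21" and "WA" were vouched for by the identity provider without learning who Alice is, which is the slide's "Which adult from WA is this?"; a disclosure with a guessed salt, or a presented value that differs from what was issued, fails the digest check.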

34 Minimal Disclosure Scenarios (diagram: eID, birth certificate, RP)

35 Ordering a New Birth Certificate

36 Minimal Disclosure Scenarios (diagram: eID, dating site, RP)

37 Visiting a Social Website

38 And finally ... Towards a federated directory
- We need a directory metasystem that works holistically in the cloud, in enterprises and organizations, and on devices
- Shared architecture, data model and semantics, protocols, publication paradigm
- Policy framework for configuration
- Simple APIs integrated with developer platforms

