Published by Dwight Bennett. Modified over 9 years ago.
Slide 1: Brian Puhl, Principal Technology Architect, MSIT Identity & Access Management, Microsoft Corporation. Session code: SIA302
Slide 9 (diagram): A. Datum account forest and Trey Research resource forest; federation trust between Microsoft (users) and E-Company Store (resource).
Slide 10 (diagram): LOB Application 1, LOB Application 2 ... N, SharePoint sites, file servers; authorization components; authentication infrastructure services.
Slide 11 (diagram): LOB Application 1, LOB Application 2 ... N, SharePoint sites, file servers; authentication and authorization infrastructure services.
Slide 12:

Contract ID   Region   Country   Account Mgr.   Sales Mgr.
101           NA       US        Jason          John
102           EU       UK        Joe            Sam
103           EU       FR        Ariel          Jorge
104           EU       FR        Ariel          Linda
105           EU       DE        Jon            Sarah

Business policy:
- Account managers: read contracts in their region; edit contracts in their country; create new contracts.
- Sales reps: edit contracts they own.

Application roles: Create, Read, Update.

How do you build the token for Ariel?
- "Read"? This doesn't work.
- "Create"? Doesn't reflect the policy.
- "Create, 102/Read, 103/Update, 104/Update, 105/Read"? Token bloat with too many values.
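The token question on this slide, worked through as an added Python example that is not part of the presentation: the contract table and business policy are embedded inline, the per-contract claim list the slide calls token bloat is generated, and beside it an evaluation function decides the same policy from only name, role, region and country claims. The "contracts they own" rule for sales reps is assumed to refer to the Sales Mgr. column.

```python
# Added example: the slide's contract table and business policy, with the
# per-contract "bloated" token next to attribute claims evaluated by the app.
# Contract table as shown on the slide (constructed inline).
CONTRACTS = {
    101: {"region": "NA", "country": "US", "account_mgr": "Jason", "sales_mgr": "John"},
    102: {"region": "EU", "country": "UK", "account_mgr": "Joe", "sales_mgr": "Sam"},
    103: {"region": "EU", "country": "FR", "account_mgr": "Ariel", "sales_mgr": "Jorge"},
    104: {"region": "EU", "country": "FR", "account_mgr": "Ariel", "sales_mgr": "Linda"},
    105: {"region": "EU", "country": "DE", "account_mgr": "Jon", "sales_mgr": "Sarah"},
}

RANK = {"Read": 1, "Update": 2}  # Update supersedes Read when the token is enumerated


def permissions(user, contract_id):
    """Business policy from the slide, decided at access time from a few
    identity claims (name, role, region, country) plus contract attributes."""
    c = CONTRACTS[contract_id]
    perms = set()
    if user["role"] == "AccountMgr":
        perms.add("Create")                      # create new contracts
        if c["region"] == user["region"]:
            perms.add("Read")                    # read contracts in their region
        if c["country"] == user["country"]:
            perms.add("Update")                  # edit contracts in their country
    # Assumption: "contracts they own" means the Sales Mgr. column of the table.
    if user["role"] == "SalesRep" and c["sales_mgr"] == user["name"]:
        perms.add("Update")
    return perms


def bloated_token(user):
    """The enumeration the slide rejects: one value per contract. It grows
    with the contract table and must be reissued whenever a row changes."""
    claims = ["Create"] if user["role"] == "AccountMgr" else []
    for cid in sorted(CONTRACTS):
        per_contract = permissions(user, cid) - {"Create"}
        if per_contract:
            claims.append(f"{cid}/{max(per_contract, key=RANK.get)}")
    return claims


def lean_token(user):
    """What the identity STS needs to issue: attributes, not decisions."""
    return {k: user[k] for k in ("name", "role", "region", "country")}


def is_allowed(user, contract_id, action):
    """Application-side check: evaluate the policy instead of parsing claim lists."""
    return action in permissions(user, contract_id)


ARIEL = {"name": "Ariel", "role": "AccountMgr", "region": "EU", "country": "FR"}
```

Ariel's enumerated token reproduces the slide's five values, while the lean token carries four attributes whose meaning does not change when contract 106 is added.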
Slide 13:
- Identity STS: authentication, partner federation, identity normalization, immutable identifiers.
- App Suite STS: augmented claims, authorization tokens.
Slide 14: ADFS issues authentication tickets to the PARTNER REALM, not to any specific application. Once a user is authenticated by ADFS, the PARTNER ADFS SERVER will issue tokens for any application which trusts it, without going back for authorization.
Slide 17 (diagram): Policy does not allow the service to issue a token based on the SERVICE PROVIDER'S policy (e.g. subscription to services).
Slide 19: Microsoft BPOS. Policy must reflect the application access CONTOSO has for its users, but is enforced at the federation broker STS.
Slide 20: Loss of personal/confidential data
- Recoverability after termination
- The enterprise should not have to provide access to corporate IDs
- Users should not have to find and re-permission their data to a new account
Slide 24: http://www.google.com/a/cpanel/premier/new
Slides 25 to 33 (diagram sequence): Microsoft Federation Gateway, Exchange Online, Corporate Network.
- Identifiers shown: ID: 12345, UPN: joe@foo.local, PUID: E0A178, MAIL: joe@corp.com; slide 32 adds PWD: P@ssword.
- Step labels by slide: 28 "SSL TUNNEL", "Basic Auth - UPN & PW"; 29 "Home Realm Discovery", "UPN & PW", "STS URL"; 30 "UPN & PW", "joe@foo.local & 12345"; 31 "Joe@foo.local & 12345", "E0A178"; 33 "RPC/HTTPS".
Slide 36:

Breakout Sessions
- SIA321 | Business Ready Security: Exploring the Identity and Access Management Solution
- SIA201 | Understanding Claims-Based Applications: An Overview of Active Directory Federation Services (AD FS) 2.0 and Windows Identity Foundation
- SIA302 | Identity and Access Management: Centralizing Application Authorization Using Active Directory Federation Services 2.0
- SIA303 | Identity and Access Management: Windows Identity Foundation and Windows Azure
- SIA304 | Identity and Access Management: Windows Identity Foundation Overview
- SIA305 | Top 5 Security and Privacy Challenges in Identity Infrastructures and How to Overcome Them with U-Prove
- SIA306 | Night of the Living Directory: Understanding the Windows Server 2008 R2 Active Directory Recycle Bin
- SIA307 | Identity and Access Management: Deploying Microsoft Forefront Identity Manager 2010 Certificate Management for Microsoft IT
- SIA318 | Microsoft Forefront Identity Manager 2010: Deploying FIM
- SIA319 | Microsoft Forefront Identity Manager 2010: In Production
- SIA326 | Identity and Access Management: Single Sign-on Across Organizations and the Cloud - Active Directory Federation Services 2.0 Architecture Drilldown
- SIA327 | Identity and Access Management: Managing Active Directory Using Microsoft Forefront Identity Manager
- SIA01-INT | Identity and Access Management: Best Practices for Deploying and Managing Active Directory Federation Services (AD-FS) 2.0
- SIA03-INT | Identity and Access Management: Best Practices for Deploying and Managing Microsoft Forefront Identity Manager
- SIA06-INT | Identity and Access Management Solution Demos

Hands-On Labs
- SIA02-HOL | Microsoft Forefront Identity Manager 2010 Overview
- SIA06-HOL | Identity and Access Management Solution: Business Ready Security with Microsoft Forefront and Active Directory

Product Demo Stations
- Red SIA-5 & SIA-6 | Microsoft Forefront Identity and Access Management Solution
Slide 37: Learn more about our solutions: http://www.microsoft.com/forefront. Try our products: http://www.microsoft.com/forefront/trial
Slide 38: www.microsoft.com/teched, www.microsoft.com/learning, http://microsoft.com/technet, http://microsoft.com/msdn
Slide 40: Sign up for Tech·Ed 2011 and save $500 starting June 8 – June 31st: http://northamerica.msteched.com/registration. You can also register at the North America 2011 kiosk located at registration. Join us in Atlanta next year.