1 Solving the Identity Management problem using MIIS and ADFS
Sandeep Katyal, Technologist, Microsoft
Copyright Microsoft Corp. 2006

2 Session Objectives And Key Takeaways
Session objectives:
- Introduce concepts in Microsoft Identity Integration Server: provisioning, group management, lifecycle management, and consistency enforcement
- Introduce the Web SSO scenario with ADFS

3 Situation
- Increasingly connected systems
- Connections span technical, org boundaries
- Distinctions blur - customer, partner, employee, intranet, Internet
- Demand for business process integration
- Clear business drivers around security, cost efficiency, regulatory compliance
- Issues around policy, assessment, reporting
- Rapid rise of threats to online safety
- Concerns over privacy, tracking

4 Agenda - MIIS
- Identity and Lifecycle Management Scenarios
- Provisioning and Group Management with MIIS 2003
- Password Management
- MIIS Roadmap

5 The ID Lifecycle
New User
- User ID creation
- Credential issuance
- Access rights
Account Changes
- Promotions
- Transfers
- New privileges
- Attribute changes
Password Mgmt
- Strong passwords
- "Lost" password
- Password reset
Retire User
- Delete/freeze accounts
- Delete/freeze entitlements
Synchronize Identity
- Extend lifecycle information across all identity stores
Entitlement Reporting
- Audit/log any ILM changes
- Keep track of entitlements

6 MIIS – Identity Broker
[Diagram: HR System, Infra Application, Lotus Notes Apps, In-House Application, COTS Application and Contractor System each carry their own Authentication, Authorization and Identity Data; Identity Integration connects them to the Enterprise Directory]
"Identity Integration": rock solid software to integrate identity

7 MIIS Identity Broker Scenarios
- Hire scenario
- Fire scenario
- Join scenario
- Identity data aggregation
- Identity data brokering (identity convergence)
- Identity data integrity enforcement

8 Hire Scenario
[Diagram: HR System feeds MIIS, which provisions Notes, Contractor System, AD Application Mode, SQL Server, iPlanet Directory, Active Directory and Lotus Notes over File, LDAP and SQL connections]

9 Fire Scenario
[Diagram: same systems and connections as the hire scenario; the termination recorded in the HR System flows through MIIS to Notes, Contractor System, AD Application Mode, SQL Server, iPlanet Directory, Active Directory and Lotus Notes]

10 Identity Joining Scenario
[Diagram: HR System, iPlanet Directory, Active Directory and Lotus Notes each hold the attributes givenName, sn, title, mail, employeeID, telephone and are connected through MIIS. The HR record is projected to the metaverse; the other records are joined on employeeID, except the iPlanet record, whose employeeID (008) does not match and which is labelled Manual Join]

Source             givenName  sn       title      mail               employeeID  telephone
HR System          Clark      Kent     Reporter   Clark@contoso.com  007         867-5309
iPlanet Directory  Klarek     Cenntt                                 008
Active Directory   Clark      Kennttt                                007
Lotus Notes        Klarke     Kent     Superhero                     007         867-5309
Metaverse          Clark      Kent                                   007

11 Attribute Flow Scenario
[Diagram: Identity Data Aggregation. The same four sources and attribute columns as slide 10 (HR System columns: FirstName, LastName, EmployeeID, Title, E-Mail, Telephone); the values held by each joined record flow into the single metaverse object: Clark, Kent, Reporter, Clark@contoso.com, 007, 867-5309]

12 Attribute Flow Scenario
[Diagram: Identity Data Brokering (Convergence). The aggregated metaverse values flow back out so that every connected directory holds Clark, Kent, Reporter, Clark@contoso.com, 007, 867-5309]

13 Attribute Flow Scenario
[Diagram: Identity Data Integrity Enforcement. After convergence, the title in Lotus Notes is changed from Reporter to Superhero while the metaverse and the other stores still hold Reporter]

14 Identity Data Integrity Enforcement
[Diagram: the non-authoritative change (Superhero) is overwritten with the metaverse value Reporter on the next synchronization; the slide also shows Publisher as a title value in some of the stores]
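As an added illustration of slides 10 to 14 (this is example code, not MIIS's own code or API), a small Python model of the metaverse cycle: projection from HR, join on employeeID with one manual join, attribute aggregation by precedence, convergence back to the connected directories, and integrity enforcement. The records are constructed after the Clark Kent example, and the precedence order and every function name are assumptions.

```python
"""Toy model of the MIIS projection / join / attribute-flow cycle (illustrative)."""
from copy import deepcopy

ATTRS = ("givenName", "sn", "title", "mail", "employeeID", "telephone")
# One record per connected directory (constructed; HR deliberately lacks telephone).
CONNECTORS = {
    "HR": [{"givenName": "Clark", "sn": "Kent", "title": "Reporter",
            "mail": "Clark@contoso.com", "employeeID": "007"}],
    "AD": [{"givenName": "Clark", "sn": "Kennttt", "employeeID": "007"}],
    "Notes": [{"givenName": "Klarke", "sn": "Kent", "title": "Superhero",
               "employeeID": "007", "telephone": "867-5309"}],
    "iPlanet": [{"givenName": "Klarek", "sn": "Cenntt", "employeeID": "008"}],
}
PRECEDENCE = ("HR", "AD", "Notes", "iPlanet")   # assumed: HR is authoritative
MANUAL_JOINS = {("iPlanet", "008"): "007"}      # the administrator's manual join

def join_key(source, rec):
    """Join rule: employeeID, unless an administrator joined the record by hand."""
    return MANUAL_JOINS.get((source, rec["employeeID"]), rec["employeeID"])

def import_flow(connectors):
    """Build the metaverse: HR projects new objects, every other source only joins,
    and each attribute is taken from the highest-precedence source that has it."""
    metaverse = {r["employeeID"]: {"employeeID": r["employeeID"]} for r in connectors["HR"]}
    for source in PRECEDENCE:
        for rec in connectors[source]:
            mv = metaverse.get(join_key(source, rec))
            if mv is None:
                continue            # no join partner: the record stays a disconnector
            for attr in ATTRS:
                if attr in rec and attr not in mv:
                    mv[attr] = rec[attr]
    return metaverse

def export_flow(metaverse, connectors):
    """Brokering/convergence: write the metaverse view back to every joined record."""
    out = deepcopy(connectors)
    for source in PRECEDENCE:
        for rec in out[source]:
            mv = metaverse.get(join_key(source, rec))
            if mv is not None:
                rec.update(mv)      # also corrects iPlanet's wrong employeeID 008
    return out

def sync_cycle(connectors):
    """One full import/export run."""
    metaverse = import_flow(connectors)
    return metaverse, export_flow(metaverse, connectors)

def integrity_demo():
    """Converge once, then show a non-authoritative edit being reverted."""
    metaverse, converged = sync_cycle(CONNECTORS)
    tampered = deepcopy(converged)
    tampered["Notes"][0]["title"] = "Superhero"   # edited directly in Lotus Notes
    _, enforced = sync_cycle(tampered)            # HR still says Reporter, so it wins
    return metaverse, converged, enforced
```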

15 Agenda - MIIS
- Identity and Lifecycle Management Scenarios
- Provisioning and Group Management with MIIS 2003
- Password Management
- MIIS Roadmap

16 Provisioning Scenarios
Dataflow driven provisioning
- Provisioning data mastered from an upstream system (like SAP)
- MIIS 2003 scenario
Self-service entry point with workflow
- Allow delegated users to trigger provisioning actions through web applications
  - Personal information changes, password resets
- Approval processes can be required
  - Account requests, group membership requests
Dataflow driven provisioning with workflow
- Add approval processes to provisioning processes initiated by upstream system (like SAP)
  - New employee joins, manager needs to approve DL membership

17 MIIS 2003 SP1 Provisioning
MIIS 2003
- Administrator had to write code for provisioning
MIIS SP1 Resource Kit
- Additional tools
- Provisioning code generator
  - Declarative UI for provisioning
  - Generates provisioning code
  - Enables provisioning and registers provisioning DLL
  - Source code can be extended with custom code

18 Group Management
Manage group membership across heterogeneous systems
- Use of the built-in capabilities for managing reference attributes
Authoritative data for group membership can be
- a connected directory (e.g. AD)
- calculated based on attributes; results imported into MIIS by using a Management Agent

19 Group Populator
[Diagram: HR Database -> MIIS (query against the integrated view) -> Active Directory (import group definition and members)]

20 Workflow with MIIS 2003
Workflow not integrated in MIIS 2003
Easy to extend MIIS with workflow
- MIIS 2003 SP1 Resource Kit: workflow application (account request application)
  http://www.microsoft.com/downloads/details.aspx?FamilyId=D3C7BD7A-E8D5-43CF-AD4D-4F1F0AE00D79&displaylang=en
- Identity and Access Management Series: HR driven provisioning with workflow
  http://www.microsoft.com/technet/security/topics/identitymanagement/idmanage/default.mspx
- Partner tools - MIIS Alliance
- Complex workflow: integrate BizTalk with MIIS
Future MIIS versions
- Powerful workflow engine fully integrated in MIIS

21 Agenda - MIIS
- Identity and Lifecycle Management Scenarios
- Provisioning and Group Management with MIIS 2003
- Password Management
- MIIS Roadmap

22 MIIS Password Management
A complete solution
- Accounts secure from provisioning to de-provisioning
  - Initial password set feature
  - Guarantees strong passwords
- Reduced sign-on capabilities
  - Password sync initiated from Windows desktop
- Ability for end users to manage passwords in systems that do not participate in password synchronization
  - Web portal allows end users to manage passwords in connected identity stores
- Forgotten passwords
  - Self-service password reset solution

23 Agenda - MIIS
- Identity and Lifecycle Management Scenarios
- Provisioning and Group Management with MIIS 2003
- Password Management
- MIIS Roadmap

24 MIIS Roadmap
Extending MA reach and password capabilities (Done)
- Additional MAs
- MA SDK
- Password extensions
- Password synchronization
Extending MA reach (Ongoing, started June '05)
- Additional MAs
Improving password management capabilities (MIIS 2003 SP2, CY06)
- End-user self-service password reset
Further lowering the cost and risks of Identity Management (MIIS "Gemini")
- Codeless provisioning
- Entitlement reporting
- Self-service platform
- Additional MAs
Tools to simplify MIIS deployments (Done)
- Provisioning Wizard
- Workflow sample app

26 MIIS 2003 SP1 – Management Agents
New MAs
- IBM DB2: version 7 or 8.1; Windows OS, Linux and OS/400
- IBM DS: version 4.1, 5.1 and 5.2; Windows OS only at this time
Improved MA support
- Sun One 5.2
- eDirectory 8.73

27 MIIS Reach
Wide range of connectivity
- Active Directory & ADAM
- Sun/iPlanet Directory
- IBM DS
- Novell eDirectory
- Microsoft SQL 2000 & SQL 7
- Oracle 9i/8i
- IBM DB2
- Lotus Notes 5.x/6.x
- Microsoft Exchange 5.5, 2K, 2K3
- Microsoft NT 4.x
- RACF
- DSML, LDIF, CSV, fixed width
- ...others to follow
MA SDK allows ISVs and corporate developers to build custom MAs
[Diagram: identity data reached over LDAP and SQL; categories shown: NOS, LOB Apps]

28 Agenda - ADFS
- Problem: High cost of extending your network for eBusiness
- Solution: Identity Federation is the key
- Product: Microsoft Active Directory Federation Services (ADFS)

29 Windows SSO to your Internal Network
Active Directory: logon to Windows
Flexible authentication:
- Kerberos
- X.509 v3 / smartcard / PKI
- VPN / 802.1x / RADIUS
- LDAP
- Passport / Digest / Basic (web)
- SSPI / SPNEGO
Single sign-on to:
- Windows file/print servers
- Microsoft applications
- 390/AS400 (Host Integration Server)
- ERP (BizTalk, SharePoint ESSO)
- 3rd-party integrated apps
- Web applications via IIS
- Unix/J2EE (Services for Unix, Vintela)
[Diagram: Exchange, web apps, file shares and Windows-integrated applications reached from one Windows logon]

30 Identity Integration
Ensure consistency of digital identity data
Active Directory & ADAM
- Single store for users, computers, services, groups, etc.
- Distributed, replicated for availability
- Automated security policy
- LDAP v3 compliant
- ADAM for app-specific data
Identity Integration Server
- Digital identity integration (metadirectory)
- Identity lifecycle management
- Password management
[Diagram: Active Directory as the account directory, synchronized over LDAP and SQL with an enterprise app, Exchange, a web service, a file share and other applications]

31 eBusiness Extends your Network
[Diagram: your COMPANY and your EMPLOYEES at the centre, surrounded by your SUPPLIERS, your PARTNERS, your REMOTE and VIRTUAL EMPLOYEES, and your CUSTOMERS]
Business drivers:
- Customer satisfaction & customer intimacy
- Cost competitiveness
- Reach, personalization
- Collaboration
- Outsourcing
- Faster business cycles; process automation
- Value chain
- M&A
- Mobile/global workforce
- Flexible/temp workforce

32 Existing IdM Approaches
Extending your network to external users

Approach                            Issues
VPN + Local accounts                Client VPN software required
(for external users)                Excessive network access allowed
                                    Partner account management burden
Windows Forest Trust                Requires native mode Windows 2003 Forests
                                    Extensive firewall configuration
Web SSO Solutions + Local accounts  Expensive 3rd party products
                                    Redundant infrastructure
                                    Partner account management burden
Custom Solutions + Local accounts   Expensive, custom software development
                                    Costly client software deployment for partners
                                    Partner account management burden

33 Business Costs of Partner Account Management
Regulatory Compliance
- Privacy protection
- End-end auditing
- Repudiation
End User Productivity
- Provisioning latency
- Forgotten passwords
- Logon frequency
IT/Helpdesk Efficiency
- Account provisioning requests
- Password reset requests
- Account proliferation
Security
- Orphaned or inaccurate accounts
- Compromised passwords
- Unnecessary access

34 Agenda - ADFS
- Problem: High cost of extending your network for eBusiness
- Solution: Identity Federation is the key
- Product: Microsoft Active Directory Federation Services (ADFS)

35 Identity Federation
Standards-based technology & processes...
- projecting user identity from a single logon...
- distributed authentication & claims-based authorization...
- across boundaries (security, departmental, organizational or platform boundaries)

36 Security Tokens & Claims
Distributed authentication/authorization
- Security tokens assert claims
- Claims: statements authorities make about security principals (name, identity, key, group, privilege, capability, etc.)
[Diagram: a signed security token carrying claims plus a proof of possession. Token formats shown: X.509, Kerberos, XrML, SAML; proof of possession: secret key, password]

37 Security Token Service
- A security token service issues security tokens
- STSs can "swap" tokens as a request crosses security domain boundaries
[Diagram: a Key Distribution Center shown as an example of a security token service]

38 Scenario: Web SSO
- User credentials and attributes managed in AD or ADAM at "resource realm"
- Authentication via Windows logon or web-based
- Single sign-on to web farm
- Authorization based on claims from "resource realm"
[Diagram: customers, business partners and employees authenticate to one STS in front of the web farm]

39 Scenario: Identity Federation
- User credentials and attributes managed in "home realm" by partner organization
- Authentication via Windows logon or web-based
- Single sign-on to web farm across organizational or platform boundaries
- Authorization based on claims from "home realm"
[Diagram: business partners authenticate to their own STS, which federates with the STS in front of the web farm]
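As an added example of the token swap in slides 36 to 39 and the trust/security/privacy/audit duties of a federation server, a Python model that is not part of the slides and not ADFS code: HMAC-signed JSON claim sets stand in for SAML tokens, and the realm names (A. Datum as account realm, Trey Research as resource realm), keys, users and claim names are all constructed.

```python
"""Illustrative STS-to-STS token swap across a federation trust (not ADFS)."""
import hashlib, hmac, json, time

def sign(claims, key):
    """Constructed token format: claims plus HMAC-SHA256 over their canonical JSON."""
    body = json.dumps(claims, sort_keys=True).encode()
    return {"claims": claims, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}

def verify(token, key):
    """Check signature (constant-time compare) and expiry."""
    body = json.dumps(token["claims"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, token["sig"]) and token["claims"].get("exp", 0) > time.time()

# Account realm (home realm): authenticates its own users and asserts claims.
ADATUM_KEY = b"adatum-signing-key-constructed"
ADATUM_USERS = {"alice": {"groups": ["Purchasing"], "mail": "alice@adatum.example"}}

def account_sts(user, audience, ttl=600):
    """Issue a home-realm token with identity, group and attribute claims."""
    u = ADATUM_USERS[user]
    return sign({"iss": "adatum", "aud": audience, "name": user, "groups": u["groups"],
                 "mail": u["mail"], "exp": time.time() + ttl}, ADATUM_KEY)

# Resource realm: federation trust policy, as on slide 42 (constructed values).
TREY_KEY = b"trey-signing-key-constructed"
TRUST = {"adatum": {"key": ADATUM_KEY,                     # trust: partner's key
                    "required": ["name", "groups"],        # security: claims required
                    "allowed": ["name", "groups"],         # privacy: mail is never forwarded
                    "group_map": {"Purchasing": "Buyer"}}} # partner group -> app role
AUDIT = []                                                 # audit: identities, authorities

def resource_sts(token):
    """Swap a partner token for a resource-realm token, or refuse it."""
    c = token["claims"]
    partner = TRUST.get(c.get("iss"))
    if not partner or c.get("aud") != "trey" or not verify(token, partner["key"]):
        AUDIT.append(("rejected", c.get("iss"), c.get("name")))
        return None
    if any(r not in c for r in partner["required"]):
        AUDIT.append(("missing-claims", c["iss"], c.get("name")))
        return None
    roles = [partner["group_map"][g] for g in c["groups"] if g in partner["group_map"]]
    out = {k: c[k] for k in partner["allowed"]}
    out.update({"iss": "trey", "roles": roles, "authority": c["iss"], "exp": c["exp"]})
    AUDIT.append(("issued", c["iss"], c["name"]))
    return sign(out, TREY_KEY)

def web_agent_is_in_role(token, role):
    """Web-agent style check: verify the resource-realm token, then test the role claim."""
    return bool(token) and verify(token, TREY_KEY) and role in token["claims"]["roles"]
```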

40 Agenda - ADFS
- Problem: High cost of extending your network for eBusiness
- Solution: Federation is the key
- Product: Microsoft Active Directory Federation Services (ADFS)

41 Active Directory Federation Services
- Identity Federation: extend value of Active Directory deployments to facilitate secure collaboration with partners
- Web SSO: extend value of Windows Server application platform in Internet-facing environments
[Diagram: Company A and Company B, each with IIS and AD]

42 ADFS Identity Federation
Projects AD identities to other security realms
[Diagram: Organization A private namespace and Organization B private namespace, each with a Federation Server]
Federation Servers manage:
- Trust -- keys
- Security -- claims required
- Privacy -- claims allowed
- Audit -- identities, authorities

43 ADFS Components
[Diagram: overview of the ADFS components detailed on the following slides]

44 ADFS Components
Active Directory or ADAM
- Authenticates users
- Manages attributes
- Windows 2000 or 2003

45 ADFS Components
Federation Service (FS), aka Security Token Service (STS)
- Maps user attributes to claims
- Issues security tokens
- Manages federation trust policy
- Requires IIS v6, Windows 2003 R2

46 ADFS Components
Federation Server Proxy (FSP)
- Client proxy for token requests
- Provides UI for browser clients
- Requires IIS v6, Windows 2003 R2

47 ADFS Components
Web Agent
- Enforces user authentication
- Creates app authZ context from claims
  - NT impersonation and ACLs
  - ASP.NET IsInRole()
  - AzMan RBAC integration
  - ASP.NET raw claims API
- Requires IIS v6, Windows 2003 R2

48 Identity Federation in Action
[Diagram: A. Datum account forest and Trey Research resource forest connected by a federation trust]

49 Active Directory Federation Services
Extends AD to Internet scenarios
- Extranet single sign-on
- Identity federation
Works with existing AD deployments
Extensible and interoperable
- WS-Federation, Kerberos, SAML 1.1 tokens
Availability
- Windows Server 2003 R2

50 Microsoft Identity and Access Roadmap
Identity and Access Platform
- Integration Services (MIIS)
- Directory Services (AD, ADAM)
- Access Services (ADFS, InfoCard)
- Smart client SSO, web SSO, claims-based access control, federation
- Self service, delegated admin of identities, credentials, entitlements
- Metadata publication
Identity and Access Management
- Policy authoring, compliance assessment, reporting, enforcement
- Lifecycle management
- Connectivity to other systems
[Diagram: web clients, smart clients, web servers and server services, Microsoft and non-Microsoft]

51 Additional Resources
Visit Microsoft.com
- Identity Management - http://www.microsoft.com/IDM
- AD - http://www.microsoft.com/AD
- Windows Server System - http://www.microsoft.com/windowsserversystem
View Microsoft's .NET Show on ADFS
- http://msdn.microsoft.com/theshow/episode047/default.asp
Get familiar with the Web Services security and identity model
- http://msdn.microsoft.com/webservices/
Attend WS-* workshops
- http://msdn.microsoft.com/webservices/community/workshops/default.aspx
Get started with WS-* using Web Services Enhancements
- http://msdn.microsoft.com/webservices/building/security/

52 © 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
