Page 1: Solving the Identity Management problem using MIIS and ADFS
Sandeep Katyal, Technologist, Microsoft
Copyright Microsoft Corp. 2006

Page 2: Session Objectives and Key Takeaways
Session objectives:
• Introduce concepts in Microsoft Identity Integration Server
• Provisioning, group management, lifecycle management, and consistency enforcement
• Introduce the Web SSO scenario with ADFS

Page 3: Situation
• Increasingly connected systems
  • Connections span technical and organizational boundaries
  • Distinctions blur: customer, partner, employee, intranet, Internet
• Demand for business process integration
  • Clear business drivers around security, cost efficiency, regulatory compliance
  • Issues around policy, assessment, reporting
• Rapid rise of threats to online safety
  • Concerns over privacy, tracking

Page 4: Agenda - MIIS
• Identity and Lifecycle Management Scenarios
• Provisioning and Group Management with MIIS 2003
• Password Management
• MIIS Roadmap

Page 5: The ID Lifecycle
• New User: user ID creation, credential issuance, access rights
• Account Changes: promotions, transfers, new privileges, attribute changes
• Password Mgmt: strong passwords, “lost” password, password reset
• Retire User: delete/freeze accounts, delete/freeze entitlements
• Synchronize Identity: extend lifecycle information across all identity stores
• Entitlement Reporting: audit/log any ILM changes, keep track of entitlements

Page 6: MIIS – Identity Broker
[Diagram: MIIS, labelled “Identity Integration”, sits between the connected systems (HR System, Infra Application, Lotus Notes Apps, In-House Application, COTS Application, Contractor System, Enterprise Directory), each of which keeps its own authentication, authorization and identity data.]
“Identity Integration”: rock solid software to integrate identity

Page 7: MIIS Identity Broker Scenarios
• Hire Scenario
• Fire Scenario
• Join Scenario
• Identity Data Aggregation
• Identity Data Brokering (Identity Convergence)
• Identity Data Integrity Enforcement

Page 8: Hire Scenario
[Diagram: a new record in the HR System flows into MIIS, which provisions it out to the connected systems (Notes, Contractor System, AD App Mode, SQL Server, iPlanet Directory, Active Directory, Lotus Notes) over their respective connectors: file, LDAP, LDAP, SQL and LDAP.]

Page 9: Fire Scenario
[Diagram: the same topology as Page 8; a termination in the HR System flows into MIIS, which deprovisions the corresponding accounts in Notes, Contractor System, AD App Mode, SQL Server, iPlanet Directory, Active Directory and Lotus Notes over the file, LDAP and SQL connectors.]

Page 10: Identity Joining Scenario
[Diagram: HR System, iPlanet Directory, Active Directory and Lotus Notes each hold a record with the attributes givenName, sn, title, mail, employeeID and telephone. The HR System record (Clark Kent, Reporter, [email protected], 007, 867-5309) is projected to the metaverse (PROJECTED); the records in the other directories, with inconsistent spellings such as “Klarek Cenntt”, “Clark Kennttt” and “Klarke Kent”, are matched to it on employeeID (JOINED).]
Project to Metaverse; Join on employeeID

Page 11: Attribute Flow Scenario: Identity Data Aggregation
[Diagram: the same directories as on Page 10, with HR System attribute flows for FirstName, LastName, EmployeeID, Title, E-Mail and Telephone. After the join, the metaverse object aggregates the attributes contributed by the connected directories into one integrated record (Clark Kent, Reporter, [email protected], 007, 867-5309).]

Page 12: Attribute Flow Scenario: Identity Data Brokering (Convergence)
[Diagram: the aggregated metaverse values flow back out to each connected directory, so that HR System, iPlanet Directory, Active Directory and Lotus Notes converge on the same givenName, sn, title, mail, employeeID and telephone values (Clark Kent, Reporter, [email protected], 007, 867-5309).]

Page 13: Attribute Flow Scenario: Identity Data Integrity Enforcement
[Diagram: the title attribute in one connected directory is changed to “Superhero”; on the next synchronization the metaverse still holds the value “Reporter” from the authoritative source, which flows back out and overwrites the change in every directory.]

Page 14: Identity Data Integrity Enforcement
[Diagram: the same enforcement for a title changed to “Publisher” in a connected directory: the non-authoritative edit is overwritten with “Reporter”, so every connected directory again agrees with the authoritative source.]
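The join, aggregation, convergence and integrity-enforcement steps of Pages 10 to 14, modelled as an added example that is not code from the deck or from MIIS itself; the connector-space records, the precedence table, the mail address and the extra Contractor System record (which cannot join) are all constructed for the demo:

```python
"""Added example, not code from the deck: a toy model of the MIIS metaverse
steps in the Clark Kent slides (projection, join on employeeID, import
attribute flow with precedence, export flow for convergence, and integrity
enforcement of a non-authoritative change). Records, directory names and
the precedence table are constructed for the demo."""
from copy import deepcopy

# Constructed connector-space records, one per connected directory. Spellings
# disagree as in the slides while employeeID agrees; a Contractor System record
# with a different employeeID is included to show a record that cannot join.
CONNECTOR_SPACE = {
    "HR System": {"givenName": "Clark", "sn": "Kent", "title": "Reporter",
                  "mail": "clark.kent@example.com",   # constructed address
                  "employeeID": "007", "telephone": "867-5309"},
    "iPlanet Directory": {"givenName": "Klarek", "sn": "Cenntt", "employeeID": "007"},
    "Active Directory": {"givenName": "Clark", "sn": "Kennttt", "employeeID": "007"},
    "Lotus Notes": {"givenName": "Klarke", "sn": "Kent", "title": "Superhero",
                    "employeeID": "007", "telephone": "867-5309"},
    "Contractor System": {"givenName": "Jane", "sn": "Doe", "employeeID": "008"},
}

# Constructed precedence: per metaverse attribute, the sources in order of
# authority. HR owns everything; Lotus Notes may supply telephone if HR lacks it.
PRECEDENCE = {
    "givenName": ["HR System"], "sn": ["HR System"], "title": ["HR System"],
    "mail": ["HR System"], "employeeID": ["HR System"],
    "telephone": ["HR System", "Lotus Notes"],
}
PROJECTING_SOURCE = "HR System"   # only HR may create (project) metaverse objects
JOIN_ATTR = "employeeID"


class Metaverse:
    def __init__(self):
        self.objects = {}        # employeeID -> metaverse attributes
        self.links = set()       # (directory, employeeID) pairs that are projected/joined
        self.disconnectors = []  # directories whose record found no metaverse partner

    def synchronize(self, connector_space):
        """Projection, join and import attribute flow over every CS record."""
        self.disconnectors = []
        for directory, record in connector_space.items():
            if directory == PROJECTING_SOURCE:
                self.objects.setdefault(record[JOIN_ATTR], {})   # PROJECTED
        for directory, record in connector_space.items():
            key = record[JOIN_ATTR]
            if key in self.objects:
                self.links.add((directory, key))                 # JOINED on employeeID
            else:
                self.disconnectors.append(directory)             # stays a disconnector
        # Import flow (aggregation): highest-precedence linked source wins per attribute.
        for key, mv in self.objects.items():
            for attr, sources in PRECEDENCE.items():
                for src in sources:
                    if (src, key) in self.links and attr in connector_space[src]:
                        mv[attr] = connector_space[src][attr]
                        break
        return self.objects

    def export_flow(self, connector_space):
        """Export flow (convergence): push metaverse values to every linked
        directory and return the changes each directory receives."""
        pending = {}
        for directory, key in sorted(self.links):
            record = connector_space[directory]
            for attr, value in self.objects[key].items():
                if record.get(attr) != value:
                    pending.setdefault(directory, {})[attr] = value
                    record[attr] = value
        return pending


def run_demo():
    """Run one full sync, then show integrity enforcement after a rogue edit."""
    cs = deepcopy(CONNECTOR_SPACE)
    mv = Metaverse()
    mv.synchronize(cs)
    convergence = mv.export_flow(cs)     # every directory now matches the metaverse
    # Someone edits a non-authoritative directory directly, as on the slides.
    cs["Lotus Notes"]["title"] = "Superhero"
    mv.synchronize(cs)                   # HR still has precedence for title
    enforcement = mv.export_flow(cs)     # the edit is overwritten with "Reporter"
    return mv, convergence, enforcement


if __name__ == "__main__":
    mv, convergence, enforcement = run_demo()
    print("metaverse:", mv.objects)
    print("disconnectors:", mv.disconnectors)
    print("enforcement:", enforcement)
```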

Page 15: Agenda - MIIS
• Identity and Lifecycle Management Scenarios
• Provisioning and Group Management with MIIS 2003
• Password Management
• MIIS Roadmap

Page 16: Provisioning Scenarios
• Dataflow driven provisioning
  • Provisioning data mastered from an upstream system (like SAP)
  • MIIS 2003 scenario
• Self-service entry point with workflow
  • Allow delegated users to trigger provisioning actions through web applications
  • Personal information changes, password resets
  • Approval processes can be required: account requests, group membership requests
• Dataflow driven provisioning with workflow
  • Add approval processes to provisioning processes initiated by an upstream system (like SAP)
  • New employee joins, manager needs to approve DL membership

Page 17: MIIS 2003 SP1 Provisioning
• MIIS 2003: administrator had to write code for provisioning
• MIIS SP1 Resource Kit: additional tools
• Provisioning code generator
  • Declarative UI for provisioning
  • Generates provisioning code
  • Enables provisioning and registers the provisioning DLL
  • Source code can be extended with custom code

Page 18: Group Management
• Manage group membership across heterogeneous systems
• Use of the built-in capabilities for managing reference attributes
• Authoritative data for group membership can be
  • a connected directory (e.g. AD)
  • calculated based on attributes; results imported into MIIS by using a Management Agent

Page 19: Group Populator
[Diagram: the Group Populator queries the integrated view in MIIS (fed from the HR Database), calculates group membership from attributes, and imports the group definition and members into Active Directory.]
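The attribute-calculated group membership of Pages 18 and 19, as an added example that is not code from the deck or from the MIIS Group Populator tool; the integrated-view rows, the group rules, the group DNs and the current AD memberships are constructed:

```python
"""Added example, not code from the deck: a toy Group Populator that evaluates
attribute-based group definitions against MIIS's integrated view and computes
the membership changes a Management Agent would import into Active Directory.
The view rows, group rules and current AD memberships are all constructed."""

# Constructed integrated view (metaverse) rows, keyed by employeeID.
INTEGRATED_VIEW = {
    "007": {"givenName": "Clark", "sn": "Kent", "title": "Reporter",
            "department": "News", "status": "active"},
    "008": {"givenName": "Jane", "sn": "Doe", "title": "Reporter",
            "department": "News", "status": "active"},
    "009": {"givenName": "Perry", "sn": "White", "title": "Editor",
            "department": "News", "status": "terminated"},   # left the company
    "010": {"givenName": "Sam", "sn": "Park", "title": "Photographer",
            "department": "Sports", "status": "active"},
}

# Constructed group definitions: attribute -> set of values that qualify.
# Every condition must match, and only active people are ever members.
GROUP_RULES = {
    "CN=Reporters,OU=Groups,DC=example,DC=com": {"title": {"Reporter"}},
    "CN=News-Staff,OU=Groups,DC=example,DC=com": {"department": {"News"}},
    "CN=Editors,OU=Groups,DC=example,DC=com": {"title": {"Editor", "Publisher"}},
}

# Constructed snapshot of what AD currently holds for each group.
CURRENT_AD_MEMBERS = {
    "CN=Reporters,OU=Groups,DC=example,DC=com": {"007", "009"},
    "CN=News-Staff,OU=Groups,DC=example,DC=com": {"007", "008", "009"},
    "CN=Editors,OU=Groups,DC=example,DC=com": {"009"},
}


def evaluate_group(rule, view):
    """Return the employeeIDs whose attributes satisfy every condition in rule."""
    members = set()
    for emp_id, attrs in view.items():
        if attrs.get("status") != "active":
            continue                                   # terminated users never qualify
        if all(attrs.get(attr) in allowed for attr, allowed in rule.items()):
            members.add(emp_id)
    return members


def plan_membership_changes(rules, view, current):
    """Diff calculated membership against AD and return per-group add/remove lists."""
    plan = {}
    for group_dn, rule in rules.items():
        desired = evaluate_group(rule, view)
        existing = current.get(group_dn, set())
        plan[group_dn] = {"add": sorted(desired - existing),
                          "remove": sorted(existing - desired)}
    return plan


if __name__ == "__main__":
    changes = plan_membership_changes(GROUP_RULES, INTEGRATED_VIEW, CURRENT_AD_MEMBERS)
    for group_dn, ops in changes.items():
        print(group_dn, ops)
```

The terminated editor is removed from all three groups even though nobody edited the groups by hand, which is the entitlement hygiene the Fire Scenario relies on.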

Page 20: Workflow with MIIS 2003
• Workflow not integrated in MIIS 2003
• Easy to extend MIIS with workflow
  • MIIS 2003 SP1 Resource Kit: workflow application (account request application)
    http://www.microsoft.com/downloads/details.aspx?FamilyId=D3C7BD7A-E8D5-43CF-AD4D-4F1F0AE00D79&displaylang=en
  • Identity and Access Management Series: HR driven provisioning with workflow
    http://www.microsoft.com/technet/security/topics/identitymanagement/idmanage/default.mspx
  • Partner tools – MIIS Alliance
• Complex workflow: integrate BizTalk with MIIS
• Future MIIS versions: powerful workflow engine fully integrated in MIIS

Page 21: Agenda - MIIS
• Identity and Lifecycle Management Scenarios
• Provisioning and Group Management with MIIS 2003
• Password Management
• MIIS Roadmap

Page 22: MIIS Password Management: A Complete Solution
• Accounts secure from provisioning to de-provisioning
  • Initial password set feature
  • Guarantees strong passwords
• Reduced sign-on capabilities
  • Password sync initiated from the Windows desktop
• Ability for the end user to manage passwords in systems that do not participate in password synchronization
  • Web portal allows end users to manage passwords in connected identity stores
• Forgotten passwords
  • Self-service password reset solution

Page 23: Agenda - MIIS
• Identity and Lifecycle Management Scenarios
• Provisioning and Group Management with MIIS 2003
• Password Management
• MIIS Roadmap

Page 24: MIIS Roadmap
• Extending MA reach and password capabilities (Done): additional MAs, MA SDK, password extensions, password synchronization
• Tools to simplify MIIS deployments (Done): Provisioning Wizard, workflow sample app
• Extending MA reach (Ongoing, started June ’05): additional MAs
• Improving password management capabilities (MIIS 2003 SP2, CY06): end-user self-service password reset
• Further lowering the cost and risks of Identity Management (MIIS “Gemini”): codeless provisioning, entitlement reporting, self-service platform, additional MAs


Page 26: MIIS 2003 SP1 – Management Agents
• New MAs
  • IBM DB2: version 7 or 8.1; Windows OS, Linux and OS/400
  • IBM DS: version 4.1, 5.1 and 5.2; Windows OS only at this time
• Improved MA support
  • Sun One 5.2
  • eDirectory 8.73

Page 27: MIIS Reach
[Diagram: MIIS connects identity data held in LDAP, SQL, NOS and LOB application stores.]
• Wide range of connectivity
  • Active Directory & ADAM
  • Sun/iPlanet Directory
  • IBM DS
  • Novell eDirectory
  • Microsoft SQL 2000 & SQL 7
  • Oracle 9i/8i
  • IBM DB2
  • Lotus Notes 5.x/6.x
  • Microsoft Exchange 5.5, 2K, 2K3
  • Microsoft NT 4.x
  • RACF
  • DSML, LDIF, CSV, fixed width
  • … others to follow
• MA SDK allows ISVs and corporate developers to build custom MAs

Page 28: Agenda - ADFS
• Problem: high cost of extending your network for eBusiness
• Solution: Identity Federation is the key
• Product: Microsoft Active Directory Federation Services (ADFS)

Page 29: Windows SSO to your Internal Network
[Diagram: a user logs on to Windows against Active Directory and gets single sign-on to Exchange, web apps, file shares and Windows-integrated applications.]
• Flexible authentication: Kerberos; X509 v3/Smartcard/PKI; VPN/802.1x/RADIUS; LDAP; Passport/Digest/Basic (Web); SSPI/SPNEGO
• Single sign-on to: Windows file/print servers; Microsoft applications; 390/AS400 (Host Integration Server); ERP (BizTalk, SharePoint ESSO); 3rd party integrated apps; web applications via IIS; Unix/J2EE (Services for Unix, Vintela)

Page 30: Identity Integration: Ensure consistency of digital identity data
• Active Directory & ADAM
  • Single store for users, computers, services, groups, etc.
  • Distributed, replicated for availability
  • Automated security policy
  • LDAP v3 compliant
  • ADAM for app-specific data
• Identity Integration Server
  • Digital identity integration (metadirectory)
  • Identity lifecycle management
  • Password management
[Diagram: the account directory (Active Directory) is integrated with LDAP and SQL stores, an enterprise app, Exchange, a web service, a file share and other applications.]

Page 31: eBusiness Extends your Network
• Your COMPANY and your EMPLOYEES
• Your SUPPLIERS
• Your PARTNERS
• Your REMOTE and VIRTUAL EMPLOYEES
• Your CUSTOMERS
Business drivers:
• Customer satisfaction & customer intimacy; cost competitiveness; reach, personalization
• Collaboration; outsourcing; faster business cycles and process automation; value chain
• M&A; mobile/global workforce; flexible/temp workforce

Page 32: Existing IdM Approaches: Extending your network to external users
Approach and issues:
• Custom Solutions + Local accounts
  • Expensive, custom software development
  • Costly client software deployment for partners
  • Partner account management burden
• Web SSO Solutions + Local accounts
  • Expensive 3rd party products
  • Redundant infrastructure
  • Partner account management burden
• VPN + Local accounts (for external users)
  • Client VPN software required
  • Excessive network access allowed
  • Partner account management burden
• Windows Forest Trust
  • Requires native mode Windows 2003 forests
  • Extensive firewall configuration

Page 33: Business Costs of Partner Account Management
• Regulatory Compliance: privacy protection; end-to-end auditing; repudiation
• End User Productivity: provisioning latency; forgotten passwords; logon frequency
• IT/Helpdesk Efficiency: account provisioning requests; password reset requests; account proliferation
• Security: orphaned or inaccurate accounts; compromised passwords; unnecessary access

Page 34: Agenda - ADFS
• Problem: high cost of extending your network for eBusiness
• Solution: Identity Federation is the key
• Product: Microsoft Active Directory Federation Services (ADFS)

Page 35: Identity Federation
• Standards-based technology & processes …
• Projecting user identity from a single logon …
• Distributed authentication & claims-based authorization …
• Across boundaries (security, departmental, organizational or platform boundaries)

Page 36: Security Tokens & Claims: Distributed authentication/authorization
• Security tokens assert claims
• Claims: statements authorities make about security principals (name, identity, key, group, privilege, capability, etc.)
[Diagram: token formats X.509, Kerberos, XrML and SAML, each signed by its issuing authority; proof of possession by secret key or password.]

Page 37: Security Token Service
[Diagram: Security Token Service; Key Distribution Center.]
• A security token service issues security tokens
• STSs can “swap” tokens as a request crosses security domain boundaries

Page 38: Scenario: Web SSO
• User credentials and attributes managed in AD or ADAM at the “resource realm”
• Authentication via Windows logon or web based
• Single sign-on to web farm
• Authorization based on claims from the “resource realm”
[Diagram: customers, business partners and employees authenticate to the STS, which fronts the web farm.]

Page 39: Scenario: Identity Federation
• User credentials and attributes managed in the “home realm” by the partner organization
• Authentication via Windows logon or web-based
• Single sign-on to web farm across organizational or platform boundaries
• Authorization based on claims from the “home realm”
[Diagram: business partners authenticate to their home-realm STS, which passes a token to the resource-realm STS in front of the web farm.]

Page 40: Agenda - ADFS
• Problem: high cost of extending your network for eBusiness
• Solution: Federation is the key
• Product: Microsoft Active Directory Federation Services (ADFS)

Page 41: Active Directory Federation Services
• Identity Federation: extend the value of Active Directory deployments to facilitate secure collaboration with partners
• Web SSO: extend the value of the Windows Server application platform in Internet-facing environments
[Diagram: Company A and Company B, each with its own AD and IIS, federated with one another.]

Page 42: ADFS Identity Federation: Projects AD Identities to other security realms
[Diagram: Organization A and Organization B each keep a private namespace; a Federation Server in each organization links the two.]
Federation Servers manage:
• Trust: keys
• Security: claims required
• Privacy: claims allowed
• Audit: identities, authorities
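The token “swap” of Page 37, the federation scenario of Page 39 and the four federation-server responsibilities of Page 42 (trust keys, claims required, claims allowed, audit), modelled end to end as an added example that is not code from the deck or from ADFS. Tokens are JSON signed with HMAC-SHA256 under a shared key per issuer, a stand-in for the signed SAML tokens and X.509 keys ADFS uses; the organizations, keys, claim names, the group-to-role mapping and the sample user are constructed:

```python
"""Added example, not code from the deck: a toy model of the federation trust and
token "swap" on these slides. Tokens are JSON signed with HMAC-SHA256 under a shared
key per issuer, standing in for the signed SAML tokens and X.509 keys real ADFS
uses; organizations, keys, claims and the claim-mapping rule are constructed."""
import hashlib
import hmac
import json


def _mac(key, body):
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def issue_token(issuer, key, subject, audience, claims):
    """Sign a token that asserts claims about subject for one specific audience."""
    body = json.dumps({"iss": issuer, "sub": subject, "aud": audience, "claims": claims},
                      sort_keys=True, separators=(",", ":"))
    return {"body": body, "sig": _mac(key, body)}


def verify_token(token, trusted_keys, audience):
    """Return the payload only if a trusted issuer signed it for this audience."""
    payload = json.loads(token["body"])
    key = trusted_keys.get(payload.get("iss"))
    if key is None or payload.get("aud") != audience:
        return None
    if not hmac.compare_digest(_mac(key, token["body"]), token["sig"]):
        return None
    return payload


# --- Organization A, the account partner ("home realm") ---
ORG_A_KEY = b"org-a-constructed-signing-secret"
ORG_A_CLAIMS_ALLOWED = {"upn", "group"}   # Privacy: the only claims A releases to B


def home_realm_sts(subject, user_attrs):
    """A's federation server maps directory attributes to the claims it allows out."""
    claims = {k: v for k, v in user_attrs.items() if k in ORG_A_CLAIMS_ALLOWED}
    return issue_token("orgA", ORG_A_KEY, subject, "orgB-fs", claims)


# --- Organization B, the resource partner ---
ORG_B_KEY = b"org-b-constructed-signing-secret"
TRUSTED_PARTNERS = {"orgA": ORG_A_KEY}       # Trust: partner issuer -> its key
CLAIMS_REQUIRED = {"upn", "group"}           # Security: claims B insists on seeing
GROUP_TO_ROLE = {"Reporters": "ContentAuthor", "Editors": "ContentApprover"}
AUDIT_LOG = []                               # Audit: identities and authorities seen


def resource_realm_sts(partner_token):
    """Verify the partner token, apply B's policy, and swap it for B's own token."""
    payload = verify_token(partner_token, TRUSTED_PARTNERS, "orgB-fs")
    if payload is None:
        AUDIT_LOG.append(("reject", "untrusted issuer, wrong audience or bad signature"))
        return None
    missing = CLAIMS_REQUIRED - set(payload["claims"])
    if missing:
        AUDIT_LOG.append(("reject", payload["iss"], payload["sub"], sorted(missing)))
        return None
    # Map A's group claims into B's own role vocabulary; unknown groups are dropped.
    roles = sorted({GROUP_TO_ROLE[g] for g in payload["claims"]["group"] if g in GROUP_TO_ROLE})
    AUDIT_LOG.append(("issue", payload["iss"], payload["sub"], roles))
    return issue_token("orgB", ORG_B_KEY, payload["sub"], "orgB-webfarm",
                       {"upn": payload["claims"]["upn"], "role": roles})


# --- B's web farm: the web agent builds an authorization context from claims ---
class Principal:
    def __init__(self, payload):
        self.name = payload["claims"]["upn"]
        self.roles = set(payload["claims"]["role"])

    def is_in_role(self, role):            # the IsInRole() check on Page 47
        return role in self.roles


def web_agent(token):
    """Accept only tokens that B's own federation service issued for the web farm."""
    payload = verify_token(token, {"orgB": ORG_B_KEY}, "orgB-webfarm")
    return Principal(payload) if payload else None


if __name__ == "__main__":
    # Constructed user from A's directory; "salary" must never cross the trust.
    user = {"upn": "clark@orga.example", "group": ["Reporters", "AllStaff"],
            "salary": "classified"}
    principal = web_agent(resource_realm_sts(home_realm_sts("clark", user)))
    print(principal.name, principal.is_in_role("ContentAuthor"), AUDIT_LOG)
```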

Page 43: ADFS Components
[Diagram: the client web browser talks over HTTPS to the Federation Service Proxy and the web server; the Federation Service sits behind the proxy and authenticates users against Active Directory or ADAM.]

Page 44: ADFS Components: Active Directory or ADAM
[Diagram: as on Page 43, highlighting Active Directory or ADAM.]
• Windows 2000 or 2003
• Authenticates users
• Manages attributes

Page 45:

ADFS Components

Federation Service (FS)
aka Security Token Service (STS)
Maps user attributes to claims
Issues security tokens
Manages federation trust policy
Requires IIS 6, Windows Server 2003 R2

Page 46:

ADFS Components

Federation Server Proxy (FSP)
Client proxy for token requests
Provides UI for browser clients
Requires IIS 6, Windows Server 2003 R2

Page 47:

ADFS Components

Web Agent
Enforces user authentication
Creates application authorization context from claims:
  NT impersonation and ACLs
  ASP.NET IsInRole()
  AzMan RBAC integration
  ASP.NET raw claims API
Requires IIS 6, Windows Server 2003 R2

Page 48:

Identity Federation in Action

[Diagram: A. Datum Account Forest (Internal Client, Active Directory, Account Federation Server) connected by a Federation Trust to Trey Research Resource Forest (Resource Federation Server, Web Server)]
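The claim flow between the A. Datum account federation server and the Trey Research resource federation server, modelled as an added Python example that is not ADFS code or any Microsoft API: attribute-to-claim mapping, the privacy filter of allowed outgoing claims, the trust check on the issuer's key, the security check on required incoming claims, and an audit record of identity and authority. The partner names, the attribute map, and the HMAC key standing in for the partner's token-signing certificate are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed sample policy for the slides' A. Datum (account) / Trey Research (resource) scenario.
ACCOUNT_PARTNER = "adatum"
RESOURCE_PARTNER = "treyresearch"

# Account FS policy: which directory attributes become which outgoing claims (hypothetical map),
# and which claims the privacy policy allows to be released to each resource partner.
ATTRIBUTE_TO_CLAIM = {"mail": "email", "department": "group", "title": "jobtitle"}
ALLOWED_OUTGOING = {RESOURCE_PARTNER: {"email", "group"}}

# Resource FS policy: key material for trusted account partners (an HMAC key stands in for the
# partner's X.509 token-signing certificate here) and the claims the resource requires.
TRUSTED_ISSUER_KEYS = {ACCOUNT_PARTNER: b"constructed-shared-key"}
REQUIRED_INCOMING = {"email", "group"}
AUDIT_LOG = []  # audit: which identity arrived from which authority, and the outcome


def _sign(key, payload):
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(user_attrs, resource_partner, signing_key):
    """Account FS: map attributes to claims, drop claims not allowed for this partner, sign."""
    claims = {ATTRIBUTE_TO_CLAIM[a]: v for a, v in user_attrs.items() if a in ATTRIBUTE_TO_CLAIM}
    allowed = ALLOWED_OUTGOING.get(resource_partner, set())
    claims = {c: v for c, v in claims.items() if c in allowed}
    body = {"issuer": ACCOUNT_PARTNER, "audience": resource_partner, "claims": claims}
    payload = json.dumps(body, sort_keys=True)
    return {"payload": payload, "signature": _sign(signing_key, payload)}


def accept_token(token):
    """Resource FS: check trust (issuer key and signature), audience, then required claims.
    Returns (accepted, reason, claims)."""
    body = json.loads(token["payload"])
    issuer, claims = body.get("issuer"), body.get("claims", {})
    key = TRUSTED_ISSUER_KEYS.get(issuer)
    missing = REQUIRED_INCOMING - set(claims)
    if key is None:
        reason = "untrusted issuer"
    elif not hmac.compare_digest(token["signature"], _sign(key, token["payload"])):
        reason = "bad signature"
    elif body.get("audience") != RESOURCE_PARTNER:
        reason = "wrong audience"
    elif missing:
        reason = "missing required claims: " + ",".join(sorted(missing))
    else:
        reason = "ok"
    AUDIT_LOG.append({"issuer": issuer, "identity": claims.get("email"), "result": reason})
    return reason == "ok", reason, claims if reason == "ok" else {}
```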

Page 49:

Active Directory Federation Services

Extends AD to Internet scenarios
  Extranet Single Sign-on
  Identity Federation
Works with existing AD deployments
Extensible and interoperable
  WS-Federation, Kerberos, SAML 1.1 tokens
Availability
  Windows Server 2003 R2

Page 50:

Microsoft Identity and Access Roadmap

Integration Services (MIIS)
Directory Services (AD, ADAM)
Access Services (ADFS, InfoCard)

Identity and Access Platform
• Smart client SSO, web SSO, claims-based access control, federation
• Self service, delegated admin of identities, credentials, entitlements
• Metadata publication

Identity and Access Management
• Policy authoring, compliance assessment, reporting, enforcement
• Lifecycle management
• Connectivity to other systems

[Diagram: Web Clients, Smart Clients, Web Servers, Server Services; Microsoft and Non-Microsoft]

Page 51:

Additional Resources

Visit Microsoft.com
  Identity Management - http://www.microsoft.com/IDM
  AD - http://www.microsoft.com/AD
  Windows Server System - http://www.microsoft.com/windowsserversystem

View Microsoft's .NET Show on ADFS
  http://msdn.microsoft.com/theshow/episode047/default.asp

Get familiar with the Web Services security and identity model
  http://msdn.microsoft.com/webservices/

Attend WS-* workshops
  http://msdn.microsoft.com/webservices/community/workshops/default.aspx

Get started with WS-* using Web Services Enhancements
  http://msdn.microsoft.com/webservices/building/security/

Page 52:

© 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.