Copyright Microsoft Corp. 2006
Sandeep Katyal, Technologist, Microsoft
Solving the Identity Management problem using MIIS and ADFS
Session Objectives And Key Takeaways
Session Objectives:
Introduce Concepts in Microsoft Identity Integration Server
Provisioning, Group Management, Lifecycle management, and consistency enforcement
Introduce the Web SSO scenario with ADFS
Situation
Increasingly connected systems
Connections span technical, org boundaries
Distinctions blur - customer, partner, employee, intranet, Internet
Demand for business process integration
Clear business drivers around security, cost efficiency, regulatory compliance
Issues around policy, assessment, reporting
Rapid rise of threats to online safety
Concerns over privacy, tracking
Agenda - MIIS
Identity and Lifecycle Management Scenarios
Provisioning and Group Management with MIIS 2003
Password Management
MIIS Roadmap
The ID Lifecycle
New User: User ID Creation, Credential Issuance, Access Rights
Account Changes: Promotions, Transfers, New Privileges, Attribute Changes
Password Mgmt: Strong Passwords, “Lost” Password, Password Reset
Retire User: Delete/Freeze Accounts, Delete/Freeze Entitlements
Synchronize Identity: Extend lifecycle information across all identity stores
Entitlement Reporting: Audit/log any ILM changes, Keep track of Entitlements
MIIS – Identity Broker
[Diagram: an Enterprise Directory and a set of systems (HR System, Infra Application, Lotus Notes Apps, In-House Applications, COTS Application, Contractor System), each holding its own Authentication, Authorization and Identity Data, connected to one another through Identity Integration]
“Identity Integration”: Rock solid software to integrate identity
MIIS Identity Broker Scenarios
Hire Scenario
Fire Scenario
Join Scenario
Identity Data Aggregation
Identity Data Brokering (Identity Convergence)
Identity Data Integrity Enforcement
Hire Scenario
[Diagram: MIIS at the centre, connected to the HR System, the Contractor System, AD App Mode, SQL Server, iPlanet Directory, Active Directory and Lotus Notes over File, LDAP, SQL and Notes connections; the new hire's record originates in the HR System and is provisioned outward]
Fire Scenario
[Diagram: the same set of connected systems (HR System, Contractor System, AD App Mode, SQL Server, iPlanet Directory, Active Directory, Lotus Notes) over File, LDAP, SQL and Notes connections; the termination recorded in the HR System is propagated outward by MIIS]
Identity Joining Scenario
[Diagram: HR System, iPlanet Directory, Active Directory and Lotus Notes connected to MIIS; metaverse schema: givenName, sn, title, mail, employeeID, telephone. The HR System record (Clark Kent, employeeID 007, Reporter, 867-5309) is projected to the metaverse; the records in Active Directory (Clark Kennttt, 007), Lotus Notes (Klarke Kent, Superhero, 007, 867-5309) and iPlanet Directory (Klarek Cennt, 008) are matched against it by a join on employeeID]
Attribute Flow Scenario: Identity Data Aggregation
[Diagram: the HR System's FirstName, LastName, EmployeeID, Title and Telephone attributes flow into MIIS alongside the Active Directory, Lotus Notes and iPlanet records for the same person; the connector records (Clark Kent, Clark Kennttt, Klarke Kent/Superhero, Klarek Cennt) are aggregated into a single metaverse object: Clark Kent, employeeID 007, Reporter, 867-5309]
Attribute Flow Scenario: Identity Data Brokering (Convergence)
[Diagram: the aggregated metaverse values (Clark Kent, employeeID 007, Reporter, 867-5309) are flowed back out from MIIS to iPlanet Directory, Active Directory and Lotus Notes, so that every connected directory converges on the same givenName, sn, title and telephone]
Attribute Flow Scenario: Identity Data Integrity Enforcement
[Diagram: one connected directory still holds the title Superhero for employeeID 007 while the HR System holds Reporter; the authoritative value Reporter is flowed from the metaverse to every connected directory, replacing Superhero]
Identity Data Integrity Enforcement
[Diagram: a connected directory changes the title of employeeID 007 to Publisher; on the next synchronization the authoritative title Reporter is restored in every connected directory, since the HR System remains the source of that attribute]
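The join, aggregation, brokering and integrity enforcement slides above describe one pipeline. The following Python is an added example, not MIIS code and not part of this deck: a toy metaverse that projects from the HR System, joins the other connector spaces on employeeID, applies per-attribute precedence on import, and computes the export changes that bring every connected directory back to the authoritative values. The records, attribute names, precedence and export rules are constructed; treating the mistyped iPlanet record (employeeID 008) as a non-joining disconnector is an assumption of the example.

```python
"""Toy metaverse: join, projection, precedence-based attribute flow and export-time
integrity enforcement, modelled on the MIIS scenarios. Added example, not MIIS code;
every record, attribute name and rule below is constructed."""
from copy import deepcopy

JOIN_ATTRIBUTE = "employeeID"
PROJECTING = ["HR"]  # only the HR System may create (project) metaverse objects

# Constructed connector-space snapshots; attribute names follow the deck's
# metaverse schema (givenName, sn, title, mail, employeeID, telephone).
SOURCES = {
    "HR": [{"givenName": "Clark", "sn": "Kent", "employeeID": "007",
            "title": "Reporter", "telephone": "867-5309"}],
    "AD": [{"givenName": "Clark", "sn": "Kennttt", "employeeID": "007",
            "mail": "ckent@dailyplanet.example"}],
    "Notes": [{"givenName": "Klarke", "sn": "Kent", "employeeID": "007",
               "title": "Superhero", "telephone": "867-5309"}],
    # Assumption: the mistyped iPlanet record carries employeeID 008 and so never joins.
    "iPlanet": [{"givenName": "Klarek", "sn": "Cennt", "employeeID": "008"}],
}

# Import precedence: which systems may contribute each metaverse attribute, in order.
PRECEDENCE = {
    "givenName": ["HR"], "sn": ["HR"], "employeeID": ["HR"], "title": ["HR"],
    "telephone": ["HR", "Notes"], "mail": ["AD"],
}
# Export flows: attributes each connected system receives back from the metaverse.
# HR is the authoritative source and receives nothing.
EXPORT_FLOWS = {
    "AD": ["givenName", "sn", "title", "telephone"],
    "Notes": ["givenName", "sn", "title", "telephone"],
    "iPlanet": ["givenName", "sn", "title", "telephone"],
}


def _record(sources, system, key):
    """Return the connector-space record in `system` whose join attribute equals `key`."""
    return next((r for r in sources[system] if r.get(JOIN_ATTRIBUTE) == key), None)


def synchronize(sources):
    """One synchronization run. Returns (metaverse, exports, disconnectors)."""
    metaverse, joined, disconnectors = {}, {}, []
    # Projection: authoritative systems create metaverse objects keyed by employeeID.
    for system in PROJECTING:
        for rec in sources[system]:
            metaverse.setdefault(rec[JOIN_ATTRIBUTE], {})
            joined.setdefault(rec[JOIN_ATTRIBUTE], []).append(system)
    # Join: every other record either attaches to an existing object or stays a disconnector.
    for system, records in sources.items():
        if system in PROJECTING:
            continue
        for rec in records:
            key = rec.get(JOIN_ATTRIBUTE)
            if key in metaverse:
                joined[key].append(system)
            else:
                disconnectors.append((system, rec))
    # Import attribute flow: the first system in the precedence list with a value wins.
    for key, mv in metaverse.items():
        for attr, order in PRECEDENCE.items():
            for system in order:
                rec = _record(sources, system, key) if system in joined[key] else None
                if rec is not None and rec.get(attr) is not None:
                    mv[attr] = rec[attr]
                    break
    # Export attribute flow: the changes each joined connector needs so that it
    # converges on the metaverse values (identity data integrity enforcement).
    exports = {}
    for key, mv in metaverse.items():
        for system in joined[key]:
            rec = _record(sources, system, key)
            for attr in EXPORT_FLOWS.get(system, []):
                if attr in mv and rec.get(attr) != mv[attr]:
                    exports.setdefault(system, []).append((key, attr, rec.get(attr), mv[attr]))
    return metaverse, exports, disconnectors


def apply_exports(sources, exports):
    """Write the pending export changes into a copy of the connector-space snapshots."""
    updated = deepcopy(sources)
    for system, changes in exports.items():
        for key, attr, _old, new in changes:
            _record(updated, system, key)[attr] = new
    return updated


if __name__ == "__main__":
    mv, exports, orphans = synchronize(SOURCES)
    print("metaverse:", mv)
    print("exports:", exports)
    print("disconnectors:", orphans)
    # A connected system drifts: somebody edits the title directly in AD.
    drifted = apply_exports(SOURCES, exports)
    _record(drifted, "AD", "007")["title"] = "Publisher"
    print("re-sync restores:", synchronize(drifted)[1]["AD"])
```

The first run reports the Active Directory sn and the Lotus Notes givenName and title corrections; the re-run after a direct edit of the AD title to Publisher shows why an out-of-band change in a non-authoritative system does not survive the next cycle, which is the property to rely on when deciding where an attribute such as title or group membership may legitimately be changed.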
Provisioning Scenarios
Dataflow driven provisioning
Provisioning data mastered from an upstream system (like SAP)
MIIS 2003 scenario
Self-Service entry point with workflow
Allow delegated users to trigger provisioning actions through web applications
Personal information changes, password resets
Approval processes can be required
Account requests, group membership requests
Dataflow driven provisioning with workflow
Add approval processes to provisioning processes initiated by upstream system (like SAP)
New employee joins, manager needs to approve DL membership
MIIS 2003 SP1 Provisioning
MIIS 2003
Administrator had to write code for provisioning
MIIS SP1 Resource Kit
Additional tools
Provisioning code generator
Declarative UI for provisioning
Generates provisioning code
Enables provisioning and registers provisioning DLL
Source code can be extended with custom code
Group Management
Manage group membership across heterogeneous systems
Use of the built-in capabilities for managing reference attributes
Authoritative data for group membership can be:
a connected directory (e.g. AD)
calculated based on attributes; results imported into MIIS by using a Management Agent
Group Populator
[Diagram: the Group Populator runs a query against the integrated view that MIIS builds from the HR Database and Active Directory, and imports the resulting group definition and members]
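A Group Populator as sketched above calculates membership from attributes rather than from hand edits. The following Python is an added example, not the Group Populator itself and not code from this deck: it evaluates constructed group rules over constructed integrated-view rows, diffs the result against a constructed snapshot of current directory membership, and renders the calculated groups as LDIF for a file-based management agent to import. All account names, DNs and rules are assumptions.

```python
"""Attribute-driven group population over an integrated view. Added example, not
MIIS code; the rows, rules, DNs and current membership snapshot are constructed."""

# Constructed rows from the integrated view (joined HR + directory data).
INTEGRATED_VIEW = [
    {"employeeID": "007", "sAMAccountName": "ckent", "department": "News", "title": "Reporter", "status": "active"},
    {"employeeID": "008", "sAMAccountName": "llane", "department": "News", "title": "Reporter", "status": "active"},
    {"employeeID": "009", "sAMAccountName": "pwhite", "department": "News", "title": "Editor", "status": "active"},
    {"employeeID": "010", "sAMAccountName": "jolsen", "department": "Photo", "title": "Photographer", "status": "terminated"},
]

# Group definitions as predicates over the integrated view; only active identities qualify.
GROUP_RULES = {
    "DL-News-Reporters": lambda r: r["department"] == "News" and r["title"] == "Reporter",
    "DL-News-All": lambda r: r["department"] == "News",
}

# Constructed snapshot of what the directory currently holds (stale entries included).
CURRENT_MEMBERSHIP = {
    "DL-News-Reporters": {"ckent", "jolsen"},   # jolsen is terminated and must be removed
    "DL-News-All": {"ckent", "llane"},
}


def populate_groups(rows, rules):
    """Evaluate each rule over the active rows; return group name -> set of member accounts."""
    groups = {}
    for name, rule in rules.items():
        groups[name] = {r["sAMAccountName"] for r in rows if r["status"] == "active" and rule(r)}
    return groups


def membership_delta(desired, current):
    """Compare calculated membership with the directory; return adds/removes per group."""
    delta = {}
    for name, wanted in desired.items():
        have = current.get(name, set())
        delta[name] = {"add": sorted(wanted - have), "remove": sorted(have - wanted)}
    return delta


def to_ldif(desired, base_dn="OU=Groups,DC=example,DC=com", user_dn="OU=Users,DC=example,DC=com"):
    """Render the calculated groups as LDIF so a file-based management agent could import them."""
    lines = []
    for name, members in sorted(desired.items()):
        lines += [f"dn: CN={name},{base_dn}", "objectClass: group", f"cn: {name}"]
        lines += [f"member: CN={m},{user_dn}" for m in sorted(members)]
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    desired = populate_groups(INTEGRATED_VIEW, GROUP_RULES)
    print(membership_delta(desired, CURRENT_MEMBERSHIP))
    print(to_ldif(desired))
```

The delta is the part worth reviewing before export: the remove list is where stale entitlements of terminated or transferred users surface, which is exactly the "unnecessary access" cost the later ADFS slides describe.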
Workflow with MIIS 2003
Workflow not integrated in MIIS 2003
Easy to extend MIIS with workflow
MIIS 2003 SP1 Resource Kit
Workflow application (account request application)
http://www.microsoft.com/downloads/details.aspx?FamilyId=D3C7BD7A-E8D5-43CF-AD4D-4F1F0AE00D79&displaylang=en
Identity and Access Management Series
HR driven provisioning with workflow
http://www.microsoft.com/technet/security/topics/identitymanagement/idmanage/default.mspx
Partner tools – MIIS Alliance
Complex workflow
Integrate BizTalk with MIIS
Future MIIS versions
Powerful workflow engine fully integrated in MIIS
MIIS Password Management: A Complete Solution
Accounts secure from provisioning to de-provisioning
Initial password set feature
Guarantees strong passwords
Reduced sign-on capabilities
Password sync initiated from Windows desktop
Ability for end user to manage passwords in systems that do not participate in password synchronization
Web portal allows end users to manage passwords in connected identity stores
Forgotten passwords
Self-service password reset solution
MIIS Roadmap
Extending MA Reach and password capabilities (Done): Additional MAs; MA SDK; Password Extensions; Password synchronization
Tools to simplify MIIS deployments (Done): Provisioning Wizard; Workflow sample app
Extending MA Reach - Ongoing (Started June ’05): Additional MAs
Improving password management capabilities (MIIS 2003 SP2, CY06): End-user self-service password reset
Further lowering the cost and risks of Identity Management (MIIS - Gemini): Codeless provisioning; Entitlement reporting; Self-service platform; Additional MAs
MIIS 2003 SP1 – Management Agents
New MAs
IBM DB2: Version 7 or 8.1; Windows OS, Linux and OS/400
IBM DS: Version 4.1, 5.1 and 5.2; Windows OS only at this time
Improved MA support
Sun One 5.2
eDirectory 8.73
MIIS Reach
Wide range of connectivity
Active Directory & ADAM
Sun/iPlanet Directory
IBM DS
Novell eDirectory
Microsoft SQL 2000 & SQL 7
Oracle 9i/8i
IBM DB2
Lotus Notes 5.x/6.x
Microsoft Exchange 5.5, 2K, 2K3
Microsoft NT 4.x
RACF
DSML, LDIF, CSV, fixed width
… others to follow
MA SDK allows ISVs and corporate developers to build custom MAs
[Diagram: MIIS at the centre of Identity Data sources reached over LDAP and SQL, spanning NOS and LOB Apps]
Agenda - ADFS
Problem: High cost of extending your network for eBusiness
Solution: Identity Federation is the Key
Product: Microsoft Active Directory Federation Services (ADFS)
Windows SSO to your Internal Network
[Diagram: a user logs on to Windows against Active Directory and reaches Exchange, Web Apps, a File Share and Windows Integrated Applications]
Flexible Authentication: Kerberos; X509 v3/Smartcard/PKI; VPN/802.1x/RADIUS; LDAP; Passport/Digest/Basic (Web); SSPI/SPNEGO
Single Sign-on to: Windows File/Print servers; Microsoft applications; 390/AS400 (Host Integration Server); ERP (BizTalk, SharePoint ESSO); 3rd Party Integrated Apps; Web Applications via IIS; Unix/J2EE (Services for Unix, Vintela)
Identity Integration
Ensure consistency of digital identity data
Active Directory & ADAM
Single store for users, computers, services, groups, etc.
Distributed, replicated for availability
Automated security policy
LDAP v3 compliant
ADAM for app-specific data
Identity Integration Server
Digital Identity Integration (meta directory)
Identity Lifecycle Management
Password Management
[Diagram: an Account Directory (Active Directory) reached over LDAP and SQL by an Enterprise App, Exchange, a Web Service, a File Share and other Applications]
eBusiness Extends your Network
[Diagram: your COMPANY and your EMPLOYEES at the centre, surrounded by your SUPPLIERS, your PARTNERS, your REMOTE and VIRTUAL EMPLOYEES, and your CUSTOMERS]
Customer satisfaction & customer intimacy; Cost competitiveness; Reach, personalization
Collaboration; Outsourcing; Faster business cycles; process automation; Value chain
M&A; Mobile/global workforce; Flexible/temp workforce
Existing IdM Approaches
Extending your network to external users
Approach: Custom Solutions + Local accounts
Issues: Expensive, custom software development; Costly client software deployment for partners; Partner account management burden
Approach: Web SSO Solutions + Local accounts
Issues: Expensive 3rd party products; Redundant infrastructure; Partner account management burden
Approach: VPN + Local accounts (for external users)
Issues: Client VPN software required; Excessive network access allowed; Partner account management burden
Approach: Windows Forest Trust
Issues: Requires native mode Windows 2003 Forests; Extensive firewall configuration
Business Costs of Partner Account Management
Regulatory Compliance: Privacy protection; End-end auditing; Repudiation
End User Productivity: Provisioning latency; Forgotten passwords; Logon frequency
IT/Helpdesk Efficiency: Account provisioning requests; Password reset requests; Account proliferation
Security: Orphaned or inaccurate accounts; Compromised passwords; Unnecessary access
Identity Federation
Standards-based technology & processes …
Projecting user Identity from a single logon …
Distributed authentication & claims-based authorization …
Across boundaries (security, departmental, organizational or platform boundaries)
Security Tokens & Claims
Distributed authentication/authorization
Security tokens assert claims
Claims – Statements authorities make about security principals (name, identity, key, group, privilege, capability, etc).
[Diagram: token formats X.509, Kerberos, XrML and SAML; tokens are Signed and carry Proof of Possession by way of a Secret Key or Password]
Security Token Service
[Diagram: a Security Token Service shown alongside a Key Distribution Center]
A security token service issues security tokens
STS’s can “swap” tokens as a request crosses security domain boundaries
Scenario: Web SSO
User credentials and attributes managed in AD or ADAM at “resource realm”
Authentication via Windows logon or web based
Single sign-on to web farm
Authorization based on claims from “resource realm”
[Diagram: Customers, Business Partners and Employees authenticate to the resource realm's STS and access the Web Farm]
Scenario: Identity Federation
User credentials and attributes managed in “home realm” by partner organization
Authentication via Windows logon or web-based
Single sign-on to web farm across organizational or platform boundaries
Authorization based on claims from “home realm”
[Diagram: Business Partners authenticate to their home-realm STS, which federates with the resource-realm STS in front of the Web Farm]
Active Directory Federation Services
Identity Federation: Extend value of Active Directory deployments to facilitate secure collaboration with partners
Web SSO: Extend value of Windows Server application platform in Internet-facing environments
[Diagram: Company A and Company B, each running IIS and AD, connected by a federation relationship]
ADFS Identity Federation
Projects AD Identities to other security realms
[Diagram: Organization A (Private Namespace) and Organization B (Private Namespace), each with its own Federation Server]
Federation Servers Manage:
• Trust -- Keys
• Security -- Claims required
• Privacy -- Claims allowed
• Audit -- Identities, authorities
ADFS Components
[Diagram: Client Web Browser, Federation Service Proxy, Federation Service, Web Server and Active Directory or ADAM, communicating over HTTPS]
Active Directory or ADAM
Windows 2000 or 2003
Authenticates users
Manages attributes
Federation Service (FS)
aka Security Token Service (STS)
Maps user attributes to claims
Issues security tokens
Manages federation trust policy
Requires IISv6 Windows 2003 R2
Federation Server Proxy (FSP)
Client proxy for token requests
Provides UI for browser clients
Requires IISv6 Windows 2003 R2
Web Agent
Enforces user authentication
Creates app authZ context from claims
NT Impersonation and ACLs
ASP.NET IsInRole()
AzMan RBAC integration
ASP.NET Raw Claims API
Requires IISv6 Windows 2003 R2
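The Security Tokens & Claims, Security Token Service, Federation Service and Web Agent slides above describe one exchange: the home-realm STS asserts claims about an authenticated user, the resource-realm STS swaps that partner token for a local one under its federation trust policy, and the web agent turns the resulting claims into an authorization context. The following Python is an added example, not ADFS code and not from this deck: it uses HMAC-SHA256 signed JSON tokens in place of SAML, and the realm names, shared keys, claim names, the group-to-role mapping and the application URL are all constructed.

```python
"""Toy claims-based federation exchange: account-realm STS -> resource-realm STS -> web agent.
Added example, not ADFS code; tokens are signed JSON rather than SAML, and every key,
realm, claim name and policy entry below is constructed."""
import base64
import hashlib
import hmac
import json


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(issuer, audience, claims, key, now, ttl=300):
    """A security token: an authority's signed statement of claims, scoped to one audience."""
    payload = {"iss": issuer, "aud": audience, "iat": now, "exp": now + ttl, "claims": claims}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token, trusted_keys, audience, now):
    """Check issuer trust, signature, audience and expiry; return the payload or raise ValueError."""
    body, _, sig = token.partition(".")
    payload = json.loads(_unb64(body))
    key = trusted_keys.get(payload.get("iss"))
    if key is None:
        raise ValueError("untrusted issuer")
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    if payload.get("aud") != audience:
        raise ValueError("token not issued for this audience")
    if now >= payload.get("exp", 0):
        raise ValueError("token expired")
    return payload


class AccountFederationServer:
    """Home-realm STS: the user's Windows logon is assumed done; it asserts claims about them."""
    def __init__(self, realm, key):
        self.realm, self.key = realm, key

    def issue(self, user, groups, employee_id, audience, now):
        claims = {"upn": user, "group": groups, "employeeID": employee_id}
        return issue_token(self.realm, audience, claims, self.key, now)


class ResourceFederationServer:
    """Resource-realm STS: swaps a partner token for a local one under federation trust policy.
    policy[issuer] = {"key": shared key (Trust), "group_map": incoming group -> local role}."""
    def __init__(self, realm, key, policy):
        self.realm, self.key, self.policy = realm, key, policy

    def swap_token(self, incoming, app_audience, now):
        trusted = {issuer: p["key"] for issuer, p in self.policy.items()}
        payload = verify_token(incoming, trusted, self.realm, now)
        claims = payload["claims"]
        if "upn" not in claims:                       # Security: claims required
            raise ValueError("required claim 'upn' missing")
        group_map = self.policy[payload["iss"]]["group_map"]
        roles = sorted({group_map[g] for g in claims.get("group", []) if g in group_map})
        # Privacy: only mapped claims are allowed through; employeeID and unmapped groups are dropped.
        return issue_token(self.realm, app_audience, {"upn": claims["upn"], "role": roles}, self.key, now)


class ClaimsPrincipal:
    def __init__(self, name, roles):
        self.name, self.roles = name, set(roles)

    def is_in_role(self, role):                       # what an IsInRole()-style check consumes
        return role in self.roles


class WebAgent:
    """Enforces authentication on the web server and builds the app's authZ context from claims."""
    def __init__(self, app_url, resource_sts, resource_key):
        self.app_url, self.trusted = app_url, {resource_sts: resource_key}

    def authenticate(self, token, now):
        claims = verify_token(token, self.trusted, self.app_url, now)["claims"]
        return ClaimsPrincipal(claims["upn"], claims.get("role", []))


def demo(now=1_700_000_000):
    """Full exchange with constructed realms and keys; returns the web application's principal."""
    key_a, key_r = b"adatum-shared-secret", b"trey-web-secret"
    account_fs = AccountFederationServer("urn:adatum:fs", key_a)
    resource_fs = ResourceFederationServer("urn:treyresearch:fs", key_r, {
        "urn:adatum:fs": {"key": key_a, "group_map": {"Purchasers": "Purchaser"}},
    })
    app = "https://orders.treyresearch.example/"
    agent = WebAgent(app, "urn:treyresearch:fs", key_r)
    partner_token = account_fs.issue("clark@adatum.example", ["Purchasers", "Domain Users"],
                                     "007", "urn:treyresearch:fs", now)
    local_token = resource_fs.swap_token(partner_token, app, now)
    return agent.authenticate(local_token, now)


if __name__ == "__main__":
    p = demo()
    print(p.name, sorted(p.roles), p.is_in_role("Purchaser"), p.is_in_role("Domain Users"))
```

The checks in verify_token are the ones that matter operationally: issuer trust (only keys in the trust policy are accepted), signature, audience (a token issued for the resource STS cannot be replayed straight to the web application) and expiry; swap_token then enforces the required claim and passes through only the mapped claims, which is the "Privacy -- Claims allowed" control on the ADFS Identity Federation slide.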
Identity Federation in Action
[Diagram: the A. Datum Account Forest (Active Directory, Internal Client, Account Federation Server) and the Trey Research Resource Forest (Resource Federation Server, Web Server), linked by a Federation Trust]
Active Directory Federation Services
Extends AD to Internet scenarios
Extranet Single Sign-on
Identity Federation
Works with existing AD deployments
Extensible and interoperable
WS-Federation, Kerberos, SAML 1.1 tokens
Availability
Windows Server 2003 R2
Microsoft Identity and Access Roadmap
[Diagram: Directory Services (AD, ADAM), Integration Services (MIIS) and Access Services (ADFS, InfoCard) serving Web Clients, Smart Clients, Web Servers and Server Services, Microsoft and Non-Microsoft]
Identity and Access Platform
• Smart client SSO, web SSO, claims-based access control, federation
• Self service, delegated admin of identities, credentials, entitlements
• Metadata publication
Identity and Access Management
• Policy authoring, compliance assessment, reporting, enforcement
• Lifecycle management
• Connectivity to other systems
Additional Resources
Visit Microsoft.com
Identity Management - http://www.microsoft.com/IDM
AD - http://www.microsoft.com/AD
Windows Server System - http://www.microsoft.com/windowsserversystem
View Microsoft’s .NET Show on ADFS
http://msdn.microsoft.com/theshow/episode047/default.asp
Get familiar with Web Services security and identity model
http://msdn.microsoft.com/webservices/
Attend WS-* workshops
http://msdn.microsoft.com/webservices/community/workshops/default.aspx
Get started with WS-* using Web Services Enhancements
http://msdn.microsoft.com/webservices/building/security/
© 2006 Microsoft Corporation. All rights reserved.This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.