Page 1: Identity and Access Management: Strategy and Solution

Sandeep Sinha, sansinha@microsoft.com
Lead Product Manager, Windows Server Product Management
Redmond, USA

Page 2: Agenda

Business Drivers
The Challenge
Identity and Access Management Framework
Identity and Access Management Solutions

Page 3: The Issues

Password Management
Provisioning and De-provisioning
Customer Portal
Partner Integration
Security
Regulatory Compliance

Page 4: Business Drivers

Strategic Initiative
  Connecting with customers and partners
  Employee Portal/Personalization
  Externalization of business processes

Improve Security
  Secure data and network access
  Assure authentication across platforms
  Manage cross-platform environment centrally

Regulatory Compliance
  HIPAA
  Gramm-Leach-Bliley
  FDIC

Lower Operations Cost
  Decrease administrative/help desk overhead
  Reduce number of logins/passwords
  Lower cost for high-turnover environments

Page 5: The Challenge

Provisioning
Single Sign On
Interoperability
Authentication
Authorization
Passwords
Directories

Page 6: Microsoft's Framework

Directory Services
Federation
Authentication
Authorization
Applications
Provisioning

Page 7: The Solution

Windows Single Sign-on
  Active Directory – The foundation
  Windows Integrated Applications
  Network Single Sign-on with Windows Server

Reduced Enterprise Sign-on
  Extending to non-integrated applications
  Using Active Directory for LDAP authentication
  The role of Microsoft Metadirectory Server (MMS)

Web Single Sign-on
  B2E using Active Directory and IIS
  B2C using Active Directory and Passport
  Extranet Access Management using Active Directory

Page 8: Windows Single Sign-on: Integrated Windows Sign-on

Active Directory
Logon to Windows

Flexible Authentication
  Kerberos
  X509 v3/Smartcard
  Biometrics
  Passport (Web)
  Basic (Web)
  Digest (Web)

Single Sign-on to:
  Windows File servers
  Windows Web applications
  Exchange email
  SQL Server
  BizTalk Server
  Other Microsoft applications
  3rd Party Integrated Apps

Diagram labels: Exchange, Web Service, File Share, Windows Integrated Applications

Page 9: Reduced Enterprise Sign-On: Extending Windows SSO

Active Directory
Logon to AD

Services for UNIX (UNIX)
  NIS Server for AD
  NIS-AD directory sync
  Password synchronization
  User name mapping

Host Integration Server (390/AS400)
  Windows to RACF accounts
  Windows to AS/400 Security System
  Bi-Directional Password Synchronization

Kerberos (Kerberos Application)
  Native AuthN protocol
  MIT v5 Compliant
  Carries group info in PAC
  Windows PAC is open

Page 10: Reduced Enterprise Sign-on: LDAP Authentication & Directory Integration

Account Directory (LDAP, SQL) – Enterprise App

Integrate LDAP with AD
  LDAP v3 compliant
  Single AD and LDAP user account
  AD/AM for personalization data

Microsoft Metadirectory Server
  Directory synchronization
    LDAP (e.g. iPlanet & others)
    Relational databases
    Application specific
  Account Provisioning
    Automate account creation
    Automate account de-provisioning
  Password Management (MMS 2003)
    Self-service password reset

Diagram labels: Exchange, Web Service, File Share, Application, Application, Active Directory

Page 11: Web Single Sign-on: B2C Using Active Directory and Passport

Windows Server 2003 IIS Web Server

(Step 1) Customer accesses a Web site using any standards-based browser.

(Step 2) Passport verifies the user's credentials and sends a PUID back to the Web site.

(Step 3) Web app verifies activation code & maps PUID to AD account.

(Step 4) User is authorized based on AD account.

Active Directory
Applications

Passport manages user credentials
Passport manages user authentication
You manage user access controls

Page 12: Web Single Sign-on: Extranet Access Management using AD

Diagram labels:
  Enterprise Extranet: Web App 1, Web App 2, SSO Agents, EAM Web SSO, Active Directory (Corporate Identities, Partner Identities)
  Authentication: LDAP Bind
  SSL Session Cookie
  Authorization Check
  "Trusted" Business Partner: Delegated Admin, Active Directory

Page 13: Microsoft Products

Windows Server 2003
  Active Directory, PKI, IAS
Microsoft Metadirectory Server 2003
Host Integration Server
Services for UNIX

Page 14: Identity and Access Management Solution

Prescriptive Guidance
  Proven
  Actionable
  Relevant

Benefits
  Faster Time to Market
  Lower Implementation Cost
  Lower Implementation Risks

Page 15: Identity and Access Management Solution

Availability
  Partners ready to deliver today.
  Early July – Customer documents

Cost
  Free

Development Partners
  PricewaterhouseCoopers LLP
  Oblix
  OpenNetworks

Global Service Partners
  PricewaterhouseCoopers LLP
  Unisys
  Hewlett Packard
  Cap Gemini Ernst and Young

Demo
  Available at Microsoft Booth

Page 16: Call to Action

Call Microsoft or Partner Sales Reps
Create Vision and Strategy
Start small and focus on ROI
Leverage Microsoft's Solution
Engage Partners and MCS

Page 17

© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

Questions!!!!

sansinha@microsoft.com