Identity Management for Mid-Market Customers Dave Sayers Technology Specialist


Page 1: Identity Management for Mid-Market Customers, Dave Sayers, Technology Specialist

Identity Management for Mid-Market Customers

Dave Sayers

Technology Specialist

Page 2

Agenda

• What do we consider the mid-market?
• What is Identity Management?
• Typical types of system
• The building blocks of an identity management solution
  • Active Directory
  • AD/AM
  • MIIS/IIFP
• When a mid-market customer needs to think about Identity Management
• Real world

Page 3

Microsoft Customer Segmentation

Segment          Sub-segment                            # PCs      # Employees
Small Business   Lower Small Business (LSB)             < 5        < 10
Small Business   Core Small Business (CSB)              5-24       10-49
Mid-Market       Lower Mid-Market (LMM)                 24-49      50-99
Mid-Market       Core Mid-Market (CMM)                  50-250     100-500
Mid-Market       Upper Mid-Market (UMM)                 250-500    500-1000
Enterprise       Corporate Accounts (CAS)               > 500      > 1000
Enterprise       Global, Major & Strategic Accounts     > 2500     > 5000

Sources: AMI data, Microsoft Internal

Page 4

Medium Sized Businesses Today

• Typically:
  • 1-2 IT managers who are depended on to keep all aspects of the business running
  • Technology demands often as sophisticated as a very large business, but limited IT budgets
  • Upgrade project looks complex and they are busy
  • Consolidation is often not a valid motivator (not enough servers)

Page 5

Identity Management

• Users are represented in multiple locations within an organisation
  • Directories, databases, proprietary apps.
• Identity information is fragmented
  • No recognised ‘master directory’
  • Systems were not designed to work together
  • Systems and data owned by different political units
• Tremendous information redundancy
  • = management complexity and inconsistent data
  • Often managed ‘manually’ – e.g. Help Desks

Page 6

Identity Lifecycle Management

New User
- User ID Creation
- Credential Issuance
- Access Rights

Account Changes
- Promotions
- Transfers
- New Privileges
- Attribute Changes

Password Mgmt
- Strong Passwords
- “Lost” Password
- Password Reset

Retire User
- Delete/Freeze Accounts
- Delete/Freeze Entitlements

Page 7

Identity & Access Management (IAM)

[Diagram: four quadrants: Who am I; What can I do; Identity store; Administration]

Identity & Access Management (IAM): providing the right people with the right access at the right time

Page 8

Identity & Access Management (IAM)

[Diagram: the same four quadrants named by function: Authentication; Authorisation; Directory; User / Resource Admin]

Identity & Access Management (IAM): providing the right people with the right access at the right time

Page 9

IAM Components: Who am I? (Authentication)

What is Authentication?
• Authentication is about confirming that you are who you say you are, so that business transactions can proceed.

Authentication Examples:
• User names and Passwords
• PIN Numbers
• Digital Certificates (PKI)
• Tokens (SecurID)
• Biometrics (Hand Scans, Retinal Scans)

Microsoft / Partner Products:
• Kerberos V5
• Microsoft Passport
• Microsoft Credential Manager

Page 10

IAM Components: What can I do (Authorisation)

What is Authorisation?
• Now that you have said who you are, what application functionality do you have access to?

What does Authorisation provide:
• The ability to grant access to applications and data based on “roles”
• An infrastructure to enable authentication into multiple applications
• Single Sign-on to web applications
• Reduces operating costs associated with user access control

Microsoft / Partner Products:
• Authorisation Manager (included in the Server 2003 package)
• Oblix NetPoint
• OpenNetwork DirSmart

Page 11

IAM Components: Administration (User / Resource Admin)

What is User Management?
• To provision the tools and applications to enable you to perform your job role

What does User Management provide:
• Automated joiners and giving them access to applications to do their job (provisioning)
• Automated removal of ‘leavers’ from multiple systems (de-provisioning)
• Self-service and delegated management functionality

Microsoft / Partner Products:
• Microsoft Identity Integration Server
• Microsoft BizTalk Server
• Oblix NetPoint
• OpenNetwork DirSmart

Page 12

IAM Components: Identity Store (Directory)

What is a Directory?
• A directory serves as a repository for user information.

What does a Directory provide:
• Central secure and resilient repository for user identities
• Able to deliver fast response times to hundreds of queries per second.
• Integration to major applications

Key Microsoft / Partner Products:
• Microsoft Active Directory
• Microsoft Identity Integration Server
• Microsoft ADAM (Application Directory)

Page 13

Microsoft Identity Management

Active Directory
• Scalable Directory Services
• Foundation for Identity & Access Mgt
• Flexible Authentication Infrastructure

Technology Partners
• Extending Active Directory
• Enterprise and Web Single Sign-On
• Comprehensive Application Access Mgt

Microsoft Identity Integration Server
• Directory Integration and Synchronization
• Provisioning, Deprovisioning, Management
• Password Management

Specific Technology Solutions
• Host Integration Server
• Services for Unix
• Services for Netware
• BizTalk (Workflow & EntSSO)

Page 14

Typical Types of System

• HR
• NOS
• Email
• Phone system
• Expenses system
• CRM

Page 15

The Active Directory Dream

• “Enterprise directory” + “NOS directory”
• Repository of consolidated information
• Centralized management, provisioning
• Single-sign-on
• Data re-used by many applications

[Diagram: Active Directory at the centre, reached over LDAP and Kerberos by a portal application, Whitepages/GAL and a generic app using single-sign-on; an HR/ERP application drives automated provisioning; centralized management and policy-based admin with single-sign-on for Windows-based resources hang off the directory.]

Page 16

Where We Are Today

• Directories deployed per-app; little re-use
• Provisioning, sync are ad-hoc

[Diagram: Active Directory provides policy & SSO for Windows, with centralized management marked “non-existent”. The portal application uses its own database; Whitepages and a generic LDAP-based app each use a separate LDAP store (ADAM, eDirectory, iPlanet); the HR/ERP app feeds the other systems through a generic dump and ad-hoc sync; Outlook/Exchange is reached over MAPI.]

Page 17

Getting to a Single Directory

• Very difficult
  • Existing application requirements
  • Scope of application (local vs. global)
  • Schema requirements
  • Control of application/identity information
• How to deal with multiple account stores
  • Infrastructure Directory – Global
  • Application Directories – Local to Application
  • Metadirectory – Integration/Business Process

Page 18

ADAM Architecture

• Same code as Active Directory - just a new mode
• Programming model, admin tools virtually identical to NOS AD – familiarity means skill sets easily transferable

[Diagram: NOS Active Directory runs inside LSASS with the DSA, LDAP, SAM, MAPI, REPL, KDC and Lanman components and depends on DNS and FRS. Active Directory Application Mode (ADAM) carries only the DSA, LDAP and REPL components (traditional AD minus infrastructure mgmt).]

Page 19

Availability & Components

• Directory Core
  • Contains the DSA, LDAP and Replication layers
  • Runs as its own process/service
• Setup
  • To copy binaries, install & start the service
• Tools
  • Familiar AD tools to manage ADAM installations
• Documentation
  • Programmers Reference in Platform SDK

Page 20

New Capabilities

• Simple install and setup
  • No DCPROMO
  • Wizard with defaults, just “Next” through
  • Does not turn machine into DC
  • Restart or reinstall without reboot
• Multiple instances on single machine
  • Each instance with own schema
• X.500-style O=, C= naming

Page 21

ADAM Usage Scenarios

• Example: web portal with personalization
  • Store personalization info in ADAM
  • Use AD for authentication

[Diagram: the client talks to the web portal server; the portal stores/retrieves data in ADAM and authenticates users against the infrastructure Active Directory.]

Page 22

ADAM Usage Scenarios

• Store app data without extending infrastructure directory
• App data keyed off identifier from infrastructure directory

[Diagram: the web portal server stores/retrieves data specific to the portal app in AD/AM, while data shared by multiple apps stays in the infrastructure directory; the user object (right) is mirrored by a “shadow” entry in AD/AM (left).]

Page 23

ADAM

Page 24

Where MIIS fits in

[Diagram: MIIS 2003 Integration Services in the centre, synchronising with the infrastructure directory (Active Directory), a database, an HR/ERP app, application directories (App DS on ADAM), a 3rd-party DS and DS-enabled apps; centralized identity management sits above it. Arrows are labelled “access” (apps to their own directory) and “sync” (MIIS to each store).]

Page 25

What is a Metadirectory?

• Service that collects information from different data sources
• Combines all or part of that information into an integrated view
• Apply rules as to how information is managed
  • Which source is authoritative
  • How attributes flow

Example (records for one person, sharing Employee ID 100100):

Source record
  Name: Dave Sayers
  Employee ID: 100100
  Telephone No.: 111222

AD
  Name: dsayers
  Employee ID: 100100
  Email: [email protected]

Metadirectory
  Name: Dave Sayers
  Employee ID: 100100
  Telephone No.: 111222
  Email: [email protected]

Page 26

MIIS 2003 Architecture

• MIIS runs as a service
• Management Agents (MA) connect to systems
• Metadirectory data stored in SQL
• Admin client connects to service via DCOM

[Diagram: the MIIS Service hosts an MA Controller with one MA per connected system (iPlanet MA, AD MA, Oracle MA, … MA) connecting to AD/E2K, iPlanet and Oracle; the MIIS Store holds the metadirectory data; the MIIS Admin Client connects over DCOM.]

Page 27

MIIS - Concepts

• Connected Directory (CD)
  • Source and/or destination for synchronised attributes
• Connector Space (CS)
  • Staging area for inbound or outbound synchronised attributes
• Metaverse (MV)
  • Central (SQL) store of identity information
  • Matching CS entries to a single MV entry is called “join”

[Diagram: connected directories (AD, Oracle, SQL, Exchange 5.5) each map into the connector space, whose entries join to a single User entry in the metaverse.]

Page 28

Key concepts for MIIS

• Provisioning/Deprovisioning
  • Making a user productive immediately
  • Role changes, planned/urgent terminations
  • Grant and ensure appropriate access
  • Minimize costs
  • Increase security through strong defaults
• Synchronisation
• Attribute Flow
• Password Management
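The metadirectory behaviour described on the "What is a Metadirectory?", "MIIS - Concepts" and "Key concepts for MIIS" slides (join of connector-space entries to one metaverse entry, an authoritative source per attribute, attribute flow in both directions, deprovisioning of leavers), as an added Python model that is not part of the original deck and is not MIIS code or configuration. Employee 100100 mirrors the slide's records; employees 100200 and 100300, the stale AD telephone number, the example.com addresses, and the precedence, export-flow and review rules are constructed for this example.

```python
"""Toy metadirectory run: join connector-space entries on Employee ID, flow
attributes by precedence, compute exports and review actions.
Constructed example, not MIIS code or configuration."""
from typing import Dict, List

JOIN_ATTRIBUTE = "Employee ID"
AUTHORITATIVE_CD = "HR"          # the source that decides whether a person exists

# Constructed connector-space (CS) contents: the staged inbound objects from each
# connected directory (CD). Employee 100100 mirrors the slide; 100200, 100300,
# the stale AD telephone and the example.com addresses are made up.
CONNECTOR_SPACES: Dict[str, List[dict]] = {
    "HR": [
        {"Employee ID": "100100", "Name": "Dave Sayers", "Telephone No.": "111222", "Status": "active"},
        {"Employee ID": "100200", "Name": "Ann Example", "Telephone No.": "333444", "Status": "leaver"},
    ],
    "AD": [
        {"Employee ID": "100100", "Name": "dsayers", "Telephone No.": "999999"},   # stale phone
        {"Employee ID": "100200", "Name": "aexample", "Telephone No.": "333444"},
    ],
    "Mail": [
        {"Employee ID": "100100", "Email": "dsayers@example.com"},
        {"Employee ID": "100300", "Email": "nobody@example.com"},   # no HR record at all
    ],
}

# Import attribute flow: for each metaverse (MV) attribute, the CDs allowed to
# contribute it, most authoritative first ("which source is authoritative").
IMPORT_PRECEDENCE = {
    "Name": ["HR", "AD"],
    "Telephone No.": ["HR", "AD"],
    "Email": ["Mail"],
    "Status": ["HR"],
}

# Export attribute flow: MV attributes pushed back out to each CD.
EXPORT_FLOW = {"AD": ["Telephone No."], "Mail": ["Name"]}


def join(connector_spaces):
    """Match the CS entries of every CD to a single MV entry per join key (the "join")."""
    joined = {}
    for cd, entries in connector_spaces.items():
        for entry in entries:
            key = entry.get(JOIN_ATTRIBUTE)
            if key:                       # entries without a key stay unjoined
                joined.setdefault(key, {})[cd] = entry
    return joined


def flow_imports(joined, precedence=IMPORT_PRECEDENCE):
    """Build the MV: each attribute comes from the first CD in its precedence list that has it."""
    metaverse = {}
    for key, by_cd in joined.items():
        mv_entry = {JOIN_ATTRIBUTE: key}
        for attr, sources in precedence.items():
            for cd in sources:
                if attr in by_cd.get(cd, {}):
                    mv_entry[attr] = by_cd[cd][attr]
                    break
        metaverse[key] = mv_entry
    return metaverse


def pending_exports(joined, metaverse, export_flow=EXPORT_FLOW):
    """Outbound changes as {cd: {key: {attr: (old, new)}}} where a CD disagrees with the MV."""
    changes = {}
    for key, mv_entry in metaverse.items():
        for cd, attrs in export_flow.items():
            cs_entry = joined[key].get(cd)
            if cs_entry is None:
                continue                  # this MV entry has no connector in that CD
            for attr in attrs:
                old, new = cs_entry.get(attr), mv_entry.get(attr)
                if new is not None and old != new:
                    changes.setdefault(cd, {}).setdefault(key, {})[attr] = (old, new)
    return changes


def review_actions(joined, metaverse):
    """Deprovisioning hygiene: leavers still holding accounts, and accounts nobody in HR owns."""
    actions = []
    for key, by_cd in joined.items():
        if AUTHORITATIVE_CD not in by_cd:
            actions.append((key, "orphan", sorted(by_cd)))
        elif metaverse[key].get("Status") == "leaver":
            targets = sorted(cd for cd in by_cd if cd != AUTHORITATIVE_CD)
            if targets:
                actions.append((key, "disable", targets))
    return actions


def run_sync(connector_spaces=CONNECTOR_SPACES):
    """One import/sync pass: returns (metaverse, pending exports, review actions)."""
    joined = join(connector_spaces)
    metaverse = flow_imports(joined)
    return metaverse, pending_exports(joined, metaverse), review_actions(joined, metaverse)


if __name__ == "__main__":
    mv, exports, actions = run_sync()
    print(mv, exports, actions, sep="\n")
```

The orphan and disable actions are the "strong defaults" point from the slide: an account with no authoritative owner, or owned by a leaver, is surfaced for review instead of being silently kept.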

Page 29

Key Scenarios

• Hire/Fire
  • For multiple-site and/or high staff turnover customers
• Integration
  • Mergers and Acquisitions

Page 30

GAL – The issue

Global Address List is per Exchange Org, per forest

[Diagram: Forest 1 (Exchange), Forest 2 (No Exchange) and Forest 3 (Exchange), each with Outlook clients; Forests 1 and 3 each have an Exchange Server/GC. A “??” marks the missing link between the forests’ address lists; msExchMasterAccountSID is noted.]

Page 31

Identity Integration Feature Pack

• Version of MIIS which contains:
  • GALSync MA
  • Active Directory MA
  • ADAM MA
• Users are represented as contacts
• Distribution and Security Groups are represented as contacts
• Contacts are represented as contacts
• GAL Sync ADMA is a preconfigured Active Directory Management Agent released with MIIS 2003
  • Uses the LDAP DIRSYNC control
  • Handles rename and moves of objects
  • Detects and uses AD forest schema

Page 32

GAL Sync Deployment

• Step 1: Gathering data
  • Determine Source and Target forest information
• Step 2: Setup GAL Sync ADMA
  • Setup one GAL Sync AD Management Agent per Exchange forest with source and target forest information
• Step 3: Verify configuration
  • Type of objects, rules, run profiles
• Step 4: Run Sync

Pages 33-37

GAL Sync - Syncing Users

[Diagram, built up over five slides: Forest 1 (Exchange), Forest 2 (No Exchange) and Forest 3 (Exchange), each with Outlook clients; Forests 1 and 3 each have an Exchange Server/GC; an IIFP server is added between the forests.]

• Set up an IIFP server
• IIFP will get object information for every user in a forest
• For users in a forest, IIFP will create contacts in other forests
• Exchange will populate Address List(s) with the contacts
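The contact projection described on the Identity Integration Feature Pack slide (users, groups and contacts all represented as contacts in the other forests; rename and move handling) and walked through on the Syncing Users slides, as an added Python planner that is not part of the original deck and not IIFP code: it computes the add/rename/update/delete actions each Exchange forest needs. Assumptions: forest names, OUs, addresses and objectGUID strings are constructed; only mail-enabled objects are published; contacts are created only in forests that host Exchange; and the DIRSYNC change detection is replaced by a full comparison against the contacts created by an earlier run.

```python
"""Toy GAL sync planner: the contacts each Exchange forest should carry for the
mail-enabled users, groups and contacts of the other forests. Constructed
example, not IIFP code; objectGUID is the anchor, so a rename changes the
contact's CN while a move between OUs changes nothing."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class DirObject:
    guid: str                     # objectGUID: survives rename and move
    dn: str
    object_class: str             # "user", "group" or "contact"
    display_name: str
    mail: Optional[str] = None    # None = not mail-enabled


@dataclass
class Forest:
    name: str
    has_exchange: bool
    contacts_ou: str                                                # target OU for synced contacts
    objects: List[DirObject] = field(default_factory=list)
    synced_contacts: Dict[str, dict] = field(default_factory=dict)  # by source objectGUID


def publishable(obj: DirObject) -> bool:
    """Users, groups and contacts are all represented as contacts if mail-enabled."""
    return obj.mail is not None and obj.object_class in ("user", "group", "contact")


def contact_for(source: Forest, target: Forest, obj: DirObject) -> dict:
    """The contact object `target` should hold for one source object."""
    return {
        "dn": f"CN={obj.display_name},OU={source.name},{target.contacts_ou}",
        "displayName": obj.display_name,
        "mail": obj.mail,
    }


def plan_sync(forests: List[Forest]) -> Dict[str, List[tuple]]:
    """Per Exchange forest, the (action, source_guid, contact_dn) list to apply."""
    plan = {}
    for target in forests:
        if not target.has_exchange:
            continue                      # no GAL to populate (assumption)
        desired = {}
        for source in forests:
            if source is not target:
                for obj in source.objects:
                    if publishable(obj):
                        desired[obj.guid] = contact_for(source, target, obj)
        actions = []
        for guid, want in desired.items():
            have = target.synced_contacts.get(guid)
            if have is None:
                actions.append(("add", guid, want["dn"]))
            elif have["dn"] != want["dn"]:
                actions.append(("rename", guid, want["dn"]))   # source object renamed
            elif have != want:
                actions.append(("update", guid, want["dn"]))   # e.g. mail address changed
        for guid, have in target.synced_contacts.items():
            if guid not in desired:
                actions.append(("delete", guid, have["dn"]))   # source object gone
        plan[target.name] = actions
    return plan


def sample_forests() -> List[Forest]:
    """Constructed layout matching the slides: Forest 1 and 3 run Exchange, Forest 2 does not."""
    f1 = Forest("Forest1", True, "OU=GALSync,DC=forest1,DC=example", objects=[
        DirObject("g-dave", "CN=Dave Sayers,OU=Users,DC=forest1,DC=example", "user",
                  "Dave Sayers", "dsayers@forest1.example"),
        DirObject("g-sales", "CN=Sales,OU=Groups,DC=forest1,DC=example", "group",
                  "Sales", "sales@forest1.example"),
        DirObject("g-svc", "CN=svc-backup,OU=Users,DC=forest1,DC=example", "user",
                  "svc-backup"),                          # no mail: never published
    ])
    f2 = Forest("Forest2", False, "OU=GALSync,DC=forest2,DC=example", objects=[
        DirObject("g-bob", "CN=Bob Example,OU=Users,DC=forest2,DC=example", "user",
                  "Bob Example", "bob@forest2.example"),
    ])
    f3 = Forest("Forest3", True, "OU=GALSync,DC=forest3,DC=example", objects=[
        DirObject("g-ann", "CN=Ann Example,OU=Users,DC=forest3,DC=example", "user",
                  "Ann Example", "ann@forest3.example"),
    ])
    # Contacts left in Forest 3 by an earlier run: Dave before a surname fix,
    # and one whose source object has since been deleted.
    f3.synced_contacts = {
        "g-dave": {"dn": "CN=Dave Sayer,OU=Forest1,OU=GALSync,DC=forest3,DC=example",
                   "displayName": "Dave Sayer", "mail": "dsayers@forest1.example"},
        "g-gone": {"dn": "CN=Old Leaver,OU=Forest1,OU=GALSync,DC=forest3,DC=example",
                   "displayName": "Old Leaver", "mail": "old@forest1.example"},
    }
    return [f1, f2, f3]


if __name__ == "__main__":
    for forest, actions in plan_sync(sample_forests()).items():
        print(forest, actions)
```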

Page 38

GAL Sync

Page 39

Beyond GALsync

• IIFP will support AD to AD as well as AD to ADAM sync
• Useful for integrating printing between the two forests:
  • Use IIFP to synchronise sites, subnets and printers
  • Allow the use of printer location tracking
  • Meets the requirement of making it easy for roaming users to print in other offices
• But sometimes it’s just not enough…

Page 40

MIIS Deployment and Management

• Easy to deploy
  • No agents to deploy on connected systems
  • MIIS can stand-alone or share clustered SQL
  • Migrate configuration from test to production via XML files
• Easy to extend existing deployment
  • System is designed so that it’s easy to incrementally add capabilities
  • Easily add more systems or expand business rules
• Easy to troubleshoot and Manage
  • Preview Mode
  • Data Lineage
  • All error information stored in the database
  • MOM Management Pack available for download

Page 41

SSO/Access Management

• SSO
  • Can be straightforward across Windows estates (Exchange, trust relationships)
  • 3rd parties offer additional capabilities
• Access Management
  • ACLs
  • RBAC
  • Access Management can be challenging in merger/acquisition scenarios
  • Selective Authentication

Page 42

Selective Authentication

Page 43

Putting it all together

• Active Directory acts as NOS and ‘network identity’
• ADAM can be used for additional information or as another identity store
• IIFP can join these two together
• Start to incorporate additional systems using MIIS
• Single sign-on enabled through 3rd party products
• ADFS?

Page 44

MIIS Projects

• Common Objections:
  • Cost
  • Complexity of the project
  • Self-service
  • AD Requirement
  • No LDAP head
  • Does not support real-time updates
  • Connected Directory reach
• Customer stories

Page 45

Putting it all together – a full Identity Management Solution

Page 46

Summary/Call to Action

• Identity Management is relevant to almost all customers
  • Although in certain scenarios for mid-market customers
• Microsoft provides the core building blocks for building an identity management solution
• Examine the capability to use these solutions in your business
• If an acquisitive customer, have a process to use IIFP for a consolidated GAL

Page 47

Resources

• Technical Chats and Webcasts
  • http://www.microsoft.com/communities/chats/default.mspx
  • http://www.microsoft.com/usa/webcasts/default.asp
• Microsoft Learning and Certification
  • http://www.microsoft.com/learning/default.mspx
• MSDN & TechNet
  • http://microsoft.com/msdn
  • http://microsoft.com/technet
• Virtual Labs
  • http://www.microsoft.com/technet/traincert/virtuallab/rms.mspx
• Newsgroups
  • http://communities2.microsoft.com/communities/newsgroups/en-us/default.aspx
• Technical Community Sites
  • http://www.microsoft.com/communities/default.mspx
• User Groups
  • http://www.microsoft.com/communities/usergroups/default.mspx

Page 51

© 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.