1 / 20

Microsoft Identity Solutions

Microsoft Identity Solutions. Microsoft Services. Anthony Witecki, Microsoft Consulting Services. Access Control Layers Brokered at multiple layers in a system Moves from fine-grained access (data and application layer) to coarse-grained access (network and OS layer). Enterprise Identity.

Download Presentation

Microsoft Identity Solutions

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Microsoft Identity Solutions Microsoft Services Anthony Witecki, Microsoft Consulting Services

  2. Access Control Layers Brokered at multiple layers in a system Moves from fine-grained access (data and application layer) to coarse-grained access (network and OS layer) Enterprise Identity An identity is the sole item connecting an individual to a variety of services both on and off premises. In order to be viewed holistically, there needs to be two main elements. 4 Pillars of Identity Each pillar needs to be accounted for at each access control layer Network Operating System Auditing Administration Authentication Authorization Application Data

  3. The Identity Pillars • Administration • Single View • Automated Provisioning and De-provisioning • Synchronization • Manual Administration • Self-Service • Entitlement management • Requests • Manage business identity rules at the enterprise-level • Central IdM system brokers requests and approvals • Align business processes to workflows • Approvals • For coarse-grained access, assign application owners as approvers • For fine-grained access, leverage the RBAC/ABAC/PBAC system in place • Authentication • Security • Authentication Strength • Multi-Factor Authentication • Authentication Delegation • Experience • Disjoint Sign On • Global Sign On • Reduced Sign On • Single Sign On • To Achieve SSO • Central Issuer • Credential Forwarding • Protocol Transition • Authorization • Abstraction • Authorization hard coded into the app • Abstract authorization away from the app • Coarse-Grained • Similar to locking your front door • Works well at the Network and Operating System layers • Fine-Grained • Role-Based • Define tasks based on your job and group them together • Attribute-Based • Application owns the decision based on claims about you • Policy-Based • Decision made centrally by the enterprise • Auditing • Many Places • Needs to happen at every layer • Network > VPN, SSL VPN, Access Gateway • OS > Servers and clients • Application > App-specific logs / web server logs • Resources > Various • Many Systems • At the decision maker • At the application • At the entitlement source • Decentralization • Collect logs from various systems • Normalize the data • Analyze data / Generate reports

  4. Administration Build an accurate view of the identity single view requests • The #1 goal of the administration pillar is to establish that “single view” of an identity • There are many solutions to this when dealing with on-premise identities: • Automated Provisioning and De-provisioning • Synchronization • Manual Administration • Self-Service • Entitlement management Manage business identity rules at the enterprise-level Use a central identity management system as the request and approval broker Ensure that your business processes can to the request and approval workflows approvals For coarse-grained access, assign application owners as approvers For fine-grained access, leverage the RBAC/ABAC/PBAC system in place

  5. Authentication experience How much assurance is “enough”? security • Disjoint Sign On • Multiple credentials • Multiple authenticators • Global Sign On • Single set of credentials • Multiple authenticators • Reduced Sign On • Single or Multiple credentials • Multiple authenticators • Single Sign On • Central token issuer • Credential forwarding • Protocol transition • Authentication Strength • Directory binds • Challenge / Response • Asymmetric Cryptography • Multi-Factor Authentication • Assurance levels • Cost • Authentication Delegation

  6. Authorization role-based Make the best decision possible abstraction Based on your job function Define tasks and group them together • Authorization hard-coded into the app • Expensive and Slow • Abstract authorization away from the app • Modularized operations • Flexibility attribute-based Based on something about you Application owns the decision - ties attributes to operations Claims-based access coarse-grained policy-based Similar to locking your front door Works well at the Network and Operating System layers Externalize the authorization decision Fits nicely into a SOA-based approach Centralized

  7. Auditing Who did what, when, and how did they get access to it? many places many systems • Auditing needs to be comprehensive and occur at every layer in the access control model • Network • VPN, SSL VPN, Access Gateway • Operating System • Servers and potentially clients • Application • App-specific logs and web server logs • Resources • At the decision maker • What was the decision and how was it made? • At the application • What did the identity do? • At the entitlement source • How long did the identity have this attribute?

  8. Auditing Who did what, when, and how did they get access to it? many things decentralization • Ability to illustrate who approved: • A new or deleted identity • Addition or subtraction of entitlements from an identity • Who, or which, identities had access to what service or resource and when (also who approved that access) • Any changes related to the identity object and associated approval/rejection processes • Ability to show auditors information surrounding an identities overall lifecycle • Ability to create and provide reports on the above Collect logs from various systems Normalize the data Analyze data / Generate reports

  9. What is Microsoft Doing About My Identity Crisis? 15 POINT INSPECTION

  10. Implementation Roadmap • Provide customers with an roadmap based on customer goals and technology capabilities • Gives an end-state visionwith incremental success • Leverage Offerings: • Enterprise Identity Management • Enterprise Federated Identity • Some work may require a custom Services engagement • Fill in the gap over time with new offerings

  11. Services Offering:Security, Identity & Access Management (SIAM) • Mail Protection Gateway • Federated Identity • Identity Management • Malware Protection • Remote Access • Data Protection • Web Protection • Mail Protection and Filtering • Document Library Protection and Filtering • Rights Management • Secure Remote Access • Federated Identity • Malware Protection • Remote Access • Data Protection • Identity Management • Federated Identity • Public Key Infrastructure • Network Protection Cloud Desktop Productivity Datacenter Secured by SIAM

  12. Enterprise Deployment Model

  13. Case Study in Washington State Identity Provider Resource Provider Person Table Retirement Systems Trust Trust Public Authentication Enterprise Active Directory Federation Server Federation Server Federation Server HRMS Redirect De-provisioning Browse Trust Browse Identity Provisioning PUBLIC Redirect Web Application Browse Constituent Data

  14. General Requirements - Authentication • Active Directory used for authentication • Can authenticate users in the same forest as the AD FS servers • Can authenticate users in trusted forests, but there must be a forest-level two-way trust in place • Non-Microsoft Identity Providers can be used • Only Identity Providers that Microsoft has published a federation step-by-step guide for • Partner agreements and paperwork must be in place prior to deployment of the solution • Home Realm Discovery page will not be customized as part of this engagement • User authentication over the Internet • Forms-based authentication only • Certificate-based authentication can be used, but configuring it is outside the scope of this engagement • Customer can configure certificate authentication post-engagement if they wish

  15. General Requirements - Certificates • Customer must supply SSL certificates for the federation service • Each AD FS 2.0 server and AD FS 2.0 proxy server requires an SSL certificate: • Same DNS name must be used for the subject name on every cert • Each server must have a public/private key pair • Each server is not required to use the same certificate, but they can if the issuer allows it • Can purchase the necessary certificates from a third party issuing authority • May need to purchase multiple certificates, depending on the issuer’s policies • Wildcard or SAN certificates can be used, but are not necessary • Can issue the certificates from the customer’s Certificate Authority • The issuing CA must be trusted by all clients logging on to the federation service • Ideal if your clients are all “managed clients” • Not ideal if users are connecting over the internet with non-corporate computers • Hybrid Approach Possible • Use internally-issued certificates for the internal federation servers • Purchase trusted certificates for Proxy federation servers

  16. Solution Requirements for Federation Which Scenarios Apply? • Internal employee access • Allow employees to achieve SSO to federated applications when on the network • Allow employees to achieve SSO to federated applications when working remotely • Internal organization may be a large, complex multi-forest infrastructure, looking to simplify access without trusts • Sharing applications with another organization • Allow partners to use their own accounts for accessing SharePoint 2007 • Allow partners to use their own accounts for accessing data protected with Active Directory Rights Management Services • Increase security by leveraging partner’s de-provisioning process • Access applications hosted by another organization • Use domain credentials for SSO and access to Office 365 applications • Use domain credentials for SSO and access to partner-hosted applications

  17. Application Requirements for Federation • Applications must be claims-aware • .Net applications must use Windows Identity Foundation • Non-Microsoft applications must use SAML 2.0 or WS-Federation protocols • Customer will configure relying party trusts outside of this engagement • Except for Office 365, SharePoint 2007, or AD RMS relying parties • Microsoft will not modify existing applications to make them claims-aware

  18. Requirements for Identity Synchronization • Identity repositories must be identified and classified by integrity level • Identity attributes must be identified and matched to authoritative repositories • This becomes the Metaverse or Metadirectory • Security and distribution groups must be classified by security level • User provisioning must be mapped out • What systems are used during the entry and exit processes? • What approvals are necessary for each system? • Certificate management requirements must be defined

  19. Questions?

More Related