
Identity & Access Management Conversation



Presentation Transcript


  1. Identity & Access Management Conversation Karlien Vanden Eynde Product Marketing Manager

  2. Agenda
  • 13:30 – 14:30 Wider Identity Conversation – Kim Cameron
  • 14:30 – 15:30 Microsoft IAM: Business Needs and IT Challenges – Henk Den Baes
  • 15:30 – 16:00 Coffee Break
  • 16:00 – 17:15 FIM 2010: From Identity Synchronization to Identity Management – Federico Guerrini
  • 17:15 – 17:20 Partner Offerings
  • 17:20 – 18:00 Networking & Cocktail

  3. Digital Identity Discussion Kim Cameron Chief Architect of Identity

  4. Identity • The stuff of Poets and Philosophers Digital Identity

  5. Digital Identity • How the web and the world recognize us in different contexts • Foundation for personalization • The social “mouse” or “keyboard” • Foundation for interaction, collaboration and social phenomena • I can’t collaborate over time if I can’t recognize and refer to you • Foundation for digital economy

  6. Identity is a mosaic • Disruptive ability and tendency to connect all information about individuals brings significant commercial and social risk

  7. Architectural Problem • The Internet was not designed with any way to know who you’re connecting to • Patchwork quilt of kludges

  8. www.identityblog.com

  9. The Claims Based Model

  10. What is the Claims-Based Model?
  • Claims-based model: abstraction layer for authenticating, authorizing, and obtaining information about users, devices and services
  • Claim: a statement that is in doubt, made by one subject about another subject
    • Email = kcameron@microsoft.com
    • Age > 21
    • Manager = Craig Wittenberg
    • Role = Architect
  • Primordial claims: passwords, keys and certificates
  • Identity Metasystem: open, standards-based architecture for exchange of claims under user control
  • Claims Transformer: matches impedance
  • Write to the model, let the infrastructure adapt to the environment

  11. Flow in the Claims-Based Model
  • Application: requires and uses claims to describe users
  • Claims provider: supports protocols for issuing claims
  • Relationship: context in which the meaning of claims is defined
  [Diagram: Subject, Claims Provider (Security Token Service) and Application (requires claims), joined by a Relationship; 1. Require claims, 2. Get claims, 3. Send claims]

  12. Identity, Capabilities, Authorization – How the Claims Service works
  • Claims Transformation
    • New semantics at domain boundaries
    • Different issuer (for example “Local STS”)
    • Transform from Identity to Capabilities
  • Claims Augmentation: not just identifiers!!
  [Diagram: Policy + Claims → Claims Evaluation and Transform → New Claims]
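The flow of slides 10 to 12, as an added Python example that is not part of the presentation: a partner STS issues identity claims about a subject, a local STS at the domain boundary verifies them and transforms them into capability claims (a role) while augmenting them, and the application accepts only tokens from the issuer it trusts. The issuer names, keys, subject and department-to-role table are constructed; a shared HMAC key stands in for the asymmetric signature a real STS uses.

```python
import hashlib
import hmac
import json

# Constructed demo keys. A real STS signs with an asymmetric private key (as the
# AD FS slide describes); a shared HMAC key stands in for that here.
STS_KEYS = {"partner-sts": b"partner-demo-key", "local-sts": b"local-demo-key"}

# The "relationship": how the local domain interprets a partner's identity claims.
DEPARTMENT_TO_ROLE = {"Architecture": "Architect", "Finance": "Accountant"}


def issue_token(issuer, subject, claims):
    """Claims provider (STS): bind claims to a subject under the issuer's key."""
    body = json.dumps({"iss": issuer, "sub": subject, "claims": claims}, sort_keys=True)
    sig = hmac.new(STS_KEYS[issuer], body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_token(token, trusted_issuers):
    """Check issuer trust first, then the signature, before any claim is used."""
    payload = json.loads(token["body"])
    issuer = payload["iss"]
    if issuer not in trusted_issuers:
        raise ValueError("untrusted issuer: " + issuer)
    expected = hmac.new(STS_KEYS[issuer], token["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        raise ValueError("signature mismatch")
    return payload


def local_sts_transform(partner_token):
    """Claims transformer at the domain boundary: identity claims in, capability claims out."""
    payload = verify_token(partner_token, {"partner-sts"})
    identity = payload["claims"]
    role = DEPARTMENT_TO_ROLE.get(identity.get("department"), "Guest")
    # Augmentation: the local STS adds claims the partner never issued, and re-issues
    # under its own name, so the application only ever trusts the local issuer.
    capabilities = {"email": identity["email"], "role": role, "tenant": "local"}
    return issue_token("local-sts", payload["sub"], capabilities)


def application_access(token, required=("email", "role")):
    """Relying application: trusts only the local STS and requires specific claims."""
    payload = verify_token(token, {"local-sts"})
    missing = [c for c in required if c not in payload["claims"]]
    if missing:
        raise ValueError("missing claims: " + ", ".join(missing))
    return payload["claims"]
```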

  13. Where is the industry in the process?
  • Standards widely accepted – OASIS
  • Interoperability deeply tested – OSIS Interoperability Testing and Liberty Alliance
  • Platforms will finally have claims as a built-in feature
    • Microsoft ADFS V2 shipping now
    • Part of Active Directory – expect wide adoption and deployment given no marginal cost
  • COTS software can count on claims “being there”
    • Example: Microsoft flagship applications like SharePoint
  • Great products by many vendors
  • Cloud service adoption and strong competition
  • Many proofs of concept by private enterprise and government

  14. New initiatives in consumer space: OpenID
  • Metasystem model
  • Big service providers are all supporting OpenID (Yahoo, AOL, Google, Windows Live, etc.)
  • Many small providers (e.g. universities)
  • US Government support
  • Widely available software for ISVs
  • Severe security issues being worked on by the industry

  15. Identity selector for OpenID

  16. The Claims Architecture

  17. Architecture, Starting with the Enterprise
  • How does an enterprise or government department make its application available to more than just employees?
  [Diagram: An Enterprise (Identity Store, Enterprise Application) and Its Partner (Identity Store with Roles, Properties), with the Microsoft Services Identity Backbone between them; the link from the partner to the application is marked “?”]

  18. Industry Standard Components
  • Claims API: middleware or framework for building claims-aware applications
  • Claims Service: Security Token Service (STS) connecting to an identity store
  • Identity Selector: client component allowing the user to select and control identity
  [Diagram: Enterprise Identity Backbone and Microsoft Services Identity Backbone; Identity Store → Claims Service (2) → Claims (3) → Claims API → Enterprise Application (1); the partner's Claims Service is backed by an Identity Store holding Roles, Properties]

  19. The Claims Service
  • Claims Service = Security Token Service (STS)
  • Standard across vendors
  • Multiple protocols: SAML, WS-Federation, WS-Trust
  • Multiple payloads
  • Multiple vendors: Open Source, Microsoft, IBM, Novell, Sun, Siemens, etc.
  [Diagram: Enterprise Application with Claims API receives Claims from the enterprise Claims Service (Identity Store); Partner Claims Services backed by a Directory and a Database reach it through the Microsoft Services Identity Backbone]

  20. Architecture Works for Cloud, Too
  • Claims Service: “Enterprise” protocols also used by cloud providers
  • Additional protocol for providers in the consumer space: OpenID
  • Several large cloud service providers already support the model
  • Allows a single federation agreement to access many services
  • No lock-in to any cloud provider
  [Diagram: Cloud Service Identity Backbone with Identity Store and Cloud Application (Claims API, Claims Service); Claims arrive from Enterprise and University Claims Services backed by a Directory and a Database]

  21. From Architecture To Off-The-Shelf Product

  22. Active Directory Federation Services – Integrate and extend security
  • Shared identity with partner organizations and cloud services
  • Boost cross-organizational efficiency and communication with more secure access
  • Support the sharing of rights-protected messages between organizations
  • Improved support for Microsoft SharePoint Server as a claims-aware application
  [Diagram: Trey Research Account Forest (AD DS, AD FS, Exchange 2010, AD RMS) and Woodgrove Bank Resource Forest (AD DS, AD FS, SharePoint Server Farm) joined by a Federation Trust; the user's account/credentials authenticate to AD FS, which issues a Security Token; the user is redirected to the Security Token Service (STS), posts claims to the application and gains Application Access; Business Partners use the same Token and claims exchange]

  23. Cloud Services Single Sign On with Extended Collaboration – Integrate and extend security
  • Implements a single user access model with native single sign on (SSO) and easier federation to on-premise and cloud services
  • Helps provide consistent security with a single user access model externalized from applications
  • Based on open, industry-standard protocols for interoperability
  • Token flow: AD FS creates a SAML token, signs it with the company's private key, and sends it back to the user; access is supplied with the token
  [Diagram: Corporate User presents a Security Token (e.g., Kerberos Ticket) to AD FS, backed by AD DS; the resulting token is used with Exchange, SharePoint, a Web App, a Claims-Aware Application and a Partner]

  24. Seamless Access to On-Premises and In-Cloud – Integrate and extend security
  • SSO for on-premises and in-cloud applications
  • Native support for Web and application SSO (including multi-factor authentication)
  • Addresses security risks and interoperability problems caused by extending business resources beyond the corporate network and across disparate systems
  • Get seamless access to in-cloud and on-premises applications
  • External users get an authentication token from AD FS
  [Diagram: Corporate User, Remote Employee and Business Partners obtain an Auth. Token from AD FS (backed by AD DS) and get SSO to On-Premises Web Apps and In-Cloud Web Apps]

  25. Managing the Use of Claims Provisioning Claims and Resources

  26. Identity Management – User provisioning – Simplify security, manage compliance
  • Policy-based identity lifecycle management system
  • Built-in workflow for identity management
  • Automatically synchronize all user information to different directories across the enterprise
  • Automates the process of on-boarding users
  [Diagram: User Enrollment from the HR System → FIM (Workflow, Manager Approval) → user provisioned on all allowed systems: Active Directory, Lotus Domino, LDAP, SQL Server, Oracle DB, FIM CM]

  27. Forefront Identity Manager 2010 Simplify security, manage compliance • FIM Enables Identity-based Controls for Information Protection • Enforced through Windows Server and Active Directory Rights Management Services • FIM Enables Application and Network Access Controls • Enforced in Forefront Unified Access Gateway • FIM Enables Federation and Cloud-based Services • FIM supplies data for claims, performs user account provisioning and deprovisioning, and manages smartcards or software certificates

  28. FIM Enables Federation and Cloud Simplify security, manage compliance • FIM supplies ADFS with data for claims • For example, construct a “role” claim based on data in FIM to use for authorization in place of security groups • FIM supplies cloud-based services with user account provisioning and de-provisioning • For services which need a copy of the directory • FIM provisions users with smartcards or software certificates • Enables users to leverage stronger authentication for access to cloud-based services than just a password

  29. FIM Manages Primordial Claims – Simplify security, manage compliance
  • Increase access security beyond username and password solutions
  • Streamline deployment by enrolling user and computer certificates without user intervention
  • Simplify certificate and SmartCard management using Forefront Identity Manager (FIM)
  • Enhance remote access security through certificates with Network Access Protection
  • Stronger authentication through certificates for administrative access and management
  Enrollment flow shown in the diagram (End User, HR System, FIM, FIM CM, AD CS, SmartCard):
  • User Enrollment and Authentication request sent by the HR System
  • User is validated using multi-factor authentication (User ID and Password, Multi-Factor Authentication)
  • FIM policy triggers a request for FIM CM to issue a certificate or SmartCard
  • FIM Certificate Management (CM) requests certificate creation from Active Directory Certificate Services (AD CS)
  • Certificate is issued to the user and written to either the machine or the smart card

  30. Workflow Management Simplify security, manage compliance • Enables IT to quickly define, automate, and enforce identity management policies • IT can use the integrated workflow in the approval/rejection process • Automatic notifications for request approvals or rejections

  31. Directions Minimal Disclosure and Interscale Directory

  32. Important New Frontier: Minimal Disclosure Technology
  [Diagram: the Identity Provider holds Name: Alice Smith, Address: 1234 Pine, Seattle, WA, D.O.B.: 23-11-1955; with a conventional token the same full record (Name, Address, D.O.B.) is handed to the Relying Party]

  33. Minimal Disclosure Token
  [Diagram: the Identity Provider holds Name: Alice Smith, Address: 1234 Pine, Seattle, WA, D.O.B.: 23-11-1955; the Relying Party asks “Prove that you are over 21 and from WA”; the user presents only an Over-21 proof, and the Relying Party is left asking “Which adult from WA is this? ?”]
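The exchange on slides 32 and 33, as an added Python example that is not part of the presentation: the identity provider holds Alice's full record, the relying party asks only “over 21 and from WA”, and the minimal-disclosure token carries yes/no answers instead of the name, address and date of birth that a conventional token would hand over. The policy format, the address parsing and the reference date are constructed; a real minimal-disclosure token would also be cryptographically unlinkable, which this stand-in does not model.

```python
from datetime import date

# Constructed record held by the identity provider, using the slide's example subject
# (date of birth 23-11-1955, written here in ISO form).
ALICE = {"name": "Alice Smith", "address": "1234 Pine, Seattle, WA", "dob": "1955-11-23"}


def age_on(dob_iso, today_iso):
    """Whole years of age on the given date (both ISO yyyy-mm-dd strings)."""
    dob, today = date.fromisoformat(dob_iso), date.fromisoformat(today_iso)
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1  # birthday not yet reached this year
    return years


def state_of(address):
    """The state is the last comma-separated part of the constructed address format."""
    return address.rsplit(",", 1)[-1].strip()


def full_disclosure_token(record):
    """Conventional token (slide 32): the relying party receives every attribute."""
    return dict(record)


def minimal_disclosure_token(record, policy, today_iso):
    """Minimal-disclosure token (slide 33): only yes/no answers to the relying party's
    predicates leave the identity provider. The policy format is hypothetical,
    e.g. {"over_age": 21, "state": "WA"}."""
    answers = {}
    if "over_age" in policy:
        answers["over_%d" % policy["over_age"]] = age_on(record["dob"], today_iso) >= policy["over_age"]
    if "state" in policy:
        answers["state_is_%s" % policy["state"]] = state_of(record["address"]) == policy["state"]
    return answers


def relying_party_admits(token):
    """The relying party admits only if every answer is true; it learns nothing else."""
    return bool(token) and all(v is True for v in token.values())


def leaked_attributes(token, record):
    """Raw attribute values of the record that appear verbatim in the token (none is the goal)."""
    return sorted(k for k, v in token.items() if v in record.values())
```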

  34. Minimal Disclosure Scenarios
  [Diagram: Birth certificate RP – Prove name, DOB & address – eID]

  35. Ordering a New Birth Certificate

  36. Minimal Disclosure Scenarios
  [Diagram: Dating site RP – Prove over-21 & gender – eID]

  37. Visiting a Social Website

  38. And finally… Towards a federated directory • We need a directory metasystem that works holistically in the cloud, in enterprises and organizations, and on devices • Shared architecture, data model and semantics, protocols, publication paradigm • Policy framework for configuration • Simple APIs integrated with developer platforms
