Identity Management with MIIS, ADAM, & AzMan
Uwe Hoffmann, Solution Specialist, Directory & Identity, Microsoft Deutschland, [email protected]
Rüdiger Berndt, Architect & Managing Director, Oxford Computer, [email protected]
Identity and Access Platform
Technology Areas
Process Integration: Synchronization; Workflow; Business rules; Auditing
Directory Services: Users and credentials; Computers, services; Policy and licenses
Access Services: Single Sign-on; Federation; Certificate Services; Access Control
Developer Experience / IT Professional Experience / User Experience
Connectors: Integration with non-Windows integrated applications and systems (e.g. Directories, Databases, ERP, Mainframe, etc.)
Windows Integration / Office Integration / Self Service Portal
Business rule authoring (e.g. provisioning rules) / Access policy management / Compliance reporting
Directory and Identity APIs / Access APIs / Process integration APIs
Identity Management Platform (diagram): the platform is split into Directory Services, Extended Directory Services (Desktop IDM Env.), Provisioning Services (Automated Synch., Automated Provisioning, Password Management, Self-Service Interface, IDM Workflow, Auditing & Reporting, Policy Management, Enterprise Role Management, Enterprise User Management), Access Services (Web SSO, Federated SSO, Unix/Linux SSO, Host SSO, Remote Access, Access Audit & Reporting, Smartcard Management, Certificate Management, Information Rights Mgmt.) and Frontend Services, spanning User Management, Infrastructure Management, Network Security, Access Control, Network Management and Service Management.
Identity Management Platform mapped to products (diagram, Microsoft and Partner products marked): Directory Services: Windows Server (Active Directory/ADAM, PKI, AzMan); Provisioning & Password Management Services: Microsoft Identity Integration Server; Access Services: Active Directory Federation Server, Quest / Centrify, HIS & ESSO, ISA Server, MOM & ACS, InfoCard; Extended Directory Services: Alacris, Windows PKI, RMS Server; Frontend Services; spanning User Management, Infrastructure Management, Network Security, Access Control, Network Management and Service Management.
Enterprise Identity Management: Providing the right people or devices with the right access at the right time
Picture: Courtesy of PricewaterhouseCoopers LLP
Who am I: User Identity, Device Identity, Code Identity; Sign-On using Security Tokens, such as Kerberos, SAP Logon Ticket, SAML, WebSSO, SmartCard, RSA token, X.509, InfoCard, etc.
What can I do: ACLs/ACEs, Groups, Roles, & User Rights for Authorization of Tasks, Operations, etc.
Where Identities are Stored: Security Credentials: User Names, Passwords, Certificates, Roles, etc.; Examples: AD, LDAP, MIIS, SAP, DBs
How Identities are Managed: Identity Lifecycle Management; Central User & Role-based Provisioning and Access-Rights Management; Workflow, Reporting, Auditing, Self-Service
1. Component: Identity Store - Secure LDAP repository for Identities and Roles
Diagram labels: MIIS; ADAM (Identity Data Store)
Dedicated store for app data; Standalone or replicated; Independent of domain setup; Local control and autonomy; Multiple instances on a single machine; Schema and naming flexibility; Integration with applications; Store for central Access Roles
Choices: Active Directory (AD) Infrastructure Mode; Active Directory Application Mode (ADAM); Database: SQL Server, etc.
Microsoft Identity Integration Server (MIIS): Consolidate, Synchronize, Integrate, Standardize; ID Lifecycle Management
Identity Aggregation: Support for over 20 different repositories; Provides a single, enterprise view of a user; Uses SQL Server as the information repository
User Provisioning: Automate account create/manage/delete; Group & distribution list management; Workflow
Self-Service: Self-service password change; Helpdesk password reset; Web-based, extensible for building self-service
MIIS Internals (diagram): Connected Data Sources (E-Mail: Exchange, Notes, Groupwise, etc.; Database: SQL, DB2, Oracle, etc.; Directory: Active Directory, LDAP, eDirectory, etc.) are attached through Management Agents (E-Mail MA, Database MA, Directory MA) to Microsoft Identity Integration Server 2003 (MIIS). Each source gets its own logical area (object attributes) in the Connector Space, and these are joined into the Metaverse.
AD & SAP - End to End Solution: Password Synchronization Example (diagram): a password change (Change PW) in Active Directory is captured (Capture Password Change) by PCNS/OCG-PWS and handed to MIIS PW Management, which sends the new PW on to SAP R/3, SAP HR and SAP EP6 (UME), where the password is changed (Change PW).
MIIS 2003 SP2 Password Self Service Reset
Self Service Password Reset planned for MIIS SP2; leverages MIIS system connectivity and account management
User Registration: proactive enrollment, or the help desk can force users to enroll when a password is forgotten
Q&A authentication configuration is very flexible to accommodate different organizations' security requirements
Q&A can be exposed to the Help Desk to authenticate callers
Significant update to the web applications shipped with MIIS 2003
Working with the Speech Server team to enable phone password reset
MIIS Physical Architecture: High-Availability Configuration
MIIS Management Agents:
• Active Directory, supporting Windows 2000/2003, Exchange 2000/2003
• Active Directory Application Mode (ADAM)
• Global Address List (GAL) Synch, supporting Exchange 2000 and Exchange 2003
• Netscape/iPlanet/Sun ONE Directory (up to 5.2, includes "changelog" support)
• IBM DB2 Universal Database (7 or 8.1 on Windows or Linux)
• IBM Directory Server (4.x/5.x on Windows 2000/2003)
• SQL Server, supporting SQL Server 7 and SQL Server 2000
• Oracle Databases, supporting version 8i and 9i
• Directory Services Markup Language (DSML), supporting DSML version 2.0
• LDAP Interchange Format (LDIF) / Delimited Text, Fixed-Width Text, Attribute-Value Pair Text
• OpenLDAP (planned, end of 2005)
• Windows NT 4.0 Domains and Exchange Server 5.5, Exchange Server 5.5 Bridgehead
• Lotus Notes, supporting versions 4.6, 5.0, 6.x
• Novell eDirectory, supporting versions 8.6.x and 8.7.x
• Host RACF systems (ACF, TS, OS400 planned, 2006+)
• SAP, Peoplesoft (planned end of 2005)
Oxford Computer Group add-ons, available today:
• Unix systems (VMS, HPUX, SUN, Linux, SCO, other)
• SAP R3 / SAP HR / CUA (Central User Administration)
• additional HR systems (Paisy, Peoplesoft)
• different LDAP-based telephone systems (Alcatel, HICOM, …)
• web-based Admin Interfaces for ADAM
• Sharepoint, Vintela, RSA SecurID
2. Component: Authentication - Proving you are who you say you are
Verifying a digital identity: Account + Credentials
Identify yourself: tell me something you know or show me something that you have; check this against our identity store
ADAM Authentication: the primary authentication method is LDAP simple bind; forwards Windows Integrated Authentication for AD users, and proxies LDAP binds for known users to AD and NT4 in the same or trusted domains
Secure Token Integration with RSA SecurID
Active Directory Application Mode (ADAM)
Windows Server 2003 (ADAM web download): LDAP-only mode of AD with independent config; Identical performance at scale; In use as extranet and app-specific directory
Windows Server 2003 R2: ADAM included in OS distribution; One-way AD-to-ADAM sync eliminates the need for MIIS/IIFP in simple scenarios
Longhorn Server: same as R2
3. Component: Administration and Life Cycle Management
New User: User ID Creation; Credential Issuance; Entitlements
Change User: Promotions; Transfers; Entitlement Changes
Help Desk: "Lost" Credentials; Password Reset; New Entitlements
Retire User: Delete Accounts; Remove Entitlements
Reporting: Compliance; Audit; Security
Diagram labels: Integration; Workflow
Self-Serve: Password Kiosk; Identity; New Entitlements
Role-based Administration with .NET-based Web Front-End (GUI)
Web FE: Nakisa, OCG, BMC, Avanade
4. Component: Authorization - What each person can and can't do
Most systems have rules or policies that dictate what a digital ID can or cannot do (Access control), based on attributes of the digital identity (retrieved from a directory). Comparing policy to the attributes of a digital identity is known as authorization (AuthZ).
Enterprise Roles (diagram): Users, as well as OUs, Os and Groups, are mapped to Enterprise Roles; each Enterprise Role maps to App Roles, and each App Role authorizes Tasks and Operations / Actions. User Lifecycle Management is done in MIIS, Role Design in AzMan.
Flexible Role Mapping with MIIS/ADAM
Multiple users can be mapped directly to multiple Roles; Multiple Organizational Units (OUs) or Organizations (Os) can be mapped to multiple Roles; The IAM system calculates all user-specific Roles from the parent OUs and the mapped OUs/Os
Multiple Views to Users with MIIS/ADAM
Support for multiple views of the Directory (e.g. Admin related, HR related, SAP business views); Flexible Role assignment to multiple views; Views and user mappings are visible in the Admin Console
ADAM object model (diagram): Organization Object 1 and Organization Unit Object 1 in ADAM each carry the multi-valued attribute ocgOrgMember holding DN references to their member users (DN Ref to User 1, DN Ref to User ...). The User Object in ADAM carries the multi-valued attribute ocgOrgView (managed by the Admin Console) holding DN references to Organization Unit 1, Organization 1 and further Organizations / OUs. The membership references are automatically back-linked.
Flexible Role Management with MIIS/ADAM: Using ADAM for calculating back link attributes; Reporting on User and Role level
(Diagram) Role Objects in ADAM (assigned to a group object), with attributes Member, sapRoles, OracleRoles; Link: ocgRolesList, Back Link: ocgRoleMember:
• Enterprise Role A: Ora Roles (ORA1-activ, Ora2); SAP Roles (SAP1, SAP4, SAP6); App Roles ...
• Enterprise Role B: Ora Roles (ORA5-activ, Ora7); SAP Roles (SAP1, SAP3, SAP9); App Roles ...
• Enterprise Role C: Ora Roles (ORA7-activ, Ora2); SAP Roles (SAP1, SAP8, SAP9)
Role Mapping: User Object 1 in ADAM is memberof EntRoleA and EntRoleB; OU Object 1 in ADAM (User 2 is assigned to OU 1) is mapped to EntRoleA and EntRoleC.
MIIS: Calculation of the summary Role assignment (OU + User); Split Enterprise Roles into Application Roles for each target system.
Target Applications after Export:
• SAP System: User 1: SAP1, SAP3, SAP4, SAP6, SAP9; User 2: SAP1, SAP4, SAP6, SAP8, SAP9
• Oracle System: User 1: ORA1-activ, Ora2, ORA7, ORA5-activ; User 2: ORA1-activ, ORA2, ORA7-activ
• Other System: User 1: …; User 2: ...
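The summary role calculation the slides describe (direct user membership plus roles mapped to the user's OU, then enterprise roles split into application roles per target system), as an added Python example that is not code from the slides or from OCG's product. The DNs and the dictionaries standing in for ADAM objects are constructed from the diagram's values; the ocgRoleMember-style back link is recomputed here rather than read from ADAM.

```python
from collections import defaultdict

# Constructed stand-ins for the ADAM objects in the diagram (placeholder DNs).
# Each enterprise role lists its members (user or OU DNs) and the application
# roles it expands to per target system.
ROLES = {
    "cn=EntRoleA,ou=Roles,dc=example": {
        "member": ["cn=User1,ou=Users,dc=example", "ou=OU1,dc=example"],
        "sapRoles": ["SAP1", "SAP4", "SAP6"], "OracleRoles": ["ORA1-activ", "Ora2"]},
    "cn=EntRoleB,ou=Roles,dc=example": {
        "member": ["cn=User1,ou=Users,dc=example"],
        "sapRoles": ["SAP1", "SAP3", "SAP9"], "OracleRoles": ["ORA5-activ", "Ora7"]},
    "cn=EntRoleC,ou=Roles,dc=example": {
        "member": ["ou=OU1,dc=example"],
        "sapRoles": ["SAP1", "SAP8", "SAP9"], "OracleRoles": ["ORA7-activ", "Ora2"]},
}
# ocgOrgMember on the OU object: User 2 is assigned to OU 1, User 1 is not.
ORG_UNITS = {"ou=OU1,dc=example": {"ocgOrgMember": ["cn=User2,ou=Users,dc=example"]}}
USERS = ["cn=User1,ou=Users,dc=example", "cn=User2,ou=Users,dc=example"]


def enterprise_roles(user_dn):
    """Summary role assignment (OU + User): roles the user is a direct member of,
    plus roles mapped to any OU whose ocgOrgMember lists the user."""
    containers = {user_dn}
    containers |= {ou for ou, a in ORG_UNITS.items() if user_dn in a["ocgOrgMember"]}
    return sorted(dn for dn, a in ROLES.items() if containers & set(a["member"]))


def application_roles(user_dn, attribute):
    """Split the user's enterprise roles into app roles for one target system
    (attribute 'sapRoles' or 'OracleRoles'). Roles granted by several enterprise
    roles collapse to one entry; the comparison ignores case, as LDAP values do."""
    seen = {}
    for role_dn in enterprise_roles(user_dn):
        for app_role in ROLES[role_dn][attribute]:
            seen.setdefault(app_role.upper(), app_role)
    return sorted(seen.values(), key=str.upper)


def role_members():
    """Recomputed ocgRoleMember-style back link: users per enterprise role,
    the view a role-level audit report would be built from."""
    back = defaultdict(list)
    for user_dn in USERS:
        for role_dn in enterprise_roles(user_dn):
            back[role_dn].append(user_dn)
    return dict(back)
```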
Business Benefits of central Authorization
Cost savings: Central user-to-Role mapping in the User Help Desk via the Web Admin Interface, with no application-specific and coordination efforts; Increased process automation by creation/deletion of users in the Application store, based on their Roles; Assignment of Enterprise Roles is more effective than Application Roles; Fewer exceptions in role management will decrease Help Desk calls; Faster provisioning process; Central authorization control for connected offices or companies is possible
Compliance with security regulations: Quality and consistency of Authorization is improved; Central audit over all User Roles can be done in the Identity Store (ADAM)
Enables Federation Services
IdM Project Release Phases
1. Build / (Migrate) Identity Store
2. Connect primary user repositories (Init Load/Join)
3. Integration of Workflow systems
4. Reporting, Logging
5. Connect additional user repositories
IdM Architecture Examples
IdM Project Example 1
Single Point of Administration; Application integration with Corp Directory; Workflow / Rules for automatic admin processes; Password Synchronization over MIIS; Role-Based Application Provisioning
(Diagram) Microsoft Identity Integration Server 2003 with its Management Agents connects Infrastructure AD, a Corporate Directory (ADAM), a Phone system, Service + Help Desk, an App on Unix and SAP/HR systems (via non-LDAP sync and LDAP / Web Services), and provides centralized management and provisioning, a Data Warehouse, White pages / Global Address book, Self Services, a Reporting / Logging DB and BizTalk.
Workflow - user request / approval process, e.g. InfoPath, Mail, WebPart
IAM Project Example 2 with SAP CUA (diagram): MIIS with SAP MAs (SAP CUA and several SAP R/3 systems), an Active Directory MA (Active Directory Forests), an ADAM MA (ADAM Identity Data Store), an Oracle MA (Business DB) and an AG MA (AutoGroup MIIS module, via LDAP); a Web Admin GUI on the identity store; SAP EP 6.0 and the intranets of member companies read the store through LDAP Queries.
Summary: Central User Management
More than just Active Directory user management: Identity Store: Active Directory Application Mode; Identity Synchronization: MIIS; Role-based provisioning with the help of MIIS
Further Identity Management Webcasts: deeper coverage of further IAM topics
IdM TechNet Webcast Series:
• Part 1, 21 Oct 2005: Central User Management - Intro
• Part 2, 28 Oct 2005, 11:00: Microsoft Identity Integration Server (MIIS)
• Part 3, 16 Nov 2005, 15:30: Identity Workflow & Reporting with MIIS, BizTalk, & SQL Server
• Part 4, 9 Dec 2005, 11:00: Microsoft / SAP Identity Integration & Single-Sign-On - AD and MIIS integration options with SAP R/3 and Enterprise Portal
• Part 5, planned Jan. 2006: Microsoft Windows Server R2 Federation Services - WebSSO with Active Directory Federation Services
Questions and Answers
More Information
OCG Identity Management Websites: www.miis-alliance.com, www.miis-experts.org, www.oxfordcomputergroup.com
Microsoft Identity Management Solution: www.microsoft.com/idm, www.microsoft.com/technet/security/topics/identitymanagement/idmanage/default.mspx, www.microsoft.com/mmsug
MIIS Product Website: www.microsoft.com/miis
Glossary
• ADAM: Active Directory Application Mode (LDAPv3)
• ADFS: Active Directory Federation Services
• AuthN: Authentication
• AuthZ: Authorization
• AzMan: Authorization Manager
• MA: MIIS Management Agent
• MIIS: Microsoft Identity Integration Server
• IdM: Identity Management
• IIFP: Identity Integration Feature Pack (MIIS for AD/ADAM Sync only)
• IIS: Microsoft Internet Information Server
• RBAC: Role-Based Access Control
MIIS Future: Gemini
Add core functionality required for Process Integration Services: Rich workflow; Centralized auditing; Self-service application platform with integrated workflow and auditing; Computed attributes; Entitlement management based on organizational roles
Expose new functionality to IT Pros and end users: Identity manager console for declarative entitlement management; Self-service applications
Expose self-service application interfaces for ISVs and corporate developers
Your potential. Our passion.