
Managing Identities Across a Heterogeneous Landscape




Presentation Transcript


  1. Managing Identities Across a Heterogeneous Landscape
     Steve Plank – Architectural Engineer

  2. The Digital Identity Lifecycle
     Roles: Product Manager, Director, Service Manager, HR Admin, PA, Customer Service, Call Handler, Sales Person, Engineer

  3. The Digital Identity Lifecycle
     • A business owns critical assets
     • Roles are defined (Role 1 … Role 5)
     • People are hired
     • People change role
     • People are fired (they leave of their own accord too!)
     • They access critical assets
     Scenarios covered: Hire/Fire, Access Management, Joining Identities, Identity Data Aggregation, Identity Data Enforcement, Identity Data Brokering

  4. Hire Scenario
     Diagram: the HR System (file) feeds MIIS, which provisions the Contractor System, Lotus Notes (Notes), Active Directory (LDAP), iPlanet Directory (LDAP), SQL Server (SQL) and AD Application Mode (LDAP).

  5. Fire Scenario
     Diagram: the same connected systems and connectors as slide 4, this time for a fired employee.

  6. Identity Joining Scenario
     Diagram: connector-space records for one person and how MIIS links them to a single metaverse entry.
       HR System:         givenName Clark,  sn Kent,    employeeID 007                                          – PROJECTED (project to metaverse)
       Lotus Notes:       givenName Clark,  sn Kennttt, title Reporter,  employeeID 007                         – JOINED (join on employeeID)
       Active Directory:  givenName Klarke, sn Kent,    title Superhero, mail Clark@contoso.com, employeeID 007 – JOINED (join on employeeID)
       iPlanet Directory: givenName Klarek, sn Cenntt,  employeeID 008,  telephone 867-5309                     – Manual Join (employeeID does not match)

  7. Attribute Flow Scenario – Identity Data Aggregation
     Diagram: each attribute flows into the metaverse from one authoritative system.
       • FirstName, LastName, EmployeeID from the HR System
       • Title from Lotus Notes
       • E-Mail from Active Directory
       • Telephone from iPlanet Directory
     Resulting metaverse entry: givenName Clark, sn Kent, title Reporter, mail Clark@contoso.com, employeeID 007, telephone 867-5309

  8. Attribute Flow Scenario – Identity Data Brokering (Convergence)
     Diagram: the aggregated metaverse values flow back out to every connected system, replacing incorrect or missing information (Kennttt, Klarke, Klarek, Cenntt, employeeID 008), so that all systems converge on Clark Kent, Reporter, Clark@contoso.com, 007, 867-5309.

  9. Attribute Flow Scenario – Identity Data Integrity Enforcement
     Diagram: a non-authoritative change of title (Superhero) in a connected system is detected and overwritten with the metaverse value Reporter.

  10. Identity Data Integrity Enforcement
     Diagram: the same enforcement flow; Lotus Notes and iPlanet Directory show title Publisher while the metaverse and Active Directory hold Reporter.
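The join, aggregation and enforcement steps of slides 6 to 10 as a small metadirectory model. This is an added example written for this transcript, not code from the deck or from MIIS; the connector-space records, the attribute-authority table and the manual-join map are constructed from the slide values, and the function names are the author's own.

```python
# Constructed connector-space data, taken from the Clark Kent example on slides 6-9.
HR      = {"givenName": "Clark",  "sn": "Kent",    "employeeID": "007"}
NOTES   = {"givenName": "Clark",  "sn": "Kennttt", "title": "Reporter", "employeeID": "007"}
AD      = {"givenName": "Klarke", "sn": "Kent",    "title": "Superhero",
           "mail": "Clark@contoso.com", "employeeID": "007"}
IPLANET = {"givenName": "Klarek", "sn": "Cenntt",  "employeeID": "008", "telephone": "867-5309"}

# Which system is authoritative for each attribute (the flow rules on slide 7).
AUTHORITY = {"givenName": "HR", "sn": "HR", "employeeID": "HR",
             "title": "Notes", "mail": "AD", "telephone": "iPlanet"}


def build_metaverse(sources, manual_joins):
    """Project HR entries into the metaverse, then join every other system on employeeID.

    manual_joins maps (system, employeeID) -> metaverse id for records whose join key is
    wrong (iPlanet holds 008 on slide 6). Records with no join candidate stay disconnected.
    """
    metaverse, disconnectors = {}, []
    for system, entry in sources:          # HR must come first so projection precedes joins
        key = manual_joins.get((system, entry["employeeID"]), entry["employeeID"])
        if system == "HR":
            metaverse.setdefault(key, {})  # PROJECTED
        if key not in metaverse:
            disconnectors.append((system, entry["employeeID"]))
            continue
        metaverse[key][system] = entry     # JOINED
    return metaverse, disconnectors


def aggregate(mv_entry):
    """Identity Data Aggregation: take each attribute only from its authoritative system."""
    return {attr: mv_entry[sys][attr] for attr, sys in AUTHORITY.items()
            if sys in mv_entry and attr in mv_entry[sys]}


def enforce(mv_entry):
    """Identity Data Brokering / Integrity Enforcement: export the aggregated view back to
    every connected system, overwriting local drift (Kennttt, Klarke, 008, a changed title)."""
    truth = aggregate(mv_entry)
    return {sys: {**entry, **truth} for sys, entry in mv_entry.items()}


def demo():
    sources = [("HR", HR), ("Notes", NOTES), ("AD", AD), ("iPlanet", IPLANET)]
    mv, _ = build_metaverse(sources, manual_joins={("iPlanet", "008"): "007"})
    return aggregate(mv["007"]), enforce(mv["007"])
```

Without the manual join the iPlanet record is returned as a disconnector instead of being silently attached to the wrong person, which is the failure mode slide 6 flags.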

  11. Access Control Theory (1)
     Diagram: a Subject obtains a security token from an Identity Provider and presents it to a Relying Party, which grants or denies access.

  12. Access Control Theory (2)
     Diagram: Subject, Identity Provider and Relying Party, with the security token passed between them.

  13. Identity and Access Management Fabric
     Diagram: the Identity and Access Management Fabric sits between Subject, Identity Provider and Relying Party.

  14. Identity and Access Management Fabric (Inside the Firewall)

  15. Access Management – Authentication
     • The truth, the whole truth, and nothing but the truth
     Diagram: an Authentication Protocol carries a credential (User-Id/Password, Certificate, Smart-card/PIN, Biometric) to be checked against a Credential Store; an Intruder is shown attempting the same exchange.

  16. Access Management – Authentication
     • Multiple truths: multiple authentication protocols, multiple credential stores

  17. Access Management – Authorisation
     • Are you on the guest list, sir?
     • What about you, madam?
     Diagram: the Security Reference Monitor (the "Security Something Else") evaluates an Access Control Policy (who can do what to each application resource) and the Access Control List on the Application Resource (who can do what to this application resource); the Security Token supplies the "who".

  18. Access Management – Authorisation (non-Windows)
     • Does the 'SSE' understand the 'token'?
     • Where does the 'who' come from?
     • Trap and redirect
     • Kerberisation
     Diagram: the Security Something Else traps the request and obtains the "who" together with its authorisation data.

  19. Access Management – Authorisation (non-Windows)
     (same bullets as slide 18)
     • Microsoft – ADFS – in W2003 R2
     • 3rd Party – Quest/Vintela, Centrify

  20. Access Management – Authorisation Manager
     • Calculates 'who' can access a resource:
       • Static security groups
       • Dynamic result-set from a script or program
       • Dynamic LDAP query
       • IIS URLAuthorisation
     Diagram: Authorisation Manager resolves the application resource (http://myserver/myapp) against AD (getGroup), a script, other data, and the LDAP query (&(company=MyCo)(objectcategory=user)(objectclass=user)).

  21. Single Sign-On
     • Simple SSO
       • Single Authentication Authority, Single Server
       • Single Authentication Authority, Multiple Server
     • Complex SSO
       • Single Credential Set
         • Token-based SSO
         • PKI-based SSO
       • Multiple Credential Set
         • Credential Sync (Consistent Sign-On)
         • Client-side Credential Mapping
         • Server-side Credential Mapping

  22. Simple SSO
     Diagram: one Authentication Service backed by a Credential Store (probably an LDAP directory); the client's AuthN Exchange yields a token, the Resource Server validates it through a Trust relationship, and the credential store is replicated.

  23. Simple SSO: Product Examples
     • MS Windows
     • Novell Netware
     • RSA ClearTrust
     • HP OpenView Select Access
     • BMC .Net Identity Manager
     (Partial list!)

  24. No SSO
     Diagram: two independent Authentication Services, each with its own Credential Store (probably an LDAP directory) and its own AuthN Exchange.

  25. Complex SSO: 1 Credential, Token-based
     Diagram: the AuthN Exchange with the first Authentication Service yields a temporary token; the second Authentication Service accepts that token through a Trust relationship.

  26. Token-Based SSO Examples
     • Kerberos
       • Microsoft Windows 2000 and higher
       • Cybersafe Kerberos
       • Unix Kerberos (HP-UX, MIT, Sun SEAM)
     • Federation
       • RSA Federated Identity Manager
       • Microsoft ADFS (W2003 Server R2, 2005)
     • Web Access Control
       • RSA ClearTrust
       • BMC .Net Identity Manager
       • Microsoft ADFS (W2003 Server R2, 2005)
     (Partial list!)

  27. Consistent Sign On: Password Sync
     Diagram: a password trap captures the plaintext password before the first system's Password Crypto System stores it as ciphertext; a Password Copy Service passes the plaintext to the second system's Password Crypto System and Credential Store. Identities are normalised through a metadirectory.

  28. Password Sync Solutions
     • Microsoft MIIS 2003
     • BMC .Net Identity Manager
     • M-Tech Psynch
     (Partial list!)

  29. Complex SSO – Client Cache
     Diagram: a Password Cache on the client replays credentials to each Authentication Service and its Credential Store (probably an LDAP directory).

  30. Complex SSO – Server Cache
     Diagram: a client-installed SSO Agent obtains the password for each Authentication Service from a server-side store.

  31. Single Sign-On – Complex SSO – Server Cache
     • Understands password change dialogs
     • Auto-generates new passwords
     • SSO Agent detects login dialog
     • Retrieves credentials from ID store & fills in dialog
     Diagram: the client-side SSO Agent reads the SSO attributes (User-id: FSmith, Password: *****) from the user object in the ID Store and completes the Client Login dialog.

  32. Complex SSO – Server Cache
     • Passlogix v-GO SSO
     • RSA Sign-On Manager
     • Protocom Secure Login

  33. Directory Services
     Diagram: the generic fabric: Desktop PC ("dumb user") with smartcard logon (primary authentication) and app logon (integrated authentication); LOB Applications with web services and LOB APIs; RBAC; a server-side SSO portal; Identity Management with identity workflow and identity connectors.

  34. Active Directory
     Diagram: the same fabric mapped to products: Active Directory for primary and integrated authentication; SPS ESSO and SPS with IIS for the portal; Authorisation Manager, Quest/Vintela, Centrify, BMC .Net Identity Manager and custom roles from MIIS 2003 for RBAC; Biztalk for identity workflow; MIIS 2003 Enterprise Edition connectors.

  35. Conventional Access Control
     Policy: 'Submit order' requires [Name,Password] cred
     1. Client reads the policy for 'Submit Order'
     2. Client calls 'Submit Order' including [Lana, ****]

  36. Claims-Based Access Control – Delegated Authentication
     Server policy: 'Submit order' requires {Role} from STS_Authentication
     Security Token Server STS_Authentication policy: {Role} requires [Name,Password] cred
     1. Client reads the policy for 'Submit Order'
     2. Client reads the policy for Request Security Token
     3. Client sends Request Security Token passing [Lana, ****]

  37. Claims-Based Access Control – Delegated Authentication (continued)
     4. Request Security Token Response: {Role=Purchaser} signed by STS_Authentication
        Mapping at STS_Authentication: (Lana,****) -> {Role = Purchaser}
     5. Client calls 'Submit Order' with the security token {Role=Purchaser} signed by STS_Authentication

  38. Claims-Based Access Control – Delegated Authentication and Authorisation
     Server policy: 'Submit order' requires {Submit order} from STS_Authorisation
     Security Token Server STS_Authorisation ("authorisation claims provider") policy: {Submit order} requires {Role} claim from STS_Authentication
     Security Token Server STS_Authentication ("identity claims provider") policy: {Role} requires [Kerb ticket] or [Name/Pwd] cred
     1. Client reads the policy for 'Submit Order'
     2. Client reads the policy for Request Security Token at STS_Authorisation
     3. Client reads the policy for Request Security Token at STS_Authentication
     4. Client sends Request Security Token passing [Lana's Kerb ticket]

  39. Claims-Based Access Control (continued)
     • STS_Authentication returns {Role=Purchaser} signed by STS_Authentication. Mapping: Lana -> {Role = Purchaser}
     • The client presents that token to STS_Authorisation, which returns {Submit order = True} signed by STS_Authorisation. Mapping: {Role = Purchaser} -> {Submit order = True}
     • The client calls 'Submit Order' with {Submit order = True} signed by STS_Authorisation, and the server checks it against its policy
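The token chain of slides 36 to 39 worked through end to end: the identity STS turns a credential into a role claim, the authorisation STS turns that role claim into an action claim, and the relying party accepts only a token from the issuer its policy names. This is an added example for this transcript, not code from the deck or from any real STS; it stands in HMAC with constructed per-issuer keys for the signatures, and the credential, role and action mappings are constructed from the slide values.

```python
import hashlib
import hmac
import json

# Constructed for this example: each STS signs with its own key and every verifier knows
# the key of the issuer it trusts (a real STS would use a private key and publish the public one).
ISSUER_KEYS = {"STS_Authentication": b"authn-key-demo", "STS_Authorisation": b"authz-key-demo"}
CREDENTIALS = {"Lana": "****"}                     # [Name,Password] cred held by STS_Authentication
ROLE_MAPPING = {"Lana": "Purchaser"}               # Mapping: (Lana,****) -> {Role = Purchaser}
ACTION_MAPPING = {"Purchaser": {"Submit order"}}   # Mapping: {Role = Purchaser} -> {Submit order = True}


def issue(issuer, claims):
    """Build '{claims} signed <issuer>': canonical JSON body plus a MAC under the issuer key."""
    body = json.dumps(claims, sort_keys=True)
    sig = hmac.new(ISSUER_KEYS[issuer], body.encode(), hashlib.sha256).hexdigest()
    return {"issuer": issuer, "claims": body, "sig": sig}


def verify(token, expected_issuer):
    """Return the claims only if the token names, and is validly signed by, the expected issuer."""
    if token.get("issuer") != expected_issuer:
        return None  # a claim from the wrong STS never satisfies the policy
    mac = hmac.new(ISSUER_KEYS[expected_issuer], token["claims"].encode(), hashlib.sha256).hexdigest()
    return json.loads(token["claims"]) if hmac.compare_digest(mac, token["sig"]) else None


def sts_authentication(name, password):
    """Identity claims provider. Policy: {Role} requires [Name,Password] cred."""
    role = ROLE_MAPPING.get(name)
    if CREDENTIALS.get(name) != password or role is None:
        return None
    return issue("STS_Authentication", {"Role": role})


def sts_authorisation(role_token, action):
    """Authorisation claims provider. Policy: {Submit order} requires {Role} claim from STS_Authentication."""
    claims = verify(role_token, "STS_Authentication")
    if claims is None or action not in ACTION_MAPPING.get(claims.get("Role"), set()):
        return None
    return issue("STS_Authorisation", {action: True})


def server_submit_order(token):
    """Relying party. Policy: 'Submit order' requires {Submit order} from STS_Authorisation."""
    claims = verify(token, "STS_Authorisation")
    return bool(claims and claims.get("Submit order") is True)


def client_submit_order(name, password):
    """The client's side of the exchange: role token, then action token, then the service call."""
    role_token = sts_authentication(name, password)
    if role_token is None:
        return False
    action_token = sts_authorisation(role_token, "Submit order")
    return action_token is not None and server_submit_order(action_token)
```

The relying party never sees Lana's password and cannot be satisfied by a role token alone, which is the separation of identity and authorisation claims the slides are making.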

  40. Identity and Access Management Fabric
     Diagram: as slide 13, the fabric between Subject, Identity Provider and Relying Party.

  41. Identity and Access Management Fabric (Outside the Firewall)

  42. The Identity Metasystem
     Diagram: Subject, Identity Provider and Relying Party connected by the Identity Metasystem (WS-* protocols).

  43. 7 Laws of Identity
     • User Control and Consent
     • Minimal Disclosure for a Constrained Use
     • Justifiable Parties
     • Directed Identity
     • Pluralism of Operators and Technology
     • Human Integration
     • Consistent Experience Across Contexts

  44. Infocard
     • Demo
