Enterprise Identity


Presentation Transcript


  1. Enterprise Identity Steve Plank – Microsoft Hugh Simpson-Wells – Oxford Computer Group Dave Nesbitt – Oxford Computer Group

  2. Agenda • Overview of Enterprise Identity Challenges/Solutions • Individual Group Discussions (led) • Large Group “Debate”

  3. The Digital Identity Lifecycle: Roles. Product Manager, Director, Service Manager, HR Admin, PA, Customer Service Call Handler, Sales Person, Engineer

  4. The Digital Identity Lifecycle [diagram labels: Hire/Fire Scenario, Access Management, Joining Identities, Identity Data Aggregation, Identity Data Enforcement, Identity Data Brokering; Role 1 to Role 5]
  • A business owns critical assets
  • Roles are defined
  • People are hired
  • People change role
  • People are fired (they leave of their own accord too!)
  • They access critical assets

  5. Hire Scenario [diagram: HR System → Δ → Provisioning System or Metadirectory → Contractor System; E-mail Infrastructure (E-mail); Directory (LDAP); Application Directory (LDAP); Database (SQL); LOB App (API)]

  6. Fire Scenario [diagram: the same flow as the Hire Scenario, HR System → Δ → Provisioning System or Metadirectory → Contractor System; E-mail Infrastructure (E-mail); Directory (LDAP); Application Directory (LDAP); Database (SQL); LOB App (API)]

  7. Join, Attribute Flow, Enforcement… [diagram: the HR System record (givenName Clark, sn Kent, title Reporter, employeeID 007) is labelled "Project to Metadirectory"; the E-mail System record (givenName Clark, sn Kennttt, title Reporter, mail Clark@contoso.com, employeeID 007) is labelled "Join on employeeID"; the Infrastructure Directory record (givenName Klarke, sn Kent, title Superhero, mail Clark@contoso.com) is labelled "Join on mail"; the Application Directory record (givenName Klarek, sn Cenntt, employeeID 008) is labelled "Join on employeeID"; other labels: Manual Join, JOINED; telephone values shown: +44 123 456 7890, 867-5309]

  8. Identity Joining Scenario [diagram: the Metadirectory object after joining holds givenName Clark, sn Kent, title Superhero, mail Clark@contoso.com, employeeID 007, telephone +44 123 456 7890, and these values are flowed out to the HR System, E-mail System, Infrastructure Directory and Application Directory, replacing the variant values Kennttt, Klarke, Klarek, Cenntt, 008 and 867-5309]
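The join, attribute-flow and enforcement steps of slides 7 and 8, as an added Python example that is not part of the presentation: connected systems are joined iteratively, so the Infrastructure Directory's join on mail can only fire after the E-mail System's join has flowed a mail value into the metaverse object. The sample records are constructed from the slide's values; the precedence table, the system names and the treatment of the mismatched Application Directory record as a manual-join candidate are assumptions.

```python
# Constructed sample records modelled on the slide's four connected systems: variant
# spellings of one person, plus an Application Directory entry with a mismatched employeeID.
HR_SYSTEM = {"givenName": "Clark", "sn": "Kent", "title": "Reporter",
             "employeeID": "007", "telephone": "+44 123 456 7890"}
CONNECTED = {
    "email": {"givenName": "Clark", "sn": "Kennttt", "mail": "Clark@contoso.com", "employeeID": "007"},
    "infra": {"givenName": "Klarke", "sn": "Kent", "title": "Superhero", "mail": "Clark@contoso.com"},
    "app":   {"givenName": "Klarek", "sn": "Cenntt", "employeeID": "008", "telephone": "867-5309"},
}
# Join rule: the attribute that links each connected system to the metaverse object (from the slide).
JOIN_RULES = {"email": "employeeID", "infra": "mail", "app": "employeeID"}
# Attribute-flow precedence (assumed): the first joined source listed for an attribute wins.
PRECEDENCE = {"givenName": ["hr"], "sn": ["hr"], "employeeID": ["hr"], "title": ["infra", "hr"],
              "mail": ["email", "infra"], "telephone": ["hr", "app"]}

def flow_attributes(metaverse, joined):
    """Import flow: refresh each metaverse attribute from the highest-precedence joined source."""
    for attr, sources in PRECEDENCE.items():
        for src in sources:
            if src in joined and attr in joined[src]:
                metaverse[attr] = joined[src][attr]
                break

def metadirectory_join(hr, connected):
    """Project the HR record, then keep joining connected records until no join rule fires.
    Returns (metaverse object, per-system enforcement deltas, systems needing a manual join)."""
    metaverse = dict(hr)           # projection: the HR record creates the metaverse object
    joined, pending = {"hr": hr}, dict(connected)
    progress = True
    while pending and progress:    # a join may depend on an attribute flowed in by an earlier join
        progress = False
        for name in list(pending):
            key = JOIN_RULES[name]
            if metaverse.get(key) is not None and pending[name].get(key) == metaverse[key]:
                joined[name] = pending.pop(name)
                progress = True
        flow_attributes(metaverse, joined)
    # Enforcement (export flow): for every joined system, the attributes whose stored value
    # differs from, or is missing relative to, the metaverse object.
    deltas = {name: {a: v for a, v in metaverse.items() if rec.get(a) != v}
              for name, rec in joined.items()}
    return metaverse, {n: d for n, d in deltas.items() if d}, sorted(pending)

if __name__ == "__main__":
    mv, deltas, manual = metadirectory_join(HR_SYSTEM, CONNECTED)
    print("metaverse:", mv)
    print("enforcement deltas:", deltas)
    print("needs manual join:", manual)  # ['app']: employeeID 008 never matches 007
```

Records left in the manual-join list are the ones a metadirectory must not silently merge: a wrong automatic join would hand one person's access to another, so they stay pending until an administrator confirms them.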

  9. Single Sign On
  • Simple SSO
    • Single Authentication Authority, Single Server
    • Single Authentication Authority, Multiple Server
  • Complex SSO
    • Single Credential Set
      • Token Based SSO
      • PKI Based SSO
    • Multiple Credential Set
      • Credential Sync (Consistent Sign On)
      • Client-side Credential Mapping
      • Server-side Credential Mapping

  10. Simple SSO [diagram: an AuthN Exchange with the Authentication Service, backed by a Credential Store (probably LDAP directory); a second AuthN Exchange with the Resource Server is settled by Token Validation over a Trust relationship with the Authentication Service; credential stores kept in step by Replication]

  11. No SSO [diagram: two independent Authentication Services, each with its own Credential Store (probably LDAP directory) and its own AuthN Exchange]

  12. Complex SSO: 1 Credential, Token-based [diagram: an AuthN Exchange with the first Authentication Service (Credential Store, probably LDAP directory) yields a Temp Token; the Temp Token is presented to the second Authentication Service (its own Credential Store, probably LDAP directory), which accepts it over a Trust relationship with the first]

  13. Consistent Sign On: Password Sync [diagram: on the source side a PW trap captures the plaintext pw from the AuthN Exchange and passes it through a Password Crypto System, giving cyphertext pw; a Password Copy Service carries the cyphertext pw to the target side, whose Password Crypto System recovers the plaintext pw for the target Authentication Service and its Credential Store (probably LDAP directory); identities are normalized by a metadirectory so that the copy lands on the right account]

  14. Complex SSO – Client Cache [diagram: a client-side Password Cache supplies the credentials for the AuthN Exchanges with two separate Authentication Services, each with its own Credential Store (probably LDAP directory)]

  15. Complex SSO – Server Cache [diagram: a Client Installed SSO Agent performs the AuthN Exchange (password) with the first Authentication Service and the AuthN Exchange with the second; each Authentication Service has its own Credential Store (probably LDAP directory)]

  16. Single Sign-On: Complex SSO – Server Cache
  • Understands password change dialogs
  • Auto-generates new passwords
  • SSO Agent detects login dialog
  • Retrieves credentials from ID store & fills in dialog
  [diagram: Client-side SSO Agent; ID Store holding a User object with SSO Attributes (User-id, Password); Client Login dialog filled in with User-id FSmith and Password *****]

  17. Review • Overview of Enterprise Identity Challenges/Solutions • Individual Group Discussions (led) • Large Group “Debate”
