SIM205 Identity and Access and Cloud: Better Together
Brjann Brekkan, Sr Technical Product Manager, Identity and Access, Microsoft Corporation
Agenda
• Framing the Cloud opportunity
• Supporting Technologies
• Private Cloud
• Public Cloud – PaaS
• Public Cloud – SaaS
• Summary
What is the Cloud? Delivering IT as a Standardized Service
(Figure: the service is delivered from the Microsoft datacenter, a partner datacenter or the customer datacenter)
Opportunities and Challenges: Enabling the Hybrid Enterprise
Opportunities
• Performing IT more cheaply
• Capitalizing on new ways to address customers
• Benefitting from further democratization of IT
• Operating a business without IT limits
• Leveraging the cloud for competitive advantage
• Developing transformative experiences and solutions
Challenges
• Existing internal applications remain critical in the foreseeable future
• Need to integrate with applications across organizations and cloud
• Borderless collaboration across on-premises, partners, and cloud
• Partners and customers will bring their own identities
• Identity platform needs to support a range of developers
• Identity needs to be more extensible, more flexible
Types of Cloud Services – Identity consistent across all four

Layer            On-Premises     Infrastructure (IaaS)   Platform (PaaS)   Software (SaaS)
Applications     You manage      You manage              You manage        Other manages
Data             You manage      You manage              You manage        Other manages
Runtime          You manage      You manage              Other manages     Other manages
Middleware       You manage      You manage              Other manages     Other manages
O/S              You manage      You manage              Other manages     Other manages
Virtualization   You manage      Other manages           Other manages     Other manages
Servers          You manage      Other manages           Other manages     Other manages
Storage          You manage      Other manages           Other manages     Other manages
Networking       You manage      Other manages           Other manages     Other manages
Compliance and Security in the Cloud
• An organization's current identity management gaps extend to the cloud and become more complex
  • Failure to disable accounts in a timely manner when people’s employment is terminated
  • Failure to adjust rights and permissions when people transfer to new roles
• Enabling self-service capabilities without having control of user identities can result in access problems and lack of productivity
Identity and the Cloud
(Figure: the user and the on-premises directory connect to the private cloud, to partners, and to public cloud SaaS and PaaS services)
Microsoft Identity Components
(Figure, placing a Microsoft component at each position of the previous diagram)
• Public Cloud (SaaS, PaaS): AppFabric Access Control Service; protocols OAuth, WS-Trust, SAML
• Private Cloud: AD Federation Services; SAML; claims-based applications
• Partners
• On-Premises (user): AD Certificate Services, AD Rights Management Services
Some of Our Cloud/Federation Players
• Active Directory Domain Services: a claims store and so much more
• Windows Identity Foundation: the developer experience
• AppFabric Access Control Service: cloud-hosted STS
• Active Directory Federation Services: on-premises STS
• Forefront Identity Manager: on-premises identity management
• Windows Live ID: cloud identity provider + much more
• Office 365 / BPOS: SaaS – Exchange Online, SharePoint Online…
• Windows Azure: PaaS – a cloud OS offering a development, service-hosting and service-management environment
Claims-Based Access Basics
• Resource provider: requires and uses claims to define users
• Claims provider: supports protocols for issuing claims
• Relationship: the context in which the meaning of claims is defined
Flow (figure): the Subject sits between the Claims Provider (Security Token Service) and the Resource Provider, which share a Relationship
1. The resource provider requires claims
2. The subject gets claims from the claims provider
3. The subject sends claims to the resource provider
Microsoft Claims-Based Access Model
Components (figure): End User with the Claims Framework (WIF); Security Token Service (AD FS) backed by the Directory (AD DS); Resource Provider – claims-aware application with its business logic
Configure: establish relationship / trust (signing key); configure claims rules (federation metadata)
1. Get policy (from the application)
2. AuthN (credentials) at the STS
3. Get claims (from the STS)
4. AuthN (claims) at the application
5. Grant/deny access (application business logic)
Federation: Claims Sources
• Authentication comes from AD
• Attributes can come from AD, other LDAP directories, SQL, custom sources
• Consider whether to put claim values in AD, or create SQL tables for new claims
  • When should the AD schema be extended?
• If using SQL in ADFS, identify a unique key for users as an AD attribute and table column
• FIM manages attributes in AD and SQL
Forefront Identity Manager 2010 – On-Premises
User Management
• Policy and workflows help with controlling access to cloud services
• Ensure accurate data is used in federation scenarios
Credential Management
• Enable two-factor authentication on-premises and manage smart cards with FIM
• Password reset on-premises
Group Management
• Add additional data needed in AD with provisioning and synchronization
• Directory clean-up, ensuring data quality
Policy Management
• Automated security and distribution group memberships
• Self-service management of security and distribution groups
Scenarios
• Private Cloud
  • Self-service management of virtualization is based on providing delegated access, empowering users
• Access application in Windows Azure
  • Build app with WIF
  • Access app via Azure AppFabric ACS
  • Federate with identity providers
• Enable BPOS / Office 365
  • Identity synchronization
  • Single sign-on and authentication
Hyper-V Authorization Manager – Common identity in Private Cloud
• Default role allows access to all operations
• Additional roles with desired rights can be created
• 33 different operations out of the box, grouped under
  • Hyper-V Service Operations
  • Hyper-V Networks Operations
  • Hyper-V Virtual Machine Operations
Virtual Machine Manager – Common identity in Private Cloud
• The Administrator profile
  • Complete administrative access to all the hosts, virtual machines, and library servers in VMM 2008
• The Delegated Administrator profile
  • Grants administrative access to a defined set of host groups and library servers
• The Self-Service User profile
  • Administrative access to a defined set of virtual machines through the Web-based Virtual Machine Manager Self-Service Portal
• Additional delegation capabilities in the Self-Service Portal
Enhancing Private Cloud with FIM – Common identity
• Hyper-V and SC Virtual Machine Manager use roles
• Roles can contain users or groups from AD
• Delegation of datacenter management
• Forefront Identity Manager securely manages membership in AD groups
Public Cloud Identity Management Options
• Use cloud service provider’s (CSP’s) identity management system
• Synchronize on-premises identity store with CSP’s identity store
• Federate identity in trusted third-party provider with CSP
• Federate identity in on-premises directory with CSP
Cloud Identity Management Option – Use CSP’s System
Pros
• Easy to set up, requiring no work with existing identity management system
Cons
• Difficult to keep identities synchronized between on-premises and cloud
• Terminations and transfers most problematic
• Might not work with hybrid clouds
• Worse, might require dangerous integration practices
Cloud Identity Management Option – Synchronization of On-Premises Identity
Pros
• Not as difficult to set up as federation
• Synchronization can be scheduled or event-driven
• Terminations and transfers easier to manage
• Works with existing on-premises identity lifecycle solutions
Cons
• More difficult to set up than CSP identity management system
• User names might not be identical (CSPs usually default to email address as user name)
• Passwords often not synchronized (may be possible with additional client software)
Cloud Identity Management Option – Federate with third-party identity providers
Pros
• Allows integration with existing cloud-based identity, and potentially services and data, and hybrid clouds
• Integration of third-party with on-premises identity possible
• Useful approach if not possible to federate with on-premises identity store
Cons
• End users may still have multiple identities
• Can be the most difficult to set up and operate of all options
• Takes a dependency on the third-party identity provider
Cloud Identity Management Option – Federate with On-Premises Identity
Pros
• Integrates seamlessly with on-premises identity
• Terminations and transfers can be handled with ease
• User names are usually identical
• No need to synchronize passwords
• Works well with hybrid clouds
Cons
• Can be difficult to set up
• Requires compatible on-premises identity store
• Can magnify existing identity management problems
Public Cloud Platform as a Service
Windows Azure Identity Management Options
• Use cloud service provider’s (CSP’s) identity management system
  • Applications built in Windows Azure can have their own ID store
• Synchronize on-premises identity store with CSP’s identity store
  • Load application user profiles from on-premises AD
• Federate identity in trusted third-party provider with CSP
  • Access Control service using public identity providers
• Federate identity in on-premises directory with CSP
  • Federate directly with the application
  • Federate with Access Control service
Identity and Access Options – Common Identity Across Applications
• Use of Active Directory identities and groups through federation
• In the next release of AppFabric Access Control Services (ACS 2.0), single sign-on with popular Internet identity providers
• Integration with 3rd-party systems through WS-* and SAML 2.0 open standards
• Enable seamless access experience with other corporate applications tied to AD
(Figure: on-premises Active Directory and other providers connect to the application over WS-* and SAML)
How ACS works
0. Establish trust between your service and the Access Control Service via key exchange
1. Define access control rules for an identity provider
2. The customer requests a token (passes input claims)
3. ACS maps input claims to output claims based on the access control rules
4. ACS returns a token (the customer receives the output claims)
5. The customer sends a message with the token to your service
6. Your service processes the token
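The three slides Claims-Based Access Basics, Microsoft Claims-Based Access Model and How ACS works describe one exchange: trust is established through a signing key, the STS maps input claims to output claims by rules, and the relying party validates the token before its business logic grants or denies access. The Python below is an added example written for this page, not code from the deck or from AD FS, ACS or WIF. It uses HMAC-signed JSON as a stand-in for the signed SAML/WS-* tokens the real products issue; the issuer name, the application URN, the user, group and role names and the signing key are all constructed.

```python
import base64
import hashlib
import hmac
import json

# Step 0 (trust): STS and relying party share one signing key. Real AD FS / ACS exchange a
# signing certificate through federation metadata instead; this key is a constructed sample.
SIGNING_KEY = b"constructed-sample-key-for-this-example-only"

def _b64(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class SecurityTokenService:
    """Claims provider: holds per-relying-party rules and issues signed tokens."""
    def __init__(self, issuer, key):
        self.issuer, self.key, self.rules = issuer, key, []

    def add_rule(self, audience, when, emit):
        """Step 1: rule for one relying party; when(input) -> bool, emit(input) -> {claim type: [values]}."""
        self.rules.append((audience, when, emit))

    def issue_token(self, audience, input_claims, now, lifetime=300):
        """Steps 2-4: map input claims to output claims and return a signed token."""
        output = {}
        for aud, when, emit in self.rules:
            if aud == audience and when(input_claims):
                for claim_type, values in emit(input_claims).items():
                    output.setdefault(claim_type, []).extend(values)
        if not output:  # no rule matched: this subject gets no token for this relying party
            raise PermissionError(f"no claims for {input_claims['sub']} to {audience}")
        payload = {"iss": self.issuer, "aud": audience, "sub": input_claims["sub"],
                   "iat": now, "exp": now + lifetime, "claims": output}
        body = json.dumps(payload, sort_keys=True).encode()
        return _b64(body) + "." + _b64(hmac.new(self.key, body, hashlib.sha256).digest())

class ClaimsAwareApp:
    """Resource provider: validates the token (step 6) and decides on its claims (step 5)."""
    def __init__(self, name, trusted_issuer, key):
        self.name, self.trusted_issuer, self.key = name, trusted_issuer, key

    def process_token(self, token, now):
        body_b64, sig_b64 = token.rsplit(".", 1)
        body = _unb64(body_b64)
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            raise ValueError("signature does not verify with the trusted key")
        payload = json.loads(body)
        if payload["iss"] != self.trusted_issuer:
            raise ValueError("issued by an untrusted STS")
        if payload["aud"] != self.name:
            raise ValueError("issued for a different relying party")
        if not payload["iat"] <= now < payload["exp"]:
            raise ValueError("token expired or not yet valid")
        return payload["claims"]

    def grant(self, claims, required_role):
        # Authorization reads only the role claim the STS issued, never raw directory data.
        return required_role in claims.get("role", [])

def _succeeds(action):
    try:
        action()
        return True
    except (PermissionError, ValueError):
        return False

def demo_exchange(now=1_700_000_000):
    """Runs the exchange for constructed subjects; returns what each step decided."""
    app_id, sts_id = "urn:fabrikam-shipping", "https://sts.contoso.example"  # hypothetical names
    sts = SecurityTokenService(sts_id, SIGNING_KEY)
    app = ClaimsAwareApp(app_id, sts_id, SIGNING_KEY)
    # Step 1: AD group membership and UPN suffix become application role claims.
    sts.add_rule(app_id, lambda c: "Shipping-Admins" in c["groups"], lambda c: {"role": ["ShippingAdmin"]})
    sts.add_rule(app_id, lambda c: c["upn"].endswith("@contoso.example"),
                 lambda c: {"role": ["ShippingUser"], "upn": [c["upn"]]})
    # Constructed input claims, as AD FS would hold them after Windows authentication (step 2).
    alice = {"sub": "alice", "upn": "alice@contoso.example", "groups": ["Shipping-Admins", "Staff"]}
    bob = {"sub": "bob", "upn": "bob@contoso.example", "groups": ["Staff"]}
    outsider = {"sub": "ext1", "upn": "ext1@example.net", "groups": []}
    results = {}
    claims = app.process_token(sts.issue_token(app_id, alice, now), now)
    results["alice_admin"] = app.grant(claims, "ShippingAdmin")
    bob_token = sts.issue_token(app_id, bob, now)
    claims = app.process_token(bob_token, now)
    results["bob_admin"], results["bob_user"] = app.grant(claims, "ShippingAdmin"), app.grant(claims, "ShippingUser")
    results["outsider_token"] = _succeeds(lambda: sts.issue_token(app_id, outsider, now))
    # A token body edited after issue (role added) no longer matches its signature.
    body, sig = bob_token.rsplit(".", 1)
    edited = json.loads(_unb64(body))
    edited["claims"]["role"].append("ShippingAdmin")
    edited_token = _b64(json.dumps(edited, sort_keys=True).encode()) + "." + sig
    results["edited_accepted"] = _succeeds(lambda: app.process_token(edited_token, now))
    # The same valid token presented after its lifetime is rejected.
    results["stale_accepted"] = _succeeds(lambda: app.process_token(bob_token, now + 600))
    return results
```

The point of the two classes is the division of labour the slides draw: the STS is the only place that turns directory facts (group membership, UPN) into application claims, and the application checks issuer, audience, signature and lifetime before it looks at a single claim. Anyone who can edit a token or replay an old one gets a rejection, and a subject no rule covers never receives a token at all.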
Fabrikam Shipping – example of Software as a Service in Windows Azure: sign-up experience with Access Control service (demo)
Public Cloud Software as a Service
PaaS Identity Management Options
• Use cloud service provider’s (CSP’s) identity management system
  • Smaller customers using Office 365 ID
• Synchronize on-premises identity store with CSP’s identity store
  • Directory Sync required by applications in Office 365
• Federate identity in trusted third-party provider with CSP
• Federate identity in on-premises directory with CSP
  • Office 365 enables single sign-on via federation
Office 365 Identity and Access Options – Identity synchronization and authentication
(Figure; labels: Small/Medium Customer; Identity services; Trust; Authentication platform; On-Premises IdP – Active Directory Federation Services; Provisioning platform; Online Directory Sync; AD Directory Store; Forefront Identity Manager 2010; Admin portal; Exchange, SharePoint and Lync as the services behind the IdP)
What Does DirSync Do?
• Enables “Identity” and “Application” coexistence
  • Identities are managed on premises
  • Syncs users, groups and contacts
  • Enables easy identity federation
• Enables application coexistence (Exchange and OC)
  • Application coexistence – on-premises mail and OC services work with their corresponding cloud services (on-premises OC users IM cloud users, and on-premises mail routes to the cloud and vice versa)
  • Enabler for Exchange “Rich Coexistence” features
  • Involves a write-back of cloud data to the on-premises customer directory
Enhancing MS Online Services with FIM
• FIM manages on-premises AD DS
  • Simplify and clean up AD
  • Necessary attributes for Office 365 maintained
  • Managing groups on-premises
• MS Online Directory Synchronization tool keeps the on-premises directory in sync with the MS Online Directory
• FIM supplies AD FS with additional data for claims
  • Construct a “role” claim based on data in Active Directory populated by FIM, to use for authorizing access to Office 365
• FIM provisions users with smartcards or software certificates
  • Enables users to leverage stronger authentication for access to cloud-based services
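The DirSync and FIM slides above, the termination and transfer gaps on the Compliance and Security in the Cloud slide, and the unique-key advice on the Federation: Claims Sources slide all come down to one reconciliation loop: match accounts on an immutable key, push terminations before anything else, and carry role changes as attribute and group updates. The Python below is an added example written for this page, not DirSync or FIM code; the `anchor` field (standing in for an immutable AD attribute), the `mastered_on_prem` flag and every sample account are constructed.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Identity:
    anchor: str             # immutable key shared by both stores (hypothetical; stands in for an AD attribute such as objectGUID)
    upn: str
    enabled: bool
    groups: frozenset
    department: str
    mastered_on_prem: bool = True  # False for accounts that exist only in the cloud tenant

def plan_sync(on_prem, cloud):
    """One-way reconciliation: the on-premises directory is authoritative for every
    identity it masters. Returns cloud-side operations, most urgent first."""
    src_by = {i.anchor: i for i in on_prem}
    dst_by = {i.anchor: i for i in cloud}
    ops = []
    # 1. Terminations: an account disabled on-premises must not stay usable in the cloud.
    for anchor, src in src_by.items():
        dst = dst_by.get(anchor)
        if dst is not None and not src.enabled and dst.enabled:
            ops.append(("disable", anchor))
    # 2. Orphans: cloud accounts whose on-premises master has been deleted.
    for anchor, dst in dst_by.items():
        if dst.mastered_on_prem and anchor not in src_by and dst.enabled:
            ops.append(("disable", anchor))
    # 3. New hires, re-enabled accounts and transfers (attribute and group changes).
    for anchor, src in src_by.items():
        if not src.enabled:
            continue
        dst = dst_by.get(anchor)
        if dst is None:
            ops.append(("create", anchor))
            continue
        if not dst.enabled:
            ops.append(("enable", anchor))
        changes = {}
        if src.upn != dst.upn:
            changes["upn"] = src.upn
        if src.department != dst.department:
            changes["department"] = src.department
        if src.groups != dst.groups:  # a transfer removes old-role access as well as adding the new
            changes["add_groups"] = sorted(src.groups - dst.groups)
            changes["remove_groups"] = sorted(dst.groups - src.groups)
        if changes:
            ops.append(("update", anchor, changes))
    return ops

def apply_sync(cloud, ops, on_prem):
    """Applies the plan to an in-memory copy of the cloud directory."""
    src_by = {i.anchor: i for i in on_prem}
    dst_by = {i.anchor: i for i in cloud}
    for op in ops:
        kind, anchor = op[0], op[1]
        if kind == "create":
            dst_by[anchor] = src_by[anchor]
        elif kind in ("disable", "enable"):
            dst_by[anchor] = replace(dst_by[anchor], enabled=(kind == "enable"))
        elif kind == "update":
            s = src_by[anchor]
            dst_by[anchor] = replace(dst_by[anchor], upn=s.upn, department=s.department, groups=s.groups)
    return list(dst_by.values())

def demo():
    """Constructed sample directories: a transfer, a termination, a new hire, an account deleted
    on-premises and a cloud-only account. Returns (plan, converged)."""
    on_prem = [
        Identity("a1", "alice@contoso.example", True, frozenset({"Shipping-Admins"}), "Logistics"),
        Identity("b2", "bob@contoso.example", True, frozenset({"Finance"}), "Finance"),   # moved from Sales
        Identity("c3", "carol@contoso.example", False, frozenset({"Staff"}), "Sales"),    # terminated
        Identity("d4", "dave@contoso.example", True, frozenset({"Staff"}), "Logistics"),  # new hire
    ]
    cloud = [
        Identity("a1", "alice@contoso.example", True, frozenset({"Shipping-Admins"}), "Logistics"),
        Identity("b2", "bob@contoso.example", True, frozenset({"Sales"}), "Sales"),
        Identity("c3", "carol@contoso.example", True, frozenset({"Staff"}), "Sales"),
        Identity("e5", "eve@contoso.example", True, frozenset({"Staff"}), "Sales"),        # deleted on-prem
        Identity("f6", "cloudadmin@contoso.example", True, frozenset({"Tenant-Admins"}), "IT", mastered_on_prem=False),
    ]
    plan = plan_sync(on_prem, cloud)
    converged = plan_sync(on_prem, apply_sync(cloud, plan, on_prem)) == []
    return plan, converged
```

Two design points carry the slides' message. Matching on an immutable anchor rather than on UPN or e-mail means a renamed user stays the same account instead of becoming a duplicate, which is the "user names might not be identical" problem on the synchronization slide. Ordering terminations and orphans before creates and updates means a scheduled run that is cut short still closes the access that matters most, and re-running the plan on the result yields no further operations, which is the convergence check `demo` returns.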
Managing Common Identity
(Figure; labels grouped by role in the diagram)
• Identity directories and sources: AD DS, SQL Server, HR System, SAP and other apps, SharePoint Profiles and Access, Exchange GAL & DL
• Attributes flowing between them: Phone, Title, Department, Manager, Group, Role, Client List
• Access: Windows Integrated/Kerberos; WS-* and SAML claims via AD FS 2.0 to claims-aware applications and a partner; MS Online Directory Synchronization
• FIM 2010: Workflow, Self Service
Next Steps – Prepare for and embrace the cloud by
• Improving quality and enhancing data in AD
• Leveraging Forefront Identity Manager to prepare for the cloud and for ongoing management on-premises
• Learning more about identity federation
• Understanding how claims-based identity can assist developers
Resources
• Forefront Identity Manager
  • www.microsoft.com/fim
  • technet.microsoft.com/ilm
  • blogs.technet.com/identitymanagement
• Claims-Based Identity
  • Whitepaper and Architecture Guide on www.microsoft.com/wif
  • Programming WIF from MSPress
  • www.microsoft.com/adfs
  • Identity Developer Training
  • Windows Azure Training Kit
• www.microsoft.com/cloud
• www.microsoft.com/online
Related Content
• SIM203 | Microsoft Identity and Access Strategy
• SIM358 | Preparing Identities for the Cloud with FIM
• SIM324 | Using Windows Azure Access Control Service 2.0 with Your Cloud Application
• OSP215 | Microsoft Office 365: Identity and Access Solutions
• SIM322 | Developer's View on Single Sign-On for Applications Using Windows Azure
• SIM377-INT | Claims-Based Identity
• SIM399-HOL | Managing Claims AuthN using FIM 2010
• MID274-HOL | Introduction to the Windows Azure AppFabric Access Control Service V2
• TLC: Identity Federation, Identity Management, Directory Services
Track Resources
• Don’t forget to visit the Cloud Power area within the TLC (Blue Section) to see product demos and speak with experts about the Server & Cloud Platform solutions that help drive your business forward.
• You can also find the latest information about our products at the following links:
  • Cloud Power - http://www.microsoft.com/cloud/
  • Private Cloud - http://www.microsoft.com/privatecloud/
  • Windows Server - http://www.microsoft.com/windowsserver/
  • Windows Azure - http://www.microsoft.com/windowsazure/
  • Microsoft System Center - http://www.microsoft.com/systemcenter/
  • Microsoft Forefront - http://www.microsoft.com/forefront/
Resources
• Connect. Share. Discuss. http://northamerica.msteched.com
• Learning
  • Sessions On-Demand & Community – www.microsoft.com/teched
  • Microsoft Certification & Training Resources – www.microsoft.com/learning
• Resources for IT Professionals – http://microsoft.com/technet
• Resources for Developers – http://microsoft.com/msdn
© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.