Identity & Access Management Conversation
Karlien Vanden Eynde, Product Marketing Manager

Agenda
• 13:30 – 14:30 Wider Identity Conversation – Kim Cameron
• 14:30 – 15:30 Microsoft IAM: Business Needs and IT Challenges – Henk Den Baes
• 15:30 – 16:00 Coffee Break
• 16:00 – 17:15 FIM 2010: From Identity Synchronization to Identity Management – Federico Guerrini
• 17:15 – 17:20 Partner Offerings
• 17:20 – 18:00 Networking & Cocktail
Digital Identity Discussion
Kim Cameron, Chief Architect of Identity

Identity
• The stuff of poets and philosophers
Digital Identity

Digital Identity
• How the web and the world recognize us in different contexts
• Foundation for personalization
• The social “mouse” or “keyboard”
• Foundation for interaction, collaboration and social phenomena
  • I can’t collaborate over time if I can’t recognize and refer to you
• Foundation for the digital economy

Identity is a mosaic
• The disruptive ability and tendency to connect all information about individuals brings significant commercial and social risk

Architectural Problem
• The Internet was not designed with any way to know who you’re connecting to
• The result is a patchwork quilt of kludges
What is the Claims-Based Model?
• Claims-based model: an abstraction layer for authenticating, authorizing and obtaining information about users, devices and services
• Claim: a statement that is in doubt, made by one subject about another subject
  • Email = kcameron@microsoft.com
  • Age > 21
  • Manager = Craig Wittenberg
  • Role = Architect
• Primordial claims: passwords, keys and certificates
• Identity metasystem: an open, standards-based architecture for the exchange of claims under user control
• Claims transformer: matches impedance between domains
• Write to the model, let the infrastructure adapt to the environment

Flow in the Claims-Based Model
• Application: requires and uses claims to describe users
• Claims provider: supports protocols for issuing claims
• Relationship: the context in which the meaning of claims is defined
[Diagram: Subject, Claims Provider (Security Token Service) and Application (requires Claims), joined by a Relationship; 1. Require claims, 2. Get claims, 3. Send claims]

Identity, Capabilities, Authorization: How the Claims Service works
• Claims Transformation
  • New semantics at domain boundaries
  • Different issuer (for example “Local STS”)
  • Transform from Identity to Capabilities
• Claims Augmentation
  • Not just identifiers!
[Diagram: Claims + Policy → Claims Evaluation and Transform → New Claims]
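The require/get/send flow and the domain-boundary transformation described above, as an added example that is not part of the original deck: a partner STS issues identity claims, a local STS verifies them and re-issues capability claims (augmented with the subject's home organization), and the application accepts only tokens that carry the claims it requires. The issuer names, keys, the role-to-capability table and the use of HMAC in place of an asymmetric signature are constructed assumptions.

```python
import hashlib
import hmac
import json
import secrets

# Constructed signing keys for the two claims providers. HMAC stands in for the
# STS signing key here; a production STS signs with an asymmetric key.
PARTNER_STS_KEY = b"partner-sts-key-constructed"
LOCAL_STS_KEY = b"local-sts-key-constructed"

def issue_token(issuer, key, subject, claims):
    """Step 2 of the flow: a claims provider issues a signed set of claims."""
    body = {"iss": issuer, "sub": subject, "claims": claims, "nonce": secrets.token_hex(8)}
    payload = json.dumps(body, sort_keys=True)
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}

def verify_token(token, trusted_issuers):
    """Return the token body if its named issuer is trusted and the signature holds, else None."""
    body = json.loads(token["payload"])
    key = trusted_issuers.get(body.get("iss"))
    if key is None:
        return None
    expected = hmac.new(key, token["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return None
    return body

# Claims transformation at the domain boundary (the "Local STS"): partner identity
# claims are mapped to capabilities the local application understands.
ROLE_TO_CAPABILITIES = {"Architect": ["design:read", "design:write"],
                        "Contractor": ["design:read"]}

def transform_claims(partner_token):
    body = verify_token(partner_token, {"partner-sts": PARTNER_STS_KEY})
    if body is None:
        return None
    caps = set()
    for role in body["claims"].get("role", []):
        caps.update(ROLE_TO_CAPABILITIES.get(role, []))
    new_claims = {"capability": sorted(caps),
                  "home_org": body["iss"]}   # augmentation: record where the subject came from
    return issue_token("local-sts", LOCAL_STS_KEY, body["sub"], new_claims)

REQUIRED = {"capability"}   # Step 1: the claims the application requires

def application_accepts(token):
    """Step 3: accept only local-STS tokens that carry every required claim."""
    body = verify_token(token, {"local-sts": LOCAL_STS_KEY})
    return body is not None and REQUIRED <= set(body["claims"])
```

The application never sees the partner's role claim directly; only the local STS is trusted, so a partner token presented straight to the application is rejected.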
Where is the industry in the process?
• Standards widely accepted – OASIS
• Interoperability deeply tested – OSIS Interoperability Testing and Liberty Alliance
• Platforms will finally have claims as a built-in feature
  • Microsoft ADFS V2 shipping now
  • Part of Active Directory – expect wide adoption and deployment given no marginal cost
• COTS software can count on claims “being there”
  • Example: Microsoft flagship applications like SharePoint
• Great products by many vendors
• Cloud service adoption and strong competition
• Many proofs of concept by private enterprise and government

New initiatives in the consumer space: OpenID
• Metasystem model
• Big service providers are all supporting OpenID (Yahoo, AOL, Google, Windows Live, etc.)
• Many small providers (e.g. universities)
• US Government support
• Widely available software for ISVs
• Severe security issues being worked on by the industry

Architecture, Starting with the Enterprise
• How does an enterprise or government department make its application available to more than just employees?
[Diagram: An Enterprise (Identity Store, Enterprise Application) – ? – Its Partner (Identity Store with Roles, Properties); Microsoft Services Identity Backbone]

Industry Standard Components
• Claims API: middleware or framework for building claims-aware applications
• Claims Service: Security Token Service (STS) connecting to an identity store
• Identity Selector: client component allowing the user to select and control identity
[Diagram: Enterprise Identity Backbone with Identity Store, Enterprise Application, Claims API and Claims Service exchanging Claims with a Claims Service and Identity Store (Roles, Properties) on the Microsoft Services Identity Backbone; components numbered 1–3]

The Claims Service
• Claims Service = Security Token Service (STS)
• Standard across vendors
• Multiple protocols: SAML, WS-Federation, WS-Trust
• Multiple payloads
• Multiple vendors: Open Source, Microsoft, IBM, Novell, Sun, Siemens, etc.
[Diagram: Enterprise Identity Backbone (Identity Store, Enterprise Application, Claims API, Claims Service) exchanging Claims with the Claims Services of Partners backed by a Directory or Database; Microsoft Services Identity Backbone]

Architecture Works for Cloud, Too
• Claims Service: “enterprise” protocols are also used by cloud providers
• Additional protocol for providers in the consumer space: OpenID
• Several large cloud service providers already support the model
• Allows a single federation agreement to access many services
• No lock-in to any cloud provider
[Diagram: Cloud Service Identity Backbone (Identity Store, Cloud Application, Claims API, Claims Service) exchanging Claims with the Claims Services of an Enterprise and a University, backed by a Directory and a Database]
From Architecture To Off-The-Shelf Product
Active Directory Federation Services
Integrate and extend security
• Shared identity with partner organizations and cloud services
• Boost cross-organizational efficiency and communication with more secure access
• Support the sharing of rights-protected messages between organizations
• Improved support for Microsoft SharePoint Server as a claims-aware application
[Diagram: Trey Research (Account Forest: AD DS, AD FS, User Account/Credentials) and Woodgrove Bank (Resource Forest: AD DS, AD FS, AD RMS, Exchange 2010, SharePoint Server Farm) joined by a Federation Trust with Business Partners; the user authenticates, is redirected to the Security Token Service (STS), receives a Security Token with claims, posts the claims to the application and gains application access]

Cloud Services Single Sign On with Extended Collaboration
Integrate and extend security
• Implements a single user access model with native single sign-on (SSO) and easier federation to on-premises and cloud services
• Helps provide consistent security with a single user access model externalized from applications
• Based on open, industry-standard protocols for interoperability
[Diagram: Corporate User holding a Security Token (e.g., Kerberos Ticket) → AD FS (backed by AD DS) → Exchange, SharePoint, Web App, Claims-Aware Application, Partner]
• AD FS creates a SAML token
• Signs it with the company’s private key
• Sends it back to the user
• Access is supplied with the token

Seamless Access to On-Premises and In-Cloud
Integrate and extend security
• SSO for on-premises and in-cloud applications
• Native support for Web and application SSO (including multi-factor authentication)
• Addresses security risks and interoperability problems caused by extending business resources beyond the corporate network and across disparate systems
• Seamless access to in-cloud and on-premises applications
[Diagram: Corporate User and Remote Employee with SSO to On-Premises Web Apps and In-Cloud Web Apps through AD FS and AD DS; Business Partners; external users get an authentication token from AD FS]
Managing the Use of Claims Provisioning Claims and Resources
Identity Management: User provisioning
Simplify security, manage compliance
• Policy-based identity lifecycle management system
• Built-in workflow for identity management
• Automatically synchronize all user information to different directories across the enterprise
• Automates the process of on-boarding users
[Diagram: User Enrollment from the HR System → FIM Workflow (Approval by the Manager) → user provisioned on all allowed systems: Active Directory, Lotus Domino, LDAP, SQL Server, Oracle DB, FIM CM]

Forefront Identity Manager 2010
Simplify security, manage compliance
• FIM enables identity-based controls for information protection
  • Enforced through Windows Server and Active Directory Rights Management Services
• FIM enables application and network access controls
  • Enforced in Forefront Unified Access Gateway
• FIM enables federation and cloud-based services
  • FIM supplies data for claims, performs user account provisioning and deprovisioning, and manages smartcards or software certificates

FIM Enables Federation and Cloud
Simplify security, manage compliance
• FIM supplies ADFS with data for claims
  • For example, construct a “role” claim based on data in FIM to use for authorization in place of security groups
• FIM supplies cloud-based services with user account provisioning and de-provisioning
  • For services which need a copy of the directory
• FIM provisions users with smartcards or software certificates
  • Enables users to leverage stronger authentication for access to cloud-based services than just a password

FIM Manages Primordial Claims
Simplify security, manage compliance
• Increase access security beyond username and password solutions
• Streamline deployment by enrolling user and computer certificates without user intervention
• Simplify certificate and smart card management using Forefront Identity Manager (FIM)
• Enhance remote access security through certificates with Network Access Protection
• Stronger authentication through certificates for administrative access and management
[Diagram: End User, HR System, FIM, FIM Certificate Management (CM), Active Directory Certificate Services (AD CS), SmartCard; User ID and Password, Multi-Factor Authentication]
• User enrollment and authentication request sent by the HR System
• User is validated using multi-factor authentication
• FIM policy triggers a request for FIM CM to issue a certificate or smart card
• FIM Certificate Management (CM) requests certificate creation from AD CS
• Certificate is issued to the user and written to either the machine or the smart card

Workflow Management
Simplify security, manage compliance
• Enables IT to quickly define, automate, and enforce identity management policies
• IT can use the integrated workflow in the approval/rejection process
• Automatic notifications for request approvals or rejections
Directions Minimal Disclosure and Interscale Directory
Important New Frontier: Minimal Disclosure Technology
[Diagram: the Identity Provider holds Name: Alice Smith, Address: 1234 Pine, Seattle, WA, D.O.B.: 23-11-1955; the token passed to the Relying Party carries the same full record: Name: Alice Smith, Address: 1234 Pine, Seattle, WA, D.O.B.: 23-11-1955]

Minimal Disclosure Token
[Diagram: the Identity Provider holds Name: Alice Smith, Address: 1234 Pine, Seattle, WA, D.O.B.: 23-11-1955; the Relying Party asks “Prove that you are over 21 and from WA” and receives only an Over-21 proof; the Identity Provider is left asking “Which adult from WA is this?”]

Minimal Disclosure Scenarios
• Birth certificate RP: prove name, DOB & address (eID)
• Dating site RP: prove over-21 & gender (eID)
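The minimal disclosure token and the dating-site scenario above, as an added example that is not part of the original deck: the identity provider holds Alice's full record but attests only the yes/no predicates the relying party asked for, so name, address and date of birth never reach the RP. It shows the disclosure policy only, not the cryptography that keeps the issuer from learning which relying party a proof is shown to; the key, the reference date, the predicate names and HMAC in place of the provider's private key are constructed assumptions.

```python
import hashlib
import hmac
import json
import secrets
from datetime import date

IDP_KEY = b"idp-signing-key-constructed"   # constructed; stands in for the IdP's private key

# Full record held by the identity provider (constructed sample, as on the slide).
ALICE = {"name": "Alice Smith", "address": "1234 Pine, Seattle, WA", "dob": "1955-11-23"}

def is_over(dob_iso, years, today_iso):
    """True once the subject's `years`-th birthday has passed (dates as ISO strings)."""
    dob, today = date.fromisoformat(dob_iso), date.fromisoformat(today_iso)
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    return age >= years

def state_of(address):
    """Take the trailing state code from an address like '1234 Pine, Seattle, WA'."""
    return address.rsplit(",", 1)[-1].strip()

# Predicates the IdP is willing to attest; each yields a bare yes/no, never the raw value.
PREDICATES = {
    "over-21": lambda rec, today: is_over(rec["dob"], 21, today),
    "from-WA": lambda rec, today: state_of(rec["address"]) == "WA",
}

def issue_minimal_token(record, requested, today_iso):
    """Issue only the requested predicates; unknown attribute requests are silently dropped.
    The fresh nonce keeps two tokens for the same user from matching byte-for-byte."""
    claims = {p: PREDICATES[p](record, today_iso) for p in requested if p in PREDICATES}
    payload = json.dumps({"claims": claims, "nonce": secrets.token_hex(8)}, sort_keys=True)
    sig = hmac.new(IDP_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}

def rp_accepts(token, needed):
    """Relying party: check the IdP signature, then require every needed predicate to be true."""
    expected = hmac.new(IDP_KEY, token["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return False
    claims = json.loads(token["payload"])["claims"]
    return all(claims.get(p) is True for p in needed)

def disclosed(token):
    """What the RP actually learns: the predicate names carried in the token."""
    return sorted(json.loads(token["payload"])["claims"])
```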
And finally… Towards a federated directory
• We need a directory metasystem that works holistically in the cloud, in enterprises and organizations, and on devices
• Shared architecture, data model and semantics, protocols, publication paradigm
• Policy framework for configuration
• Simple APIs integrated with developer platforms