Introduction to Identity Management with MIIS 2003
Steve Plank, Architectural Engineer

Agenda
• MIIS Scenarios
• How MIIS works
• MIIS Futures
Hire Scenario (diagram): a new record in the HR System (file) is imported by MIIS, which provisions the user into the connected systems: Contractor System, Lotus Notes (Notes), Active Directory (LDAP), iPlanet Directory (LDAP), SQL Server (SQL) and AD App Mode (LDAP).

Fire Scenario (diagram): the same connected systems, with the HR System termination flowing through MIIS to deprovision the user from Contractor System, Lotus Notes (Notes), Active Directory (LDAP), iPlanet Directory (LDAP), SQL Server (SQL) and AD App Mode (LDAP).
Identity Joining Scenario (diagram): the HR System record is projected to the metaverse object "Clark Kent, employeeID 007"; the other connected directories are joined to that object on employeeID, except iPlanet Directory, whose employeeID (008) does not match and therefore needs a manual join.

System             givenName  sn       title      mail               employeeID  telephone  Relationship to metaverse
HR System          Clark      Kent                                   007                    Projected
Lotus Notes        Clark      Kennttt  Reporter                      007                    Joined on employeeID
Active Directory   Klarke     Kent     Superhero  Clark@contoso.com  007                    Joined on employeeID
iPlanet Directory  Klarek     Cenntt                                 008         867-5309   Manual join
Attribute Flow Scenario: Identity Data Aggregation (diagram). Each attribute has one authoritative connected directory, and only that source flows the attribute into the metaverse:
• FirstName, LastName, EmployeeID: HR System
• Title: Lotus Notes
• E-Mail: Active Directory
• Telephone: iPlanet Directory
Resulting metaverse object: givenName Clark, sn Kent, title Reporter, mail Clark@contoso.com, employeeID 007, telephone 867-5309.

Attribute Flow Scenario: Identity Data Brokering (Convergence) (diagram). The aggregated metaverse values flow back out to every joined directory, replacing incorrect or missing information: sn Kennttt in Lotus Notes; givenName Klarke and title Superhero in Active Directory; givenName Klarek, sn Cenntt and employeeID 008 in iPlanet Directory (employeeID becomes 007).

Attribute Flow Scenario: Identity Data Integrity Enforcement (diagram). After convergence all four directories hold givenName Clark, sn Kent, mail Clark@contoso.com, employeeID 007 and telephone 867-5309. A title value of Superhero introduced outside the authoritative source is overwritten again with the metaverse value Reporter, so Active Directory and iPlanet Directory both end with title Reporter.

Identity Data Integrity Enforcement (second diagram). The same converged attributes are shown with the title changing: Lotus Notes and iPlanet Directory show title Publisher while HR System and Active Directory show title Reporter, with the remaining attributes (givenName Clark, sn Kent, mail Clark@contoso.com, employeeID 007, telephone 867-5309) unchanged.
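The join, aggregation, convergence and integrity-enforcement steps above, as an added example that is not part of the slide deck or of MIIS itself: a small Python model using the slide's four connected directories and attribute values. The function names, the PRECEDENCE table and the manual-join mechanism are assumptions made for illustration; real MIIS expresses these as management-agent join rules, attribute-flow precedence and rules extensions.

```python
# Added example (hypothetical model, not MIIS code): connector-space records
# per connected directory, with the values shown on the slides.
CONNECTOR_SPACE = {
    "HR System":         {"givenName": "Clark",  "sn": "Kent",    "employeeID": "007"},
    "Lotus Notes":       {"givenName": "Clark",  "sn": "Kennttt", "title": "Reporter",
                          "employeeID": "007"},
    "Active Directory":  {"givenName": "Klarke", "sn": "Kent",    "title": "Superhero",
                          "mail": "Clark@contoso.com", "employeeID": "007"},
    "iPlanet Directory": {"givenName": "Klarek", "sn": "Cenntt",  "employeeID": "008",
                          "telephone": "867-5309"},
}

# Import attribute-flow precedence: the one directory authoritative for each attribute.
PRECEDENCE = {
    "givenName": "HR System", "sn": "HR System", "employeeID": "HR System",
    "title": "Lotus Notes", "mail": "Active Directory", "telephone": "iPlanet Directory",
}

def join(connector_space, projecting_ma="HR System", manual_joins=None):
    """Project the HR record, then join the others on employeeID. A connector whose
    employeeID does not match (iPlanet, 008) is joined only via an explicit manual join
    mapping {connector: metaverse employeeID}; otherwise it stays unjoined."""
    manual_joins = manual_joins or {}
    anchor = connector_space[projecting_ma]["employeeID"]
    joined, unjoined = {projecting_ma: "projected"}, []
    for ma, rec in connector_space.items():
        if ma == projecting_ma:
            continue
        if rec.get("employeeID") == anchor:
            joined[ma] = "joined on employeeID"
        elif manual_joins.get(ma) == anchor:
            joined[ma] = "manual join"
        else:
            unjoined.append(ma)
    return joined, unjoined

def aggregate(connector_space, joined):
    """Import attribute flow: the metaverse object takes each attribute from its
    authoritative source, and only if that source is actually joined."""
    return {attr: connector_space[src][attr] for attr, src in PRECEDENCE.items() if src in joined}

def converge(connector_space, metaverse):
    """Export attribute flow: push metaverse values into every connector, overwriting
    incorrect or missing values (Kennttt, Klarke, Cenntt, 008 ...). Returns new records."""
    return {ma: {**rec, **metaverse} for ma, rec in connector_space.items()}

def enforce(connector_space, metaverse, ma, attr, new_value):
    """Integrity enforcement: a change made in a non-authoritative system is reverted on
    the next export; a change in the authoritative system updates the metaverse first."""
    connector_space[ma][attr] = new_value
    if PRECEDENCE[attr] == ma:
        metaverse[attr] = new_value
    return converge(connector_space, metaverse)
```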
MIIS in action… Demo
Agenda
• MIIS Scenarios
• How MIIS works
• MIIS Futures
Terminology (diagrams)
• Connected Directories: the external systems MIIS reads from and writes to
• Connector Space: the staging area holding each connected directory's objects
• Metaverse: the aggregated identity objects
• Management Agent (MA): the per-directory component, made up of an interface (i/f), schema, filters and rules, plus an optional Rules Extension
• Run Profiles: Import and Export
• Operations: Staging, Projection, Join, Provisioning, Export
• Attribute flow: Import Attribute Flow (connector space to metaverse) and Export Attribute Flow (metaverse to connector space)
MIIS – Metadirectory Functionality and Connectivity (diagram showing NOS, SQL, LDAP, LOB Apps and Identity Data sources)
• Wide range of connectivity: Active Directory & ADAM; Sun/iPlanet Directory; IBM DS; Novell eDirectory; Microsoft SQL 2000 & SQL 7; Oracle 9i/8i; IBM DB2; Lotus Notes 5.x/6.x; Microsoft Exchange 5.5, 2K, 2K3; Microsoft NT 4.x; RACF; DSML, LDIF, CSV, fixed width; others to follow
• MA SDK allows ISVs and corporate developers to build custom MAs
Synchronizing Identity Stores: The Management Agent SDK
• Easy-to-use SDK to build Management Agents
• .NET-hosted set of interfaces
• Addresses IT Pro and ISV audiences
• IT Pro
  • Fast MA development using a template
  • Simple to configure by reusing the "Extensible MA UI"
• ISVs
  • Allows customizing the MA configuration UI and providing a customized look and feel
  • Enables packaging and redistribution of management agents
  • Enables Identity Manager-integrated development of the MA configuration UI
• Supports password synchronization
Password Synchronization: Password Change Notification (diagram: LSA Process → Password Filter → Password Notification Service → Identity Integration Server)
Active Directory Domain Controller: Password Filter
• The password filter is extremely lightweight to minimize any impact on the DC
• The filter receives the change notifications and securely communicates passwords to the service
Password Notification Service
• The service encrypts and queues the password notification to be delivered to the registered targets (MIIS or HIS)
• Notifications are transmitted via secure RPC to the target
• A queuing and retry mechanism guards against lost passwords due to connectivity issues
• PCNS and MIIS mutually authenticate to prevent spoofing
Password Synchronization: Identity Integration Server (diagram: PCNS → Identity Integration Server, with per-target queues between the Connector Space/Metaverse and the Connected Directories)
• MIIS receives notifications from PCNS and locates the matching object for the user's Active Directory account
• MIIS leverages the metadirectory "join" relationship to locate the correct accounts in the target systems
• MIIS maintains a queue for each target system to optimize delivery and handle systems that are less reliable
• Passwords can be synchronized to any system managed by MIIS management agents
• Password Extensions allow synchronizing passwords to custom applications and directories
Visualization
• Different hierarchies suit different needs
• Multiple hierarchical representations can be discovered from data
• Polyarchy eliminates the requirement for a fixed hierarchy
• Polyarchy provides multiple hierarchical views and richer visualization of infrastructure information
Agenda
• MIIS Scenarios
• How MIIS works
• MIIS Futures
MIIS Roadmap
• MIIS 2003 SP1 (Q4/CY04), extending MA reach and password capabilities: Additional MAs, MA SDK, Password Extensions, Password synchronization from the Windows desktop
• MIIS 2003 SP1 ResKit (Q4/CY04), providing tools for provisioning: Code generator
• MIIS "Gemini", lowering the cost and risks of Identity Management: Workflow, Codeless provisioning, Entitlement reporting, Self-service platform, Password reset, additional MAs
• Codeless provisioning
• Richer logging/auditing
• Self-service platform
• Workflow for provisioning and self-service
• Password self-service reset
• Cluster support
• Computed attributes (dynamic groups)
• Cross-forest group management
• Entitlement reporting
• Capacity planning documentation
• Scalability improvements
• UNIX / OpenLDAP / Generic LDAP MA
Review
• MIIS Scenarios
• How MIIS works
• MIIS Futures