ARC312. Security Policy Governance Audit Reporting Analysis Data Quality Directory Logon Mobility...

Date post: 11-Jan-2016

The Identity Jigsaw Puzzle
Carol Wapshere, MVP, Identity Management Specialist, UNIFY Solutions, @miss_miis
ARC312 (slide transcript, 37 pages)

Transcript
Page 1: ARC312. Security Policy Governance Audit Reporting Analysis Data Quality Directory Logon Mobility Provisioning Development Access Control Authentication.

The Identity Jigsaw Puzzle

Carol Wapshere, MVP
Identity Management Specialist
UNIFY Solutions
@miss_miis

ARC312

Page 2: The Identity Jigsaw Puzzle (annotated tiles)

Cross-cutting, important for every component: Security, Policy, Governance, Audit, Reporting, Analysis, Data Quality

• Directory: anywhere that digital identities live
• Logon: logon method, password management, MFA
• Mobility: mobile devices, remote access for mobile users
• Provisioning: includes create, update and delete of objects; granting and revoking of access
• Development: identity standards and toolkits for developers
• Access Control: access management, initial and ongoing
• Authentication
• Authorization

Page 3:

(The jigsaw diagram again: the same tiles as page 2, without the annotations.)

Page 4: Directory

Identity trends:
• IDaaS (Identity as a Service)

A look at:
• Windows Azure Active Directory

Page 5: Windows Azure AD

Diagram: the on-premises Active Directory synchronises to Windows Azure AD via DirSync (or FIM with the Azure MA for multi-forest environments). DirSync now syncs the password hash as well. ADFS sits on-premises for federated sign-in.

Windows Azure AD then fronts Exchange Online, Lync Online, SharePoint Online, Dynamics CRM Online, Intune, Azure apps (in-house or 3rd-party apps written for Azure) and other SaaS applications.

Page 6: Azure Application Access

SSO to SaaS applications. Depending on the application:
• Federated SSO using the Azure account
• SSO by saving app credentials (requires a browser plugin)

Page 7: Logon

Identity trends:
• Federated SSO (OAuth or SAML)
• Multi-factor using the mobile phone
• Variable, based on context/risk

A look at:
• Web Application Proxy
• Windows Azure AD Multi-Factor AuthN

Page 8: About AD FS

Sequence diagram (Service Provider on one side, Identity Provider on the other, the token passing between them):
1. The user browses to the application (SP).
2. Redirect to the IdP (ADFS).
3. The user authenticates.
4. ADFS constructs the claims (identity validated, "is member of group") and issues a token.
5. Redirect back to the SP (ADFS) carrying the token.
6. The SP verifies the token.
7. The user accesses the application.

Notes:
• Web API; it all works through browser redirections.
• SSO with a local account to a remote application.
• Claims transmit the minimum required information.
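The relying-party end of the flow above, as an added example that is not code from the deck: verify the token the browser brings back from the IdP, then make the "is member of group" decision. AD FS signs its tokens with RS256 (the bearer token on the Graph API slide later in this deck carries "alg":"RS256"); to stay standard-library only and run offline, this demo signs with HS256 and a shared secret, which is an assumption made for illustration. A production relying party must verify the signature against the IdP's token-signing certificate. The issuer, audience, key and user values are constructed for the demo.

```python
"""Relying-party validation of an AD FS-style token (added example).

Assumption: HS256 with a shared secret stands in for the RS256 signature
AD FS really produces, so the block runs with the standard library alone.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Claim types as AD FS / WIF emit them.
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
GROUP_CLAIM = "http://schemas.xmlsoap.org/claims/Group"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes) -> str:
    """IdP side: serialise the constructed claims as a compact JWS."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_token(token: str, key: bytes, issuer: str, audience: str,
                   now: Optional[float] = None) -> dict:
    """SP side: signature first, then issuer, audience and validity window.
    Raises ValueError on any failure so a half-checked token is never usable."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm the RP expects; never let the token choose it
    # ("alg":"none" and key-confusion attacks both rely on that).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg {!r}".format(header.get("alg")))
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature check failed")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("token not from the trusted IdP")
    if claims.get("aud") != audience:
        raise ValueError("token issued for a different relying party")
    now = time.time() if now is None else now
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise ValueError("token outside its validity window")
    return claims


def is_member(claims: dict, group: str) -> bool:
    """The deck's 'is member of group' step, on the (multi-valued) Group claim."""
    groups = claims.get(GROUP_CLAIM, [])
    if isinstance(groups, str):
        groups = [groups]
    return group in groups


if __name__ == "__main__":
    # Constructed demo values, not real tenant data.
    KEY = b"demo-shared-secret"
    ISSUER = "http://adfs.contoso.com/adfs/services/trust"
    AUDIENCE = "https://app.contoso.com/"
    token = issue_token({"iss": ISSUER, "aud": AUDIENCE, "nbf": 1000, "exp": 2000,
                         UPN_CLAIM: "alice@contoso.com",
                         GROUP_CLAIM: ["App Users"]}, KEY)
    claims = validate_token(token, KEY, ISSUER, AUDIENCE, now=1500)
    print("access granted:", is_member(claims, "App Users"))
```

The order of checks matters: nothing in the payload is trusted until the signature has been verified with the key the RP already holds, and the audience check is what stops a token minted for one application from being replayed against another.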

Page 9: Web Application Proxy – Windows 2012 R2

• Conditional access with multi-factor authentication is provided on a per-application basis
• Logon to SaaS applications in Windows Azure and from other providers
• Enhancements to ADFS include simplified deployment and management

Diagram: the published applications sit behind the Web Application Proxy, which is shown between two firewalls.

Page 10: Web App Proxy conditional authentication

Page 11: Web Application Proxy

• Part of the Remote Access Server role in Windows Server 2012 R2
• Replaces the ADFS Proxy
• Publishes applications for external use (like TMG/UAG)
• Multi-Factor Authentication
• Variable authentication based on device and location

Page 12: Windows Azure AD Multi-Factor Authentication

Second-factor methods: voice call, SMS, smartphone app
Integration points: IIS, Windows, LDAP, RADIUS

Combined with AD FS: per-application control, with MFA enabled on context:
• Intranet/extranet
• AD group
• Device
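A contextual MFA decision of the kind this slide describes, as an added example (not code from the deck): AD FS evaluates additional-authentication rules over the claims of the incoming request and, when a rule fires, issues the authnmethodsreferences claim that forces a second factor. The claim type URIs are the ones AD FS 2012 R2 uses; the policy itself (extranet from an unregistered device, or membership of a sensitive group, requires MFA, while a Workplace-Joined device counts as the second factor as page 25 describes) and the sample group SID are assumptions chosen for illustration.

```python
"""Contextual MFA policy over AD FS request claims (added example).

The extranet branch mirrors the shape of an AD FS additional-authentication
rule:
  c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
   => issue(Type = "http://schemas.microsoft.com/claims/authnmethodsreferences",
            Value = "http://schemas.microsoft.com/claims/multipleauthn");
The combined policy below is an assumption for illustration, not a policy
from the deck.
"""
from typing import Iterable, List, Set, Tuple

# A claim is (type URI, value); one type can occur several times (e.g. groups).
Claim = Tuple[str, str]

INSIDE_CORP = "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"
GROUP_SID = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"
IS_REGISTERED = "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser"
AUTHN_METHODS = "http://schemas.microsoft.com/claims/authnmethodsreferences"
MULTIPLE_AUTHN = "http://schemas.microsoft.com/claims/multipleauthn"


def values(claims: Iterable[Claim], claim_type: str) -> Set[str]:
    """All values of one claim type, normalised for comparison."""
    return {v.strip().lower() for t, v in claims if t == claim_type}


def is_inside_corpnet(claims: Iterable[Claim]) -> bool:
    # Fail closed: only an unambiguous "true" counts as intranet. A missing
    # or contradictory claim is treated as extranet, unlike the literal
    # AD FS rule above, which only fires when the claim is present and "false".
    return values(claims, INSIDE_CORP) == {"true"}


def is_registered_device(claims: Iterable[Claim]) -> bool:
    return values(claims, IS_REGISTERED) == {"true"}


def additional_authentication_rules(claims: List[Claim],
                                    sensitive_sids: Set[str]) -> List[Claim]:
    """Return the claims to issue for this request: [] means the primary
    authentication stands alone; [(AUTHN_METHODS, MULTIPLE_AUTHN)] means
    AD FS must run the multi-factor provider before issuing a token."""
    require_mfa = False
    if not is_inside_corpnet(claims) and not is_registered_device(claims):
        require_mfa = True      # extranet from a device AD does not know
    if values(claims, GROUP_SID) & {s.lower() for s in sensitive_sids}:
        require_mfa = True      # privileged group: MFA from anywhere
    return [(AUTHN_METHODS, MULTIPLE_AUTHN)] if require_mfa else []


if __name__ == "__main__":
    # Constructed SIDs for the demo (domain part is made up; 512 = Domain Admins RID).
    ADMINS = {"S-1-5-21-1004336348-1177238915-682003330-512"}
    request = [(INSIDE_CORP, "false"), (GROUP_SID, "S-1-5-21-1004336348-1177238915-682003330-513")]
    print("extranet, unregistered device ->", additional_authentication_rules(request, ADMINS))
```

Two points the code makes that the slide does not: the decision is made per request from claims, so the same user gets a different answer from inside and outside, and an absent context claim must default to the stricter branch rather than silently skipping MFA.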

Page 13: Provisioning

Identity trends:
• Cloud focussed
• Identity sync as important as ever

A look at:
• Forefront Identity Manager
• Azure Account Sync

Page 14: Forefront Identity Manager 2010 R2

• User provisioning, de-provisioning and role updates
• Built-in workflow for identity management
• Automatically synchronise all user information to the different directories across the enterprise
• Automate the process of on-boarding new users
• Real-time de-provisioning from all systems to prevent unauthorised access and information leakage

Connected systems shown in the diagram: LDAP, Certificate Management, Custom

Page 15: Azure Application Account Sync

Page 16: Access Control

Identity trends:
• Context-based authorization
• Access governance

A look at:
• BHOLD, part of Forefront Identity Manager 2010 R2

Page 17: BHOLD – RBAC Solution

• Part of Forefront Identity Manager 2010 R2
• Modules:
  • Model Generator: analyse existing permissions against the org structure and attributes
  • Analytics: preview how a rule change will affect users
  • Attestation: periodic review of permissions
  • Self-service, in the FIM Portal
  • Reporting
• Roles are: organisational, inherited, directly assigned, separation of duties

Page 18: BHOLD Attestation Module

• Run attestation campaigns to review and validate access permissions
• Campaigns may be one-off or periodic
• Based on "has account" or on specific rights/memberships in an application
• Validation is done by "Stewards", who may be related to the user (e.g. the manager), application-based, or uploaded from CSV
• A Steward's decision can be over-ridden
• If connected to FIM Sync, permission changes can flow to the end system

Page 19: BHOLD Attestation Campaign – Define a Campaign

Page 20: BHOLD Attestation Campaign – Define a Campaign (continued)

Page 21: BHOLD Attestation Campaign – Notification Templates

Page 22: BHOLD Attestation Campaign – Notification Templates (continued)

Page 23: BHOLD Attestation Campaign – Attestation Portal

Page 24: Mobility

Identity trends:
• BYOD
• Device identification

A look at:
• Workplace Join

Page 25: Workplace Join – Windows Server 2012 R2

• AD includes a new "device" object class for registering mobile devices
• Registration does not make the device "managed", only "known"
• A certificate is dropped on the device; this becomes the second authentication factor
• The Workplace Join end point is published using the Web Application Proxy

Page 26: Workplace Join – Windows 2012 R2

Users can register BYO devices for single sign-on and access to corporate data with Workplace Join. As part of this, a certificate is installed on the device.

• The registration end point is published on the Web Application Proxy
• The registered device then works as a second factor for authentication when accessing applications and services

Diagram components: AD with the 2012 R2 schema extensions (including the device object class); Device Registration Service

Page 27: Web App Proxy and Joined Devices

Page 28: Development

Identity trends:
• RESTful APIs
• Applications should use identity providers rather than control identity themselves

A look at:
• Graph API for Azure AD

Page 29: Graph API

• Standards-based web API for writing applications that work with Azure AD
• Focus on:
  • CRUD operations
  • Search operations
• Native support for OAuth and SAML
• Designed from the ground up for query speed and accessibility

Page 30: Graph API Example – User Creation

POST https://graph.windows.net/contoso.com/users?api-version=2013-04-05

HEADERS
Content-Type: application/json
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1T….

BODY
{
  "accountEnabled": true,
  "userPrincipalName": "[email protected]",
  "displayName": "New User",
  "passwordProfile": {
    "password": "VStrongP@ssword1",
    "forceChangePasswordNextLogin": true
  },
  "mailNickname": "NewUser"
}

RESPONSE: 201 Created

Notes: (1) the password must meet the tenant's accepted password complexity requirements; (2) the minimum set of properties needed to create a user is the one shown in the example above.

Page 31: Graph Query – return identity data

https://graph.windows.net/contoso.com/users?api-version=2013-04-05&$filter=state eq 'WA'

Anatomy of the URL:
• Graph URL (static): https://graph.windows.net
• Tenant of interest: the tenant's verified domain or its objectId
• Specific entity type, such as users, groups, contacts, tenantDetails, roles, applications, etc.
• API version
• OData filter on particular attribute values

Also available:
• Follow relationships: memberOf, manager, ...
• Differential Query: changes since the last query
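The user-creation request on page 30 and the filtered query on this page, built in code as an added example that is not from the deck. Nothing is sent: each function returns the request as a dict that can be inspected or handed to any HTTP client, so the block runs offline. Two things the slides leave implicit are made explicit here: the value placed in an OData $filter must be quoted as a string literal (single quotes doubled), otherwise a caller-supplied value can append its own clauses, and neither the bearer token nor the initial password may reach a log. The tenant-name check, the entity allowlist (the slide's list, which it says is not exhaustive), the redaction helper and the sample user are my assumptions.

```python
"""Building Azure AD Graph API requests safely (added example; nothing is sent)."""
import copy
import json
import re
from urllib.parse import quote

GRAPH = "https://graph.windows.net"
API_VERSION = "2013-04-05"     # the version used on the slides

# Tenant is a verified domain name or an objectId (GUID); anything else would
# alter the path of the request. The regex is an assumption for this example.
_TENANT = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$"
                     r"|^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)
# Entity types named on the slide (the deck says "etc."; extend as needed).
_ENTITIES = {"users", "groups", "contacts", "tenantDetails", "roles", "applications"}

# Minimum property set from the user-creation slide.
REQUIRED_USER_PROPS = ("accountEnabled", "displayName", "mailNickname",
                       "passwordProfile", "userPrincipalName")


def odata_literal(value: str) -> str:
    """Quote a string literal for $filter. Embedded single quotes are doubled,
    so a caller-supplied value cannot close the literal and add clauses of
    its own (the OData analogue of SQL injection)."""
    return "'" + value.replace("'", "''") + "'"


def graph_url(tenant: str, entity: str, query=None) -> str:
    """<static base>/<tenant>/<entity>?api-version=...&<OData options>"""
    if not _TENANT.match(tenant):
        raise ValueError("tenant must be a verified domain or an objectId")
    if entity not in _ENTITIES:
        raise ValueError("unknown entity type {!r}".format(entity))
    params = [("api-version", API_VERSION)] + list((query or {}).items())
    # Keys are ours; values are percent-encoded in full.
    qs = "&".join("{}={}".format(k, quote(str(v), safe="")) for k, v in params)
    return "{}/{}/{}?{}".format(GRAPH, tenant, entity, qs)


def query_users(tenant: str, token: str, attribute: str, value: str) -> dict:
    """GET users filtered on one attribute value, e.g. state eq 'WA'."""
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9]*", attribute):
        raise ValueError("attribute names are plain identifiers")
    flt = "{} eq {}".format(attribute, odata_literal(value))
    return {"method": "GET",
            "url": graph_url(tenant, "users", {"$filter": flt}),
            "headers": {"Authorization": "Bearer " + token}}


def create_user_request(tenant: str, token: str, user: dict) -> dict:
    """POST a new user. Enforces the slide's minimum property set and that
    the initial password is single-use (forceChangePasswordNextLogin)."""
    missing = [p for p in REQUIRED_USER_PROPS if p not in user]
    if missing:
        raise ValueError("missing properties: " + ", ".join(missing))
    if not user["passwordProfile"].get("forceChangePasswordNextLogin"):
        raise ValueError("initial passwords must set forceChangePasswordNextLogin")
    return {"method": "POST",
            "url": graph_url(tenant, "users"),
            "headers": {"Content-Type": "application/json",
                        "Authorization": "Bearer " + token},
            "body": json.dumps(user)}


def redact_for_log(request: dict) -> dict:
    """A copy of the request that is safe to log: the bearer token and any
    initial password are replaced. The original request is left untouched."""
    safe = copy.deepcopy(request)
    if "Authorization" in safe.get("headers", {}):
        safe["headers"]["Authorization"] = "Bearer [redacted]"
    if safe.get("body"):
        body = json.loads(safe["body"])
        if "password" in body.get("passwordProfile", {}):
            body["passwordProfile"]["password"] = "[redacted]"
        safe["body"] = json.dumps(body)
    return safe


if __name__ == "__main__":
    # Constructed sample input; the token is a placeholder, not a real JWT.
    new_user = {"accountEnabled": True, "userPrincipalName": "alice@contoso.com",
                "displayName": "New User", "mailNickname": "NewUser",
                "passwordProfile": {"password": "VStrongP@ssword1",
                                    "forceChangePasswordNextLogin": True}}
    print(redact_for_log(create_user_request("contoso.com", "eyJ0eXAi.demo", new_user)))
    print(query_users("contoso.com", "eyJ0eXAi.demo", "displayName", "O'Brien")["url"])
```

The filter value "O'Brien" in the demo is the everyday case where quoting matters; the same doubling is what keeps a hostile value such as WA' or state ne ' inside a single literal.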

Page 32: Security, Policy, Governance, Audit, Reporting, Analysis, Data Quality

Identity trends:
• Reporting increasingly a first-class citizen
• No single technology or practice
• Standards should lead to better methodologies

Page 33: Use Case – Internal/External Users accessing one application

Diagram: internal network and perimeter network, with the accepted cloud identity providers on the outside; AuthN and AuthZ run across the components. Per jigsaw component:

• Dir: Internal: Corporate AD. External: DMZ domain, trusted partner IdP providers. Application: its own Id store.
• Prov: Internal: FIM. External: self-registration portal; external: trusted IdP.
• Logon: Managed IdP plus password reset. Extranet: Web App Proxy, ADFS.
• AC: Application managed; claims based.
• Mob: Device Join.
• Dev: Windows Identity Foundation.

Page 34: References – Channel9 recorded sessions

• WAD-B308 Deep Dive into the Windows Azure Active Directory Graph API: Data Model, Schema, Query, and More
• WCA-B333 Enable work from anywhere without losing sleep: Remote Access with Web Application Proxy
• WCA-B334 Secure anywhere access to corporate resources such as Windows Server Work Folders using ADFS
• Windows Azure Multi-Factor Authentication Overview

Page 35: Related content

• AZR209 Identity and Windows Azure

Find me later at the Unify/Optimal IDM stand

Page 36:

Evaluate this session and you could win instantly! Head to aka.ms/te

Page 37:

© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

