Date posted: 11-Jan-2016
The Identity Jigsaw Puzzle
Carol Wapshere, MVP
Identity Management Specialist, UNIFY Solutions
@miss_miis
ARC312

The Identity Jigsaw Puzzle
Pieces of the puzzle:
• Security, Policy, Governance, Audit, Reporting, Analysis, Data Quality: important for every component!
• Directory: anywhere that digital identities live
• Logon: logon method, password management, MFA
• Mobility: mobile devices, remote access for mobile users
• Provisioning: includes create, update and delete of objects; granting and revoking of access
• Development: identity standards and toolkits for developers
• Access Control: access management, initial and ongoing
• Authentication
• Authorization
Directory
Identity Trends:
• IdaaS – Identity as a Service
A look at:
• Windows Azure Active Directory
Windows Azure AD
Diagram: on premise directory synchronised to Windows Azure AD via DirSync (now sync'ing password hash), or FIM with Azure MA for multi-forest; ADFS alongside for federation. Windows Azure AD then serves:
• Exchange Online, Lync Online, SharePoint Online, Dynamics CRM Online, Intune
• Azure Apps: in-house or 3rd party apps written for Azure
• Other SaaS applications

Azure Application Access
SSO to SaaS applications. Depending on application:
• Federated SSO using Azure account
• SSO by saving app credentials (requires browser plugin)
Logon
Identity Trends:
• Federated SSO: OAuth or SAML
• Multi-factor using mobile phone
• Variable based on Context/Risk
A look at:
• Web Application Proxy
• Windows Azure AD Multi-Factor AuthN
About AD FS
Flow between Service Provider (SP) and Identity Provider (IdP); all works through browser redirections, including for a Web API:
• Browse application → Redirect to IdP ADFS → Authenticate → Construct Claims (Id Validated, Is Member of Group) → Token → Redirect to SP ADFS → Verified Token → Access application
• SSO with local account to remote application
• Claims transmit minimum required info
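Added illustration, not from the deck: the SP/IdP exchange above in Python, with an HMAC-signed JSON token standing in for the SAML/JWT tokens AD FS issues. The IdP authenticates against its own directory and emits only the two claims the SP needs (identity validated, member of the required group); the SP verifies signature, issuer, audience and expiry before reading any claim. Issuer name, signing key, users and audience are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret standing in for the IdP signing key that the SP trusts.
IDP_SIGNING_KEY = b"constructed-idp-signing-key"
IDP_ISSUER = "https://idp.example.test/adfs"   # constructed issuer name

# Constructed directory on the IdP side; the SP never sees any of this.
USER_DIRECTORY = {
    "alice": {"password": "correct horse", "groups": ["AppUsers", "Finance"], "salary": 100000},
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def idp_authenticate_and_issue(username, password, audience, required_group, now=None):
    """IdP side: authenticate the user, then construct a token carrying only the
    claims the SP asked for (identity validated, membership of one group).
    Other attributes, such as salary, stay in the directory."""
    user = USER_DIRECTORY.get(username)
    if user is None or not hmac.compare_digest(user["password"], password):
        return None
    now = int(time.time()) if now is None else now
    claims = {
        "iss": IDP_ISSUER,
        "aud": audience,            # the SP this token is for
        "sub": username,
        "id_validated": True,
        "is_member_of_group": required_group in user["groups"],
        "iat": now,
        "exp": now + 300,           # short lifetime limits replay
    }
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    signature = _b64(hmac.new(IDP_SIGNING_KEY, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{signature}"

def sp_verify_token(token, expected_audience, now=None):
    """SP side: check signature, issuer, audience and expiry before trusting
    any claim. Returns the claims dict, or None if the token is not verified."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    payload, signature = parts
    expected = _b64(hmac.new(IDP_SIGNING_KEY, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(signature, expected):
        return None
    claims = json.loads(_unb64(payload))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != IDP_ISSUER or claims.get("aud") != expected_audience:
        return None
    if now >= claims.get("exp", 0):
        return None
    return claims

def sp_access_decision(token, expected_audience, now=None):
    """Authorization on the SP: a verified token with both claims true grants access."""
    claims = sp_verify_token(token, expected_audience, now)
    if claims is None:
        return "deny: token not verified"
    if not (claims.get("id_validated") and claims.get("is_member_of_group")):
        return "deny: not authorized"
    return f"allow: {claims['sub']}"
```

The audience check is what stops a token issued for one application being replayed to another; the group decision is made by the IdP, so the SP holds no copy of the directory.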
Web Application Proxy – Windows 2012 R2
• Conditional access with multi-factor authentication is provided on a per-application basis
• Logon to SaaS applications in Windows Azure and other providers
• Enhancements to ADFS include simplified deployment and management
Diagram: Published applications | Firewall | Web App Proxy (conditional authentication) | Firewall

Web Application Proxy
• Part of Remote Access Server role in Windows Server 2012 R2
• Replaces ADFS Proxy
• Publish applications for external use (like TMG/UAG)
• Multi-Factor Authentication
• Variable authentication based on device and location
Windows Azure AD Multi-Factor Authentication
• Second factor: Voice call, SMS, Smartphone App
• Integrates with IIS, Windows, LDAP, RADIUS
• Combined with AD FS: per-application control; MFA enabled on context:
  • Intranet/extranet
  • AD Group
  • Device
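Added illustration, not from the deck: a per-application policy evaluation in Python showing how the three contexts above (intranet/extranet, AD group, device) combine into an MFA decision. A registered device satisfying the second factor mirrors the Workplace Join model covered later in the deck. Address ranges, applications, groups and policies are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address ranges that count as the intranet.
INTRANET_RANGES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

@dataclass(frozen=True)
class MfaPolicy:
    """What makes one published application demand a second factor."""
    require_from_extranet: bool = True            # any access from outside the intranet
    require_for_groups: frozenset = frozenset()   # members of these AD groups, from anywhere
    trust_registered_device: bool = False         # a registered device can satisfy the factor

@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset         # AD group memberships of the user
    source_ip: str
    device_registered: bool   # device object known in AD and device certificate presented
    application: str

# Constructed per-application policies.
APP_POLICIES = {
    "intranet-wiki": MfaPolicy(require_from_extranet=False),
    "payroll": MfaPolicy(require_for_groups=frozenset({"Finance"})),
    "crm": MfaPolicy(trust_registered_device=True),
}

def is_intranet(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTRANET_RANGES)

def mfa_decision(req: AccessRequest):
    """Return (decision, triggers). decision is 'allow', 'mfa',
    'allow-device-as-second-factor' or 'deny'; triggers names the context
    conditions that fired, for the audit log."""
    policy = APP_POLICIES.get(req.application)
    if policy is None:
        return ("deny", ())               # unpublished application: fail closed
    triggers = []
    if policy.require_from_extranet and not is_intranet(req.source_ip):
        triggers.append("extranet")
    if policy.require_for_groups & req.groups:
        triggers.append("group")
    if not triggers:
        return ("allow", ())
    if policy.trust_registered_device and req.device_registered:
        return ("allow-device-as-second-factor", tuple(triggers))
    return ("mfa", tuple(triggers))
```

Returning the triggers alongside the decision is deliberate: when a user is prompted for MFA, the log should say which condition caused it.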
Provisioning
Identity Trends:
• Cloud focussed
• Identity Sync as important as ever
A look at:
• Forefront Identity Manager
• Azure Account Sync
Forefront Identity Manager 2010 R2
• User provisioning, de-provisioning, and role updates
• Built-in workflow for identity management
• Automatically synchronize all user information to different directories across the enterprise
• Automate the process of on-boarding new users
• Real-time de-provisioning from all systems to prevent unauthorized access and information leakage
Diagram: connected systems include LDAP, Certificate Management, Custom

Azure Application Account Sync
Access Control
Identity Trends:
• Context-based authorization
• Access Governance
A look at:
• BHOLD - part of Forefront Identity Manager 2010 R2
BHOLD – RBAC Solution
• Part of Forefront Identity Manager 2010 R2
• Modules:
  • Model Generator: analyse existing permissions against Org structure and Attributes
  • Analytics: preview how a rule change will affect users
  • Attestation: periodic review of permissions
  • Self-service: in the FIM Portal
  • Reporting
• Roles are: Organisational, Inherited, Directly assigned, Separation of Duties
BHOLD Attestation Module
• Run Attestation Campaigns to review and validate access permissions
• Campaigns may be one-off or periodic
• Based on “has account” or specific rights/memberships in application
• Validation done by “Stewards”: may be related to user (e.g. Manager), application-based, or uploaded from CSV
• A Steward’s decision can be overridden
• If connected to FIM Sync, permission changes can flow to end system

BHOLD Attestation Campaign: Define a Campaign (screenshot)
BHOLD Attestation Campaign: Notification Templates (screenshot)
BHOLD Attestation Campaign: Attestation Portal (screenshot)
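Added illustration, not BHOLD's own code: a Python model of the attestation campaign lifecycle described above. A campaign is scoped to "has account" or to one specific right, each item is assigned a steward by manager relationship, application ownership or an uploaded mapping, only the assigned steward may attest, an administrator may override, and closing the campaign yields the revocations that would flow to the end system. All users, applications, rights and owners are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Key = Tuple[str, str, str]   # (user, application, right)

@dataclass(frozen=True)
class Permission:
    user: str
    application: str
    right: str        # "account" for 'has account', otherwise a specific right/membership
    manager: str

@dataclass
class ReviewItem:
    permission: Permission
    steward: str
    decision: Optional[str] = None      # "approve" or "revoke"
    decided_by: Optional[str] = None

@dataclass
class Campaign:
    name: str
    items: Dict[Key, ReviewItem] = field(default_factory=dict)

def start_campaign(name, permissions, application, scope, stewards, app_owners):
    """scope: 'has_account' reviews every account in the application, otherwise
    only the named right. stewards: 'manager' (the user's manager attests),
    'application' (the application owner attests), or a {user: steward}
    mapping such as one loaded from an uploaded CSV."""
    campaign = Campaign(name)
    wanted = "account" if scope == "has_account" else scope
    for p in permissions:
        if p.application != application or p.right != wanted:
            continue
        if stewards == "manager":
            steward = p.manager
        elif stewards == "application":
            steward = app_owners[application]
        else:
            steward = stewards[p.user]
        campaign.items[(p.user, p.application, p.right)] = ReviewItem(p, steward)
    return campaign

def _check(decision):
    if decision not in ("approve", "revoke"):
        raise ValueError("decision must be 'approve' or 'revoke'")

def record_decision(campaign, key, steward, decision):
    """Only the assigned steward may attest an item; returns False otherwise."""
    _check(decision)
    item = campaign.items[key]
    if steward != item.steward:
        return False
    item.decision, item.decided_by = decision, steward
    return True

def override_decision(campaign, key, administrator, decision):
    """Administrator overrides the steward's decision (or supplies a missing one);
    the override is recorded as such for the audit trail."""
    _check(decision)
    item = campaign.items[key]
    item.decision, item.decided_by = decision, f"override:{administrator}"

def close_campaign(campaign):
    """What flows to the end system (revocations) and what goes in the report
    (retained rights, plus items nobody attested, which are left unchanged)."""
    result = {"revoke": [], "retain": [], "pending": []}
    for key, item in sorted(campaign.items.items()):
        if item.decision is None:
            result["pending"].append(key)
        elif item.decision == "revoke":
            result["revoke"].append(key)
        else:
            result["retain"].append(key)
    return result

# Constructed sample permissions and application owners.
SAMPLE_PERMISSIONS = [
    Permission("alice", "payroll", "account", manager="bob"),
    Permission("alice", "payroll", "approve-payments", manager="bob"),
    Permission("carol", "payroll", "account", manager="dave"),
    Permission("erin", "crm", "account", manager="bob"),
]
APP_OWNERS = {"payroll": "frank", "crm": "grace"}
```

Unattested items are reported as pending rather than silently retained or revoked, so a campaign that closes incomplete is visible in the report.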
Mobility
Identity Trends:
• BYOD
• Device identification
A look at:
• Workplace Join
Workplace Join – Windows Server 2012 R2
• AD includes a new “device” object class for registering mobile devices
• Registration does not make the device “managed”, only “known”
• Certificate dropped on the device: this becomes the second authentication factor
• Workplace Join end point is published using the Web Application Proxy

Workplace Join - Windows 2012 R2
• Registration end point published on the Web Application Proxy
• Registered device then works as a second factor for authentication when accessing applications and services
• Users can register BYO devices for single sign-on and access to corporate data with Workplace Join. As part of this, a certificate is installed on the device
Diagram: AD with 2012 R2 schema extensions including device object class; Device Registration Service; Web App Proxy and Joined Devices
Development
Identity Trends:
• RESTful APIs
• Application should use providers rather than control identity
A look at:
• Graph API for Azure AD

Graph API
• Standards-based web API for writing applications that work with Azure AD
• Focus on:
  • CRUD Operations
  • Search Operations
• Native support for OAuth and SAML
• Designed from the ground-up for query speed and accessibility
Graph API Example - User Creation

POST https://graph.windows.net/contoso.com/users?api-version=2013-04-05

HEADERS
Content-Type: application/json
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1T….

BODY
{
  "accountEnabled": true,
  "userPrincipalName": "[email protected]",
  "displayName": "New User",
  "passwordProfile": {
    "password": "VStrongP@ssword1",
    "forceChangePasswordNextLogin": true
  },
  "mailNickname": "NewUser"
}

RESPONSE: 201 Created

Notes: (1) the password must meet the tenant’s accepted password complexity requirements. (2) the minimum set of properties to create a user is shown in the example above.
Graph Query – return identity data
https://graph.windows.net/contoso.com/users?api-version=2013-04-05&$filter=state eq 'WA'
• Graph URL (static): https://graph.windows.net
• Tenant of interest: contoso.com – can be tenant’s verified domain or objectId
• Specific entity type, such as users, groups, contacts, tenantDetails, roles, applications, etc.
• API version
• OData filter on particular attribute values
• Follow relationships – memberOf, manager …
• Differential Query – changes since last query
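Added example, not Microsoft's SDK or code from the deck: a small Python helper that assembles the two Graph calls shown on these slides (the user-creation POST and the filtered query URL) without sending anything, so the request parts can be inspected. It enforces the minimum property set from the creation example, quotes OData string literals so a value taken from user input cannot change the filter, and produces a log-safe copy with the bearer token and initial password removed. The tenant, token and user values are constructed placeholders.

```python
import json
from urllib.parse import urlencode

GRAPH_BASE = "https://graph.windows.net"
API_VERSION = "2013-04-05"   # the version used on the slides

# Minimum property set for creating a user, as shown on the slide.
REQUIRED_USER_PROPERTIES = (
    "accountEnabled", "userPrincipalName", "displayName", "passwordProfile", "mailNickname",
)

def build_graph_url(tenant, entity, query=None):
    """tenant: verified domain or objectId; entity: users, groups, contacts, ...;
    query: extra OData options such as {'$filter': "state eq 'WA'"}."""
    params = {"api-version": API_VERSION}
    if query:
        params.update(query)
    # safe="$" keeps "$filter" readable; spaces and quotes are still percent-encoded.
    return f"{GRAPH_BASE}/{tenant}/{entity}?{urlencode(params, safe='$')}"

def odata_string_literal(value):
    """Quote a value for an OData filter, doubling embedded single quotes so a
    value taken from user input cannot alter the filter expression."""
    return "'" + value.replace("'", "''") + "'"

def build_filter_url(tenant, entity, attribute, value):
    return build_graph_url(tenant, entity, {"$filter": f"{attribute} eq {odata_string_literal(value)}"})

def build_create_user_request(tenant, bearer_token, user):
    """Assemble the POST from the slide; rejects a body missing any required property."""
    missing = [p for p in REQUIRED_USER_PROPERTIES if p not in user]
    if missing:
        raise ValueError(f"missing required properties: {missing}")
    return {
        "method": "POST",
        "url": build_graph_url(tenant, "users"),
        "headers": {"Content-Type": "application/json", "Authorization": f"Bearer {bearer_token}"},
        "body": json.dumps(user),
    }

def redact_for_log(request):
    """Copy of the request that is safe to log: bearer token and initial password removed."""
    safe = json.loads(json.dumps(request))   # deep copy, original untouched
    if "Authorization" in safe["headers"]:
        safe["headers"]["Authorization"] = "Bearer [REDACTED]"
    body = json.loads(safe["body"])
    profile = body.get("passwordProfile")
    if isinstance(profile, dict) and "password" in profile:
        profile["password"] = "[REDACTED]"
    safe["body"] = json.dumps(body)
    return safe
```

The filter on the slide, `state eq 'WA'`, becomes `$filter=state+eq+%27WA%27` on the wire; the quoting helper matters once the value comes from a search box rather than a constant.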
Security, Policy, Governance, Audit, Reporting, Analysis, Data Quality
Identity Trends:
• Reporting increasingly a first class citizen
• No single technology or practice
• Standards should lead to better methodologies
Use Case: Internal/External Users accessing one application
Jigsaw pieces considered (AuthN, AuthZ, Dir, Prov, Logon, AC, Dev, Mob) across the Internal Network and the Perimeter Network:
• Accepted Cloud Identity Providers
• Internal: Corporate AD
• External: DMZ Domain; Trusted Partner IdP Providers
• Application: Own Id Store
• Internal: FIM
• External: Self-Reg Portal; External: Trusted IdP
• Managed IdP + Password Reset
• Extranet: Web App Proxy, ADFS
• Application managed
• Claims based
• Device Join
• Windows Identity Foundation
References – Channel9 recorded sessions
• WAD-B308 Deep Dive into the Windows Azure Active Directory Graph API: Data Model, Schema, Query, and More
• WCA-B333 Enable work from anywhere without losing sleep: Remote Access with Web Application Proxy
• WCA-B334 Secure anywhere access to corporate resources such as Windows Server Work Folders using ADFS
• Windows Azure Multi-Factor Authentication Overview
Related content
• AZR209 Identity and Windows Azure
Find Me Later: at the Unify/Optimal IDM stand
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.