Microsoft Identity and Access Management with ILM "2"
Christian Jäggli, Principal Consultant, Microsoft Corporation

Agenda

- IDA management today: a burden on IT
- Align IDA with the right people
- Microsoft Identity and Access Management
- Microsoft Identity Lifecycle Manager (ILM)
- How ILM "2" addresses the challenges
- ILM "2" features
- ILM "2" @ work
- Technology behind the scenes
- Release schedule
- Resources
- Questions & Answers

Today, the management burden is on IT

Information Workers
- Call the help desk for password and access requests
- Wait up to weeks for access
- Define business policies

Developers
- Business rule development
- Custom application development
- Systems integration

IT Professionals
- Respond to the business
- Respond to users
- Architecture & deployment
- System admin
- Governance & security
- Managing permissions
- Creating & deleting user accounts
- Policy implementation & enforcement

What IT ends up managing: business rules & policy, permissions, group & role membership, distribution lists, passwords & PINs

Result: wrong people, wrong contexts, greater complexity, higher cost

Aligning Experiences with the right People

(Diagram: IT Professionals own architecture, deployment, system administration, governance and security; Developers own system & application integration and custom application development; Information Workers are the users. All three act on Users, Access Credentials and Policy through the lifecycle operations Add, Update, Revoke and Audit.)

Enter Microsoft IDA Management

Software for policy-based management of identities, credentials, and resources across heterogeneous environments

Increases Security and Compliance
- Integrates identity, credential, and access management
- Implements a rich permissions and delegation model
- Enables system auditing and compliance

Empowers People
- Provides Office-based self-service tools
- SharePoint admin console to manage identities
- Greater productivity through faster time to resolution

Delivers Agility and Efficiency
- Reduces costs through automation and self-service
- Maximizes existing investments in identity infrastructure
- Integrates with familiar developer tools to enable new scenarios

Microsoft's Technology for IDA

(Diagram, layered from the platform upwards)

Platform components: .NET, Workflow Foundation, Windows Services; AD Domain Services & AD Lightweight Directory Services; Active Directory Federation Services; Rights Management Services; Certificate Services

Microsoft solution focus areas: Directory Services, Strong Authentication, Federated Identity, Information Protection, Identity Lifecycle Management

Extensibility: 20+ connectors, WS-*

User and developer experiences: Microsoft Office, Windows, Web sites, Visual Studio

IDA Management: Identity Lifecycle Manager

Microsoft Identity Lifecycle Manager

ILM 2007 foundation:
- Identity synchronization
- User provisioning
- Certificate and smartcard management

Added in ILM "2":
- Office integration for self-service
- Support for 3rd-party CAs
- Codeless provisioning
- Group & DL management
- Workflow and policy

Functional areas: User Management, Group Management, Credential Management, Policy Management

Common platform: workflow, connectors, logging, Web service API, synchronization

Identity Lifecycle Manager "2" Features

Credential Management
- Heterogeneous certificate management with 3rd-party CAs
- Management of multiple credential types, including one-time passwords
- Self-service password reset integrated with Windows logon

Group Management
- Rich Office-based self-service group management tools
- Offline approvals through Office
- Automated group and distribution list updates

User Management
- Integrated provisioning of identities, credentials, and resources
- Automated, codeless user provisioning and de-provisioning
- Self-service profile management

Policy Management
- SharePoint-based console for policy authoring, enforcement & auditing
- Extensible WS-* APIs and Windows Workflow Foundation workflows
- Heterogeneous identity synchronization and consistency

ILM "2" @ work: on-boarding Joe Miller

Onboarding: HR and accounts
1. HR registers Joe's information in SAP
2. ILM imports the information into the IAM database
3. Joe's profile is available in the ILM portal
4. Joe's manager receives an email with a link to the profile
5. The manager assigns system roles and profiles for Joe's role
6. The system owner approves system access and profiles
7. Joe's user accounts and mailbox are provisioned
8. An email with the initial password is sent to Joe's manager

Onboarding: self service (Joe's first day at work)
1. Joe logs on to his new workstation
2. Registers for password reset self-service
3. Modifies his profile
4. Opens Outlook and requests group/DL membership
5. The group owner approves or denies the request

Password self management
Joe has logged out and forgotten his password: he resets it through password reset self-service.

Demos: Onboarding: HR and Accounts; Onboarding: Self Service; Password Self Management; ILM Administrator Interface

Technology behind the scenes

ILM "2" Server: Windows Server 2008, 64-bit (the only supported server platform)
- Internet Information Services 7 (IIS)
- .NET Framework 3.0, Windows Workflow Foundation
- Windows PowerShell
- Web Services (WS-*)
- MS SQL Server 2008
- SharePoint Services 3.0
- Visual Studio 2008 (for customizing)

Client modules: Windows XP, Windows Vista or Windows 7, 32- and 64-bit; Office 2007 (for Office integration)

ILM "2" Architecture

(Diagram, top to bottom)
Solutions: User Mgmt, Group Mgmt, Credential Mgmt, Policy Mgmt, Custom
ILM Clients: Outlook, Portal, Windows, Custom
ILM Platform:
- ILM Web Service: AuthN workflow, AuthZ workflow, Action workflow, Delegation & Permissions, Request Processor, AppDB
- ILM Sync: Adapters, SyncDB
- Cert Mgmt: CLM, CLM portal, CLMDB
Identity Stores: directories, databases, e-mail systems, applications

ILM "2" Web Services

Service on the ILM server:
- Provides Web services interfaces for WS-* requests by clients and the Web interface
- Handles authentication, authorization and workflows through Management Policy Rules
- All requests performed are logged and reported
- Based on .NET and Windows Workflow Foundation

(Diagram: ILM Web Service with AuthN workflow, AuthZ workflow, Delegation & Permissions, Request Processor, AppDB)
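The request pipeline the slide describes (a request is evaluated against Management Policy Rules, passes an authorization workflow, then action workflows, and is logged), replayed against Joe Miller's on-boarding from the earlier "ILM 2 @ work" slides, as an added Python model. This is illustration code written for this page, not ILM/FIM code or its API: the rule shape (principal set, target set, attribute list, approvers, actions), the resource and request types, and the names joe, anna, bob, sysowner, grp-finance and SAP-FI are all constructed for the example. It does show the security property the slide states: a request with no granting rule is denied by default, an approval from anyone but the listed approver is ignored, and every outcome is written to an audit list.

```python
"""Toy model of the ILM "2" request pipeline: a request is granted only if some
Management Policy Rule (MPR) matches requestor, target and attribute; matching
rules supply an approval step and action workflows; every outcome is logged.
Added illustration, not product code; all names and data are constructed."""
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Callable

Resource = namedtuple("Resource", "object_id object_type attributes")
Request = namedtuple("Request", "requestor target_id attribute new_value")

@dataclass
class ManagementPolicyRule:
    name: str
    principal_set: Callable[[str, Resource], bool]  # may this requestor act on this target?
    target_set: Callable[[Resource], bool]          # which resources are in scope
    attributes: set                                 # attributes the rule grants
    approvers: Callable[[Resource], list] = lambda target: []  # authorization workflow
    actions: list = field(default_factory=list)     # action workflows run after commit

class RequestProcessor:
    def __init__(self, rules, directory):
        self.rules, self.directory = rules, directory
        self.audit, self.pending, self._seq = [], {}, 0

    def _log(self, req_id, req, status, detail):
        self.audit.append((req_id, req.requestor, req.target_id, req.attribute, status, detail))

    def submit(self, req):
        # Deny by default: at least one MPR must grant requestor + target + attribute.
        self._seq += 1
        req_id, target = f"req-{self._seq}", self.directory[req.target_id]
        granting = [r for r in self.rules if r.principal_set(req.requestor, target)
                    and r.target_set(target) and req.attribute in r.attributes]
        if not granting:
            self._log(req_id, req, "Denied", "no management policy rule grants this request")
            return req_id, "Denied"
        approvers = sorted({a for r in granting for a in r.approvers(target)})
        if approvers:  # authorization workflow required before anything is written
            self.pending[req_id] = (req, approvers, granting)
            self._log(req_id, req, "PendingApproval", "awaiting " + ", ".join(approvers))
            return req_id, "PendingApproval"
        return req_id, self._commit(req_id, req, target, granting)

    def approve(self, req_id, approver, approved):
        # Only a listed approver can decide; anyone else is ignored and logged.
        if req_id not in self.pending:
            return "NotPending"
        req, approvers, granting = self.pending[req_id]
        if approver not in approvers:
            self._log(req_id, req, "PendingApproval", f"ignored decision by {approver}")
            return "PendingApproval"
        del self.pending[req_id]
        if not approved:
            self._log(req_id, req, "Denied", f"rejected by {approver}")
            return "Denied"
        return self._commit(req_id, req, self.directory[req.target_id], granting)

    def _commit(self, req_id, req, target, granting):
        current = target.attributes.get(req.attribute)
        if isinstance(current, list):
            current.append(req.new_value)   # multi-valued attribute: add the value
        else:
            target.attributes[req.attribute] = req.new_value
        for rule in granting:
            for action in rule.actions:     # e.g. provisioning or notification
                action(target, req)
        self._log(req_id, req, "Completed", "committed")
        return "Completed"

def run_scenario():
    # Joe Miller's on-boarding from the slides, replayed through the model.
    directory = {  # constructed sample objects
        "joe": Resource("joe", "Person", {"manager": "anna", "mobile": None, "systemRoles": []}),
        "anna": Resource("anna", "Person", {"manager": None, "mobile": None}),
        "grp-finance": Resource("grp-finance", "Group", {"owner": "bob", "members": []}),
    }
    provisioned = []
    def provision_accounts(target, req):  # stand-in for account and mailbox provisioning
        provisioned.append((target.object_id, req.new_value))
    rules = [
        ManagementPolicyRule("Users manage their own profile",
            lambda who, t: who == t.object_id, lambda t: t.object_type == "Person", {"mobile"}),
        ManagementPolicyRule("Users request group membership, the group owner approves",
            lambda who, t: True, lambda t: t.object_type == "Group", {"members"},
            approvers=lambda g: [g.attributes["owner"]]),
        ManagementPolicyRule("Managers assign roles to direct reports, the system owner approves",
            lambda who, t: t.attributes.get("manager") == who, lambda t: t.object_type == "Person",
            {"systemRoles"}, approvers=lambda t: ["sysowner"], actions=[provision_accounts]),
    ]
    rp, out = RequestProcessor(rules, directory), {}
    _, out["self_profile"] = rp.submit(Request("joe", "joe", "mobile", "+41 79 000 00 00"))
    _, out["other_profile"] = rp.submit(Request("joe", "anna", "mobile", "+41 79 111 11 11"))
    gid, out["group_submit"] = rp.submit(Request("joe", "grp-finance", "members", "joe"))
    out["group_self_approve"] = rp.approve(gid, "joe", True)   # not the owner: ignored
    out["group_owner_approve"] = rp.approve(gid, "bob", True)
    rid, _ = rp.submit(Request("anna", "joe", "systemRoles", "SAP-FI"))
    out["role_sysowner_approve"] = rp.approve(rid, "sysowner", True)
    out["members"] = list(directory["grp-finance"].attributes["members"])
    out["provisioned"], out["audit_entries"] = provisioned, len(rp.audit)
    return out

if __name__ == "__main__": print(run_scenario())
```

The point to notice is that the processor never reasons about the requestor directly; it only asks which rules match, so delegation is expressed purely as data (the principal-set and target-set predicates). That is what lets a portal show each user only the objects and attributes some rule entitles them to, and it is why the audit log is the complete record of who was allowed to do what.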

ILM "2" Sync Engine

(Diagram: Management Agent -> Connector Space -> Metaverse)
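The three parts named on the slide (Management Agent, Connector Space, Metaverse), as an added Python model; this is illustration code for this page, not the ILM sync engine or its API. Two management agents are assumed: an authoritative SAP-HR source that may project new metaverse objects, and an AD target that only joins. The precedence rules, attribute names, logon-name derivation and all sample records are constructed for the example. It shows join versus projection on the employeeId anchor, HR winning over a stale AD display name under attribute precedence, and an export delta for AD containing an add, an attribute update, and an account that should be disabled because its person no longer exists in the authoritative source.

```python
"""Toy model of the ILM "2" sync engine: each Management Agent (MA) stages its
source into a connector space (CS); CS objects join to metaverse objects on an
anchor or, if the MA may project, create them; inbound flow applies attribute
precedence; an export computes the delta a target needs, including objects to
disable. Added illustration, not product code; all names and data are constructed."""
from dataclasses import dataclass, field

@dataclass
class ManagementAgent:
    name: str
    anchor: str                    # attribute used as the join criterion
    projects: bool                 # may this MA create new metaverse objects?
    connector_space: dict = field(default_factory=dict)  # anchor -> staged attributes

    def run_import(self, records):
        # Staging: copy the connected source into this MA's connector space.
        self.connector_space = {r[self.anchor]: dict(r) for r in records}

class SyncEngine:
    def __init__(self, precedence):
        self.metaverse = {}            # anchor -> {attribute: (value, owning MA name)}
        self.precedence = precedence   # attribute -> MA names, highest precedence first

    def _wins(self, attr, candidate, holder):
        order = self.precedence.get(attr, [])
        rank = lambda ma: order.index(ma) if ma in order else len(order)
        return rank(candidate) <= rank(holder)

    def run_sync(self, ma):
        # Join or project each CS object, then apply inbound attribute flow.
        joined = projected = disconnectors = 0
        for anchor, cs_obj in ma.connector_space.items():
            if anchor in self.metaverse:
                joined += 1
            elif ma.projects:
                self.metaverse[anchor] = {}
                projected += 1
            else:
                disconnectors += 1       # stays in the CS with no metaverse object
                continue
            mv = self.metaverse[anchor]
            for attr, value in cs_obj.items():
                holder = mv.get(attr)
                if holder is None or self._wins(attr, ma.name, holder[1]):
                    mv[attr] = (value, ma.name)
        return joined, projected, disconnectors

    def export_delta(self, ma, flows):
        # Outbound flow for a target MA: adds, attribute updates, objects to disable.
        adds, updates = [], []
        for anchor, mv in self.metaverse.items():
            values = {a: v for a, (v, _) in mv.items()}
            desired = {tgt: f(values) for tgt, f in flows.items()}
            existing = ma.connector_space.get(anchor)
            if existing is None:
                adds.append((anchor, desired))
            else:
                changed = {k: v for k, v in desired.items() if existing.get(k) != v}
                if changed:
                    updates.append((anchor, changed))
        # Target objects whose person no longer exists in the metaverse: de-provision.
        disables = [a for a in ma.connector_space if a not in self.metaverse]
        return adds, updates, disables

def account_name(v):
    # Keep an existing logon name, else first initial + surname (constructed rule).
    if v.get("sAMAccountName"):
        return v["sAMAccountName"]
    parts = v["displayName"].split()
    return (parts[0][0] + parts[-1]).lower()

def run_scenario():
    hr = ManagementAgent("SAP-HR", "employeeId", projects=True)   # authoritative source
    ad = ManagementAgent("AD", "employeeId", projects=False)      # target, joins only
    hr.run_import([  # constructed sample records
        {"employeeId": "1001", "displayName": "Joe Miller", "department": "Finance"},
        {"employeeId": "1002", "displayName": "Anna Keller-Roth", "department": "Finance"},
    ])
    ad.run_import([
        {"employeeId": "1002", "displayName": "Anna Keller", "sAMAccountName": "akeller",
         "mail": "akeller@example.com"},
        {"employeeId": "1003", "displayName": "Left Contractor", "sAMAccountName": "lcontractor",
         "mail": "lcontractor@example.com"},
    ])
    engine = SyncEngine(precedence={"displayName": ["SAP-HR", "AD"], "department": ["SAP-HR"],
                                    "sAMAccountName": ["AD"], "mail": ["AD"]})
    hr_sync, ad_sync = engine.run_sync(hr), engine.run_sync(ad)
    flows = {"displayName": lambda v: v["displayName"],
             "sAMAccountName": account_name,
             "mail": lambda v: v.get("mail") or account_name(v) + "@example.com"}
    adds, updates, disables = engine.export_delta(ad, flows)
    return {"hr_sync": hr_sync, "ad_sync": ad_sync,
            "anna_displayName": engine.metaverse["1002"]["displayName"],
            "adds": adds, "updates": updates, "disables": disables}

if __name__ == "__main__": print(run_scenario())
```

Two design points carry over to a real deployment: the target agent is deliberately not allowed to project, so an account that exists only in AD never becomes a metaverse identity and instead surfaces as a candidate for disabling; and precedence is declared per attribute, so AD can stay authoritative for logon name and mail while HR owns the display name.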

ILM "2" User Portal

SharePoint Web portal (SharePoint Services) for:
- ILM administrators
- End users, for self-service
- Resource and group administrators
- Workflow requestors and approvers
- Password management

Users see only what they are entitled to see and manage. The page layout is predefined but can be customized and branded to user needs through the interface (no coding).

ILM "2" Clients

ILM can use different clients to access the functionality:
- SharePoint portal via Internet Explorer
- Windows XP or Windows Vista for credential management (passwords and smart cards)
- Office Outlook for group management, approvals and request handling
- Any application which can send WS-* requests to the ILM Service (for example a helpdesk application)

ILM "2" Release Schedule

Beta 3 (June 2008), new features include:
- Codeless provisioning
- Policy management
- Self-service password reset

Release Candidate (Nov 2008), updates include:
- Support for scale-out
- Cross-forest group management
- Email notification enhancements
- 3rd-party CA support

Release Candidate 1 (Q3 2009), updates include:
- Management Policy Rules Explorer
- Portal updates for usability
- Historical data is stored in a separate DB
- RC1 to RTM migration support

RTM (Q1 CY 2010), includes:
- Customer-reported updates
- Experience and guidance from lengthy RC 1 deployment validation

Resources

Learn more about Identity Lifecycle Manager
- ILM "2" product page: http://www.microsoft.com/ilm2
- ILM 2007 product page: www.microsoft.com/ILM 2007

Learn about Microsoft Identity and Access (IDA)
- IDA solutions home page: www.microsoft.com/IDA
- IDA partners: www.microsoft.com/IDA

Evaluate the ILM "2" Release Candidate: visit http://www.microsoft.com/ilm2

Questions & Answers

Your MSDN resources: check out these websites, blogs & more!

Presentations
- TechDays: www.techdays.ch
- MSDN Events: http://www.microsoft.com/switzerland/msdn/de/presentationfinder.mspx
- MSDN Webcasts: http://www.microsoft.com/switzerland/msdn/de/finder/default.mspx

MSDN Events
- MSDN Events: http://www.microsoft.com/switzerland/msdn/de/events/default.mspx
- Save the date: Tech•Ed 2009 Europe, 9-13 November 2009, Berlin

MSDN Flash (our bi-weekly newsletter)
- Subscribe: http://www.microsoft.com/switzerland/msdn/de/flash.mspx

MSDN Team Blog
- RSS: http://blogs.msdn.com/swiss_dpe_team/Default.aspx

Developer User Groups & Communities
- Mobile Devices: http://www.pocketpc.ch/
- Microsoft Solutions User Group Switzerland: www.msugs.ch
- .NET Managed User Group of Switzerland: www.dotmugs.ch
- FoxPro User Group Switzerland: www.fugs.ch

Your TechNet resources: check out these websites, blogs & more!

Presentations
- TechDays: www.techdays.ch

TechNet Events
- TechNet Events: http://technet.microsoft.com/de-ch/bb291010.aspx
- Save the date: Tech•Ed 2009 Europe, 9-13 November 2009, Berlin

TechNet Flash (our bi-weekly newsletter)
- Subscribe: http://technet.microsoft.com/de-ch/bb898852.aspx

Swiss IT Professional and TechNet Blog
- RSS: http://blogs.technet.com/chitpro-de/

IT Professional User Groups & Communities
- SwissITPro User Group: www.swissitpro.ch
- NT Anwendergruppe Schweiz: www.nt-ag.ch
- PASS (Professional Association for SQL Server): www.sqlpass.ch

Save the date for tech·days next year: 7. – 8. April 2010, Congress Center Basel


Backup Slides

Available Connectors (Management Agents), by type of system

Network Operating Systems and Directory Services
- Microsoft Active Directory: Windows Server 2003 R2, 2003, and 2000
- Microsoft Active Directory Application Mode: Windows Server 2003 R2 and 2003
- Microsoft Windows NT 4.0
- IBM Tivoli Directory Server
- Novell eDirectory 8.6.2, 8.7, and 8.7.x
- Sun Directory Server (Netscape/iPlanet/SunONE) 4.x and 5.x

Mainframe
- IBM Resource Access Control Facility (RACF)
- Computer Associates eTrust ACF2
- Computer Associates eTrust Top Secret

Email and Messaging
- Microsoft Exchange 2007, 2003, 2000, and 5.5
- Lotus Notes 6.x, 5.0, and 4.6

Applications
- SAP 5.0 and 4.7
- Telephone switches
- XML-based systems
- DSML-based systems

Databases
- Microsoft SQL Server 2005, 2000, and 7
- IBM DB2
- Oracle 10g, 9i, and 8i

File-Based
- Attribute value pairs
- CSV
- Delimited
- Fixed width
- Directory Services Markup Language (DSML) 2.0
- LDAP Data Interchange Format (LDIF)

All Other
- Extensible Management Agent for connectivity to all other systems

