Date posted: 19-Dec-2015
Category: Documents
Identity & Access Management Conversation
Karlien Vanden Eynde, Product Marketing Manager
Agenda
• 13:30 – 14:30 Wider Identity Conversation – Kim Cameron
• 14:30 – 15:30 Microsoft IAM: Business Needs and IT Challenges – Henk Den Baes
• 15:30 – 16:00 Coffee Break
• 16:00 – 17:15 FIM 2010: From Identity Synchronization to Identity Management – Federico Guerrini
• 17:15 – 17:20 Partner Offerings
• 17:20 – 18:00 Networking & Cocktail
Digital Identity Discussion
Kim Cameron, Chief Architect of Identity
Identity
The stuff of Poets and Philosophers
Digital Identity
How the web and the world recognize us in different contexts
• Foundation for personalization
• The social “mouse” or “keyboard”
• Foundation for interaction, collaboration and social phenomena: I can’t collaborate over time if I can’t recognize and refer to you
• Foundation for digital economy
Identity is a mosaic
Disruptive ability and tendency to connect all information about individuals brings significant commercial and social risk
Person’s need to traverse silos
Person’s need for “contextual separation”
Architectural Problem
The Internet was not designed with any way to know who you’re connecting to
Patchwork quilt of kludges
www.identityblog.com
The Claims-Based Model
Abstraction layer: for authenticating, authorizing, obtaining information about users, devices and services
Claim: a statement, which is in doubt, made by one subject about another subject
• Email = [email protected]
• Age > 21
• Manager = Craig Wittenberg
• Role= Architect
• Primordial Claims: Passwords, Keys and Certificates
Identity Metasystem: open, standards-based architecture for the exchange of claims under user control
Claims Transformer: matches impedance
What is the Claims-Based Model?
Write to model, let infrastructure adapt to environment
Flow in the Claims-Based Model
• Application: requires, uses claims to describe users
• Claims provider: supports protocols for issuing claims
• Relationship: context in which meaning of claims is defined
[Diagram: Subject, Claims Provider (Security Token Service) and Application (requires claims), joined by a Relationship. Arrows: 1. Require claims, 2. Get claims, 3. Send claims, New claims]
Identity, Capabilities, Authorization
Claims Transformation
• New semantics at domain boundaries
• Different issuer (for example “Local STS”)
• Transform from Identity to Capabilities
Claims Augmentation
• Not just identifiers!!
[Diagram: Policy + Claims → Claims Evaluation and Transform]
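As an added illustration of the flow above and of claims transformation at a domain boundary (example code written for this page, not Microsoft's, AD FS's or any identity framework's own code): a local STS receives identity claims from a trusted external issuer, evaluates them against a policy, re-issues capability claims under its own issuer name and augments them with claims the local application needs, while dropping claims that have no defined meaning in the relationship. The Claim dataclass, the TransformPolicy, the issuer names such as "partner-sts", the role-to-capability mapping and the sample claims are all assumptions made for this example; the token signing a real STS performs is deliberately left out so that the evaluation and transform logic stands alone.

```python
"""Claims evaluation and transformation at a domain boundary (added example)."""
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class Claim:
    """A statement (type = value) made by an issuer about a subject."""
    type: str
    value: str
    issuer: str


@dataclass
class TransformPolicy:
    """Policy of the local STS: whom it trusts and how identity maps to capability."""
    trusted_issuers: set                 # external issuers whose claims are accepted
    role_to_capability: dict             # e.g. {"Architect": {"approve-design"}}
    local_issuer: str = "local-sts"      # issuer name written into re-issued claims
    min_age: int = 21                    # age threshold for the derived "over-age" claim
    today: date = field(default_factory=date.today)


def age_on(dob: date, today: date) -> int:
    """Whole years between dob and today (birthday not yet reached counts one less)."""
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


def evaluate_and_transform(incoming: list, policy: TransformPolicy) -> list:
    """Turn identity claims from a trusted issuer into local capability claims.

    Raises ValueError if any claim comes from an issuer the policy does not trust:
    the transformer is the point where another domain's semantics stop being accepted.
    """
    out = []
    for c in incoming:
        if c.issuer not in policy.trusted_issuers:
            raise ValueError(f"claim {c.type!r} from untrusted issuer {c.issuer!r}")
        if c.type == "role":
            # identity -> capability: the role name means nothing locally, the capabilities do
            for cap in sorted(policy.role_to_capability.get(c.value, ())):
                out.append(Claim("capability", cap, policy.local_issuer))
        elif c.type == "dob":
            # derive a predicate claim; the date of birth itself is not forwarded
            if age_on(date.fromisoformat(c.value), policy.today) >= policy.min_age:
                out.append(Claim("over-age", str(policy.min_age), policy.local_issuer))
        elif c.type == "email":
            # augmentation: derive the organisation from the email domain
            out.append(Claim("org", c.value.split("@", 1)[1], policy.local_issuer))
        # any other claim type is dropped: it has no defined meaning in this relationship
    # augmentation not derived from the input: everyone who crosses the boundary gets this
    out.append(Claim("capability", "read-intranet", policy.local_issuer))
    return out


def application_requires(claims: list, required: dict, trusted_issuer: str) -> bool:
    """Application-side check: every required (type, value) is present from the local STS."""
    present = {(c.type, c.value) for c in claims if c.issuer == trusted_issuer}
    return all((t, v) in present for t, v in required.items())


# Constructed sample: claims as they would arrive from a partner's STS.
SAMPLE_POLICY = TransformPolicy(
    trusted_issuers={"partner-sts"},
    role_to_capability={"Architect": {"approve-design", "edit-design"}},
    today=date(2015, 12, 19),
)
SAMPLE_CLAIMS = [
    Claim("role", "Architect", "partner-sts"),
    Claim("dob", "1980-05-04", "partner-sts"),
    Claim("email", "alice@partner.example", "partner-sts"),
    Claim("employee-id", "4711", "partner-sts"),   # dropped: no local meaning
]

if __name__ == "__main__":
    for c in evaluate_and_transform(SAMPLE_CLAIMS, SAMPLE_POLICY):
        print(f"{c.type} = {c.value}  (issuer {c.issuer})")
```

The application never sees the partner's role or employee identifier: it checks for capabilities issued by the local STS, so a change in the partner's role vocabulary only touches the transform policy, not the application.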
How the Claims Service works
Where is the industry in the process?
• Standards widely accepted – OASIS
• Interoperability deeply tested – OSIS Interoperability Testing and Liberty Alliance
• Platforms will finally have claims as a built-in feature
• Microsoft ADFS V2 Shipping now
• Part of Active Directory – expect wide adoption and deployment given no marginal cost
• COTS Software can count on claims “being there”
Example: Microsoft flagship applications like SharePoint
• Great products by many vendors
• Cloud service adoption and strong competition
• Many proofs of concept by private enterprise and government
New initiatives in consumer space: OpenID
• Metasystem model
• Big service providers are all supporting OpenID (Yahoo, AOL, Google, Windows Live, etc)
• Many small providers (e.g. universities)
• US Government support
• Widely available software for ISVs
• Severe security issues being worked on by the industry
Identity selector for OpenID
The Claims Architecture
Architecture, Starting with the Enterprise
How does an enterprise or government department make its application available to more than just employees?
[Diagram: an Enterprise with its Identity Store (roles, properties) and Enterprise Application, the Microsoft Services Identity Backbone, and its Partner with its own Identity Store; how the partner’s users reach the application is marked “?”]
Industry Standard Components
• Claims API: middleware or framework for building claims-aware applications
• Claims Service: Security Token Service (STS) connecting to an identity store
• Identity Selector: client component allowing the user to select and control identity
[Diagram: Enterprise Identity Backbone (Identity Store with roles and properties, Claims Service) and Microsoft Services Identity Backbone (Identity Store, Claims Service); the Enterprise Application consumes claims through the Claims API (steps 1, 2, 3)]
The Claims Service
Claims Service = Security Token Service (STS)
• Standard across vendors
• Multiple protocols: SAML, WS-Federation, WS-Trust
• Multiple payloads
• Multiple vendors: Open Source, Microsoft, IBM, Novell, Sun, Siemens, etc.
[Diagram: Enterprise Identity Backbone (Directory and Database identity stores, each with a Claims Service), Microsoft Services Identity Backbone (Claims Service), Partners, and the Enterprise Application using the Claims API]
Architecture Works for Cloud, Too
• Claims Service: “Enterprise” protocols also used by cloud providers
• Additional protocol for providers in the consumer space: OpenID
• Several large cloud service providers already support the model
• Allows a single federation agreement to access many services
• No lock-in to any cloud provider
[Diagram: Cloud Service Identity Backbone (Directory and Database identity stores, each with a Claims Service), a Cloud Application using the Claims API, and an Enterprise and a University as federated claims sources]
From Architecture To Off-The-Shelf Product
Integrate and extend security
[Diagram: Trey Research (account forest: AD DS, AD FS) and Woodgrove Bank (resource forest: AD DS, AD FS, AD RMS, SharePoint Server Farm, Exchange 2010) joined by a Federation Trust, with Business Partners. Flow: Application Access → Redirect to Security Token Service (STS) → Authentication with User Account/Credentials → Token and claims → Post claims → Security Token presented to the application]
• Shared identity with partner organizations and cloud services
• Boost cross-organizational efficiency and communication with more secure access
− Support the sharing of rights-protected messages between organizations
− Improved support for Microsoft SharePoint Server as a claims-aware application
Active Directory Federation Services (AD DS + AD FS)
• Implements a single user access model with native single sign-on (SSO) and easier federation to on-premises and cloud services
• Helps provide consistent security with a single user access model externalized from applications
• Based on open, industry-standard protocols for interoperability
Security Token (e.g., Kerberos ticket)
• AD FS creates a SAML token
• Signs it with the company’s private key
• Sends it back to the user
• Access is supplied with the token
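The token steps just listed, as an added example that is not Microsoft's or AD FS's code: the account side (Trey Research's AD FS in the diagram) signs a token over the user's claims, and the resource side (Woodgrove Bank) accepts it only if the signature verifies under an issuer it has a federation trust configured for and the token is addressed to the application being accessed. Real AD FS signs a SAML assertion with the private key of its token-signing certificate and the partner verifies with the matching public key; this example uses an HMAC over a JSON payload as a stand-in because the Python standard library has no RSA, so the trust table holds shared secrets where AD FS would hold certificates. The issuer names, keys, claims and application names are constructed for the example.

```python
"""Federated token issuance and validation (added example; not AD FS code)."""
import base64
import hashlib
import hmac
import json


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(issuer: str, key: bytes, subject: str, claims: dict, audience: str) -> str:
    """Account side: sign the claims so the resource side can trust who stated them."""
    body = {"iss": issuer, "sub": subject, "aud": audience, "claims": claims}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def validate_token(token: str, federation_trusts: dict, my_audience: str):
    """Resource side: return the token body if it is from a trusted issuer, else None.

    federation_trusts maps issuer name -> verification key, i.e. the trust the
    resource forest has configured for each partner.
    """
    try:
        p, s = token.split(".")
        payload, sig = _unb64(p), _unb64(s)
        body = json.loads(payload)
    except (ValueError, UnicodeDecodeError):
        return None                                   # malformed token
    if not isinstance(body, dict):
        return None
    key = federation_trusts.get(body.get("iss"))
    if key is None:
        return None                                   # no federation trust with this issuer
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None                                   # payload altered or wrong key
    if body.get("aud") != my_audience:
        return None                                   # token issued for a different application
    return body


# Constructed keys and trust table (in AD FS these would be token-signing certificates).
TREY_KEY = b"constructed-demo-key-for-trey-research"
ROGUE_KEY = b"constructed-demo-key-nobody-trusts"
WOODGROVE_TRUSTS = {"trey-research-adfs": TREY_KEY}
APP = "woodgrove-sharepoint"


def demo() -> dict:
    """Exercise the happy path, a tampered token, an untrusted issuer and a wrong audience."""
    good = issue_token("trey-research-adfs", TREY_KEY, "alice", {"role": "Architect"}, APP)
    p, s = good.split(".")
    altered = json.loads(_unb64(p))
    altered["claims"]["role"] = "Administrator"       # change the claim, keep the old signature
    tampered = _b64(json.dumps(altered, sort_keys=True, separators=(",", ":")).encode()) + "." + s
    rogue = issue_token("rogue-sts", ROGUE_KEY, "alice", {"role": "Administrator"}, APP)
    other_app = issue_token("trey-research-adfs", TREY_KEY, "alice", {"role": "Architect"},
                            "woodgrove-exchange")
    return {
        "good": validate_token(good, WOODGROVE_TRUSTS, APP),
        "tampered": validate_token(tampered, WOODGROVE_TRUSTS, APP),
        "rogue": validate_token(rogue, WOODGROVE_TRUSTS, APP),
        "other_app": validate_token(other_app, WOODGROVE_TRUSTS, APP),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", "accepted" if result else "rejected", result["claims"] if result else "")
```

The audience check matters as much as the signature: a token the partner legitimately issued for Exchange must not be replayable against SharePoint, which is why each relying application in a federation has its own identifier in the token.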
[Diagram: Corporate User → AD FS → Partner, where claims-aware applications (Exchange, SharePoint, Web App) consume the token]
Single Sign On with Extended Collaboration
• SSO for on-premises and in-cloud applications
• Native support for Web and application SSO (including multi-factor authentication)
• Addresses security risks and interoperability problems caused by extending business resources beyond the corporate network and across disparate systems
Seamless Access to On-Premises and In-Cloud
[Diagram: Corporate User and Remote Employee with on-premises AD DS, AD FS and Web Apps; Business Partners and in-cloud Web Apps; SSO everywhere via an authentication token from AD FS]
External users get an authentication token from AD FS and seamless access to in-cloud and on-premises applications.
Managing the Use of Claims: Provisioning Claims and Resources
[Diagram: FIM with its Workflow Manager synchronizing identities between Active Directory, Lotus Domino, LDAP, SQL Server, Oracle DB and the HR System]
• Policy-based identity lifecycle management system
• Built-in workflow for identity management
• Automatically synchronizes all user information to different directories across the enterprise
• Automates the process of on-boarding users
[Flow: User Enrollment → Approval → User provisioned on all allowed systems]
Identity Management: User Provisioning
Simplify security, manage compliance
Forefront Identity Manager 2010
FIM Enables Identity-based Controls for Information Protection
• Enforced through Windows Server and Active Directory Rights Management Services
FIM Enables Application and Network Access Controls
• Enforced in Forefront Unified Access Gateway
FIM Enables Federation and Cloud-based Services
• FIM supplies data for claims, performs user account provisioning and deprovisioning, and manages smartcards or software certificates
FIM Enables Federation and Cloud
FIM supplies ADFS with data for claims
• For example, construct a “role” claim based on data in FIM to use for authorization in place of security groups
FIM supplies cloud-based services with user account provisioning and de-provisioning
• For services which need a copy of the directory
FIM provisions users with smartcards or software certificates
• Enables users to leverage stronger authentication for access to cloud-based services than just a password
• Increase access security beyond username and password solutions
• Streamline deployment by enrolling user and computer certificates without user intervention
• Simplify certificate and SmartCard management using Forefront Identity Manager (FIM)
• Enhance remote access security through certificates with Network Access Protection
• Stronger authentication through certificates for administrative access and management
FIM Manages Primordial Claims
[Diagram: HR System, FIM, FIM CM (Certificate Management), Active Directory Certificate Services (AD CS), and the End User with a user ID and password or a SmartCard]
• User enrollment and authentication request sent by the HR System
• FIM policy triggers a request for FIM CM to issue a certificate or SmartCard
• User is validated using multi-factor authentication
• FIM Certificate Management (CM) requests certificate creation from AD CS
• Certificate is issued to the user and written to either the machine or the smart card
Workflow Management
• Enables IT to quickly define, automate, and enforce identity management policies
• IT can use the integrated workflow in the approval/rejection process
• Automatic notifications for request approvals or rejections
Directions: Minimal Disclosure and Interscale Directory
Important New Frontier: Minimal Disclosure Technology
[Diagram, today: the Identity Provider holds Name: Alice Smith, Address: 1234 Pine, Seattle, WA, D.O.B.: 23-11-1955, and the Relying Party receives that same full record]
[Diagram, minimal disclosure: the Relying Party asks “Prove that you are over 21 and from WA”; the Identity Provider holds Name: Alice Smith, Address: 1234 Pine, Seattle, WA, D.O.B.: 23-11-1955; the Relying Party receives only an over-21 proof in a Minimal Disclosure Token and is left asking “Which adult from WA is this?”]
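As an added illustration of the difference between the two diagrams (example code written for this page, not from Microsoft or any minimal-disclosure product): the identity provider holds full records and, instead of handing the relying party the whole record, answers only the predicates the relying party asked to have proven, over 21 and from WA. The example then counts how many people in the provider's population would produce exactly the same answer, which is the set the relying party is left guessing over when it asks "which adult from WA is this?". The population records and the reference date are constructed for the example; the cryptographic proof machinery that makes a real minimal disclosure token unlinkable to its issuer is not modelled here, only what is and is not disclosed.

```python
"""Minimal disclosure versus full disclosure of an identity record (added example)."""
from datetime import date

# Constructed population held by the identity provider; every record is fictional.
POPULATION = [
    {"name": "Alice Smith", "address": "1234 Pine, Seattle, WA", "state": "WA", "dob": date(1955, 11, 23)},
    {"name": "Bob Jones",   "address": "9 Oak, Tacoma, WA",      "state": "WA", "dob": date(1999, 1, 2)},
    {"name": "Carol Lee",   "address": "5 Elm, Portland, OR",    "state": "OR", "dob": date(1970, 3, 3)},
    {"name": "Dan Kim",     "address": "77 Fir, Spokane, WA",    "state": "WA", "dob": date(1960, 7, 7)},
    {"name": "Eve Park",    "address": "3 Ash, Olympia, WA",     "state": "WA", "dob": date(1994, 12, 25)},
    {"name": "Frank Diaz",  "address": "12 Cedar, Seattle, WA",  "state": "WA", "dob": date(1994, 12, 10)},
]
TODAY = date(2015, 12, 19)   # fixed reference date so the example is reproducible


def is_at_least(dob: date, years: int, today: date) -> bool:
    """True once the person's `years`th birthday has arrived (inclusive of the day itself)."""
    try:
        birthday = dob.replace(year=dob.year + years)
    except ValueError:                       # born 29 Feb: birthday falls on 1 Mar otherwise
        birthday = date(dob.year + years, 3, 1)
    return birthday <= today


def full_disclosure(record: dict) -> dict:
    """What the relying party receives in the first diagram: the whole record."""
    return {"name": record["name"], "address": record["address"], "dob": record["dob"].isoformat()}


def minimal_disclosure(record: dict, min_age: int, state: str, today: date = TODAY) -> dict:
    """Only the predicates the relying party asked to have proven; no name, address or DOB."""
    return {
        f"over_{min_age}": is_at_least(record["dob"], min_age, today),
        f"from_{state}": record["state"] == state,
    }


def anonymity_set(disclosed: dict, population: list, disclose) -> list:
    """Names of everyone whose disclosure under `disclose` would look identical to the RP."""
    return [r["name"] for r in population if disclose(r) == disclosed]


def compare(name: str, min_age: int = 21, state: str = "WA") -> dict:
    """Show what one person reveals under each model and who else they could be mistaken for."""
    record = next(r for r in POPULATION if r["name"] == name)
    full = full_disclosure(record)
    minimal = minimal_disclosure(record, min_age, state)
    return {
        "full": full,
        "full_candidates": anonymity_set(full, POPULATION, full_disclosure),
        "minimal": minimal,
        "minimal_candidates": anonymity_set(
            minimal, POPULATION, lambda r: minimal_disclosure(r, min_age, state)),
    }


if __name__ == "__main__":
    result = compare("Alice Smith")
    print("full disclosure:", result["full"], "->", result["full_candidates"])
    print("minimal disclosure:", result["minimal"], "->", result["minimal_candidates"])
```

With full disclosure the relying party can name exactly one person; with minimal disclosure the same answer fits every adult from WA in the population, and the sample deliberately includes someone whose 21st birthday is six days after the reference date so the age predicate is evaluated on the day, not the year.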
Minimal Disclosure Scenarios
• Ordering a New Birth Certificate: the eID proves name, DOB & address to the birth certificate RP
• Visiting a Social Website: the eID proves over-21 & gender to the dating site RP
And finally… Towards a federated directory
We need a directory metasystem that works holistically in the cloud, in enterprises and organizations, and on devices
• Shared architecture, data model and semantics, protocols, publication paradigm
• Policy framework for configuration
• Simple APIs integrated with developer platforms