Identity & Access Management Conversation Karlien Vanden Eynde Product Marketing Manager
Dec 19, 2015

Page 1: Identity & Access Management Conversation Karlien Vanden Eynde Product Marketing Manager.

Identity & Access Management Conversation
Karlien Vanden Eynde, Product Marketing Manager

Page 2

Agenda

• 13:30 – 14:30 Wider Identity Conversation – Kim Cameron

• 14:30 – 15:30 Microsoft IAM: Business Needs and IT Challenges – Henk Den Baes

• 15:30 – 16:00 Coffee Break

• 16:00 – 17:15 FIM 2010: From Identity Synchronization to Identity Management – Federico Guerrini

• 17:15 – 17:20 Partner Offerings

• 17:20 – 18:00 Networking & Cocktail

Page 3

Digital Identity Discussion

Kim Cameron, Chief Architect of Identity

Page 4

Identity

The stuff of Poets and Philosophers

Digital Identity

Page 5

Digital Identity

How the web and the world recognize us in different contexts

• Foundation for personalization

• The social “mouse” or “keyboard”

• Foundation for interaction, collaboration and social phenomena: I can’t collaborate over time if I can’t recognize and refer to you

• Foundation for digital economy

Page 6

Identity is a mosaic

Disruptive ability and tendency to connect all information about individuals brings significant commercial and social risk

Person’s need to traverse silos

Person’s need for “contextual separation”

Page 7

Architectural Problem

The Internet was not designed with any way to know who you’re connecting to

Patchwork quilt of kludges

Page 8

www.identityblog.com


Page 9

The Claims Based Model

Page 10

Claims-based model

Abstraction layer: for authenticating, authorizing, obtaining information about users, devices and services

Claim: statement that is in doubt made by one subject about another subject

• Email = [email protected]

• Age > 21

• Manager = Craig Wittenberg

• Role = Architect

• Primordial Claims: Passwords, Keys and Certificates

Identity Metasystem: open standards-based architecture for exchange of claims under user control

Claims Transformer: matches impedance

What is the Claims-Based Model?

Write to model, let infrastructure adapt to environment

Page 11

Flow in the Claims-Based Model

• Application: requires, uses claims to describe users

• Claims provider: supports protocols for issuing claims

• Relationship: context in which meaning of claims is defined

Diagram: the Subject, a Claims Provider (Security Token Service) and an Application (requires claims), linked by a Relationship. 1. The application requires claims; 2. the subject gets claims from the claims provider; 3. the subject sends the claims to the application.

Page 12

New Claims: Identity, Capabilities, Authorization

Claims Transformation

New semantics at domain boundaries

Different issuer (for example “Local STS”)

Transform from Identity to Capabilities

Claims Augmentation

Not just identifiers!!

Diagram: Claims Evaluation and Transform (Policy + Claims)

How the Claims Service works
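The flow on the previous slide (require, get, send claims) and the transformation at the domain boundary on this one, as an added worked example that is not part of the deck: a partner STS issues a signed token, a local STS validates it, maps identity claims to a role claim under its own policy and reissues for the application, which then checks for the role. Keys, issuer names, the policy table and the HMAC token format are constructed stand-ins; a real STS signs SAML or WS-Trust tokens with asymmetric keys.

```python
import base64, hashlib, hmac, json, time

# Constructed stand-ins for STS signing keys (a real STS uses asymmetric keys).
PARTNER_STS_KEY = b"partner-sts-secret"   # the partner's claims provider
LOCAL_STS_KEY = b"local-sts-secret"       # our "Local STS" at the domain boundary

def issue(key, issuer, audience, claims, ttl=300):
    """Claims provider: package claims in a signed token for one audience."""
    body = {"iss": issuer, "aud": audience, "exp": int(time.time()) + ttl, "claims": claims}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload).decode() + "." + base64.b64encode(sig).decode()

def validate(key, issuer, audience, token):
    """Token consumer: check signature first, then issuer, audience and expiry."""
    p, s = token.split(".")
    payload, sig = base64.b64decode(p), base64.b64decode(s)
    if not hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), sig):
        raise ValueError("bad signature")
    body = json.loads(payload)
    if body["iss"] != issuer or body["aud"] != audience:
        raise ValueError("wrong issuer or audience")
    if body["exp"] < time.time():
        raise ValueError("expired")
    return body["claims"]

# Constructed policy: a capability (role) derived from identity claims,
# used for authorization in place of a security group.
ROLE_POLICY = {("engineering", "Craig Wittenberg"): "Architect"}

def transform(identity_claims):
    """Claims transformer: identity claims in, capability claims out."""
    lookup = (identity_claims.get("department"), identity_claims.get("manager"))
    out = {"email": identity_claims["email"]}          # keep the identifier
    if lookup in ROLE_POLICY:
        out["role"] = ROLE_POLICY[lookup]              # augment with a role claim
    return out

def access_resource(partner_token):
    """Relying side: partner token -> local STS -> application decision."""
    try:
        identity = validate(PARTNER_STS_KEY, "urn:partner-sts", "urn:local-sts", partner_token)
    except ValueError as err:
        return f"rejected: {err}"
    local_token = issue(LOCAL_STS_KEY, "urn:local-sts", "urn:app", transform(identity))
    claims = validate(LOCAL_STS_KEY, "urn:local-sts", "urn:app", local_token)
    return "allowed" if claims.get("role") == "Architect" else "denied"
```

The application never sees the partner's token or its department and manager claims; it only trusts its own local STS and the role claim that STS chose to issue.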

Page 13


Where is the industry in the process?

• Standards widely accepted – OASIS

• Interoperability deeply tested – OSIS Interoperability Testing and Liberty Alliance

• Platforms will finally have claims as a built-in feature

• Microsoft ADFS V2 Shipping now

• Part of Active Directory – expect wide adoption and deployment given no marginal cost

• COTS Software can count on claims “being there”

Example: Microsoft flagship applications like SharePoint

• Great products by many vendors

• Cloud service adoption and strong competition

• Many proofs of concept by private enterprise and government

Page 14

New initiatives in consumer space: OpenID


• Metasystem model

• Big service providers are all supporting OpenID (Yahoo, AOL, Google, Windows Live, etc)

• Many small providers (e.g. universities)

• US Government support

• Widely available software for ISVs

• Severe security issues being worked on by the industry

Page 15

Identity selector for OpenID


Page 16

The Claims Architecture

Page 17

Architecture, Starting with the Enterprise

How does an enterprise or government department make its application available to more than just employees?

Diagram: an Enterprise (Identity Store, Enterprise Application, Roles/Properties), its Partner (Identity Store) and the Microsoft Services Identity Backbone, with a question mark where the link between them should be.

Page 18

Industry Standard Components

Claims API: middleware or framework for building claims-aware applications

Claims Service: Security Token Service (STS) connecting to an identity store

Identity Selector: client component allowing user to select and control identity

Diagram: an Enterprise Application with a Claims API (1) and Claims Services (2) in the Enterprise Identity Backbone and the Microsoft Services Identity Backbone, each backed by an Identity Store with Roles/Properties, with Claims (3) flowing between them.

Page 19

The Claims Service

Claims Service

Security Token Service (STS)

Standard across vendors

Multiple protocols

SAML

WS-Federation

WS-Trust

Multiple payloads

Multiple vendors

Open Source, Microsoft, IBM, Novell, Sun, Siemens, etc

Diagram: Claims flow between an Enterprise Application (Claims API) and Claims Services in the Enterprise Identity Backbone, the Microsoft Services Identity Backbone and Partners, each backed by an identity store (Directory, Database).

Page 20

Architecture Works for Cloud, Too

Claims Service “Enterprise” protocols also used by cloud providers

Additional protocol for providers in Consumer space: OpenID

Several large cloud service providers already support the model

Allows single federation agreement to access many services

No lock-in to any cloud provider

Diagram: a Cloud Application (Claims API) and Claims Services in the Cloud Service Identity Backbone exchange Claims with the Claims Services of an Enterprise and a University, each backed by an identity store (Directory, Database).

Page 21

From Architecture To Off-The-Shelf Product

Page 22

Integrate and extend security

Diagram: Trey Research (Account Forest: AD DS, AD FS, User Account/Credentials) and Woodgrove Bank (Resource Forest: AD DS, AD FS, AD RMS, SharePoint Server Farm, Exchange 2010) joined by a Federation Trust. Application Access by Business Partners is redirected to the Security Token Service (STS); after Authentication the user receives a Security Token and claims and posts the claims to the application.

• Shared identity with partner organizations and cloud services

• Boost cross-organizational efficiency and communication with more secure access

− Support the sharing of rights-protected messages between organizations

− Improved support for Microsoft SharePoint Server as a claims-aware application

Active Directory Federation Services

Page 23

AD DS

AD FS

• Implements a single user access model with native single sign on (SSO) and easier federation to on-premise and cloud services

• Helps provide consistent security with a single user access model externalized from applications

• Based on open, industry standard protocols for interoperability

Security Token (e.g., Kerberos Ticket)

• AD FS creates SAML token

• Signs it with company’s private key

• Sends it back to the user

• Access supplied with the token

Diagram: a Corporate User presents an AD DS security token to AD FS and accesses Claims-Aware Applications (Exchange, SharePoint, Web App) at a Partner and in Cloud Services.

Integrate and extend security

Single Sign On with Extended Collaboration

Page 24

• SSO for on-premises and in-cloud applications

• Native support for Web and application SSO (including multi-factor authentication)

• Addresses security risks and interoperability problems caused by extending business resources beyond the corporate network and across disparate systems

Seamless Access to On-Premises and In-Cloud

Integrate and extend security

Diagram: AD FS issues an Auth. Token; Corporate Users, Remote Employees and Business Partners get SSO to Web Apps On-Premises (AD DS) and In-Cloud.

External users get authentication token from AD FS.

Get seamless access to in-cloud and on-premises applications.

Page 25

Managing the Use of Claims: Provisioning Claims and Resources

Page 26

Diagram: FIM (Workflow Manager) synchronizes identities between Active Directory, Lotus Domino, LDAP, SQL Server, Oracle DB and the HR System.

• Policy-based identity lifecycle management system

• Built-in workflow for identity management

• Automatically synchronize all user information to different directories across the enterprise

• Automates the process of on-boarding users

User Enrollment → Approval → User provisioned on all allowed systems

Identity Management: User provisioning

FIM CM

Simplify security, manage compliance

Page 27

Forefront Identity Manager 2010

FIM Enables Identity-based Controls for Information Protection

• Enforced through Windows Server and Active Directory Rights Management Services

FIM Enables Application and Network Access Controls

• Enforced in Forefront Unified Access Gateway

FIM Enables Federation and Cloud-based Services

• FIM supplies data for claims, performs user account provisioning and deprovisioning, and manages smartcards or software certificates

Simplify security, manage compliance

Page 28

FIM Enables Federation and Cloud

FIM supplies ADFS with data for claims

• For example, construct a “role” claim based on data in FIM to use for authorization in place of security groups

FIM supplies cloud-based services with user account provisioning and de-provisioning

• For services which need a copy of the directory

FIM provisions users with smartcards or software certificates

• Enables users to leverage stronger authentication for access to cloud-based services than just a password

Simplify security, manage compliance

Page 29

• Increase access security beyond username and password solutions

• Streamline deployment by enrolling user and computer certificates without user intervention

• Simplify certificate and SmartCard management using Forefront Identity Manager (FIM)

• Enhance remote access security through certificates with Network Access Protection

• Stronger authentication through certificates for administrative access and management

FIM Manages Primordial Claims

Diagram: HR System, FIM, FIM CM, Active Directory Certificate Services (AD CS) and the End User (User ID and Password, SmartCard).

User Enrollment and Authentication request sent by HR System

FIM policy triggers request for FIM CM to issue certificate or SmartCard

User is validated using multi-factor authentication

FIM Certificate Management (CM) requests certificate creation from AD CS

Certificate is issued to user and written to either machine or smart card

Simplify security, manage compliance

Page 30

Workflow Management

Simplify security, manage compliance

• Enables IT to quickly define, automate, and enforce identity management policies

• IT can use the integrated workflow in the approval/rejection process

• Automatic notifications for request approvals or rejections

Page 31

Directions: Minimal Disclosure and Interscale Directory

Page 32

Important New Frontier: Minimal Disclosure Technology

Diagram: the Identity Provider holds Name: Alice Smith, Address: 1234 Pine, Seattle, WA, D.O.B.: 23-11-1955, and today the Relying Party receives the same full record.

Page 33

Minimal Disclosure Token

Diagram: the Relying Party asks “Prove that you are over 21 and from WA”; the Identity Provider, which holds Name: Alice Smith, Address: 1234 Pine, Seattle, WA, D.O.B.: 23-11-1955, issues an Over-21 proof, and the Relying Party is left asking “Which adult from WA is this?”
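A simplified illustration of the idea on this and the previous slide, added here and not taken from the deck: the identity provider commits to each attribute with a salted hash (including an over-21 predicate it derives from the date of birth, so the raw D.O.B. never has to travel), signs the set of commitments, and the user opens only the attributes the relying party asked for. This is plain selective disclosure rather than the dedicated minimal disclosure technology the slide refers to; the key, the salts, the date and the attribute layout are constructed.

```python
import hashlib, hmac, json, secrets
from datetime import date

IDP_KEY = b"idp-signing-secret"   # constructed stand-in for the identity provider's key

def _commit(salt, name, value):
    # Salted hash commitment to one attribute: hides the value until it is opened.
    return hashlib.sha256(f"{salt}|{name}|{value}".encode()).hexdigest()

def issue_credential(attrs, today, key=IDP_KEY):
    """IdP: derive predicate attributes, commit to every attribute, sign the set."""
    dob = date.fromisoformat(attrs["dob"])
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    full = dict(attrs, over21=str(age >= 21), state=attrs["address"].rsplit(",", 1)[1].strip())
    openings = {n: (secrets.token_hex(8), v) for n, v in full.items()}   # salt, value
    commitments = sorted(_commit(s, n, v) for n, (s, v) in openings.items())
    signed = json.dumps(commitments).encode()
    sig = hmac.new(key, signed, hashlib.sha256).hexdigest()
    return {"commitments": commitments, "sig": sig}, openings

def present(credential, openings, disclose):
    """User: hand over the signed commitment set plus openings for chosen attributes only."""
    return {"credential": credential, "disclosed": {n: openings[n] for n in disclose}}

def verify(presentation, required, key=IDP_KEY):
    """RP: check the IdP signature, then that each required attribute opens a committed value."""
    cred, disclosed = presentation["credential"], presentation["disclosed"]
    signed = json.dumps(cred["commitments"]).encode()
    expected = hmac.new(key, signed, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["sig"]):
        return False
    for name, value in required.items():
        if name not in disclosed or disclosed[name][1] != value:
            return False
        if _commit(disclosed[name][0], name, value) not in cred["commitments"]:
            return False
    return True
```

Because the signed commitment set is identical in every presentation, two relying parties can still correlate Alice; removing that linkability while keeping the proof verifiable is what the dedicated minimal disclosure technology adds beyond this.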

Page 34

Minimal Disclosure Scenarios

eID → Birth certificate RP: prove name, DOB & address

Page 35

Ordering a New Birth Certificate


Page 36

Minimal Disclosure Scenarios

eID → Dating site RP: prove over-21 & gender

Page 37

Visiting a Social Website


Page 38

And finally… Towards a federated directory

We need a directory metasystem that works holistically in the cloud, in enterprises and organizations, and on devices

• Shared architecture, data model and semantics, protocols, publication paradigm

• Policy framework for configuration

• Simple APIs integrated with developer platforms