Agenda: St. Louis
Agenda: Minneapolis
Agenda: Des Moines
Agenda: Omaha
Identity Management in Windows Server 2003 R2: Active Directory Federation Services
Identity Management Solutions
Mike Kellogg
Technology Specialist – Microsoft Corporation
mike.kellogg@microsoft.com
Blain Checkley
Unisys – Sr. Architect
Blain.checkley@unisys.com
The Business Cost
On average, users are provisioned in 16 systems and de-provisioned in 12.
Enterprises have 68 internal and 12 external account stores.
75% of internal users and 38% of external users are in multiple stores.
Password resets cost $57-$147.
Consequences: security risks, increased IT cost, lost productivity.
Identity and Access Management: Windows Server 2003 R2 Solution
Active Directory – Global
  Distributed and scalable architecture
  Strong authentication
  User and desktop management
  Exchange Server integration
  Subsystem for UNIX Applications – UNIX identity management
AD Application Mode (ADAM) – Local to the application
  Application-specific information
  Runs as an LDAP service
  Integrates with AD for services such as SSO
UNIX Identity Management
  Server for Network Information Service (NIS) helps integrate Windows and UNIX domains
  Password synchronization simplifies password maintenance across platforms
  Benefit: efficient multi-platform identity management
Active Directory Federation Services (ADFS)
  Enables secure, appropriate access to web applications outside the user's own domain/forest
  Extranet authentication and single sign-on for customers, partners and employees
  Identity federation
  Access decisions can be based on roles, groups, etc.
MIIS/IIFP – Integration/Business Process
  Synchronizes identity across enterprise stores
  Provides a state-based view of the user across the enterprise
  Simplifies management of the identity lifecycle
Vision for IAM: Connected Systems
Past – Application Silos
  ID for each system
  Internally focused
  Limit to business value
Present – Custom Integration / Identity Integration
  Internal & external
  High cost to value
Future – Connected Systems
  Federated
  Built to extend
  Low cost to value
  Identity platform exposed through web services: AD, ADAM, MIIS, ADFS
Identity and Access Management: Windows Server 2003 Solution
Active Directory
Active Directory® Application Mode (ADAM)
  Lightweight, domain-independent mode of Active Directory for application directory scenarios
  Interoperability with Domain Mode for authentication
  Benefit: tailor the directory services infrastructure for local control/autonomy or shared services
UNIX Identity Management
  Server for Network Information Service (NIS) helps integrate Windows and UNIX domains
  Password synchronization simplifies password maintenance across platforms
  Benefit: efficient multi-platform identity management
Active Directory Federation Services (ADFS)
Microsoft Identity Integration Server 2003 (MIIS)
Windows Integrated Authentication
Logon to Windows – flexible authentication:
  Kerberos
  X.509 v3/smartcard/PKI
  VPN/802.1x/RADIUS
  LDAP
  Passport/Digest/Basic (web)
  SSPI/SPNEGO
Single sign-on to:
  Windows file/print servers
  Microsoft applications
  390/AS400 (Host Integration Server)
  ERP (BizTalk, SharePoint ESSO)
  3rd-party integrated apps
  Web applications via IIS
  Unix/J2EE (Services for Unix, Vintela/Centrify)
Active Directory Application Mode
Lightweight, domain-independent mode of Active Directory for application directory scenarios
Same code as Active Directory = same programming model, admin tools, replication model
Simple wizard-based install; no DCPROMO
Schema flexibility; synchronization with Active Directory possible via Identity Integration Feature Pack
Free web download
Authentication in Active Directory, authorization in ADAM for increased security
ADAM Usage Scenarios: Application-specific local directory
Example: web portal with personalization
  Store personalization info in ADAM
  Use Active Directory for authentication
  Flow: the client authenticates against the Active Directory infrastructure; the application server stores and retrieves personalization data in ADAM
UNIX Password Synchronization
Pull NIS schema into Active Directory
Bidirectional password sync and user name mapping, supported on:
  HP-UX 11i
  Sun Solaris 8 & 9
  IBM AIX 5L 5.2
  Red Hat Linux 9.0
Mapping Server
  Map Windows® user and group accounts to UNIX
SFU functionality in Windows Server R2
Services for UNIX 3.5 (2004) components and where they land in Windows Server 2003 R2 (2006):
  User/Name Mapping, NIS Server, Password Sync – optional install: Identity Management
  SUA – optional install: Windows Subsystem for UNIX Applications, with 64-bit support and Oracle/SQL ODBC connectors
  Telnet Server – already ships in Windows Server 2003 SP1
  NFS Server/Client, NFS Admin & Utils – optional install: Other Network File & Print Services
  GNU, BSD & SCO tools and Visual Studio integration (compile/build/debug) – retired from the server media; supported in SFU 3.5 until 2011 (2014); available via a separate download package
UNIX Identity Management
Consolidation of administration and monitoring across platforms
Remotely monitor and administer Windows-based systems in the same fashion and with the same tools as UNIX-based systems
Efficient cross-platform user management across UNIX and Windows servers and workstations
R2 UNIX Application Portability
Customer situation: dependency on custom-developed legacy code
WS2003 R2 provides UNIX-to-Windows application portability
Application usage across environments
Complete UNIX subsystem on the Windows Kernel
Integration Methods
Direct invocation
Pipes
Sockets
Shared memory
COM
XML web service
Federated Identity Management
A set of standards-based technology & IT processes to facilitate distributed identification, authentication & authorization across boundaries (security, departmental, organizational or platform).
Orgs Have To Extend Access
Your COMPANY and your EMPLOYEES:
  Customer satisfaction & customer intimacy
  Cost competitiveness
  Reach, personalization
  Collaboration
  Outsourcing
  Faster business cycles; process automation
  Value chain
  M&A
  Mobile/global workforce
  Flexible/temp workforce
Active Directory Federation Services: Integrating the Browser and the Metasystem
Extends AD to Internet scenarios
Internet and federated web single sign-on
Works with existing AD deployments
Leverages digital identities and WS-* standards
Extensible and interoperable
Uses WS-Trust to enable token translation
Uses WS-Federation for cross-platform interoperability
Supports Kerberos and SAML 1.1 tokens
Great example of identity metasystem
Third Party Support
Centrify, Vintela, Ping, …
Availability
Included with Windows Server 2003 R2
Security Tokens & Claims: Raw materials for distributed access management
Security tokens assert claims
Claims – statements authorities make about security principals (name, identity, key, group, privilege, capability, etc.)
Token formats include X.509, Kerberos, XrML, SAML, secret key and password; a token may be signed and may carry proof of possession
Security token services (STS) issue security tokens
STS – similar to a Kerberos Key Distribution Center (KDC)
What Is A Digital Identity?
A set of claims that characterize a person or thing in the digital world
A Claim is a statement made about someone/something by someone/something
Claims are packaged in Security Tokens
Using Claims
1. Get service policy – describes the required claims
2. Acquire security tokens – tokens contain claims
3. Use security tokens – associate claims with application messages
Federated IAM in Action: Cross-organization, cross-platform Web SSO
Example: Bob's Fish & Tackle (BF&T, the account partner) and Worms-R-Us (the resource partner)
1. User clicks the BF&T portal link to the Worms-R-Us order processing application
2. User is redirected to the Bob's Fish & Tackle STS and seamlessly authenticated via Kerberos (Windows integrated authentication & AD); at this point the user is identified by SIDs
3. User obtains a SAML security token from the BF&T STS for the Worms-R-Us STS, carrying federation claims per the business agreement
4. User obtains a SAML security token from the Worms-R-Us STS for the application, carrying federation + application-specific claims
5. User accesses the Worms-R-Us order processing application, which authorizes on the application claims
Identity Federation in Action
A. Datum – account forest
Trey Research – resource forest
Federation trust between the two
OK … so what do I need to make this work?
ADFS Architecture
Active Directory (2K, 2K3, ADAM)
  Authenticates users
  Manages attributes
Federation Service (FS)
  STS (security token service)
  Issues security tokens
  Populates claims – statements an authority makes about security principals
  Manages federation trust policy
FS Proxy (FS-P)
  Client proxy for token requests
  Provides UI for browser clients
Web Server SSO Agent
  Enforces user authentication
  Creates the user authorization context
Application (authorization)
  Windows NT® impersonation and ACLs
  ASP.NET IsInRole()
  AzMan RBAC integration
  ASP.NET raw claims API
Connections between the components shown in the diagram: HTTPS, LPC/web methods, Windows authentication/LDAP
ADFS: Supported Claim Types
WS-Federation interoperable claim types
  Identity
    User Principal Name (UPN)
    Email address
    Common name (any string value)
  Group
  Custom
    name/value pair (e.g. SSN / 123-45-6789)
ADFS-to-ADFS only authorization data
  SIDs
    Sent to avoid employee shadow accounts in the extranet DMZ
    Sent in the SAML token Advice element (not a standard claim type)
Organizational claims
  Common set of claims across account stores and partners
  Mark organizational claims as sensitive (not audited/logged)
Good idea, but what is necessary on the other end?
ADFS: Standards-Based Solution
Multi-vendor, multi-platform interoperability via Web Services WS-Federation
Active Directory Federation Services interoperates with IBM, PingID, BMC, Oracle, CA, Quest, RSA, Centrify + others…
WS-* Architecture: An architecture for an identity metasystem
Composable architecture for web services
Broad participation across the industry
Open, published, standards-track architecture
Available royalty free
Security token format neutral
OASIS WS-Security specification is the basis
X.509, Kerberos, SAML 1.1, 1.2, 2.0, XrML …
Dynamic system for exchanging claims
WS-MetadataExchange, WS-SecurityPolicy, …
Token and claim translation
WS-Trust defines Security Token Services (STS)
All major specs are on track to OASIS
WS-Federation (Web Services Federation Language)
Defines messages to enable security realms to federate & exchange security tokens
Built upon WS-Security, WS-Trust
Wide industry support
Authors: BEA, IBM, Microsoft, RSA, VeriSign
3/04 Workshop: IBM, OpenNetwork, Oblix, Netegrity, RSA, PingID
Two “profiles” of the model defined:
  Passive (web browser) clients – HTTP/S (ADFS v1)
  Active (smart/rich) clients – SOAP (ADFS v2)
Cross-organization, multi-vendor interoperability
Passive Requestor Profile: Supported by ADFS v1 in Windows Server 2003 R2
Binding of WS-Federation & WS-Trust for browser (passive) clients
Implicitly adhere to policy by following redirects
Implicitly acquire tokens via HTTP messages
Authentication requires secure transport (HTTPS): the browser only ever holds bearer tokens, so TLS is all that protects them in transit
Cannot provide “proof of possession” for tokens
Limited (time-based) token caching
Tokens can be replayed: anyone who captures a token can present it again within its validity window
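The following Python is an added worked example, not code from this presentation or from ADFS itself. It models the Bob's Fish & Tackle / Worms-R-Us flow from the "Federated IAM in Action" slide together with the claim-type rules and the passive-profile caveats above: two STSs issue signed bearer tokens carrying claims, the resource STS translates the partner's federation claims into application claims according to its trust configuration, and the application makes an IsInRole-style decision. Everything concrete here is an assumption made for the example: the HMAC-over-JSON token format (real ADFS tokens are SAML 1.1 assertions signed with the STS's X.509 certificate), the keys, partner names, UPN and claim mapping, and the optional replay cache, which is included only to make the bearer-token replay property visible and does not describe ADFS v1 behaviour.

```python
import base64
import hashlib
import hmac
import json
import uuid

# Constructed stand-in signing keys (assumption).  Real ADFS tokens are SAML 1.1
# assertions signed with the issuing STS's X.509 certificate; HMAC over a JSON
# body is used here only so the example runs without an XML signature library.
ACCOUNT_STS_KEY = b"bfandt-account-sts-key"        # Bob's Fish & Tackle, account partner
RESOURCE_STS_KEY = b"worms-r-us-resource-sts-key"  # Worms-R-Us, resource partner

# Claim mapping the resource STS configures for the federation trust (hypothetical):
# (partner, incoming organizational claim) -> application claim.
FEDERATION_CLAIM_MAP = {
    ("Bob's Fish & Tackle", ("Group", "Purchasing")): ("Group", "OrderEntry"),
    ("Bob's Fish & Tackle", ("Group", "Finance")): ("Group", "InvoiceView"),
}
IDENTITY_CLAIM_TYPES = {"UPN", "Email", "CommonName"}
SENSITIVE_CLAIM_TYPES = {"SSN"}  # organizational claims marked sensitive are not logged

class TokenError(Exception):
    """A token that must be rejected, with the reason as the message."""


def _b64(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(issuer, audience, claims, key, now, lifetime=300):
    """An STS issues a signed bearer token asserting `claims` ([type, value] pairs) to `audience`."""
    body = {"id": str(uuid.uuid4()), "issuer": issuer, "audience": audience,
            "nbf": now, "exp": now + lifetime, "claims": claims}
    payload = json.dumps(body, sort_keys=True).encode()
    return _b64(payload) + "." + _b64(hmac.new(key, payload, hashlib.sha256).digest())


def verify_token(token, expected_audience, key, now, replay_cache=None):
    """Relying-party checks: signature, audience, validity window and, only if a cache is
    supplied, one-time use.  Without the cache a captured token verifies again while valid."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except ValueError:
        raise TokenError("malformed token") from None
    if not hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), sig):
        raise TokenError("bad signature")
    body = json.loads(payload)
    if body["audience"] != expected_audience:
        raise TokenError("token not issued for this audience")
    if not body["nbf"] <= now < body["exp"]:
        raise TokenError("token outside its validity window")
    if replay_cache is not None:
        if body["id"] in replay_cache:
            raise TokenError("token replayed")
        replay_cache.add(body["id"])
    return body


def verification_result(token, expected_audience, key, now, replay_cache=None):
    """verify_token reported as a string: 'ok' or the rejection reason."""
    try:
        verify_token(token, expected_audience, key, now, replay_cache)
        return "ok"
    except TokenError as exc:
        return str(exc)


def resource_sts_issue(partner_token, now, app_audience="Worms-R-Us Order Processing"):
    """Worms-R-Us STS: validate the partner token, translate federation claims into
    application claims per the trust, and issue a fresh token for the application."""
    incoming = verify_token(partner_token, "Worms-R-Us STS", ACCOUNT_STS_KEY, now)
    partner = incoming["issuer"]
    app_claims = []
    for ctype, value in incoming["claims"]:
        if ctype in IDENTITY_CLAIM_TYPES:
            app_claims.append([ctype, value])  # identity claims pass through unchanged
        mapped = FEDERATION_CLAIM_MAP.get((partner, (ctype, value)))
        if mapped:
            app_claims.append(list(mapped))  # partner groups become application groups
    # Partner claims with no mapping are dropped: the trust policy decides what the app sees.
    return issue_token("Worms-R-Us STS", app_audience, app_claims, RESOURCE_STS_KEY, now)


def is_in_role(token_body, role):
    """Application-side decision, the equivalent of ASP.NET IsInRole() over the claims."""
    return ["Group", role] in token_body["claims"]


def audit_record(token_body):
    """The claims as they would be written to an audit log, sensitive ones redacted."""
    return [[t, "<sensitive>" if t in SENSITIVE_CLAIM_TYPES else v] for t, v in token_body["claims"]]


def federated_sso(now):
    """The slide's flow end to end; returns the validated application token body."""
    # 1-2. Kerberos-authenticated at BF&T, the user gets a token from the BF&T STS for the Worms-R-Us STS.
    partner_token = issue_token("Bob's Fish & Tackle", "Worms-R-Us STS",
                                [["UPN", "bob@bfandt.example"], ["Group", "Purchasing"], ["Group", "Anglers"]],
                                ACCOUNT_STS_KEY, now)
    # 3. The Worms-R-Us STS translates the federation claims and issues the application token.
    app_token = resource_sts_issue(partner_token, now)
    # 4. The application validates that token and authorizes from its claims.
    return verify_token(app_token, "Worms-R-Us Order Processing", RESOURCE_STS_KEY, now)
```

verify_token without a replay cache is the passive profile as the slide describes it: the same token verifies as many times as anyone presents it inside its validity window, which is why HTTPS and a short lifetime are the only protections the profile offers. The audience and validity-window checks belong to the relying party, not the STS; the signature on its own proves only who issued the token, and the Anglers group never reaches the application because the trust configuration, not the partner, decides which claims cross the boundary.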
Active Requestor Profile: Future ADFS release in the Longhorn wave
Binding of WS-Federation & WS-Trust for SOAP/XML-aware (active) clients
Explicitly determine token needs from policy
Explicitly request tokens via SOAP msgs
Strong authentication of all requests
Can provide “proof of possession” for tokens
Supports delegation
Client can provide token for web service to use on its behalf
Allows rich token caching at client
Improved user experience & performance
ADFS Scenario: Web SSO
User credentials and attributes managed in Active Directory/ADAM at the application
Benefits:
Single sign-on to farm of IISv6 web apps
Stronger authentication via forms, client-side certs
ADAM support: LDAP user store in perimeter
Support for “road warrior” applications
Windows Integrated Auth for internal users
ADFS auth for external users
ADFS Scenario: Identity Federation
User credentials and attributes managed in the “home realm” by the partner organization
Benefits:
  Single sign-on to internal and partner web applications
  Fewer passwords for users to forget
  Lower password reset costs
  Centralized administration, delegated to partners
  Automated restriction of partner app access
  Logging of inbound and outbound access requests
ADFS Benefits
Extend the value of Active Directory deployments to facilitate secure collaboration with partners
  More user efficiency – fewer passwords, single sign-on
  More IT efficiency – centralized admin of extranet accounts
  Better security – automated restriction of access; partner users authenticate in their home realm, so their passwords are never sent to the resource partner or “in the clear”
  Better regulatory compliance – logging/auditing of all user activity
  Interop with heterogeneous application environments via WS-Federation
Extend the value of Windows Server identity services in internet-facing web environments
  Stronger authentication for extranet deployments (AD, ADAM)
  Extranet and federated SSO
  “Native” delegated administration
  Tight integration with MS authorization technologies
  Interop with heterogeneous user management environments via WS-Federation
ADFS Promotes Organizational Efficiency
ADFS Improves Security & Regulatory Compliance
ID Lifecycle Management: Consolidate, Synchronize, Integrate, Standardize – Microsoft Identity Integration Server
Identity Aggregation
  Support for over 20 different repositories
  Provides a single, enterprise view of a user
  Uses SQL Server as the information repository
User Provisioning
  Automate account create/delete
  Group & distribution list management
  Workflow
Self-Service
  Self-service password change
  Helpdesk password reset
  Web-based, extensible for building self-service
MIIS: The Components
Network Architecture
Attribute Flow Scenario: Identity Data Aggregation
Connected systems: HR System, iPlanet Directory, Lotus Notes and Active Directory, with MIIS in the middle. HR attributes are FirstName, LastName, EmployeeID, Title, E-Mail and Telephone; the directories use givenName, sn, title, mail, employeeID and telephone.
Before aggregation the same person is held inconsistently across the stores ("Klarek Cenntt 008", "Clark Kennttt 007", "Klarke Kent Superhero 007 867-5309") against the HR record Clark Kent, 007, Reporter, Clark@contoso.com, 867-5309. MIIS joins these into a single identity: Clark Kent, Reporter, Clark@contoso.com, 007.
Attribute Flow Scenario (cont'd): Identity Data Brokering (Convergence)
The aggregated values flow back out so that every connected system converges on Clark Kent, Reporter, Clark@contoso.com, 867-5309, 007.
Attribute Flow Scenario (cont'd)
The conflicting title values ("Superhero" in a directory, "Reporter" in HR) are resolved by the configured attribute precedence rather than by whichever store was written last.
Identity Data Integrity Enforcement
When the title is later changed directly in a connected store ("Publisher"), the next synchronization run restores the authoritative HR value ("Reporter") in that store.
Summary: MIIS Helpful Features
Preview Mode
MIIS offers the ability to test what will happen to objects and the system as management agents are changed
This makes it very easy to test changes to the system without affecting production data
Data Lineage
MIIS offers the ability to see what identity data changed in a user’s record, which management agent changed it and when it occurred.
Enables easy audit of identity changes
Based on SQL Server
Some solutions store identity information in a directory or do not store it at all. MIIS stores identity information in SQL tables. SQL is more scalable, reliable, fault-tolerant and is transactional (roll-back, event logging)
Enables easy reporting through SQL rather than by complicated LDAP programming. Greater number of people to draw from that understand SQL programming, more tools available for SQL than LDAP.
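An added Python example, not part of the presentation or of MIIS, that reproduces the Clark Kent attribute-flow scenario from the earlier slides together with the preview-mode and data-lineage features listed here. The sample records, the choice of HR as the authoritative source for name and title, Lotus Notes for the mail address and AD for the telephone number, and the attribute-flow rules are assumptions made for the example; MIIS expresses the same things through management agents, the metaverse schema and attribute precedence, which this code stands in for with plain dictionaries.

```python
import copy

# Constructed connector-space data for the slide's Clark Kent scenario (assumed values).
# Records are keyed by the join attribute, the employee ID.  HR is authoritative for
# name, employee ID and title; Lotus Notes supplies the mail address; AD the telephone.
SOURCES = {
    "HR":      {"007": {"FirstName": "Clark", "LastName": "Kent", "EmployeeID": "007", "Title": "Reporter"}},
    "iPlanet": {"007": {"givenName": "Klarek", "sn": "Cenntt", "employeeID": "007"}},
    "Notes":   {"007": {"givenName": "Clark", "sn": "Kennttt", "employeeID": "007", "mail": "Clark@contoso.com"}},
    "AD":      {"007": {"givenName": "Klarke", "sn": "Kent", "employeeID": "007", "title": "Superhero", "telephone": "867-5309"}},
}

# Import attribute flow with precedence: metaverse attribute -> ordered (source, source attribute).
# The first listed source that has a value wins; later ones are consulted only if it has none.
IMPORT_PRECEDENCE = {
    "givenName":  [("HR", "FirstName")],
    "sn":         [("HR", "LastName")],
    "employeeID": [("HR", "EmployeeID")],
    "title":      [("HR", "Title")],
    "mail":       [("Notes", "mail"), ("AD", "mail")],
    "telephone":  [("AD", "telephone"), ("iPlanet", "telephone")],
}

# Export attribute flow: the metaverse attributes each directory receives.  HR is import-only.
EXPORT_FLOW = {
    "iPlanet": ["givenName", "sn", "employeeID", "title", "mail", "telephone"],
    "Notes":   ["givenName", "sn", "employeeID", "title", "mail", "telephone"],
    "AD":      ["givenName", "sn", "employeeID", "title", "mail", "telephone"],
}


def aggregate(sources):
    """Identity data aggregation: one metaverse object per employee ID, each attribute
    taken from the highest-precedence connected source that holds it."""
    ids = {emp for records in sources.values() for emp in records}
    metaverse = {}
    for emp in sorted(ids):
        obj = {}
        for mv_attr, rule in IMPORT_PRECEDENCE.items():
            for source, src_attr in rule:
                record = sources[source].get(emp, {})
                if src_attr in record:
                    obj[mv_attr] = record[src_attr]
                    break
        metaverse[emp] = obj
    return metaverse


def sync(sources, preview=False):
    """One synchronization run: import into the metaverse, then export to the connected
    directories.  Returns (metaverse, sources after export, lineage log); each log entry
    is (system, employee ID, attribute, old value, new value), i.e. which store changed,
    what changed and from what.  With preview=True the log is computed but nothing is
    written, which is what MIIS preview mode offers before a change goes to production."""
    metaverse = aggregate(sources)
    updated = copy.deepcopy(sources)
    log = []
    for system, attrs in EXPORT_FLOW.items():
        for emp, obj in metaverse.items():
            record = updated[system].setdefault(emp, {})  # provisioning: create a missing account
            for attr in attrs:
                if attr in obj and record.get(attr) != obj[attr]:
                    log.append((system, emp, attr, record.get(attr), obj[attr]))
                    record[attr] = obj[attr]
    return metaverse, (sources if preview else updated), log


def converge_and_enforce():
    """The slide's two stages: convergence of the four stores, then integrity enforcement
    after someone changes the title directly in Lotus Notes."""
    _, converged, convergence_log = sync(SOURCES)
    tampered = copy.deepcopy(converged)
    tampered["Notes"]["007"]["title"] = "Publisher"  # out-of-band edit in a non-authoritative store
    _, enforced, enforcement_log = sync(tampered)
    return converged, enforced, convergence_log, enforcement_log
```

The first run writes eleven attribute changes to the three directories and leaves HR untouched; sync(SOURCES, preview=True) produces the same eleven lineage entries without touching any store. The second run in converge_and_enforce shows integrity enforcement: the only change it makes is to revert the Notes title from "Publisher" to "Reporter", because precedence says HR, not Notes, owns that attribute, and the lineage entry records exactly that reversal.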
Summary
Orgs need to extend access – but it’s challenging
MIIS simplifies provisioning, password management and aggregates Identities
ADFS extends AD beyond the domain
Web SSO and Identity Federation
Windows Server provides comprehensive cross-boundary access management/SSO services
Windows Integrated Auth/Kerberos
AD/ADAM
Microsoft Identity Integration Server
ADFS
IIS
ISA
ASP.Net
Authorization Manager
Additional Resources
Visit Microsoft.com
Identity Management - http://www.microsoft.com/IDM
AD - http://www.microsoft.com/AD
Windows Server System - http://www.microsoft.com/windowsserversystem
View Microsoft’s .NET Show on ADFS
http://msdn.microsoft.com/theshow/episode047/default.asp
Get familiar with Web Services security and identity model
http://msdn.microsoft.com/webservices/
Attend WS-* workshops
http://msdn.microsoft.com/webservices/community/workshops/default.aspx
Get started with WS-* using Web Services Enhancements
http://msdn.microsoft.com/webservices/building/security/
Resources and Links
Federation – Identity Management
http://www.microsoft.com/WindowsServer2003/R2/Identity_Management/ADFSwhitepaper.mspx
http://www.microsoft.com/IDM
WebCast Training:
http://technet2.microsoft.com/windowsserver/en/webcasts.mspx
Demo: Identity and Access Management – see how identity federation in ADFS enables single sign-on to web applications hosted by business partners.
AD:
http://www.microsoft.com/AD
Windows Server System:
http://www.microsoft.com/windowsserver2003/default.mspx
http://www.microsoft.com/windowsserversystem
IBM+Microsoft Paper
http://msdn.microsoft.com/webservices/webservices/understanding/advancedwebservices/default.aspx?pull=/library/en-us/dnglobspec/html/ws-federation-strategy.asp
Federation Interoperability:
http://msdn.microsoft.com/webservices/webservices/understanding/specs/default.aspx?pull=/library/en-us/dnwebsrv/html/wsfedinterop.asp
Case Studies:
RSA Security:
http://members.microsoft.com/CustomerEvidence/Search/EvidenceDetails.aspx?EvidenceID=166&LanguageID=1
Webridge Extranet Solution:
http://members.microsoft.com/CustomerEvidence/Search/EvidenceDetails.aspx?EvidenceID=732&LanguageID=1
Law Firm Case Study:
http://members.microsoft.com/CustomerEvidence/Search/EvidenceDetails.aspx?EvidenceID=472&LanguageID=1
Case Study Search Results from Microsoft.com
http://members.microsoft.com/CustomerEvidence/Search/AdvancedSearchResults.aspx?Flag=0&Keyword=extranet
Identity Management Case Studies
http://msdn.microsoft.com/webservices/webservices/understanding/specs/default.aspx?pull=/library/en-us/dnwebsrv/html/wsfedinterop.asp
Resources and Links
The entire Identity and Access Management Series:
http://www.microsoft.com/technet/security/topics/identitymanagement/idmanage/P3Extran_0.mspx
Extranet and Web Single SignOn document (from links listed in the above document):
http://www.microsoft.com/technet/security/topics/identitymanagement/idmanage/P3Extran_0.mspx
The design and planning collection is also an excellent set of resource documents:
http://www.microsoft.com/downloads/details.aspx?FamilyId=DADC5021-222B-4AF7-8C58-2227C358756F&displaylang=en
The Webcast Training consists of several 1 to 2 hour sessions covering everything from basic functionality to complex Management Agent configuration.
http://www.microsoft.com/windowsserversystem/miis2003/techinfo/training/default.mspx
MIIS Scenario Walkthroughs (Step-by-Step guide for specific scenarios)
http://www.microsoft.com/downloads/details.aspx?FamilyId=15032653-D78E-4D9D-9E48-6CF0AE0C369C&displaylang=en
MIIS Technical Reference (Update Aug 2005)
http://www.microsoft.com/downloads/details.aspx?FamilyID=d7894cc9-eeeb-40d9-8f5f-573050624f67&DisplayLang=en
MIIS Developers Reference
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/mmsdev/mms/portal.asp
General MIIS Link
http://www.microsoft.com/miis
http://www.microsoft.com/windowsserversystem/miis2003/techinfo/planning/default.mspx
© 2003-2004 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.