Download presentation: ADAM, James Cowling, Senior Technical Architect

ff75d6c87d16248548e41f2c37c6cbf6.ppt

  • Number of slides: 22

ADAM
James Cowling, Senior Technical Architect

Agenda
  • What is ADAM?
  • Relevance to IAM
  • Real-world Implementation Scenarios

What is ADAM?
  • LDAP Directory
  • Based on AD technology
  • Simple and clean to install and uninstall
  • Without AD's NOS and historical baggage
  • Supports both
      – DC=Microsoft, DC=COM
      – O=Microsoft, C=US
  • Integrates tightly with AD authentication
  • Basically Free

Technical Matters of Interest
  • Installation
      – Simple to install
      – Wizard or Unattended
      – Multiple installs per server
      – XP install limited to 10000 objects
  • Password Policies
      – Complexity rules similar to AD
  • Backup and Restore
      – EDB and LOG files

Replication
  • Replication between ADAM instances on different computers
      – using AD technology
      – Flexible replication models possible

Administration
  • Technical Administration via command-line tools
      – DSMGMT: Manage partitions, FSMO roles, policies, ports
      – REPLADMIN: Troubleshoot Replication
      – DSDBUTIL: Manage and troubleshoot the database
      – DSACLS: Manage Access Control Lists

Identity Administration
  • ADSIEdit and LDP supplied with ADAM
  • Many other tools exist
      – Web-based
      – Explorer-integrated
      – Build or Buy
  • Delegated Administration Permissions
      – Through ADAM ACLs in user context
      – Through 3rd-party tools in service account context

ADAM and IAM
  • Centralized Identity Storage
  • Flexible Authentication
  • Centralized Identity Management
  • Centralized Role Management

Identity Storage
  • Users
  • Groups
  • Roles

Authentication
  • Primary Authentication Method is LDAP simple bind
  • Forwards Windows Integrated Authentication for unknown users, and proxies LDAP binds for known users
      – to AD and NT 4
      – in same or trusted domains
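The slide names LDAP simple bind as ADAM's primary authentication method. The following Python is an added example, not code from the presentation or from ADAM: it encodes and decodes an LDAPv3 simple-bind request in BER (RFC 4511 BindRequest, RFC 4512 DN syntax), so you can see exactly what a client sends when it binds. The DN, password and message ID are constructed sample values. The last function makes the practical point for anyone deploying ADAM or any LDAP directory: simple bind carries the password verbatim in the PDU, so its confidentiality rests entirely on LDAPS or StartTLS on the endpoint.

```python
"""Added example, not from the deck: encode and decode an LDAPv3 simple-bind
request in BER, the wire format behind the "LDAP simple bind" that the slide
names as ADAM's primary authentication method.  The DN, password and message
ID used below are constructed sample values, not from the presentation."""


def _ber_len(n: int) -> bytes:
    """BER definite-form length: one byte below 128, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _ber_int(n: int) -> bytes:
    """Minimal two's-complement encoding of a non-negative INTEGER value."""
    return n.to_bytes(n.bit_length() // 8 + 1, "big")


def _tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + _ber_len(len(value)) + value


def encode_bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER,
                                  bindRequest [APPLICATION 0] SEQUENCE {
                                      version INTEGER, name LDAPDN,
                                      authentication simple [0] OCTET STRING } }"""
    version = _tlv(0x02, _ber_int(3))                 # INTEGER 3 (LDAPv3)
    name = _tlv(0x04, dn.encode("utf-8"))             # OCTET STRING holding the bind DN
    simple = _tlv(0x80, password.encode("utf-8"))     # [0] IMPLICIT OCTET STRING: the password, as-is
    bind = _tlv(0x60, version + name + simple)        # [APPLICATION 0] constructed = 0x40|0x20|0
    return _tlv(0x30, _tlv(0x02, _ber_int(message_id)) + bind)  # outer SEQUENCE


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the TLV) for the element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def decode_bind_request(pdu: bytes) -> dict:
    """Parse one simple-bind LDAPMessage back into its fields; rejects other PDUs."""
    tag, body, _ = _read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, msg_id, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, bind, _ = _read_tlv(body, pos)
    if tag != 0x60:
        raise ValueError("protocolOp is not a BindRequest")
    _, version, pos = _read_tlv(bind, 0)
    _, name, pos = _read_tlv(bind, pos)
    tag, cred, _ = _read_tlv(bind, pos)
    if tag != 0x80:
        raise ValueError("not simple authentication (a SASL bind uses context tag [3])")
    return {
        "message_id": int.from_bytes(msg_id, "big"),
        "version": int.from_bytes(version, "big"),
        "name": name.decode("utf-8"),
        "password": cred.decode("utf-8"),
    }


def password_visible_on_wire(pdu: bytes, password: str) -> bool:
    """Simple bind carries the credential verbatim: no hashing, no challenge.
    Confidentiality therefore rests entirely on the transport (LDAPS or
    StartTLS), which is the setting to verify on any ADAM/LDAP endpoint."""
    return password.encode("utf-8") in pdu


if __name__ == "__main__":
    # Constructed sample values, not from the presentation.
    pdu = encode_bind_request(1, "CN=svc-app,OU=Users,O=Example,C=US", "constructed-secret")
    print(pdu.hex())
    print(decode_bind_request(pdu))
    print("password in cleartext on the wire:", password_visible_on_wire(pdu, "constructed-secret"))
```

The decoder deliberately accepts only the simple-bind shape; a SASL bind (context tag [3]) raises, which is the behaviour you want from a monitoring parser that is meant to flag cleartext binds rather than silently misclassify them.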

Solutions
  • Single Sign On
  • HR-Driven Provisioning
  • Centralized Web-based User Management

Single Sign-On
  • Publishing Company
  • 5000 Users
  • Identities in AD and NT
  • Require SSO for a WebSphere application

Solution
  • Central ADAM User Directory
      – Synchronize with AD and NT using MIIS
  • ADAM proxies authentication requests
      – Which are routed to AD and NT appropriately

HR-Driven Provisioning
  • Large Retailer
  • 65,000 users across multiple companies
      – Growth partly through acquisition
  • SAP systems
      – HR
      – Location / Facility Management
  • Portal Workflow
  • 34 AD Domains

Goals
  • Improve Internal Communication
      – White Pages solution
      – Improve data quality
  • Improve Efficiency
      – Reduce human intervention during provisioning / deprovisioning
  • Maintain control
      – Approval workflows for account creation, assignment of portal roles
  • Increase Security
      – Identify and remove dormant accounts
      – Increase confidence in security group memberships

Solution

Centralized User Admin
  • Reinsurance company
  • 5000 Users
  • Offices around the world
  • "Managed" Offices
      – Members of global domain
      – User management provided centrally
  • "Unmanaged" Offices
      – Stand-alone domains
      – Local user management

Goals
  • Provide global access to global applications
      – True Single Sign On
  • Minimize support costs
      – Centralize Administration
      – Reduced Sign On: Password Sync
  • Improve Security
      – Time-based deprovisioning

Solution
  • Centralized Web-based User Management
      – ASP.NET application
      – Identities in ADAM
      – Users, Contacts, Companies, incl. Inheritance
  • MIIS-based provisioning to other systems
      – Active Directory
      – Oracle-based LOB systems
      – HP/UX-based LOB systems
  • Password Synchronization
      – AD password is authoritative
      – Sync to ADAM & HP/UX

Implementation

Questions?
