- Number of slides: 42
DEP 311: Identity Management with Microsoft Identity Integration Server (formerly MMS)
Steve Plank, Architectural Engineer, Microsoft UK
Visit http://www.microsoft.com/MIIS for more metadirectory information
Visit http://www.MIIS.com for a tasty treat that won't melt in your hands
Agenda
- Diversity and the Identity Crisis
- Identity Integration
- Metadirectory Concepts
- Demos
- Anybody for more demos?
Diversity Is The Reality
- Identity information is fragmented across multiple systems
- The average major corporation has 150 sources of identity (Gartner Group)
- Most is NOT stored in “The Directory”
- Not integrated with business processes
- Systems never designed to work together
The Identity Crisis
The Enterprise Directory Dream
Identity Platform (“Enterprise directory”) providing Authentication, Authorization and Identity Data to: HR System, Contractor System, Lotus Notes Apps, Infra Application, COTS Application, In-House Application
- Single repository of identity information
- Reuse by many applications
- Centralized management, provisioning, schema
What Really Happens (“Identity Chaos”)
The Enterprise Directory and each of HR System, Contractor System, Lotus Notes Apps, Infra Application, COTS Application and In-House Application keep their own Authentication, Authorization and Identity Data, linked by flat files and sneaker-net
- Multiple repositories of identity information
- Multiple user IDs, multiple passwords
Ideal Identity Management (“Unified Identity”)
A single Identity Platform provides Authentication, Authorization and Identity Data for HR System, Contractor System, Lotus Notes Apps, Infra Application, COTS Application and In-House Application
- Single source of identity information
- Single “Authentication system”
Opportunities For Improvement: Identity Data (“Identity Integration”)
The Enterprise Directory, HR System, Contractor System, Lotus Notes Apps, Infra Application, COTS Application and In-House Application each keep their own Authentication, Authorization and Identity Data; an Identity Integration layer ties the identity data together
- Rock solid software to integrate identity
Scenarios
- Hire Scenario
- Fire Scenario
- Join Scenario
- Identity Data Aggregation
- Identity Data Brokering (Identity Convergence)
- Identity Data Integrity Enforcement
Hire Scenario
Connected systems shown: HR System, Contractor System, Lotus Notes, Active Directory, iPlanet Directory, SQL Server, AD App Mode; connector types shown: File, Notes, LDAP, SQL, LDAP; all linked through the Metadirectory
Fire Scenario
Same connected systems, connector types and Metadirectory as the Hire Scenario
Identity Joining Scenario
Attributes held by each connected data source, and how each entry is matched to the metaverse:

  Source             Join rule             givenName  sn       title      mail               employeeID  telephone
  HR System          Project to Metaverse  Clark      Kent                                   007
  Lotus Notes        Join on employeeID    Clark      Kennttt  Reporter                      007
  Active Directory   Join on employeeID    Klarke     Kent     Superhero  Clark@contoso.com  007
  iPlanet Directory  Manual Join           Klarek     Cenntt                                 008         867-5309
  Metaverse (JOINED)                       Clark      Kent                                   007
Attribute Flow Scenario: Identity Data Aggregation
Import flows into the metaverse: FirstName, LastName and EmployeeID from HR System; Title from Lotus Notes; E-Mail from Active Directory; Telephone from iPlanet Directory

  Source             givenName  sn       title      mail               employeeID  telephone
  HR System          Clark      Kent                                   007
  Lotus Notes        Clark      Kennttt  Reporter                      007
  Active Directory   Klarke     Kent     Superhero  Clark@contoso.com  007
  iPlanet Directory  Klarek     Cenntt                                 008         867-5309
  Metadirectory      Clark      Kent     Reporter                      007         867-5309
Attribute Flow Scenario: Identity Data Brokering (Convergence)
Same import flows (FirstName, LastName, EmployeeID from HR System; Title from Lotus Notes; E-Mail from Active Directory; Telephone from iPlanet Directory)

  Source             givenName  sn       title      mail               employeeID  telephone
  HR System          Clark      Kent                                   007
  Lotus Notes        Clark      Kennttt  Reporter                      007
  Active Directory   Klarke     Kent     Superhero  Clark@contoso.com  007
  iPlanet Directory  Klarek     Cenntt                                 007         867-5309
  Metadirectory      Clark      Kent     Reporter   Clark@contoso.com  007         867-5309
Attribute Flow Scenario: Identity Data Integrity Enforcement
Same flows as before (FirstName, LastName, EmployeeID, Title, E-Mail, Telephone); the metadirectory values are written back to every connected system

  Source             givenName  sn    title               mail               employeeID  telephone
  HR System          Clark      Kent  Reporter                               007         867-5309
  Lotus Notes        Clark      Kent  Superhero/Reporter  Clark@contoso.com  007         867-5309
  Active Directory   Clark      Kent  Reporter            Clark@contoso.com  007         867-5309
  iPlanet Directory  Clark      Kent  Reporter            Clark@contoso.com  007         867-5309
  Metadirectory      Clark      Kent  Reporter/Superhero  Clark@contoso.com  007         867-5309

(The slide shows both title values, Superhero and Reporter, for Lotus Notes and the metadirectory; this is residue of the slide animation.)
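Added example, not code from the presentation or from MIIS: a small Python simulation of the join, aggregation and integrity-enforcement steps in the joining and attribute-flow slides above, using the Clark Kent values. The function names, the precedence table and the manual-join parameter are assumptions of mine, not MIIS configuration.

```python
import copy

# Constructed connector-space (CS) entries using the Clark Kent values from the slides.
CS = {
    "HR":      {"givenName": "Clark",  "sn": "Kent",    "employeeID": "007"},
    "Notes":   {"givenName": "Clark",  "sn": "Kennttt", "title": "Reporter", "employeeID": "007"},
    "AD":      {"givenName": "Klarke", "sn": "Kent",    "title": "Superhero",
                "mail": "Clark@contoso.com", "employeeID": "007"},
    "iPlanet": {"givenName": "Klarek", "sn": "Cenntt",  "employeeID": "008", "telephone": "867-5309"},
}

# Import attribute-flow precedence (assumed from the slide arrows): the source that is
# authoritative for each metaverse (MV) attribute.
PRECEDENCE = {"givenName": "HR", "sn": "HR", "employeeID": "HR",
              "title": "Notes", "mail": "AD", "telephone": "iPlanet"}

def join(cs, projecting="HR", join_attr="employeeID", manual_joins=()):
    """Project the HR entry into the MV, then join the other CS entries on employeeID.
    An entry whose join attribute does not match can only be joined manually."""
    mv_id = cs[projecting][join_attr]
    joined, unjoined = {projecting}, set()
    for name, entry in cs.items():
        if name == projecting:
            continue
        if entry.get(join_attr) == mv_id or name in manual_joins:
            joined.add(name)
        else:
            unjoined.add(name)
    return joined, unjoined

def aggregate(cs, joined):
    """Identity data aggregation: assemble the MV entry from the authoritative source
    of each attribute, ignoring sources that are not joined."""
    return {attr: cs[src][attr] for attr, src in PRECEDENCE.items()
            if src in joined and attr in cs[src]}

def enforce(cs, joined, mv):
    """Integrity enforcement: export the MV values back to every joined connected
    directory. Returns the corrected CS copy and the list of overwritten values."""
    cs, changes = copy.deepcopy(cs), []
    for name in sorted(joined):
        for attr, val in mv.items():
            if cs[name].get(attr) != val:
                changes.append((name, attr, cs[name].get(attr), val))
                cs[name][attr] = val
    return cs, changes
```

Without the manual join, the iPlanet entry (employeeID 008) stays unjoined and its telephone never reaches the metaverse; with it, enforcement overwrites the 008, the misspelt surnames and the Superhero title, which is the list of changes an administrator would want to review in preview mode before committing.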
Password Management
- Initial password set
- Centralized password control via a Web app
- Self-service password reset
- Helpdesk password reset
- Decentralized password synchronization: 3rd party password sync products can easily integrate
Diagram: Metadirectory connected to Active Directory, the Web app and iPlanet
Demo: Identity Management Overview
The Scenario
- MIIS 2003
- Active Directory: OU=AdminStaff, OU=Disabled Users, OU=Groups, OU=Users, OU=Staff (a second set of OU=Disabled Users, OU=Groups, OU=Users also appears on the slide)
- HR System (SQL)
- Expenses System (SQL)
- NT 4.0
- iPlanet Directory Server
- Exchange 5.5
Metadirectory Concepts
- Connected Data Source (CD): any source and/or destination containing identity data
- Management Agent (MA): facilitates the communication between MIIS and the CD
- Connector Space (CS): staging area for inbound or outbound synchronized attributes
- Metaverse (MV): central (SQL) store of identity information
- Matching CS entries to a single MV entry is called “join”
Metadirectory Architecture
Identity Repositories connect over the Network to the Metadirectory, each through its own Connector Space (CS) surrounding the Metaverse (MV); the store is SQL Server 2000
Status
- RTM happened on 24th June
- Two live internal Microsoft deployments
- Scale and performance testing: currently at >1.5 million objects for all MAs; targeting 5 million objects for next phase
- Releasing at Catalyst on 8th July
- Select: August Select CD shipment
Agenda
- Diversity and the Identity Crisis
- Identity Integration
- Metadirectory Concepts
- Demos
- Getting Started
Demo: User Interface
Metadirectory Connectors
- AD/Exchange 2000/Exchange “Titanium”
- ADAM
- SunOne Directory (iPlanet)
- SQL
- Oracle
- DSML 2.0
- LDAP Directory Interchange Format (LDIF)
- Delimited Text
- Fixed-Width Text
- Attribute-Value Pair Text
- NT 4
- Exchange 5.5
- Lotus Notes 4.6 and 5.0
- Novell eDirectory 8.62/8.7
- Other LDAP-based and RDBMS systems to follow
Demo: Creating Management Agents
Demo: Running Management Agents
Demo: Identity Aggregation
Demo: Simple Provisioning and De-Provisioning
Demo: Extending MIIS using Visual Studio .NET
Preview Mode
- System is transparent in design
- Allows architect/developer to preview work in the metadirectory without committing any changes
- Allows the testing of: configuration changes, new rules, new connected directories
- Can view all results through the UI
Demo: Preview Mode
Password Sync Encryption – the basic problem (MD4/MD5 demo)
Plaintext password “Carve99” -> One Way Function -> OWF password C62EAD47D82E1037A6AC12CD0CC49C6E, stored in the NT4 SAM; the AD side likewise holds only the OWF password, so neither store has the plaintext available for synchronization
Password Sync: Password Set & Reset
Password Set of “Carve99” flows between the Self Service Password Reset Web Application and MMS
Visualization
- Different hierarchies suit different needs
- Multiple hierarchical representations can be discovered from data
- Polyarchy eliminates the requirement for a fixed hierarchy
- Polyarchy provides multiple hierarchical views and richer visualization of infrastructure information
Identity Management Virtual Track
For the IT Pro
- SEC 400: UNIX & Kerberos Interop to Achieve Identity Mgmt
- DEP 311: Identity Management with Microsoft Metadirectory Services
- WIN 310: AD Branch Office with Windows Server 2003
- ADM 313: Managing Active Directory with MOM
- ADM 314: Delegating Administrative Tasks in Active Directory
For the Developer
- SEC 320/402: Developing Identity-aware apps on Microsoft’s Identity Platform (Part 1 & 2)
- OFC 333: EAI Using SharePoint Portal Server
- WEB 311: Windows Platform Security Services for Web Services
Review
- Diversity and the Identity Crisis
- Identity Integration
- Metadirectory Concepts
Training: SQLSoft, www.sqlsoft.com/promo/mms30.asp
Community Resources
http://www.microsoft.com/communities/default.mspx
- Most Valuable Professional (MVP): http://www.mvp.support.microsoft.com/
- Newsgroups: converse online with Microsoft Newsgroups, including Worldwide: http://www.microsoft.com/communities/newsgroups/default.mspx
- User Groups: meet and learn with your peers: http://www.microsoft.com/communities/usergroups/default.mspx
© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.