Identity Management with MIIS, ADAM, & AzMan
(TechNet webcast, German original title: "Identity Management mit MIIS, ADAM, & AzMan")

Uwe Hoffmann
Solution Specialist, Directory & Identity
Microsoft Deutschland GmbH

Rüdiger Berndt
Architect & Managing Director
Oxford Computer Group

Identity and Access Platform: Technology Areas

Process Integration
• Synchronization
• Workflow
• Business rules
• Auditing

Directory Services
• Users and credentials
• Computers, services
• Policy and licenses

Access Services
• Single sign-on
• Federation
• Certificate services
• Access control

Experiences across the three areas
• IT professional experience: business rule authoring (e.g. provisioning rules), access policy management, compliance reporting
• User experience: Windows integration, Office integration, self-service portal
• Developer experience: directory and identity APIs, access APIs, process integration APIs
• Connectors: integration with non-Windows applications and systems (e.g. directories, databases, ERP, mainframe)

Identity Management Platform (functional view)

Management domains across the top of the diagram: User Management, Infrastructure Management, Network Security, Access Control, Network Management, Service Management.

Service layers:
• Directory Services
• Provisioning Services: automated synchronization, automated provisioning, password management, self-service interface, IdM workflow, auditing & reporting, policy management, enterprise role management, enterprise user management
• Access Services: web SSO, federated SSO, Unix/Linux SSO, host SSO, remote access, access audit & reporting
• Extended Directory Services: smartcard management, certificate management, information rights management, desktop IdM environment
• Frontend Services

Identity Management Platform (product view)

The same layers mapped to products (Microsoft unless marked as partner):
• Directory Services: Windows Server (Active Directory / ADAM, PKI, AzMan)
• Provisioning & Password Management Services: Microsoft Identity Integration Server (automated synchronization and provisioning, password management, self-service interface, IdM workflow, auditing & reporting, policy management, enterprise role and user management)
• Access Services, in the order of the diagram cells: Active Directory Federation Server (web/federated SSO), Quest / Centrify (partner, Unix/Linux SSO), HIS & ESSO (host SSO), ISA Server (remote access), MOM & ACS (access audit & reporting), InfoCard
• Extended Directory Services: Alacris (partner, smartcard management), Windows PKI (certificate management), RMS Server (information rights management)
• Frontend Services

Enterprise Identity Management
Providing the right people or devices with the right access at the right time
(Picture: courtesy of PricewaterhouseCoopers LLP)

Who am I
• User identity, device identity, code identity
• Sign-on using security tokens such as Kerberos, SAP Logon Ticket, SAML, WebSSO, smart card, RSA token, X.509, InfoCard, etc.

What can I do
• ACLs/ACEs, groups, roles and user rights for authorization of tasks, operations, etc.

Where identities are stored
• Security credentials: user names, passwords, certificates, roles, etc.
• Examples: AD, LDAP, MIIS, SAP, databases

How identities are managed
• Identity lifecycle management
• Central user- and role-based provisioning and access-rights management
• Workflow, reporting, auditing, self-service

1. Component: Identity Store
A secure LDAP repository for identities and roles

Choices:
• Active Directory (AD) in infrastructure mode
• Active Directory Application Mode (ADAM)
• Database: SQL Server, etc.

ADAM as identity data store, fed by MIIS:
• Dedicated store for application data
• Standalone or replicated
• Independent of the domain setup
• Local control and autonomy
• Multiple instances on a single machine
• Schema and naming flexibility
• Integration with applications
• Store for central access roles

Microsoft Identity Integration Server (MIIS): Consolidate, Synchronize, Integrate, Standardize
Identity lifecycle management

Identity Aggregation
• Support for over 20 different repositories
• Provides a single, enterprise view of a user
• Uses SQL Server as the information repository

User Provisioning
• Automate account create/manage/delete
• Group & distribution list management
• Workflow

Self-Service
• Self-service password change
• Helpdesk password reset
• Web-based, extensible for building self-service applications

MIIS Internals (Microsoft Identity Integration Server 2003)

Connected data sources, each with its own Management Agent (MA):
• E-mail connected data source (Exchange, Notes, GroupWise, etc.): E-Mail MA
• Database connected data source (SQL, DB2, Oracle, etc.): Database MA
• Directory connected data source (Active Directory, LDAP, eDirectory, etc.): Directory MA

Each MA imports the objects and attributes of its source into its own logical area of the connector space (directory, database and e-mail logical areas). The metaverse holds the aggregated view: connector-space objects from different sources that describe the same person are joined to one metaverse object, attribute flow rules with precedence decide which source wins for each attribute, and provisioning rules decide what flows back out to the connected systems.
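The following is an added example, not code from the deck or from MIIS: a small model of the pipeline in the diagram above. Each management agent fills its own connector space; the projecting (authoritative) MA creates metaverse objects, the others join on a shared anchor (employeeID here); a precedence table decides which MA wins an attribute; and provisioning rules turn the metaverse into export operations for the AD target. The MA names, attribute names, precedence table and all records are constructed for the example.

```python
"""Added example: connector space -> metaverse -> provisioning, MIIS-style.
Not MIIS code; all names and records are constructed."""
from dataclasses import dataclass, field


@dataclass
class MVObject:
    employee_id: str
    attrs: dict = field(default_factory=dict)       # mv attribute -> (value, contributing MA)
    connectors: dict = field(default_factory=dict)  # MA name -> connector-space anchor


# Attribute precedence: for each metaverse attribute the first listed MA wins
# over later ones; an MA that is not listed cannot write the attribute at all.
PRECEDENCE = {
    "displayName": ["HR-MA", "AD-MA"],
    "department": ["HR-MA"],
    "status": ["HR-MA"],
    "mail": ["AD-MA"],
}


def import_flow(ma, cs_record):
    """Inbound attribute flow: rename/compute connector-space attributes into metaverse attributes."""
    if ma == "HR-MA":
        return {"displayName": f"{cs_record['first']} {cs_record['last']}",
                "department": cs_record["dept"], "status": cs_record["status"]}
    if ma == "AD-MA":
        return {"displayName": cs_record["displayName"], "mail": cs_record["mail"]}
    raise ValueError(f"no flow rules for {ma}")


def synchronize(connector_spaces, projecting_ma="HR-MA"):
    """Project/join every connector-space object into the metaverse, keyed on employeeID."""
    metaverse = {}
    # The projecting MA runs first so the others find an object to join; a
    # connector-space object with no join partner stays a disconnector.
    for ma in sorted(connector_spaces, key=lambda m: m != projecting_ma):
        for rec in connector_spaces[ma]:
            key = rec["employeeID"]
            mv = metaverse.get(key)
            if mv is None:
                if ma != projecting_ma:
                    continue
                mv = metaverse[key] = MVObject(key)
            mv.connectors[ma] = rec["anchor"]
            for attr, value in import_flow(ma, rec).items():
                ranking = PRECEDENCE[attr]
                if ma not in ranking:
                    continue
                current = mv.attrs.get(attr)
                if current is None or ranking.index(ma) <= ranking.index(current[1]):
                    mv.attrs[attr] = (value, ma)
    return metaverse


def provision(metaverse):
    """Provisioning rules for the AD target, evaluated after synchronization."""
    exports = []
    for key, mv in metaverse.items():
        status = mv.attrs.get("status", (None, None))[0]
        if status == "active" and "AD-MA" not in mv.connectors:
            cn, dept = mv.attrs["displayName"][0], mv.attrs["department"][0]
            exports.append({"op": "add", "employeeID": key,
                            "dn": f"CN={cn},OU={dept},DC=contoso,DC=local"})
        elif status == "terminated" and "AD-MA" in mv.connectors:
            exports.append({"op": "disable", "anchor": mv.connectors["AD-MA"]})
    return exports


# Constructed sample connector spaces (an HR database MA and an AD directory MA).
HR_CS = [
    {"anchor": "1001", "employeeID": "1001", "first": "Anna", "last": "Müller", "dept": "Sales", "status": "active"},
    {"anchor": "1002", "employeeID": "1002", "first": "Bernd", "last": "Koch", "dept": "IT", "status": "terminated"},
    {"anchor": "1003", "employeeID": "1003", "first": "Clara", "last": "Weiss", "dept": "HR", "status": "active"},
]
AD_CS = [
    {"anchor": "guid-1", "employeeID": "1001", "displayName": "Anna Mueller", "mail": "anna@contoso.example"},
    {"anchor": "guid-2", "employeeID": "1002", "displayName": "Bernd Koch", "mail": "bernd@contoso.example"},
    {"anchor": "guid-9", "employeeID": "9999", "displayName": "Orphan Account", "mail": "orphan@contoso.example"},
]


def run_example():
    """Run one sync cycle over the sample data; returns (metaverse, pending AD exports)."""
    mv = synchronize({"AD-MA": AD_CS, "HR-MA": HR_CS})
    return mv, provision(mv)


if __name__ == "__main__":
    mv, exports = run_example()
    for key, obj in sorted(mv.items()):
        print(key, {a: v for a, (v, _) in obj.attrs.items()}, sorted(obj.connectors))
    print(exports)
```

Two things to notice when running it: the AD account with employeeID 9999 never reaches the metaverse (a disconnector, exactly the kind of orphan account a join report should surface), and the terminated employee is disabled rather than deleted, which keeps the audit trail the deck's "Auditing & Reporting" layer depends on.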

AD & SAP End-to-End Solution: Password Synchronization Example

Components: Active Directory, MIIS with PCNS / OCG-PWS, SAP R/3, SAP HR, SAP EP6 with its User Management Engine (UME).

Flow:
1. The user changes the password in Active Directory.
2. The password change is captured on the domain controller (PCNS) and sent to the password management service on MIIS (OCG-PWS).
3. MIIS sends the new password to the connected SAP systems: the password is changed in SAP R/3 and in the Enterprise Portal UME.

Because the cleartext password travels from the domain controller through MIIS to every target, the MIIS host and its links to the DCs and the SAP systems must be protected like the domain controllers themselves.

MIIS 2003 SP2 Password Self-Service Reset

• Self-service password reset planned for MIIS SP2; leverages MIIS system connectivity and account management
• User registration: proactive enrollment, or the help desk can force users to enroll when a password is forgotten
• Q&A authentication configuration is very flexible to accommodate different organizations' security requirements
• Q&A can be exposed to the help desk to authenticate callers
• Significant update to the web applications shipped with MIIS 2003
• Working with the Speech Server team to enable phone password reset

MIIS Physical Architecture: High-Availability Configuration (diagram only, no text content on the slide)

MIIS Management Agents
• Active Directory (Windows 2000/2003, Exchange 2000/2003)
• Active Directory Application Mode (ADAM)
• Global Address List (GAL) Sync (Exchange 2000 and Exchange 2003)
• Netscape/iPlanet/Sun ONE Directory (up to 5.2, includes "changelog" support)
• IBM DB2 Universal Database (7 or 8.1 on Windows or Linux)
• IBM Directory Server (4.x/5.x on Windows 2000/2003)
• SQL Server (SQL Server 7 and SQL Server 2000)
• Oracle databases (8i and 9i)
• Directory Services Markup Language (DSML) 2.0
• LDAP Data Interchange Format (LDIF), delimited text, fixed-width text, attribute-value pair text
• OpenLDAP (planned, end of 2005)
• Windows NT 4.0 domains and Exchange Server 5.5, Exchange Server 5.5 bridgehead
• Lotus Notes (4.6, 5.0, 6.x)
• Novell eDirectory (8.6.x and 8.7.x)
• Host RACF systems (ACF, TS, OS400 planned, 2006+)
• SAP, PeopleSoft (planned, end of 2005)

Oxford Computer Group add-ons, available today:
• Unix systems (VMS, HP-UX, Sun, Linux, SCO, other)
• SAP R/3 / SAP HR / CUA (Central User Administration)
• Additional HR systems (Paisy, PeopleSoft)
• LDAP-based telephone systems (Alcatel, HiCom, ...)
• Web-based admin interfaces for ADAM
• SharePoint, Vintela, RSA SecurID

2. Component: Authentication
Proving you are who you say you are

• Verifying a digital identity: account + credentials
• Identify yourself: tell me something you know, or show me something that you have
• Check this against our identity store

ADAM authentication:
• Primary authentication method is LDAP simple bind; the DN and the password are sent as plain octet strings in the bind request, so simple binds must only be accepted over LDAPS/TLS
• Forwards Windows integrated authentication for AD users, and proxies LDAP binds for known users (bind redirection via userProxy objects) to AD and NT4 in the same or trusted domains
• Secure token integration with RSA SecurID

Active Directory Application Mode (ADAM)
• Windows Server 2003: ADAM as a web download; LDAP-only mode of AD with independent configuration; identical performance at scale; in use as extranet and application-specific directory
• Windows Server 2003 R2: ADAM included in the OS distribution; one-way AD-to-ADAM sync eliminates the need for MIIS/IIFP in simple scenarios
• Longhorn Server: same as R2
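To make the "simple bind" point concrete, here is an added example that is not code from the deck or from ADAM: a minimal BER encoder/decoder for the LDAPv3 simple-bind exchange (BindRequest and BindResponse as in RFC 4511), plus a toy responder that checks the password against a constructed DN/password table. The DN, the table and the message IDs are assumptions for the example; a real ADAM instance verifies stored credentials or, for userProxy objects, redirects the bind to AD. There is no network I/O; the point is what the bytes of the request contain.

```python
"""Added example: LDAPv3 simple bind on the wire (BER), with a toy responder.
Not ADAM code; DIRECTORY and the sample DN are constructed."""
import hmac

SEQUENCE, INTEGER, OCTET_STRING, ENUMERATED = 0x30, 0x02, 0x04, 0x0A
APP_BIND_REQUEST, APP_BIND_RESPONSE = 0x60, 0x61  # [APPLICATION 0] / [APPLICATION 1], constructed
CTX_SIMPLE = 0x80                                  # AuthenticationChoice: simple [0] OCTET STRING
SUCCESS, INVALID_CREDENTIALS = 0, 49               # LDAPResult resultCode values


def _length(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + _length(len(content)) + content


def ber_int(tag, value):
    """Minimal two's-complement encoding for INTEGER / ENUMERATED."""
    size = 1
    while not -(1 << (8 * size - 1)) <= value < (1 << (8 * size - 1)):
        size += 1
    return tlv(tag, value.to_bytes(size, "big", signed=True))


def read_tlv(buf, pos=0):
    """Return (tag, content, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def build_simple_bind(message_id, dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }"""
    op = ber_int(INTEGER, 3) + tlv(OCTET_STRING, dn.encode()) + tlv(CTX_SIMPLE, password.encode())
    return tlv(SEQUENCE, ber_int(INTEGER, message_id) + tlv(APP_BIND_REQUEST, op))


def parse_simple_bind(pdu):
    """Return (messageID, version, dn, password) from a simple BindRequest."""
    tag, msg, _ = read_tlv(pdu)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(msg)
    tag, op, _ = read_tlv(msg, pos)
    if tag != APP_BIND_REQUEST:
        raise ValueError("not a BindRequest")
    _, version, pos = read_tlv(op)
    _, dn, pos = read_tlv(op, pos)
    tag, auth, _ = read_tlv(op, pos)
    if tag != CTX_SIMPLE:
        raise ValueError("only simple authentication is handled here")
    return (int.from_bytes(mid, "big", signed=True),
            int.from_bytes(version, "big", signed=True), dn.decode(), auth.decode())


def build_bind_response(message_id, result_code, diagnostic=""):
    """LDAPMessage { messageID, BindResponse { resultCode, matchedDN, diagnosticMessage } }"""
    op = ber_int(ENUMERATED, result_code) + tlv(OCTET_STRING, b"") + tlv(OCTET_STRING, diagnostic.encode())
    return tlv(SEQUENCE, ber_int(INTEGER, message_id) + tlv(APP_BIND_RESPONSE, op))


def parse_bind_response(pdu):
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse."""
    _, msg, _ = read_tlv(pdu)
    _, mid, pos = read_tlv(msg)
    tag, op, _ = read_tlv(msg, pos)
    if tag != APP_BIND_RESPONSE:
        raise ValueError("not a BindResponse")
    _, code, pos = read_tlv(op)
    _, _matched_dn, pos = read_tlv(op, pos)
    _, diag, _ = read_tlv(op, pos)
    return (int.from_bytes(mid, "big", signed=True),
            int.from_bytes(code, "big", signed=True), diag.decode())


# Constructed directory, DN -> password, for the example only. A real store
# keeps hashes; ADAM redirects userProxy binds to AD instead of comparing here.
DIRECTORY = {"CN=User1,OU=Users,O=Contoso": "Pa55w0rd"}


def respond_to_bind(pdu, directory=DIRECTORY):
    """Toy ADAM-like responder: success only for LDAPv3 and a matching password."""
    mid, version, dn, password = parse_simple_bind(pdu)
    ok = version == 3 and hmac.compare_digest(directory.get(dn, "").encode(), password.encode())
    return build_bind_response(mid, SUCCESS if ok else INVALID_CREDENTIALS,
                               "" if ok else "invalid credentials")


if __name__ == "__main__":
    request = build_simple_bind(1, "CN=User1,OU=Users,O=Contoso", "Pa55w0rd")
    print(request.hex())  # the DN and the password are readable in the PDU
    print(parse_bind_response(respond_to_bind(request)))
```

Printing the request hex shows the password bytes verbatim; that is the whole argument for terminating simple binds on LDAPS only, and it is also why a network capture of port 389 is worth checking after an ADAM deployment.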

3. Component: Administration and Life Cycle Management

• New user: user ID creation, credential issuance, entitlements
• Change user: promotions, transfers, entitlement changes
• Help desk: "lost" credentials, password reset, new entitlements
• Retire user: delete accounts, remove entitlements
• Reporting: compliance, audit, security

The stages are tied together by integration and workflow; self-service covers the password kiosk, identity data and requests for new entitlements.

Role-based administration with a .NET-based web front-end (GUI); web front-ends available from Nakisa, OCG, BMC and Avanade.

4. Component: Authorization
What each person can and can't do

• Most systems have rules or policies that dictate what a digital ID can or cannot do (access control)
• Based on attributes of the digital identity (retrieved from a directory)
• Comparing policy to the attributes of a digital identity is known as authorization (AuthZ)

Enterprise Roles (diagram)

User, OU, O, Group -> Enterprise Role -> App Role -> Task -> Operation / Action

A user is assigned enterprise roles directly or through the OU, O or group it belongs to; each enterprise role maps to application roles, an application role groups tasks, and a task consists of operations/actions. User lifecycle management (MIIS) owns the left side of the chain; role design (AzMan) owns the right.

Flexible Role Mapping with MIIS/ADAM
• Multiple users can be mapped directly to multiple roles
• Multiple organizational units (OUs) or organizations (Os) can be mapped to multiple roles
• The IAM system calculates all user-specific roles from the parent OUs and the mapped OUs/Os

Multiple Views to Users with MIIS/ADAM
• Support for multiple views of the directory (e.g. admin-related, HR-related, SAP business views)
• Flexible role assignment to multiple views
• Views and user mappings are visible in the Admin Console

Linked attributes in ADAM (diagram)

• User object: ocgOrgView (multi-valued, managed by the Admin Console) holds DN references to Organizational Unit 1, Organization 1, further organizations/OUs ...
• Organization object 1: ocgOrgMember (multi-valued) holds DN references to User 1, User ...; automatically back-linked
• Organizational unit object 1: ocgOrgMember (multi-valued) holds DN references to User 1, User ...; automatically back-linked

The user's ocgOrgView is the forward link; ADAM maintains ocgOrgMember on the organization and OU objects as the back link, so membership can be read from either side without a second write.

Flexible Role Management with MIIS/ADAM
• Using ADAM for calculating back-link attributes
• Reporting on user and role level

Diagram walk-through:
• OU object 1 in ADAM (User 2 is assigned to OU 1) and User object 1 in ADAM carry memberOf references to the enterprise roles (EntRoleA, EntRoleB, EntRoleC)
• Role objects in ADAM (assigned to group objects) with the attributes member, sapRoles, oracleRoles; forward link ocgRolesList, back link ocgRoleMember
  • Enterprise Role A: Oracle roles (ORA1-activ, Ora2), SAP roles (SAP1, SAP4, SAP6), app roles ...
  • Enterprise Role B: Oracle roles (ORA5-activ, Ora7), SAP roles (SAP1, SAP3, SAP9), app roles ...
  • Enterprise Role C: Oracle roles (ORA7-activ, Ora2), SAP roles (SAP1, SAP8, SAP9)
• MIIS: calculation of the summary role assignment (OU + user); splits the enterprise roles into application roles for each target system (role mapping)
• Target applications after export:
  • SAP system: User 1: SAP1, SAP3, SAP4, SAP6, SAP9; User 2: SAP1, SAP4, SAP6, SAP8, SAP9
  • Oracle system: User 1: ORA1-activ, Ora2, ORA7, ORA5-activ; User 2: ORA1-activ, ORA2, ORA7-activ
  • Other system: User 1: ...; User 2: ...
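As an added example that is not code from the deck or from OCG's tooling, the following reproduces the calculation the two role slides ("Flexible Role Mapping" and "Flexible Role Management") describe: effective enterprise roles are the union of a user's direct assignments, the roles mapped to every container on the parent chain of the user's OU/O, and the roles of each extra OU/O referenced in the user's ocgOrgView; the enterprise roles are then split into application roles per target system, and the back link (ocgRoleMember) is derived from the forward link (ocgRolesList). The DNs, the role catalogue and the users are constructed so that User1 and User2 reproduce the figures on the slide; User3 and User4 are added to show inheritance from a parent OU and assignment through a view. DN handling is simplified (split on commas, no escaping).

```python
"""Added example: summary role calculation and per-system role split, as on
the role slides. Not OCG/MIIS code; all DNs, roles and users are constructed."""
from collections import defaultdict

# Enterprise role -> application roles per target system (values from the slide).
ROLE_CATALOGUE = {
    "EntRoleA": {"Oracle": {"ORA1-activ", "Ora2"}, "SAP": {"SAP1", "SAP4", "SAP6"}},
    "EntRoleB": {"Oracle": {"ORA5-activ", "Ora7"}, "SAP": {"SAP1", "SAP3", "SAP9"}},
    "EntRoleC": {"Oracle": {"ORA7-activ", "Ora2"}, "SAP": {"SAP1", "SAP8", "SAP9"}},
}

# Roles mapped to organization / OU objects (constructed; "OU 1" of the slide is OU=Sales).
CONTAINER_ROLES = {
    "O=Contoso": set(),
    "OU=Sales,O=Contoso": {"EntRoleA"},
    "OU=IT,O=Contoso": set(),
}

# Users: where they live, extra ocgOrgView references, and directly mapped roles.
USERS = {
    "User1": {"dn": "CN=User1,OU=Sales,O=Contoso", "views": [], "roles": {"EntRoleB"}},
    "User2": {"dn": "CN=User2,OU=Sales,O=Contoso", "views": [], "roles": {"EntRoleC"}},
    "User3": {"dn": "CN=User3,OU=Field,OU=Sales,O=Contoso", "views": [], "roles": set()},
    "User4": {"dn": "CN=User4,OU=IT,O=Contoso", "views": ["OU=Sales,O=Contoso"], "roles": set()},
}


def parent_chain(dn):
    """'OU=Field,OU=Sales,O=Contoso' -> [that DN, 'OU=Sales,O=Contoso', 'O=Contoso']."""
    parts = dn.split(",")
    return [",".join(parts[i:]) for i in range(len(parts))]


def container_of(user_dn):
    """Drop the leading RDN: the container the user object sits in."""
    return ",".join(user_dn.split(",")[1:])


def effective_roles(user, container_roles=CONTAINER_ROLES):
    """Summary role assignment (OU + user): direct roles, plus the roles of the
    user's container and all its parents, plus the same for each view reference."""
    roles = set(user["roles"])
    for start in [container_of(user["dn"])] + list(user["views"]):
        for container in parent_chain(start):
            roles |= container_roles.get(container, set())
    return roles


def application_roles(enterprise_roles, catalogue=ROLE_CATALOGUE):
    """Split enterprise roles into the application roles exported to each target system."""
    per_system = defaultdict(set)
    for role in enterprise_roles:
        for system, app_roles in catalogue[role].items():
            per_system[system] |= app_roles
    return dict(per_system)


def back_links(forward):
    """Invert a forward link (holder -> targets) into its back link (target -> holders)."""
    inverted = defaultdict(set)
    for holder, targets in forward.items():
        for target in targets:
            inverted[target].add(holder)
    return dict(inverted)


def run_example(users=USERS):
    """Returns (ocgRolesList per user, per-system exports per user, ocgRoleMember per role)."""
    roles_list = {name: effective_roles(u) for name, u in users.items()}
    exports = {name: application_roles(r) for name, r in roles_list.items()}
    return roles_list, exports, back_links(roles_list)


if __name__ == "__main__":
    roles, exports, members = run_example()
    for name in sorted(roles):
        print(name, sorted(roles[name]), {s: sorted(v) for s, v in exports[name].items()})
    for role in sorted(members):
        print(role, "members:", sorted(members[role]))
```

Because every application role is recomputed from the enterprise roles on each run, moving User2 out of OU=Sales drops EntRoleA and therefore SAP4/SAP6 and ORA1-activ/Ora2 from the next export automatically, which is the deprovisioning guarantee the "Business Benefits" slide relies on; the back-link table is what the central audit over all user roles reads.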

Business Benefits of Central Authorization

Cost savings:
• Central user-to-role mapping in the user help desk via the web admin interface; no application-specific coordination effort
• Increased process automation: creation/deletion of users in the application store based on their roles
• Assignment of enterprise roles is more effective than assigning application roles
• Fewer exceptions in role management decrease help-desk calls
• Faster provisioning process
• Central authorization control for connected offices or companies is possible

Compliance with security regulations:
• Quality and consistency of authorization is improved
• Central audit over all user roles can be done in the identity store (ADAM)

Enables federation services

IdM Project Release Phases

1. Build / (Migrate) Identity Store

2. Connect primary user repositories (Init Load/Join)

3. Integration of Workflow systems

4. Reporting, Logging

5. Connect additional user repositories

IdM Architecture Examples

IdM Project Example 1
• Single point of administration
• Application integration with the corporate directory
• Workflow / rules for automatic admin processes
• Password synchronization over MIIS
• Role-based application provisioning

Diagram: Microsoft Identity Integration Server 2003 in the centre, with management agents to:
• Infrastructure AD (centralized management, provisioning)
• Corporate Directory (ADAM), which serves white pages / the global address book, self-service and applications over LDAP / web services
• Data warehouse (non-LDAP sync)
• Phone system (non-LDAP sync)
• Service + help desk
• Application on Unix
• SAP/HR systems
• Reporting / logging DB
• BizTalk: workflow for the user request / approval process (e.g. InfoPath, mail, web part)

IAM Project Example 2 with SAP CUA

Diagram: MIIS in the centre, ADAM (identity data store) as the hub:
• SAP MAs to SAP CUA, which administers several SAP R/3 systems
• Active Directory MA to the Active Directory forests
• ADAM MA to ADAM; a web admin GUI works directly on ADAM
• Oracle MA to the business DB
• AutoGroup MIIS module (AG MA) over LDAP
• Active Directory MA to the intranets of the member companies
• SAP EP 6.0, the member-company intranets and the business DB resolve users through LDAP queries against the identity store

Summary: Central User Administration
• More than just Active Directory user management
• Identity store: Active Directory Application Mode
• Identity synchronization: MIIS
• Role-based provisioning with the help of MIIS

Further Identity Management Webcasts
Deeper coverage of further IAM topics

IdM TechNet Webcast Series:
• Part 1, 21 Oct 2005: Central User Administration - Intro (this webcast)
• Part 2, 28 Oct 2005, 11:00: Microsoft Identity Integration Server (MIIS)
• Part 3, 16 Nov 2005, 15:30: Identity Workflow & Reporting with MIIS, BizTalk & SQL Server
• Part 4, 9 Dec 2005, 11:00: Microsoft / SAP Identity Integration & Single Sign-On; AD and MIIS integration options with SAP R/3 and Enterprise Portal
• Part 5, planned Jan 2006: Microsoft Windows Server R2 Federation Services; web SSO with Active Directory Federation Services

Questions and Answers

More Information

OCG Identity Management websites:
www.miis-alliance.com
www.miis-experts.org
www.oxfordcomputergroup.com

Microsoft Identity Management Solution:
www.microsoft.com/idm
www.microsoft.com/technet/security/topics/identitymanagement/idmanage/default.mspx
www.microsoft.com/mmsug

MIIS product website:
www.microsoft.com/miis

Glossary
• ADAM: Active Directory Application Mode (LDAPv3)
• ADFS: Active Directory Federation Services
• AuthN: Authentication
• AuthZ: Authorization
• AzMan: Authorization Manager
• MA: MIIS Management Agent
• MIIS: Microsoft Identity Integration Server
• IdM: Identity Management
• IIFP: Identity Integration Feature Pack (MIIS for AD/ADAM sync only)
• IIS: Microsoft Internet Information Server
• RBAC: Role-Based Access Control

MIIS Future: "Gemini"
• Add core functionality required for process integration services: rich workflow, centralized auditing, self-service application platform with integrated workflow and auditing, computed attributes, entitlement management based on organizational roles
• Expose new functionality to IT pros and end users: identity manager console for declarative entitlement management, self-service applications
• Expose self-service application interfaces for ISVs and corporate developers

Your potential. Our passion. (Microsoft Germany slogan, original: "Ihr Potenzial. Unser Antrieb.")