DEP311Identity Management with Microsoft Identity Integration Server (formerly MMS)
Steve Plank
Architectural Engineer | Microsoft UK
Visit http://www.microsoft.com/MIIS for more metadirectory information
Visit http://www.MIIS.com for a tasty treat that won't melt in your hands
Agenda
Diversity and the Identity Crisis
Identity Integration
Metadirectory Concepts
Demos
Demos
Demos
Demos
Anybody for more demos?
Diversity Is The Reality
Identity information is fragmented across multiple systems
Average major corporation has 150 sources of identity‡
Most is NOT stored in “The Directory”
Not integrated with business processes
Systems never designed to work together
‡ Gartner Group
The Identity Crisis
Agenda
Diversity and the Identity Crisis
Identity Integration
Metadirectory Concepts
The Enterprise Directory Dream
“Enterprise directory” Single repository of identity information
Reuse by many applications
Centralized management, provisioning, schema
[Diagram: HR System, Infra Application, Lotus Notes Apps, In-House Applications, COTS Application and Contractor System all relying on one Identity Platform for Authentication, Authorization and Identity Data]
What Really Happens
“Identity Chaos” Multiple repositories of identity information
Multiple user IDs, multiple passwords
Decentralized management, ad hoc data sharing
[Diagram: the same systems each carrying their own Authentication, Authorization and Identity Data, linked to the Enterprise Directory only by flat files and sneaker-net]
Ideal Identity Management
[Diagram: each system's Authentication, Authorization and Identity Data fed from a single Identity Platform]
“Unified Identity” Single source of identity information
Single “Authentication system”
Centralized management
Opportunities For Improvement: Identity Data
[Diagram: an Identity Integration layer sits between the Enterprise Directory and the identity data held in each system]
“Identity Integration” Rock solid software to integrate identity
Scenarios
Hire Scenario
Fire Scenario
Join Scenario
Identity Data Aggregation
Identity Data Brokering (Identity Convergence)
Identity Data Integrity Enforcement
Hire Scenario
[Diagram: a new record in the HR System flows into the Metadirectory, which provisions the Contractor System, AD Application Mode, SQL Server, iPlanet Directory, Active Directory and Lotus Notes over File, LDAP and SQL connections]
Fire Scenario
[Diagram: a termination in the HR System flows through the Metadirectory to the same connected systems (Contractor System, AD Application Mode, SQL Server, iPlanet Directory, Active Directory, Lotus Notes) over File, LDAP and SQL connections]
Identity Joining Scenario
[Diagram: HR System, iPlanet Directory, Active Directory and Lotus Notes each hold an entry with givenName, sn, title, mail, employeeID and telephone for the same person: Klarek Cenntt (008), Clark Kennttt (007), Klarke Kent, Superhero (007, 867-5309) and Clark Kent, Reporter (007, 867-5309). One entry is projected to the Metaverse, two join automatically on employeeID, and the entry with employeeID 008 needs a manual join]
Attribute Flow Scenario: Identity Data Aggregation
[Diagram: the HR System supplies FirstName, LastName, EmployeeID, Title and Telephone; the joined Metaverse entry for Clark Kent (007) aggregates givenName, sn, title, employeeID and telephone (Reporter, 867-5309) from the connected entries]
Attribute Flow Scenario: Identity Data Brokering (Convergence)
[Diagram: the values aggregated in the Metaverse (Clark, Kent, Reporter, 867-5309) flow out to the connected directories that were missing them]
Attribute Flow Scenario: Identity Data Integrity Enforcement
[Diagram: the authoritative Metaverse values flow out and overwrite conflicting values, so the title Superhero held in a connected directory is replaced by Reporter]
Password Management
Initial password set
Centralized password control via a Web app
Self-service password reset
Helpdesk password reset
Decentralized password synchronization
3rd party password sync products can easily integrate
[Diagram: Web app, Metadirectory, Active Directory and iPlanet]
Identity Management Overview
demo
The Scenario
MIIS 2003
Active Directory: OU=Admin, OU=Staff, OU=Disabled Users, OU=Groups, OU=Users
Expenses System (SQL)
HR System (SQL)
NT 4.0
Exchange 5.5
iPlanet Directory Server
Agenda
Diversity and the Identity Crisis
Identity Integration
Metadirectory Concepts
Metadirectory Concepts
Connected Data Source (CD): Any source and/or destination containing identity data
Management Agent (MA): Facilitates the communication between MIIS and the CD
Connector Space (CS): Staging area for inbound or outbound synchronized attributes
Metaverse (MV): Central (SQL) store of identity information. Matching CS entries to a single MV entry is called “join”
[Diagram: CD connected through an MA to its CS inside MIIS, with all CSs linked to the MV]
Metadirectory Architecture
[Diagram: the Metadirectory holds the MV and one CS per connected source, all stored in SQL Server 2000; the identity repositories are reached over the network]
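As an added example (not code from this deck or from MIIS), a toy model of the concepts above: per-MA connector spaces, projection and join into the metaverse on employeeID, import flow with precedence (aggregation/brokering) and export flow (integrity enforcement). The connector-space records, the HR-only projection rule and the precedence order are constructed assumptions.

```python
# Toy model of MIIS synchronization (added example, not MIIS code): connector spaces (CS) per
# management agent (MA), projection/join into the metaverse (MV), import flow with precedence, export flow.
CONNECTOR_SPACES = {  # constructed CS contents, following the slide's deliberately dirty data
    "HR":      [{"givenName": "Clark", "sn": "Kent", "employeeID": "007",
                 "title": "Reporter", "telephone": "867-5309"}],
    "AD":      [{"givenName": "Clark", "sn": "Kennttt", "employeeID": "007"}],
    "Notes":   [{"givenName": "Klarke", "sn": "Kent", "title": "Superhero", "employeeID": "007"}],
    "iPlanet": [{"givenName": "Klarek", "sn": "Cenntt", "employeeID": "008"}],  # wrong ID
}
PROJECTING_MAS = {"HR"}  # assumed projection rule: only the HR MA may create MV objects
PRECEDENCE = {           # assumed import-flow precedence: first listed MA holding the attribute wins
    "givenName": ["HR", "AD", "iPlanet", "Notes"],
    "sn":        ["HR", "AD", "iPlanet", "Notes"],
    "title":     ["HR", "Notes", "AD", "iPlanet"],
    "telephone": ["AD", "iPlanet", "Notes", "HR"],
}

def synchronize(connector_spaces, join_attr="employeeID"):
    """Project HR entries into the MV, then join the other MAs' entries on employeeID; no match => disconnector."""
    metaverse, disconnectors = {}, []
    for ma in PROJECTING_MAS:
        for entry in connector_spaces.get(ma, []):
            metaverse[entry[join_attr]] = {"connectors": {ma: entry}}
    for ma, entries in connector_spaces.items():
        if ma in PROJECTING_MAS:
            continue
        for entry in entries:
            mv = metaverse.get(entry.get(join_attr))
            if mv is None:
                disconnectors.append((ma, entry))  # stays unjoined until a manual join
            else:
                mv["connectors"][ma] = entry
    return metaverse, disconnectors

def import_flow(mv_object):
    """Aggregation/brokering: take each MV attribute from the highest-precedence CS that has it."""
    resolved = {}
    for attr, order in PRECEDENCE.items():
        for ma in order:
            cs = mv_object["connectors"].get(ma)
            if cs is not None and attr in cs:
                resolved[attr] = cs[attr]
                break
    return resolved

def export_flow(mv_attrs, mv_object):
    """Integrity enforcement: for each connected MA, the attributes that differ from the MV value."""
    changes = {ma: {a: v for a, v in mv_attrs.items() if cs.get(a) != v}
               for ma, cs in mv_object["connectors"].items()}
    return {ma: diff for ma, diff in changes.items() if diff}
```

Running it on the constructed data joins the two 007 records to the projected HR object, leaves the 008 record as a disconnector, and queues Reporter to overwrite Superhero in Notes.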
Status
RTM happened on 24th June
Two live internal Microsoft deployments
Scale and performance testing: currently at >1.5 million objects for all MAs
Targeting 5 million objects for next phase
Releasing at Catalyst on 8th July
Select – August Select CD shipment
Agenda
Diversity and the Identity Crisis
Identity Integration
Metadirectory Concepts
Demos
Getting Started
User Interface
demo
Metadirectory Connectors
AD / Exchange 2000 / Exchange “Titanium”
ADAM
SunOne Directory (iPlanet)
SQL
Oracle
DSML 2.0
LDAP Directory Interchange Format (LDIF)
Delimited Text
Fixed-Width Text
Attribute-Value Pair Text
NT4
Exchange 5.5
Lotus Notes 4.6 and 5.0
Novell eDirectory 8.62/8.7
Other LDAP-based and RDBMS systems to follow
Creating Management Agents
demo
Running Management Agents
demo
Identity Aggregation
demo
Simple Provisioning and De-Provisioning
demo
Extending MIIS using Visual Studio .NET
demo
Preview Mode
System is transparent in design
Allows architect/developer to preview work in the metadirectory without committing any changes
Allows the testing of:
Configuration changes
New rules
New connected directories
Can view all results through the UI
Preview Mode
demo
Password Sync: Encryption – the basic problem
[Diagram: the plaintext password “Carve99” is put through a One Way Function; AD and the NT4 SAM store only the OWF password C62EAD47D82E1037A6AC12CD0CC49C6E]
MD4/MD5 Demo
Password Sync: Password Set & Reset
[Diagram: the user enters “Carve99” once in the MMS Self Service Password Reset Web Application, which performs a Password Set in each connected directory]
Visualization
Different hierarchies suit different needs
Multiple hierarchical representations can be discovered from data
Polyarchy eliminates the requirement for fixed hierarchy
Polyarchy provides multiple hierarchical views and richer visualization of infrastructure information
Identity Management Virtual Track
For the IT Pro
SEC400: UNIX & Kerberos Interop to Achieve Identity Mgmt
DEP311: Identity Management with Microsoft Metadirectory Services
WIN310: AD Branch Office with Windows Server 2003
ADM313: Managing Active Directory with MOM
ADM314: Delegating Administrative Tasks in Active Directory
For the Developer
SEC320/402: Developing Identity-aware apps on Microsoft’s Identity Platform (Part 1 & 2)
OFC333: EAI Using SharePoint Portal Server
WEB311: Windows Platform Security Services for Web Services
Review
Diversity and the Identity Crisis
Identity Integration
Metadirectory Concepts
Training: SQLSoft: www.sqlsoft.com/promo/mms30.asp
Community Resources
Community Resources: http://www.microsoft.com/communities/default.mspx
Most Valuable Professional (MVP): http://www.mvp.support.microsoft.com/
Newsgroups: Converse online with Microsoft Newsgroups, including Worldwide: http://www.microsoft.com/communities/newsgroups/default.mspx
User Groups: Meet and learn with your peers: http://www.microsoft.com/communities/usergroups/default.mspx
Evaluations
© 2003 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.