Enterprise Identity
Steve Plank – Microsoft
Hugh Simpson-Wells – Oxford Computer Group
Dave Nesbitt – Oxford Computer Group
Agenda
• Overview of Enterprise Identity Challenges/Solutions
• Individual Group Discussions (led)
• Large Group “Debate”
The Digital Identity Lifecycle
[Diagram: roles in the organisation: Director, Service Manager, Product Manager, PA, Sales Person, Customer Service, Engineer, HR Admin, Call Handler]
The Digital Identity Lifecycle
[Diagram: Role 1 to Role 5, with the lifecycle stages Joining Identities, Identity Data Aggregation, Identity Data Brokering, Identity Data Enforcement, Access Management and the Hire/Fire Scenario]
• Roles are defined
• People are hired
• People change role
• People are fired (they leave of their own accord too!)
• They access critical assets
• A business owns critical assets
Hire Scenario
[Diagram: the HR System feeds a change (Δ) to the Provisioning System or Metadirectory, which pushes the new identity out to E-mail, Contractor System, LOB App, Database, Application Directory and Infrastructure Directory over LDAP, SQL and API connectors]
Fire Scenario
[Diagram: the HR System feeds a change (Δ) to the Provisioning System or Metadirectory, which pushes the removal out to E-mail, Contractor System, LOB App, Database, Application Directory and Infrastructure Directory over LDAP, SQL and API connectors]
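The Δ step behind the Hire and Fire scenarios, as an added example that is not part of the deck: two HR snapshots are compared, each event fans out to every connected system, and an enforcement check lists accounts that survived a missed fire. The connected systems are taken from the slides; their connector types and the HR records are constructed.

```python
# Added example, not from the slides: the delta (Δ) step of the hire/fire
# scenario. Connector types and the HR snapshots are constructed assumptions.
TARGETS = {
    "E-mail": "API", "Contractor System": "API", "LOB App": "API",
    "Database": "SQL", "Application Directory": "LDAP",
    "Infrastructure Directory": "LDAP",
}

def hr_delta(previous, current):
    """Compare two HR snapshots keyed by employeeID.
    Returns (kind, employeeID, record) tuples, kind in hire/change/fire."""
    events = []
    for emp_id, rec in current.items():
        if emp_id not in previous:
            events.append(("hire", emp_id, rec))
        elif rec != previous[emp_id]:
            events.append(("change", emp_id, rec))
    for emp_id, rec in previous.items():
        if emp_id not in current:
            events.append(("fire", emp_id, rec))
    return events

def provisioning_actions(events):
    """Fan every event out to every connected system. A fire disables the
    account in all of them, so nothing is left behind in, say, the
    Contractor System when the role never used the LOB App."""
    verb = {"hire": "create", "change": "update", "fire": "disable"}
    return [(target, proto, verb[kind], emp_id)
            for kind, emp_id, _ in events
            for target, proto in TARGETS.items()]

def orphans(target_accounts, current):
    """Enforcement check: accounts in a connected system with no live HR
    record. These are what a missed or failed fire event leaves behind."""
    return sorted(acct for acct in target_accounts if acct not in current)

# Constructed HR snapshots: 008 joins, then 007 leaves and 008 changes role.
MONDAY = {"007": {"sn": "Kent", "title": "Reporter"}}
TUESDAY = {"007": {"sn": "Kent", "title": "Reporter"},
           "008": {"sn": "Lane", "title": "Reporter"}}
FRIDAY = {"008": {"sn": "Lane", "title": "Editor"}}

if __name__ == "__main__":
    for action in provisioning_actions(hr_delta(TUESDAY, FRIDAY)):
        print(action)
    print("orphans in LOB App:", orphans({"007", "008", "svc_batch"}, FRIDAY))
```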
Metadirectory: Join, Attribute Flow, Enforcement…
[Diagram: the HR System, Application Directory, Infrastructure Directory and E-mail System each hold a record for the same person with the attributes givenName, sn, title, mail, employeeID and telephone, but with inconsistent values (Klarek Cenntt, employeeID 008; Clark Kennttt; Klarke Kent, title Reporter, telephone 867-5309; Clark Kent, title Reporter, employeeID 007). Records are joined on employeeID or on mail, projected to the metadirectory where no join is found, or joined manually; the joined metadirectory object reads Clark Kent, employeeID 007, telephone +44 123 456 7890]
Metadirectory: Identity Joining Scenario
[Diagram: the same four source records as on the previous slide, joined into one metadirectory object (Clark Kent, employeeID 007, title Superhero, telephone +44 123 456 7890) whose values then flow back out to the HR System, Application Directory, Infrastructure Directory and E-mail System, so that each now reads Clark Kent, 007, +44 123 456 7890]
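The join shown on the two metadirectory slides, as an added example that is not the deck's own code: each source record is joined on employeeID, then on mail, otherwise projected; a projection nothing else joins waits in a manual-join queue, and attribute flow builds the authoritative object that is enforced back to the sources. Which connected system holds which of the slide's sample records, the mail value and the precedence table are constructed assumptions.

```python
# Added example: metadirectory join, projection, manual join and attribute flow.
ATTRS = ("givenName", "sn", "title", "mail", "employeeID", "telephone")
JOIN_RULES = ("employeeID", "mail")   # tried in this order, as on the slide
SOURCES = {   # constructed: one person as seen by four connected systems
    "HR System": {"givenName": "Clark", "sn": "Kent", "title": "Reporter", "employeeID": "007"},
    "E-mail System": {"givenName": "Clark", "sn": "Kennttt", "employeeID": "007",
                      "mail": "ckent@example.com"},
    "Infrastructure Directory": {"givenName": "Klarke", "sn": "Kent", "title": "Reporter",
                                 "mail": "ckent@example.com", "telephone": "+44 123 456 7890"},
    "Application Directory": {"givenName": "Klarek", "sn": "Cenntt", "employeeID": "008",
                              "telephone": "867-5309"},
}
PRECEDENCE = {   # authoritative source per attribute; first one present wins
    "givenName": ["HR System"], "sn": ["HR System"], "title": ["HR System"],
    "employeeID": ["HR System"], "mail": ["E-mail System"],
    "telephone": ["Infrastructure Directory", "Application Directory"],
}

def join(sources):
    """Return (metaverse, manual-join queue); a metaverse object is {source: record}.
    A record joins the single object sharing a join-rule value; otherwise it is
    projected as a new object, and a lone projection is queued for an operator."""
    metaverse = []
    for src, rec in sources.items():
        hits = []
        for attr in JOIN_RULES:
            if attr in rec:
                hits = [mv for mv in metaverse
                        if any(r.get(attr) == rec[attr] for r in mv.values())]
                if hits:
                    break
        if len(hits) == 1:
            hits[0][src] = rec
        else:                       # no match, or ambiguous: never auto-merge
            metaverse.append({src: rec})
    return metaverse, [mv for mv in metaverse if len(mv) == 1]

def manual_join(metaverse, orphan, target):
    """Operator confirms the orphan is the same person: merge it into target."""
    metaverse.remove(orphan)
    target.update(orphan)

def flow(mv):
    """Attribute flow: the authoritative view that is enforced back to sources."""
    out = {}
    for attr in ATTRS:
        for src in PRECEDENCE[attr]:
            if attr in mv.get(src, {}):
                out[attr] = mv[src][attr]
                break
    return out
```

With the constructed data the mistyped Application Directory record (employeeID 008, no mail) is the one left for manual join; after the operator merges it, the flowed telephone is still the Infrastructure Directory value because of precedence.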
Single Sign On
• Simple SSO
    • Single Authentication Authority, Single Server
    • Single Authentication Authority, Multiple Server
• Complex SSO
    • Single Credential Set
        • Token Based SSO
        • PKI Based SSO
    • Multiple Credential Set
        • Credential Sync (Consistent Sign On)
        • Client-side Credential Mapping
        • Server-side Credential Mapping
Simple SSO
[Diagram: clients perform an AuthN Exchange with a single Authentication Service backed by a Credential Store (probably an LDAP directory, with Replication); Resource Servers Trust the Authentication Service and perform Token Validation]
No SSO
[Diagram: two separate Authentication Services, each with its own Credential Store (probably LDAP directory); the user performs a separate AuthN Exchange with each]
Complex SSO: 1 Credential, Token-based
[Diagram: two Authentication Services, each with its own Credential Store (probably LDAP directory); a single AuthN Exchange with the first yields a Temp Token that the second accepts because of a Trust relationship between them]
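The exchange on the token-based slide, as an added example that is not part of the deck: one AuthN Exchange against the credential store produces a short-lived Temp Token, and a resource server that trusts the authentication service validates the token's MAC, audience and expiry instead of seeing the password at all. The token format, shared trust key, credential store contents and lifetimes are constructed assumptions.

```python
# Added example: the temp-token exchange of token-based SSO. Token format,
# shared trust key, password store and lifetimes are constructed.
import base64, hashlib, hmac, json

TRUST_KEY = b"constructed-shared-secret"   # shared out of band with each resource server
TAG_LEN = hashlib.sha256().digest_size

def make_credential(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed credential store (the "probably LDAP directory" box): salted hashes only.
CREDENTIAL_STORE = {"fsmith": (b"salt-1", make_credential("correct horse", b"salt-1"))}

def issue_token(user, audience, now, ttl=300, key=TRUST_KEY):
    """Authentication service: bind subject, audience and expiry, then MAC them."""
    body = json.dumps({"sub": user, "aud": audience, "exp": now + ttl},
                      sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()

def authn_exchange(user, password, audience, now, store=CREDENTIAL_STORE):
    """The single AuthN Exchange: one credential check, one temp token out."""
    salt, digest = store.get(user, (b"", b""))
    if not digest or not hmac.compare_digest(digest, make_credential(password, salt)):
        return None
    return issue_token(user, audience, now)

def validate_token(token, audience, now, key=TRUST_KEY):
    """Resource server: relies on the trust key, never on the credential store.
    Returns the subject, or None for a tampered, wrong-audience or expired token."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:
        return None
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None
    claims = json.loads(body)
    if claims.get("aud") != audience or claims.get("exp", 0) <= now:
        return None
    return claims["sub"]

if __name__ == "__main__":
    tok = authn_exchange("fsmith", "correct horse", "lob-app", now=1_000)
    print(validate_token(tok, "lob-app", now=1_100))   # fsmith
    print(validate_token(tok, "lob-app", now=1_400))   # None: expired
```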
Consistent Sign On: Password Sync
[Diagram: two Authentication Services with separate Credential Stores (probably LDAP directories) and separate AuthN Exchanges; a PW trap captures the plaintext pw at the first, a Password Copy Service carries it to the second, and each side's Password Crypto System turns plaintext pw into cyphertext pw]
Normalize identities - metadirectory
Complex SSO – Client Cache
[Diagram: two Authentication Services with separate Credential Stores (probably LDAP directories); a Password Cache on the client supplies the credentials for the AuthN Exchange with each]
Complex SSO – Server Cache
[Diagram: two Authentication Services with separate Credential Stores (probably LDAP directories); a Client Installed SSO Agent obtains the password from a server-side store and performs the AuthN Exchange with each]
Single Sign-On: Complex SSO – Server Cache (Client-side SSO Agent)
• SSO Agent detects login dialog
• Retrieves credentials from ID store & fills in dialog
• Understands password change dialogs
• Auto-generates new passwords
[Diagram: the Client-side SSO Agent fills the Login dialog (User-id, Password) from the SSO Attributes of the User object in the ID Store (User-id: FSmith, Password: *****)]
Review
• Overview of Enterprise Identity Challenges/Solutions
• Individual Group Discussions (led)
• Large Group “Debate”