Slide 1: Enterprise Identity
Steve Plank – Microsoft
Hugh Simpson-Wells – Oxford Computer Group
Dave Nesbitt – Oxford Computer Group
Slide 2: Agenda
• Overview of Enterprise Identity Challenges/Solutions
• Individual Group Discussions (led)
• Large Group “Debate”
Slide 3: The Digital Identity Lifecycle – Roles
Diagram of example roles: Director, Service Manager, Product Manager, PA, Sales Person, Customer Service, Engineer, HR Admin, Call Handler.
Slide 4: The Digital Identity Lifecycle
Topics: Access Management, Joining Identities, Identity Data Aggregation, Identity Data Enforcement, Identity Data Brokering, Hire/Fire Scenario.
Lifecycle diagram (Role 1 to Role 5):
• Roles are defined
• People are hired
• People change role
• People are fired (they leave of their own accord too!)
• They access critical assets
• A business owns critical assets
Slide 5: Hire Scenario
Diagram: the HR System and the Contractor System feed a Provisioning System or Metadirectory, which in turn provisions the LOB App, Database, Application Directory, Infrastructure Directory and E-mail. Connector labels on the diagram: Δ (change), LDAP, LDAP, SQL, API.
Slide 6: Fire Scenario
Diagram: the same topology as the Hire Scenario (HR System and Contractor System, Provisioning System or Metadirectory, LOB App, Database, Application Directory, Infrastructure Directory, E-mail; connectors Δ, LDAP, LDAP, SQL, API), now driven by a leaver event instead of a hire.
Slide 7: Metadirectory – Join, Attribute Flow, Enforcement…
Diagram: four connected systems (HR System, Application Directory, Infrastructure Directory, E-mail System), each holding the attributes givenName, sn, title, mail, employeeID and telephone. The same person is recorded differently in each: Clark Kent / Reporter / 007 in HR, Klarek Cenntt / 008, Clark Kennttt, and Klarke Kent / Reporter / 867-5309 elsewhere. Records are matched by "Join on employeeID", "Join on mail" or "Manual Join", and the joined object is projected to the metadirectory (marked JOINED) as Clark Kent, 007, +44 123 456 7890.
Slide 8: Metadirectory – Identity Joining Scenario
Diagram: the same four systems and records as slide 7. One connected system now carries the title Superhero. After the join, the metadirectory holds Clark Kent, employeeID 007, telephone +44 123 456 7890, and that joined record is flowed back out to every connected system.
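The joining scenario of slides 7 and 8 as an added worked example (not code from the slides or from the speakers' products): a toy metadirectory that projects the HR record, joins the other systems on employeeID, then on mail, then by a recorded manual join, flows attributes by precedence, and computes the enforcement (export) changes. The record values are constructed to mirror the slides; HR's mail address, the connector precedence and the MANUAL_JOINS table are assumptions.

```python
# Added example, not from the slides: toy metadirectory with projection, join
# on employeeID, join on mail, manual join, attribute flow and enforcement.
# Records mirror slides 7-8 (misspellings are the slide's); HR's mail address
# and MANUAL_JOINS are constructed assumptions.
CONNECTORS = {
    "HR System": {"givenName": "Clark", "sn": "Kent", "title": "Reporter",
                  "employeeID": "007", "mail": "ck@example.test"},
    "Application Directory": {"givenName": "Klarek", "sn": "Cenntt", "employeeID": "008"},
    "Infrastructure Directory": {"givenName": "Clark", "sn": "Kennttt",
                                 "employeeID": "007", "title": "Superhero",
                                 "telephone": "+44 123 456 7890"},
    "E-mail System": {"givenName": "Klarke", "sn": "Kent", "title": "Reporter",
                      "mail": "CK@example.test", "telephone": "867-5309"},
}
PRECEDENCE = ["HR System", "Infrastructure Directory", "E-mail System",
              "Application Directory"]          # HR is authoritative
MANUAL_JOINS = {("Application Directory", "008"): "007"}  # admin decisions

def join(connectors, manual_joins):
    """Project HR, then join each other record on employeeID, then on mail
    (case-insensitive), then via a manual join; return the method per connector."""
    emp = connectors["HR System"]["employeeID"]
    mails = {connectors["HR System"].get("mail", "").lower()} - {""}
    how = {"HR System": "projected"}
    for cs, rec in connectors.items():
        if cs == "HR System":
            continue
        if rec.get("employeeID") == emp:
            how[cs] = "joined on employeeID"
        elif rec.get("mail", "").lower() in mails:
            how[cs] = "joined on mail"
        elif manual_joins.get((cs, rec.get("employeeID"))) == emp:
            how[cs] = "manual join"
        else:
            how[cs] = "disconnected"
            continue
        if rec.get("mail"):                # joined records widen the mail key set
            mails.add(rec["mail"].lower())
    return how

def flow(connectors, how):
    """Attribute flow: each attribute takes the first joined source in PRECEDENCE."""
    joined = [connectors[s] for s in PRECEDENCE if how[s] != "disconnected"]
    return {a: next(r[a] for r in joined if a in r)
            for a in dict.fromkeys(k for r in joined for k in r)}

def enforce(connectors, metaverse, how):
    """Export: attributes each joined connector must change to match the metaverse."""
    return {cs: {a: v for a, v in metaverse.items() if rec.get(a) != v}
            for cs, rec in connectors.items() if how[cs] != "disconnected"}
```

Running `enforce(CONNECTORS, flow(CONNECTORS, join(CONNECTORS, MANUAL_JOINS)), ...)` shows the Superhero title being reverted to Reporter and the stale 867-5309 telephone replaced, which is the enforcement step of slide 8.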
Slide 9: Single Sign On
• Simple SSO
  • Single Authentication Authority, Single Server
  • Single Authentication Authority, Multiple Server
• Complex SSO
  • Single Credential Set
    • Token Based SSO
    • PKI Based SSO
  • Multiple Credential Set
    • Credential Sync (Consistent Sign On)
    • Client-side Credential Mapping
    • Server-side Credential Mapping
Slide 10: Simple SSO
Diagram: the client performs an AuthN Exchange with an Authentication Service backed by a Credential Store (probably an LDAP directory, kept consistent by Replication); the Resource Server has a Trust relationship with that service and performs Token Validation against it.
Slide 11: No SSO
Diagram: two independent Authentication Services, each with its own Credential Store (probably an LDAP directory); the client performs a separate AuthN Exchange with each.
Slide 12: Complex SSO: 1 Credential, Token-based
Diagram: two Authentication Services, each with its own Credential Store (probably an LDAP directory). The client performs one AuthN Exchange with the first service and receives a Temp Token; it presents that Temp Token to the second service, which accepts it because of a Trust relationship with the first.
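The slide-12 flow as an added example (not code from the slides): service 1 performs the AuthN Exchange against its own credential store and issues a short-lived Temp Token; service 2 never sees the password and accepts the token only because it trusts service 1's key, the token is addressed to it, the MAC verifies and the expiry has not passed. The service names, shared secret, user and the plain SHA-256 credential store are constructed assumptions, not a production design.

```python
# Added example, not from the slides: "1 credential, token-based" SSO with a
# Temp Token issued by svc1 and validated by svc2 under a trust relationship.
import base64, hashlib, hmac, json, time

TRUST = {"svc2": {"svc1": b"constructed-shared-secret"}}  # svc2 trusts svc1
# Toy credential store for svc1 (plain SHA-256 is not a password KDF; it
# only stands in for "the service's own credential store" here).
CREDENTIALS = {"svc1": {"fsmith": hashlib.sha256(b"correct horse").hexdigest()}}

def authn_exchange(service, user, password):
    """Primary AuthN Exchange against the service's own credential store."""
    stored = CREDENTIALS.get(service, {}).get(user)
    return stored is not None and hmac.compare_digest(
        stored, hashlib.sha256(password.encode()).hexdigest())

def issue_temp_token(issuer, key, user, audience, ttl=60, now=None):
    """Temp Token: JSON body (issuer, subject, audience, expiry) + HMAC-SHA256."""
    body = {"iss": issuer, "sub": user, "aud": audience,
            "exp": int(now if now is not None else time.time()) + ttl}
    raw = json.dumps(body, sort_keys=True).encode()
    mac = hmac.new(key, raw, hashlib.sha256).digest()       # 32 bytes
    return base64.urlsafe_b64encode(raw + mac).decode()

def validate_temp_token(service, token, now=None):
    """Return the subject if the token comes from an issuer this service
    trusts, is addressed to this service, is intact and unexpired; else None."""
    try:
        blob = base64.urlsafe_b64decode(token)
        raw, mac = blob[:-32], blob[-32:]
        body = json.loads(raw)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(body, dict):
        return None
    key = TRUST.get(service, {}).get(body.get("iss"))      # trust check
    if key is None or body.get("aud") != service:          # audience check
        return None
    if not hmac.compare_digest(hmac.new(key, raw, hashlib.sha256).digest(), mac):
        return None                                         # integrity check
    if body.get("exp", 0) <= int(now if now is not None else time.time()):
        return None                                         # expiry check
    return body["sub"]

def sso_login(user, password, now=None):
    """One AuthN Exchange with svc1, then access to svc2 via the Temp Token."""
    if not authn_exchange("svc1", user, password):
        return None
    token = issue_temp_token("svc1", TRUST["svc2"]["svc1"], user, "svc2", now=now)
    return validate_temp_token("svc2", token, now=now)
```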
Slide 13: Consistent Sign On: Password Sync
Diagram: two Authentication Services, each with its own Credential Store (probably an LDAP directory) and its own Password Crypto System; the client still performs an AuthN Exchange with each. A PW trap captures the plaintext password in the first system and hands it to a Password Copy Service, which passes it through the second system's Password Crypto System so that the ciphertext password stored there corresponds to the same plaintext.
Note on the slide: Normalize identities - metadirectory
Slide 14: Complex SSO – Client Cache
Diagram: two Authentication Services, each with its own Credential Store (probably an LDAP directory); the client performs an AuthN Exchange with each, supplying credentials from a Password Cache held on the client.
Slide 15: Complex SSO – Server Cache
Diagram: two Authentication Services, each with its own Credential Store (probably an LDAP directory); a Client Installed SSO Agent supplies the password for each AuthN Exchange from a server-held store.
Slide 16: Complex SSO – Server Cache (Client-side SSO Agent)
• SSO Agent detects login dialog
• Retrieves credentials from ID store & fills in dialog
Diagram: a Login dialog (User-id, Password) on the client; the ID Store holds a User object with SSO Attributes (User-id: FSmith, Password: *****), which the Client-side SSO Agent reads. The agent also understands password change dialogs and auto-generates new passwords.
Slide 17: Review
• Overview of Enterprise Identity Challenges/Solutions
• Individual Group Discussions (led)
• Large Group “Debate”