R2 Solutions

Education

Published on February 20, 2008

Author: Marco1

Source: authorstream.com

Agenda: St. Louis / Minneapolis / Des Moines / Omaha (agenda slides, titles only)

Identity Management in Windows Server R2: Active Directory Federation Services

Identity Management Solutions:
- Mike Kellogg, Technology Specialist, Microsoft Corporation, mike.kellogg@microsoft.com
- Blain Checkley, Sr. Architect, Unisys, Blain.checkley@unisys.com

The Business Cost:
- On average, users are provisioned in 16 systems and de-provisioned in 12.
- Enterprises have 68 internal and 12 external account stores.
- 75% of internal users and 38% of external users are in multiple stores.
- Password resets cost $57-$147.
- Consequences: security risks, increased IT cost, lost productivity.

Identity and Access Management (Windows Server 2003 R2 solution):
- Active Directory – Global: distributed and scalable architecture; strong authentication; user and desktop management; Exchange Server integration.
- Subsystem for UNIX Applications – UNIX identity management.
- AD Application Mode – Local to App: application-specific information; runs as an LDAP service; integrates with AD for services such as SSO.
- UNIX Identity Management: Server for Network Information Service (NIS) helps integrate Windows and UNIX domains; password synchronization simplifies password maintenance across platforms. Benefit: efficient multi-platform identity management.
- Active Directory Federation Services (ADFS): enables secure, appropriate access to web applications outside their domain/forest; extranet authentication and single sign-on for customers, partners and employees; identity federation; can be based on roles, groups, etc.
- MIIS/IIFP – Integration/Business Process: synchronizes identity across enterprise stores; provides a state-based view of the user across the enterprise; simplifies management of the identity lifecycle.

Vision for IAM Connected Systems (past / present / future diagram):
- Past: application silos; an ID for each system; internally focused; limit to business value; custom integration.
- Present: identity integration, internal and external; high cost to value.
- Future: connected systems; federated; built to extend; low cost to value; identity platform (AD, ADAM, MIIS, ADFS) exposed through web services.

Identity and Access Management (Windows Server 2003 solution):
- Active Directory.
- Active Directory Application Mode (ADAM): lightweight, domain-independent mode of Active Directory for application directory scenarios; interoperability with domain mode for authentication. Benefit: tailor the directory services infrastructure for local control/autonomy or shared services.
- UNIX Identity Management: Server for NIS helps integrate Windows and UNIX domains; password synchronization simplifies password maintenance across platforms. Benefit: efficient multi-platform identity management.
- Active Directory Federation Services (ADFS).
- Microsoft Identity Integration Server 2003 (MIIS).

Windows Integrated Authentication:
- Logon to Windows.
- Flexible authentication: Kerberos; X.509 v3/smartcard/PKI; VPN/802.1x/RADIUS; LDAP; Passport/Digest/Basic (web); SSPI/SPNEGO.
- Single sign-on to: Windows file/print servers; Microsoft applications; 390/AS400 (Host Integration Server); ERP (BizTalk, SharePoint ESSO); third-party integrated apps; web applications via IIS; Unix/J2EE (Services for Unix, Vintela/Centrify).

Active Directory Application Mode:
- Lightweight, domain-independent mode of Active Directory for application directory scenarios.
- Same code as Active Directory = same programming model, admin tools and replication model.
- Simple wizard-based install; no DCPROMO.
- Schema flexibility; synchronization with Active Directory possible via the Identity Integration Feature Pack.
- Free web download.
- Authentication in Active Directory, authorization in ADAM for increased security.

ADAM Usage Scenarios – Application-specific local directory:
- Example: web portal with personalization. Store personalization info in ADAM; use Active Directory for authentication.
- (Diagram: the client authenticates against the infrastructure Active Directory; the server stores and retrieves data in ADAM.)

UNIX Password Synchronization:
- Pull the NIS schema into Active Directory.
- Bidirectional password sync and user name mapping, supported on: HP-UX 11i; Sun Solaris 8 & 9; IBM AIX 5L 5.2; Red Hat Linux 9.0.
- Mapping Server: map Windows user and group accounts to UNIX.

SFU functionality in Windows Server R2 (2004 vs. 2006 table):
- Components: User/Name Mapping, SUA, NIS Server, Password Sync, Telnet Server, NFS Server/Client, NFS Admin & Utils.
- Table notes: already ships in Windows Server 2003 SP1; optional install: Other Network File & Print Services; optional install: Identity Management; 64-bit support + Oracle/SQL ODBC connectors; optional install: Windows Subsystem for UNIX Applications; retired, supported in SFU 3.5 until 2011 (2014); GNU, BSD & SCO tools and VS integration available via a separate download package; Visual Studio integration (compile/build/debug).

UNIX Identity Management:
- Consolidation of administration and monitoring across platforms.
- Remotely monitor and administer Windows-based systems in the same fashion and with the same tools as UNIX-based systems.
- Efficient cross-platform user management (diagram of mixed UNIX and Windows servers and workstations).

R2 UNIX Application Portability:
- Customer situation: dependency on custom-developed legacy code.
- WS2003R2 provides UNIX-to-Windows application portability: application usage across environments; a complete UNIX subsystem on the Windows kernel.
- Integration methods: direct invocation; pipes; sockets; shared memory; COM; XML web service.

Federated Identity Management:
- A set of standards-based technology and IT processes to facilitate distributed identification, authentication and authorization across boundaries (security, departmental, organizational or platform).

Orgs Have To Extend Access:
- Your COMPANY and your EMPLOYEES: customer satisfaction and customer intimacy; cost competitiveness; reach, personalization; collaboration; outsourcing; faster business cycles and process automation; value chain; M&A; mobile/global workforce; flexible/temp workforce.

Active Directory Federation Services – Integrating the Browser and metasystem:
- Extends AD to Internet scenarios: Internet and federated web single sign-on; works with existing AD deployments.
- Leverages digital identities and WS-* standards: extensible and interoperable; uses WS-Trust to enable token translation; uses WS-Federation for cross-platform interoperability; supports Kerberos and SAML 1.1 tokens; a great example of the identity metasystem.
- Third-party support: Centrify, Vintela, Ping, …
- Availability: included with Windows Server 2003 R2.

Security Tokens & Claims – Raw materials for distributed access management:
- Security tokens assert claims.
- Claims: statements authorities make about security principals (name, identity, key, group, privilege, capability, etc.).
- Token kinds in the diagram: signed (X.509, Kerberos, XrML, SAML), secret key, password, proof of possession.
- Security token services (STS) issue security tokens; an STS is similar to a Kerberos Key Distribution Center (KDC).

What Is A Digital Identity?
- A set of claims that characterize a person or thing in the digital world.
- A claim is a statement made about someone/something by someone/something.
- Claims are packaged in security tokens.

Using Claims:
1. Get service policy: describes the required claims.
2. Acquire security tokens: tokens contain claims.
3. Use security tokens: associate claims with application messages.

Federated IAM in Action – X-organization, X-platform Web SSO (Bob's Fish & Tackle and Worms-R-Us):
- User clicks the BF & T portal link to the Worms-R-Us order processing application.
- User is redirected to the Bob's Fish & Tackle STS and seamlessly authenticated via Kerberos (Windows integrated AuthN and AD), which yields the user's SIDs.
- User obtains a SAML security token from the BF & T STS for the Worms-R-Us STS: federation claims per business agreement.
- User obtains a SAML security token from the Worms-R-Us STS for the application: federation + application-specific claims.
- User accesses the Worms-R-Us order processing application.

Identity Federation in Action (diagram): the A. Datum account forest and the Trey Research resource forest joined by a federation trust.

OK … so what do I need to make this work?

ADFS Architecture:
- Active Directory (2K, 2K3, ADAM): authenticates users; manages attributes.
- Federation Service (FS): the STS (security token service); issues security tokens; populates claims (statements an authority makes about security principals); manages federation trust policy.
- FS Proxy (FS-P): client proxy for token requests; provides the UI for browser clients.
- Web Server SSO Agent: enforces user authentication; creates the user authorization context.
- Transports in the diagram: HTTPS; LPC/web methods; Windows authentication/LDAP.
- Application (authorization): Windows NT impersonation and ACLs; ASP.NET IsInRole(); AzMan RBAC integration; ASP.NET raw claims API.

ADFS: Supported Claim Types:
- WS-Federation interoperable claim types: Identity – User Principal Name (UPN), Email Address, Common Name (any string value); Group; Custom name/value pair (e.g. SSN / 123-45-6789).
- ADFS-to-ADFS only authZ data: SIDs, sent to avoid employee shadow accounts in the extranet DMZ; carried in the SAML token Advice element (not a standard claim type).
- Organizational claims: a common set of claims across account stores and partners; mark organizational claims as sensitive (not audited/logged).

Good idea, but what is necessary on the other end?
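The Web SSO walk-through and the claim types above, as an added example that is not code from the deck or from ADFS itself: an account STS turns AD groups into organizational claims per the business agreement, the resource STS validates the partner token under the federation trust and reissues application claims, and the application performs an IsInRole()-style check. HMAC-SHA256 over canonical JSON stands in for the XML signature of a real SAML 1.1 token; the keys, URIs and mapping tables are assumed.

```python
"""Federated web SSO claims pipeline (Bob's Fish & Tackle -> Worms-R-Us).
Constructed example, not Microsoft/ADFS code.  HMAC over canonical JSON replaces
the XML signature of a real SAML token; keys, URIs and mappings are assumed."""
import hashlib
import hmac
import json

BFT_KEY = b"constructed-bft-sts-signing-key"       # Bob's Fish & Tackle (account) STS
WRU_KEY = b"constructed-wormsrus-sts-signing-key"  # Worms-R-Us (resource) STS
BFT_STS, WRU_STS, APP = "urn:bft:sts", "urn:wormsrus:sts", "urn:wormsrus:orders"
# Outgoing mapping at BF&T: AD group -> organizational claim (the business agreement).
BFT_OUTGOING = {"Purchasing": "Buyer"}
# Incoming mapping at Worms-R-Us: organizational claim -> application claim.
WRU_INCOMING = {"Buyer": "OrderEntry"}

def sign(key, body):
    canonical = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()

def issue_token(key, issuer, audience, claims, now, lifetime=300):
    """Mint a token with SAML-style validity conditions (NotBefore / NotOnOrAfter)."""
    tok = {"issuer": issuer, "audience": audience, "claims": claims,
           "not_before": now, "not_on_or_after": now + lifetime}
    tok["sig"] = sign(key, tok)
    return tok

def validate_token(trusted_keys, expected_audience, tok, now):
    """Federation-trust check: known issuer, intact signature, right audience, in lifetime."""
    key = trusted_keys.get(tok["issuer"])
    if key is None:
        raise ValueError("untrusted issuer")
    body = {k: v for k, v in tok.items() if k != "sig"}
    if not hmac.compare_digest(sign(key, body), tok["sig"]):
        raise ValueError("bad signature")
    if tok["audience"] != expected_audience:
        raise ValueError("wrong audience")
    if not tok["not_before"] <= now < tok["not_on_or_after"]:
        raise ValueError("token expired")
    return tok["claims"]

def map_claims(claims, rules, passthrough=("upn", "email", "cn")):
    """Claim translation: identity claims pass through, group claims are rewritten by
    the rules table, everything else (SIDs, custom claims such as SSN) is dropped
    rather than leaked to the other realm."""
    out = []
    for ctype, value in claims:
        if ctype in passthrough:
            out.append([ctype, value])
        elif ctype == "group" and value in rules:
            out.append(["group", rules[value]])
    return out

def account_sts(windows_identity, now):
    """BF&T STS: user already authenticated by Kerberos; token for the WRU STS."""
    return issue_token(BFT_KEY, BFT_STS, WRU_STS, map_claims(windows_identity, BFT_OUTGOING), now)

def resource_sts(federation_token, now):
    """WRU STS: accept the partner token under the federation trust, reissue for the app."""
    org_claims = validate_token({BFT_STS: BFT_KEY}, WRU_STS, federation_token, now)
    return issue_token(WRU_KEY, WRU_STS, APP, map_claims(org_claims, WRU_INCOMING), now)

def app_is_in_role(app_token, role, now):
    """Order-processing app: the SSO agent validates, then an IsInRole()-style check."""
    return ["group", role] in validate_token({WRU_STS: WRU_KEY}, APP, app_token, now)

def web_sso(windows_identity, now, role="OrderEntry"):
    """Whole passive-profile flow, redirects omitted: account STS -> resource STS -> app."""
    return app_is_in_role(resource_sts(account_sts(windows_identity, now), now), role, now)

def reject_reason(step, *args):
    """Run one validation step; return the rejection reason, or None if accepted."""
    try:
        step(*args)
        return None
    except ValueError as err:
        return str(err)

# Constructed Windows identity as the BF&T STS sees it after Kerberos logon.
ALICE = [["upn", "alice@bft.example"], ["group", "Purchasing"],
         ["sid", "S-1-5-21-0-0-0-1105"], ["custom:ssn", "123-45-6789"]]

if __name__ == "__main__":
    print(web_sso(ALICE, now=1_700_000_000))  # True
```

The lifetime check is what bounds the replay window of a passive-profile token, and the signature check is what makes a client-side claim edit fail at the resource STS or the application.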
ADFS: Standards-Based Solution:
- Multi-vendor, multi-platform interoperability via web services (WS-Federation): IBM, PingID, BMC, Oracle, CA, Quest, RSA, Centrify and others.

WS-* Architecture – An architecture for an identity metasystem:
- Composable architecture for web services; broad participation across the industry; open, published, standards-track architecture; available royalty free.
- Security token format neutral: the OASIS WS-Security specification is the basis (X.509, Kerberos, SAML 1.1, 1.2, 2.0, XrML, …).
- Dynamic system for exchanging claims: WS-MetadataExchange, WS-SecurityPolicy, …
- Token and claim translation: WS-Trust defines security token services (STS).
- All major specs are on track to OASIS.

WS-Federation:
- Web Services Federation Language: defines messages to enable security realms to federate and exchange security tokens; built upon WS-Security and WS-Trust.
- Wide industry support: authors BEA, IBM, Microsoft, RSA, VeriSign; 3/04 workshop: IBM, OpenNetwork, Oblix, Netegrity, RSA, PingID.
- Two "profiles" of the model defined: passive (web browser) clients over HTTP/S (ADFS v1); active (smart/rich) clients over SOAP (ADFS v2).
- Cross-organization, multi-vendor interoperability.

Passive Requestor Profile (supported by ADFS v1 in W2K03 R2):
- Binding of WS-Federation and WS-Trust for browser (passive) clients.
- Clients implicitly adhere to policy by following redirects and implicitly acquire tokens via HTTP messages.
- Authentication requires secure transport (HTTPS).
- Cannot provide "proof of possession" for tokens; limited (time-based) token caching; tokens can be replayed.

Active Requestor Profile (future ADFS release in the Longhorn wave):
- Binding of WS-Federation and WS-Trust for SOAP/XML-aware (active) clients.
- Clients explicitly determine token needs from policy and explicitly request tokens via SOAP messages.
- Strong authentication of all requests; can provide "proof of possession" for tokens.
- Supports delegation: the client can provide a token for a web service to use on its behalf.
- Allows rich token caching at the client: improved user experience and performance.

ADFS Scenario: Web SSO:
- User credentials and attributes managed in Active Directory/ADAM at the application.
- Benefits: single sign-on to a farm of IIS v6 web apps; stronger authentication via forms and client-side certs; ADAM support (LDAP user store in the perimeter); support for "road warrior" applications: Windows integrated auth for internal users, ADFS auth for external users.

ADFS Scenario: Identity Federation:
- User credentials and attributes managed in the "home realm" by the partner organization.
- Benefits: single sign-on to internal and partner web applications; fewer passwords for users to forget; lower password reset costs; centralized administration, delegated to partners; automated restriction of partner app access; logging of inbound and outbound access requests.

ADFS Benefits:
- Extend the value of Active Directory deployments to facilitate secure collaboration with partners: more user efficiency (fewer passwords, single sign-on); more IT efficiency (centralized admin of extranet accounts); better security (automated restriction of access, nothing "in the clear"); better regulatory compliance (logging/auditing of all user activity); interop with heterogeneous application environments via WS-Federation.
- Extend the value of Windows Server identity services in internet-facing web environments: stronger authentication for extranet deployments (AD, ADAM); extranet and federated SSO; "native" delegated administration; tight integration with MS authorization technologies; interop with heterogeneous user management environments via WS-Federation.

ADFS Promotes Organizational Efficiency (diagram slide)

ADFS Improves Security & Regulatory Compliance (diagram slide)

ID Lifecycle Management – Consolidate ID lifecycle management (synchronize, integrate, standardize) with Microsoft Identity Integration Server:
- Identity aggregation: support for over 20 different repositories; provides a single, enterprise view of a user; uses SQL Server as the information repository.
- User provisioning: automate account create/delete; group and distribution list management; workflow.
- Self-service: self-service password change; helpdesk password reset; web-based, extensible for building self-service.

MIIS: The Components (diagram slide)

Network Architecture (diagram slide)

Attribute Flow Scenario (series of diagram slides: Identity Data Aggregation; Identity Data Brokering (Convergence); Identity Data Integrity Enforcement):
- Connected systems: HR System, iPlanet Directory, Lotus Notes and Active Directory, joined through MIIS.
- The HR attributes FirstName, LastName, EmployeeID, Title, E-Mail and Telephone flow to the directory attributes givenName, sn, employeeID, title, mail and telephone.
- The sample record is Clark Kent, employee 007, Reporter, Clark@contoso.com, 867-5309. In the aggregation panel each system holds a different spelling (Klarek Cenntt 008, Clark Kennttt, Klarke Kent Superhero); after brokering all systems converge on the same values; in the integrity-enforcement panels a title changed in a connected directory (Superhero, Publisher) is reverted to the authoritative value Reporter.

Summary: MIIS Helpful Features:
- Preview mode: MIIS offers the ability to test what will happen to objects and the system as management agents are changed, which makes it very easy to test changes without affecting production data.
- Data lineage: MIIS offers the ability to see what identity data changed in a user's record, which management agent changed it and when it occurred. Enables easy audit of identity changes.
- Based on SQL Server: some solutions store identity information in a directory or do not store it at all; MIIS stores identity information in SQL tables. SQL is more scalable, reliable, fault-tolerant and transactional (roll-back, event logging). Enables easy reporting through SQL rather than complicated LDAP programming; a greater number of people understand SQL programming, and more tools are available for SQL than for LDAP.

Summary:
- Orgs need to extend access, but it's challenging.
- MIIS simplifies provisioning and password management and aggregates identities.
- ADFS extends AD beyond the domain: web SSO and identity federation.
- Windows Server provides comprehensive cross-boundary access management/SSO services: Windows Integrated Auth/Kerberos, AD/ADAM, Microsoft Identity Integration Server, ADFS, IIS, ISA, ASP.Net, Authorization Manager.

Additional Resources:
- Visit Microsoft.com: Identity Management - http://www.microsoft.com/IDM ; AD - http://www.microsoft.com/AD ; Windows Server System - http://www.microsoft.com/windowsserversystem
- View Microsoft's .NET Show on ADFS: http://msdn.microsoft.com/theshow/episode047/default.asp
- Get familiar with the Web Services security and identity model: http://msdn.microsoft.com/webservices/
- Attend WS-* workshops: http://msdn.microsoft.com/webservices/community/workshops/default.aspx
- Get started with WS-* using Web Services Enhancements: http://msdn.microsoft.com/webservices/building/security/

Resources and Links:
- Federation – Identity Management: http://www.microsoft.com/WindowsServer2003/R2/Identity_Management/ADFSwhitepaper.mspx ; http://www.microsoft.com/IDM
- View Microsoft's .NET Show on ADFS: http://msdn.microsoft.com/theshow/episode047/default.asp
- WebCast Training: http://technet2.microsoft.com/windowsserver/en/webcasts.mspx
- DEMO – Identity and Access Management Demo: see how identity federation in ADFS enables single sign-on to web applications hosted by business partners.
- Get familiar with the Web Services security and identity model: http://msdn.microsoft.com/webservices/
- Attend WS-* workshops: http://msdn.microsoft.com/webservices/community/workshops/default.aspx
- Get started with WS-* using Web Services Enhancements: http://msdn.microsoft.com/webservices/building/security/
- AD: http://www.microsoft.com/AD
- Windows Server System: http://www.microsoft.com/windowsserver2003/default.mspx ; http://www.microsoft.com/windowsserversystem
- IBM+Microsoft Paper: http://msdn.microsoft.com/webservices/webservices/understanding/advancedwebservices/default.aspx?pull=/library/en-us/dnglobspec/html/ws-federation-strategy.asp
- Federation Interoperability: http://msdn.microsoft.com/webservices/webservices/understanding/specs/default.aspx?pull=/library/en-us/dnwebsrv/html/wsfedinterop.asp
- Case Studies: RSA Security: http://members.microsoft.com/CustomerEvidence/Search/EvidenceDetails.aspx?EvidenceID=166&LanguageID=1 ; Webridge Extranet Solution: http://members.microsoft.com/CustomerEvidence/Search/EvidenceDetails.aspx?EvidenceID=732&LanguageID=1 ; Law Firm Case Study: http://members.microsoft.com/CustomerEvidence/Search/EvidenceDetails.aspx?EvidenceID=472&LanguageID=1 ; Case Study Search Results from Microsoft.com: http://members.microsoft.com/CustomerEvidence/Search/AdvancedSearchResults.aspx?Flag=0&Keyword=extranet
- Identity Management Case Studies: http://msdn.microsoft.com/webservices/webservices/understanding/specs/default.aspx?pull=/library/en-us/dnwebsrv/html/wsfedinterop.asp

Resources and Links (cont'd):
- The entire Identity and Access Management Series: http://www.microsoft.com/technet/security/topics/identitymanagement/idmanage/P3Extran_0.mspx
- Extranet and Web Single Sign-On document (from links listed in the above document): http://www.microsoft.com/technet/security/topics/identitymanagement/idmanage/P3Extran_0.mspx
- The design and planning collection is also an excellent set of resource documents: http://www.microsoft.com/downloads/details.aspx?FamilyId=DADC5021-222B-4AF7-8C58-2227C358756F&displaylang=en
- The Webcast Training consists of several 1 to 2 hour sessions covering everything from basic functionality to complex Management Agent configuration: http://www.microsoft.com/windowsserversystem/miis2003/techinfo/training/default.mspx
- MIIS Scenario Walkthroughs (step-by-step guide for specific scenarios): http://www.microsoft.com/downloads/details.aspx?FamilyId=15032653-D78E-4D9D-9E48-6CF0AE0C369C&displaylang=en
- MIIS Technical Reference (update Aug 2005): http://www.microsoft.com/downloads/details.aspx?FamilyID=d7894cc9-eeeb-40d9-8f5f-573050624f67&DisplayLang=en
- MIIS Developers Reference: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/mmsdev/mms/portal.asp
- General MIIS links: http://www.microsoft.com/miis ; http://www.microsoft.com/windowsserversystem/miis2003/techinfo/planning/default.mspx

© 2003-2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
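The Attribute Flow Scenario slides (aggregation, convergence, integrity enforcement) together with the preview-mode and data-lineage features from the MIIS summary, as an added example that is neither the deck's nor MIIS's own code: a per-attribute precedence table decides which connected system wins, every system is exported back into agreement, and a title edited directly in AD is reverted to HR's value on the next run. The precedence table, the management-agent names and the Clark Kent records are constructed.

```python
"""Attribute-precedence synchronization in the spirit of the MIIS attribute-flow
slides: aggregate the HR, iPlanet, Lotus Notes and AD connector spaces into one
metaverse record, converge every system on it, and re-assert authoritative values
when a connected directory drifts.  Constructed example, not MIIS code; the
precedence table, management-agent names and sample records are assumed."""
import copy

# Which management agent (MA) is authoritative for each metaverse attribute, in order.
PRECEDENCE = {
    "givenName":  ["HR", "AD", "Notes", "iPlanet"],
    "sn":         ["HR", "AD", "Notes", "iPlanet"],
    "employeeID": ["HR"],
    "title":      ["HR", "AD", "Notes", "iPlanet"],
    "mail":       ["AD", "Notes", "iPlanet"],
    "telephone":  ["Notes", "AD", "iPlanet"],
}

# Constructed connector-space records for employee 007, one per connected system,
# with the divergent spellings the slides show before convergence.
SAMPLE = {
    "HR":      {"givenName": "Clark", "sn": "Kent", "employeeID": "007", "title": "Reporter"},
    "iPlanet": {"givenName": "Klarek", "sn": "Cenntt", "employeeID": "007",
                "title": "", "mail": ""},
    "Notes":   {"givenName": "Clark", "sn": "Kennttt", "employeeID": "007",
                "telephone": "867-5309"},
    "AD":      {"givenName": "Klarke", "sn": "Kent", "employeeID": "007",
                "title": "Superhero", "mail": "Clark@contoso.com"},
}

def converge(connector_spaces, now):
    """Build the metaverse record: per attribute, take the non-empty value of the
    highest-precedence MA.  Also record lineage (attribute, MA, time) for audit."""
    metaverse, lineage = {}, []
    for attr, order in PRECEDENCE.items():
        for ma in order:
            value = connector_spaces.get(ma, {}).get(attr)
            if value:
                metaverse[attr] = value
                lineage.append((attr, ma, now))
                break
    return metaverse, lineage

def export_deltas(metaverse, connector_spaces):
    """What each connected system must change (only attributes it already carries)
    to agree with the metaverse; an empty result means everything is in sync."""
    deltas = {}
    for ma, record in connector_spaces.items():
        changes = {a: metaverse[a] for a in record
                   if a in metaverse and record[a] != metaverse[a]}
        if changes:
            deltas[ma] = changes
    return deltas

def sync_run(connector_spaces, now, preview=False):
    """One management-agent run.  preview=True is the slides' preview mode: compute
    and return the exports without writing anything to the connected systems."""
    metaverse, lineage = converge(connector_spaces, now)
    deltas = export_deltas(metaverse, connector_spaces)
    if not preview:
        for ma, changes in deltas.items():
            connector_spaces[ma].update(changes)
    return metaverse, deltas, lineage

def initial_sync():
    """Aggregation + convergence on a fresh copy of the sample data."""
    return sync_run(copy.deepcopy(SAMPLE), now=1)

def integrity_enforcement():
    """After convergence someone edits the title directly in AD (not authoritative).
    Preview shows the pending correction without touching AD; the real run reverts
    the edit to HR's value.  Returns (previewed deltas, AD title after the run)."""
    cs = copy.deepcopy(SAMPLE)
    sync_run(cs, now=1)
    cs["AD"]["title"] = "Superhero"
    _, pending, _ = sync_run(cs, now=2, preview=True)
    sync_run(cs, now=2)
    return pending, cs["AD"]["title"]
```

The lineage tuples are what a data-lineage report would be built from: for each metaverse attribute they name the management agent that supplied the value and when.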
