Enterprise Identity
Steve Plank (Microsoft), Hugh Simpson-Wells (Oxford Computer Group), Dave Nesbitt (Oxford Computer Group)

Agenda
• Overview of Enterprise Identity Challenges/Solutions
• Individual Group Discussions (led)
• Large Group “Debate”

The Digital Identity Lifecycle: Roles
• Product Manager
• Director
• Service Manager
• HR Admin
• PA
• Customer Service Call Handler
• Sales Person
• Engineer

The Digital Identity Lifecycle
• A business owns critical assets
• Roles are defined
• People are hired
• People change role
• People are fired (they leave of their own accord too!)
• They access critical assets
(Diagram: Roles 1 to 5 linked to Access Management, Joining Identities, Identity Data Aggregation, Identity Data Enforcement and Identity Data Brokering; Hire/Fire Scenario.)

Hire Scenario
(Diagram: a change (Δ) in the HR System or Contractor System flows through a Provisioning System or Metadirectory to the E-mail system, Infrastructure Directory, Application Directory, Database and LOB App, over E-mail, LDAP, SQL and API connectors.)

Fire Scenario
(Diagram: the same systems and connectors as the Hire Scenario; here the change (Δ) in the HR System or Contractor System is a termination, which the Provisioning System or Metadirectory propagates to the E-mail system, Infrastructure Directory, Application Directory, Database and LOB App.)

Join, Attribute Flow, Enforcement…
(Diagram: the HR System, Infrastructure Directory, E-mail System and Application Directory each hold givenName, sn, title, mail, employeeID and telephone for the same person, with inconsistent values: given name spelled Clark, Klarke or Klarek; surname spelled Kent, Kennttt or Cenntt; title Reporter or Superhero; mail Clark@contoso.com; employeeID 007 or 008; telephone 867-5309 or +44 123 456 7890. The HR record is projected into the Metadirectory; the other records are joined to it on employeeID, on mail, or by manual join where the key (employeeID 008) does not match.)

Identity Joining Scenario
(Diagram: the same four source records as the previous slide, with their inconsistent givenName, sn, title, mail, employeeID and telephone values, joined into a single Metadirectory record: givenName Clark, sn Kent, title Superhero, mail Clark@contoso.com, employeeID 007, telephone +44 123 456 7890.)
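The two joining slides above show four systems holding one person's data under different spellings and keys, and a metadirectory that joins them on employeeID, on mail, or manually, then picks one value per attribute. The following is an added example, not code from the deck or from any Microsoft or Oxford Computer Group product: it implements that join with per-source join rules, an administrator-supplied manual-join table and an attribute-precedence list. The records, the precedence order (HR authoritative for name and ID, Infrastructure Directory for title, Application Directory for telephone) and the `PRECEDENCE`, `JOIN_RULES` and `MANUAL_JOINS` names are constructed for this illustration. An ambiguous key match is deliberately not joined, because a wrong join hands one person another person's access.

```python
# Added example: minimal metadirectory join with join rules, manual joins
# and attribute precedence. All data below is constructed for illustration;
# the spellings follow the deck's Clark Kent example.

SOURCES = {
    "HR": [
        {"givenName": "Clark", "sn": "Kent", "title": "Reporter",
         "mail": "Clark@contoso.com", "employeeID": "007", "telephone": "867-5309"},
    ],
    "InfraDir": [
        {"givenName": "Klarke", "sn": "Kent", "title": "Superhero",
         "mail": "Clark@contoso.com", "employeeID": "007", "telephone": None},
    ],
    "Email": [
        {"givenName": "Clark", "sn": "Kennttt", "title": None,
         "mail": "clark@contoso.com", "employeeID": None, "telephone": None},
    ],
    "AppDir": [
        {"givenName": "Klarek", "sn": "Cenntt", "title": "Reporter",
         "mail": None, "employeeID": "008", "telephone": "+44 123 456 7890"},
        # constructed: a record with no HR counterpart and no manual join
        {"givenName": "Lex", "sn": "Luthor", "title": "CEO",
         "mail": None, "employeeID": "009", "telephone": None},
    ],
}

# Join rule per source: the attribute that must match the HR record already in
# the metaverse. None means the source can only be joined manually.
JOIN_RULES = {"InfraDir": "employeeID", "Email": "mail", "AppDir": None}

# Manual joins entered by an administrator: (source, source employeeID) -> HR employeeID
MANUAL_JOINS = {("AppDir", "008"): "007"}

# Attribute precedence (assumption): for each attribute, sources in order of authority
PRECEDENCE = {
    "givenName": ["HR", "InfraDir", "Email", "AppDir"],
    "sn": ["HR", "InfraDir", "Email", "AppDir"],
    "title": ["InfraDir", "HR", "AppDir"],
    "mail": ["HR", "InfraDir", "Email"],
    "employeeID": ["HR", "InfraDir", "AppDir"],
    "telephone": ["AppDir", "HR"],
}


def normalise(attr, value):
    """Normalise a join key: trim whitespace, and compare mail case-insensitively."""
    if value is None:
        return None
    value = value.strip()
    return value.lower() if attr == "mail" else value


def build_metaverse(sources, join_rules, manual_joins):
    """Project HR records, then join every other source record to exactly one of them.

    Returns (metaverse, unjoined): metaverse maps HR employeeID to the joined
    records per source; unjoined lists records that need an administrator.
    """
    metaverse = {rec["employeeID"]: {"HR": rec} for rec in sources["HR"]}
    unjoined = []
    for src, rule in join_rules.items():
        for rec in sources[src]:
            target = None
            if rule is not None:
                key = normalise(rule, rec.get(rule))
                matches = [mv_id for mv_id, members in metaverse.items()
                           if key is not None
                           and normalise(rule, members["HR"].get(rule)) == key]
                # Exactly one match joins; zero or several fall back to manual join,
                # since guessing would attach this record to the wrong person.
                if len(matches) == 1:
                    target = matches[0]
            if target is None:
                target = manual_joins.get((src, rec.get("employeeID")))
            if target is None or target not in metaverse:
                unjoined.append((src, rec))
                continue
            metaverse[target][src] = rec
    return metaverse, unjoined


def flow_attributes(members, precedence):
    """Pick one value per attribute from the joined records by source precedence."""
    out = {}
    for attr, order in precedence.items():
        for src in order:
            value = members.get(src, {}).get(attr)
            if value:
                out[attr] = value
                break
    return out


def demo():
    """Run the join over the constructed data; returns (identities, unjoined)."""
    metaverse, unjoined = build_metaverse(SOURCES, JOIN_RULES, MANUAL_JOINS)
    identities = {mv_id: flow_attributes(m, PRECEDENCE) for mv_id, m in metaverse.items()}
    return identities, unjoined


if __name__ == "__main__":
    ids, left = demo()
    for identity in ids.values():
        print(identity)
    for src, rec in left:
        print("needs manual join:", src, rec["employeeID"])
```

Running it yields the deck's target record for employee 007 (Clark Kent, Superhero, Clark@contoso.com, +44 123 456 7890) and reports the AppDir record 009 as unjoined rather than attaching it to anyone; in a real deployment that list is the queue an identity administrator works, and the precedence table is where the "enforcement" in the slide title lives.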

Single Sign On
• Simple SSO
  • Single Authentication Authority, Single Server
  • Single Authentication Authority, Multiple Server
• Complex SSO
  • Single Credential Set
    • Token Based SSO
    • PKI Based SSO
  • Multiple Credential Set
    • Credential Sync (Consistent Sign On)
    • Client-side Credential Mapping
    • Server-side Credential Mapping

Simple SSO
(Diagram: the client performs an AuthN exchange with an Authentication Service backed by a Credential Store (probably an LDAP directory); the Resource Server trusts the Authentication Service and performs Token Validation on the token it issued; the Credential Store is replicated between servers.)

No SSO
(Diagram: two Authentication Services, each with its own Credential Store (probably an LDAP directory) and no trust between them; the user performs a separate AuthN exchange with each.)

Complex SSO: 1 Credential, Token-based
(Diagram: the user completes one AuthN exchange with the first Authentication Service, backed by a Credential Store (probably an LDAP directory), and receives a Temp Token; the second Authentication Service, with its own Credential Store, trusts the first and accepts the Temp Token in place of a second AuthN exchange.)

Consistent Sign On: Password Sync
(Diagram: during the AuthN exchange a PW trap at the first Authentication Service captures the plaintext password; the Crypto System turns it into ciphertext for that system's Credential Store (probably an LDAP directory); a Password Copy Service delivers the captured password to the second system's Crypto System, which stores it as ciphertext in the second Credential Store; the identities in the two systems are normalised by a metadirectory.)

Complex SSO – Client Cache
(Diagram: the client keeps a Password Cache; after the AuthN exchange with the first Authentication Service, the cached credentials are supplied automatically in the AuthN exchange with the second Authentication Service; each service has its own Credential Store (probably an LDAP directory).)

Complex SSO – Server Cache
(Diagram: a Client Installed SSO Agent obtains the user's password for the second system from the first Authentication Service's Credential Store (probably an LDAP directory) and performs the AuthN exchange with the second Authentication Service, which has its own Credential Store.)

Complex SSO – Server Cache
• SSO Agent detects login dialog
• Retrieves credentials from ID store & fills in dialog
• Understands password change dialogs
• Auto-generates new passwords
(Diagram: the Client-side SSO Agent reads the user object's SSO attributes (User-id: FSmith, Password: *****) from the Client ID Store and fills in the User-id and Password fields of the Login dialog.)

Review
• Overview of Enterprise Identity Challenges/Solutions
• Individual Group Discussions (led)
• Large Group “Debate”