SOL 214 Microsofts Identity Management Strategy and Roadmap

  • Slides: 45
SOL 214: Microsoft’s Identity Management Strategy and Roadmap
John Pritchard, Microsoft Corporation
johnpr@microsoft.com

Agenda
  • Situation
  • Strategy
  • Federated identity
  • Process-driven identity and entitlement management
  • Evolution of directory services
  • Next generation digital identity
  • Roadmap

Situation
  • Increasingly connected systems
    • Connections span technical and organizational boundaries
    • Distinctions blur: customer, partner, employee, intranet, Internet
    • Demand for business process integration
  • Clear business drivers around security, cost efficiency, regulatory compliance
    • Issues around policy, compliance, reporting
  • Rapid rise of threats to online safety
    • Phishing, pharming, “phraud”
    • Concerns over privacy, tracking

Technology Areas
  • User Experience: logon & credentials; self-service
  • Developer Experience: directory APIs; access APIs; integration APIs
  • IT Pro Experience: management; delegated admin
  • Identity and Access Platform
    • Integration Services: process automation; process control
    • Directory Services: distributed publication
    • Access Services: authentication; authorization; audit; credential management
    • Connectors: integration with non-Windows-integrated applications and systems

Microsoft’s Strategy
  • Add native support for interoperable federated identity to Active Directory using web services
  • Build on Microsoft Identity Integration Server as the platform for process-driven management of identities and entitlements
  • Evolve and refine Active Directory directory services

Federated Identity and Web Services

What is a Digital Identity?
  • A set of claims one subject makes about another
  • Many identities for many uses
  • Required for transactions in the real world and online

Claims-Based Access Control
  • Server policy: “Submit order” requires {Purchaser} claim
  1. Client reads the policy for “Submit Order” from the Server
  2. Client calls “Submit Order”, including a security token carrying the {Purchaser=True} claim

Claims-Based Access Control
  • Server policy: “Submit order” requires {Role} claim from STS_A
  • STS_A (Security Token Server) policy: {Role} requires [Name, Password] credential
  1. Client reads the policy for “Submit Order” from the Server
  2. Client reads the policy for Request Security Token from STS_A
  3. Client sends Request Security Token to STS_A, passing [Ryan, ****]

Claims-Based Access Control
  • Server policy: “Submit order” requires {Role} claim from STS_A
  • STS_A policy: {Role} requires [Name, Password] credential
  • STS_A mapping: (Ryan, ****) → {Role = Purchaser}
  4. Request Security Token Response: STS_A returns {Role=Purchaser} signed by STS_A
  5. Client calls “Submit Order” with the security token {Role=Purchaser} signed by STS_A

Claims-Based Access Control
  • Server policy: “Submit order” requires {Submit order} claim from STS_AuthZ
  • STS_AuthZ (Security Token Server, “authorization claims provider”) policy: {Submit order} requires {Role} claim from STS_Identity
  • STS_Identity (Security Token Server, “identity claims provider”) policy: {Role} requires [Kerb ticket] or [Name/Pwd] credential
  1. Client reads the policy for “Submit Order” from the Server
  2. Client reads the policy for Request Security Token from STS_AuthZ
  3. Client reads the policy for Request Security Token from STS_Identity
  4. Client sends Request Security Token to STS_Identity, passing [Ryan’s Kerb ticket]

Claims-Based Access Control
  • Server policy: “Submit order” requires {Submit order} claim from STS_AuthZ
  • STS_AuthZ policy: {Submit order} requires {Role} claim from STS_Identity
  • STS_Identity mapping: Ryan → {Role = Purchaser}
  • STS_AuthZ mapping: {Role = Purchaser} → {Submit order = True}
  5. STS_Identity returns {Role=Purchaser} signed by STS_Identity
  6. Client sends Request Security Token to STS_AuthZ, passing {Role=Purchaser} signed by STS_Identity
  7. STS_AuthZ returns {Submit order = True} signed by STS_AuthZ
  8. Client calls “Submit Order” with {Submit order = True} signed by STS_AuthZ
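The two-STS exchange on the preceding slides, worked through as an added Python example that is not part of the original deck. It assumes a constructed second principal ("Dana", holding a Role the order policy does not accept) alongside Ryan, stands in for Ryan’s Kerberos ticket with a plain principal name, and signs tokens with HMAC rather than the asymmetric signatures a real WS-Trust STS would use. Each relying party checks only what its own policy names: the server accepts a {Submit order} claim only from STS_AuthZ, and STS_AuthZ accepts a {Role} claim only from STS_Identity.

```python
import hashlib
import hmac
import json

# Constructed signing secrets for the two token services in the slides. A real
# STS signs tokens with an asymmetric key; HMAC keeps this example self-contained.
STS_KEYS = {
    "STS_Identity": b"constructed-identity-sts-secret",
    "STS_AuthZ": b"constructed-authz-sts-secret",
}

# Identity claims provider mapping from the slide: Ryan -> {Role = Purchaser}.
# "Dana" is a constructed second principal whose role the order policy does not accept.
IDENTITY_MAPPING = {
    "Ryan": {"Role": "Purchaser"},
    "Dana": {"Role": "Viewer"},
}

# Authorization claims provider mapping from the slide: {Role = Purchaser} -> {Submit order = True}.
AUTHZ_MAPPING = {("Role", "Purchaser"): {"Submit order": True}}


def issue(issuer, claims):
    """Return a security token: the claims plus a MAC over their canonical encoding."""
    payload = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(STS_KEYS[issuer], payload, hashlib.sha256).hexdigest()
    return {"issuer": issuer, "claims": dict(claims), "sig": sig}


def verify(token, expected_issuer):
    """Accept a token only if it names the issuer the policy requires and its MAC checks out."""
    if token.get("issuer") != expected_issuer:
        return False
    payload = json.dumps(token.get("claims", {}), sort_keys=True).encode()
    expected = hmac.new(STS_KEYS[expected_issuer], payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(token.get("sig", "")))


def sts_identity_issue(credential):
    """Steps 4-5: STS_Identity turns a credential into role claims. The principal name
    stands in for Ryan's Kerberos ticket, which this example does not model."""
    claims = IDENTITY_MAPPING.get(credential)
    return None if claims is None else issue("STS_Identity", claims)


def sts_authz_issue(identity_token):
    """Steps 6-7: STS_AuthZ policy is '{Submit order} requires {Role} claim from STS_Identity'."""
    if not verify(identity_token, "STS_Identity"):
        return None
    claims = AUTHZ_MAPPING.get(("Role", identity_token["claims"].get("Role")))
    return None if claims is None else issue("STS_AuthZ", claims)


def submit_order(token):
    """Step 8: server policy is '"Submit order" requires {Submit order} from STS_AuthZ'."""
    if not verify(token, "STS_AuthZ"):
        return "rejected: token not signed by STS_AuthZ"
    if token["claims"].get("Submit order") is not True:
        return "rejected: missing {Submit order = True} claim"
    return "accepted"


def run_flow(credential):
    """Drive the whole exchange for one principal and report the server's decision."""
    id_token = sts_identity_issue(credential)
    if id_token is None:
        return "rejected: STS_Identity does not know this principal"
    authz_token = sts_authz_issue(id_token)
    if authz_token is None:
        return "rejected: STS_AuthZ has no mapping for this role"
    return submit_order(authz_token)


if __name__ == "__main__":
    print("Ryan:", run_flow("Ryan"))
    print("Dana:", run_flow("Dana"))
    print("Mallory:", run_flow("Mallory"))
    # Presenting the identity token directly to the server skips STS_AuthZ; the server
    # checks the issuer named in its policy, so the token is refused.
    print("identity token sent straight to server:", submit_order(sts_identity_issue("Ryan")))
    # A token that merely claims to be from STS_AuthZ fails the MAC check.
    forged = {"issuer": "STS_AuthZ", "claims": {"Submit order": True}, "sig": "00"}
    print("forged token:", submit_order(forged))
```

The point the slides make about claims transformation shows up in `sts_authz_issue`: the authorization provider never sees Ryan’s credential, only a {Role} claim it can trust because STS_Identity signed it, and the server never sees the role, only the {Submit order} claim it asked for.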

WS-* Architecture
  • Composable architecture for Web services
    • Broad participation across the industry
    • Published, standards-track architecture
    • Available royalty-free
  • Security token format neutral
    • OASIS WS-Security specification is the basis
    • Supports X.509, Kerberos, SAML 1.1, 1.2, 2.0, XrML, …
  • Dynamic system for exchanging claims
    • WS-MetadataExchange, WS-SecurityPolicy
  • Token and claim translation
    • WS-Trust defines Security Token Services (STS)

Active Directory Federation Services
  • Federated web single sign-on
    • WS-Federation Passive Requestor Profile
    • Supports SAML token, with claims as SAML assertions
  • Integrated with Windows SSO
    • Supports Windows Integrated Security and native claims-based identity
    • Transforms claims into SIDs for Windows apps
    • Enables web apps to natively consume claims
    • Authorization Manager integration
  • Delivered in Windows Server 2003 R2

ADFS Experience

Process-driven management of identities and entitlements

Integration Services
  • Process automation for managing the identity and entitlement lifecycle
    • Fully automated add/update/delete
    • Delegated administration
    • End user self-service
  • Process control for reporting, assessment and enforcement
    • Metadirectory “closed-loop” enforcement
    • State auditing and reporting

Integration Services: MIIS 2003 SP1
  • Automated provisioning, de-provisioning
  • Enforce consistency of data
  • Password change management
  • Management agents for common directories, databases, flat file formats
  • Management agent SDK
  • Windows Server 2003 R2 wave: RACF, ACF2, Top Secret, SAP, PeopleSoft

Longhorn Wave: “Gemini”
  • Integration of workflow with metadirectory
    • Declarative authoring
    • Advanced auditing and reporting
    • Computed attributes
    • Automated group membership management
  • Identity and entitlement management platform
    • Make your application manageable via MIIS
    • Self-service applications: user, group, and password management

The Evolution of Directory Services

Active Directory
  • Broad usage: 86% of US and 57% of worldwide enterprises with >500 PCs running Active Directory*
  • Performance at scale
    • Scale out: 1000+ servers
    • Scale up: deployments at 20M+ users
  • Flexibility: AD and ADAM
    • Centralized or distributed physical deployment
    • Centralized or distributed logical management
    • Shared across applications or dedicated to a specific application
  • Interop: Unix/Linux SSO via Vintela, Centrify
  * Source: Microsoft internal survey, spring 2005

Domain Mode
  • Windows Server 2003 R2
    • Unix compatibility schema
    • ADMT v3 (web download)
  • Longhorn Server
    • Read-only DC: reduced physical security requirements, simplified manageability
    • Restartable AD: reduce DC reboots
    • DC on Server Core: minimize surface area
    • DC/Domain Admin role separation

Application Mode
  • Windows Server 2003: ADAM download
    • LDAP-only mode of Active Directory with independent configuration
    • Identical performance at scale
  • Windows Server 2003 R2: ADAM included in the OS distribution
    • One-way AD-to-ADAM sync: eliminates the need for MIIS (or IIFP) in simple scenarios
  • Longhorn Server: same as R2

The Next Generation of Digital Identity

Threats to Online Safety
  • The Internet was built without a way to know who and what you are connecting to
  • Everyone offering Internet service has come up with a workaround: a patchwork of one-offs
    • Inadvertently taught people to be phished
  • Greater use and greater value attract a professional international criminal fringe
    • They understand and exploit weaknesses in the patchwork
    • Phishing and pharming at 1000% CAGR
    • Add “stash attacks” reported as “identity losses”

From Patchwork to Fabric
  • Little agreement on what the identity layer is, or how it should be run
    • Digital identity related to contexts
    • Partial success in specific domains (SSL, Kerberos)
    • Enterprises, governments, verticals prefer one-offs to loss of control
    • The individual is also a key player
  • No simplistic solution is realistic
    • Consider cross-cultural, international issues
    • Diverse needs of players mean multiple constituent technologies must be integrated

“The Laws of Identity”
  1. User control and consent
  2. Minimal disclosure for a defined use
  3. Justifiable parties
  4. Directional identity
  5. Pluralism of operators and technologies
  6. Human integration
  7. Consistent experience across contexts
  Join the discussion at www.identityblog.com

Identity Metasystem
  • We need a unifying “identity metasystem”
    • Protect applications from identity complexities
    • Allow digital identity to be loosely coupled: multiple operators, technologies, and implementations
  • Not the first time we’ve seen this in computing
    • Abstract display services made possible through device drivers
    • Emergence of TCP/IP unified Ethernet, Token Ring, Frame Relay, X.25, even the not-yet-invented wireless protocols

Empowers the User…
  • Applications: existing & new
  • Technologies: X.509, Kerberos, SAML
  • Governments
  • Devices: PCs, mobile, phone
  • Individuals: work & consumer (you)
  • Organizations: private businesses

Brings Technologies Together…
  ✓ Smartcards
  ✓ Self-issued identities
  ✓ Corporate identities
  ✓ Government identities
  ✓ Passport identities
  ✓ Liberty identities
  ✓ Client applications
  ✓ Operating systems
  ✓ Network access systems
  ✓ Governments
  ✓ Organizations
  ✓ Companies
  ✓ Individuals
  ✓ Mobile phones
  ✓ Computers
  ✓ Hard ID tokens
  ✓ … and everything else

Metasystem Characteristics: Requirements for the Identity Metasystem
  • Negotiation driven: enable participants to negotiate technical policy requirements
  • Encapsulation: technology-agnostic way to exchange policies and claims
  • Claims transformation: trusted way to change one set of claims into another regardless of format
  • User experience: consistent user interface across multiple systems and technologies

WS-* Metasystem Architecture
  • Participants: Subject, Identity Selector, ID Provider (Security Token Service), Relying Party
  • Token formats: Kerberos, SAML, X.509, …
  • Protocols: WS-SecurityPolicy, WS-Trust, WS-MetadataExchange

Microsoft Support for Identity Metasystem
  • “Indigo” (WS-*), for developers: runtime for building distributed applications supporting the identity metasystem
  • “InfoCard”, for end-users: identity selector for Windows to visualize the user’s digital identity
  • Active Directory, for IT organizations: infrastructure for identity and access

Preview – “InfoCard”

Microsoft’s Implementation
  • Data stored for each card in the card collection
    • Name, logo, names of claims available (not values)
    • Address of identity provider
    • Reference to required credential (e.g. smartcard)
  • Data stored in the simple identity provider
    • Name, address, email, telephone, age, gender
    • User must opt in
  • InfoCard data not visible to applications
    • Stored in files encrypted under a system key
    • User interface runs on a separate desktop
  • No information stored in an online service
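The card structure on this slide and the “negotiation driven” requirement from the Metasystem Characteristics slide, worked through as an added Python example that is not the product’s code. It assumes a constructed card collection (a self-issued card and an employer card), a constructed relying-party policy, and a constructed store for the simple identity provider; provider addresses are placeholders. The card holds claim names only, the selector offers just the cards whose names cover the policy, and the provider releases only the claims that were requested, after the user opts in.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Card:
    """One card in the card collection, holding what the slide lists: name, logo,
    names of the claims available (never their values), identity provider address,
    and a reference to the credential needed to use it."""
    name: str
    logo: str
    claim_names: frozenset
    provider_address: str
    required_credential: str  # "none" for a self-issued card, "smartcard" etc. otherwise


# Constructed values for the simple (self-issued) identity provider. They live here,
# not in the card, and are released only at issue time.
SELF_ISSUED_VALUES = {
    "Name": "Ryan",
    "Address": "1 Example Way",
    "Email": "ryan@example.invalid",
    "Telephone": "555-0100",
    "Age": 34,
    "Gender": "M",
}
SELF_ISSUED_PROVIDER = "local:self-issued"   # constructed provider address
EMPLOYER_STS = "https://sts.corp.example.invalid"   # constructed provider address

# Constructed card collection: a self-issued card and a managed card from an employer STS.
CARD_COLLECTION = (
    Card("Personal", "star.png", frozenset(SELF_ISSUED_VALUES), SELF_ISSUED_PROVIDER, "none"),
    Card("Employer", "corp.png", frozenset({"Name", "Email", "Role"}), EMPLOYER_STS, "smartcard"),
)


def select_cards(collection, required_claims, accepted_providers=None):
    """Identity selector step: offer only cards whose advertised claim names cover the
    relying party's policy and, if the policy names acceptable providers, come from one."""
    required = frozenset(required_claims)
    return [
        card for card in collection
        if required <= card.claim_names
        and (accepted_providers is None or card.provider_address in accepted_providers)
    ]


def issue_self_issued_token(card, required_claims, user_consented, store=SELF_ISSUED_VALUES):
    """Simple identity provider step: release the requested claims only, and only after
    the user has opted in. Claims the relying party did not ask for never leave the store."""
    if card.provider_address != SELF_ISSUED_PROVIDER:
        raise ValueError("this provider backs self-issued cards only")
    if not user_consented:
        return None
    missing = [name for name in required_claims if name not in card.claim_names]
    if missing:
        raise ValueError(f"card does not offer: {missing}")
    return {name: store[name] for name in required_claims}


if __name__ == "__main__":
    # Constructed relying-party policy: a shop that wants a name and an email address.
    policy = ("Name", "Email")
    offered = select_cards(CARD_COLLECTION, policy)
    print("cards matching policy:", [c.name for c in offered])
    token = issue_self_issued_token(offered[0], policy, user_consented=True)
    print("released claims:", token)  # Age, Gender, Address, Telephone stay in the store
    print("cards for a Role-requiring policy:", [c.name for c in select_cards(CARD_COLLECTION, ("Role",))])
```

Keeping only claim names in the card is what lets the selector match a policy without touching any personal data; the values are fetched from the provider at issue time, which is where the opt-in and the minimal-disclosure filter belong.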

Summary

Product Offering
  • User Experience: logon & credentials; self-service
  • Developer Experience: directory APIs; access APIs; integration APIs
  • IT Pro Experience: management consoles; MOM integration
  • Identity and Access Platform
    • Integration Services: metadirectory; workflow; audit and reporting; Enterprise SSO
    • Directory Services: Active Directory; ADAM; UDDI
    • Access Services: federated SSO; integrated PKI; CBAC & RBAC; Rights Management
    • Connectors: directory, database, flat file, mainframe, ERP, and an SDK to build more

Roadmap
  • Windows Server 2003 R2
    • Active Directory Federation Services
    • ADAM with one-way sync from AD
    • Additional management agents for MIIS
  • Longhorn wave
    • Continued directory services refinements
    • PKI, credential management and usability enhancements
    • “Gemini” automation and control platform

Call to Action
  • Build on Active Directory
    • Single sign-on and directory consolidation
    • Intranet and extranet
    • We will help you build on this investment
  • Use MIIS 2003 for provisioning, deprovisioning, and policy enforcement
  • Try ADFS in R2 Beta 2
  • Learn about WS-* Web services
  • Join the identity metasystem discussion

Resources
  • “The Laws of Identity” and the Identity Metasystem: http://msdn.microsoft.com/webservices/
  • Identity Management: http://www.microsoft.com/idm
  • Kim Cameron’s Identity Blog: http://www.identityblog.com

We invite you to participate in our online evaluation on CommNet, accessible Friday only. If you choose to complete the evaluation online, there is no need to complete the paper evaluation.

© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.