WIN 220 Identity and Access Management IAM Feifei
- Slides: 53

WIN 220 Identity and Access Management: Microsoft unified identity management and access control (IAM) solution and product roadmap. Feifei Qian, Technical Solution Professional, Microsoft China, ffqian@microsoft.com

Extending Windows single sign-on to the enterprise (diagram slide)
- Logon to Active Directory via Kerberos; applications authenticate against Active Directory
- UNIX Kerberos: built-in authentication protocol, compatible with MIT Kerberos v5, supports PAC group information; the Windows PAC format is open
- Services for UNIX: NIS Server for AD, NIS to AD directory synchronization, password synchronization, user name mapping
- Host Integration Server (390/AS 400): Windows to RACF accounts, Windows to AS/400 security system, two-way password synchronization

Microsoft IAM solution framework
- Clients and servers: web clients, smart clients, web servers, server services (Microsoft and non-Microsoft)
- Microsoft identity management and access control platform:
  - Smart client SSO, web SSO, claims-based access control, federation
  - Self-service and delegated administration
  - Metadata publication
- Platform components: Integration Services (MIIS), Directory Services (AD, ADAM), Access Services (ADFS)
- Identity management and access control:
  - Policy management, compliance assessment, reporting, enforcement
  - Lifecycle management
  - Connection to and interoperability with other systems

Solution architecture diagram (components): web client and rich client; web portal; ADAM (store / retrieve data); server infrastructure Active Directory (authentication); sync between ADAM, Active Directory and other directories and user info stores

Requirement: identity lifecycle management
- Lifecycle management: manage data through the various phases of its useful life
- Application requirements: automated provisioning and de-provisioning; keep data in ADAM in sync with the corporate AD installation; simple setup and maintenance

Options: identity lifecycle management
- ADAM Sync: one-way, incremental sync of a configurable subset of data from AD to ADAM; limited transformations (users to proxy objects)
- IIFP: same features as MIIS 2003; works with AD, ADAM and Exchange
- MIIS 2003: provisioning, de-provisioning, aggregation and sync solution; can work with 30+ data stores

Solution: identity lifecycle management (diagram components): ADAM Sync/IIFP; web portal; store / retrieve data; AzMan; app data; ADAM; server authentication infrastructure Active Directory; MIIS; web client and rich client; other directories and user info stores

Requirement: authentication
- Authentication: the means to verify that a person is who they say they are
- Application requirements: must not require a new user ID and password for this application (which would add to the identity management problem); must be flexible and extensible to allow new users access to the app

Options: authentication
- SSO from workstation logon
- Basic/Digest: HTTP-specific authentication methods; Basic sends passwords in clear text
- Forms-based: user types name and password into an app form; a cookie is written back to the browser
- LDAP binds

Integrated authentication (recommended approach)
- Strong authentication support
- Single sign-on: Windows OS built-in features allow single sign-on (SSO) when client and server are joined to a domain or forest; non-Windows clients can also get single sign-on using partner products
- Extends the effect of Windows Integrated Authentication and Authorization across domains or forests
- Ability to federate identity across organizations through ADFS
- Thick clients as well as web apps can take advantage
- IIS integrated: no coding needed, a simple checkbox

Solution: authentication (diagram components): web portal; store / retrieve data; ADAM; integrated authentication against server infrastructure Active Directory; sync; web client and rich client; other directories and user info stores

Requirement: authorization
- Authorization: grant or deny permission to perform tasks based on identity
- Application requirements: entitlements not hard-coded in apps; an admin must be able to grant/deny access; both apps must use the same scheme

Options: authorization
- Authorization Manager (AzMan)
- ADFS claims
- Windows ACL model: fine-grained access control
- LDAP authorization: authorization info is stored as data in the store; the app server makes sense of the data and grants the appropriate access
- COM+ and ASP.NET roles

Authorization Manager authorization (recommended approach; diagram shows Bob as user and Mary as admin, web portal, AzMan, ADAM, authentication server infrastructure, directory; role-based authorization API: AzMan)
- Manage roles, not object ACLs
- Simplify entitlement reporting and auditing
- Query-based groups capture business dynamics
- The app does authorization using roles defined in AzMan
- Establish role policy at app design time
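To make the AzMan model on this slide concrete, here is an added example (not from the deck and not the AzRoles API) that models its policy layers: operations roll up into tasks, tasks into roles, and roles are assigned to users or to query-based groups whose predicate stands in for an LDAP query; the sample policy, users Bob and Mary and their attributes are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Set

@dataclass
class User:
    name: str
    attrs: Dict[str, str]   # constructed directory attributes (department, title)

@dataclass
class AzApplication:
    """Simplified AzMan policy: operations -> tasks -> roles -> assignments."""
    operations: Set[str] = field(default_factory=set)
    tasks: Dict[str, Set[str]] = field(default_factory=dict)        # task -> operations
    roles: Dict[str, Set[str]] = field(default_factory=dict)        # role -> tasks
    query_groups: Dict[str, Callable[[User], bool]] = field(default_factory=dict)
    assignments: Dict[str, Set[str]] = field(default_factory=dict)  # role -> users/groups

    def operations_for_role(self, role: str) -> Set[str]:
        # Flatten the role's tasks down to the low-level operations they grant.
        return {op for task in self.roles.get(role, set())
                for op in self.tasks.get(task, set())}

    def roles_for_user(self, user: User) -> Set[str]:
        # A user holds a role by direct assignment or through a query-based
        # group whose predicate (standing in for an LDAP query) matches the user.
        return {role for role, members in self.assignments.items()
                if user.name in members
                or any(self.query_groups[m](user)
                       for m in members if m in self.query_groups)}

    def access_check(self, user: User, operation: str) -> bool:
        # Fail closed: an operation the policy does not define is never granted.
        if operation not in self.operations:
            return False
        return any(operation in self.operations_for_role(r)
                   for r in self.roles_for_user(user))

def build_sample_app() -> AzApplication:
    # Constructed sample policy for an order-processing web portal.
    app = AzApplication()
    app.operations = {"ReadOrder", "ApproveOrder", "DeleteOrder"}
    app.tasks = {"ViewOrders": {"ReadOrder"},
                 "ProcessOrders": {"ReadOrder", "ApproveOrder"}}
    app.roles = {"Clerk": {"ViewOrders"}, "Manager": {"ViewOrders", "ProcessOrders"}}
    app.query_groups = {"FinanceManagers": lambda u: u.attrs.get("department") == "Finance"
                        and u.attrs.get("title") == "Manager"}
    app.assignments = {"Clerk": {"bob"}, "Manager": {"FinanceManagers"}}
    return app

BOB = User("bob", {"department": "Finance", "title": "Clerk"})     # constructed
MARY = User("mary", {"department": "Finance", "title": "Manager"})  # constructed
```

Changing Mary's title in the directory removes her from the query-based group and therefore from the Manager role without any edit to the application's code or policy.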

Solution: authorization (diagram components): AuthZ via AzMan; web portal; app data; ADAM; server authentication infrastructure Active Directory; sync; web client and rich client; other directories and user info stores

Application integration and SSO (diagram components): web client and rich client; web SSO agent, enterprise SSO agent and APIs for authentication and authorization; web portal; store / retrieve data in ADAM; authentication and authorization against server infrastructure Active Directory; sync with other directories and user info stores

AD Federation Services (ADFS)
- Extends the directory infrastructure beyond the enterprise/organization (domain): extranet authentication, authorization and web single sign-on (SSO); B2B/B2C commerce and collaboration; first step towards AD as a service for SOA
- Enhanced security and IT efficiency: delegated user administration from inside Windows; robust trust management, reusability and auditing tools; control exactly what data is shared, and with whom; leverages AzMan for extranet-based RBAC
- Standards-based interoperability: based on WS-* specifications (notably WS-Federation); broad interoperability with other IdM vendors; supports multiple security tokens (e.g. SAML, Kerberos, X.509, etc.)

Scenario: web single sign-on (resource side serving customers, business partners and employees)
- Single sign-on to a farm of web applications
- Support for browser-based and smart SOAP clients
- Access managed through Authorization Manager
- Credentials managed in AD at the resource side

Scenario: identity federation (account side and resource side across an organizational namespace; business partners)
- The federation trust manages: trust (keys); security (claims required); privacy (claims allowed); audit (identities, authorities)
- Single sign-on across security boundaries (internal and external)
- Support for browser-based and SOAP clients
- Interoperable through WS-* standards
- Credentials are managed at the "account side"

ADFS-based web SSO

Product history and roadmap
- Windows Server 2003: Active Directory (Windows single sign-on, enterprise directory); Active Directory Application Mode (application directory); MIIS 2003 (directory synchronization, user lifecycle management, password management); HIS 2004 (extended SSO, bi-directional password sync); Authorization Manager; web SSO with partner products
- Windows Server 2003 R2: AD Federation Services in R2 (2H05) (cross-organizational identity federation, web SSO); ADAM Synchronizer; MIIS 2003 SP1 (CY04) (broader reach, password synchronization, MA SDK, workflow and approvals); MIIS 3.5 (CY05) (declarative provisioning, user self-service, audit/reporting module); Audit Collection System (CY04)
- Windows Longhorn Server: AD manageability and security enhancements; deploy AD alongside rather than as an upgrade replacement; begin transition to a claims-based access management model; simplified and secure digital identity consumer experience

Resources
- Microsoft Identity & Access Series: http://www.microsoft.com/technet/security/topics/identitymanagement/idmanage/default.mspx
- Microsoft Identity Integration Server 2003: http://microsoft.com/miis
- Active Directory & ADAM: http://microsoft.com/adam
- Microsoft IdM Portal: http://www.microsoft.com/idm
- MSDN: http://msdn.microsoft.com

Next steps
- Build the enterprise directory infrastructure with Active Directory and ADAM
- Connect to other systems with MIIS
- Develop applications based on .NET and the IAM architecture
- Join the Microsoft IAM online community: http://www.microsoft.com/windowsserver2003/community/centers/directoryservices/default.mspx
