
Page 1: Access Management Rafal Lukawiecki Strategic Consultant, Project Botticelli Ltd rafal@projectbotticelli.co.uk  Copyright 2006

Access Management

Rafal Lukawiecki
Strategic Consultant, Project Botticelli Ltd
rafal@projectbotticelli.co.uk
www.projectbotticelli.co.uk

Copyright 2006 © Microsoft Corp & Project Botticelli Ltd. E&OE. For informational purposes only. No warranties of any kind are made and you have to verify all information before relying on it. You can re-use this presentation as long as you read, agree, and follow the guidelines described in the “Comments” field in File/Properties. This presentation is based on work of many authors from Microsoft, Oxford Computer Group and other companies. Please see the “Introductions” presentation for acknowledgments.

Page 2: Objectives

Discuss the challenge of coordinating access management in heterogeneous systems
Suggest several options for building Single Sign-On solutions
Overview the issue of extending corporate access management to the outside world

Page 3: Session Agenda

Enterprise Single Sign-On
  Windows
  UNIX/Linux
  Partner Solutions
Authorization Manager
Active Directory Federation Services

Page 4: Microsoft’s Identity Management

Diagram of the product map, grouped under Directory (Store) Services, Access Management and Identity Lifecycle Management:
PKI / CA
Extended Directory Services
Active Directory & ADAM
Enterprise Single Sign On
Authorization Manager
Active Directory Federation Services
Audit Collection Services
BizTalk
Identity Integration Server
ISA Server
SQL Server Reporting
Services for Unix / Services for Netware

Page 5: Enterprise Single Sign-On (section)

Page 6: Enterprise Single Sign-On (ESSO)

Single Sign-On:
  Ability of a user to be given access to multiple resources after a single authentication operation, i.e.
  All further authorizations ought to happen “in the background” without requiring any further input from the user
ESSO
  Generally easier to implement than Web-SSO, as access to centralised metadirectory may be possible (MIIS)

Page 7: Kerberos v5

Standards-based mechanism for providing distributed ESSO
Used by Windows, UNIX and some Linux
Well-tested and resilient design
Most often, perfectly sufficient and the best choice
Why do we need anything else, then?
1. Not everyone wants to use it, e.g. some mainframe host systems, specialised apps etc.
2. Disconnected, or incompatible domain forests or credential realms do not work without a Kerberos-to-Kerberos integration solution, e.g. Windows Kerberos to UNIX Kerberos

Page 8: Windows Server Authorization, Standards-Based

Diagram of the authentication paths into Active Directory:
Kerberos
X509
LDAP Bind
PEAP (network)
802.1x (network)
RADIUS (network)
Integrated PKI
  Multi-Factor authentication
  Auto-enrollment/renewal
Single Sign-on
  Kerberos Applications
  Windows Integrated Apps
Role-Based Access Control
  Authorization Manager
Client types shown: Multi-Factor, User/Password, Wireless, Internet/Remote

Page 9: Single Sign-on

Active Directory w/ Integrated Kerberos KDC
Logon to Windows
Single Sign-on to: Windows File servers, Exchange email, SQL Server, 3rd Party Integrated Apps (see above), Unix / Linux OS & Integrated Apps
Diagram nodes: Exchange, Web Applications, File Servers, Windows Integrated Applications, Unix / Linux Hosts (Oracle, SAP, etc.); Kerberos Tickets flow from the KDC to the resources
Kerberos
  Native AuthN protocol for Windows
  MIT v5 Compliant
  Carries authorization info in PAC
  Windows PAC is open
Unix Services that use Kerberos
  Login, rlogin, telnet, ftp
  Also Apache (native), J2EE possibilities
  Example Partner Solution: Vintela, Centrify

Page 10: UNIX/Linux

Services for UNIX included and improved in Windows Server 2003 R2
Will deal with most standard UNIX ways of managing logins/passwords such as NIS
Does not deal with 3rd-party directory services for UNIX
For more complex needs, use:
  Vintela (Quest) – www.vintela.com
  Centrify – www.centrify.com
All of these can work with or without MIIS, but good Identity Lifecycle Management is important, hence MIIS is recommended

Page 11: ISA Server 2004 (Internet Security and Acceleration Server)

Diagram: Resource Side and Account Side, each behind a Firewall (ISA Server), connected over VPN and IPSec; Partners, Virtual Employees and Customers connect from outside
Apart from fulfilling security and performance needs (firewall, gateway, cache etc.), ISA 2004 extends ESSO across private networks (VPN, IPSec)
ISA is, effectively, an access control gateway in this scenario

Page 12: Authorization Models on the Windows Platform

Windows ACL model
COM+ roles
.NET roles
ASP.NET URL Authorization
Role Based Authorization APIs (AzMan) on Windows 2003, 2000
AccessCheck()
URL Authorization in IIS 6

Page 13: Authorization Manager (section)

Page 14: Authorization Manager (AzMan)

Microsoft tool and service for managing Role-Based Access Control (RBAC)
Strong developer-oriented API, so a number of partner solutions rely on it
Ships with Windows Server 2003 R2

Page 15: Authorization Manager

Role-Based Access Management
  Manage user access based on organizational role
  Integrated with Active Directory (both “normal” infrastructure AD and Application Mode, ADAM)
  Roles can be assigned based on business rules
Abstracts access logic from the application
  Roles can change w/o modifying the application
  URL or application level access checks
Access Management Console
  Delegation of role and policy management
  Scope and business policy definition
  Static role assignment

Page 16: RBAC or RBRBAC?

Role Based Access Control can be implemented using traditional methods, such as groups and ACLs
  Role is represented by membership in a group
However, it seems easier to represent roles in terms of rules
In fact, AzMan does that very well
Should we call it Role Based Rule Based Access Control, or RBRBAC? :)

Page 17: AzMan deployment (diagram)

Diagram: a FIREWALL separates Customer via Internet and Employee via Internet from the Internal Employee; AzMan, ADAM and AD sit inside, labelled AuthN and AuthZ; Intranet & Extranet Apps use the AzMan AuthzAPI & PolicyStore

Page 18: Deployment – RBAC Management

Policy Store: Storage in AD, ADAM, XML
Role: Permissions needed to do a job
Task: Work units that make sense to administrators
Operation: Application action that developer writes dedicated code for.
Design diagram (XML Policy Store):
  Roles: Auditor, Acct Rep, Buyer, Change Approver
  Tasks: Approve/Deny Payment, Approve/Reject Report, Submit Report, Cancel Report, Check Status
  Operations: Database Operation, Web Operation, Directory Operation, Payment System Operation

Page 19: Role Assignments

Role Definitions (Web Ordering Application): Buyer, Auditor, Acct Rep
Role Assignment – Buyer: email = *@ADatum.com
Role Assignment – Acct Rep: Group = Dept01Manager
Role Assignment – Auditor: (Group = TreyAuditor) && (Status = Active)
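The role/task/operation hierarchy from the Deployment slide and the rule-based assignments above (the RBRBAC idea from slide 16), worked through as an added Python model that is not AzMan's own API; which tasks each role holds, which operations each task needs, and the sample users are assumptions made for the example:

```python
"""AzMan-style role-based, rule-based access control (RBRBAC).

Added illustration of the slides' hierarchy (policy store -> application
-> roles -> tasks -> operations); it is not the AzMan API. Which tasks
each role holds is an assumption made for this example; the assignment
rules are the ones shown on the Role Assignments slide.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Callable, Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class User:
    name: str
    email: str
    groups: FrozenSet[str]
    status: str  # e.g. "Active" or "Disabled"


Rule = Callable[[User], bool]  # business rule evaluated at access-check time


@dataclass
class Application:
    """One application's policy inside the store."""
    name: str
    # task -> operations: the actions the developer wrote dedicated code for
    tasks: Dict[str, FrozenSet[str]] = field(default_factory=dict)
    # role -> tasks: the permissions needed to do a job
    roles: Dict[str, FrozenSet[str]] = field(default_factory=dict)
    # role -> assignment rules; matching any one of them grants the role
    assignments: Dict[str, List[Rule]] = field(default_factory=dict)


def group_rule(group: str) -> Rule:
    """Traditional RBAC: the role is represented by membership in a group."""
    return lambda u: group in u.groups


def email_rule(pattern: str) -> Rule:
    """Rule-based assignment on an attribute, e.g. email = *@ADatum.com."""
    return lambda u: fnmatch(u.email.lower(), pattern.lower())


def roles_for(app: Application, user: User) -> Set[str]:
    """Roles the user holds right now: rules are re-evaluated on every call."""
    return {role for role, rules in app.assignments.items()
            if any(rule(user) for rule in rules)}


def access_check(app: Application, user: User, operation: str) -> bool:
    """AccessCheck: is the operation reachable through any task of any role
    the user holds? The application only asks about operations, so roles
    and tasks can be re-wired by administrators without code changes."""
    return any(operation in app.tasks.get(task, frozenset())
               for role in roles_for(app, user)
               for task in app.roles.get(role, frozenset()))


def web_ordering_application() -> Application:
    """The 'Web Ordering' application from the slides (task wiring assumed)."""
    app = Application(name="Web Ordering")
    app.tasks = {
        "Submit Report": frozenset({"WebOperation", "DatabaseOperation"}),
        "Cancel Report": frozenset({"WebOperation", "DatabaseOperation"}),
        "Check Status": frozenset({"WebOperation"}),
        "Approve/Reject Report": frozenset({"DatabaseOperation", "DirectoryOperation"}),
        "Approve/Deny Payment": frozenset({"PaymentSystemOperation"}),
    }
    app.roles = {
        "Buyer": frozenset({"Submit Report", "Cancel Report", "Check Status"}),
        "Acct Rep": frozenset({"Approve/Reject Report", "Check Status"}),
        "Auditor": frozenset({"Check Status"}),
        "Change Approver": frozenset({"Approve/Deny Payment"}),  # defined, not yet assigned
    }
    app.assignments = {
        "Buyer": [email_rule("*@ADatum.com")],
        "Acct Rep": [group_rule("Dept01Manager")],
        "Auditor": [lambda u: "TreyAuditor" in u.groups and u.status == "Active"],
    }
    return app


# Constructed sample users (not from the slides).
ALICE = User("alice", "alice@adatum.com", frozenset(), "Active")
BOB = User("bob", "bob@treyresearch.net", frozenset({"Dept01Manager"}), "Active")
CAROL = User("carol", "carol@treyresearch.net", frozenset({"TreyAuditor"}), "Disabled")
DAVE = User("dave", "dave@treyresearch.net", frozenset({"TreyAuditor"}), "Active")
```

Note that carol, although in TreyAuditor, gets no role while her status is not Active, and that granting Change Approver to a group later changes what bob may do without touching access_check.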

Page 20: Authorization & Auditing

Diagram: line-of-business applications (LOB1–LOB5, HR, Web app) backed by the Infrastructure Directory (AD) and 3rd party LDAP directories, with Authorization Manager and Audit collection (ACS)
1. App performs role-based authorization via Authorization Manager
2. Audit collection via ACS

Page 21: Authorization Manager (AzMan) GUI

Snap-in installed from Administrator Pack
Works with XML, ADAM, & Active Directory stores
Multiple Applications
Application groups
  Store-level (global to applications in store)
  Assign store-level groups to application roles
Longhorn Improvements
  Better Rules Support
  UI Flexibility
  Perf/Query Optimizations

Page 22: Active Directory Federation Services (section)

Page 23: ADFS. Why?

Obviously, this is Web-SSO (Single Sign-On)
Less obviously, much more importantly:
  Step towards Identity Metasystem
  Today, ADFS makes your system compliant with WS-* Security Guidelines, and, as such, interoperable with almost anything else!
Perhaps the most important IAM development of recent years

Page 24: AD Federation Services – Formerly Code-Named “TrustBridge”

Makes Active Directory available externally
Single solution for Web SSO and Federated ID
Ships with Windows Server 2003 R2
Built using the WS-* Standards
  WS-Federation
  WS-Trust
  WS-Security
Key Scenarios
  B2C Web SSO
  Internal Federated Identity
  B2B Federated Identity

Page 25: Active Directory Federation Services – Scenario: Federated Identity

Single Sign-on across security boundaries (internal & external)
Support for browser-based clients (future support of smart clients)
Interoperable through WS-* Standards
Credentials are managed at the “Account Side”
Diagram: Business Partners on the Account Side federate with the Resource Side
Cross Organization Namespace manages:
  Trust -- Keys
  Security -- Claims required
  Privacy -- Claims allowed
  Audit -- Identities, authorities

Page 26: ADFS Architecture

Active Directory (2K, 2K3, ADAM)
  Authenticates users
  Manages attributes
Federation Service (FS)
  STS (security token service)
  Issues security tokens
  Populates claims
    Statements an authority makes about security principals
  Manages federation trust policy
FS Proxy (FS-P)
  Client proxy for token requests
  Provides UI for browser clients
Web Server SSO Agent
  Enforces user authentication
  Creates user authorization context
Diagram: on each side a browser, a Web Server (Application, SSO Agent), FS, FS-P and AD or ADAM; links labelled HTTPS, LPC/Web Methods, Windows Authentication/LDAP
Application (authorization)
  NT Impersonation and ACLs
  ASP.NET IsInRole()
  AzMan RBAC integration
  ASP.NET Raw Claims API
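The Account-side/Resource-side exchange described on the two slides above, as an added Python illustration that is not ADFS code and does not use the WS-Federation message format; the realm names, the directory entries, and the shared HMAC key standing in for X.509 signatures are assumptions made for the example:

```python
"""Federated identity exchange modelled on the ADFS roles in the slides.

Added illustration, not ADFS code or the WS-Federation wire format: the
Account-side FS (STS) authenticates against its own directory and issues
a token of claims filtered by privacy policy; the Resource-side FS checks
it against its federation trust policy; the Web Server SSO Agent builds
the authorization context. Assumption: tokens carry an HMAC under a key
shared by the two realms, standing in for real X.509 signatures.
"""
import hashlib
import hmac
import json

TOKEN_LIFETIME = 300  # seconds; assumed value

def _pw_hash(password: str) -> str:
    """Stand-in for AD's own authentication (Kerberos/LDAP) in this example."""
    return hashlib.sha256(password.encode()).hexdigest()

class AccountSideFS:
    """STS at the organisation that owns the accounts."""
    def __init__(self, realm, directory, key, claims_allowed):
        self.realm = realm
        self.directory = directory  # username -> {"pw": hash, "attributes": {...}}
        self.key = key
        self.claims_allowed = claims_allowed  # partner realm -> claims allowed (Privacy)

    def issue_token(self, username, password, audience, now):
        entry = self.directory.get(username)
        if entry is None or not hmac.compare_digest(entry["pw"], _pw_hash(password)):
            return None  # authentication failed: no token is issued
        allowed = self.claims_allowed.get(audience, set())
        claims = {k: v for k, v in entry["attributes"].items() if k in allowed}
        body = {"issuer": self.realm, "audience": audience, "subject": username,
                "claims": claims, "exp": now + TOKEN_LIFETIME}
        payload = json.dumps(body, sort_keys=True)
        sig = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        return {"payload": payload, "sig": sig}

class ResourceSideFS:
    """FS at the organisation hosting the application. trust_policy maps an
    issuer realm to {"key": ..., "required": set of claim names}, i.e. the
    slide's Trust (keys) and Security (claims required)."""
    def __init__(self, realm, trust_policy):
        self.realm = realm
        self.trust_policy = trust_policy

    def validate(self, token, now):
        """Return (ok, reason, body); the reason is what an auditor would log."""
        body = json.loads(token["payload"])
        policy = self.trust_policy.get(body.get("issuer"))
        if policy is None:
            return False, "untrusted issuer", None
        expected = hmac.new(policy["key"], token["payload"].encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token["sig"]):
            return False, "bad signature", None
        if body.get("audience") != self.realm:
            return False, "wrong audience", None
        if body["exp"] <= now:
            return False, "expired", None
        missing = policy["required"] - set(body["claims"])
        if missing:
            return False, "missing required claims: " + ", ".join(sorted(missing)), None
        return True, "ok", body

def sso_agent_context(fs, token, now):
    """Web Server SSO Agent: enforce authentication, then build the context
    the application consumes (IsInRole-style roles plus the raw claims)."""
    if token is None:
        return {"authenticated": False, "reason": "no token"}
    ok, reason, body = fs.validate(token, now)
    if not ok:
        return {"authenticated": False, "reason": reason}
    return {"authenticated": True,
            "principal": f"{body['subject']}@{body['issuer']}",
            "roles": set(body["claims"].get("roles", [])),
            "claims": body["claims"]}

# Constructed scenario: ADatum (account side) federates with Trey Research
# (resource side). Realms, key and attributes are made up for this example.
SHARED_KEY = b"constructed-shared-key"
ADATUM_DIRECTORY = {"alice": {"pw": _pw_hash("correct horse"),
                              "attributes": {"email": "alice@adatum.com",
                                             "roles": ["Buyer"], "salary": 50000}}}

def build_scenario():
    account = AccountSideFS("adatum.com", ADATUM_DIRECTORY, SHARED_KEY,
                            {"treyresearch.net": {"email", "roles"}})  # salary never leaves
    resource = ResourceSideFS("treyresearch.net", {"adatum.com": {
        "key": SHARED_KEY, "required": {"email", "roles"}}})
    return account, resource
```

The salary attribute never reaches the resource side because the account side's privacy policy does not allow it, while a token lacking a required claim, carrying a bad signature, issued by an untrusted realm, or past its expiry is refused before any authorization context exists.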

Page 27: WS-Federation – Cross-organization, multi-vendor interoperability

Web Services Federation Language
Defines messages to enable security realms to federate & exchange security tokens
Built upon WS-Security, WS-Trust
Wide industry support
  Authors: BEA, IBM, Microsoft, RSA, VeriSign
  Participants: OpenNetwork, Oblix, Netegrity, PingID
Two “profiles” of the model defined
  Passive (web browser) clients – HTTP/S (now)
  Active (smart/rich) clients – SOAP (future)
Diagram: a Security Token Service with an HTTP Receiver for HTTP messages (now) and a SOAP Receiver for SOAP messages (future)

Page 28: Active Directory Federation Services – Scenario: Enterprise Web Single Sign-on

Single Sign-on to a Farm of Web Applications
Support for browser-based (future smart client support)
Access managed by IT via roles (RBAC)
Uses AD in domain mode or application mode
Credentials managed in AD at the resource side
Diagram: Customers, Business Partners and Employees all sign on to the Resource Side

Page 29: Benefits of ADFS

Extends the value of your AD infrastructure
  Step towards AD as a service for SOA
  Enables Web Single Sign-on
  B2B/B2C Commerce and Collaboration
Interoperable with Existing Security Systems
  Based on WS-* specifications
  Supports multiple security tokens (e.g. SAML, Kerberos, X.509, etc.)
Improves Security
  Accounts are managed by the user organization
  Cross organizational trust management and auditing
Lower partner/supplier adoption risks
  Standards based infrastructure
  Broad interoperability with other IdM Vendors

Page 30: Identity Chaining and Referral?

Vision: If, and when, technologies such as ADFS become more widely used, perhaps with an Identity Metasystem emerging…
…it may become possible for an organisation to rely on identity claims issued by another organisation…
…thus removing need to create yet-another-authentication-system
Examples
1. A bank relying on another bank’s issued digital ID, because those banks trust each other
2. Small and medium organisations with a web presence can rely on identities provided by a government or, perhaps, another respected public body

Page 31: InfoCard

Microsoft project for introducing a Windows-based common user interface, developer API and subsystem for handling multiple digital identities
Part of the Identity Metasystem vision
Planned for Windows Vista/Longhorn Server timeframe
Part of WinFX
Goal: make it easy for the user to engage in identity authentication
Benefit: no more end-user confusion, hence phishing attacks mitigated

Page 32: Summary (section)

Page 33: IAM in Windows Server 2003 R2

Identity Management: Extend value of Active Directory deployments to facilitate secure collaboration with partners
Application Platform: Extend value of Windows Server identity services in internet-facing web environments
Diagram: Company A (IIS, AD) federating with Company B
SSO to partner apps
Centralized, policy-based access control to partner apps
Secure tokens replace passwords “in the clear”
Interoperability with heterogeneous systems via WS-*
Extranet authentication & SSO
Delegated user admin to trusted partners
RBAC with AzMan extranet authorization
AD Application Mode (LDAP)
Federated SharePoint

Page 34: Summary

Achieving Single Sign-On requires a number of specialised technologies, some older (Kerberos, RAS, ISA…) and some newer, like ADFS and AzMan
The way to the future lies in building standards-based Identity Metasystems, outside and across enterprise boundaries
Access Management becomes easier if integrated with Identity Lifecycle Management
www.microsoft.com/idm & www.microsoft.com/itsshowtime & www.microsoft.com/technet

Page 35: Special Thanks

This seminar was prepared with the help of:
Oxford Computer Group Ltd
  Expertise in Identity and Access Management (Microsoft Partner)
  IT Service Delivery and Training
  www.oxfordcomputergroup.com
Microsoft, with special thanks to:
  Daniel Meyer – thanks for many slides
  Steven Adler, Ronny Bjones, Olga Londer – planning and reviewing
  Philippe Lemmens, Detlef Eckert – Sponsorship
  Bas Paumen & NGN – feedback