TRANSCRIPT
Enterprise Identity
Steve Plank – Microsoft
Hugh Simpson-Wells – Oxford Computer Group
Dave Nesbitt – Oxford Computer Group
Agenda
• Overview of Enterprise Identity Challenges/Solutions
• Individual Group Discussions (led)
• Large Group “Debate”
The Digital Identity Lifecycle
[Diagram: roles shown on the lifecycle diagram are Director, Service Manager, Product Manager, PA, Sales Person, Customer Service, Engineer, HR Admin and Call Handler.]
The Digital Identity Lifecycle
• Roles are defined (Role 1 to Role 5 on the diagram)
• People are hired
• People change role
• People are fired (they leave of their own accord too!)
• A business owns critical assets
• They access critical assets
[Diagram labels: Joining Identities, Identity Data Aggregation, Identity Data Enforcement, Identity Data Brokering, Access Management, Hire/Fire Scenario.]
Hire Scenario
[Diagram: the HR System and the Contractor System feed each change (Δ) to the Provisioning System or Metadirectory, which creates the new joiner's accounts in the connected systems: Application Directory, Infrastructure Directory, Database, LOB App and E-mail. Connectors shown: LDAP, LDAP, SQL, API.]
Fire Scenario
[Diagram: the same topology as the Hire Scenario; the leaver's change (Δ) from the HR System or Contractor System flows through the Provisioning System or Metadirectory to the Application Directory, Infrastructure Directory, Database, LOB App and E-mail, so the accounts are deprovisioned everywhere. Connectors shown: LDAP, LDAP, SQL, API.]
Metadirectory: Join, Attribute Flow, Enforcement…
[Diagram: four connected systems (HR System, Application Directory, Infrastructure Directory, E-mail System) each hold a record for the same person with the attributes givenName, sn, title, mail, employeeID and telephone, and each spells him differently:
• Clark Kent, title Reporter, employeeID 007
• Klarek Cennt, employeeID 008
• Clark Kenntt
• Klarke Kent, title Reporter, telephone 867-5309
The record with employeeID 007 is projected to the metadirectory (“Project to Metadirectory”); the others are marked JOINED once matched, by “Join on employeeID”, “Join on mail”, or a Manual Join for the record whose employeeID (008) does not match. The telephone +44 123 456 7890 appears on the joined records.]
Metadirectory: Identity Joining Scenario
[Diagram: the same four systems after join and attribute flow. The starting records (Klarek Cennt, 008; Clark Kenntt; Klarke Kent, Reporter, 867-5309; Clark Kent, Reporter, 007) are joined to one metadirectory object (Clark Kent, 007, +44 123 456 7890, title Superhero), and enforcement writes the canonical Clark Kent, 007, +44 123 456 7890 back to every connected system.]
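Added example, not part of the slides: a toy metadirectory in Python that projects the HR record, joins the other systems' records on employeeID and then mail, falls back to an operator's manual join, flows attributes by precedence, and computes what enforcement would write back. Names, ids and phone numbers are the slide's; which system holds which record, the mail values, the precedence order and the manual-join table are assumptions made for the example.

```python
ATTRS = ("givenName", "sn", "title", "mail", "employeeID", "telephone")

def rec(givenName, sn, title=None, mail=None, employeeID=None, telephone=None):
    return dict(zip(ATTRS, (givenName, sn, title, mail, employeeID, telephone)))
# Constructed sample, one record per connected system for the same person: names, ids
# and phone numbers are the slide's; the system assignment and mail values are assumptions.
CONNECTED = {
    "HR System": rec("Clark", "Kent", "Reporter", mail="clark.kent@example.com", employeeID="007"),
    "Infrastructure Directory": rec("Clark", "Kenntt", employeeID="007", telephone="+44 123 456 7890"),
    "E-mail System": rec("Klarke", "Kent", "Reporter", mail="clark.kent@example.com", telephone="867-5309"),
    "Application Directory": rec("Klarek", "Cennt", mail="ckent@example.com", employeeID="008"),
}
JOIN_RULES = ("employeeID", "mail")                        # tried in this order, as on the slide
MANUAL_JOINS = {("Application Directory", "008"): "007"}  # operator decisions: (system, id) -> object
# Attribute flow precedence: the first listed system that holds a value for an attribute wins.
PRECEDENCE = ["HR System", "Infrastructure Directory", "E-mail System", "Application Directory"]

def join(connected=CONNECTED):
    """Project the HR record, then join every other record; returns (metaverse, how-joined)."""
    metaverse = {connected["HR System"]["employeeID"]: {"HR System": connected["HR System"]}}
    how = {"HR System": "projected"}                    # projection: HR is authoritative
    for system, r in ((s, rr) for s, rr in connected.items() if s != "HR System"):
        for rule in JOIN_RULES:
            hits = [k for k, m in metaverse.items() if r[rule] and any(mem[rule] == r[rule] for mem in m.values())]
            if len(hits) == 1:                          # exactly one candidate: safe to join
                metaverse[hits[0]][system] = r
                how[system] = f"join on {rule}"
                break
        else:                                           # no rule matched: an operator decides
            key = MANUAL_JOINS.get((system, r["employeeID"]))
            how[system] = "manual join" if key else "unjoined"
            if key:
                metaverse[key][system] = r
    return metaverse, how

def flow(members):
    """Attribute flow: each attribute comes from the highest-precedence source that has it."""
    sources = [members[s] for s in PRECEDENCE if s in members]
    return {a: next((src[a] for src in sources if src[a]), None) for a in ATTRS}

def enforce(metaverse):
    """Enforcement: per connected system, the attributes that would be rewritten, as (old, new)."""
    changes = {}
    for members in metaverse.values():
        mv = flow(members)
        for system, r in members.items():
            diff = {a: (r[a], mv[a]) for a in ATTRS if mv[a] and r[a] != mv[a]}
            if diff:
                changes[system] = diff
    return changes
```

A real metadirectory would only auto-join on exactly one candidate, as `join` does; anything ambiguous or unmatched stays in the "unjoined" queue for a person to decide.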
Single Sign On
• Simple SSO
  • Single Authentication Authority, Single Server
  • Single Authentication Authority, Multiple Server
• Complex SSO
  • Single Credential Set
    • Token Based SSO
    • PKI Based SSO
  • Multiple Credential Set
    • Credential Sync (Consistent Sign On)
    • Client-side Credential Mapping
    • Server-side Credential Mapping
Simple SSO
[Diagram: one Authentication Service with its Credential Store (probably an LDAP directory); each client performs a single AuthN Exchange with it; the Resource Servers trust the Authentication Service and perform Token Validation; Replication is shown between the credential stores.]
No SSO
[Diagram: two independent Authentication Services, each with its own Credential Store (probably an LDAP directory); the client performs a separate AuthN Exchange with each.]
Complex SSO: 1 Credential, Token-based
[Diagram: two Authentication Services, each with its own Credential Store (probably an LDAP directory). The client performs one AuthN Exchange with the first service and receives a Temp Token; it presents the Temp Token to the second service, which accepts it because of the Trust between the two services.]
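Added example, not from the slides: the token-based exchange in Python, with both sides. Service A runs the single AuthN Exchange against its credential store and issues a short-lived Temp Token; service B validates the token on the strength of the trust (a shared signing key looked up by key id) without a second AuthN Exchange, and rejects tampered, mis-addressed or expired tokens. The credential, key id, issuer and audience names are constructed for the example.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed sample: service A's credential store (the slide's "probably LDAP directory")
# holds a salted PBKDF2 hash of the password, never the password itself.
_SALT = b"example-salt-16b"
def _hash(pw):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), _SALT, 100_000)
CREDENTIAL_STORE_A = {"fsmith": _hash("correct horse battery")}

# The Trust between the two services: a shared signing key that B looks up by key id.
TRUST_KEY_ID = "authsvc-a-key-1"                          # constructed identifier
TRUST_KEYS = {TRUST_KEY_ID: secrets.token_bytes(32)}     # in memory only, for the example

def _b64(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _unb64(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def authn_exchange(user, password, now=None):
    """Service A: the single AuthN Exchange. Returns a short-lived Temp Token, or None."""
    stored = CREDENTIAL_STORE_A.get(user)
    if stored is None or not hmac.compare_digest(stored, _hash(password)):
        return None
    claims = {"sub": user, "iss": "authsvc-a", "aud": "authsvc-b",
              "exp": int(now or time.time()) + 300, "kid": TRUST_KEY_ID}
    body = json.dumps(claims).encode()
    sig = hmac.new(TRUST_KEYS[TRUST_KEY_ID], body, "sha256").digest()
    return _b64(body) + "." + _b64(sig)

def validate_token(token, now=None):
    """Service B: accept the Temp Token on the strength of the Trust, with no second AuthN Exchange."""
    try:
        body_s, sig_s = token.split(".")
        body, sig = _unb64(body_s), _unb64(sig_s)
        claims = json.loads(body)
        key = TRUST_KEYS[claims["kid"]]                 # unknown key id: not a trusted issuer
    except (ValueError, KeyError, TypeError):
        return None
    if not hmac.compare_digest(hmac.new(key, body, "sha256").digest(), sig):
        return None                                     # tampered, or not signed by A
    if claims.get("iss") != "authsvc-a" or claims.get("aud") != "authsvc-b":
        return None                                     # token meant for another service
    if claims.get("exp", 0) < (now or time.time()):
        return None                                     # temp token has expired
    return claims["sub"]
```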
Consistent Sign On: Password Sync
[Diagram: two Authentication Services, each with its own Credential Store (probably an LDAP directory); the client performs an AuthN Exchange with each, using the same password. A PW trap on the first store captures the plaintext pw when it is set and hands it to the Password Copy Service; the Password Crypto System turns the plaintext pw into ciphertext pw for transport, and the Password Crypto System on the other side turns the ciphertext pw back into plaintext pw to set it in the second store.]
Normalize identities – metadirectory
Complex SSO – Client Cache
[Diagram: two Authentication Services, each with its own Credential Store (probably an LDAP directory); the client keeps a Password Cache and performs a separate AuthN Exchange with each service using the cached credentials.]
Complex SSO – Server Cache
[Diagram: two Authentication Services, each with its own Credential Store (probably an LDAP directory); a Client-Installed SSO Agent fetches the password for each service from a server-side store and performs the AuthN Exchange with each.]
Complex SSO – Server Cache (client-side agent)
Client
• SSO Agent detects login dialog
• Retrieves credentials from ID store & fills in dialog
[Diagram: a Login dialog with User-id and Password fields; an ID Store holding a User object whose SSO attributes are User-id: FSmith and Password: *****; the Client-side SSO Agent reads them and fills in the dialog.]
Client-side SSO Agent
• Understands password change dialogs
• Auto-generates new passwords
Review
• Overview of Enterprise Identity Challenges/Solutions
• Individual Group Discussions (led)
• Large Group “Debate”