Identity Lifecycle Management
Rafal Lukawiecki
Strategic Consultant, Project Botticelli Ltd
rafal@projectbotticelli.co.uk
www.projectbotticelli.co.uk

Copyright 2006 © Microsoft Corp & Project Botticelli Ltd. E&OE. For informational purposes only. No warranties of any kind are made and you have to verify all information before relying on it. You can re-use this presentation as long as you read, agree, and follow the guidelines described in the “Comments” field in File/Properties. This presentation is based on work of many authors from Microsoft, Oxford Computer Group and other companies. Please see the “Introductions” presentation for acknowledgments.

Posted on 19-Dec-2015 (39 slides)

Page 1
Identity Lifecycle Management (title slide: speaker, contact details and copyright notice as above)

Page 2
Objectives
Introduce Microsoft Identity Integration Server and related products and technologies
Explain the processes involved in lifecycle management

Page 3
Session Agenda
Functionality of Microsoft Identity Integration Server
Scenarios and Applications of MIIS
A Few Tips on MIIS

Page 4
Microsoft’s Identity Management (diagram)
The diagram arranges Microsoft’s identity products across three areas: Directory (Store) Services, Access Management and Identity Lifecycle Management. Products shown:
PKI / CA
Extended Directory Services
Active Directory & ADAM
Enterprise Single Sign On
Authorization Manager
Active Directory Federation Services
Audit Collection Services
BizTalk
Identity Integration Server
ISA Server
SQL Server Reporting
Services for Unix / Services for Netware

Page 5
Functionality of Microsoft Identity Integration Server

Page 6
What is MIIS?
MIIS is…
Rock-solid synchronization engine for identity information
Software that ensures consistency of identity data across repositories
MIIS makes it radically easier to design, deploy and manage a metadirectory across an enterprise of any size

Page 7
IIFP - Identity Integration Feature Pack for Windows Server 2003
Subset of MIIS functionality available free of charge as download
Synchronisation with only the following stores:
  Active Directory
  ADAM
  Exchange 2000/3 Server

Page 8
MIIS: Identity Lifecycle Management (diagram of the four lifecycle phases)
New User: User ID Creation; Credential Issuance; Access Rights
Account Changes: Promotions; Transfers; New Privileges; Attribute Changes
Password Mgmt: Strong Passwords; “Lost” Password; Password Reset
Retire User: Delete/Freeze Accounts; Delete/Freeze Entitlements

Page 9
MIIS Capabilities & Benefits
Key capabilities:
  Identity Synchronization
  Provisioning & Deprovisioning
  Password Management
  “Agentless” connection to heterogeneous systems
Key benefits:
  Easy to deploy
  Easy to translate business rules into MIIS
  Easy to build solution over time
  Robust and Scalable
  Low cost
  State Based
Diagram labels: Identity Data; LDAP; SQL; NOS; LOB Apps

Page 10
Metadirectory Concept
Represents all identity information from all connected data sources
Through a mechanism of rules, allows even the most intricate relationships to be maintained between seemingly incompatible identity management systems
The “heart” of the MIIS system

Page 11
Scenario – Join/Leave
Diagram labels: Join/Leave; Provisioning; RBAC; HR, AD, Email and LDAP stores around MIIS
Example: University of West England
  40,000 Students
  8,000 new students each year
  Provisioned into 4 systems (including AD, Exchange, NT, HR)
  Immediate savings of £50k/year

Page 12
Scenario – Password
Diagram labels: Join/Leave; Provisioning; RBAC; Portal; Self-service/helpdesk; ID data/passwords; AD, LDAP and Email stores around MIIS; User Change; Helpdesk Reset; PCNS; User Reset?; Web Applications
Example: Elsevier
  Passwords managed across AD, Lotus Notes, Sun ONE

Page 13
Scenario – Portal
Diagram labels: Join/Leave; Provisioning; RBAC; Portal; Self-service/helpdesk; ID data/passwords; Portals; AD, LDAP, Email, HR and ADAM stores around MIIS; Web Application

Page 14
Most Typical Implementations
White Pages
Directory Synchronization
Identity Administration / Self Service

Page 15
MIIS Terms
Connected Data Source (CD): any source and/or destination containing identity data
Management Agent (MA): facilitates the communication between CD and CS and MV
Connector Space (CS): staging area (SQL) for inbound or outbound synchronized attributes
Metaverse (MV): central (SQL) store of identity information. Matching CS entries to a single MV entry is called “join”
Diagram labels: CD; MA; CS; MV; MIIS

Page 16
MIIS Concepts
MV entries are linked to CS entries through:
  Projection
  Provisioning a connector
  Joining
CS entries represent objects in Connected Data Sources
Synchronization is between MV and CS
Staging is from CD to CS
Export is from CS to CD
Diagram labels: MIIS containing the Metaverse (MV) and the Connector Space (CS); Connected Data Sources (CD): User, Notes, Oracle, SQL, SAP
Let’s zoom in on what MIIS does

Page 17
MIIS Sequence Of Events
Oracle HR database staged and projected
Provision and export to SQL-based approval system
Manager approval app causes import and delta synchronization
Sun One and Notes connectors provisioned and exported
Diagram labels: Connected Data Sources (CD): User, Oracle, SQL, Notes, SAP; Metaverse (MV); Connector Space (CS)

Page 18
Object creation
Diagram: Person Object in the CD (HR), in the CS (with its Connector) and in the MV; Provision Step through the MV Rules Extension
1) HR MA imports new user object
2) Project new user
3) Create new connector
4) Set Anchor Value
5) Set other initial values
6) Export attribute flow
7) Normal MA Export Run (creates object in CD)

Page 19
Object Deletion
Note: Deprovision does not necessarily mean delete
Diagram: Person Object in the CD (HR), in the CS (with its Connector) and in the MV; connector filter “status=terminated” satisfied; CS Object becomes disconnector; MV Object deleted; Deprovision through the MA Rules Extension, with the options: Make normal disconnector, Make explicit disconnector, Delete Object, Custom extension; Disconnector cleanup
1) HR MA imports user object with status = “terminated”
2) Object deletion rule applies
3), 4) MV Object deleted; CS Object becomes disconnector (Deprovision)
5) MA Export deletes CD object
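The object creation and object deletion sequences above, together with the CD/MA/CS/MV terms from pages 15 and 16, as a small Python model added here for illustration. It is not MIIS code and not the MIIS rules-extension API; everything in it is assumed: the join rule on employeeID, the attribute names, the per-target deprovision policy ("disable" for AD, "delete" for Notes) and the HR record, which is constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class CSEntry:
    """One connector-space (CS) object, staged from or destined for a connected data source."""
    ma: str                          # management agent that owns this connector space
    anchor: str                      # anchor value: the object's identity in the CD
    attrs: dict
    mv_id: Optional[str] = None      # linked metaverse object; None means "disconnector"
    pending: Optional[str] = None    # export waiting to run: "add", "update", "delete" or "disable"

    @property
    def is_connector(self) -> bool:
        return self.mv_id is not None


class MiisModel:
    """Toy metaverse (MV) with one connector space per management agent (MA). Hypothetical."""

    EXPORTED_ATTRS = ("employeeID", "displayName", "mail")

    def __init__(self, source_ma: str, targets: dict):
        self.source_ma = source_ma        # authoritative MA, e.g. HR
        self.targets = targets            # target MA -> deprovision policy: "delete" or "disable"
        self.mv: dict = {}                # mv_id -> attributes
        self.cs: dict = {source_ma: {}, **{t: {} for t in targets}}   # ma -> anchor -> CSEntry
        self.cd: dict = {t: {} for t in targets}                       # simulated target data sources
        self._next = 1

    def stage(self, ma: str, anchor: str, attrs: dict) -> CSEntry:
        """Import run: stage the CD object into the connector space (CD -> CS)."""
        entry = self.cs[ma].get(anchor)
        if entry is None:
            entry = self.cs[ma][anchor] = CSEntry(ma, anchor, {})
        entry.attrs.update(attrs)
        return entry

    def synchronize(self, anchor: str) -> None:
        """Sync run for one source entry: deletion rule, join or project, attribute flow, provision."""
        entry = self.cs[self.source_ma][anchor]
        if entry.is_connector and entry.attrs.get("status") == "terminated":
            self._deprovision(entry.mv_id)             # object deletion rule applies
            return
        if not entry.is_connector:
            # join rule (assumed): match an existing MV object on employeeID, else project a new one
            mv_id = next((k for k, o in self.mv.items()
                          if o.get("employeeID") == entry.attrs.get("employeeID")), None)
            if mv_id is None:
                mv_id, self._next = f"mv-{self._next}", self._next + 1
                self.mv[mv_id] = {}
            entry.mv_id = mv_id
        self.mv[entry.mv_id].update(entry.attrs)       # import attribute flow: CS -> MV
        self._provision(entry.mv_id)

    def _provision(self, mv_id: str) -> None:
        """Provision step (the MV rules extension): one connector per target MA."""
        person = self.mv[mv_id]
        for ma in self.targets:
            conn = next((e for e in self.cs[ma].values() if e.mv_id == mv_id), None)
            if conn is None:
                anchor = person["employeeID"]            # set anchor value for the new connector
                conn = self.cs[ma][anchor] = CSEntry(ma, anchor, {}, mv_id, "add")
            # export attribute flow: MV -> target CS, only the attributes the target should see
            conn.attrs.update({k: person[k] for k in self.EXPORTED_ATTRS if k in person})
            conn.pending = conn.pending or "update"

    def _deprovision(self, mv_id: str) -> None:
        """MV object deleted; linked CS objects become disconnectors and target connectors
        receive their MA's deprovision policy, which is not necessarily delete."""
        del self.mv[mv_id]
        for ma, entries in self.cs.items():
            for e in entries.values():
                if e.mv_id == mv_id:
                    e.mv_id = None
                    if ma in self.targets:
                        e.pending = self.targets[ma]

    def export(self, ma: str) -> int:
        """Export run: apply pending CS changes to the simulated connected data source (CS -> CD)."""
        applied = 0
        for anchor, e in list(self.cs[ma].items()):
            if e.pending in ("add", "update"):
                self.cd[ma][anchor] = dict(e.attrs)
            elif e.pending == "delete":
                self.cd[ma].pop(anchor, None)
                del self.cs[ma][anchor]                  # disconnector cleanup
            elif e.pending == "disable" and anchor in self.cd[ma]:
                self.cd[ma][anchor]["disabled"] = True
            if e.pending:
                applied += 1
                e.pending = None
        return applied


def run_lifecycle():
    """Joiner then leaver with constructed sample data; returns the model and a snapshot
    of the target data sources taken right after provisioning."""
    m = MiisModel("HR", {"AD": "disable", "Notes": "delete"})
    m.stage("HR", "1001", {"employeeID": "1001", "displayName": "Ann Example",
                           "mail": "ann@example.test", "status": "active"})   # 1) HR MA imports new user
    m.synchronize("1001")            # 2)-6) project, create connectors, set anchor and initial values
    for ma in m.targets:
        m.export(ma)                 # 7) normal MA export run creates the objects in the CDs
    created = {ma: {a: dict(o) for a, o in m.cd[ma].items()} for ma in m.targets}
    m.stage("HR", "1001", {"status": "terminated"})   # leaver: HR flags the record as terminated
    m.synchronize("1001")            # deletion rule: MV object deleted, connectors deprovisioned
    for ma in m.targets:
        m.export(ma)                 # AD account disabled, Notes account deleted
    return m, created
```

The point page 19 makes is visible in the second half of run_lifecycle(): the metaverse object disappears and every connector becomes a disconnector, but what happens in each connected store is the MA's deprovision policy, so AD keeps a disabled account while Notes loses its entry. Review the leaver path with the same care as the joiner path: a deletion rule that never fires leaves live, orphaned accounts behind.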

Page 20
Scenarios and Applications of MIIS

Page 21
Identity Lifecycle Management with MIIS
Password Management
Identity Provisioning
Synchronisation
Audit
Compliance Assurance
Role Management (for Role-based Access Management)

Page 22
Password Synchronization (diagram)
Source System: AD Domain Controller running PCNS (PCNSFlt.DLL); the password change is made at Ctrl-Alt-Del
Encrypted Pwd sent from PCNS to MIIS
MIIS: AD MA (Password Reset) and MA Password Extension
Target Systems: Password Resets

Page 23
Password Management
Initial password set versus password management
Passwords are write-only
Scope of password management
Security groups
Events and password history
Developing custom applications
WMI
Diagram: Helpdesk Web App and Self-serve Web App feeding MIIS, which manages passwords in NT4, Lotus Notes, AD, Sun ONE, AD/ADAM and Novell eDirectory

Page 24
Password Management: Application-based sign-on
Diagram labels: Infrastructure Directory (AD); LOB5; 3rd party LDAP; LOB4; ADAM; MIIS; Pwd mgmt
1. User changes password using password management web app
2. Pwd mgmt app finds matching accounts in MIIS
3. Passwords updated
4. User signs on to app
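The four-step flow above, together with the password management points on page 23 (write-only passwords, scope, security groups, events and password history), as an added Python sketch. It is not MIIS code and not the MIIS password management (WMI) interface: the metaverse lookup, the group and system names and the person "ann" are constructed, and PBKDF2 stands in for whatever each real target does with a password it receives.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

PBKDF2_ROUNDS = 100_000


class TargetAccount:
    """Account in a simulated connected system. The password can be set and verified
    but never read back (the write-only rule on the slide), with a short history."""

    def __init__(self, system: str, name: str, history_depth: int = 3):
        self.system, self.name = system, name
        self._current = None             # (salt, digest) of the current password
        self._previous = []              # password history, newest last
        self._history_depth = history_depth

    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def _matches(self, password: str, entry) -> bool:
        salt, digest = entry
        return hmac.compare_digest(digest, self._digest(password, salt))

    def set_password(self, new_password: str) -> None:
        """Reject reuse of the current or recent passwords, then store a fresh salted digest."""
        for entry in ([self._current] if self._current else []) + self._previous:
            if self._matches(new_password, entry):
                raise ValueError(f"{self.system}: password reuse rejected by history")
        if self._current:
            self._previous = (self._previous + [self._current])[-self._history_depth:]
        salt = os.urandom(16)
        self._current = (salt, self._digest(new_password, salt))

    def verify(self, candidate: str) -> bool:
        return self._current is not None and self._matches(candidate, self._current)


class PasswordManager:
    """Password management web app (helpdesk or self-service) in front of the metaverse."""

    def __init__(self, metaverse: dict, groups: dict, scope: dict):
        self.metaverse = metaverse       # person id -> matching TargetAccounts (the step 2 lookup)
        self.groups = groups             # security group -> member ids
        self.scope = scope               # security group -> systems that group may reset
        self.history = []                # event history: who did what, never the password itself

    def allowed_systems(self, actor: str, subject: str) -> set:
        if actor == subject:             # self-service: a user may change all of their own accounts
            return {a.system for a in self.metaverse.get(subject, [])}
        allowed = set()
        for group, members in self.groups.items():
            if actor in members:
                allowed |= self.scope.get(group, set())
        return allowed

    def change_password(self, actor: str, subject: str, new_password: str) -> dict:
        result = {"updated": [], "skipped": [], "rejected": []}
        allowed = self.allowed_systems(actor, subject)
        for acct in self.metaverse.get(subject, []):     # step 2: find matching accounts
            if acct.system not in allowed:
                result["skipped"].append(acct.system)     # outside the caller's scope
                continue
            try:
                acct.set_password(new_password)           # step 3: password updated on the target
                result["updated"].append(acct.system)
            except ValueError:
                result["rejected"].append(acct.system)
        self.history.append({"time": datetime.now(timezone.utc).isoformat(),
                             "actor": actor, "subject": subject, **result})
        return result


def build_demo() -> PasswordManager:
    """Constructed sample data: one person with accounts in three systems, one helpdesk group."""
    ann = [TargetAccount("AD", "ann"), TargetAccount("Notes", "Ann Example/Corp"),
           TargetAccount("SunONE", "uid=ann")]
    return PasswordManager(metaverse={"ann": ann},
                           groups={"Helpdesk": {"bob"}},
                           scope={"Helpdesk": {"AD", "Notes"}})   # helpdesk may not touch SunONE
```

Two details matter operationally. The helpdesk group's scope excludes SunONE, so a helpdesk reset leaves that account untouched and the event record says so; and because each target keeps its own password history, a reused password can be refused by some systems and accepted by others, leaving the user with different passwords on different systems. Both outcomes are only visible because the app records per-system results rather than a single "password changed" event.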

Page 25
Provisioning
Identity can be sourced from a number of directories through management agents (MAs):
  Database, LDAP, File-based
Whenever a Metaverse object is changed, Provision Methods run
  This is code in a Metaverse rule DLL
If not catered for by an existing management agent, you can customise it to suit most unusual provisioning needs
Deprovisioning is those operations that occur at the end of an identity life cycle (deletion, disabling)

Page 26
Synchronisation: MIIS Out-of-the-Box Connectivity
Active Directory / Exchange
Active Directory Application Mode (ADAM)
SunOne Directory (iPlanet)
IBM Tivoli Directory Server (SecureWay)
DSML 2.0
LDAP Directory Interchange Format (LDIF)
Delimited Text
Fixed-Width Text
Attribute-Value Pair Text
NT 4
Exchange 5.5
Lotus Notes
SQL Server
Oracle
Informix and dBase
IBM RACF
IBM DB2
Novell eDirectory
PeopleSoft
SAP
Partner (Extensible) Management Agents (NEW!)
Other systems to follow

Page 27
Audit and Compliance
Regulatory requirements: SarbOx, Data Protection Directive/Act, Freedom of Information Acts, HIPAA…
Arguably, we have to monitor the directories, not MIIS claims. As this is very difficult today, here is an interim suggestion:
1. Centralise all tracked identity information on an MIIS metadirectory
2. Audit MIIS events
3. Code bespoke rules
4. Obtain existing compliance checking code (e.g. OCG)
5. Use Microsoft Audit Collection Service (ACS) for ensuring integrity of the audit
   – ACS plans to ship with next version of Microsoft Operations Manager

Page 28
Audit Collection Services: Architectural Overview (diagram)
Security logs from Monitored Clients and Monitored Servers (events subject to tampering) are gathered by the Collector into SQL (events under control of auditors)
From there they feed Real-Time Intrusion Detection Applications, Forensic Analysis and the Management System
Further diagram label: WMI

Page 29
Additional Security Benefit
Through analysis of MIIS audit (for example, using Microsoft Operations Manager) you can detect unusual and unexpected operations
This can become a basis for building an element of your automated Intrusion Detection System (IDS)
Please refer to “Holistic Security” seminar, Part 2, available on www.microsoft.com/itsshowtime for more information on IDS and Active Security
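An added Python example of the kind of review page 29 has in mind, and of step 2 ("Audit MIIS events") of the interim suggestion on page 27: three simple rules run over MIIS-style run events. The event lines and their key=value format are constructed for this illustration and are not the real MIIS event log; the service account name, the authoritative MA, the run window and the delete threshold are assumptions to be replaced with a deployment's own values.

```python
from collections import Counter
from datetime import datetime

SERVICE_ACCOUNT = "svc-miis"          # assumed name of the MIIS service account
AUTHORITATIVE_MA = "HR"               # assumed: only the HR MA may originate new identities
DELETE_BURST_THRESHOLD = 10           # more deletes than this in one MA's daily run is worth a look
SYNC_WINDOW_HOURS = (1, 4)            # assumed scheduled run window, 01:00-04:00 UTC

# Constructed sample events in a made-up key=value format (not the real MIIS event log):
# a normal joiner, a daytime add to AD by an operator with no HR record behind it,
# and a burst of deletes in the following night's export run.
SAMPLE_LOG = """\
2006-03-01T02:00:05Z ma=HR run=FullImport op=import anchor=1001 actor=svc-miis
2006-03-01T02:00:09Z ma=AD run=Export op=add anchor=1001 actor=svc-miis
2006-03-01T02:00:09Z ma=Notes run=Export op=add anchor=1001 actor=svc-miis
2006-03-01T14:12:41Z ma=AD run=Export op=add anchor=9999 actor=jdoe
2006-03-02T02:00:07Z ma=HR run=DeltaImport op=import anchor=1002 actor=svc-miis
""" + "".join(f"2006-03-02T02:00:{10 + i}Z ma=AD run=Export op=delete anchor=20{i:02d} actor=svc-miis\n"
              for i in range(12))


def parse_event(line: str) -> dict:
    """Timestamp followed by key=value fields; the timestamp becomes a datetime."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def load_events(text: str) -> list:
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def orphan_provisioning(events: list) -> list:
    """Adds exported to a target MA for anchors the authoritative MA never imported."""
    known = {e["anchor"] for e in events if e["ma"] == AUTHORITATIVE_MA and e["op"] == "import"}
    return [e for e in events
            if e["op"] == "add" and e["ma"] != AUTHORITATIVE_MA and e["anchor"] not in known]


def unexpected_actor(events: list) -> list:
    """Runs not performed by the service account, i.e. somebody drove the engine by hand."""
    return [e for e in events if e["actor"] != SERVICE_ACCOUNT]


def outside_window(events: list) -> list:
    """Runs that happened outside the scheduled synchronization window."""
    lo, hi = SYNC_WINDOW_HOURS
    return [e for e in events if not lo <= e["time"].hour < hi]


def delete_bursts(events: list) -> dict:
    """(MA, day) pairs whose delete count exceeds the threshold: a leaver wave, or a bad filter."""
    counts = Counter((e["ma"], e["time"].date()) for e in events if e["op"] == "delete")
    return {key: n for key, n in counts.items() if n > DELETE_BURST_THRESHOLD}


def review(text: str = SAMPLE_LOG) -> dict:
    """Run every rule over the log and return the findings in a form a reviewer can act on."""
    events = load_events(text)
    return {
        "orphan_provisioning": [e["anchor"] for e in orphan_provisioning(events)],
        "unexpected_actor": sorted({e["actor"] for e in unexpected_actor(events)}),
        "outside_window": [e["anchor"] for e in outside_window(events)],
        "delete_bursts": {f"{ma}@{day}": n for (ma, day), n in delete_bursts(events).items()},
    }
```

Each rule answers a defender's question: did a target gain an account that no authoritative source ever produced, did someone run the engine by hand, did it run outside its schedule, and did one run remove far more than usual. The burst rule fires on the 12 deletes in one night's AD export; a genuine leaver wave looks the same as a mis-set connector filter, which is one reason the page stresses that deprovision does not necessarily mean delete.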

Page 30
A Few Tips on MIIS (Refer to course 2731 on MIIS for more)

Page 31
Guidelines for Securing the MIIS 2003 Environment
Use strong passwords
Ensure that only trusted people have access
Institute checks and balances
Encrypt sensitive data; use secure network connections
Provide appropriate training
Use Windows authentication on SQL Servers
Implement RAID and UPS on SQL Servers
If using a remote SQL Server, change TCP/IP port
Install MIIS 2003 and SQL Server behind a firewall
Maintain software patches up-to-date

Page 32
Encryption Keys
Password information is encrypted:
  Connection passwords
  Passwords waiting to be synchronized
  Newly created passwords (not yet provisioned)
Key sets should be backed up to a safe place
miiskmu allows backup/restore of keys, re-encryption with a new key and key abandonment
If a new key is created, old keys are scrubbed

Page 33
Security Groups and Access Control Lists
Limit Access to Specific Users and Groups
Monitor Group Membership and Access Control Lists
If a security breach occurs:
  Backup the MIIS database and the encryption keys
  Change the MIIS service account credentials
  Delete existing MIIS security groups
  Run MIIS setup and use the new security credentials
  Obtain and deploy new connection credentials for connected data sources; de-activate old credentials

Page 34
Maintain a Warm Standby Server (diagram)
Active MIIS Server (using domain service a/c) and Warm Standby (using domain service a/c), both attached to a Clustered SQL Server
Domain controller authenticates MIIS service account and groups
When the active server fails (marked X in the diagram), the standby is activated with MIISActivate.exe

Page 35
Backup and Restore
SQL Server backup includes data, configuration and extensions
Encryption keys and metadata must be backed up separately
There are two approaches to restoring on a clean machine:
  Restore then install
  Install then restore
When restoring on an existing installation, you should run miisactivate to restore extensions reliably

Page 36
Summary

Page 37
MIIS Success & References
250+ large customers since the launch (which was in Aug 2003)
28 different countries (NA, EMEA, APAC, LTAM)
25 different verticals (Gov’t, Finance, Education, .com)
20,000+ Downloads of the feature pack
10,000+ Downloads of the evaluation version
User Group > 1500 Users

Page 38
Summary
At the heart of Identity Lifecycle Management lies a strong metadirectory server: MIIS
Main functions deal with provisioning, password management, and identity synchronisation
Additional benefits include ability to audit and ensure regulatory compliance
www.microsoft.com/idm & www.microsoft.com/itsshowtime & www.microsoft.com/technet

Page 39
Special Thanks
This seminar was prepared with the help of:
Oxford Computer Group Ltd
  Expertise in Identity and Access Management (Microsoft Partner)
  IT Service Delivery and Training
  www.oxfordcomputergroup.com
Microsoft, with special thanks to:
  Daniel Meyer – thanks for many slides
  Steven Adler, Ronny Bjones, Olga Londer – planning and reviewing
  Philippe Lemmens, Detlef Eckert – Sponsorship
  Bas Paumen & NGN - feedback