Introduction to Identity Management with MIIS 2003
Steve Plank, Architectural Engineer
Agenda
- MIIS Scenarios
- How MIIS works
- MIIS Futures
Hire Scenario (diagram): the HR System feeds MIIS, which provisions the new hire into the Contractor System, AD in App Mode, SQL Server, iPlanet Directory, Active Directory and Lotus Notes over File, LDAP and SQL connectors.
Fire Scenario (diagram): the same topology as the hire scenario, driven from the HR System through MIIS to the Contractor System, AD in App Mode, SQL Server, iPlanet Directory, Active Directory and Lotus Notes over the same File, LDAP and SQL connectors.
Identity Joining Scenario (diagram): the HR System record (givenName Clark, sn Kent, employeeID 007, title Reporter, mail Clark@contoso.com, telephone 867-5309) is projected to the Metaverse (PROJECTED). The iPlanet Directory, Active Directory and Lotus Notes records carry misspelled or divergent values (Klarek Cenntt 008, Clark Kennttt 007, Klarke Kent Superhero 007); those with employeeID 007 are joined on employeeID (JOINED), and the record that does not match requires a Manual Join.
Attribute Flow Scenario: Identity Data Aggregation (diagram): the HR System contributes FirstName, LastName, EmployeeID, Title and Telephone; the joined iPlanet Directory, Active Directory and Lotus Notes records (givenName, sn, title, mail, employeeID, telephone) contribute the rest. The aggregated Metaverse object for employeeID 007 becomes Clark Kent, Reporter, Clark@contoso.com, 867-5309.
Attribute Flow Scenario: Identity Data Brokering (Convergence) (diagram): the aggregated Metaverse values flow back out to the HR System, iPlanet Directory, Active Directory and Lotus Notes, so every connected directory converges on Clark Kent, Reporter, Clark@contoso.com, 867-5309 for employeeID 007.
Attribute Flow Scenario: Identity Data Integrity Enforcement (diagram): the title of employeeID 007 is changed to Superhero in a connected directory while the HR System still holds Reporter; the diagram shows the Superhero value alongside the authoritative Reporter value in the Metaverse.
Identity Data Integrity Enforcement (diagram): a connected directory's title for employeeID 007 is changed again (Publisher); the Metaverse retains the authoritative HR value Reporter and re-exports it, so the Superhero and Publisher values are overwritten with Reporter in every connected directory.
MIIS in action…
Demo
Agenda
- MIIS Scenarios
- How MIIS works
- MIIS Futures
Terminology (diagram): Connected Directories <-> Management Agent (MA) <-> Connector Space <-> Metaverse
- Each Management Agent has an interface (i/f), "filters", a schema, and filters/rules
- Operations: Staging, Projection, Provisioning, Export, Join
- Run profiles: Import/Export Run Profile, Sync Run Profile
- Rules Extension: Import Attribute Flow and Export Attribute Flow
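To make the terminology concrete, the following is an added Python sketch (not MIIS code, and not from this deck) of one sync run over the Clark Kent scenario from the joining and attribute-flow slides: projection of HR records, join on employeeID, import attribute flow under an assumed precedence order (HR authoritative for name, title and telephone; Lotus Notes owning mail), and export attribute flow that reverts the non-authoritative "Superhero" title. Connector-space contents are constructed to mirror the slides.

```python
from copy import deepcopy

# Import attribute flow precedence: the first MA listed wins. This order is an
# assumption for the illustration; the deck does not state one.
PRECEDENCE = {
    "givenName": ["HR", "AD", "iPlanet", "Notes"],
    "sn": ["HR", "AD", "iPlanet", "Notes"],
    "title": ["HR", "AD", "iPlanet", "Notes"],
    "telephone": ["HR", "AD", "iPlanet", "Notes"],
    "mail": ["Notes", "AD", "iPlanet"],
}

# Constructed connector-space contents mirroring the slides: misspelled names
# in the directories, mail held only in Notes, an unmatched employeeID 008,
# and an AD title that someone changed to "Superhero".
CS = {
    "HR": [{"employeeID": "007", "givenName": "Clark", "sn": "Kent",
            "title": "Reporter", "telephone": "867-5309"}],
    "AD": [{"employeeID": "007", "givenName": "Klarke", "sn": "Kent",
            "title": "Superhero"}],
    "iPlanet": [{"employeeID": "008", "givenName": "Klarek", "sn": "Cenntt"}],
    "Notes": [{"employeeID": "007", "givenName": "Clark", "sn": "Kennttt",
               "mail": "Clark@contoso.com"}],
}

def sync(connector_spaces):
    """One sync run: returns (metaverse, exported connector spaces, disconnectors)."""
    # Projection: every HR record creates a metaverse object keyed by employeeID.
    metaverse = {r["employeeID"]: {"employeeID": r["employeeID"]}
                 for r in connector_spaces["HR"]}
    # Join: other MAs' records attach on employeeID; no match means a disconnector.
    disconnectors = [(ma, r) for ma, recs in connector_spaces.items()
                     for r in recs if r["employeeID"] not in metaverse]
    # Import attribute flow: the highest-precedence MA that holds a value wins.
    for eid, mv in metaverse.items():
        for attr, order in PRECEDENCE.items():
            for ma in order:
                src = [r for r in connector_spaces.get(ma, []) if r["employeeID"] == eid]
                if src and src[0].get(attr):
                    mv[attr] = src[0][attr]
                    break
    # Export attribute flow: metaverse values overwrite every joined record,
    # which is what reverts the non-authoritative "Superhero" title in AD.
    exported = deepcopy(connector_spaces)
    for recs in exported.values():
        for r in recs:
            if r["employeeID"] in metaverse:
                r.update(metaverse[r["employeeID"]])
    return metaverse, exported, disconnectors
```

Running `sync(CS)` yields a metaverse object with the corrected name, the HR title and the Notes mail address, an exported AD record whose title is back to Reporter, and the employeeID 008 iPlanet record reported as a disconnector awaiting a manual join.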
MIIS – Metadirectory Functionality and Connectivity
Identity Data (LDAP, SQL, NOS, LOB Apps)
Wide range of connectivity:
- Active Directory & ADAM
- Sun/iPlanet Directory
- IBM DS
- Novell eDirectory
- Microsoft SQL 2000 & SQL 7
- Oracle 9i/8i
- IBM DB2
- Lotus Notes 5.x/6.x
- Microsoft Exchange 5.5, 2K, 2K3
- Microsoft NT 4.x
- RACF
- DSML, LDIF, CSV, fixed width
- … others to follow
MA SDK allows ISVs and corporate developers to build custom MAs
Synchronizing Identity Stores - The Management Agent SDK
- Easy-to-use SDK to build Management Agents: a .NET hosted set of interfaces
- Addresses IT Pro and ISV audiences
IT Pro
- Fast MA development using a template
- Simple to configure by reusing the "Extensible MA UI"
ISVs
- Allows customizing the MA configuration UI and providing a customized look and feel
- Enables packaging and redistribution of management agents
- Enables Identity Manager-integrated development of the MA configuration UI
- Supports password synchronization
Password Synchronization: Password Change Notification
Password Filter
- The password filter is extremely lightweight to minimize any impact on the DC
- The filter receives the change notifications and securely communicates passwords to the service
Password Notification Service
- The service encrypts and queues the password notification to be delivered to the registered targets (MIIS or HIS)
- Notifications are transmitted via secure RPC to the target
- A queuing and retry mechanism guards against lost passwords due to connectivity issues
- PCNS and MIIS mutually authenticate to prevent spoofing
(Diagram: on the Active Directory Domain Controller, the LSA Process hosts the Password Filter, which hands notifications to the Password Notification Service, which delivers them to the Identity Integration Server.)
Password Synchronization: Identity Integration Server
- MIIS receives notifications from PCNS and locates the matching object for the user's Active Directory account
- MIIS leverages the metadirectory "join" relationship to locate the correct accounts in the target systems
- MIIS maintains a queue for each target system to optimize delivery and handle systems that are less reliable
- Passwords can be synchronized to any system managed by MIIS management agents
- Password Extensions allow synchronizing passwords to custom applications and directories
(Diagram: PCNS -> Identity Integration Server, whose Connector Space and Metaverse resolve the join and whose per-target queues deliver to the Connected Directories.)
Visualization
- Different hierarchies suit different needs
- Multiple hierarchical representations can be discovered from data
- Polyarchy eliminates the requirement for a fixed hierarchy
- Polyarchy provides multiple hierarchical views and richer visualization of infrastructure information
Agenda
- MIIS Scenarios
- How MIIS works
- MIIS Futures
MIIS Roadmap (timeline diagram): Lowering the cost and risks of Identity Management
Extending MA reach and password capabilities
- MIIS 2003 SP1 (Q4/CY04): additional MAs, MA SDK, Password Extensions, password synchronization from the Windows desktop
Providing tools for provisioning
- MIIS 2003 SP1 ResKit (Q4/CY04): code generator, workflow
- MIIS "Gemini": codeless provisioning, entitlement reporting, self-service platform, password reset, additional MAs
Gemini feature list:
1. Codeless provisioning
2. Richer logging/auditing
3. Self-service platform
4. Workflow for provisioning and self-service
5. Password self-service reset
6. Cluster support
7. Computed attributes (dynamic groups)
8. Cross-forest group management
9. Entitlement reporting
10. Capacity planning documentation
11. Scalability improvements
12. UNIX / OpenLDAP / Generic LDAP MA
Review
- MIIS Scenarios
- How MIIS works
- MIIS Futures