
Security Seminar ‘06. Building Identity Management Solutions Michael Kleef IT Pro Evangelist Microsoft


Page 1: Security Seminar ‘06. Building Identity Management Solutions Michael Kleef IT Pro Evangelist Microsoft

Security Seminar ‘06

Page 2: Building Identity Management Solutions

Michael Kleef, IT Pro Evangelist
Microsoft
http://blogs.technet.com/mkleef

Page 3: Session Overview

- What's now available?
- Has the SSO landscape changed?
- Kerberos federation with UNIX/Linux
- How to provision with MIIS
- Other stuff you should think of:
  - Workflow
  - Policy compliance
  - Sync'ing passwords
  - InfoCard

Page 4: Identity Management Services

Goal: allow only legitimate users secure, policy-based access to machines, applications and data.

Three pillars:
- Access Management: provide access based on policy
- Directory Services: ensure users are who they claim to be
- Identity Lifecycle: manage the identity lifecycle

Building blocks: Directory Services, Lifecycle Management, Strong Authentication, Federated Identity, Certificate Services, Role-based Access Control, Audit Collection Services, Group Policy Management Console.

Identity Management Services: identity and credential data, Identity Selector, provisioning and workflow, entity/relationship analytics.

Page 5: UNIX Interop functionality in R2

“Services for UNIX” components: Tools/Utils/SDK, Enhanced Telnet, NFS Gateway, NFS Client, NFS Server, Server for NIS, Password Sync, User/Name Mapping, Interix Subsystem.

Top-level OCM components in R2 (optional install):
- Windows Subsystem for UNIX-based Applications (SUA): next generation of Interix functionality
- Active Directory Services: NIS schema and Kerberos authentication extensions; RFC2307 schema attributes
- Identity Management for UNIX: Administration Components, Password Synchronization, Server for NIS
- Other Network File and Print Services: Microsoft Services for NFS (Mapping Server; NFS Auth, AdminUI, client and server; Portmap; RpcXdr)

Deprecated: AS Perl, NFS Gateway, PCNFS, CDFS/FAT/FAT32 support.

Web download: Utilities and SDK for UNIX-based Applications: Base Utilities, SVR-5 Utilities, Base SDK, GNU SDK, GNU Utilities, UNIX Perl, Visual Studio Debugger Add-in.

Page 6: Security Tokens & Claims

Distributed authentication/authorization.

- Security tokens assert claims.
- Claims: statements authorities make about security principals (name, identity, key, group, privilege, capability, etc.).

Token forms shown in the diagram: secret key, password, proof of possession, signed.
Token formats shown: X.509, Kerberos, XrML, SAML.

Page 7: ADFS Federated Web SSO Example

1. User accesses A. Datum portal to Trey Research order processing application.
2. User redirected to A.Datum STS.
   - Seamlessly authenticated using Active Directory & Windows integrated authentication (Kerberos security token).
3. User obtains SAML security token from A.Datum STS for Trey Research STS.
   - Federation claims per A.Datum and Trey Research business agreement.
4. User obtains SAML security token from Trey Research STS for application.
   - Claims specific to Trey Research.
5. User accesses Trey Research order processing application.

Diagram labels: Trey Research Inc., A.Datum Corp., Active Directory, Federation STS (one per organisation), SIDs, Federation Claims, Application Claims, Order Entry Portal, Order Entry Application.
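The five-step flow above as an added Python model (not code from the slides or from ADFS itself): HMAC keys shared between the partners stand in for the certificate signatures on the SAML tokens, and the SID-to-federation-claim and federation-claim-to-application-claim mappings are constructed for the example. It shows why each hop checks issuer, signature, audience and expiry, so a partner token cannot be replayed straight at the application.

```python
import hashlib
import hmac
import json
import time

# Constructed keys standing in for the signing certificate each STS shares with
# its federation partner (assumption: HMAC replaces the XML signature on the SAML token).
KEYS = {"adatum-sts": b"adatum-signing-key", "trey-sts": b"trey-signing-key"}

def issue_token(issuer, audience, subject, claims, now, ttl=300):
    """Issue a signed token whose signature covers every field the verifier checks."""
    body = {"iss": issuer, "aud": audience, "sub": subject, "claims": claims, "exp": now + ttl}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(KEYS[issuer], payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}

def verify_token(token, expected_issuer, expected_audience, now):
    """Accept only a fresh, intact token from the trusted issuer, issued for this audience."""
    body = json.loads(token["payload"])
    if body["iss"] != expected_issuer or expected_issuer not in KEYS:
        raise ValueError("untrusted issuer")
    expected_sig = hmac.new(KEYS[expected_issuer], token["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, token["sig"]):
        raise ValueError("bad signature")
    if body["aud"] != expected_audience:
        raise ValueError("token not issued for this audience")
    if body["exp"] <= now:
        raise ValueError("token expired")
    return body

# Steps 2-3: A.Datum STS. Windows integrated authentication yields the user's group
# SIDs; the business agreement maps them to federation claims (constructed mapping).
SID_TO_FEDERATION_CLAIM = {"S-1-5-21-1-1-1-1107": "Purchaser"}

def adatum_sts(principal, group_sids, now):
    roles = sorted({SID_TO_FEDERATION_CLAIM[s] for s in group_sids if s in SID_TO_FEDERATION_CLAIM})
    return issue_token("adatum-sts", "trey-sts", principal, {"upn": principal, "role": roles}, now)

# Step 4: Trey Research STS verifies the partner token, then turns federation claims
# into claims the order entry application understands (constructed mapping).
FEDERATION_TO_APP_CLAIM = {"Purchaser": "OrderEntry.Submit"}

def trey_sts(federation_token, now):
    body = verify_token(federation_token, "adatum-sts", "trey-sts", now)
    perms = sorted({FEDERATION_TO_APP_CLAIM[r] for r in body["claims"]["role"] if r in FEDERATION_TO_APP_CLAIM})
    return issue_token("trey-sts", "order-entry-app", body["sub"], {"permission": perms}, now)

# Step 5: the application trusts only its own STS, never the partner STS directly.
def order_entry_app(app_token, now):
    body = verify_token(app_token, "trey-sts", "order-entry-app", now)
    return "OrderEntry.Submit" in body["claims"]["permission"]

def federated_sso(principal, group_sids, now=None):
    """Run the whole chain; returns True when the user may submit orders."""
    now = time.time() if now is None else now
    return order_entry_app(trey_sts(adatum_sts(principal, group_sids, now), now), now)

if __name__ == "__main__":
    print(federated_sso("alice@adatum.example", ["S-1-5-21-1-1-1-1107"]))
```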

Page 8: Federated IdM in Action: X-organization, X-platform Web SSO

Alice (Purchaser) at A.Datum Corp Head Office, authenticating against Active Directory via the head-office Security Token Service.

Flow to the A.Datum Corp Assembly Plant (Web Inventory Application, IIS + Partner Web SSO):
1. Alice needs access to Plant app
2. Authenticates to STS with Kerberos
3. Gets security token for Plant STS
4. Authenticates to Plant STS with token
5. Gets security token for Plant app

Flow to the Trey Research Warehouse (Web Purchasing Application, UNIX/Linux platform):
1. Alice needs access to Supplier app
2. Authenticates to STS with Kerberos
3. Gets security token for Supplier STS
4. Authenticates to Supplier STS with token
5. Gets security token for Supplier app

Other diagram labels: Exchange, Web Service, Collaboration, Intranet Applications.

Page 9: Solution Demonstration 1: Kerberos Federation using Linux

Understand how Kerberos federation works and where you can use it.

Demo lab network diagram:
- Internal Network: 10.10.0.0/16
- Internet
- London.nwtraders.msft: Domain Controller, Exchange Server 2003, IIS 6.0 Server, DNS Server, Enterprise CA Server, 10.10.0.2/16
- Vancouver.nwtraders.msft: ISA Server 2004, 10.10.0.1/16, 131.107.0.1/16
- Denver.nwtraders.msft: Windows XP SP2, Office 2003, 131.107.0.1/16
- Glasgow.nwtraders.msft: MIIS Server, ADAM Server, 10.10.0.3
- 131.107.0.8
- Denver.nwtraders.msft: Windows XP SP2, Office 2003, 10.10.0.10/16
- Brisbane.northwindtraders.msft: Domain Controller, IIS 6.0 Server, 10.10.0.20

Page 10: Remember the Identity Life Cycle

1. New User: user ID creation, credential issuance, entitlements
2. Change User: promotions, transfers, entitlement changes
3. Help Desk: password reset, new entitlements
4. Retire User: delete accounts, remove entitlements

Page 11: Identity and Access Management Series

Lots of how-to stuff.

Policy Compliance:
- Desired Configuration Monitoring
- Enforcement and Reporting
- Auditing (management and monitoring tools)
- Microsoft Solutions for Security and Compliance (MSSC)

Workflow:
- Basic: MIIS Workflow Res Kit tool
- Advanced: use Ultimus, K2 or Windows WF

http://www.microsoft.com/technet/security/topics/identitymanagement/idmanage/default.mspx

Page 12: Understanding Identity and Access Management Technologies

Directory Services:
- Users, attributes, credentials, and groups
- Active Directory
- Active Directory Application Mode

Identity Life Cycle Management:
- Identity integration
- Provisioning/deprovisioning
- Delegated administration
- Self-service administration
- Credential and password management

Access Management:
- Authentication
- Authorization
- Trust
- Security auditing

Page 13: Understanding Identity Integration Using MIIS

- Synchronizes multiple repositories
- Agentless connection to other systems
- Attribute level control
- Manage global address lists
- Automate group and DL management

Legend: CS = Connector Space, MA = Management Agent, MV = Metaverse.

Diagram: MIIS 2003 in the centre; each connected source (Intranet Active Directory, Lotus Notes, Sun ONE Directory, HR Identity Source) is attached through its own MA into a CS, and the connector spaces are joined in the MV.

Page 14: Solution Demonstration 2: Identity Integration Using MIIS 2003

Understand how MIIS can address the challenges of maintaining digital identity information among various data stores.

Demo lab: the same network diagram as on Page 9.

Page 15: Managing Passwords

MIIS 2003 provides the ability to manage passwords through:
- Help desk reset
- Windows-initiated changes
- Web-initiated changes
- Other system-initiated changes through non-Microsoft software

Page 16: PCNS (Password Change Notification Service)

Supported by default:
- AD/ADAM
- IBM Directory Server
- Lotus Notes
- Novell eDirectory
- Sun/Netscape directory (iPlanet)

Supported through password extension:
- Attribute-Value Pair Files
- Delimited Text Files
- DSML
- SQL, Oracle and DB2
- LDIF
- Fixed Width Text Files
- Extensible Connectivity

Page 17: Managing Passwords (demo diagram)

- Internal Network: 10.10.0.0/16
- Glasgow.nwtraders.msft: MIIS Server, Password Management, 10.10.0.3
- Brisbane.nwtraders.msft: Domain Controller, IIS 6.0 Server, 10.10.0.20
- Brisbane.nwtraders.msft: Windows XP SP2, Office 2003, 10.10.0.10/16
- Also shown: Lotus Notes, iPlanet

Page 18: Password Portal

Diagram components:
- Front ends: Self Service Reset, Help Desk, Self Service Change and Registration, Admin
- Password Portal Service (WMI)
- Password Application Database (DB MA)
- Identity Integration Server
- Connected directories: AD, ADAM, SunONE

Page 19: Solution Demonstration 3: Password Management

Understand how MIIS Password Portal works.

Demo lab: the same network diagram as on Page 9.

Page 20: InfoCard – future internet identity

Page 21: Benefits

- Consistent user experience for controlling release of personal information
  - Across self-issued and managed cards
  - Across home and work scenarios (domain and non-domain)
- Helps users assess risk, minimize exposure
  - Validate site identity, site reputation (optional)
  - Distinguish first visit from return visit
- Establishes mutual trust between users and services
- Mitigates phishing and identity theft
- Common, platform-based solution
  - Avoid litany of per-site toolbars, app-specific solutions
  - Predictable, spoof resistant client side UX not under control of attacker – raises bar on difficulty of attack

http://msdn.microsoft.com/windowsvista/building/infocard/default.aspx?pull=/library/en-us/dnwebsrv/html/identitymetasystem.asp

Page 22: What’s in a Card?

Card metadata:
- Name: Alice’s Book Club Card
- Expires: 9/15/2006
- Image
- Issuer: Fabrikam
- Supported Claims: { GivenName, LastName, Address, City, … }
- Issuer Token Service EPRs
- Supported Token Type: { SAML 1.1 }
- …

Card as displayed: Alice Woodward, 1306 - 2523, Exp 9/15/2006, Alice’s Book Club Card, Fabrikam.

Claim values are owned by the Identity Provider.

Page 23: How does it work?

Parties: Identity Provider, Relying Party (RP).

1. Access a resource.
2. Policy: “I would like to receive a token which contains givenName, lastName and tokenType is SAML1.0, issued by *any*”.
3. Filter cards that could satisfy RP’s requirements.
4. User picks a card.
5. Request for token.
6. Token created.
7. Token presented.

Cards shown: fabrikam (Alice Woodward, 1306 - 2523), My Card, State of Victoria ID (Alice Woodward, Exp 6/12/2008), ?? Anonymous.
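Steps 3 and 5 above as an added Python example (not code from the slides or from InfoCard): the card filter applies the quoted RP policy to the card metadata from Page 22, and the token request releases only the claims the RP asked for. Plain claim names stand in for claim URIs, the sample cards are constructed, and the self-issued card is marked with issuer "self" (all assumptions of this example).

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Card:
    name: str
    issuer: str              # "self" marks a self-issued card
    supported_claims: frozenset
    token_types: frozenset
    expires: date

@dataclass(frozen=True)
class RelyingPartyPolicy:
    required_claims: frozenset
    token_type: str
    issuer: str = "*any*"    # "*any*" accepts managed and self-issued cards alike

def _norm(names):
    # Plain names stand in for claim URIs; compare case-insensitively (simplification).
    return frozenset(n.lower() for n in names)

def card_satisfies(card, policy, today):
    """Step 3: can this card yield a token that meets the RP's policy?"""
    if card.expires < today:
        return False
    if policy.issuer != "*any*" and card.issuer != policy.issuer:
        return False
    if policy.token_type not in card.token_types:
        return False
    return _norm(policy.required_claims) <= _norm(card.supported_claims)

def filter_cards(cards, policy, today):
    return [c.name for c in cards if card_satisfies(c, policy, today)]

def claims_to_release(card, policy):
    """Steps 5-6: only the claims the RP asked for go into the token request."""
    wanted = _norm(policy.required_claims)
    return sorted(c for c in card.supported_claims if c.lower() in wanted)

# Constructed cards modelled on the slides (claim values stay with the identity provider).
SAMPLE_CARDS = [
    Card("Alice's Book Club Card", "Fabrikam",
         frozenset({"GivenName", "LastName", "Address", "City"}), frozenset({"SAML 1.1"}), date(2006, 9, 15)),
    Card("My Card", "self",
         frozenset({"givenName", "lastName", "emailAddress"}), frozenset({"SAML 1.0", "SAML 1.1"}), date(2099, 1, 1)),
    Card("State of Victoria ID", "State of Victoria",
         frozenset({"givenName", "lastName", "dateOfBirth"}), frozenset({"SAML 1.0"}), date(2008, 6, 12)),
]

# The RP policy quoted on the slide: givenName and lastName, SAML 1.0, any issuer.
POLICY = RelyingPartyPolicy(frozenset({"givenName", "lastName"}), "SAML 1.0")
```

The Fabrikam card is dropped by the token-type check even though it carries the right claims, which is exactly the kind of mismatch the selector hides from the user.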

Page 24: Next Steps

Communities:
- http://www.microsoft.com/australia/technet
- Canberra and Brisbane have Windows Server User Groups; Melbourne scheduled for April start

Identity and Access Management Series:
- http://www.microsoft.com/technet/security/topics/identitymanagement/idmanage/default.mspx
- Tools, templates and how-to’s
- My blog: http://blogs.technet.com/mkleef with “BlogCasts By Me” category

MIIS website:
- http://www.microsoft.com/windowsserversystem/miis2003/default.mspx
- At present has the info for the SAP MA beta
- Resource Toolkit 2.0 release

Identity Meta System:
- http://msdn.microsoft.com/windowsvista/building/infocard/default.aspx?pull=/library/en-us/dnwebsrv/html/identitymetasystem.asp

Quest/Vintela:
- http://www.vintela.com
- Has free trial incl VAS, VSJ and Group Policy and SMS tools

Page 25: Security seminar follow up…

Security e-forum site: www.microsoft.com.au/eforum
- View on-demand webcasts of all presentations from this event (tell your work colleagues!)
- Online live chats: have a live chat with Microsoft’s leading security experts. Check the e-forum site for the live chat schedule.

Evaluation forms - we value your feedback!
- Need help with your business’ security? Q7 - register your interest on the eval form if you want to meet with Microsoft / a MS Security Solutions Partner to discuss solutions to address your security challenges.
- Fill in your form to go into the draw to win a HP Media Centre PC or Xbox 360.

Page 26: Questions and Answers