Identity Management with Microsoft Identity Integration Server
How Integration Happens
"Identity Chaos"
- Multiple repositories of identity information
- Multiple user IDs, multiple passwords
- Decentralized management, ad hoc data sharing

[Diagram: HR System, Infra Application, Lotus Notes Apps, two In-House Applications, COTS Application, Contractor System and an Enterprise Directory, each keeping its own authentication, authorization and identity data, connected only by flat files and sneaker-net]
Opportunity For Improvement:

[Diagram: the same systems (HR System, Infra Application, Lotus Notes Apps, In-House Applications, COTS Application, Contractor System) now exchange identity data through a Metadirectory, with the Enterprise Directory providing authentication and authorization]
"Identity Integration"
Rock solid software to integrate identity

What is Identity Integration?

[Diagram: identity data held in LDAP, SQL, NOS, Mainframe/Unix and Exchange 5.5 repositories, brought together by a Metadirectory that provides Directory Synchronization, Password Management, and Provisioning and Workflow]
Directory Synchronization
- Synchronizes multiple repositories
- "Agentless" connection to other systems
- Provides attribute-level control
- Manage global address lists (GAL)
- Automate group and DL management

[Diagram: Active Directory, Notes, iPlanet, SQL and Oracle synchronized with Active Directory through the Metadirectory]
Password Management
- Initial password set
- Centralized password control via a Web app
  - Self-service password reset
  - Helpdesk password reset
- Decentralized password synchronization
  - 3rd party password sync products can easily integrate

[Diagram: a Web app and the Metadirectory managing passwords in iPlanet]
Provisioning & Workflow
- Simple Provisioning & De-provisioning
  - Provision users as they appear in authoritative systems
  - Set initial values for attributes (including password)
  - Disable or delete accounts
- Complex Workflow
  - Initiate workflow or provisioning system
  - Integrate with BizTalk
  - Planning to add support for SPML when finalized
  - Integrate with 3rd party provisioning systems: Business Layers, WaveSet, Access360
What Is Microsoft Identity Integration Server?
Microsoft Identity Integration Server is…
- The next version of Microsoft's Metadirectory
- A flexible synchronization and identity integration framework
- Software that ensures consistency of identity data across repositories

Microsoft Identity Integration Server makes it radically easier to design, deploy and manage a metadirectory across an enterprise of any size
Metadirectory Concepts
- Connected Data Source (CD): any source and/or destination containing identity data
- Management Agent (MA): facilitates the communication between Microsoft Identity Integration Server and the CD
- Connector Space (CS): staging area for inbound or outbound synchronized attributes
- Metaverse (MV): central (SQL) store of identity information; matching CS entries to a single MV entry is called "join"

[Diagram: CD <-> MA <-> CS <-> MV, with MA, CS and MV inside Microsoft Identity Integration Server]
Metadirectory Architecture

[Diagram: identity repositories reached over the network, each with its own CS inside the Metadirectory, all feeding a single MV stored in SQL Server 2000]
New Metadirectory Features

Capability                                                   MMS 2.2       MIIS 2003
Standard datastore                                           Proprietary   SQL 2000
Microsoft Identity Integration Server extensions/Scripting   Proprietary   VS .NET languages
Fault tolerance/failover                                     Limited       SQL Clustering
Scalability                                                  1M            100M
LDAP access                                                  -             via ADAM
Extensible APIs                                              No            WMI, SDK
Easily move from test to production                          No
Password Management                                          No
Support renames in connected systems                         No
XML-based                                                    No
Data lineage                                                 No
Single User View (Polyarchy)                                 No
Consulting engagement                                        Required      Optional
Installation (demo)

User Interface (demo)
Metadirectory Connectors
- AD/Exchange 2000/Exchange 2003
- ADAM
- SunOne Directory (iPlanet)
- SQL
- Oracle
- DSML 2.0
- LDAP Directory Interchange Format (LDIF)
- Delimited Text
- Fixed-Width Text
- Attribute-Value Pair Text
- NT4
- Exchange 5.5
- Lotus Notes 4.6 and 5.0
- Novell eDirectory 8.62/8.7
- Other LDAP-based and RDBMS systems to follow

Management Agents

[Diagram: the HR System connected to the Metadirectory through a File management agent, the iPlanet Directory and Active Directory each through an LDAP management agent]
Creating Management Agents (demo)

Running Management Agents (demo)
Identity Aggregation

[Diagram: the HR System record (FirstName, LastName, EmployeeID, Telephone) and the iPlanet Directory and Active Directory entries (givenName, sn, title, mail, employeeID, telephone) hold differing data for the same person: "Klarek Cennt, 008", "Klarke Kent, Superhero, 007" and "Clark Kent, 007, 867-5309"; the Metadirectory aggregates them into one entry: Clark Kent, 007, Reporter, 867-5309]
Identity Aggregation (demo)
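As an added example (not code from the deck or from MIIS itself), a toy Python model of the join and inbound attribute flow sketched on the Identity Aggregation slide: connector-space records join one metaverse entry on employee ID, only the authoritative HR source projects new entries, and per-attribute precedence decides which source's spelling wins. All records, the precedence order and the unmatched "009" entry are constructed.

```python
# Toy model of the metadirectory join and inbound attribute flow shown on the
# Identity Aggregation slide. Constructed sample data and rules; not MIIS code.
# Connector-space (CS) records, one list per connected data source (CD).
CS = {
    "HR": [
        {"EmployeeID": "007", "FirstName": "Clark", "LastName": "Kent", "Telephone": "867-5309"},
        {"EmployeeID": "008", "FirstName": "Klarek", "LastName": "Cennt", "Telephone": ""},
    ],
    "iPlanet": [
        {"employeeID": "007", "givenName": "Klarke", "sn": "Kent", "title": "Superhero", "mail": "ckent@example.com"},
    ],
    "AD": [
        {"employeeID": "007", "givenName": "Clark", "sn": "Kent", "title": "Reporter"},
        {"employeeID": "009", "givenName": "Lex", "sn": "Luthor"},  # no authoritative HR record
    ],
}
JOIN_KEY = {"HR": "EmployeeID", "iPlanet": "employeeID", "AD": "employeeID"}
PROJECTS = {"HR"}  # only the authoritative source may create new MV entries
# MV attribute -> ordered (source, CS attribute) pairs; first non-empty value wins.
FLOW = {
    "givenName": [("HR", "FirstName"), ("AD", "givenName"), ("iPlanet", "givenName")],
    "sn":        [("HR", "LastName"), ("AD", "sn"), ("iPlanet", "sn")],
    "title":     [("AD", "title"), ("iPlanet", "title")],
    "mail":      [("iPlanet", "mail")],
    "telephone": [("HR", "Telephone")],
}

def synchronize(cs=CS):
    """Return (metaverse, disconnectors) after one import and sync cycle."""
    contributors = {}   # join key -> {source: CS record}
    disconnectors = []  # CS records that neither projected nor joined
    # Projecting sources run first so that joins from the others find a target.
    for source in sorted(cs, key=lambda s: s not in PROJECTS):
        for rec in cs[source]:
            key = rec.get(JOIN_KEY[source])
            if key and (source in PROJECTS or key in contributors):
                contributors.setdefault(key, {})[source] = rec
            else:
                disconnectors.append((source, rec))
    mv = {}
    for key, srcs in contributors.items():
        entry = {"employeeID": key}
        for attr, chain in FLOW.items():
            for source, cs_attr in chain:
                value = srcs.get(source, {}).get(cs_attr)
                if value:  # precedence: take the first source that has data
                    entry[attr] = value
                    break
        mv[key] = entry
    return mv, disconnectors
```

Records left in the disconnector list are the ones a real deployment would review: an account that exists in a directory but has no authoritative HR record is exactly what de-provisioning rules are meant to catch.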
Provisioning/Workflow
1. Simple Provisioning/Deprovisioning
   - Create accounts when new users appear in authoritative systems
   - Set initial values for attributes (including password)
   - Disable or delete accounts in response to change in authoritative systems
2. Complex Workflow
   - Initiate workflow or provisioning system (ex: BizTalk Orchestration) for long-running or multi-part workflow
   - Integrate with ISV Products
Provisioning Scenario

[Diagram: a new user appearing in the HR System (File management agent) is provisioned through the Metadirectory into the iPlanet Directory and Active Directory (LDAP management agents)]

De-Provisioning Scenario

[Diagram: a user removed from the HR System (File management agent) is de-provisioned through the Metadirectory from the iPlanet Directory and Active Directory (LDAP management agents)]
Simple Provisioning and De-Provisioning (demo)
Extending Capabilities
- Modify the behavior of Microsoft Identity Integration Server
  - Call methods on the interface in response to changes in the system
- Model defines a managed interface
  - Configuration set in UI determines which methods are called
- Write custom extensions in any programming language with a compiler for the CLR
  - Visual Studio projects auto-generated for VB or C#
Extending Microsoft Identity Integration Server using Visual Studio .NET (demo)
Preview Mode
- System is transparent in design
- Allows architect/developer to preview work in the metadirectory without committing any changes
- Allows the testing of
  - Configuration changes
  - New rules
  - New connected directories
- Can view all results through the UI

Preview Mode (demo)
Passwords
1. Initial password set
   - Core functionality
2. Centralized password control
   - Web-based, extensible application for building self-serve or helpdesk support applications
3. Decentralized password synchronization
   - Integrate with ISV Products

[Diagram: Web Apps setting passwords through MIIS 2003 into iPlanet and AD]
Visualization
- Different hierarchies suit different needs
- Multiple hierarchical representations can be discovered from data
- Polyarchy eliminates the requirement for fixed hierarchy
- Polyarchy provides multiple hierarchical views and richer visualization of infrastructure information
Summary
- Reduce administration cost
  - GAL management
  - DL/group management
  - Helpdesk password reset
- Improved productivity
  - User self-service
  - Faster access to systems
- Increased security
  - Fast de-provisioning

[Diagram: iPlanet, SQL, Oracle, Active Directory, Exchange 5.5 and Notes connected through the Metadirectory]
© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.