Identity Lifecycle Management
Rafal Lukawiecki
Strategic Consultant, Project Botticelli Ltd
[email protected]
www.projectbotticelli.co.uk
Copyright 2006 © Microsoft Corp & Project Botticelli Ltd. E&OE. For informational purposes only. No warranties of any kind are made and you have to verify all information before relying on it. You can re-use this presentation as long as you read, agree, and follow the guidelines described in the “Comments” field in File/Properties. This presentation is based on work of many authors from Microsoft, Oxford Computer Group and other companies. Please see the “Introductions” presentation for acknowledgments.
Objectives
Introduce Microsoft Identity Integration Server and related products and technologies
Explain the processes involved in lifecycle management
Session Agenda
Functionality of Microsoft Identity Integration Server
Scenarios and Applications of MIIS
A Few Tips on MIIS
Microsoft’s Identity Management
(Product map diagram: PKI / CA; Extended Directory Services; Active Directory & ADAM; Enterprise Single Sign On; Authorization Manager; Active Directory Federation Services; Audit Collection Services; BizTalk; Identity Integration Server; ISA Server; SQL Server Reporting Services; Services for Unix / Services for Netware)
The products are arranged in three layers: Directory (Store) Services, Access Management, and Identity Lifecycle Management
Functionality of Microsoft Identity Integration Server
What is MIIS?
MIIS is…
A rock-solid synchronization engine for identity information
Software that ensures consistency of identity data across repositories
MIIS makes it radically easier to design, deploy and manage a metadirectory across an enterprise of any size
IIFP - Identity Integration Feature Pack for Windows Server 2003
Subset of MIIS functionality available free of charge as a download
Synchronisation with only the following stores:
Active Directory
ADAM
Exchange 2000/2003 Server
MIIS: Identity Lifecycle Management
New User: User ID Creation; Credential Issuance; Access Rights
Account Changes: Promotions; Transfers; New Privileges; Attribute Changes
Password Mgmt: Strong Passwords; “Lost” Password; Password Reset
Retire User: Delete/Freeze Accounts; Delete/Freeze Entitlements
MIIS Capabilities & Benefits
Key capabilities:
Identity Synchronization
Provisioning & Deprovisioning
Password Management
“Agentless” connection to heterogeneous systems
Key benefits:
Easy to deploy
Easy to translate business rules into MIIS
Easy to build the solution over time
Robust and Scalable
Low cost
State Based
(Diagram: identity data flowing between MIIS and LDAP, SQL, NOS and LOB application stores)
Metadirectory Concept
Represents all identity information from all connected data sources
Through a mechanism of rules, allows even the most intricate relationships to be maintained between seemingly incompatible identity management systems
The “heart” of the MIIS system
Scenario – Join/Leave
(Diagram: Join/Leave, Provisioning and RBAC flows; the HR system feeds MIIS, which provisions AD, LDAP and Email)
Example: University of West England
40,000 Students
8,000 new students each year
Provisioned into 4 systems (including AD, Exchange, NT, HR)
Immediate savings of £50k/year
Scenario – Password
(Diagram: Join/Leave, Provisioning, RBAC, Portal, Self-service/helpdesk and ID data/passwords flows; user password changes and helpdesk resets reach MIIS, PCNS captures changes made in AD, and MIIS pushes resets out to AD, LDAP, Email and web applications)
Example: Elsevier
Passwords managed across AD, Lotus Notes, Sun ONE
Scenario – Portal
(Diagram: Join/Leave, Provisioning, RBAC, Portal, Self-service/helpdesk and ID data/passwords flows; HR, AD, LDAP and Email are synchronised by MIIS into ADAM, which serves the portal web application)
Most Typical Implementations
White Pages
Directory Synchronization
Identity Administration / Self Service
MIIS Terms
Connected Data Source (CD): any source and/or destination containing identity data
Management Agent (MA): facilitates the communication between the CD and the CS and MV
Connector Space (CS): staging area (SQL) for inbound or outbound synchronized attributes
Metaverse (MV): central (SQL) store of identity information; matching CS entries to a single MV entry is called a “join”
(Diagram: CD – MA – CS – MV, with MA, CS and MV inside MIIS)
MIIS Concepts
MV entries are linked to CS entries through:
Projection
Provisioning a connector
Joining
CS entries represent objects in Connected Data Sources
Synchronization is between MV and CS
Staging is from CD to CS
Export is from CS to CD
(Diagram: Connected Data Sources (CD) such as User, Notes, Oracle, SQL and SAP, each with its own Connector Space (CS) inside MIIS, all linked to the single Metaverse (MV))
Let’s zoom in on what MIIS does
MIIS Sequence Of Events
1) Oracle HR database staged and projected
2) Provision and export to SQL-based approval system
3) Manager approval app causes import and delta synchronization
4) Sun One and Notes connectors provisioned and exported
(Diagram: Connected Data Sources (CD): User, Oracle, SQL, Notes, SAP; Connector Space (CS); Metaverse (MV))
Object creation
(Diagram: CD (HR) – CS Person Object – Connector – MV Person Object; the Provision step runs in the MV rules extension)
1) HR MA imports new user object
2) Project new user
3) Create new connector
4) Set Anchor Value
5) Set other initial values
6) Export attribute flow
7) Normal MA Export Run (creates object in CD)
Object Deletion
Note: Deprovision does not necessarily mean delete
(Diagram: CD (HR) – CS Person Object – Connector – MV Person Object; Deprovision runs in the MA rules extension)
1) HR MA imports user object with status = “terminated”
2) Object deletion rule applies: the connector filter “status=terminated” is satisfied
3) CS object becomes a disconnector
4) MV object deleted
Deprovision (MA rules extension) then decides what happens to each remaining connector: make a normal disconnector, make an explicit disconnector, delete the object, or run a custom extension; disconnector cleanup follows
5) MA Export deletes the CD object
Scenarios and Applications of MIIS
Identity Lifecycle Management with MIIS
Password Management
Identity Provisioning
Synchronisation
Audit
Compliance Assurance
Role Management (for Role-based Access Management)
Password Synchronization
(Diagram: on the source system a user changes their password with Ctrl-Alt-Del; PCNSFlt.DLL on the AD Domain Controller captures the change and PCNS sends the encrypted password to MIIS; the AD MA receives it as a password reset and the MA password extension applies password resets to the target systems)
Password Management
Initial password set versus password management
Passwords are write-only
Scope of password management
Security groups
Events and password history
Developing custom applications
WMI
(Diagram: Helpdesk Web App and Self-serve Web App talk to MIIS through WMI; MIIS manages passwords in NT4, Lotus Notes, AD, Sun ONE, AD/ADAM and Novell eDirectory)
Password Management
(Diagram: application-based sign-on against the infrastructure directory (AD), ADAM, LOB4, LOB5 and a 3rd party LDAP, all kept in step by MIIS)
1. User changes password using the password management web app
2. Pwd mgmt app finds matching accounts in MIIS
3. Passwords updated
4. User signs on to the app
Provisioning
Identity can be sourced from a number of directories through management agents (MAs):
Database, LDAP, File-based
Whenever a Metaverse object is changed, the Provision method runs
This is code in a Metaverse rules extension DLL
If not catered for by an existing management agent, you can customise it to suit the most unusual provisioning needs
Deprovisioning is those operations that occur at the end of an identity life cycle (deletion, disabling)
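The object creation and object deletion sequences earlier in the deck and the Provisioning slide above all describe code that lives in the rules extensions. The following C# is an added example, not code from the presentation or from Microsoft: a metaverse rules extension (Provision, ShouldDeleteFromMV) and an MA rules extension (Deprovision) written against Microsoft.MetadirectoryServices. The management agent names, attribute names, object types and the target OU are assumptions for illustration; the connector filter “status=terminated” on the HR MA is MIIS configuration, not code.

```csharp
// Added example (not from the presentation): MIIS 2003 rules extensions that
// implement the object-creation and object-deletion steps from the slides.
// MA names, attribute names and the OU are assumptions for illustration.
using System;
using Microsoft.MetadirectoryServices;

namespace Fabrikam.Miis
{
    // Metaverse rules extension: Provision runs whenever an MV object changes.
    public class MVExtensionObject : IMVSynchronization
    {
        const string HrMa = "HR MA";                 // assumed MA name
        const string AdMa = "Fabrikam AD MA";        // assumed MA name
        const string ApprovalMa = "Approval SQL MA"; // assumed MA name
        const long ADS_UF_NORMAL_ACCOUNT = 0x0200;

        void IMVSynchronization.Initialize() { }
        void IMVSynchronization.Terminate() { }

        // Object creation steps 3 to 6: create the connector, set the anchor and
        // the initial values; the next MA export run then creates the CD object.
        void IMVSynchronization.Provision(MVEntry mventry)
        {
            // Only provision once HR has projected a complete, active record.
            if (!mventry["employeeID"].IsPresent || !mventry["employeeStatus"].IsPresent
                || mventry["employeeStatus"].Value != "active")
                return;

            // Database MA: the anchor attribute (employeeID) must be set by us.
            ConnectedMA approval = mventry.ConnectedMAs[ApprovalMa];
            if (approval.Connectors.Count == 0)
            {
                CSEntry row = approval.Connectors.StartNewConnector("person");
                row["employeeID"].Value = mventry["employeeID"].Value;     // anchor
                row["displayName"].Value = mventry["displayName"].Value;   // initial values
                row["approved"].Value = "0";
                row.CommitNewConnector();
            }

            // AD MA: the DN identifies the new object; AD assigns the objectGUID anchor.
            ConnectedMA ad = mventry.ConnectedMAs[AdMa];
            if (ad.Connectors.Count == 0)
            {
                CSEntry user = ad.Connectors.StartNewConnector("user");
                user.DN = ad.EscapeDNComponent("CN=" + mventry["displayName"].Value)
                            .Concat("OU=Employees,DC=fabrikam,DC=com");
                user["sAMAccountName"].Value = mventry["uid"].Value;
                user["userAccountControl"].IntegerValue = ADS_UF_NORMAL_ACCOUNT;
                user.CommitNewConnector();
            }
        }

        // Object deletion step 4: the MV object goes only when the HR connector is
        // filtered out (connector filter "status=terminated" on the HR MA), never
        // because some target system lost its connector.
        bool IMVSynchronization.ShouldDeleteFromMV(CSEntry csentry, MVEntry mventry)
        {
            return csentry.MA.Name == HrMa;
        }
    }

    // MA rules extension for the AD MA. Deprovision runs for each remaining
    // connector after the MV object has been deleted; as the slide says,
    // deprovision does not necessarily mean delete.
    public class ADMAExtensionObject : IMASynchronization
    {
        const long ADS_UF_ACCOUNTDISABLE = 0x0002;

        DeprovisionAction IMASynchronization.Deprovision(CSEntry csentry)
        {
            // Freeze rather than delete: disable the account and keep it as an
            // explicit disconnector (never re-joined automatically). Returning
            // DeprovisionAction.Delete would make the MA export run delete the
            // AD object (step 5); Disconnect would leave a normal disconnector.
            if (csentry["userAccountControl"].IsPresent)
                csentry["userAccountControl"].IntegerValue |= ADS_UF_ACCOUNTDISABLE;
            else
                csentry["userAccountControl"].IntegerValue = ADS_UF_ACCOUNTDISABLE;
            return DeprovisionAction.ExplicitDisconnect;
        }

        // The remaining members are handled by MIIS rule configuration, so they
        // report "not implemented" as the generated extension template does.
        void IMASynchronization.Initialize() { }
        void IMASynchronization.Terminate() { }
        bool IMASynchronization.ShouldProjectToMV(CSEntry csentry, out string MVObjectType)
        { throw new EntryPointNotImplementedException(); }
        bool IMASynchronization.FilterForDisconnection(CSEntry csentry)
        { throw new EntryPointNotImplementedException(); }
        void IMASynchronization.MapAttributesForJoin(string FlowRuleName, CSEntry csentry, ref ValueCollection values)
        { throw new EntryPointNotImplementedException(); }
        bool IMASynchronization.ResolveJoinSearch(string joinCriteriaName, CSEntry csentry, MVEntry[] rgmventry, out int imventry, ref string MVObjectType)
        { throw new EntryPointNotImplementedException(); }
        void IMASynchronization.MapAttributesForImport(string FlowRuleName, CSEntry csentry, MVEntry mventry)
        { throw new EntryPointNotImplementedException(); }
        void IMASynchronization.MapAttributesForExport(string FlowRuleName, MVEntry mventry, CSEntry csentry)
        { throw new EntryPointNotImplementedException(); }
    }
}
```

Two design points matter for safety. ShouldDeleteFromMV ties metaverse deletion to the authoritative source alone, so a target directory being rebuilt cannot cascade into deletions elsewhere; and Deprovision disables and disconnects rather than deleting, which keeps the AD object (and its SID, mailbox and audit history) recoverable if HR reverses a termination.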
Synchronisation
MIIS Out-of-the-Box Connectivity
Active Directory / Exchange
Active Directory Application Mode (ADAM)
SunOne Directory (iPlanet)
IBM Tivoli Directory Server (SecureWay)
DSML 2.0
LDAP Directory Interchange Format (LDIF)
Delimited Text
Fixed-Width Text
Attribute-Value Pair Text
NT 4
Exchange 5.5
Lotus Notes
SQL Server
Oracle
Informix and dBase
IBM RACF
IBM DB2
Novell eDirectory
PeopleSoft
SAP
Partner (Extensible) Management Agents (NEW!)
Other systems to follow
Audit and Compliance
Regulatory requirements: SarbOx, Data Protection Directive/Act, Freedom of Information Acts, HIPAA…
Arguably, we have to monitor the directories themselves, not what MIIS claims about them. As this is very difficult today, here is an interim suggestion:
1. Centralise all tracked identity information in an MIIS metadirectory
2. Audit MIIS events
3. Code bespoke rules
4. Obtain existing compliance checking code (e.g. OCG)
5. Use Microsoft Audit Collection Service (ACS) to ensure the integrity of the audit
– ACS plans to ship with the next version of Microsoft Operations Manager
Audit Collection Services
Architectural Overview
(Diagram: security logs on monitored clients and monitored servers, where events are subject to tampering, are forwarded through WMI to a Collector that writes them to SQL; from that point the events are under the control of auditors and feed real-time intrusion detection applications, forensic analysis and the management system)
Additional Security Benefit
Through analysis of the MIIS audit (for example, using Microsoft Operations Manager) you can detect unusual and unexpected operations
This can become a basis for building an element of your automated Intrusion Detection System (IDS)
Please refer to the “Holistic Security” seminar, Part 2, available on www.microsoft.com/itsshowtime, for more information on IDS and Active Security
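One concrete form of the “unusual and unexpected operations” check from this slide and of “Audit MIIS events” on the previous one, added here as an example and not code from the presentation or from Microsoft: read the MIIS run history through the WMI provider and raise an alert when a run’s delete counters are unexpectedly high, which is exactly what a truncated HR extract looks like before the deletion rule turns it into mass deprovisioning. The MIIS_RunHistory class and its RunDetails() method are part of the MIIS WMI provider; the counter element names inside the run-details XML, the threshold and the constructed sample run are assumptions for illustration.

```csharp
// Added example (not from the presentation): flag MIIS runs whose delete
// counters jump, using run history from the MIIS WMI provider. Element names
// in the run-details XML and the sample run are assumed for illustration.
using System;
using System.Collections.Generic;
using System.Management;
using System.Xml;

namespace Fabrikam.Miis
{
    public sealed class RunAlert
    {
        public string MaName, RunProfile, Counter;
        public int Count;
        public override string ToString()
        { return string.Format("{0} [{1}]: {2} = {3}", MaName, RunProfile, Counter, Count); }
    }

    public static class RunAuditor
    {
        const string MiisNamespace = @"root\MicrosoftIdentityIntegrationServer";

        // Counters that stay small in normal operation; a jump means objects are
        // vanishing from a source or being deleted downstream (assumed names).
        static readonly string[] WatchedCounters =
            { "stage-delete", "disconnector-filtered", "export-delete" };

        // Live check: read every recorded run from the MIIS server and inspect it.
        public static IList<RunAlert> AuditServer(int floor)
        {
            List<RunAlert> alerts = new List<RunAlert>();
            ManagementScope scope = new ManagementScope(MiisNamespace);
            scope.Connect();
            using (ManagementObjectSearcher search = new ManagementObjectSearcher(
                       scope, new ObjectQuery("SELECT * FROM MIIS_RunHistory")))
            {
                foreach (ManagementObject run in search.Get())
                {
                    string xml = Convert.ToString(run.InvokeMethod("RunDetails", null));
                    alerts.AddRange(Inspect(Convert.ToString(run["MaName"]),
                                            Convert.ToString(run["RunProfile"]), xml, floor));
                }
            }
            return alerts;
        }

        // Pure part: sum each watched counter over all steps of one run and alert
        // when the sum reaches the floor. Free of WMI so it runs against saved XML.
        public static IList<RunAlert> Inspect(string maName, string runProfile,
                                              string runDetailsXml, int floor)
        {
            List<RunAlert> alerts = new List<RunAlert>();
            XmlDocument doc = new XmlDocument();
            doc.LoadXml(runDetailsXml);
            foreach (string counter in WatchedCounters)
            {
                int total = 0;
                foreach (XmlNode n in doc.SelectNodes("//" + counter))
                {
                    int v;
                    if (int.TryParse(n.InnerText, out v)) total += v;
                }
                if (total >= floor)
                {
                    RunAlert a = new RunAlert();
                    a.MaName = maName; a.RunProfile = runProfile;
                    a.Counter = counter; a.Count = total;
                    alerts.Add(a);
                }
            }
            return alerts;
        }

        // Constructed sample in the assumed run-details shape: an HR full import in
        // which most of the extract went missing, so 1200 staged objects are marked
        // for deletion. Left unchecked, the deletion rule would retire 1200 users.
        public const string SampleRunDetails =
            "<run-details><ma-name>HR MA</ma-name>" +
            "<run-profile-name>Full Import</run-profile-name>" +
            "<step-details step-number=\"1\"><step-result>success</step-result>" +
            "<staging-counters><stage-no-change>24</stage-no-change>" +
            "<stage-add>3</stage-add><stage-update>11</stage-update>" +
            "<stage-delete>1200</stage-delete></staging-counters>" +
            "<inbound-flow-counters><disconnector-filtered>2</disconnector-filtered>" +
            "</inbound-flow-counters></step-details></run-details>";

        // Offline demonstration: with a floor of 100, only stage-delete trips.
        public static IList<RunAlert> Demo()
        {
            return Inspect("HR MA", "Full Import", SampleRunDetails, 100);
        }
    }
}
```

The useful operational pattern is to run the import (stage only) profile, call the check, and only then run synchronisation and export; a tripped alert stops the pipeline before the deletions reach the metaverse, and the alert itself is the event you forward to the management system or ACS.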
A Few Tips on MIIS
(Refer to course 2731 on MIIS for more)
Guidelines for Securing the MIIS 2003 Environment
Use strong passwords
Ensure that only trusted people have access
Institute checks and balances
Encrypt sensitive data; use secure network connections
Provide appropriate training
Use Windows authentication on SQL Servers
Implement RAID and UPS on SQL Servers
If using a remote SQL Server, change the TCP/IP port (this only reduces exposure to casual scanning; it is no substitute for the firewall and an encrypted connection)
Install MIIS 2003 and SQL Server behind a firewall
Keep software patches up to date
Encryption Keys
Password information is encrypted:
Connection passwords
Passwords waiting to be synchronized
Newly created passwords (not yet provisioned)
Key sets should be backed up to a safe place, and before any re-encryption
miiskmu allows backup/restore of keys, re-encryption with a new key, and key abandonment
If a new key is created, the old keys are scrubbed
Security Groups and Access Control Lists
Limit access to specific users and groups
Monitor group membership and access control lists
If a security breach occurs:
Back up the MIIS database and the encryption keys
Change the MIIS service account credentials
Delete the existing MIIS security groups
Run MIIS setup and use the new security credentials
Obtain and deploy new connection credentials for connected data sources; de-activate the old credentials
Maintain a Warm Standby Server
(Diagram: an active MIIS server and a warm standby, both using the same domain service account, share a clustered SQL Server; the domain controller authenticates the MIIS service account and groups; when the active server fails, MIISActivate.exe brings the standby into service)
Backup and Restore
SQL Server backup includes data, configuration and extensions
Encryption keys and metadata must be backed up separately
There are two approaches to restoring on a clean machine:
Restore then install
Install then restore
When restoring onto an existing installation, you should run miisactivate to restore the extensions reliably
Summary
MIIS Success & References
250+ large customers since the launch (which was in Aug 2003)
28 different countries (NA, EMEA, APAC, LTAM)
25 different verticals (Gov’t, Finance, Education, .com)
20,000+ downloads of the feature pack
10,000+ downloads of the evaluation version
User Group > 1500 users
Summary
At the heart of Identity Lifecycle Management lies a strong metadirectory server: MIIS
Main functions deal with provisioning, password management, and identity synchronisation
Additional benefits include the ability to audit and ensure regulatory compliance
www.microsoft.com/idm & www.microsoft.com/itsshowtime & www.microsoft.com/technet
Special Thanks
This seminar was prepared with the help of:
Oxford Computer Group Ltd
Expertise in Identity and Access Management (Microsoft Partner)
IT Service Delivery and Training
www.oxfordcomputergroup.com
Microsoft, with special thanks to:
Daniel Meyer – thanks for many slides
Steven Adler, Ronny Bjones, Olga Londer – planning and reviewing
Philippe Lemmens, Detlef Eckert – Sponsorship
Bas Paumen & NGN - feedback