microsoft’s identity management strategy and roadmap john pritchard microsoft corporation...


Upload: jeffry-kory-wood

Post on 27-Dec-2015


TRANSCRIPT

Page 1: Microsoft’s Identity Management Strategy and Roadmap John Pritchard Microsoft Corporation johnpr@microsoft.com SOL214


Page 2: Agenda

Situation

Strategy
Federated identity

Process-driven identity and entitlement management

Evolution of directory services

Next generation digital identity

Roadmap

Page 3: Situation

Increasingly connected systems
Connections span technical, org boundaries

Distinctions blur - customer, partner, employee, intranet, Internet

Demand for business process integration
Clear business drivers around security, cost efficiency, regulatory compliance

Issues around policy, compliance, reporting

Rapid rise of threats to online safety
Phishing, pharming, phraud

Concerns over privacy, tracking

Page 4: Technology Areas

Connectors
Integration with non-Windows integrated applications and systems

Identity and Access Platform

User Experience
Logon & credentials
Self-service

Developer Experience
Directory APIs
Access APIs
Integration APIs

IT Pro Experience
Management
Delegated admin

Integration Services
Process automation
Process control

Directory Services
Distributed publication

Access Services
Authentication
Authorization
Audit
Credential management

Page 5: Microsoft’s Strategy

Add native support for interoperable federated identity to Active Directory using web services

Build on Microsoft Identity Integration Server as platform for process-driven management of identities and entitlements

Evolve and refine Active Directory directory services

Page 6: Federated Identity and Web Services

Page 7: What is a Digital Identity?

A set of claims one subject makes about another

Many identities for many uses

Required for transactions in real world and online

Page 8: Claims-Based Access Control

Client

Server

1. Read policy for “Submit Order”

2. Call “Submit Order” including Security Token with {Purchaser=True} claim

{Purchaser=True}

“Submit order” requires {Purchaser} claim

Page 9: Claims-Based Access Control

Client

Server

Security Token Server STS_A

1. Read policy for “Submit Order”

2. Read policy for Request Security Token

3. Request Security Token passing [Ryan, ****]

“Submit order” requires {Role} from STS_A

{Role} requires [Name,Password] cred

Page 10: Claims-Based Access Control

Client

Server

Security Token Server STS_A

4. Request Security Token Response

5. Call “Submit Order” with security token

{Role=Purchaser} signed STS_A

Mapping: (Ryan,****) {Role = Purchaser}

“Submit order” requires {Role} from STS_A

{Role} requires [Name,Password] cred

Page 11: Claims-Based Access Control

Client

Server

Security Token Server STS_AuthZ “Authorization claims provider”

Security Token Server STS_Identity “Identity claims provider”

1. Read policy for “Submit Order”

2. Read policy for Request Security Token

3. Read policy for Request Security Token

4. Request Security Token passing [Ryan’s Kerb ticket]

“Submit order” requires {Submit order} from STS_AuthZ

{Submit order} requires {Role} claim from STS_Identity

{Role} requires [Kerb ticket] or [Name/Pwd] cred

Page 12: Claims-Based Access Control

Client

Server

Security Token Server STS_AuthZ

Security Token Server STS_Identity

Steps 5, 6, 7, 8

Call “Submit Order”

Mapping: Ryan {Role = Purchaser}

Mapping: {Role = Purchaser} {Submit order = True}

{Role=Purchaser} signed STS_Identity

{Submit order = True} signed STS_AuthZ

“Submit order” requires {Submit order} from STS_AuthZ

{Submit order} requires {Role} claim from STS_Identity
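
The two-STS exchange on Pages 11 and 12, as an added Python example that is not part of the original deck: STS_Identity turns a credential into a signed {Role} claim, STS_AuthZ turns that into a signed {Submit order} claim, and the server checks both issuer and claim. HMAC with constructed keys stands in for the issuers' signatures, and the function names, account and password are assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo keys. HMAC stands in for the issuer's signature; a real
# STS signs tokens (for example SAML assertions) with its private key.
KEYS = {"STS_Identity": b"demo-key-identity", "STS_AuthZ": b"demo-key-authz"}
SALT = b"constructed-salt"


def pw_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000)


# Constructed account: STS_Identity maps Ryan to {Role = Purchaser}.
USERS = {"Ryan": {"pw": pw_hash("constructed-demo-password"), "role": "Purchaser"}}
# STS_AuthZ maps {Role = Purchaser} to {Submit order = True}.
ROLE_TO_CLAIMS = {"Purchaser": {"Submit order": True}}


def sign_token(issuer, claims):
    """Serialize the claims with the issuer name and attach the issuer's MAC."""
    body = json.dumps({"issuer": issuer, "claims": claims}, sort_keys=True)
    sig = hmac.new(KEYS[issuer], body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_token(token, required_issuer):
    """Return the claims only if required_issuer signed this exact body."""
    expected = hmac.new(KEYS[required_issuer], token["body"].encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        raise PermissionError(f"token is not signed by {required_issuer}")
    return json.loads(token["body"])["claims"]


def sts_identity_issue(name, password):
    """{Role} requires a [Name/Pwd] credential."""
    user = USERS.get(name)
    if user is None or not hmac.compare_digest(user["pw"], pw_hash(password)):
        raise PermissionError("credential rejected")
    return sign_token("STS_Identity", {"Role": user["role"]})


def sts_authz_issue(identity_token):
    """{Submit order} requires a {Role} claim from STS_Identity."""
    claims = verify_token(identity_token, "STS_Identity")
    granted = ROLE_TO_CLAIMS.get(claims.get("Role"))
    if granted is None:
        raise PermissionError("role has no authorization mapping")
    return sign_token("STS_AuthZ", granted)


def server_submit_order(token):
    """'Submit order' requires {Submit order} from STS_AuthZ."""
    claims = verify_token(token, "STS_AuthZ")
    if claims.get("Submit order") is not True:
        raise PermissionError("missing {Submit order} claim")
    return "order accepted"


def client_flow(name, password):
    """Client side: collect the tokens the policies ask for, then call the server."""
    identity_token = sts_identity_issue(name, password)
    authz_token = sts_authz_issue(identity_token)
    return server_submit_order(authz_token)


if __name__ == "__main__":
    print(client_flow("Ryan", "constructed-demo-password"))
```

The server never sees Ryan's credential or role, only the {Submit order} claim, and it rejects a token from STS_Identity presented directly because its policy names STS_AuthZ as the required issuer. Production tokens also carry a validity window and an intended audience, which this example leaves out.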

Page 13: WS-* Architecture

Composable architecture for Web services

Broad participation across the industry
Published, standards-track architecture
Available royalty-free

Security token format neutral
OASIS WS-Security specification is the basis
Supports x509, Kerb, SAML 1.1, 1.2, 2.0, XrML …

Dynamic system for exchanging claims
WS-MetadataExchange, WS-SecurityPolicy

Token and claim translation
WS-Trust defines Security Token Services (STS)

Page 14: Active Directory Federation Services

Federated web single sign on
WS-Federation Passive Requestor Profile

Support SAML token, claims as SAML assertions

Integrated with Windows SSO

Support Windows Integrated Security and native claims-based identity

Transform claims into SIDs for Windows apps

Enable web apps to natively consume claims

Authorization Manager integration

Delivered in Windows Server 2003 R2

Page 15: ADFS Experience

Page 16: Process-driven management of identities and entitlements

Page 17: Integration Services

Process automation for managing identity and entitlement lifecycle

Fully automated add/update/delete

Delegated administration

End user self-service

Process control for reporting, assessment and enforcement

Metadirectory “closed-loop” enforcement

State auditing and reporting

Page 18: Integration Services

MIIS 2003 SP1
Automated provisioning, de-provisioning

Enforce consistency of data

Password change management

Management agents for common directories, databases, flat file formats

Management agent SDK

Windows Server 2003 R2 wave
RACF, ACF2, Top Secret, SAP, Peoplesoft

Page 19: Longhorn Wave: “Gemini”

Integration of workflow with metadirectory

Declarative authoring

Advanced auditing and reporting

Computed attributes
Automated group membership management

Identity and entitlement management platform

Make your application manageable via MIIS

Self-service applications: user, group, and password management

Page 20: The Evolution of Directory Services

Page 21: Active Directory

Broad usage
86% of US, 57% of enterprises >500 PCs worldwide running Active Directory *

Performance at scale
Scale out: 1000+ servers
Scale up: deployments at 20M+ users

Flexibility: AD and ADAM
Centralized or distributed physical deployment
Centralized or distributed logical management
Shared across applications or dedicated to a specific application

Interop: Unix/Linux SSO via Vintela, Centrify

* Source: Microsoft internal survey, spring 2005

Page 22: Domain Mode

Windows Server 2003 R2
Unix compatibility schema

ADMT v3 (web download)

Longhorn Server
Read-only DC: reduced physical security requirements, simplified manageability

Restartable AD: reduce DC reboots

DC on Server Core: minimize surface area

DC/Domain Admin role separation

Page 23: Application Mode

Windows Server 2003 ADAM download
LDAP-only mode of Active Directory with independent configuration

Identical performance at scale

Windows Server 2003 R2
ADAM included in OS distribution

One-way AD-to-ADAM sync: eliminate need for MIIS (or IIFP) in simple scenarios

Longhorn Server: same as R2

Page 24: The Next Generation of Digital Identity

Page 25: Threats to Online Safety

The Internet was built without a way to know who and what you are connecting to

Everyone offering Internet service has come up with workaround – a patchwork of one-offs

Inadvertently taught people to be phished

Greater use and greater value attract professional international criminal fringe

Understand and exploit weaknesses in patchwork

Phishing and pharming at 1000% CAGR

Add “Stash attacks” reported as “Identity losses”

Page 26: From Patchwork to Fabric

Little agreement on what identity layer is, or how it should be run

Digital identity related to contexts

Partial success in specific domains (SSL, Kerberos)

Enterprises, governments, verticals prefer one-offs to loss of control

Individual is also a key player

No simplistic solution is realistic
Consider cross cultural, international issues

Diverse needs of players means need to integrate multiple constituent technologies

Page 27: “The Laws of Identity”

1. User control and consent

2. Minimal disclosure for a defined use

3. Justifiable parties

4. Directional identity

5. Pluralism of operators and technologies

6. Human integration

7. Consistent experience across contexts

Join the discussion at www.identityblog.com

Page 28: Identity Metasystem

We need a unifying “Identity metasystem”
Protect applications from identity complexities

Allow digital identity to be loosely coupled: multiple operators, technologies, and implementations

Not first time we’ve seen this in computing
Abstract display services made possible through device drivers

Emergence of TCP/IP unified Ethernet, Token Ring, Frame Relay, X.25, even the not-yet-invented wireless protocols

Page 29: Empowers the User…

Governments

Individuals
Work & Consumer

Private Businesses

Technologies
X509, Kerberos, SAML

Applications
Existing & New

Organizations

Devices
PCs, Mobile, Phone

You

Page 30: Brings Technologies Together…

Smartcards
Self-issued identities
Corporate identities
Government identities
Passport identities
Liberty identities
Client applications
Operating systems
Network access systems
Governments
Organizations
Companies
Individuals
Mobile phones
Computers
Hard ID tokens
… and everything else

Page 31: Metasystem Characteristics

Requirements for the Identity Metasystem

Negotiation Driven: Enable participants to negotiate technical policy requirements

Encapsulation: Technology-agnostic way to exchange policies and claims

Claims Transformation: Trusted way to change one set of claims into another regardless of format

User Experience: Consistent user interface across multiple systems and technologies

Page 32: WS-* Metasystem Architecture

WS-Trust, WS-MetadataExchange

Security Token Service
WS-SecurityPolicy

Security Token Service
WS-SecurityPolicy

Kerberos

SAML

x509

ID Provider

ID Provider

Subject

Relying Party

Relying Party

Identity Selector

Page 33: Microsoft Support for Identity Metasystem

“Indigo”
Runtime for building distributed applications supporting identity metasystem

“InfoCard”
Identity selector for Windows to visualize user’s digital identity

Active Directory
Infrastructure for identity and access

“InfoCard” “Indigo”

Active Directory

WS-*

End-Users

Developers

IT Organizations

Page 34: Preview – “InfoCard”

Page 35: Preview – “InfoCard”

Page 36: Microsoft’s Implementation

Data stored for each card in card collection
Name, logo, names of claims available (not values)

Address of identity provider

Reference to required credential (e.g. smartcard)

Data stored in simple identity provider
Name, address, email, telephone, age, gender

User must opt-in

InfoCard data not visible to applications
Stored in files encrypted under system key

User interface runs on separate desktop

No information stored in online service

Page 37: Summary

Page 38: Product Offering

Connectors
Directory, Database, Flat file, Mainframe, ERP, and SDK to build more

Identity and Access Platform

User Experience
Logon & credentials
Self-service

Developer Experience
Directory APIs
Access APIs
Integration APIs

IT Pro Experience
Management consoles
MOM integration

Integration Services
Metadirectory
Workflow
Audit and Reporting
Enterprise SSO

Directory Services
Active Directory
ADAM
UDDI

Access Services
Federated SSO
Integrated PKI
CBAC & RBAC
Rights Management

Page 39: Roadmap

Windows Server 2003 R2
Active Directory Federation Services

ADAM with one-way sync from AD

Additional management agents for MIIS

Longhorn wave
Continued directory services refinements

PKI, credential management and usability enhancements

“Gemini” automation and control platform

Page 40: Call to Action

Build on Active Directory
Single sign on and directory consolidation

Intranet and extranet

We will help you build on this investment

Use MIIS 2003 for provisioning, de-provisioning, and policy enforcement

Try ADFS in R2 Beta 2

Learn about WS-* Web services

Join identity metasystem discussion

Page 41: Resources

“The Laws of Identity” and the Identity Metasystem: http://msdn.microsoft.com/webservices/

Identity Management: http://www.microsoft.com/idm

Kim Cameron’s Identity Blog: http://www.identityblog.com

Page 42

We invite you to participate in our online evaluation on CommNet, accessible Friday only

If you choose to complete the evaluation online, there is no need to complete the paper evaluation

Page 44

© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.