Enterprise Identity (PowerPoint presentation)

Slide 1: Enterprise Identity
Steve Plank – Microsoft
Hugh Simpson-Wells – Oxford Computer Group
Dave Nesbitt – Oxford Computer Group

Slide 2: Agenda

• Overview of Enterprise Identity Challenges/Solutions
• Individual Group Discussions (led)
• Large Group “Debate”

Slide 3: The Digital Identity Lifecycle

Roles: Director, Service Manager, Product Manager, PA, Sales Person, Customer Service, Engineer, HR Admin, Call Handler

Slide 4: The Digital Identity Lifecycle

Topics: Access Management, Joining Identities, Identity Data Aggregation, Identity Data Enforcement, Identity Data Brokering, Hire/Fire Scenario

(Diagram: Role 1 to Role 5 across the lifecycle)

• Roles are defined
• People are hired
• People change role
• People are fired (they leave of their own accord too!)
• They access critical assets
• A business owns critical assets

Slide 5: Hire Scenario

(Diagram: a change (Δ) in the HR System or Contractor System is picked up by the Provisioning System or Metadirectory, which connects to the Application Directory, Infrastructure Directory, Database, LOB App and E-mail system over connectors labelled LDAP, LDAP, SQL and API.)

Slide 6: Fire Scenario

(Diagram: the same layout as the Hire Scenario. A change (Δ) in the HR System or Contractor System is picked up by the Provisioning System or Metadirectory, which connects to the Application Directory, Infrastructure Directory, Database, LOB App and E-mail system over connectors labelled LDAP, LDAP, SQL and API.)
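The Hire and Fire scenarios above are diagrams only. The following is an added example, not code from the slides or from Oxford Computer Group, of the provisioning engine those diagrams describe: an HR delta (hire, role change, fire) fans out to every connected system, and a reconciliation pass reports accounts that are still enabled downstream for people HR no longer lists as active, which is the access a missed "fire" leaves behind. The connector names, the attribute set and the sample people (Lois Lane and employee 999 are constructed) are assumptions for illustration.

```python
"""Toy provisioning system driven by HR deltas (added example, not from the slides)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class HrDelta:
    """The change record (the Δ on the slides) from the HR or contractor system."""
    op: str                 # "hire", "change_role" or "fire"
    employee_id: str
    given_name: str = ""
    sn: str = ""
    title: str = ""


class Connector:
    """One connector per connected system (directory, database, LOB app, e-mail)."""

    def __init__(self, name):
        self.name = name
        self.accounts = {}  # employeeID -> account attributes

    def create(self, d):
        self.accounts[d.employee_id] = {
            "givenName": d.given_name, "sn": d.sn, "title": d.title, "enabled": True}

    def update_role(self, d):
        self.accounts[d.employee_id]["title"] = d.title

    def disable(self, employee_id):
        acct = self.accounts.get(employee_id)
        if acct is None:
            return False        # nothing to disable here: report it as a gap
        acct["enabled"] = False
        return True


class ProvisioningSystem:
    """Applies each delta to every connector and keeps an audit trail."""

    def __init__(self, connectors):
        self.connectors = connectors
        self.audit = []     # (employeeID, op, connector name, result)

    def apply(self, d):
        for c in self.connectors:
            if d.op == "hire":
                c.create(d)
                result = "created"
            elif d.op == "change_role":
                c.update_role(d)
                result = "updated"
            elif d.op == "fire":
                result = "disabled" if c.disable(d.employee_id) else "missing"
            else:
                raise ValueError(f"unknown op {d.op!r}")
            self.audit.append((d.employee_id, d.op, c.name, result))

    def enabled_accounts(self):
        """Every (connector, employeeID) pair that is still enabled."""
        return {(c.name, eid) for c in self.connectors
                for eid, acct in c.accounts.items() if acct["enabled"]}


def reconcile(prov, active_in_hr):
    """Accounts still enabled downstream for people HR no longer lists as active."""
    return sorted(pair for pair in prov.enabled_accounts() if pair[1] not in active_in_hr)


def run_scenario():
    connectors = [Connector(n) for n in (
        "application-directory", "infrastructure-directory", "database", "lob-app", "e-mail")]
    prov = ProvisioningSystem(connectors)
    prov.apply(HrDelta("hire", "007", "Clark", "Kent", "Reporter"))
    prov.apply(HrDelta("hire", "008", "Lois", "Lane", "Reporter"))   # constructed
    prov.apply(HrDelta("change_role", "007", title="Editor"))
    prov.apply(HrDelta("fire", "007"))
    prov.apply(HrDelta("fire", "555"))   # constructed: HR fires someone no connector knows
    # Constructed: an account created directly in the LOB app, bypassing provisioning.
    connectors[3].accounts["999"] = {"givenName": "Ad", "sn": "Hoc", "title": "", "enabled": True}
    return prov, reconcile(prov, active_in_hr={"008"})


if __name__ == "__main__":
    prov, orphans = run_scenario()
    for entry in prov.audit:
        print(entry)
    print("still enabled without an active HR record:", orphans)
```

The "missing" audit results for employee 555 and the orphan found by reconcile are the two checks worth alerting on in a real deployment: the first shows a fire that had nothing to act on in a system that should have held an account, the second an account that provisioning never created and therefore would never disable.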

Slide 7: Metadirectory – Join, Attribute Flow, Enforcement…

Connected systems: HR System, Application Directory, Infrastructure Directory, E-mail System. Each holds a record with the attributes givenName, sn, title, mail, employeeID and telephone (the varied spellings are the slide's own):

  givenName  sn       title     mail               employeeID  telephone
  Klarek     Cenntt   -         -                  008         -
  Clark      Kennttt  -         Clark@contoso.com  007         -
  Klarke     Kent     Reporter  Clark@contoso.com  -           867-5309
  Clark      Kent     Reporter  -                  007         -

Join rules shown: Join on employeeID, Join on mail, Manual Join, Project to Metadirectory; records are marked JOINED once linked.

Joined metadirectory record:

  givenName  sn    title      mail               employeeID  telephone
  Clark      Kent  Superhero  Clark@contoso.com  007         +44 123 456 7890

Slide 8: Metadirectory – Identity Joining Scenario

(Diagram: the same four connected-system records as on the preceding Metadirectory slide are joined in the metadirectory, and the joined record givenName=Clark, sn=Kent, title=Superhero, mail=Clark@contoso.com, employeeID=007, telephone=+44 123 456 7890 flows back out to each connected system.)
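The two Metadirectory slides show the join and attribute flow as a diagram. The following is an added example, not code from the slides or from Oxford Computer Group, of the same mechanism: one record is projected into the metaverse, the others are joined on employeeID first and mail second, a record that matches on neither is parked for a manual join, and the joined attributes then flow to the metaverse object by a per-attribute precedence table. The deliberately inconsistent names never take part in the join. The assignment of records to systems, the precedence table and the infrastructure-directory telephone value are assumptions for illustration.

```python
"""Toy metadirectory join and attribute flow (added example, not from the slides)."""

ATTRS = ("givenName", "sn", "title", "mail", "employeeID", "telephone")

# Assumed attribute flow precedence: the first listed system that has a value wins.
PRECEDENCE = {
    "givenName": ("hr", "app-directory", "e-mail", "infra-directory"),
    "sn": ("hr", "app-directory", "e-mail", "infra-directory"),
    "title": ("hr", "e-mail"),
    "employeeID": ("hr", "app-directory", "infra-directory"),
    "mail": ("e-mail", "app-directory"),
    "telephone": ("infra-directory", "e-mail"),
}


class Metadirectory:
    def __init__(self):
        self.metaverse = {}   # metaverse id -> {"sources": {system name: record}}
        self.pending = []     # (system, record) pairs awaiting a manual join
        self._next = 1

    def _find(self, attr, value):
        """Metaverse object whose sources already carry this attribute value (case-insensitive)."""
        for mv_id, obj in self.metaverse.items():
            for rec in obj["sources"].values():
                if rec.get(attr) and rec[attr].lower() == value.lower():
                    return mv_id
        return None

    def project(self, system, record):
        """Projection: create a new metaverse object from this record."""
        mv_id = f"mv-{self._next}"
        self._next += 1
        self.metaverse[mv_id] = {"sources": {system: record}}
        return mv_id

    def join(self, system, record):
        """Join rules in order: employeeID, then mail; otherwise park for a manual join."""
        for attr in ("employeeID", "mail"):
            if record.get(attr):
                mv_id = self._find(attr, record[attr])
                if mv_id:
                    self.metaverse[mv_id]["sources"][system] = record
                    return ("joined", attr, mv_id)
        self.pending.append((system, record))
        return ("manual", None, None)

    def manual_join(self, system, record, mv_id):
        """An administrator links a parked record to a metaverse object by hand."""
        self.pending.remove((system, record))
        self.metaverse[mv_id]["sources"][system] = record
        return ("joined", "manual", mv_id)

    def flow(self, mv_id):
        """Attribute flow: build the metaverse object's attributes by precedence."""
        sources = self.metaverse[mv_id]["sources"]
        out = {}
        for attr in ATTRS:
            for system in PRECEDENCE[attr]:
                value = sources.get(system, {}).get(attr)
                if value:
                    out[attr] = value
                    break
        return out


def run_scenario():
    md = Metadirectory()
    # Constructed records modelled on the slide's Clark Kent entries (system assignment assumed).
    hr = {"givenName": "Clark", "sn": "Kent", "title": "Reporter", "employeeID": "007"}
    app = {"givenName": "Clark", "sn": "Kennttt", "mail": "Clark@contoso.com", "employeeID": "007"}
    email = {"givenName": "Klarke", "sn": "Kent", "title": "Reporter",
             "mail": "Clark@contoso.com", "telephone": "867-5309"}
    infra = {"givenName": "Klarek", "sn": "Cenntt", "employeeID": "008",
             "telephone": "+44 123 456 7890"}   # telephone value is constructed
    mv_id = md.project("hr", hr)
    results = [md.join("app-directory", app),     # joins on employeeID
               md.join("e-mail", email),          # no employeeID, joins on mail
               md.join("infra-directory", infra)] # wrong employeeID, no mail: parked
    results.append(md.manual_join("infra-directory", infra, mv_id))
    return results, md.flow(mv_id), md


if __name__ == "__main__":
    results, joined, md = run_scenario()
    for r in results:
        print(r)
    print(joined)
```

The infrastructure-directory record carries employeeID 008, so it cannot join automatically and has to be linked by hand; until that happens it stays in the pending list, which is the queue an identity team has to work down before enforcement (disabling, attribute correction) can be trusted for that person.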

Slide 9: Single Sign On

• Simple SSO
  • Single Authentication Authority, Single Server
  • Single Authentication Authority, Multiple Server
• Complex SSO
  • Single Credential Set
    • Token Based SSO
    • PKI Based SSO
  • Multiple Credential Set
    • Credential Sync (Consistent Sign On)
    • Client-side Credential Mapping
    • Server-side Credential Mapping

Slide 10: Simple SSO

(Diagram: AuthN Exchange between the client and the Authentication Service, and between the Resource Server and the Authentication Service; Trust and Token Validation between the Resource Server and the Authentication Service; the Credential Store (probably LDAP directory) is kept in step by Replication.)

Slide 11: No SSO

(Diagram: two separate Authentication Services, each with its own Credential Store (probably LDAP directory); the user completes a separate AuthN Exchange with each.)

Slide 12: Complex SSO: 1 Credential, Token-based

(Diagram: two Authentication Services, each with its own Credential Store (probably LDAP directory), with a Trust relationship between them; the user completes one AuthN Exchange with the first service, receives a Temp Token and presents it to the second.)
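The token-based slide shows only the boxes and arrows. The following is an added example, not code from the slides or from Oxford Computer Group, of that exchange with both sides in one script: the user authenticates once against service A's credential store, A issues a short-lived temp token, and service B, which trusts A, accepts the token without seeing the password. The token format (base64 JSON payload plus HMAC-SHA256), the shared trust key, the five-minute lifetime and the user record are assumptions for illustration; a production deployment would use a standard token format and asymmetric signatures rather than a shared secret.

```python
"""Minimal token-based SSO exchange (added example, not from the slides)."""
import base64
import hashlib
import hmac
import json
import time


class AuthenticationService:
    def __init__(self, name, credential_store, token_key, lifetime=300):
        self.name = name
        self.credential_store = credential_store  # user -> (salt, pbkdf2 hash); constructed
        self.token_key = token_key                # key this service signs its tokens with
        self.lifetime = lifetime                  # token validity in seconds (assumed)
        self.trusted = {}                         # issuer name -> that issuer's key

    def trust(self, other):
        """The Trust arrow on the slide: remember the other service's signing key."""
        self.trusted[other.name] = other.token_key

    def authenticate(self, user, password, now=None):
        """AuthN Exchange against the local credential store; returns a temp token or None."""
        entry = self.credential_store.get(user)
        if entry is None:
            return None
        salt, expected = entry
        given = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(expected, given):
            return None
        return self._issue(user, time.time() if now is None else now)

    def _issue(self, user, now):
        payload = json.dumps({"sub": user, "iss": self.name,
                              "exp": int(now) + self.lifetime}, sort_keys=True).encode()
        body = base64.urlsafe_b64encode(payload).decode()
        sig = hmac.new(self.token_key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"

    def validate(self, token, now=None):
        """Accept a temp token from a trusted issuer; returns the subject or None."""
        now = time.time() if now is None else now
        try:
            body, sig = token.split(".")
            payload = json.loads(base64.urlsafe_b64decode(body))
        except ValueError:          # malformed token, bad base64 or bad JSON
            return None
        if not isinstance(payload, dict):
            return None
        key = self.trusted.get(payload.get("iss"))
        if key is None:             # issuer unknown: no trust relationship
            return None
        expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None             # signature does not match: tampered or forged
        if payload.get("exp", 0) <= now:
            return None             # temp token has expired
        return payload.get("sub")


def demo(now=1_700_000_000):
    """Run the exchange at a fixed clock so the outcomes are deterministic."""
    salt = b"constructed-salt"
    store_a = {"fsmith": (salt, hashlib.pbkdf2_hmac("sha256", b"correct horse", salt, 100_000))}
    a = AuthenticationService("authn-A", store_a, b"key-of-A")
    b = AuthenticationService("authn-B", {}, b"key-of-B")   # B holds no credentials for fsmith
    b.trust(a)
    token = a.authenticate("fsmith", "correct horse", now=now)
    tampered = token[:-1] + ("0" if token[-1] != "0" else "1")
    return {
        "accepted": b.validate(token, now=now + 10),
        "expired": b.validate(token, now=now + 600),
        "tampered": b.validate(tampered, now=now + 10),
        "wrong_password": a.authenticate("fsmith", "wrong", now=now),
        "untrusted": a.validate(token, now=now + 10),   # A trusts nobody in this setup
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The cases in demo are the checks a resource on the second service must make before honouring a token: issuer is trusted, signature verifies, token has not expired. The "untrusted" case shows that possession of a valid token is not enough; the validating side has to have been configured to trust the issuer.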

Slide 13: Consistent Sign On: Password Sync

(Diagram: two Authentication Services, each with its own Credential Store (probably LDAP directory) and its own AuthN Exchange; a Password Copy Service with a PW trap captures the plaintext pw, passes it through a Password Crypto System, and the cyphertext pw is delivered to the other store, where a Password Crypto System recovers the plaintext pw.)

Normalize identities – metadirectory

Slide 14: Complex SSO – Client Cache

(Diagram: two Authentication Services, each with its own Credential Store (probably LDAP directory) and its own AuthN Exchange; a Password Cache on the client supplies the credentials for each.)

Slide 15: Complex SSO – Server Cache

(Diagram: two Authentication Services, each with its own Credential Store (probably LDAP directory) and its own AuthN Exchange; a Client Installed SSO Agent obtains the password from the server-side store.)

Slide 16: Client

• SSO Agent detects login dialog
• Retrieves credentials from ID store & fills in dialog

(Diagram: Login dialog with User-id and Password fields; ID Store holding a User object with SSO Attributes User-id: FSmith, Password: *****; Client-side SSO Agent.)

Client-side SSO Agent:
• Understands password change dialogs
• Auto-generates new passwords

Review

• Overview of Enterprise Identity Challenges/Solutions
• Individual Group Discussions (led)
• Large Group “Debate”