Microsoft’s Identity and Access Management Strategy
(Presentation slides, PDF; KuppingerCole)

Rüdiger Berndt, Chief Architect / CEO
Oxford Computer Group Deutschland
Ruediger.Berndt@oxfordcomputergroup.com
www.oxfordcomputergroup.de

Oxford Computer Group

Offices: Munich, Oxford, Seattle, Toronto, Vienna

• The leading Microsoft partner for IDA
• Pure Microsoft-based IDA solutions
• Build and buy approaches
• We partner with Microsoft-focused ISVs
• Currently involved with 40 projects worldwide
• Focus: execution of planning, design, build and test through to final implementation
• Enterprise IDA management solutions
• Enterprise SSO / strong AuthN solutions
• Microsoft IDA training programmes
• Identity management support (24x7)

Agenda

• IDA Architectures
• Components: Identity Store, Role Management, Workflow, Audit / Reporting, SAP Integration, SSO / PW Sync
• Summary

Product Overview

(Diagram of the Microsoft IDA product stack: Active Directory, Federation Services (ADFS), Identity Management Services, Information Protection, Client and Server OS, Server Applications and Edge, accompanied by Guidance, Developer and Systems Management; the products named are Identity Lifecycle Manager 2007 and Certificate Lifecycle Manager 2007.)

Identity Lifecycle Manager 2007

Brings together metadirectory, certificate management, and user provisioning across Windows and enterprise systems into a single packaged offering.

Identity Synchronization (MIIS)
• Provides a single view of a user across enterprise systems
• Automatically keeps identity information consistent

User Provisioning
• Automates the process of on-boarding and off-boarding users
• Simplifies compliance through automated IDA enforcement
• Enforces consistent credentials across systems

Certificate and Smart Card Management (CLM)
• Reduces the cost of managing certificate-based credentials
• Automates workflow-driven certificate issuance and revocation
• Vastly simplifies deployment of smart cards

IDA Solution from MSFT/OCG

• Single Point of Administration
• Application integration with Corp Directory
• Workflow / Rules for automatic admin processes
• Password Synchronization over MIIS
• Role-Based Application Provisioning
• Compliance Reporting via SRS Plugins

(Architecture diagram: the Management Agents of Microsoft Identity Integration Server 2003 connect the Infrastructure AD, LDAP / Web Services, the phone system, Novell/Notes, Unix/RACF and SAP/HR systems to the Identity Store; on top of the Identity Store sit centralized management and provisioning, the Data Warehouse, SAP EP and Self Services; the Audit & Reporting DB, the OCG Role Calc for role management and the OCG WF Module for event workflow (user request / approval process via InfoPath, mail, WebPart/Website) complete the picture.)

MIIS Terms

Connected Data Source (CD): any source and/or destination containing identity data
Management Agent (MA): facilitates the communication between MIIS and the CD
Connector Space (CS): staging area (SQL) for inbound or outbound synchronized attributes
Metaverse (MV): central (SQL) store of identity information; matching CS entries to a single MV entry is called "join"

(Diagram: CD <-> MA <-> CS <-> MV, with MA, CS and MV inside MIIS.)

MV entries are linked to CS entries through projection, provisioning a connector, or joining.
CS entries represent objects in Connected Data Sources.
Synchronization is between MV and CS.
Staging is from CD to CS.
Export is from CS to CD.

MIIS Concepts

(Diagram: Connected Data Sources (CD) such as User, Oracle, SQL, Notes and SAP feed the Connector Space (CS) of MIIS, which synchronizes with the Metaverse (MV).)

Let’s zoom in on what MIIS does

MIIS Sequence Of Events
1. SAP HR database staged and projected
2. Provision and export to SQL-based approval system
3. Manager approval app causes import and delta synchronization
4. Sun One and Notes connectors provisioned and exported

(Diagram: the same CD / CS / MV picture as above, with User, Oracle, SQL, Notes and SAP as Connected Data Sources.)

ILM as Provisioning System

(Diagram: each kind of Connected Data Source has its own Management Agent and its own logical area (object attributes) in the Connector Space of Microsoft Identity Integration Server 2003 (MIIS), all synchronizing with the Metaverse.)
• E-Mail Connected Data Source (Exchange, Notes, Groupwise, etc.), served by the E-Mail MA
• Database Connected Data Source (SQL, DB2, Oracle, etc.), served by the Database MA
• Directory Connected Data Source (Active Directory, LDAP, eDirectory, etc.), served by the Directory MA

Identity Lifecycle Manager 2007: Object Creation

(Diagram: HR CD -> CS person object -> MV person object; the provision step of the MV rules extension creates a connector, i.e. a CS person object, in the target MA.)

1) HR MA imports new user object
2) Project new user
3) Create new connector
4) Set anchor value
5) Set other initial values
6) Export attribute flow
7) Normal MA export run (creates object in CD)

Object Deletion

(Diagram: HR CD -> CS person object -> MV person object; once the connector filter "status=terminated" is satisfied the CS object becomes a disconnector and the MV object is deleted; the deprovision step of the MA rules extension then offers four options for the remaining connectors: make normal disconnector, make explicit disconnector, delete object, or custom extension, followed by disconnector cleanup.)

1) HR MA imports user object with status = "terminated"
2) Object deletion rule applies
3) and 4) (see diagram) The CS object becomes a disconnector, the MV object is deleted and the deprovisioning option is applied
5) MA export deletes CD object
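The creation and deletion flows above, as an added example that is not Microsoft's or OCG's code: a small in-memory model of staging, projection, join, provisioning and deprovisioning in which the HR MA is authoritative and the join/projection rule matches on employeeID; the AD anchor naming rule, the attribute names and the use of the "delete object" deprovisioning option are assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Optional
@dataclass
class CsEntry:                      # connector-space object staged from a CD
    ma: str
    anchor: str
    attrs: dict
    mv_id: Optional[str] = None     # None = disconnector (not linked to an MV entry)
    pending: Optional[str] = None   # "add" / "delete" waiting for the next MA export run

@dataclass
class MvEntry:                      # metaverse person object
    attrs: dict
    connectors: set = field(default_factory=set)   # (ma, anchor) pairs

class SyncEngine:
    """Toy metaverse: one join/projection rule on employeeID, HR MA authoritative,
    deprovisioning option "delete object" for every non-HR connector."""
    def __init__(self):
        self.cs = {}   # (ma, anchor) -> CsEntry
        self.mv = {}   # employeeID -> MvEntry

    def stage(self, ma, anchor, attrs):       # staging: CD -> CS (import run; repeat = delta)
        self.cs.setdefault((ma, anchor), CsEntry(ma, anchor, {})).attrs.update(attrs)

    def synchronize(self, ma):                 # synchronization: CS <-> MV for one MA
        for entry in [e for e in self.cs.values() if e.ma == ma]:
            terminated = entry.attrs.get("status") == "terminated"
            if entry.mv_id is None and not terminated:
                self._join_or_project(entry)                    # passes the connector filter
            elif entry.mv_id is not None and terminated:
                self._delete_mv(entry.mv_id)                    # object deletion rule
            elif entry.mv_id is not None:
                self.mv[entry.mv_id].attrs.update(entry.attrs)  # inbound attribute flow

    def _join_or_project(self, entry):
        emp = entry.attrs["employeeID"]
        if emp not in self.mv:                 # no join candidate: project a new MV object
            self.mv[emp] = MvEntry(dict(entry.attrs))
            self._provision(emp)
        entry.mv_id = emp                      # join the CS entry to the MV entry
        self.mv[emp].connectors.add((entry.ma, entry.anchor))
        self.mv[emp].attrs.update(entry.attrs)

    def _provision(self, mv_id):               # provision step of the MV rules extension
        a = self.mv[mv_id].attrs
        anchor = "CN=%s.%s" % (a["givenName"], a["sn"])   # assumed AD naming rule
        initial = {"employeeID": mv_id, "displayName": "%s %s" % (a["givenName"], a["sn"])}
        self.cs[("AD", anchor)] = CsEntry("AD", anchor, initial, mv_id, "add")
        self.mv[mv_id].connectors.add(("AD", anchor))

    def _delete_mv(self, mv_id):               # deprovision: connectors become disconnectors
        for ma, anchor in self.mv[mv_id].connectors:
            entry = self.cs[(ma, anchor)]
            entry.mv_id = None
            if ma != "HR":
                entry.pending = "delete"       # "delete object" option: CD object goes away
        del self.mv[mv_id]

    def export(self, ma):                      # export: CS -> CD (MA export run)
        applied = []
        for key, entry in list(self.cs.items()):
            if entry.ma == ma and entry.pending:
                applied.append((entry.pending, entry.anchor))
                if entry.pending == "delete":
                    del self.cs[key]           # disconnector cleanup
                entry.pending = None
        return applied

def joiner_leaver_demo():
    # Constructed HR record: the new hire is provisioned to AD, the terminated record removes it again.
    eng = SyncEngine()
    eng.stage("HR", "1001", {"employeeID": "1001", "givenName": "Anna", "sn": "Example", "status": "active"})
    eng.synchronize("HR")
    created = eng.export("AD")                          # [("add", "CN=Anna.Example")]
    eng.stage("HR", "1001", {"status": "terminated"})   # delta import of the leaver
    eng.synchronize("HR")
    deleted = eng.export("AD")                          # [("delete", "CN=Anna.Example")]
    return created, deleted, len(eng.mv), len(eng.cs)
```

After the leaver run only the HR connector-space object remains, as a disconnector; the AD object has been deleted on export and the metaverse is empty.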

MIIS Management Agents

Selection of the main system connections:
• Active Directory, supporting Windows 2000/2003, Exchange 2000/2003/(12)
• Active Directory Application Mode (ADAM) (R2)
• Global Address List (GAL) Synch, supporting Exchange 2000 and Exchange 2003 / (12)
• Netscape/iPlanet/Sun ONE Directory
• IBM DB2 Universal Database (7 or 8.1 on Windows or Linux)
• IBM Directory Server (4.x/5.x on Windows 2000/2003)
• SQL Server (7/2000/2005)
• Oracle Databases, supporting version 8i, 9i, 10, 10g
• Directory Services Markup Language (DSML), supporting DSML version 2.0
• LDAP Interchange Format (LDIF) / De-Limited Text, Attribute-Value Pair Text
• Open-LDAP
• Windows NT 4.0 Domains and Exchange Server 5.5, Exchange Server 5.5 Bridgehead
• Lotus Notes, supporting versions 4.6, 5.0, 6.0, 7.x
• Novell eDirectory, supporting versions > 8.6.x
• Host RACF, TS, ACF systems
• Microsoft SAP HR + SAP R3 > V4.6d

Management Agents: Additions to Standard Agents (Selection)

• Highly scalable SAP MA for HR, CUA, UM, OM, PDORG, workflow integration
• Host RACF via LDAP
• Unix systems (VMS, HPUX, SUN, Linux, SCO, other)
• Additional HR systems (e.g. Peoplesoft, Paisy, …)
• Various telephone systems (Alcatel, HICOM, AVAYA, …)
• Sharepoint, Biztalk
• Live ID, Office Live
• Vintela/Quest/Omada/bHold
• RSA SecurID
• Other LDAP servers, e.g. Siemens DirX, CP, Syntegra, …
• CLM

IDA Solution from MSFT/OCG V2

• Central role-based administration
• Application integration into the Corporate Directory
• Workflows for automatic admin processes
• Password synchronization over ILM
• Compliance reporting / audit via SRS plugins

(Architecture diagram as in "IDA Solution from MSFT/OCG" above, with Identity Lifecycle Manager 2007 in place of Microsoft Identity Integration Server 2003; the Identity Store again carries centralized management, provisioning, the Data Warehouse, SAP EP and Self Services.)

Workflow + Role Management + AR: Omada Identity Manager + MIIS/ILM

(Diagram: a user holds job profiles (Job Profile 1, Job Profile 2) which map to Roles A, B and C; Omada Identity Manager hands the result to MIIS.)

ADAM as Identity Store

• Flexible & automatic user administration
• Flexible schema: simple extensibility without changes to the NOS AD
• Administration at org structure level
• Inheritance of attributes from OUs to users
• Better performance than AD
• Integration of vendors / other companies / external people possible
• Single point of authentication for all applications


Enterprise Roles

(Diagram: a user, directly or via OU, O or group, is assigned an Enterprise Role; each Enterprise Role maps to one or more App Roles, and each App Role consists of tasks (operation / action).)

User Lifecycle Mgmt Role Design

(Diagram: ADAM (identity data store) holds OU objects, user objects and role objects. OU Object 1 and User Object 1 carry enterprise-role assignments (EntRoleA, EntRoleB, EntRoleA, EntRoleC), User 2 is assigned to OU 1, and role objects are assigned to group objects. The OCG Role Calc resolves this role mapping to application roles.)

Enterprise Role A: Ora Roles (ORA1-activ, Ora2); SAP Roles (SAP1, SAP4, SAP6)
Enterprise Role B: Ora Roles (ORA5-activ, Ora7); SAP Roles (SAP1, SAP3, SAP9)
Enterprise Role C: Ora Roles (ORA7-activ, Ora2); SAP Roles (SAP1, SAP8, SAP9)

Flexible Role Assignment

Roles can be assigned directly or rules-based to: users, groups, organizational structures, views.

(Diagram of the ADAM objects: Organization Object 1 and Organization Unit Object 1 each carry ocgOrgMember (multi-value) with DN references to their users, and the organization also references its organizational units; the User Object carries ocgOrgView (multi-value, managed by the Admin Console) with DN references to Organization 1 and Organization Unit 1; the member references are automatically back-linked. The OCG Role Calc evaluates these objects.)

Multiple Views on Users

• Flexible rights management through multiple views
• Users can be assigned to multiple organizational structures (e.g. projects)
• Views can be automatically imported (e.g. SAP-OM)
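The role design and the view-based assignment above, as an added example that is not OCG's Role Calc: the three enterprise roles and their Oracle/SAP application roles come from the role design slide; the ADAM-style objects, the DN values, the attribute name entRoles and the dropped "-activ" marker are assumptions for the example. It also shows the two checks a provisioning run needs around the calculation: that the ocgOrgView / ocgOrgMember back links are consistent, and which application roles must be added to or removed from a target system.

```python
from collections import defaultdict

# Enterprise role -> application roles per target system, as listed on the role design slide
# (the "-activ" marker on the first Oracle role of each enterprise role is dropped here).
ENTERPRISE_ROLES = {
    "EntRoleA": {"Oracle": {"ORA1", "Ora2"}, "SAP": {"SAP1", "SAP4", "SAP6"}},
    "EntRoleB": {"Oracle": {"ORA5", "Ora7"}, "SAP": {"SAP1", "SAP3", "SAP9"}},
    "EntRoleC": {"Oracle": {"ORA7", "Ora2"}, "SAP": {"SAP1", "SAP8", "SAP9"}},
}

# Constructed ADAM-style objects (DN -> attributes). ocgOrgView holds the structures a user
# belongs to (several views are allowed), ocgOrgMember is the automatic back link, and the
# assumed attribute entRoles carries the enterprise roles assigned to an OU, group or user.
DIRECTORY = {
    "OU=OU1,O=Org1":      {"entRoles": {"EntRoleA"}, "ocgOrgMember": {"CN=User1", "CN=User2"}},
    "OU=ProjectX,O=Org1": {"entRoles": {"EntRoleB"}, "ocgOrgMember": {"CN=User2"}},
    "CN=User1": {"entRoles": {"EntRoleC"}, "ocgOrgView": {"OU=OU1,O=Org1"}},
    "CN=User2": {"entRoles": set(), "ocgOrgView": {"OU=OU1,O=Org1", "OU=ProjectX,O=Org1"}},
}

def check_backlinks(directory):
    """Every ocgOrgView reference needs a matching ocgOrgMember back link; returns the broken pairs."""
    return [(dn, org) for dn, attrs in directory.items()
            for org in attrs.get("ocgOrgView", ())
            if dn not in directory.get(org, {}).get("ocgOrgMember", ())]

def enterprise_roles(user_dn, directory):
    """Direct assignments plus everything inherited through the user's organizational views."""
    roles = set(directory[user_dn].get("entRoles", ()))
    for org in directory[user_dn].get("ocgOrgView", ()):
        roles |= directory[org].get("entRoles", set())
    return roles

def app_roles(user_dn, directory, mapping=ENTERPRISE_ROLES):
    """Role calculation: resolve enterprise roles to the application roles of each target system."""
    result = defaultdict(set)
    for ent in enterprise_roles(user_dn, directory):
        for system, roles in mapping[ent].items():
            result[system] |= roles
    return dict(result)

def role_delta(calculated, current):
    """What a provisioning run must add to, and remove from, a target system's actual assignments."""
    systems = set(calculated) | set(current)
    to_add = {s: calculated.get(s, set()) - current.get(s, set()) for s in systems}
    to_remove = {s: current.get(s, set()) - calculated.get(s, set()) for s in systems}
    return ({s: r for s, r in to_add.items() if r}, {s: r for s, r in to_remove.items() if r})

def demo():
    # User1 currently holds SAP1 and a leftover SAP2 in SAP; the calculated roles drive the correction.
    target = app_roles("CN=User1", DIRECTORY)
    add, remove = role_delta(target, {"SAP": {"SAP1", "SAP2"}})
    return target, add, remove, check_backlinks(DIRECTORY)
```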


OCG WF Module

(Diagram: the Workflow Runtime (Microsoft Windows Workflow Foundation) uses ADAM as its persistence DB and is connected to Microsoft Identity Integration Server 2003.)

• Based on WWF (Windows Workflow Foundation)
• State is stored in ADAM
• Event-based WF start
• Compatible with the SP2007 WF Designer
• No licence costs!
• Complex and highly available WF

Workflow Integration: Technical Implementation

1) Joiner Process Example
A Joiner Process initiated via Self Service from Microsoft SharePoint: configuration by the administrator, request for a new employee, role assignment, approval, user provisioning through MIIS.


MIIS Reporting

• The MIIS Reporting Module uses its own MIIS Reporting Database
• Automatic configuration of the report interface on schema changes
• Multiple pre-defined reports available for:
  • Changelog (who changed what when)
  • Management log (number of accounts, changes per system, newly created accounts, …)
  • Who is in what kind of role (Enterprise / Application)

Reporting IDA Workflow Events

(Diagram: IdM event logging takes place in ADAM, the Identity Management Store, accessed via LDAP; IdM events are sent to MIIS (Identity Integration) for event archiving; SQL Reporting Services reports over the archived events; the Corporate Directory is shown alongside.)

ILM Reporting Examples (screenshots): Reports of Role Membership; ILM Reporting / Changelog


SAP Identity Integration: MIIS/ADAM supported Scenarios

• User account creation (UM, CUA)
• Password sync to SAP systems
• Read/write employee data in the HR system
• Read organizational structures
• Read SAP roles
• Assignment of roles to users
• High scalability: the SAP Concentrator supports > 100 SAP systems per MIIS MA

SAP Integration: ILM SAP MA (Version 1.0) / OCG MA (Version 2.3)

• No changes on the target SAP systems necessary
• Delta import where the SAP BAPI/RFC functions support it
• Detailed error reporting on object and attribute level
• OCG version only: can run on different servers (via optional SQL interface)
• Can connect multiple (>100) SAP systems/clients with one ILM MA

IDA Architecture with SAP

(Diagram: the ILM Sync Engine on the ILM Server talks via BAPI to SAP through the SAP MA, the SAP CUA MA and the SAP MA (PW Sync); several SAP R/3 systems and the Active Directory forests are connected through the Active Directory MA and the ADAM MA; ADAM (identity data store) answers LDAP queries from the Web Admin GUI, SAP EP 6.0 and the intranets of the member companies.)


Certificate Lifecycle Manager (CLM)

• Single administration point for digital certificates and smart cards
• Configurable policy-based workflows for common tasks: enroll/renew/update; recover/card replacement; revoke; retire/disable smart card; issue temporary/duplicate smart card; personalize smart card
• Detailed auditing and reporting
• Support for both centralized and self-service scenarios
• Integration with existing infrastructure investments: Windows Active Directory; Windows Certificate Services

CLM Components

(Diagram: partners, users and customers reach the CLM Server (web portal), which works with an e-mail server, SQL Server, the Certification Authority, AD and the MIIS Server through the CLM interface.)

CLM Middleware / Smart Cards

CLM supported smart card middleware:
• Microsoft Smart Card Base CSP
• Axalto Client Software (ACS) v5.2
• AET SafeSign v2.2
• Aladdin eToken RTE 3.65
• Gemplus GemSafe v4.2 SP3
• Siemens HiPath SIcurity Card API v3.1.026

Supported smart cards:
• Palmera, Cyberflex Access, e-gate lines of cards by Axalto
• Java Card 2.1.1+ compliant smart cards by G&D, GemPlus, IBM, MartSoft, Oberthur, ORGA and Axalto
• eToken Pro, eToken NG-OTP, eToken Pro (Smart card) by Aladdin
• GemXpresso Pro 3.2 and GemSafe GPK lines of cards by Gemplus
• CardOS and CardOS/M4 lines of cards by Siemens
• Other smart cards and tokens that are supported through the AET SafeSign v2.1 middleware


Password Management / SSO Module

(Diagram: MIIS receives employee data and passwords from SAP, Unix and RACF; it provisions / deprovisions users and synchronizes passwords into Active Directory Application Mode (ADAM), which the application server uses for authorization / role mapping, and it provisions / deprovisions users with password sync from the source Active Directory infrastructure to the target Active Directory infrastructure.)

• SSO
  • Kerberos integration (native / VAS)
  • Token translation (proxy) (SAP2KERB, RSA2SAP, …)
  • Client-based SSO (Evidian, …)
• Password Synchronization
  • PCNS
  • OCG PCNS + OCG Password Policy
  • MIIS Management Agents
• Password Self Services
  • Password Portal (Evidian, Quest, …)

Password Sync via ILM

(Diagram as in the Password Management / SSO Module above, with ILM in place of MIIS.)

1. User changes the password in AD (Ctrl+Alt+Del)
2. The password is checked against additional policies (SAP/Unix)
3. The password is encrypted and sent to the ILM Server
4. The ILM Server sets the password of this user in each target system

Password Sync scenarios

Function | Microsoft PCNS + OCG Add-On | OCG PCNS
Prerequisites for installation | An Active Directory trust is required | No AD trust is required
Consequences for the source AD | An extension of the AD schema is performed during installation | No AD schema extension is required
Ability to set additional password policies | Additional password policies are configurable (both variants): maximum/minimum password length; exclusion word lists (like "SAP"); exclusion character lists to specify prohibited characters (e.g. *, @, #); include + exclude filter for sAMAccountName
Configuration of the target MIIS system | The user objects in MIIS must be directly joined with both the source AD and the target system. | Various search criteria can be configured
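The policy options in the table above, as an added example that is not OCG's PCNS add-on: a check that decides whether a password change is in scope for synchronization at all (sAMAccountName include/exclude filters) and whether the new password is acceptable to the connected targets (length limits, exclusion word list, exclusion character list). The concrete limits, words, characters and filter patterns are constructed for the example, and the decision reports only rule names, never the password.

```python
import re

# Constructed policy in the style of the PCNS add-on options: length limits of the weakest target,
# forbidden words and characters, and sAMAccountName include/exclude filters.
POLICY = {
    "min_len": 8,
    "max_len": 14,                             # assumed: a connected target accepts at most 14 characters
    "exclude_words": ["SAP", "password", "example"],
    "exclude_chars": "*@#",                    # assumed: characters a target system cannot accept
    "include_filter": r"^[a-z][a-z0-9.]*$",    # only ordinary user accounts are synchronized
    "exclude_filter": r"^(svc|adm|test)",      # never sync service, admin or test accounts
}

def in_scope(sam_account_name, policy=POLICY):
    """Include filter must match and exclude filter must not (both case-insensitive)."""
    if not re.search(policy["include_filter"], sam_account_name, re.IGNORECASE):
        return False
    return not re.search(policy["exclude_filter"], sam_account_name, re.IGNORECASE)

def password_violations(password, policy=POLICY):
    """Return the list of policy rules the new password breaks (empty list = acceptable)."""
    violations = []
    if len(password) < policy["min_len"]:
        violations.append("too_short")
    if len(password) > policy["max_len"]:
        violations.append("too_long")
    lowered = password.lower()
    for word in policy["exclude_words"]:       # exclusion word list, case-insensitive substring
        if word.lower() in lowered:
            violations.append("contains_word:" + word)
    bad = sorted({c for c in password if c in policy["exclude_chars"]})
    if bad:                                     # exclusion character list
        violations.append("forbidden_chars:" + "".join(bad))
    return violations

def decide(sam_account_name, password, policy=POLICY):
    """Outcome for one password change: ("skip", []), ("sync", []) or ("reject", violations).
    The returned tuple is safe to log; the password itself never leaves this function."""
    if not in_scope(sam_account_name, policy):
        return ("skip", [])
    violations = password_violations(password, policy)
    return ("reject", violations) if violations else ("sync", [])
```

A rejected password is reported to the user at the domain controller before anything is sent to the ILM server, so a password that only one target would refuse never leaves the systems out of sync.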

EMS Ticket Translation (OCG EMTT)

(Diagram: users authenticate with SecurID over HTTPS through an F5 load balancer to two ISA Servers and two RSA ACE reverse proxies (IIS, 192.168.5.86 and 192.168.5.87); the proxies look up the user in ADAM via LDAP and forward HTTP requests carrying the RSA cookie and the SAP cookie, plus the REMOTE_USER2 header, through a second F5 load balancer to the SAP EP portals; the diagram numbers the steps 1 to 11.)

Demo: EMS Ticket Translation

• SSO through a single logon with an RSA token (strong auth)
• Ticket translation (RSA2Kerb, RSA2SAPLT) by OCG modules
• ADAM integration for vendors / externals
• Automatic creation of the RSA tokens
• Via SAP2Kerb, forwarding from the SAP Portal to OWA is also possible

EMS Logistic

(Diagram of the RSA token logistics flow between ILM 2007, ADAM, the RSA token XML file from device management, the token assignment CSV file, the RSA sync table and RSA ACE:)

1) Import of the RSA tokens (XML file from device management)
2) Export new tokens
3) Import of the token assignments (CSV): assigned token ID, cost center of the token
4) Export token assignments
5) Export user + token assignment to RSA ACE
6) Import of the token status ("New PIN" mode or not)
7) Export of the token status
8) Export of all tokens that have been assigned and have a cost center

EMS Logistic: ISA/RSA/SAP Portal Integration

• Isolation of the RSA server by an ISA Server in a separate segment
• Flexible handling through the RSA ticket converter (simple WebSSO)
• RSA auth is the only authentication required

ILM/RSA/ external shop (SAP EBP)

• Universal interface for token management
  * Outsourcing of token logistics to an external service provider
  * Automatic import of the token assignments
• Automatic user (de-)provisioning
  * Role-based update of the RSA system without manual intervention
  * No orphaned accounts (security)
  * Immediately able to work after token delivery
• Separation of RSA token supply channels possible (multi-tenancy), e.g. for different tenants or internal and external users
• Fast mass import of users & token assignments: batch interface, relief for administration / cost reduction

Summary: technical OCG Assets

• Flexible role management
• Event trigger for real-time sync scenarios
• Graphical admin interface for ADAM (OUM)
• PCNS add-ons to support password policies from SAP, RACF, Unix, …
• Kerberos ticket translations for RSA, SAP, …
• Additional system connections like Unix (ssh), RSA ACE, SSO systems, telephone systems, SAP integration for enterprise environments
• Made in Germany

IDA Project Release Phases

1. Build / (migrate) Identity Store
2. Connect primary user repositories (init load/join)
3. Integration of workflow systems
4. Reporting, logging
5. Connect additional user repositories

Release 1: Identity Store set-up; integration of source systems; enterprise roles & permissions

(Diagram: a Web App (Admin UI, Web GUI) manages the central user directory (Identity Store, AD/AM) through the ADAM Management Agent of MIIS; Active Directory (incl. MS Exchange) is connected via the AD Agent, SAP HR (4.6) via the OCG SAP HR Agent and SAP R/3 (4.6c) via the OCG SAP R3 Agent; applications such as the intranet query the directory, users / admins authenticate in AD, and a Workflow System based on Workflow Foundation is attached.)

Further expansion stages: connect further systems, for example SAP 4.6C, SAP BW, e-mail, SAP ISU, SAP EBP, PSFT, portals, time recording, DMS etc., SAP EP, web applications, the telephone system (HiCom), RSA (LDAP / file agent), IBM iSeries (host / RACF agent) and further MIIS management agents.

Benefits Summary: Benefits from the 1st Implementation Phase

• Create the Identity Store: consolidated view of all relevant user data
• Single log-on with password synchronization
• Central reporting / auditing (who has what kind of rights/roles)
• Increase the data quality in all connected systems
• Lower number of help desk calls (regarding password sync + reset portal)
• Automatic user provisioning: cost savings in user management!

Benefits Summary: Benefits from the 2nd Implementation Phase

• Workflow integration: easy electronic processes in user management; self-registration scenarios
• Role-based rights management: easy administration through globally consolidated enterprise roles (Employee, Vendor, Student, …); no user-to-role assignment in the connected systems (cost savings); central reporting of roles

Questions and Answers

Rüdiger Berndt, Managing Director
Oxford Computer Group Deutschland
Ruediger.Berndt@oxfordcomputergroup.com
Winterlestraße 10b
85435 Erding
WWW.OXFORDCOMPUTERGROUP.DE

Identity Lifecycle Manager Roadmap

(Diagram across the columns User Management, Access Management, Credential Management and Policy Management:)
• Today: MIIS 2003 and CLM
• Mid 2007: Microsoft Identity Lifecycle Manager 2007, a single product for identity synchronization, certificate & smart card management and user provisioning
• 2H 2008: ILM "2", which builds on the ’07 release; empowers information workers, provides IT control with less effort, improves operational efficiency

Omada Identity Manager

A solution for Identity Management, empowering MIIS and enabling clients to:
• Manage access requests and approvals
• Configure role-based access control
• Manage segregation of duties (SOD)
• Maintain an audit trail on all events

(Diagram: a user's job profiles (Job Profile 1, Job Profile 2) map to Roles A, B and C; Role-Based Access Control and the Identity Management Processes feed MIIS.)

Omada Key Differentiators
• Elegant and highly flexible process solution: customers can maintain and configure the Identity Management processes, roles and reporting without the need for programming
• Integrated process management solution: customers can design, document, execute and monitor the Identity Management processes in one solution
• Low cost of maintenance: the solution can be deployed to support the current processes and can grow with the customer as the business and organization change

Recommended