Enterprise Identity

Enterprise IdentitySteve Plank – MicrosoftHugh Simpson-Wells – Oxford Computer GroupDave Nesbitt – Oxford Computer Group

Agenda

• Overview of Enterprise Identity Challenges/Solutions• Individual Group Discussions (led)• Large Group “Debate”

3

The Digital Identity Lifecycle

Roles

Director ServiceManager

ProductManager

PA

SalesPerson

CustomerService

Engineer

HR Admin

CallHandler

4

Access ManagementJoining Identities

Identity Data AggregationIdentity Data Enforcement

Identity Data Brokering Hire/Fire Scenario

The Digital Identity Lifecycle

Role 1 Role 3 Role 4 Role 5

• Roles are defined

• People are hired• People change role • People are firedThey leave of

their own accord too!Role 2

• They access critical assets

• A business owns critical assets

5

Hire ScenarioHRHRSystemSystem

ProvisioningSystem orMetadirectory

E-mail

ContractorContractorSystemSystem

LOB AppLOB App

DatabaseDatabase

ApplicationApplicationDirectoryDirectory

InfrastructureInfrastructureDirectoryDirectory

E-mailE-mail

Δ

LDAP

LDAP

SQL

API

6

Fire ScenarioHRHRSystemSystem

ProvisioningSystem orMetadirectory

E-mail

ContractorContractorSystemSystem

LOB AppLOB App

DatabaseDatabase



E-mailE-mail

Δ

LDAP

LDAP

SQL

API

7

Metadirectory

Join on employeeID

Join on mail

Join, Attribute Flow, Enforcement…

HRHRSystemSystem



E-mailE-mailSystemSystem

givenNamesntitlemailemployeeIDtelephone

KlarekCenntt

008


ClarkKennttt

[email protected]


KlarkeKent

867-5309

Reporter

[email protected]

Reporter


Clark

Reporter

Kent

007

JOINED

Join on employeeID


ClarkKent

007Project to MetadirectoryJOINED

[email protected]

[email protected]

+44 123 456 7890

Manual JoinJOINED

JOINED

+44 123 456 7890

8

Metadirectory

Identity Joining Scenario

HRHRSystemSystem



E-mailE-mailSystemSystem


KlarekCenntt

008


ClarkKennttt

[email protected]


KlarkeKent

867-5309

Reporter

[email protected]

Reporter


Clark

Reporter

Kent

007


ClarkKent

007

[email protected]

Superhero

+44 123 456 7890

givenNamesntitlemailemployeeIDtelephone +44 123 456 7890

Clark

[email protected]

Kent

007+44 123 456 7890

Clark

[email protected]

Kent

007+44 123 456 7890

Clark

[email protected]

Kent

007+44 123 456 7890

Clark

[email protected]

Kent

007+44 123 456 7890

Clark

[email protected]

Kent

007+44 123 456 7890

Clark

9

Single Sign On

• Simple SSO• Single Authentication Authority, Single Server• Single Authentication Authority, Multiple Server

• Complex SSO• Single Credential Set

• Token Based SSO• PKI Based SSO

• Multiple Credential Set• Credential Sync (Consistent Sign On)• Client-side Credential Mapping• Server-side Credential Mapping

10

Simple SSO

ResourceServer

TrustToken Validation

AuthNExchange

AuthNExchange

AuthenticationService

Credential Store(probably LDAP directory)

Replication

11

No SSO

AuthenticationService Credential Store

(probably LDAP directory)



AuthNExchange

AuthNExchange

12

Complex SSO: 1 Credential, Token-based





AuthNExchange

TempToken

TempToken

Trust

13

Consistent Sign On: Password Sync





AuthNExchange

AuthNExchange

PasswordCopyService

plaintext pw cyphertext pwPassword

CryptoSystem

plaintext pw

PW

trap

cyphertext pw

PasswordCrypto

System

Normalize identities - metadirectory

14

Complex SSO – Client Cache





AuthNExchange

AuthNExchange

PasswordCache

15

Complex SSO – Server Cache





AuthNExchange

AuthNExchange

ClientInstalledSSOAgent

password

16

Client

• SSO Agent detects login dialog

• Retrieves credentials from ID store & fills in dialog

LoginUser-id:

Password:

ID Store

User objectSSO Attributes:User-id:Password:

FSmith*****

Client-sideSSOAgent

Understands password change dialogs

Auto-generates new passwords

Single Sign-OnSingle Sign-OnComplex SSO – Server Cache

Review

• Overview of Enterprise Identity Challenges/Solutions• Individual Group Discussions (led)• Large Group “Debate”

Documents

Enterprise Identity