Enterprise Identity
Steve Plank – Microsoft
Hugh Simpson-Wells – Oxford Computer Group
Dave Nesbitt – Oxford Computer Group
Agenda
• Overview of Enterprise Identity Challenges/Solutions
• Individual Group Discussions (led)
• Large Group “Debate”
The Digital Identity Lifecycle
Roles (diagram): Director, Service Manager, Product Manager, PA, Sales Person, Customer Service, Engineer, HR Admin, Call Handler
The Digital Identity Lifecycle
Topics: Access Management, Joining Identities, Identity Data Aggregation, Identity Data Enforcement, Identity Data Brokering, Hire/Fire Scenario
• A business owns critical assets
• Roles are defined (Role 1 … Role 5)
• People are hired
• People change role
• People are fired (they leave of their own accord too!)
• They access critical assets
Hire Scenario (diagram): HR System, Contractor System, Provisioning System or Metadirectory, LOB App, Database, Application Directory, Infrastructure Directory, E-mail. Connector labels: Δ, LDAP, LDAP, SQL, API.
Fire Scenario (diagram): the same systems as the hire scenario, HR System, Contractor System, Provisioning System or Metadirectory, LOB App, Database, Application Directory, Infrastructure Directory, E-mail, with the same connector labels: Δ, LDAP, LDAP, SQL, API.
Metadirectory
Join, Attribute Flow, Enforcement…
(diagram) Connected systems: HR System, Application Directory, Infrastructure Directory, E-mail System. Each holds the same schema (givenName, sn, title, mail, employeeID, telephone) but inconsistent values for one person: "Klarek Cenntt, 008", "Clark Kennttt", "Klarke Kent, 867-5309", "Clark Kent, Reporter, 007", titles "Reporter". The HR record (Clark Kent, 007) is projected to the metadirectory; the other records are JOINED on employeeID, joined on mail, or joined manually (Manual Join); telephone +44 123 456 7890 then flows to the joined records.
Metadirectory
Identity Joining Scenario
(diagram) The same four connected systems and records as the previous slide (Klarek Cenntt 008; Clark Kennttt; Klarke Kent 867-5309; Clark Kent, Reporter, 007). After joining, the metadirectory object holds Clark Kent, employeeID 007, title Superhero, telephone +44 123 456 7890, and the joined values (Clark, Kent, 007, +44 123 456 7890) are flowed out to every connected system.
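The hire/fire provisioning slides and the two metadirectory joining slides describe one workflow: project the authoritative HR record, join the other systems' records on a reliable key (employeeID, then mail), queue anything else for a manual join, flow HR's attributes out to every joined record, and on termination disable every joined account. The following Python is an added example written for this page, not code from the presenters or from any metadirectory product; the record schema follows the slide, but the class names, the sample values and the choice of employeeID and mail as the only automatic join keys are this example's own assumptions.

```python
from dataclasses import dataclass, field

# Attributes the metadirectory treats HR as authoritative for (the
# schema shown on the slide).
AUTHORITATIVE = ("givenName", "sn", "title", "mail", "employeeID", "telephone")


@dataclass
class Record:
    """One identity record in a connected system (HR, a directory, e-mail ...)."""
    system: str
    givenName: str = ""
    sn: str = ""
    title: str = ""
    mail: str = ""
    employeeID: str = ""
    telephone: str = ""
    enabled: bool = True


@dataclass
class MetaverseObject:
    """The joined view of one person: HR's attributes plus every joined record."""
    attrs: dict
    joined: dict = field(default_factory=dict)       # system name -> Record
    join_reason: dict = field(default_factory=dict)  # system name -> how it was joined


def project(hr: Record) -> MetaverseObject:
    """Projection: the authoritative HR record creates the metaverse object."""
    mv = MetaverseObject({a: getattr(hr, a) for a in AUTHORITATIVE})
    mv.joined[hr.system] = hr
    mv.join_reason[hr.system] = "projected"
    return mv


def join_records(mv: MetaverseObject, candidates: list) -> list:
    """Join on employeeID, then on mail. Anything else goes to the manual-join
    queue: name similarity ("Klarek Cenntt" vs "Clark Kent") is never used as a
    join key, because a wrong automatic join hands one person another's access."""
    manual = []
    for r in candidates:
        if r.employeeID and r.employeeID == mv.attrs["employeeID"]:
            reason = "employeeID"
        elif r.mail and r.mail.casefold() == mv.attrs["mail"].casefold():
            reason = "mail"
        else:
            manual.append(r)
            continue
        mv.joined[r.system] = r
        mv.join_reason[r.system] = reason
    return manual


def manual_join(mv: MetaverseObject, r: Record) -> None:
    """An operator has confirmed that r belongs to this person."""
    mv.joined[r.system] = r
    mv.join_reason[r.system] = "manual"


def flow_attributes(mv: MetaverseObject) -> dict:
    """Attribute flow: push HR's authoritative values to every joined record."""
    for r in mv.joined.values():
        for a in AUTHORITATIVE:
            setattr(r, a, mv.attrs[a])
    return {s: r.telephone for s, r in mv.joined.items()}


def enforce_termination(mv: MetaverseObject) -> list:
    """Enforcement for the fire scenario: HR says 'terminated', so every
    joined account is disabled. Returns the systems that were disabled."""
    for r in mv.joined.values():
        r.enabled = False
    return sorted(s for s, r in mv.joined.items() if not r.enabled)


def demo():
    # Constructed sample records, loosely modelled on the slide's values.
    hr = Record("HR", "Clark", "Kent", "Reporter", "clark.kent@example.com", "007", "+44 123 456 7890")
    app = Record("ApplicationDirectory", "Klarek", "Cenntt", employeeID="007")
    infra = Record("InfrastructureDirectory", "Clark", "Kennttt", mail="Clark.Kent@example.com")
    email = Record("EmailSystem", "Klarke", "Kent", telephone="867-5309", employeeID="008")

    mv = project(hr)
    queue = join_records(mv, [app, infra, email])  # EmailSystem lands in the queue
    for r in queue:
        manual_join(mv, r)                         # operator resolves it by hand
    phones = flow_attributes(mv)
    disabled = enforce_termination(mv)
    return mv.join_reason, phones, disabled


if __name__ == "__main__":
    for part in demo():
        print(part)
```

The record with employeeID 008 is the important case: it looks like the same person by name, but the only safe outcome is the manual-join queue, since an automatic join on a near-match name would silently merge two people's access. The termination step shows why the join matters for the fire scenario: an account that never got joined is an account that never gets disabled.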
Single Sign On
• Simple SSO
  • Single Authentication Authority, Single Server
  • Single Authentication Authority, Multiple Server
• Complex SSO
  • Single Credential Set
    • Token Based SSO
    • PKI Based SSO
  • Multiple Credential Set
    • Credential Sync (Consistent Sign On)
    • Client-side Credential Mapping
    • Server-side Credential Mapping
Simple SSO (diagram): one Authentication Service with a Credential Store (probably LDAP directory), kept in step by Replication; clients perform an AuthN Exchange with the Authentication Service, and the Resource Server trusts it (Trust) and performs Token Validation.
No SSO (diagram): two separate Authentication Services, each with its own Credential Store (probably LDAP directory); the client performs a separate AuthN Exchange with each.
Complex SSO: 1 Credential, Token-based (diagram): two Authentication Services, each with its own Credential Store (probably LDAP directory), linked by a Trust relationship; the client performs one AuthN Exchange and then presents a Temp Token to the other service.
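The simple SSO and token-based SSO slides share one idea: the credential is checked once by the authentication service, which issues a temporary token; resource servers that trust that service validate the token without ever seeing the password. The Python below is an added example written for this page, not the presenters' code or any product's API. It assumes the "Trust" is a shared HMAC key, models the credential store as an in-memory dictionary of PBKDF2 hashes, and puts a fixed lifetime on the token; the class and function names are this example's own.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


class AuthenticationService:
    """Holds the credential store and issues temp tokens after an AuthN exchange."""

    def __init__(self, signing_key: bytes, ttl_seconds: int = 300):
        self._key = signing_key   # the 'Trust': shared with resource servers
        self.ttl = ttl_seconds
        self._store = {}          # credential store stand-in: user -> (salt, hash)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def enrol(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._store[user] = (salt, self._hash(password, salt))

    def authn_exchange(self, user: str, password: str, now=None):
        """Verify the credential once; return a signed temp token, or None."""
        entry = self._store.get(user)
        if entry is None:
            return None
        salt, stored = entry
        if not hmac.compare_digest(stored, self._hash(password, salt)):
            return None
        now = int(time.time() if now is None else now)
        claims = {"sub": user, "iat": now, "exp": now + self.ttl}
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
        sig = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"


class ResourceServer:
    """Trusts the authentication service's key; never sees the password."""

    def __init__(self, trusted_key: bytes):
        self._key = trusted_key

    def validate(self, token, now=None):
        """Token validation: signature first, then expiry. Returns the subject or None."""
        if not isinstance(token, str):
            return None
        try:
            body, sig = token.split(".")
        except ValueError:
            return None
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):   # forged or tampered token
            return None
        claims = json.loads(base64.urlsafe_b64decode(body))
        now = time.time() if now is None else now
        if claims["exp"] <= now:                     # temp token has expired
            return None
        return claims["sub"]


def demo():
    """One AuthN exchange, then the same temp token accepted by two resource servers."""
    key = b"constructed-shared-trust-key"          # constructed sample key
    auth = AuthenticationService(key, ttl_seconds=300)
    auth.enrol("fsmith", "correct horse battery staple")
    token = auth.authn_exchange("fsmith", "correct horse battery staple", now=1000)
    rs1, rs2 = ResourceServer(key), ResourceServer(key)
    return rs1.validate(token, now=1100), rs2.validate(token, now=1200), rs1.validate(token, now=1300)


if __name__ == "__main__":
    print(demo())
```

The resource server checks the signature before it parses the claims, so an unsigned or re-signed token is rejected without any of its content being trusted, and a server holding a different key (no trust relationship) rejects every token from this service.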
Consistent Sign On: Password Sync (diagram): two Authentication Services, each with its own Credential Store (probably LDAP directory) and Password Crypto System; the client performs an AuthN Exchange with each. A PW trap captures the plaintext pw as it enters one store, and a Password Copy Service delivers it to the other store, where it is held as cyphertext pw.
Normalize identities – metadirectory
Complex SSO – Client Cache (diagram): two Authentication Services, each with its own Credential Store (probably LDAP directory); the client performs an AuthN Exchange with each, supplying credentials from a client-side Password Cache.
Complex SSO – Server Cache (diagram): two Authentication Services, each with its own Credential Store (probably LDAP directory); a Client-Installed SSO Agent performs the AuthN Exchange with each, supplying the password.
Complex SSO – Server Cache
Client
• SSO Agent detects login dialog
• Retrieves credentials from ID store & fills in dialog
(diagram) Login dialog: User-id, Password. ID Store: User object with SSO Attributes, User-id: FSmith, Password: *****. Client-side SSO Agent:
• Understands password change dialogs
• Auto-generates new passwords
Review
• Overview of Enterprise Identity Challenges/Solutions
• Individual Group Discussions (led)
• Large Group “Debate”