Microsoft Identity Integration Server 2003 (MIIS)
Kim Mikkelsen, Senior Technology Specialist, Microsoft
Agenda
Overview of Microsoft Identity Integration Server 2003
Resource Kit Tools
What's new in SP1?
Roadmap
Simplify Enterprise Identity Management
Identity Data: LDAP, SQL
Directory Synchronization
  Active Directory & ADAM
  Sun/iPlanet Directory
  Novell eDirectory
  Microsoft SQL 2000 & SQL 7
  Oracle 9i/8i
  Lotus Notes 5.x/6.x
  Microsoft Exchange 5.5, 2K, 2K3
  Microsoft NT 4.x
  DSML, LDIF, CSV, fixed width
  ... others to follow
Password Management
  Self-service password reset
  Helpdesk password reset
User Provisioning
  Automate account create/delete for NOS, LOB apps, Exchange 5.5
Directory Synchronization
  Synchronizes multiple repositories
  "Agentless" connection to other systems
  Provides attribute-level control
  Manage global address lists (GAL)
  Automate group and DL management
(Diagram: connected systems Active Directory, Notes, iPlanet, SQL, Oracle)
New Features

Capability                            | MMS 2.2     | MIIS 2003 Enterprise
Standard datastore                    | Proprietary | SQL 2000
MIIS extensions/scripting             | Proprietary | VS .NET languages
Fault tolerance/failover              | Limited     | SQL clustering
Scalability                           | 1M          | 100M
LDAP access                           | -           | via ADAM
Extensible APIs                       | No          | WMI, SDK
Easily move from test to production   | No          |
Password management                   | No          |
Support renames in connected systems  | No          |
XML-based                             | No          |
Data lineage                          | No          |
Single user view (Polyarchy)          | No          |
Consulting engagement                 | Required    | Optional
MIIS Architecture
MIIS runs as a service
Management Agents (MA) connect to directories
Metadirectory data stored in SQL
Administrative client connects to the service via DCOM
(Diagram: the MIIS Service hosts an MA Controller running the iPlanet MA, AD MA, Oracle MA, ...; these talk to the connected directories AD/E2K, iPlanet and Oracle; the MIIS Admin Client reaches the service over DCOM; the service persists everything in the MIIS Store)
Extending Capabilities
Modify the behavior of MIIS
  Call methods on the interface in response to changes in the system
Model defines a managed interface
  Configuration set in the UI determines which methods are called
Write custom extensions in any programming language with a compiler for the CLR
  Visual Studio projects auto-generated for VB or C#
MIIS Concepts
Connected directory
  Source and/or destination for synchronized attributes
Connector space (CS)
  Staging area for inbound or outbound synchronized attributes
Metaverse (MV)
  Central (SQL) store of identity information
  Matching CS entries to a single MV entry is called "join"
(Diagram: connected directories iPlanet, Oracle, SQL and Exchange 5.5, each with its own connector space, joined to a single User object in the metaverse)
Reference Attributes
Different systems have different DN formats
  cn=Max Benson,ou=People,dc=microsoft,dc=com
  uid=7399,ou=development,ou=emp,dc=contoso.com
Refer to other objects in the namespace, e.g. employee#
Reference attributes in MIIS do not persist the data, rather the relationship between objects
Provisioning & Workflow
Simple Provisioning & De-provisioning
  Provision users as they appear in authoritative systems
  Set initial values for attributes (including password)
  Disable or delete accounts
Complex Workflow
  Initiate workflow or provisioning system
  Integrated with BizTalk
  Integrating with 3rd party provisioning systems, e.g., Blockade, Business Layers, M-Tech, OSM

Provisioning & de-provisioning
(Diagram, two build steps: a Source record carrying Title and Tel No. feeds the Provisioning Engine, which creates entries carrying Title, Tel No. and Email in three target systems; the Join Engine links those entries back to one metaverse object)
CS Objects – 2 states
Provisioning Types: Simple Provisioning
(Diagram: connector spaces "AD", "SQL" and "NDS" each hold connector space objects; a Connector is a CS object with a link to a metaverse object (Link to MV, seen from the MV side as Link to AD / Link to SQL / Link to NDS); a Disconnector is a CS object with no such link)
Provisioning Types: Simple Provisioning
Name & Attribute Construction: Advanced Import Attribute Flow
HR MA Connector Space: sn = Hendrix, givenName = Jimi
Metaverse: cn = Hendrix, Jimi; displayName = Jimi Hendrix
Rules extension (VB.NET) implementing the two flow rules:

    Public Sub MapAttributesForImport(ByVal FlowRuleName As String, ByVal csentry As CSEntry, _
            ByVal mventry As MVEntry) Implements IMASynchronization.MapAttributesForImport
        Select Case FlowRuleName
            Case "cn"            ' "Hendrix, Jimi"
                mventry("cn").Value = csentry("sn").Value & ", " & csentry("givenName").Value
            Case "displayName"   ' "Jimi Hendrix"
                mventry("displayName").Value = csentry("givenName").Value & " " & csentry("sn").Value
            Case Else            ' not a rule this extension knows: fail loudly
                Throw New EntryPointNotImplementedException()
        End Select
    End Sub
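An added example, not code from the deck or from Microsoft, of the HR management agent rules extension that the join and attribute-flow slides describe. It is written in C# because MIIS extensions are compiled against the CLR, and it implements Microsoft.MetadirectoryServices.IMASynchronization: the join on an employee number, the import flow rules from the slide (cn and displayName) with a guard for missing source attributes, and a refusal to resolve ambiguous joins. The attribute name employeeID, the flow rule name byEmployeeID and the metaverse object type person are assumptions about how the MAs were configured.

```csharp
using System;
using Microsoft.MetadirectoryServices;

// Rules extension for the HR MA. Only sn, givenName, cn and displayName come
// from the slide; employeeID, "byEmployeeID" and "person" are assumed names.
public class HrMaExtension : IMASynchronization
{
    public void Initialize() { }
    public void Terminate() { }

    // Every HR record that does not join is projected as a metaverse person.
    public bool ShouldProjectToMV(CSEntry csentry, out string MVObjectType)
    {
        MVObjectType = "person";
        return true;
    }

    // Join criterion: the employee number. It is the one key HR and the other
    // systems agree on; a name-based join would silently merge two people.
    public void MapAttributesForJoin(string FlowRuleName, CSEntry csentry, ref ValueCollection values)
    {
        if (FlowRuleName == "byEmployeeID" && csentry["employeeID"].IsPresent)
            values.Add(csentry["employeeID"].Value.Trim());
    }

    // Called only when the join search found more than one candidate. Never pick
    // one: an ambiguous join would attach another person's accounts to this record.
    // Returning false leaves the CS object a disconnector for an operator to resolve.
    public bool ResolveJoinSearch(string joinCriteriaName, CSEntry csentry, MVEntry[] rgmventry,
                                  out int imventry, ref string MVObjectType)
    {
        imventry = -1;
        return false;
    }

    // The advanced import flow rules shown on the slide.
    public void MapAttributesForImport(string FlowRuleName, CSEntry csentry, MVEntry mventry)
    {
        switch (FlowRuleName)
        {
            case "cn":          // "Hendrix, Jimi"
                FlowJoined(csentry, "sn", ", ", "givenName", mventry["cn"]);
                break;
            case "displayName": // "Jimi Hendrix"
                FlowJoined(csentry, "givenName", " ", "sn", mventry["displayName"]);
                break;
            default:
                // Unknown rule name: the MA configuration and the code disagree.
                throw new EntryPointNotImplementedException();
        }
    }

    // Build "<first><sep><second>" from two CS attributes; if either is missing,
    // remove the MV value instead of leaving a stale one behind.
    private static void FlowJoined(CSEntry csentry, string first, string sep, string second, Attrib target)
    {
        if (csentry[first].IsPresent && csentry[second].IsPresent)
            target.Value = csentry[first].Value + sep + csentry[second].Value;
        else
            target.Delete();
    }

    // HR is import-only; no export flow rules are expected.
    public void MapAttributesForExport(string FlowRuleName, MVEntry mventry, CSEntry csentry)
    {
        throw new EntryPointNotImplementedException();
    }

    // No code-based connector filter; status handling is done in provisioning.
    public bool FilterForDisconnection(CSEntry csentry)
    {
        return false;
    }

    // Called if this CS object is disconnected from its MV object: keep it as an
    // explicit disconnector so it is visible and is not silently re-joined.
    public DeprovisionAction Deprovision(CSEntry csentry)
    {
        return DeprovisionAction.ExplicitDisconnect;
    }
}
```

The extension is compiled into a DLL, placed in the MIIS Extensions directory and named in the HR MA's configuration; the rule names in the switch must match the flow rule names typed into the UI, which is why an unknown name throws rather than returning quietly.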
Provisioning Types: Simple Provisioning
MA code modifies attributes as they flow
Metaverse: cn = Hendrix, Jimi; displayName = Jimi Hendrix; Surname = Hendrix; First Name = Jimi
Email MA Connector Space
  Constructed attributes: cn = Hendrix, Jimi; MailboxName = Jimi Hendrix
  Flowed attributes: Surname = Hendrix; First Name = Jimi
MA config flows attributes intact (Surname, First Name)
MA maps attributes (cn and MailboxName are constructed by extension code as they flow)
De-Provisioning: Simple De-Provisioning with MIIS
Connector Space: employeeStatus = active -> container Users; employeeStatus = inactive -> container DisabledUsers
Pseudocode for choosing the target container:

    Select Case employeeStatus
        Case "active"
            container = Users
        Case "inactive"
            container = DisabledUsers
        Case Else
    End Select
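An added example, not the deck's own code, of the metaverse rules extension that does what the provisioning and de-provisioning slides describe: create an AD account for a new person, place it under Users or DisabledUsers according to employeeStatus, move (rename) it when the status changes instead of deleting and recreating it, and decide when the metaverse object itself may be deleted. It is C# against Microsoft.MetadirectoryServices.IMVSynchronization and is the full form of the ConnectedMA/StartNewConnector snippet shown on the DLs slide. The MA names AD and HR, the container DNs, the metaverse attribute accountName and the object type person are assumptions. Setting unicodePwd through the AD MA requires an SSL (LDAPS) connection to the domain controller; the example generates a random initial password per account rather than a shared default.

```csharp
using System;
using System.Security.Cryptography;
using Microsoft.MetadirectoryServices;

// Metaverse extension: provision/deprovision AD users for HR-driven persons.
// MA names, container DNs, "accountName" and "person" are assumed for this example.
public class AdProvisioning : IMVSynchronization
{
    const string AdMaName   = "AD";
    const string HrMaName   = "HR";
    const string ActiveOu   = "OU=Users,DC=contoso,DC=com";
    const string DisabledOu = "OU=DisabledUsers,DC=contoso,DC=com";
    const long UF_NORMAL_ACCOUNT = 0x0200;   // userAccountControl bits
    const long UF_ACCOUNTDISABLE = 0x0002;

    public void Initialize() { }
    public void Terminate() { }

    public void Provision(MVEntry mventry)
    {
        if (mventry.ObjectType != "person" || !mventry["cn"].IsPresent) return;

        bool active = mventry["employeeStatus"].IsPresent
                      && mventry["employeeStatus"].Value == "active";
        ConnectedMA adma = mventry.ConnectedMAs[AdMaName];
        // EscapeDNComponent escapes commas and other DN metacharacters in the cn.
        ReferenceValue dn = adma.EscapeDNComponent("CN=" + mventry["cn"].Value)
                                .Concat(active ? ActiveOu : DisabledOu);

        if (adma.Connectors.Count == 0)
        {
            // No AD account yet: create one. Only the initial state is set here;
            // everything else reaches AD through the MA's export attribute flow.
            CSEntry csentry = adma.Connectors.StartNewConnector("user");
            csentry.DN = dn;
            csentry["sAMAccountName"].Value = mventry["accountName"].Value;
            csentry["userAccountControl"].IntegerValue =
                UF_NORMAL_ACCOUNT | (active ? 0 : UF_ACCOUNTDISABLE);
            // Initial password: random per account, never a shared default.
            // The AD MA can only export unicodePwd over an SSL (LDAPS) connection.
            csentry["unicodePwd"].Value = NewRandomPassword(16);
            csentry.CommitNewConnector();
        }
        else
        {
            // Account exists: a status (or cn) change is a rename between the two
            // OUs plus a flip of the disabled bit, never a delete-and-recreate.
            CSEntry csentry = adma.Connectors.ByIndex[0];
            if (csentry.DN.ToString() != dn.ToString())
                csentry.DN = dn;
            csentry["userAccountControl"].IntegerValue =
                UF_NORMAL_ACCOUNT | (active ? 0 : UF_ACCOUNTDISABLE);
        }
    }

    // The MV object follows the authoritative source: delete it only when the
    // HR connector is the one going away. Losing the AD connector must not
    // delete the person, or a bad AD export would cascade into every system.
    public bool ShouldDeleteFromMV(CSEntry csentry, MVEntry mventry)
    {
        return csentry.MA.Name == HrMaName;
    }

    // 16 symbols from a 64-symbol alphabet: 96 bits from the CSPRNG, and
    // 256 % 64 == 0 so the byte-to-symbol mapping has no modulo bias.
    private static string NewRandomPassword(int length)
    {
        const string alphabet =
            "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!#$%&*+-=";
        byte[] raw = new byte[length];
        new RNGCryptoServiceProvider().GetBytes(raw);
        char[] pw = new char[length];
        for (int i = 0; i < length; i++)
            pw[i] = alphabet[raw[i] % alphabet.Length];
        return new string(pw);
    }
}
```

Two design points worth keeping when adapting this: the inactive path disables and moves the account rather than deleting it, so an HR data error is reversible, and the userAccountControl value written here covers only the two bits this extension manages; if other bits are set on the account by other means, read the existing value first and mask instead of overwriting.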
Mail Scenarios
HR add triggers new mail user
Contacts automatically generated in other systems (GAL)
Automated DL/group management
(Diagram: a User added in SAP is picked up by MIIS, which creates a User in Exch1 and a Contact in Exch2)
DLs

Alias name | WHERE clause
MMSTeam    | department='US-Metadirectory'
BigDogs    | personalTitle='Vice President'
KevDir     | managerMailNickname='KevinMil'

Creating a new connector from a metaverse rules extension (C#):

    ConnectedMA adma = mventry.ConnectedMAs["AD"];
    CSEntry csentry = adma.Connectors.StartNewConnector("user");   // new AD user connector
    csentry.DN = adma.EscapeDNComponent("CN=" + mventry["cn"].Value).Concat(container);  // container chosen from employeeStatus on the de-provisioning slide
    csentry.CommitNewConnector();   // nothing is exported until the connector is committed
State- vs. Event-based
State-based systems are more robust
  Storing state information means the system knows what to expect on the connected system
  The system can respond if things go wrong
Event-based systems can be quicker to respond
  Events fire in response to changes in systems, but ... events can get lost if servers are down
MIIS provides the "best of both"
  Our state-based approach allows us to take a pessimistic view of connected system uptime/connectivity
  Our architecture allows high flexibility
    Runs can be controlled via schedules, events via WMI, etc.
    System can process only changes in the connected systems
    Microsoft OTG runs 1500-2000 times per day
Preview Mode
System is transparent in design
  Allows architect/developer to preview work in the metadirectory without committing any changes
Allows the testing of
  Configuration changes
  New rules
  New connected directories
Can view all results through the UI

Provisioning Lifetime
Provisioning & de-provisioning
(Diagram: Provision -> Join and synchronize -> De-provision)
Password Synch

Password Management: Encryption – the basic problem
(Diagram: the plaintext password "Carve99" passes through a one-way function (OWF) before it is stored; Active Directory and the NT4 SAM both hold the same OWF password, C62EAD47D82E1037A6AC12CD0CC49C6E, and never the plaintext)
Because the stored value is the output of a one-way function, the plaintext cannot be recovered from the directory, and so it cannot be re-hashed for a system that uses a different OWF. The stored hash can only be reused between systems that share the same algorithm, as AD and the NT4 SAM do. For any other target the password must be captured in plaintext at the moment it is set or changed.
Password Management
Initial password set
Centralized password control via a Web app
  Self-service password reset
  Helpdesk password reset
Decentralized password synchronization
  3rd party password sync products can easily integrate
(Diagram: Web app -> MIIS -> Active Directory and SunONE Directory)
Password Management: True Password Sync
Requires agents on target systems
  Trap the password in plaintext at the moment it is set or changed, before the target applies its OWF
  Securely transport it back to the central server (the agent handles the plaintext, so the transport must be encrypted and the agent host protected)
Server does Password Set on other targets
(Diagram: a Password Agent on each Target System sends the encrypted password over the transport to the Password Server, which performs the Password Set on the other targets by directory write or native APIs)
Password Sync: M-Tech P-Synch – MIIS Integration
(Diagram: the M-Tech P-Synch Server performs Password Set & Reset and Password Synch against the target systems; the P-Synch Engine and MIIS share SQL tables, the P-Synch Table and MIIS's Persistent Join Data)
Visualization
Different hierarchies suit different needs
Multiple hierarchical representations can be discovered from data
Polyarchy eliminates the requirement for a fixed hierarchy
Polyarchy provides multiple hierarchical views and richer visualization of infrastructure information
Prerequisites
Microsoft SQL Server 2000 Enterprise Edition
  SP1 adds support for Standard Edition
Windows Server 2003 Enterprise Edition
Visual Studio .NET 2003
Directory Synchronization: Connectivity in MIIS 2003, Enterprise Edition
Active Directory
Active Directory Application Mode
Exchange 2000 and Exchange 2003 Global Address List Synchronization
Sun One Directory (formerly iPlanet) 4.x and 5.0
SQL Server 7.0 and 2000
Oracle 8i and 9i
DSML 2.0
LDAP Directory Interchange Format (LDIF)
Delimited Text
Fixed-Width Text
Attribute-Value Pair Text
Windows NT 4.0
Exchange 5.5
Lotus Notes 4.6, 5.x, and 6.x
Novell eDirectory 8.62 and 8.7
Other LDAP-based, mainframe or RDBMS systems to follow
MIIS 2003 – Resource Kit v2
MIIS Provisioning Wizard
MIIS Workflow Application
  Sample application that shows how to build workflow based on MIIS 2003
AttributeFlowViewer
  Shows import and export flows of MV attributes
  Generates an XML file
MIISInfoBackup
  Collects all MIIS configuration into an XML file
MVConfigurationViewer
  Translates the MV configuration to an XML file
  Allows viewing and documenting the MV configuration in a readable way
MIIS 2003 ResKit v2 Provisioning
MIIS 2003
  Administrator had to write code for provisioning
MIIS SP1 Resource Kit
  Additional tools
  Provisioning code generator
    Declarative UI for provisioning
    Generates provisioning code
    Enables provisioning and registers the provisioning DLL
    Source code can be extended with custom code
Service Pack 1

MIIS 2003 SP1 – Management Agents
New MAs
  IBM DB2
    Version 7 or 8.1
    Windows OS only at this time
  IBM DS
    Version 4.1, 5.1 and 5.2
    Windows OS only at this time
Improved MA support
  Sun One 5.2
  eDirectory 8.73
  Lotus Notes 6.x
MIIS 2003 SP1 Password Synchronization
Problem: credentials in multiple identity stores are hard to manage
Solution: use credentials from one store and synchronize
  End users – convenience
  IT – security, manageability
Must be easy to use and integrated with the desktop
  End users know how to change passwords from the Windows client
  No training required
Must be easy to deploy
  The PCNS (Password Change Notification Service) filter and service can easily be rolled out with SMS or GP
  PCNS configuration stored in AD; no need to update each DC for configuration changes
Password synchronization integrated in MIIS
  The service forwards password changes to MIIS
  MIIS uses password extensions for all connected identity stores
  Robust implementation
Packaging
MIIS 2003, Enterprise Edition
  Available via Open and Select licensing
  MSDN Universal for development, testing
  Includes all management agents
Identity Integration Feature Pack for AD
  No cost web download
  AD and ADAM management agents
  Supports Exchange GAL sync
1. Codeless provisioning
2. Richer logging/auditing
3. Self-service platform
4. Workflow for provisioning and self-service
5. Cluster support
6. Computed attributes (dynamic groups)
7. Cross-forest group management
8. Entitlement reporting
9. Capacity planning documentation
10. Scalability improvements

Roadmap
Polyarchy Beta – Target: 2H04
MIIS Gemini – Target: CY06
  Full Lifecycle Identity Management: Additional Provisioning/De-provisioning, Audit
  Development Platform
  Even easier Deployment/Development and Ongoing Administration
  Polyarchy
  Autogroup
© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.