Page 1: Microsoft’s Identity and Access - KuppingerCole · PDF fileMicrosoft’s Identity and Access Management Strategy ... SAP Integration SSO / PW Sync ... Password Synchronization over

Microsoft's Identity and Access Management Strategy

Rüdiger Berndt, Chief Architect / CEO
Oxford Computer Group Deutschland
[email protected]
www.oxfordcomputergroup.de

Page 2: Oxford Computer Group

Offices: Munich, Oxford, Seattle, Toronto, Vienna

The leading Microsoft partner for IDA: pure Microsoft-based IDA solutions
Build-and-buy approaches; we partner with Microsoft-focused ISVs
Currently involved in 40 projects worldwide
Focus: execution of planning, design, build and test through to final implementation
Enterprise IDA management solutions
Enterprise SSO / strong authentication solutions
Microsoft IDA training programmes
Identity management support (24x7)

Page 3: Agenda

IDA architectures
Components
  Identity store
  Role management
  Workflow
  Audit / reporting
  SAP integration
  SSO / PW sync
Summary

Page 4: Product Overview

[Diagram of the Microsoft IDA product landscape: guidance, developer, systems management, Active Directory, Federation Services (ADFS), identity management services, information protection, client and server OS, server applications, edge; Identity Lifecycle Manager 2007 and Certificate Lifecycle Manager 2007.]

Page 5: Identity Lifecycle Manager 2007

Brings together metadirectory, certificate management, and user provisioning across Windows and enterprise systems into a single packaged offering.

Identity synchronization (MIIS)
  Provides a single view of a user across enterprise systems
  Automatically keeps identity information consistent
User provisioning
  Automates the process of on-boarding and off-boarding users
  Simplifies compliance through automated IDA enforcement
  Enforces consistent credentials across systems
Certificate and smart card management (CLM)
  Reduces the cost of managing certificate-based credentials
  Automates workflow-driven certificate issuance and revocation
  Vastly simplifies deployment of smart cards

Page 6: IDA Solution from MSFT/OCG

Single point of administration
Application integration with the corporate directory
Workflow / rules for automatic admin processes
Password synchronization over MIIS
Role-based application provisioning
Compliance reporting via SRS (SQL Reporting Services) plugins

[Architecture diagram: Microsoft Identity Integration Server 2003 with its management agents in the centre; connected systems: infrastructure AD, LDAP / web services, phone system, Novell / Notes, Unix / RACF, SAP/HR systems, SAP EP, data warehouse, self services; the identity store; an audit & reporting DB; OCG Role Calc (centralized management, provisioning, role management); the OCG event workflow module for the user request / approval process (InfoPath, mail, WebPart / website).]

Page 7: MIIS Terms

Connected Data Source (CD): any source and/or destination containing identity data
Management Agent (MA): facilitates the communication between MIIS and the CD
Connector Space (CS): staging area (SQL) for inbound or outbound synchronized attributes
Metaverse (MV): central (SQL) store of identity information; matching CS entries to a single MV entry is called a "join"

[Diagram: CD <-> MA <-> CS <-> MV inside MIIS.]

Page 8: MIIS Concepts

MV entries are linked to CS entries through projection, provisioning a connector, or joining
CS entries represent objects in connected data sources
Synchronization is between MV and CS
Staging is from CD to CS
Export is from CS to CD

[Diagram: connected data sources (user, Notes, Oracle, SQL, SAP) -> connector space (CS) -> metaverse (MV) inside MIIS.]

Let's zoom in on what MIIS does

Page 9: MIIS Sequence of Events

1) SAP HR database staged and projected
2) Provision and export to the SQL-based approval system
3) Manager approval app causes import and delta synchronization
4) Sun ONE and Notes connectors provisioned and exported

[Diagram: same CD / CS / MV layout as on Page 8.]

Page 10: ILM as Provisioning System

Identity Lifecycle Manager 2007 / Microsoft Identity Integration Server 2003 (MIIS)

E-mail connected data source: Exchange, Notes, GroupWise, etc. (E-Mail MA)
Database connected data source: SQL, DB2, Oracle, etc. (Database MA)
Directory connected data source: Active Directory, LDAP, eDirectory, etc. (Directory MA)

[Diagram: each MA has its own logical area (object attributes) in the connector space; all are joined in the metaverse.]

Page 11: Object Creation

[Diagram: CD (HR) -> CS person object -> MV person object; the provision step in the MV rules extension creates the connector in the target CS.]

1) HR MA imports new user object
2) Project new user
3) Create new connector
4) Set anchor value
5) Set other initial values
6) Export attribute flow
7) Normal MA export run (creates object in CD)

Page 12: Object Deletion

[Diagram: CD (HR) -> CS person object -> MV person object -> target CS connector; the MA rules extension decides the deprovisioning.]

1) HR MA imports user object with status = "terminated"
2) Object deletion rule applies: the connector filter "status=terminated" is satisfied, the CS object becomes a disconnector and the MV object is deleted
3) Deprovisioning of the remaining connectors, as configured per MA or decided in the MA rules extension: make normal disconnector, make explicit disconnector, delete object, or custom extension
4) Disconnector cleanup
5) MA export deletes the CD object
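The creation sequence on Page 11 and the deletion sequence on Page 12, traced in a small Python model of the sync engine. This is example code added for this page, not Microsoft's or OCG's; the HR feed, the attribute names, the sAMAccountName anchor and the three deprovisioning options are assumptions modelled on the slides. The setting worth checking in a real deployment is the deprovision option of each target MA: a connector left as an explicit disconnector keeps the target account alive after HR has terminated the employee.

```python
"""Toy model of the MIIS/ILM join / projection / provisioning / deprovisioning
flow (Pages 11 and 12). Added illustration, not product code; all names and
the sample HR record are assumptions."""
from dataclasses import dataclass, field

# Deprovisioning choices an MA can make when its connector loses its MV object
# (Page 12: normal disconnector, explicit disconnector, delete).
DISCONNECT, EXPLICIT_DISCONNECT, DELETE = "disconnector", "explicit-disconnector", "delete"


@dataclass
class ManagementAgent:
    name: str
    cd: dict                                 # connected data source: anchor -> attributes
    cs: dict = field(default_factory=dict)   # connector space: staged copies
    deprovision: str = DELETE                # what to do with an orphaned connector


class SyncEngine:
    def __init__(self, source: ManagementAgent, targets: list):
        self.source, self.targets = source, targets
        self.mv = {}        # metaverse: employeeID -> person object
        self.links = {}     # (MA name, anchor) -> MV key

    def import_and_sync(self):
        """Stage CD -> CS, then project or join into the MV and apply the rules."""
        for anchor, attrs in self.source.cd.items():
            self.source.cs[anchor] = dict(attrs)            # staging
            key = attrs["employeeID"]
            if key not in self.mv:
                self.mv[key] = dict(attrs)                   # 2) project new user
            else:
                self.mv[key].update(attrs)                   # join: refresh attributes
            self.links[(self.source.name, anchor)] = key
            if attrs.get("status") == "terminated":
                self._deprovision(key)                       # Page 12 deletion rule
            else:
                self._provision(key)                         # Page 11 provisioning

    def _provision(self, key):
        person = self.mv[key]
        for ma in self.targets:
            anchor = person["sAMAccountName"]                 # 4) anchor value
            if (ma.name, anchor) not in self.links:          # 3) create new connector
                ma.cs[anchor] = {"displayName": person["displayName"], "enabled": True}  # 5)
                self.links[(ma.name, anchor)] = key
            ma.cs[anchor]["department"] = person["department"]   # 6) export attribute flow

    def _deprovision(self, key):
        person = self.mv.pop(key)                             # MV object deleted
        for ma in self.targets:
            anchor = person["sAMAccountName"]
            self.links.pop((ma.name, anchor), None)           # CS object is now a disconnector
            if ma.deprovision == DELETE:
                ma.cs[anchor] = None                          # stage a delete for the next export
            # EXPLICIT_DISCONNECT / DISCONNECT: the CS object (and the target
            # account behind it) is kept; an explicit disconnector never re-joins.

    def export(self):
        """CS -> CD: 7) normal export run, or the delete staged in deprovisioning."""
        for ma in self.targets:
            for anchor, obj in list(ma.cs.items()):
                if obj is None:
                    ma.cd.pop(anchor, None)
                    del ma.cs[anchor]
                else:
                    ma.cd[anchor] = dict(obj)


def run_joiner_leaver(deprovision=DELETE):
    """Hire a user, then terminate them in HR; return AD after each export and the MV."""
    hr = ManagementAgent("HR", cd={"0042": {"employeeID": "0042", "sAMAccountName": "jdoe",
                                             "displayName": "Jane Doe", "department": "IT",
                                             "status": "active"}})   # constructed HR record
    ad = ManagementAgent("AD", cd={}, deprovision=deprovision)
    engine = SyncEngine(hr, [ad])
    engine.import_and_sync(); engine.export()
    after_join = dict(ad.cd)
    hr.cd["0042"]["status"] = "terminated"                   # HR feed changes
    engine.import_and_sync(); engine.export()
    return after_join, dict(ad.cd), engine.mv
```

With the default delete option the AD object disappears on the second export; with EXPLICIT_DISCONNECT the MV object is gone but the AD account survives, which is exactly the orphaned-account case an identity-store review has to look for.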

Page 13: MIIS Management Agents

Selection of the main system connections:
Active Directory, supporting Windows 2000/2003, Exchange 2000/2003/(12)
Active Directory Application Mode (ADAM) (R2)
Global Address List (GAL) sync, supporting Exchange 2000 and Exchange 2003 / (12)
Netscape / iPlanet / Sun ONE Directory
IBM DB2 Universal Database (7 or 8.1 on Windows or Linux)
IBM Directory Server (4.x/5.x on Windows 2000/2003)
SQL Server (7/2000/2005)
Oracle databases, supporting versions 8i, 9i, 10, 10g
Directory Services Markup Language (DSML), supporting DSML version 2.0
LDAP Interchange Format (LDIF) / delimited text, attribute-value pair text
OpenLDAP
Windows NT 4.0 domains and Exchange Server 5.5, Exchange Server 5.5 bridgehead
Lotus Notes, supporting versions 4.6, 5.0, 6.0, 7.x
Novell eDirectory, supporting versions > 8.6.x
Host RACF, TS, ACF systems
Microsoft SAP HR + SAP R3 > V4.6d

Page 14: Management Agents: Additions to Standard Agents (Selection)

Highly scalable SAP MA for HR, CUA, UM, OM / PD-ORG, workflow integration
Host RACF via LDAP
Unix systems (VMS, HP-UX, Sun, Linux, SCO, other)
Additional HR systems (e.g. PeopleSoft, Paisy, ...)
Various telephone systems (Alcatel, HiCom, Avaya, ...)
SharePoint, BizTalk
Live ID, Office Live
Vintela / Quest / Omada / bHold
RSA SecurID
Other LDAP servers, e.g. Siemens DirX, CP, Syntegra, ...
CLM

Page 15: IDA Solution from MSFT/OCG V2

Central role-based administration
Application integration into the corporate directory
Workflows for automatic admin processes
Password synchronization over ILM
Compliance reporting / audit via SRS plugins

[Architecture diagram as on Page 6, with Identity Lifecycle Manager 2007 in place of MIIS 2003 and Omada Identity Manager providing workflow + role management + AR: user -> job profiles 1, 2 -> roles A, B, C.]

Page 16: Omada Identity Manager + MIIS/ILM

Page 17: ADAM as Identity Store

Flexible and automatic user administration
Flexible schema: simple extensibility without changes to the NOS AD
Administration at org-structure level
Inheritance of attributes from OUs to users
Better performance than AD
Integration of vendors / other companies / external people possible
Single point of authentication for all applications

Page 18: IDA Architecture

[Overview diagram as on Page 6, with Identity Lifecycle Manager 2007 in place of MIIS 2003.]

Page 19: Enterprise Roles

[Diagram, OCG Role Calc: user -> enterprise role -> app role -> task -> operation / action. Enterprise roles are attached to users, OUs, Os or groups; ADAM is the identity data store; user lifecycle management and role design feed the calculation.]

Page 20: Role Mapping Example (OCG Role Calc)

Role objects in ADAM (assigned to a group object):
Enterprise Role A: Oracle roles (ORA1 active, Ora2), SAP roles (SAP1, SAP4, SAP6)
Enterprise Role B: Oracle roles (ORA5 active, Ora7), SAP roles (SAP1, SAP3, SAP9)
Enterprise Role C: Oracle roles (ORA7 active, Ora2), SAP roles (SAP1, SAP8, SAP9)

User Object 1 in ADAM: EntRoleA, EntRoleB
OU Object 1 in ADAM (User 2 is assigned to OU 1): EntRoleA, EntRoleC

Flexible role assignment
Roles can be assigned directly or rules-based to:
  Users
  Groups
  Organizational structures
  Views

Page 21: Multiple Views on Users (OCG Role Calc)

[Diagram of the ADAM objects:
Organization Object 1: ocgOrgMember (multi-valued): DN refs to Organization Unit 1, User 1, User ...
Organization Unit Object 1: ocgOrgMember (multi-valued): DN refs to User 1, User ...
User Object: ocgOrgView (multi-valued, managed by the admin console): DN refs to Organization 1 / OU ...
ocgOrgMember and ocgOrgView are automatically back-linked.]

Flexible rights management through multiple views
A user can be assigned to multiple organizational structures (e.g. projects)
Views can be automatically imported (e.g. from SAP-OM)
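The role calculation described on Pages 19 to 21, as an added Python example (written for this page, not OCG Role Calc's own code). The enterprise-to-application role mapping uses the role names from the Page 20 diagram; the users, the group, the project view and the org tree are constructed sample data, and the ocgOrgMember back links are modelled as a plain membership table. The last function computes what a management agent must add to and, more importantly, remove from a target so that the target never carries an application role the user no longer derives from any enterprise role.

```python
"""Enterprise-role calculation in the style of Pages 19-21. Added example,
not OCG code; role names from the slide, directory contents constructed."""
from collections import defaultdict

# Enterprise role -> application roles per target system (Page 20).
ENTERPRISE_ROLES = {
    "EntRoleA": {"Oracle": {"ORA1", "Ora2"}, "SAP": {"SAP1", "SAP4", "SAP6"}},
    "EntRoleB": {"Oracle": {"ORA5", "Ora7"}, "SAP": {"SAP1", "SAP3", "SAP9"}},
    "EntRoleC": {"Oracle": {"ORA7", "Ora2"}, "SAP": {"SAP1", "SAP8", "SAP9"}},
}

# Constructed directory: enterprise roles may hang on users, org units and views.
ROLE_ASSIGNMENTS = {
    "cn=user1": {"EntRoleA", "EntRoleB"},      # direct assignment (Page 20, User 1)
    "ou=OU1": {"EntRoleA", "EntRoleC"},        # org-unit assignment (Page 20, OU 1)
    "cn=projectX": {"EntRoleB"},               # a project view (Page 21)
}
ORG_PARENT = {"ou=OU1": "o=Org1", "o=Org1": None}            # child -> parent org
ORG_MEMBERS = {                                               # ocgOrgMember stand-in
    "ou=OU1": {"cn=user2"},
    "cn=projectX": {"cn=user2", "cn=user3"},
}


def containers_of(user_dn):
    """Every org unit, parent organisation or view the user is a member of."""
    found = set()
    for container, members in ORG_MEMBERS.items():
        if user_dn in members:
            node = container
            while node:                       # inherit up the org tree
                found.add(node)
                node = ORG_PARENT.get(node)
    return found


def enterprise_roles_for(user_dn):
    """Direct assignments plus everything inherited from containers."""
    roles = set(ROLE_ASSIGNMENTS.get(user_dn, set()))
    for container in containers_of(user_dn):
        roles |= ROLE_ASSIGNMENTS.get(container, set())
    return roles


def app_roles_for(user_dn):
    """Effective application roles per target system: the input to provisioning."""
    effective = defaultdict(set)
    for ent_role in enterprise_roles_for(user_dn):
        for system, app_roles in ENTERPRISE_ROLES[ent_role].items():
            effective[system] |= app_roles
    return {system: sorted(roles) for system, roles in effective.items()}


def diff_against_target(user_dn, system, current_in_target):
    """(to_add, to_remove) so the target matches the calculated roles.

    The removal list is the least-privilege half: a role found in the target
    that no enterprise role explains (e.g. granted by hand) must be revoked,
    not silently kept."""
    wanted = set(app_roles_for(user_dn).get(system, []))
    current = set(current_in_target)
    return sorted(wanted - current), sorted(current - wanted)
```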

Page 22: IDA Architecture

[Overview diagram as on Page 6, with Identity Lifecycle Manager 2007 in place of MIIS 2003.]

Page 23: Workflow Integration: Technical Implementation

OCG WF module
Based on Windows Workflow Foundation (WF)
State is stored in ADAM
Event-based workflow start
Compatible with the SharePoint 2007 workflow designer
No licence costs!
Complex and highly available workflows

[Diagram: workflow runtime (Microsoft Windows Workflow Foundation) with persistence in DB / ADAM, alongside Microsoft Identity Integration Server 2003.]

Page 24: Joiner Process Example

A joiner process initiated via self service from Microsoft SharePoint:
1) Configuration by administrator
2) Request for a new employee
3) Role assignment
4) Approval
5) User provisioning through MIIS

Page 25: IDA Solution Architecture

[Overview diagram as on Page 6.]

Page 26: MIIS Reporting

The MIIS reporting module uses its own MIIS reporting database
Automatic configuration of the report interface on schema changes
Multiple pre-defined reports available for:
  Changelog (who changed what, when)
  Management log (number of accounts, changes per system, newly created accounts, ...)
  Who is in which role (enterprise / application)

Page 27: Reporting IDA Workflow Events

[Diagram: IdM events are sent to MIIS (identity integration) and logged in the identity management store / corporate directory (ADAM, LDAP); SQL Reporting Services reads the IdM event log; event archiving.]

Page 28: ILM Reporting Examples

[Screenshot]

Page 29: Reports of Role Membership

[Screenshot]

Page 30: ILM Reporting / Changelog

[Screenshot]

Page 31: IDA Solution Architecture

[Overview diagram as on Page 6.]

Page 32: SAP Identity Integration: MIIS/ADAM Supported Scenarios

User account creation (UM, CUA)
Password sync to SAP systems
Read/write employee data in the HR system
Read organizational structures
Read SAP roles
Assignment of roles to users
High scalability: the SAP concentrator supports > 100 SAP systems per MIIS MA

Page 33: SAP Integration: ILM SAP MA (Version 1.0) / OCG MA (Version 2.3)

No changes on the target SAP systems necessary
Delta import where the SAP BAPI/RFC functions support it
Detailed error reporting on object and attribute level
OCG version only: can run on different servers (via optional SQL interface)
Can connect multiple (> 100) SAP systems/clients with one ILM MA

[Diagram: ILM server with the ILM sync engine and the SAP MA talking BAPI to SAP.]

Page 34: IDA Architecture with SAP

[Diagram: MIIS in the centre with an Active Directory MA per AD forest, an ADAM MA to the ADAM identity data store, a SAP MA to SAP CUA and a SAP MA (PW sync) to the SAP R/3 systems. A web admin GUI and SAP EP 6.0 / the intranets of the member companies query ADAM over LDAP.]

Page 35: IDA Architecture

[Overview diagram as on Page 6, with Identity Lifecycle Manager 2007 in place of MIIS 2003 and CLM added to the connected systems.]

Page 36: Certificate Lifecycle Manager (CLM)

Single administration point for digital certificates and smart cards
Configurable policy-based workflows for common tasks:
  Enroll / renew / update
  Recover / card replacement
  Revoke
  Retire / disable smart card
  Issue temporary / duplicate smart card
  Personalize smart card
Detailed auditing and reporting
Support for both centralized and self-service scenarios
Integration with existing infrastructure investments: Windows Active Directory, Windows Certificate Services

Page 37: CLM Components

[Diagram: CLM server (web portal) used by partners, users and customers; e-mail server; SQL Server; certification authority; AD; MIIS server.]

Page 38: CLM Interface

[Screenshot]

Page 39: CLM Middleware / Smart Cards

CLM supported smart card middleware:
  Microsoft Smart Card Base CSP
  Axalto Client Software (ACS) v5.2
  AET SafeSign v2.2
  Aladdin eToken RTE 3.65
  Gemplus GemSafe v4.2 SP3
  Siemens HiPath SIcurity Card API v3.1.026

Supported smart cards:
  Palmera, Cyberflex Access, e-gate lines of cards by Axalto
  Java Card 2.1.1+ compliant smart cards by G&D, Gemplus, IBM, MartSoft, Oberthur, ORGA and Axalto
  eToken Pro, eToken NG-OTP, eToken Pro (smart card) by Aladdin
  GemXpresso Pro 3.2 and GemSafe GPK lines of cards by Gemplus
  CardOS and CardOS/M4 lines of cards by Siemens
  Other smart cards and tokens that are supported through the AET SafeSign v2.1 middleware

Page 40: IDA Solution Architecture

[Overview diagram as on Page 6.]

Page 41: Password Management / SSO Module

[Diagram: MIIS takes employee data and passwords from the source Active Directory infrastructure and provisions / deprovisions users and synchronizes passwords to SAP, Unix and RACF, to Active Directory Application Mode (ADAM) / application servers (with authorization / role mapping) and to the target Active Directory infrastructure.]

• SSO
  • Kerberos integration (native / VAS)
  • Token translation (proxy): SAP2KERB, RSA2SAP, ...
  • Client-based SSO (Evidian, ...)
• Password synchronization
  • PCNS
  • OCG PCNS + OCG password policy
  • MIIS management agents
• Password self services
  • Password portal (Evidian, Quest, ...)

Page 42: Password Sync via ILM

[Diagram as on Page 41, with ILM in place of MIIS.]

1. The user changes the password in AD (Ctrl+Alt+Del)
2. The password is checked against the additional policies (SAP/Unix)
3. The password is encrypted and sent to the ILM server
4. The ILM server sets the password for this user in each target system

Page 43: Password Sync Scenarios

Function: Prerequisites for installation
  Microsoft PCNS + OCG add-on: an Active Directory trust is required
  OCG PCNS: no AD trust is required

Function: Consequences for the source AD
  Microsoft PCNS + OCG add-on: an extension of the AD schema is performed during installation
  OCG PCNS: no AD schema extension is required

Function: Ability to set additional password policies
  Microsoft PCNS + OCG add-on / OCG PCNS: additional password policies are configurable:
    Maximum / minimum password length
    Exclusion word lists (like "SAP")
    Exclusion character lists, to specify prohibited characters (e.g. *, @, #)
    Include + exclude filter for sAMAccountName

Function: Configuration of the target MIIS system
  Microsoft PCNS + OCG add-on: the user objects in MIIS must be directly joined with both the source AD and the target system
  OCG PCNS: various search criteria can be configured
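The policy check of step 2 on Page 42 and the policy table on Page 43, as an added Python example (written for this page; it is neither Microsoft's PCNS nor the OCG add-on). It models the four configurable policies from the slide and applies them per target before a password change is allowed to synchronise. The per-target limits (for instance an 8-character maximum on a classic RACF system), the banned word lists and the sAMAccountName filters are assumptions; the practical point is that the policy enforced in AD has to be the intersection of every target's rules, otherwise the AD change succeeds while the stricter target silently keeps the old password.

```python
"""PCNS-style password filter for synchronisation to targets with their own
rules (Pages 42-43). Added example; target policies and accounts constructed."""
import re

# Assumed per-target constraints (not the real products' defaults).
TARGET_POLICIES = {
    "SAP":  {"min_len": 8, "max_len": 40, "exclude_words": ["sap", "pass"], "exclude_chars": ""},
    "Unix": {"min_len": 8, "max_len": 64, "exclude_words": [], "exclude_chars": ""},
    "RACF": {"min_len": 6, "max_len": 8,  "exclude_words": ["ibm"], "exclude_chars": "*@#"},
}
# Include + exclude filter on sAMAccountName: only ordinary user accounts sync,
# privileged and service accounts never do (assumed naming convention).
SAM_INCLUDE = re.compile(r"^[a-z]{2,}\d*$")
SAM_EXCLUDE = re.compile(r"^(admin|svc_|krbtgt)")


def in_scope(sam_account_name):
    name = sam_account_name.lower()
    return bool(SAM_INCLUDE.match(name)) and not SAM_EXCLUDE.match(name)


def check_against(policy, password):
    """Return the list of violated rules for one target (empty list = accepted)."""
    problems = []
    if len(password) < policy["min_len"]:
        problems.append(f"shorter than {policy['min_len']}")
    if len(password) > policy["max_len"]:
        problems.append(f"longer than {policy['max_len']}")
    lowered = password.lower()
    for word in policy["exclude_words"]:
        if word in lowered:                       # substring match, case-insensitive
            problems.append(f"contains banned word {word!r}")
    bad = sorted({c for c in password if c in policy["exclude_chars"]})
    if bad:
        problems.append("contains prohibited characters " + "".join(bad))
    return problems


def evaluate_change(sam_account_name, password, targets=TARGET_POLICIES):
    """Decide which targets may receive the new password.

    Returns (accepted_targets, rejections). The caller should refuse the AD
    change when any target rejects it; accepting it for some targets only makes
    the passwords drift apart."""
    if not in_scope(sam_account_name):
        return [], {"*": ["account not in synchronisation scope"]}
    accepted, rejections = [], {}
    for name, policy in targets.items():
        problems = check_against(policy, password)
        if problems:
            rejections[name] = problems
        else:
            accepted.append(name)
    return accepted, rejections


def combined_policy(targets=TARGET_POLICIES):
    """The single policy to enforce in AD: the strictest value of every rule."""
    return {
        "min_len": max(p["min_len"] for p in targets.values()),
        "max_len": min(p["max_len"] for p in targets.values()),
        "exclude_words": sorted({w for p in targets.values() for w in p["exclude_words"]}),
        "exclude_chars": "".join(sorted({c for p in targets.values() for c in p["exclude_chars"]})),
    }
```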

Page 44: EMS Ticket Translation (OCG EMTT)

[Diagram of the demo setup: clients reach an F5 load balancer over HTTPS; ISA Servers front two RSA ACE reverse proxies (IIS, 192.168.5.86 and 192.168.5.87) that authenticate with SecurID and issue an RSA cookie; requests carrying the RSA cookie are translated into an SAP cookie plus an HTTP header REMOTE_USER2 and passed through a second F5 load balancer to the SAP EP instances; user lookups go to ADAM over LDAP. Steps 1 to 11 are numbered in the diagram.]

Demo

Page 45: EMS Ticket Translation

SSO through a single login with RSA token (strong authentication)
Ticket conversion (RSA2Kerb, RSA2SAPLT) by OCG modules
ADAM integration for vendors / external users
Automatic creation of the RSA tokens
Via SAP2Kerb, forwarding from the SAP portal to OWA is also possible
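The header-based ticket translation shown on Pages 44 and 45, reduced to an added Python example (written for this page, not the OCG EMTT module). The proxy validates the RSA session cookie, resolves the login in the identity store and forwards an identity header (REMOTE_USER2 on the slide) to SAP EP. The check a reviewer should insist on in any such design is made explicit: a header the backend trusts must be overwritten by the proxy on every request, never passed through from the client. Cookie format, signing key, the ADAM contents and the header name are assumptions.

```python
"""Ticket translation at a reverse proxy: RSA session cookie in, identity
header out (Pages 44-45). Added example; cookie format, key and store constructed."""
import hashlib
import hmac
import time

PROXY_KEY = b"constructed-demo-key"          # assumed: the proxy's session-signing key
IDENTITY_HEADER = "REMOTE_USER2"              # header SAP EP is configured to trust
# Constructed stand-in for the ADAM lookup: RSA login name -> SAP EP user id.
ADAM_STORE = {"jdoe": "JDOE", "ext.vendor1": "V_VENDOR1"}


def issue_rsa_cookie(login, now=None, ttl=900):
    """Issued after a successful SecurID login: login|expiry|HMAC-SHA256."""
    expiry = int(now if now is not None else time.time()) + ttl
    body = f"{login}|{expiry}".encode()
    tag = hmac.new(PROXY_KEY, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


def validate_rsa_cookie(cookie, now=None):
    """Return the login if the cookie is authentic and unexpired, else None."""
    try:
        login, expiry, tag = cookie.split(b"|")
    except ValueError:
        return None
    expected = hmac.new(PROXY_KEY, login + b"|" + expiry, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):         # constant-time comparison
        return None
    if int(expiry) < int(now if now is not None else time.time()):
        return None
    return login.decode()


def translate(request, now=None):
    """Reverse-proxy step: returns (status, headers forwarded to SAP EP).

    `request` is {"headers": {...}, "cookies": {...}}. Any client-supplied
    identity header is dropped first, so only the proxy can set it."""
    forwarded = {k: v for k, v in request["headers"].items()
                 if k.upper() != IDENTITY_HEADER}
    login = validate_rsa_cookie(request["cookies"].get("RSA_SESSION", b""), now)
    if login is None:
        return 401, {}                                 # back to the SecurID login page
    sap_user = ADAM_STORE.get(login)
    if sap_user is None:
        return 403, {}                                 # authenticated but not provisioned
    forwarded[IDENTITY_HEADER] = sap_user
    return 200, forwarded
```

The same stripping rule applies on the SAP EP side: the portal must accept REMOTE_USER2 only from the proxy's address, because a client that can reach the portal directly could otherwise present the header itself.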

Page 46: EMS Logistics

[Diagram: ILM 2007 with ADAM, an RSA sync table and RSA ACE; RSA tokens arrive as an XML file from device management, token assignments as CSV; users and tokens are linked in ADAM.]

1) Import of the RSA tokens (XML file from device management)
2) Export new tokens
3) Import of the token assignments (CSV): assigned token ID, cost centre of the token
4) Export token assignments
5) Export users + token assignment to RSA ACE
6) Import of the token status ("New PIN" mode or not)
7) Export of the token status
8) Export of all tokens that have been assigned and have a cost centre

Page 47: EMS Logistics

ISA / RSA / SAP Portal integration
  Isolation of the RSA server behind an ISA Server in a separate network segment
  Flexible handling through the RSA ticket converter (simple web SSO)
  RSA authentication is the only authentication required

ILM / RSA / external shop (SAP EBP)
  Universal interface for token management
    * Outsourcing of token logistics to an external service provider
    * Automatic import of the token assignments
  Automatic user (de-)provisioning
    * Role-based update of the RSA system without manual intervention
    * No orphaned accounts (security)
    * Immediately able to work after token delivery
  Separation of RSA token supply channels possible (multi-tenancy), e.g. for different tenants or for internal and external users
  Fast mass import of users and token assignments
  Batch interface: relief for administration / cost reduction

Page 48: Summary: Technical OCG Assets

Flexible role management
Event trigger for real-time sync scenarios
Graphical admin interface for ADAM (OUM)
PCNS add-ons to support password policies from SAP, RACF, Unix, ...
Kerberos ticket translations for RSA, SAP, ...
Additional system connections like Unix (ssh), RSA ACE, SSO systems, telephone systems, ...
SAP integration for enterprise environments
Made in Germany

Page 49: IDA Project Release Phases

1. Build / (migrate) identity store
2. Connect primary user repositories (initial load / join)
3. Integration of workflow systems
4. Reporting, logging
5. Connect additional user repositories

[Diagram:
Release 1: identity store build-up, integration of source systems, enterprise roles & entitlements
  Central user directory / identity store: AD/AM (ADAM management agent) and Active Directory (incl. MS Exchange; AD agent); users / admins authenticate in AD; querying applications, e.g. intranet
  Web app: admin UI (MIIS web GUI)
  Source systems: SAP HR (4.6) via OCG SAP HR agent; SAP R/3 (4.6c) via OCG SAP R3 agent; IBM iSeries via host / RACF agent; RSA via LDAP / file agent
  Workflow system: Workflow Foundation
Further expansion stages: connect further systems through additional MIIS management agents: SAP 4.6C, SAP BW, e-mail, SAP ISU, SAP EBP, PeopleSoft (PSFT), portals, time recording, DMS, telephone system (HiCom), SAP EP, web applications, etc.]

Page 50: Benefits Summary: Benefits from the 1st Implementation Phase

Create the identity store: consolidated view of all relevant user data
Single log-on with password synchronization
Central reporting / auditing (who has which rights / roles)
Increase the data quality in all connected systems
Fewer help desk calls (password sync + reset portal)
Automatic user provisioning: cost savings in user management!

Page 51: Benefits Summary: Benefits from the 2nd Implementation Phase

Workflow integration: easy electronic processes in user management
Self-registration scenarios
Role-based rights management: easy administration through globally consolidated enterprise roles (employee, vendor, student, ...)
No user-to-role assignment in the connected systems (cost savings)
Central reporting of roles

Page 52: Questions and Answers

Rüdiger Berndt, Managing Director
Oxford Computer Group Deutschland
[email protected]
Winterlestraße 10b
85435 Erding
WWW.OXFORDCOMPUTERGROUP.DE

Page 53: Identity Lifecycle Manager Roadmap

[Diagram columns: user management, access management, credential management, policy management]

Today: MIIS 2003, CLM
Mid 2007: Microsoft Identity Lifecycle Manager 2007, a single product for identity synchronization, certificate & smart card management and user provisioning
2H 2008: ILM "2", builds on the '07 release: empowers information workers, provides IT control with less effort, improves operational efficiency

Page 54: Omada Identity Manager

A solution for identity management, empowering MIIS and enabling clients to:
  Manage access requests and approvals
  Configure role-based access control
  Manage segregation of duties (SoD)
  Maintain an audit trail on all events

[Diagram: identity management processes and role-based access control on top of MIIS; user -> job profiles 1, 2 -> roles A, B, C.]

Page 55: Omada Key Differentiators

Elegant and highly flexible process solution: customers can maintain and configure the identity management processes, roles and reporting without the need for programming
Integrated process management solution: customers can design, document, execute and monitor the identity management processes in one solution
Low cost of maintenance: the solution can be deployed to support the current processes and can grow with the customer as the business and organization change