Access Management Rafal Lukawiecki

1 Access Management Rafal Lukawiecki
Strategic Consultant, Project Botticelli Ltd Copyright 2006 © Microsoft Corp & Project Botticelli Ltd. E&OE. For informational purposes only. No warranties of any kind are made and you have to verify all information before relying on it. You can re-use this presentation as long as you read, agree, and follow the guidelines described in the “Comments” field in File/Properties. This presentation is based on work of many authors from Microsoft, Oxford Computer Group and other companies. Please see the “Introductions” presentation for acknowledgments.

2 Objectives Discuss the challenge of coordinating access management in heterogeneous systems Suggest several options for building Single Sign-On solutions Overview the issue of extending corporate access management to the outside world

3 Session Agenda Enterprise Single Sign-On Authorization Manager
Windows UNIX/Linux Partner Solutions Authorization Manager Active Directory Federation Services

4 Microsoft’s Identity Management
Lifecycle Management Directory (Store) Services Access Management Active Directory & ADAM Active Directory Federation Services Identity Integration Server Extended Directory Services Authorization Manager BizTalk PKI / CA Enterprise Single Sign On Audit Collection Services Services for Unix / Services for Netware ISA Server SQL Server Reporting

5 Enterprise Single Sign-On

6 Enterprise Single Sign-On (ESSO)
Ability of a user to be given access to multiple resources after a single authentication operation, i.e. all further authentication to those resources ought to happen “in the background” without requiring any further input from the user. ESSO is generally easier to implement than Web-SSO, as access to a centralised metadirectory (MIIS) may be possible

7 Kerberos v5 Standards-based mechanism for providing distributed ESSO
Used by Windows, UNIX and some Linux Well-tested and resilient design Most often, perfectly sufficient and the best choice Why do we need anything else, then? Not everyone wants to use it, e.g. some mainframe host systems, specialised apps etc. Disconnected, or incompatible domain forests or credential realms do not work without a Kerberos-to-Kerberos integration solution, e.g. Windows Kerberos to UNIX Kerberos

8 Windows Server Authorization
Standards-Based Kerberos X509 LDAP Bind PEAP (network) 802.1x (network) RADIUS (network) Integrated PKI Multi-Factor authentication Auto-enrollment/renewal Single Sign-on Kerberos Applications Windows Integrated Apps Role-Based Access Control Authorization Manager User/Password Multi-Factor Active Directory Internet/Remote Wireless

9 Directory w/ Integrated
Single Sign-on: Active Directory with integrated Kerberos KDC. Logon to Windows yields a Kerberos ticket that is then presented to Exchange, file servers, web applications and Windows-integrated applications. Kerberos is the native AuthN protocol for Windows, MIT v5 compliant, carries authorization info in the PAC, and the Windows PAC format is open. Single Sign-on to: Windows, file servers, Exchange, SQL Server, 3rd-party integrated apps (Unix/Linux hosts, Oracle, SAP, etc.), Unix/Linux OS & integrated apps, Unix services that use Kerberos (login, rlogin, telnet, ftp), also Apache (native) and J2EE possibilities. Example partner solutions: Vintela, Centrify

10 UNIX/Linux Services for UNIX included and improved in Windows Server 2003 R2 Will deal with most standard UNIX ways of managing logins/passwords such as NIS Does not deal with 3rd-party directory services for UNIX For more complex needs, use: Vintela (Quest) – Centrify – All of these can work with or without MIIS, but good Identity Lifecycle Management is important, hence MIIS is recommended

11 ISA Server 2004 Internet Security and Acceleration Server
Resource Side Account Side VPN IPSec Firewall (ISA Server) Firewall (ISA Server) Partners, Virtual Employees, Customers Apart from fulfilling security and performance needs (firewall, gateway, cache etc.), ISA 2004 extends ESSO across private networks (VPN, IPSec) ISA is, effectively, an access control gateway in this scenario

12 Authorization Models on the Windows Platform
Windows ACL model COM+ roles .NET roles ASP.NET URL Authorization Role Based Authorization APIs (AzMan) on Windows 2003, 2000 AccessCheck() URL Authorization in IIS 6

13 Authorization Manager

14 Authorization Manager (AzMan)
Microsoft tool and service for managing Role-Based Access Control (RBAC) Strong developer-oriented API, so a number of partner solutions rely on it Ships with Windows Server 2003 R2

15 Authorization Manager
Role-Based Access Management Manage user access based on organizational role Integrated with Active Directory (both “normal” infrastructure AD and Application Mode, ADAM) Roles can be assigned based on business rules Abstracts access logic from the application Roles can change w/o modifying the application URL or application level access checks Access Management Console Delegation of role and policy management Scope and business policy definition Static role assignment

16 RBAC or RBRBAC? Role Based Access Control can be implemented using traditional methods, such as groups and ACLs Role is represented by membership in a group However, it seems easier to represent roles in terms of rules In fact, AzMan does that very well Should we call it Role Based Rule Based Access Control, or RBRBAC? :)

17 Intranet & Extranet Apps Using AzMan AuthzAPI & PolicyStore
ADAM Customer via Internet Employee via Internet AD Internal Employee FIREWALL AuthN AuthZ

18 RBAC Management Deployment Design XML Policy Store Role Policy Store
Storage in AD, ADAM, XML. Role: permissions needed to do a job. Task: work units that make sense to administrators. Operation: application action that the developer writes dedicated code for. Example policy store: roles Auditor, Acct Rep, Buyer, Change Approver; tasks/operations Approve, Deny Payment, Reject, Report, Submit, Cancel, Check Status; operation types Web Operation, Database Operation, Payment System Operation, Directory Operation

19 Role Assignments Role Definitions Web Ordering Application Buyer
Acct Rep Auditor Role Assignment Buyer: = Role Assignment Acct Rep: Group = Dept01Manager Role Assignment Auditor: (Group = TreyAuditor) && (Status = Active)
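The operation/task/role model of the design slide and the rule-based role assignments of the assignment slide, as an added Python model (not AzMan's own API, which is the AzRoles COM library, and not code from the presentation). The group names Dept01Manager and TreyAuditor are from the slide; the users, the task groupings and the static Buyer assignment (the Buyer rule is elided on the slide) are constructed for the example.

```python
"""AzMan-style RBAC: operations -> tasks -> roles, plus static and rule-based role
assignments evaluated at access-check time. Added example modelled on the design and
role-assignment slides; not AzMan's own API (that is the AzRoles COM library).
Group names Dept01Manager and TreyAuditor are from the slides; the users, the task
groupings and the Buyer assignment are constructed."""
from typing import Callable, Dict, FrozenSet, NamedTuple, Set


class Principal(NamedTuple):
    name: str
    groups: FrozenSet[str]
    status: str  # directory attribute that a business rule can test


# Operation: application action the developer writes dedicated code for.
# Task: work unit that makes sense to administrators, built from operations.
# Role: permissions needed to do a job, built from tasks.
TASKS: Dict[str, Set[str]] = {
    "Place Order": {"Submit", "Cancel", "Check Status"},
    "Approve Order": {"Approve", "Reject", "Deny Payment", "Check Status"},
    "Review Orders": {"Report", "Check Status"},
}
ROLES: Dict[str, Set[str]] = {
    "Buyer": {"Place Order"},
    "Acct Rep": {"Place Order", "Approve Order"},
    "Auditor": {"Review Orders"},
}

Rule = Callable[[Principal], bool]


def member_of(group: str) -> Rule:
    return lambda p: group in p.groups


def status_is(status: str) -> Rule:
    return lambda p: p.status == status


def all_of(*rules: Rule) -> Rule:
    return lambda p: all(rule(p) for rule in rules)


# Role assignments as on the slide: Acct Rep when Group = Dept01Manager;
# Auditor when (Group = TreyAuditor) && (Status = Active). The Buyer rule is
# elided on the slide, so a constructed static assignment stands in for it.
BUYER_USERS = {"bob"}
ROLE_ASSIGNMENTS: Dict[str, Rule] = {
    "Buyer": lambda p: p.name in BUYER_USERS,
    "Acct Rep": member_of("Dept01Manager"),
    "Auditor": all_of(member_of("TreyAuditor"), status_is("Active")),
}


def effective_roles(p: Principal) -> Set[str]:
    """Roles whose assignment rule holds for this principal right now."""
    return {role for role, rule in ROLE_ASSIGNMENTS.items() if rule(p)}


def permitted_operations(p: Principal) -> Set[str]:
    """Expand roles -> tasks -> operations; anything not reachable is denied."""
    ops: Set[str] = set()
    for role in effective_roles(p):
        for task in ROLES[role]:
            ops |= TASKS[task]
    return ops


def access_check(p: Principal, operation: str) -> bool:
    """The only call the application makes. It names an operation; which roles,
    tasks and rules grant it live in the policy store, so roles can change
    without modifying the application."""
    return operation in permitted_operations(p)


# Constructed sample principals.
BOB = Principal("bob", frozenset({"Dept01Staff"}), "Active")
DANA = Principal("dana", frozenset({"Dept01Manager"}), "Active")
EVE = Principal("eve", frozenset({"TreyAuditor"}), "Disabled")  # left, but still in the group
FAY = Principal("fay", frozenset({"TreyAuditor"}), "Active")

if __name__ == "__main__":
    for p in (BOB, DANA, EVE, FAY):
        print(p.name, sorted(effective_roles(p)), sorted(permitted_operations(p)))
```

The point to notice is EVE: she is still a member of TreyAuditor, but the rule also tests Status = Active, so a stale group membership grants nothing once lifecycle management has disabled the account. With plain group-based ACLs the group membership alone would have been enough.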

20 Authorization & Auditing
Diagram: web apps, 3rd-party LDAP directories and line-of-business systems (HR, LOB1 to LOB5) around the Infrastructure Directory (AD). The app performs role-based authorization via Authorization Manager. Audit collection via ACS (Audit Collection Services)

21 Authorization Manager (AzMan) GUI
Snap-in installed from Administrator Pack Works with XML, ADAM, & Active Directory stores Multiple Applications Application groups Store-level (global to applications in store ) Assign store-level groups to application roles Longhorn Improvements Better Rules Support UI Flexibility Perf/Query Optimizations

22 Active Directory Federation Services

23 ADFS. Why? Obviously, this is Web-SSO (Single Sign-On)
Less obviously, and much more importantly: a step towards the Identity Metasystem. Today, ADFS implements the WS-* security specifications (WS-Federation, WS-Trust, WS-Security) and is therefore interoperable with other implementations of them. Perhaps the most important IAM development of recent years

24 AD Federation Services Formerly code-named “TrustBridge”
Makes Active Directory available externally Single solution for Web SSO and Federated ID Ships with Windows Server 2003 R2 Built using the WS-* Standards WS-Federation WS-Trust WS-Security Key Scenarios B2C Web SSO Internal Federated Identity B2B Federated Identity

25 Active Directory Federation Services Scenario: Federated Identity
Account Side (business partners) and Resource Side, in a cross-organization namespace. Manages: Trust -- keys; Security -- claims required; Privacy -- claims allowed; Audit -- identities, authorities. Single Sign-on across security boundaries (internal & external). Support for browser-based clients (future support of smart clients). Interoperable through WS-* Standards. Credentials are managed at the “Account Side”

26 ADFS Architecture Active Directory (2K, 2K3, ADAM)
Active Directory (2K, 2K3, ADAM): authenticates users, manages attributes. Federation Service (FS) / STS (security token service): issues security tokens, populates claims (statements an authority makes about security principals), manages federation trust policy. FS Proxy (FS-P): client proxy for token requests, provides UI for browser clients. Web Server SSO Agent: enforces user authentication, creates user authorization context. Transports: Windows Authentication/LDAP, LPC/Web Methods, HTTPS. Application (authorization): NT impersonation and ACLs, ASP.NET IsInRole(), AzMan RBAC integration, ASP.NET raw claims API

27 Identity Federation in Action
A. Datum Account Forest Trey Research Resource Forest Federation Trust

28 WS-Federation Cross-organization, multi-vendor interoperability
Web Services Federation Language: defines messages to enable security realms to federate & exchange security tokens. Built upon WS-Security, WS-Trust. Wide industry support. Authors: BEA, IBM, Microsoft, RSA, VeriSign. Participants: OpenNetwork, Oblix, Netegrity, PingID. Two “profiles” of the model defined: Passive (web browser) clients – HTTP/S (now); Active (smart/rich) clients – SOAP (future). Diagram: Security Token Service with an HTTP receiver for HTTP messages and a SOAP receiver for SOAP messages
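The passive-profile exchange described on the federation, architecture and WS-Federation slides, as an added Python model of the two federation services (not ADFS code and not from the presentation). Real ADFS issues X.509-signed SAML tokens over HTTPS; here an HMAC over a JSON payload stands in for the signature so the example runs on the standard library alone. The realm names, URLs, the user "alice", the trust key and the claim policies are constructed for the example.

```python
"""WS-Federation passive-profile sign-in between an account side and a resource side,
modelled on the ADFS architecture and scenario slides. Added example, not ADFS code:
ADFS issues X.509-signed SAML tokens over HTTPS, and here an HMAC over a JSON payload
stands in for that signature so the example runs on the standard library alone.
Realm names, URLs, users, keys and policies are constructed."""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Federation trust ("Trust -- Keys"): the resource side holds one verification key
# per trusted issuer; the account side holds the matching signing key.
TRUST_KEY = b"constructed-key-for-the-adatum-trey-federation-trust"

# Account side (A. Datum): authenticates users, holds attributes, and decides which
# claims may leave for each partner realm ("Privacy -- Claims allowed").
ACCOUNT_SIDE = {
    "issuer": "urn:adatum:fs",
    "fs_url": "https://fs.adatum.example/adfs/ls/",
    "directory": {  # constructed stand-in for the account forest
        "alice": {"password": "alice-pw", "email": "alice@adatum.example",
                  "groups": ["Purchasing", "PayrollAdmins"]},
    },
    "claims_allowed": {  # per partner realm: claim types, and which group values may be sent
        "urn:trey:web-ordering": {"types": {"name", "email", "group"},
                                  "groups": {"Purchasing"}},
    },
    "token_lifetime": 600,
}

# Resource side (Trey Research): states what the application needs
# ("Security -- Claims required") and maps incoming group claims to local roles.
RESOURCE_SIDE = {
    "realm": "urn:trey:web-ordering",
    "fs_url": "https://fs.trey.example/adfs/ls/",
    "trusted_issuers": {"urn:adatum:fs": TRUST_KEY},
    "claims_required": {"name", "email", "group"},
    "group_to_role": {"Purchasing": "Buyer"},
}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def signin_redirect(app_path: str) -> str:
    """Resource FS, step 1: send the unauthenticated browser to the account FS."""
    params = {"wa": "wsignin1.0", "wtrealm": RESOURCE_SIDE["realm"],
              "wreply": RESOURCE_SIDE["fs_url"], "wctx": app_path}
    return ACCOUNT_SIDE["fs_url"] + "?" + urlencode(params)


def account_fs_sign_in(redirect_url: str, username: str, password: str, now=None) -> str:
    """Account FS, step 2: authenticate, populate claims, filter them by the partner's
    allowed-claims policy, sign. Returns the token the browser posts back as wresult."""
    query = parse_qs(urlparse(redirect_url).query)
    if query.get("wa") != ["wsignin1.0"]:
        raise ValueError("unsupported wa action")
    realm = query["wtrealm"][0]
    policy = ACCOUNT_SIDE["claims_allowed"].get(realm)
    if policy is None:
        raise ValueError("no federation trust for realm " + realm)
    user = ACCOUNT_SIDE["directory"].get(username)
    if user is None or not hmac.compare_digest(user["password"], password):
        raise PermissionError("authentication failed")  # a real FS does Windows auth here
    claims = [("name", username), ("email", user["email"])]
    claims += [("group", g) for g in user["groups"]]
    # Privacy: only claim types and group values the trust allows leave the organisation.
    outgoing = [(t, v) for t, v in claims
                if t in policy["types"] and (t != "group" or v in policy["groups"])]
    now = time.time() if now is None else now
    payload = {"iss": ACCOUNT_SIDE["issuer"], "aud": realm, "iat": now,
               "exp": now + ACCOUNT_SIDE["token_lifetime"], "claims": outgoing}
    body = b64url_encode(json.dumps(payload, sort_keys=True).encode())
    sig = b64url_encode(hmac.new(TRUST_KEY, body.encode(), hashlib.sha256).digest())
    return body + "." + sig


def resource_fs_accept(wresult: str, now=None) -> dict:
    """Resource FS, step 3: verify the signature with the issuer's trust key, check
    audience and lifetime, require the claims the application needs, and build the
    authorization context (user + local roles) that the web agent hands to the app."""
    try:
        body, sig = wresult.split(".")
        payload = json.loads(b64url_decode(body))
    except ValueError:
        raise ValueError("malformed token")
    if not isinstance(payload, dict):
        raise ValueError("malformed token")
    key = RESOURCE_SIDE["trusted_issuers"].get(payload.get("iss"))
    if key is None:
        raise ValueError("untrusted issuer")
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    if payload.get("aud") != RESOURCE_SIDE["realm"]:
        raise ValueError("token issued for another realm")
    now = time.time() if now is None else now
    if not payload["iat"] - 60 <= now < payload["exp"]:
        raise ValueError("token expired or not yet valid")
    claims = [tuple(c) for c in payload["claims"]]
    missing = RESOURCE_SIDE["claims_required"] - {t for t, _ in claims}
    if missing:
        raise ValueError("required claims missing: " + ", ".join(sorted(missing)))
    roles = sorted({RESOURCE_SIDE["group_to_role"][v] for t, v in claims
                    if t == "group" and v in RESOURCE_SIDE["group_to_role"]})
    name = next(v for t, v in claims if t == "name")
    return {"user": name, "roles": roles, "claims": claims}
```

Two things the model makes visible: the resource side never sees alice's password, only a signed statement from her own organisation, and the PayrollAdmins membership never leaves A. Datum because the outgoing claim policy for the Trey realm does not allow it. The order of checks on the resource side (signature, then audience, then lifetime, then required claims) is the one to keep; a token for a different realm or from an untrusted issuer must fail before any claim is used.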

29 Active Directory Federation Services Scenario: Enterprise Web Single Sign-on
Resource Side Customers Business Partners Single Sign-on to a Farm of Web Applications Support for browser-based (future smart client support) Access managed by IT via roles (RBAC) Uses AD in domain mode or application mode Credentials managed in AD at the resource side Employees

30 Benefits of ADFS Extends the value of your AD infrastructure
Step towards AD as a service for SOA Enables Web Single Sign-on B2B/B2C Commerce and Collaboration Interoperable with Existing Security Systems Based on WS-* specifications Supports multiple security token types (e.g. SAML, Kerberos, X.509) Improves Security Accounts are managed by the user's own organization Cross organizational trust management and auditing Lower partner/supplier adoption risks Standards based infrastructure Broad interoperability with other IdM Vendors

31 Identity Chaining and Referral?
Vision: If, and when, technologies such as ADFS become more widely used, perhaps with an Identity Metasystem emerging… …it may become possible for an organisation to rely on identity claims issued by another organisation… …thus removing need to create yet-another-authentication-system Examples A bank relying on another bank’s issued digital ID, because those banks trust each other Small and medium organisations with a web presence can rely on identities provided by a government or, perhaps, another respected public body

32 InfoCard Microsoft project for introducing a Windows-based common user interface, developer API and subsystem for handling multiple digital identities. Part of the Identity Metasystem vision. Planned for the Windows Vista/Longhorn Server timeframe; part of WinFX. Goal: make it easy for the user to engage in identity authentication. Benefit: less end-user confusion about whom they are authenticating to, which makes phishing harder

33 Summary

34 IAM in Windows Server 2003 R2 Company A Company B Identity Management
Identity Management: extend value of Active Directory deployments to facilitate secure collaboration with partners. Application Platform: extend value of Windows Server identity services in internet-facing web environments. Company A / Company B scenario: SSO to partner apps; centralized, policy-based access control to partner apps; secure tokens replace passwords “in the clear”; interoperability with heterogeneous systems via WS-*; extranet authentication & SSO; delegated user admin to trusted partners; RBAC with AzMan for extranet authorization; AD Application Mode (LDAP); federated SharePoint, AD, IIS

35 Summary Achieving Single Sign-On requires a number of specialised technologies, some older (Kerberos, RAS, ISA…) and some newer, like ADFS and AzMan. The way to the future lies in building standards-based Identity Metasystems, outside and across enterprise boundaries. Access Management becomes easier if integrated with Identity Lifecycle Management

36 Special Thanks This seminar was prepared with the help of:
Oxford Computer Group Ltd Expertise in Identity and Access Management (Microsoft Partner) IT Service Delivery and Training Microsoft, with special thanks to: Daniel Meyer – thanks for many slides Steven Adler, Ronny Bjones, Olga Londer – planning and reviewing Philippe Lemmens, Detlef Eckert – Sponsorship Bas Paumen & NGN - feedback

