
Identity Management for Mid-Market Customers


1 Identity Management for Mid-Market Customers
Dave Sayers, Technology Specialist

2 Agenda
What do we consider the mid-market?
What is Identity Management?
Typical types of system
The building blocks of an identity management solution: Active Directory, AD/AM, MIIS/IIFP
When a mid-market customer needs to think about Identity Management
Real world

3 Microsoft Customer Segmentation
Segment          Sub-segment                     # PCs      # Employees
Small Business   Lower Small Business (LSB)      < 5        < 10
Small Business   Core Small Business (CSB)       5 - 24     10 - 49
Mid-Market       Lower Mid-Market (LMM)          24 - 49    50 - 99
Mid-Market       Core Mid-Market (CMM)
Mid-Market       Upper Mid-Market (UMM)
Enterprise       Corporate Accounts (CAS)        > 500      > 1000
Enterprise       Global, Major & Strategic       > 2500     > 5000
Sources: AMI data, Microsoft Internal

4 Medium Sized Businesses Today
Typically:
  1-2 IT managers who are depended on to keep all aspects of the business running
  Technology demands often as sophisticated as a very large business, but limited IT budgets
  Upgrade project looks complex and they are busy
  Consolidation is often not a valid motivator (not enough servers)

5 Identity Management
Users are represented in multiple locations within an organisation: directories, databases, proprietary apps.
Identity information is fragmented
No recognised ‘master directory’
Systems were not designed to work together
Systems and data owned by different political units
Tremendous information redundancy = management complexity and inconsistent data
Often managed ‘manually’, e.g. by Help Desks

6 Identity Lifecycle Management
Password Management: strong passwords; “lost” password; password reset
New User: user ID creation; credential issuance; access rights
Retire User: delete/freeze accounts; delete/freeze entitlements
Account Changes: promotions; transfers; new privileges; attribute changes

7 Identity & Access Management (IAM)
Identity & Access Management (IAM): providing the right people with the right access at the right time
Diagram quadrants: Who am I; What can I do; Identity store; Administration

8 Identity & Access Management (IAM)
Identity & Access Management (IAM): providing the right people with the right access at the right time
Diagram quadrants (the same four as the previous slide, now labelled by component): Authentication; Authorisation; Directory; User / Resource Admin

9 IAM Components: Who am I? (Authentication)
What is Authentication? Authentication is about proving you are who you say you are, to enable business transactions.
Authentication examples: user names and passwords; PIN numbers; digital certificates (PKI); tokens (SecurID); biometrics (hand scans, retinal scans)
Microsoft / Partner products: Kerberos V5; Microsoft Passport; Microsoft Credential Manager

10 IAM Components: What can I do (Authorisation)
What is Authorisation? Now that you have said who you are, what application functionality do you have access to?
What does Authorisation provide:
  The ability to grant access to applications and data based on “roles”
  An infrastructure to enable authentication into multiple applications
  Single sign-on to web applications
  Reduced operating costs associated with user access control
Microsoft / Partner products: Authorization Manager (included in the Server 2003 package); Oblix NetPoint; OpenNetwork DirectorySmart

11 IAM Components: Administration (User / Resource Admin)
What is User Management? Provisioning the tools and applications that enable you to perform your job role
What does User Management provide:
  Automated handling of joiners, giving them access to the applications they need to do their job (provisioning)
  Automated removal of ‘leavers’ from multiple systems (de-provisioning)
  Self-service and delegated management functionality
Microsoft / Partner products: Microsoft Identity Integration Server; Microsoft BizTalk Server; Oblix NetPoint; OpenNetwork DirectorySmart

12 IAM Components: Identity Store (Directory)
What is a Directory? A directory serves as a repository for user information.
What does a Directory provide:
  Central, secure and resilient repository for user identities
  Able to deliver fast response times to hundreds of queries per second
  Integration to major applications
Key Microsoft / Partner products: Microsoft Active Directory; Microsoft Identity Integration Server; Microsoft ADAM (Application Directory)

13 Microsoft Identity Management
Active Directory: scalable directory services; foundation for identity & access management; flexible authentication infrastructure
Microsoft Identity Integration Server: directory integration and synchronization; provisioning, deprovisioning, management; password management
Specific technology solutions: Host Integration Server; Services for Unix; Services for NetWare; BizTalk (Workflow & EntSSO)
Technology partners: extending Active Directory; enterprise and web single sign-on; comprehensive application access management

14 Typical Types of System
HR
NOS
Phone system
Expenses system
CRM

15 The Active Directory Dream
Diagram labels: Centralized management; Portal application; HR/ERP application; LDAP, Kerberos; Generic app using single sign-on; Automated provisioning; Whitepages/GAL; Policy-based admin, single sign-on, for Windows-based resources; “Enterprise directory” + “NOS directory”
Repository of consolidated information
Centralized management, provisioning
Single sign-on
Data re-used by many applications

16 Where We Are Today
Diagram labels: (Non-existent) centralized management; Portal application (LDAP); eDirectory; Ad-hoc sync; HR/ERP app; Generic LDAP-based app; Database; ADAM; Generic dump; Whitepages (LDAP); iPlanet; Policy & SSO for Windows; Outlook/Exchange (MAPI); Active Directory
Directories deployed per-app; little re-use
Provisioning, sync are ad-hoc

17 Getting to a Single Directory
Very difficult:
  Existing application requirements
  Scope of application (local vs. global)
  Schema requirements
  Control of application/identity information
  How to deal with multiple account stores
Infrastructure Directory: global
Application Directories: local to application
Metadirectory: integration / business process

18 Active Directory Application Mode
ADAM architecture diagram: NOS Active Directory runs inside LSASS (LDAP, MAPI, REPL, KDC, Lanman, DSA, SAM) with dependencies on DNS and FRS; Active Directory Application Mode runs as the ADAM process (LDAP, REPL, DSA), i.e. traditional AD minus infrastructure management
Same code as Active Directory, just a new mode
Programming model and admin tools virtually identical to NOS AD; familiarity means skill sets are easily transferable

19 Availability & Components
Directory Core: contains the DSA, LDAP and Replication layers; runs as its own process/service
Setup: copies binaries, installs & starts the service
Tools: familiar AD tools to manage ADAM installations
Documentation: Programmers Reference in the Platform SDK

20 New Capabilities
Simple install and setup: no DCPROMO; wizard with defaults, just “Next” through
Does not turn the machine into a DC
Restart or reinstall without reboot
Multiple instances on a single machine, each instance with its own schema
X.500-style O=, C= naming

21 ADAM Usage Scenarios
Example: web portal with personalization
Diagram: Client -> Web portal (Server) -> ADAM (store/retrieve data); Active Directory (Infrastructure) provides authentication
Store personalization info in ADAM
Use AD for authentication

22 ADAM Usage Scenarios
Diagram: User (right) and “shadow” (left); Client -> Web portal (Server) stores/retrieves data in AD/AM; data specific to the portal app lives in AD/AM, data shared by multiple apps lives in the Infrastructure Directory
Store app data without extending the infrastructure directory
App data keyed off an identifier from the infrastructure directory

23 ADAM

24 Where MIIS fits in
Diagram labels: Centralized identity management; MIIS 2003; Infrastructure Directory (Active Directory); 3rd-party DS; DS-enabled app; App DS; ADAM; HR/ERP app; Database; Integration Services (access, sync)

25 What is a Metadirectory?
Service that collects information from different data sources
Combines all or part of that information into an integrated view
Applies rules as to how information is managed: which source is authoritative; how attributes flow
Diagram (attribute values not legible): AD record with Name: Dave Sayers, Employee ID, Telephone No.; a second record with Name: dsayers, Employee ID; a third record with Name: Dave Sayers, Employee ID, Telephone No.

26 MIIS 2003 Architecture
MIIS runs as a service
Management Agents (MA) connect to systems
Metadirectory data stored in SQL
Admin client connects to the service via DCOM
Diagram: MIIS Admin Client -(DCOM)-> MIIS Service, which holds the MIIS Store and an MA Controller driving an iPlanet MA, an AD MA and an Oracle MA, connected to iPlanet, AD/E2K and Oracle respectively

27 MIIS - Concepts
Diagram: Connected Directories (AD, Oracle, SQL, Exchange 5.5) -> Connector Space -> Metaverse (User)
Connected Directory (CD): source and/or destination for synchronised attributes
Connector Space (CS): staging area for inbound or outbound synchronised attributes
Metaverse (MV): central (SQL) store of identity information
Matching CS entries to a single MV entry is called a “join”
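To make the join and attribute-flow ideas of slides 25 to 27 concrete, here is an added Python model. It is not MIIS code and not from the presenter: three constructed connected-directory exports (HR, AD and a phone system; all names, IDs and numbers are made up, with “Dave Sayers” borrowed from the slide's own diagram) are staged into connector spaces, joined into a metaverse on employeeID, and each metaverse attribute is filled from the first source in a precedence list. The rule that only HR may create a new metaverse entry is an assumption chosen for the example, as is the export flow back to AD.

```python
"""Toy metadirectory: connected directories (CD) -> connector spaces (CS) ->
metaverse (MV), with a join on employeeID and per-attribute precedence.
Added example; not MIIS code. All records are constructed sample data."""

# Constructed exports from three connected directories. HR is authoritative
# for name and department, the phone system for telephone, AD for logon name.
CONNECTED_DIRECTORIES = {
    "HR": [
        {"employeeID": "1001", "displayName": "Dave Sayers", "department": "Sales"},
        {"employeeID": "1002", "displayName": "Ann Example", "department": "IT"},
    ],
    "AD": [
        {"employeeID": "1001", "sAMAccountName": "dsayers", "displayName": "D. Sayers"},
        {"employeeID": "1003", "sAMAccountName": "orphan"},  # no HR record exists
    ],
    "Phone": [
        {"employeeID": "1001", "telephoneNumber": "+44 118 555 0100"},
    ],
}

JOIN_ATTRIBUTE = "employeeID"

# Which CD may create ("project") a brand-new MV entry; every other CD may
# only join an entry that already exists. Assumed rule for this example.
PROJECTING_SOURCES = {"HR"}

# Import attribute flow precedence: first listed source that has a value wins.
IMPORT_PRECEDENCE = {
    "displayName": ["HR", "AD"],
    "department": ["HR"],
    "telephoneNumber": ["Phone"],
    "sAMAccountName": ["AD"],
}

# Export attribute flow: which MV attributes are pushed back out to which CD.
EXPORT_FLOW = {"AD": ["displayName", "telephoneNumber"]}


def stage_connector_space(cd_name, records):
    """Stage one CD export into its connector space: a copy of each record,
    tagged with its source and not yet joined to any MV entry."""
    return [{"source": cd_name, "attrs": dict(r), "joined_to": None} for r in records]


def synchronise(connected):
    """Inbound sync. Returns (metaverse, connector_space_entries, unjoined_entries)."""
    cs_entries = []
    for name, records in connected.items():
        cs_entries.extend(stage_connector_space(name, records))

    # Join phase: process projecting sources first so their MV entries exist
    # before the non-authoritative sources try to join them.
    metaverse = {}
    ordered = sorted(cs_entries, key=lambda e: e["source"] not in PROJECTING_SOURCES)
    for entry in ordered:
        key = entry["attrs"].get(JOIN_ATTRIBUTE)
        if key is None:
            continue
        if key not in metaverse and entry["source"] in PROJECTING_SOURCES:
            metaverse[key] = {JOIN_ATTRIBUTE: key}
        if key in metaverse:
            entry["joined_to"] = key

    # Attribute flow phase: fill each MV attribute from the first source in
    # its precedence list that is joined to the entry and carries a value.
    for key, mv in metaverse.items():
        contributors = {e["source"]: e["attrs"] for e in cs_entries if e["joined_to"] == key}
        for attr, sources in IMPORT_PRECEDENCE.items():
            for src in sources:
                if src in contributors and attr in contributors[src]:
                    mv[attr] = contributors[src][attr]
                    break

    unjoined = [e for e in cs_entries if e["joined_to"] is None]
    return metaverse, cs_entries, unjoined


def pending_exports(cd_name, metaverse, connected):
    """Outbound flow: for each CD record joined to an MV entry, the attribute
    values the CD would receive because they differ from what it holds."""
    by_key = {r[JOIN_ATTRIBUTE]: r for r in connected[cd_name] if JOIN_ATTRIBUTE in r}
    changes = {}
    for key, mv in metaverse.items():
        if key in by_key:
            diff = {a: mv[a] for a in EXPORT_FLOW.get(cd_name, [])
                    if a in mv and by_key[key].get(a) != mv[a]}
            if diff:
                changes[key] = diff
    return changes


if __name__ == "__main__":
    mv, cs, orphans = synchronise(CONNECTED_DIRECTORIES)
    for key, entry in sorted(mv.items()):
        print(key, entry)
    print("unjoined:", [(o["source"], o["attrs"]) for o in orphans])
    print("to AD:", pending_exports("AD", mv, CONNECTED_DIRECTORIES))
```

Running it shows the metaverse entry for 1001 assembled from all three sources, the AD account “orphan” left unjoined because no authoritative HR record exists for it (MIIS calls such connector-space entries disconnectors), and the two attributes AD would receive on export. Leaving orphaned accounts unjoined rather than letting them create identities is the point of the precedence rule: the sync surfaces them for review instead of legitimising them.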

28 Key concepts for MIIS
Provisioning/Deprovisioning:
  Making a user productive immediately
  Role changes, planned/urgent terminations
  Grant and ensure appropriate access
  Minimize costs
  Increase security through strong defaults
Synchronisation: attribute flow; password management

29 Key Scenarios
Hire/Fire: for multiple-site and/or high staff turnover customers
Integration
Mergers and Acquisitions

30 GAL – The issue
Diagram: Forest 1 (Exchange) and Forest 3 (Exchange), each with an Exchange Server/GC and Outlook clients; Forest 2 (no Exchange) with an Outlook client; msExchMasterAccountSID; a “?” between the forests
Global Address List is per Exchange Org, per forest

31 Identity Integration Feature Pack
Version of MIIS which contains: GALSync MA; Active Directory MA; ADAM MA
Users are represented as contacts
Distribution and Security Groups are represented as contacts
Contacts are represented as contacts
GAL Sync ADMA is a preconfigured Active Directory Management Agent released with MIIS 2003
Uses the LDAP DIRSYNC control
Handles renames and moves of objects
Detects and uses the AD forest schema

32 GAL Sync Deployment
Step 1: Gathering data. Determine source and target forest information
Step 2: Setup GAL Sync ADMA. Set up one GAL Sync AD Management Agent per Exchange forest with source and target forest information
Step 3: Verify configuration. Type of objects, rules, run profiles
Step 4: Run Sync

33 GAL Sync - Syncing Users
Diagram: Forest 1 (Exchange) and Forest 3 (Exchange), each with an Exchange Server/GC and Outlook clients; Forest 2 (no Exchange) with an Outlook client

34 GAL Sync - Syncing Users
Same diagram, with an IIFP Server added
Set up an IIFP server

35 GAL Sync - Syncing Users
IIFP will get object information for every user in a forest

36 GAL Sync - Syncing Users
For users in a forest, IIFP will create contacts in other forests

37 GAL Sync - Syncing Users
Exchange will populate the Address List(s) with the contacts

38 GAL Sync
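The contact-provisioning flow of slides 31 to 37, as an added Python model that is not IIFP/MIIS code and not from the presenter: three constructed forests export their mail-enabled users, groups and contacts, every such object becomes a contact in each other Exchange forest, and contacts are keyed by an immutable anchor (modelled on objectGUID) so that a rename in the source forest updates the existing contact rather than creating a duplicate, which is the “handles renames and moves” property slide 31 claims for the GAL Sync MA. The forest names, objects and addresses are invented; the DIRSYNC change tracking the real MA uses is not modelled, so each cycle recomputes the full desired set.

```python
"""Toy model of GAL synchronisation across forests. Added example, not
IIFP/MIIS code. Each forest exports its mail-enabled users, groups and
contacts; the sync wants one contact per such object in every *other*
Exchange forest, keyed by an immutable anchor so renames do not duplicate.
All forest data below is constructed."""

# Constructed exports. "exchange" says whether the forest hosts an Exchange
# org and therefore has a GAL that needs foreign contacts.
FORESTS = {
    "forest1.example": {"exchange": True, "objects": [
        {"guid": "g1", "class": "user", "cn": "Dave Sayers", "mail": "dsayers@forest1.example"},
        {"guid": "g2", "class": "group", "cn": "Sales Team", "mail": "sales@forest1.example"},
        {"guid": "g5", "class": "user", "cn": "Service Account", "mail": None},  # not mail-enabled
    ]},
    "forest2.example": {"exchange": False, "objects": [
        {"guid": "g3", "class": "user", "cn": "Ann Example", "mail": "ann@forest2.example"},
    ]},
    "forest3.example": {"exchange": True, "objects": [
        {"guid": "g4", "class": "contact", "cn": "External Vendor", "mail": "vendor@partner.example"},
    ]},
}


def desired_contacts(forests):
    """For each Exchange forest, the contacts it should hold: one per
    mail-enabled object in every other forest, keyed by (source, anchor).
    Users, groups and contacts all become contacts in the target."""
    wanted = {}
    for target, tdata in forests.items():
        if not tdata["exchange"]:
            continue  # no Exchange org, so no GAL to populate
        wanted[target] = {}
        for source, sdata in forests.items():
            if source == target:
                continue
            for obj in sdata["objects"]:
                if not obj.get("mail"):
                    continue  # objects without a mail attribute are not GAL material
                wanted[target][(source, obj["guid"])] = {
                    "cn": obj["cn"], "mail": obj["mail"], "sourceClass": obj["class"]}
    return wanted


def plan_changes(current, wanted):
    """Diff the contacts a target forest holds against the desired set.
    Because the key is the anchor, a renamed source object shows up as an
    update of its existing contact, not as a delete plus an add."""
    plan = {"add": [], "update": [], "delete": []}
    for anchor, attrs in wanted.items():
        if anchor not in current:
            plan["add"].append(anchor)
        elif current[anchor] != attrs:
            plan["update"].append(anchor)
    plan["delete"] = [a for a in current if a not in wanted]
    return plan


def run_cycle(forests, state):
    """One full sync cycle. `state` maps target forest -> contacts currently
    provisioned there and is updated in place. Returns the plan per forest."""
    plans = {}
    for target, contacts in desired_contacts(forests).items():
        current = state.setdefault(target, {})
        plans[target] = plan_changes(current, contacts)
        state[target] = contacts  # apply the plan
    return plans


if __name__ == "__main__":
    state = {}
    print("initial:", run_cycle(FORESTS, state))
    FORESTS["forest1.example"]["objects"][0]["cn"] = "David Sayers"  # a rename in forest 1
    print("after rename:", run_cycle(FORESTS, state))
```

The first cycle adds two contacts to forest 1 and three to forest 3, and nothing to forest 2, which has no Exchange org; renaming Dave Sayers in forest 1 then produces a single update in forest 3 rather than a delete and an add, because the anchor rather than the name identifies the contact. When checking a real deployment, that is the behaviour to verify after the step-4 run: a rename or OU move should never leave a duplicate contact behind.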

39 Beyond GALsync
IIFP will support AD to AD as well as AD to ADAM sync
Useful for integrating printing between the two forests:
  Use IIFP to synchronise sites, subnets and printers
  Allow the use of printer location tracking
  Meets the requirement of making it easy for roaming users to print in other offices
But sometimes it’s just not enough…

40 MIIS Deployment and Management
Easy to deploy: no agents to deploy on connected systems; MIIS can stand alone or share clustered SQL; migrate configuration from test to production via XML files
Easy to extend an existing deployment: the system is designed so that it’s easy to incrementally add capabilities; easily add more systems or expand business rules
Easy to troubleshoot and manage: Preview Mode; Data Lineage; all error information stored in the database; MOM Management Pack available for download

41 SSO/Access Management
SSO can be straightforward across Windows estates (Exchange, trust relationships); 3rd parties offer additional capabilities
Access Management: ACLs; RBAC
Access Management can be challenging in merger/acquisition scenarios: Selective Authentication

42 Selective Authentication

43 Putting it all together
Active Directory acts as NOS and ‘network identity’
ADAM can be used for additional information or as another identity store
IIFP can join these two together
Start to incorporate additional systems using MIIS
Single sign-on enabled through 3rd party products
ADFS?

44 MIIS Projects
Common objections: cost; complexity of the project; self-service AD requirement; no LDAP head; does not support real-time updates; Connected Directory reach
Customer stories

45 Putting it all together – a full Identity Management Solution

46 Summary/Call to Action
Identity Management is relevant to almost all customers
Although in certain scenarios for mid-market customers
Microsoft provides the core building blocks for building an identity management solution
Examine the capability to use these solutions in your business
If an acquisitive customer, have a process to use IIFP for a consolidated GAL

47 Resources
Technical Chats and Webcasts
Microsoft Learning and Certification
MSDN & TechNet Virtual Labs
Newsgroups: communities/newsgroups/en-us/default.aspx
Technical Community Sites
User Groups


51 © 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

