Access Management
Rafal Lukawiecki
Strategic Consultant, Project Botticelli Ltd
[email protected]
www.projectbotticelli.co.uk
Copyright 2006 © Microsoft Corp & Project Botticelli Ltd. E&OE. For informational purposes only. No warranties of any kind are made and you have to verify all information before relying on it. You can re-use this presentation as long as you read, agree, and follow the guidelines described in the “Comments” field in File/Properties. This presentation is based on work of many authors from Microsoft, Oxford Computer Group and other companies. Please see the “Introductions” presentation for acknowledgments.
Objectives
Discuss the challenge of coordinating access management in heterogeneous systems
Suggest several options for building Single Sign-On solutions
Overview the issue of extending corporate access management to the outside world
Session Agenda
Enterprise Single Sign-On
Windows
UNIX/Linux
Partner Solutions
Authorization Manager
Active Directory Federation Services
Microsoft’s Identity Management
(Diagram: Microsoft’s identity management components grouped under three pillars: Directory (Store) Services, Access Management, and Identity Lifecycle Management)
Components shown: PKI / CA; Extended Directory Services; Active Directory & ADAM; Enterprise Single Sign On; Authorization Manager; Active Directory Federation Services; Audit Collection Services; BizTalk; Identity Integration Server; ISA Server; SQL Server Reporting; Services for Unix / Services for Netware
Enterprise Single Sign-On
Enterprise Single Sign-On (ESSO)
Single Sign-On:
Ability of a user to be given access to multiple resources after a single authentication operation, i.e.
All further authorizations ought to happen “in the background” without requiring any further input from the user
ESSO
Generally easier to implement than Web-SSO, as access to a centralised metadirectory may be possible (MIIS)
Kerberos v5
Standards-based mechanism for providing distributed ESSO
Used by Windows, UNIX and some Linux
Well-tested and resilient design
Most often, perfectly sufficient and the best choice
Why do we need anything else, then?
1. Not everyone wants to use it, e.g. some mainframe host systems, specialised apps etc.
2. Disconnected, or incompatible domain forests or credential realms do not work without a Kerberos-to-Kerberos integration solution, e.g. Windows Kerberos to UNIX Kerberos
Windows Server Authorization: Standards-Based
(Diagram: Active Directory at the centre, serving Multi-Factor, User/Password, Wireless and Internet/Remote access)
Standards-based: Kerberos; X509; LDAP Bind; PEAP (network); 802.1x (network); RADIUS (network)
Integrated PKI: Multi-Factor authentication; Auto-enrollment/renewal
Single Sign-on: Kerberos Applications; Windows Integrated Apps
Role-Based Access Control: Authorization Manager
Single Sign-on
(Diagram: Active Directory with integrated Kerberos KDC; after logon to Windows the user presents Kerberos tickets to Exchange, Web Applications, File Servers, Windows Integrated Applications and Unix / Linux hosts running Oracle, SAP, etc.)
Logon to Windows
Single Sign-on to: Windows File servers; Exchange email; SQL Server; 3rd Party Integrated Apps (see above); Unix / Linux OS & Integrated Apps
Kerberos: Native AuthN protocol for Windows; MIT v5 compliant; carries authorization info in the PAC; the Windows PAC is open
Unix services that use Kerberos: login, rlogin, telnet, ftp; also Apache (native), J2EE possibilities. Example partner solutions: Vintela, Centrify
UNIX/Linux
Services for UNIX included and improved in Windows Server 2003 R2
Will deal with most standard UNIX ways of managing logins/passwords such as NIS
Does not deal with 3rd-party directory services for UNIX
For more complex needs, use:
Vintela (Quest) – www.vintela.com
Centrify – www.centrify.com
All of these can work with or without MIIS, but good Identity Lifecycle Management is important, hence MIIS is recommended
ISA Server 2004: Internet Security and Acceleration Server
(Diagram: Resource Side and Account Side, each behind a Firewall (ISA Server), connected by VPN and IPSec; Partners, Virtual Employees and Customers connect from outside)
Apart from fulfilling security and performance needs (firewall, gateway, cache etc.), ISA 2004 extends ESSO across private networks (VPN, IPSec)
ISA is, effectively, an access control gateway in this scenario
Authorization Models on the Windows Platform
Windows ACL model
COM+ roles
.NET roles
ASP.NET URL Authorization
Role Based Authorization APIs (AzMan) on Windows 2003, 2000
AccessCheck()
URL Authorization in IIS 6
Authorization Manager
Authorization Manager (AzMan)
Microsoft tool and service for managing Role-Based Access Control (RBAC)
Strong developer-oriented API, so a number of partner solutions rely on it
Ships with Windows Server 2003 R2
Authorization Manager
Role-Based Access Management
Manage user access based on organizational role
Integrated with Active Directory (both “normal” infrastructure AD and Application Mode, ADAM)
Roles can be assigned based on business rules
Abstracts access logic from the application
Roles can change w/o modifying the application
URL or application level access checks
Access Management Console
Delegation of role and policy management
Scope and business policy definition
Static role assignment
RBAC or RBRBAC?
Role Based Access Control can be implemented using traditional methods, such as groups and ACLs
Role is represented by membership in a group
However, it seems easier to represent roles in terms of rules
In fact, AzMan does that very well
Should we call it Role Based Rule Based Access Control, or RBRBAC? :)
Intranet & Extranet Apps Using AzMan AuthzAPI & PolicyStore
(Diagram: an Internal Employee authenticates (AuthN) against AD; a Customer via Internet and an Employee via Internet pass through the Firewall and authenticate against ADAM; in both cases authorization (AuthZ) is performed by AzMan)
RBAC Management
Policy Store: storage in AD, ADAM, XML
Role: permissions needed to do a job
Task: work units that make sense to administrators
Operation: application action that a developer writes dedicated code for
(Diagram, from Design to Deployment: Operations (Database Operation, Web Operation, Directory Operation, Payment System Operation) are grouped into Tasks (Approve/Deny Payment, Approve/Reject Report, Submit Report, Cancel Report, Check Status), which are granted to Roles (Auditor, Acct Rep, Buyer, Change Approver); the policy lives in an XML Policy Store)
Role Assignments
Role Definitions for the Web Ordering Application: Buyer, Auditor, Acct Rep
Role Assignment – Buyer: email = *@ADatum.com
Role Assignment – Acct Rep: Group = Dept01Manager
Role Assignment – Auditor: (Group = TreyAuditor) && (Status = Active)
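The policy model on the RBAC Management and Role Assignments slides (operations grouped into tasks, tasks granted to roles, roles assigned by rules) worked through as an added Python illustration. This is not AzMan’s own API, which is a COM/.NET interface; the operation names and the user records are constructed, while the role assignment rules are the ones on the slide.

```python
"""Model of an AzMan-style policy store: operations -> tasks -> roles, with
rule-based role assignment and an AccessCheck-style decision. Added example;
AzMan itself is a COM/.NET API and this is not its real interface."""
from __future__ import annotations
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Callable

# A role assignment rule is a predicate over the user's attributes (constructed shape).
Rule = Callable[[dict], bool]


@dataclass
class PolicyStore:
    tasks: dict[str, set[str]] = field(default_factory=dict)          # task -> operations
    roles: dict[str, set[str]] = field(default_factory=dict)          # role -> tasks
    assignments: dict[str, list[Rule]] = field(default_factory=dict)  # role -> rules

    def define_task(self, task: str, *operations: str) -> None:
        self.tasks[task] = set(operations)

    def define_role(self, role: str, *tasks: str) -> None:
        self.roles[role] = set(tasks)

    def assign_role(self, role: str, rule: Rule) -> None:
        self.assignments.setdefault(role, []).append(rule)

    def roles_for(self, user: dict) -> set[str]:
        """Rule-based role resolution: a role is held if any of its rules matches the user."""
        return {r for r, rules in self.assignments.items() if any(rule(user) for rule in rules)}

    def access_check(self, user: dict, operation: str) -> bool:
        """Is the operation reachable through some task of some role the user holds?"""
        for role in self.roles_for(user):
            for task in self.roles.get(role, ()):
                if operation in self.tasks.get(task, ()):
                    return True
        return False


def web_ordering_store() -> PolicyStore:
    """The Web Ordering Application from the slides (operation names are constructed)."""
    s = PolicyStore()
    s.define_task("Approve/Deny Payment", "PaymentSystem.Approve", "PaymentSystem.Deny", "Database.Write")
    s.define_task("Approve/Reject Report", "Database.Write", "Web.Render")
    s.define_task("Submit Report", "Database.Write", "Web.Render")
    s.define_task("Cancel Report", "Database.Write")
    s.define_task("Check Status", "Database.Read", "Web.Render")
    s.define_role("Buyer", "Submit Report", "Cancel Report", "Check Status")
    s.define_role("Acct Rep", "Approve/Deny Payment", "Check Status")
    s.define_role("Auditor", "Check Status")
    s.define_role("Change Approver", "Approve/Reject Report")  # defined but not assigned on the slide
    # Role assignment rules exactly as on the slide.
    s.assign_role("Buyer", lambda u: fnmatch(u.get("email", ""), "*@ADatum.com"))
    s.assign_role("Acct Rep", lambda u: "Dept01Manager" in u.get("groups", ()))
    s.assign_role("Auditor", lambda u: "TreyAuditor" in u.get("groups", ()) and u.get("status") == "Active")
    return s
```

Note that the Auditor rule denies a disabled account even though it is still in the TreyAuditor group, which is the kind of condition a plain group-membership ACL cannot express.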
Authorization & Auditing
(Diagram: a Web app and line-of-business applications LOB1–LOB5 and HR, backed by the Infrastructure Directory (AD) and 3rd party LDAP directories, with Authorization Manager and Audit collection (ACS))
1. App performs role-based authorization via Authorization Manager
2. Audit collection via ACS
Authorization Manager (AzMan) GUI
Snap-in installed from Administrator Pack
Works with XML, ADAM, & Active Directory stores
Multiple Applications
Application groups
Store-level (global to applications in store)
Assign store-level groups to application roles
Longhorn Improvements
Better Rules Support
UI Flexibility
Perf/Query Optimizations
Active Directory Federation Services
ADFS. Why?
Obviously, this is Web-SSO (Single Sign-On)
Less obviously, much more importantly:
Step towards Identity Metasystem
Today, ADFS makes your system compliant with WS-* Security Guidelines, and, as such, interoperable with almost anything else!
Perhaps the most important IAM development of recent years
AD Federation Services, formerly code-named “TrustBridge”
Makes Active Directory available externally
Single solution for Web SSO and Federated ID
Ships with Windows Server 2003 R2
Built using the WS-* Standards
WS-Federation
WS-Trust
WS-Security
Key Scenarios
B2C Web SSO
Internal Federated Identity
B2B Federated Identity
Active Directory Federation Services, Scenario: Federated Identity
Single Sign-on across security boundaries (internal & external)
Support for browser-based clients (future support of smart clients)
Interoperable through WS-* Standards
Credentials are managed at the “Account Side”
(Diagram: Business Partners on the Account Side, the Resource Side on the other; the Cross Organization Namespace manages: Trust -- Keys; Security -- Claims required; Privacy -- Claims allowed; Audit -- Identities, authorities)
ADFS Architecture
Active Directory (2K, 2K3, ADAM)
Authenticates users
Manages attributes
Federation Service (FS)
STS (security token service)
Issues security tokens
Populates claims
Statements an authority makes about security principals
Manages federation trust policy
FS Proxy (FS-P)
Client proxy for token requests
Provides UI for browser clients
Web Server SSO Agent
Enforces user authentication
Creates user authorization context
(Diagram, shown for both the account and the resource organisation: the browser talks HTTPS to the FS-P and to the Web Server; the FS-P reaches the FS over LPC/Web Methods; the FS reaches AD or ADAM using Windows Authentication/LDAP; the SSO Agent on the Web Server hands the context to the Application)
Application (authorization)
NT Impersonation and ACLs
ASP.NET IsInRole()
AzMan RBAC integration
ASP.NET Raw Claims API
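The division of labour in the Federated Identity scenario and the ADFS Architecture slides (account-side STS issues claims; resource side applies trust policy for keys, claims required, claims allowed and audit before the SSO agent builds an authorization context) as an added Python model. It is not ADFS or WS-Federation code: the JSON-plus-HMAC token, the shared trust key, the in-memory directory and the realm names are constructed stand-ins for signed SAML tokens and X.509 trust.

```python
"""Simplified federated-identity exchange: account-side STS issues a claims
token, resource-side FS validates it against federation trust policy.
Added example; real ADFS exchanges WS-Federation/SAML tokens signed with
X.509 keys, not the JSON + HMAC stand-in constructed here."""
import hashlib
import hmac
import json
import time
from dataclasses import dataclass


def _sign(key: bytes, payload: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class AccountSideSTS:
    """Account side: owns credentials (AD) and issues tokens carrying claims (FS/STS)."""

    def __init__(self, realm: str, signing_key: bytes, directory: dict):
        self.realm, self.key, self.directory = realm, signing_key, directory

    def issue_token(self, username: str, password: str, audience: str, now: int = None):
        user = self.directory.get(username)
        if user is None or user["password"] != password:   # constructed directory, not LDAP
            return None
        payload = json.dumps({"issuer": self.realm, "audience": audience,
                              "issued": now or int(time.time()),
                              "claims": user["claims"]}, sort_keys=True).encode()
        return {"payload": payload.decode(), "signature": _sign(self.key, payload)}


@dataclass
class TrustPolicy:
    key: bytes          # Trust -- key of the partner account realm
    required: set       # Security -- claims the resource needs
    allowed: set        # Privacy -- claims the resource may see
    max_age: int = 300  # seconds a token stays acceptable


class ResourceSideFS:
    """Resource side: applies trust policy, then yields the SSO agent's authorization context."""

    def __init__(self, realm: str, trusts: dict):
        self.realm, self.trusts = realm, trusts

    def validate(self, token: dict, now: int = None):
        payload = json.loads(token["payload"])
        trust = self.trusts.get(payload.get("issuer"))
        if trust is None:
            return None                                     # unknown authority: no trust, no key
        expected = _sign(trust.key, token["payload"].encode())
        if not hmac.compare_digest(expected, token["signature"]):
            return None                                     # tampered or forged token
        if payload.get("audience") != self.realm:
            return None                                     # token issued for another resource
        if (now or int(time.time())) - payload["issued"] > trust.max_age:
            return None                                     # stale token
        claims = payload["claims"]
        if not trust.required <= set(claims):
            return None                                     # a claim the application needs is missing
        # Audit -- identity and issuing authority; Privacy -- only allowed claims pass through.
        context = {k: v for k, v in claims.items() if k in trust.allowed}
        context["issuer"] = payload["issuer"]
        return context
```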
WS-Federation: Cross-organization, multi-vendor interoperability
Web Services Federation Language
Defines messages to enable security realms to federate & exchange security tokens
Built upon WS-Security, WS-Trust
Wide industry support
Authors: BEA, IBM, Microsoft, RSA, VeriSign
Participants: OpenNetwork, Oblix, Netegrity, PingID
Two “profiles” of the model defined
Passive (web browser) clients – HTTP/S
Active (smart/rich) clients – SOAP
(Diagram: a Security Token Service fronted by an HTTP Receiver for HTTP messages (now) and a SOAP Receiver for SOAP messages (future))
Active Directory Federation Services, Scenario: Enterprise Web Single Sign-on
Single Sign-on to a Farm of Web Applications
Support for browser-based (future smart client support)
Access managed by IT via roles (RBAC)
Uses AD in domain mode or application mode
Credentials managed in AD at the resource side
(Diagram: Customers, Business Partners and Employees all signing on to the Resource Side)
Benefits of ADFS
Extends the value of your AD infrastructure
Step towards AD as a service for SOA
Enables Web Single Sign-on
B2B/B2C Commerce and Collaboration
Interoperable with Existing Security Systems
Based on WS-* specifications
Supports multiple security tokens (e.g. SAML, Kerberos, X509, etc.)
Improves Security
Accounts are managed by the user organization
Cross organizational trust management and auditing
Lower partner/supplier adoption risks
Standards based infrastructure
Broad interoperability with other IdM Vendors
Identity Chaining and Referral?
Vision: If, and when, technologies such as ADFS become more widely used, perhaps with an Identity Metasystem emerging…
…it may become possible for an organisation to rely on identity claims issued by another organisation…
…thus removing the need to create yet-another-authentication-system
Examples
1. A bank relying on another bank’s issued digital ID, because those banks trust each other
2. Small and medium organisations with a web presence can rely on identities provided by a government or, perhaps, another respected public body
InfoCard
Microsoft project for introducing a Windows-based common user interface, developer API and subsystem for handling multiple digital identities
Part of the Identity Metasystem vision
Planned for Windows Vista/Longhorn Server timeframe
Part of WinFX
Goal: make it easy for the user to engage in identity authentication
Benefit: no more end-user confusion, hence phishing attacks mitigated
Summary
IAM in Windows Server 2003 R2
Identity Management: extend value of Active Directory deployments to facilitate secure collaboration with partners
Application Platform: extend value of Windows Server identity services in internet-facing web environments
(Diagram: Company A and Company B, each with IIS and AD, federated with each other)
SSO to partner apps
Centralized, policy-based access control to partner apps
Secure tokens replace passwords “in the clear”
Interoperability with heterogeneous systems via WS-*
Extranet authentication & SSO
Delegated user admin to trusted partners
RBAC with AzMan extranet authorization
AD Application Mode (LDAP)
Federated SharePoint
Summary
Achieving Single Sign-On requires a number of specialised technologies, some older (Kerberos, RAS, ISA…) and some newer, like ADFS and AzMan
The way to the future lies in building standards-based Identity Metasystems, outside and across enterprise boundaries
Access Management becomes easier if integrated with Identity Lifecycle Management
www.microsoft.com/idm & www.microsoft.com/itsshowtime & www.microsoft.com/technet
Special Thanks
This seminar was prepared with the help of:
Oxford Computer Group Ltd
Expertise in Identity and Access Management (Microsoft Partner)
IT Service Delivery and Training
www.oxfordcomputergroup.com
Microsoft, with special thanks to:
Daniel Meyer – thanks for many slides
Steven Adler, Ronny Bjones, Olga Londer – planning and reviewing
Philippe Lemmens, Detlef Eckert – Sponsorship
Bas Paumen & NGN – feedback