Identity and Access Management
Rune, Solution Manager
Business Ready Security Solutions
Current Situation
Password reset and access requests handled through help desk
Contoso managing Fabrikam accounts
Multiple identities and limited sign-on help
Different sign-on requirements for applications
Separate remote access solution w/ separate identities
Fabrikam managing Contoso accounts
Time and labor intensive process
Enable more secure, identity-based access to applications on-premises and in the cloud from virtually any location or device
• Provide more secure, always-on access
• Enable access from virtually any device
• Extend powerful self-service capabilities to users
• Automate and simplify management tasks
PROTECT everywhere, ACCESS anywhere
INTEGRATE and EXTEND security
SIMPLIFY security, MANAGE compliance
• Control access across organizations
• Provide standards-based interoperability
Identity and Access Management Strategy
Business Ready Security Solutions: Information Protection, Identity and Access Management, Secure Messaging, Secure Endpoint, Secure Collaboration
Active Directory® Federation Services
PROTECT Everywhere, ACCESS Anywhere
• Provides seamless, always-on, secure connectivity to on-premises and remote users
• Eliminates the need to connect explicitly to corporate network while remote
• Facilitates more secure, end-to-end communication and collaboration
• Uses a policy-based network access approach
• Enables IT to easily service, secure, update, and provision mobile machines, whether they are inside or outside the network
DirectAccess Client
Internet Servers
DirectAccess Server
Internal traffic
Internet traffic
Corporate Resources
Intranet
Internet
Windows DirectAccess
IPv6 Devices IPv4 Devices
WinSrv 2008R2 DirectAccess Role
Windows 7 Client
Native IPv6 with IPSec
IPv6 Transition Services
Supports variety of remote network protocols
DirectAccess in Windows 7
IT desktop management
AD Group Policy, NAP,
software updates
Internet
INTEGRATE and EXTEND security
SharePoint Server Farm
AD DS, AD FS
Business Partners
AD DS AD FS
AD RMS
Federation Trust
Application Access
Redirect to Security Token Service (STS)
Authentication
Token and claims
Post claims
Company A Account Forest
Company B Resource Forest
User Account/Credentials
Security Token
• Shared identity with partner organizations and cloud services
• Boost cross-organizational efficiency and communication with more secure access
− Support the sharing of rights-protected messages between organizations
Active Directory Federation Services
AD DS
AD FS
• Implements a single user access model with native single sign-on (SSO) and easier federation to on-premises and cloud services
• Helps provide consistent security with a single user access model externalized from applications
Security Token (e.g., Kerberos Ticket)
• AD FS creates SAML token
• Signs it with company’s private key
• Sends it back to the user
• Access supplied with the token
Partner
Exchange SharePoint
Web App
Claims-Aware
Application
Corporate User
Single Sign On with Extended Collaboration
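The token flow described above (redirect to the STS, authentication, a SAML token signed with the company's private key, claims posted to the application) as an added example that is not part of the original deck and not AD FS code: a minimal Go model in which the account-forest STS signs a claims payload and the resource-forest application refuses the token unless signature, issuer, audience and expiry all check out. The JSON claim layout, the host names used in tests and the RSA PKCS#1 v1.5 over SHA-256 scheme are simplifications assumed for illustration, not the SAML/WS-Federation wire format AD FS actually emits.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Claims stands in for the SAML assertion body; the field names are constructed for this example.
type Claims struct {
	Issuer   string `json:"iss"` // the STS of the account forest that vouches for the user
	Subject  string `json:"sub"` // the federated user
	Audience string `json:"aud"` // the relying-party application the token was issued for
	Expires  int64  `json:"exp"` // Unix time after which the token must be rejected
}

type Token struct{ Payload, Signature []byte } // serialised claims plus the STS signature over them

// Issue models the STS step: serialise the claims and sign them with the company's private key.
func Issue(priv *rsa.PrivateKey, c Claims) (Token, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return Token{}, err
	}
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return Token{payload, sig}, err
}

// Verify models the relying party: no claim is trusted until signature, issuer, audience and expiry pass.
func Verify(pub *rsa.PublicKey, t Token, issuer, audience string, now int64) (Claims, error) {
	digest := sha256.Sum256(t.Payload)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], t.Signature); err != nil {
		return Claims{}, fmt.Errorf("signature invalid: %w", err)
	}
	var c Claims
	if err := json.Unmarshal(t.Payload, &c); err != nil {
		return Claims{}, err
	}
	switch {
	case c.Issuer != issuer:
		return Claims{}, fmt.Errorf("untrusted issuer %q", c.Issuer)
	case c.Audience != audience:
		return Claims{}, fmt.Errorf("token issued for %q, not %q", c.Audience, audience)
	case now >= c.Expires:
		return Claims{}, fmt.Errorf("token expired")
	}
	return c, nil
}
```

The relying party holds only the STS public key, which is what the federation trust in the diagram amounts to; a token signed by any other key, replayed after expiry, or issued for a different application is rejected before its claims are read.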
CLOUD SERVICES
SIMPLIFY security, MANAGE compliance
Identity Lifecycle Management
Create: Provision user, Provision credentials, Provision resources
Change: Role changes, Phone # or title change, Password and PIN reset, Resource requests
Retire: De-provision identities, Revoke credentials, De-provision resources
Policy Management: Policy enforcement, Approvals and notifications, Audit trails
Help Desk “Lost” Credentials Password Reset New Entitlements
Forefront Identity Manager in Action
Directories
Custom
Self-Service integration
LOB Applications
FIM Portal
ISV Partner Solutions
Windows Log On
IT Departments
Databases
Policy Management, Credential Management
User Management Group Management
Active Directory
Lotus Domino
LDAP
SQL Server
Oracle DB
HR System
FIM
Workflow
Manager
• Policy-based identity lifecycle management system
• Built-in workflow for identity management
• Automatically synchronize all user information to different directories across the enterprise
• Automates the process of on-boarding users
User Enrollment
Approval
User provisioned on all allowed systems
Identity Management: User provisioning
FIM CM
HR System
FIM
Workflow
• Automated user de-provisioning
• Built-in workflow for identity management
• Real-time de-provisioning from all systems to prevent unauthorized access and information leakage
User de-provisioned
User de-provisioned or disabled on all systems
Identity Management: User de-provisioning
Active Directory
Lotus Domino
LDAP
SQL Server
Oracle DB
FIM CM
SharePoint-Based Management Console
Add-in for Office
Self Service Group Management
• Self-service group and distribution list management with the FIM 2010 Web portal
• Office integration allows users to manage group membership from within Microsoft Office Outlook® for maximum productivity
• Enables users to use Outlook to manage approvals while they are offline
• Automatically add users to either group based on their employee type at the time they are provisioned to Active Directory
• Group and distribution list management, including dynamic membership calculation in these groups and distribution lists based on user’s attributes
• Enables users to reset their own passwords through both Windows logon and FIM password reset portal
• Controls helpdesk costs by enabling end users to manage certain parts of their own identities
• Improves security and compliance with minimal errors while managing multiple identities and passwords
End User
Active Directory
Oracle
SQL Server
Notes
LDAP
User requests password reset
FIM Server
Password updates
Self-Service Password Management
• FIM capabilities integrated with Windows logon
• Randomly selects a number of questions
Reset Password
Learn more at www.microsoft.com/forefront
Summary
PROTECT everywhere, ACCESS anywhere
INTEGRATE and EXTEND security
SIMPLIFY security, MANAGE compliance
Enable more secure, identity-based access to applications on-premises and in the cloud from virtually any location or device
• Provide more secure, always-on access
• Enable access from virtually any device
• Extend powerful self-service capabilities to users
• Automate and simplify management tasks
• Control access across organizations
• Provide standards-based interoperability
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.