Slide 1
Identity and Access and Cloud: Better Together
Brjann Brekkan, Sr Technical Product Manager, Identity and Access, Microsoft Corporation
SIM205

Slide 2
Agenda
Framing the Cloud opportunity
Supporting Technologies
Private Cloud
Public Cloud – PaaS
Public Cloud – SaaS
Summary
Slide 3
What is the Cloud?
Delivering IT as a Standardized Service
Figure: customer datacenter, partner datacenter and Microsoft datacenter.
Slide 4
Enabling the Hybrid Enterprise
Opportunities
  Performing IT more cheaply
  Capitalizing on new ways to address customers
  Benefitting from further democratization of IT
  Operating a business without IT limits
  Leveraging the cloud for competitive advantage
  Developing transformative experiences and solutions
Challenges
  Existing internal applications remain critical in foreseeable future
  Need to integrate with applications across organizations and cloud
  Borderless collaboration across on-premises, partners, and cloud
  Partners and customers will bring their own identities
  Identity platform needs to support range of developers
  Identity needs to be more extensible, more flexible
Slide 5
Types of Cloud Services: Identity consistent
Figure: the service stack (Storage, Servers, Networking, O/S, Middleware, Virtualization, Runtime, Data, Applications) shown for four models: On-Premises, Infrastructure (as a Service), Platform (as a Service) and Software (as a Service). Each layer is marked either "You manage" or "Other Manages": On-Premises shows only "You manage", Infrastructure and Platform split the stack between the two, and Software shows only "Other Manages".
Slide 6
Compliance and Security in the Cloud
An organization's current identity management gaps extend to the cloud and become more complex:
  Failure to disable accounts in a timely manner when people’s employment is terminated
  Failure to adjust rights and permissions when people transfer to new roles
  Enabling self-service capabilities without having control of user identities can result in access problems and lack of productivity
Slide 7
Identity and the Cloud
Figure: the User at the centre, with Private Cloud (On-Premises), Partners and Public Cloud (SaaS, PaaS) around it.
Slide 8
Microsoft Identity Components
Figure: the same Private Cloud (On-Premises), Partners and Public Cloud (SaaS, PaaS) layout with Microsoft's components placed on it: AD Federation Services, AD Certificate Services, AD Rights Management Services and the AppFabric Access Control service. The protocols drawn between the User, the providers and the Claims based applications are SAML, OAUTH and WS-Trust.
Slide 9
Some of Our Cloud/Federation Players
Active Directory Domain Service: a claims store and so much more
Windows Identity Foundation: the developer experience
AppFabric Access Control Service: cloud hosted STS
Active Directory Federation Service: on-premises STS
Forefront Identity Manager: on-premises identity management
Windows Live ID: cloud identity provider + much more
Office 365 / BPOS: SaaS - Exchange Online, SharePoint Online…
Windows Azure: PaaS - a cloud-OS offering a development, service-hosting and service-management environment
Slide 10
Claims-Based Access Basics
Resource provider: requires, uses claims to define users
Claims provider: supports protocols for issuing claims
Relationship: context in which meaning of claims defined
Figure: the Subject, the Claims Provider (Security Token Service) and the Resource Provider, joined by the Relationship.
1. Require claims (Resource Provider)
2. Get claims (Subject, from the Claims Provider)
3. Send claims (Subject, to the Resource Provider)
Slide 11
Microsoft Claims-Based Access Model
Figure: the End User, the Security Token Service (AD FS) backed by the Directory (AD DS), and the Resource Provider, a Claims-aware application in which the Claims Framework (WIF) sits in front of the App Business Logic.
Configure: Claims Rules (Federation Metadata)
Configure: Establish Relationship / Trust (Signing key)
1. Get policy
2. AuthN (Creds)
3. Get claims
4. AuthN (Claims)
5. Grant/deny access
Slide 12
Federation: Claims Sources
Authentication comes from AD
Attributes can come from AD, other LDAP directories, SQL, custom sources
Consider whether to put claim values in AD, or create SQL tables for new claims
  When should AD schema be extended?
  If using SQL in ADFS, identify a unique key for users as an AD attribute and table column
FIM manages attributes in AD and SQL
Slide 13
Forefront Identity Manager 2010 On-Premises
Credential Management
  Enable 2 factor auth on-premises and manage Smart Cards with FIM
  Password Reset on-premises
Group Management
  Automated security and distribution group memberships
  Self service management of security and distribution groups
User Management
  Add additional data needed in AD with provisioning and synchronization
  Directory clean up and ensure data quality
Policy Management
  Policy and workflows help with controlling access to cloud services
  Ensure accurate data used in federation scenarios
Slide 14
Scenarios
Private Cloud
  Self service management of virtualization is based on providing delegated access empowering users
Access application in Windows Azure
  Build app with WIF
  Access app via Azure AppFabric ACS
  Federate with id-providers
Enable BPOS / Office 365
  Identity synchronization
  Single Sign on and Authentication
Slide 15
Private Cloud
Slide 16
Hyper-V Authorization Manager
Common identity in Private Cloud
Default role allows access to all operations
Additional roles with desired rights can be created
33 different operations OOB, grouped under:
  Hyper-V Service Operations
  Hyper-V Networks Operations
  Hyper-V Virtual Machine Operations
Slide 17
Virtual Machine Manager
Common identity in Private Cloud
The Administrator profile: Complete administrative access to all the hosts, virtual machines, and library servers in VMM 2008
The Delegated Administrator profile: Grants administrative access to a defined set of host groups and library servers
The Self-Service User profile: Administrative access to a defined set of virtual machines through the Web-based Virtual Machine Manager Self-Service Portal
Additional delegation capabilities in Self service portal
Slide 18
Enhancing Private Cloud with FIM
Common identity
  Hyper-V and SC Virtual Machine Manager use roles
  Roles can contain users or groups from AD
Delegation of datacenter management
  Forefront Identity Manager securely manages membership in AD groups
Slide 19
Public Cloud Identity Management Options
Use cloud service provider’s (CSP’s) identity management system
Synchronize on-premises identity store with CSP’s identity store
Federate identity in trusted third-party provider with CSP
Federate identity in on-premises directory with CSP
Slide 20
Cloud Identity Management Option: Use CSP’s System
Pros
  Easy to set up, requiring no work with existing identity management system
Cons
  Difficult to keep identities synchronized between on-premises and cloud
    Terminations and transfers most problematic
  Might not work with hybrid clouds
    Worse, might require dangerous integration practices
Slide 21
Cloud Identity Management Option: Synchronization of On-Premises Identity
Pros
  Not as difficult to set up as federation
  Synchronization can be scheduled or event-driven
  Terminations and transfers easier to manage
  Works with existing on-premises Identity Lifecycle solutions
Cons
  More difficult to set up than CSP identity management system
  User names might not be identical
    CSPs usually default to email address as user name
  Passwords often not synchronized
    May be possible with additional client software
Slide 22
Cloud Identity Management Option: Federate with third-party identity providers
Pros
  Allows integration with existing cloud-based identity
    Potentially services and data, and hybrid clouds
  Integration of third-party with on-premises identity possible
  Useful approach if not possible to federate with on-premises identity store
Cons
  End users may still have multiple identities
  Can be most difficult to set up and operate of all options
  Taking dependency on third-party identity provider
Slide 23
Cloud Identity Management Option: Federate with On-Premises Identity
Pros
  Integrates seamlessly with on-premises identity
  Terminations and transfers can be handled with ease
  User names are usually identical
  No need to synchronize passwords
  Works well with hybrid clouds
Cons
  Can be difficult to set up
  Requires compatible on-premises identity store
  Can magnify existing identity management problems
Slide 24
Public Cloud: Platform as a Service
Slide 25
Windows Azure Identity Management Options
Use cloud service provider’s (CSP’s) identity management system
  Applications built in Windows Azure can have own ID store
Synchronize on-premises identity store with CSP’s identity store
  Load application user profiles from on-premises AD
Federate identity in trusted third-party provider with CSP
  Access Control service using public identity providers
Federate identity in on-premises directory with CSP
  Federate directly with application
  Federate with Access Control service
Slide 26
Identity and Access Options: Common Identity Across Applications
Figure: Active Directory (On Premises) and Other Providers, linked over WS-* and SAML.
Use of Active Directory identities and groups through federation
Enable seamless access experience with other corporate applications tied to AD
Integration with 3rd party systems through WS-* and SAML 2.0 open standards
In the next release of AppFabric Access Control Services (ACS 2.0), single sign-on with popular Internet identity providers
Slide 27
Access Control Service: How ACS works
Figure: the Customer, the Access Control Service and YourService.
0. Establish trust via key exchange
1. Define access control rules for an identity provider
2. Request token (pass input claims)
3. Map input claims to output claims based on access control rules
4. Return token (receive output claims)
5. Send message with token
6. Process token
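The ACS exchange above (steps 0 to 6), together with the grant/deny step of the claims-based access model on slide 11, worked through as an added example; this is not code from the presentation, from ACS or from WIF. A shared HMAC-SHA256 key stands in for the trust established by key exchange, a constructed rule list stands in for the access control rules, the issuer, audience and claim values are made-up sample data, and the token layout is a simplified stand-in rather than the real ACS token format.

```python
import base64, hashlib, hmac, json, time
# Step 0: trust via key exchange. Constructed demo secret shared by ACS and YourService.
SHARED_KEY = b"demo-shared-secret-not-a-real-key"

# Step 1: access control rules for one identity provider (constructed sample rules):
# (issuer, input claim type, input value or "*", (output claim type, output value or None = pass through))
RULES = [
    ("https://idp.contoso.example", "group", "Shipping Clerks", ("role", "Clerk")),
    ("https://idp.contoso.example", "group", "Shipping Managers", ("role", "Manager")),
    ("https://idp.contoso.example", "email", "*", ("email", None)),
]

def b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def map_claims(issuer, input_claims):
    """Step 3: map input claims to output claims; only rules for this issuer apply."""
    out = {}
    for rule_issuer, in_type, in_value, (out_type, out_value) in RULES:
        for ctype, cvalue in input_claims:
            if rule_issuer == issuer and ctype == in_type and in_value in ("*", cvalue):
                out.setdefault(out_type, []).append(cvalue if out_value is None else out_value)
    return out

def issue_token(issuer, input_claims, audience, now=None, ttl=600):
    """Steps 2 and 4: ACS takes the input claims and returns a signed token of output claims."""
    now = int(time.time()) if now is None else now
    payload = {"iss": "acs", "aud": audience, "exp": now + ttl, "claims": map_claims(issuer, input_claims)}
    body = b64(json.dumps(payload, sort_keys=True).encode())
    sig = b64(hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest())
    return body + "." + sig  # step 5: the client sends this token with its message

def process_token(token, audience, now=None):
    """Step 6: YourService checks signature, audience and expiry before trusting any claim."""
    now = int(time.time()) if now is None else now
    body, _, sig = token.partition(".")
    expected = b64(hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None  # forged or tampered token
    payload = json.loads(unb64(body))
    if payload.get("aud") != audience or payload.get("exp", 0) <= now:
        return None  # token issued for another service, or expired
    return payload["claims"]

def authorize(token, audience, required_role, now=None):
    """Claims-based model step 5: grant or deny on the mapped role claim."""
    claims = process_token(token, audience, now)
    return claims is not None and required_role in claims.get("role", [])
```

Because the rules are keyed by issuer, claims from an identity provider that has no rules configured map to nothing, so the service never sees a role it did not explicitly derive.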
Slide 28
Demo: Fabrikam Shipping
Example of Software as a Service in Windows Azure
Sign up experience with Access Control service
Slide 29
Public Cloud: Software as a Service
Slide 30
PaaS Identity Management Options
Use cloud service provider’s (CSP’s) identity management system
  Smaller customers using Office 365 ID
Synchronize on-premises identity store with CSP’s identity store
  Directory Sync required by applications in Office 365
Federate identity in trusted third-party provider with CSP
Federate identity in on-premises directory with CSP
  Office 365 enables single sign on via federation
Slide 31
Office 365 Identity and Access Options
Figure: identity synchronization and authentication between On Premises and Online. On premises: AD, Active Directory Federation Services (IdP) and Forefront Identity Manager 2010. Online: Directory Sync, Identity services, Provisioning platform, Directory Store, Admin portal, Authentication platform (IdP), and the Lync, SharePoint and Exchange workloads. A Trust links the on-premises AD FS to the online authentication platform; a Small/Medium Customer is shown alongside.
Slide 32
What Does DirSync Do?
Enables “Identity” and “Application” coexistence
Identities are managed on premise
  Syncs users, groups and contacts
  Enables easy identity federation
Enables Application coexistence (Exchange and OC)
  Application coexistence – On premise Mail and OC services work with their corresponding cloud services (OC users on premise IM cloud users, and Mail on premise routes to the cloud and vice versa)
  Enabler for Exchange “Rich Coexistence” features
  Involves a write-back of cloud data to on-premises customer directory
Slide 33
Enhancing MS Online Services with FIM
FIM manages on-premises AD DS
  Simplify and clean up AD
  Necessary attributes for Office 365 maintained
  Managing groups on-premises
  MS Online Directory Synchronization tool keeps on-premises directory in sync with MS Online Directory
FIM supplies AD FS with additional data for claims
  Construct a “role”-claim based on data in Active Directory populated by FIM to use for authorizing access to Office 365
FIM provisions users with smartcards or software certificates
  Enables users to leverage stronger authentication for access to cloud-based services
Slide 34
Managing Common Identity
Figure: FIM 2010, fed by the HR System, Workflow and Self Service, populates the identity directories: AD DS (Phone, Title, Department, Manager, Group; Windows Integrated/Kerberos), Exchange GAL & DL, SharePoint Profiles and Access, SAP and other apps, and SQL Server (Role, Client List). AD FS 2.0 issues WS-* and SAML Claims to a Partner and to Claims-Aware Applications; MS Online Directory Synchronization carries the directory to the cloud.
Slide 35
Next Steps
Prepare for and embrace cloud by:
  Improving quality and enhancing data in AD
  Leveraging Forefront Identity Manager to prepare for cloud and ongoing management on-premises
  Learning more about identity federation
  Understanding how claims based identity can assist developers
Slide 36
Resources
Forefront Identity Manager: www.microsoft.com/fim, technet.microsoft.com/ilm, blogs.technet.com/identitymanagement
Claims Based Identity: Whitepaper and Architecture Guide on www.microsoft.com/wif
Programming WIF from MSPress
www.microsoft.com/adfs
Identity Developer Training
Windows Azure Training Kit
www.microsoft.com/cloud
www.microsoft.com/online
Slide 37
Related Content
TLC: Identity Federation, Identity Management, Directory Services
SIM203 | Microsoft Identity and Access Strategy
SIM358 | Preparing Identities for the Cloud with FIM
SIM324 | Using Windows Azure Access Control Service 2.0 with Your Cloud Application
OSP215 | Microsoft Office 365: Identity and Access Solutions
SIM322 | Developer's View on Single Sign-On for Applications Using Windows Azure
SIM377-INT | Claims-Based Identity
SIM399-HOL | Managing Claims AuthN using FIM 2010
MID274-HOL | Introduction to the Windows Azure AppFabric Access Control Service V2
Slide 38
Track Resources
Don’t forget to visit the Cloud Power area within the TLC (Blue Section) to see product demos and speak with experts about the Server & Cloud Platform solutions that help drive your business forward.
You can also find the latest information about our products at the following links:
Windows Azure - http://www.microsoft.com/windowsazure/
Microsoft System Center - http://www.microsoft.com/systemcenter/
Microsoft Forefront - http://www.microsoft.com/forefront/
Windows Server - http://www.microsoft.com/windowsserver/
Cloud Power - http://www.microsoft.com/cloud/
Private Cloud - http://www.microsoft.com/privatecloud/
Slide 39
Resources
www.microsoft.com/teched: Sessions On-Demand & Community
www.microsoft.com/learning: Microsoft Certification & Training Resources
http://microsoft.com/technet: Resources for IT Professionals
http://microsoft.com/msdn: Resources for Developers
http://northamerica.msteched.com: Learning. Connect. Share. Discuss.
Slide 40
Complete an evaluation on CommNet and enter to win!
Slide 42
© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.