SIM205-Identity_.ppt

Uploaded by: 椰子壳  Document ID: 5020770  Uploaded: 2020-01-29  Format: PPT  Pages: 43  Size: 13.15MB

Identity and Access and Cloud: Better Together
Brjann Brekkan, Sr Technical Product Manager, Identity and Access, Microsoft Corporation
SIM205

Agenda
- Framing the Cloud opportunity
- Supporting Technologies
- Private Cloud
- Public Cloud PaaS
- Public Cloud SaaS
- Summary

What is the Cloud?
Delivering IT as a Standardized Service

Opportunities
- Performing IT more cheaply
- Capitalizing on new ways to address customers
- Benefitting from further democratization of IT
- Operating a business without IT limits
- Leveraging the cloud for competitive advantage
- Developing transformative experiences and solutions

Challenges
- Existing internal applications remain critical in the foreseeable future
- Need to integrate with applications across organizations and cloud
- Borderless collaboration across on-premises, partners, and cloud
- Partners and customers will bring their own identities
- Identity platform needs to support a range of developers
- Identity needs to be more extensible, more flexible

Enabling the Hybrid Enterprise
Types of Cloud Services (diagram; recovered labels: Identity consistent, (On-Premises), You manage)

Compliance and Security in the Cloud
- An organization's current identity management gaps extend to the cloud and become more complex
- Failure to disable accounts in a timely manner when people's employment is terminated
- Failure to adjust rights and permissions when people transfer to new roles
- Enabling self-service capabilities without having control of user identities can result in access problems and lack of productivity

Identity and the Cloud (diagram: Private Cloud, On-Premises, Public Cloud, Partners, SaaS, PaaS, User)

Microsoft Identity Components (diagram)
- Environments: Private Cloud, On-Premises, Partners
- Components: AD Federation Services, AD Certificate Services, AD Rights Management Services, AppFabric Access Control service
- Protocols: SAML, OAUTH, WS-Trust, SAML
- User, Claims based applications

Some of Our Cloud/Federation Players

Claims-Based Access Basics
- Resource provider: requires and uses claims to define users
- Claims provider: supports protocols for issuing claims
- Relationship: context in which the meaning of claims is defined
Diagram: Relationship between Claims Provider (Security Token Service), Subject and Resource Provider
1. Require claims
2. Get claims
3. Send claims

Microsoft Claims-Based Access Model (diagram)
- Parties: End User; Directory (AD DS); Security Token Service (AD FS); Resource Provider: Claims-aware application (Claims Framework (WIF), App Business Logic)
- Configure: Claims Rules (Federation Metadata)
- Configure: Establish Relationship / Trust (Signing key)
1. Get policy
2. AuthN (Creds)
3. Get claims
4. AuthN (Claims)
5. Grant/deny access

Federation: Claims Sources
- Authentication comes from AD
- Attributes can come from AD, other LDAP directories, SQL, custom sources
- Consider whether to put claim values in AD, or create SQL tables for new claims
- When should the AD schema be extended?
- If using SQL in ADFS, identify a unique key for users as an AD attribute and table column
- FIM manages attributes in AD and SQL

Forefront Identity Manager 2010 On-Premises
- Enable 2 factor auth on-premises and manage Smart Cards with FIM
- Password Reset on-premises
- Automated security and distribution group memberships
- Self service management of security and distribution groups
- Add additional data needed in AD with provisioning and synchronization
- Directory clean up and ensure data quality
- Policy and workflows help with controlling access to cloud services
- Ensure accurate data used in federation scenarios

Scenarios
- Private Cloud: Self service management of virtualization is based on providing delegated access, empowering users
- Access application in Windows Azure: Build app with WIF; Access app via Azure AppFabric ACS; Federate with id-providers
- Enable BPOS / Office 365: Identity synchronization; Single Sign on and Authentication

Private Cloud

Hyper-V Authorization Manager: Common identity in Private Cloud
- Default role allows access to all operations
- Additional roles with desired rights can be created
- 33 different operations OOB, grouped under Hyper-V Service Operations, Hyper-V Networks Operations, Hyper-V Virtual Machine Operations

Virtual Machine Manager: Common identity in Private Cloud
- The Administrator profile: Complete administrative access to all the hosts, virtual machines, and library servers in VMM 2008
- The Delegated Administrator profile: Grants administrative access to a defined set of host groups and library servers
- The Self-Service User profile: Administrative access to a defined set of virtual machines through the Web-based Virtual Machine Manager Self-Service Portal
- Additional delegation capabilities in Self service portal

Enhancing Private Cloud with FIM: Common identity
- Hyper-V and SC Virtual Machine Manager use roles
- Roles can contain users or groups from AD
- Delegation of datacenter management
- Forefront Identity Manager securely manages membership in AD groups

Public Cloud Identity Management Options
- Use cloud service provider's (CSP's) identity management system
- Synchronize on-premises identity store with CSP's identity store
- Federate identity in trusted third-party provider with CSP
- Federate identity in on-premises directory with CSP

Cloud Identity Management Option: Use CSP's System
Pros
- Easy to set up, requiring no work with existing identity management system
Cons
- Difficult to keep identities synchronized between on-premises and cloud
- Terminations and transfers most problematic
- Might not work with hybrid clouds
- Worse, might require dangerous integration practices

Cloud Identity Management Option: Synchronization of On-Premises Identity
Pros
- Not as difficult to set up as federation
- Synchronization can be scheduled or event-driven
- Terminations and transfers easier to manage
- Works with existing on-premises Identity Lifecycle solutions
Cons
- More difficult to set up than CSP identity management system
- User names might not be identical (CSPs usually default to email address as user name)
- Passwords often not synchronized (may be possible with additional client software)

Cloud Identity Management Option: Federate with third-party identity providers
Pros
- Allows integration with existing cloud-based identity (potentially services and data, and hybrid clouds)
- Integration of third-party with on-premises identity possible
- Useful approach if not possible to federate with on-premises identity store
Cons
- End users may still have multiple identities
- Can be the most difficult to set up and operate of all options
- Taking a dependency on a third-party identity provider

Cloud Identity Management Option: Federate with On-Premises Identity
Pros
- Integrates seamlessly with on-premises identity
- Terminations and transfers can be handled with ease
- User names are usually identical
- No need to synchronize passwords
- Works well with hybrid clouds
Cons
- Can be difficult to set up
- Requires compatible on-premises identity store
- Can magnify existing identity management problems

Public Cloud: Platform as a Service

Windows Azure Identity Management Options
- Use CSP's identity management system: Applications built in Windows Azure can have their own ID store
- Synchronize on-premises identity store with CSP's identity store: Load application user profiles from on-premises AD
- Federate identity in trusted third-party provider with CSP: Access Control service using public identity providers
- Federate identity in on-premises directory with CSP: Federate directly with application; Federate with Access Control service

Identity and Access Options: Common Identity Across Applications (diagram: Active Directory, Other Providers, WS-* and SAML, On Premises)
- Use of Active Directory identities and groups through federation
- Enable seamless access experience with other corporate applications tied to AD
- Integration with 3rd party systems through WS-* and SAML 2.0 open standards
- In the next release of AppFabric Access Control Services (ACS 2.0), single sign-on with popular Internet identity providers

How ACS works (diagram: Access Control Service, Your Service, Customer)
0. Establish trust via key exchange
1. Define access control rules for an identity provider
2. Request token (pass input claims)
3. Map input claims to output claims based on access control rules
4. Return token (receive output claims)
5. Send message with token
6. Process token

demo: Fabrikam Shipping
- Example of Software as a Service in Windows Azure
- Sign up experience with Access Control service

Public Cloud: Software as a Service

PaaS Identity Management Options
- Use CSP's identity management system: Smaller customers using Office 365 ID
- Synchronize on-premises identity store with CSP's identity store: Directory Sync required by applications in Office 365
- Federate identity in trusted third-party provider with CSP
- Federate identity in on-premises directory with CSP: Office 365 enables single sign on via federation

Office 365 Identity and Access Options: Identity synchronization and authentication (diagram)
- On Premises: AD, Online Directory Sync, Active Directory Federation Services, Forefront Identity Manager 2010, Small/Medium Customer
- Online: Identity services, Provisioning platform, Lync, SharePoint, Exchange, Trust, IdP, Directory Store, Admin portal, Authentication platform, IdP

What Does DirSync Do?
- Enables "Identity" and "Application" coexistence
- Identities are managed on premise
- Syncs users, groups and contacts
- Enables easy identity federation
- Enables Application coexistence (Exchange and OC)
- Application coexistence: On premise Mail and OC services work with their corresponding cloud services (OC users on premise can IM cloud users, and Mail on premise routes to the cloud and vice versa)
- Enabler for Exchange "Rich Coexistence" features; involves a write-back of cloud data to the on-premises customer directory

Enhancing MS Online Services with FIM
- FIM manages on-premises AD DS: Simplify and clean up AD; Necessary attributes for Office 365 maintained; Managing groups on-premises
- MS Online Directory Synchronization tool keeps the on-premises directory in sync with MS Online Directory
- FIM supplies AD FS with additional data for claims: Construct a "role" claim based on data in Active Directory populated by FIM, to use for authorizing access to Office 365
- FIM provisions users with smartcards or software certificates: Enables users to leverage stronger authentication for access to cloud-based services

Managing Common Identity (diagram)
- Windows Integrated/Kerberos; FIM 2010; Workflow; ADDS (Phone, Title, Department, Manager, Group); AD FS 2.0; WS-* and SAML Claims; Partner; Claims-Aware Applications; SQL Server (Role, Client List); Self Service; MS Online Directory Synchronization

Next Steps
Prepare for and embrace cloud by:
- Improving quality and enhancing data in AD
- Leveraging Forefront Identity Manager to prepare for cloud and ongoing management on-premises
- Learning more about identity federation
- Understanding how claims based identity can assist developers

Resources
- Forefront Identity Manager
- Claims Based Identity: Whitepaper and Architecture Guide
- Programming WIF from MSPress
- Identity Developer Training
- Windows Azure Training Kit Content
- TLC: Identity Federation, Identity Management, Directory Services
- Related sessions: SIM203 | Microsoft Identity and Access Strategy; SIM358 | Preparing Identities for the Cloud with FIM; SIM324 | Using Windows Azure Access Control Service 2.0 with Your Cloud Application; OSP215 | Microsoft Office 365: Identity and Access Solutions; SIM322 | Developers View on Single Sign-On for Applications Using Windows Azure; SIM377-INT | Claims-Based Identity; SIM399-HOL | Managing Claims AuthN using FIM 2010; MID274-HOL | Introduction to the Windows Azure AppFabric Access Control Service V2

Track Resources
Don't forget to visit the Cloud Power area within the TLC (Blue Section) to see product demos and speak with experts about the Server & Cloud Platform solutions that help drive your business forward. You can also find the latest information about our products at the following links: Windows Azure - http:/  System Center - http:/  Forefront - http:/  Server - http:/  Power - http:/  Cloud - http:/
On-Demand & Community; Microsoft Certification & Training Resources; Resources for IT Professionals; Resources for Developers
Share. Discuss. Complete an evaluation on CommNet and enter to win!

© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
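As an added illustration that is not part of the deck or of any Microsoft code, the "How ACS works" sequence (steps 0 to 6) and the grant/deny step of the claims-based access model from the slides above, simulated end to end in Python. The issuer name Contoso-ADFS, the rule table, the audience URL, the shared key and the group names are constructed assumptions, and the token is a simplified JSON body with an HMAC-SHA256 tag rather than the SWT/SAML tokens ACS actually issued.

```python
"""Toy walk-through of the ACS token flow from the deck (steps 0-6) and the
grant/deny step of the claims-based model. Constructed example, not Microsoft
code: real ACS issued SWT/SAML tokens; this uses JSON + HMAC-SHA256 instead."""
import hashlib
import hmac
import json

def acs_step0_establish_trust() -> bytes:
    # Step 0: customer and ACS share a signing key (constructed value).
    return b"constructed-shared-key-do-not-reuse"

# Step 1: access control rules for one identity provider (constructed names).
# (issuer, input claim type, input value) -> (output claim type, output value)
RULES = {
    ("Contoso-ADFS", "group", "Shipping-Admins"): ("role", "admin"),
    ("Contoso-ADFS", "group", "Shipping-Users"): ("role", "user"),
}

def acs_issue_token(issuer, input_claims, audience, key, now):
    # Steps 2-4: map input claims to output claims and return a signed token,
    # or None when no rule matches. Unmapped input claims are dropped.
    output = {}
    for ctype, cval in input_claims.items():
        rule = RULES.get((issuer, ctype, cval))
        if rule:
            output[rule[0]] = rule[1]
    if not output:
        return None
    payload = {"aud": audience, "iss": "acs", "exp": now + 600, **output}
    body = json.dumps(payload, sort_keys=True)
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "&sig=" + sig

def service_process_token(token, expected_audience, key, now):
    # Steps 5-6: verify signature, audience and expiry before trusting any
    # claim in the token; any failure yields None (deny).
    body, _, sig = token.rpartition("&sig=")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(body)
    if claims.get("aud") != expected_audience or claims.get("exp", 0) < now:
        return None
    return claims

def service_authorize(claims, operation):
    # App business logic: grant/deny purely from the "role" output claim.
    allowed = {"admin": {"ship", "cancel"}, "user": {"ship"}}
    return claims is not None and operation in allowed.get(claims.get("role"), ())
```

The `now` parameter is an epoch-seconds clock passed in explicitly so that expiry handling can be exercised deterministically.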
