Introduction to Identity Management with MIIS 2003
Steve Plank, Architectural Engineer
Session code
(23 slides)

Transcript of Introduction to Identity Management with MIIS 2003, Steve Plank, Architectural Engineer.

Page 1:

Introduction to Identity Management with MIIS 2003

Steve Plank
Architectural Engineer

Session code

Page 2:

Agenda

MIIS Scenarios
How MIIS works
MIIS Futures

Page 3:

Hire Scenario

[Diagram: a new hire is recorded in the HR System, which feeds MIIS; MIIS then creates the person in the connected systems. Systems shown, with the connector type on each link: Contractor System (File), AD in Application Mode (LDAP), SQL Server (SQL), iPlanet Directory (LDAP), Active Directory (LDAP), Lotus Notes (Notes).]

Page 4:

Fire Scenario

[Diagram: the same picture as the hire scenario, now driven by a termination recorded in the HR System. HR System feeds MIIS, which acts on the connected systems: Contractor System (File), AD in Application Mode (LDAP), SQL Server (SQL), iPlanet Directory (LDAP), Active Directory (LDAP), Lotus Notes (Notes).]

Page 5:

Identity Joining Scenario

[Diagram: the HR System, iPlanet Directory, Active Directory and Lotus Notes each hold a record for the same person, each with the attributes givenName, sn, title, mail, employeeID and telephone. The HR record is projected to the metaverse ("Project to Metaverse", PROJECTED); the other records are then joined to that metaverse object on employeeID ("Join on employeeID", JOINED). One record carries employeeID 008 instead of 007, so no join rule matches it and it can only be attached by a "Manual Join". Records shown on the slide:]

givenName  sn       title      mail                 employeeID  telephone
Clark      Kent     Reporter   [email protected]    007         867-5309    (HR System, projected)
Klarek     Cenntt                                   008                     (no match, manual join)
Clark      Kennttt                                  007                     (joined on employeeID)
Klarke     Kent     Superhero                       007         867-5309    (joined on employeeID)

Metaverse object after projection: Clark Kent, Reporter, [email protected], employeeID 007
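The projection and join steps on this slide, as an added example that is not part of the original deck and not MIIS's own code (MIIS performs them in its sync engine and, where rules are customized, in .NET rules extensions): a Python simulation in which the HR record is projected, the remaining records are joined on employeeID, and the record carrying 008 is left as a disconnector until an administrator joins it by hand. The records are the slide's sample data; assigning each misspelled record to a particular directory is an assumption.

```python
"""Projection and join on employeeID, simulating the Identity Joining slide.

Added example: not code from the deck and not MIIS's sync engine.
Which directory holds which misspelled record is an assumption.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class CSEntry:
    """A connector-space object staged by one management agent."""
    system: str
    attrs: dict
    mv_id: Optional[int] = None   # metaverse object this entry is linked to
    state: str = "DISCONNECTOR"   # PROJECTED, JOINED or DISCONNECTOR


@dataclass
class Metaverse:
    objects: dict = field(default_factory=dict)   # mv_id -> attribute dict
    next_id: int = 1


def project(mv: Metaverse, cs: CSEntry) -> int:
    """Create a new metaverse object from a connector-space entry."""
    mv_id = mv.next_id
    mv.next_id += 1
    mv.objects[mv_id] = dict(cs.attrs)
    cs.mv_id, cs.state = mv_id, "PROJECTED"
    return mv_id


def join_on_employee_id(mv: Metaverse, cs: CSEntry) -> str:
    """Link cs to the single metaverse object with the same employeeID.

    The join key must be an identifier owned by the authoritative source and
    not editable in the connected directory; joining on a name or another
    user-writable attribute would let whoever controls a low-trust directory
    attach their record to someone else's identity and inherit its flows.
    No match leaves the entry a disconnector for a manual join; more than one
    match is a data problem that must be surfaced, never guessed at.
    """
    key = cs.attrs.get("employeeID")
    if not key:
        return cs.state
    matches = [i for i, obj in mv.objects.items() if obj.get("employeeID") == key]
    if len(matches) == 1:
        cs.mv_id, cs.state = matches[0], "JOINED"
    elif len(matches) > 1:
        raise ValueError(f"ambiguous join for employeeID {key}: {matches}")
    return cs.state


def manual_join(mv: Metaverse, cs: CSEntry, mv_id: int) -> str:
    """An administrator asserts the link the join rule could not prove."""
    if mv_id not in mv.objects:
        raise KeyError(mv_id)
    cs.mv_id, cs.state = mv_id, "JOINED"
    return cs.state


def run_sync(hr: CSEntry, others: list) -> Metaverse:
    """Project the authoritative HR record, then try to join the rest."""
    mv = Metaverse()
    project(mv, hr)
    for cs in others:
        join_on_employee_id(mv, cs)
    return mv


# Constructed sample data taken from the slide (system attribution assumed).
HR = CSEntry("HR System", {"givenName": "Clark", "sn": "Kent", "title": "Reporter",
                           "employeeID": "007", "telephone": "867-5309"})
OTHERS = [
    CSEntry("iPlanet Directory", {"givenName": "Klarek", "sn": "Cenntt", "employeeID": "008"}),
    CSEntry("Active Directory", {"givenName": "Clark", "sn": "Kennttt", "employeeID": "007"}),
    CSEntry("Lotus Notes", {"givenName": "Klarke", "sn": "Kent", "title": "Superhero",
                            "employeeID": "007", "telephone": "867-5309"}),
]

if __name__ == "__main__":
    mv = run_sync(HR, OTHERS)
    for cs in [HR] + OTHERS:
        print(f"{cs.system:18} {cs.state:12} mv={cs.mv_id}")
```

Running it shows the HR entry as PROJECTED, the Active Directory and Lotus Notes entries as JOINED to the same metaverse object, and the iPlanet entry with employeeID 008 as a DISCONNECTOR. The check a practitioner wants before enabling a join rule in production is the same one the code enforces: the key is unique in the metaverse and not writable by the users of the connected directory.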

Page 6:

Attribute Flow Scenario

[Diagram: identity data aggregation. The HR System, iPlanet Directory, Active Directory and Lotus Notes hold the same records as on the previous slide (attributes givenName, sn, title, mail, employeeID, telephone), now joined to one metaverse object. Each attribute has an authoritative source: FirstName, LastName and EmployeeID are listed together against the HR System, while Title, E-Mail and Telephone are each listed against a different connected directory. MIIS aggregates the authoritative value of each attribute into the metaverse object: Clark, Kent, employeeID 007, Reporter, 867-5309.]

Page 7:

Attribute Flow Scenario

[Diagram: identity data brokering (convergence). The aggregated metaverse values (Clark, Kent, Reporter, [email protected], 867-5309, employeeID 007) are exported from the metaverse to the HR System, iPlanet Directory, Active Directory and Lotus Notes, so the misspelled and missing values in the connected directories converge on the authoritative ones.]

Page 8:

Attribute Flow Scenario

[Diagram: identity data integrity enforcement, first step. After convergence every system holds Clark, Kent, Reporter, [email protected], 867-5309, employeeID 007. The title is then changed locally to Superhero in a connected directory; the slide shows the value Superhero next to the authoritative title Reporter across the systems.]

Page 9:

Identity Data Integrity Enforcement

[Diagram: the same systems and records. A further local change sets the title to Publisher in a connected directory. Because the title has one authoritative source, MIIS flows the authoritative value back out on the next synchronization; the slide shows Reporter restored against employeeID 007 across the connected directories, overwriting the local Superhero and Publisher edits.]
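The three attribute-flow slides (aggregation, brokering/convergence, integrity enforcement), as one added Python example that is not code from the deck and not MIIS itself (MIIS configures precedence per metaverse attribute and runs the flows in its sync engine). It assumes the four records are already joined to one metaverse object, and assumes the precedence table: HR System is authoritative for givenName, sn, employeeID and title; Lotus Notes for mail; Lotus Notes, then HR System, for telephone. The mail address is a constructed value.

```python
"""Import and export attribute flow with per-attribute precedence.

Added example: not from the deck and not MIIS. PRECEDENCE and CONNECTORS
are assumed/constructed sample data following the slides' grouping.
"""
import copy

# Assumed: for each metaverse attribute, the ordered list of systems allowed to
# supply it. The first listed system that has a value wins; systems not listed
# cannot contribute to the attribute at all, whatever they contain.
PRECEDENCE = {
    "givenName": ["HR System"],
    "sn": ["HR System"],
    "employeeID": ["HR System"],
    "title": ["HR System"],
    "mail": ["Lotus Notes"],
    "telephone": ["Lotus Notes", "HR System"],
}

# Constructed connector-space contents, all joined to the same person.
CONNECTORS = {
    "HR System": {"givenName": "Clark", "sn": "Kent", "title": "Reporter",
                  "employeeID": "007", "telephone": "867-5309"},
    "iPlanet Directory": {"givenName": "Klarek", "sn": "Cenntt", "employeeID": "007"},
    "Active Directory": {"givenName": "Clark", "sn": "Kennttt", "employeeID": "007"},
    "Lotus Notes": {"givenName": "Klarke", "sn": "Kent", "title": "Superhero",
                    "mail": "ckent@example.com", "employeeID": "007",
                    "telephone": "867-5309"},
}


def import_flow(connectors: dict) -> dict:
    """Aggregation: build the metaverse object from the highest-precedence
    connector holding each attribute. Notes' 'Superhero' never reaches the
    metaverse because Notes is not a permitted source for title."""
    mv = {}
    for attr, sources in PRECEDENCE.items():
        for system in sources:
            value = connectors.get(system, {}).get(attr)
            if value:
                mv[attr] = value
                break
    return mv


def export_flow(mv: dict, connectors: dict) -> dict:
    """Brokering: push every metaverse value to every connected system.
    Re-running this after a local edit is the integrity enforcement: a change
    made in a non-authoritative system is overwritten at the next sync."""
    out = copy.deepcopy(connectors)
    for system in out:
        out[system].update(mv)
    return out


def sync(connectors: dict):
    mv = import_flow(connectors)
    return mv, export_flow(mv, connectors)


def enforcement_demo():
    """Local edit of title in Active Directory (non-authoritative) is reverted.
    Returns (metaverse after aggregation, AD title after the edit,
    AD title after the next sync)."""
    mv1, converged = sync(CONNECTORS)
    tampered = copy.deepcopy(converged)
    tampered["Active Directory"]["title"] = "Superhero"
    _, enforced = sync(tampered)
    return mv1, tampered["Active Directory"]["title"], enforced["Active Directory"]["title"]


def authoritative_change_demo() -> set:
    """The same edit made in the authoritative system propagates everywhere.
    Returns the set of title values across all systems after the sync."""
    _, converged = sync(CONNECTORS)
    converged["HR System"]["title"] = "Publisher"
    _, out = sync(converged)
    return {cs["title"] for cs in out.values()}


if __name__ == "__main__":
    mv, after_edit, after_sync = enforcement_demo()
    print("metaverse:", mv)
    print("AD title after local edit:", after_edit, "-> after sync:", after_sync)
    print("titles after HR change:", authoritative_change_demo())
```

The point for a reviewer of a precedence table is the mail line: Lotus Notes is the only source for mail, so whoever can write that attribute in Notes controls the address that every other system, and any password-reset or notification flow built on it, will see. Precedence is an access-control decision, not just a data-quality one.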

Page 10:

MIIS in action…

Demo

Page 11:

Agenda

MIIS Scenarios
How MIIS works
MIIS Futures

Page 12:

Terminology

[Diagram: Connected Directories <-> Management Agent (MA) <-> Connector Space <-> Metaverse. Each MA presents an interface ("filters", schema) towards its connected directory and applies filters and rules between its connector space and the metaverse. Operations labelled on the arrows: Staging (connected directory into connector space), Projection and Join (connector space into metaverse), Provisioning (metaverse into connector space), Export (connector space out to the connected directory). Run profiles: Import/Export Run Profile, Sync Run Profile.]

Page 13:

Terminology (continued)

[Diagram: the same Connected Directories / Management Agent (MA) / Connector Space / Metaverse picture. Each MA's filters and rules can be supplemented by a Rules Extension. Import Attribute Flow carries values from a connector space into the metaverse; Export Attribute Flow carries metaverse values back out to a connector space.]

Page 14:

MIIS – Metadirectory Functionality and Connectivity

Wide range of connectivity to identity data held in NOS, LDAP, SQL and LOB apps:
Active Directory & ADAM
Sun/iPlanet Directory
IBM DS
Novell eDirectory
Microsoft SQL 2000 & SQL 7
Oracle 9i/8i
IBM DB2
Lotus Notes 5.x/6.x
Microsoft Exchange 5.5, 2K, 2K3
Microsoft NT 4.x
RACF
DSML, LDIF, CSV, fixed width
… others to follow

MA SDK allows ISVs and corporate developers to build custom MAs

Page 15:

Synchronizing Identity Stores - The Management Agent SDK

Easy to use SDK to build Management Agents: a .NET hosted set of interfaces
Addresses IT Pro and ISV audiences

IT Pro
Fast MA development using a template
Simple to configure by reusing the "Extensible MA UI"

ISVs
Allows customizing the MA configuration UI and providing a customized look and feel
Enables packaging and redistribution of management agents
Enables Identity Manager-integrated development of the MA configuration UI

Supports password synchronization

Page 16:

Password Synchronization: Password Change Notification

Password Filter
The password filter is extremely lightweight to minimize any impact on the DC
The filter receives the change notifications and securely communicates passwords to the service

Password Notification Service
The service encrypts and queues the password notification to be delivered to the registered targets (MIIS or HIS)
Notifications are transmitted via secure RPC to the target
A queuing and retry mechanism guards against lost passwords due to connectivity issues
PCNS and MIIS mutually authenticate to prevent spoofing

[Diagram: on the Active Directory Domain Controller, the Password Filter runs inside the LSA process and hands password changes to the Password Notification Service, which delivers them to the Identity Integration Server.]

Page 17:

Password Synchronization: Identity Integration Server

MIIS receives notifications from PCNS and locates the matching object for the user's Active Directory account
MIIS leverages the metadirectory "join" relationship to locate the correct accounts in the target systems
MIIS maintains a queue for each target system to optimize delivery and handle systems that are less reliable
Passwords can be synchronized to any system managed by MIIS management agents
Password Extensions allow synchronizing passwords to custom applications and directories

[Diagram: PCNS -> Identity Integration Server (Connector Space, Metaverse, one Queue per target) -> Connected Directories.]
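The delivery path on the two password-synchronization slides (PCNS hands a change to MIIS, MIIS resolves the AD account through its join relationships and feeds one queue per target, with retry for unreliable targets), as an added Python example that is neither the deck's code nor PCNS/MIIS. The authenticated RPC transport and the encryption of the queued notification are out of scope and stand in as an in-memory call and an opaque sealed blob; the join table and the target connectors are constructed stand-ins that either accept or fail a delivery.

```python
"""Routing a password change notification to per-target queues with retry.

Added example: not from the deck, not PCNS and not MIIS. JOIN_TABLE, the
target callables and the sealed blob are constructed placeholders.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class SealedPassword:
    """Placeholder for the encrypted blob PCNS queues. The plaintext is not
    recoverable from it here, and repr() never prints its contents, so it is
    safe to carry through code paths that log their arguments."""
    blob: bytes

    def __repr__(self) -> str:
        return "SealedPassword(<redacted>)"


@dataclass
class Notification:
    account: str            # account name in the target system
    sealed: SealedPassword
    attempts: int = 0


class PasswordRouter:
    """One queue per target: a slow or failing target must not delay the
    others, and a notification is only dropped after max_attempts."""

    def __init__(self, join_table: dict, targets: dict, max_attempts: int = 3):
        # join_table: AD account -> {target system: account name in that system}
        # targets:    target system -> callable(account, sealed) -> bool (delivered?)
        self.join_table = join_table
        self.targets = targets
        self.max_attempts = max_attempts
        self.queues = {name: deque() for name in targets}
        self.log = []       # audit trail: account names only, never the password

    def receive(self, ad_account: str, sealed: SealedPassword) -> list:
        """Resolve the joined accounts and enqueue one delivery per target."""
        linked = self.join_table.get(ad_account)
        if linked is None:
            self.log.append(f"no metaverse object for {ad_account}; dropped")
            return []
        routed = []
        for target, account in linked.items():
            if target in self.queues:
                self.queues[target].append(Notification(account, sealed))
                routed.append(target)
        return routed

    def process_round(self) -> dict:
        """One delivery pass over every queue; returns the outcome per target."""
        outcome = {}
        for target, q in self.queues.items():
            if not q:
                continue
            n = q[0]
            n.attempts += 1
            if self.targets[target](n.account, n.sealed):
                q.popleft()
                outcome[target] = "delivered"
                self.log.append(f"{target}: password set for {n.account}")
            elif n.attempts >= self.max_attempts:
                q.popleft()
                outcome[target] = "failed"
                self.log.append(f"{target}: gave up on {n.account} after {n.attempts} attempts")
            else:
                outcome[target] = "retry"
        return outcome


def make_target(failures: int):
    """Stand-in connector that fails the first `failures` deliveries."""
    state = {"left": failures}

    def deliver(account: str, sealed: SealedPassword) -> bool:
        if state["left"] > 0:
            state["left"] -= 1
            return False
        return True
    return deliver


# Constructed join relationships, the result of the joins on the earlier slides.
JOIN_TABLE = {
    "CORP\\ckent": {"iPlanet Directory": "uid=ckent", "Lotus Notes": "Clark Kent/Daily Planet"},
}


def demo():
    """iPlanet accepts at once; Notes fails twice, then succeeds on the third pass."""
    router = PasswordRouter(JOIN_TABLE, {"iPlanet Directory": make_target(0),
                                         "Lotus Notes": make_target(2)})
    routed = router.receive("CORP\\ckent", SealedPassword(b"\x9f\x02\x41\x77"))
    rounds = [router.process_round() for _ in range(3)]
    return routed, rounds, router.log


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Two things to check in any real deployment follow from the design: the audit log must record which accounts were updated and which deliveries were abandoned, but never the credential itself, and the drop-after-N behaviour means a target that is down for longer than the retry window ends up with a stale password, which is a detection event, not a silent condition.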

Page 18:

Visualization

Different hierarchies suit different needs
Multiple hierarchical representations can be discovered from the data
Polyarchy eliminates the requirement for a fixed hierarchy
Polyarchy provides multiple hierarchical views and richer visualization of infrastructure information

Page 19:

Agenda

MIIS Scenarios
How MIIS works
MIIS Futures

Page 20:

MIIS Roadmap

MIIS 2003 SP1 - Q4/CY04: extending MA reach and password capabilities
Additional MAs
MA SDK
Password Extensions
Password synchronization from Windows desktop

MIIS 2003 SP1 ResKit - Q4/CY04: providing tools for provisioning
Code generator
Workflow

MIIS - Gemini: lowering the cost and risks of Identity Management
Codeless provisioning
Entitlement reporting
Self-service platform
Password reset
Additional MAs

Page 21:

1. Codeless provisioning
2. Richer logging/auditing
3. Self-service platform
4. Workflow for provisioning and self-service
5. Password self-service reset
6. Cluster support
7. Computed attributes (dynamic groups)
8. Cross-forest group management
9. Entitlement reporting
10. Capacity planning documentation
11. Scalability improvements
12. UNIX / OpenLDAP / Generic LDAP MA

Page 22:

Review

MIIS Scenarios
How MIIS works
MIIS Futures

Page 23: