May 30th–31st, 2007, Chateau Laurier Ottawa
Identity Management
John Weigelt,
National Technology Officer
Microsoft Canada
Outline
The Power of Identity
Unleashing the Power of Identity
Technical Strategy
Roadmap
Summary
2006
What is Identity Management?
A system of procedures and policies to manage the lifecycle and entitlements of electronic credentials.
Directory Services: Repositories for storing and managing accounts, identity information, and security credentials.
Access Management: The process of authenticating credentials and controlling access to networked resources based on trust and identity.
Identity Lifecycle Management: The processes used to create and delete accounts, manage account and entitlement changes, and track policy compliance.
The Power of Identity
(Diagram: identity empowers communication & collaboration, anywhere access, extending the enterprise, and connected systems.)
Connecting: know who you are
Interacting with: prove record of interaction
Anywhere Access: grant appropriate access
Extending the Enterprise: protect confidential information
Connected Systems
Identity Facts
Too Many User Repositories
Enterprises have 68 internal and 12 external account directories
75% of internal users and 38% of external users are in multiple stores
Increasing IT Operational Costs
45% of all help desk calls are for password resets
Organizations are managing on average 46 suppliers, spending over 1380 hours managing changes to access privilege.
Inefficient Account Provisioning/De-Provisioning
User management consumes 34% of the total time IT spends on IdM
User accounts get created in 16 systems and deleted in 10.
Impact on User Productivity
On average IT is managing access to 73 unique applications requiring user access.
Average user spends 16 minutes a day for logins
SSO increases user productivity by 15% and efficiency by 18%
Source: META Group research conducted on behalf of PricewaterhouseCoopers, June 2002, MSFT Internal
IDA Challenges
Compliance:
Provisioning in accordance with company policies
Establishing auditable processes for granting access rights
Security:
Ensuring that only authorized users get network access
Protecting confidential information from improper distribution
Business Enablement:
Freeing up IT resources to focus on high business-value work
Creating new ways to connect with customers & partners
Operational Efficiency:
Automating, reducing and simplifying manual processes
Reducing the complexity of managing many identity stores
Connected Identity
(Diagram: partners, customers and Internet services connected through the Identity Metasystem on a WS-* Web Services Architecture, extending the reach of applications and of information workers.)
Authentication Spectrum
(Diagram: a spectrum of authentication mechanisms, the eAuthentication scenarios they serve, and the products behind them.)
Mechanisms: Domain Login; X-Forest Trust; Federation; Identity Metasystem; Web Self-Asserted Login
eAuthentication scenarios: Employee Network Access; eID; Cross Program Authentication; Interjurisdictional Authentication; Business Extranet; Citizen Service Delivery
Products: Domain/Directory Services; SQL; CardSpace; ERM; CRM; LDAP; ADFS; X.500; Certificate
Piecemeal Approaches
(Diagram: four separate products, User Provisioning, Strong Authentication, Web Access Management and Federated Identity, each with its own user experiences, infrastructure and connectors.)
Each product connects separately to: Directories; HR Systems; ERP Systems; Databases; Identity Stores; Supported Applications; Audit Systems
Different in each product: User Portals; Designers; Role Mgmt; Reporting; Policy Model; Workflow; Configuration DB; Dev Model
Multiple products with separate management, infrastructure, and connectors
Feature overlap across management and core infrastructure
Microsoft’s Offerings
(Diagram of the platform stack)
User and Developer Experiences: Microsoft Office; Windows; .Net & Visual Studio; Web Sites
IDA Management: Identity Lifecycle Manager; Certificate Services; Rights Management Services; Active Directory Federation Services
Platform Components: Active Directory Domain & Directory Services; Workflow Foundation; 20+ Connectors
Windows Services; WS-*; Extensibility
Best of breed for Windows that extends to the enterprise
Five Solution Scenarios
Microsoft Solution Focus Areas (mapped onto the same platform stack as the previous slide: Microsoft Office, Windows, Web Sites, .Net & Visual Studio; Identity Lifecycle Manager, Certificate Services, Rights Management Services, Active Directory Federation Services; Active Directory Domain & Directory Services, Workflow Foundation, 20+ Connectors; Windows Services, WS-*, Extensibility)
Directory Services
Information Protection
Strong Authentication
Federated Identity/SSO
Identity Lifecycle Mgmt
Extending trust across domains
G2G, G2B Federated Single Sign-on
(Diagram: a user with an account and credentials in Department A's Active Directory holds a security token (e.g. a Kerberos ticket) and, through Department A's ADFS, reaches intranet applications, an external department's WS Security application that requires XRML, and Jurisdiction B's WS Security application that requires SAML, over Exchange and web service collaboration.)
Department A, accessing an external department:
1. ADFS creates an XRML token
2. Signs it with the department’s private key
3. Sends it back to the user
4. The user accesses the external department with the token
Jurisdiction B:
1. ADFS creates a SAML token
2. Signs it with the department’s private key
3. Sends the token back to the user
4. The user accesses Jurisdiction B using the token
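The four steps above are the whole of the federation flow: the issuer signs a claims token with its private key, the user carries it, and the relying party decides whether to honour it. The following Go program is an added example, not code from the presentation or from ADFS itself; it models that flow with a hypothetical JSON token format standing in for SAML or XRML, and uses the slide's names Department A (issuer) and Jurisdiction B (relying party). It goes beyond the slide in one way: the relying party's Accept check shows what a relying party has to verify before granting access, namely that the claimed issuer is in its trust list, that the signature verifies under that issuer's key, that the token was issued for this audience, and that it has not expired.

```go
package main

// Added example (not from the presentation or ADFS): a minimal model of the
// federated sign-on flow. Department A's issuer signs a claims token with its
// private key; Jurisdiction B's relying party trusts Department A's public key
// and refuses tokens that are tampered with, signed by an unknown issuer,
// addressed to another audience, or expired. Token format is hypothetical JSON.

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Claims is what the issuer asserts about the user (hypothetical token format).
type Claims struct {
	Issuer   string   `json:"iss"`
	Subject  string   `json:"sub"`
	Audience string   `json:"aud"`
	Roles    []string `json:"roles"`
	Expires  int64    `json:"exp"` // Unix seconds
}

// Token is the serialized claims plus the issuer's signature over those bytes.
type Token struct {
	Payload   []byte
	Signature []byte
}

// Issuer models the ADFS role: it holds the department's private key.
type Issuer struct {
	Name string
	key  *rsa.PrivateKey
}

// NewIssuer generates a fresh key pair for the named issuer.
func NewIssuer(name string) (*Issuer, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Issuer{Name: name, key: key}, nil
}

// Issue performs steps 1-3 of the slide: create the token, sign it, return it to the user.
func (i *Issuer) Issue(subject, audience string, roles []string, ttl time.Duration) (Token, error) {
	payload, err := json.Marshal(Claims{Issuer: i.Name, Subject: subject, Audience: audience,
		Roles: roles, Expires: time.Now().Add(ttl).Unix()})
	if err != nil {
		return Token{}, err
	}
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPSS(rand.Reader, i.key, crypto.SHA256, digest[:], nil)
	if err != nil {
		return Token{}, err
	}
	return Token{Payload: payload, Signature: sig}, nil
}

// RelyingParty models the application in Jurisdiction B. The federation trust is
// the set of issuer public keys it accepts; Audience is its own name in tokens.
type RelyingParty struct {
	Audience string
	trusted  map[string]*rsa.PublicKey
}

// NewRelyingParty establishes trust in the listed issuers' public keys only.
func NewRelyingParty(audience string, issuers ...*Issuer) *RelyingParty {
	rp := &RelyingParty{Audience: audience, trusted: map[string]*rsa.PublicKey{}}
	for _, is := range issuers {
		rp.trusted[is.Name] = &is.key.PublicKey
	}
	return rp
}

// Accept is step 4: validate the presented token before granting access.
func (rp *RelyingParty) Accept(t Token, now time.Time) (Claims, error) {
	var c Claims
	if err := json.Unmarshal(t.Payload, &c); err != nil {
		return Claims{}, errors.New("malformed token")
	}
	pub, ok := rp.trusted[c.Issuer] // the claimed issuer must be in the trust list
	if !ok {
		return Claims{}, fmt.Errorf("untrusted issuer %q", c.Issuer)
	}
	digest := sha256.Sum256(t.Payload) // and the signature must verify under that issuer's key
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest[:], t.Signature, nil); err != nil {
		return Claims{}, errors.New("bad signature")
	}
	if c.Audience != rp.Audience { // a token issued for another service is not valid here
		return Claims{}, fmt.Errorf("token issued for %q, not %q", c.Audience, rp.Audience)
	}
	if !now.Before(time.Unix(c.Expires, 0)) {
		return Claims{}, errors.New("token expired")
	}
	return c, nil
}

func main() {
	deptA, err := NewIssuer("DepartmentA")
	if err != nil {
		panic(err)
	}
	jurisB := NewRelyingParty("JurisdictionB", deptA)
	tok, _ := deptA.Issue("alice", "JurisdictionB", []string{"caseworker"}, time.Hour)
	c, err := jurisB.Accept(tok, time.Now())
	fmt.Println(c.Subject, c.Roles, err) // alice [caseworker] <nil>
	// Constructed forgery: altered claims presented with the genuine signature.
	forged := Token{Payload: []byte(`{"iss":"DepartmentA","sub":"mallory","aud":"JurisdictionB","roles":["admin"],"exp":4102444800}`), Signature: tok.Signature}
	_, err = jurisB.Accept(forged, time.Now())
	fmt.Println(err) // bad signature
}
```

The order of checks in Accept matters: the issuer's key is looked up by the name the token claims, and only then is the signature verified under that key, so a token that names a trusted issuer but was signed by someone else fails on the signature rather than being trusted by name. Audience and expiry are checked only after the signature, since unsigned claims are not worth reading.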
Password Fatigue
Have we been conditioned to be phished?
Phishing & Phraud
(Chart: New Phishing Sites by Month, December 2004 – December 2005; monthly counts range from 1,707 to 7,197. Source: http://www.antiphishing.org)
What is a digital identity?
A set of claims someone makes about me
Claims are packaged as security tokens
Many identities for many uses
Useful to distinguish from profiles
Identity is Matched to Context
In Context
Bank card at ATM
Gov’t ID at border check
Coffee card at coffee stand
MSN Passport at HotMail
Out of Context
Coffee card at border check
Maybe Out of Context?
Gov’t ID at ATM
SSN as Student ID
MSN Passport at eBay
The Laws of Identity: An Industry Dialog
1. User control and consent
2. Minimal disclosure for a defined use
3. Justifiable parties
4. Directional identity
5. Pluralism of operators and technologies
6. Human integration
7. Consistent experience across contexts
Join the discussion at www.identityblog.com
Identity Metasystem
(Diagram: individuals, businesses, governments, devices, code and identity providers, together with anonymous identities and reputation services, connected through the metasystem.)
Metasystem Players
Identity Providers: Issue identities
Relying Parties: Require identities
Subjects: Individuals and other entities about whom claims are made
Roles of Identity Selector
Relying Party (RP): Require identities
Identity Provider (IP): Issue identities
Subject: Individual or other entity about whom claims are made.
Identity Selector (IS):
Display digital identities (cards) from IPs
Get requirements from RP
User selects the card to be presented to RP
“User controls and consents for the release of user’s identity” (Laws of Identity #1)
Windows CardSpace™
Protects users from phishing & phraud attacks
Simple, consistent user experience
Replaces usernames and passwords with strong tokens
Support for two-factor authentication
Standards!!
Built on WS-* Web Services Protocols
Can be supported by websites on any technology & platform
Tokens are cryptographically strong
Private Desktop
Runs under separate desktop and restricted account
Isolates "InfoCard" from Windows desktop
Deters hacking attempts by user-mode processes
"InfoCard" cards
Richard’s Card: Stored locally; Assertions about me; Not corroborated
Woodgrove Bank: Provided by banks, government, clubs, etc; Stored at STS; Metadata only
CardSpace Demo: IE7, Vista, Windows XP with WinFX
Built on Open Web Services Protocols
An Industry-Wide Activity
Benefits of Participating
Bet on the “playing field”, not some particular solution
Increased reach
Claims transformer enables new relationships
Increased flexibility
Policy, claims transformation “knobs and levers” enable wide variety of relationships
Easy to add support for new technology
Simple, safe user experience
More Information on IDA
Learn More About Identity Lifecycle Management
ILM 2007 Home Page: www.microsoft.com/ILM 2007
Identity Lifecycle Solutions: www.microsoft.com/ILM
ILM 2007 Evaluation Edition: www.microsoft.com/ILM 2007
Learn About Microsoft Identity and Access (IDA)
IDA Solutions Home Page: www.microsoft.com/IDA
Work with Microsoft IDA Partners
IDA Partners: www.microsoft.com/IDA
© 2004 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft
makes no warranties, express or implied, in this summary.