
Single Sign-on and Identity Management
Joe Donahue
Federal Program Manager, Directory Services
Microsoft

Agenda
- Why Single Sign-on
- The Challenges of SSO
- Implementing SSO today
  - Windows SSO
  - Reduced Sign-on (Enterprise SSO)
  - Web SSO (B2E, B2B & B2C)
- Microsoft Identity Roadmap

Why Single Sign-on: User Perspective
The Problem
- Too many credentials
- Which one for which app
- Multiple logons
[Diagram: one set of User Account/Credentials logging on separately to Web Service, File Share, email, VPN, Mainframe, Internet, UNIX App and B2B]
The Business Impact
- Increases risk of compromise
- Reduced productivity
- Increased helpdesk expenses

Why Single Sign-on: IT Perspective
The Problem
- Provisioning new accounts
- Password management
- Auditing user activity
- De-provisioning users
- Managing non-employee access
- Deploying Enterprise Applications
[Diagram: a separate Account Directory behind each of Web Service, File Share, email, VPN, Mainframe, Internet, UNIX App and B2B]
The Business Impact
- People intensive
- Delayed access for new hires
- Risk of unauthorized access
- No single view of the user

Implementing Single Sign-on Today: The Challenges
- Multiple Platforms and Application Models
  - Windows Server, multiple versions of UNIX, OS390, AS400
  - Legacy & custom applications
  - Web applications and services
  - Network gateways (VPN, Wireless, Internet)
- Different Security Mechanisms
  - Kerberos
  - Basic Authentication
  - X.509 Certificates
  - Passport
  - Proprietary (eg database lookups)
- Multiple Account Directories
  - Active Directory
  - LDAP
  - Databases
  - Application integrated
- Complexities with B2B and B2C
  - Concerns about mixing partner & customer accounts with employee accounts
  - Privacy (outbound) as well as security (inbound) concerns
  - Are external users & their entitlements up to date?
  - Day to day management issues (eg password reset)

Implementing Single Sign-on Today: Section Overview
Windows Single Sign-on
- Active Directory – The foundation for Identity management
- Windows Integrated Applications
- Network Single Sign-on with Windows Server
Reduced Enterprise Sign-on
- Extending Windows SSO to non-integrated applications
- Using Active Directory for LDAP authentication
- The role of Microsoft Metadirectory Server (MMS)
- Active Directory in Application Mode (ADAM) usage
Web Single Sign-on
- B2E using Active Directory and IIS
- B2C using Active Directory and Passport
- Extranet Access Management using Active Directory

© 2002 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
Implementing Single Sign-on Today: Windows Single Sign-on

Windows Single Sign-on: Active Directory – Foundation for Identity Management
Central Repository for:
- User Accounts & Attributes
- System Accounts & Attributes
- Organizational & Security Groups
- Application & Service Locations
- Management Policy
- Security Policy
- Digital Certificates
- Network Access Permissions
- Printer Locations
- File Shares Locations
- …
Directory Access Protocols
- LDAP v3 – Standards-based access
- ADSI – Simple COM-based Interface
- DSML – XML Interface
Integrated Security
- Kerberos v5
- x.509 Certificates (PKI)
- Security Domain

Windows Single Sign-on: Integrated Windows Sign-on
[Diagram: Logon to Windows → Active Directory → Exchange, Web Service, File Share]
Flexible Authentication
- Windows Integrated Kerberos
- X509 v3/Smartcard
- Biometrics
- Passport (Web)
- Basic (Web)
- Digest (Web)
Single Sign-on to:
- Windows File servers
- Windows Web applications
- Exchange email
- SQL Server
- BizTalk Server
- Other Microsoft applications
- 3rd Party Integrated Apps

Windows Single Sign-on: Extending SSO to the Network
[Diagram: Remote User → Internet → VPN/RAS Gateway → IAS/RADIUS → Active Directory; Corp Net with Exchange, Web Service, File Share and ERP/CRM Applications]
Integrated Network Sign-on Services
- Integrated VPN SSO
- Integrated Wireless SSO
- Certificate and smartcard logon
- Standards-based interoperability
  - L2TP/IPSEC VPN
  - 802.1x wireless and wired LAN
  - RADIUS
  - EAP
  - PEAP (Windows Server 2003)

Implementing Single Sign-on Today: Reduced Enterprise Sign-on

Reduced Enterprise Sign-on: Extending Windows SSO
[Diagram: Logon to AD → Active Directory → Kerberos Application, UNIX, 390/AS400]
Kerberos
- Native AuthN protocol
- MIT v5 Compliant
- Carries group info in PAC
- Windows PAC is open
Services for UNIX
- NIS Server for AD
- NIS-AD directory sync
- Password synchronization
- User name mapping
Host Integration Server
- Windows to RACF accounts
- Windows to OS/400 Security System
- Bi-Directional Password Synchronization

Reduced Enterprise Sign-on: LDAP Authentication & Directory Integration
[Diagram: Web Service, Exchange, File Share, Web app, Application (LDAP), Application (SQL) and Enterprise App; Active Directory alongside a separate Account Directory]
Integrate LDAP with AD
- LDAP v3 compliant
- Single AD and LDAP user account
- ADAM for personalization data
Microsoft Metadirectory Server
- Directory synchronization
  - LDAP (eg iPlanet & others)
  - Relational databases
  - DSML
  - Application specific
- Account Provisioning
  - Automate account creation
  - Automate account de-provisioning
- Password Management (MMS 2003)
  - Self-service password reset
- Certificate Management
- Maintain central user repository!

ADAM Usage: Integrating extended LDAP app with AD
[Diagram: User (right) and “shadow” (left); the Client stores/retrieves data through the Server in ADAM, which holds data specific to the portal app; the Infrastructure Active Directory holds data shared by all apps]
- Store app data without extending infra DS schema
- App data keyed off identifier from infra directory
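The metadirectory slide lists directory synchronization, automated account creation and automated de-provisioning as the jobs MMS does. The example below, added here and not Microsoft's or MMS's own code, shows the core of that work: an authoritative source (an HR feed, say) is compared with a connected directory on a shared identifier and the difference is turned into provisioning actions. The Person fields, the sample records and the decision to model de-provisioning as "disable" rather than delete are this example's own assumptions.

```go
package main

import (
	"fmt"
	"sort"
)

// Person is a user record as seen by one connected system. Field names are
// this example's own; the deck names no schema. ID is the identifier shared
// by all connected systems, which is what gives a "single view of a user".
type Person struct {
	ID      string
	Name    string
	Enabled bool
}

// Actions is the provisioning work the metadirectory would push to the
// target directory after comparing it with the authoritative source.
type Actions struct {
	Create  []string // in the source, missing from the target
	Disable []string // enabled in the target, but gone or disabled in the source
	Update  []string // present in both, attributes differ
}

// Reconcile compares an authoritative source with a connected directory and
// returns the actions needed to bring the directory in line. De-provisioning
// is modelled as "disable" rather than delete (an assumption of this example)
// so audit history and object ownership survive.
func Reconcile(source, target map[string]Person) Actions {
	var a Actions
	for id, src := range source {
		dst, ok := target[id]
		switch {
		case !ok && src.Enabled:
			a.Create = append(a.Create, id)
		case ok && !src.Enabled && dst.Enabled:
			a.Disable = append(a.Disable, id) // leaver: source says disabled
		case ok && src.Enabled && (dst.Name != src.Name || !dst.Enabled):
			a.Update = append(a.Update, id)
		}
	}
	for id, dst := range target {
		if _, ok := source[id]; !ok && dst.Enabled {
			a.Disable = append(a.Disable, id) // orphan: no source record at all
		}
	}
	sort.Strings(a.Create)
	sort.Strings(a.Disable)
	sort.Strings(a.Update)
	return a
}

// SampleSource and SampleTarget are constructed data for the demonstration.
func SampleSource() map[string]Person {
	return map[string]Person{
		"1001": {ID: "1001", Name: "Alice Example", Enabled: true},
		"1002": {ID: "1002", Name: "Bob Example", Enabled: false},     // left the company
		"1003": {ID: "1003", Name: "Carol Example", Enabled: true},    // new hire
		"1004": {ID: "1004", Name: "Dan Example-Smith", Enabled: true}, // name change
	}
}

func SampleTarget() map[string]Person {
	return map[string]Person{
		"1001": {ID: "1001", Name: "Alice Example", Enabled: true},
		"1002": {ID: "1002", Name: "Bob Example", Enabled: true},
		"1004": {ID: "1004", Name: "Dan Example", Enabled: true},
		"1999": {ID: "1999", Name: "Old Contractor", Enabled: true}, // no source record
	}
}

func main() {
	a := Reconcile(SampleSource(), SampleTarget())
	fmt.Println("create: ", a.Create)  // [1003]
	fmt.Println("disable:", a.Disable) // [1002 1999]
	fmt.Println("update: ", a.Update)  // [1004]
}
```

The orphan branch is the one that matters most for the slide's "risk of unauthorized access": an account with no authoritative owner is exactly the contractor or ex-employee account that SSO alone does not clean up, and the reconciliation makes it visible on every run.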

Implementing Single Sign-on Today: Web Single Sign-on

Web Single Sign-on: B2E Using Active Directory and IIS
[Diagram: Logon to AD → Active Directory → Web App 1, Web App 2 and Web App 3, each running on IIS]
IIS Integrated Authentication
- Uses Kerberos or NTLM
- Supports RBAC in Windows Server 2003
- Supports URL authorization in Windows Server 2003

Web Single Sign-on: B2C Using Passport and Active Directory
[Diagram: customer browser → IIS Web Server on Windows Server 2003 → Authorization Check against Active Directory or ADAM; Passport as the credential authority]
- (Step 1) Customer accesses a Web site using any standards-based browser
- (Step 2) Passport verifies the user's credentials and sends a PUID back to the Web site
- (Step 3) Web app verifies activation code & maps PUID to AD account
- (Step 4) User is authorized based on AD account
Passport manages user credentials; Passport manages user authentication; you manage user access controls.

Web Single Sign-on: Extranet Access Management using AD
[Diagram: Enterprise Extranet: “My” Corporate Identities and Partner Identities held in Active Directory or ADAM; Web App 1 and Web App 2 each fronted by a Web SSO Agent; EAM with Delegated Admin; AuthN by LDAP Bind; SSL Session and Cookie. “Trusted” Business Partner: “Their” Corporate Identities in the partner's own Active Directory; Cross Forest Trust/Kerb to Internal Applications; User]

XML Web Services: Next Wave of Internet Evolution
[Chart: Technology Innovation over time against the Standard of each era. Connectivity: TCP/IP (FTP, E-mail, Gopher). Presentation: HTML (Web Pages; Browse the Web). Programmability: XML (Web Services; Program the Web). What's Next? Vision and Roadmap.]

Digital Identities: Next Wave of Evolution
[Chart: Technology Innovation against Security. DNS, SMTP: Send E-mail; Identity Islands (Today). SSL, Name/PW: Web Apps; Identity Management (Pseudonymity). WS-Security: Web Services; Federated Identities (Connected).]

Web Services Security
[Diagram: SOAP Foundation; Security; SecureConversation, Federation, Authorization; Policy, Trust, Privacy]
- Security in a Web Services World – IBM/MSFT White Paper
- WS-Security Specification – At OASIS, broad industry support

The Vision of Single Sign-on
- A Single User Identity
  - A single corporate identity
  - A single consumer identity
- Strong multifactor authentication
  - Certificates
  - Biometrics
- Interoperability (client and server)
  - Multi-Platform
  - Multi-Application
  - Multi-Protocol
- Federated Authentication and Access
  - Single Sign-on that spans businesses
  - Single sign-on that spans consumer applications

The Vision and Future of SSO: B2B Federated Single Sign-on
[Diagram: User Account/Credentials logs on to Active Directory, which serves Intranet Applications and Collaboration; a Security Token Exchange Web Service (“TrustBridge”) turns the corporate credential (eg Kerberos Ticket) into the token each supplier requires; Supplier A and Supplier B are reached over WS Security]
Supplier A (application requires an XRML security token)
1. “TrustBridge” creates XRML token
2. Signs it with company's private key
3. Sends it back to the user
4. Access Supplier with the token
Supplier B (application requires a SAML security token)
1. “TrustBridge” creates SAML token
2. Signs it with company's private key
3. Sends the token back to the user
4. Accesses Supplier B using the token
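The four numbered steps on the B2B slide are the same protocol for both suppliers: the company's token service signs a claim about the user with the company's private key, the user carries the token, and the supplier accepts it only because it trusts the company's public key. The example below is added here to show that exchange end to end; it is not TrustBridge, WS-Security, SAML or XrML code. It stands in a JSON claim set and an Ed25519 signature for the real token formats, and the issuer, subject and supplier names, the claim field names and the one-hour lifetime are all constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Token is the set of claims the issuing company asserts about the user.
// Field names are this example's own, not a SAML or XrML schema.
type Token struct {
	Issuer   string `json:"iss"`
	Subject  string `json:"sub"`
	Audience string `json:"aud"` // the supplier the token was issued for
	IssuedAt int64  `json:"iat"`
	Expires  int64  `json:"exp"`
}

// SignedToken carries the serialized claims and the issuer's signature over
// exactly those bytes.
type SignedToken struct {
	Claims    []byte
	Signature []byte
}

const tokenLifetime = 3600 // seconds; an assumed policy value

// GenerateIssuerKey creates the company's signing key pair. The public half is
// what a supplier configures when it decides to trust the company.
func GenerateIssuerKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// IssueToken is steps 1-3 of the slide: build the token for one supplier, sign
// it with the company's private key, and hand it back to the user.
func IssueToken(priv ed25519.PrivateKey, issuer, subject, audience string, nowUnix int64) (SignedToken, error) {
	claims, err := json.Marshal(Token{
		Issuer: issuer, Subject: subject, Audience: audience,
		IssuedAt: nowUnix, Expires: nowUnix + tokenLifetime,
	})
	if err != nil {
		return SignedToken{}, err
	}
	return SignedToken{Claims: claims, Signature: ed25519.Sign(priv, claims)}, nil
}

// VerifyToken is step 4 from the supplier's side. The supplier accepts the
// token only if the signature verifies under the issuer key it trusts, the
// token was issued for this supplier, and it is inside its validity window.
// The claims are parsed only after the signature has been checked.
func VerifyToken(pub ed25519.PublicKey, st SignedToken, audience string, nowUnix int64) (Token, error) {
	if !ed25519.Verify(pub, st.Claims, st.Signature) {
		return Token{}, errors.New("signature invalid: not issued by a trusted company")
	}
	var tok Token
	if err := json.Unmarshal(st.Claims, &tok); err != nil {
		return Token{}, err
	}
	if tok.Audience != audience {
		return Token{}, fmt.Errorf("token issued for %q, not for this supplier", tok.Audience)
	}
	if nowUnix >= tok.Expires || nowUnix < tok.IssuedAt {
		return Token{}, errors.New("token outside its validity window")
	}
	return tok, nil
}

func main() {
	pub, priv, err := GenerateIssuerKey()
	if err != nil {
		panic(err)
	}
	now := int64(1_700_000_000) // constructed timestamp
	st, _ := IssueToken(priv, "contoso.example", "alice", "supplier-b.example", now)

	tok, err := VerifyToken(pub, st, "supplier-b.example", now+10)
	fmt.Println(tok.Subject, err) // alice <nil>

	_, err = VerifyToken(pub, st, "supplier-a.example", now+10) // wrong supplier
	fmt.Println(err)

	st.Signature[0] ^= 0xff // token altered in transit
	_, err = VerifyToken(pub, st, "supplier-b.example", now+10)
	fmt.Println(err)
}
```

The audience check is what keeps the slide's "no duplicated or mapped ids" promise safe: a token minted for Supplier B is useless at Supplier A even though both trust the same company key, so a compromised supplier cannot replay its users' tokens elsewhere.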

Identity Management Roadmap
- XML Web Services Specifications
  - Broad set of specifications to enable federation of Web Services
  - In collaboration with IBM, Verisign, etc.
  - WS-Security working group within OASIS
    - Kerberos, X509v3, SAML and XrML “security tokens”
- Windows Server 2003 – April 2003
  - Cross Forest Trust – Intranet Federation
  - Native support for Passport authentication
  - Integrated Role-Based Access Control
  - Web Services integration (.NET framework and UDDI)
- MMS 2003 – Windows Server 2003 + 90 days
  - Directory Integration & Synchronization
  - Account Provisioning
  - Password Management
  - Single view of a user across the enterprise
- Active Directory Application Mode – Windows Server 2003 + 90 days
  - Enables AD to be deployed as a “simple” LDAP directory
  - Used for application specific user information
- “Jupiter” (e-business server) – Q4 2003
  - SSO through adapters to enterprise applications
- Passport Federation Support – H2 2003
  - Authentication authority for consumer web services
  - Federation support in 2003 based on Web Services
- “TrustBridge” – TBD
  - Based on WS-Security for identity interoperability
  - Web Security runtime to enable federated applications
  - “TrustBridge” will enable secure identity federation

Summary
- Standardize on a Single Directory Technology
  - Consolidate LDAP directories with Active Directory
  - Use AD with integrated security for Windows SSO
  - Use AD/AM for application specific user information
- Use Kerberos for Interoperability
  - Industry standard protocol for authentication
  - Native protocol used by Windows Servers and Clients
  - Used by many UNIX-based applications
- Use MMS to Simplify Identity Management
  - Directory integration synchronization
  - Simple Account provisioning
  - Password management
  - Single view of the user across the enterprise
- Plan for Federated Identity Management
  - True federated Single Sign-on (no duplicated or mapped ids)
  - Utilize Web services standards (XML, SOAP, UDDI)
  - Get familiar with WS-Security
