SIM205Identity.ppt

Uploader: 文库蛋蛋多 | Document ID: 2214654 | Uploaded: 2023-01-31 | Format: PPT | Pages: 43 | Size: 13.15 MB
Identity and Access and Cloud: Better Together
Brjann Brekkan, Sr. Technical Product Manager, Identity and Access, Microsoft Corporation
Session SIM205

Agenda
- Framing the Cloud opportunity
- Supporting Technologies
- Private Cloud
- Public Cloud: PaaS
- Public Cloud: SaaS
- Summary

What is the Cloud?
Delivering IT as a Standardized Service

Opportunities
- Performing IT more cheaply
- Capitalizing on new ways to address customers
- Benefitting from further democratization of IT
- Operating a business without IT limits
- Leveraging the cloud for competitive advantage
- Developing transformative experiences and solutions

Challenges
- Existing internal applications remain critical for the foreseeable future
- Need to integrate with applications across organizations and the cloud
- Borderless collaboration across on-premises, partners, and cloud
- Partners and customers will bring their own identities
- The identity platform needs to support a range of developers
- Identity needs to be more extensible and more flexible

Enabling the Hybrid Enterprise
(diagram: types of cloud services, from on-premises "you manage" outward, with identity kept consistent across them)

Compliance and Security in the Cloud
- An organization's current identity management gaps extend to the cloud and become more complex:
  - Failure to disable accounts in a timely manner when people's employment is terminated
  - Failure to adjust rights and permissions when people transfer to new roles
- Enabling self-service capabilities without having control of user identities can result in access problems and lack of productivity

Identity and the Cloud
(diagram: user, on-premises, private cloud, public cloud, partners, SaaS, PaaS)

Microsoft Identity Components
(diagram: on-premises, private cloud and partners; AD Federation Services, AD Certificate Services, AD Rights Management Services and the AppFabric Access Control service; SAML, OAuth and WS-Trust between the user, the identity components and claims-based applications)

Some of Our Cloud/Federation Players
(logos)

Claims-Based Access Basics
- Resource provider: requires and uses claims to define users
- Claims provider: supports protocols for issuing claims
- Relationship: the context in which the meaning of the claims is defined
(diagram: the relationship between the claims provider (Security Token Service) and the resource provider, with the subject in the middle; 1. Require claims, 2. Get claims, 3. Send claims)

Microsoft Claims-Based Access Model
- Configure: claims rules (federation metadata); establish the relationship/trust (signing key)
- 1. Get policy: the end user's request to the claims-aware application returns the claims the application requires
- 2. AuthN (credentials) against the Security Token Service (AD FS), which authenticates the user against the directory (AD DS)
- 3. Get claims: the STS issues the token
- 4. AuthN (claims): the resource provider validates the token in the claims framework (WIF), in front of the application business logic
- 5. Grant/deny access

Federation: Claims Sources
- Authentication comes from AD
- Attributes can come from AD, other LDAP directories, SQL, and custom sources
- Consider whether to put claim values in AD, or to create SQL tables for new claims
- When should the AD schema be extended?
- If using SQL in AD FS, identify a unique key for users that exists both as an AD attribute and as a table column (an identifier that does not change when a user is renamed, rather than the display name)
- FIM manages attributes in AD and SQL

Forefront Identity Manager 2010 On-Premises
- Enable two-factor authentication on-premises and manage smart cards with FIM
- Password reset on-premises
- Automated security and distribution group memberships
- Self-service management of security and distribution groups
- Add additional data needed in AD with provisioning and synchronization
- Directory clean-up to ensure data quality
- Policy and workflows help with controlling access to cloud services
- Ensure accurate data is used in federation scenarios

Scenarios
- Private Cloud: self-service management of virtualization is based on providing delegated access, empowering users
- Access an application in Windows Azure: build the app with WIF; access the app via Azure AppFabric ACS; federate with identity providers
- Enable BPOS/Office 365: identity synchronization; single sign-on and authentication

Private Cloud

Hyper-V Authorization Manager: Common identity in Private Cloud
- The default role allows access to all operations
- Additional roles with only the desired rights can be created
- 33 different operations out of the box, grouped under Hyper-V Service Operations, Hyper-V Networks Operations and Hyper-V Virtual Machine Operations

Virtual Machine Manager: Common identity in Private Cloud
- The Administrator profile: complete administrative access to all the hosts, virtual machines, and library servers in VMM 2008
- The Delegated Administrator profile: grants administrative access to a defined set of host groups and library servers
- The Self-Service User profile: administrative access to a defined set of virtual machines through the web-based Virtual Machine Manager Self-Service Portal
- Additional delegation capabilities in the Self-Service Portal

Enhancing Private Cloud with FIM: Common identity
- Hyper-V and SC Virtual Machine Manager use roles
- Roles can contain users or groups from AD
- Delegation of datacenter management
- Forefront Identity Manager securely manages membership in AD groups

Public Cloud Identity Management Options
- Use the cloud service provider's (CSP's) identity management system
- Synchronize the on-premises identity store with the CSP's identity store
- Federate identity in a trusted third-party provider with the CSP
- Federate identity in the on-premises directory with the CSP

Cloud Identity Management Option: Use the CSP's System
Pros:
- Easy to set up, requiring no work with the existing identity management system
Cons:
- Difficult to keep identities synchronized between on-premises and cloud
- Terminations and transfers are the most problematic
- Might not work with hybrid clouds
- Worse, might require dangerous integration practices

Cloud Identity Management Option: Synchronization of On-Premises Identity
Pros:
- Not as difficult to set up as federation
- Synchronization can be scheduled or event-driven
- Terminations and transfers are easier to manage
- Works with existing on-premises identity lifecycle solutions
Cons:
- More difficult to set up than the CSP's identity management system
- User names might not be identical; CSPs usually default to the email address as the user name
- Passwords are often not synchronized; may be possible with additional client software

Cloud Identity Management Option: Federate with Third-Party Identity Providers
Pros:
- Allows integration with existing cloud-based identity, and potentially with services and data, and hybrid clouds
- Integration of third-party with on-premises identity is possible
- Useful approach if it is not possible to federate with the on-premises identity store
Cons:
- End users may still have multiple identities
- Can be the most difficult of all options to set up and operate
- Takes a dependency on the third-party identity provider

Cloud Identity Management Option: Federate with On-Premises Identity
Pros:
- Integrates seamlessly with on-premises identity
- Terminations and transfers can be handled with ease
- User names are usually identical
- No need to synchronize passwords
- Works well with hybrid clouds
Cons:
- Can be difficult to set up
- Requires a compatible on-premises identity store
- Can magnify existing identity management problems

Public Cloud: Platform as a Service

Windows Azure Identity Management Options
- Use the CSP's identity management system: applications built in Windows Azure can have their own ID store
- Synchronize the on-premises identity store with the CSP's identity store: load application user profiles from on-premises AD
- Federate identity in a trusted third-party provider with the CSP: the Access Control service using public identity providers
- Federate identity in the on-premises directory with the CSP: federate directly with the application, or federate with the Access Control service

Identity and Access Options: Common Identity Across Applications
(diagram: Active Directory on premises and other providers, connected over WS-* and SAML)
- Use of Active Directory identities and groups through federation
- Enable a seamless access experience with other corporate applications tied to AD
- Integration with 3rd-party systems through the WS-* and SAML 2.0 open standards
- In the next release of AppFabric Access Control Services (ACS 2.0), single sign-on with popular Internet identity providers

How ACS works
(diagram: customer, Access Control Service and your service)
- 0. Establish trust via key exchange
- 1. Define access control rules for an identity provider
- 2. Request token (pass input claims)
- 3. Map input claims to output claims based on the access control rules
- 4. Return token (receive output claims)
- 5. Send message with token
- 6. Process token

Demo: Fabrikam Shipping
- Example of Software as a Service in Windows Azure
- Sign-up experience with the Access Control service

Public Cloud: Software as a Service

SaaS Identity Management Options
- Use the CSP's identity management system: smaller customers using Office 365 IDs
- Synchronize the on-premises identity store with the CSP's identity store: Directory Sync is required by applications in Office 365
- Federate identity in a trusted third-party provider with the CSP
- Federate identity in the on-premises directory with the CSP: Office 365 enables single sign-on via federation

Office 365 Identity and Access Options: Identity synchronization and authentication
(diagram: on-premises AD synchronized by Online Directory Sync into the Office 365 identity services (directory store, provisioning platform, admin portal) that serve Lync, SharePoint and Exchange; Active Directory Federation Services as the on-premises IdP with a trust to the Office 365 authentication platform; Forefront Identity Manager 2010 managing the on-premises directory; small/medium customers using the cloud IdP directly)

What Does DirSync Do?
- Enables "identity" and "application" coexistence
- Identities are managed on premises
- Syncs users, groups and contacts
- Enables easy identity federation
- Enables application coexistence (Exchange and OC): on-premises Mail and OC services work with their corresponding cloud services (on-premises OC users can IM cloud users, and on-premises Mail routes to the cloud and vice versa)
- Enabler for Exchange "Rich Coexistence" features: involves a write-back of cloud data to the on-premises customer directory

Enhancing MS Online Services with FIM
- FIM manages on-premises AD DS: simplify and clean up AD; maintain the attributes Office 365 needs; manage groups on-premises
- The MS Online Directory Synchronization tool keeps the on-premises directory in sync with the MS Online directory
- FIM supplies AD FS with additional data for claims: construct a "role" claim, based on data in Active Directory populated by FIM, to use for authorizing access to Office 365
- FIM provisions users with smart cards or software certificates, enabling users to leverage stronger authentication for access to cloud-based services

Managing Common Identity
(diagram: FIM 2010, with workflow and self-service, feeds AD DS (phone, title, department, manager, group) and SQL Server (role, client list); users authenticate with Windows Integrated/Kerberos; AD FS 2.0 issues WS-* and SAML claims to partners and claims-aware applications; MS Online Directory Synchronization pushes the directory to the cloud)

Next Steps
Prepare for and embrace the cloud by:
- Improving quality and enhancing data in AD
- Leveraging Forefront Identity Manager to prepare for the cloud and for ongoing management on-premises
- Learning more about identity federation
- Understanding how claims-based identity can assist developers

Resources
Forefront Identity M / Based Identity: Whitepaper and Architecture Guide / on Programming WIF from MSP / Developer Training / Windows Azure Training K

Related Content
- TLC: Identity Federation, Identity Management, Directory Services
- SIM203 | Microsoft Identity and Access Strategy
- SIM358 | Preparing Identities for the Cloud with FIM
- SIM324 | Using Windows Azure Access Control Service 2.0 with Your Cloud Application
- OSP215 | Microsoft Office 365: Identity and Access Solutions
- SIM322 | Developers' View on Single Sign-On for Applications Using Windows Azure
- SIM377-INT | Claims-Based Identity
- SIM399-HOL | Managing Claims AuthN using FIM 2010
- MID274-HOL | Introduction to the Windows Azure AppFabric Access Control Service V2

Track Resources
Don't forget to visit the Cloud Power area within the TLC (Blue Section) to see product demos and speak with experts about the Server & Cloud Platform solutions that help drive your business forward. You can also find the latest information about our products at the following links:
- Windows Azure - http:/
- Microsoft System Center - http:/
- Microsoft Forefront - http:/
- Windows Server - http:/
- Cloud Power - http:/
- Private Cloud - http:/

Resources
- Sessions On-Demand & Community
- Microsoft Certification & Training Resources
- Resources for IT Professionals - http:/
- Resources for Developers - http:/
- Learning - http:/
Connect. Share. Discuss.
Complete an evaluation on CommNet and enter to win!

2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
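The claims-based access model and the "Federation: Claims Sources" slides above describe a flow in words only: the relying party publishes the claims it needs, the STS authenticates the user against the directory, pulls extra attributes from a SQL attribute store keyed on the same unique user key, and signs a token that the relying party validates before its business logic runs. The following is an added example written for this page, not code from the deck or from Microsoft. It assumes hypothetical names (contoso.example, sts.contoso.example), a sqlite table standing in for the SQL attribute store, and an HMAC key shared at trust setup as the signing mechanism; AD FS signs SAML tokens with an X.509 certificate, so treat the HMAC as a stand-in for that trust relationship.

```python
"""Claims-based access flow, end to end (added example, not Microsoft's code):
1. get policy, 2. AuthN(creds) at the STS, 3. get claims from AD plus a SQL
attribute store, 4. AuthN(claims) at the relying party, 5. grant/deny."""
import base64
import hashlib
import hmac
import json
import sqlite3
import time

# 1. "Get policy": the (hypothetical) relying party states which claims it requires.
RP_POLICY = {
    "audience": "https://app.contoso.example/",
    "required_claims": ["upn", "role"],
}

# Trust relationship: a key exchanged out of band when the RP was registered at the STS.
# Constructed value; AD FS uses a signing certificate here instead.
TRUST_KEY = b"constructed-shared-signing-key"
STS_ISSUER = "https://sts.contoso.example/"

# Constructed stand-in for AD DS: authentication plus the unique key employeeId.
# Plaintext passwords only to keep the example short.
DIRECTORY = {
    "alice@contoso.example": {"password": "correct horse", "employeeId": "E1001", "enabled": True},
    "bob@contoso.example":   {"password": "battery staple", "employeeId": "E1002", "enabled": False},
}


def build_attribute_store():
    """Constructed SQL attribute store; employee_id matches the AD attribute employeeId."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE roles (employee_id TEXT NOT NULL, role TEXT NOT NULL)")
    db.executemany("INSERT INTO roles VALUES (?, ?)",
                   [("E1001", "Shipper"), ("E1001", "Approver"), ("E1002", "Shipper")])
    return db


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _mac(body, key):
    return _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())


def issue_token(upn, password, policy, db, now=None):
    """STS side: 2. AuthN(creds), 3. collect claims from AD and SQL, sign the token."""
    now = int(time.time()) if now is None else now
    user = DIRECTORY.get(upn)
    if user is None or not user["enabled"]:
        return None                       # a disabled (terminated) account gets no token
    if not hmac.compare_digest(user["password"], password):
        return None
    rows = db.execute("SELECT role FROM roles WHERE employee_id = ?",
                      (user["employeeId"],)).fetchall()
    claims = {"upn": upn, "employeeId": user["employeeId"],
              "role": sorted(r[0] for r in rows)}
    payload = {"iss": STS_ISSUER, "aud": policy["audience"],
               "iat": now, "exp": now + 300, "claims": claims}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    return body + "." + _mac(body, TRUST_KEY)


def validate_token(token, policy, key, now=None):
    """RP side (the job WIF does): 4. AuthN(claims). Returns the claims or None."""
    now = int(time.time()) if now is None else now
    parts = token.split(".") if token else []
    if len(parts) != 2:
        return None
    body, mac = parts
    if not hmac.compare_digest(mac, _mac(body, key)):
        return None                       # signature check first, before parsing anything
    payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if payload.get("iss") != STS_ISSUER or payload.get("aud") != policy["audience"]:
        return None                       # a token for another issuer or another app is not ours
    if not payload["iat"] <= now < payload["exp"]:
        return None
    claims = payload["claims"]
    if any(c not in claims for c in policy["required_claims"]):
        return None
    return claims


def authorize(claims, needed_role):
    """5. Grant/deny: business logic decides from the claims, never by querying the directory."""
    return claims is not None and needed_role in claims["role"]
```

The order of checks in `validate_token` is the part worth copying: signature, then issuer and audience, then lifetime, then required claims. Bob's disabled flag in the directory is what makes the "failure to disable accounts" gap from the compliance slide concrete: federation stops issuing tokens for him the moment the on-premises account is disabled, with nothing to synchronize.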
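The "How ACS works" slide lists seven steps but does not show what an access control rule is or why the service should accept only tokens issued by ACS. The following is an added example for this page, not Microsoft's or the ACS 2.0 implementation. The namespace, service and identity provider names (fabrikam.accesscontrol.example, shipping.fabrikam.example, adfs.contoso.example, login.live.example) are hypothetical, the key exchange of step 0 is reduced to a set of trusted issuers, and token signing is left out so that the rule evaluation is the only thing on show.

```python
"""ACS-style claim transformation (added example, not Microsoft's code).
Step 1: rules are defined per identity provider. Steps 2-4: ACS evaluates the
rules against the input claims and returns a token it issued itself.
Step 6: the service accepts only ACS-issued tokens addressed to it."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Claim:
    issuer: str
    type: str
    value: str


@dataclass(frozen=True)
class Rule:
    """Input side: issuer plus optional type/value (None = any).
    Output side: type plus value (None = pass the input value through)."""
    issuer: str
    in_type: Optional[str]
    in_value: Optional[str]
    out_type: str
    out_value: Optional[str]

    def matches(self, claim):
        return (claim.issuer == self.issuer
                and (self.in_type is None or claim.type == self.in_type)
                and (self.in_value is None or claim.value == self.in_value))


ACS = "https://fabrikam.accesscontrol.example/"      # hypothetical ACS namespace
SERVICE = "https://shipping.fabrikam.example/"       # hypothetical relying party
ADFS = "https://adfs.contoso.example/"               # hypothetical corporate IdP
LIVE = "https://login.live.example/"                 # hypothetical public IdP
TRUSTED_IDPS = {ADFS, LIVE}                          # step 0: trust established by key exchange

# Step 1: the customer's rules, constructed for the example.
RULES = [
    Rule(ADFS, "upn", None, "name", None),                        # pass the corporate UPN through
    Rule(ADFS, "group", "Shipping-Managers", "role", "Approver"),  # AD group -> application role
    Rule(ADFS, "group", "Shipping-Staff", "role", "Shipper"),
    Rule(LIVE, "nameidentifier", None, "name", None),             # any Live ID user ...
    Rule(LIVE, "nameidentifier", None, "role", "Customer"),       # ... is just a customer
]


def request_token(input_claims, rules, audience):
    """Steps 2-4: evaluate the rules and issue ACS's own token for the audience."""
    output = []
    for claim in input_claims:
        if claim.issuer not in TRUSTED_IDPS:
            continue                     # untrusted issuer: no rule can ever fire
        for rule in rules:
            if rule.matches(claim):
                value = claim.value if rule.out_value is None else rule.out_value
                out = Claim(ACS, rule.out_type, value)
                if out not in output:
                    output.append(out)
    return {"issuer": ACS, "audience": audience, "claims": output}


def process_token(token, audience):
    """Step 6: the service trusts claims only when ACS issued them for this audience."""
    if token["issuer"] != ACS or token["audience"] != audience:
        return None
    claims = {}
    for claim in token["claims"]:
        claims.setdefault(claim.type, []).append(claim.value)
    return {k: sorted(v) for k, v in claims.items()}
```

Two things the rules make visible: a role claim that a public identity provider asserts about its own user never reaches the service, because no rule passes `role` through for that issuer, and a corporate group with no rule produces nothing. Both are why the service checks `issuer == ACS` rather than consuming identity-provider tokens directly.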
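The synchronization option and the "What Does DirSync Do?" slide above both rest on the same mechanics: the on-premises directory is the source of truth, user names may differ between the two stores, and terminations and transfers have to propagate. The following is an added example written for this page and not the logic of the DirSync tool or of FIM: a reconciliation pass that matches objects on an immutable anchor instead of the user name, disables rather than deletes terminated accounts, derives automated group membership from attributes, and reports cloud accounts that have no on-premises source. All users, groups and names are constructed.

```python
"""Directory synchronization as reconciliation (added example, not DirSync's or
FIM's code). Source of truth is the on-premises directory; all data is constructed."""
from dataclasses import dataclass


@dataclass
class User:
    anchor: str          # immutable source anchor (like an AD objectGUID); never the UPN
    upn: str
    enabled: bool
    department: str


# Attribute-driven ("automated") groups: department -> security group.
GROUP_RULES = {"Shipping": "Shipping-Users", "Finance": "Finance-Users"}

# Constructed on-premises directory after this week's HR changes.
ONPREM = {
    "g-alice": User("g-alice", "alice@contoso.example", True, "Shipping"),
    "g-bob":   User("g-bob",   "bob@contoso.example",   False, "Shipping"),  # terminated
    "g-carol": User("g-carol", "carol@contoso.example", True, "Finance"),    # transferred, renamed
    "g-dave":  User("g-dave",  "dave@contoso.example",  True, "Shipping"),   # new hire
}
# Constructed cloud directory from the previous sync, plus an account made in the cloud portal.
CLOUD = {
    "g-alice":   User("g-alice", "alice@contoso.example", True, "Shipping"),
    "g-bob":     User("g-bob", "bob@contoso.example", True, "Shipping"),
    "g-carol":   User("g-carol", "c.jones@contoso.example", True, "Shipping"),
    "cloud-eve": User("cloud-eve", "eve@contoso.onmicrosoft.example", True, "Shipping"),
}
# Constructed cloud group membership, keyed on the anchor like everything else.
CLOUD_GROUPS = {
    "Shipping-Users": {"g-alice", "g-bob", "g-carol"},
    "Finance-Users": set(),
}


def plan_user_sync(onprem, cloud):
    """Diff the source against the cloud copy, keyed on the anchor, and list the actions."""
    actions = []
    for anchor, src in onprem.items():
        dst = cloud.get(anchor)
        if dst is None:
            actions.append(("create", src.upn))
            continue
        if dst.upn != src.upn:
            actions.append(("rename", dst.upn, src.upn))
        if dst.enabled and not src.enabled:
            actions.append(("disable", src.upn))   # termination: disable, keep the object for audit
        elif src.enabled and not dst.enabled:
            actions.append(("enable", src.upn))
        if dst.department != src.department:
            actions.append(("update-department", src.upn, src.department))
    for anchor, dst in cloud.items():
        if anchor not in onprem:
            actions.append(("orphan", dst.upn))    # no source object: report it, never delete silently
    return actions


def desired_groups(directory):
    """Membership derived from attributes; disabled users drop out of every group."""
    groups = {group: set() for group in GROUP_RULES.values()}
    for user in directory.values():
        if user.enabled and user.department in GROUP_RULES:
            groups[GROUP_RULES[user.department]].add(user.anchor)
    return groups


def plan_group_sync(desired, current):
    """Membership changes needed to make the cloud groups match the desired state."""
    changes = []
    for group, members in desired.items():
        present = current.get(group, set())
        changes += [("add", group, anchor) for anchor in sorted(members - present)]
        changes += [("remove", group, anchor) for anchor in sorted(present - members)]
    return changes
```

Carol's case is the one that breaks naive syncs: keyed on the user name she would look like one deletion plus one new account, losing her history and her old group memberships at different times; keyed on the anchor she is a rename plus a department change, and the group plan moves her from Shipping-Users to Finance-Users in the same run. Eve's orphan is the "self-service without control of identities" gap from the compliance slide, surfaced rather than ignored.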
