Identity and Access Management (IAM)

Transcript of the presentation:

Identity and Access Management (IAM): the foundation for the cloud

What is an identity?
"An identity is a set of claims that one party makes about another party in the context of an established relationship."
Identifiers and credentials shown on the slide: username, password, passport, one-time password (OTP), badge, smart cards, biometrics, and profile data such as name | address | telephone | mobile | fax | building | room.
Speaker notes: A person is granted a set of privileges based on their role. They are then given an identifier that will be associated with their role. The strength of the identifier will determine the strength of the forensic evidence in an investigation.
© 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

The evolution of identities
"The client/server era started a growth of digital identities that continues with the cloud."
[Chart: number of identities over time. Eras on the timeline: Mainframe (pre-1980), Client/Server (1980), Internet (1990), Cloud (2000). Milestones: one ID and password, Enterprise SSO, Web SSO, strong authentication, PKI, mobility, federation, identity management.]
Speaker notes: In the early days IT was very simple: you had one domain that did not interact with other domains, and the biggest privilege granted to the users that logged on to that domain was what they could see or what they could print. That evolved into portable clients: users could take data, in relatively large volumes, away from the physical protection of the entity, and they also required remote connectivity, but that was generally done over private lines. The evolution of the Internet has data coming and going from many sources to many devices, with IP spread across the Internet.

The evolution of users
The definition of a user has changed since the 1980s, and so have the number and complexity of digital identities.
[Chart: number of identities over time (pre-1980, 1980, 1990, 2000). User categories added over time: employees, consultants, contractors, outsourcing, off-shoring, suppliers, partners, customers, citizens and mobile users; enablers: Web SSO, mobility, the cloud.]

The evolution of IT functions and services
[Diagram: internal versus external; earlier, today, the future.]
The traditional boundaries of an organization change when IT functions and services are no longer constrained by the traditional models.

Headaches for the user
Managing identities: a growing number of identities with different user IDs and passwords, or a set of different authentication tokens to manage; forgotten passwords.
Access to services: ordering access is often cumbersome; once ordered, there is poor insight into the status; different processes for different systems and applications; it takes too long.
Working in the cloud: access to cloud services requires handling new relationships with external service providers; often the relationship with the third party is based on email and limited to trusting an email address.

Consolidate the identity
[Diagram: one identity spanning physical security, network security, application security and document security, and the credentials in use: one-time password (OTP), ID and password, smart cards, certificates.]

Value analysis of identity management
Monetary values: direct and indirect. Non-monetary values. Return on Investment (ROI). Sponsorship and communication. Measurable goals. A value-based approach.
An analysis of the value of an IDM solution creates sponsorship, defines measurable goals and prioritizes activities.

Why a Microsoft-based IAM solution?
Microsoft offers an integrated solution focused on business value.
Leverage existing investments in key infrastructure such as Active Directory.
A leaner and more capable infrastructure that can deliver value faster than the competitors'.
A large network of partners that can extend the value and the possibilities.
Easier to find competence, and a short learning curve.
Focus moves from infrastructure and technology to solving the needs of the business.

A complete IAM solution (Edgile, Inc.)
Business-aligned identity management: ease of doing business, improved processes, effective compliance, connecting to the cloud, security.
[Diagram: internal and external users... with business functions and roles... are assigned access to... internal and external systems and applications.]
Identity solutions from Microsoft and partners: single sign-on, IAM processes, compliance reporting, enterprise roles, universal badge, self-service, federation, user access revalidation, public key and smart card management.

Lifespan of a user / identity: constant change
Stakeholders: HR | Procurement | Business Units | IT | Legal
Events: new hire, summer interns, staffing contract, professional services contract, change of jobs, promotions, expansion of roles, participation in a team, changing locations, new business relationship, new customer, change in partnership, new services, change in relationships, employment change at a third party, employment change at a service provider, office closure, contracts end, termination of employment.
Phases: employment, new relationships, access to services in order to do the work, termination.

Integrated processes
Identity management is ultimately about business processes: access request and approval processes, business relationship processes, human resource processes, procurement processes, security and compliance processes and provisioning processes, connected through integration and workflow.

Integrating provisioning
[Diagram: the access request and approval, procurement, human resource, security and compliance, business relationship and provisioning processes feed, via integration and workflow, an identity process management capability that is HR-driven, policy-driven (who can access what and why), authorization-based, role-based and exception-based, with a self-service component and transactional auditing (who authorized what), cross-platform, audited and reported. Integrated provisioning then targets the managed systems and directories: identity stores, content stores, enterprise apps, web apps and SaaS/cloud services.]

Evolution of Identity Manager (Zoomit, MMS, MIIS, ILM, FIM)
Common platform: user management, group management, workflow, connectors, logging, web service API, synchronization, credential management, policy management.
Capabilities: Office integration for self-service, password synchronization and reset, codeless provisioning, group and DL management, workflow and policy, identity synchronization, user provisioning, certificate and smart card management.
Speaker notes: The journey we have been on for more than a decade. Microsoft has been in IDA for over 10 years, beginning with our investments in AD. We brought the meta-directory into the mainstream with MIIS. With ILM 2007 we converged the metadirectory and user provisioning with the management of strong credentials, areas that had traditionally and needlessly been separate implementations. With Forefront Identity Manager 2010 we bring solutions to manage identities, credentials and identity-based access policies across heterogeneous environments.

Identity management (Edgile, Inc.)
The identity system must be extensible.
[Diagram: people have roles with business functions; roles are used to assign access to systems and applications; external people and external systems and applications are connected through the IAM services: a federation service, a process for external access and a process for external provisioning.]
The IAM services provide the functions the business uses to order, track, manage and validate entitlements to the right roles and systems. The identity system must be extensible in order to support cloud services effectively.

Identity management tasks: provisioning, deprovisioning, synchronization, self-service profile management, self-service group management, self-service password management, certificate and smart card management.
One of the most common challenges in managing identity is the provisioning and subsequent deprovisioning of accounts in existing data sources; common data sources include LDAP directory services and databases. As technology evolves, so do the requirements placed upon it: nowadays, modern solutions must also consider self-service interaction as well as automated provisioning. FIM can help to solve the following common problems:

Need: Provisioning
Description: Identities need to be created automatically in one or more directories or data sources based on the identity appearing in an authoritative source such as Human Resources (HR). E.g. automatically create an Active Directory account, an Exchange mailbox, an LDAP user account and a record in the users table of a custom SQL database shortly after HR enters the information for a new employee.

Need: Deprovisioning
Description: Identities need to be removed from or disabled in one or more data sources once a qualifying event (transfer, promotion, leave, termination) occurs. E.g. promptly after HR enters someone's termination information, automatically disable their AD account, hide their mailbox, delete their LDAP accounts and update a status flag on a record in a custom SQL database.

Need: Synchronization
Description: Attribute data corresponding to the identity must be synchronized from an authoritative source to all other subscribing data sources to enforce consistency. E.g. HR personnel update job titles and department names, and the updated data flows to the corporate directory (AD), LDAP and the phone book.

Need: Self-service profile management
Description: Users require the ability to update personal profile information such as preferred name, address and telephone number, and this information needs to be kept consistent across all subscribers. E.g. users and managers update their cell phone numbers and preferred first names, and the updated data flows to the corporate directory (AD), LDAP and the phone book.

Need: Self-service group management
Description: Many users require the ability to request membership in security groups or email distribution lists. Selected users may need the ability to request the creation of new security groups or email distribution list objects and manage them across their lifecycle; conversely, administrators need a process for delegating access control back to the data owners.

Need: Self-service password management
Description: Users require the ability to change their password and have it synchronized across all subscribing data sources, as well as to enroll for password reset in the event they forget their password. E.g. upon returning from vacation a user has forgotten his or her password and needs to reset it without calling the helpdesk.

Identity synchronization and consistency: identity synchronization across multiple directories
Attribute ownership: FirstName, LastName, EmployeeID, Title, E-Mail, Telephone, each owned by one authoritative source.
[Table: each connected system holds a partial and partly inconsistent view of the same person, joined on employeeID; the FIM column shows the value that is kept for each attribute.]

Attribute    HR System   SQL Server DB   Active Directory/Exchange   LDAP       FIM
givenName    Samantha    Samantha        Sam                         Sammy      Samantha
sn           Dearing     Darling         Dearing                     Dearling   Dearing
title        -           Coordinator     Intern                      -          Coordinator
mail         -           -               someone@example.com         -          someone@example.com
employeeID   007         007             007                         007        007
telephone    -           -               -                           555-0129   555-0129

Identity data aggregation: Organizations can also use FIM to synchronize e-mail address lists that are maintained by heterogeneous e-mail systems, such as Microsoft Exchange Server 2000, Exchange Server 2007 and Lotus Notes. Organizations that have multiple Active Directory Domain Services and Exchange forests can use FIM to build a single address book. This increases the value of identity integration by simplifying collaboration as well as increasing IT control.
Note: FIM 2010 provides a simplified single sign-on experience through its identity synchronization capabilities, delivering the ability to synchronize passwords across heterogeneous systems. The policy-based management system of FIM manages users' identity lifecycle and protects corporate assets against misuse as users move between roles or leave the organization.
http://www.microsoft.com/forefront/identitymanager/en/us/features.aspx
http://download.microsoft.com/download/3/2/A/32A7B77A-7D3A-4D24-ACE7-5AA3A908B95E/Understanding%20FIM%202010.docx

Identity synchronization and consistency: identity consistency across multiple directories
[Table: after synchronization, FIM exports the consistent values (givenName Samantha, sn Dearing, title Coordinator, mail someone@example.com, employeeID 007, telephone 555-0129) to each connected system: HR System, SQL Server DB, Active Directory/Exchange and LDAP. Incorrect or missing information in the connected systems (an incorrect given name such as Bob, the given-name variants Sam and Sammy, the surname variants Darling and Dearling, the title Intern, and missing title, mail and telephone values) is replaced or filled in.]
Identity data brokering (convergence): Combining identity data across multiple directories and systems yields automated account reconciliation and consistency management for user accounts, credentials and attributes. This means organizations with many different directories and other data repositories, such as an HR application, can use Forefront Identity Manager to synchronize user accounts across systems.
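The two slides above, carried through in code: attribute-precedence brokering of the Samantha Dearing records, joining the connected systems on employeeID, taking each attribute only from its owning source, and computing the exports that fix the incorrect or missing values. This is an added example with constructed sample data, not FIM's own code; the ownership table is an assumption inferred from which value survives in the FIM column.

```python
"""Attribute-precedence identity brokering (constructed example, not FIM code)."""
from collections import defaultdict

# Attribute ownership: the authoritative source for each attribute.
# Assumption: inferred from which value survives in the FIM column on the slide.
OWNERSHIP = {
    "givenName": "HR System",
    "sn": "HR System",
    "employeeID": "HR System",
    "title": "SQL Server DB",
    "mail": "Active Directory/Exchange",
    "telephone": "LDAP",
}

# Connector-space records as shown on the slide, one list per connected system.
CONNECTED = {
    "HR System": [
        {"employeeID": "007", "givenName": "Samantha", "sn": "Dearing"}],
    "SQL Server DB": [
        {"employeeID": "007", "givenName": "Samantha", "sn": "Darling",
         "title": "Coordinator"}],
    "Active Directory/Exchange": [
        {"employeeID": "007", "givenName": "Sam", "sn": "Dearing",
         "title": "Intern", "mail": "someone@example.com"}],
    "LDAP": [
        {"employeeID": "007", "givenName": "Sammy", "sn": "Dearling",
         "telephone": "555-0129"}],
}


def join_by_employee_id(connected):
    """Join connector-space records into one metaverse entry per employeeID.
    Records lacking the join attribute cannot be reconciled and are reported."""
    joined = defaultdict(dict)  # employeeID -> {system: record}
    orphans = []
    for system, records in connected.items():
        for rec in records:
            key = rec.get("employeeID")
            if not key:
                orphans.append((system, rec))
                continue
            joined[key][system] = rec
    return joined, orphans


def aggregate(per_system, ownership=OWNERSHIP):
    """Build the metaverse object: every attribute comes from its owning
    source, never from a subscriber, however plausible the subscriber's value."""
    return {attr: per_system.get(owner, {}).get(attr)
            for attr, owner in ownership.items()}


def export_changes(per_system, metaverse):
    """Diff the metaverse against each connected system. The result is the
    set of pending exports that fix incorrect or missing information."""
    changes = {}
    for system, rec in per_system.items():
        pending = {attr: value for attr, value in metaverse.items()
                   if value is not None and rec.get(attr) != value}
        if pending:
            changes[system] = pending
    return changes


def broker(connected, ownership=OWNERSHIP):
    """Full run: join, aggregate and compute exports for every identity."""
    joined, orphans = join_by_employee_id(connected)
    result = {}
    for key, per_system in joined.items():
        metaverse = aggregate(per_system, ownership)
        result[key] = {"metaverse": metaverse,
                       "exports": export_changes(per_system, metaverse)}
    return result, orphans


if __name__ == "__main__":
    report, unjoined = broker(CONNECTED)
    for key, entry in report.items():
        print(f"employeeID {key}: {entry['metaverse']}")
        for system, pending in entry["exports"].items():
            print(f"  export to {system}: {pending}")
    print("unjoined records:", unjoined)
```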

Connecting to systems

Synchronisation Rules

Connecting and attribute flow

Examples of management agents: Microsoft Active Directory, AD LDS; Microsoft Exchange; Microsoft SQL Server; SAP; IBM DB2, RACF, Tivoli Directory Server, Notes; CA ACF2, Top Secret; Oracle; Novell eDirectory; Sun Directory Server; LDAP, DSML, XML, CSV; Extensible Management Agent (SOA, web services); many ISV partner management agents; open source management agents.

Forefront Identity Manager Portal Overview

Creating Users

User Self Service

User Self Service Users by default can perform self service on themselves, create groups (that expire after a period of time), and view the white pages

Group management
Purpose: distribution, security.
Membership: manual (owners adding or removing members, or users requesting membership subject to an approval policy), manager-based, criteria-based.
Scope: universal, global, domain local.

Group Membership Types

Who can get into the group?

Filter Builder for Groups

Workflow example

End User Experience - Portal

Joining a Group via Outlook

Password Reset – User Interface

QA Gate

Reset Password

Self-service password management: simplify security, manage compliance
Enables users to reset their own passwords through both the Windows logon and the FIM password reset portal.
Controls helpdesk costs by enabling end users to manage certain parts of their own identities.
Improves security and compliance with minimal errors while managing multiple identities and passwords.
[Diagram: the end user requests a password reset; the FIM server updates the password in Active Directory, Oracle, SQL Server, IBM DS and LDAP.]
Reset password: the FIM capabilities are integrated with the Windows logon; the gate randomly selects a number of questions.
Speaker notes: FIM 2010 makes it possible for users to manage their own credential information. It allows users to change and reset their passwords without depending on helpdesk support, and it takes care of password synchronization with back-end systems. FIM 2010 has configurable question-and-answer authentication gates and includes extensibility to build additional types of gates, for instance a smart card gate or a gate that requires the user to enter a code sent to a mobile phone. The enrollment process for authentication gates can be configured to ensure that all users in an organization enroll, for instance by requiring registration at logon. For example, when users want to change their password, they change it through a password management application that verifies the current user's credential information. If it matches, the application updates the new password in FIM. FIM then replicates the new password to all relevant applications, database servers and directories.
http://www.microsoft.com/forefront/identitymanager/en/us/features.aspx
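The question-and-answer gate and the replication step described above, as an added example (not FIM's implementation): enrollment stores only salted hashes of normalized answers, the gate issues a random subset of the enrolled questions, every issued question must be answered, repeated failures lock the user out, and only a passed gate triggers the push to the connected stores. The question bank and the store names are constructed for the example.

```python
"""Self-service password reset behind a Q&A gate (constructed example)."""
import hashlib
import hmac
import os
import secrets

# The back-end stores the slide shows FIM replicating the new password to.
CONNECTED_STORES = ["Active Directory", "Oracle", "SQL Server", "IBM DS", "LDAP"]

# Constructed question bank (the questions themselves are assumptions).
QUESTION_BANK = [
    "What was the name of your first school?",
    "In which city were you born?",
    "What was the make of your first car?",
    "What was the name of your first pet?",
    "What is your favourite book?",
]


def normalize(answer):
    """Case- and whitespace-insensitive, so '  MALMÖ ' matches 'malmö'."""
    return " ".join(answer.casefold().split())


def digest(answer, salt):
    """Slow salted hash: enrolled answers are stored like passwords."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 100_000)


class QAGate:
    """Gate that issues a random subset of the enrolled questions and locks
    the user out after repeated failures."""

    def __init__(self, asked=3, max_failures=3):
        self.asked = asked
        self.max_failures = max_failures
        self._enrolled = {}  # user -> {question: (salt, digest)}
        self._failures = {}  # user -> consecutive failed attempts
        self._pending = {}   # user -> questions issued in the open challenge

    def enroll(self, user, answers):
        """Enrollment (e.g. forced at logon): answers are stored only as hashes."""
        unknown = set(answers) - set(QUESTION_BANK)
        if unknown or len(answers) < self.asked:
            raise ValueError(f"enroll at least {self.asked} questions from the bank")
        stored = {}
        for question, answer in answers.items():
            salt = os.urandom(16)
            stored[question] = (salt, digest(answer, salt))
        self._enrolled[user] = stored

    def locked(self, user):
        return self._failures.get(user, 0) >= self.max_failures

    def challenge(self, user):
        """Randomly select `asked` of the user's enrolled questions."""
        if user not in self._enrolled or self.locked(user):
            return None
        rng = secrets.SystemRandom()
        questions = rng.sample(sorted(self._enrolled[user]), self.asked)
        self._pending[user] = questions
        return questions

    def verify(self, user, responses):
        """Every issued question must be answered correctly. All digests are
        checked even after a mismatch, and a miss counts as one failure."""
        questions = self._pending.pop(user, None)
        if questions is None or self.locked(user):
            return False  # no open challenge (or locked out): never accept
        ok = True
        for question in questions:
            salt, expected = self._enrolled[user][question]
            given = digest(responses.get(question, ""), salt)
            if not hmac.compare_digest(expected, given):
                ok = False
        self._failures[user] = 0 if ok else self._failures.get(user, 0) + 1
        return ok


def reset_password(gate, user, responses, new_password, stores):
    """Reset only when the gate passes, then replicate to every connected
    store (a dict per store stands in for the connector writing the target)."""
    if not gate.verify(user, responses):
        return []
    updated = []
    for name, store in stores.items():
        store[user] = new_password  # the target system hashes and stores it itself
        updated.append(name)
    return updated
```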

Connecting to the cloud (business-aligned identity management)

Problem statement
Authentication (AuthN): verify the user's identity. User ID: "Who are you?" Password: "Prove that you are who you claim to be."
Authorization (AuthZ): decide which functions shall be available to the user. User profile: "What kind of user are you?" (e.g. group membership, role)

Problem statement
For an application to perform AuthN and AuthZ it needs the following: user ID, password, profile (group membership, AD attributes...). Where are these stored?

AuthN & AuthZ for the cloud
Two options for storing user ID, password and profile:
In the cloud: copy the AuthN/AuthZ information from the on-premise stores to a repository in the cloud using Forefront Identity Manager; BPOS apps query the repository in the cloud for AuthN/AuthZ information when users log on.
On-premise (private cloud / onsite): keep the data onsite and send the AuthN/AuthZ information for a specific user to the application only when that user logs on (ADFS v2 / federation).

Option 1: AuthN/AuthZ data in the cloud
BPOS includes a tool (ILM/FIM based) for copying AuthN/AuthZ information from the on-premise AD forest to the cloud.
[Diagram: the local accounts in the on-premise AD (User1, Seller; User2, HR Mngr; User3, HelpDesk OP; User4, Finance Cntr) are copied by the BPOS Synch Tool to a copy of the local accounts stored in the cloud and used by BPOS.]
Data is synchronized every 3 hours, and only in the direction on-premise → cloud.

Option 2: AuthN/AuthZ data on-premise only
Requires a federated trust relationship between the on-premise identity store and the Microsoft Federation Gateway (X.509 certificates exchanged).
[Diagram: the on-premise AD with the local accounts (User1, Seller; User2, HR Mngr; User3, HelpDesk OP; User4, Finance Cntr), AD FS 2.0, the Microsoft Federation Gateway (MS FG) and BPOS; a token with username and profile flows to the BPOS application.]
When a user logs on, a token with the username and profile information is sent to the BPOS app. There is no need to create a copy of the on-premise AuthN/AuthZ information: the trust relationship allows BPOS applications to delegate the task of authenticating users to the on-premise AD. No copy of local accounts!

Option 2: Federation / ADFS
For the business: the ability to move seamlessly between applications using a single identity; collaboration across organizations.
For IT: no need to manage external accounts; simplified and flexible claims-based federation; common authentication controls for building custom applications.
[Diagram: on-premises Active Directory Federation Services connected to an external partner via WS-* and SAML 2.0.]
Speaker notes, background: Collaborating across organizational boundaries, an increasing requirement due to economic forces that are driving companies to outsource more while involving partners and customers more deeply in business processes, requires establishing "trust" between IT environments. In essence, if you want to share sensitive information, then your identity on one network needs to be represented on the other. Otherwise, people outside your firewall will either not be able to view it, or you would have to remove all data restrictions when you forward it; obviously, this is a compliance violation.
Talking points: End users need consistent, persistent identity and credentials that can flow between organizations and eliminate the need for multiple user accounts, passwords, group memberships and other IT overhead. With Windows Server 2008 R2 Active Directory Federation Services 2.0 (formerly code-named "Geneva"), a single identity can be "federated" from one organization to the other, leveraging "claims" which describe identity attributes and can be used to drive application and other system behaviors. The end result is that a single user needs only a single account (in the parent organization) and password (or smart card), and all other access and usage policies, wherever the user is allowed to log in and whatever applications are used, are assigned by IT. When the partner or other external organization configures the federation (trust) with your company, they can assign whatever access privileges are needed without having to create a whole new identity / password / policy. They simply accept your "claim" of who you are, and allow you access. This works for both on-premise and in-the-cloud services / networks / applications, and enables a richer collaboration experience without the hassles normally associated with sharing sensitive information, because all policies are identity-based. One identity to rule them all!
Additional information: BEST INNOVATION, European Identity Award at EIC 2009. "Geneva (ADFS) project one of the most significant enhancements for future use and dissemination of the Identity Federation" - Kuppinger Cole, European Identity Conference 2009 (EIC). In the category "Best innovation", the award went to the OpenSSO initiative, founded and supported by Sun Microsystems. Their project, OpenSSO Fedlet, has provided a lean solution for identity federation. Another award goes to the companies Yubico and AXSionics for their respective innovations in the area of strong authentication, which provide easier solutions for use on the internet and in the context of user-centric identity management. Another award in that category went to Microsoft for their Geneva project, in which federation becomes part of user containers, in the view of Kuppinger Cole one of the most significant enhancements for future use and dissemination of identity federation. Source: http://www.id-conf.com/blog/2009/05/07/awards-for-outstanding-identity-management-projects/

Option 2: ADFS / single sign-on
[Diagram: a corporate user authenticates to AD DS and receives a security token (e.g. a Kerberos ticket); AD FS issues tokens for Exchange, SharePoint, a web app, cloud services and a partner's claims-aware application.]
FIM provides the internal data quality needed to build claims from AD, SQL etc. AD FS creates a SAML token, signs it with the company's private key and sends it back to the user; access is granted when the token is supplied.
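The Option 2 logon as an added example (not AD FS or BPOS code): the on-premise issuer authenticates against the local accounts from the slides and signs a token carrying the UPN and role claims; the cloud application verifies signature, issuer, audience and validity window and then makes its AuthZ decision from the role claim alone, holding no copy of the accounts, so a disabled account stops getting tokens at its next logon rather than at the next sync. The issuer and audience names, the passwords and the key are constructed, and the slide's private-key signature is stood in for by an HMAC over a key shared with the relying party, since the standard library has no RSA.

```python
"""Claims-based federated logon (constructed example, not AD FS code)."""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://adfs.contoso.example/adfs/services/trust"  # assumed name
AUDIENCE = "https://bpos.example/"                            # assumed relying party
SIGNING_KEY = b"constructed-demo-key-not-for-production"      # stand-in for the cert key


def pwd_hash(password, salt=b"constructed-salt"):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed on-premise AD with the accounts from the slides; passwords are
# only ever checked here and never shipped to the cloud.
AD_DS = {
    "user1": {"upn": "user1@contoso.example", "roles": ["Seller"],
              "enabled": True, "pwd": pwd_hash("Seller-Pass-1")},
    "user2": {"upn": "user2@contoso.example", "roles": ["HR Mngr"],
              "enabled": True, "pwd": pwd_hash("HR-Pass-2")},
    "user3": {"upn": "user3@contoso.example", "roles": ["HelpDesk OP"],
              "enabled": False, "pwd": pwd_hash("Help-Pass-3")},  # deprovisioned
}


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username, password, now=None, lifetime=600):
    """Issuer side: AuthN against AD DS, then a signed token carrying the claims
    the relying party needs for AuthZ (UPN and roles). Disabled accounts get
    no token, so deprovisioning takes effect at the next logon."""
    now = int(time.time()) if now is None else now
    user = AD_DS.get(username)
    if user is None or not user["enabled"]:
        return None
    if not hmac.compare_digest(user["pwd"], pwd_hash(password)):
        return None
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": user["upn"],
              "roles": user["roles"], "iat": now, "exp": now + lifetime}
    body = b64url(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{b64url(sig)}"


def verify_token(token, now=None):
    """Relying-party side: signature first, then issuer, audience and validity
    window; only after all of these are the claims trusted."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        claims = json.loads(b64url_decode(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None
    if not (claims.get("iat", 0) <= now < claims.get("exp", 0)):
        return None
    return claims


def authorize(claims, required_role):
    """AuthZ in the claims-aware app: no local account lookup, just the claim."""
    return claims is not None and required_role in claims.get("roles", [])
```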

Extending the solution
Forefront Identity Manager 2010 (data quality, roles, claims)
ADFS 2.0 (federation onsite / cloud)
Web SSO
Unified Access Gateway 2010 (access policies, support for other authentication mechanisms: BankID/eID, SMS tokens, OATH OTP, certificates / smart cards / USB dongles etc., RSA tokens etc.)

Summary
Effective internal identity management creates great value for the organization and is the foundation for consuming cloud services in a secure and cost-effective way.
Identity management is ultimately about business processes.
Microsoft and partners offer a complete, market-leading IDM solution that is cost-effective.
"Microsoft's entry into the market is transformational in both the pricing and deployment models"