Capability: Identity and Access Management

Introduction

Identity and Access Management is a Core Infrastructure Optimization capability and the foundation for implementing many capabilities in the Infrastructure Optimization Model.

The following table lists the high-level challenges, applicable solutions, and benefits of moving to the Dynamic level in Identity and Access Management.

Challenges

  Business Challenges

  • Users still require the help desk to access resources; there is no user provisioning

  • No clear view of the organization’s identity

  IT Challenges

  • Lack of single sign-on across multiple systems, although identities are centrally administered and settings and configurations are easily managed

  • Users continue receiving several authentication prompts daily

Solutions

  Projects

  • Implement a solution to centrally manage user provisioning

  • Implement a federated identity management solution across organizational and platform boundaries

Benefits

  Business Benefits

  • Providing single sign-on across multiple systems reduces administration costs and increases user productivity

  • Various identity repositories are connected, federated within the firewall, or trusted to allow provisioning of identity workflow

  IT Benefits

  • Centralized password administration

  • Automated identity account de-provisioning and life-cycle management

  • Reduced support costs and user downtime

Ongoing Identity and Access Management focuses on the following capabilities as outlined in the Microsoft Identity and Access Management Series:

Note that the capabilities outlined above are all key parts of the Identity and Access Management service in any organization. For more information, please see the Microsoft Identity and Access Management Series.

The Standardized and Rationalized levels of Identity and Access Management in the Infrastructure Optimization Model address the key areas of a unified directory service and automated enforcement configurations and security policies. The Dynamic level extends these capabilities by implementing automated user account provisioning and secure access of network resources to third parties.

Requirement: Centralized Automated User Account Provisioning Across Heterogeneous Systems

Audience

You should read this section if you do not have a centralized and automated tool for user account provisioning across 80 percent or more of your heterogeneous systems.

Overview

Today's large organizations often have complex and poorly designed processes for provisioning systems with information for computer network users. For example, in some organizations, it can take up to two weeks before new information workers can access e-mail and the applications that they need for their jobs. The manual, task-intensive processes that are typically involved in identity provisioning add overhead, delay employee productivity, and often lead to a network environment that is not secure.

The manual administration of provisioning tasks is slow and typically does not enforce policies for access and authorization in a consistent manner. Without reliable, automated processes it will often not be practical to even attempt to implement all desirable policies.

Organizations store identity information in numerous repositories, or data stores. Using a product that includes metadirectory functionality allows you to synchronize existing data so that it is consistent across these stores. To move to the Dynamic level, you need to implement and utilize technologies that allow centralized and automated provisioning.

Phase 1: Assess

During the Assess phase, you should trace the typical activities that take place when employees join your organization, when transfers or employee reorganizations occur, when passwords are reset, or when other common self-driven requests are made against user directories. These processes or workflows occur in every organization; some change workflows are processed more manually than others. The product of the Assess phase is a catalog that contains the workflows that exist to resolve common directory provisioning requests, any existing policies around access and authorization, and identification of the manual controls required for change or access authorization. A record of the typical time required from initial request to change resolution will also aid in planning which tasks receive priority, and can be used once the provisioning solution has been implemented to calculate productivity improvements.

Phase 2: Identify

Once you have identified the underlying workflows, policies, and effort required to perform common user provisioning tasks, the Identify phase identifies areas of improvement for existing directories or user activities.

This document highlights three primary scenarios for conducting the Identify phase:

  • HR-driven provisioning

  • Group management

  • Self-service provisioning

These scenarios will typically correspond with many of the challenges associated with your organization’s account provisioning and directory services, but they are not a comprehensive list. The results of this phase will be to identify many of the key areas of improvement or current policy violations to be included during the Evaluate and Plan phase of the project. Success criteria should include task-related efficiency gains as well as correction of the issues called out in the following sections.

HR-driven Provisioning

In this scenario, synchronizing identity information is only part of the required solution. In addition to enabling a comprehensive view of your users, you need an automated provisioning solution.

HR-driven provisioning addresses and corrects these issues:

  • Duplicated effort maintaining disparate data stores

  • Inconsistent data

  • Users “borrowing” another’s account

  • Stale accounts (those not promptly disabled or removed)

  • Inappropriate access

Group Management

Organizations typically use distribution groups to distribute e-mail and security groups to conveniently group users with similar entitlements. The challenge is to manage these different types of groups to ensure that the correct entitlements are granted or revoked in a timely manner in accordance with business rules, while providing the most efficient e-mail routing and the best user experience.

Without a centralized and automated provisioning solution, it is difficult both to place users in the appropriate groups during the provisioning process and to manage groups as users change roles, positions, and locations during their careers. This situation leads to user frustration, increased help desk call volume, and inappropriate access granted to some users.

Group management addresses and corrects these issues:

  • Delayed access for new users

  • Incorrect distribution lists

  • Stale groups

  • Redundant e-mail

  • Authorizations that are not removed when an employee leaves a group

  • Excessive number of administrative accounts
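The joiner/mover/leaver logic behind HR-driven provisioning and rule-based group management, as an added illustration that is not ILM 2007 or MIIS 2003 code: the HR feed is treated as authoritative, the directory is compared against it, and the resulting actions cover stale accounts, inconsistent attributes, accounts with no HR owner, and entitlements that must be granted or revoked as roles change. The department-to-group rules, account records and HR records are constructed sample data.

```python
"""Joiner/mover/leaver reconciliation driven by an authoritative HR feed.
Added illustration, not ILM 2007 or MIIS 2003 code; rules and records are constructed."""
from dataclasses import dataclass, field
from typing import Optional, Set

# Hypothetical business rules: department -> security groups its members are entitled to.
# Only these managed groups are reconciled; other memberships are left alone.
ROLE_GROUPS = {
    "Finance": {"GG-Finance-Users", "GG-ERP-Readers"},
    "Engineering": {"GG-Eng-Users", "GG-SourceControl"},
}
MANAGED_GROUPS = set().union(*ROLE_GROUPS.values())

@dataclass
class HrRecord:
    employee_id: str
    name: str
    department: str
    status: str  # "active" or "terminated"

@dataclass
class DirectoryAccount:
    sam: str
    employee_id: Optional[str]  # None when the account carries no HR owner attribute
    department: str
    enabled: bool
    groups: Set[str] = field(default_factory=set)

def reconcile(hr_feed, directory):
    """Return (action, account, detail) tuples that bring the directory in line with HR."""
    actions = []
    by_emp = {a.employee_id: a for a in directory if a.employee_id}
    for rec in hr_feed:
        acct = by_emp.get(rec.employee_id)
        if rec.status != "active":
            # Leaver: disable promptly and strip entitlements (the stale-account fix).
            if acct is not None:
                if acct.enabled:
                    actions.append(("disable", acct.sam, "leaver: HR status terminated"))
                for g in sorted(acct.groups & MANAGED_GROUPS):
                    actions.append(("remove_group", acct.sam, g))
            continue
        wanted = ROLE_GROUPS.get(rec.department, set())
        if acct is None:
            # Joiner: create the account and grant role-derived groups on day one.
            sam = rec.name.lower().replace(" ", ".")
            actions.append(("create", sam, f"joiner: employee {rec.employee_id}"))
            actions += [("add_group", sam, g) for g in sorted(wanted)]
            continue
        if acct.department != rec.department:
            # Mover: HR is authoritative, so the directory attribute is corrected.
            actions.append(("update", acct.sam, f"mover: department {acct.department} -> {rec.department}"))
        actions += [("add_group", acct.sam, g) for g in sorted(wanted - acct.groups)]
        actions += [("remove_group", acct.sam, g)
                    for g in sorted((acct.groups & MANAGED_GROUPS) - wanted)]
    # Enabled accounts with no HR owner: stale or "borrowed" account candidates for review.
    hr_ids = {r.employee_id for r in hr_feed}
    for acct in directory:
        if acct.enabled and acct.employee_id not in hr_ids:
            actions.append(("review", acct.sam, "orphan: no matching HR record"))
    return actions

# Constructed sample data: authoritative HR feed and current directory state.
HR_FEED = [
    HrRecord("1001", "Ana Lopez", "Finance", "active"),
    HrRecord("1002", "Ben Zhou", "Engineering", "active"),   # mover (was Finance)
    HrRecord("1003", "Cara Diaz", "Finance", "terminated"),  # leaver
    HrRecord("1004", "Dev Patel", "Engineering", "active"),  # joiner
]
DIRECTORY = [
    DirectoryAccount("ana.lopez", "1001", "Finance", True, {"GG-Finance-Users", "GG-ERP-Readers"}),
    DirectoryAccount("ben.zhou", "1002", "Finance", True, {"GG-Finance-Users", "GG-ERP-Readers"}),
    DirectoryAccount("cara.diaz", "1003", "Finance", True, {"GG-Finance-Users"}),
    DirectoryAccount("svc-legacy", None, "IT", True, {"GG-ERP-Readers"}),
]
```

Calling reconcile(HR_FEED, DIRECTORY) yields no action for the in-sync account, a disable plus group removal for the leaver, an attribute update with group swap for the mover, a create plus group grants for the joiner, and a review flag for the enabled account that no HR record owns.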

Self-Service Provisioning

While HR-driven provisioning is usually considered the authoritative source for permanent employees, it is not always an authoritative data source to drive fully automated provisioning for contractors and temporary employees.

Self-service provisioning addresses and corrects these issues:

  • Delays in contractors being able to do their jobs

  • Stale accounts

  • Inefficient or insecure password delivery

  • Duplicate accounts

Phase 3: Evaluate and Plan

In the Evaluate and Plan phase, you will look at what technologies can be used to aid in automating user account provisioning and self-service. You should evaluate and compare the functionality and costs associated with the tools and their implementation. Once a technology is selected, during the planning process you should discuss the implementation of the provisioning technology and prioritize the scenarios. Microsoft provides several tools that you can use to centralize and automate user provisioning in heterogeneous computing environments:

  • Microsoft Identity Lifecycle Manager 2007 (ILM 2007)

  • Microsoft Identity Integration Server (MIIS) 2003

  • Zero Touch Provisioning (ZTP)

Microsoft Identity Lifecycle Manager 2007

Microsoft Identity Lifecycle Manager 2007 (ILM 2007) is the recommended technology for automating user account provisioning. ILM 2007 provides an integrated and comprehensive solution for managing the entire life cycle of user identities and their associated credentials. ILM 2007 builds on the metadirectory and user provisioning capabilities in Microsoft Identity Integration Server 2003 (MIIS 2003) and adds new capabilities for managing strong credentials such as smartcards with Certificate Lifecycle Manager 2007 (CLM 2007). It provides identity synchronization, certificate and password management, and user provisioning in a single solution that works across Microsoft Windows® and other organizational systems. As a result, organizations can define and automate the processes used to manage identities from creation to retirement. Technical resource guidance for ILM 2007 continues to develop; see Build a Single-Step Provisioning Workflow, featured in the May 2007 edition of TechNet Magazine, for additional details.

Microsoft Identity Integration Server 2003

Microsoft Identity Integration Server (MIIS) 2003 is a centralized service that stores and integrates identity information for organizations with multiple directories. The goal of MIIS 2003 is to provide organizations with a unified view of all known identity information about users, applications, and network resources. Microsoft TechNet provides several resources for planning and implementing automated user provisioning services using MIIS 2003, most notably Provisioning and Workflow in the Microsoft Identity and Access Management Series.

Zero Touch Provisioning

Zero Touch Provisioning is the implementation of actions, workflows, and operations required to enable users to self-subscribe to services and software. ZTP requires that identities are already being managed, and it extends provisioning from identity and access services to other IT service requests in the organization. ZTP allows organizations to move to a managed, self-service provisioning portal that allows delegates to perform such common provisioning tasks as password resets, e-mail provisioning, and elective application installation. ZTP is based on Microsoft BizTalk Server and requires the use of Systems Management Server 2003. ZTP provides a base to reliably provision enterprise or hosted commercial services and applications, resulting in reduced administrator intervention during the provisioning phase. An initial version of ZTP using BizTalk Server 2004 is available via the Solution Accelerator for Business Desktop Deployment Enterprise Edition Version 2.5 download. For more recent versions of Zero Touch Provisioning using BizTalk Server 2006, contact Microsoft Services.

Evaluating the Technologies

Each of the technologies listed above, as well as technologies available from other providers, can help you achieve automated account or identity object provisioning. Additionally, ZTP solutions add another layer of functionality to identity life-cycle management by providing automated provisioning of common service requests, such as self-service requesting and provisioning of new applications and password resets. We recommend reading the highlighted resources when evaluating your technology options, along with associated costs and implementation requirements.

Planning the Solution

You can design and plan a provisioning solution in the same way that you would design and plan any other IT project. The process requires gathering requirements; implementing conceptual, logical, and physical designs; building a proof of concept; and then creating project plans, a schedule, and a budget. For more information, see Identity Aggregation and Synchronization.

For more information about architecting a MIIS 2003 solution, see the MIIS 2003 Design and Planning Collection.

Project-specific guidance for ILM 2007 is currently under development. The guidance highlighted in the Identity and Access Management Series is built for and tested against MIIS 2003, but most of the core concepts can be applied to equivalent functionality as well as planning and deployment objectives for ILM 2007. Visit the technical library for ILM 2007 for additional guidance.

Phase 4: Deploy

Once your provisioning solutions have been evaluated and projects are planned, the final phase is Deployment. There are several prerequisites to deploying a workflow and provisioning solution, and this section focuses only on the prerequisites of identity and access related to provisioning:

Once prerequisites are met, implementation consists of configuring MIIS 2003 or ILM 2007 and beginning to perform identity management operations, including importing and synchronizing all existing data so that you are ready to conduct ongoing operations.

For more information on deploying a provisioning solution using ILM 2007, see Build a Single-Step Provisioning Workflow featured in the May 2007 edition of TechNet Magazine.

For more information about implementing MIIS 2003 for user account provisioning, see Implementing the Solution in the Workflow and Provisioning section of the Microsoft Identity and Access Management Series.

Further Information

For more information on user provisioning, go to Microsoft TechNet and search for “user provisioning.”

To see how Microsoft handles provisioning, go to https://www.microsoft.com/technet/itshowcase/content/ensidcon.mspx.

Topic Checkpoint

Requirements (tick each item when complete):

  • Defined current identity object provisioning workflows in your organization, as well as areas to improve or optimize.

  • Identified technologies used to manage object identity life cycles.

  • Implemented a consolidated solution to automate common user account provisioning workflows.

If you have completed the steps listed above, your organization has met the minimum requirement of the Dynamic level for Centralized and Automated User Provisioning capabilities of the Infrastructure Optimization Model. We recommend that you follow the guidance of additional best practice resources for user provisioning to ensure that user access and network security levels are maintained to a known standard.

Go to the next Self-Assessment question.

Requirement: Directory-based Authentication of External Customers and Business Partners

Audience

You should read this section if you do not use a directory-based tool to enable authenticated access to external customers and business partners.

Overview

In the Infrastructure Optimization Planning Guide for Implementers: Basic to Standardized guide, we discussed using directory services for user authentication. To move to the Dynamic level, Core Infrastructure Optimization requires the ability to securely extend authentication to external customers and business partners when needed. Most organizations will need to provide information to external customers and business partners in some form on an ongoing basis. IT organizations can use identity federations to make decisions based on identity data from other organizations, while also sharing selected information about their own users' identities. A federation represents an agreement between two organizations with a common goal and is usually structured so that each organization retains the management of its own internal information, access policies, and identity objects.

Phase 1: Assess

Data and information are inevitably shared with external stakeholders of your organization. During the Assess phase, you will take an inventory of the shared data and of how that sharing is currently performed. The results of the Assess phase will be documentation listing the resources where data and information are commonly shared and showing where a federation can improve efficiency by providing access to trusted external stakeholders.

Phase 2: Identify

Depending on the resources identified during the Assess phase, you may determine that some of the existing workflows can be made more secure by using manual processes to control the flow of data. In cases where the secured and authenticated access by external customers or partners does not compromise the organization, you will use the Identify phase to isolate priority resources, partners, and customers to participate in identity federation solutions. The results of the Identify phase will include a detailed list of those organizations, along with related resources and a corresponding list of identity objects targeted for the initial project.

Phase 3: Evaluate and Plan

As a result of progressing through the Core Infrastructure Optimization Model and achieving the prerequisites of the Standardized level, your organization will have at minimum an Active Directory infrastructure in place. We also assume in the model that organizations at the Rationalized level have knowledge of Active Directory Application Mode (ADAM). During the Evaluate and Plan phase, you will examine the technologies that can extend directory service authentication to external stakeholders, primarily Active Directory Federation Services (ADFS), and plan for the solution implementation. For additional options to manage access to extranet resources, see Extranet Access Management: Approaches to Extranet Access Management on Microsoft TechNet.

Active Directory Application Mode (ADAM)

ADAM provides directory services specifically for directory-enabled applications. ADAM does not require or rely on Active Directory domains or forests. However, in environments where Active Directory exists, ADAM can use Active Directory for the authentication of Windows security principals.

Active Directory Federation Services (ADFS)

Active Directory Federation Services (ADFS) is a component in Microsoft Windows Server 2003 R2 that provides browser-based clients (internal or external to your network) with single sign-on (SSO) access to protected Internet-facing applications, even when the user accounts and applications are located in completely different networks or organizations.

When an application is in one network and a user account is in another network, typically the user is prompted for secondary credentials when he or she attempts to access the application. These secondary credentials represent the user's identity in the realm where the application resides and are usually required by the Web server that hosts the application so that it can make the most appropriate authorization decision.

With ADFS, organizations can bypass requests for secondary credentials by providing trust relationships (federation trusts) that they can use to project a user's digital identity and access rights to trusted partners. In this federated environment, each organization continues to manage its own identities, but each organization can also securely project and accept identities from other organizations.

ADFS is tightly integrated with Active Directory. ADFS retrieves user attributes from Active Directory, and it authenticates users against Active Directory. ADFS also uses Windows Integrated Authentication.

By employing ADFS, you can extend your existing Active Directory infrastructures to provide access to resources that are offered by trusted partners across the Internet. These trusted partners can include external third parties or other departments or subsidiaries in your organization.

Federation Scenarios

ADFS supports three federated identity scenarios:

  • Federated Web SSO

  • Federated Web SSO with forest trust

  • Web SSO

Federated Web SSO and Web SSO are the scenarios required to move to the Dynamic level in the Core Infrastructure Optimization Model.

Federated Web SSO

The ADFS Federated Web SSO scenario involves secure communication that often spans multiple firewalls, perimeter networks, and name resolution servers, in addition to the entire Internet routing infrastructure. Communication over a federated Web SSO environment can help foster more efficient and secure online transactions between organizations that are joined by federation trust relationships.

Figure 3. Federated Web SSO

Federated Web SSO with Forest Trust

The ADFS Federated Web SSO with Forest Trust scenario involves two Active Directory forests in a single organization, as shown in the following illustration.

Figure 4. Federated Web SSO with Forest Trust

Web SSO

In the ADFS Web SSO scenario, users must authenticate only once to access multiple Web-based applications. In this scenario, all users are external, and no federation trust exists. Because the Web servers must be Internet-accessible and also be joined to the Active Directory domain, they are connected to two networks; that is, they are multihomed. The first network is Internet facing (the perimeter network) to provide the needed connectivity. The second network contains the Active Directory forest (the protected network), which is not directly Internet accessible.

Figure 5. Web SSO

Planning for ADFS Implementation

When planning for an ADFS implementation, you will need to consider technology prerequisites, project goals, partner or federation planning, federated application strategy, and infrastructure design.

Prerequisites

You will need to have the following services or functionalities in place prior to implementing ADFS:

  • Active Directory. An Active Directory domain is required only for the resource federation server. It is not used to host customer accounts.

  • ADAM. ADAM is used to contain the customer accounts that will be used to generate ADFS tokens. For more information about Active Directory or ADAM, see Appendix B: Reviewing Key ADFS Concepts.

  • Account/resource federation server. This federation server serves in both the account role and the resource role. The account/resource federation server is configured so that the Federation Service includes values for both an application and an account store—in this case, ADAM—that contains the customer accounts. For more information, see Review the role of the federation server in the account partner organization and Review the role of the federation server in the resource partner organization.

  • ADFS-enabled Web server. The ADFS-enabled Web server can host a claims-aware application or a Windows NT® token–based application. The ADFS Web Agent confirms that it receives valid ADFS tokens from customer accounts before it allows access to the protected Web site. For more information, see When to create an ADFS-enabled Web server.

  • Customer. While on the Internet, the customer accesses an ADFS-secured Web application through a supported Web browser. The customer client computer on the Internet communicates directly with the federation server for authentication.

Primary Planning Considerations

The following guides are technical resources for planning ADFS services. Use these resources to help develop a project plan to implement ADFS services.

Phase 4: Deploy

After you collect information about your environment and decide on an Active Directory Federation Services (ADFS) design by following the guidance in the ADFS Design Guide, you can begin to plan the deployment of your organization's ADFS design. With the completed ADFS design and the information in this topic, you can determine which tasks to perform to deploy ADFS in your organization. For detailed technical guidance to deploy ADFS, see the Windows Server 2003 R2 technical library’s ADFS Deployment Guide.

For a step-by-step guide to setting up and administering ADFS, go to http://technet2.microsoft.com/WindowsServer/f/?en/library/d022ac37-9b74-4ba1-95aa-55868c0ebd8c1033.mspx.

Further Information

For more information on ADFS, go to Microsoft TechNet and search for “ADFS.”

Topic Checkpoint

Requirements (tick each item when complete):

  • Validated need and uses for providing authenticated access to external entities.

  • Determined strategies and policies for providing external access to defined resources.

  • Implemented technologies to ensure secure access for defined external users to defined services.

If you have completed the steps listed above, your organization has met the minimum requirement of the Dynamic level for Directory-based Authentication of External Customers and Business Partners capabilities of the Infrastructure Optimization Model. We recommend that you follow the guidance of additional best practice resources for partner and client authentication.

Go to the next Self-Assessment question.