Mark Wahl, Senior Program Manager/Architect, Microsoft Corporation
Identity and Access Management – Business Ready Security Solutions
Business needs agility and flexibility and IT needs control – these needs are in competition
Business Ready Security – Protection = protect everywhere, access anywhere; Access = simplify the security experience; Management = manage compliance, integrate and extend security across the enterprise
Consistent Identity and Access Experiences – for end users, for data owners, for security administrators
Identity Metasystem Architecture
User — access –> Relying Party (authZ = access control, personalization, collaboration)
User — authenticate –> Identity Provider (authN, self service, credentialing)
Identity Provider — token containing claims –> Relying Party
Claims in the Identity Metasystem
- Claims enable authN, authZ, personalization, and access across boundaries – a claim defines a contract between identity and resource authorities
- Tokens and claim transfer protocols are being standardized and made interoperable
Forefront Unified Access Gateway – allows direct access from anywhere, over both trusted and untrusted connections, and creates a virtual private network (claims-based authentication supported). Active Directory will support the WS-* and SAML standards
Forefront Identity Manager – provides synchronization to move identity information between systems. Key functions: identity management, group access, self-service password management
There is a balance between the Person’s need for “contextual separation” and the Person’s need to traverse contexts. People can bring their own trusted identity and request services. The concepts of a Federated Directory and of Minimal Disclosure Tokens exist to protect against Relying Parties or Identity Providers aggregating your service access requests to build a profile of your behaviour and personal information.
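The token flow in the Identity Metasystem diagram above (the Identity Provider issues a token of claims that the Relying Party verifies) together with the minimal-disclosure idea, as an added Python example that is not from the talk or from any Microsoft product. The IdP and RP names, the user record and the HMAC key are constructed, and HMAC stands in for the signature a real SAML or WS-* token would carry.

```python
import base64, hashlib, hmac, json, time
# Constructed key shared by the hypothetical IdP and RP. A real metasystem token (SAML,
# WS-Trust) is signed with the IdP's private key; HMAC keeps this example dependency-free.
IDP_KEY = b"constructed-idp-signing-key"
IDP_NAME, RP_NAME = "idp.example.test", "rp.example.test"  # hypothetical IdP and RP
TOKEN_LIFETIME = 300  # seconds
# Everything the IdP knows about the user (constructed sample record).
USER_RECORD = {"name": "Alice", "birth_year": 1990, "department": "finance", "employee_id": "E-123"}

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def issue_token(requested_claims, audience, now=None):
    """IdP side (authentication assumed done): emit a token carrying only the claims
    the RP asked for; 'over18' is derived so the birth year itself is never released."""
    now = int(now or time.time())
    claims = {}
    for name in requested_claims:
        if name == "over18":  # year arithmetic is approximate; enough for the demo
            claims[name] = time.gmtime(now).tm_year - USER_RECORD["birth_year"] >= 18
        elif name in USER_RECORD:
            claims[name] = USER_RECORD[name]
    payload = {"iss": IDP_NAME, "aud": audience, "exp": now + TOKEN_LIFETIME, "claims": claims}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig

def verify_token(token, now=None):
    """RP side: check signature, issuer, audience and expiry before trusting any claim."""
    now = int(now or time.time())
    body, _, sig = token.partition(".")
    expected = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if payload.get("iss") != IDP_NAME:
        raise ValueError("unknown issuer")
    if payload.get("aud") != RP_NAME:
        raise ValueError("token issued for a different relying party")
    if now >= payload.get("exp", 0):
        raise ValueError("token expired")
    return payload["claims"]

def rp_accepts(token, now=None):
    """Boolean wrapper the RP can use for an access-control decision."""
    try:
        return verify_token(token, now) is not None
    except ValueError:
        return False
```

The RP that asks only for `over18` and `department` never sees the birth year or employee id, which is the minimal-disclosure point; a token minted for another audience, an expired token, or a tampered signature is rejected before any claim is read.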
There is a lot of governance and policy work needed to reach the point where the appropriate identity providers exist for the appropriate contexts, so that a claims-based system can really function.