Microsoft Canadian Colleges Exec Briefing – Identity and Access Mgmt

by | February 4, 2011

Mark Wahl, Senior Program Manager/Architect, Microsoft Corporation

Identity and Access Management – Business ready Security Solutions

Business needs agility and flexibility and IT needs control – these needs are in competition

Business Ready Security – Protections = protect everywhere, access anywhere,  Access = simplify the security experience, Management = manage compliance, integrate and extend security across the enterprise

Consistent Identity and Access Experiences – for end users, for data owners,  for security adminstrators

Identity Metasystem Architecture

User — access –> Relying Party (authZ = access control, personalization, collaboration)

User — authenticate –> Identity Provider (authN, self service, credentialing)

Identity Provider — token containing claims –> Relying Party

Claims in the Identity Metasystem

  • Claims enable authN, authZ, personalization, and access across boundaries – defines a contract between identity and resource authoritiies
  • tokens and claim transfer protocols beign standardized and interoperable

ForeFront Unified Access Gateway – allows direct access from anywhere as trusted and untrusted connections, creates a virtual private network (claims based authentication supported).  Active Directory will support WS* and SAML standards

ForeFront Identity Manager – provides synchronization to move identity information between systems.   Key functions: identity management, group access, self service password management


There is a balance between the Person’s need for “contextual separation” and the Person’s need to traverse contexts.  People can bring their own trusted identity and request services.  The concepts of Federated Directory and Minimal Disclosure Token Concepts to protect Relying Parties or Identity Providers to aggregate your service access requests to build a profile of your behaviour and personal information.

There is a lot of governance and policy work to get to the point of having the appropriate identity providers for the appropriate contexts for the claims based system to really be functional.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.