Transcript and Presenter's Notes

Title: Designing an Identity Management Portal


1
Designing an Identity Management Portal
  • Integrating Identity and Access with SharePoint
  • Brad Turner
  • Architect, Identity and Access Management
  • http://www.identitychaos.com
  • Jerry Camel
  • Senior Consultant, Identity and Access Management
  • http://digitalcamel.blogspot.com

If you're here, you're probably not the
SharePoint person; they're all at the
SharePoint Conference 2008, also this week.
2
Introduction and Focus
  • People
    • Skills update for ILM 2 and WSS requirements
  • Process
    • Common issues surrounding WSS installations
  • Technology
    • Security (Microsoft Support's #1 reason for
      calling)
    • WSS/SharePoint authentication considerations
    • Kerberization via AzMan (supplemental content
      on the blogs)
  • Content
    • Portal content and reporting
    • Dashboards
    • Workflow integration and reporting

Sample Portal Application: You've been tasked
with controlling the lifecycle of service
accounts in your organization. How can you build
a solution that models application relationships
with their service accounts and that
automatically maintains Kerberos delegation? How
can you report on workflow status?
3
ILM 2 Architecture Overview
4
ILM 2 Architecture
ILM 2: how many servers to scale the new components?
ILM 2007: local or remote SQL install, clustered or not?
5
SharePoint Database
  • As of ILM 2 Beta 2, only the Windows Internal
    Database is supported for hosting the ILM portal
    application
  • This isn't going to be acceptable for most
    deployments

6
IDA Evolving Skill Sets
7
Directory Services
8
.NET Framework
9
SQL/DBMS
10
Certificate Lifecycle Manager
SharePoint Portal in ILM 2?
11
Windows SharePoint Services
12
Office Integration
13
SharePoint Portal security
14
Getting Started with WSS 3.0
  • What do I need to know to get started?
  • Windows SharePoint Services 3.0 Technical Library
  • Getting started for Windows SharePoint Services
    3.0 technology
  • Microsoft SharePoint Products and Technologies
    Team Blog
  • Microsoft E-Learning Collections 5403
  • Microsoft E-Learning Courses 5244, 5245, 5246,
    5247
  • Microsoft Windows SharePoint Services 3.0 Step by
    Step

Find a local SharePoint Users Group!
15
WSS Common Problems
  • I can't find the database: you installed using
    Typical mode and now you have Windows Internal
    Database
  • How do I create a portal? Create a new Web
    Application first and then create a new Site
    Collection
  • Trouble accessing the site? Check your
    Alternate Access Mappings; these should match the
    URL you're attempting as well as your host
    headers. Also make sure Anonymous access is
    disabled and that these sites are in the Intranet
    zone in IE

16
WSS Common Problems (cont'd)
  • Occasionally it takes forever for the portal
    to respond: this is IIS shutting the process
    down after it becomes idle
  • "current identity does not have write access to
    (the framework temp dir)": you need to run
    aspnet_regiis -i to re-register the Framework
    components with IIS.
  • I can't get Kerberos to work: many people get
    frustrated and fall back to NTLM; it's confusing,
    but it IS possible
  • Other common errors and troubleshooting:
    http://support.microsoft.com/kb/944267

17
ILM Proof of Concept
  • Check 1dent1y cHa0s for the release this week
  • ADMA configured to read AzMan store from AD
  • Sample attribute flow code to set SPNs and
    delegation on service accounts
  • Walkthrough for configuring AzMan to model the
    application, service class, and URIs.

18
Modeling SPN Relationships
Normal Delegation uses userAccountControl
(TRUSTED_FOR_DELEGATION)
Constrained Delegation uses msDS-AllowedToDelegateTo
19
AzMan as an Application Model
  • Authorization Manager (AzMan) provides a
    functional way to model an application in AD or
    XML
  • AzMan alone isn't designed to represent the complex
    relationships required to automate Constrained
    Delegation; we need some help from SQL or custom
    SharePoint lists to do this
  • The entire relationship to model includes:
    Application <-> Svc Accts <-> Svc Classes <-> URL:Port

20
Simple Delegation Modeling with AzMan
  • msDS-AzRole
    • msDS-AzTask: Security principal to delegate
    • msDS-AzTask: Service Class to assign
    • msDS-AzOperation / msDS-AzTask: URL and Port designation
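Slides 17 to 20 describe an attribute flow that derives SPNs and delegation settings from the modelled Application <-> Svc Accts <-> Svc Classes <-> URL:Port relationship. The following stand-alone Python is an added example, not code from the presentation or from ILM: it derives the msDS-AllowedToDelegateTo targets from such a model, classifies AD-style records by the two userAccountControl / msDS-AllowedToDelegateTo cases named on slide 18, and flags accounts that drift from the model (unconstrained delegation, or targets not in the model). The application, account names and record values are constructed; the 0x80000 flag value for TRUSTED_FOR_DELEGATION is the documented userAccountControl bit.

```python
from urllib.parse import urlparse

# userAccountControl flag that enables unconstrained ("normal") delegation.
TRUSTED_FOR_DELEGATION = 0x80000

def delegation_targets(app):
    """serviceclass/host[:port] SPNs, i.e. the msDS-AllowedToDelegateTo values
    the app's delegating principal should carry, derived from the model."""
    spns = set()
    for url in app["urls"]:
        u = urlparse(url)
        host = u.hostname if u.port is None else f"{u.hostname}:{u.port}"
        spns.update(f"{cls}/{host}" for cls in app["service_classes"])
    return sorted(spns)

def classify_delegation(record):
    """Read an AD-style record the way slide 18 describes the two modes."""
    if record.get("userAccountControl", 0) & TRUSTED_FOR_DELEGATION:
        return "unconstrained"   # TRUSTED_FOR_DELEGATION set
    if record.get("msDS-AllowedToDelegateTo"):
        return "constrained"     # explicit target SPN list present
    return "none"

def audit(records, model):
    """Compare each account's AD delegation state with the modelled targets."""
    findings = []
    for rec in records:
        name, state = rec["sAMAccountName"], classify_delegation(rec)
        expected = model.get(name)
        if state == "unconstrained":
            findings.append((name, "unconstrained delegation; model allows constrained only"))
        elif expected is None and state == "constrained":
            findings.append((name, "constrained delegation configured outside the model"))
        elif expected is not None and set(rec.get("msDS-AllowedToDelegateTo", [])) != set(expected):
            findings.append((name, "msDS-AllowedToDelegateTo does not match the model"))
    return findings

# Constructed sample data: one modelled application and three AD-style records.
APP = {"name": "HR Portal", "delegating_principal": "svc-hrportal",
       "service_classes": ["HTTP"],
       "urls": ["https://hr.example.local", "http://hrapi.example.local:8080"]}
RECORDS = [
    {"sAMAccountName": "svc-hrportal", "userAccountControl": 0x10200,
     "msDS-AllowedToDelegateTo": ["HTTP/hr.example.local", "HTTP/hrapi.example.local:8080"]},
    {"sAMAccountName": "svc-legacy", "userAccountControl": 0x200 | TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "svc-reports", "userAccountControl": 0x200,
     "msDS-AllowedToDelegateTo": ["HTTP/old.example.local"]},
]
```

Running `audit(RECORDS, {APP["delegating_principal"]: delegation_targets(APP)})` reports svc-legacy (unconstrained) and svc-reports (constrained, but not in the model), while svc-hrportal matches the derived targets and is silent.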
21
POC: Designing a Portal Solution for the
Kerberization problem
  • Built as a SharePoint application, leveraging
    AzMan itself for authorization
  • Possible Roles for the Portal Application:
    • Domain Users: no access
    • App Admins: developers, delegated ability to
      create and modify apps without the need for the
      AzMan MMC
    • Infrastructure Admins: ability to assign AD
      principals and publish the application
  • The Portal Application should leverage AzMan AD
    store to express the modeled applications once
    published
  • Web Applications and their associated security
    principals should be automatically configured for
    Kerberos delegation by ILM
  • Workflows should be leveraged whenever tasks
    change hands or require approval
  • SharePoint provides all of the tools necessary to
    build the Portal Application and logic within ILM
    can complete the modifications to the security
    principals

22
Building the ILM Portal Content
23
Elements of a Portal
  • SRS Reports
  • Shortcuts / Menus For Navigation
  • Dashboards
  • Documentation
  • External Tools
  • Direct Links
  • Embedded (<iframe> or otherwise)
  • Anything Your Little Heart Desires

24
SharePoint Elements
  • Document Libraries
  • Link Lists
  • Web Part Pages
  • Web Parts

25
Reporting Basics: The SRS Web Part
  • SRS Web Part Overview

26
Dashboards
  • Provide an Overview of System or Identity Status
  • Use SRS Reports and Other Web Parts as Building
    Blocks
  • Advanced Dashboard Techniques
  • Might Involve HTML and/or JavaScript knowledge
  • SRS Report Linking
  • (Not the same thing as drill down reports.)

27
Landing Page
28
Links and Menus
  • Use Standard SharePoint Lists
  • Group By Category

29
External Application Example
  • Camelogic Configuration Files
  • XML Based Hierarchical Configuration Categories
  • Visual Studio Integrated
  • Type Safe Code References
  • Indexed Configuration Values for Quick Switching
  • Web Based Configuration Editor

30
Integrating External Applications
  • Create Web Parts When Feasible
  • Use Page Viewer Web Parts
  • Content Editor Web Parts w/ HTML <iframe>
  • May Require Some Tweaking w/ SharePoint Designer

31
Complex Reporting Dashboards
  • Use an SRS Report Viewer Web Part as a Report
    Anchor
  • Anchor Uses a JavaScript Call In Navigation
    Properties of a Textbox
  • Sub-reports are Linked Via Content Editor Web
    Parts and Embedded JavaScript

32
Complex Reporting Dashboards
33
Complex Reporting Dashboards
34
Workflow Integration
  • Use to Incorporate Asynchronous Actions
  • Allows for Human Interaction in ILM Based
    Activities
  • Can be Persisted
  • Can be Tracked

35
Reporting Workflow Status
36
Custom SRS Report items
  • Provide information in the form of a bitmap
  • Specific to SRS, not SharePoint
  • Require advanced .Net coding skills to create.
  • Drag, Drop and Configure, to use.
  • Sample Code:
    http://msdn.microsoft.com/msdnmag/issues/06/10/SQLServer2005/
37
Complex Reporting: Live Demo
Full Details At http://digitalcamel.blogspot.com/2008/02/tabbed-sub-reports-with-srs-and.html
38
Parting Thoughts
  • The ILM 2 portal will be extensible; if
    nothing else, you'll be able to build your own
    version from the ground up using the new Web
    Service and the SDK, so it's time to start
    building relationships with the talent in your
    company, or looking to acquire it yourself, when it
    comes time to fine tune your own
    implementation!
  • What about interfacing SharePoint with emerging
    technologies like Windows CardSpace?
  • Look for more detail on the Kerberos and
    reporting solutions here: http://www.identitychaos.com
    and http://digitalcamel.blogspot.com
  • Thanks to the following people who helped with
    the research. From Microsoft: Tom Wisnowski, Tim
    Baggs, James World

39
  • Q & A