Microsoft Identity Integration Server

1
Microsoft Identity Integration Server Role Base
Access

• Theo Kostelijk
• Consultant
• Microsoft BV
• theok_at_microsoft.com

2
Agenda

• Microsoft Identity Integration Server Concepts
  Architecture (MIIS)
• Authorization Manager (AzMan)

3
What is Microsoft Identity Integration Server?

• Directory Synchronization
• Password Management
• Provisioning and Workflow

Mainframe/ Unix
Identity Data
4
Connectivity in MIIS 2003, Enterprise Edition

• Active Directory
• Active Directory Application Mode
• Active Directory Global Address List (GAL)
• Attribute-value pair text file
• Delimited text file
• Directory Service Markup Language (DSML) 2.0
• Exchange Server 5.5
• Exchange Server 5.5 (Bridgehead Server)
• Extensible Connectivity
• Fixed-width text file
• IBM DB2 Universal Database
• IBM Directory Server
• LDAP Data Interchange Format (LDIF)
• Lotus Notes
• Novell eDirectory 8.6.2 and 8.7
• Oracle Database 8i and 9i
• SQL Server 7.0 and 2000
• Sun and Netscape Directory Servers
• Windows NT 4.0

5
Directory Synchronization

• Synchronizes multiple repositories
• Management agents use touchless connection to
  other systems
• Provides attribute-level control
• Manage global address lists (GAL)
• Automate group and DL management

6
Directory Synchronisation
MIIS
HR System
Active Directory
Lotus Notes
7
Attribute Flow
8
Password Management

• Initial password set when provisioning
• Centralized password control via a Web app
  ctr-alt-del
• Self-service password change
• Helpdesk password reset

9
Provisioning Workflow

• Simple Provisioning De-provisioning
• Provision users as they appear in authoritative
  systems
• Set initial values for attributes (including
  password)
• Disable or delete accounts
• Complex Workflow
• Initiate workflow or provisioning system
• Integrate with BizTalk
• Integrate with 3rd party provisioning systems

10
Provisioning Scenario
MIIS
HR System
DB
Active Directory
LDAP
iPlanet Directory
LDAP
11
De-Provisioning Scenario
MIIS
HR System
DB
Active Directory
LDAP
iPlanet Directory
LDAP
12
MIIS Architecture
HR App with SQL
Active Directory
Metaverse
Connector Space Object
Metaverse Object
Connector
Connector Space
13
Authorization ManagerAzMan Advantages
Introduced in Windows Server 2003 Also
available for Windows Server 2000

• Centralized authorization policy for multiple
  applications
• The ability to create security groups outside of
  Active Directory and managed by the application
  administrator
• The ability to create groups based on the result
  of an LDAP query
• Relies on a Policy Store for one or more apps
• Delegated Admin (AD ADAM only)
• XML Store not recommended for Enterprise Apps
• Authorized users Must have an actual account on
  the web server or user account in AD or ADAM

14
Authorization ManagerAdvantages

• 3 Key Mechanisms for user Role Assignments
• Membership in AD or Local Server, or AzMan
  Groups
• LDAP Query Groups
• BizRules
• Centrally Managed across the organization without
  managing Web.config files or changing application
  code

15
RoleTasks, TaskOperations
Web Expense Application
Database Operation
Web Operation
Directory Operation
Payment System Operation
16
AzMan Groups
17
AzMan Operation Defenitions
18
AzMan Task Definitions
19
How to use AzMan in your code?
20
MIIS AzMan (HRApp naar MIIS)
21
MIIS AzMan (MIIS Naar AD)
22
MIIS AzMan (AzMan AD)
23
(No Transcript)