[Diagram: A. Datum Account Forest (Users) and Trey Research Resource Forest (Resource) joined by a Federation Trust; the application in the scenario is the E-Company Store.]

Contract ID  Region  Country  Account Mgr.  Sales Mgr.
101          NA      US       Jason         John
102          EU      UK       Joe           Sam
103          EU      FR       Ariel         Jorge
104          EU      FR       Ariel         Linda
105          EU      DE       Jon           Sarah

Business Policy
• Acct Mgrs: read contracts in their region; edit contracts in their country; create new contracts
• Sales Rep: edit contracts they own
Application Roles: Create, Read, Update

How do you build the token for Ariel?
• <102>Read</102> ??? This doesn't work
• <roles>Create</roles> - doesn't reflect the policy
• <roles>Read</roles>
• <role>Create~102/Read~103/Update~104/Update~105/Read</role> - token bloat with too many values

App Suite STS: augmented claims, authorization tokens
Identity STS: authentication, partner federation, identity normalization, immutable identifiers

• ADFS issues authentication tickets to the PARTNER REALM, not to any specific application
• Once a user is authenticated by ADFS, the PARTNER ADFS SERVER will issue tokens for any application which trusts it, without going back for authorization
• Policy does not allow the service to issue a token based on the SERVICE PROVIDER'S policy (ex. subscription to services)
• Policy must reflect the application access CONTOSO has for its users, but is enforced at the federation broker STS

• Loss of personal/confidential data
  – Recoverability after termination
  – The enterprise should not have to provide access to corporate IDs
  – Users should not have to find and re-permission their data to a new account
http://www.google.com/a/cpanel/premier/new

[Diagram, shown in several build steps: Corporate Network, Exchange Online and Microsoft Federation Gateway; the identity record carried between them is ID: 12345, UPN: [email protected], PUID: E0A178, MAIL: [email protected], with a later step filling in a sign-up form (ID, UPN, PUID, PWD: P@ssword).]
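To make the "how do you build the token for Ariel?" question on the contract slide concrete, here is an added Python model (not from the deck) of the slide's contract table and business policy. It computes Ariel's per-contract role claim in the slide's own format and contrasts it with issuing only attribute claims that the application evaluates per request; each user's own region/country (Ariel: EU/FR, taken from her contracts) and the role names AcctMgr/SalesRep are assumptions.

```python
from collections import namedtuple

# Contract table as shown on the slide (columns: id, region, country, account mgr, sales mgr).
Contract = namedtuple("Contract", "cid region country account_mgr sales_mgr")
CONTRACTS = [
    Contract(101, "NA", "US", "Jason", "John"),
    Contract(102, "EU", "UK", "Joe", "Sam"),
    Contract(103, "EU", "FR", "Ariel", "Jorge"),
    Contract(104, "EU", "FR", "Ariel", "Linda"),
    Contract(105, "EU", "DE", "Jon", "Sarah"),
]

# Claims the identity STS asserts about a user. The slide does not list a user's
# own region/country, so those are assumed here (Ariel: EU/FR, from her contracts).
Identity = namedtuple("Identity", "name role region country")   # role: AcctMgr | SalesRep

def can_create(user):
    return user.role == "AcctMgr"                    # Acct Mgrs: create new contracts

def allowed(user, contract, op):
    """Business policy from the slide, evaluated at the application per request."""
    if user.role == "AcctMgr":
        if op == "Read":                             # read contracts in their region
            return contract.region == user.region
        if op == "Update":                           # edit contracts in their country
            return contract.country == user.country
    if user.role == "SalesRep":                      # edit contracts they own
        return op == "Update" and contract.sales_mgr == user.name
    return False

def enumerated_role_claim(user, contracts=CONTRACTS):
    """The slide's per-contract <role> value: one entry per contract, so it grows
    with the contract table (the 'token bloat' option)."""
    parts = ["Create"] if can_create(user) else []
    for c in contracts:
        if allowed(user, c, "Update"):               # Update subsumes Read in the slide's value
            parts.append(f"{c.cid}/Update")
        elif allowed(user, c, "Read"):
            parts.append(f"{c.cid}/Read")
    return "~".join(parts)

def attribute_claims(user):
    """Compact alternative: issue attributes and let the application evaluate policy.
    Size is fixed regardless of how many contracts exist."""
    return {"name": user.name, "role": user.role, "region": user.region, "country": user.country}

def authorize(claims, contract, op):
    """Application-side check driven by the compact attribute claims."""
    return allowed(Identity(**claims), contract, op)
```

For Ariel the enumerated claim reproduces the slide's value exactly and adds one entry per contract she can touch, while the attribute claims stay at four values however large the table grows.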
Breakout Sessions
• SIA321 | Business Ready Security: Exploring the Identity and Access Management Solution
• SIA201 | Understanding Claims-Based Applications: An Overview of Active Directory Federation Services (AD FS) 2.0 and Windows Identity Foundation
• SIA302 | Identity and Access Management: Centralizing Application Authorization Using Active Directory Federation Services 2.0
• SIA303 | Identity and Access Management: Windows Identity Foundation and Windows Azure
• SIA304 | Identity and Access Management: Windows Identity Foundation Overview
• SIA305 | Top 5 Security and Privacy Challenges in Identity Infrastructures and How to Overcome Them with U-Prove
• SIA306 | Night of the Living Directory: Understanding the Windows Server 2008 R2 Active Directory Recycle Bin
• SIA307 | Identity and Access Management: Deploying Microsoft Forefront Identity Manager 2010 Certificate Management for Microsoft IT
• SIA318 | Microsoft Forefront Identity Manager 2010: Deploying FIM
• SIA319 | Microsoft Forefront Identity Manager 2010: In Production
• SIA326 | Identity and Access Management: Single Sign-on Across Organizations and the Cloud - Active Directory Federation Services 2.0 Architecture Drilldown
• SIA327 | Identity and Access Management: Managing Active Directory Using Microsoft Forefront Identity Manager
• SIA01-INT | Identity and Access Management: Best Practices for Deploying and Managing Active Directory Federation Services (AD-FS) 2.0
• SIA03-INT | Identity and Access Management: Best Practices for Deploying and Managing Microsoft Forefront Identity Manager
• SIA06-INT | Identity and Access Management Solution Demos

Hands-On Labs
• SIA02-HOL | Microsoft Forefront Identity Manager 2010 Overview
• SIA06-HOL | Identity and Access Management Solution: Business Ready Security with Microsoft Forefront and Active Directory

Product Demo Stations
• Red SIA-5 & SIA-6 | Microsoft Forefront Identity and Access Management Solution

Learn more about our solutions: http://www.microsoft.com/forefront
Try our products: http://www.microsoft.com/forefront/trial
www.microsoft.com/teched | www.microsoft.com/learning | http://microsoft.com/technet | http://microsoft.com/msdn

Sign up for Tech·Ed 2011 and save $500, starting June 8 – June 31st: http://northamerica.msteched.com/registration. You can also register at the North America 2011 kiosk located at registration. Join us in Atlanta next year.