Platform and Infrastructure

Chapter 2: Approaches to Choosing a Platform

Published: May 11, 2004 | Updated: June 26, 2006

Establishing a platform for identity and access management involves making some significant decisions that will make a noticeable impact on an organization's IT capabilities. The first decision an organization must make is whether to choose a single-vendor solution or multiple "best-of-breed" products that can integrate to form a complete solution.

The advantages of a single-vendor solution can include:

Easier integration.

Comprehensive, single-source support.

Discount or package licensing.

The advantages of a best-of-breed solution can (but, again, do not always) include:

The ability to choose individual products based on requirements.

The ability to license and deploy only the products that are needed.

Many organizations enjoy the advantages of both models by selecting a single vendor (typically a platform vendor) for a significant portion of the infrastructure, and then augmenting this baseline with products from other vendors to fill specific functionality gaps. If an organization chooses this path, it is important for the platform vendor to demonstrate that its technology interoperates with many other vendors' products in different technology areas.

The rest of this chapter discusses the choices that need to be made when selecting a single platform or best-of-breed product in the following technology areas:

Directory services.

Access management services.

Trust mechanisms.

Identity life-cycle management tools.

The application platform.


Choosing Directory Services

Successful operation of the identity and access management platform requires a suitable location for storing application and identity information. While other options for storing user information exist, the industry has rapidly standardized on directory technology to achieve this capability. Most commercially available directories today support a common set of capabilities that include:

Support for either the Lightweight Directory Access Protocol (LDAP) or Directory Access Protocol (DAP) or both of these protocols, based on the International Telecommunication Union (ITU) X.500 standard.

Standardized attribute types based on the X.520 standard.

Standardized object classes based on the X.521 standard.
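To make the X.520/X.521 point concrete, the following Python example (added here; it is not part of the original paper or of any Microsoft product) parses a minimal LDIF entry and checks it against the mandatory attributes of a few X.521 object classes. The MUST lists are the ones X.521 defines as profiled in RFC 4519 (person requires cn and sn, organizationalPerson inherits from person, organizationalUnit requires ou); the entry itself is constructed sample data, and attribute names are compared case-insensitively as LDAP requires.

```python
"""Added example: parse one LDIF entry and validate it against the mandatory
(MUST) attributes of X.521 object classes. Class definitions follow X.521 /
RFC 4519; the sample entry is constructed data, not from any real directory."""

from typing import Dict, List, Set

# X.521 object classes: (superior class, attributes that MUST be present).
X521_CLASSES = {
    "top": (None, ["objectClass"]),
    "person": ("top", ["sn", "cn"]),
    "organizationalPerson": ("person", []),
    "organizationalUnit": ("top", ["ou"]),
}

# Constructed sample entry in LDIF form.
SAMPLE_LDIF = """\
dn: cn=Alice Example,ou=Tellers,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
cn: Alice Example
sn: Example
title: Bank Teller
"""


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse a single LDIF entry into a multi-valued attribute map.

    Attribute names are lowercased because LDAP attribute types are
    case-insensitive; values keep their case."""
    entry: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def required_attributes(object_classes: List[str]) -> Set[str]:
    """Collect MUST attributes for the given classes and all their superiors."""
    required: Set[str] = set()
    for object_class in object_classes:
        current = object_class
        while current is not None:
            if current not in X521_CLASSES:
                raise ValueError(f"unknown object class: {current}")
            superior, must = X521_CLASSES[current]
            required.update(attr.lower() for attr in must)
            current = superior
    return required


def missing_attributes(entry: Dict[str, List[str]]) -> List[str]:
    """Return the mandatory attributes the entry lacks (sorted; empty if valid)."""
    classes = entry.get("objectclass", [])
    present = set(entry) - {"dn"}
    return sorted(required_attributes(classes) - present)


if __name__ == "__main__":
    entry = parse_ldif_entry(SAMPLE_LDIF)
    print("missing:", missing_attributes(entry))
```

A directory server performs this schema check on every add or modify; doing it client-side before provisioning catches malformed entries early, which matters when an identity-integration product is writing thousands of entries in a batch.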

Because directory object storage and directory access mechanisms are fairly consistent across most directories, what differentiates directory service products are often capabilities such as:

Search performance.

Storage and multiprocessor efficiency for scale up.

Data replication performance for scale out.

Robust failover and recovery capabilities.

Integration with different types of security services.

Integration with different types of applications and system management services.

Publication technologies.

Precise access control at the object and attribute level.

Licensing.

Support.

Directory requirements may also depend on the role that a directory is asked to perform. Capabilities that are required in one role may differ from those required in another role. For example, many organizations will need to deploy directory services to perform the following roles:

Intranet (enterprise) directory

Extranet (perimeter) directory

Application directory

The following sections in this chapter describe considerations for directories in these roles.

Intranet Directory

Most organizations currently have one or more directory services on their intranet. Intranet directory services must provide the following capabilities:

A central repository for user accounts.

Centralized, secure storage of credentials used for authentication.

Centralized storage of attribute information used for authorization.

Information to locate network resources.

Information to locate people and groups.

In addition to these capabilities, it is highly valuable if the intranet directory service also integrates tightly with security services that are often found on the intranet.

Extranet Directory

Extranet directories have the same fundamental requirements as intranet directories in most organizations. The additional requirements for choosing a directory that must support applications used by partners, customers, and employees include:

The ability to scale to millions of users.

Cost-effective licensing.

Support for Internet-compatible authentication mechanisms.

The ability to present multiple distinct communities or organizations (such as partners and customers) within a single directory.

Application Directory

Application directories are deployed where directory service technology meets the requirements of the scenario, but where the data stored in the directory is not useful to a large set of users or applications. Application directories usually need only a subset of the capabilities of an organization-level directory, together with additional requirements for manageability and operability. Application directories should offer the following:

Storage for application-specific information.

Easy set up and deployment.

A simple administration model.

Reasonable scale up and failover capabilities.

Low-cost licensing.

Choosing Access Management Services

Access management services provide the organization's applications with the capability to authenticate users securely and carry out robust authorization. When considering your access management choices, select technologies that integrate well with the directory services product.

Selecting Authentication Methods

The requirements and considerations for authentication mechanisms can vary greatly based on the scenario. Typical requirements that differentiate how authentication is performed include:

What requirements can the organization impose on the user?

What infrastructure can be established and maintained to support the user?

Should the user have a single sign-on (SSO) experience?

What kind of applications does the user need to access?

Although there can be variations within the scenarios, the distinction between intranet and extranet authentication offers one way to categorize users and the authentication mechanisms applicable to them.

Intranet Authentication

Intranet authentication has the following characteristics that will influence the authentication mechanisms you choose:

High levels of control (through policies) that govern how computer users (employees) can use the network.

Complete control over the network environment and availability of services.

Control over the configuration of user workstations.

Multiple application types, such as client/server, Web-based or Microsoft® Windows® Forms-based.

Because of these characteristics, it is possible to choose authentication mechanisms for the intranet that offer high levels of security while providing an SSO experience. However, these also require a combination of sophisticated infrastructure, configuration, and certain user behaviors. Examples of authentication technologies that meet this description include:

The Kerberos version 5 authentication protocol.

X.509 digital certificates on smartcards.

Hardware tokens such as RSA SecurID.

For more information about these technologies, see the "Intranet Access Management" paper in this series.

Extranet Authentication

With the single exception of employees (and in a few cases, partners) that access extranet resources by using VPN technologies over the Internet, Web-based extranet access has a completely different set of characteristics:

Low levels of control (through policies) govern how computer users (customers, partners) can use the network.

There is little or no control over the network environment and availability of services beyond your perimeter network.

There is no control over the configuration of user workstations.

Access requires mostly Web-based applications.

Because of these characteristics, authentication mechanisms should be chosen for the extranet that offer adequate levels of security without placing unrealistic requirements on users. Examples of authentication technologies that meet this description include:

Forms-based authentication.

X.509 digital certificates for employees.

Microsoft Passport Services for customers and partners.

Even with the very explicit restrictions that the extranet environment dictates, extranet users expect the same SSO experience across multiple applications that intranet users enjoy. Furthermore, many organizations have requirements to provide an SSO user experience across different applications running on different platforms. A strong independent software vendor (ISV) market has matured to address this problem of providing Web SSO across heterogeneous platforms, and many suitable solutions are available from a large number of vendors.

For more information about these technologies, see the "Extranet Access Management" paper in this series.

Implementing Authorization

Most platforms support some form of access control list (ACL) mechanism for granting permissions on static objects such as files and printers. Access to these objects is granted by being a user or a member of a group that is explicitly allowed access to the object.

In addition, most organizations are contemplating whether to use some form of role-based access control (RBAC). RBAC tends to be more intuitive, and as a result it is easier to manage and more flexible.

RBAC mechanisms should be capable of implementing a business rule to define authorization policy. For example, an RBAC mechanism should be able to enforce a business rule of the following type:

Only bank tellers can process savings account deposits between the hours of 9am and 4pm.

An organization should choose a platform that provides efficient ACL-based access control for static objects, as well as a robust, flexible RBAC mechanism that is intuitive to manage and capable of expressing complex business rules as access policies.
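The contrast between ACL-based control of a static object and an RBAC rule that carries a business condition can be seen in a few lines of code. The Python example below is added here and is not from the paper or from Authorization Manager; the users, roles, ACL entries and the "deposit:savings" operation name are constructed, and the RBAC policy encodes exactly the sample rule above (tellers only, 09:00 to 16:00). Decisions are deny-by-default and return a reason string so that a denial can be written to an audit trail.

```python
"""Added example: an ACL check for a static resource beside a small RBAC
evaluator that enforces the paper's sample business rule:
'Only bank tellers can process savings account deposits between 9am and 4pm.'
Users, roles, resources and operation names are constructed sample data."""

from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Role (and group) membership: user -> set of roles. Constructed sample data.
ROLE_MEMBERS: Dict[str, Set[str]] = {
    "alice": {"teller"},
    "bob": {"auditor"},
    "carol": {"teller", "branch-manager"},
}

# ACL on a static object: (principal kind, principal, right) entries.
ACL: Dict[str, Set[Tuple[str, str, str]]] = {
    "report:q2.pdf": {("group", "auditor", "read"), ("user", "carol", "read")},
}


def acl_allows(user: str, resource: str, right: str) -> bool:
    """ACL check: the user, or a group the user belongs to, must be explicitly granted."""
    for kind, principal, granted in ACL.get(resource, set()):
        if granted != right:
            continue
        if kind == "user" and principal == user:
            return True
        if kind == "group" and principal in ROLE_MEMBERS.get(user, set()):
            return True
    return False


@dataclass(frozen=True)
class Rule:
    """An RBAC rule: an operation, the roles allowed to perform it, and an
    optional time-of-day window (start inclusive, end exclusive)."""
    operation: str
    roles: FrozenSet[str]
    start: Optional[time] = None
    end: Optional[time] = None

    def in_window(self, when: datetime) -> bool:
        if self.start is None or self.end is None:
            return True
        return self.start <= when.time() < self.end


# Authorization policy: the paper's business rule plus one unconditional rule.
POLICY: List[Rule] = [
    Rule("deposit:savings", frozenset({"teller"}), time(9, 0), time(16, 0)),
    Rule("report:read", frozenset({"auditor", "branch-manager"})),
]


def authorize(user: str, operation: str, when: datetime) -> Tuple[bool, str]:
    """Deny-by-default RBAC decision with a reason suitable for audit logging."""
    roles = ROLE_MEMBERS.get(user, set())
    reason = "deny: no rule grants this operation to the user's roles"
    for rule in POLICY:
        matched = roles & rule.roles
        if rule.operation != operation or not matched:
            continue
        if not rule.in_window(when):
            reason = f"deny: outside permitted window {rule.start:%H:%M}-{rule.end:%H:%M}"
            continue
        return True, f"allow: via role(s) {sorted(matched)}"
    return False, reason


if __name__ == "__main__":
    print(authorize("alice", "deposit:savings", datetime(2006, 6, 26, 10, 30)))
    print(authorize("alice", "deposit:savings", datetime(2006, 6, 26, 17, 0)))
    print(acl_allows("bob", "report:q2.pdf", "read"))
```

The ACL answers only "who can touch this object"; the RBAC rule adds the business condition (role plus time of day) that an ACL cannot express, which is why the paper asks for both mechanisms in a platform.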

Implementing Trust Mechanisms

Of all the technologies that have been discussed so far, the implementation of trust is likely the biggest technology area that differentiates various platforms. At the highest level, trust is the reliance that one computer places on another computer or group of computers to assert the identity of a user. The differentiation between trust mechanisms is mostly in how computers and users become part of a circle of trust.

For example, host-based systems are, by their very nature, both autonomous and encompassing. Few organizations have more than one mainframe, and if they do, those computers are unlikely to trust each other except through the explicit sharing of passwords.

UNIX and Linux operating systems are typically either stand-alone systems (not a member of any "circle of trust") or part of a Network Information Service (NIS) or NIS+ grouping. You can also configure UNIX and Linux workstations to use LDAP for authentication and authorization. When this happens, all such workstations configured to use the same directory instance become part of this circle of trust.

In order to become a truly valuable tool for enabling effective identity and access management, the platform should provide trust mechanisms that scale across the entire organization, and even between organizations. Circles of trust should be a fundamental building block of the platform, and it should be possible to organize them into hierarchical groupings so that trust relationships can be administered at the appropriate level.

Choosing Identity Life-Cycle Management Tools

Identity life-cycle management tools provide the means to manage the following basic tasks related to identities:

User management.

Credential management.

Entitlement management.

All platforms come with tools and interfaces that allow the administrator to perform these basic tasks, but this is another area where a strong ISV market has developed in order to provide user-friendly, cross-platform management capabilities. In many cases, these tools are Web-based, which is highly appropriate for extranet identity management scenarios, such as partner-delegated administration (in which the partner organization takes responsibility for administering their users).

You should consider using best-of-breed identity management tools for your organization's scenario if the platform-provided tools that have been designed for the intranet scenario in this paper series do not meet your organization's requirements.

Implementing Identity Integration

Identity integration tools are often sophisticated, complex products in their own right. These tools can aggregate and synchronize the information that describes digital identities (attributes) between the many existing identity stores in established organizations. Some of these products are also described as metadirectory products.

Features to consider when evaluating an identity integration product include:

How many different types of identity stores does it connect to?

Does each "connector" require a footprint (a user account or an additional table) on the connected system?

How robust are the rules that govern attribute flow between identity stores?

What is the development environment for extending the rules that come with the product?

Can the product synchronize or propagate user passwords from one store to another?

Does the product support both state-based (based on the current state of an object) and event-based processing (based on changes within the connected identity store)?

Does the product integrate well with the platform directory services selected by the organization?

Provisioning and Deprovisioning

The ability to provision and deprovision user accounts in multiple identity stores may be part of an identity integration product, or it may be implemented in a stand-alone product. The features to consider when evaluating provisioning products are similar to those for an identity integration product. The ability to support different levels of workflow is also an important distinction for provisioning.
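The evaluation questions above (attribute-flow rules, state-based versus event-based processing) and the provisioning and deprovisioning capability described in this section can be illustrated with one small metadirectory. The Python example below is added here and is not code from the paper, from MIIS 2003 or from any other product; the HR and directory store contents, the flow-rule set, the "status" attribute used to drive deprovisioning, and the event format are all constructed for the example. HR is treated as the authoritative source, so attributes flow one way, and a terminated HR status removes the directory account.

```python
"""Added example: a toy metadirectory that synchronizes an authoritative HR
store into a target directory. It applies attribute-flow rules, provisions
new users, deprovisions users whose HR status is no longer active, and runs
either state-based (full) or event-based (delta). All data is constructed."""

from typing import Callable, Dict, List

Record = Dict[str, str]

# Attribute-flow rules: target attribute -> function of the source (HR) record.
FLOW_RULES: Dict[str, Callable[[Record], str]] = {
    "cn": lambda r: f"{r['givenName']} {r['sn']}",
    "sn": lambda r: r["sn"],
    "mail": lambda r: f"{r['givenName']}.{r['sn']}@example.com".lower(),
    "department": lambda r: r["dept"],
}

# Constructed sample HR data, keyed by employee ID (the join key for both stores).
HR_STORE: Dict[str, Record] = {
    "1001": {"givenName": "Alice", "sn": "Example", "dept": "Retail", "status": "active"},
    "1002": {"givenName": "Bob", "sn": "Sample", "dept": "Audit", "status": "active"},
    "1003": {"givenName": "Eve", "sn": "Former", "dept": "Retail", "status": "terminated"},
}


def project(hr_record: Record) -> Record:
    """Apply the flow rules to compute the desired target-directory attributes."""
    return {attr: rule(hr_record) for attr, rule in FLOW_RULES.items()}


def apply_record(emp_id: str, hr_record: Record, directory: Dict[str, Record]) -> List[str]:
    """Provision, update or deprovision one identity; return the actions taken."""
    if hr_record["status"] != "active":
        # Deprovision: the relationship has ended, so the account must go.
        if emp_id in directory:
            del directory[emp_id]
            return [f"deprovision {emp_id}"]
        return []
    desired = project(hr_record)
    if emp_id not in directory:
        directory[emp_id] = desired
        return [f"provision {emp_id}"]
    changed = {a: v for a, v in desired.items() if directory[emp_id].get(a) != v}
    if changed:
        directory[emp_id].update(changed)
        return [f"update {emp_id} {sorted(changed)}"]
    return []


def sync_state_based(hr: Dict[str, Record], directory: Dict[str, Record]) -> List[str]:
    """Full run: reconcile the directory against the current state of every HR record."""
    log: List[str] = []
    for emp_id, hr_record in hr.items():
        log += apply_record(emp_id, hr_record, directory)
    return log


def sync_event_based(events: List[dict], directory: Dict[str, Record]) -> List[str]:
    """Delta run: process only the HR change events, in the order they occurred.

    Each event is a constructed dict: {"id": employee_id, "record": new_hr_record}."""
    log: List[str] = []
    for event in events:
        log += apply_record(event["id"], event["record"], directory)
    return log


if __name__ == "__main__":
    directory: Dict[str, Record] = {}
    print(sync_state_based(HR_STORE, directory))
    print(directory)
```

A state-based run is idempotent (a second run over unchanged data produces no actions), which is what makes it safe as a periodic reconciliation; an event-based run is cheaper per change but depends on the connected store delivering every event, so real products typically offer both, as the evaluation question above suggests.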

Choosing an Application Platform

Application development environments have a history of integrating well with their native platform, but not so well with other platforms. For this reason, your organization's choice of application platform will most likely depend on your choice of infrastructure platform for the application servers in your environment.

Many organizations choose to develop or maintain applications on two or more platforms. For such organizations it is critical to understand how heterogeneous applications can interoperate by using common protocols and by taking advantage of common infrastructure services. An application platform that does not integrate or interoperate well with others should not be chosen. Application platform vendors should have a demonstrated commitment to interoperability and support the relevant standards efforts that make interoperability possible.

The Microsoft Identity and Access Management Platform

The following sections in this chapter describe the core products and technologies that make up the Microsoft Identity and Access Management platform, and the benefits it brings to an organization.

Directory Services

Microsoft Windows Server™ 2003 includes support for the Microsoft Active Directory® directory service, and for an application directory service called Active Directory Application Mode (ADAM). The following figure shows the central role Active Directory plays, and how it integrates with other Microsoft and ISV technologies.

Figure 2.1. Active Directory integration with other network components


Active Directory

Active Directory has the following features that make it suitable for both the intranet and extranet directory service role:

A central location for network administration and delegation of administrative authority. Administrators have access to objects representing all network users, devices, and resources, as well as the ability to group objects for ease of management, and apply security and Group Policy.

Information security and SSO for user access to network resources. Tight integration with security eliminates costly tracking of accounts for authentication and authorization between systems. A single user name and password combination can identify each network user, and this identity follows the user throughout the network.

Scalability. Active Directory includes one or more domains, each with one or more domain controllers, which enables you to scale the directory to meet any network requirements.

Flexible and global searching. Users and administrators can use desktop tools to search Active Directory. By default, searches are directed to the global catalog, which provides forest-wide search capabilities.

Storage for application data. Active Directory provides a central location to store data that is shared between applications, and for applications that need to distribute their data across entire Windows-based networks.

Systematic synchronization of directory updates. Updates are distributed throughout the network through secure and cost-efficient replication between domain controllers.

Remote administration. You can connect to any domain controller remotely from any Windows-based computer that has administrative tools installed. Alternatively, you can use the Remote Desktop feature to log on to a domain controller from a remote computer.

Single, modifiable, and extensible schema. The schema is a set of objects and rules that provide the structure requirements for Active Directory objects. You can modify the schema to implement new types of objects or object properties.

Integration of object names with Domain Name System (DNS), the Internet-standard computer location system. Active Directory uses DNS to implement an IP-based naming system so that Active Directory services and domain controllers are locatable over standard IP both on intranets and the Internet.

LDAP support. Lightweight Directory Access Protocol (LDAP) is the industry standard directory access protocol, making Active Directory widely accessible to management and query applications. Active Directory supports LDAPv3 and LDAPv2.

Active Directory Application Mode

Active Directory Application Mode (ADAM) has the following features that make it suitable for the application directory service role:

Ease of deployment. Developers, end users, and ISVs can easily deploy ADAM as a lightweight directory service on most Windows Server 2003 platforms and on clients running Microsoft Windows® XP Professional. You can easily install, reinstall, or remove the ADAM application directory, making it the ideal directory service to deploy with an application.

Reduced infrastructure costs. By using a single directory technology for both your network operating system (NOS) and application directory needs, you can reduce overall infrastructure costs. Additional investment is not required for training, administration, or management of your application directory.

Standardized application programming interfaces (APIs). LDAP, Active Directory Service Interfaces (ADSI), and Directory Services Markup Language (DSML) are implemented in both ADAM and Active Directory. These capabilities enable you to build applications on ADAM, and then migrate them to Active Directory as needed, with minimal change.

Increased security. Because ADAM is integrated with the Windows security model, any application that uses ADAM can authenticate access against Active Directory across the enterprise.

Increased flexibility. An application owner can easily deploy directory-enabled applications without affecting the directory schema for the entire organization, while continuing to use the identity information and credentials that are stored in the organization’s NOS directory.

Reliability and scalability. Applications that use ADAM have the same reliability, scalability, and performance that they have with deployments of Active Directory in the NOS environment.

For more information about ADAM, download the white paper "Introduction to Active Directory Application Mode".

Security Services

The following security services are tightly integrated with Windows application servers, Windows client operating systems, and computers running Windows 2000 Server and Windows Server 2003 acting as domain controllers:

The Kerberos version 5 protocol supports authentication, including APIs for use by client/server applications, as well as a Kerberos Key Distribution Center (KDC) that is integrated with Active Directory.

The Microsoft Security Support Provider Interface (SSPI) is a well-defined common API for obtaining integrated security services for authentication, message integrity, message privacy, and security quality of service for any distributed application protocol.

The X.509-based Public Key Certificate Server built into Windows Server lets organizations issue public-key certificates for authentication to their users, without depending on commercial certification authority (CA) services.

Secure Socket Layer (SSL) and Transport Layer Security (TLS) use client/server X.509 digital certificates to support strong, mutual authentication and secure communications.

Smart cards provide tamper-resistant storage for protecting private keys, account numbers, passwords, and other forms of personal information and are a key component of the public-key infrastructure (PKI) that Microsoft integrates into the Windows® platform.

Microsoft Passport provides an SSO user experience for customer authentication to an organization's extranet applications.

Access Control Lists (ACLs) on static resources. The Microsoft Windows Server™ object-based security model allows administrators to grant a user or group access rights that govern who can access a specific object.

Authorization Manager supports RBAC in custom applications.

Note   Authorization Manager is included with Windows Server 2003, but you must download and install it for use on Windows 2000 Server from the Windows 2000 Authorization Manager Runtime page.

Security auditing allows changes to directory objects and access events to be reported through the Security Event log.

Identity Integration Services

Microsoft Identity Integration Server 2003, Enterprise Edition with Service Pack 1 (MIIS 2003 with SP1) includes the following features that you can use to streamline identity and access management across your organization:

Identity aggregation, synchronization, and provisioning across heterogeneous identity stores.

Management agents for connection to multiple identity stores, including directory services, databases, and e-mail systems.

Password management and synchronization, including a self-service Web application for password resets.

No connector footprint on the connected identity stores.

Event or state-based synchronization processing.

Easy extensibility through the Microsoft Visual Studio® .NET programming environment.

A reduced-feature-set version called the Identity Integration Feature Pack for Active Directory offers:

Management agents for Active Directory, ADAM, and Global Address List (GAL) Synchronization.

Client Operating System

Organizations that standardize on Windows XP Professional will realize these benefits:

Support for Windows-Integrated Authentication with platform services to achieve SSO for file, print and Web application services.

Domain-level Group Policy to enforce increased security.

Additional SSO capabilities between different organizations that use passwords, X.509 digital certificates, and Microsoft Passport accounts through Windows Credential Manager.

Development Platform

Microsoft Visual Studio.NET and the .NET Framework provide the capability to:

Develop identity-aware applications that use the power of the Microsoft Identity and Access Management platform.

Reduce application development costs.

Platform Benefits

Implementing the Microsoft Identity and Access Management platform with the solutions described in the following chapters of this paper will allow Contoso to achieve the following benefits:

A single, secure, trusted source of identity information. Administrators have a reliable, up-to-date view of all applications and systems, as well as all users and their entitlements.

Seamless application integration. The Microsoft development platform provides secure, standards-based authentication, authorization, and data protection mechanisms.

Improved security and provisioning. Identities across multiple systems in the organization for employees, customers, or partners are removed as soon as their relationships with the organization end.

Simplified administration and reduced administrative costs. Administrators can add, change, and remove digital identities and entitlements quickly and easily in a centralized place.

Fine-grained access control. Administrators can control more precisely what resources users can access, what they can do with those resources, and how security policies are applied to users and resources at a detailed level.

Using fewer passwords and better password management. Users can access applications more conveniently and Helpdesk personnel will spend less time managing password problems.

Interoperability among identity systems and operating systems. The solution provides interoperability through standards-based access and authentication mechanisms that reduce the time it takes to integrate and administer multiple systems.

Secure, reliable auditing. Auditing provides the necessary trail to explain who, what, when, where, and how resources are accessed across the network.

Local Credential Management. Strong protection of locally stored password credentials by using Windows Credential Manager.

While the platform provides core services that are required for identity and access management, several solutions need to be implemented with the platform to achieve all of these benefits. Chapter 4, "Designing the Infrastructure" in this paper discusses these solutions.

