This series of papers provides numerous identity and access management concepts, techniques, and solutions for use in heterogeneous IT environments.
Identity and access management combines processes, technologies, and policies to manage digital identities and specify how they are used to access resources.
Send your feedback, questions, and requests for future papers to secwish@microsoft.com.
This guide comprises the following documents:
Overview of the Microsoft Identity and Access Management Series
The overview describes the series and how it is structured, and provides information about the following:
• How to access the Tools and Templates.
• Style conventions in the papers.
• Consulting services and system integrators.
• Independent hardware and software vendors.
This paper includes key concepts, terminology, and technologies, as well as identity and access management challenges and approaches for overcoming them. This paper is prerequisite reading for the other papers in the series.
This paper defines common platform requirements and a technology infrastructure for all of the identity and access management solutions in the series.
Identity Aggregation and Synchronization
This paper describes the approaches and technologies available for integrating identity stores across a heterogeneous environment. It also provides detailed implementation guidance for identity aggregation and synchronization between Microsoft® Active Directory® directory service forests, Sun ONE Directory Server 5.1 (formerly iPlanet Directory Server), and Lotus Notes using Microsoft Identity Integration Server 2003, Enterprise Edition (MIIS 2003) with Service Pack 1 (SP1).
This paper describes several password management approaches and includes guidance on password policies and enabling password reset, password change, and password synchronization to multiple authentication stores by using MIIS 2003 with SP1. It also provides detailed implementation guidance plus ASP.NET code samples (in Microsoft Visual C#® and Microsoft Visual Basic® .NET) for:
• Intranet Password Management: This scenario uses an intranet Active Directory forest as the password master (for policy), propagating password changes to Lotus Notes and Sun ONE Directory Server 5.1 using MIIS 2003 with SP1.
• Extranet Password Management: This scenario uses sample ASP.NET code for password change, self-service password reset, reporting, and a scheduled script for password expiry notification.
This paper discusses how to provision identities automatically into multiple directories and identity stores in a heterogeneous environment, manage membership in security and e-mail groups, and implement workflow processes that extend the automated processes. This paper provides detailed implementation guidance plus ASP.NET code samples (in Microsoft Visual C#® and Microsoft Visual Basic® .NET) for:
• HR-driven Provisioning: This scenario describes how HR data can be used to drive fully automated provisioning to a heterogeneous environment. The scenario uses SAP as the HR system and provisions accounts in the intranet Active Directory, extranet Active Directory, Lotus Notes, and Sun ONE Directory Server 5.1 (formerly iPlanet Directory Server) using MIIS 2003 SP1.
• Group Management: This scenario describes how to have security groups and distribution lists managed automatically based on identity attributes such as manager and location. The scenario uses Group Populator (included with MIIS 2003 SP1) and a SQL table for group definitions, and provides a basic ASP.NET Web UI that makes it easy for an administrator to establish computed groups based on manager, location, and other attributes.
• Contractor Account Provisioning: This scenario describes how to implement a provisioning workflow application using ASP.NET and MIIS 2003 SP1 that facilitates the creation and provisioning of contractor accounts within the heterogeneous Contoso environment.
This paper describes the approaches available for intranet single sign-on (SSO), access management, and platform and application integration. It also provides detailed implementation guidance for:
• Integrating UNIX workstations with Active Directory.
• Integrating SAP R/3 Application Server authentication using the Kerberos version 5 authentication protocol.
This paper describes the approaches available for extranet SSO, access management, and providing business-to-consumer (B2C), business-to-business (B2B), and business-to-employee (B2E) services. It also provides detailed implementation guidance for:
• B2E extranet Web access and SSO using X.509 certificates.
• B2C extranet Web access and SSO using Microsoft Passport.
Developing Identity-Aware ASP.NET Applications
This paper describes approaches for building Active Directory-integrated multi-tier Microsoft ASP.NET applications (for authentication, authorization, and security logging) plus detailed implementation guidance and ASP.NET code samples (in Microsoft Visual C#® and Microsoft Visual Basic® .NET) for:
• Intranet Web applications that use Windows-integrated authentication and Windows Authorization Manager.
• Extranet Web applications for B2B, B2C, and B2E scenarios using Windows authentication (including Forms-based authentication, X.509 certificates, and Microsoft Passport) and Windows Authorization Manager.
Microsoft Solutions for Security
This series is the latest guidance from Microsoft Solutions for Security (MSS), which also produced the Windows Server 2003 Security Guide and the Windows XP Security Guide. The Microsoft Identity and Access Management Series was prepared and tested on computers that were configured using these security guides.
Windows Server System Reference Architecture
This guidance includes lab-tested and proven architectural blueprints and implementation guidance. The Microsoft Identity and Access Management Series was prepared and tested in an environment that was based on Windows Server System Reference Architecture (WSSRA) guidance. For more information about WSSRA, see the Windows Server System Reference Architecture page on Microsoft.com.
Solution Guide for Windows Security and Directory Services for UNIX
The Solution Guide for Windows Security and Directory Services for UNIX provides guidance for enabling Microsoft Windows Server™ 2003 Active Directory, the Kerberos version 5 protocol, and LDAP services for authentication and authorization within heterogeneous Windows and UNIX environments.