Intro to the Identity Experience Engine (IEE) - EEMA
Page 1
Intro to the Identity Experience Engine
Kim Cameron, Microsoft Architect of Identity
ISSE Paris, November 2016
Page 2
Intro to the Identity Experience Engine (IEE)
• Withering away of the enterprise domain boundary means identity tech must evolve
  • From: the app-to-domain federation model
  • To: the app-to-world federation model
• Different app users will “bring their own identities” of differing believability
• Loss of the domain-era single truth means apps need an engine that can orchestrate user experiences to:
  • Take advantage of identity providers
  • Augment claims by picking them up from specialized “claims providers”
  • Assemble, mash and arbitrate claims to deliver a claimset the app can “act on”
  • Apply authorization policies based on the claims
  • Invoke additional processes and workflows to strengthen confidence and relationships
Page 3
Identity Experience Engine (IEE)
• Architecturally, the IEE is a new piece that operates on behalf of the app
• IEE does not replace IdPs but rather allows apps to live in a multi-IdP world
• The IEE requirement applies to B2E, B2C, G2C, B2B, and IOT.
Diagram labels: Application; Identity Provider; Information source; Workflow; Claims Provider.
IEE exposes the underlying technology used in the Azure B2C product now in GA – we have been collaborating for 4 years with select customers to define the general purpose engine which we previously referred to using the codename “CPIM”
Page 4
Handling the big shift towards B2B and B2C
• "IDaaS for Customers and Citizens"
  • It’s about providing all IAM functions an application needs to handle a customer/citizen audience
• "IDaaS for Partners & Supply Chain"
  • It’s about providing all IAM functions an application needs to handle their partners and supply chain
• Combining the two capabilities makes it possible to adequately sustain multisided platform (MSP) initiatives
Page 5
IEE adds a “User-Driven” Identity Lifecycle Model
• Administrator Managed
  • Identities are created, updated and deleted by administrators through the identity management portal.
  • Administrative actions are constrained by OIM governance policies
• Federation Managed
  • Identities are created and deleted in one or more external systems such as on-premises AD or HR systems. The identities are then synchronized into the cloud using AAD Connect or Microsoft Identity Manager – and thereafter remain in sync.
• User Driven
  • People create and manage aspects of their identities – and request entitlements – through User Journeys based on policy
  • Users in approval roles approve new identities, attribute changes and entitlements through portals or IES User Journeys implementing policy
• Externally Provisioned
  • Systems create and manage OIM identities using the Microsoft Graph or the SCIM protocol
  • Provides integration with 3rd party governance systems like Sailpoint
  • OIM can also provision into external systems based on its provisioning policies
The Models Compose
11/18/2016 Microsoft Confidential 5
Page 6
How we are factoring IEE in AAD
Diagram labels: IEE Policy Based User Experience (Registration, Authentication, Authorization, Self-Service); Graph: Tenant Partition (People Nodes, Edges (Relationships), Policy Nodes, Device Nodes, App Nodes), Authorization, Default Auth Experience, Graph REST, Management, Security, Reports, Audit; Portals; Apps; People.
Page 7
Dimensions of IEE User Journeys
Diagram labels: Trust Framework Policy; Interactive Experiences; Claims Exchanges; Persistence; Claims-driven Logic; Inheritance and refinement; Security; Communities of Interest (reuse); Reliability.
Page 8
IEE Journeys help companies create and enhance relationships with customers, partners and employees. And in government, IEE Journeys can empower citizen identity.
By way of example, here are some IEE Journeys created by a national government, as experienced by the citizen (i.e. the interactive dimension).
Page 9
One of the eGov applications
Page 10
Consent
Page 11
Self Asserted With Email Verification
Page 12
Self Asserted Unverified
Page 13
Self Asserted With Phone Verification
Page 14
Digital Id created and returned
Page 15
Registration is one journey amongst several through which citizens manage their own identities and interact with government departments
Diagram labels: Register; Login; Login SMS; Manage; Verify.
The Government Trust Framework is implemented through a set of User Journeys shared by Government applications
Page 16
The Claims Exchange Backend Dimension (Claims Exchanges)
Diagram of the registration journey’s backend steps: Consent Recording; User provides name etc; Search for User with the same email (Azure AD Store); User Provides Email → Email validation Module; User Provides Phone → Phone Factor validation Module; Create the citizen record (Azure AD Store).
Page 17
The Developer Dimension: Simplicity, Safety
https://login.microsoftonline.com/tenant.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1A_Registration&client_Id=6b5474c4-0f28-4b10-b7ad-69dee3ab0380&nonce=defaultNonce&redirect_uri=http%3A%2F%2Flocalhost%2F&scope=openid&response_type=id_token&prompt=login
One line OAuth2 or SAML redirect
Response: JSON dictionary containing the user’s claims
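An added example, not from the deck, showing the developer dimension in Python: the one-line redirect is built from the slide’s endpoint, policy parameter `p`, client id and redirect URI, but with a per-request nonce and state in place of the slide’s placeholder `defaultNonce`, and the returned claims dictionary is checked before the app acts on it. The issuer string is an assumption (a placeholder), and the id_token signature is assumed to have been verified against the tenant’s published signing keys before these claim checks run.

```python
import hmac
import secrets
import time
from urllib.parse import urlencode

# Endpoint, policy, client id and redirect URI are the values shown on the slide.
AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/tenant.onmicrosoft.com/oauth2/v2.0/authorize"
POLICY = "B2C_1A_Registration"
CLIENT_ID = "6b5474c4-0f28-4b10-b7ad-69dee3ab0380"
REDIRECT_URI = "http://localhost/"


def new_request_secrets():
    """Fresh single-use nonce and state, stored in the user's session before the redirect.
    They replace the slide's placeholder 'defaultNonce', which a real app must never send."""
    return secrets.token_urlsafe(32), secrets.token_urlsafe(32)


def build_authorize_url(nonce, state, policy=POLICY):
    """The 'one line' redirect: a standard OIDC implicit request plus the policy parameter 'p'."""
    params = {
        "p": policy,
        "client_id": CLIENT_ID,
        "nonce": nonce,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "response_type": "id_token",
        "prompt": "login",
        "state": state,  # echoed back by the service; the app compares it with its session copy
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def validate_id_token_claims(claims, expected_nonce, expected_issuer, now=None):
    """Checks the app makes on the decoded id_token payload (the 'JSON dictionary of claims')
    after the token signature has been verified against the tenant's published signing keys.
    Returns the names of the failed checks; an empty list means the claims may be acted on."""
    now = time.time() if now is None else now
    failures = []
    if claims.get("iss") != expected_issuer:   # token must come from the expected tenant/policy issuer
        failures.append("iss")
    if claims.get("aud") != CLIENT_ID:          # token must be minted for this application
        failures.append("aud")
    nonce = claims.get("nonce")                 # binds the token to the redirect this app started
    if not isinstance(nonce, str) or not hmac.compare_digest(nonce, expected_nonce):
        failures.append("nonce")
    exp = claims.get("exp")                     # reject expired or malformed expiry
    if not isinstance(exp, (int, float)) or exp <= now:
        failures.append("exp")
    return failures
```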
Page 18
Security and Reliability
• The Application does one “redirect” to AAD and everything else materializes through the service
• Professionalizes security and privacy protection
  • Applications control visuals, IEE provides security and privacy
  • Example: badly written applications cannot create CORS or JavaScript attack vectors that endanger the authorization/authentication system, as is normally possible
• Provides 24/7 operational guarantees with multi-site redundancy and JIT scaleout
Dimensions: Persistence; Security; Reliability.
Page 19
Other User Journeys in the Government Trust Framework
Page 20
Page 21
Self Asserted With Claims Exchange
Page 22
Optionally up-level with phone
Page 23
And more User Journeys
Page 24
Based on Trust Frameworks
• Benefits of Trust Framework
  • Show how Trust Frameworks support communities of interest like a government
• Claims driven logic
  • Inheritance and refinement, like the journeys shown here
Dimensions: Claims-driven Logic; Inheritance and refinement; Communities of Interest.
Page 25
JIT Up-levelling Registration
Page 26
Linking to Govt Claims Provider
Page 27
IdP Asserted With Phone Verification
Page 28
In-Person linked to digital Id
Page 29
The Claims Exchange Backend Dimension (Claims Exchanges)
Diagram of the in-person linking journey’s backend steps: Username / Password (AAD Local IdP); Enter card id from in-person meeting; Retrieve custom claims using the object Id (Azure AD Store); Link Digital Id to Gov Id; Mark citizen record as verified (Azure AD Store).
Page 30
Flexibility in Persistence and Claims Sourcing
• Persistence
  • Reads from and writes to any store that supports REST or identity protocols
  • Different attribute sets can live on different stores and be combined
  • Satisfies compliance requirements
• Example:
  • Roles in an existing roles store
  • Different stores in different GEOs
  • PII or Secret claims
Dimensions: Persistence; Claims-driven Logic; Inheritance and refinement.
Page 31
Works using Standard Protocols
Diagram: Domain-era federation: Application ↔ Identity Provider. Cloud-era federation: Application ↔ Identity Experience Engine (Trust Framework Policies) ↔ Identity Providers, Claims Providers, Restful Services.
• Cloud-era federation
• Domain-era federation
(Same protocols with the addition of a “policy” parameter)
Page 32
Endless examples of uses
Diagram labels (in the order extracted): Within Microsoft; MSA; Azure AD; IEE; Federal Apps; City A Police; City B Police; Federal Department; IEE; Skype IEE; National Intelligence; … 70 other forces; Multi-National Company; European Employees; US Employees; Home Office; IEE; Social Networks; National ID Systems; MSA; Aadhar; Other Verified IDs.