The document discusses Microsoft's Identity and Access Management solutions. It describes challenges with current systems that require time-intensive password resets and separate identities for different applications. The solutions proposed integrate on-premises and cloud-based applications, simplify management through automation and self-service, and provide secure access from any device through single sign-on. Features include direct access for remote users, active directory federation services for partner organizations, and Forefront Identity Manager for automated user lifecycle management.

1. Identity and Access ManagementBusiness Ready Security SolutionsRune Lystadrunel@microsoft.comEnterprise Solution Manager

2. Multiple identities and limited sign-on helpPassword reset and access requests handled through help deskDifferent sign–on requirements for applications ON-PREMISESCONTOSOContoso managing Fabrikam accountsSeparate Remote access solution w/ separate identitiesEMPLOYEES (REMOTE)PARTNERSFabrikamFabrikam managing Contoso accountsCurrent SituationTime and labor intensive process

3. Enable more secure, identity-based access to applications on-premises and in the cloud from virtually any location or devicePROTECT everywhereACCESS anywhereINTEGRATE andEXTEND securitySIMPLIFY security,MANAGE complianceProvide more secure, always-on access

4. Enable access from virtually any device

5. Extend powerful self-service capabilities to users

6. Automate and simplify management tasks

7. Control access across organizations

8. Provide standards-based interoperabilityIdentity and Access Management Strategy

9. Business Ready Security SolutionsSecure MessagingSecure EndpointSecure CollaborationInformation ProtectionIdentity and Access Management

10. Secure MessagingSecure EndpointSecure CollaborationInformation ProtectionIdentity and Access ManagementActive Directory®Federation ServicesBusiness Ready Security Solutions

11. PROTECT Everywhere,ACCESS Anywhere

12. Provides seamless, always-on, secure connectivity to on-premises and remote users

13. Eliminates the need to connect explicitly to corporate network while remote

14. Facilitates more secure, end-to-end communication and collaboration

15. Uses a policy-based network access approach

16. Enables IT to easily service, secure, update, and provision mobile machines, whether they are inside or outside the networkIntranetInternetCorporate ResourcesDirectAccess ClientDirectAccess ServerInternal trafficInternet ServersInternet trafficWindows DirectAccess

17. DirectAccess in Windows 7IPv4 DevicesIPv6 DevicesIT desktop managementNative IPv6 with IPSecAD Group Policy, NAP, software updatesIPv6 Transition ServicesInternetWinSrv 2008R2 DirectAccessRoleSupports variety of remote network protocolsWindows 7 Client

18. INTEGRATE and EXTEND security

19. Shared identity with partner organizations and cloud services

20. Boost cross-organizational efficiency and communication with more secure access

21. Support the sharing of rights-protected messages between organizationsFirma AAccount ForestFirma BResource ForestFederationTrustBusiness PartnersToken and claimsAuthenticationApplication AccessPost claimsAD FSAD FSAD RMSAD DSAD DSRedirect to Security Token Service (STS)SharePoint Server FarmUser Account/CredentialsSecurity TokenActive Directory Federation Services

22. Cloud ServicesImplements a single user access model with native single sign on (SSO) and easier federation to on-premise and cloud services

23. Helps provide consistent security with a single user access model externalized from applicationsSecurity Token(e.g., Kerberos Ticket)Corporate UserAD FSExchangeSharePointWeb AppClaims-AwareApplicationAD DSAD FS creates SAML token

24. Signs it with company’s private key

25. Sends it back to the user

26. Access supplied with the tokenPartnerSingle Sign On with Extended Collaboration

27. SIMPLIFY security,MANAGE compliance

28. Identity Lifecycle ManagementCreateProvision userProvision credentialsProvision resourcesHelp Desk“Lost” Credentials

29. Password Reset

30. New EntitlementsRetirePolicy ManagementDe-provision identitiesRevoke credentialsDe-provision resourcesPolicy enforcementApprovals and notificationsAudit trailsChangeRole changesPhone # or titlechangePassword and PIN resetResource requests

31. Forefront Identity Manager in ActionDatabasesSelf-Service integrationLOB ApplicationsWindowsLog OnFIM PortalPolicy ManagementCredential ManagementUser Management Group ManagementCustomISV PartnerSolutionsIT DepartmentsDirectories

32. Policy-based identity lifecycle management system

33. Built-in workflow for identity management

34. Automatically synchronize all user information to different directories across the enterprise

35. Automates the process of on-boarding usersActiveDirectoryLotusDominoWorkflowUser Enrollment LDAPFIMSQLServerHR SystemApprovalOracle DBManagerFIM CMUser provisioned on all allowed systemsIdentity ManagementUser provisioning

36. Automated user de-provisioning

37. Built-in workflow for identity management

38. Real-time de-provisioning from all systems to prevent unauthorized access and information leakageIdentity ManagementUser de-provisioningActiveDirectoryLotusDominoWorkflowUser de-provisioned LDAPFIMSQLServerHR SystemOracle DBFIM CMUser de-provisioned or disabled on all systems

39. Self Service Group ManagementSelf-service group and distribution list management with the FIM 2010 Web portal

40. Office integration allows users to manage group membership from within Microsoft Office Outlook® for maximum productivity

41. Enables users to use Outlook to manage approvals while they are offline

42. Automatically add users to either group based on their employee type at the time they are provisioned to Active Directory

43. Group and distribution list management, including dynamic membership calculation in these groups and distribution lists based on user’s attributesAdd-in for OfficeSharePoint-Based Management Console

44. Self-Service Password ManagementEnables users to reset their own passwords through both Windows logon and FIM password reset portal

45. Controls helpdesk costs by enabling end users to manage certain parts of their own identities

46. Improves security and compliance with minimal errors while managing multiple identities and passwordsActiveDirectoryUser requests password resetOracleFIM ServerPasswords updatesSQLServerNotesEnd UserLDAPReset PasswordFIM capabilities integrated with Windows logon

47. Randomly selects a number of questionsEnable more secure, identity-based access to applications on-premises and in the cloud from virtually any location or devicePROTECT everywhere,ACCESS anywhereINTEGRATE andEXTEND securitySIMPLIFY security,MANAGE complianceProvide more secure, always-on access

48. Enable access from virtually any device

49. Extend powerful self-service capabilities to users

50. Automate and simplify management tasks

51. Control access across organizations

52. Provide standards-based interoperabilityLearn more at www.microsoft.com/forefrontSummary

53. © 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.