RE: [ActiveDir] Identity Management using AD

[Jackson Shaw]

Title: Message

Yes, this has been in the works for some time – to say the least. Glad the release is out and we are just about finished here at the Catalyst conference where we showed off our IdM products in our suite last night to a great reception by attendees. I wasn’t at that specific meeting – I think I was meeting w/Gartner in Connecticut then…   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Thursday, July 10, 2003 4:17 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Identity Management using AD   You're that sure, are you Jackson?  ;-)   I had this really interesting discussion with Kim, Chuck (Director of AD??) a number of developers and Program and Product Mgrs. in February at the MVP Summit.  I'm absolutely floored that you folks moved that fast on the Identity Management, given the discussions that we had.  Obviously, this has been in the works for some time for MMS to morph.   I can't say that I remember - were you there for that meeting (about 12 Server MVP's and about 10 MS folks packed into a conference room)? Rick Kingslan  MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone     From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jackson Shaw Sent: Thursday, July 10, 2003 1:32 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Identity Management using AD We’re going to make the MV writeable…. J   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT) Sent: Thursday, July 10, 2003 10:26 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Identity Management using AD   Meaning being able to make changes in the metaview to replicate out....   It has not been decided.   Todd -----Original Message----- From: Jackson Shaw [mailto:[EMAIL PROTECTED] Sent: Wednesday, July 09, 2003 8:18 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Identity Management using AD We're going to make the MV writeable...   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT) Sent: Tuesday, July 08, 2003 7:12 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Identity Management using AD   We are in the process of evaluating MIIS here, and AD is currently our source for authentication information, for Enterprise application, we are using a custom database running on Critical Path to sync with other application directories, and get a metaview of the information for identity management.  Currently no one allows the metaview write access anywhere.   I hope our testing and subsequent deployment will allow for a more standardized approach like what was described below.   To build on what Gil wrote,  The reason why SQL server was used to store identity information, was probably because it was a metaview of all the relevant data needed to construct an employee including privacy information.  Active Directory doesn't need access to privacy information (SSN#, DOB, etc) nor do many LDAP applications.  The nice thing about MIIS, is that it can create that metaview for you and store it in a SQL server.  So if your privacy information is only stored in the HR system, and Payroll, Then you can set ACL's on the info so only those systems get that info.   If you are getting into directories for both network access and Enterprise Resource and Application use, I suggest subscribing to the Burton Group papers on Enterprise directory, and constructing your architecture based on some of their principals.  Now if we could only find a group willing to figure out the Laws of directories we would be golden... Maybe Murphy is already doing them.   Todd -----Original Message----- From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED] Sent: Monday, July 07, 2003 5:30 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Identity Management using AD MSFT internally uses SQL Server as the authoritative store for identity information, and populates AD from that. -----Original Message----- From: Glenn Corbett [mailto:[EMAIL PROTECTED] Sent: Thursday, July 03, 2003 7:00 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Identity Management using AD All,   We are in the process of redefining our Internet-enabled applications with a view to a centralised customer/client database.  There has been quite a bit of discussion regarding using AD as this "customer store", since AD will already be in this environment.   I'm a bit hesitant to recommend "vanilla" AD for this task, however I can see a number of benefits to this approach, as the support monkeys can manage the entire environment using the same tools they use to manage the production environment (ADUC etc).   I've been reading up on the information regarding MIIS (what little there is), and can see some potential for a configuration such as this, eg:   - Use AD to store the "core" customer information (user name, password, basic details) - Use ADAM or SQL (or whatever) for each application to store application specific extensions (so I don't end up with a blown out schema in AD with thousands of additional props for user objects) - Use MIIS as the Authentication / Identity management front end, and use it to sync these disparate databases to ensure some semblance of "sameness" between them. - Also use some of the MIIS features such as provisioning etc to ease the management overhead.   Applications could use AD to authenticate the customer coming in, and then use their ADAM database to house the application specific information they need.   We could possibly then use MIIS to "backchannel" into the production AD system, so that corporate users can gain access to these Internet applications without requiring multiple accounts.   This is all just brainstorming at the moment, however (as usual), I need to come up with some sort of design by next week (gotta love being given lots of time *grin*).  Having not actually got my hands on MIIS, this could be completely unfeasible.  Other options are a custom database for the "customer store", or some other existing product.   Has anyone been down this road before, and could share some insights / resources ?   Thanks   Glenn