Self-Service Identity and Access Management Solution (Easy ID)
Raju Bhan here, I am a PM on the Information Security Tools team
If you haven’t had a chance to go through my last blog about ensuring identity consistency, please check it out here since Easy ID is an extension of that.
Easy ID was created to make email addresses at Microsoft more customer friendly. Isn’t it easier to remember someone’s email address based on their name ( email@example.com ) than based on SAMAccountName ( firstname.lastname@example.org )?
The core components of Easy ID include the self-service Web site, the Easy ID application database that stores Easy ID e-mail addresses, management agents to connect to the identity stores, and custom business logic to implement the business rules.
Easy ID connects to SAP through the MIIS ERP management agent. The MIIS ERP management agent provides a security-enhanced, continuous, point-to-point connection between SAP and Active Directory, enabling the direct flow of identity information between the authoritative source and Active Directory.
Easy ID uses the MIIS ERP management agent to import the name-related attributes from SAP to the metaverse. The metaverse is the MIIS 2003 database. It stores the identity information aggregated from all connected data sources in a Microsoft SQL Server™ 2000 database, providing a single, global, integrated view of all objects.
From the metaverse, the attributes are pushed to the Easy ID application database. The Easy ID application database is a SQL Server 2000 database that acts as the back end for the self-service Web site. It stores attributes and Easy ID e-mail addresses, and it contains a subset of information that is in the metaverse. SAP, the Easy ID application database, and Active Directory are connected data sources that contain identity information to be integrated with MIIS 2003. The self-service Web site is the front-end user interface and sits on top of the Easy ID application database.
The following events occur when an employee visits the Easy ID self-service Web site and creates an Easy ID e-mail address:
1. The Easy ID application database updates the user record of that employee to include the Easy ID e-mail address.
2. MIIS 2003 detects that the user record was updated in the Easy ID application database and updates the corresponding user record in the metaverse.
3. MIIS 2003 modifies the user account attributes of the employee in Active Directory as follows:
· The Easy ID e-mail address becomes the primary Simple Mail Transfer Protocol (SMTP) proxy address in the proxyAddresses attribute.
· The alias-based e-mail address becomes the secondary SMTP proxy address in the proxyAddresses attribute.
· The Automatically update e-mail addresses based on recipient policy option is disabled. This action ensures that the primary SMTP proxy address in the proxyAddresses attribute is not overridden.
4. The user account attributes are replicated to Exchange Server. As a result, the employee can send and receive e-mail messages by using the Easy ID e-mail address while continuing to receive e-mail messages addressed to the alias-based e-mail address.
Figure 3 shows a detailed view of the data-flow process for Easy ID.
Figure 3. Data-flow process for Easy ID
MIIS 2003 uses management agents and synchronization rules to control attribute flow between the connected data sources and the metaverse. The team configured management agents to connect MIIS 2003 to the Easy ID application database, SAP, and Active Directory.
To implement the business rules that govern attribute flow, team extended each management agent by creating a rules extension to store custom business logic. Rules extensions are implemented within a Microsoft .NET Framework assembly that is saved as a dynamic-link library (.dll) file. To build the rules extensions, the team used Microsoft Visual C#® .NET 2003 and the Microsoft Visual Studio® .NET 2003 development system.
Figure 4 shows the basic architecture of Easy ID.
Figure 4. The basic architecture of Easy ID
The team configured the management agents to run in continuous, three-hour cycles. Easy ID therefore actively operates 24 hours a day, seven days a week, requiring only minimal administrative intervention.
The team deployed the MIIS component of Easy ID on a server running MIIS 2003 Enterprise Edition SP1, SQL Server 2000, and Microsoft Windows Server™ 2003 Enterprise Edition. The team developed the self-service Web site, which hosts the business rules that enforce how Easy ID manages e-mail addresses, as a Microsoft ASP.NET Web application. This Web application component of Easy ID was deployed on a separate server running Internet Information Services (IIS) version 6.0 and Windows Server 2003 Enterprise Edition.
Check out the source Microsoft IT Showcase: Empowering Users with Self-Service Identity and Access Management Solutions: An Overview of Easy ID for more details.