My TEC 2010 Highlights

At TEC you really can learn from the best. Some of the speakers may not be the most polished, but at least you know they’re talking from a position of genuine experience. My top three sessions this year were the ones where I felt I learnt the most.

Brian Kormar’s PKI session

PKI and cert services is something I’ve had to figure out to a certain extent, as it pops up as part of every project I do these days. I’ve done the Windows 2008 AD Configuration exam, which supposedly covers cert services but actually sticks to a pretty simplistic line based on what you can do in the GUI. I had definite gaps in my knowledge around policy files, and what all those % symbols meant in the config batch files you sometimes see. Brian filled some of that in for me, as well as driving home the need for protection, recoverability and audit compliance - topics I would have ignored in the past, expecting whoever “the security guy” was to pick them up, but which I may well make enquiries about in the future.

Jack Kabat’s FIM session on “modelling entitlements”

This was the FIM session in which I learnt the most. I was aware of the new “Transition In” and “Transition Out” MPRs, but hadn’t thought through the implications. I had several penny-drop moments in this session, including:

  • Request MPRs should typically trigger only AuthN and AuthZ workflows. The request part is all about asking for something – object creation, object change, object deletion. So it makes sense that the key MPR tasks are “is the requestor who they say they are?”, “do they have the rights?”, “is extra authorization needed?”.
  • Transition MPRs can only run Action workflows. Transitions occur at the point an object changes from one state to another – e.g., the person was in the “HR Users” set, and now they are not. Transition MPRs are concerned with the processes that should run at this point of change, such as group membership or provisioning changes.

I really like this way of handling MPRs. In the RC releases, which only had one type of MPR, I ran into a few problems by tying what should happen to who had asked for it. For example, when a normal user requested a new account the workflows would run, but when the Administrator created the account a different MPR applied and the workflows did not run. I had definite concerns about the confusion this could cause, so I am glad the actions have now been decoupled from the requestor and have in fact been made more state-based. Hmmm…

Some questions from Jeremy Palanchar did make me think that this is still a very black and white way of looking at status, and that there could be plenty of requirements for a temporal addition to this model: for example, “People who joined this set within the last 6 hours”, used for checking whether their new entitlements were actually added in that time, or “People who left that set over 1 month ago”, which could be used for delaying group membership changes. However, it is certainly a step in the right direction.

Jackson Shaw’s session on SSO protocols / Pam Dingle’s session on Claims

For my third top session I’m actually choosing two – because together they made me understand something about network authentication and authorization protocols, and why they are important.

I’ve always thought about SSO pretty much in terms of user convenience, and if anyone asked me about it I’d say “I can give you password sync with ILM” and “there’s something called Federation, but your applications have to support it”.

So now it’s starting to dawn on me that all this re-entering of passwords (even if they are the same one – in fact, in some cases especially if it’s the same one) can reduce the security of your network and your data. Far better to authenticate once, locally, and have the rest of the story handled by tokens that are passed around and exchanged in a secure manner. Between the user and their applications there may be an increasing number of breakpoints where the session is handed off to a different system, or a new session is started on behalf of the user. Clearly, as applications move into the cloud, part of the connection may cross the internet. Technologies and standards now exist to support converting tokens and proxying sessions, so you had better make sure your applications support them!

And finally…

This was a lot of fun too.