Extending MIIS 2003 Functionality

Microsoft Identity Integration Server (MIIS) 2003, Enterprise Edition is a lesser know member of the Windows Server System family. The third incarnation of the product formerly known as Microsoft Metadirectory Services (MMS), MIIS provides vital functions in today's security-conscious business world.

Identity information about users and network resources is typically scattered around the network in various applications and databases that aren't necessarily compatible with one another. MIIS provides a centralized service that consolidates all that information. The product synchronizes user account information, passwords, and other identity data across multiple directories and other data stores, making the information easy to manage and update across the enterprise and reducing the administrative overhead required to maintain multiple copies of information. MIIS also ensures that users have fast access to resources by eliminating denials of access that can result when identity information isn't promptly updated. And businesses can use MIIS to comply with industry-specific governmental regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLB Act), and the Sarbanes-Oxley Act, that mandate control of identity information.

MIIS in Brief
Here's how MIIS works. Software components called management agents or connectors connect data sources (e.g., databases, directories, flat files) to MIIS. The product implements these connections as a set of tables called a metaverse. MIIS contains a metadirectory, which consolidates all information about an object (i.e., a particular user or resource) into one entry. Each entry contains multiple attributes or pieces of information (e.g., a password, an employee number) for the object.

MIIS stores the metadirectory in a Microsoft SQL Server database. Administrators can access and update information from this central location. When one connected data source is changed, whether by an administrator, an end user, a program, or some other means, MIIS can automatically propagate the change to other connected data sources. MIIS resolves conflicts between information in different data sources based on rules that specify which data sources are authoritative for particular attributes.

Using MIIS
Implementing an identity-management infrastructure into an enterprise environment in which many disparate directories and databases are already in use is a complex undertaking. The process involves determining which attributes from each data source to include in the metaverse and which connected data sources to consider authoritative for particular attributes.

To help customers plan and implement their identity-management infrastructures, Microsoft teamed with PricewaterhouseCoopers to develop the Microsoft Identity and Access Management Solution. The Identity and Access Management Solution helps you design the Active Directory (AD) environment on which the centralized repository is based, assists in evaluating the cost effectiveness of different options, and guides you through the process of integrating MIIS into the organization. The Solution also discusses deployment and best practices with an eye toward ease of management, security, and lower total cost of ownership (TCO). To learn more about the Solution, see http://www.microsoft.com/technet/security/topics/identity/idmanage/default.mspx.

The first step in creating the identity-management infrastructure within an organization is to connect MIIS to all the data sources that hold identity information. These sources might include AD, the Windows NT user database, Novell Directory Services (NDS), email systems such as Microsoft Exchange Server and Lotus Notes, the underlying databases of management software products from companies such as PeopleSoft and SAP, databases such as SQL Server and Oracle 8i, and file-based sources such as comma-separated value (CSV) files and LDAP Data Interchange Format (LDIF) files. MIIS 2003, Enterprise Edition ships with many management agents that are designed to connect with data sources such as these.

Users who need to synchronize identity information and Exchange Server 2003 and Exchange Server 2000 Global Address Lists (GALs) only across multiple AD forests can use the Microsoft Identity Integration Feature Pack (IIFP) for Microsoft Windows Server Active Directory. The IIFP functions as a "lite" version of MIIS and includes a limited set of management agents for AD, Active Directory Application Mode (ADAM), and Exchange. You can obtain the free IIFP at http://www.microsoft.com/downloads/details.aspx?familyid=d9143610-c04d-41c4-b7ea-6f56819769d5&displaylang=en.

In addition to using Microsoft-supplied tools for implementing MIIS, administrators who have programming skills can create custom extensions to control the behavior of management agents and the metaverse. Unlike MMS, MIIS lets you use common scripting languages—specifically, Visual Basic .NET and C#—to create rule extensions. You can also use applications such as Windows Management Instrumentation (WMI) to manage MIIS. For example, you can use scripts that call WMI to schedule updates, start and stop management agents, check statistics, generate reports, and interface MIIS to third-party management consoles. You can use the WMI interface to start imports and exports of data and run queries against the MIIS metaverse.

Third-Party Extensions
Microsoft partners have developed a variety of products to interoperate with and extend MIIS in the enterprise. These products provide capabilities such as management console integration with MIIS, password management, cross-platform integration, and scalability. Table 1 lists the add-ons that I mention in this article.

Management-console integration.
Management consoles such as Microsoft Operations Manager (MOM), HP OpenView, and the IBM Tivoli Enterprise Console let you monitor and manage multiple servers and applications from one console view. Interfacing MIIS with your management console lets you use the familiar console interface to access MIIS information. For example, the MIIS 2003 Management Pack module lets you use MOM to monitor identity integration scenarios. OpenView and Tivoli Enterprise Console interface with MIIS through WMI to let you track and manage MIIS events within the big picture of the entire network. You can also configure many management consoles to automatically respond to events and notify administrators of events.

Password management.
Dealing with multiple passwords and password-associated problems costs businesses money and presents security risks. For security reasons, passwords are usually stored in hashed form. Because different systems use different hashing algorithms, the MIIS metadirectory can't synchronize password attributes directly.

Products such as M-Tech Information Technology's P-Synch can extend the MIIS metadirectory's functionality to include password-attribute management. P-Synch changes all a user's passwords to the same new value. The MIIS metadirectory can then generate new logon IDs and send passwords to users through email without creating a security risk.

Cross-platform integration.
Many companies have diverse networks that include platforms that MIIS doesn't support, such as mainframes or IBM WebSphere. Third-party solutions, such as OpenNetwork Technologies' Universal Identity Platform (Universal IdP) and Oblix COREid, let you use the MIIS identity infrastructure for identity management with non-Microsoft environments.

Universal IdP provides Web-based single sign-on (SSO). You can choose between a Microsoft .NET and Java-based version of Universal IdP—both versions provide role-based delegated administration of internal and external user accounts, identity profiles, and security and workflow policies across various platforms. The Universal Identity Manager (Universal IM) feature fills in some areas in which MIIS is weak, such as Web-based self-service. You can also use Universal IM for Web-based remote administration of MIIS, AD, and other Windows Server System products, such as Exchange.

Other third-party add-ons are task-specific. For example, Avatier's Account Terminator integrates with MIIS and provides a Web-based interface for enabling, disabling, and deleting user accounts across multiple platforms.

Enterprise-level scalability.
Microsoft's identity products—MIIS, AD, and ADAM—do a good job of providing identity management at the attribute level. These products propagate selected attributes or pieces of information, such as a user's email address or Social Security number, across multiple directories and ensure that the information is accurate based on the authoritative data source for that attribute. Third-party products such as Universal IdP and COREid extend this functionality by improving security and access control and providing easier centralized administration for enterprise implementations.

COREid extends MIIS by providing better scalability to large enterprise environments and high-volume extranets. The product, which includes real-time auditing and reporting, Web-based self service, and SSO, provides tight control over identity administration and provisioning through business rules that you can apply to internal and external users. COREid works directly with the MIIS metaverse to provision MIIS actively (rather than indirectly through AD), so you don't need to extend the AD schema to create permissions or settings for specific resources.

Oblix SHAREid is a standalone multiprotocol identity server that you can securely integrate with other trusted systems. You can use SHAREid in conjunction with COREid and the MIIS identity-management infrastructure to build an end-to-end system that lets MIIS provide identity management and user access across different organizations for business-to-business applications. Thus, you can give business partners, suppliers, and customers an SSO experience through a friendly Web interface.

Confronting Challenges
The evolution of MMS products into MIIS signals Redmond's intent to get serious about identity management. However, challenges remain in the pursuit of a cross-platform, enterprisewide solution to identity-related problems. Third-party products can meet some of these challenges by working with MIIS to extend its management capabilities, security, and ability to control identities for internal and external users across Microsoft and non-Microsoft platforms. You can download a 180-day evaluation copy of MIIS 2003, Enterprise Edition at http://www.microsoft.com/downloads/details.aspx?familyid=e2cf0ece-9f0d-4d73-bdd7-a32091ab3f30&displaylang=en.