Forefront Identity Manager 2010

Forefront Identity Manager 2010 Technical Overview Daniel Kaufmann (Microsoft Schweiz) Dominik Zemp (Microsoft Schweiz)

Agenda
- Identity and Access Management: Business Needs and IT Challenges; Business Ready Security; Microsoft Identity and Access Management Solution
- FIM Overview and Architecture
- FIM Features: User Management; Group Management; Password Reset; Policy Management incl. workflow; Extensibility; CLM
- Benefits of FIM

Identity and Access: Business Needs and IT Challenges

Business needs (agility and flexibility):
- Provide secure access to applications from anywhere
- Simplify user experience for collaboration
- Provide seamless movement between applications
- Reduce cost of account management

IT needs (control):
- Multiple locations and devices
- Difficulty in extending business resources
- Disparate systems to manage
- Complex account lifecycle management

Business Ready Security Solutions
- Secure Messaging
- Secure Collaboration
- Secure Endpoint
- Information Protection
- Identity and Access Management

Simplify Identity Management: Governed Self-Service and Automation

Empower Business
- Self-service profile, credential, and group management
- Password and PIN reset from Windows login
- Group management from within Microsoft Office
- Single identity across heterogeneous applications

Empower IT
- End-to-end, workflow-driven user provisioning
- Policy-controlled self-service capabilities
- Automatic, attribute-based group membership for simplified resource access

(Pillars shown: Identity Management, Credential Management, Group Management)

"If you wanted to access a file share in your network, previously you might have had to call your service desk and get approval. Now it is all workflow based. You go to a portal. There is no manual labor." - Brian Desmond, Microsoft MVP

Identity Management tasks
- Provisioning
- Deprovisioning
- Synchronization
- Self-Service Profile Management
- Self-Service Group Management
- Self-Service Password Management
- Certificate and Smart Card Management

Identity Management: User provisioning
- Policy-based identity lifecycle management system
- Built-in workflow for identity management
- Automatically synchronize all user information to different directories across the enterprise
- Automates the process of on-boarding users

Diagram: user enrollment in the HR System triggers a FIM workflow (manager approval); once approved, the user is provisioned on all allowed systems: Active Directory, Lotus Domino, LDAP, SQL Server, Oracle DB and FIM CM.

Identity Management: User de-provisioning
- Automated user de-provisioning
- Built-in workflow for identity management
- Real-time de-provisioning from all systems to prevent unauthorized access and information leakage

Diagram: the user is de-provisioned in the HR System; the FIM workflow then de-provisions or disables the user on all systems: Active Directory, Lotus Domino, LDAP, SQL Server, Oracle DB and FIM CM.

Identity Synchronization and Consistency: Identity synchronization across multiple directories (Identity Data Aggregation)

Attribute ownership (the connected system that is authoritative for each attribute):

Attribute    Owner
FirstName    HR System
LastName     HR System
EmployeeID   HR System
Title        SQL Server DB
E-Mail       Active Directory / Exchange
Telephone    LDAP

Values held by each connected system before synchronization:

Attribute    HR System   SQL Server DB   Active Directory/Exchange   LDAP
givenName    Samantha    Samara          Sam                         Sammy
sn           Dearing     Darling         Dearing                     Dearling
title        -           Coordinator     Intern                      -
mail         -           -               someone@example.com         -
employeeID   007         007             007                         008
telephone    -           -               -                           555-0129

Aggregated identity in FIM (each attribute taken from its owner):
givenName Samantha, sn Dearing, title Coordinator, mail someone@example.com, employeeID 007, telephone 555-0129

Identity Synchronization and Consistency: Identity consistency across multiple directories (Identity Data Brokering / Convergence)

Attribute ownership as on the previous slide: FirstName, LastName and EmployeeID are owned by the HR System; Title by the SQL Server DB; E-Mail by Active Directory / Exchange; Telephone by LDAP.

FIM flows the converged record (givenName Samantha, sn Dearing, title Coordinator, mail someone@example.com, employeeID 007, telephone 555-0129) back out to every connected system. Values that disagree with the owner's value are flagged as "Incorrect or Missing Information" and overwritten: the givenName values Samara (SQL Server DB), Sam (Active Directory / Exchange) and Sammy (LDAP), and the stray "Bob" in the diagram, all become Samantha; Darling and Dearling become Dearing; the Active Directory title Intern becomes Coordinator; the LDAP employeeID 008 becomes 007; and the missing mail and telephone values are filled in on every system.
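The two synchronization slides above describe attribute ownership and convergence in prose and pictures. The following is an added example written for this page, not FIM's own sync engine code: a toy model in which every metaverse attribute has a ranked list of connected systems (the owner first), the first system holding a value wins, and the converged record is then exported to each system whose copy differs. The records are constructed from the Samantha Dearing slides; the fallback order behind each owner, and the fact that the four records are already joined to one metaverse object, are assumptions of the example.

```python
"""Toy model of FIM-style attribute ownership and convergence.

Added example for this page, not Microsoft's FIM sync engine. Each
metaverse attribute has a ranked list of connected systems that may
supply it (attribute precedence); the highest-ranked system that holds
a value wins, and the converged record is then exported to every
system whose copy differs. Records are constructed from the Samantha
Dearing slide; the fallback order behind each owner is an assumption.
"""
from typing import Dict, List, Optional, Tuple

Record = Dict[str, Optional[str]]
Change = Tuple[str, Optional[str], str]   # (attribute, old value, new value)

HR, SQL, AD, LDAP = "HR System", "SQL Server DB", "Active Directory/Exchange", "LDAP"

# Attribute ownership from the slide; index 0 is the owner, the rest is an
# assumed fallback order used only when the owner holds no value.
PRECEDENCE: Dict[str, List[str]] = {
    "givenName":  [HR, AD, SQL, LDAP],
    "sn":         [HR, AD, SQL, LDAP],
    "employeeID": [HR, AD, SQL, LDAP],
    "title":      [SQL, HR, AD, LDAP],
    "mail":       [AD, HR, SQL, LDAP],
    "telephone":  [LDAP, HR, SQL, AD],
}

# Constructed connector-space records, already joined to one metaverse
# object (the join rule itself is outside this example).
CONNECTED: Dict[str, Record] = {
    HR:   {"givenName": "Samantha", "sn": "Dearing", "employeeID": "007"},
    SQL:  {"givenName": "Samara", "sn": "Darling", "title": "Coordinator", "employeeID": "007"},
    AD:   {"givenName": "Sam", "sn": "Dearing", "title": "Intern",
           "mail": "someone@example.com", "employeeID": "007"},
    LDAP: {"givenName": "Sammy", "sn": "Dearling", "employeeID": "008", "telephone": "555-0129"},
}


def converge(connected: Dict[str, Record], precedence: Dict[str, List[str]]) -> Dict[str, str]:
    """Build the metaverse record: first non-empty value in precedence order."""
    metaverse: Dict[str, str] = {}
    for attr, ranked in precedence.items():
        for system in ranked:
            value = connected.get(system, {}).get(attr)
            if value:                      # None/"" means "not authoritative here, keep looking"
                metaverse[attr] = value
                break
    return metaverse


def export_changes(metaverse: Dict[str, str], connected: Dict[str, Record]) -> Dict[str, List[Change]]:
    """Per connected system, the attribute writes needed to make it consistent."""
    changes: Dict[str, List[Change]] = {}
    for system, record in connected.items():
        diffs = [(a, record.get(a), v) for a, v in metaverse.items() if record.get(a) != v]
        if diffs:
            changes[system] = diffs
    return changes


if __name__ == "__main__":
    mv = converge(CONNECTED, PRECEDENCE)
    print("metaverse:", mv)
    for system, diffs in export_changes(mv, CONNECTED).items():
        for attr, old, new in diffs:
            print(f"{system:28} {attr:11} {old!r:22} -> {new!r}")
```

Running it reproduces the slide: the metaverse record is Samantha / Dearing / Coordinator / someone@example.com / 007 / 555-0129, and the export list shows the LDAP employeeID 008 and the AD title Intern among the values that get overwritten. Note the security-relevant design point the model makes explicit: precedence decides which system is trusted for which attribute, so a writable connected system that is not the owner cannot push a changed value (say, a mail address) into the other systems.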

Evolution of Identity Manager

Common platform: Workflow, Connectors, Logging, Web Service API, Synchronization
Feature areas: User Management, Group Management, Credential Management, Policy Management

Capabilities added over the releases: Identity Synchronization; User Provisioning; Certificate and Smartcard Management; Office Integration for Self-Service; Support for 3rd Party CAs; Declarative Provisioning; Group & DL Management; Workflow and Policy

Key Pillars of Forefront Identity Manager

Policy Management
- SharePoint-based console for policy authoring, enforcement and auditing
- Extensible WS-* APIs and Windows Workflow Foundation workflows
- Heterogeneous identity synchronization and consistency

Credential Management
- Heterogeneous certificate management with 3rd party CAs
- Management of multiple credential types
- Self-service password reset integrated with Windows logon

User Management
- Integrated provisioning of identities, credentials, and resources
- Automated, codeless user provisioning and de-provisioning
- Self-service profile management

Group Management
- Rich Office-based self-service group management tools
- Offline approvals through Office
- Automated group and distribution list updates

FIM 2010 Architecture

User Demo

SharePoint-Based Management Console: Group Management
- Self-service group and distribution list management with the FIM 2010 Web portal
- Office integration allows users to manage group membership from within Microsoft Office Outlook for maximum productivity
- Automatically add users to either group based on their employee type at the time they are provisioned to Active Directory
- Group and distribution list management, including dynamic membership calculation in these groups and distribution lists based on users' attributes

Shown: FIM Add-in for Outlook; SharePoint-based management console

Group Management
- Purpose: Distribution; Security
- Membership: Manual (owners adding/removing members, or users requesting membership subject to an approval policy); Manager; Criteria-based
- Scope: Universal; Global; Domain Local
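The provisioning and de-provisioning slides earlier and the group management slides above both rest on the same FIM mechanism: a Set is a filter over object attributes, a Management Policy Rule runs a workflow when an object transitions into or out of a Set, and a criteria-based group is membership computed from such a filter. The following is an added example written for this page, not FIM's own code or API: a toy policy engine in which a joiner transitioning into the "Active Employees" set is provisioned to the connected systems named on the provisioning slide after an approval gate, a leaver transitioning out is disabled everywhere with no approval gate, and criteria-based groups are recalculated on every change. The filter language (attribute equals value, combined with AND), the connected systems, the approval rule and the set names are all assumptions of the example; FIM itself expresses set filters in an XPath dialect.

```python
"""Toy policy engine modelling FIM Sets, set-transition policies and
criteria-based groups.  Added example for this page, not FIM's own code
or API.

In FIM a Set is a filter over object attributes, a Management Policy
Rule runs a workflow when an object transitions into or out of a Set,
and a criteria-based group is membership computed from such a filter.
The filter language here (attribute == value, AND) is invented for the
example; FIM uses an XPath dialect.  Systems and approval are stubs.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

User = Dict[str, str]
Filter = Callable[[User], bool]

ACTIVE = "Active Employees"          # the set whose transitions drive (de)provisioning


def attr_is(attr: str, value: str) -> Filter:
    return lambda u: u.get(attr) == value


def all_of(*filters: Filter) -> Filter:
    return lambda u: all(f(u) for f in filters)


@dataclass
class ConnectedSystem:
    name: str
    accounts: Dict[str, str] = field(default_factory=dict)   # employeeID -> "active" | "disabled"


@dataclass
class PolicyEngine:
    sets: Dict[str, Filter]
    systems: List[ConnectedSystem]
    approve: Callable[[User], bool]            # stands in for the manager approval workflow
    membership: Dict[str, Set[str]] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)

    def evaluate(self, user: User) -> None:
        """Re-evaluate every set for this user and fire transition policies."""
        uid = user["employeeID"]
        for set_name, flt in self.sets.items():
            members = self.membership.setdefault(set_name, set())
            now_in, was_in = flt(user), uid in members
            if now_in and not was_in:
                members.add(uid)
                self.on_transition_in(set_name, user)
            elif was_in and not now_in:
                members.discard(uid)
                self.on_transition_out(set_name, user)

    def on_transition_in(self, set_name: str, user: User) -> None:
        if set_name != ACTIVE:
            return                                  # criteria-based groups need no workflow
        uid = user["employeeID"]
        if not self.approve(user):
            self.audit.append(f"provisioning of {uid} denied by approval workflow")
            return
        for s in self.systems:
            s.accounts[uid] = "active"
        self.audit.append(f"provisioned {uid} to {len(self.systems)} systems")

    def on_transition_out(self, set_name: str, user: User) -> None:
        if set_name != ACTIVE:
            return
        uid = user["employeeID"]
        # Leavers are disabled everywhere immediately; no approval gate on the way out.
        for s in self.systems:
            if uid in s.accounts:
                s.accounts[uid] = "disabled"
        self.audit.append(f"disabled {uid} on all systems")

    def group_members(self, set_name: str) -> List[str]:
        return sorted(self.membership.get(set_name, set()))


def new_engine() -> Tuple[PolicyEngine, List[ConnectedSystem]]:
    """Engine wired to the connected systems named on the provisioning slide."""
    systems = [ConnectedSystem(n) for n in
               ("Active Directory", "Lotus Domino", "LDAP", "SQL Server", "Oracle DB")]
    engine = PolicyEngine(
        sets={
            ACTIVE: attr_is("employeeStatus", "Active"),
            "Full-Time Employees": all_of(attr_is("employeeStatus", "Active"),
                                          attr_is("employeeType", "Full-Time")),
            "Sales": all_of(attr_is("employeeStatus", "Active"),
                            attr_is("department", "Sales")),
        },
        systems=systems,
        approve=lambda u: "manager" in u,     # assumption: approval requires a manager on record
    )
    return engine, systems


if __name__ == "__main__":
    eng, systems = new_engine()
    sam = {"employeeID": "007", "employeeStatus": "Active", "employeeType": "Full-Time",
           "department": "Sales", "manager": "M-1"}
    eng.evaluate(sam)                                           # joiner
    eng.evaluate({**sam, "department": "Marketing"})            # mover
    eng.evaluate({**sam, "employeeStatus": "Terminated"})       # leaver
    print(*eng.audit, sep="\n")
    print({s.name: s.accounts for s in systems})
```

Two points the model makes visible: the criteria-based groups include the employeeStatus condition, so a leaver drops out of every group in the same pass that disables the accounts; and the approval gate sits only on the transition in, which is what the de-provisioning slide's "real-time" claim requires.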

Group Management Demo

Identity Stores and Management Agents

Network operating systems and directory services:
- Active Directory Domain Services 2000, 2003, 2003 R2, 2008, 2008 R2
- Active Directory Lightweight Directory Services (AD LDS) 2000, 2003, 2003 R2, 2008, 2008 R2
- Active Directory Global Address List (GAL): Exchange 2000, 2003, 2007, 2010
- IBM Tivoli Directory Server up to version 6.2
- Novell eDirectory v8.7.3, v8.8
- Sun ONE and Netscape Directory Servers v5.1, v5.2
- IBM Directory Server v6.0, v6.2

Certificate and smart card management:
- FIM Certificate Management

E-mail and messaging:
- Exchange Server 2007 and 2010 (use the AD management agent)
- Lotus Notes v6.5, v7.0 (32-bit Lotus Notes client)

Databases:
- Microsoft SQL Server 2000, 2005, 2008
- IBM DB2 Universal Database 9.1 and 9.5 (64-bit client v9.5 FP5 or v9.7 FP1 required)
- Oracle Database 10g (64-bit client)

File-based (1):
- Attribute-value pairs
- CSV
- Delimited
- Fixed width
- Directory Services Markup Language (DSML) 2.0
- LDAP Data Interchange Format (LDIF)

Other:
- SAP R/3 Enterprise (4.7), mySAP 2004 (ECC 5.0) (32-bit client)
- XML-based systems
- Extensible Management Agent for custom connectivity to other systems

(1) These file formats allow for integration with a variety of applications, databases, telephone switches, X.500 systems, mainframe and metadirectory products, or any underlying system that can produce a file for import and export.

Certificate and Smart Card management
- Increase access security beyond username and password solutions
- Streamline deployment by enrolling user and computer certificates without user intervention
- Simplify certificate and smart card management using Forefront Identity Manager (FIM)
- Enhance remote access security through certificates with Network Access Protection
- Stronger authentication through certificates for administrative access and management

Flow shown in the diagram:
1. A user enrollment and authentication request is sent by the HR System to FIM.
2. The user is validated using multi-factor authentication (user ID and password, then smart card).
3. FIM policy triggers a request for FIM CM to issue a certificate or smart card.
4. FIM Certificate Management (CM) requests certificate creation from Active Directory Certificate Services (AD CS).
5. The certificate is issued to the user and written to either the machine or the smart card.

It's all about trust
- Authentication: "I am the employee you know as Mary"
- Digital Signature: "This content hasn't changed since I signed it"
- Encryption: "No one but Mary can see this content"

FIM 2010 CM Functionality
- Single administration point for smart cards and digital certificates
- User self-service capabilities to help reduce helpdesk burden
- Configurable policy-based workflows for common tasks:
  - Enroll / renew / update
  - Personalize smart card
  - Recover / smart card replacement
  - Issue temporary / duplicate smart card
  - Revoke / retire / disable smart card
- Detailed auditing and reporting capabilities
- Support for centralized, decentralized and self-service scenarios
- Extensibility to support additional authentication technologies including one-time password (OTP) devices, physical access cards and biometrics
- Tightly integrated with Active Directory and Certificate Services

FIM 2010 + FIM 2010 CM

Components in the diagram: FIM Service (AuthN and AuthZ workflows, action workflows, delegation and permissions, Service DB), FIM Sync (Sync DB, management agents), identity stores, and FIM CM.

1. New user added in HR app
2. Sync receives the request; does the requesting user have permission to add a user to FIM? (AuthZ)
3. FIM manages manager and department head approvals (approval workflows)
4. Once approved, changes are committed to the ILM app store
5. FIM sends welcome and confirmation e-mails
6. FIM syncs to external identity stores
7. FIM CM: certificates requested, card created and printed
8. Self-service notification and one-time password sent to the end user
9. End user downloads certificates onto the smart card
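Steps 8 and 9 above hinge on the one-time password that FIM CM sends to the end user: whoever presents it gets certificates written to a smart card, so it has to be single-use, short-lived and bound to one enrollment request. The following is an added example written for this page, not FIM CM's implementation: a toy issue/redeem store showing those properties. The slide does not give the product's OTP format, length, lifetime or retry limit, so the values used here (8 characters from an uppercase alphanumeric alphabet, 15 minutes, 5 attempts) and the HMAC-based storage are assumptions of the example.

```python
"""Toy issue/redeem logic for the enrollment one-time password (OTP) that
FIM CM sends to the end user before the certificates are downloaded onto
the smart card.  Added example for this page, not FIM CM's implementation:
the slide does not show the product's OTP format, length, lifetime or
retry limit, so those are assumptions chosen here.
"""
import hashlib
import hmac
import secrets
import string
import time
from dataclasses import dataclass
from typing import Callable, Dict

ALPHABET = string.ascii_uppercase + string.digits   # readable over the phone; matched case-insensitively
OTP_LEN = 8                 # 36**8 ~ 2.8e12 possibilities (assumed length)
LIFETIME_S = 15 * 60        # assumed validity window
MAX_ATTEMPTS = 5            # assumed lockout threshold per request


@dataclass
class PendingEnrollment:
    user: str
    otp_hash: bytes
    issued_at: float
    attempts: int = 0
    used: bool = False


class OtpStore:
    def __init__(self, key: bytes, now: Callable[[], float] = time.time) -> None:
        self._key = key          # HMAC key kept outside the store so a DB dump yields no usable OTPs
        self._now = now          # injectable clock so expiry can be tested
        self._pending: Dict[str, PendingEnrollment] = {}

    def _digest(self, request_id: str, otp: str) -> bytes:
        # Bind the OTP to its request so a code issued for one request cannot be replayed on another.
        return hmac.new(self._key, f"{request_id}:{otp}".encode(), hashlib.sha256).digest()

    def issue(self, request_id: str, user: str) -> str:
        otp = "".join(secrets.choice(ALPHABET) for _ in range(OTP_LEN))
        self._pending[request_id] = PendingEnrollment(user, self._digest(request_id, otp), self._now())
        return otp               # returned once, for out-of-band delivery (e-mail on the slide)

    def redeem(self, request_id: str, user: str, otp: str) -> bool:
        rec = self._pending.get(request_id)
        if rec is None or rec.used or rec.user != user:
            return False
        if self._now() - rec.issued_at > LIFETIME_S or rec.attempts >= MAX_ATTEMPTS:
            self._pending.pop(request_id, None)     # expired or locked out: a fresh OTP is required
            return False
        rec.attempts += 1
        candidate = self._digest(request_id, otp.strip().upper())
        if not hmac.compare_digest(rec.otp_hash, candidate):
            return False
        rec.used = True          # single use: smart card personalization proceeds exactly once
        return True
```

The store never keeps the OTP itself, only an HMAC over request id and code, compares with hmac.compare_digest, and drops the request after expiry or too many wrong guesses, so a leaked database or an online guessing attempt against the self-service page does not yield an enrollable code.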

Microsoft Solution Components
- Forefront Identity Manager (FIM CM): workflows and profiles for smart card deployment and management; smart card personalization
- Windows Server AD Certificate Services: certificate authority (issue, renew, revoke certs); Online Responder ("certs revoked?")
- AD Domain Services: certificate templates and policy; revocation info (Certificate Revocation List); auto-publish and auto-enroll
- Client PC: enrollment, renewal, revocation check
- FIM CM client / web kiosk: self-service smart card management

FIM 2010 CM Architecture

Physical architecture: FIM CM server, Microsoft CAs, end user, SQL, AD, e-mail.

Component architecture:
- Microsoft Certificate Authority: FIM CM Policy Module, FIM CM Exit Module
- FIM CM server: FIM CM Web App on Internet Information Server, FIM CM AD Integration
- End user: Internet Explorer with the FIM CM browser control, smart card middleware

CLM Demo

Technical Deployment Opportunities
- FIM is very extensible
- Infrastructure footprint can start small and scale up
- FIM Sync is agentless
- The amount of custom development required is minimized and well encapsulated, to empower administrators
- No need to learn a new programming language: use C# or VB.NET

Additional Technical Information
- TechCenter on TechNet: http://technet.microsoft.com/en-us/FIM/default.aspx
- Product page: http://www.microsoft.com/FIM
- TechNet forum: http://social.technet.microsoft.com/Forums/en-US/FIM2/threads
- Additional technical information: http://www.microsoft.com/Forefront/identitymanager/en/us/technical-resources.aspx