Microsoft Forefront Identity Manager 2010

Presentation transcript:

Microsoft Forefront Identity Manager 2010 Elton AGOLLI Chief of Infrastructure Section TETRA Solutions eagolli@tetra.al

Agenda: Customer challenges; Microsoft’s Identity and Access Strategy; Identity and Access Management; The business challenges; How Identity Manager addresses the challenges; Scenarios; Summary; Resources.

Identity & Access Customer Challenges. Compliance: compliance with regulatory requirements; auditable processes for granting access to resources. Operational Efficiency: reducing help desk burden for end user requests; managing the complexity of distributed identity information. Business Agility: enabling new high business value scenarios; supporting mergers, acquisitions & reorganizations. IT Security: integrated user provisioning & credential management; ensuring that only authorized users can access resources.

Business Ready Security Solutions: Secure Messaging; Secure Collaboration; Secure Endpoint; Information Protection; Identity and Access Management; Active Directory® Federation Services.

Identity and Access Management

Business and IT Challenges: Simplify user experience for collaboration across networks; Provide seamless movement between applications; Reduce cost of identity management; Extend business resources, especially to the cloud; Secure multiple devices and locations; Manage complex identity lifecycles; Provide secure access to applications from anywhere; Manage disparate systems. Business needs: Agility and Flexibility. IT needs: Control.

Identity and Access Management. Create: provision user; provision credentials; provision resources. Policy Management: policy authoring; policy enforcement; approvals and notifications; audit trails. Update: role changes; password and PIN reset; resource requests. Retire: de-provision identities; revoke credentials; de-provision resources.

Identity Lifecycle Manager -> Forefront Identity Manager: User Management; Group Management; Common Platform; Workflow; Connectors; Logging; Web Service API; Synchronization; Credential Management; Policy Management; Identity Synchronization; User Provisioning; Certificate and Smartcard Management; Office Integration for Self-Service; Support for 3rd Party CAs; Codeless Provisioning; Group & DL Management; Workflow and Policy.

Version Feature Comparison MIIS 2003 ILM 2007 FIM 2010 Identity synchronization X Password synchronization Policy authoring and editing solution ILM-CM only Policy enforcement Delegation management solution User provisioning solution Certificate and smart card management solution Group management solution DL management solution Workflow Self-service password reset Localized © 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Forefront Identity Manager - Key Feature Areas. Policy Management: SharePoint-based console for policy authoring, enforcement & auditing; extensible WS-* APIs and Windows Workflow Foundation workflows; heterogeneous identity synchronization and consistency. Credential Management: heterogeneous certificate management with 3rd party CAs; management of AD credentials; self-service password reset integrated with Windows logon. User Management: integrated provisioning of identities, credentials, and resources; automated, declarative user provisioning and de-provisioning; self-service profile management. Group Management: rich Office-based self-service group management tools; offline approvals through Office; automated group and distribution list updates.

Forefront Identity Manager 2010 Architecture (diagram). Labels: Solutions; Group Mgmt; Credential Mgmt; Policy Mgmt; Custom; User Mgmt; Outlook; FIM Portal; Windows; Custom; FIM Client Experiences; Cert Mgmt; ILM-CM DB; ILM-CM Portal; FIM Service and Portal; ILM Sync; FIM Service; AuthZ; Workflow; AuthN; Delegation & Permissions; Action; App DB; Adapters; Request Processor; Sync; Directories; Databases; E-Mail Systems; Applications; Identity and data stores.

User scenarios

End User Scenarios (example scenario and FIM 2010 advantages per area). Policy Management: example scenario: CFO gives final approval for new user to access app with associated SOX compliance requirement; advantages: automatic routing of multiple approvals, approval process through Office, audit trail of approvals. Credential Management: example scenario: self-service smart card provisioning & management; advantages: integration with Windows logon, no need to call help desk, faster time to resolution. User Management: example scenario: user changes cell phone number; advantages: automatic updating of business applications, no need to call help desk, faster time to resolution. Group Management: example scenario: user asks to join secure distribution list for new product development; advantages: request process through Office, no waiting for help desk, faster time to resolution.

IT Administrator Scenarios (example scenario and FIM 2010 advantages per area). Policy Management: example scenario: author policy to require HR approval for job title change; advantages: centralized management, automatic policy enforcement across systems. Credential Management: example scenario: create workflow to automatically issue passwords and smart cards to new users; advantages: generation and delivery of initial one-time use password, integration of smart card & cert enrollment with provisioning. User Management: example scenario: automatically provision new employees with identity, mailbox, and credentials; advantages: automatic policy enforcement across systems, management of role changes & retirements. Group Management: example scenario: design policy to automatically create departmental security groups; advantages: automatic management of group membership, secure access to departmental resources, with audit trail.

Customizable Identity Portal. SharePoint-based Identity Portal for Management and Self Service. How you extend it: add your own portal pages or web parts; build new custom solutions; expose new attributes to manage by extending FIM schema; choose SharePoint theme to customize look and feel.

New Employee Scenario. User attributes: Given Name Melissa; Surname Meyers; Title Analyst; Department Finance; Employee ID 122145; Employee type Full Time; email mmeyers@contoso.com. Diagram labels: HR SYSTEM; MANAGER APPROVAL; FIM PROVISIONING POLICY APPLIED; FIM 2010; MAINFRAME; ACTIVE DIRECTORY; FINANCE APPLICATION; EXCHANGE; FINANCE PORTAL; SMART CARD; iPLANET. © 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Workflow Create user

Employee Transition Scenario. User attributes before: Given Name Melissa; Surname Meyers; Title Analyst; Department Finance; Employee ID 122145; Employee type Full Time; email mmeyers@contoso.com. User attributes after: Given Name Melissa; Surname Meyers; Title Group Marketing Manager; Department Marketing; Employee ID 122145; Employee type Full Time; email mmeyers@contoso.com. Diagram labels: HR SYSTEM; FIM PROVISIONING POLICY APPLIED; FIM 2010; MAINFRAME; ACTIVE DIRECTORY; MARKETING APPLICATION; FINANCE APPLICATION; EXCHANGE; FINANCE PORTAL; MARKETING PORTAL; SMART CARD; iPLANET.

Separation/Fire Scenario. User attributes before: Given Name Melissa; Surname Meyers; Title Group Marketing Manager; Department Finance; Employee ID 122145; Employee type Full Time; email mmeyers@contoso.com. User attributes after: Given Name Melissa; Surname Meyers; Title Group Marketing Manager; Department Finance; Employee ID 122145; Employee type Terminated; email mmeyers@contoso.com. Diagram labels: HR SYSTEM; FIM PROVISIONING POLICY APPLIED; FIM 2010; MAINFRAME; ACTIVE DIRECTORY; MARKETING APPLICATION; EXCHANGE; MARKETING PORTAL; SMART CARD; iPLANET.

FIM 2010 In Action: Self-service password management. Callouts: User forgets password; Requests password reset at Win logon and answers Q/A; Does user have permission to reset password?; FIM receives XML; FIM validates Q/A response from user; FIM makes call to reset password in AD; FIM syncs new password to external identity stores; Changes committed to FIM app store. Components: Request Processor; Delegation & Permissions; AuthN & AuthZ Workflows; Action Workflow; Sync DB; Service DB; Management Agents; Identity Stores.

FIM 2010 In Action: Self-service smart card provisioning. Callouts: New user added in HR app; Does user have permission to add user to FIM?; FIM manages manager and dept head approvals; Once approved, changes committed to ILM app store; FIM sends welcome and confirmation e-mails; FIM syncs to external identity stores; Sync receives request; Approval workflows; Card created & printed; Certificates requested; Self-service notification and One Time Password sent to end user; End user downloads certificates onto smart card. Components: AuthN & AuthZ Workflows; Delegation & Permissions; Action Workflow; Service DB; Sync DB; Management Agents; Identity Stores; FIM CM.

Self-Service Group Management. Situation: User needs to join the Fabrikam Project Virtual Team group. Without Forefront Identity Manager 2010 (activity and costs to the business). Melissa Meyers, Business User: calls help desk; costs: lost productivity, no resource access when she needs it. Chad Rice, Accounts Administrator: manually edits AD Users and Computers to add user to group; costs: risk of error and policy non-compliance, cost of manual administration.

Self-Service Group Management. Situation: User needs to join the Fabrikam Project Virtual Team group. With Forefront Identity Manager 2010 (activity and business benefits). Chad Rice, Accounts Administrator: uses FIM to establish group management policies and workflows; benefits: efficiency, security, compliance. Melissa Meyers, Business User: requests to join group from Outlook; FIM routes approvals and grants appropriate access; benefits: user productivity, enables effective business interactions.

Create Distribution List

Unauthorized User Attribute Change. Situation: IT accidentally makes an unauthorized change to a user’s title. Without Forefront Identity Manager 2010 (activity and costs to the business). Samantha Smith, HR Administrator: updates Megan Meyers’ title in SAP. Chad Rice, Accounts Administrator: asked to update Megan Meyers’ title in other systems; accidentally changes Melissa Meyers’ title in ADUC; costs: risk of error and policy non-compliance, cost of manual admin. Ted Smith, Compliance Auditor: discovers error in manual audit process of purchase order application; costs: cost of manual auditing, delay in discovery of non-compliance.

Unauthorized Change. Situation: IT accidentally makes an unauthorized change to a user’s title. With Forefront Identity Manager 2010 (activity and business benefits). Chad Rice, Accounts Administrator: uses FIM to establish policies and workflows that include management of job title data; benefits: efficiency, security, compliance. Samantha Smith, HR Administrator: updates Megan Meyers’ title in SAP; title change data flows to other systems that use it, per FIM policy; benefits: efficiency, compliance. Ted Smith, Compliance Auditor: uses FIM audit trail to audit approvals; benefits: efficiency, compliance.

Summary: FIM 2010. Software for policy-based management of identities, credentials, and resources across heterogeneous environments. Empowers People: provides Office-based self-service tools; SharePoint admin console to manage identities; greater productivity through faster time to resolution. Delivers Agility and Efficiency: reduces costs through automation and self-service; maximizes existing investments in identity infrastructure; integrates with familiar developer tools to enable new scenarios. Increases Security and Compliance: integrates identity, credential, and access management; rich permissions and delegation model; enables system auditing and compliance.

Resources. Learn more about Forefront Identity Manager: FIM 2010 Product Page: http://www.microsoft.com/forefront/identitymanager. Learn about Microsoft Forefront Identity and Security: Forefront Home Page: www.microsoft.com/forefront. Evaluate the Identity Manager: visit http://technet.microsoft.com/en-gb/evalcenter/cc872861.aspx
