Microsoft Forefront Identity Manager 2010 Daniel MEYER Enterprise Technology Architect EMEA.

Presentation transcript:

Agenda
- IdA Concepts
- MS Strategy
- FIM Functional Overview
- FIM Technical Overview
  - Architecture
  - Main Features (how MS IT uses FIM)
- FIM Positioning

Identity and Access Management lifecycle
- Create: provision user; provision credentials; provision resources
- Update: role changes; password and PIN reset; resource requests
- Retire: de-provision identities; revoke credentials; de-provision resources
- Policy Management (across the whole lifecycle): policy authoring; policy enforcement; approvals and notifications; audit trails

Identity & Access Customer Challenges (business agility, IT security, compliance, operational efficiency)
- Enabling new high business value scenarios
- Supporting mergers, acquisitions & reorganizations
- Integrated user provisioning & credential management
- Ensuring that only authorized users can access resources
- Compliance with regulatory requirements
- Auditable processes for granting access to resources
- Reducing help desk burden for end user requests
- Managing the complexity of distributed identity information

Microsoft's Integrated Solutions: delivering TCO in the drive to Dynamic IT, across physical and virtual environments (client, mobile, server, cloud)
- Identity and Access: identity-based access; username and credentials; end-to-end access; identity infrastructure
- Secure Platform: common platform and infrastructure; security services
- Threat Mitigation: comprehensive security across application, endpoint, network and cloud
- Management: simplified and integrated management of systems, applications, information, network and remote access

Microsoft Security: Defense In Depth (a well managed, secure infrastructure is the key!)
- TWC / SDL
- Systems Management: Operations Manager 2007; Configuration Manager 2007; Data Protection Manager; Mobile Device Manager 2008
- Identity & Access Management: Active Directory Federation Services (ADFS); Certificate Lifecycle Management
- Information Protection: Encrypting File System (EFS); BitLocker
- Forefront "Stirling": client and server OS; server applications; edge
- Services

Business Ready Security Solutions (Integrated Security)
- Identity and Access Management (Active Directory Federation Services)
- Information Protection
- Secure Messaging
- Secure Endpoint
- Secure Collaboration

FIM: Manage Identity
- Operations: Create, Modify, Delete, Synchronize, Provision
- Identity data: Users*, Groups & DLs, Certificates, Smart cards, ... (* Users = employees, contractors, partners, customers, ...)
- Using: Portal, Policies, Workflow
- How: manually, automatically, or on a schedule

Forefront Identity Manager 2010 (Policy Management, Credential Management, User Management, Group Management) connects: Directories, Databases, LOB Applications, Windows Log On, the Forefront Identity Manager Portal, Custom Self-Service integration, ISV Partner Solutions and IT Departments

End User Scenarios
- Credential Management: integration with Windows logon; no need to call help desk; faster time to resolution
- Group Management: request process through Office; no waiting for help desk; faster time to resolution
- User Management: automatic updating of business applications; no need to call help desk; faster time to resolution
- Policy Management: automatic routing of multiple approvals; approval process through Office; audit trail of approvals

IT Administrator Scenarios (Credential Management, Group Management, User Management, Policy Management)
- Centralized management
- Automatic policy enforcement across systems
- Management of role changes & retirements
- Generation and delivery of initial one-time use password
- Integration of smart card enrollment with provisioning
- Automatic management of group membership
- Secure access to departmental resources, with audit trail

FIM evolution
- Previously: MIIS, CLM
- Today: Microsoft Identity Lifecycle Manager 2007: identity synchronization; user provisioning; certificate & smartcard management
- ILM "2" (Beta): integrated user experiences; spans user, credential, access and policy management; built on a common foundation: User Management, Access Management, Credential Management, Policy Management, and a Common Platform (Connectors, Delegation, Workflow, Logging, Web Service API)

Version Feature Comparison

FIM Architecture
- FIM client experiences: Outlook, FIM Portal, Windows, Custom FIM Client
- Solutions: Group Mgmt, Credential Mgmt, Policy Mgmt, User Mgmt, Custom
- FIM Service and Portal: FIM Service (AuthN Workflow, AuthZ Workflow, Action Workflow, Delegation & Permissions, Request Processor, App DB, Adapters); FIM Sync (Sync DB)
- Cert Mgmt: FIM-CM, FIM-CM Portal, FIM-CM DB
- Identity and data stores: Directories, Databases, Systems, Applications

Forefront Identity Manager Features
- Credential Management: heterogeneous certificate management with 3rd party CAs; management of multiple credential types, including One Time Passwords; self-service password reset integrated with Windows logon
- Group Management: rich Office-based self-service group management tools; offline approvals through Office; automated group and distribution list updates
- User Management: integrated provisioning of identities, credentials, and resources; automated, codeless user provisioning and de-provisioning; self-service profile management
- Policy Management: SharePoint-based console for policy authoring, enforcement & auditing; extensible WS-* APIs and Windows Workflow Foundation workflows; heterogeneous identity synchronization and consistency

Customizable Identity Portal: a SharePoint-based identity portal for management and self service. How you extend it:
- Add your own portal pages or web parts
- Build new custom solutions
- Expose new attributes to manage by extending the FIM schema
- Choose a SharePoint theme to customize look and feel

ILM "2" Highlights
- Self-service capabilities through Office, Windows, and SharePoint
- Solutions for managing identities, credentials, and resources
- Easily customize management experiences for your organization's data and processes
- No need to write code for common tasks; workflows based on WWF
- Support for managing 3rd party CAs, OTP devices, and the Windows Server 2008 CA
- .NET and WS-* based extensibility

White pages: the portal includes a white pages view that can be searched.

Creating Users: if you have permission, users can be created within the portal as well. Normally most FTE users will come in through an identity system (e.g. SAP HR); temporary users can be created through the portal.

Applying Business Rules to DLs: business rules and policies can be implemented in a number of ways, for example through the use of dynamic/calculated group memberships.

Management Policies: used to define policy within the organisation for sets of data (for example 'people').

Management Policies: here we are saying that all users can read and update their own attributes. We can also assign this policy to kick off a workflow if required.

Workflow: workflows can be defined for such things as approvals. We associate workflows with actions such as a group approval.

User Self Service: by default users can perform self service on themselves, create groups (which expire after a period of time), and view the white pages.

Password Reset and Synchronization (diagram): ILM "2" synchronizes the password of the example user Melissa to iPlanet, the Finance Application, the Finance Portal, Active Directory and the Windows machine.

Connecting to systems: connecting to systems is done via a Management Agent in the Synchronisation Engine. This includes the schema configuration and the attributes that you want to make available to the portal.

Synchronisation Rules: synchronisation rules define relationships and attribute flows to downstream identity systems. They can be configured for inbound, outbound or bidirectional data flow.

Connecting and attribute flow: there are two ways in Forefront Identity Manager:
- Via the Management Agent, for attribute flow and provisioning
- Via Sync Rules in the Forefront Identity Manager portal
Either can be used depending on the deployment scenario; for example, we may use provisioning rules and attribute flow via the MA for devices installed out of the box. This reduces the complexity for customers.

Approval processes confirm permission. Office 2007 integration allows group memberships and approvals to be handled from Outlook 2007.

FIM 'Certificate Management' (CM)
- Single administration point for smart cards & digital certificates
- User self-service capabilities to help reduce helpdesk burden
- Configurable policy-based workflows for common tasks:
  - Enroll / renew / update
  - Personalize smart card
  - Recover / smart card replacement
  - Issue temporary / duplicate smart card
  - Revoke / retire / disable smart card
- Detailed auditing and reporting capabilities
- Support for centralized, decentralized and self-service scenarios
- Extensibility to support additional authentication technologies, including one time password (OTP) devices, physical access cards & biometrics
- Tightly integrated with Active Directory and Certificate Services
(Diagram: Certificate Management: CM Portal, CM DB, Cert Mgmt)

CLM User Portal

CLM Manager Operations Portal

SCOM Management Pack

Key Challenges
- 6 forests, 13 domains
- Migration/co-existence with legacy applications
- Complex deployment design across multiple scenarios
- Initial population of the database
- Driving password reset registration
- First large scale deployment

MSIT Deployment
Goals:
- Validate FIM's value proposition
- Reduce cost by automating processes
- Eliminate costly custom solutions
- Validate product readiness across the feature sets in a large enterprise environment
- Customer proof
Process:
- Highly collaborative
- Cross-functional teams on both sides

Scenario Overview – Password Reset
Jill has been out on vacation for a few weeks. As a result, she has forgotten her password and must reset it.
Today:
- Jill needs to call the helpdesk to reset her password
- The company incurs a significant cost in managing credentials for 175,000 employees like Jill
- The company needs to maintain different tools for managing the credentials of employees and contractors
With FIM:
- Jill is able to reset her password without calling the helpdesk
- Microsoft IT maintains a centralized set of policies & common tools
- Employees can reset their credentials directly from the Windows logon screen or through the FIM 2010 Portal

Define The Problem for MSIT
- The company incurs a significant cost in managing credentials for employees and contractors: 42,000 resets/year X $20 = $850,000
- Soft costs: Melissa is unproductive for 15 minutes while waiting to get her password reset
- $600,000 per year in savings

Scenario Overview – Group Management
Melissa Meyers has now started her job as an Analyst in the Finance department. As part of her daily tasks she will need to join new groups as well as manage her own project related groups.
Today:
- Melissa goes to the web site to use the custom group management tool
- Joining groups that need approval requires access to the custom group management tool
- Dynamic group membership is not available to end users & requires a custom tool
With FIM:
- Melissa can create/join DLs right from the FIM 2010 Portal
- Owners can approve groups via Outlook or the FIM 2010 Portal
- Calculated groups automatically update membership

Define the Problem for MSIT
- Developing and maintaining group management tools costs millions of dollars
- Support of custom group management tools
- Complexity of deployment and lack of long term vision
- Lack of connectivity to the group management tool results in soft costs around user productivity
- Security group creation causes token bloat
- Bolt-on applications that only administrators have access to (ADUC) or other group management tools

Define The Problem for MSIT: custom software maintenance and upgrades > $3,000,000 estimated per year in savings

Summary (empowers people; delivers agility and efficiency; increases security and compliance):
- Integrates identity, credential, and access management
- Rich permissions and delegation model
- Enables system auditing and compliance
- Provides Office-based self-service tools
- SharePoint admin console to manage identities
- Greater productivity through faster time to resolution
- Reduces costs through automation and self-service
- Maximizes existing investments in identity infrastructure
- Integrates with familiar developer tools to enable new scenarios

Resources
- Learn more about Forefront Identity Manager: FIM 2010 Product Page: ; ILM 2007 Product Page:
- Learn about Microsoft Forefront Identity and Security: Forefront Home Page:
- Evaluate the Identity Manager: visit
- To download this presentation click here:

© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.