Federico Guerrini IDA TSP, EMEA Incubation Team From Identity Synchronization to Identity Management
Agenda
− Forefront Identity Manager (FIM) 2010 history and evolution
− Identity Synchronization: the IT-centric approach
− Identity Management: the Business-centric approach
− FIM 2010 Solutions: deploying identity management solutions quickly and effectively
FIM 2010’s Heritage
ILM & FIM History (timeline)
− Once upon a time: MIIS, CLM Beta
− Yesterday: ILM 2007 = MIIS + CLM
− Today: FIM 2010 = User Management, Group Management, Credential Management, Policy Management
Problem #1: User Provisioning (diagram)
Human Resources: Name, Employee ID, Cost center, Manager, Roles
Active Directory: Name, Alias, Mailbox settings / Name, Domain Account, Manager
App Servers: App Account, App profile 1, App profile 2, App profile 3
IT ADMIN, with FIM 2010: Security? Compliance? Productivity/Cost Reduction? Reporting?
Problem #2: Certificate and Smart Card Lifecycle Management (diagram)
Systems involved: Human Resources, Active Directory, App servers
Certificate uses: Smart card logon, Digitally signed, Encrypted data, Certificate-based web auth
IT ADMIN, with FIM-CM 2010: Certificate renewal? Lost smart card? Forgotten PIN? Blocked smart card?
Session Focus: User Provisioning (diagram)
Human Resources: Name, Employee ID, Cost center, Manager, Roles
Active Directory: Name, Alias, Mailbox settings / Name, Domain Account, Manager
App stores: App Account, App profile 1, App profile 2, App profile 3
IT ADMIN: Security? Compliance? Productivity/Cost Reduction? Reporting?
The “IT-Centric” Approach
IT-Centric Approach: Identity Synchronization (diagram)
Human Resources: Name, Employee ID, Cost center, Manager, Roles
Active Directory: Name, Alias, Mailbox settings / Name, Domain Account, Manager
App stores: App Account, App profile 1, App profile 2, App profile 3
Meta Directory + Synch Engine (aggregated view): Name, Employee ID, Cost center, Manager, Roles, Alias, Domain Account, App Account, App Profile 1, App Profile 2, App Profile 3
Identity Synchronization Example (diagram, animated in steps 1-4): the same Human Resources, Active Directory and App servers attributes flow through the Meta Directory + Synch Engine
Synch Engine Logical Architecture: Connected Directories ↔ Management Agents ↔ Synch Engine + Repository
The IT-Centric Approach: Summary (diagram as above: HR, Active Directory and App stores attributes aggregated in the Meta Directory + Synch Engine)
− Provisioning processes triggered by modifications on connected directories
− Provisioning processes driven by synchronization rules
IT ADMIN: "My organization is far too complex for each and every provisioning process to be described by a synchronization rule!"
The “Business-Centric” Approach
Focus on Business Processes
− Rich permissions and delegation model
− System auditing and compliance
− Users must be given the power to trigger, participate in and drive provisioning processes
− Route users' requests to appropriate decision makers
− Offload IT admin from dealing with users' requests
Themes: Empowering People; Delivering Agility and Efficiency; Increasing Security and Compliance
How FIM 2010 Extends the Identity Synch Approach
Workflow support
− FIM 2010 can automate business processes for managing user identities and their entitlements
Self-service and delegation
− FIM 2010 provides high-level interfaces for end users to request provisioning of, or access to, resources, either for themselves or on someone else's behalf
Policy management
− FIM 2010 enables IT professionals to create and maintain provisioning policies through simplified, graphical, web-based interfaces
FIM 2010 Logical Architecture
− FIM 2010 introduces a new repository, referred to as the "Object Store", connected to the ILM 2007 Metadirectory & Synch layer via a dedicated MA (the FIM 2010 MA)
− The underlying synchronization engine stays the same as in the current version (ILM 2007)
− FIM 2010 introduces a web portal, hosted on Windows SharePoint Services (WSS), that provides self-service functionalities, workflows, policy management and GUI-based configuration wizards
Deploying core IDA capabilities quickly
Policy Management
Management Policy Rules (MPRs): formal description of business processes for managing users, resources, entitlements
Typical MPR: when a new employee is hired
− AD and RACF accounts created
− Mailbox created
− Notification sent to employee's manager
− Requests for relevant group memberships sent to group owners
Policy Management - Demo
Group Management
Dynamic groups / DLs
− Membership calculated based on user attributes
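The Policy Management and Group Management slides describe the same mechanism from two sides: a set is a filter over user attributes, a dynamic group is a set with a name, and a Management Policy Rule fires a workflow when someone transitions into or out of a set. The block below is an added model of that evaluation loop, not FIM's implementation; the user population, the set filters, the group names and the workflow action strings are constructed. It runs the "new employee is hired" MPR from the Policy Management slide and shows the dynamic DL recomputing itself without any request.

```python
"""Toy Management Policy Rule (MPR) evaluator with dynamic groups.

Added illustration of the concepts on these slides (not FIM code): a set
is a filter over user attributes, a dynamic group's membership is simply
the members of the set it is bound to, and a transition MPR fires a
workflow when a user enters or leaves a set. Users, sets, groups and the
workflow actions are constructed examples.
"""


def sample_users():
    """Fresh copy of the constructed user population, keyed by employee ID."""
    return {
        "10001": {"name": "Alice Rossi", "status": "Active", "costCenter": "CC-42", "manager": "10002"},
        "10002": {"name": "Bruno Conti", "status": "Active", "costCenter": "CC-42", "manager": None},
        "10003": {"name": "Carla Left", "status": "Terminated", "costCenter": "CC-41", "manager": "10002"},
    }


# Sets: attribute filters re-evaluated over the whole population on every change.
SETS = {
    "Active Employees": lambda u: u.get("status") == "Active",
    "Cost Center 42": lambda u: u.get("costCenter") == "CC-42",
}

# A dynamic DL is bound to a set; nobody requests membership, it is calculated.
DYNAMIC_GROUPS = {"DL-CC42": "Cost Center 42"}

# Manually managed groups have an owner who must approve membership requests.
MANUAL_GROUPS = {
    "Finance-Approvers": {"owner": "10002", "relevant": lambda u: u.get("costCenter") == "CC-42"},
}


def members(set_name, users):
    return sorted(e for e, u in users.items() if SETS[set_name](u))


def dynamic_group_members(group, users):
    return members(DYNAMIC_GROUPS[group], users)


def joiner_workflow(emp_id, user, users):
    """The slide's typical MPR: what happens when a new employee becomes active."""
    actions = [f"create AD account for {emp_id}",
               f"create RACF account for {emp_id}",
               f"create mailbox for {emp_id}"]
    if user.get("manager"):
        actions.append(f"notify manager {user['manager']} about {emp_id}")
    for name, spec in MANUAL_GROUPS.items():
        if spec["relevant"](user):   # a request, not a grant: the owner decides
            actions.append(f"request membership of {emp_id} in {name} from owner {spec['owner']}")
    return actions


def leaver_workflow(emp_id, user, users):
    return [f"disable AD account for {emp_id}", f"remove {emp_id} from all groups"]


# Transition MPRs: (set, direction) -> workflow.
MPRS = [
    {"set": "Active Employees", "transition": "in", "workflow": joiner_workflow},
    {"set": "Active Employees", "transition": "out", "workflow": leaver_workflow},
]


def apply_change(users, emp_id, changes):
    """Apply an attribute change (or create the user) and return the actions the MPRs fired."""
    before = {s: set(members(s, users)) for s in SETS}
    users[emp_id] = {**users.get(emp_id, {}), **changes}
    after = {s: set(members(s, users)) for s in SETS}
    fired = []
    for mpr in MPRS:
        s = mpr["set"]
        moved = after[s] - before[s] if mpr["transition"] == "in" else before[s] - after[s]
        for e in sorted(moved):
            fired.extend(mpr["workflow"](e, users[e], users))
    return fired


if __name__ == "__main__":
    users = sample_users()
    print(apply_change(users, "10004", {"name": "Dario Neri", "status": "Active",
                                        "costCenter": "CC-42", "manager": "10002"}))
    print(dynamic_group_members("DL-CC42", users))
    print(apply_change(users, "10001", {"status": "Terminated"}))
```

Note the asymmetry the slides imply: dynamic DL membership is granted purely by attribute, so whoever can write `costCenter` effectively controls who is on the list, while membership in the manually managed group only ever produces a request to its owner.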
Group Management - Demo
Credential Management
Self-service password reset integrated in Windows Logon
Default password reset workflow based on "security questions"
− Can be customized
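Whatever gate a customized reset workflow uses, the question-based default stands or falls on how the registered answers are stored and compared. The block below is an added example of that gate, not FIM's own implementation; the question texts, the PBKDF2 cost, the lockout threshold and the sample profile are constructed assumptions. It normalizes answers so a correct one is not rejected for case or accents, stores only salted hashes, evaluates every question on every attempt with a constant-time comparison, and locks after repeated failures.

```python
"""Security-question gate for self-service password reset.

Added illustration (not FIM's own implementation) of the one part of a
question-based reset workflow that is easy to get wrong: how registered
answers are stored and checked. Answers are normalized, then stored as
salted PBKDF2 hashes so a leaked profile does not expose them; every
question is checked on each attempt and the comparison is constant-time;
repeated failures lock the gate. Question texts, limits and the sample
profile are constructed for the example.
"""
import hashlib
import hmac
import os
import unicodedata

PBKDF2_ITERATIONS = 100_000   # assumed cost parameter
MAX_FAILURES = 3              # assumed lockout threshold


def normalize(answer):
    """Case, surrounding/duplicate whitespace and accents must not fail a right answer."""
    s = unicodedata.normalize("NFKD", answer)
    s = "".join(c for c in s if not unicodedata.combining(c))
    return " ".join(s.casefold().split())


def _digest(answer, salt):
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(answers):
    """Build a reset profile from {question: answer}; plaintext answers are never kept."""
    stored = {}
    for question, answer in answers.items():
        salt = os.urandom(16)
        stored[question] = (salt, _digest(answer, salt))
    return {"answers": stored, "failures": 0, "locked": False}


def verify(profile, supplied, required=None):
    """Return True when at least `required` answers match (default: all of them).

    All questions are always evaluated, so neither the response time nor the
    result reveals which individual answer was wrong.
    """
    if profile["locked"]:
        return False
    required = len(profile["answers"]) if required is None else required
    correct = 0
    for question, (salt, expected) in profile["answers"].items():
        candidate = _digest(supplied.get(question, ""), salt)
        if hmac.compare_digest(candidate, expected):
            correct += 1
    if correct >= required:
        profile["failures"] = 0
        return True
    profile["failures"] += 1
    if profile["failures"] >= MAX_FAILURES:
        profile["locked"] = True   # unlocking is a help-desk action, not another guess
    return False


if __name__ == "__main__":
    profile = register({"First pet's name": "Fido", "City of birth": "Roma"})
    print(verify(profile, {"First pet's name": " fido ", "City of birth": "ROMA"}))
    print(verify(profile, {"First pet's name": "Rex", "City of birth": "Roma"}))
```

The lockout state lives with the profile rather than the session so that an attacker cannot reset the counter by starting over; the general caveat is that answers to personal questions are guessable or discoverable, which is why the slide's "can be customized" matters.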
Credential Management - Demo
User Management
Self-service user portal
− Delegate to end users the maintenance of non-security-sensitive attributes
Self-service group management tools
− "Add me to": Group, DL
− Office integration
User Management - Demo
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.