Microsoft Forefront Identity Manager 2010: Deploying FIM
Tech Ed North America 2010, session code SIA318
Mark Wahl, CISA (Architect, Microsoft Corporation) and Mas Libman (Program Manager, Microsoft Corporation)
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Prerequisites: general knowledge of Forefront Identity Manager (FIM)
Agenda
- Identity Management governance
  - Policies and data flows
  - Roles and entitlements
- Deploying FIM servers
- FIM and IT service management
Identity Management and Governance: Policies and Data Flows
Business Ready Security: help securely enable business by managing risk and empowering people, across on-premises and cloud
- Pillars: Protection, Access, Identity, Management, on a highly secure and interoperable platform
- Protect everywhere, access anywhere
- Integrate and extend security across the enterprise
- Simplify the security experience, manage compliance
- From: block, cost, siloed. To: enable, value, seamless
Identity Management
- Provide agility and efficiency in controlling access to applications
- Increase security and compliance with automatable and auditable processes for assigning and maintaining identities, credentials and other resources
- Empower end users through delegation and self-service
Identity Management and Governance
Governance controls can maintain the quality of identity data:
- What is the business value of identity data?
- Who is the owner of each element of the data? Who is the custodian?
- What processes ensure the data has appropriate quality to support the applications relying upon it?
Example Identity Data Flows (diagram)
- System-of-record data sources: Active Directory, databases, other directory services
- FIM 2010: FIM Portal and Service (policies, requests, workflow, change request approval, database), FIM Synchronization Service (metaverse, database), FIM Certificate Management (cert DB, CA)
- Application data sources: Application #1, Application #2, Application #3
FIM Supporting Application Access Control
- Enabling on-premises applications: FIM creates user and group accounts in AD and other directories
- Enabling federated and cloud-based services:
  - FIM supplies AD FS with data for constructing claims. For example, FIM could construct and sync into a database or AD a value which becomes a "role" claim used for authorization across organizations
  - FIM supplies cloud-based services with user account provisioning and deprovisioning, for services which need a copy of the directory (e.g., for an address book)
  - FIM provisions users with smartcards or software certificates, enabling stronger authentication to cloud-based services than just username and password
FIM Supporting Application Access Control (diagram)
- Clients: rights-aware client, web client
- Access paths: security-group-based access control backed by Active Directory (IdP) and Active Directory Rights Management Services; a claims-based web application (RP, built on Windows Identity Foundation) receiving claims from Active Directory Federation Services; Forefront Unified Access Gateway in front of the web application
- FIM 2010: Portal, FIM Service (database), FIM Sync Service and FIM CM, feeding Active Directory and a database of additional attributes
Controlling Data Flows with FIM: Sets
- A Set is a collection of resources matching a filter (an XPath expression)
- Define sets related to each other to partition the data flows:
  - By ownership or system-of-record source
  - By controller or maintenance lifecycle
  - By requirements for visibility, or constraints for privacy/data protection
  - By approach for delegation, e.g. groups controlling access to LBI (low business impact) data or discussion: open, anyone can join; access to MBI (medium business impact): owner approval; access to HBI (high business impact): administrator-maintained, using existing procedures
  - By roles and by entitlements
Controlling Data Flows with FIM: Workflows and Synchronization Rules
- Workflow: a sequence of one or more activities for the FIM Service to perform
- Outbound Synchronization Rule: defines how attributes are synchronized from the representation of a resource in the FIM Sync Service metaverse into its representation in a connected system
Controlling Data Flows with FIM: Management Policy Rules
- Request MPRs (R-MPR): define the access control policy enforced in FIM itself for operations on resources by requestors using the FIM Portal or Web Service. Evaluated and applied to requests based on the requestor being in a requestor set
- Set Transition MPRs (T-MPR): define a policy with an action workflow to apply to resources in a set; the workflow runs when a resource enters or leaves the set. An action workflow activity could reference an outbound synchronization rule
- The "Run on Policy Update" flag applies a T-MPR's policy to resources already in the set when the T-MPR is created or enabled, or when the MPR's set or workflow references are updated
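The R-MPR evaluation described above, as an added example that is not part of the original deck and not FIM's own code: a small model in which each Request MPR grants a set of operations on a set of attributes for resources in a target set, the requestor is matched either by a requestor set or "relative to resource" through an attribute such as Owner, and a request is permitted only when every attribute it touches is granted by some MPR. The resource dictionaries, set predicates (FIM uses XPath filters) and policy names are hypothetical.

```python
# Added example (not from the original deck): a minimal model of how FIM 2010
# Request MPRs (R-MPRs) authorise an operation. Resources, set filters and
# policy names are hypothetical; FIM's real set filters are XPath, modelled
# here as Python predicates.
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable

Resource = dict  # a FIM resource, modelled as an attribute dictionary


@dataclass(frozen=True)
class RequestMPR:
    """Grants `operations` on `attributes` of resources in `target_set`.

    The requestor must be in `requestor_set`, or, for a "relative to resource"
    MPR, be referenced by the target's `relative_attr` (for example Owner).
    """
    name: str
    operations: frozenset[str]
    target_set: Callable[[Resource], bool]
    attributes: frozenset[str] | None = None   # None means every attribute
    requestor_set: Callable[[Resource], bool] | None = None
    relative_attr: str | None = None

    def grants(self, requestor: Resource, op: str, before: Resource,
               after: Resource, attr: str) -> bool:
        if op not in self.operations:
            return False
        if self.attributes is not None and attr not in self.attributes:
            return False
        # The target must be in the set both before and after the request
        # (FIM's "resource current set" and "resource final set"), so a grant
        # cannot be used to move a resource out of the set that authorised it.
        if not (self.target_set(before) and self.target_set(after)):
            return False
        if self.requestor_set is not None:
            return self.requestor_set(requestor)
        # Relative MPR: the requestor must be referenced by the resource as it
        # currently exists (e.g. listed in its Owner attribute).
        return requestor["ObjectID"] in before.get(self.relative_attr, ())


def authorize(policies: list[RequestMPR], requestor: Resource, op: str,
              before: Resource, after: Resource, attrs: list[str]) -> dict[str, str | None]:
    """Map each requested attribute to the first R-MPR that grants it, or None.

    FIM denies by default: a request is permitted only if every attribute it
    touches is granted by some R-MPR (different attributes may be granted by
    different MPRs).
    """
    return {a: next((p.name for p in policies
                     if p.grants(requestor, op, before, after, a)), None)
            for a in attrs}


def is_allowed(decision: dict[str, str | None]) -> bool:
    return all(mpr is not None for mpr in decision.values())


# Constructed sample data: one admin set, two people and one group Bob owns.
ADMINS = {"a1"}
is_admin = lambda r: r["ObjectID"] in ADMINS            # Set "Administrators"
is_person = lambda r: r.get("ObjectType") == "Person"  # Set "All People"
is_group = lambda r: r.get("ObjectType") == "Group"    # Set "All Groups"

POLICIES = [
    RequestMPR("Administrators manage people",
               frozenset({"Create", "Read", "Modify", "Delete"}), is_person,
               requestor_set=is_admin),
    RequestMPR("Group owners manage membership", frozenset({"Modify"}), is_group,
               attributes=frozenset({"ExplicitMember"}), relative_attr="Owner"),
]
ALICE = {"ObjectID": "a1", "ObjectType": "Person", "DisplayName": "Alice"}
BOB = {"ObjectID": "b1", "ObjectType": "Person", "DisplayName": "Bob"}
SALES = {"ObjectID": "g1", "ObjectType": "Group", "Owner": ["b1"], "ExplicitMember": ["b1"]}


def demo() -> dict[str, object]:
    """Four requests against POLICIES; the last one shows attribute scoping."""
    return {
        # 1. Alice (admin) renames Bob: granted by the administrators MPR.
        "admin_rename": is_allowed(authorize(POLICIES, ALICE, "Modify", BOB,
                                             {**BOB, "DisplayName": "Robert"}, ["DisplayName"])),
        # 2. Bob renames Alice: no MPR covers it, so FIM denies.
        "peer_rename": is_allowed(authorize(POLICIES, BOB, "Modify", ALICE,
                                            {**ALICE, "DisplayName": "Alicia"}, ["DisplayName"])),
        # 3. Bob adds a member to a group he owns: granted by the relative MPR.
        "owner_add_member": is_allowed(authorize(POLICIES, BOB, "Modify", SALES,
                                                 {**SALES, "ExplicitMember": ["b1", "a1"]},
                                                 ["ExplicitMember"])),
        # 4. Bob edits membership and reassigns Owner in one request: Owner is
        #    outside the granted attribute list, so the whole request fails.
        "owner_escalate": authorize(POLICIES, BOB, "Modify", SALES,
                                    {**SALES, "ExplicitMember": ["b1", "a1"], "Owner": ["a1"]},
                                    ["ExplicitMember", "Owner"]),
    }
```

The fourth request is the one worth checking when you review an R-MPR: an owner who can edit ExplicitMember must not be able to bundle an Owner change into the same request, so the attribute list on the MPR, not just the target set, is what bounds the delegation.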
Identity Management and Governance: Roles and Entitlements
Modeling Roles in FIM
- A role abstraction captures entitlements independently of specific users; assigning a user to a role grants them all the entitlements defined for the role
- FIM Sets and MPRs can model the policies for roles by:
  - Defining who is in a role via Set membership (e.g., FIM Administrators): the set represents the role and its members are in the role, expressed in an R-MPR as the Requestors
  - Defining roles by values in resource attributes (e.g., owner of groups): works well for near-universal or very common role relationships
  - Mapping roles to connected systems by group membership: the group represents the role and the target system is configured to grant access to the group
Entitlements in FIM
- Entitlements for use in the FIM Service itself are modelled through R-MPRs
- Entitlements as group memberships are modelled through security groups
- Workflow-based entitlements for storing data in connected systems are modelled as Set + Transition-In T-MPR + Transition-Out T-MPR + workflows:
  - A Set represents the entitlement: a resource that is a member of the Set has received the entitlement; otherwise it has not
  - A Transition-In T-MPR invokes the provisioning workflow
  - A Transition-Out T-MPR invokes the deprovisioning workflow
  - Requires the Run on Policy Update flag for the workflows. Exception: you may want to avoid re-running a workflow that has no semantic effect but causes a lot of processing, e.g. notification workflow activities
Roles and Entitlements Design Planning
Design for the business process:
- Roles: define the roles for the business processes
- Entitlements: for each role, determine the entitlements required
Avoiding unintended side effects
Diagram 1: the entitlement "Full time employee has AD account" is modelled as the Set "Full time employees" (Filter: "/Person[ETYPE='FTE']") with a Transition-In T-MPR (Action Workflow: AD Provision) and a Transition-Out T-MPR (Action Workflow: AD Deprovision). Person "Alice" (ETYPE: "FTE") is a member.
Diagram 2: avoid associating multiple sets with the same entitlement. Here a second entitlement, "Employee on leave has AD account", is modelled separately on the Set "Employees on leave" (Filter: "/Person[ETYPE='OnLeave']", member Person "Bob" with ETYPE: "OnLeave") with its own Transition-In T-MPR (AD Provision) and Transition-Out T-MPR (AD Deprovision). When Alice's ETYPE changes from "FTE" to "OnLeave" she leaves the first set and enters the second, so the AD Deprovision and AD Provision workflows both run against an account that should simply have been left alone.
Diagram 3: redefine the set to include all roles sharing this entitlement, and define sets in terms of other sets when it makes semantic sense. The single entitlement "Employees have AD account" is modelled on the Set "Employees needing AD accounts" (Filter: "/Person[/ObjectID=… ]", i.e. membership of the set "Full time employees" or the set "Employees on leave"), with one Transition-In T-MPR (AD Provision) and one Transition-Out T-MPR (AD Deprovision). "Full time employees" (Filter: "/Person[ETYPE='FTE']", member Alice) and "Employees on leave" (Filter: "/Person[ETYPE='OnLeave']", member Bob) remain role sets and carry no workflows of their own.
Roles and Entitlements Implementation Planning
1. First, sync in all the user data
2. For each role, create the set
3. For each sync rule or other workflow-based entitlement:
   a. Create the workflows for provisioning and deprovisioning the entitlement. Ensure activities are idempotent and reentrant. Use Run On Policy Update, which ensures the policy is applied to all existing members
   b. Create a set which represents the entitlement
   c. Create a 'transition out' T-MPR configured with the set and the deprovision action workflow
   d. Create a 'transition in' T-MPR configured with the set and the provision action workflow
4. Avoid using R-MPR workflows for sync rule entitlements
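The side-effect diagrams and the implementation steps above, as one added example that is not part of the original deck and not FIM's own code: a toy simulation of Sets and Transition MPRs in which the FIM Service records each resource's set membership and fires the matching transition-in or transition-out workflows on every change. It runs the deck's anti-pattern (two role sets each carrying AD Provision and AD Deprovision for the same entitlement) under both possible T-MPR orderings, then the recommended union set built in the listed order (sync data, create the transition-out T-MPR, then the transition-in T-MPR with Run On Policy Update). Set names, filters, the ETYPE attribute, the AccountName attribute and the in-memory AD stand-in are hypothetical; the workflows are written to be idempotent as step 3a requires.

```python
# Added example (not from the original deck): a toy simulation of FIM 2010 Sets
# and Set Transition MPRs (T-MPRs). Set names, filters, attributes and the AD
# stand-in are hypothetical.
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable

Resource = dict  # a FIM resource, modelled as an attribute dictionary


@dataclass
class FimSet:
    """Resources matching a filter (XPath in FIM; a Python predicate here)."""
    name: str
    filter_fn: Callable[[Resource], bool]

    def contains(self, r: Resource) -> bool:
        return bool(self.filter_fn(r))


@dataclass
class TransitionMPR:
    """Runs `workflow` when a resource enters ("in") or leaves ("out") `set_`."""
    name: str
    set_: FimSet
    direction: str
    workflow: Callable[[Resource, "ConnectedSystem"], None]


class ConnectedSystem:
    """Stand-in for AD: accounts by name, plus counters that expose churn."""
    def __init__(self) -> None:
        self.accounts: dict[str, dict] = {}
        self.creates = 0
        self.deletes = 0


def ad_provision(r: Resource, ad: ConnectedSystem) -> None:
    """Idempotent: creating an account that already exists is a no-op."""
    if r["AccountName"] not in ad.accounts:
        ad.accounts[r["AccountName"]] = {"ObjectID": r["ObjectID"]}
        ad.creates += 1


def ad_deprovision(r: Resource, ad: ConnectedSystem) -> None:
    """Idempotent: deleting an account that is already gone is a no-op."""
    if ad.accounts.pop(r["AccountName"], None) is not None:
        ad.deletes += 1


class FimService:
    """Tracks set membership per resource and fires T-MPRs on transitions."""
    def __init__(self, mprs: list[TransitionMPR], ad: ConnectedSystem) -> None:
        self.mprs, self.ad = list(mprs), ad
        self.resources: dict[str, Resource] = {}
        self.membership: dict[tuple[str, str], bool] = {}
        self.log: list[str] = []

    def apply(self, r: Resource) -> list[str]:
        """Commit a create/update of r, then run the T-MPRs whose set membership
        changed, in list order (FIM gives no ordering guarantee between T-MPRs)."""
        self.resources[r["ObjectID"]] = r
        transitions = set()
        for s in {m.set_.name: m.set_ for m in self.mprs}.values():
            key, now = (s.name, r["ObjectID"]), s.contains(r)
            if self.membership.get(key, False) != now:
                transitions.add((s.name, "in" if now else "out"))
            self.membership[key] = now
        fired = []
        for m in self.mprs:
            if (m.set_.name, m.direction) in transitions:
                m.workflow(r, self.ad)
                fired.append(m.name)
        self.log += fired
        return fired

    def add_mpr(self, mpr: TransitionMPR, run_on_policy_update: bool = True) -> list[str]:
        """Enable a T-MPR; with Run On Policy Update, a transition-in MPR is
        applied immediately to every resource already in the set."""
        self.mprs.append(mpr)
        fired = []
        for r in self.resources.values():
            member = mpr.set_.contains(r)
            self.membership[(mpr.set_.name, r["ObjectID"])] = member
            if member and mpr.direction == "in" and run_on_policy_update:
                mpr.workflow(r, self.ad)
                fired.append(mpr.name)
        return fired


FTE = FimSet("Full time employees", lambda r: r.get("ETYPE") == "FTE")
ON_LEAVE = FimSet("Employees on leave", lambda r: r.get("ETYPE") == "OnLeave")


def two_sets_scenario(in_first: bool) -> dict[str, object]:
    """Anti-pattern: each role set carries its own provision/deprovision T-MPRs
    for the single entitlement 'has an AD account'."""
    ins = [TransitionMPR(f"{s.name}: in -> AD Provision", s, "in", ad_provision) for s in (FTE, ON_LEAVE)]
    outs = [TransitionMPR(f"{s.name}: out -> AD Deprovision", s, "out", ad_deprovision) for s in (FTE, ON_LEAVE)]
    ad = ConnectedSystem()
    svc = FimService(ins + outs if in_first else outs + ins, ad)
    alice = {"ObjectID": "p1", "AccountName": "alice", "ETYPE": "FTE"}
    svc.apply(alice)                            # hired: provisioned once
    svc.apply({**alice, "ETYPE": "OnLeave"})    # goes on leave: FTE-out and OnLeave-in both fire
    return {"has_account": "alice" in ad.accounts, "creates": ad.creates, "deletes": ad.deletes}


def union_set_scenario() -> dict[str, object]:
    """Fix: one entitlement set defined in terms of the role sets, built in the
    order the deck recommends."""
    needs_ad = FimSet("Employees needing AD accounts", lambda r: FTE.contains(r) or ON_LEAVE.contains(r))
    ad = ConnectedSystem()
    svc = FimService([], ad)
    bob = {"ObjectID": "p2", "AccountName": "bob", "ETYPE": "OnLeave"}
    svc.apply(bob)                                            # synced in before any policy exists
    svc.add_mpr(TransitionMPR("needs AD: out -> AD Deprovision", needs_ad, "out", ad_deprovision))
    ropu = svc.add_mpr(TransitionMPR("needs AD: in -> AD Provision", needs_ad, "in", ad_provision))
    alice = {"ObjectID": "p1", "AccountName": "alice", "ETYPE": "FTE"}
    svc.apply(alice)
    svc.apply({**alice, "ETYPE": "OnLeave"})      # still in the union set: nothing fires
    svc.apply({**alice, "ETYPE": "Terminated"})   # leaves the set: deprovisioned exactly once
    return {"ropu_fired": ropu, "alice_account": "alice" in ad.accounts,
            "bob_account": "bob" in ad.accounts, "creates": ad.creates,
            "deletes": ad.deletes, "log": svc.log}
```

With two sets, the outcome of Alice's move to OnLeave depends purely on which T-MPR the service happens to run first: either her account is deleted after being "re-provisioned" as a no-op, or it is deleted and then recreated (in a real directory, a new object with a new SID and no group memberships). With the union set her status change is not a transition at all, Bob is picked up by Run On Policy Update without any churn, and deprovisioning happens exactly once when she actually leaves.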
Deploying FIM Servers
Deploying the FIM Servers
Topological considerations:
- Organizational requirements
- Data partitioning
- Disaster recovery / business continuity
- Availability management
- Performance, scalability, responsiveness
See more details in the capacity planning guide at
Typical Topology
- FIM Portal and FIM Service are paired, separated from the FIM Service database and the FIM Sync Service
- Load balancer for web requests
Complex Topology
FIM Portal Deployment
- Recommend using NLB (Network Load Balancing) with session pinning, backed by a WSS 3.0 (Windows SharePoint Services 3.0) server farm
- Provide a single alias (CNAME) for end users
- WSS in a server farm will need a SQL Server database as well
- Consider having a dedicated Portal install as well for use by administrators
FIM Service Deployment
- Multiple FIM Service instances can share the same SQL Server FIMService database; only one of them can process incoming Exchange messages, however
- FIM Service is typically not disk or CPU bound, except when running workflows
- FIM Service partitions control which FIM Service instance runs which workflows; this may be useful for separating the load from administrator requests, incoming sync operations, service-initiated (e.g. temporal) workflows, or WS-* clients
See
FIM Sync Deployment
- With 1 Gbps networks and modern hardware, the FIM Sync Service does not need to be collocated with its database
- For a full import from AD DS of 451,253 objects, running the FIM Sync Service and SQL Server on separate servers was 18% slower than a collocated Sync Service and SQL Server; full sync was 11% slower; full export to an Extensible MA was only 4% slower
- For a delta import from AD DS of 18,639 changes, delta import was only 2% slower, delta sync only 6% slower, and delta export through an Extensible MA only 2% slower
SQL Performance Considerations
- FIM performance depends on a well-performing SQL Server
- RAM and more cores help, as the FIM Service uses stored procedures extensively
- Storage capability is measured in GB and IOPS; understand the I/O capacity of the storage layer: what are the IOPS SLAs?
- Example disks: a volume for the OS (single spindle), a volume for the log (single spindle), a volume for data (5 spindles)
- Configuration considerations:
  - Pre-size your data and log volumes; AUTOGROW ON is only a safety valve
  - Create additional tempdb files
  - Set the database recovery model and, if appropriate, schedule your log backups
See 200,000 user performance test results at
FIM and IT Service Management
Identity Management and Service Management
- FIM and System Center Service Manager (SCSM) are complementary
- SCSM is where IT generates requests, orchestrates work between people, processes and systems, and tracks history for compliance and auditing
- Both enable different aspects of end-user self-service, which together dramatically reduce the cost of supporting users
- Diagram: FIM 2010 (FIM Sync Service, FIM Service, Portal, FIM CM) for identity and access management alongside System Center Service Manager (ITIL/MOF automation, end user portal and ops console) for systems management, on a common technology infrastructure
Additional Resources
- SIA319 (Microsoft Forefront Identity Manager 2010: In Production)
- www.microsoft.com/fim
- TechNet Forum: FIM discussion group, FIM Scriptbox, Greatest Hits articles
- TechNet and MSDN content: Topology Planning guide, Capacity Planning guide, Best Practices
- SQL resources: Storage Top 10 Best Practices, Optimizing tempdb Performance, SQL Server Best Practices (SQLIO)
Related Content
Breakout Sessions:
- SIA321 | Business Ready Security: Exploring the Identity and Access Management Solution
- SIA201 | Understanding Claims-Based Applications: An Overview of Active Directory Federation Services (AD FS) 2.0 and Windows Identity Foundation
- SIA302 | Identity and Access Management: Centralizing Application Authorization Using Active Directory Federation Services 2.0
- SIA303 | Identity and Access Management: Windows Identity Foundation and Windows Azure
- SIA304 | Identity and Access Management: Windows Identity Foundation Overview
- SIA305 | Top 5 Security and Privacy Challenges in Identity Infrastructures and How to Overcome Them with U-Prove
- SIA306 | Night of the Living Directory: Understanding the Windows Server 2008 R2 Active Directory Recycle Bin
- SIA307 | Identity and Access Management: Deploying Microsoft Forefront Identity Manager 2010 Certificate Management for Microsoft IT
- SIA318 | Microsoft Forefront Identity Manager 2010: Deploying FIM
- SIA319 | Microsoft Forefront Identity Manager 2010: In Production
- SIA326 | Identity and Access Management: Single Sign-on Across Organizations and the Cloud - Active Directory Federation Services 2.0 Architecture Drilldown
- SIA327 | Identity and Access Management: Managing Active Directory Using Microsoft Forefront Identity Manager
Interactive Sessions:
- SIA01-INT | Identity and Access Management: Best Practices for Deploying and Managing Active Directory Federation Services (AD-FS) 2.0
- SIA03-INT | Identity and Access Management: Best Practices for Deploying and Managing Microsoft Forefront Identity Manager
- SIA06-INT | Identity and Access Management Solution Demos
Hands-On Labs:
- SIA02-HOL | Microsoft Forefront Identity Manager 2010 Overview
- SIA06-HOL | Identity and Access Management Solution: Business Ready Security with Microsoft Forefront and Active Directory
Product Demo Stations:
- Red SIA-5 & SIA-6 | Microsoft Forefront Identity and Access Management Solution
Resources
- Learning: www.microsoft.com/teched
- Sessions On-Demand & Community
- Microsoft Certification & Training Resources
- Resources for IT Professionals
- Resources for Developers
Sign up for Tech·Ed 2011 in Atlanta and save $500, starting June 8. You can also register at the North America 2011 kiosk located at registration.