1
Tech Ed North America 2010
SESSION CODE: SIA327
Identity and Access Management: Managing Active Directory Using Microsoft Forefront Identity Manager
Brjann Brekkan, Sr. Technical Product Manager, Microsoft Corporation
Robert DeLuca, Sr. Program Manager, Microsoft Corporation
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
2
Business Ready Security Solutions
- Secure Messaging
- Secure Collaboration
- Secure Endpoint
- Information Protection
- Identity and Access Management
3
Agenda (with demos)
- Forefront Identity Manager 'architecture'
- Provisioning
- Deprovisioning
- Synchronization
- Building blocks for policy management
- Self-Service Group Management
- Self-Service Password Management
- Self-Service Profile Management
- Certificate and Smart Card Management: covered in session SIA307
4
Evolution of Identity Manager
(Diagram) Common platform capabilities: User Management; Group Management; Workflow; Connectors; Logging; Web Service API; Synchronization; Credential Management; Policy Management.
Capabilities added over successive releases, in the order shown: Identity Synchronization; User Provisioning; Certificate and Smartcard Management; Office Integration for Self-Service; Declarative Provisioning; Group & DL Management; Workflow and Policy; Support for 3rd Party CAs.
5
Forefront Identity Manager 2010 Architecture
(Diagram, shown in three build steps)
- Solutions: Group Mgmt, Credential Mgmt, Policy Mgmt, User Mgmt, Custom
- Experiences (clients): FIM Portal, Outlook, Windows, FIM Client, FIM CM Portal
- IDM Platform: FIM Service (Request Processor; AuthN, AuthZ and Action workflows; Delegation & Permissions; DB), FIM Sync (Management Agents), FIM CM
- Identity and data stores: Directories, Databases, Systems, Applications
9
Provisioning
- Policy-based identity lifecycle management system
- Built-in workflow for identity management
- Automatically synchronize all user information to different directories across the enterprise
- Automates the process of on-boarding users
(Diagram) User enrollment in the HR System starts a FIM workflow with manager approval; the user is then provisioned to Active Directory, Lotus Domino, LDAP, SQL Server, Oracle DB and FIM CM.
"With Forefront Identity Manager, we are able to streamline tactical processes, while at the same time provide strategic business value through a cohesive identity and access management solution." Scott Weir, IT Manager–Desktop Architecture, First American Title Insurance Company
Source:
10
User de-provisioning or role updates
- Automated user de-provisioning
- Built-in workflow for identity management
- Real-time de-provisioning from all systems to prevent unauthorized access and information leakage
(Diagram) A user de-provisioning or role change in the HR System triggers a FIM workflow; the user is then deleted or disabled in Active Directory, Lotus Domino, LDAP, SQL Server, Oracle DB and FIM CM.
11
Identity Synchronization and Consistency: identity synchronization across multiple directories (Identity Data Aggregation)
(Diagram) Attribute Ownership: FirstName, LastName, EmployeeID, Title, Telephone. Values held for the same person in each connected source, and the aggregated Identity Manager record:

| Source | givenName | sn | title | mail | employeeID | telephone |
|---|---|---|---|---|---|---|
| HR System | Samantha | Dearing | | | 007 | |
| SQL Server DB | Samara | Darling | Coordinator | | 007 | |
| Active Directory / Exchange | Sam | Dearing | Intern | | 007 | |
| LDAP | Sammy | Dearling | | | 008 | |
| Identity Manager (aggregated) | Samantha | Dearing | Coordinator | | 007 | |
12
Identity Synchronization and Consistency: identity consistency across multiple directories (Identity Data Brokering / Convergence)
(Diagram) The same sources as on the previous slide, with the incorrect or missing values in each connected system highlighted:

| Source | givenName | sn | title | employeeID | Incorrect or missing |
|---|---|---|---|---|---|
| HR System | Samantha | Dearing | | 007 | title |
| SQL Server DB | Samara | Darling | Coordinator | 007 | givenName, sn |
| Active Directory / Exchange | Sam | Dearing | Intern | 007 | givenName, title |
| LDAP | Sammy | Dearling | | 007 | givenName, sn, title |

The converged Identity Manager record (givenName Samantha, sn Dearing, title Coordinator, employeeID 007) is brokered back out so that every connected system holds the same values.
13
Example Data Flow for creating a new user
1. Management Agents connect to the data sources; the FIM MA connects to the FIM Service.
2. Each connector space contains the objects from its respective data source.
3. The metaverse contains the converged representation of the object from all data sources.
4. Synchronization Rules control and configure the data flow.
14
Synchronization Rules (Sync Rules)
Sync Rules control what happens in the Synchronization Service:
- Direction: Inbound, Outbound, or Inbound and Outbound
- Attribute Flow
- Provision
- Join
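The join, inbound attribute flow (attribute precedence) and outbound flow described on the synchronization slides, as an added model that is not the deck's or FIM's own code; the connector-space records are the Samantha Dearing values from the slides, and the per-attribute precedence order is an assumption chosen to reproduce the converged record.

```python
# Added example (not the deck's own code): a minimal model of the Synchronization Service's
# join rule and attribute precedence, using the "Samantha Dearing" records from the identity
# synchronization slides. Precedence order is an assumption chosen to match the converged values.
from typing import Dict, List

# Constructed connector-space records, one per management agent (values as shown on the slide).
CONNECTOR_SPACE: Dict[str, Dict[str, str]] = {
    "HR System": {"givenName": "Samantha", "sn": "Dearing", "employeeID": "007"},
    "SQL Server DB": {"givenName": "Samara", "sn": "Darling", "title": "Coordinator", "employeeID": "007"},
    "Active Directory": {"givenName": "Sam", "sn": "Dearing", "title": "Intern", "employeeID": "007"},
    "LDAP": {"givenName": "Sammy", "sn": "Dearling", "employeeID": "008"},
}
# Attribute ownership (inbound precedence), highest first. Assumption: HR owns name and ID,
# the SQL application owns title, so "Coordinator" wins over AD's stale "Intern".
PRECEDENCE: Dict[str, List[str]] = {
    "givenName": ["HR System", "SQL Server DB", "Active Directory", "LDAP"],
    "sn": ["HR System", "SQL Server DB", "Active Directory", "LDAP"],
    "employeeID": ["HR System"],
    "title": ["SQL Server DB", "Active Directory"],
}
IMPORT_ONLY = {"HR System"}   # authoritative source: nothing is exported back to it

def join(anchor: str, anchor_attr: str = "employeeID") -> Dict[str, Dict[str, str]]:
    """Join rule: connector objects whose anchor matches are linked to one metaverse object."""
    return {ma: rec for ma, rec in CONNECTOR_SPACE.items() if rec.get(anchor_attr) == anchor}

def unjoined(anchor: str, anchor_attr: str = "employeeID") -> List[str]:
    """Connectors that fail the join (LDAP's employeeID 008) stay disconnected and need attention."""
    return [ma for ma, rec in CONNECTOR_SPACE.items() if rec.get(anchor_attr) != anchor]

def inbound_flow(joined: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Inbound attribute flow: each attribute takes the value of the highest-precedence MA that has it."""
    mv: Dict[str, str] = {}
    for attr, order in PRECEDENCE.items():
        for ma in order:
            value = joined.get(ma, {}).get(attr)
            if value:
                mv[attr] = value
                break
    return mv

def outbound_flow(mv: Dict[str, str], joined: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Outbound flow (brokering): the attribute changes each connected system must receive to converge."""
    pending = {ma: {a: v for a, v in mv.items() if rec.get(a) != v}
               for ma, rec in joined.items() if ma not in IMPORT_ONLY}
    return {ma: diff for ma, diff in pending.items() if diff}

def run_sync(anchor: str = "007") -> dict:
    """One sync cycle for the HR anchor: join, aggregate into the metaverse, compute exports."""
    joined = join(anchor)
    mv = inbound_flow(joined)
    return {"metaverse": mv, "exports": outbound_flow(mv, joined), "unjoined": unjoined(anchor)}
```

Running `run_sync()` yields the converged metaverse record from the slide, the corrections SQL Server and AD must receive, and LDAP listed as unjoined because its employeeID does not match the anchor.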
15
Synchronization Rules (Demo)
- Management Agents
- Provisioning users from HR to FIM to AD
- Synchronizing users from AD to FIM
17
Policy Management
Building blocks in the FIM Service: Management Policy Rules, Workflows, Sets
(Diagram) FIM Service: Request Processor; AuthN, AuthZ and Action workflows; Delegation & Permissions; DB
18
Sets
- Identify different groupings of objects (resources) in the FIM Service database
- Permissions may be granted on and to Sets
- Also used in policy enforcement
- Membership: Manual (strictly by set administrators) or Criteria-based
- Examples: All People, All Active People, Administrators (manual), Help Desk Users; All Groups, Security Groups, Distribution Groups; Password Reset Users Set, Password Objects Set; Managers in Sales dept, Clerks, Clerks in Denver, All in Building 4
19
Membership of Sets
20
Workflow Types
(Diagram) Request pipeline: WS request -> Permissions Evaluation -> Authentication (AuthN) -> Authorization (AuthZ) -> FIM Service Database -> Action

| Workflow type | Purpose | Examples |
|---|---|---|
| Authentication (AuthN) | To ensure that the user is who they say they are | Password Reset |
| Authorization (AuthZ) | To allow for more sophisticated validation of the request beyond simple permissions to make a request | Allowing users to request and update attributes, subject to a filter validation looking for profanity, followed by an approval to HR or the user's manager or both |
| Action | To allow FIM to take actions after the request has been performed | Call Synchronization Rules; Send notifications; Modify resources; Password Self-Service Reset calls the Synchronization Service to reset the AD password in real time |
21
Creating a Workflow
22
Workflow Activities
23
Management Policy Rules
- Set Transition MPR: causes workflows to be activated, even when not initiated by a request (Run on Policy Update); performs an Action
- Request-Based MPR: can grant permissions; causes workflows to be activated to authenticate the requestor, seek authorization, and perform an action
24
Creating an MPR
Policies can be disabled until ready for use
25
Set Transition MPR
- Defines an event: when a resource either enters or exits the Set
- Defines how to respond to the event: initiate Action workflows
26
Outbound User Provisioning Rule (Demo)
Outbound provisioning from FIM to AD is controlled by an MPR, built from three pieces:
- Outbound Sync Rule
- Workflow
- Management Policy Rule
27
Defining a business policy using MPRs (Demo)
Policy: Contractors need to be able to update their own contact information; manager approval is required.
1. Create a Contractors set
2. Create a workflow for manager approval
3. Create the MPR
Evaluate the policy using MPR Explorer.
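The policy building blocks from the preceding slides (criteria-based Sets, a Request-based MPR that grants permission and attaches an AuthZ approval workflow, and a Set Transition MPR that fires when a resource enters or leaves a Set), as an added model that is not the deck's or FIM's own code; the resources, set names, attribute names and workflow names are constructed for illustration.

```python
# Added example (not the deck's own code): a small model of FIM Service policy evaluation
# for the "contractors update their own contact info, manager approves" policy on the slide.
# Resource IDs, attribute, set and workflow names are assumptions for illustration.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

Resource = Dict[str, str]
PEOPLE: Dict[str, Resource] = {   # constructed FIM Service resources
    "u1": {"DisplayName": "Alice", "EmployeeType": "Contractor", "Telephone": ""},
    "u2": {"DisplayName": "Bob", "EmployeeType": "FTE", "Telephone": "555-0100"},
    "u3": {"DisplayName": "Carol", "EmployeeType": "Contractor", "Telephone": ""},
}
# Sets: membership is evaluated from criteria, not assigned by hand (Administrators stands in for a manual set).
SETS: Dict[str, Callable[[Resource], bool]] = {
    "All People": lambda r: True,
    "Contractors": lambda r: r["EmployeeType"] == "Contractor",
    "Administrators": lambda r: r["DisplayName"] == "Bob",
}

def members(set_name: str) -> Set[str]:
    return {rid for rid, r in PEOPLE.items() if SETS[set_name](r)}

@dataclass
class RequestMPR:
    requestor_set: str
    target_set: str
    attributes: Set[str]
    relative_to_self: bool = False          # requestor must be the target resource
    authz_workflows: List[str] = field(default_factory=list)

MPRS = [
    # Business policy from the slide: contractors update their own contact info, manager approves.
    RequestMPR("Contractors", "Contractors", {"Telephone", "Email"}, True, ["Manager Approval"]),
    RequestMPR("Administrators", "All People", {"Telephone", "Email", "EmployeeType"}),
]

def evaluate(requestor: str, target: str, attribute: str) -> Tuple[bool, List[str]]:
    """Request evaluation: permission is granted if any MPR matches; the AuthZ workflows of
    every matching MPR must complete before the Action phase runs."""
    matched = [m for m in MPRS
               if requestor in members(m.requestor_set) and target in members(m.target_set)
               and attribute in m.attributes and (not m.relative_to_self or requestor == target)]
    return bool(matched), sorted({wf for m in matched for wf in m.authz_workflows})

def apply_update(requestor: str, target: str, attribute: str, value: str,
                 watched_set: str = "Contractors") -> Dict[str, List[str]]:
    """Apply a permitted change, then evaluate the Set Transition MPR on the watched set;
    Transition In/Out would each start its own Action workflows (e.g. a deprovisioning sync rule)."""
    permitted, _ = evaluate(requestor, target, attribute)
    if not permitted:
        raise PermissionError(f"{requestor} may not update {attribute} on {target}")
    before = members(watched_set)
    PEOPLE[target][attribute] = value
    after = members(watched_set)
    return {"transition_in": sorted(after - before), "transition_out": sorted(before - after)}
```

A contractor editing her own Telephone is permitted but routed through Manager Approval, editing another contractor's record is denied, and an administrator changing EmployeeType makes the user leave the Contractors set, which is what a Set Transition MPR would act on.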
29
Group Management
- Group and distribution list management, including dynamic membership calculation in these groups and distribution lists based on users' attributes
- Self-service group and distribution list management
- Office integration allows users to manage group membership from within Microsoft Office Outlook for maximum productivity
(Screenshots) FIM Add-in for Outlook; SharePoint-based management console
30
Integrated Group Management (Demo)
- Leverage and simplify existing technologies for access control based on AD groups
- Security groups managed by the project or resource owner
- Distribution group management delegated to end users
31
Self-Service Password Management
- Enables users to reset their own passwords through both Windows logon and the FIM password reset portal
- Controls helpdesk costs by enabling end users to manage certain parts of their own identities
(Diagram) The end user requests a password reset; the FIM Server then updates the password in Active Directory, SQL Server, Oracle, IBM DS and LDAP.
32
Self-Service Password Management (Demo)
- Turn-key solution empowers end users and lowers help desk cost
- Self-service password reset configuration
- User experience
33
User Profile Management
34
Extending well-managed AD using AD FS
(Diagram) Sources feeding FIM: HR System, SAP and other apps, SQL Server, other user data stores. Attributes managed: Phone, Title, Department, Manager, Group, Role, Client List. Services on top of AD DS: Self Service, Workflow, Exchange GAL & DL, SharePoint Profiles and Access. Access paths: Windows Integrated/Kerberos for existing applications; AD FS 2.0 issuing WS-* and SAML claims to claims-aware applications, partners and cloud services.
35
Related Content
Breakout sessions:
- SIA201 | Understanding Claims-Based Applications: An Overview of Active Directory Federation Services (AD FS) 2.0 and Windows Identity Foundation
- SIA302 | Identity and Access Management: Centralizing Application Authorization Using Active Directory Federation Services 2.0
- SIA303 | Identity and Access Management: Windows Identity Foundation and Windows Azure
- SIA304 | Identity and Access Management: Windows Identity Foundation Overview
- SIA305 | Top 5 Security and Privacy Challenges in Identity Infrastructures and How to Overcome Them with U-Prove
- SIA306 | Night of the Living Directory: Understanding the Windows Server 2008 R2 Active Directory Recycle Bin
- SIA307 | Identity and Access Management: Deploying Microsoft Forefront Identity Manager 2010 Certificate Management for Microsoft IT
- SIA318 | Microsoft Forefront Identity Manager 2010: Deploying FIM
- SIA319 | Microsoft Forefront Identity Manager 2010: In Production
- SIA326 | Identity and Access Management: Single Sign-on Across Organizations and the Cloud - Active Directory Federation Services 2.0 Architecture Drilldown
- SIA327 | Identity and Access Management: Managing Active Directory Using Microsoft Forefront Identity Manager
- MGT 313 | Microsoft System Center Service Manager – Drill Down (same room, 9:45)
Interactive sessions:
- SIA01-INT | Identity and Access Management: Best Practices for Deploying and Managing Active Directory Federation Services (AD-FS) 2.0
- SIA03-INT | Identity and Access Management: Best Practices for Deploying and Managing Microsoft Forefront Identity Manager
- SIA06-INT | Identity and Access Management Solution Demos
Hands-on labs:
- SIA02-HOL | Microsoft Forefront Identity Manager 2010 Overview
- SIA06-HOL | Identity and Access Management Solution: Business Ready Security with Microsoft Forefront and Active Directory
Demo stations:
- Red SIA-5 & SIA-6 | Microsoft Forefront Identity and Access Management Solution
36
Resources
- www.microsoft.com/teched
- Sessions On-Demand & Community
- Microsoft Certification & Training Resources
- Resources for IT Professionals
- Resources for Developers
37
Complete an evaluation on CommNet and enter to win!