Microsoft Forefront Identity Manager 2010 Daniel MEYER Enterprise Technology Architect EMEA.

Post on 15-Jan-2016


Microsoft Forefront Identity Manager 2010

Daniel MEYER Enterprise Technology Architect EMEA

Agenda

• IdA Concepts
• MS Strategy
• FIM Functional Overview
• FIM Technical Overview
− Architecture
− Main Features
• (How MS IT use FIM)
• FIM Positioning

Concepts

Create
• Provision user
• Provision credentials
• Provision resources

Update
• Role changes
• Password and PIN reset
• Resource requests

Retire
• De-provision identities
• Revoke credentials
• De-provision resources

Policy Management
• Policy authoring
• Policy enforcement
• Approvals and notifications
• Audit trails

Identity and Access Management

Identity & Access Customer Challenges

Enabling new high business value scenarios

Supporting mergers, acquisitions & reorganizations

Integrated user provisioning & credential management

Ensuring that only authorized users can access resources

Compliance with regulatory requirements

Auditable processes for granting access to resources

Reducing help desk burden for end user requests

Managing the complexity of distributed identity information

Compliance / Operational Efficiency

IT Security / Business Agility


MS Strategy

Identity Infrastructure

Secure Platform

Security

Username and Credentials

Identity and Access

Identity Based Access

Common platform and

infrastructure

Simplified and integrated

management Systems

Application / Information / Network / Remote

Management

End-to-end access

Microsoft’s Integrated Solutions Delivering TCO in the drive to Dynamic IT

Across physical and virtual environments

Client / Mobile / Server / Cloud

Threat Mitigation: Comprehensive security (Application / Endpoint / Network / Cloud)

Microsoft Security: Defense In Depth

TWC

SDL

Systems Management

Operations Manager 2007

Configuration Manager 2007

Data Protection Manager

Mobile Device Manager 2008

Active Directory Federation

Services (ADFS)

Identity & Access Management

Certificate Lifecycle

Management

Information Protection

Encrypting File System (EFS)

BitLocker™

Client and Server OS

Server Applications

Edge

Network Access Protection (NAP)

Client and

Server OS

Server

Applications

Edge

Forefront Stirling Management

A well-managed secure infrastructure is the key!

Services

Business Ready Security Solutions

Integrated Security

Information Protection

Identity and Access Management

Secure Messaging / Secure Endpoint / Secure Collaboration


Active Directory® Federation Services

Information Protection

FIM Functional Overview

FIM Manage Identity

Operation:
• Create, Modify, Delete, Synchronize, Provision

Identity Data:
• Users*, Groups & DLs, Certificates, SmartCard ...
* Users = Employees, Contractors, Partners, Customers...

Using:
• Portal, Policies, Workflow

How:
• Manually, automatically, by a scheduling

Forefront Identity Manager 2010

Directories

Custom

Self-Service integration

LOB Applications

Forefront Identity Manager Portal

ISV Partner Solutions

Windows Log On

IT Departments

Databases

Policy Management / Credential Management

User Management Group Management

End User Scenarios

Credential Management
• Example Scenario: Self-service smart card provisioning
• Advantages: Integration with Windows logon; No need to call help desk; Faster time to resolution

Group Management
• Example Scenario: User requests to join secure distribution list for new product development
• Advantages: Request process through Office; No waiting for help desk; Faster time to resolution

User Management
• Example Scenario: User changes their cell phone number
• Advantages: Automatic updating of business applications; No need to call help desk; Faster time to resolution

Policy Management
• Example Scenario: CFO gives final approval for new user to access in-scope SOX app
• Advantages: Automatic routing of multiple approvals; Approval process through Office; Audit trail of approvals

IT Administrator Scenarios

Credential Management
• Example Scenario: Create workflow to automatically issue passwords and smart cards to new users
• Advantages: Generation and delivery of initial one-time use password; Integration of smart card enrollment with provisioning

Group Management
• Example Scenario: Design policy to automatically create departmental security groups
• Advantages: Automatic management of group membership; Secure access to departmental resources, with audit trail

User Management
• Example Scenario: Automatically provision new employees with identity, mailbox, and credentials
• Advantages: Automatic policy enforcement across systems; Management of role changes & retirements

Policy Management
• Example Scenario: Author policy to require HR approval for job title change
• Advantages: Centralized management; Automatic policy enforcement across systems

FIM Technical Overview

Version Feature Comparison

Feature                                          MIIS 2003   ILM 2007      FIM 2010
Identity synchronization                         X           X             X
Password synchronization                         X           X             X
Policy authoring and editing solution                        ILM-CM only   X
Policy enforcement                               X           X             X
Delegation management solution                                             X
User provisioning solution                                                 X
Certificate and smart card management solution               X             X
Group management solution                                                  X
DL management solution                                                     X
Workflow                                                     ILM-CM only   X
Self-service password reset                                                X
Localized                                                    ILM-CM only   X

FIM Architecture (diagram)

FIM Client Experiences: Outlook, FIM Portal, Windows, Custom
Solutions: Group Mgmt, Credential Mgmt, Policy Mgmt, User Mgmt, Custom
FIM Service and Portal
− FIM Service: Request Processor, AuthN Workflow, AuthZ Workflow, Action Workflow, Delegation & Permissions, App DB
− FIM Sync: Adapters, Sync DB
Identity and data stores: Directories, Databases, E-Mail Systems, Applications
FIM-CM: Cert Mgmt, FIM-CM Portal, FIM-CM DB

Forefront Identity Manager Features

Credential Management
• Heterogeneous certificate management with 3rd party CAs
• Management of multiple credential types, including One Time Passwords
• Self-service password reset integrated with Windows logon

Group Management
• Rich Office-based self-service group management tools
• Offline approvals through Office
• Automated group and distribution list updates

User Management
• Integrated provisioning of identities, credentials, and resources
• Automated, codeless user provisioning and de-provisioning
• Self-service profile management

Policy Management
• SharePoint-based console for policy authoring, enforcement & auditing
• Extensible WS-* APIs and Windows Workflow Foundation workflows
• Heterogeneous identity synchronization and consistency

Customizable Identity Portal

How you extend it

SharePoint-based Identity Portal for Management and Self Service

• Add your own portal pages or web parts
• Build new custom solutions
• Expose new attributes to manage by extending FIM schema
• Choose SharePoint theme to customize look and feel

ILM “2” Highlights

Self-service capabilities through Office, Windows, and SharePoint

Solutions for managing identities, credentials, and resources

Easily customize management experiences for your organization’s data and processes

No need to write code for common tasks; workflows based on WWF (Windows Workflow Foundation)

Support for managing 3rd party CAs, OTP devices, and Windows Server 2008 CA

.NET and WS-* based extensibility

White pages
• The portal includes a white pages view that can be searched against

Creating Users

• If you have permission, users can be created within the portal as well

• Normally most FTE users will come in through an Identity System (e.g. SAP HR)

• Temporary users can be created through the portal

Applying Business Rules to DLs
• Business rules and policies can be implemented in a number of ways, for example through the use of dynamic/calculated memberships to groups

Management Policies
• Used to define policy within the organisation for sets of data (for example ‘people’)

Management Policies
• Here we are saying all users can update and read their own attributes
• We can also assign this policy to kick off a workflow if required

Workflow
• Workflows can be defined for such things as approvals
• We associate workflows with actions such as a group approval


User Self Service
• Users by default can perform self service on themselves, create groups (that expire after a period of time), and view the white pages
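The Management Policy, Workflow and User Self Service slides above describe one decision: a request is allowed only when the requestor, the target, the operation and the attributes all match a rule, and matching rules may attach a workflow. The Python below is an added, simplified model of that evaluation (it is not FIM code); the rule names, user ids, attribute names and the single `precedence`-free rule shape are constructed assumptions.

```python
# Simplified, constructed model of FIM 2010 Management Policy Rules (MPRs), not FIM
# code: a request is authorized only when every attribute it touches is granted.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Request:
    requestor: str              # who submits the request
    operation: str              # "Read" or "Modify"
    target: str                 # the resource being read or changed
    attributes: frozenset[str]  # attributes the request touches

@dataclass
class ManagementPolicyRule:
    name: str
    requestor_set: set[str]     # explicit requestors, e.g. an HR admin set
    relative_to_self: bool      # FIM's "relative to resource: Self" requestor
    target_set: set[str]        # e.g. the "All People" set
    operations: set[str]
    attributes: set[str]
    workflows: list[str] = field(default_factory=list)  # approval/action workflows

    def applies(self, req: Request) -> bool:
        requestor_ok = req.requestor in self.requestor_set or (
            self.relative_to_self and req.requestor == req.target)
        return (requestor_ok and req.target in self.target_set
                and req.operation in self.operations
                and bool(req.attributes & self.attributes))

def evaluate(req: Request, rules: list[ManagementPolicyRule]) -> tuple[bool, list[str]]:
    # Permission is per attribute: every requested attribute needs a granting rule.
    granted, workflows = set(), []
    for rule in rules:
        if rule.applies(req):
            granted |= rule.attributes & req.attributes
            workflows.extend(rule.workflows)
    authorized = req.attributes <= granted
    return authorized, workflows if authorized else []  # denied: no workflow runs

# Constructed sample policy: everyone may read/update their own profile attributes;
# a job title change is permitted but routed through an HR approval workflow.
ALL_PEOPLE = {"melissa", "jill", "bob"}
RULES = [
    ManagementPolicyRule("Users manage their own profile", set(), True, ALL_PEOPLE,
                         {"Read", "Modify"}, {"DisplayName", "MobilePhone"}),
    ManagementPolicyRule("Job title change needs HR approval", {"hr-admin"}, True,
                         ALL_PEOPLE, {"Modify"}, {"JobTitle"}, ["HR approval"]),
]

def check(requestor: str, operation: str, target: str, *attrs: str) -> tuple[bool, list[str]]:
    return evaluate(Request(requestor, operation, target, frozenset(attrs)), RULES)
```

A request touching an attribute no rule grants (here `Department`) is refused as a whole, which is the least-privilege behaviour the self-service policy relies on.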


Password Reset And Synchronization (diagram): Melissa, Windows machine, Active Directory, ILM “2” password synchronization between Active Directory and iPlanet, the finance application and the finance portal

Connecting to systems
• Connecting to systems is done via a Management Agent in the Synchronisation Engine
• Included in this is the attributes that you want to make available to the portal and the schema configuration

Synchronisation Rules
• Synchronisation rules define relationships and attribute flows to downstream identity systems; they can be configured for inbound, outbound or bidirectional data flow

Connecting and attribute flow
• Two ways in Forefront Identity Manager

− Via the Management Agent for Attribute flow and provisioning

− Via Sync Rules in the Forefront Identity Manager portal

• Either can be used based on the deployment scenario, for example we may use provisioning rules and attribute flow via the MA for devices installed out of the box. This reduces the complexity for customers.
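An added example (not FIM's own code) of the inbound/outbound attribute flow the synchronisation rules describe: HR is the authoritative source for name and job title, the portal only for the self-service mobile number, and the merged identity is exported to AD. The system names, attribute names and sample values are constructed, and the single `precedence` number is a simplification of FIM's per-attribute precedence.

```python
# Constructed model of FIM synchronisation rules (not FIM code): a rule names a
# connected system, a flow direction and its attribute flows; inbound flows compete
# per attribute by precedence (lower wins), outbound flows export metaverse values.
from dataclasses import dataclass

@dataclass(frozen=True)
class SyncRule:
    system: str             # connected system, e.g. "SAP HR", "FIM Portal", "AD"
    direction: str          # "inbound", "outbound" or "bidirectional"
    flows: tuple            # pairs of (metaverse attribute, connected-system attribute)
    precedence: int = 100   # inbound only: lower number is more authoritative

def synchronise(cs_objects: dict, rules: list) -> tuple[dict, dict, dict]:
    """cs_objects: system -> attribute dict for one person as seen in that system.
    Returns (metaverse, winners, exports): the merged identity, which system won
    each attribute, and the attributes to export to each outbound system."""
    metaverse, winners, exports = {}, {}, {}
    inbound = [r for r in rules if r.direction in ("inbound", "bidirectional")]
    for rule in sorted(inbound, key=lambda r: r.precedence):
        src = cs_objects.get(rule.system, {})
        for mv_attr, cs_attr in rule.flows:
            # the most authoritative source that supplies a value wins
            if cs_attr in src and mv_attr not in metaverse:
                metaverse[mv_attr] = src[cs_attr]
                winners[mv_attr] = rule.system
    for rule in rules:
        if rule.direction in ("outbound", "bidirectional"):
            exports[rule.system] = {cs_attr: metaverse[mv_attr]
                                    for mv_attr, cs_attr in rule.flows if mv_attr in metaverse}
    return metaverse, winners, exports

# Constructed sample: HR is authoritative for name and job title, the portal only
# for the self-service mobile number; AD receives the merged result.
RULES = [
    SyncRule("SAP HR", "inbound", (("displayName", "FullName"), ("jobTitle", "Position")), 1),
    SyncRule("FIM Portal", "inbound", (("jobTitle", "JobTitle"), ("mobile", "MobilePhone")), 2),
    SyncRule("AD", "outbound",
             (("displayName", "displayName"), ("jobTitle", "title"), ("mobile", "mobile"))),
]
SAMPLE = {
    "SAP HR": {"FullName": "Melissa Meyers", "Position": "Analyst"},
    "FIM Portal": {"JobTitle": "Senior Analyst", "MobilePhone": "+1 555 0100"},
}

def run_sample() -> tuple[dict, dict, dict]:
    return synchronise(SAMPLE, RULES)
```

The portal's self-asserted "Senior Analyst" never reaches AD because the HR flow outranks it; that precedence is what keeps a self-service edit from overriding the authoritative system.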

Approval processes confirm permission
Office 2007 Integration allows group memberships and approvals to be done from Outlook 2007.

FIM ‘Certificate Management’ (CM)
Single administration point for smart cards & digital certificates

• User self-service capabilities to help reduce helpdesk burden

• Configurable policy-based workflows for common tasks
− Enroll / renew / update
− Personalize smart card
− Recover / smart card replacement
− Issue temporary / duplicate smart card
− Revoke / retire / disable smart card

• Detailed auditing and reporting capabilities

• Support for centralized, decentralized and self-service scenarios

• Extensibility to support additional authentication technologies including one time password (OTP) devices, physical access cards & biometrics

• Tightly integrated with Active Directory and Certificate Services

Certificate management (diagram): CM, CM Portal, Cert. Mgmt DB

SCOM Management Pack

MS IT deployment overview

Key Challenges

• 6 Forests, 13 domains
• Migration/co-existence with legacy applications
• Complex deployment design across multiple scenarios
• Initial population of database
• Driving password reset registration
• First large scale deployment

MSIT Deployment
• Goals
− Validate FIM’s value proposition
− Reduce cost by automating processes
− Eliminate costly custom solutions
− Validate product readiness across the feature sets in a large enterprise environment
− Customer proof
• Process
− Highly collaborative
− Cross-functional teams on both sides

Scenario Overview – Password Reset

Jill has been out on vacation for a few weeks. As a result, she has forgotten her password and must reset it.

Today
• Jill needs to call the helpdesk to reset her password
• Company incurs a significant cost in managing credentials for 175,000 employees like Jill
• Company needs to maintain different tools for managing the credentials for employees and contractors

With FIM
• Jill is able to reset her password without calling the helpdesk
• Microsoft IT maintains a centralized set of policies & common tools
• Employees can reset their credentials directly from the Windows logon screen or through the FIM 2010 Portal

Define The Problem for MSIT

The company incurs a significant cost in managing credentials for employees and contractors: 42,000 (Resets/Year) X $20 = $850,000

Soft costs – Melissa is unproductive for 15 minutes while waiting to get her password reset

= $600,000 per year in savings

Scenario Overview – Group Management

Melissa Meyers has now started her job as an Analyst in the Finance department. As part of her daily tasks she will need to join new groups as well as manage her own project related groups.

Today
• Melissa goes to the web site to use the custom group management tool
• Joining groups that need approval requires access to the custom group management tool
• Dynamic group membership is not available to end users & requires a custom tool

With FIM
• Melissa can create/join DLs right from the FIM 2010 Portal
• Owners can approve groups via Outlook or the FIM 2010 Portal
• Calculated groups automatically update membership

Define the Problem for MSIT

Developing and maintaining group management tools costs millions of dollars
• Support of custom group management tools
• Complexity of deployment and lack of long term vision
• Lack of connectivity to group management tool results in soft costs around user productivity
• Security Group creation causes token bloat
• Bolt-on applications that only administrators have access to (ADUC) or other group management tools

Define The Problem for MSIT

Custom software maintenance and upgrades > $3,000,000 estimated per year in savings

Summary: Software for policy-based management of identities, credentials, and resources across heterogeneous environments

Increases Security and Compliance
• Integrates identity, credential, and access management
• Rich permissions and delegation model
• Enables system auditing and compliance

Empowers People
• Provides Office-based self-service tools
• SharePoint admin console to manage identities
• Greater productivity through faster time to resolution

Delivers Agility and Efficiency
• Reduces costs through automation and self-service
• Maximizes existing investments in Identity Infrastructure
• Integrates with familiar developer tools to enable new scenarios

Resources

Learn more about Forefront Identity Manager
• FIM 2010 Product Page: www.microsoft.com/fim
• ILM 2007 Product Page: www.microsoft.com/ILM2007

Learn about Microsoft Forefront Identity and Security
• Forefront Home Page: www.microsoft.com/forefront

Evaluate the Identity Manager
• Visit www.microsoft.com/fim


© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.