Microsoft Forefront Identity Manager 2010 Daniel MEYER Enterprise Technology Architect EMEA.


Transcript of Microsoft Forefront Identity Manager 2010 Daniel MEYER Enterprise Technology Architect EMEA.

Page 1:

Microsoft Forefront Identity Manager 2010

Daniel MEYER, Enterprise Technology Architect EMEA

Page 2:

Agenda

• IdA Concepts
• MS Strategy
• FIM Functional Overview
• FIM Technical Overview
  − Architecture
  − Main Features
• (How MS IT uses FIM)
• FIM Positioning

Page 3:

Concepts

Page 4:

Identity and Access Management

[Diagram: identity lifecycle; labels recovered from the slide]

• Create: Provision user; Provision credentials; Provision resources
• Update: Role changes; Password and PIN reset; Resource requests
• Retire: De-provision identities; Revoke credentials; De-provision resources
• Policy Management: Policy authoring; Policy enforcement; Approvals and notifications; Audit trails

Page 5:

Identity & Access Customer Challenges

• Enabling new high business value scenarios
• Supporting mergers, acquisitions & reorganizations
• Integrated user provisioning & credential management
• Ensuring that only authorized users can access resources
• Compliance with regulatory requirements
• Auditable processes for granting access to resources
• Reducing help desk burden for end user requests
• Managing the complexity of distributed identity information

[Diagram quadrants: Business Agility; IT Security; Compliance; Operational Efficiency]

Page 6:

MS Strategy

Page 7:

Microsoft's Integrated Solutions Delivering TCO in the drive to Dynamic IT

[Diagram labels recovered from the slide]

• Identity Infrastructure; Secure Platform; Security
• Username and Credentials; Identity and Access; Identity Based Access
• Common platform and infrastructure; Simplified and integrated management systems
• Management: Application, Information, Network, Remote; End-to-end access
• Across physical and virtual environments: Client, Mobile, Server, Cloud
• Threat Mitigation: Comprehensive security across Application, Endpoint, Network, Cloud

Page 8:

Microsoft Security: Defense In Depth

[Diagram labels recovered from the slide; layers: Client and Server OS, Server Applications, Edge]

• TWC; SDL
• Systems Management: Operations Manager 2007; Configuration Manager 2007; Data Protection Manager; Mobile Device Manager 2008
• Identity & Access Management: Active Directory Federation Services (ADFS); Certificate Lifecycle Management
• Information Protection: Encrypting File System (EFS); BitLocker™
• Network Access Protection (NAP)
• Forefront Stirling Management; Services
• A well Managed Secure Infrastructure is the key!

Page 9:

Business Ready Security Solutions

• Integrated Security
• Information Protection
• Identity and Access Management
• Secure Messaging; Secure Endpoint; Secure Collaboration

Page 10:

Business Ready Security Solutions

• Integrated Security
• Identity and Access Management
• Secure Messaging; Secure Endpoint; Secure Collaboration
• Active Directory® Federation Services
• Information Protection

Page 11:

FIM Functional Overview

Page 12:

FIM Manage Identity

• Operation: Create, Modify, Delete, Synchronize, Provision
• Identity Data: Users*, Groups & DLs, Certificates, SmartCard ...
  * Users = Employees, Contractors, Partners, Customers ...
• Using: Portal, Policies, Workflow
• How: Manually, automatically, on a schedule

Page 13:

Forefront Identity Manager 2010

[Diagram labels recovered from the slide]

• Forefront Identity Manager Portal
• Policy Management; Credential Management; User Management; Group Management
• Directories; Databases; LOB Applications; Custom; Self-Service integration; ISV Partner Solutions; Windows Log On; IT Departments

Page 14:

End User Scenarios

Example Scenario / Advantages

• Credential Management: Self-service smart card provisioning
  Advantages: Integration with Windows logon; No need to call help desk; Faster time to resolution
• Group Management: User requests to join secure distribution list for new product development
  Advantages: Request process through Office; No waiting for help desk; Faster time to resolution
• User Management: User changes their cell phone number
  Advantages: Automatic updating of business applications; No need to call help desk; Faster time to resolution
• Policy Management: CFO gives final approval for new user to access in-scope SOX app
  Advantages: Automatic routing of multiple approvals; Approval process through Office; Audit trail of approvals

Page 15:

IT Administrator Scenarios

Example Scenario / Advantages

• Credential Management: Create workflow to automatically issue passwords and smart cards to new users
  Advantages: Generation and delivery of initial one-time use password; Integration of smart card enrollment with provisioning
• Group Management: Design policy to automatically create departmental security groups
  Advantages: Automatic management of group membership; Secure access to departmental resources, with audit trail
• Policy Management: Author policy to require HR approval for job title change
  Advantages: Automatic policy enforcement across systems; Management of role changes & retirements
• User Management: Automatically provision new employees with identity, mailbox, and credentials
  Advantages: Centralized management; Automatic policy enforcement across systems

Page 16:

FIM Technical Overview

Page 17:

Version Feature Comparison

Feature                                        | MIIS 2003 | ILM 2007    | FIM 2010
Identity synchronization                       | X         | X           | X
Password synchronization                       | X         | X           | X
Policy authoring and editing solution          |           | ILM-CM only | X
Policy enforcement                             | X         | X           | X
Delegation management solution                 |           |             | X
User provisioning solution                     |           |             | X
Certificate and smart card management solution |           | X           | X
Group management solution                      |           |             | X
DL management solution                         |           |             | X
Workflow                                       |           | ILM-CM only | X
Self-service password reset                    |           |             | X
Localized                                      |           | ILM-CM only | X

Page 18:

FIM Architecture

[Diagram labels recovered from the slide]

• FIM Client Experiences: Outlook; FIM Portal; Windows; Custom
• Solutions: User Mgmt; Group Mgmt; Credential Mgmt; Policy Mgmt; Custom
• FIM Service and Portal: FIM Service (Request Processor; AuthN Workflow; AuthZ Workflow; Action Workflow; Delegation & Permissions; App DB); FIM Sync (Adapters; Sync DB)
• FIM-CM: FIM-CM Portal; Cert Mgmt; FIM-CM DB
• Identity and data stores: Directories; Databases; E-Mail Systems; Applications

Page 19:

Forefront Identity Manager Features

• Credential Management: Heterogeneous certificate management with 3rd party CAs; Management of multiple credential types, including One Time Passwords; Self-service password reset integrated with Windows logon
• User Management: Integrated provisioning of identities, credentials, and resources; Automated, codeless user provisioning and de-provisioning; Self-service profile management
• Policy Management: SharePoint-based console for policy authoring, enforcement & auditing; Extensible WS-* APIs and Windows Workflow Foundation workflows; Heterogeneous identity synchronization and consistency
• Group Management: Rich Office-based self-service group management tools; Offline approvals through Office; Automated group and distribution list updates

Page 20:

Customizable Identity Portal

SharePoint-based Identity Portal for Management and Self Service

How you extend it:
• Add your own portal pages or web parts
• Build new custom solutions
• Expose new attributes to manage by extending FIM schema
• Choose SharePoint theme to customize look and feel

Page 21:

ILM “2” Highlights

Self-service capabilities through Office, Windows, and SharePoint

Solutions for managing identities, credentials, and resources

Easily customize management experiences for your organization’s data and processes

No need to write code for common tasks; workflows based on WWF (Windows Workflow Foundation)

Support for managing 3rd party CAs, OTP devices, and Windows Server 2008 CA

.NET and WS-* based extensibility

Page 22:

White pages

• The portal includes a white pages view that can be searched

Page 23:

Creating Users

• If you have permission, users can be created within the portal as well

• Normally most FTE users will come in through an Identity System (e.g. SAP HR)

• Temporary users can be created through the portal

Page 24:

Applying Business Rules to DLs

• Business rules and policies can be implemented in a number of ways, for example through the use of dynamic/calculated memberships to groups

Page 25:

Management Policies

• Used to define policy within the organisation for sets of data (for example ‘people’)

Page 26:

Management Policies

• Here we are saying all users can update and read their own attributes
• We can also assign this policy to kick off a workflow if required

Page 27:

Workflow

• Workflows can be defined for such things as approvals
• We associate workflows with actions such as a group approval
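The policy and workflow slides above (Pages 25 to 27) describe rules that let every user read and update their own attributes and that attach a workflow, such as an approval, to an action. The Python model below is an added example written for this transcript, not code from the presentation or from FIM itself (FIM 2010 evaluates Management Policy Rules inside the FIM Service). The rule fields, the constructed directory of "melissa", "jill" and "fin-dl", the "HR approval" authorization workflow and the "Update business applications" action workflow are assumptions chosen to mirror the scenarios on Pages 14 and 15.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed model of FIM 2010 Management Policy Rules (not the product's code):
# a rule names who may request (requestor set), which operation, on which
# resources (target set), for which attributes, whether it grants permission,
# and which workflows it attaches to the request.

# Constructed sample directory the rules' sets are evaluated against.
RESOURCES: Dict[str, Dict[str, str]] = {
    "melissa": {"ObjectType": "Person", "Department": "Finance"},
    "jill":    {"ObjectType": "Person", "Department": "Sales"},
    "fin-dl":  {"ObjectType": "Group",  "Owner": "melissa"},
}

def is_person(object_id: str) -> bool:
    return RESOURCES.get(object_id, {}).get("ObjectType") == "Person"

@dataclass
class Request:
    requestor: str          # who submits the request
    operation: str          # "Read", "Modify", "Create" or "Delete"
    target: str             # the resource being read or changed
    attributes: List[str]   # attributes the request reads or writes

@dataclass
class ManagementPolicyRule:
    name: str
    requestors: Callable[[Request], bool]   # stands in for the rule's requestor set
    targets: Callable[[Request], bool]      # stands in for the target resource set
    operations: List[str]
    attributes: List[str]                   # "*" means every attribute
    grants_permission: bool = False
    authorization_workflows: List[str] = field(default_factory=list)  # approvals, run before commit
    action_workflows: List[str] = field(default_factory=list)         # run after commit

    def matches(self, req: Request, attribute: str) -> bool:
        return (req.operation in self.operations
                and ("*" in self.attributes or attribute in self.attributes)
                and self.requestors(req)
                and self.targets(req))

@dataclass
class Decision:
    permitted: bool
    denied_attributes: List[str]
    authorization_workflows: List[str]
    action_workflows: List[str]

# Assumed rule set mirroring the slides: self-service on one's own profile,
# white-pages read access, and an HR approval attached to job title changes.
RULES: List[ManagementPolicyRule] = [
    ManagementPolicyRule(
        name="All users can read and update their own profile attributes",
        requestors=lambda r: r.requestor == r.target,
        targets=lambda r: is_person(r.target),
        operations=["Read", "Modify"],
        attributes=["DisplayName", "MobilePhone", "OfficeLocation", "JobTitle"],
        grants_permission=True,
        action_workflows=["Update business applications"],
    ),
    ManagementPolicyRule(
        name="All users can read white-pages attributes of any person",
        requestors=lambda r: is_person(r.requestor),
        targets=lambda r: is_person(r.target),
        operations=["Read"],
        attributes=["DisplayName", "MobilePhone", "OfficeLocation", "Department"],
        grants_permission=True,
    ),
    ManagementPolicyRule(
        name="Job title changes require HR approval",
        requestors=lambda r: True,
        targets=lambda r: is_person(r.target),
        operations=["Modify"],
        attributes=["JobTitle"],
        grants_permission=False,            # grants nothing, only attaches the approval
        authorization_workflows=["HR approval"],
    ),
]

def evaluate(rules: List[ManagementPolicyRule], req: Request) -> Decision:
    """Every attribute in the request needs a matching rule that grants permission;
    the workflows of every matching rule are collected. A denied request runs none."""
    denied: List[str] = []
    authz: List[str] = []
    action: List[str] = []
    for attribute in req.attributes:
        matching = [r for r in rules if r.matches(req, attribute)]
        if not any(r.grants_permission for r in matching):
            denied.append(attribute)
        for rule in matching:
            for wf in rule.authorization_workflows:
                if wf not in authz:
                    authz.append(wf)
            for wf in rule.action_workflows:
                if wf not in action:
                    action.append(wf)
    if denied:
        return Decision(False, denied, [], [])
    return Decision(True, [], authz, action)

def decide(requestor: str, operation: str, target: str, attributes: List[str]) -> Decision:
    return evaluate(RULES, Request(requestor, operation, target, list(attributes)))

if __name__ == "__main__":
    print(decide("melissa", "Modify", "melissa", ["JobTitle"]))
```

The property worth checking in a rule set like this is visible in the third rule: a rule that grants nothing can still attach an authorization workflow, so a self-service change of JobTitle is permitted only once "HR approval" completes, while a request touching any attribute that no rule grants (Melissa editing Jill's mobile number, or her own Department) is refused outright and triggers no workflow at all.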

Page 28:

(Slide text identical to Page 27.)

Page 29:

(Slide text identical to Page 27.)

Page 30:

User Self Service

• Users by default can perform self service on themselves, create groups (that expire after a period of time), and view the white pages

Page 31:

(Slide text identical to Page 30.)

Page 32:

Password Reset And Synchronization

[Diagram labels recovered from the slide: iPLANET; ILM “2”; FINANCE APPLICATION; FINANCE PORTAL; ACTIVE DIRECTORY; WINDOWS MACHINE; PASSWORD SYNCHRONIZATION; MELISSA]

Page 33:

Connecting to systems

• Connecting to systems is done via a Management Agent in the Synchronisation Engine
• This includes the attributes that you want to make available to the portal and the schema configuration

Page 34:

Synchronisation Rules

• Synchronisation rules define relationships and attribute flows to downstream identity systems; they can be configured for inbound, outbound or bidirectional data flow

Page 35:

Connecting and attribute flow

• Two ways in Forefront Identity Manager
  − Via the Management Agent for attribute flow and provisioning
  − Via Sync Rules in the Forefront Identity Manager portal
• Either can be used based on the deployment scenario; for example we may use provisioning rules and attribute flow via the MA for devices installed out of the box. This reduces the complexity for customers.
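Pages 33 to 35 describe Management Agents in the Synchronisation Engine and synchronisation rules whose attribute flows run inbound, outbound or bidirectionally. The Python below is an added example written for this transcript, not the product's sync engine or any Microsoft code: it models one connector-space record per connected system (a constructed HR record and a constructed Active Directory record), a metaverse object that joins them, and two sync rules, with the direction check deciding which flows are allowed to run. The attribute names, system names and the rule set are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Record = Dict[str, str]   # a connector-space object or the metaverse object

# Constructed model of FIM synchronisation rules (not the product's engine):
# a Management Agent (MA) owns one connector space per connected system and
# sync rules describe which attributes flow between it and the metaverse.

@dataclass
class FlowMapping:
    destination: str                                       # attribute written on the destination side
    source: Optional[str] = None                           # attribute read on the source side
    transform: Optional[Callable[[Record], Optional[str]]] = None  # computed value, used instead of source

@dataclass
class SyncRule:
    name: str
    management_agent: str
    direction: str                                         # "Inbound", "Outbound" or "Bidirectional"
    inbound_flows: List[FlowMapping] = field(default_factory=list)   # connected system -> metaverse
    outbound_flows: List[FlowMapping] = field(default_factory=list)  # metaverse -> connected system

def _apply(source: Record, destination: Record, flows: List[FlowMapping]) -> List[str]:
    """Copy each mapped attribute; a missing source value leaves the destination alone."""
    changed: List[str] = []
    for flow in flows:
        value = flow.transform(source) if flow.transform else source.get(flow.source or "")
        if value is None:
            continue
        if destination.get(flow.destination) != value:
            destination[flow.destination] = value
            changed.append(flow.destination)
    return changed

def inbound(rule: SyncRule, cs_object: Record, mv_object: Record) -> List[str]:
    """Import: connected system -> metaverse, only if the rule's direction allows it."""
    if rule.direction not in ("Inbound", "Bidirectional"):
        return []
    return _apply(cs_object, mv_object, rule.inbound_flows)

def outbound(rule: SyncRule, mv_object: Record, cs_object: Record) -> List[str]:
    """Export: metaverse -> connected system, only if the rule's direction allows it."""
    if rule.direction not in ("Outbound", "Bidirectional"):
        return []
    return _apply(mv_object, cs_object, rule.outbound_flows)

def display_name(mv: Record) -> Optional[str]:
    """Computed flow: build displayName from the name parts, or flow nothing."""
    if "firstName" in mv and "lastName" in mv:
        return f"{mv['firstName']} {mv['lastName']}"
    return None

# Assumed rule set: HR is authoritative and flows inbound only; AD is bidirectional.
HR_RULE = SyncRule(
    name="HR to metaverse", management_agent="HR MA", direction="Inbound",
    inbound_flows=[FlowMapping("employeeID", source="EMPLOYEE_ID"),
                   FlowMapping("firstName", source="FIRST_NAME"),
                   FlowMapping("lastName", source="LAST_NAME"),
                   FlowMapping("department", source="DEPT"),
                   FlowMapping("jobTitle", source="TITLE")],
)

AD_RULE = SyncRule(
    name="Metaverse to and from Active Directory", management_agent="AD MA",
    direction="Bidirectional",
    outbound_flows=[FlowMapping("displayName", transform=display_name),
                    FlowMapping("department", source="department"),
                    FlowMapping("title", source="jobTitle"),
                    FlowMapping("employeeID", source="employeeID")],
    inbound_flows=[FlowMapping("mobilePhone", source="mobile")],  # AD owns the mobile number
)

def run_sync():
    """One sync cycle over constructed sample records; returns what each side holds afterwards."""
    hr_record: Record = {"EMPLOYEE_ID": "E1001", "FIRST_NAME": "Melissa", "LAST_NAME": "Meyers",
                         "DEPT": "Finance", "TITLE": "Analyst"}
    ad_record: Record = {"sAMAccountName": "mmeyers", "mobile": "+1 555 0100"}
    mv: Record = {}
    inbound(HR_RULE, hr_record, mv)                   # HR populates the metaverse
    inbound(AD_RULE, ad_record, mv)                   # AD contributes only the mobile number
    outbound(AD_RULE, mv, ad_record)                  # HR-derived attributes are exported to AD
    written_to_hr = outbound(HR_RULE, mv, hr_record)  # inbound-only rule: nothing flows back
    return mv, ad_record, hr_record, written_to_hr

if __name__ == "__main__":
    print(run_sync())
```

Running run_sync() shows the HR rule populating the metaverse, the bidirectional AD rule exporting the HR-derived attributes (including a displayName computed from the name parts) while importing only the mobile number that AD owns, and the inbound-only HR rule refusing to write anything back into the HR record. That refusal is the property that keeps the authoritative source authoritative, and it is the first thing to verify when a rule's direction is changed.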

Page 36:

Approval processes confirm permission

Office 2007 Integration allows group memberships and approvals to be done from Outlook 2007.

Page 37:

FIM ‘Certificate Management’ (CM)

Single administration point for smart cards & digital certificates

• User self-service capabilities to help reduce helpdesk burden
• Configurable policy-based workflows for common tasks
  − Enroll / renew / update
  − Personalize smart card
  − Recover / smart card replacement
  − Issue temporary / duplicate smart card
  − Revoke / retire / disable smart card
• Detailed auditing and reporting capabilities
• Support for centralized, decentralized and self-service scenarios
• Extensibility to support additional authentication technologies including one time password (OTP) devices, physical access cards & biometrics
• Tightly integrated with Active Directory and Certificate Services

[Diagram labels, translated from French: Certificate management; CM; CM Portal; Cert. Mgmt DB]

Page 38:

SCOM Management Pack

Page 39:

MS IT deployment overview

Page 40:

Key Challenges

• 6 Forests, 13 domains
• Migration/co-existence with legacy applications
• Complex deployment design across multiple scenarios
• Initial population of database
• Driving password reset registration
• First large scale deployment

Page 41:

MSIT Deployment

• Goals
  − Validate FIM’s value proposition
  − Reduce cost by automating processes
  − Eliminate costly custom solutions
  − Validate product readiness across the feature sets in a large enterprise environment
  − Customer proof
• Process
  − Highly collaborative
  − Cross-functional teams on both sides

Page 42:

Scenario Overview – Password Reset

Jill has been out on vacation for a few weeks. As a result, she has forgotten her password and must reset it.

Today
• Jill needs to call the helpdesk to reset her password
• Company incurs a significant cost in managing credentials for 175,000 employees like Jill
• Company needs to maintain different tools for managing the credentials for employees and contractors

With FIM
• Jill is able to reset her password without calling the helpdesk
• Microsoft IT maintains a centralized set of policies & common tools
• Employees can reset their credentials directly from the Windows logon screen or through the FIM 2010 Portal

Page 43:

Define The Problem for MSIT

• The company incurs a significant cost in managing credentials for employees and contractors: 42,000 resets/year X $20 = $850,000
• Soft costs – Melissa is unproductive for 15 minutes while waiting to get her password reset

= $600,000 per year in savings

Page 44:

Scenario Overview – Group Management

Melissa Meyers has now started her job as an Analyst in the Finance department. As part of her daily tasks she will need to join new groups as well as manage her own project related groups.

Today
• Melissa goes to the web site to use the custom group management tool
• Joining groups that need approval requires access to the custom group management tool
• Dynamic group membership is not available to end users & requires a custom tool

With FIM
• Melissa can create/join DLs right from the FIM 2010 Portal
• Owners can approve groups via Outlook or the FIM 2010 Portal
• Calculated groups automatically update membership

Page 45:

Define the Problem for MSIT

Developing and maintaining group management tools costs millions of dollars

• Support of custom group management tools
• Complexity of deployment and lack of long term vision
• Lack of connectivity to group management tool results in soft costs around user productivity
• Security Group creation causes token bloat
• Bolt-on applications that only administrators have access to (ADUC) or other group management tools

Page 46:

Define The Problem for MSIT

Custom software maintenance and upgrades > $3,000,000

Estimated per year in savings

Page 47:

Summary: Software for policy-based management of identities, credentials, and resources across heterogeneous environments

• Increases Security and Compliance: Integrates identity, credential, and access management; Rich permissions and delegation model; Enables system auditing and compliance
• Empowers People: Provides Office-based self-service tools; SharePoint admin console to manage identities; Greater productivity through faster time to resolution
• Delivers Agility and Efficiency: Reduces costs through automation and self-service; Maximizes existing investments in Identity Infrastructure; Integrates with familiar developer tools to enable new scenarios

Page 48:

Resources

Learn more about Forefront Identity Manager
• FIM 2010 Product Page: www.microsoft.com/fim
• ILM 2007 Product Page: www.microsoft.com/ILM2007

Learn about Microsoft Forefront Identity and Security
• Forefront Home Page: www.microsoft.com/forefront

Evaluate the Identity Manager
• Visit www.microsoft.com/fim

• To download this presentation click here:

Page 49:

© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.