Microsoft Forefront Identity Manager 2010
Elton Agolli, Chief of Infrastructure Section, TETRA Solutions, [email protected]
Agenda
• Customer challenges
• Microsoft's Identity and Access Strategy
• Identity and Access Management
  − The business challenges
  − How Identity Manager addresses the challenges
  − Scenarios
• Summary
• Resources
Identity & Access Customer Challenges
• Enabling new high business value scenarios
• Supporting mergers, acquisitions & reorganizations
• Integrated user provisioning & credential management
• Ensuring that only authorized users can access resources
• Compliance with regulatory requirements
• Auditable processes for granting access to resources
• Reducing help desk burden for end user requests
• Managing the complexity of distributed identity information
Challenge areas (the four quadrants of the slide): Compliance, Operational Efficiency, IT Security, Business Agility
Business Ready Security Solutions
Identity and Access Management
Secure Messaging
Secure Endpoint
Secure Collaboration
Active Directory® Federation Services
Information Protection
IDENTITY AND ACCESS MANAGEMENT
Extend business resources, especially to the cloud
Secure multiple devices and locations
Manage complex identity lifecycles
Business and IT Challenges
Business Needs: Agility and Flexibility. IT Needs: Control.
• Simplify user experience for collaboration across networks
• Provide seamless movement between applications
• Reduce cost of identity management
• Provide secure access to applications from anywhere
• Manage disparate systems
Create
• Provision user
• Provision credentials
• Provision resources
Update
• Role changes
• Password and PIN reset
• Resource requests
Retire
• De-provision identities
• Revoke credentials
• De-provision resources
Policy Management (spans the whole lifecycle)
• Policy authoring
• Policy enforcement
• Approvals and notifications
• Audit trails
Identity and Access Management
Identity Lifecycle Manager -> Forefront Identity Manager
Carried over from ILM: Identity Synchronization, User Provisioning, Certificate and Smartcard Management
New in FIM 2010: Office Integration for Self-Service, Support for 3rd Party CAs, Codeless Provisioning, Group & DL Management, Workflow and Policy
Feature areas: User Management, Group Management, Credential Management, Policy Management
Common Platform: Workflow, Connectors, Logging, Web Service API, Synchronization
Version Feature Comparison
Feature                                        | MIIS 2003 | ILM 2007    | FIM 2010
Identity synchronization                       | X         | X           | X
Password synchronization                       | X         | X           | X
Policy authoring and editing solution          |           | ILM-CM only | X
Policy enforcement                             | X         | X           | X
Delegation management solution                 |           |             | X
User provisioning solution                     |           |             | X
Certificate and smart card management solution |           | X           | X
Group management solution                      |           |             | X
DL management solution                         |           |             | X
Workflow                                       |           | ILM-CM only | X
Self-service password reset                    |           |             | X
Localized                                      |           | ILM-CM only | X
Forefront Identity Manager - Key Feature Areas
Credential Management
• Heterogeneous certificate management with 3rd party CAs
• Management of AD credentials
• Self-service password reset integrated with Windows logon
Group Management
• Rich Office-based self-service group management tools
• Offline approvals through Office
• Automated group and distribution list updates
User Management
• Integrated provisioning of identities, credentials, and resources
• Automated, declarative user provisioning and de-provisioning
• Self-service profile management
Policy Management
• SharePoint-based console for policy authoring, enforcement & auditing
• Extensible WS-* APIs and Windows Workflow Foundation workflows
• Heterogeneous identity synchronization and consistency
Forefront Identity Manager 2010 Architecture
FIM Client Experiences: Outlook, FIM Portal, Windows, Custom
Solutions: User Mgmt, Group Mgmt, Credential Mgmt, Policy Mgmt, Custom
FIM Service and Portal
• Request Processor
• AuthN Workflow, AuthZ Workflow, Action Workflow
• Delegation & Permissions
• App DB
ILM Sync
• Adapters (management agents)
• Sync DB
ILM-CM (certificate management)
• ILM-CM Portal
• Cert Mgmt
• ILM-CM DB
Identity and data stores: Directories, Databases, E-Mail Systems, Applications
USER SCENARIOS
End User Scenarios
Feature area          | Example Scenario                                                                               | FIM 2010 Advantages
Credential Management | Self-service smart card provisioning & management                                              | Integration with Windows logon; no need to call help desk; faster time to resolution
Group Management      | User asks to join secure distribution list for new product development                         | Request process through Office; no waiting for help desk; faster time to resolution
User Management       | User changes cell phone number                                                                 | Automatic updating of business applications; no need to call help desk; faster time to resolution
Policy Management     | CFO gives final approval for new user to access app with associated SOX compliance requirement | Automatic routing of multiple approvals; approval process through Office; audit trail of approvals
IT Administrator Scenarios
Feature area          | Example Scenario                                                              | FIM 2010 Advantages
Credential Management | Create workflow to automatically issue passwords and smart cards to new users | Generation and delivery of initial one-time-use password; integration of smart card & cert enrollment with provisioning
Group Management      | Design policy to automatically create departmental security groups            | Automatic management of group membership; secure access to departmental resources, with audit trail
User Management       | Automatically provision new employees with identity, mailbox, and credentials | Automatic policy enforcement across systems; management of role changes & retirements
Policy Management     | Author policy to require HR approval for job title change                     | Centralized management; automatic policy enforcement across systems
Customizable Identity Portal
SharePoint-based Identity Portal for Management and Self Service
How you extend it:
• Add your own portal pages or web parts
• Build new custom solutions
• Expose new attributes to manage by extending FIM schema
• Choose SharePoint theme to customize look and feel
New Employee Scenario
Sample record shown on the slide: Given Name Melissa; Surname Meyers; Title Analyst; Department Finance; Employee ID 122145; Employee type Full Time; email [email protected]
Flow: HR SYSTEM -> FIM 2010 (FIM provisioning policy applied; "Create user" workflow with manager approval) -> ACTIVE DIRECTORY, EXCHANGE, SMARTCARD, iPLANET, MAINFRAME, FINANCE APPLICATION, FINANCE PORTAL
Employee Transition Scenario
The HR record changes from Title Analyst, Department Finance to Title Group Marketing Manager, Department Marketing (Given Name Melissa; Surname Meyers; Employee ID 122145; Employee type Full Time; email [email protected]), and the updated record flows to the connected systems.
Flow: HR SYSTEM -> FIM 2010 (FIM provisioning policy applied) -> MARKETING APPLICATION and MARKETING PORTAL provisioned; FINANCE APPLICATION and FINANCE PORTAL de-provisioned; ACTIVE DIRECTORY, EXCHANGE, SMARTCARD, iPLANET, MAINFRAME updated
Separation/Fire Scenario
The HR record changes Employee type from Full Time to Terminated (Given Name Melissa; Surname Meyers; Title Group Marketing Manager; Employee ID 122145; email [email protected]).
Flow: HR SYSTEM -> FIM 2010 (FIM provisioning policy applied) -> accounts de-provisioned in ACTIVE DIRECTORY, EXCHANGE, SMARTCARD, iPLANET, MAINFRAME, MARKETING APPLICATION, MARKETING PORTAL
FIM 2010 In Action: Self-service password management
Components shown: AuthN & AuthZ Workflows; Delegation & Permissions; Action Workflow; Service DB; Sync DB; Management Agents; Request Processor; Identity Stores
• User forgets password, requests a password reset at Windows logon and answers the registered Q/A
• FIM receives the request as XML (Request Processor)
• Does the user have permission to reset the password?
• FIM validates the Q/A response from the user
• Changes committed to the FIM app store
• FIM makes the call to reset the password in AD
• FIM syncs the new password to the external identity stores
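The steps above as an added example, not code from FIM or from the slides: an in-memory model of the self-service reset gate in the slide's order (permission check, Q/A validation, reset in AD, sync to other stores), with the details a practitioner would expect from such a gate: answers stored only as salted hashes, constant-time comparison, a single pass/fail verdict, and lockout after repeated failures. The lockout threshold, the store layout, and the sample users are assumptions.

```python
"""Self-service password reset gate, modelled on the flow above.

Added example: this is not FIM code and not code from the slides. It models
the slide's steps (request -> permission check -> Q/A validation -> reset in
AD -> sync to other stores) against in-memory stores constructed here. The
lockout threshold and the store layout are assumptions for illustration.
"""
import hashlib
import hmac
import os
import unicodedata
from dataclasses import dataclass, field

MAX_FAILED_ATTEMPTS = 3  # assumption: lock the Q/A gate after three failures


def normalize(answer: str) -> str:
    """Canonicalize an answer so case, Unicode form and stray spaces do not matter."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Salted PBKDF2 over the normalized answer; plaintext answers are never stored."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 100_000)


@dataclass
class Registration:
    answers: dict                 # question -> (salt, hash)
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class Stores:
    """Constructed stand-ins for AD, the external identity stores and the audit log."""
    ad_passwords: dict = field(default_factory=dict)
    external: dict = field(default_factory=dict)   # store name -> {user: password}
    audit: list = field(default_factory=list)


def register(registrations: dict, user: str, qa: dict) -> None:
    """Enroll a user's Q/A profile; the slide's 'answers Q/A' needs this to exist."""
    answers = {}
    for question, answer in qa.items():
        salt = os.urandom(16)
        answers[question] = (salt, hash_answer(answer, salt))
    registrations[user] = Registration(answers)


def reset_password(user, responses, new_password, registrations, sspr_enabled, stores):
    """Run the gate in the slide's order; return (ok, reason) and record an audit entry."""
    reason = "ok"
    if user not in sspr_enabled:            # AuthZ: is the user permitted to self-reset?
        reason = "not authorized"
    elif user not in registrations:
        reason = "not registered"
    elif registrations[user].locked:
        reason = "locked"
    else:
        reg = registrations[user]
        # AuthN: every registered answer must match. Constant-time compare and one
        # combined verdict, so the caller learns nothing about which answer failed.
        verdict = True
        for question, (salt, expected) in reg.answers.items():
            given = hash_answer(responses.get(question, ""), salt)
            verdict &= hmac.compare_digest(given, expected)
        if not verdict:
            reg.failed_attempts += 1
            reg.locked = reg.failed_attempts >= MAX_FAILED_ATTEMPTS
            reason = "wrong answers"
        else:
            reg.failed_attempts = 0
            # Action workflow: reset in AD, then sync to the external stores.
            stores.ad_passwords[user] = new_password
            for passwords in stores.external.values():
                if user in passwords:
                    passwords[user] = new_password
    stores.audit.append({"user": user, "action": "password reset", "result": reason})
    return reason == "ok", reason


def demo():
    """Walk the slide's scenario with constructed sample data (users are made up)."""
    registrations, stores = {}, Stores(external={"iPLANET": {"mmeyers": "old"}})
    register(registrations, "mmeyers", {"first pet": "Rex", "birth city": "Tirana"})
    enabled = {"mmeyers"}
    results = [
        reset_password("mmeyers", {"first pet": "rex", "birth city": "Paris"}, "N3w!",
                       registrations, enabled, stores),
        reset_password("mmeyers", {"first pet": " REX ", "birth city": "tirana"}, "N3w!",
                       registrations, enabled, stores),
        reset_password("cRice", {}, "x", registrations, enabled, stores),
    ]
    return results, stores
```

Every request, including a refused one, lands in the audit list, which is the property the later compliance scenario relies on. The gate also deliberately does not say which question failed; a per-question verdict would let an attacker confirm answers one at a time.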
FIM 2010 In Action: Self-service smart card provisioning
Components shown: AuthN & AuthZ Workflows; Delegation & Permissions; Action Workflow; Service DB; Sync DB; Management Agents; Identity Stores; FIM CM
• New user added in HR app; Sync receives the request
• Does the requestor have permission to add a user to FIM?
• FIM manages manager and department head approvals
• Once approved, changes are committed to the ILM app store
• FIM sends welcome and confirmation e-mails
• FIM syncs to external identity stores
• FIM CM: approval workflows; card created & printed; certificates requested
• Self-service notification and one-time password sent to end user
• End user downloads certificates onto smart card
Self-Service Group Management
Situation: User needs to join the Fabrikam Project Virtual Team group
Without Forefront Identity Manager 2010
Melissa Meyers, Business User
• Activity: Calls help desk
• Costs to the Business: Lost productivity; no resource access when she needs it
Chad Rice, Accounts Administrator
• Activity: Manually edits AD Users and Computers to add user to group
• Costs to the Business: Risk of error and policy non-compliance; cost of manual administration
With Forefront Identity Manager 2010
Melissa Meyers, Business User
• Activity: Request to join Group from Outlook; FIM routes approvals and grants appropriate access
• Business Benefits: User productivity; enables effective business interactions
Chad Rice, Accounts Administrator
• Activity: Uses FIM to establish group management policies and workflows
• Business Benefits: Efficiency; security; compliance
(Screenshots: Create Distribution List)
Unauthorized User Attribute Change
Situation: IT accidentally makes an unauthorized change to a user's title
Without Forefront Identity Manager 2010
HR Administrator, Samantha Smith
• Activity: Updates Megan Meyers' title in SAP
Chad Rice, Accounts Administrator
• Activity: Asked to update Megan Meyers' title in other systems; accidentally changes Melissa Meyers' title in ADUC
• Costs to the Business: Risk of error and policy non-compliance; cost of manual admin
Ted Smith, Compliance Auditor
• Activity: Discovers the error during the manual audit process of the purchase order application
• Costs to the Business: Cost of manual auditing; delay in discovery of non-compliance
With Forefront Identity Manager 2010
HR Administrator, Samantha Smith
• Activity: Updates Megan Meyers' title in SAP; the title change flows to the other systems that use it, per FIM policy
• Business Benefits: Efficiency; compliance
Chad Rice, Accounts Administrator
• Activity: Uses FIM to establish policies and workflows that include management of job title data
• Business Benefits: Efficiency; security; compliance
Ted Smith, Compliance Auditor
• Activity: Uses the FIM audit trail to audit approvals
• Business Benefits: Efficiency; compliance
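The New Employee, Employee Transition and Separation scenarios and the Unauthorized Change scenario above all rest on two mechanisms: set-based, declarative provisioning (membership in a set decides which connected systems get an account) and attribute precedence (one system is authoritative for each attribute, so a stray edit elsewhere is overridden rather than propagated). The following is an added example, not FIM's engine and not code from the slides, that models both against in-memory stores on the sample identity from the slides. The set names, the PRECEDENCE table, the target-system names and the audit-record shape are assumptions chosen to match the slide labels; real FIM expresses the same ideas as attribute flow precedence on management agents and as Sets plus Management Policy Rules.

```python
"""Declarative, set-based provisioning with attribute precedence and an audit trail.

Added example: not FIM's engine and not code from the slides. It models the
New Employee, Employee Transition, Separation and Unauthorized Change
scenarios against in-memory stores constructed here. Set names, PRECEDENCE
and the target-system names are assumptions chosen to match the slide labels.
"""
from dataclasses import dataclass, field

# Authoritative source per attribute: only this connector may write it into the
# central store, so a stray edit in another system (e.g. ADUC) is overridden.
PRECEDENCE = {a: "HR" for a in ("GivenName", "Surname", "Title", "Department", "EmployeeType")}


def is_active(p):
    return p.get("EmployeeType") == "Full Time"


# (set name, membership predicate, target systems provisioned for members)
POLICY = [
    ("All active employees", is_active,
     {"ACTIVE DIRECTORY", "EXCHANGE", "SMARTCARD", "iPLANET", "MAINFRAME"}),
    ("Finance staff", lambda p: is_active(p) and p.get("Department") == "Finance",
     {"FINANCE APPLICATION", "FINANCE PORTAL"}),
    ("Marketing staff", lambda p: is_active(p) and p.get("Department") == "Marketing",
     {"MARKETING APPLICATION", "MARKETING PORTAL"}),
]


@dataclass
class IdentityManager:
    metaverse: dict = field(default_factory=dict)  # employee id -> central record
    targets: dict = field(default_factory=dict)    # system -> {employee id: record}
    audit: list = field(default_factory=list)

    def entitled(self, person):
        """Target systems the policy grants to this record."""
        return {s for _, pred, systems in POLICY if pred(person) for s in systems}

    def inbound_change(self, source, emp_id, changes, approved_by=None):
        """Apply changes reported by a connected system, honouring precedence."""
        person = self.metaverse.setdefault(emp_id, {"EmployeeID": emp_id})
        for attr, value in changes.items():
            owner = PRECEDENCE.get(attr, source)
            if owner != source:
                self.audit.append({"emp": emp_id, "source": source, "attr": attr,
                                   "result": f"rejected: {owner} is authoritative"})
                continue
            person[attr] = value
            self.audit.append({"emp": emp_id, "source": source, "attr": attr,
                               "result": "applied", "approved_by": approved_by})
        self.reconcile(emp_id)

    def reconcile(self, emp_id):
        """Provision, update or de-provision until every target matches the policy."""
        person = self.metaverse[emp_id]
        wanted = self.entitled(person)
        current = {s for s, members in self.targets.items() if emp_id in members}
        for system in sorted(wanted | current):
            members = self.targets.setdefault(system, {})
            if system in wanted and system not in current:
                members[emp_id] = dict(person)
                self.audit.append({"emp": emp_id, "system": system, "result": "provisioned"})
            elif system in wanted:
                members[emp_id] = dict(person)  # outbound attribute flow (e.g. new title)
            else:
                del members[emp_id]
                self.audit.append({"emp": emp_id, "system": system, "result": "de-provisioned"})

    def systems_for(self, emp_id):
        return sorted(s for s, m in self.targets.items() if emp_id in m)

    def record_in(self, system, emp_id):
        return dict(self.targets.get(system, {}).get(emp_id, {}))


def run_scenarios():
    """The four slide scenarios in order, on the sample identity from the slides."""
    im = IdentityManager()
    # New Employee: HR creates the record; manager approval recorded on the request
    im.inbound_change("HR", "122145", {"GivenName": "Melissa", "Surname": "Meyers",
                      "Title": "Analyst", "Department": "Finance",
                      "EmployeeType": "Full Time"}, approved_by="manager")
    # Unauthorized Change: a direct title edit in AD is not from the authoritative source
    im.inbound_change("ACTIVE DIRECTORY", "122145", {"Title": "Group Marketing Manager"})
    # Employee Transition: HR changes title and department
    im.inbound_change("HR", "122145", {"Title": "Group Marketing Manager",
                      "Department": "Marketing"}, approved_by="HR")
    # Separation: HR marks the employee terminated
    im.inbound_change("HR", "122145", {"EmployeeType": "Terminated"})
    return im
```

After the AD edit, `reconcile` pushes the central record back out, so the accidental title in AD is corrected on the next cycle and the rejection is in the audit list for the auditor; after the transition the finance systems lose the account and the marketing systems gain it; after termination every target is de-provisioned while the central record survives with its Terminated state.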
Summary: FIM 2010
Software for policy-based management of identities, credentials, and resources across heterogeneous environments
Increases Security and Compliance
• Integrates identity, credential, and access management
• Rich permissions and delegation model
• Enables system auditing and compliance
Empowers People
• Provides Office-based self-service tools
• SharePoint admin console to manage identities
• Greater productivity through faster time to resolution
Delivers Agility and Efficiency
• Reduces costs through automation and self-service
• Maximizes existing investments in Identity Infrastructure
• Integrates with familiar developer tools to enable new scenarios
Resources
Learn more about Forefront Identity Manager
• FIM 2010 Product Page: http://www.microsoft.com/forefront/identitymanager
Learn about Microsoft Forefront Identity and Security
• Forefront Home Page: www.microsoft.com/forefront
Evaluate Identity Manager
• Visit http://technet.microsoft.com/en-gb/evalcenter/cc872861.aspx
© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after
the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.