Post on 29-Mar-2015
Forefront Identity Manager 2010: Technical Overview
Daniel Kaufmann (Microsoft Schweiz), Dominik Zemp (Microsoft Schweiz)
Agenda
Identity and Access Management
• Business Needs and IT Challenges
• Business Ready Security
• Microsoft Identity and Access Management Solution
FIM Overview and Architecture
FIM Features
• User Management
• Group Management
• Password Reset
• Policy Management incl. workflow
• Extensibility
CLM
Benefits of FIM
Identity and Access: Business Needs and IT Challenges
Business needs (agility and flexibility):
• Provide secure access to applications from anywhere
• Simplify user experience for collaboration
• Provide seamless movement between applications
• Reduce cost of account management
IT needs (control):
• Multiple locations and devices
• Difficulty in extending business resources
• Disparate systems to manage
• Complex account lifecycle management
Business Ready Security Solutions
• Identity and Access Management
• Secure Messaging
• Secure Endpoint
• Secure Collaboration
• Information Protection
“If you wanted to access a file share in your network, previously you might have had to call your service desk and get approval. Now it is all workflow based. You go to a portal. There is no manual labor.” - Brian Desmond, Microsoft MVP
Simplify Identity Management: Governed Self-Service and Automation
Empower Business
• Self-service profile, credential, and group management
• Password and PIN reset from Windows login
• Group management from within Microsoft Office
• Single identity across heterogeneous applications
Empower IT
• End-to-end, workflow-driven user provisioning
• Policy-controlled self-service capabilities
• Automatic, attribute-based group membership for simplified resource access
Identity Management tasks
• Provisioning / Deprovisioning
• Synchronization
• Self-Service Profile Management
• Self-Service Group Management
• Self-Service Password Management
• Certificate and Smart Card Management
Identity Management: User provisioning
• Policy-based identity lifecycle management system
• Built-in workflow for identity management
• Automatically synchronize all user information to different directories across the enterprise
• Automates the process of on-boarding users
Flow: user enrollment in the HR system -> FIM workflow manager -> approval -> user provisioned on all allowed systems (Active Directory, Lotus Domino, LDAP, SQL Server, Oracle DB, FIM CM).
Identity Management: User de-provisioning
• Automated user de-provisioning
• Built-in workflow for identity management
• Real-time de-provisioning from all systems to prevent unauthorized access and information leakage
Flow: user de-provisioned in the HR system -> FIM workflow -> user de-provisioned or disabled on all systems (Active Directory, Lotus Domino, LDAP, SQL Server, Oracle DB, FIM CM).
Identity Synchronization and Consistency: Identity synchronization across multiple directories
[Figure: identity data aggregation. FIM joins the records held for the same person by the HR system, LDAP, Active Directory/Exchange and a SQL Server database (attributes givenName, sn, title, mail, employeeID, telephone). The sources disagree on the name (Sammy Dearling, Samara Darling, Sam Dearing, Samantha Dearing), the employee ID (007 vs 008) and the title (Intern vs Coordinator); the aggregated FIM record is Samantha Dearing, employeeID 007, Coordinator, someone@example.com, 555-0129.]
Identity Synchronization and Consistency: Identity consistency across multiple directories
[Figure: identity data brokering (convergence). Attribute ownership assigns each attribute (FirstName/LastName, EmployeeID, Title, Telephone) to an authoritative source; FIM then writes the authoritative values (Samantha Dearing, employeeID 007, Coordinator, someone@example.com, 555-0129) back to the HR system, LDAP, Active Directory/Exchange and the SQL Server database so that every directory holds the same record.]
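The two slides above describe a join on employeeID, attribute-ownership precedence, and write-back so that all directories converge. The following is an added example (not code from the deck or from FIM itself) that models that pipeline; the OWNERSHIP table, the source names HR/LDAP/AD/SQL and the sample records are assumptions constructed for the example.

```python
from collections import defaultdict
# Attribute precedence (an assumption for this example, not FIM's defaults): first listed source with a value wins.
OWNERSHIP = {
    "givenName": ["HR", "AD", "LDAP"], "sn": ["HR", "AD", "LDAP"],
    "employeeID": ["HR"], "title": ["HR", "AD"],
    "mail": ["AD"], "telephone": ["SQL", "AD"],
}
# Constructed connector-space records (one list per directory) modelled on the deck's sample person.
CONNECTOR_SPACE = {
    "HR":   [{"employeeID": "007", "givenName": "Samantha", "sn": "Dearing", "title": "Coordinator"},
             {"employeeID": "008", "givenName": "Sammy", "sn": "Dearling"}],
    "LDAP": [{"employeeID": "007", "givenName": "Samara", "sn": "Darling"}],
    "AD":   [{"employeeID": "007", "givenName": "Sam", "sn": "Dearing",
              "title": "Intern", "mail": "someone@example.com"}],
    "SQL":  [{"employeeID": "007", "telephone": "555-0129"}],
}

def join(connector_space):
    """Group records by the join attribute (employeeID); nothing is matched on a fuzzy name."""
    joined = defaultdict(dict)
    for source, records in connector_space.items():
        for rec in records:
            joined[rec["employeeID"]][source] = rec
    return joined

def aggregate(recs):
    """Metaverse object: each attribute from the first source in its
    precedence list that supplies a non-empty value."""
    return {attr: next(recs[s][attr] for s in prec if recs.get(s, {}).get(attr))
            for attr, prec in OWNERSHIP.items()
            if any(recs.get(s, {}).get(attr) for s in prec)}

def pending_exports(recs, mv):
    """Brokering: the attribute values each directory still needs so
    that every directory converges on the authoritative record."""
    return {src: {a: v for a, v in mv.items() if rec.get(a) != v}
            for src, rec in recs.items()}

def synchronize(connector_space=CONNECTOR_SPACE):
    """join -> aggregate -> export planning; an unjoined object (here 'Sammy
    Dearling'/008) is reported for review rather than merged by guesswork."""
    out = {}
    for emp_id, recs in join(connector_space).items():
        if len(recs) > 1:
            mv = aggregate(recs)
            out[emp_id] = {"status": "joined", "metaverse": mv, "exports": pending_exports(recs, mv)}
        else:
            out[emp_id] = {"status": "unjoined", "sources": list(recs)}
    return out
```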
Evolution of Identity Manager
• Identity Synchronization
• User Provisioning
• Certificate and Smartcard Management
• Office Integration for Self-Service
• Support for 3rd Party CAs
• Declarative Provisioning
• Group & DL Management
• Workflow and Policy
Key Pillars of Forefront Identity Manager
User Management
• Integrated provisioning of identities, credentials, and resources
• Automated, codeless user provisioning and de-provisioning
• Self-service profile management
Group Management
• Rich Office-based self-service group management tools
• Offline approvals through Office
• Automated group and distribution list updates
Credential Management
• Heterogeneous certificate management with 3rd party CAs
• Management of multiple credential types
• Self-service password reset integrated with Windows logon
Policy Management
• SharePoint-based console for policy authoring, enforcement & auditing
• Extensible WS-* APIs and Windows Workflow Foundation workflows
• Heterogeneous identity synchronization and consistency
Common Platform: Workflow, Connectors, Logging, Web Service API, Synchronization
FIM 2010 Architecture
User Demo
SharePoint-Based Management Console
FIM Add-in for Outlook
Group Management
• Self-service group and distribution list management with the FIM 2010 Web portal
• Office integration allows users to manage group membership from within Microsoft Office Outlook® for maximum productivity
• Automatically add users to either group based on their employee type at the time they are provisioned to Active Directory
• Group and distribution list management, including dynamic membership calculation in these groups and distribution lists based on user’s attributes
Group Management
Purpose:
• Distribution
• Security
Membership:
• Manual (owners adding/removing members, or users requesting membership subject to the approval policy)
• Manager
• Criteria-based
Scope:
• Universal
• Global
• Domain Local
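The three membership types above (manual with owner approval, manager-based, criteria-based) can be modelled in a few lines. This is an added example, not code from the deck or from FIM; the User/Group fields, the sample users and the criteria are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
@dataclass
class User:                  # constructed user object; attribute names are assumptions
    name: str
    department: str
    employeeType: str
    manager: str = ""

@dataclass
class Group:
    name: str
    purpose: str             # "Security" or "Distribution"
    membership: str          # "Manual", "Manager" or "Criteria"
    owner: str
    criteria: dict = field(default_factory=dict)   # attribute -> required value
    members: set = field(default_factory=set)
    pending: set = field(default_factory=set)      # requests awaiting owner approval

# Constructed sample users (illustrative values only).
USERS = [User("Mary", "Finance", "FullTime", manager="Bob"),
         User("Bob", "Finance", "FullTime"),
         User("Sam", "Finance", "Intern", manager="Bob"),
         User("Ann", "HR", "FullTime", manager="Carl")]

def calculate_membership(group, users):
    """Recompute Manager- and Criteria-based groups from current user attributes."""
    if group.membership == "Criteria":
        group.members = {u.name for u in users
                         if all(getattr(u, a, None) == v for a, v in group.criteria.items())}
    elif group.membership == "Manager":
        group.members = {u.name for u in users if u.manager == group.owner}
    return set(group.members)

def request_membership(group, requester, user):
    """Manual groups: the owner adds directly, anyone else is queued for approval."""
    if group.membership != "Manual":
        return "rejected: membership is calculated, not requested"
    if requester == group.owner:
        group.members.add(user)
        return "added"
    group.pending.add(user)
    return "pending approval"

def approve(group, approver, user):
    """Only the owner can approve, and only a request that was actually queued."""
    if approver != group.owner or user not in group.pending:
        return False
    group.pending.discard(user)
    group.members.add(user)
    return True
```

Re-running calculate_membership after a user's attributes change is what keeps a criteria-based security group from retaining members who no longer qualify.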
Group Management Demo
Identity Stores and Management Agents
Type of system: Management Agents
Network operating systems and directory services:
• Active Directory Domain Services 2000, 2003, 2003 R2, 2008, 2008 R2
• Active Directory Lightweight Directory Services (AD LDS) 2000, 2003, 2003 R2, 2008, 2008 R2
• Active Directory Global Address List (GAL) - Exchange 2000, 2003, 2007, 2010
• IBM Tivoli Directory Server up to version 6.2
• Novell eDirectory v8.7.3, v8.8
• Sun ONE and Netscape Directory Servers v5.1, v5.2
• IBM Directory Server v6.0, v6.2
Certificate and Smart Card Management:
• FIM Certificate Management
E-mail and messaging:
• Exchange Server 2007 and 2010 (use AD Management Agent)
• Lotus Notes v6.5, v7.0 (32-bit Lotus Notes Client)
Databases:
• Microsoft SQL Server 2000, 2005, 2008
• IBM DB2 Universal Database 9.1 and 9.5 (64-bit client v9.5 FP5 or v9.7 FP1 required)
• Oracle Database 10g (64-bit client)
File-based (1):
• Attribute value pairs
• CSV
• Delimited
• Fixed width
• Directory Services Markup Language (DSML) 2.0
• LDAP Interchange Format (LDIF)
Other:
• SAP R/3 Enterprise (4.7), mySAP 2004 (ECC 5.0) (32-bit client)
• XML-based systems
• Extensible Management Agent for custom connectivity to other systems
(1) These file formats allow for integration with a variety of applications, databases, telephone switches, X.500 systems, mainframe and metadirectory products or underlying systems that can produce a file for import and export.
Certificate and Smart card management
• Increase access security beyond username and password solutions
• Streamline deployment by enrolling user and computer certificates without user intervention
• Simplify certificate and SmartCard management using Forefront Identity Manager (FIM)
• Enhance remote access security through certificates with Network Access Protection
• Stronger authentication through certificates for administrative access and management
Certificate and Smart card management: enrollment flow
Components: HR System, FIM, FIM CM, Active Directory Certificate Services (AD CS), end user (user ID and password, smart card).
1. User enrollment and authentication request is sent by the HR system
2. FIM policy triggers a request for FIM CM to issue a certificate or smart card
3. User is validated using multi-factor authentication
4. FIM Certificate Management (CM) requests certificate creation from AD CS
5. Certificate is issued to the user and written to either the machine or the smart card
It's all about trust
• Authentication: “I am the employee you know as Mary”
• Digital Signature: “This content hasn’t changed since I signed it”
• Encryption: “No one but Mary can see this content”
FIM 2010 CM Functionality
• Single administration point for smart cards & digital certificates
• User self-service capabilities to help reduce helpdesk burden
• Configurable policy-based workflows for common tasks: enroll / renew / update; personalize smart card; recover / smart card replacement; issue temporary / duplicate smart card; revoke / retire / disable smart card
• Detailed auditing and reporting capabilities
• Support for centralized, decentralized and self-service scenarios
• Extensibility to support additional authentication technologies including one time password (OTP) devices, physical access cards & biometrics
• Tightly integrated with Active Directory and Certificate Services
FIM 2010 + FIM 2010 CM
[Figure: end-to-end flow across FIM (AuthN & AuthZ workflows, delegation & permissions, action workflows, Service DB), FIM Sync (Sync DB, management agents, identity stores) and FIM CM.]
1. New user added in HR app
2. Does the user have permission to add a user to FIM?
3. FIM manages manager and department head approvals
4. Once approved, changes are committed to the ILM app store
5. FIM sends welcome and confirmation e-mails
6. Sync receives the request; FIM syncs to the external identity stores
7. FIM CM: approval workflows, card created & printed, certificates requested
8. Self-service notification and one-time password sent to the end user
9. End user downloads certificates onto the smart card
FIM 2010 CM Architecture
Legend (Microsoft solution components): Forefront Identity Manager, Windows Server AD Certificate Services, AD Domain Services.
• Certificate Authority: issue, renew, revoke certs; revocation check (certs revoked?)
• Revocation info: Certificate Revocation List, Online Responder
• Active Directory: certificate templates, policy; auto-publish and auto-enroll
• FIM CM: workflows, profiles for smart card deployment and management
• FIM CM client / web kiosk: self-service smart card management, smartcard personalization
• Client PC: enrollment, renewal
Physical Architecture
• FIM-CM Server
• Microsoft CAs
• End User
• SQL
• AD
• E-mail
Component Architecture
• Microsoft Certificate Authority: FIM-CM Policy Module, FIM-CM Exit Module
• Internet Information Server: FIM-CM Web App, FIM-CM AD Integration
• Internet Explorer: FIM-CM Browser Control
• Smart Card Middleware
CLM Demo
Technical Deployment Opportunities
• FIM is very extensible
• Infrastructure footprint can start small and scale up
• FIM Sync is agentless
• The amount of custom development required is minimized and well encapsulated to empower administrators
• No need to learn a new programming language: use C# or VB.NET
More information
• TechCenter on TechNet: http://technet.microsoft.com/en-us/FIM/default.aspx
• Product Page: http://www.microsoft.com/FIM
• TechNet Forum: http://social.technet.microsoft.com/Forums/en-US/FIM2/threads
• Additional technical information: http://www.microsoft.com/Forefront/identitymanager/en/us/technical-resources.aspx