Transcript of Daniel Kaufmann (Microsoft Schweiz) and Dominik Zemp (Microsoft Schweiz), Forefront Identity Manager 2010 Technical Overview.

Page 1:

Forefront Identity Manager 2010

Daniel Kaufmann (Microsoft Schweiz), Dominik Zemp (Microsoft Schweiz)

Technical Overview

Page 2:

Agenda

Identity and Access Management
• Business Needs and IT Challenges
• Business Ready Security
• Microsoft Identity and Access Management Solution

FIM Overview and Architecture

FIM Features
• User Management
• Group Management
• Password Reset
• Policy Management incl. workflow
• Extensibility

CLM

Benefits of FIM

Page 3:

Identity and Access: Business Needs and IT Challenges

Challenges:
• Multiple locations and devices
• Difficulty in extending business resources
• Disparate systems to manage
• Complex account lifecycle management

Business Needs (Agility and Flexibility) and IT Needs (Control):
• Provide secure access to applications from anywhere
• Simplify user experience for collaboration
• Provide seamless movement between applications
• Reduce cost of account management

Page 4:

Business Ready Security Solutions

• Identity and Access Management
• Secure Messaging
• Secure Endpoint
• Secure Collaboration
• Information Protection

Page 5:

Simplify Identity Management

“If you wanted to access a file share in your network, previously you might have had to call your service desk and get approval. Now it is all workflow based. You go to a portal. There is no manual labor.” - Brian Desmond, Microsoft MVP

Empower Business
• Self-service profile, credential, and group management
• Password and PIN reset from Windows login
• Group management from within Microsoft Office
• Single identity across heterogeneous applications

Empower IT
• End-to-end, workflow-driven user provisioning
• Policy-controlled self-service capabilities
• Automatic, attribute-based group membership for simplified resource access

GOVERNED SELF-SERVICE AND AUTOMATION

Page 6:

Identity Management tasks

• Provisioning
• Deprovisioning
• Synchronization
• Self-Service Profile Management
• Self-Service Group Management
• Self-Service Password Management
• Certificate and Smart Card Management

Page 7:

Identity Management: User provisioning

Diagram: HR System → FIM (Workflow Manager) → Active Directory, Lotus Domino, LDAP, SQL Server, Oracle DB, FIM CM

• Policy-based identity lifecycle management system
• Built-in workflow for identity management
• Automatically synchronize all user information to different directories across the enterprise
• Automates the process of on-boarding users

Flow: User Enrollment → Approval → User provisioned on all allowed systems

Page 8:

Identity Management: User de-provisioning

Diagram: HR System → FIM (Workflow) → Active Directory, Lotus Domino, LDAP, SQL Server, Oracle DB, FIM CM

• Automated user de-provisioning
• Built-in workflow for identity management
• Real-time de-provisioning from all systems to prevent unauthorized access and information leakage

Flow: User de-provisioned → User de-provisioned or disabled on all systems

Page 9:

Identity Synchronization and Consistency: Identity synchronization across multiple directories

Identity Data Aggregation: FIM collects the attributes givenName, sn, title, mail, employeeID and telephone from the connected sources (HR System, LDAP, Active Directory / Exchange, SQL Server DB). The source records for the same person, as shown on the slide:
• Sammy Dearling, employeeID 008
• Samara Darling, employeeID 007
• Sam Dearing, Intern, employeeID 007
• Samantha Dearing, Coordinator, employeeID 007, [email protected], 555-0129

Aggregated record: Samantha Dearing, Coordinator, employeeID 007, [email protected], 555-0129

Attribute Ownership: FirstName, LastName, EmployeeID, Title, E-Mail, Telephone

Page 10:

Identity Synchronization and Consistency: Identity consistency across multiple directories

Attribute Ownership: FirstName, LastName, EmployeeID, Title, E-Mail, Telephone

Identity Data Brokering (Convergence) between FIM and the connected sources (HR System, LDAP, Active Directory / Exchange, SQL Server DB), attributes givenName, sn, title, mail, employeeID and telephone. Before convergence the sources hold:
• Sammy Dearling, employeeID 007
• Samara Darling, employeeID 007
• Sam Dearing, Intern, employeeID 007
• Bob Dearing, Coordinator, employeeID 007, 555-0129

After convergence every source holds the same record: Samantha Dearing, Coordinator, employeeID 007, [email protected], 555-0129
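The aggregation and convergence shown on these two slides rest on one rule: each attribute has exactly one owning source, and only the owner's value reaches the consolidated record. The following Python model is an added illustration of that rule, not code from FIM or from the presenters; the ownership map, the source records and the e-mail address are constructed for the example, and the function names are my own. It shows what a non-owning source cannot change, what each source must be updated with to become consistent, and which suppressed writes are worth auditing.

```python
"""Attribute-ownership aggregation and convergence across identity sources.

Added illustration, not FIM code: models how a consolidated record is
assembled from several connected sources when every attribute has one
authoritative (owning) source, and how that record is then pushed back so
each source ends up holding the same values.  All data below is constructed.
"""

# Assumed ownership map (attribute -> authoritative source); not from the deck.
OWNERSHIP = {
    "givenName": "HR System",
    "sn": "HR System",
    "employeeID": "HR System",
    "title": "HR System",
    "mail": "Active Directory / Exchange",
    "telephone": "SQL Server DB",
}

# Constructed source records: each source spells the same person differently.
SOURCES = {
    "HR System": {"givenName": "Samantha", "sn": "Dearing",
                  "title": "Coordinator", "employeeID": "007"},
    "LDAP": {"givenName": "Sammy", "sn": "Dearling", "employeeID": "007"},
    "Active Directory / Exchange": {"givenName": "Samara", "sn": "Darling",
                                    "mail": "samantha.dearing@example.com",
                                    "employeeID": "007"},
    "SQL Server DB": {"givenName": "Sam", "sn": "Dearing", "title": "Intern",
                      "employeeID": "007", "telephone": "555-0129"},
}


def aggregate(sources, ownership):
    """Build the converged record: each attribute is read only from its owner.
    A value held by a non-owning source is ignored, so a lower-trust directory
    cannot overwrite employeeID or title.  An attribute whose owner has no
    value is left out rather than filled from somewhere else."""
    record = {}
    for attr, owner in ownership.items():
        value = sources.get(owner, {}).get(attr)
        if value is not None:
            record[attr] = value
    return record


def export_deltas(sources, converged):
    """Per-source list of (attribute, old, new) updates needed so that every
    source matches the converged record.  A source already in line gets none."""
    return {
        name: [(attr, data.get(attr), new)
               for attr, new in converged.items() if data.get(attr) != new]
        for name, data in sources.items()
    }


def rejected_writes(sources, ownership):
    """Values a source asserts for an attribute it does not own and that differ
    from the owner's value: the conflicts the ownership rule suppressed.  A
    source that keeps pushing such values is a useful audit signal."""
    out = []
    for name, data in sources.items():
        for attr, value in data.items():
            owner = ownership.get(attr)
            if owner != name and value != sources.get(owner, {}).get(attr):
                out.append((name, attr, value))
    return out


if __name__ == "__main__":
    merged = aggregate(SOURCES, OWNERSHIP)
    print("converged:", merged)
    for src, changes in export_deltas(SOURCES, merged).items():
        print(src, "->", changes)
    print("suppressed:", rejected_writes(SOURCES, OWNERSHIP))
```

The point to take from the model is that convergence is one-directional per attribute: the "Intern" title in the SQL database and the "Sammy Dearling" spelling in LDAP are corrected by the export, never propagated. In a real deployment the ownership map is the thing to review, because whichever source owns employeeID or mail effectively controls joins and mail routing for everyone.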

Page 11:

Evolution of Identity Manager

• Identity Synchronization, User Provisioning, Certificate and Smartcard Management
• Office Integration for Self-Service, Support for 3rd Party CAs, Declarative Provisioning, Group & DL Management, Workflow and Policy

Pillars: User Management, Group Management, Credential Management, Policy Management

Common Platform: Workflow, Connectors, Logging, Web Service API, Synchronization

Page 12:

Key Pillars of Forefront Identity Manager

Credential Management
• Heterogeneous certificate management with 3rd party CAs
• Management of multiple credential types
• Self-service password reset integrated with Windows logon

Group Management
• Rich Office-based self-service group management tools
• Offline approvals through Office
• Automated group and distribution list updates

User Management
• Integrated provisioning of identities, credentials, and resources
• Automated, codeless user provisioning and de-provisioning
• Self-service profile management

Policy Management
• SharePoint-based console for policy authoring, enforcement & auditing
• Extensible WS-* APIs and Windows Workflow Foundation workflows
• Heterogeneous identity synchronization and consistency

Page 13:

FIM 2010 Architecture

Page 14:

User Demo

Page 15:

Group Management

SharePoint-Based Management Console; FIM Add-in for Outlook

• Self-service group and distribution list management with the FIM 2010 Web portal
• Office integration allows users to manage group membership from within Microsoft Office Outlook® for maximum productivity
• Automatically add users to either group based on their employee type at the time they are provisioned to Active Directory
• Group and distribution list management, including dynamic membership calculation in these groups and distribution lists based on user’s attributes

Page 16:

Group Management

Purpose:
• Distribution
• Security

Membership:
• Manual (owners adding/removing members, or users requesting membership subject to Approval Policy)
• Manager
• Criteria-Based

Scope:
• Universal
• Global
• Domain Local
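Slides 15 and 16 describe membership that is calculated from user attributes (criteria-based and manager-based) rather than maintained by group owners. The Python below is an added example of that calculation, not FIM code or the presenters' material: the user records, group criteria and clause operators are constructed, and the function names are assumptions. It recomputes membership after an attribute change so that the adds and removes the sync engine would have to export become visible, which is exactly the mechanism that keeps a leaver or a re-assigned employee out of a security group without anyone editing the group.

```python
"""Criteria-based (dynamic) group membership recalculated from user attributes.

Added illustration, not FIM code: membership of a criteria-based group is
derived from attributes, and a change to an attribute (employee type,
department) automatically adds or removes the member.  All users, groups
and criteria below are constructed for the example.
"""
import operator

# Constructed user records keyed by account name.
USERS = {
    "sdearing": {"employeeType": "FTE", "department": "Finance", "manager": "bjones"},
    "intern01": {"employeeType": "Intern", "department": "Finance", "manager": "bjones"},
    "bjones": {"employeeType": "FTE", "department": "Finance", "manager": "ceo"},
    "ext42": {"employeeType": "Contractor", "department": "IT", "manager": "ceo"},
}

# Clause operators: a clause is (attribute, op, expected).
OPS = {"eq": operator.eq, "in": lambda value, choices: value in choices}

GROUPS = {
    # Security group: full-time Finance staff only.
    "Finance-FTE": [("department", "eq", "Finance"), ("employeeType", "eq", "FTE")],
    # Distribution list: everyone who is not an external contractor.
    "All-Staff-DL": [("employeeType", "in", ("FTE", "Intern"))],
}


def criteria_members(users, criteria):
    """Members are all users whose attributes satisfy every clause.  A user
    missing the attribute fails the clause instead of matching by accident."""
    members = set()
    for name, attrs in users.items():
        if all(attr in attrs and OPS[op](attrs[attr], expected)
               for attr, op, expected in criteria):
            members.add(name)
    return members


def manager_members(users, manager):
    """Manager-based membership: everyone whose manager is the given account."""
    return {name for name, attrs in users.items() if attrs.get("manager") == manager}


def membership_delta(before, after):
    """Adds and removes that would be exported after a recalculation."""
    return {"add": sorted(after - before), "remove": sorted(before - after)}


def recalc_after_change(users, groups, account, new_attrs):
    """Apply an attribute change to one account and return (per-group delta,
    updated users).  This is the step that turns an HR update into group
    adds/removes without a group owner touching the group."""
    before = {g: criteria_members(users, c) for g, c in groups.items()}
    updated = {**users, account: {**users[account], **new_attrs}}
    after = {g: criteria_members(updated, c) for g, c in groups.items()}
    return {g: membership_delta(before[g], after[g]) for g in groups}, updated


if __name__ == "__main__":
    for g, c in GROUPS.items():
        print(g, sorted(criteria_members(USERS, c)))
    print("reports of bjones:", sorted(manager_members(USERS, "bjones")))
    delta, _ = recalc_after_change(USERS, GROUPS, "sdearing", {"employeeType": "Contractor"})
    print("after sdearing becomes a contractor:", delta)
```

Note the asymmetry the example makes visible: a manual group only changes when an owner or an approved request changes it, whereas a criteria-based group follows the attribute. That is why the ownership of the attributes the criteria read (employeeType, department) matters as much as the group's own approval policy.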

Page 17:

Group Management Demo

Page 18:

Identity Stores and Management Agents (type of system: management agents)

Network operating systems and directory services:
• Active Directory Domain Services 2000, 2003, 2003 R2, 2008, 2008 R2
• Active Directory Lightweight Directory Services (AD LDS) 2000, 2003, 2003 R2, 2008, 2008 R2
• Active Directory Global Address List (GAL): Exchange 2000, 2003, 2007, 2010
• IBM Tivoli Directory Server up to version 6.2
• Novell eDirectory v8.7.3, v8.8
• Sun ONE and Netscape Directory Servers v5.1, v5.2
• IBM Directory Server v6.0, v6.2

Certificate and Smart Card Management:
• FIM Certificate Management

E-mail and messaging:
• Exchange Server 2007 and 2010 (use AD Management Agent)
• Lotus Notes v6.5, v7.0 (32-bit Lotus Notes Client)

Databases:
• Microsoft SQL Server 2000, 2005, 2008
• IBM DB2 Universal Database 9.1 and 9.5 (64-bit client v9.5 FP5 or v9.7 FP1 required)
• Oracle Database 10g (64-bit client)

File-based (1):
• Attribute value pairs
• CSV
• Delimited
• Fixed width
• Directory Services Markup Language (DSML) 2.0
• LDAP Interchange Format (LDIF)

(1) These file formats allow for integration with a variety of applications, databases, telephone switches, X.500 systems, mainframe and metadirectory products, or underlying systems that can produce a file for import and export.

Other:
• SAP R/3 Enterprise (4.7), mySAP 2004 (ECC 5.0) (32-bit client)
• XML-based systems
• Extensible Management Agent for custom connectivity to other systems

Page 19:

Certificate and Smart card management

• Increase access security beyond username and password solutions
• Streamline deployment by enrolling user and computer certificates without user intervention
• Simplify certificate and SmartCard management using Forefront Identity Manager (FIM)
• Enhance remote access security through certificates with Network Access Protection
• Stronger authentication through certificates for administrative access and management

Diagram (HR System, FIM, FIM CM, Active Directory Certificate Services (AD CS), End User with User ID and Password / SmartCard), in order:
• User Enrollment and Authentication request sent by HR System
• FIM policy triggers request for FIM CM to issue certificate or SmartCard
• User is validated using multi-factor authentication
• FIM Certificate Management (CM) requests certificate creation from AD CS
• Certificate is issued to user and written to either machine or smart card

Page 20:

It’s all about trust

• Authentication: “I am the employee you know as Mary”
• Digital Signature: “This content hasn’t changed since I signed it”
• Encryption: “No one but Mary can see this content”

Page 21:

FIM 2010 CM Functionality

• Single administration point for smart cards & digital certificates
• User self-service capabilities to help reduce helpdesk burden
• Configurable policy-based workflows for common tasks: enroll / renew / update; personalize smart card; recover / smart card replacement; issue temporary / duplicate smart card; revoke / retire / disable smart card
• Detailed auditing and reporting capabilities
• Support for centralized, decentralized and self-service scenarios
• Extensibility to support additional authentication technologies including one time password (OTP) devices, physical access cards & biometrics
• Tightly integrated with Active Directory and Certificate Services

Page 22:

FIM 2010 + FIM 2010 CM

Components: AuthN & AuthZ Workflows, Delegation & Permissions, Action Workflow, Service DB, Sync DB, Management Agents, Identity Stores, FIM CM

Flow:
• New user added in HR app
• Does user have permission to add user to FIM?
• FIM manages manager and dept head approvals
• Once approved, changes committed to ILM app store
• FIM sends welcome and confirmation e-mails
• FIM syncs to external identity stores
• Sync receives request
• FIM CM: approval workflows, card created & printed, certificates requested
• Self-service notification and One Time Password sent to end user
• End user downloads certificates onto smart card

Page 23:

Microsoft Solution Components

Legend: Forefront Identity Manager; Windows Server AD Certificate Services; AD Domain Services

• Certificate Authority: issue, renew, revoke certs
• Revocation info: Certificate Revocation List, Online Responder; revocation check (certs revoked?)
• Active Directory: certificate templates, policy; auto-publish and auto-enroll
• Client PC: enrollment, renewal
• FIM CM client / web kiosk: self-service smart card management, smartcard personalization
• Workflows, profiles for smart card deployment and management

Page 24:

FIM 2010 CM Architecture

Physical Architecture: FIM CM Server, Microsoft CA’s, SQL, AD, E-mail, End User

Component Architecture:
• Microsoft Certificate Authority: FIM-CM Policy Module, FIM-CM Exit Module
• Internet Information Server: FIM-CM Web App, FIM-CM AD Integration
• End User: Internet Explorer, FIM-CM Browser Control, Smart Card Middleware

Page 25:

CLM Demo

Page 26:

Technical Deployment Opportunities

• FIM is very extensible
• Infrastructure footprint can start small and scale up
• FIM Sync is agentless
• Amount of custom development required is minimized and is well encapsulated to empower administrators
• No need to learn a new programming language: use C# or VB.NET

Page 27:

More information

• TechCenter on TechNet: http://technet.microsoft.com/en-us/FIM/default.aspx
• Product Page: http://www.microsoft.com/FIM
• TechNet Forum: http://social.technet.microsoft.com/Forums/en-US/FIM2/threads
• Additional Technical information: http://www.microsoft.com/Forefront/identitymanager/en/us/technical-resources.aspx
