Post on 21-Jan-2016

Forefront Identity Manager 2010

From Identity Synchronization to Identity Management

Federico Guerrini

IDA TSP, EMEA Incubation Team, federico.guerrini@microsoft.com

Agenda

• Forefront Identity Manager (FIM) 2010 history and evolution

• Identity Synchronization: the IT-centric approach

• Identity Management : the Business-centric approach

• FIM 2010 Solutions: deploying identity management solutions quickly and effectively

FIM 2010 History: FIM 2010’s Heritage

ILM & FIM History

[Timeline diagram: Once upon a time… MIIS and CLM Beta. Yesterday: ILM 2007 (MIIS + CLM). Today: FIM 2010, with User Management, Group Management, Credential Management and Policy Management.]

Problem #1: User Provisioning

[Diagram: the IT ADMIN sits between four systems. Human Resources holds Name, Employee ID, Cost center, Manager, Roles; Email holds Name, Email Alias, Mailbox settings; Active Directory holds Name, Domain Account, Manager, Email; App Servers hold App Account, App profile 1, App profile 2, App profile 3. Open questions: Security? Compliancy? Productivity/Cost Reduction? Reporting? Product: FIM 2010.]

Problem #2: Certificate and Smart Card Lifecycle Management

[Diagram: the IT ADMIN sits between Email, App servers, Active Directory and Human Resources. Certificate uses: smart card logon, digitally signed email, encrypted data, certificate-based web auth. Open questions: Certificate renewal? Lost smart card? Forgotten PIN? Blocked smart card? Product: FIM-CM 2010.]

Session Focus: User Provisioning

[Diagram: the same user-provisioning picture as Problem #1, with Human Resources (Name, Employee ID, Cost center, Manager, Roles), Email (Name, Email Alias, Mailbox settings), Active Directory (Name, Domain Account, Manager, Email), App stores (App Account, App profile 1, 2, 3), the IT ADMIN in the middle and the questions Security? Compliancy? Productivity/Cost Reduction? Reporting?]

Identity Synchronization

The “IT-Centric” Approach

IT-Centric Approach: Identity Synchronization

[Diagram: Human Resources (Name, Employee ID, Cost center, Manager, Roles), Email (Name, Email Alias, Mailbox settings), Active Directory (Name, Domain Account, Manager, Email) and App stores (App Account, App profile 1, 2, 3) are all connected to a Meta Directory + Synch Engine, which holds the aggregated record: Name, Employee ID, Cost center, Manager, Roles, Email Alias, Domain Account, App Account, App Profile 1, App Profile 2, App Profile 3.]

Identity Synchronization Example

[Diagram: the same Meta Directory + Synch Engine picture, with App servers in place of App stores, annotated with flow steps 1, 2, 3 and 4.]

Synch Engine Logical Architecture

[Diagram: Connected Directories ↔ Management Agents ↔ Synch Engine + Repository.]
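The slides only show the four numbered steps and the three architectural layers; the following toy model is an added example, written for this transcript and not code from the presentation or from the FIM product, of how a metadirectory run moves data from connected directories through management agents into a single aggregated record and back out as provisioning. All directory contents are constructed, and the attribute-precedence table, the join-on-Name rule and the "first initial plus surname" account-naming rule are assumptions made for the example. One design point worth noticing is that only the HR connector is allowed to project a new identity: an account that exists only in Active Directory is left as a disconnector rather than silently becoming a person.

```python
from copy import deepcopy

# Constructed sample contents of the four connected directories on the slide,
# keyed by each directory's own anchor attribute. None of this is real data.
HR = {
    "E1001": {"Name": "Alice Rossi", "EmployeeID": "E1001", "CostCenter": "CC-42",
              "Manager": "Carla Bianchi", "Roles": ["Finance"]},
    "E1002": {"Name": "Bob Chen", "EmployeeID": "E1002", "CostCenter": "CC-17",
              "Manager": "Carla Bianchi", "Roles": ["Sales"]},
}
AD = {"arossi": {"Name": "Alice Rossi", "DomainAccount": "arossi", "Manager": "",
                 "Email": "alice.rossi@corp.example"}}
EMAIL = {"alice.rossi": {"Name": "Alice Rossi", "EmailAlias": "alice.rossi",
                         "MailboxSettings": "quota=2GB"}}
APP = {}
DIRECTORIES = {"HR": HR, "AD": AD, "EMAIL": EMAIL, "APP": APP}
ORDER = ["HR", "AD", "EMAIL", "APP"]

# Attribute precedence (assumed): for each metaverse attribute, the first listed
# directory that holds a value wins. HR is authoritative for identity data.
PRECEDENCE = {
    "Name": ["HR", "AD", "EMAIL"], "EmployeeID": ["HR"], "CostCenter": ["HR"],
    "Manager": ["HR", "AD"], "Roles": ["HR"], "DomainAccount": ["AD"], "Email": ["AD"],
    "EmailAlias": ["EMAIL"], "MailboxSettings": ["EMAIL"], "AppAccount": ["APP"],
}


def import_all(directories):
    """Step 1: each management agent stages a copy of its directory (connector space)."""
    return {name: deepcopy(objs) for name, objs in directories.items()}


def join_and_project(cs):
    """Step 2: join connector-space records to metaverse objects on Name. Only HR may
    project a new identity; an account that exists only in AD stays a disconnector."""
    metaverse, links = {}, {}
    for directory in ORDER:
        for anchor, rec in cs[directory].items():
            mv_id = next((m for m, o in metaverse.items() if o["Name"] == rec["Name"]), None)
            if mv_id is None:
                if directory != "HR":
                    continue
                mv_id = "mv-" + rec["EmployeeID"]
                metaverse[mv_id] = {"Name": rec["Name"]}
            links.setdefault(mv_id, {})[directory] = anchor
    return metaverse, links


def flow_attributes(cs, metaverse, links):
    """Step 3: import attribute flow into the metaverse, honouring precedence."""
    for mv_id, obj in metaverse.items():
        for attr, sources in PRECEDENCE.items():
            for directory in sources:
                anchor = links[mv_id].get(directory)
                if anchor is not None and cs[directory][anchor].get(attr):
                    obj[attr] = cs[directory][anchor][attr]
                    break
    return metaverse


def export_provisioning(cs, metaverse, links):
    """Step 4: synchronization rules create the missing AD, mailbox and app objects and
    push authoritative attributes back out. Returns the list of pending exports."""
    changes = []
    for mv_id in sorted(metaverse):
        obj, linked = metaverse[mv_id], links[mv_id]
        first, last = obj["Name"].lower().split(" ", 1)
        alias = f"{first}.{last}"  # naming rule is an assumption of this example
        if "AD" not in linked:
            changes.append(("AD", "create", {"DomainAccount": first[0] + last, "Name": obj["Name"],
                                             "Manager": obj["Manager"], "Email": f"{alias}@corp.example"}))
        elif cs["AD"][linked["AD"]].get("Manager") != obj["Manager"]:
            changes.append(("AD", "update", {"DomainAccount": linked["AD"], "Manager": obj["Manager"]}))
        if "EMAIL" not in linked:
            changes.append(("EMAIL", "create", {"EmailAlias": alias, "MailboxSettings": "quota=2GB"}))
        if "APP" not in linked:
            changes.append(("APP", "create", {"AppAccount": alias, "AppProfile1": obj["CostCenter"],
                                              "AppProfile2": ",".join(obj["Roles"])}))
    return changes


def run_sync(directories=DIRECTORIES):
    """Run one full import / join / flow / export cycle and return (metaverse, pending exports)."""
    cs = import_all(directories)
    metaverse, links = join_and_project(cs)
    flow_attributes(cs, metaverse, links)
    return metaverse, export_provisioning(cs, metaverse, links)


if __name__ == "__main__":
    mv, pending = run_sync()
    for change in pending:
        print(change)
```

Running it on the constructed data yields five pending exports: Alice, who already has AD and mailbox objects, gets her AD Manager corrected from the authoritative HR value and an app account created; Bob, new in HR, gets an AD account, a mailbox and an app account. That is exactly the rule-driven provisioning the next slide's IT admin complains about: every outcome here is a consequence of a fixed synchronization rule, with no place for a human decision or request.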

The IT-Centric Approach: Summary

[Diagram: the Meta Directory + Synch Engine picture again, annotated with flow steps 1 to 4.]

IT ADMIN: “My organization is far too complex for each and every provisioning process to be described by a synchronization rule!!”

• Provisioning processes triggered by modifications on connected directories

• Provisioning processes driven by synchronization rules

Identity Management

The “Business-Centric” Approach

Focus on Business Processes

Empowering People
• Users must be given the power to trigger, participate in and drive provisioning processes

Delivering Agility and Efficiency
• Route users’ requests to appropriate decision makers
• Offload IT admin from dealing with users’ requests

Increasing Security and Compliance
• Rich permissions and delegation model
• System auditing and compliance

How FIM 2010 Extends the Identity Synch Approach

• Workflow support
− FIM 2010 can automate business processes for managing user identities and their entitlements

• Self-service and delegation
− FIM 2010 provides high-level interfaces for end users to request provisioning access to resources, either for themselves or on someone else’s behalf

• Policy management
− FIM 2010 enables IT professionals to create and maintain provisioning policies through simplified, graphical, web-based interfaces

FIM 2010 Logical Architecture

FIM 2010 introduces a new repository, referred to as the “Object Store”, connected to the ILM 2007 Metadirectory & Synch layer via a dedicated MA.

The FIM 2010 underlying synchronization engine stays the same as in the current version (ILM 2007).

FIM 2010 introduces a web portal that provides self-service functionalities, workflows, policy management and GUI-based configuration wizards.

[Diagram: Object Store, FIM 2010 MA, WSS (Windows SharePoint Services, which hosts the portal).]

FIM 2010 Solutions: Deploying core IDA capabilities quickly

Policy Management

• Management Policy Rules: formal description of business processes for managing users, resources, entitlements

• Typical MPR: when a new employee is hired
− AD and RACF accounts created
− Mailbox created
− Notification sent to employee’s manager
− Requests for relevant group memberships sent to owners
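The "typical MPR" above is a business process, but a Management Policy Rule is also an authorization boundary: it states who may perform which operation on which resources, and which workflows run as a result. The following is an added example written for this transcript, not code from the deck or from FIM itself, that models that structure in Python. The rule names, the "HR Feed" requestor role, the attribute names and the requests are all constructed; the property being demonstrated is default deny, meaning that a request no rule grants is rejected before any workflow runs.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set


@dataclass
class Request:
    requestor: dict                                 # attributes of the account submitting the request
    operation: str                                  # "Create", "Update" or "Delete"
    target: dict                                    # the resource being created or changed
    changed: Set[str] = field(default_factory=set)  # attributes touched by an Update


@dataclass
class MPR:
    """One Management Policy Rule: who (requestor set) may do what (operation,
    attributes) to which resources (target set), and which workflows then run.
    The field layout mirrors the concepts on the slide; it is not FIM's schema."""
    name: str
    requestor_set: Callable[[dict, dict], bool]   # (requestor, target) -> bool
    operation: str
    target_set: Callable[[dict], bool]
    attributes: Optional[Set[str]]                # None = any attribute (used for Create)
    action_workflows: List[str]

    def grants(self, req: Request) -> bool:
        # Every attribute an Update touches must be inside the rule's attribute set,
        # so a request that bundles a sensitive attribute with a harmless one is refused.
        return (self.operation == req.operation
                and self.requestor_set(req.requestor, req.target)
                and self.target_set(req.target)
                and (self.attributes is None or req.changed <= self.attributes))


def is_person(t: dict) -> bool:
    return t.get("ObjectType") == "Person"


# Constructed policy set: the onboarding MPR from the slide plus one self-service rule.
POLICY = [
    MPR("New employee onboarding",
        requestor_set=lambda r, t: r.get("Role") == "HR Feed",
        operation="Create",
        target_set=lambda t: is_person(t) and t.get("EmployeeType") == "Employee",
        attributes=None,
        action_workflows=["Create AD account", "Create RACF account", "Create mailbox",
                          "Notify manager", "Request group memberships from owners"]),
    MPR("Self-service profile update",
        requestor_set=lambda r, t: r.get("ObjectID") == t.get("ObjectID"),
        operation="Update",
        target_set=is_person,
        attributes={"MobilePhone", "OfficeLocation"},
        action_workflows=["Apply change"]),
]


def evaluate(req: Request, policy=POLICY):
    """Return (authorized, workflows). A request no MPR grants is denied outright and
    triggers nothing; workflows from all granting rules run, without duplicates."""
    granted = [m for m in policy if m.grants(req)]
    if not granted:
        return False, []
    workflows: List[str] = []
    for m in granted:
        workflows.extend(w for w in m.action_workflows if w not in workflows)
    return True, workflows


if __name__ == "__main__":
    hr_feed = {"ObjectID": "svc-hr", "Role": "HR Feed"}
    new_hire = {"ObjectID": "u-1001", "ObjectType": "Person", "EmployeeType": "Employee"}
    print(evaluate(Request(hr_feed, "Create", new_hire)))
```

Two of the denials are the ones a reviewer should look for in any real policy set: an ordinary user creating a Person object, and a user updating their own record but including Manager among the changed attributes. Both fall through every rule and are refused, which is what keeps the self-service slide's "non-security-sensitive attributes" boundary meaningful.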

Policy Management - Demo

Group Management

• Dynamic groups / DLs
− Membership calculated based on user attributes
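A dynamic group has no stored member list: membership is the result of evaluating a filter over the current user attributes, so it changes whenever those attributes do. The block below is an added example written for this transcript, not code from the deck or from FIM; FIM expresses such filters in XPath against the object store, and plain Python predicates stand in for them here. The users, groups and attribute names are constructed.

```python
import copy

# Constructed sample user records (the attributes HR/AD would supply); not real data.
USERS = {
    "u-1001": {"Name": "Alice Rossi", "Department": "Finance", "Office": "Milan", "IsManager": False},
    "u-1002": {"Name": "Bob Chen", "Department": "Sales", "Office": "Milan", "IsManager": True},
    "u-1003": {"Name": "Carla Bianchi", "Department": "Finance", "Office": "Rome", "IsManager": True},
}

# Membership filters, one per dynamic group / DL (predicates stand in for XPath filters).
GROUP_FILTERS = {
    "Finance-Milan": lambda u: u["Department"] == "Finance" and u["Office"] == "Milan",
    "All-Managers": lambda u: bool(u["IsManager"]),
    "Finance-All": lambda u: u["Department"] == "Finance",
}


def compute_membership(users, filters=GROUP_FILTERS):
    """Membership is derived, never stored: re-evaluate every filter over every user."""
    return {g: {uid for uid, attrs in users.items() if pred(attrs)} for g, pred in filters.items()}


def apply_attribute_change(users, uid, attr, value, filters=GROUP_FILTERS):
    """Change one user attribute on a copy and report which memberships changed as a
    result, the kind of diff a sync run would export to the directory.
    Returns (updated users, new membership map, audit events as (group, user, action))."""
    updated = copy.deepcopy(users)
    updated[uid][attr] = value
    before, after = compute_membership(users, filters), compute_membership(updated, filters)
    events = []
    for g in filters:
        for u in sorted(after[g] - before[g]):
            events.append((g, u, "added"))
        for u in sorted(before[g] - after[g]):
            events.append((g, u, "removed"))
    return updated, after, events


if __name__ == "__main__":
    _, membership, audit = apply_attribute_change(USERS, "u-1001", "Office", "Rome")
    print(membership)
    print(audit)
```

The audit list is the part to keep: because membership, and therefore whatever access the group grants, is computed from attributes, whoever can write those attributes effectively controls the group. That is why the user-management slide later restricts self-service to non-security-sensitive attributes, and why changes to attributes used in group filters deserve the same review as direct membership changes.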

Group Management - Demo

Credential Management

• Self-service password reset integrated in Windows Logon

• Default password reset workflow based on “security questions”
− Can be customized

Credential Management - Demo

User Management

• Self-service user portal
− Delegate to end users the maintenance of non-security-sensitive attributes

• Self-service group management tools
− “Add me to” Group / DL
− Office Integration

User Management - Demo

Q & A

© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.