Microsoft Forefront Identity Manager 2010

Elton AGOLLI
Chief of Infrastructure Section
TETRA Solutions
eagolli@tetra.al
Agenda
• Customer challenges
• Microsoft’s Identity and Access Strategy
• Identity and Access Management
  − The business challenges
  − How Identity Manager addresses the challenges
  − Scenarios
• Summary
• Resources
Identity & Access Customer Challenges
Challenge areas: Compliance, Business Agility, Operational Efficiency, IT Security
• Compliance with regulatory requirements
• Reducing help desk burden for end user requests
• Auditable processes for granting access to resources
• Managing the complexity of distributed identity information
• Enabling new high business value scenarios
• Integrated user provisioning & credential management
• Supporting mergers, acquisitions & reorganizations
• Ensuring that only authorized users can access resources
Business Ready Security Solutions
• Secure Messaging
• Secure Collaboration
• Secure Endpoint
• Information Protection
• Identity and Access Management
Active Directory Federation Services
IDENTITY AND ACCESS MANAGEMENT
Business and IT Challenges
Identity and Access Management lifecycle:
Create
• Provision user
• Provision credentials
• Provision resources
Policy Management
• Policy authoring
• Policy enforcement
• Approvals and notifications
• Audit trails
Update
• Role changes
• Password and PIN reset
• Resource requests
Retire
• De-provision identities
• Revoke credentials
• De-provision resources
Identity Lifecycle Manager -> Forefront Identity Manager
ILM 2007 feature areas: Identity Synchronization, User Provisioning, Certificate and Smartcard Management
FIM 2010 feature areas: User Management, Credential Management, Group Management, Policy Management
Common Platform: Workflow, Connectors, Logging, Web Service API, Synchronization
FIM 2010 additions:
• Office Integration for Self-Service
• Support for 3rd Party CAs
• Codeless Provisioning
• Group & DL Management
• Workflow and Policy
Version Feature Comparison
Feature                                        | MIIS 2003 | ILM 2007    | FIM 2010
Identity synchronization                       | X         | X           | X
Password synchronization                       | X         | X           | X
Policy authoring and editing solution          |           |             | X
Policy enforcement                             |           | ILM-CM only | X
Delegation management solution                 |           |             | X
User provisioning solution                     |           |             | X
Certificate and smart card management solution |           | X           | X
Group management solution                      |           |             | X
DL management solution                         |           |             | X
Workflow                                       |           | ILM-CM only | X
Self-service password reset                    |           | ILM-CM only | X
Localized                                      | X         | X           | X
Forefront Identity Manager - Key Feature Areas
Policy Management
• SharePoint-based console for policy authoring, enforcement & auditing
• Extensible WS-* APIs and Windows Workflow Foundation workflows
• Heterogeneous identity synchronization and consistency
Credential Management
• Heterogeneous certificate management with 3rd party CAs
• Management of AD credentials
• Self-service password reset integrated with Windows logon
User Management
• Integrated provisioning of identities, credentials, and resources
• Automated, declarative user provisioning and de-provisioning
• Self-service profile management
Group Management
• Rich Office-based self-service group management tools
• Offline approvals through Office
• Automated group and distribution list updates
Forefront Identity Manager 2010 Architecture
(Architecture diagram; the layers and components it shows are listed here.)
Solutions: Group Mgmt, Credential Mgmt, User Mgmt, Policy Mgmt
FIM Client Experiences: FIM Portal, Outlook, Windows, ILM-CM Portal, Custom
FIM Service and Portal:
• FIM Service with App DB: Request Processor, Delegation & Permissions, AuthN Workflow, AuthZ Workflow, Action Workflow
• ILM Sync with Sync DB and Adapters
• ILM-CM (Cert Mgmt) with ILM-CM DB
Identity and data stores: Directories, Applications, Databases, E-Mail Systems
USER SCENARIOS
End User Scenarios
Policy Management
• Automatic routing of multiple approvals
• Approval process through Office
• Audit trail of approvals
Credential Management
• Integration with Windows logon
• No need to call help desk
• Faster time to resolution
User Management
• Automatic updating of business applications
• No need to call help desk
• Faster time to resolution
Group Management
• Request process through Office
• No waiting for help desk
• Faster time to resolution
IT Administrator Scenarios
Policy Management
• Centralized management
• Automatic policy enforcement across systems
Credential Management
• Generation and delivery of initial one-time use password
• Integration of smart card & cert enrollment with provisioning
User Management
• Automatic policy enforcement across systems
• Management of role changes & retirements
Group Management
• Automatic management of group membership
• Secure access to departmental resources, with audit trail
Customizable Identity Portal
SharePoint-based Identity Portal for Management and Self Service
How you extend it:
• Add your own portal pages or web parts
• Build new custom solutions
• Expose new attributes to manage by extending FIM schema
• Choose SharePoint theme to customize look and feel
New Employee Scenario
HR SYSTEM record:
• Given Name: Melissa
• Surname: Meyers
• Title: Analyst
• Department: Finance
• Employee ID: 122145
• Employee type: Full Time
• email: mmeyers@contoso.com
Flow: HR System -> FIM 2010 (FIM provisioning policy applied, manager approval) -> workflow "Create user" provisions the account to: Mainframe, Finance Application, Active Directory, Exchange, Finance Portal, Smart Card, iPlanet
Employee Transition Scenario
HR SYSTEM record change (before -> after):
• Given Name: Melissa
• Surname: Meyers
• Title: Analyst -> Group Marketing Manager
• Department: Finance -> Marketing
• Employee ID: 122145
• Employee type: Full Time
• email: mmeyers@contoso.com
Flow: HR System -> FIM 2010 (FIM provisioning policy applied) -> target systems updated: Mainframe, Active Directory, Exchange, Smart Card, iPlanet; access to the Finance Application and Finance Portal is replaced by the Marketing Application and Marketing Portal
Separation/Fire Scenario
HR SYSTEM record change:
• Given Name: Melissa
• Surname: Meyers
• Title: Group Marketing Manager
• Department: Finance
• Employee ID: 122145
• Employee type: Full Time -> Terminated
• email: mmeyers@contoso.com
Flow: HR System -> FIM 2010 (FIM provisioning policy applied) -> separation policy applied across: Mainframe, Active Directory, Marketing Application, Exchange, Marketing Portal, Smart Card, iPlanet
FIM 2010 In Action
Self-service password management
• User forgets password; requests a password reset at Windows logon and answers the Q/A challenge
• FIM receives the request as XML
• Request Processor, Delegation & Permissions: does the user have permission to reset the password?
• AuthN & AuthZ workflows: FIM validates the Q/A response from the user
• Action workflow: FIM makes the call to reset the password in AD
• Changes committed to the FIM app store (Service DB)
• FIM syncs the new password to the external identity stores (Sync DB, management agents, identity stores)
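The reset flow above modelled in Python, as an added example that is not FIM's code or API: the permission check, the Q/A validation with lockout, the reset and sync, and the audit entry each step leaves. The class and function names, the PBKDF2 parameters and the lockout threshold are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

ITERATIONS = 100_000   # PBKDF2 work factor (assumed value)
MAX_FAILURES = 3       # lockout threshold (assumed policy value)

def _hash_answer(answer: str, salt: bytes) -> bytes:
    # Normalise case and whitespace, then salt and stretch so stored
    # answers cannot be recovered if the service DB is copied.
    norm = answer.strip().lower().encode()
    return hashlib.pbkdf2_hmac("sha256", norm, salt, ITERATIONS)

@dataclass
class UserRecord:
    name: str
    can_self_reset: bool          # granted by Delegation & Permissions policy
    answers: dict = field(default_factory=dict)   # question -> (salt, hash)
    failures: int = 0
    audit: list = field(default_factory=list)
    def register_answers(self, qa: dict) -> None:
        for question, answer in qa.items():
            salt = os.urandom(16)
            self.answers[question] = (salt, _hash_answer(answer, salt))

def reset_password(user: UserRecord, given: dict, new_password: str, stores: dict) -> str:
    """Run one request through the pipeline; stores maps name -> {user: password}."""
    # 1. Delegation & Permissions: may this user reset their own password at all?
    if not user.can_self_reset:
        user.audit.append("denied: no self-service reset permission")
        return "denied"
    # 2. AuthN workflow: lockout first, then validate every registered answer
    #    without short-circuiting, so timing does not reveal which one failed.
    if user.failures >= MAX_FAILURES:
        user.audit.append("denied: locked out")
        return "locked"
    checks = [hmac.compare_digest(_hash_answer(given.get(q, ""), salt), digest)
              for q, (salt, digest) in user.answers.items()]
    if not checks or not all(checks):
        user.failures += 1
        user.audit.append("authn failed (%d/%d)" % (user.failures, MAX_FAILURES))
        return "authn_failed"
    # 3. Action workflow: reset in AD, commit, then sync to every other store.
    user.failures = 0
    for store in stores.values():
        store[user.name] = new_password
    user.audit.append("password reset; synced to %d stores" % len(stores))
    return "reset"
```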
FIM 2010 In Action
Self-service smart card provisioning
• New user added in HR app; Sync receives the request (Sync DB, management agents)
• Delegation & Permissions: does the user have permission to add a user to FIM?
• AuthN & AuthZ workflows: FIM manages manager and department head approvals (approval workflows)
• Once approved, changes committed to the ILM app store (Service DB)
• Action workflow: FIM syncs to external identity stores (Sync DB, management agents, identity stores) and sends welcome and confirmation e-mails
• FIM CM: card created & printed, certificates requested; self-service notification and One Time Password sent to end user; end user downloads certificates onto smart card
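The three HR scenarios (new employee, transition, separation) and the approval-gated provisioning flow just described, modelled as a declarative policy in Python. This is an added example, not FIM's own code or API; the policy table, the function names and the rule that revocations never wait for approval are assumptions.

```python
from dataclasses import dataclass, field

# Assumed policy modelled on the slides: every active employee gets the
# baseline systems plus the systems for their department.
BASELINE = {"Mainframe", "Active Directory", "Exchange", "Smart Card", "iPlanet"}
BY_DEPARTMENT = {
    "Finance": {"Finance Application", "Finance Portal"},
    "Marketing": {"Marketing Application", "Marketing Portal"},
}

def expected_resources(hr: dict) -> set:
    """Declarative rule: which systems this HR record entitles the person to."""
    if hr["employee_type"] == "Terminated":
        return set()          # separation: nothing survives, whatever the department
    return BASELINE | BY_DEPARTMENT.get(hr["department"], set())

@dataclass
class Identity:
    employee_id: str
    resources: set = field(default_factory=set)
    audit: list = field(default_factory=list)

def apply_hr_change(ident: Identity, hr: dict, approved: bool) -> dict:
    """Reconcile the identity's resources with policy and record an audit trail."""
    wanted = expected_resources(hr)
    to_add = wanted - ident.resources
    to_remove = ident.resources - wanted
    pending = set()
    # Grants wait for manager approval; revocations never do, so stale access is not kept.
    if to_add and not approved:
        pending, to_add = to_add, set()
        ident.audit.append(f"{ident.employee_id}: awaiting approval for {sorted(pending)}")
    for r in sorted(to_remove):
        ident.audit.append(f"{ident.employee_id}: de-provisioned {r}")
    for r in sorted(to_add):
        ident.audit.append(f"{ident.employee_id}: provisioned {r}")
    ident.resources = (ident.resources - to_remove) | to_add
    return {"provisioned": sorted(to_add), "deprovisioned": sorted(to_remove), "pending": sorted(pending)}

def run_melissa_lifecycle() -> Identity:
    """Constructed HR records for the three slide scenarios, applied in order."""
    hr = {"employee_id": "122145", "title": "Analyst", "department": "Finance",
          "employee_type": "Full Time"}
    ident = Identity(hr["employee_id"])
    apply_hr_change(ident, hr, approved=True)    # new employee: manager approved
    hr.update(title="Group Marketing Manager", department="Marketing")
    apply_hr_change(ident, hr, approved=True)    # transition
    hr.update(employee_type="Terminated")
    apply_hr_change(ident, hr, approved=False)   # separation: no approval needed
    return ident
```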
Self-Service Group Management
Situation: User needs to join the Fabrikam Project Virtual Team group
Without Forefront Identity Manager 2010
Melissa Meyers, Business User
• Activity: Calls help desk
• Costs to the Business: Lost productivity; no resource access when she needs it
Chad Rice, Accounts Administrator
• Activity: Manually edits AD Users and Computers to add user to group
• Costs to the Business: Risk of error and policy non-compliance; cost of manual administration
Self-Service Group Management
Situation: User needs to join the Fabrikam Project Virtual Team group
With Forefront Identity Manager 2010
Chad Rice, Accounts Administrator
• Activity: Uses FIM to establish group management policies and workflows
• Business Benefits: Efficiency; Security; Compliance
Melissa Meyers, Business User
• Activity: Requests to join Group from Outlook; FIM routes approvals and grants appropriate access
• Business Benefits: User productivity; enables effective business interactions
Create Distribution List
Unauthorized User Attribute Change
Situation: IT accidentally makes an unauthorized change to a user’s title
Without Forefront Identity Manager 2010
HR Administrator, Samantha Smith
• Activity: Updates Megan Meyers’ title in SAP
Chad Rice, Accounts Administrator
• Activity: Asked to update Megan Meyers’ title in other systems; accidentally changes Melissa Meyers’ title in ADUC
• Costs to the Business: Risk of error and policy non-compliance; cost of manual admin
Ted Smith, Compliance Auditor
• Activity: Discovers the error in the manual audit process of the purchase order application
• Costs to the Business: Cost of manual auditing; delay in discovery of non-compliance
Unauthorized Change
Situation: IT accidentally makes an unauthorized change to a user’s title
With Forefront Identity Manager 2010
Chad Rice, Accounts Administrator
• Activity: Uses FIM to establish policies and workflows that include management of job title data
• Business Benefits: Efficiency; Security; Compliance
HR Administrator, Samantha Smith
• Activity: Updates Megan Meyers’ title in SAP; title change data flows to other systems that use it, per FIM policy
• Business Benefits: Efficiency; Compliance
Ted Smith, Compliance Auditor
• Activity: Uses FIM audit trail to audit approvals
• Business Benefits: Efficiency; Compliance
Summary: FIM 2010
Empowers People
• Provides Office-based self-service tools
• SharePoint admin console to manage identities
• Greater productivity through faster time to resolution
Delivers Agility and Efficiency
• Reduces costs through automation and self-service
• Maximizes existing investments in Identity Infrastructure
• Integrates with familiar developer tools to enable new scenarios
Increases Security and Compliance
• Integrates identity, credential, and access management
• Rich permissions and delegation model
• Enables system auditing and compliance
Resources
Learn more about Forefront Identity Manager
• FIM 2010 Product Page: http://www.microsoft.com/forefront/identitymanager
Learn about Microsoft Forefront Identity and Security
• Forefront Home Page: www.microsoft.com/forefront
Evaluate the Identity Manager
• Visit http://technet.microsoft.com/en-gb/evalcenter/cc872861.aspx
© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market
conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.