Microsoft Forefront Identity Manager 2010
Elton AGOLLI, Chief of Infrastructure Section, TETRA Solutions
email@example.com

Agenda
• Customer challenges
• Microsoft's Identity and Access Strategy
• Identity and Access Management
  − The business challenges
  − How Identity Manager addresses the challenges
  − Scenarios
• Summary
• Resources

Identity & Access Customer Challenges
Four dimensions: Compliance, Business Agility, Operational Efficiency, IT Security
• Compliance with regulatory requirements
• Reducing help desk burden for end user requests
• Auditable processes for granting access to resources
• Managing the complexity of distributed identity information
• Enabling new high business value scenarios
• Integrated user provisioning & credential management
• Supporting mergers, acquisitions & reorganizations
• Ensuring that only authorized users can access resources

Business Ready Security Solutions
• Secure Messaging
• Secure Collaboration
• Secure Endpoint
• Information Protection
• Identity and Access Management (Active Directory Federation Services®)

IDENTITY AND ACCESS MANAGEMENT: Business and IT Challenges

Identity and Access Management lifecycle
Create
• Provision user
• Provision credentials
• Provision resources
Policy Management
• Policy authoring
• Policy enforcement
• Approvals and notifications
• Audit trails
Update
• Role changes
• Password and PIN reset
• Resource requests
Retire
• De-provision identities
• Revoke credentials
• De-provision resources

Identity Lifecycle Manager -> Forefront Identity Manager
User Management: Identity Synchronization, User Provisioning, Codeless Provisioning
Credential Management: Certificate and Smartcard Management, Support for 3rd Party CAs
Group Management: Group & DL Management, Office Integration for Self-Service
Policy Management: Workflow and Policy
Common Platform: Workflow, Connectors, Logging, Web Service API, Synchronization

Version Feature Comparison
Feature                                         MIIS 2003   ILM 2007      FIM 2010
Identity synchronization                        X           X             X
Password synchronization                        X           X             X
Policy authoring and editing solution                                     X
Policy enforcement                                                        X
Delegation management solution                              ILM-CM only   X
User provisioning solution                                                X
Certificate and smart card management solution              X             X
Group management solution                                                 X
DL management solution                                                    X
Workflow                                                    ILM-CM only   X
Self-service password reset                                 ILM-CM only   X
Localized                                                   X             X

Forefront Identity Manager - Key Feature Areas
Policy Management
• SharePoint-based console for policy authoring, enforcement & auditing
• Extensible WS-* APIs and Windows Workflow Foundation workflows
• Heterogeneous identity synchronization and consistency
Credential Management
• Heterogeneous certificate management with 3rd party CAs
• Management of AD credentials
• Self-service password reset integrated with Windows logon
User Management
• Integrated provisioning of identities, credentials, and resources
• Automated, declarative user provisioning and de-provisioning
• Self-service profile management
Group Management
• Rich Office-based self-service group management tools
• Offline approvals through Office
• Automated group and distribution list updates

Forefront Identity Manager 2010 Architecture
• Solutions: Group Mgmt, Credential Mgmt, User Mgmt, Policy Mgmt
• FIM Client Experiences: Custom, ILM-CM Portal, Outlook, FIM Portal, Windows
• FIM Service and Portal: FIM Service (Request Processor, Delegation & Permissions, AuthN Workflow, AuthZ Workflow, Action Workflow), Custom, App DB
• ILM Sync: Sync DB, Adapters
• ILM-CM: Cert Mgmt, ILM-CM DB
• Identity and data stores: Directories, Applications, Databases, E-Mail Systems

USER SCENARIOS

End User Scenarios
Policy Management
• Automatic routing of multiple approvals
• Approval process through Office
• Audit trail of approvals
Credential Management
• Integration with Windows logon
• No need to call help desk
• Faster time to resolution
User Management
• Automatic updating of business applications
• No need to call help desk
• Faster time to resolution
Group Management
• Request process through Office
• No waiting for help desk
• Faster time to resolution

IT Administrator Scenarios
Policy Management
• Centralized management
• Automatic policy enforcement across systems
Credential Management
• Generation and delivery of initial one-time use password
• Integration of smart card & cert enrollment with provisioning
User Management
• Automatic policy enforcement across systems
• Management of role changes & retirements
Group Management
• Automatic management of group membership
• Secure access to departmental resources, with audit trail

Customizable Identity Portal
SharePoint-based Identity Portal for Management and Self Service
How you extend it
• Add your own portal pages or web parts
• Build new custom solutions
• Expose new attributes to manage by extending FIM schema
• Choose SharePoint theme to customize look and feel

New Employee Scenario
HR system record: Given Name Melissa; Surname Meyers; Title Analyst; Department Finance; Employee ID 122145; Employee type Full Time; email mmeyers@contoso.com
Flow: HR system -> manager approval -> FIM 2010 (FIM provisioning policy applied; workflow: Create user) -> Mainframe, Finance application, Active Directory, Exchange, Finance portal, Smart card, iPlanet

Employee Transition Scenario
HR system record changes: Title Analyst -> Group Marketing Manager; Department Finance -> Marketing (Given Name Melissa, Surname Meyers, Employee ID 122145, Employee type Full Time and email mmeyers@contoso.com unchanged)
Flow: HR system -> FIM 2010 (FIM provisioning policy applied) -> Mainframe, Active Directory, Finance application -> Marketing application, Exchange, Finance portal -> Marketing portal, Smart card, iPlanet

Separation/Fire Scenario
HR system record change: Employee type Full Time -> Terminated (Given Name Melissa, Surname Meyers, Title Group Marketing Manager, Department Finance, Employee ID 122145, email mmeyers@contoso.com)
Flow: HR system -> FIM 2010 (FIM provisioning policy applied) -> Mainframe, Active Directory, Marketing application, Exchange, Marketing portal, Smart card, iPlanet

FIM 2010 In Action: Self-service password management
• User forgets password
• Requests password reset at Windows logon and answers Q/A
• FIM receives XML (Request Processor)
• Does user have permission to reset password? (Delegation & Permissions)
• FIM validates Q/A response from user (AuthN & AuthZ Workflows)
• FIM makes call to reset password in AD (Action Workflow)
• Changes committed to FIM app store (Service DB)
• FIM syncs new password to external identity stores (Sync DB, Management Agents, Identity Stores)

FIM 2010 In Action: Self-service smart card provisioning
• New user added in HR app
• Sync receives request (Sync DB, Management Agents)
• Does user have permission to add user to FIM? (Delegation & Permissions)
• FIM manages manager and dept head approvals (AuthN & AuthZ Workflows)
• Once approved, changes committed to ILM app store (Service DB)
• FIM sends welcome and confirmation e-mails
• FIM syncs to external identity stores (Action Workflow, Sync DB, Management Agents, Identity Stores)
• FIM CM: approval workflows; card created & printed; certificates requested; self-service notification and One Time Password sent to end user; end user downloads certificates onto smart card

Self-Service Group Management
Situation: User needs to join the Fabrikam Project Virtual Team group
Without Forefront Identity Manager 2010 (Activity / Costs to the Business)
Melissa Meyers, Business User
• Calls help desk
• Lost productivity
• No resource access when she needs it
Chad Rice, Accounts Administrator
• Manually edits AD Users and Computers to add user to group
• Risk of error and policy non-compliance
• Cost of manual administration

Self-Service Group Management
Situation: User needs to join the Fabrikam Project Virtual Team group
With Forefront Identity Manager 2010 (Activity / Business Benefits)
Chad Rice, Accounts Administrator
• Uses FIM to establish group management policies and workflows
• Efficiency
• Security
• Compliance
Melissa Meyers,
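The three HR scenarios above (new employee, transition, separation) are one policy evaluation applied three times: compare what the HR record says the person should hold against what they hold now, and turn the difference into provision, de-provision and attribute-update actions. The Python model below is an added illustration written for this page; it is not FIM code and does not call the FIM web service. The resource names and the department-to-resource policy are assumptions read off the scenario slides, the HR records are constructed sample data, and the manager-approval gate for new hires mirrors the New Employee slide.

```python
"""Expected-state (declarative) provisioning for joiner / mover / leaver changes.

Added illustration for this page, not FIM code. Resource names, the department
policy and the approval rule are assumptions taken from the scenario slides;
the HR records are constructed sample data.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class HRRecord:
    employee_id: str
    given_name: str
    surname: str
    title: str
    department: str
    employee_type: str  # "Full Time" or "Terminated"
    email: str


# Resources every active employee receives (assumed from the slides' target systems)
BASELINE_RESOURCES: Set[str] = {"Mainframe", "Active Directory", "Exchange", "Smart card", "iPlanet"}
# Department-scoped resources (assumed policy)
DEPARTMENT_RESOURCES: Dict[str, Set[str]] = {
    "Finance": {"Finance application", "Finance portal"},
    "Marketing": {"Marketing application", "Marketing portal"},
}
# Attributes that flow from the HR record to connected systems (assumed)
SYNCED_ATTRIBUTES = ("title", "department", "email")

Action = Tuple[str, str]  # ("provision" | "deprovision" | "update", target)


def expected_resources(rec: HRRecord) -> Set[str]:
    """The declarative policy: what the record says the person should hold."""
    if rec.employee_type == "Terminated":
        return set()  # leaver: everything goes, no exceptions
    return BASELINE_RESOURCES | DEPARTMENT_RESOURCES.get(rec.department, set())


def plan_actions(before: Optional[HRRecord], after: HRRecord) -> List[Action]:
    """Diff the expected state before and after the HR change into ordered actions."""
    held = expected_resources(before) if before else set()
    wanted = expected_resources(after)
    actions: List[Action] = []
    # Revoke first so a mover never holds old and new department access at once
    actions += [("deprovision", r) for r in sorted(held - wanted)]
    actions += [("provision", r) for r in sorted(wanted - held)]
    if before and wanted:  # attribute flow only for accounts that survive
        for attr in SYNCED_ATTRIBUTES:
            if getattr(before, attr) != getattr(after, attr):
                actions.append(("update", f"{attr}={getattr(after, attr)}"))
    return actions


def apply_change(before: Optional[HRRecord], after: HRRecord,
                 approved_by: Optional[str] = None) -> dict:
    """Evaluate one HR change. A new hire is held until a manager approves (New
    Employee slide); a transition or termination is applied as soon as the HR
    record changes. The returned dict is the audit entry for the request."""
    actions = plan_actions(before, after)
    if before is None and approved_by is None:
        return {"employee_id": after.employee_id, "status": "pending approval",
                "actions": [], "planned": actions}
    return {"employee_id": after.employee_id, "status": "applied",
            "approved_by": approved_by, "actions": actions}


# Constructed sample records following the slides' Melissa Meyers example
HIRED = HRRecord("122145", "Melissa", "Meyers", "Analyst", "Finance", "Full Time", "mmeyers@contoso.com")
MOVED = replace(HIRED, title="Group Marketing Manager", department="Marketing")
TERMINATED = replace(MOVED, employee_type="Terminated")


def run_scenarios() -> Dict[str, dict]:
    """Walk the three slides in order and return each audit entry."""
    return {
        "hire_unapproved": apply_change(None, HIRED),
        "hire": apply_change(None, HIRED, approved_by="manager"),
        "move": apply_change(HIRED, MOVED),
        "leave": apply_change(MOVED, TERMINATED),
    }


if __name__ == "__main__":
    for name, entry in run_scenarios().items():
        print(name, entry["status"])
        for verb, target in entry["actions"]:
            print(f"  {verb:12} {target}")
```

The ordering in plan_actions is the part worth copying: revocations are emitted before grants so a mover is never simultaneously entitled to Finance and Marketing systems, and a termination collapses the expected state to nothing so every connected system, smart card included, is de-provisioned without a per-system rule.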
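The self-service password reset slide above separates the request into a permission check, a Q/A authentication step, the action (reset in AD, commit to the app store) and synchronisation to the other identity stores. The Python model below is an added example for this page, not FIM code: the "All Employees" self-service set, the three-failure lockout, the store names and the user data are assumptions or constructed samples. It shows what a defender wants from such a pipeline: answers stored as salted slow hashes, constant-time comparison, a lockout after repeated failures, and an audit entry for every outcome.

```python
"""Self-service password reset pipeline modelled on the 'FIM 2010 In Action' slide.

Added illustration for this page, not FIM code. The self-service membership rule,
the lockout threshold, the store names and the user data are assumptions or
constructed samples.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List

PBKDF2_ROUNDS = 50_000


def normalise(answer: str) -> str:
    # Case and whitespace differences must not fail a legitimate user
    return " ".join(answer.lower().split())


def derive(secret: str, salt: bytes) -> bytes:
    # Slow salted hash: a leaked Service DB must not reveal answers or passwords
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Registration:
    salt: bytes
    answer_hashes: Dict[str, bytes]  # question -> PBKDF2(normalised answer)
    failures: int = 0


class ResetService:
    """Stages of the slide: request processor -> delegation & permissions ->
    AuthN workflow (Q/A) -> action workflow (reset in AD, commit, sync)."""
    MAX_FAILURES = 3  # assumed lockout threshold

    def __init__(self, self_service_members):
        # Assumed policy: members of "All Employees" may reset their own password
        self.self_service_members = set(self_service_members)
        self.registrations: Dict[str, Registration] = {}
        # Simulated AD, FIM app store and external identity stores (constructed)
        self.stores: Dict[str, Dict[str, bytes]] = {
            "AD": {}, "FIM app store": {}, "iPlanet": {}, "Mainframe": {}}
        self.audit: List[dict] = []

    def register(self, user: str, answers: Dict[str, str]) -> None:
        salt = secrets.token_bytes(16)
        self.registrations[user] = Registration(
            salt, {q: derive(normalise(a), salt) for q, a in answers.items()})

    def _log(self, user: str, outcome: str) -> str:
        self.audit.append({"user": user, "request": "password reset", "outcome": outcome})
        return outcome

    def reset(self, user: str, answers: Dict[str, str], new_password: str) -> str:
        # Delegation & permissions: does the user have permission to reset the password?
        if user not in self.self_service_members:
            return self._log(user, "denied: no permission")
        reg = self.registrations.get(user)
        if reg is None:
            return self._log(user, "denied: not registered")
        if reg.failures >= self.MAX_FAILURES:
            return self._log(user, "denied: locked out")
        # AuthN workflow: every registered question must be answered correctly.
        # All answers are evaluated (no early exit) and compared in constant time.
        results = [
            q in answers and hmac.compare_digest(derive(normalise(answers[q]), reg.salt), h)
            for q, h in reg.answer_hashes.items()
        ]
        if not all(results):
            reg.failures += 1
            return self._log(user, "denied: authentication failed")
        reg.failures = 0
        # Action workflow: reset in AD, commit to the FIM app store, sync to external stores
        credential = derive(new_password, secrets.token_bytes(16))
        for store in self.stores.values():
            store[user] = credential
        return self._log(user, "reset")

    def stores_consistent(self, user: str) -> bool:
        """True when AD, the app store and every external store hold the same credential."""
        values = {store.get(user) for store in self.stores.values()}
        return len(values) == 1 and None not in values


if __name__ == "__main__":
    svc = ResetService(["mmeyers"])
    svc.register("mmeyers", {"First school": "Contoso Elementary", "Pet": "Rex"})
    print(svc.reset("mmeyers", {"First school": "wrong", "Pet": "Rex"}, "N3w-Pass!"))
    print(svc.reset("mmeyers", {"First school": "contoso  elementary", "Pet": "rex"}, "N3w-Pass!"))
    print(svc.stores_consistent("mmeyers"), svc.audit)
```

Two design points carry over to any reset service: the permission check runs before any answer is examined, so an account outside the self-service set never reaches the Q/A step, and the lockout counter lives with the registration rather than the session, so an attacker cannot reset it by starting a new request.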
Business User
• Request to join Group from Outlook
• FIM routes approvals and grants appropriate access
• User productivity
• Enables effective business interactions

Create Distribution List (portal screenshots)

Unauthorized User Attribute Change
Situation: IT accidentally makes an unauthorized change to a user's title
Without Forefront Identity Manager 2010 (Activity / Costs to the Business)
HR Administrator, Samantha Smith
• Updates Megan Meyers' title in SAP
Chad Rice, Accounts Administrator
• Asked to update Megan Meyers' title in other systems
• Accidentally changes Melissa Meyers' title in ADUC
• Risk of error and policy non-compliance
• Cost of manual admin
Ted Smith, Compliance Auditor
• Discovers error in manual audit process of purchase order application
• Cost of manual auditing
• Delay in discovery of non-compliance

Unauthorized Change
Situation: IT accidentally makes an unauthorized change to a user's title
With Forefront Identity Manager 2010 (Activity / Business Benefits)
Chad Rice, Accounts Administrator
• Uses FIM to establish policies and workflows that include management of job title data
• Efficiency
• Security
• Compliance
HR Administrator, Samantha Smith
• Updates Megan Meyers' title in SAP
• Title change data flows to other systems that use it, per FIM policy
• Efficiency
• Compliance
Ted Smith, Compliance Auditor
• Uses FIM audit trail to audit approvals
• Efficiency
• Compliance

Summary: FIM 2010
Empowers People
• Provides Office-based self-service tools
• SharePoint admin console to manage identities
• Greater productivity through faster time to resolution
Delivers Agility and Efficiency
• Reduces costs through automation and self-service
• Maximizes existing investments in identity infrastructure
• Integrates with familiar developer tools to enable new scenarios
Increases Security and Compliance
• Integrates identity, credential, and access management
• Rich permissions and delegation model
• Enables system auditing and compliance
Resources
Learn more about Forefront Identity Manager
• FIM 2010 Product Page: http://www.microsoft.com/forefront/identitymanager
Learn about Microsoft Forefront Identity and Security
• Forefront Home Page: www.microsoft.com/forefront
Evaluate Identity Manager
• Visit http://technet.microsoft.com/en-gb/evalcenter/cc872861.aspx

© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.