
Forefront Identity Manager



Presentation held by Mr. Goce Bogatinov and Mr. Jordan Tikvesanski as part of the "Cooperation between academia and ICT businesses" session at the 8th SEEITA and 7th MASIT Open Days Conference, 14th-15th October 2010.



  1. Forefront Identity Manager 2010 implementation at "Goce Delcev" University – Stip. Goce Bogatinov, Chief IT Administrator, University "Goce Delcev" – Stip; Jordan Tikvesanski, IT System Administrator, University "Goce Delcev" – Stip
  2. Forefront Identity Manager 2010 implementation at "Goce Delcev" University – Stip: Partners
  3. Contents • Presentation of the University "Goce Delchev" – Stip and its information system • The role and method of involvement of Microsoft Consulting Services in delivering the solution • The part of Intec Systems and Gemalto in delivering the solution • Experiences and recommendations
  4. General information • Established in 2007 • Elected rector Prof. Dr. Sasa Mitrev • More than 13,000 students and 500 employees at the moment • 1,200 PCs and up to 50 servers • 10 campuses located in different cities • 10 campuses in Stip
  5. Infrastructure (map): Internet links with VPN tunnels to Stip
  6. Infrastructure in Stip (map legend): optical links, optical links under construction, wireless links
  7. User profiles • Students: undergraduate, master studies, PhD studies • Employees: administration, teachers (associates, visiting…), student services, other personnel • IT staff: administrators, technical staff, help desk
  8. Student services • Mail: Microsoft Live@EDU • Learning gateway: Moodle • Student files: Microsoft Dynamics CRM • Video conferencing: Polycom • Wireless internet access: Cisco, Microsoft NAP
  9. Employee services • Mail: Microsoft Exchange 2010 • Telephony: Cisco UCM, Cisco IP Phones, Microsoft Exchange 2010 UM • IM, A/V conferencing, desktop sharing: Microsoft Office Communicator • Document management: Xerox DocuShare • Wireless internet access: Cisco, Microsoft NAP
  10. Challenges • One user name and password for all services • Time and attendance tracking system • Two-factor authentication • Student/employee ID card
  11. Implementation stages
      ENVISION: specifying and clarifying what is necessary for the project implementation; establishing the team and the core of the project cycle
      PLAN: collecting as much information as possible; developing the conceptual solution into a specific design and plan
      BUILD: building the solution in a test environment and documenting it; testing all aspects of the solution
      STABILIZE: improving the quality of the solution to meet the criteria for its release into production; verifying the functionality and usability of the solution from the business and user perspective
      DEPLOY: setting up in the production environment; transition of the system into operational use
  12. ENVISION PLAN BUILD STABILISE DEPLOY (Envision stage: the starting situation)
      Administration and maintenance: small team and helpdesk, no defined roles, large number of critical systems, large number of helpdesk demands
      Demands: high level of automation, easy to use, high level of availability
      IT infrastructure: technology from various vendors • Windows Server 2008 • AD DS • MS SQL 2008 • MS Exchange 2010 • MS SCCM 2007 • AD Certificate Services • VMware virtualization technology
  13. ENVISION PLAN BUILD STABILISE DEPLOY (Plan stage) • 40% of the time was spent on this stage • Functional specs (What are we going to build?) • Conceptual design (How will we build it?) • Timeline of activities (When will we build it?) • Are we ready to build?
  14. ENVISION PLAN BUILD STABILISE DEPLOY (Build stage) • Building the system in the test environment • Implementation of the planned functionality • Testing • Testing • Testing
  15. ENVISION PLAN BUILD STABILISE DEPLOY (Stabilize stage) • Bringing the solution to an acceptable level of quality and functionality through testing and correction of the system • Implementation of the solution in the production environment • Testing of all aspects of the solution by an isolated group of users – pilot users
  16. ENVISION PLAN BUILD STABILISE DEPLOY (Deploy stage) • Large overlap with the activities performed in the stabilization phase • Preparing the physical infrastructure through GPO, distribution of the necessary client agents, installing enrollment kiosks… • Operating and maintaining the system
  17. PKI solution contents • PKI based on Windows Server 2008 R2, in two tiers: 1 offline root CA and 2x enterprise issuing CAs • CRL and AIA published via AD DS and IIS 7.0 • Certificate templates: Vraboten (Employee) Standard, Vraboten (Employee) Encryption, Student Standard • Use of certificates: authentication (domain logon, application logon, Wi-Fi access), e-mail signing, disk and data encryption
  18. FIM 2010 CLM solution contents • FIM CLM application: NLB cluster of FIM 2010 CLM servers • MS SQL 2008 failover cluster as the backend DB • FIM 2010 client component • Self-service user portal • Administration and configuration portal • FIM CM SQL API for interaction with other systems • Profile templates for students and employees • Smart card middleware and enrollment • Smart card printing
  19. Smart cards • Gemalto hybrid smart card: .NET + EM4100 contactless chip • .NET framework on the smart card • Easy integration in a Microsoft environment • Microsoft Base Smart Card CSP support • CMS: Microsoft CMS/FIM 2010 preferred • .NET SDK integration with Microsoft Visual Studio
  20. Gemalto .NET implementation on WSCF: the Microsoft Crypto Next Generation architecture and the Gemalto .NET crypto architecture share the same stack: Microsoft smart card enabled applications → Microsoft Base Smart Card CSP → smart card vendor minidriver (for Gemalto, the .NET minidriver DLL) → MS Smart Card Resource Manager → PC/SC. Gemalto adds an add-on to the MS Base CSP which redirects requests to the Gemalto .NET card module.
  21. Experiences • Complex system of permissions and role separation • Profile templates and certificate templates are crucial in the later operation period • Investments in compatible components • Condition of the existing infrastructure • Mixed use of x86 and 64-bit clients • The client works through IE 6.0 or later
  22. Recommendations • The complexity of the system requires thorough planning • Use a virtual environment • Document every step in the development and implementation of the system • Test the entire system after each change • Use a separate user account for each user role, even when the same person holds several roles • In a system with more than 10,000 users there are no "minor" changes
  23. Q&A
  24. Thanks for your attention