Identity management and access control
Slide 2: Business Ready Security Solutions
  • Secure Messaging
  • Secure Endpoint
  • Secure Collaboration
  • Information Protection
  • Identity and Access Management

Slide 3: Business Ready Security Solutions
  • Secure Messaging
  • Secure Endpoint
  • Secure Collaboration
  • Information Protection
  • Identity and Access Management: Active Directory® Federation Services

Slide 4: Identity Lifecycle Management – Create
  • Provision user
  • Provision credentials
  • Provision resources
  • Help Desk: "lost" credentials

Slide 5: Password Reset

Slide 6: Identity Lifecycle Management
  • New entitlements
  • Change: role changes; phone # or title change; password and PIN reset; resource requests
  • Retire: de-provision identities; revoke credentials; de-provision resources
  • Policy Management: policy enforcement; approvals and notifications; audit trails

Slide 7: Today: Management Burden Is On IT
  • IT Professionals: difficult to manage siloed identities; overloaded with help desk service requests; manually managing accounts and permissions; poor tools for managing user credentials
  • Information Workers: call help desk for password and access requests; wait for days or weeks for access; wait for IT to implement business policies
  • Developers: complex to develop custom applications; forced to develop business rules; challenge to learn different development models; hard to integrate systems
  • Result: greater complexity, wrong contexts, wrong people, higher costs

Slide 8: Aligning Experiences With The Right People
  • IT Professionals: architecture; deployment; system administration; governance; security
  • Information Workers: add, update, revoke and audit users, access, credentials, business rules & policy, permissions, group & role membership, distribution lists, passwords & PINs, policy
  • Developers: system & application integration & development

Slide 9: FIM 2010 Solution Areas
  • User Management: integrated provisioning of identities, credentials, and resources; automated, codeless user provisioning and de-provisioning; self-service and admin profile management
  • Credential Management: manage multiple credential types (passwords, certificates, smart cards); self-service password reset integrated with Windows logon; support for multiple & partner reset gates (q/a, smart card, speech, custom)
  • Group Management: delegated & self-service group and distribution list management; information worker self-service experiences through Office and SharePoint; automated group and distribution list updates
  • Policy Management: visual, natural language process authoring & editing; extensible workflows through Windows Workflow Foundation; integrates with System Center for monitoring and control

Slide 10: Forefront Identity Manager in Action (diagram)
  • Connected systems: databases, directories, LOB applications, Windows log on, self-service integration
  • FIM Portal: Policy Management, Credential Management, User Management, Group Management
  • Custom ISV partner solutions; IT departments

Slide 11: Identity Management – User provisioning
  • Policy-based identity lifecycle management system

Slide 12: Built-in workflow for identity management

Slide 13: Automatically synchronize all user information to different directories across the enterprise

Slide 14: Automates the process of on-boarding users (diagram)
  • HR System → FIM → workflow (user enrollment; approval by manager) → Active Directory, Lotus Domino, LDAP, SQL Server, Oracle DB, FIM CM
  • Outcome: user provisioned on all allowed systems

Slide 15: Identity Management – User de-provisioning
  • Automated user de-provisioning

Slide 16: Built-in workflow for identity management

Slide 17: Real-time de-provisioning from all systems to prevent unauthorized access and information leakage (diagram)
  • HR System → FIM → workflow (user de-provisioned) → Active Directory, Lotus Domino, LDAP, SQL Server, Oracle DB, FIM CM
  • Outcome: user de-provisioned or disabled on all systems
Slide 18: Identity Synchronization and Consistency – Identity synchronization across multiple directories (Identity Data Aggregation)

Connected source           givenName  sn        title        mail                 employeeID  telephone  Owns (attribute ownership)
HR System                  Samantha   Dearing   –            –                    007         –          FirstName, LastName, EmployeeID
SQL Server DB              Samara     Darling   Coordinator  –                    007         –          Title
Active Directory/Exchange  Sam        Dearing   Intern       someone@example.com  007         –          E-Mail
LDAP                       Sammy      Dearling  –            –                    008         555-0129   Telephone
FIM (aggregated)           Samantha   Dearing   Coordinator  someone@example.com  007         555-0129   each value taken from its owner

Slide 19: Identity Synchronization and Consistency – Identity consistency across multiple directories (Identity Data Brokering / Convergence)
  • Same four sources, same attribute ownership. Where a connected source holds incorrect or missing information (givenName "Bob", "Samara", "Sam" or "Sammy"; sn "Darling" or "Dearling"; title "Intern"; employeeID 008; a missing mail or telephone), FIM writes the owner's value back to it.
  • After convergence every source holds givenName Samantha, sn Dearing, title Coordinator, mail someone@example.com, employeeID 007, telephone 555-0129.
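The attribute-ownership logic behind slides 18 and 19, written out as an added Python example (it is not the deck's own material and not FIM's implementation). The four source records are constructed from the slide; the source names, the name mapping for the HR system's FirstName/LastName/EmployeeID columns, and the ownership table are assumptions made to illustrate the idea:

```python
"""Attribute ownership, aggregation and convergence across connected
directories (the scenario on slides 18 and 19).

Each attribute has exactly one authoritative source.  Aggregation builds
the central (metaverse) record by reading each attribute from its owner;
convergence then computes the writes needed to bring every non-owner copy
in line.  Sample records are constructed from the slide; the source names,
attribute-name map and ownership table are assumptions for illustration.
"""

# Current contents of the four connected sources (slide 18, constructed).
SOURCES = {
    "HR System": {"FirstName": "Samantha", "LastName": "Dearing", "EmployeeID": "007"},
    "SQL Server DB": {"givenName": "Samara", "sn": "Darling",
                      "title": "Coordinator", "employeeID": "007"},
    "Active Directory/Exchange": {"givenName": "Sam", "sn": "Dearing", "title": "Intern",
                                  "mail": "someone@example.com", "employeeID": "007"},
    "LDAP": {"givenName": "Sammy", "sn": "Dearling", "employeeID": "008",
             "telephone": "555-0129"},
}

# Sources that use their own attribute names: source name -> central name (assumed).
ATTRIBUTE_MAP = {
    "HR System": {"FirstName": "givenName", "LastName": "sn", "EmployeeID": "employeeID"},
}

# Attribute ownership (slide 18): the one source allowed to set each attribute.
OWNERSHIP = {
    "givenName": "HR System", "sn": "HR System", "employeeID": "HR System",
    "title": "SQL Server DB",
    "mail": "Active Directory/Exchange",
    "telephone": "LDAP",
}


def normalise(source, record):
    """Rename a source's attributes to the central names."""
    mapping = ATTRIBUTE_MAP.get(source, {})
    return {mapping.get(name, name): value for name, value in record.items()}


def aggregate(sources=SOURCES):
    """Identity data aggregation: each attribute comes from its owner only,
    so conflicting copies elsewhere ("Samara", "Intern", "008") are ignored."""
    normalised = {name: normalise(name, rec) for name, rec in sources.items()}
    central = {}
    for attr, owner in OWNERSHIP.items():
        value = normalised[owner].get(attr)
        if value is None:
            # The owner itself lacks the value: nothing can be authoritative.
            raise ValueError(f"owner {owner!r} holds no value for {attr!r}")
        central[attr] = value
    return central


def converge(sources=SOURCES):
    """Identity data brokering (convergence): for every non-owner copy that is
    incorrect or missing, return the write that fixes it, keyed by source.
    An owner is never written to, so authority cannot flow backwards."""
    central = aggregate(sources)
    pending = {}
    for source, record in sources.items():
        current = normalise(source, record)
        writes = {}
        for attr, value in central.items():
            if OWNERSHIP[attr] == source:
                continue  # owner: its copy *is* the authoritative value
            old = current.get(attr)
            if old != value:
                writes[attr] = {"old": old, "new": value,
                                "reason": "missing" if old is None else "incorrect"}
        if writes:
            pending[source] = writes
    return pending


if __name__ == "__main__":
    print("central record:", aggregate())
    for source, writes in converge().items():
        for attr, change in writes.items():
            print(f"{source}: {attr} {change['old']!r} -> {change['new']!r} ({change['reason']})")
```

Running it prints the aggregated record and the per-source writes. The point to notice is the `continue` in `converge`: LDAP's stale employeeID 008 is corrected from HR, but LDAP's own telephone is never overwritten, and if an owner lacks the attribute it owns, `aggregate` refuses rather than silently promoting a non-authoritative copy.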
Slide 20: Customizable Identity Portal
  • SharePoint-based Identity Portal for management and self-service
  • How you extend it: add your own portal pages or web parts; build new custom solutions; expose new attributes to manage by extending the FIM schema; choose a SharePoint theme to customize look and feel

Slide 21: Password Reset And Synchronization (diagram)
  • Elements: Melissa; Windows machine; FIM 2010 (password synchronization); Active Directory; iPlanet; finance application; finance portal

Forefront Identity Manager 2010 (by Rune Lystad)


Editor's Notes

  • #3 There are six (6) core solutions that make up Business Ready Security. Each one delivers an integrated, identity-based platform that helps organizations reduce IT costs while enabling new capabilities:
    Secure Messaging: Enable secure business communication from virtually anywhere and on any device, while preventing unauthorized use of confidential information.
    Secure Collaboration: Enable secure business collaboration from virtually anywhere and on any device, while preventing unauthorized use of confidential information.
    Secure Endpoint: Protect client and server operating systems from emerging threats and information loss, while enabling secure access from virtually anywhere and any device.
    Information Protection: Discover, protect, and manage confidential data throughout your business with a comprehensive solution integrated with the computing platform and applications.
    Identity and Access Management: Enable secure, seamless access to on-premise and cloud infrastructure and applications from any location or device.
    Integrated Security: Protect information and infrastructure across your business through a comprehensive solution that is easier to manage and control.
  • #5 How do customers think about IDA management? What are the scenarios they are solving for? The lifecycle of identities, credentials and access from hire to retire. Customers are asking us for comprehensive solutions that span identities, credentials, and resources across the enterprise.
  • #6 One reason IdM projects fail is that the burden is always on IT to get management tasks done. Why is the state of the art failing to deliver? Today's offerings are:
    Very narrow in their view of the problem. Identity management is not about dropping another expensive box into IT; these offerings fail to empower the right people at the right time with the right tools and information.
    Siloed, with separate applications for identity, access and credential management. This drives complexity and cost.
    Lacking an end-to-end view of IDA across the enterprise, because of the lack of integration and the lack of comprehensive scope.
    Result: IT is overloaded and cannot become a strategic asset; end users are not empowered; developers don't have an identity platform or tools to build on.
    Detail:
    Challenges for users. This slide sets the stage for exploring the present state of identity management in a typical large enterprise through the lens of a new employee or partner coming into the enterprise. New users, businesses, and partners are not productive from day one because they do not have access to the right resources, due to a lack of identity management processes. When you think about all of the business processes, IT infrastructure, IT services, and IT processes that are required to bring that new employee, contractor or partner into the enterprise, you need to: enable them to be productive in a secure and efficient manner right from day one; manage their needs over their entire lifecycle within the enterprise; manage de-provisioning when they choose to leave or the contract ends.
    Managing identity across the enterprise. Challenges for IT professionals: they lack a unified view of identity across the enterprise, and are unable to automate systems, so they have to provision access in an ad-hoc manner, which drives up cost and increases risk. We also have a set of challenges, needs, or domains of the enterprise that are separate for the specific end users, but then it's all about managing identity across the enterprise.
    In any large enterprise, many business applications that contain identity information have to be synchronized, monitored, maintained, supported, and audited. Since they are responsible for managing these processes and domains, IT pros must: be experts in all the business processes so they can respond to the demands of individual users; maintain the architecture and infrastructure of the enterprise; merge multiple applications, systems, and processes securely in mergers and acquisitions; manage all the governance and security associated with these systems and processes; handle everyday challenges, such as creating and deleting user accounts; manage provisioning and de-provisioning.
    One of the big challenges we have in identity management is that when new employees join, they are provisioned in an average of 16 applications. When those employees leave, they are only de-provisioned in about 10 applications. Over time, this creates significant numbers of personal accounts that, from an identity management standpoint, represent risks and security gaps because these systems are siloed, manual, and not integrated. This is the burden that the modern enterprise is dealing with today, so developers are brought in to stitch together these process applications and systems, at great cost. When all these systems are not working perfectly they get in the way of IWs being productive in driving business. With changing compliance requirements, it's difficult to cater to the needs of IWs and users effectively.
    Challenges for developers: they are unable to integrate security and policies into their applications, which leads to complexity and dissatisfaction; they must maintain provisioning, de-provisioning and identity management themselves, so the current state forces developers to use tools that are application-platform specific, which limits their ability to develop identity-aware applications that can serve the needs of the organization.
  • #10 With automated user provisioning through Forefront Identity Manager, IT can automatically grant and update rights to resources and business applications according to the user's profile. It becomes easy to provision a user's identity to only those resources and applications the user is supposed to work with, and to prevent unauthorized use. Organizations using Forefront Identity Manager can define policies that automatically create user accounts, mailboxes, and group memberships in real time so that new employees are productive immediately. When a user changes roles within an organization, Forefront Identity Manager automatically makes the necessary changes in heterogeneous target systems to add and remove access rights. For example, if a user moves from a role in sales to a role in marketing, Forefront Identity Manager can remove them from sales-specific groups and add them to marketing-specific groups to deliver the access permissions appropriate to their job function.
  • #11 With Forefront Identity Manager (FIM), organizations can define automatic policy enforcement for removing user accounts, mailboxes, and group memberships in real time, which minimizes the risk of information leakage from unauthorized access to resources and confidential information. With FIM, de-provisioning for users leaving the enterprise also becomes centralized and less complicated, which makes it easier to ensure complete de-provisioning and to handle future compliance audits. For example, if a user leaves the organization, the HR system forwards a de-provisioning request to FIM. FIM follows its approval workflow. With the manager's approval, FIM automatically removes all rights, account information, mailboxes, and memberships from all relevant applications, groups, and directories.
  • #12 Organizations can also use FIM to synchronize e-mail address lists that are maintained by heterogeneous e-mail systems, such as Microsoft Exchange Server 2000, Exchange Server 2007, and Lotus Notes. Organizations that have multiple Active Directory Domain Services and Exchange forests can use FIM to build a single address book. This increases the value of identity integration by simplifying collaboration as well as increasing IT control.
    Note: FIM 2010 provides a simplified single sign-on experience through its identity synchronization capabilities, delivering the ability to synchronize passwords across heterogeneous systems. The policy-based management system of FIM manages users' identity lifecycle and protects corporate assets against misuse as users move between roles or leave the organization.
    http://www.microsoft.com/forefront/identitymanager/en/us/features.aspx
    http://download.microsoft.com/download/3/2/A/32A7B77A-7D3A-4D24-ACE7-5AA3A908B95E/Understanding%20FIM%202010.docx
  • #13 Combining identity data across multiple directories and systems yields automated account reconciliation and consistency management for user accounts, credentials, and attributes. This means organizations with many different directories and other data repositories, such as an HR application, can use Forefront Identity Manager to synchronize user accounts across systems.
  • #15 Key points we want to illustrate: Melissa is a new employee starting her first day of work at Contoso. She sits down in her assigned office to begin her work, which is heavily dependent on LOB applications and on being "plugged in" to key DLs. Rather than calling the help desk to get access, groups, etc.:
    Melissa's accounts and mailbox are automatically provisioned and available at first login, due to preconfigured rules in FIM 2010.
    She is automatically granted access to the LOB apps relevant to her role.
    She is dynamically added to key DLs.
    Animation flow:
    Data flows in from the HR system. Would like a file to pass from HR to FIM 2010 with information on the new hire like Name = Melissa Meyers, Employee ID = 122145, Dept = Finance, Title = Analyst, Employee Type = Full Time.
    Data flows to each of the target systems. For Exchange a mailbox is created. I want icons to travel along the arrow to represent the data passed to Exchange as well as the mailbox created. Her email address should be filled in as mmeyers@contoso.com.
    For AD, a password is assigned and sent to her manager. She is also given membership in the "Finance," "New Hire" and "FTE" groups in AD. I want icons to travel along the arrow to represent the data passed to AD as well as the password and new groups created.
    A smart card is also provisioned, for remote access and for her to access the finance app.
    For the other accounts show the data passing along the arrows. Show only her name, employee ID, and department being passed to iPlanet, and show her name, ID, and employee type passing to the mainframe.
  • #16 Active Directory Certificate Services (AD CS) provides an integrated public key infrastructure that enables the secure exchange of information. With strong security and easy administration across the Internet, extranets, intranets, and applications, AD CS provides customizable services for issuing and managing the certificates used in software security systems employing public key technologies.
    Benefits:
    Increase access security with better security than username and password solutions, and verify the validity of certificates using the Online Certificate Status Protocol (OCSP).
    Reduce cost of ownership by taking advantage of Active Directory integration for enrollment, storage, and revocation processes.
    Simplify certificate management using a single information store that comes from full integration with Microsoft Management Console.
    Streamline deployment by enrolling user and computer certificates without user intervention.
    Enrollment flow:
    1. Client retrieves certificate policy from Active Directory.
    2. Client submits certificate request to Certificate Server based on policy.
    3. Certificate Server retrieves user information from Active Directory.
    4. Certificate Server returns signed digital certificate to the client.
  • #18 Some example scenarios for each pillar, for end users. These are examples and non-exhaustive.
    Policy Management: Approvals integrated in Outlook. The right person, in this case the CFO, can easily approve access within their scope of responsibilities and within agreed-upon company policies.
    Credential Management: In addition to PW and PIN reset integrated with Windows, end users can provision their own smart cards through an easy-to-use self-service interface. One example of how this could be configured: FIM can send the user a one-time-use password that the user could use with FIM to bring the right certificates down to their smart card.
    User Management: Manage own identity profile. In this case end users could be given permission to manage their mobile phone number. This makes it easy for other end users to find one another, especially in cases where workers work remotely and operate using mobile phones frequently. Of course, other attributes could also be delegated to end users to manage.
    Group Management: Create and manage approvals for group membership in Office. End users can make requests to join groups, or create their own groups from a button in the Outlook ribbon.
  • #19 Exemplary but non-exhaustive list of scenarios for IT professionals:
    Policy Management: IT can use UI tools to generate policies to enforce required business approvals. Example: the policy is that a GM must approve VPN access for non-employees (e.g., contractors). ILM will not grant VPN access to a contractor until it has received the required approval from the GM.
    Credential Management: As part of the policy to provision new users, the issuance of multiple types of credentials can be easily incorporated.
    User Management: User provisioning policy. Example: all FTEs should receive an AD account and an Exchange mailbox, become a member of the "FTE" security group, and get a smart card.
    Group Management: Dynamic groups. FIM can create security groups or DLs based on attributes such as what department someone is in. In this case FIM would automatically create and populate a group for each department in a company.
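Notes #10, #11 and #19 describe policy-driven provisioning, role changes, approval-gated requests and de-provisioning. The following added Python example (not from the deck and not FIM's own configuration) models that lifecycle as a diff between desired and current entitlements. The Person fields, the entitlement and group names, the rules in policy_entitlements and required_approver, and the contractor and sales records are assumptions constructed for the example; Melissa's employee ID, department and title are taken from note #15:

```python
"""Policy-driven identity lifecycle: hire, role change, access request and
termination (the behaviour described in notes #10, #11 and #19).

Desired entitlements are derived from the HR record by declarative rules,
diffed against what the connected systems currently hold, and turned into
grant/revoke actions.  An action whose policy names an approver is held
until that approval has been recorded.  Record fields, entitlement and
group names and the rules themselves are assumptions constructed for this
example; they are not FIM's own configuration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Person:
    employee_id: str
    employee_type: str        # "FTE" or "Contractor"
    department: str
    role: str
    status: str = "active"    # "active" or "terminated"


@dataclass
class Action:
    kind: str                 # "grant" or "revoke"
    entitlement: str          # e.g. "account:AD", "group:Finance"
    approver: Optional[str] = None


def policy_entitlements(p):
    """Note #19: every FTE gets an AD account, a mailbox, the FTE group and a
    smart card; everyone active gets a dynamic department group and a role group."""
    if p.status != "active":
        return set()                      # note #11: termination leaves nothing
    wanted = {"account:AD"}
    if p.employee_type == "FTE":
        wanted |= {"mailbox:Exchange", "group:FTE", "credential:SmartCard"}
    wanted.add(f"group:{p.department}")   # dynamic group keyed on an attribute
    wanted.add(f"group:{p.role}")         # role group, e.g. Sales or Marketing
    return wanted


def required_approver(p, action):
    """Which approval, if any, gates this action."""
    if p.status == "terminated":
        return "Manager"                  # note #11: manager approves de-provisioning
    if action.entitlement == "access:VPN" and p.employee_type != "FTE":
        return "GM"                       # note #19: GM approves VPN for non-employees
    return None


def reconcile(p, current, requests=(), approvals=()):
    """Diff desired against current state.  Returns (ready, pending): actions that
    can run now and actions still waiting for an approver not listed in `approvals`."""
    desired = policy_entitlements(p)
    if p.status == "active":
        desired |= set(requests)          # self-service requests join the desired set
    actions = [Action("grant", e) for e in sorted(desired - set(current))]
    actions += [Action("revoke", e) for e in sorted(set(current) - desired)]
    ready, pending = [], []
    for action in actions:
        action.approver = required_approver(p, action)
        if action.approver is None or action.approver in approvals:
            ready.append(action)
        else:
            pending.append(action)
    return ready, pending


def apply_actions(current, actions):
    """Execute ready actions against a copy of the current state."""
    state = set(current)
    for action in actions:
        (state.add if action.kind == "grant" else state.discard)(action.entitlement)
    return state


def dynamic_groups(people):
    """Note #19: one group per department, populated from the attribute."""
    groups = {}
    for p in people:
        if p.status == "active":
            groups.setdefault(f"group:{p.department}", set()).add(p.employee_id)
    return groups


if __name__ == "__main__":
    melissa = Person("122145", "FTE", "Finance", "Analyst")   # values from note #15
    ready, pending = reconcile(melissa, set())
    state = apply_actions(set(), ready)                       # day-one provisioning
    print("provisioned:", sorted(state))
    melissa.status = "terminated"                             # HR sends termination
    ready, pending = reconcile(melissa, state)
    print("held for approval by:", {a.approver for a in pending})
```

Two properties are worth checking when you run it: a terminated record produces only revokes, none of which execute until the manager's approval is present, and a role change yields exactly one revoke and one grant rather than a full re-provision, which is what keeps the audit trail readable.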