Microsoft Forefront Identity Manager 2010

Elton AGOLLIChief of Infrastructure SectionTETRA Solutions eagolli@tetra.al

Agenda

• Customer challenges• Microsoft’s Identity and Access Strategy• Identity and Access Management

− The business challenges− How Identity Manager addresses the

challenges− Scenarios

• Summary• Resources

Identity & Access Customer Challenges

Enabling new high businessvalue scenarios

Supporting mergers, acquisitions & reorganizations

Integrated user provisioning & credential management

Ensuring that only authorized users can access resources

Compliance with regulatory requirements

Auditable processes for granting access to resources

Reducing help desk burden for end user requests

Managing the complexity of distributed identity information

ComplianceOperationalEfficiency

IT SecurityBusinessAgility

Business Ready Security Solutions

Identity and Access Management

Secure Messaging Secure EndpointSecure Collaboration

Active Directory® Federation Services

Information Protection

IDENTITY AND ACCESS MANAGEMENT

Extend business resources, especially to the cloud

Secure multiple devices and locations

Manage complex identity lifecycles

Business and IT Challenges

Agility and Flexibility

ControlBUSINESS

NeedsIT Needs

Simplify user experience for collaboration across

networks

Provide seamless movement between applications

Reduce cost of identity management

Provide secure access to applications from anywhere

Manage disparate systems

CreateProvision userProvision credentialsProvision resources

Policy authoring

Policy enforcement

Approvals and notifications

Audit trails

Policy Management

De-provision identities

Revoke credentials

De-provision resources

Retire

Role changes

Password and PIN reset

Resource requests

Update

Identity and Access Management

Identity Lifecycle Manager -> Forefront Identity Manager

Identity SynchronizationUser ProvisioningCertificate and Smartcard Management

Office Integration for Self-ServiceSupport for 3rd Party CAsCodeless ProvisioningGroup & DL ManagementWorkflow and Policy

User Management

GroupManagement

Credential Management

Common PlatformWorkflowConnectorsLoggingWeb Service APISynchronization

PolicyManagement

Version Feature ComparisonMIIS 2003 ILM 2007 FIM 2010

Identity synchronization X X X

Password synchronization X X X

Policy authoring and editing solution

ILM-CM only X

Policy enforcement X X X

Delegation management solution X

User provisioning solution X

Certificate and smart card management solution

X X

Group management solution X

DL management solution X

Workflow ILM-CM only X

Self-service password reset X

Localized ILM-CM only X

Heterogeneous certificate management with 3rd party CAsManagement of AD credentialsSelf-service password reset integrated with Windows logon

Rich Office-based self-service group management toolsOffline approvals through OfficeAutomated group and distribution list updates

Integrated provisioning of identities, credentials, and resourcesAutomated, declarative user provisioning and de-provisioningSelf-service profile management

SharePoint-based console for policy authoring, enforcement & auditingExtensible WS– * APIs and Windows Workflow Foundation workflowsHeterogeneous identity synchronization and consistency

Forefront Identity Manger - Key Feature Areas

Credential Management

GroupManagement

UserManagement

PolicyManagement

Solutions

Group Mgmt

Credential Mgmt

Policy Mgmt

CustomUser Mgmt

Outlook FIM Portal Windows Custom

FIM Client Experiences

FIM Service and PortalILM SyncFIM Service

AuthZWorkflow

AuthN Workflow

Delegation& Permissions

Action Workflow

AppDB

Adapters

Request Processor

SyncDB

Directories Databases E-Mail SystemsApplications

Identity and data stores

Cert Mgmt

ILM-CMDB

ILM-CM

ILM-CM Portal

Forefront Identity Manger 2010 Architecture

USER SCENARIOS

End User Scenarios

Credential Management

GroupManagement

UserManagement

PolicyManagement

Self-service smart card provisioning & management

User asks to join secure distribution list for newproduct development

User changes cell phone number

Integration with Windows logonNo need to call help deskFaster time to resolution

Request process through OfficeNo waiting for help deskFaster time to resolution

Automatic updating of business applicationsNo need to call help deskFaster time to resolution

Example Scenario FIM 2010 Advantages

CFO gives final approval for newuser to access app with associated SOX compliance requirement

Automatic routing of multiple approvalsApproval process through OfficeAudit trail of approvals

IT Administrator Scenarios

Credential Management

GroupManagement

UserManagement

PolicyManagement

Create workflow to automatically issue passwords and smart cards to new users

Design policy to automatically create departmental security groups

Author policy to require HRapproval for job title change

Automatically provision new employees with identity, mailbox, and credentials

Centralized managementAutomatic policy enforcement across systems

Automatic policy enforcement across systemsManagement of role changes & retirements

Generation and delivery of initialone-time use passwordIntegration of smart card & cert enrollment with provisioning

Automatic management of group membershipSecure access to departmental resources, with audit trail

Example Scenario FIM 2010 Advantages

Customizable Identity Portal

How you extend it

SharePoint-based Identity Portal for Management and Self Service

Add your own portal pages or web partsBuild new custom solutionsExpose new attributes to manage by extending FIM schemaChoose SharePoint theme to customize look and feel

Given Name Melissa

Surname Meyers

Title Analyst

Department Finance

Employee ID 122145

Employee type Full Time

email

Given Name Melissa

Surname Meyers

Title Analyst

Department Finance

Employee ID 122145

Employee type Full Time

email

Given Name Melissa

Surname Meyers

Title Analyst

Department Finance

Employee ID 122145

Employee type Full Time

email mmeyers@contoso.com

New Employee Scenario

FIM 2010

MAINFRAME

FINANCEAPPLICATION

FINANCEPORTAL

iPLANET

SMARTCARD

EXCHANGE

ACTIVE DIRECTORY

HR SYSTEM

FIM PROVISIONING POLICY APPLIED

MANAGERAPPROVAL

MANAGERAPPROVAL

Workflow Create user

Given Name Melissa

Surname Meyers

TitleGroup Marketing

Manager

Department Marketing

Employee ID 122145

Employee type Full Time

emailmmeyers@

contoso.com

Given Name Melissa

Surname Meyers

Title Analyst

Department Finance

Employee ID 122145

Employee type Full Time

emailmmeyers@

contoso.com

Given Name Melissa

Surname Meyers

Title Group Marketing Manager

Department Marketing

Employee ID 122145

Employee type Full Time

emailmmeyers@

contoso.com

Employee Transition Scenario

FIM 2010

MAINFRAME

FINANCEAPPLICATION

FINANCEPORTAL

iPLANET

SMARTCARD

HR SYSTEM

FIM PROVISIONING POLICY APPLIED

MARKETINGAPPLICATION

MARKETINGPORTAL

EXCHANGE

ACTIVE DIRECTORY

Given Name Melissa

Surname Meyers

TitleGroup Marketing

Manager

Department Finance

EmployeeI D 122145

Employee type Terminated

emailmmeyers@

contoso.com

Given Name Melissa

Surname Meyers

TitleGroup Marketing

Manager

Department Finance

Employee ID 122145

Employee type Terminated

emailmmeyers@

contoso.com

Given Name Melissa

Surname Meyers

TitleGroup Marketing

Manager

Department Finance

Employee ID 122145

Employee type Full Time

emailmmeyers@

contoso.com

Separation/Fire Scenario

FIM 2010

MAINFRAME

MARKETINGAPPLICATION

MARKETINGPORTAL

iPLANET

SMARTCARD

HR SYSTEM

FIM PROVISIONING POLICY APPLIED

EXCHANGE

ACTIVE DIRECTORY

FIM 2010 In ActionSelf-service password management

AuthN & AuthZWorkflows

Delegation& Permissions

Action Workflow

ServiceDB

Sync DB

Management Agents

User forgets passwordRequests password

reset at Win logon and answers Q/A

Does userhave permission

to reset password?FIM validates Q/A

response from user

Changes committed to FIM

app store

FIM makes call to reset password

in AD

Identity Stores

FIM syncs new password to external identity

stores

FIM receives XML

Request Processor

FIM 2010 In ActionSelf-service smart card provisioning

AuthN & AuthZWorkflows

Delegation& Permissions

Action Workflow

ServiceDB

Sync DB

Management Agents

New user added in HR app

Does userhave permission

to add user to FIM ?

FIM managesmanager and

dept head approvals

Once approved, changes

committed to ILM app store

FIM sends welcomeand confirmation

e-mails

Identity Stores

FIM syncs to external identity stores

Sync receivesrequest

Sync

DB

Management Agents

Approval workflowsCard created & printedCertificates requested

Self-service notification and One

Time Password sent to end user

End user downloads

certificates onto smart card

FIM CM

Self-Service Group Management

Melissa Meyers, Business User

Chad Rice,Accounts Administrator

• Calls help desk

•Manually edits AD Users and Computers to add user to group

Situation: User needs to join the Fabrikam Project Virtual Team group

Without Forefront Identity Manager 2010

• Lost productivity• No resource access when she needs it

• Risk of error and policy non-compliance• Cost of manual administration

Activity Costs to the Business

Self-Service Group Management

Melissa Meyers,Business User

Chad Rice,Accounts Administrator

• Request to join Group from Outlook• FIM routes approvals and grants appropriate access

• Uses FIM to establish group management policies and workflows

Situation: User needs to join the Fabrikam Project Virtual Team group

With Forefront Identity Manager 2010

• User productivity• Enables effective business interactions

• Efficiency• Security• Compliance

Activity Business Benefits

Create Distribution List

Create Distribution List

Create Distribution List

Unauthorized User Attribute Change

HR Administrator, Samantha Smith

Chad Rice,Accounts Administrator

• Updates Megan Meyers’ title in SAP

• Asked to update Megan Meyers titles other systems• Accidentally changes Melissa Meyers title in ADUC

Situation: IT accidentally makes an unauthorized change to a user’s title

Without Forefront Identity Manager 2010

• Risk of error and policy non-compliance• Cost of manual admin

Ted Smith,ComplianceAuditor

• Discovers error in manual audit process of purchase order application

• Cost of manual auditing• Delay in discovery of non-compliance

Activity Costs to the Business

Unauthorized Change

HR Administrator, Samantha Smith

Chad Rice, Accounts Administrator

• Updates Megan Meyers’ title in SAP• Title change data flows to other systems that use it, per FIM policy

• Uses FIM to establish policies and workflows to that include management of job title data

Situation: IT accidentally makes an unauthorized change to a user’s title

With Forefront Identity Manager 2010

• Efficiency• Security• Compliance

Ted Smith, ComplianceAuditor

• Uses FIM audit trail to audit approvals

• Efficiency• Compliance

Activity Business Benefits

• Efficiency• Compliance

Integrates identity, credential, and access managementRich permissions and delegation modelEnables system auditing and compliance

Provides Office-based self-service toolsSharePoint admin console to manage identitiesGreater productivity through faster time to resolution

Reduces costs through automation and self-serviceMaximizes existing investments in Identity InfrastructureIntegrates with familiar developer tools to enable new scenarios

Empowers People

Delivers Agility and Efficiency

Increases Security

and Compliance

Software for policy-based management of identities,credentials, and resources across heterogeneous environments

Summary: FIM 2010

Resources

Learn more about Forefront Identity Manager• FIM 2010 Product Page:

http://www.microsoft.com/forefront/identitymanager

Learn about Microsoft Forefront Identity and Security • Forefront Home Page: www.microsoft.com/forefront

Evaluate the Identity Manger• Visit

http://technet.microsoft.com/en-gb/evalcenter/cc872861.aspx

© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after

the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.