Post on 11-Jan-2016

TRANSCRIPT

Identity Management, Self Service and Orchestration in the Data Centre
Jean-Pierre Simonis (Data#3)
Bruce Smith (Data#3)

Session MDC324A

Overview

Identity Management
• What is it?
• Who manages it?
• Why do we need it?
• What tools can we use?
• Integration between FIM, Orchestrator and Service Manager

Self-Service and Orchestration
• Common scenarios and benefits
• Cloud integration

Questions

Identity Management

What is it?

An identity is the collection of information held about a person, group or resource that we wish to store and manage.

Example: an identity of type Person carries attributes such as
• First Name
• Last Name
• Display Name
• Account Name
• Email Address
• Phone Number
• Address
• Password

Identity management is a set of technologies intended to streamline the management of user identity information both inside and outside the enterprise, including:
• Directories
• User provisioning
• Password management
• Federation
• Enterprise single sign-on
• Web access management and web single sign-on

Identity and access management is a shared platform with consistent processes for managing information about users:
• Who are they?
• How are they authenticated?
• What can they access?

Typical state of identity management today: lots of manual process across different, decentralised systems.

(Diagram: Users, Business Managers, Application Owners, the IT Helpdesk and separate Administrators each maintain accounts by hand in Active Directory, Exchange, HR (PeopleSoft, SAP), Financials, SharePoint, Sales and cloud services (Postini, Workday, etc.), with each system administered separately.)

Multiple identity stores. Modern organisations run a complex mix of IT infrastructure, including:
• Network operating systems, used to share files and printers
• Application servers, running web servers, databases and similar software
• Mainframe and midrange servers, typically hosting legacy applications
• Email and other collaboration software
• User directories, publishing lists of users and other network objects
• Human resources, payroll and contractor management systems
• A variety of line-of-business applications
• Customer relationship management (CRM) and enterprise resource planning (ERP) applications
• Cloud applications

Different user types. Many kinds of users access these systems, including:
• Employees
• Contractors
• Partners
• Vendors
• Customers

Future state, centralised identity management: locate the logic in one place and automate it across many systems.

(Diagram: a central Identity Management service connected to HR (PeopleSoft, SAP, Workday), Active Directory, Exchange, on-premise databases, directories and applications, and cloud services (Office 365, Salesforce, ADP…), serving Users, Administrators and Application Owners & Managers.)

Capabilities of the centralised service:
• Self Service Group Management
• Self Service Password Reset
• Improved Productivity
• Workflow
• Notifications
• Approvals
• Attestation and Reporting
• Automated Provisioning
• Automated De-provisioning
• Account, Group and Mailbox Management

Who manages it?

As organisations deploy an ever wider array of IT infrastructure, managing users' identity profiles and their security privileges on those systems becomes increasingly challenging.

Identity Lifecycle: Onboard → Manage → Support → Offboard

Stakeholders across the lifecycle:
• Human Resources
• IT Operations
• Managers
• Security Operations
• End Users

Why do we need it?

Common Challenges
• Onboarding: delays and lost productivity; requests and approvals; redundant administration
• Manage: delays; change requests; redundant administration
• Support: forgotten passwords; intruder lockouts; access denied errors
• Offboarding: must be reliable, complete and timely

Benefits
• Consolidation of identity data from different sources
• Reduced IT operations overhead
• Improved user productivity
• Improved network security and compliance
• Improved authorisation and approval
• Attestation and reporting

What tools can we use?
• PowerShell
• .NET
• Active Directory
• Forefront Identity Manager (FIM) 2010 R2, with BHOLD

Example: the Zero Touch Provisioning (ZTP) solution

(Architecture diagram for the contoso.com domain, with network load balancers in front of the portal and service tiers. Components and their roles:)

• Custom Portal and FIM Portal: ZTP Administration and ZTP End Users access the FIM Portal for ZTP activities; the FIM Portal provides administration for the ZTP solution; approvers approve or reject requests via email to the FIM Portal approval system.
• Generic Web Control: communicates with the FIM web APIs and performs ZTP activity authorisation.
• FIM Service: provides authentication and authorisation and hosts the business rules and workflows for each activity; ZTP activity approvals are processed here.
• Custom FIM Workflow Activities: offload orchestration of ZTP to Orchestrator.
• FIM Synchronisation, with management agents (MAs):
  • Active Directory Domain Services MA: projects existing users and groups into FIM, provisions new users and groups, and performs import and export attribute flow.
  • SQL MA: additional enterprise identity information (SQL DB) contributing core identity attributes.
  • FIM Service MA: synchronises person, group and system objects between the FIM Service database and the metaverse.
• Orchestrator: runbook activities trigger scripts that perform automation tasks on file servers, edge domain controllers etc., based on the ZTP requests launched and stored in the FIM Service. ZTP runbooks are hosted on the Orchestrator ZTP Activity job servers.
• Runbook reporting: each runbook reports back to the ZTP Custom Reporting DB.
• ZTP end user notification: Orchestrator runbooks notify ZTP end users of the start, end, success and failure of ZTP activities.
• FIM Reporting Connector and Service Manager Data Warehouse: collect FIM reporting data and host SQL Reporting Services and its reports.
• SQL Reporting Services reports: collate data from the multiple ZTP solution databases into the agreed SQL reports.
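The runbook behaviour described above (run a task on a file server or edge DC, report back to the reporting DB, notify the end user) as one script. This is an added example written for this page, not the presentation's or Data#3's own runbook code. Everything it names is an assumption for illustration: the ZtpReporting database and its dbo.RunbookRun table, the SMTP relay and sender address, the CONTOSO domain and D:\Home share layout, and the parameter values the runbook would pass in from the FIM request.

```powershell
# Added example, not the presentation's runbook code: the skeleton of one ZTP runbook
# step, as a script an Orchestrator "Run .Net Script" activity would launch. It runs an
# allow-listed activity on the target server over PowerShell remoting, records a Start
# and an End row in the reporting database, and notifies the requesting user.
# Assumed placeholders: ZtpReporting/dbo.RunbookRun, smtp.contoso.com, CONTOSO, D:\Home.
param(
    [Parameter(Mandatory = $true)][string]$RequestId,       # FIM Service request identifier
    [Parameter(Mandatory = $true)][string]$Activity,        # which ZTP activity was approved
    [Parameter(Mandatory = $true)][string]$TargetServer,    # file server or edge DC to act on
    [Parameter(Mandatory = $true)][string]$AccountName,     # subject of the request (sAMAccountName)
    [Parameter(Mandatory = $true)][string]$RequestorEmail,  # ZTP end user to notify
    [string]$ReportingCs = 'Server=ztp-sql;Database=ZtpReporting;Integrated Security=SSPI',
    [string]$SmtpServer  = 'smtp.contoso.com'
)

# Allow-list: the activity name from the request selects a fixed script block and is
# never treated as code, so a tampered request cannot make the job server run anything else
$Activities = @{
    'HomeDriveProvision' = {
        param($Sam)
        $path = "D:\Home\$Sam"
        if (-not (Test-Path -Path $path)) { New-Item -ItemType Directory -Path $path | Out-Null }
        $acl  = Get-Acl -Path $path
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList "CONTOSO\$Sam", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
        $acl.AddAccessRule($rule)
        Set-Acl -Path $path -AclObject $acl
        "home drive $path ready"
    }
    'HomeDriveRevoke' = {
        param($Sam)
        $path = "D:\Home\$Sam"
        if (Test-Path -Path $path) { Rename-Item -Path $path -NewName "$Sam.offboarded" }
        "home drive $path parked"
    }
}

function Write-RunbookEvent {
    param([string]$Phase, [string]$Outcome, [string]$Detail)
    # Parameterised insert: request IDs and error text arrive from outside the script and
    # are never concatenated into the SQL statement
    $conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList $ReportingCs
    $cmd  = $conn.CreateCommand()
    $cmd.CommandText = 'INSERT INTO dbo.RunbookRun (RequestId, Activity, TargetServer, Phase, Outcome, Detail, Runner, LoggedAt) ' +
                       'VALUES (@req, @act, @tgt, @phase, @outcome, @detail, @runner, SYSUTCDATETIME())'
    $values = @{ req = $RequestId; act = $Activity; tgt = $TargetServer; phase = $Phase
                 outcome = $Outcome; detail = $Detail; runner = $env:COMPUTERNAME }
    foreach ($p in $values.GetEnumerator()) {
        [void]$cmd.Parameters.AddWithValue("@$($p.Key)", [string]$p.Value)
    }
    $conn.Open()
    try { [void]$cmd.ExecuteNonQuery() } finally { $conn.Close() }
}

function Send-ZtpNotice {
    param([string]$Subject, [string]$Body)
    Send-MailMessage -SmtpServer $SmtpServer -From 'ztp-noreply@contoso.com' -To $RequestorEmail -Subject $Subject -Body $Body
}

# Validate inputs before touching anything: an unknown activity or an odd account name fails fast
if (-not $Activities.ContainsKey($Activity))         { throw "Activity '$Activity' is not permitted by this runbook" }
if ($AccountName -notmatch '^[A-Za-z0-9._-]{1,20}$') { throw "Account name '$AccountName' is not a valid sAMAccountName" }

Write-RunbookEvent -Phase 'Start' -Outcome 'Running' -Detail "$Activity for $AccountName on $TargetServer"
Send-ZtpNotice -Subject "ZTP request $RequestId started" -Body "$Activity for $AccountName is running on $TargetServer."

try {
    # The work happens on the target under the job server's service account, not on the job server
    $result  = Invoke-Command -ComputerName $TargetServer -ScriptBlock $Activities[$Activity] -ArgumentList $AccountName -ErrorAction Stop
    $outcome = 'Success'
    $detail  = "$result"
}
catch {
    $outcome = 'Failure'
    $detail  = $_.Exception.Message
}

Write-RunbookEvent -Phase 'End' -Outcome $outcome -Detail $detail
Send-ZtpNotice -Subject "ZTP request $RequestId $outcome" -Body "$Activity for $AccountName on ${TargetServer}: $detail"

# Published data for the next activity in the runbook; a non-zero exit marks the step as failed
[pscustomobject]@{ RequestId = $RequestId; Outcome = $outcome; Detail = $detail }
if ($outcome -ne 'Success') { exit 1 }
```

Two practitioner caveats. Orchestrator 2012's Run .Net Script activity hosts PowerShell 2.0 in a 32-bit process, which is one reason to push the real work out through Invoke-Command to the target rather than running it in the activity itself. And the job server's service account holds whatever rights the runbooks need on every file server and edge DC it touches, so grant it only what the allow-listed activities require; a compromised job server inherits all of it.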

What tools did we use? Solution components
• Custom user interface
• FIM 2010 R2 SP1
• FIM custom activity (.NET)
• Orchestrator 2012 SP1
• Service Manager 2012 SP1
• PowerShell

What does it do?
Request flow: custom user interface → FIM Service → FIM custom activity → Orchestrator → PowerShell/Orchestrator activities → Service Manager data warehouse

Self-service orchestration for onsite support staff, providing role-based administration activities.

Benefits
• Reduced operational cost
• Improved security
• Increased visibility
• Extensible

Why did we choose this platform?

Leveraged existing skill sets

Supportable and extensible

Centralised

Auditable

Consolidated end to end reporting

Zero Touch Provisioning Operation (Bruce Smith)

Integration

• Web Services API: FIM, Orchestrator, Service Manager
• Orchestrator runbooks: PowerShell, .NET, runbook standard activities, Orchestrator integration packs
• FIM management agents: Active Directory, Active Directory LDS, SQL, File, Notes, Azure, ECMA 2.0, Web Services … and more
• FIM custom activities: custom Workflow Foundation activities

Development and Integration (Bruce Smith)

Self-Service and Orchestration

Common Scenarios
• New employee
• Employee changes position
• Provision additional employee services
• Self-service password reset
• Employee leaves

Self-Service and Orchestration common scenarios (Bruce Smith)
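The three lifecycle scenarios above (new employee, employee changes position, employee leaves) and the earlier "locate the logic in one place and automate it" slide describe the same joiner/mover/leaver reconciliation. The script below is an added example written for this page, not the presentation's or Data#3's code; FIM would normally drive this through its management agents, and this shows the equivalent logic in plain PowerShell against Active Directory. Assumptions, all placeholders: the RSAT ActiveDirectory module, an HR CSV with the columns shown, an employeeID attribute populated on AD users, the contoso.com OU layout and the "Dept-<name>" group naming convention.

```powershell
# Added example, not the presentation's code: one joiner/mover/leaver pass that reconciles
# an HR extract against Active Directory, the kind of logic a centralised identity platform
# runs on every HR feed. Assumed: RSAT ActiveDirectory module, the CSV columns below, AD users
# carrying employeeID, and the OU and "Dept-<name>" group conventions (all placeholders).
Import-Module ActiveDirectory

$HrFeedPath = 'C:\ZTP\hr-export.csv'                 # assumed nightly HR extract
$UsersOu    = 'OU=Staff,DC=contoso,DC=com'           # assumed OU layout
$LeaversOu  = 'OU=Leavers,DC=contoso,DC=com'
$AuditLog   = 'C:\ZTP\lifecycle-audit.log'
$DomainSfx  = 'contoso.com'

function Write-Audit {
    param([string]$Action, [string]$EmployeeId, [string]$Detail)
    # One line per change so the run can be attested and reported on later
    Add-Content -Path $AuditLog -Value ("{0:u}`t{1}`t{2}`t{3}" -f (Get-Date), $Action, $EmployeeId, $Detail)
}

function New-RandomPassword {
    param([int]$Length = 20)
    # Unbiased selection from $chars: bytes from a CSPRNG, rejection-sampled to avoid modulo bias
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%&*+=?'
    $limit = 256 - (256 % $chars.Length)
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $buf   = New-Object byte[] 1
    $pw    = ''
    while ($pw.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { $pw += $chars[$buf[0] % $chars.Length] }
    }
    return $pw
}

# Constructed sample feed so the script can be dry-run offline; replace with the real extract
if (-not (Test-Path -Path $HrFeedPath)) {
@'
EmployeeId,GivenName,Surname,Department,Status
10001,Alice,Example,Finance,Active
10002,Bob,Example,Sales,Active
10003,Carol,Example,Finance,Terminated
'@ | Set-Content -Path $HrFeedPath
}

foreach ($rec in Import-Csv -Path $HrFeedPath) {
    # The HR feed is untrusted input to an LDAP filter: accept only a numeric employee ID
    if ($rec.EmployeeId -notmatch '^\d{1,10}$') {
        Write-Audit -Action 'REJECT' -EmployeeId $rec.EmployeeId -Detail 'malformed employee id'
        continue
    }
    $id   = $rec.EmployeeId
    $user = Get-ADUser -Filter "employeeID -eq '$id'" -Properties department, employeeID

    if ($rec.Status -eq 'Terminated') {
        if (-not $user -or -not $user.Enabled) { continue }          # already offboarded
        # Leaver: strip access first, then disable, then park the object (order matters: the DN changes on move)
        Get-ADPrincipalGroupMembership -Identity $user |
            Where-Object { $_.Name -ne 'Domain Users' } |
            ForEach-Object { Remove-ADGroupMember -Identity $_ -Members $user -Confirm:$false }
        Disable-ADAccount -Identity $user
        Set-ADUser -Identity $user -Description ("Offboarded {0:yyyy-MM-dd} by HR feed" -f (Get-Date))
        Move-ADObject -Identity $user.DistinguishedName -TargetPath $LeaversOu
        Write-Audit -Action 'LEAVER' -EmployeeId $id -Detail $user.SamAccountName
        continue
    }

    $deptGroup = "Dept-$($rec.Department)"                           # assumed group naming
    if (-not $user) {
        # Joiner: deterministic account name, random initial password, forced change at first logon
        $sam = ("{0}{1}" -f $rec.GivenName.Substring(0, 1), $rec.Surname).ToLower() -replace '[^a-z0-9]', ''
        if (Get-ADUser -Filter "sAMAccountName -eq '$sam'") { $sam = "$sam$id" }
        $pw   = ConvertTo-SecureString -String (New-RandomPassword) -AsPlainText -Force
        $user = New-ADUser -Name "$($rec.GivenName) $($rec.Surname)" -SamAccountName $sam `
            -UserPrincipalName "$sam@$DomainSfx" -GivenName $rec.GivenName -Surname $rec.Surname `
            -EmployeeID $id -Department $rec.Department -Path $UsersOu `
            -AccountPassword $pw -ChangePasswordAtLogon $true -Enabled $true -PassThru
        Add-ADGroupMember -Identity $deptGroup -Members $user
        Write-Audit -Action 'JOINER' -EmployeeId $id -Detail $sam
    }
    elseif ($user.Department -ne $rec.Department) {
        # Mover: swap the department group so access follows the role, not the person
        if ($user.Department) {
            Remove-ADGroupMember -Identity "Dept-$($user.Department)" -Members $user -Confirm:$false -ErrorAction SilentlyContinue
        }
        Add-ADGroupMember -Identity $deptGroup -Members $user
        Set-ADUser -Identity $user -Department $rec.Department
        Write-Audit -Action 'MOVER' -EmployeeId $id -Detail "$($user.Department) -> $($rec.Department)"
    }
}
```

The design point is that the HR record, not a ticket, is the authority: a terminated status removes group membership before the account is disabled (so a re-enabled account comes back with nothing), and a department change removes the old role group as well as adding the new one, which is the step manual administration most often forgets.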

Cloud integration

Cloud Integration: solution components
• FIM Azure Management Agent
• Azure Active Directory
• Active Directory Federation Services
• Orchestrator 2012 SP1
• Azure/Office 365 DirSync
• PowerShell

Cloud Integration: Azure single sign-on for cloud applications
http://technet.microsoft.com/en-us/library/dn308588.aspx

Cloud Integration: Azure single sign-on for custom applications
http://msdn.microsoft.com/en-us/library/windowsazure/dn151790.aspx
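The cloud components listed above (DirSync, AD FS, Azure AD, PowerShell driven from Orchestrator) fit together as a post-provisioning step: once the on-premises account exists, wait for DirSync to carry it to Azure AD, confirm it is the synced object and that its sign-on domain is federated, then license it. The function below is an added example for this page, not the presentation's code. It assumes the 2013-era MSOnline (Azure AD) PowerShell module, a stored service credential, and placeholder values for the SKU and usage location.

```powershell
# Added example, not from the presentation: a post-DirSync check an Orchestrator step can
# run after on-premises provisioning. Assumes the MSOnline module (the Azure AD PowerShell
# module of the time), a service credential, and placeholder SKU/usage-location values.
Import-Module MSOnline

function Confirm-CloudProvisioning {
    param(
        [Parameter(Mandatory = $true)][string]$Upn,
        [Parameter(Mandatory = $true)][string]$AccountSkuId,   # e.g. 'contoso:ENTERPRISEPACK' (assumed)
        [string]$UsageLocation = 'AU',
        [int]$TimeoutMinutes = 200                             # DirSync's default cycle was every 3 hours
    )
    # 1. Wait for the object to appear: DirSync is scheduled, not immediate
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $user = Get-MsolUser -UserPrincipalName $Upn -ErrorAction SilentlyContinue
        if (-not $user) { Start-Sleep -Seconds 120 }
    } until ($user -or (Get-Date) -gt $deadline)
    if (-not $user) { throw "$Upn has not appeared in Azure AD within $TimeoutMinutes minutes" }

    # 2. Make sure it is the synced object, not a cloud-only account someone created by hand;
    #    a synced user carries the on-premises anchor in ImmutableId
    if (-not $user.ImmutableId) { throw "$Upn exists in Azure AD but is not anchored to the on-premises directory" }

    # 3. The UPN suffix must be federated, otherwise sign-on falls back to a cloud password
    $suffix = ($Upn -split '@')[1]
    $domain = Get-MsolDomain -DomainName $suffix
    if ($domain.Authentication -ne 'Federated') {
        Write-Warning "$suffix is $($domain.Authentication), not federated to AD FS"
    }

    # 4. Licence: usage location is required first, then check the SKU has a free unit
    if (-not $user.UsageLocation) { Set-MsolUser -UserPrincipalName $Upn -UsageLocation $UsageLocation }
    if ($user.Licenses.AccountSkuId -contains $AccountSkuId) { return 'AlreadyLicensed' }
    $sku = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -eq $AccountSkuId }
    if (-not $sku -or ($sku.ActiveUnits - $sku.ConsumedUnits) -lt 1) { throw "No free units of $AccountSkuId" }
    Set-MsolUserLicense -UserPrincipalName $Upn -AddLicenses $AccountSkuId
    return 'Licensed'
}

# Usage: the runbook host would supply a stored service credential; prompting is for the example
$cred = Get-Credential -Message 'Azure AD service account'
Connect-MsolService -Credential $cred
Confirm-CloudProvisioning -Upn 'alice.example@contoso.com' -AccountSkuId 'contoso:ENTERPRISEPACK'
```

The ImmutableId check is the security-relevant one: a cloud-only object with the same UPN, created by hand before DirSync ran, would otherwise be licensed and left with a separate, unfederated password. The MSOnline module has since been superseded by Microsoft's newer Azure AD and Graph modules, so treat the cmdlet names as those of the platform the presentation describes.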

Questions

Related content
• MDC324B: Service Manager and Orchestrator, the perfect partnership
• ATC334: The Identity Jigsaw
• ATC421: FIM 2010 R2: Custom Workflow Activities

Find Us Later in the Expo Hall

Developer Network: resources for developers
http://msdn.microsoft.com/en-au/

Learning: Virtual Academy
http://www.microsoftvirtualacademy.com/

TechNet: resources for IT professionals
http://technet.microsoft.com/en-au/

Sessions on demand
http://channel9.msdn.com/Events/TechEd/Australia/2013

© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
