
Upload: theodore-fox

Post on 24-Dec-2015


Technical Overview of Microsoft Forefront Identity Manager 2010 R2

Brjann Brekkan, Technical Product Manager
Mark Wahl, Architect
Microsoft Corporation

SIM332

Objective

Explain how FIM 2010 and FIM 2010 R2 fit into your infrastructure and what they can do to put you in control of identities across different directories and applications
Introduction to new FIM 2010 R2 features

Agenda

Identity Management product roadmap and scenarios
Forefront Identity Manager 2010 R2 features and architecture
Q&A

Evolution of Identity Manager

(Diagram; layers as labelled on the slide)

FIM 2010: Office Integration for Self-Service, Declarative Provisioning, Group & DL Management, Workflow and Policy, Support for 3rd Party CAs

Feature areas: User Management, Group Management, Credential Management

Common Platform: Workflow, Connectors, Logging, Web Service API, Synchronization, Policy Management

Core services: Identity Synchronization, User Provisioning, Certificate and Smartcard Management

Identity Management: Promise and Journey

Empowers People
• Greater productivity through faster time to resolution
• Provides Office-based self-service tools
• Delivers SharePoint-based consoles for information workers to manage identities, access and credentials

Delivers Agility and Efficiency
• Reduces costs through automation and self-service
• Maximizes investments in existing identity infrastructure
• Integrates with familiar developer tools to enable new scenarios

Helps Improve Productivity and Compliance
• Integrates identity, credential, and access management
• Rich access, permissions and delegation model
• Enables system auditing and compliance

Forefront Identity Manager - Key Feature Areas

Credential Management
• Heterogeneous certificate management with 3rd party CAs
• Management of AD credentials
• Self-service password reset integrated with Windows logon

Group Management
• Rich Office-based self-service group management tools
• Offline approvals through Office
• Automated group and distribution list updates

User Management
• Integrated provisioning of identities, credentials, and resources
• Automated, declarative user provisioning and de-provisioning
• Self-service profile management

Policy Management
• SharePoint-based console for policy authoring, enforcement & auditing
• Extensible WS-* APIs and Windows Workflow Foundation workflows
• Heterogeneous identity synchronization and consistency

The Solutions

Align Experiences

The Information Worker Lens

Join groups from within Outlook
Reset password from within Windows login

The Developer Lens

Custom workflows built in Visual Studio
Identity-aware custom apps

The IT Pro Lens

Build scripts using PowerShell

Demo

Information Worker: Request management demo

Evolution of Identity Manager

(Diagram; the same layers as the earlier Evolution slide, with the R2 additions called out)

FIM 2010: Office Integration for Self-Service, Declarative Provisioning, Group & DL Management, Workflow and Policy, Support for 3rd Party CAs

Feature areas: User Management, Group Management, Credential Management

Common Platform: Workflow, Connectors, Logging, Web Service API, Synchronization, Policy Management

Core services: Identity Synchronization, User Provisioning, Certificate and Smartcard Management

FIM 2010 R2 adds:
• Web based password reset
• Reporting
• Simplified deployment and troubleshooting
• Enhanced performance
• Enhanced MA connectivity
• Added language support

Credential Management

• Adds web-based password reset
• Supports password reset and registration from the intranet or extranet via a web browser
• No ActiveX control is required for browser-based reset
• Support for non-domain-joined machines

Simplify deployment and management experiences for password reset

FIM Password Reset Components: Illustrative Topology

(Diagram; components and zones as labelled on the slide)

Internet: End User with a browser; Reverse Proxy in front of the firewall

Corporate Network:
• IIS hosting the FIM Password Registration Portal and the FIM Password Reset Portal
• FIM Service
• Active Directory
• FIM Sync Service
• SharePoint hosting the FIM Portal, used by the FIM Admin through Internet Explorer
• Windows Client with the FIM Password Reset Extensions, used by an End User at logon

Demo

Web based password reset

Reporting

Add historical reporting for FIM-managed objects. Includes frequently-requested reports, e.g.:
• Group membership changes over time
• Request history
• Person and group change history

Report data store is extensible
• Can be extended to store history of custom FIM Service objects and attributes
• Enables customers and ISVs to build custom reports

Integrates with System Center Service Manager, leveraging its data warehouse

How to Answer these Questions

(Matrix on the slide: State vs. Events, Current vs. Historic)

Current state
• Who is in group A?
• What groups does a particular person belong to?
• Who is person Y's manager?

Current events
• Who joined group A today?
• What groups had new members today?
• How many new people joined the company today?

Historic events
• Who joined group A on May 1st, 2010?
• How did a group's membership change over time?
• Who approved a group join?
• How did a set filter definition change over time?

Historic state
• What groups did person A have access to on November 4th, 2009?
• What was a group's membership last July?

Sources named on the slide: FIM Portal and Reporting; FIM reporting; FIM requests via portal; FIM database via portal

Out of Box Reports

Report Class | Defined Over | Description
Membership Change Reports | Group Membership (SG + DG); Set Membership | Contains membership changes, who approved them, and the associated request which generated the change.
Object History Reports | Users; Groups; Sets; Requests; Policy Rules | Contains changes to key attributes over time.

Example Membership Change Report: Group Membership Change

Columns available to the report:
• User Information: User Display Name, User Account Name, User Object ID, User Domain
• Group Information: Group Display Name, Group Account Name, Group Domain, Group Type, Group Owner
• Request Information: Request Originator, Request Approver, Policy Rule that Triggered the Request, Request ID

Account Name | Operation Type | Committed Time | Group Name | Request Originator | Request Approver | Request ID | MPR that Triggered the Request
cwilcox | Join Group | 1/7/2011 14:27:02 | Finance | FIM Service | - | {43edf…} | All accountants have access to financial data
kimaber | Join Group | 1/3/2011 16:12:25 | Sales | kimaber | dparker | {81e2b…} | -
cwilcox | Leave Group | 1/1/2011 08:58:02 | Marketing | samanthas | - | - | -

Callouts on the slide:
• Colin changes roles and is added, automatically, to the Finance group
• Kim requests to join the Sales group, Darren approves the request
• Samantha removes Colin from the Marketing group
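The "historic state" and "who approved a group join" questions above are answered by replaying rows like the ones in this report. The following is an added example written for this page, not code from FIM or from the presenters: it assumes a pipe-separated export with the same columns as the report above, and every row in it is constructed (the request IDs and the two extra rows for Marketing and Sales are invented so that the replay has something to show). The self-approval check at the end is a reviewer's check over this data, not a report the slides describe.

```python
"""Replay group membership change records, shaped like the FIM
Group Membership Change report above, to answer the historical
questions the reporting slides pose: who was in a group on a given
date, and who approved each join.  Added example for this page, not
FIM code; all rows below are constructed."""
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: same column order as the report on the slide.
# Request IDs and the last two rows are invented for illustration.
SAMPLE_REPORT = """
cwilcox | Join Group  | 1/7/2011 14:27:02  | Finance   | FIM Service |         | req-0001 | All accountants have access to financial data
kimaber | Join Group  | 1/3/2011 16:12:25  | Sales     | kimaber     | dparker | req-0002 |
cwilcox | Leave Group | 1/1/2011 08:58:02  | Marketing | samanthas   |         | req-0003 |
cwilcox | Join Group  | 6/15/2010 09:00:00 | Marketing | samanthas   |         | req-0004 |
dparker | Join Group  | 1/5/2011 10:30:00  | Sales     | dparker     | dparker | req-0005 |
"""


@dataclass(frozen=True)
class MembershipChange:
    account: str
    operation: str        # "Join Group" or "Leave Group"
    committed: datetime
    group: str
    originator: str       # who raised the request ("FIM Service" for policy-driven changes)
    approver: str         # empty when no approval was involved
    request_id: str
    mpr: str              # policy rule that triggered the request, empty if none


def parse_report(text):
    """Parse pipe-separated rows into MembershipChange records."""
    changes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 8:
            raise ValueError(f"expected 8 columns, got {len(fields)}: {line!r}")
        account, op, ts, group, originator, approver, request_id, mpr = fields
        changes.append(MembershipChange(
            account, op, datetime.strptime(ts, "%m/%d/%Y %H:%M:%S"),
            group, originator, approver, request_id, mpr))
    return changes


def membership_as_of(changes, group, when):
    """Reconstruct the membership of `group` at time `when` by replaying
    joins and leaves in committed order (the 'historic state' question)."""
    members = set()
    for c in sorted(changes, key=lambda c: c.committed):
        if c.group != group or c.committed > when:
            continue
        if c.operation == "Join Group":
            members.add(c.account)
        elif c.operation == "Leave Group":
            members.discard(c.account)
        else:
            raise ValueError(f"unknown operation {c.operation!r}")
    return members


def joins_with_approver(changes, group):
    """List every join to `group` with its originator, approver and request
    ID (the 'who approved a group join' question)."""
    return [(c.account, c.originator, c.approver or "(none)", c.request_id)
            for c in changes if c.group == group and c.operation == "Join Group"]


def self_approved_joins(changes):
    """Flag joins where the originator also approved the request: a check a
    reviewer would run over this report, not something the slide shows."""
    return [c for c in changes
            if c.operation == "Join Group" and c.approver and c.approver == c.originator]


CHANGES = parse_report(SAMPLE_REPORT)

if __name__ == "__main__":
    print("Marketing on 2010-12-31:", membership_as_of(CHANGES, "Marketing", datetime(2010, 12, 31)))
    print("Sales on 2011-01-06:", membership_as_of(CHANGES, "Sales", datetime(2011, 1, 6)))
    for row in joins_with_approver(CHANGES, "Sales"):
        print("join:", row)
    for c in self_approved_joins(CHANGES):
        print("self-approved:", c.account, c.request_id)
```

The replay sorts by committed time rather than trusting file order, because a report export is not guaranteed to be chronological; a leave that sorts before its join would otherwise leave the account in the group.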

Example History Report: User History

User Name | User ID | Operation | Attribute | Value | Requestor | Committed Time | Request
Colin Wilcox | {732d2…} | Remove | User | - | FIM Service | 2/13/2011 01:22:00 | {532aa…}
Colin Wilcox | {732d2…} | Remove | Display Name | Colin Wilcox | FIM Service | 2/13/2011 01:22:00 | {532aa…}
Colin Wilcox | {732d2…} | Remove | First Name | Colin | FIM Service | 2/13/2011 01:22:00 | {532aa…}
Colin Wilcox | {732d2…} | Remove | Last Name | Wilcox | FIM Service | 2/13/2011 01:22:00 | {532aa…}
Colin Wilcox | {732d2…} | Add | Manager | gfort | Garth Fort | 9/22/2006 08:55:28 | {8457b…}
Colin Wilcox | {732d2…} | Remove | Manager | samanthas | Garth Fort | 9/22/2006 08:55:28 | {8457b…}
Colin Wilcox | {732d2…} | Add | Employee Type | FTE | Garth Fort | 9/22/2006 08:55:28 | {8457b…}
Colin Wilcox | {732d2…} | Remove | Employee Type | Contractor | Garth Fort | 9/22/2006 08:55:28 | {8457b…}
Colin Wilcox | {732d2…} | Add | Manager | samanthas | FIM Service | 5/2/2002 08:32:11 | {126da…}
Colin Wilcox | {732d2…} | Add | Employee Type | Contractor | FIM Service | 5/2/2002 08:32:11 | {126da…}
Colin Wilcox | {732d2…} | Add | Display Name | Colin Wilcox | FIM Service | 5/2/2002 08:32:11 | {126da…}
Colin Wilcox | {732d2…} | Add | User | - | FIM Service | 5/2/2002 08:32:11 | {126da…}

Callouts on the slide:
• Colin is created in FIM in 2002 via a sync through HR; Samantha Smith is his first manager.
• In 2006, Colin becomes a full-time employee and, as a result, gets a new manager, Garth.
• In 2011, Colin leaves the company and is removed from FIM.

Reporting Architecture

(Diagram; components and flows as labelled on the slide)

FIM side:
• FIM Service, with the FIM Service DB and a Report Log (Row 1, Row 2, Row 3, ...)
• FIM Reporting Administration
• Binding Objects persisted in FIM (<DWBind><obj 1><obj 2><obj 3>...)
• Management Packs: Schema Binding, Fact/Dimension Definition, Class/Relationship Definition, Report Definition

System Center side:
• System Center Data Warehouse: Staging, Repository, Data Mart
• SSRS (SQL Server Reporting Services)
• SCSM Web Service and SCSM Console

Flows shown: Import Report; Initial Sync and Incremental Sync of Report Log rows into the data warehouse Staging area

Extensibility

• Fully extensible Data Warehouse
• Extensible dimensional-based schema
• ETL process is further extensible via custom transforms
• Custom report authoring via SSRS
• Support for "Favorite reports"

Dynamic interface for flowing new data from FIM into the Data Warehouse
• Bindings between FIM and DW, persisted in FIM objects
• Automatic, scheduled data flow

Demo

Reporting

New Extensible MA Framework

Enable extensible Management Agents to support:
• Batched call-based import
• Batched call-based export
• Programmatic schema, partition, and hierarchy discovery
• Password management that behaves like the other methods
• Custom anchors and additional DN styles
• Custom parameters
• Full Export run step
• .NET 4 support

New SAP, Oracle ERP, and Lotus Notes MAs for FIM 2010 R2 are developed on top of the new API

Performance Improvements

• Improve performance for initial load of customer data from a connected system to the FIM Service
• Improve performance for bulk addition (e.g., of a new division) from a connected system to an existing FIM deployment
• Provide FIM Service database tuning guidance and enhancements

Ease of Use Improvements

Best Practices Analyzer (BPA)
• Reduce overall TCO (and support calls) with a FIM deployment validation tool
• Identifies possible issues in FIM setup relating to performance, security, and configuration

Improvements for troubleshooting
• Enhanced diagnostics and error messages in FIM Portal and web services
• Additions to IT Pro documentation for top problem areas

Improvements in the setup process
• Easier configuration of scenarios such as password reset
• Reduced initial load time

Platform Investments

FIM Add-in supports Outlook 2010 for group management and approvals
• Add support for 32-bit and 64-bit Outlook 2010
• Add-in localized to 33 languages

FIM Portal supports SharePoint 2010
• Support for installing the FIM portal on the newest version of SharePoint Foundation
• Seamless installation experience
• Continued support for WSS 3 (SharePoint 2007)
• Same UI experience on both platforms

Q&A

Related Content

SIM205 Identity and Access and the Cloud Better Together (Monday)
SIM315 Optimizing FIM (Thursday)
SIM358 Preparing Identities for the Cloud with FIM (Tuesday)
SIM379-INT Self-service Password Reset (Wednesday)
SIM375-INT Chalk Talk with the Product Team (Tuesday)
SIM395-HOL FIM Overview
SIM399-HOL Managing Claims AuthN using FIM 2010

Forefront Identity Manager demos in the exhibition hall


© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

FIM 2010 R2 Enhancements

Credential Management
• Web based password reset

Reporting
• Historical reporting for managed resources
• Service Manager data warehouse integration

Ease of Use
• Enhanced diagnostics
• Enhanced initial load performance
• Simplified deployment for password reset

Additional Support
• Improved & added Management Agents for Oracle ERP, SAP, and Lotus Domino
• Added language support for: Russian, Norwegian (Bokmal), Swedish, Finnish, Brazilian Portuguese, Polish, Korean, Danish, Turkish, and Czech

Align Experiences

Put the right tools in the right hands

Deliver a great experience for developers, information workers, and IT pros

ILM “2” Principles

Extensible Platform
• Build an extensible platform for present and future IdM solutions
• Takes full advantage of state-of-the-art technologies such as Web Services standards, federation, strong auth, and workflow

Integrated Policy Management
• Provide a tightly integrated solution for policy management
• Solve the spectrum of identity challenges with unified concepts and architecture

Enhance Existing Investment
• Enhance existing IT investments
• "Light up" Office, Windows, and System Center, and provide synergistic enhancements to other connected systems

FIM 2010 Features

User Management
• User profile management
• Synchronizes identity data

Access Management
• Automated policy-based provisioning and de-provisioning across heterogeneous environments
• Office-based self-service group and request management capabilities
• Automated group and distribution list updates

Credential Management
• Single administration point for certificates and smart cards
• Management of credentials issued from AD CS and 3rd party CAs
• Self-service password reset at Windows logon

Policy Management
• Identity management policy authoring, enforcement & auditing
• Open WS-* protocols and APIs