Technical Overview of Microsoft Forefront Identity Manager 2010 R2
Brjann Brekkan, Technical Product Manager
Mark Wahl, Architect
Microsoft Corporation
SIM332
Objective
Explain how FIM 2010 and FIM 2010 R2 fit into your infrastructure and what they can do to put you in control of identities across different directories and applications
Introduction to new FIM 2010 R2 features
Agenda
• Identity Management product roadmap and scenarios
• Forefront Identity Manager 2010 R2 features and architecture
• Q&A
Evolution of Identity Manager
Layered diagram: the feature areas User Management, Group Management, Credential Management and Policy Management sit on a Common Platform of Workflow, Connectors, Logging, Web Service API and Synchronization.
• Identity Synchronization, User Provisioning, Certificate and Smartcard Management
• Office Integration for Self-Service, Declarative Provisioning, Group & DL Management, Workflow and Policy, Support for 3rd Party CAs
Identity Management: Promise and Journey
Empowers People
• Greater productivity through faster time to resolution
• Provides Office-based self-service tools
• Delivers SharePoint-based consoles for information workers to manage identities, access and credentials
Delivers Agility and Efficiency
• Reduces costs through automation and self-service
• Maximizes investments in existing identity infrastructure
• Integrates with familiar developer tools to enable new scenarios
Helps Improve Productivity and Compliance
• Integrates identity, credential, and access management
• Rich access, permissions and delegation model
• Enables system auditing and compliance
Forefront Identity Manager - Key Feature Areas
Credential Management
• Heterogeneous certificate management with 3rd party CAs
• Management of AD credentials
• Self-service password reset integrated with Windows logon
Group Management
• Rich Office-based self-service group management tools
• Offline approvals through Office
• Automated group and distribution list updates
User Management
• Integrated provisioning of identities, credentials, and resources
• Automated, declarative user provisioning and de-provisioning
• Self-service profile management
Policy Management
• SharePoint-based console for policy authoring, enforcement & auditing
• Extensible WS-* APIs and Windows Workflow Foundation workflows
• Heterogeneous identity synchronization and consistency
The Developer Lens
• Custom workflows built in Visual Studio
• Identity Aware custom apps
Evolution of Identity Manager: FIM 2010 R2 additions
• Web based password reset
• Reporting
• Simplified deployment and troubleshooting
• Enhanced performance
• Enhanced MA connectivity
• Added language support
Credential Management
• Adds web-based password reset
• Supports password reset and registration from intranet or extranet via a web browser
• No ActiveX control would be required for browser-based reset
• Support for non-domain joined machines
• Simplify deployment and management experiences for password reset
FIM Password Reset Components: Illustrative Topology
Diagram labels (Internet side): End User, Browser, Reverse Proxy, Firewall.
Diagram labels (Corporate Network): IIS hosting the FIM Password Registration Portal and the FIM Password Reset Portal; FIM Service; Active Directory; FIM Sync Service; SharePoint with the FIM Portal; Windows Client with the FIM Password Reset Extensions (End User); Internet Explorer (FIM Admin).
Reporting
• Add historical reporting for FIM-managed objects
• Includes frequently-requested reports, e.g.: group membership changes over time; request history; person and group change history
• Report data store is extensible: can be extended to store history of custom FIM Service objects and attributes, enabling customers and ISVs to build custom reports
• Integrates with System Center Service Manager, leveraging its data warehouse
How to Answer these Questions
Questions fall into a 2x2 grid: state vs. events, current vs. historic.
Current state (source: FIM database via portal)
• Who is in group A?
• What groups does a particular person belong to?
• Who is person Y's manager?
Current events (source: FIM requests via portal)
• Who joined group A today?
• What groups had new members today?
• How many new people joined the company today?
Historic events (source: FIM reporting)
• Who joined group A on May 1st, 2010?
• How did a group's membership change over time?
• Who approved a group join?
• How did a set filter definition change over time?
Historic state (source: FIM Portal and Reporting)
• What groups did person A have access to on November 4th, 2009?
• What was a group's membership last July?
Out of Box Reports
Report class: Membership Change Reports
• Defined over: Group Membership (SG + DG); Set Membership
• Description: Contains membership changes, who approved them, and the associated request which generated the change.
Report class: Object History Reports
• Defined over: Users; Groups; Sets; Requests; Policy Rules
• Description: Contains changes to key attributes over time.
Example Membership Change Report: Group Membership Change
Report fields:
• User Information: User Display Name, User Account Name, User Object ID, User Domain
• Group Information: Group Display Name, Group Account Name, Group Domain, Group Type, Group Owner
• Request Information: Request Originator, Request Approver, Policy Rule that Triggered the Request, Request ID
Sample rows (Account Name | Operation Type | Committed Time | Group Name | Request Originator | Request Approver | Request ID | MPR that Triggered the Request):
cwilcox | Join Group | 1/7/2011 14:27:02 | Finance | FIM Service | (blank) | {43edf…} | All accountants have access to financial data
kimaber | Join Group | 1/3/2011 16:12:25 | Sales | kimaber | dparker | {81e2b…} | (blank)
cwilcox | Leave Group | 1/1/2011 08:58:02 | Marketing | samanthas | (blank) | (blank) | (blank)
Callouts:
• Colin changes roles and is added, automatically, to the Finance group
• Kim requests to join the Sales group, Darren approves the request
• Samantha removes Colin from the Marketing group
Example History Report: User History
Columns: User Name | User ID | Operation | Attribute | Value | Requestor | Committed Time | Request
Colin Wilcox | {732d2…} | Remove | User | (blank) | FIM Service | 2/13/2011 01:22:00 | {532aa…}
Colin Wilcox | {732d2…} | Remove | Display Name | Colin Wilcox | FIM Service | 2/13/2011 01:22:00 | {532aa…}
Colin Wilcox | {732d2…} | Remove | First Name | Colin | FIM Service | 2/13/2011 01:22:00 | {532aa…}
Colin Wilcox | {732d2…} | Remove | Last Name | Wilcox | FIM Service | 2/13/2011 01:22:00 | {532aa…}
Colin Wilcox | {732d2…} | Add | Manager | gfort | Garth Fort | 9/22/2006 08:55:28 | {8457b…}
Colin Wilcox | {732d2…} | Remove | Manager | samanthas | Garth Fort | 9/22/2006 08:55:28 | {8457b…}
Colin Wilcox | {732d2…} | Add | Employee Type | FTE | Garth Fort | 9/22/2006 08:55:28 | {8457b…}
Colin Wilcox | {732d2…} | Remove | Employee Type | Contractor | Garth Fort | 9/22/2006 08:55:28 | {8457b…}
Colin Wilcox | {732d2…} | Add | Manager | samanthas | FIM Service | 5/2/2002 08:32:11 | {126da…}
Colin Wilcox | {732d2…} | Add | Employee Type | Contractor | FIM Service | 5/2/2002 08:32:11 | {126da…}
Colin Wilcox | {732d2…} | Add | Display Name | Colin Wilcox | FIM Service | 5/2/2002 08:32:11 | {126da…}
Colin Wilcox | {732d2…} | Add | User | (blank) | FIM Service | 5/2/2002 08:32:11 | {126da…}
Callouts:
• Colin is created in FIM in 2002 via a sync through HR; Samantha Smith is his first manager
• In 2006, Colin becomes a full-time employee and, as a result, gets a new manager, Garth
• In 2011, Colin leaves the company and is removed from FIM
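The two sample reports above, and the state-vs-events grid earlier, rest on one idea: the historical report is an append-only change log, and any point-in-time question (who was in a group last July, who was Colin's manager in 2007) is answered by replaying that log up to the chosen instant, while "who joined between these dates" is a plain filter over it. The following is an added worked example, not code from this session or from FIM's reporting data warehouse. It replays a constructed log whose rows follow the illustrative report rows on the slides; the 6/15/2010 Marketing join is invented so that the 1/1/2011 Leave Group row has something to undo, the "Remove User" row stands for the 2011 object deletion, and the field and function names are assumptions rather than FIM's schema.

```python
"""Replay a change log to answer state/event, current/historic questions.

Added example, not FIM code. Event fields mimic the columns of the Membership
Change and User History reports on the slides; the schema and helper names are
assumptions, and the sample log is constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Set


@dataclass(frozen=True)
class Event:
    committed: datetime      # Committed Time
    subject: str             # account name of the user the change is about
    operation: str           # "Join Group" / "Leave Group" / "Add" / "Remove"
    target: str              # group name for membership rows, attribute name otherwise
    value: Optional[str]     # attribute value; None for membership rows and object delete
    requestor: str           # Request Originator
    approver: Optional[str]  # Request Approver, if any


def ts(s: str) -> datetime:
    """Parse the M/D/YYYY H:MM:SS timestamps used in the slide's reports."""
    return datetime.strptime(s, "%m/%d/%Y %H:%M:%S")


# Constructed sample log. Rows follow the illustrative reports on the slides;
# the 6/15/2010 Marketing join is invented so the 1/1/2011 Leave has something
# to undo, and "Remove User" stands for the 2011 object deletion.
EVENTS: List[Event] = [
    Event(ts("5/2/2002 08:32:11"),  "cwilcox", "Add",    "Manager",       "samanthas",  "FIM Service", None),
    Event(ts("5/2/2002 08:32:11"),  "cwilcox", "Add",    "Employee Type", "Contractor", "FIM Service", None),
    Event(ts("9/22/2006 08:55:28"), "cwilcox", "Add",    "Manager",       "gfort",      "Garth Fort",  None),
    Event(ts("9/22/2006 08:55:28"), "cwilcox", "Remove", "Manager",       "samanthas",  "Garth Fort",  None),
    Event(ts("9/22/2006 08:55:28"), "cwilcox", "Add",    "Employee Type", "FTE",        "Garth Fort",  None),
    Event(ts("9/22/2006 08:55:28"), "cwilcox", "Remove", "Employee Type", "Contractor", "Garth Fort",  None),
    Event(ts("6/15/2010 09:00:00"), "cwilcox", "Join Group",  "Marketing", None, "samanthas",   None),  # invented
    Event(ts("1/1/2011 08:58:02"),  "cwilcox", "Leave Group", "Marketing", None, "samanthas",   None),
    Event(ts("1/3/2011 16:12:25"),  "kimaber", "Join Group",  "Sales",     None, "kimaber",     "dparker"),
    Event(ts("1/7/2011 14:27:02"),  "cwilcox", "Join Group",  "Finance",   None, "FIM Service", None),
    Event(ts("2/13/2011 01:22:00"), "cwilcox", "Remove", "User",          None,         "FIM Service", None),
]

# A report lists the Add of a new value before the Remove of the old one at the
# same committed time (see the 2006 rows). Replay must apply the Remove first,
# or it would undo the Add, so removals sort ahead of additions within a tick.
_REMOVALS = {"Remove", "Leave Group"}


def _replay_order(events: List[Event], upto: datetime) -> List[Event]:
    """Events committed at or before `upto`, in deterministic replay order."""
    return sorted(
        (e for e in events if e.committed <= upto),
        key=lambda e: (e.committed, 0 if e.operation in _REMOVALS else 1),
    )


def membership_at(events: List[Event], group: str, when: datetime) -> Set[str]:
    """Historic state: who was in `group` at instant `when`?"""
    members: Set[str] = set()
    for e in _replay_order(events, when):
        if e.target != group:
            continue
        if e.operation == "Join Group":
            members.add(e.subject)
        elif e.operation == "Leave Group":
            members.discard(e.subject)
    return members


def groups_of(events: List[Event], user: str, when: datetime) -> Set[str]:
    """Historic state: what groups did `user` belong to at `when`?"""
    groups: Set[str] = set()
    for e in _replay_order(events, when):
        if e.subject != user:
            continue
        if e.operation == "Join Group":
            groups.add(e.target)
        elif e.operation == "Leave Group":
            groups.discard(e.target)
    return groups


def joins_between(events: List[Event], group: str, start: datetime, end: datetime) -> List[Event]:
    """Historic events: who joined `group` in [start, end], and who approved each join?"""
    return [
        e for e in sorted(events, key=lambda e: e.committed)
        if e.operation == "Join Group" and e.target == group and start <= e.committed <= end
    ]


def attribute_at(events: List[Event], user: str, attribute: str, when: datetime) -> Optional[str]:
    """Historic state: value of `attribute` on `user` at `when`; None if unset or the object was deleted."""
    value: Optional[str] = None
    for e in _replay_order(events, when):
        if e.subject != user:
            continue
        if e.operation == "Remove" and e.target == "User":
            value = None            # object deleted: no attribute survives it
            continue
        if e.target != attribute:
            continue
        if e.operation == "Add":
            value = e.value
        elif e.operation == "Remove" and value == e.value:
            value = None
    return value
```

The ordering rule inside one committed timestamp is the part that bites in practice: the report lists the new value's Add above the old value's Remove, and a naive replay in display order leaves the attribute empty. Replaying with the `when` bound inclusive also matters, since a question phrased as "on 9/22/2006" should see the FTE change committed that morning.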
Reporting Architecture
Diagram labels: FIM Service; FIM Service DB; FIM Reporting Administration; Management Packs; System Center Data Warehouse (Staging, Repository, Data Mart); SSRS; Web Service; SCSM Console; Import Report; Initial Sync; Incremental Sync; Schema Binding (Fact/Dimension Definition, Class/Relationship Definition, Report Definition); Binding Objects (<DWBind><obj 1><obj 2><obj 3>...); data rows (Row 1, Row 2, ...); Report Log.
Extensibility
• Fully extensible Data Warehouse
• Extensible dimensional based schema
• ETL process is further extensible via custom transforms
• Custom report authoring via SSRS
• Support for "Favorite reports"
• Dynamic interface for flowing new data from FIM into the Data Warehouse
• Bindings between FIM and DW, persisted in FIM objects
• Automatic, scheduled, data flow
New Extensible MA Framework
Enable extensible Management Agents to support:
• Batched call-based import
• Batched call-based export
• Programmatic schema, partition, and hierarchy discovery
• Password management that behaves like the other methods
• Custom anchors and additional DN styles
• Support for custom parameters
• Full Export run step
• .NET 4 support
New SAP, Oracle ERP, and Lotus Notes MAs for FIM 2010 R2 developed on top of the new API
Performance Improvements
• Improve performance for initial load of customer data from connected system to FIM Service
• Improve performance for bulk addition (e.g., of a new division) from connected system to an existing FIM deployment
• Provide FIM Service database tuning guidance and enhancements
Ease of Use Improvements
• Best Practices Analyzer (BPA): reduce overall TCO (and support calls) with a FIM deployment validation tool that identifies possible issues in FIM setup relating to performance, security and configuration
• Improvements for troubleshooting: enhanced diagnostics and error messages in FIM Portal and web services; additions to IT Pro documentation for top problem areas
• Improvements in the setup process: easier configuration of scenarios such as password reset; reduced initial load time
Platform Investments
• FIM Add-in supports Outlook 2010 for group management and approvals: support for 32-bit and 64-bit Outlook 2010; Add-in localized to 33 languages
• FIM Portal supports SharePoint 2010: support for installing the FIM Portal on the newest version of SharePoint Foundation; seamless installation experience; continued support for WSS 3 (SharePoint 2007); same UI experience on both platforms
Related Content
• SIM205 Identity and Access and the Cloud Better Together (Monday)
• SIM315 Optimizing FIM (Thursday)
• SIM358 Preparing Identities for the Cloud with FIM (Tuesday)
• SIM379-INT Self-service Password Reset (Wednesday)
• SIM375-INT Chalk Talk with the Product Team (Tuesday)
• SIM395-HOL FIM Overview
• SIM399-HOL Managing Claims AuthN using FIM 2010
• Forefront Identity Manager demos in the exhibition hall
Track Resources
Don’t forget to visit the Cloud Power area within the TLC (Blue Section) to see product demos and speak with experts about the Server & Cloud Platform solutions that help drive your business forward.
You can also find the latest information about our products at the following links:
Windows Azure - http://www.microsoft.com/windowsazure/
Microsoft System Center - http://www.microsoft.com/systemcenter/
Microsoft Forefront - http://www.microsoft.com/forefront/
Windows Server - http://www.microsoft.com/windowsserver/
Cloud Power - http://www.microsoft.com/cloud/
Private Cloud - http://www.microsoft.com/privatecloud/
Resources
• Sessions On-Demand & Community: www.microsoft.com/teched
• Microsoft Certification & Training Resources: www.microsoft.com/learning
• Resources for IT Professionals: http://microsoft.com/technet
• Resources for Developers: http://microsoft.com/msdn
• Connect. Share. Discuss.: http://northamerica.msteched.com
© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
FIM 2010 R2 Enhancements
Credential Management
• Web based password reset
Reporting
• Historical reporting for managed resources
• Service Manager data warehouse integration
Ease of Use
• Enhanced diagnostics
• Enhanced initial load performance
• Simplified deployment for password reset
Additional Support
• Improved & added Management Agents for Oracle ERP, SAP, and Lotus Domino
• Added language support for: Russian, Norwegian (Bokmål), Swedish, Finnish, Brazilian Portuguese, Polish, Korean, Danish, Turkish, and Czech
Align Experiences
Put the right tools in the right hands
Deliver a great experience for developers, information workers, and IT pros
ILM "2" Principles
Extensible Platform
• Build an extensible platform for present and future IdM solutions
• Takes full advantage of state of the art technologies such as Web Services standards, federation, strong auth, and workflow
Integrated Policy Management
• Provide a tightly integrated solution for policy management
• Solve the spectrum of identity challenges with unified concepts and architecture
Enhance existing investment
• Enhance existing IT investments
• "Light up" Office, Windows, and System Center, and provide synergistic enhancements to other connected systems
FIM 2010 Features
User Management
• User profile management
• Synchronizes identity data
Access Management
• Automated policy based provisioning and de-provisioning across heterogeneous environments
• Office-based self-service group and request management capabilities
• Automated group and distribution list updates
Credential Management
• Single administration point for certificates and smart cards
• Management of credentials issued from AD CS and 3rd party CAs
• Self-service password reset at Windows logon
Policy Management
• Identity management policy authoring, enforcement & auditing
• Open WS-* protocols and APIs