Forefront Identity Manager 2010: From Identity Synchronization to Identity Management

Federico Guerrini, IDA TSP, EMEA Incubation Team, federico.guerrini@microsoft.com

Agenda
• Forefront Identity Manager (FIM) 2010 history and evolution
• Identity Synchronization: the IT-centric approach
• Identity Management: the Business-centric approach
• FIM 2010 Solutions: deploying identity management solutions quickly and effectively

FIM 2010 History: FIM 2010’s Heritage

ILM & FIM History (timeline)
• Once upon a time… MIIS; CLM Beta
• Yesterday: ILM 2007 = MIIS + CLM (Credential Management)
• Today: FIM 2010: Policy Management, Group Management, Credential Management, User Management

Problem #1: User Provisioning (diagram)
• Human Resources: Name, Employee ID, Cost center, Manager, Roles
• Email: Name, Email Alias, Mailbox settings
• Active Directory: Name, Domain Account, Manager, Email
• App Servers: App Account, App profile 1, App profile 2, App profile 3
• IT ADMIN in the middle of all systems, with the open questions: Security? Compliancy? Productivity/Cost Reduction? Reporting?

Problem #2: Certificate and Smart Card Lifecycle Management, FIM-CM 2010 (diagram)
• Certificate use cases: encrypted data, digitally signed email, smart card logon, certificate-based web authentication
• Systems involved: Human Resources, Email, Active Directory, App servers
• IT ADMIN open questions: Certificate renewal? Lost smart card? Forgotten PIN? Blocked smart card?

Session Focus: User Provisioning (diagram, as in Problem #1)
• Human Resources: Name, Employee ID, Cost center, Manager, Roles
• Email: Name, Email Alias, Mailbox settings
• Active Directory: Name, Domain Account, Manager, Email
• App stores: App Account, App profile 1, App profile 2, App profile 3
• IT ADMIN open questions: Security? Compliancy? Productivity/Cost Reduction? Reporting?

Identity Synchronization: The “IT-Centric” Approach

IT-Centric Approach: Identity Synchronization (diagram)
• Meta Directory + Synch Engine holds the aggregated identity: Name, Employee ID, Cost center, Manager, Roles, Email Alias, Domain Account, App Profile 1, App Profile 2, App Profile 3
• Connected systems: Human Resources (Name, Employee ID, Cost center, Manager, Roles), Email (Name, Email Alias, Mailbox settings), Active Directory (Name, Domain Account, Manager, Email), App stores (App Account, App profile 1, App profile 2, App profile 3)

Identity Synchronization Example (diagram, numbered flow)
1. Human Resources: Name, Employee ID, Cost center, Manager, Roles
2. Meta Directory + Synch Engine: Name, Employee ID, Cost center, Manager, Roles, Email Alias, Domain Account, App Profile 1, App Profile 2, App Profile 3
3. Active Directory: Name, Domain Account, Manager, Email (Email: Name, Email Alias, Mailbox settings)
4. App servers: App Account, App profile 1, App profile 2, App profile 3

Synch Engine Logical Architecture (diagram): Connected Directories are read and written by Management Agents, which feed the Synch Engine + Repository

The IT-Centric Approach: Summary (diagram)
• Provisioning processes are triggered by modifications on connected directories (1: Human Resources; 3: Active Directory; 4: App stores; and Email)
• Provisioning processes are driven by synchronization rules in the Meta Directory + Synch Engine (2), written by the IT ADMIN
• IT ADMIN: “My organization is far too complex for each and every provisioning process to be described by a synchronization rule!!”
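The synchronization-rule pipeline the preceding slides describe (management agents importing from connected directories, a join on a common key, attribute flow with source precedence, provisioning rules producing exports) can be illustrated with a small engine. The block below is an added example written for this page; it is not FIM or ILM code, and the directory snapshots, attribute names, precedence table and naming rules are constructed assumptions. It also covers two cases the slides leave implicit: an account with no authoritative HR record (an orphan, flagged for review rather than deleted) and a terminated employee (disabled rather than deleted).

```python
"""Toy metadirectory synchronization engine (constructed example, not FIM code).

Management agents import objects from connected directories, the engine joins
them on employeeId into metaverse entries, attribute-flow rules pick values by
source precedence, and provisioning rules emit exports for accounts that are
missing or that should be disabled.  All directory data below is constructed.
"""

# Constructed connected-directory snapshots.
HR = {  # authoritative source of identity
    "E100": {"name": "Alice Rossi", "costCenter": "CC10", "manager": "E001", "status": "active"},
    "E101": {"name": "Bob Bianchi", "costCenter": "CC20", "manager": "E001", "status": "active"},
    "E102": {"name": "Carla Verdi", "costCenter": "CC10", "manager": "E100", "status": "terminated"},
}
AD = {  # keyed by sAMAccountName; employeeId links the account to HR
    "arossi": {"employeeId": "E100", "name": "Alice Rossi", "enabled": True},
    "cverdi": {"employeeId": "E102", "name": "Carla Verdi", "enabled": True},
    "zombie": {"employeeId": "E999", "name": "Nobody", "enabled": True},  # no HR record
}
MAIL = {  # keyed by alias
    "alice.rossi": {"employeeId": "E100", "mailbox": "DB01"},
}

# Attribute flow: metaverse attribute -> (source, source attribute) in precedence order.
PRECEDENCE = {
    "name": [("hr", "name"), ("ad", "name")],
    "costCenter": [("hr", "costCenter")],
    "manager": [("hr", "manager")],
    "domainAccount": [("ad", "sAMAccountName")],
    "emailAlias": [("mail", "alias")],
}


def join(hr, ad, mail):
    """Join connector-space objects into metaverse entries keyed by employeeId."""
    mv = {}

    def entry(eid):
        return mv.setdefault(eid, {"hr": None, "ad": None, "mail": None})

    for eid, rec in hr.items():
        entry(eid)["hr"] = dict(rec, employeeId=eid)
    for sam, rec in ad.items():
        entry(rec["employeeId"])["ad"] = dict(rec, sAMAccountName=sam)
    for alias, rec in mail.items():
        entry(rec["employeeId"])["mail"] = dict(rec, alias=alias)
    return mv


def flow(entry):
    """Compute metaverse attributes from the highest-precedence source that has a value."""
    attrs = {}
    for attr, sources in PRECEDENCE.items():
        for src, src_attr in sources:
            rec = entry[src]
            if rec is not None and rec.get(src_attr) is not None:
                attrs[attr] = rec[src_attr]
                break
    return attrs


def unique_name(candidate, taken):
    """Return candidate, or candidate2, candidate3, ... so generated IDs never collide."""
    base, n = candidate, 1
    while candidate in taken:
        n += 1
        candidate = f"{base}{n}"
    taken.add(candidate)
    return candidate


def synchronize(hr, ad, mail):
    """Run one sync cycle; return pending exports per connected directory."""
    mv = join(hr, ad, mail)
    exports = {"ad": [], "mail": []}
    taken_sam, taken_alias = set(ad), set(mail)
    for eid, entry in sorted(mv.items()):
        attrs = flow(entry)
        person = entry["hr"]
        if person is None:
            # An account with no authoritative record is an orphan.  Deleting it
            # automatically can break service accounts; flag it for review instead.
            if entry["ad"] is not None:
                exports["ad"].append(("review-orphan", entry["ad"]["sAMAccountName"], {}))
            continue
        parts = attrs["name"].lower().split()
        first, last = parts[0], parts[-1]
        if person["status"] == "active":
            if entry["ad"] is None:  # provisioning rule: an active person needs an AD account
                sam = unique_name(first[0] + last, taken_sam)
                exports["ad"].append(("add", sam, {"employeeId": eid, "name": attrs["name"], "enabled": True}))
            elif entry["ad"]["name"] != attrs["name"]:  # attribute flow HR -> AD
                exports["ad"].append(("modify", attrs["domainAccount"], {"name": attrs["name"]}))
            if entry["mail"] is None:  # provisioning rule: an active person needs a mailbox
                alias = unique_name(f"{first}.{last}", taken_alias)
                exports["mail"].append(("add", alias, {"employeeId": eid, "mailbox": "DB01"}))
        elif entry["ad"] is not None and entry["ad"]["enabled"]:
            # Deprovisioning: disable rather than delete, so the SID and audit trail survive.
            exports["ad"].append(("modify", attrs["domainAccount"], {"enabled": False}))
    return exports


if __name__ == "__main__":
    for directory, ops in synchronize(HR, AD, MAIL).items():
        for op in ops:
            print(directory, *op)
```

Every decision here is a rule an IT admin had to write in advance (which source wins for which attribute, how account names are generated, what happens on termination), which is exactly the limitation the summary slide complains about: a business exception that is not expressible as a synchronization rule has no place to live in this model.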

Identity Management: The “Business-Centric” Approach

Focus on Business Processes
• Empowering People: users must be given the power to trigger, participate in and drive provisioning processes
• Increasing Security and Compliance: rich permissions and delegation model; system auditing and compliance
• Delivering Agility and Efficiency: route users’ requests to appropriate decision makers; offload IT admin from dealing with users’ requests

How FIM 2010 Extends the Identity Synch Approach
• Workflow support
  − FIM 2010 can automate business processes for managing user identities and their entitlements
• Self-service and delegation
  − FIM 2010 provides high-level interfaces for end users to request provisioning access to resources, either for themselves or on someone else’s behalf
• Policy management
  − FIM 2010 enables IT professionals to create and maintain provisioning policies through simplified, graphical, web-based interfaces

FIM 2010 Logical Architecture (diagram: WSS portal, Object Store, FIM 2010 MA, Metadirectory & Synch layer)
• FIM 2010 introduces a web portal (hosted on WSS) that provides self-service functionalities, workflows, policy management and GUI-based configuration wizards
• FIM 2010 introduces a new repository, referred to as the “Object Store”, connected to the ILM 2007 Metadirectory & Synch layer via a dedicated MA
• The FIM 2010 underlying synchronization engine stays the same as in the current version (ILM 2007)

FIM 2010 Solutions: Deploying core IDA capabilities quickly

Policy Management
• Management Policy Rules: formal description of business processes for managing users, resources, entitlements
• Typical MPR: when a new employee is hired
  − AD and RACF accounts created
  − Mailbox created
  − Notification sent to employee’s manager
  − Requests for relevant group memberships sent to owners

Policy Management - Demo

Group Management • Dynamic groups / DLs − Membership calculated based on user attributes
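Calculated membership means the group carries a filter over user attributes instead of a member list, and the engine periodically recomputes who belongs and applies the delta to the directory. The block below is an added example for this page, not FIM code; the users, the filter syntax and the group definitions are constructed assumptions. It shows the filter evaluation, the add/remove delta against what the directory currently holds, and the rule that a missing attribute never satisfies a condition, which matters because a dynamic security group is only as trustworthy as the attributes that feed it.

```python
"""Attribute-based (dynamic) group membership, constructed example (not FIM code).

A dynamic group carries a filter over user attributes instead of an explicit
member list; the engine recalculates membership from the current attribute
values and produces the add/remove delta against what the directory holds.
"""
import operator

# Constructed users.  Attributes that drive security-group membership
# (department, costCenter, employeeType) must come from an authoritative
# source, not from self-service edits, or any user could join the group.
USERS = {
    "arossi": {"department": "Finance", "costCenter": "CC10", "employeeType": "FTE", "country": "IT"},
    "bbianchi": {"department": "Finance", "costCenter": "CC20", "employeeType": "Contractor", "country": "IT"},
    "cverdi": {"department": "Engineering", "costCenter": "CC10", "employeeType": "FTE", "country": "IT"},
    "ddupont": {"department": "Finance", "costCenter": "CC10", "employeeType": "FTE"},  # no country set
}

OPS = {"eq": operator.eq, "ne": operator.ne, "in": lambda value, choices: value in choices}


def matches(user, filt):
    """Evaluate a filter tree.

    Shapes: ("and", [subfilters]), ("or", [subfilters]), ("not", subfilter),
    or a leaf (attribute, op, value) with op in OPS.
    """
    kind = filt[0]
    if kind == "and":
        return all(matches(user, f) for f in filt[1])
    if kind == "or":
        return any(matches(user, f) for f in filt[1])
    if kind == "not":
        return not matches(user, filt[1])
    attr, op, value = filt
    if attr not in user:
        return False  # an absent attribute never satisfies a condition, not even "ne"
    return OPS[op](user[attr], value)


def calculate_members(users, filt):
    """Membership is a pure function of the attribute values: nobody is added by hand."""
    return {uid for uid, attrs in users.items() if matches(attrs, filt)}


def membership_delta(current, calculated):
    """Adds and removes needed to make the directory group equal the calculated set."""
    return {"add": sorted(calculated - current), "remove": sorted(current - calculated)}


# Constructed group definitions.
FINANCE_FTE_EU = ("and", [
    ("department", "eq", "Finance"),
    ("employeeType", "eq", "FTE"),
    ("country", "in", {"IT", "FR"}),
])
ALL_CC10 = ("costCenter", "eq", "CC10")
NO_CONTRACTORS = ("not", ("employeeType", "eq", "Contractor"))

if __name__ == "__main__":
    current = {"arossi", "bbianchi"}  # what the directory group holds today
    print(membership_delta(current, calculate_members(USERS, FINANCE_FTE_EU)))
```

Two practical consequences follow from the model. A contractor whose employeeType is corrected in HR drops out of the group on the next calculation without anyone filing a removal request, which is the compliance benefit. Conversely, if a user can edit one of the filtered attributes through self-service (the User Management slide later restricts that to non-security-sensitive attributes for exactly this reason), the filter becomes a self-granted entitlement.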

Group Management - Demo

Credential Management
• Self-service password reset integrated in Windows Logon
• Default password reset workflow based on “security questions”
  − Can be customized
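A question-based reset gate is an authentication factor with very low entropy (pet names, birthplaces), so a customized workflow has to get two things right: answers are stored only as salted, stretched hashes after normalization, and verification is rate-limited so answers cannot be guessed in bulk. The block below is an added example written for this page; it is not FIM code and does not reproduce FIM's own gate. The work factor, lockout threshold, question set and normalization rules are constructed assumptions.

```python
"""Self-service password reset gate based on security questions
(constructed example, not FIM code).

Answers are normalized, then stored as salted PBKDF2 hashes; verification is
constant-time per answer and locks the user after repeated failures, because
security-question answers are guessable and must not be brute-forceable.
"""
import hashlib
import hmac
import os
import unicodedata

ITERATIONS = 100_000   # PBKDF2 work factor (assumed value for the example)
MAX_FAILURES = 3       # lockout threshold per user (assumed policy)


def normalize(answer):
    """Case-fold, strip accents and collapse whitespace: 'Saint  Étienne' -> 'saint etienne'."""
    text = unicodedata.normalize("NFKD", answer)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    return " ".join(text.casefold().split())


def hash_answer(answer, salt=None):
    """Return (salt, digest); a fresh random salt is drawn when none is supplied."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, ITERATIONS)
    return salt, digest


class ResetGate:
    """Holds registered question/answer hashes and enforces lockout on failed attempts."""

    def __init__(self):
        self.registrations = {}  # user -> list of (question, salt, digest)
        self.failures = {}       # user -> consecutive failed verifications

    def register(self, user, qa_pairs):
        self.registrations[user] = [(question,) + hash_answer(answer) for question, answer in qa_pairs]
        self.failures[user] = 0

    def locked(self, user):
        return self.failures.get(user, 0) >= MAX_FAILURES

    def verify(self, user, answers):
        """True only if every registered answer matches.

        One failure counts for the whole set, a locked user is rejected before
        any answer is checked, and an unknown user gets the same False.
        """
        if user not in self.registrations or self.locked(user):
            return False
        registered = self.registrations[user]
        if len(answers) != len(registered):
            self.failures[user] += 1
            return False
        ok = True
        for (_question, salt, digest), given in zip(registered, answers):
            # Evaluate every answer so the response time does not reveal which one failed.
            _, candidate = hash_answer(given, salt)
            ok &= hmac.compare_digest(candidate, digest)
        self.failures[user] = 0 if ok else self.failures[user] + 1
        return ok


if __name__ == "__main__":
    gate = ResetGate()
    gate.register("arossi", [("First pet?", "Fido"), ("City of birth?", "Saint-Étienne")])
    print(gate.verify("arossi", ["fido", "saint-etienne"]))
```

The lockout here is a simple counter; a production workflow would expire it after a time window and alert on it, and would treat the question gate as one factor to combine with something stronger (the slide's Windows logon integration, a one-time code) rather than as the only proof of identity.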

Credential Management - Demo

User Management
• Self-service user portal
  − Delegate to end users maintenance of non-security-sensitive attributes
• Self-service group management tools
  − “Add me to” Group / DL
  − Office Integration
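The Policy Management slide describes a Management Policy Rule as who may do which operation on which attributes of which targets, plus the workflows that run when it fires; this slide applies the same mechanism to delegation, letting end users maintain only non-security-sensitive attributes of their own object. The block below is an added example for both slides, written for this page; it is not FIM code and does not reproduce FIM's MPR schema. The object store, the two attribute sets, the rules and the workflow names are constructed assumptions. The point it makes beyond the slides is default deny: a request touching a sensitive attribute alongside a permitted one is refused as a whole, and nothing runs.

```python
"""Management Policy Rule (MPR) evaluation, constructed example (not FIM code).

An MPR grants a requestor set permission to perform one operation on a set of
attributes of a target set, and names the workflows that run when it fires.
The rules below model the HR-driven "new employee is hired" rule (account
creation, mailbox, manager notification, group-membership requests) and a
self-service rule that lets end users edit only non-security-sensitive
attributes of their own object.  Objects, rules and workflow names are assumed.
"""
from dataclasses import dataclass, field
from typing import Callable, FrozenSet, List, Optional


@dataclass(frozen=True)
class Request:
    requestor: str              # id of the object making the request
    operation: str              # "create" | "modify" | "delete"
    target: str                 # id of the object being created or changed
    attributes: FrozenSet[str]  # attributes the request sets


@dataclass
class MPR:
    name: str
    requestor_set: Callable[[dict, Request], bool]
    operation: str
    attributes: Optional[FrozenSet[str]]   # None = any attribute
    target_set: Callable[[dict, Request], bool]
    action_workflows: List[str] = field(default_factory=list)

    def applies(self, req: Request, objects: dict) -> bool:
        """Requestor, operation, at least one attribute and target must all match."""
        requestor, target = objects.get(req.requestor), objects.get(req.target)
        if requestor is None or target is None or req.operation != self.operation:
            return False
        if self.attributes is not None and not (req.attributes & self.attributes):
            return False
        return self.requestor_set(requestor, req) and self.target_set(target, req)


def evaluate(req: Request, objects: dict, mprs: List[MPR]):
    """Return (granted, workflows).

    `objects` is the state after the request, which is how the target set of a
    create request can be evaluated.  Default deny: every requested attribute
    must be covered by some matching grant, or the whole request is refused
    and no workflow runs.
    """
    matched = [m for m in mprs if m.applies(req, objects)]
    covered = set()
    for m in matched:
        covered |= req.attributes if m.attributes is None else req.attributes & m.attributes
    granted = bool(matched) and covered == set(req.attributes)
    workflows = [wf for m in matched for wf in m.action_workflows] if granted else []
    return granted, workflows


NON_SENSITIVE = frozenset({"phone", "office", "displayName"})
SENSITIVE = frozenset({"employeeId", "manager", "roles", "costCenter"})

MPRS = [
    MPR("HR feed creates employees",
        requestor_set=lambda r, req: "HR" in r.get("roles", ()),
        operation="create", attributes=None,
        target_set=lambda t, req: t.get("type") == "Person",
        action_workflows=["create AD account", "create RACF account", "create mailbox",
                          "notify manager", "request group memberships from owners"]),
    MPR("Users edit their own non-sensitive attributes",
        requestor_set=lambda r, req: req.requestor == req.target,
        operation="modify", attributes=NON_SENSITIVE,
        target_set=lambda t, req: t.get("type") == "Person"),
    MPR("HR feed edits sensitive attributes",
        requestor_set=lambda r, req: "HR" in r.get("roles", ()),
        operation="modify", attributes=SENSITIVE,
        target_set=lambda t, req: t.get("type") == "Person",
        action_workflows=["resynchronize to AD"]),
]

# Constructed object store, already in its post-request state (E101 is the new hire).
OBJECTS = {
    "hr-feed": {"type": "Service", "roles": {"HR"}},
    "E100": {"type": "Person", "name": "Alice Rossi", "manager": "E001", "roles": set()},
    "E101": {"type": "Person", "name": "Bob Bianchi", "manager": "E001", "roles": set()},
}


def new_hire_request():
    return Request("hr-feed", "create", "E101",
                   frozenset({"name", "employeeId", "costCenter", "manager"}))


if __name__ == "__main__":
    print(evaluate(new_hire_request(), OBJECTS, MPRS))
    print(evaluate(Request("E100", "modify", "E100", frozenset({"phone"})), OBJECTS, MPRS))
    print(evaluate(Request("E100", "modify", "E100", frozenset({"phone", "manager"})), OBJECTS, MPRS))
```

Because workflows are attached to the rule rather than to a directory change, the same request evaluation that answers "is this allowed?" also answers "what happens next?", which is the shift from synchronization rules to business processes the deck is describing.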

User Management - Demo

Q&A

© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.