
Daniel Kaufmann (Microsoft Schweiz) Dominik Zemp (Microsoft Schweiz) Technical Overview.


1 Daniel Kaufmann (Microsoft Schweiz) Dominik Zemp (Microsoft Schweiz) Technical Overview

2
- Identity and Access Management: Business Needs and IT Challenges
- Business Ready Security
- Microsoft Identity and Access Management Solution
- FIM Overview and Architecture
- FIM Features: User Management, Group Management, Password Reset, Policy Management incl. workflow, Extensibility, CLM
- Benefits of FIM

3
Business Needs
- Provide secure access to applications from anywhere
- Simplify user experience for collaboration
- Provide seamless movement between applications
- Reduce cost of account management
IT Needs
- Multiple locations and devices
- Difficulty in extending business resources
- Disparate systems to manage
- Complex account lifecycle management
- Control

4
- Identity and Access Management
- Secure Messaging
- Secure Endpoint
- Secure Collaboration
- Information Protection

5 Governed Self-Service and Automation
Empower Business
- Self-service profile, credential, and group management
- Password and PIN reset from Windows login
- Group management from within Microsoft Office
- Single identity across heterogeneous applications
Empower IT
- End-to-end, workflow-driven user provisioning
- Policy-controlled self-service capabilities
- Automatic, attribute-based group membership for simplified resource access

6
- Provisioning
- Deprovisioning
- Synchronization
- Self-Service Profile Management
- Self-Service Group Management
- Self-Service Password Management
- Certificate and Smart Card Management

7 Diagram: HR System -> FIM Workflow Manager -> Active Directory, Lotus Domino, LDAP, SQL Server, Oracle DB, FIM CM
- Policy-based identity lifecycle management system
- Built-in workflow for identity management
- Automatically synchronize all user information to different directories across the enterprise
- Automates the process of on-boarding users
Flow: User Enrollment -> Approval -> User provisioned on all allowed systems

8 Diagram: HR System -> FIM Workflow -> Active Directory, Lotus Domino, LDAP, SQL Server, Oracle DB, FIM CM
- Automated user de-provisioning
- Built-in workflow for identity management
- Real-time de-provisioning from all systems to prevent unauthorized access and information leakage
Flow: User de-provisioned -> User de-provisioned or disabled on all systems

9 Identity Data Aggregation
Connected systems: HR System, LDAP, Active Directory/Exchange, SQL Server DB, with FIM in the middle
Each system holds the attributes givenName, sn, title, mail, employeeID, telephone; the records shown on the slide are:
- Sammy Dearling, employeeID 008
- Samara Darling, employeeID 007
- Sam Dearing, Intern, employeeID 007
- Samantha Dearing, Coordinator, employeeID 007
Aggregated FIM record: givenName Samantha, sn Dearing, title Coordinator, employeeID 007
Attribute Ownership: FirstName, LastName, EmployeeID, Title, Telephone

10 Identity Data Brokering (Convergence)
Same connected systems as slide 9 (HR System, LDAP, Active Directory/Exchange, SQL Server DB); attribute ownership: FirstName, LastName, EmployeeID, Title, Telephone
Records in the connected systems before convergence:
- Sammy Dearling, employeeID 007
- Samara Darling, employeeID 007
- Sam Dearing, Intern, employeeID 007
- Bob Dearing, Coordinator, employeeID 007
After convergence FIM pushes the aggregated values (Samantha Dearing, Coordinator, employeeID 007) back out to each connected system.
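An added example (not from the slides and not FIM's own code) of the aggregation and brokering shown on slides 9 and 10: each attribute has an ordered list of owning systems, the metaverse record takes the first value an owner supplies, and any connected system holding a different value gets an export. The ownership map and the mail and telephone values are assumptions made for the example.

```python
# Attribute-precedence aggregation and convergence (slides 9 and 10), constructed.
ATTRIBUTES = ("givenName", "sn", "title", "mail", "employeeID", "telephone")

# Assumed ownership per attribute: the first listed system that supplies a value
# wins. The slide's ownership map is not legible, so this is an assumption.
OWNERSHIP = {
    "givenName":  ["HR System", "Active Directory/Exchange", "LDAP", "SQL Server DB"],
    "sn":         ["HR System", "Active Directory/Exchange", "LDAP", "SQL Server DB"],
    "title":      ["HR System", "SQL Server DB"],
    "employeeID": ["HR System", "SQL Server DB", "Active Directory/Exchange", "LDAP"],
    "mail":       ["Active Directory/Exchange", "LDAP"],
    "telephone":  ["LDAP", "Active Directory/Exchange"],
}

# Constructed records per system (missing key = system lacks that attribute).
# Name variants are from the slides; mail and telephone values are made up.
RECORDS = {
    "HR System": {"givenName": "Samantha", "sn": "Dearing",
                  "title": "Coordinator", "employeeID": "007"},
    "LDAP": {"givenName": "Sammy", "sn": "Dearling", "employeeID": "008",
             "telephone": "+41 00 000 00 00"},
    "Active Directory/Exchange": {"givenName": "Samara", "sn": "Darling",
                                  "employeeID": "007", "mail": "samantha.dearing@example.com"},
    "SQL Server DB": {"givenName": "Sam", "sn": "Dearing", "title": "Intern",
                      "employeeID": "007"},
}

def aggregate(records, ownership=OWNERSHIP):
    """Aggregation: per attribute, take the value from the highest-precedence
    system that supplies one; None when no system does."""
    metaverse = {}
    for attr in ATTRIBUTES:
        metaverse[attr] = None
        for system in ownership.get(attr, []):
            value = records.get(system, {}).get(attr)
            if value not in (None, ""):
                metaverse[attr] = value
                break
    return metaverse

def converge(records, metaverse):
    """Brokering: for each attribute a system holds, report (old, new) where it
    disagrees with the converged value; attributes a system lacks are not exported."""
    exports = {}
    for system, record in records.items():
        changes = {attr: (old, metaverse.get(attr)) for attr, old in record.items()
                   if metaverse.get(attr) is not None and old != metaverse[attr]}
        if changes:
            exports[system] = changes
    return exports
```

Running aggregate(RECORDS) and then converge(RECORDS, metaverse) shows the HR-owned name, title and employeeID winning while mail and telephone fall back to the directories that actually hold them.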

11
Features: Identity Synchronization, User Provisioning, Certificate and Smartcard Management, Office Integration for Self-Service, Support for 3rd Party CAs, Declarative Provisioning, Group & DL Management, Workflow and Policy
Management areas: User Management, Group Management, Credential Management, Policy Management
Common Platform: Workflow, Connectors, Logging, Web Service API, Synchronization

12
Credential Management
- Heterogeneous certificate management with 3rd party CAs
- Management of multiple credential types
- Self-service password reset integrated with Windows logon
Group Management
- Rich Office-based self-service group management tools
- Offline approvals through Office
- Automated group and distribution list updates
User Management
- Integrated provisioning of identities, credentials, and resources
- Automated, codeless user provisioning and de-provisioning
- Self-service profile management
Policy Management
- SharePoint-based console for policy authoring, enforcement & auditing
- Extensible WS-* APIs and Windows Workflow Foundation workflows
- Heterogeneous identity synchronization and consistency


15 SharePoint-Based Management Console; FIM Add-in for Outlook
Group Management
- Self-service group and distribution list management with the FIM 2010 Web portal
- Office integration allows users to manage group membership from within Microsoft Office Outlook® for maximum productivity
- Automatically add users to either group based on their employee type at the time they are provisioned to Active Directory
- Group and distribution list management, including dynamic membership calculation in these groups and distribution lists based on user attributes

16
- Purpose: Distribution, Security
- Membership: Manual (owners adding/removing members, or users requesting membership subject to an approval policy), Manager, Criteria-Based
- Scope: Universal, Global, Domain Local


18 Management Agents by type of system
Network operating systems and directory services:
- Active Directory Domain Services 2000, 2003, 2003 R2, 2008, 2008 R2
- Active Directory Lightweight Directory Services (ADLDS) 2000, 2003, 2003 R2, 2008, 2008 R2
- Active Directory Global Address List (GAL): Exchange 2000, 2003, 2007, 2010
- IBM Tivoli Directory Server up to version 6.2
- Novell eDirectory v8.7.3, v8.8
- Sun ONE and Netscape Directory Servers v5.1, v5.2
- IBM Directory Server v6.0, v6.2
Certificate and Smart Card Management:
- FIM Certificate Management
Messaging:
- Exchange Server 2007 and 2010 (use the AD Management Agent)
- Lotus Notes v6.5, v7.0 (32-bit Lotus Notes Client)
Databases:
- Microsoft SQL Server 2000, 2005, 2008
- IBM DB2 Universal Database 9.1 and 9.5 (64-bit client v9.5 FP5 or v9.7 FP1 required)
- Oracle Database 10g (64-bit client)
File-based (1):
- Attribute value pairs
- CSV
- Delimited
- Fixed width
- Directory Services Markup Language (DSML) 2.0
- LDAP Interchange Format (LDIF)
Other:
- SAP R/3 Enterprise (4.7), mySAP 2004 (ECC 5.0) (32-bit client)
- XML-based systems
- Extensible Management Agent for custom connectivity to other systems
(1) These file formats allow for integration with a variety of applications, databases, telephone switches, X.500 systems, mainframe and metadirectory products, or underlying systems that can produce a file for import and export.

19
- Increase access security beyond username and password solutions
- Streamline deployment by enrolling user and computer certificates without user intervention
- Simplify certificate and SmartCard management using Forefront Identity Manager (FIM)
- Enhance remote access security through certificates with Network Access Protection
- Stronger authentication through certificates for administrative access and management
Enrollment flow between HR System, FIM, FIM CM, Active Directory Certificate Services (AD CS) and the End User (who authenticates with user ID and password, then with the SmartCard):
1. User Enrollment and Authentication request sent by HR System
2. FIM policy triggers request for FIM CM to issue certificate or SmartCard
3. User is validated using multi-factor authentication
4. FIM Certificate Management (CM) requests certificate creation from AD CS
5. Certificate is issued to user and written to either machine or smart card

20
- Authentication: "I am the employee you know as Mary"
- Digital Signature: "This content hasn't changed since I signed it"
- Encryption: "No one but Mary can see this content"

21
- Single administration point for smart cards & digital certificates
- User self-service capabilities to help reduce helpdesk burden
- Configurable policy-based workflows for common tasks:
  - Enroll / renew / update
  - Personalize smart card
  - Recover / smart card replacement
  - Issue temporary / duplicate smart card
  - Revoke / retire / disable smart card
- Detailed auditing and reporting capabilities
- Support for centralized, decentralized and self-service scenarios
- Extensibility to support additional authentication technologies including one time password (OTP) devices, physical access cards & biometrics
- Tightly integrated with Active Directory and Certificate Services

22 FIM CM smart card issuance flow: Approval workflows -> Card created & printed -> Certificates requested -> Self-service notification and One Time Password sent to end user -> End user downloads certificates onto smart card

23 Diagram (legend: Forefront Identity Manager; Windows Server AD Certificate Services; AD Domain Services)
- Certificate Authority: issue, renew, revoke certs
- Revocation info: Certificate Revocation List, Online Responder
- Revocation check: certs revoked?
- Active Directory: certificate templates, policy; auto-publish and auto-enroll
- Client PC: enrollment, renewal
- FIM CM: workflows, profiles for smart card deployment and management; smartcard personalization
- FIM CM client / web kiosk: self-service smart card management

24 Physical Architecture: FIM-CM Server, Microsoft CAs, SQL, AD, End User
Component Architecture:
- Microsoft Certificate Authority: FIM-CM Policy Module, FIM-CM Exit Module
- FIM-CM Server: FIM-CM Web App on Internet Information Server, FIM-CM AD Integration
- End User: Internet Explorer with FIM-CM Browser Control, Smart Card Middleware


26
- FIM is very extensible
- Infrastructure footprint can start small and scale up
- FIM Sync is agentless
- Amount of custom development required is minimized and well encapsulated to empower administrators
- No need to learn a new programming language: use C# or VB.NET

27 Additional Technical Information
- TechCenter on TechNet: http://technet.microsoft.com/en-us/FIM/default.aspx
- TechNet Forum: http://social.technet.microsoft.com/Forums/en-US/FIM2/threads
- Product Page: http://www.microsoft.com/Forefront/identitymanager/en/us/technical-resources.aspx
