Forefront Identity Manager 2010 Deep Dive


1 Forefront Identity Manager 2010 Deep Dive
Presentation for TechNet. Christian Jäggli, Solution Architect, Microsoft Consulting Services, Security, Identity and Access Management

2 Agenda
- History
- Technology
- FIM Architecture
  - FIM Service and Request handling
  - FIM Synchronization Service
  - FIM Certificate Management
  - FIM Clients
- Customization
- Backup, Recovery and Release Mgmt.
- Deployment Scenario
- Licensing
- Roadmap
- Q&A, Discussion

3 FIM 2010 History
Capabilities shown on the history timeline leading to FIM 2010: Identity Synchronization; User Management; Group Management; Common Platform (Workflow, Connectors, Logging, Web Service API, Synchronization); Credential Management; Policy Management; User Provisioning; Certificate and Smartcard Management; Office Integration for Self-Service; Support for 3rd Party CAs; Codeless Provisioning; Group & DL Management; Workflow and Policy.

4 Forefront Identity Manager 2010 Features
- Policy Management
  - SharePoint-based console for policy authoring, enforcement and auditing
  - Extensible WS-* APIs and Windows Workflow Foundation workflows
  - Heterogeneous identity synchronization and consistency
- Credential Management
  - Heterogeneous certificate management with 3rd party CAs
  - Management of multiple credential types, including One Time Passwords
  - Self-service password reset integrated with Windows logon
- User Management
  - Integrated provisioning of identities, credentials, and resources
  - Automated, codeless user provisioning and de-provisioning
  - Self-service profile management
- Group Management
  - Rich Office-based self-service group management tools
  - Offline approvals through Office
  - Automated group and distribution list updates

5 Technology behind the scene
Forefront Identity Manager 2010 Server:
- Windows Server 2008 and 2008 R2, 64-bit (the only supported server platform)
- Internet Information Services (IIS)
- .NET Framework
- Windows Workflow Foundation
- Windows PowerShell
- Web Services (WS*)
- MS SQL Server 2008 (R2)
- SharePoint Services 3.0 or SharePoint Foundation
- Visual Studio 2008 / 2010 (for customizing)
Client modules:
- Windows XP, Windows Vista or Windows 7, 32- and 64-bit
- Office 2007 / 2010 (for Office integration)

6 FIM 2010 Architecture
Architecture diagram: Solutions (Group Mgmt, Credential Mgmt, Policy Mgmt, User Mgmt, Custom); FIM Clients (Outlook, Portal, Windows, Custom); FIM Platform (FIM Web Service with Request Processor, Delegation & Permissions, AuthN Workflow, AuthZ Workflow, Action Workflow and App DB; FIM Sync with Sync DB; Certificate Management (CM) with CM DB); Adapters; Identity Stores (Directories, Databases, Systems, Applications).

7 FIM 2010 Web Services
Diagram: FIM Web Service (Request Processor, Delegation & Permissions, AuthN Workflow, AuthZ Workflow, Action Workflow) with App DB.
- Service on the FIM Server
- Provides Web services interfaces for WS* requests from clients and the Web interface
- Handles Authentication, Authorization and Workflows through Management Policy Rules
- All requests performed are logged and reported
- Based on .NET and Windows Workflow Foundation

8 Request Handling and Workflows
1. Receive the WS* request and validate the token (Kerberos token).
2. Create the Request in the FIM DB.
3. Select MPR(s). At least one should grant permission to fulfill the request.
4. If authentication is required, serialize and run the interactive AuthN workflows.
5. If authorization is required, parallelize and run the asynchronous AuthZ workflows.
6. Perform the CRUD operation in the FIM Database (Create/Read/Update/Delete).
7. If an additional action is required, run the follow-up Action workflows.

9 Management Policy Rules (MPR)
An MPR answers the Permissions question "Can the Requestor perform these Operations on the Target Resource?" Its parts:
- Request: Requestor (a set), Operations, Target before (a set), Target after (a set), Target attributes
- Authentication workflow: Lockout Gate, QA Gate, Custom
- Authorization workflow: Notification, Group Validation, Function Evaluator, Filter Validation, Approval, Custom
- Action workflow: Function Evaluator, Password reset, Notification, Synch Rule, Custom
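As an added illustration of slides 8 and 9 (not FIM's own code or API), a small Python model of MPR selection for one request: which rules apply, whether permission is granted, and which AuthN, AuthZ and Action workflows they attach. Set names, attribute names and rules are constructed sample data, and set membership is assumed to have been resolved beforehand (FIM derives it from set filters).

```python
"""Model of FIM 2010 request handling against Management Policy Rules (MPRs). Added
illustration, not FIM's own code or API. Set names, attribute names and rules are
constructed sample data; set membership is assumed to be resolved beforehand."""
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Request:
    requestor_sets: frozenset      # sets the requestor belongs to
    operation: str                 # Create / Read / Modify / Delete
    attributes: frozenset          # attributes touched by the request
    target_before_sets: frozenset  # sets the target resource is in before the change
    target_after_sets: frozenset   # ... and after it

@dataclass(frozen=True)
class MPR:
    name: str
    requestor_set: str
    target_attributes: frozenset
    operations: frozenset = frozenset({"Modify"})
    target_before: Optional[str] = None   # None: not constrained
    target_after: Optional[str] = None
    grants_permission: bool = True
    workflows: dict = field(default_factory=dict)  # {"authn"|"authz"|"action": (names,)}
    def applies(self, req: Request) -> bool:
        return (self.requestor_set in req.requestor_sets and req.operation in self.operations
                and self.target_before in (None, *req.target_before_sets)
                and self.target_after in (None, *req.target_after_sets)
                and not self.target_attributes.isdisjoint(req.attributes))

def evaluate(req: Request, mprs: list) -> dict:
    selected = [m for m in mprs if m.applies(req)]  # slide step 3: select the MPRs
    # permission: every requested attribute must be covered by a granting MPR
    covered = frozenset().union(*(m.target_attributes for m in selected if m.grants_permission))
    plan = {"permitted": req.attributes <= covered, "mprs": [m.name for m in selected]}
    for phase in ("authn", "authz", "action"):  # non-granting MPRs still contribute workflows
        plan[phase] = list(dict.fromkeys(w for m in selected for w in m.workflows.get(phase, ())))
    return plan

USERS = frozenset({"All People", "All Active Users"})
POLICY = [
    MPR("Users update contact attributes", "All Active Users", frozenset({"OfficePhone", "OfficeLocation"}),
        target_before="All Active Users", target_after="All Active Users"),
    MPR("Department change needs approval", "All Active Users", frozenset({"Department"}),
        target_before="All Active Users", target_after="All Active Users", workflows={"authz": ("Approval",)}),
    MPR("Notify HR of department changes", "All People", frozenset({"Department"}),
        grants_permission=False, workflows={"action": ("Notification",)}),
]

def modify(requestor_sets, *attrs) -> dict:
    """Evaluate a Modify request on a user target by a requestor in the given sets."""
    return evaluate(Request(frozenset(requestor_sets), "Modify", frozenset(attrs), USERS, USERS), POLICY)
```

A request touching an attribute no selected MPR grants is denied even though the matching notification MPR still appears in the plan, mirroring the slide's "at least one MPR must grant permission" rule.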

10 Management Policy rules, Workflows and Sets
Demo
- Sets: Static Sets, Dynamic Sets
- Workflows: Authentication Workflows, Authorization Workflows, Action Workflows, Custom Action Workflows
- Management Policy Rules: Permission MPRs, Workflow MPRs, Transition MPRs

11 FIM 2010 Synchronization Engine
Architecture diagram repeated from slide 6; FIM Sync and its Sync DB are part of the FIM Platform layer.

12 FIM 2010 Synchronization Engine
Diagram: Management Agent, Connector Space, Metaverse.

13 Identity Stores and Management Agents
Type of System | Management Agents
Network operating systems and directory services | Active Directory Domain Services 2000, 2003, 2003 R2, 2008, 2008 R2; Active Directory Lightweight Directory Services (ADLDS) 2000, 2003, 2003 R2, 2008; Active Directory Global Address List (GAL) for Exchange 2000, 2003, 2007, 2010; IBM Tivoli Directory Server up to version 6.2; Novell eDirectory v8.7.3, v8.8; Sun ONE and Netscape Directory Servers v5.1, v5.2; IBM Directory Server v6.0, v6.2
Certificate and Smart Card Management | FIM Certificate Management
Messaging | Exchange Server 2007 and 2010 (use the AD Management Agent); Lotus Notes v6.5, v7.0 (32-bit Lotus Notes Client)
Databases | Microsoft SQL Server 2000, 2005, 2008; IBM DB2 Universal Database 9.1 and 9.5 (64-bit client v9.5 FP5 or v9.7 FP1 required); Oracle Database 10g (64-bit client)
File-based | Attribute value pairs; CSV; Delimited; Fixed width; Directory Services Markup Language (DSML) 2.0; LDAP Interchange Format (LDIF)
Other | SAP R/3 Enterprise (4.7), mySAP 2004 (ECC 5.0) (32-bit client); XML-based systems; Extensible Management Agent for custom connectivity to other systems
The Extensible Management Agent (XMA or ECMA) is covered under the extensibility points.

14 Provisioning
Demo
- Management Agents: AD Management Agent, FIM Management Agent
- Legacy Provisioning
- Codeless Provisioning: Synchronization Rules, Provisioning Workflow, Expected Rule Entry (ERE), Detected Rule Entries (DRE)
- Synchronization Profiles: Run Profiles (Full Sync, Delta Sync), Scheduling

15 FIM 2010 Certificate Management
Architecture diagram repeated from slide 6; Certificate Management (CM) and its CM DB are part of the FIM Platform layer.

16 FIM CM Components
Diagram components: Certification Authority, SQL Server, Active Directory Server, FIM CM Server; users: Corporate Partner, Customer, Corporate User.

17 FIM CM Architecture
Physical and logical architecture:
- Enterprise CA Server: Certification Authority with the FIM CM Policy Module and FIM CM Exit Module
- FIM CM Server: FIM CM AD Integration and the FIM CM ASP.NET Web App on IIS 7.0 or 7.1 (64-bit)
- Active Directory
- SQL Server
- Other Services
- End User: IE 6.x, IE 7.x or IE 8.x; FIM CM Client; Smart card middleware / Smart card base CSP

18 FIM 2010 Clients
FIM can use different clients (Outlook, Portal, Windows, Custom) to access the functionality:
- SharePoint portal via Internet Explorer
- Windows XP, Windows Vista or Windows 7 for Credential Management (passwords and smart cards)
- Office Outlook for group management, approvals and request handling
- Any application that can send WS* requests to the FIM web service (for example, a Helpdesk application)

19 Windows and Office Extensions
Demo
- Windows: Password Reset
- Outlook Add-in: Join Group, Leave Group, Add Members to Groups, Remove Members from Groups, Approve/Reject in

20 FIM 2010 User Portal
SharePoint Web Portal (SharePoint Services) for:
- FIM Administrators
- End users for self service
- Resource and group administrators
- Workflow requestors and approvers
- Password Management
Users see only what they are entitled to see and manage. The page layout is predefined and can be fully customized and branded to user needs through the interface (no coding required).

21 FIM 2010 User portal customization
Demo
- Portal Customization: Branding, Home Page customization, Navigation bar customization
- Keywords: BasicUI, Global, Custom, <None>
- Resource Control Display Configuration (RCDC)
- Language Settings: Portal Languages, Client Add-On Languages, Self-Service Password Reset Languages

22 User, Groups and Sets

23 Managing users, groups and Sets
Demo
- Users: Listing and searching; Predefined Search scopes
- Groups: Security Groups, Distribution lists; Group membership assignment: Static, Dynamic based on attributes, Dynamic based on manager
- Sets: Filter Builder, Operators, Custom XPath Filters

24 FIM 2010 Auditing (and Reporting)

25 Backup, Recovery, Release management
Demo
- PowerShell Modules
- Backup Process (reference: Microsoft Forefront Identity Manager (FIM) Backup and Restore)
- Exporting configuration in the Development Environment: Export FIM Synchronization Server configuration; Export FIM Service Schema and Policies
- Importing configuration in the Production Environment: Put FIM in maintenance mode; Import FIM Service Schema; Import FIM Synchronization Server configuration; Import FIM Service Policies; Test functionality and put FIM in operational mode
- Reference: Microsoft Forefront Identity Manager (FIM) Configuration Migration Deployment Guide

26 Deployment Scenarios Example

27 FIM 2010 Licensing
FIM 2010 licensing requires two separate license purchases: a Server license and a Client Access License (CAL).
Server licensing:
- One license per physical FIM 2010 server
- A server can run the FIM Web Service, FIM Synchronization Service, or FIM CM Service; each can run on a separate server or in any combination of the three services
Client access license for every person who receives a certificate managed by FIM 2010 or accesses the Web Service in any form:
- Software certificates or smart card certificates
- Portal access for user profile management, including self-service password reset and self-service group management
- Consider purchasing an external connector license if certificates are issued to subscribers outside of the organization
- If a person has two or more accounts in Active Directory, only a single CAL is required to manage the two accounts, including certificates

28 FIM 2010 Roadmap
Next version: FIM 2010 R2, expected H1/2012. Public Release Candidate available. Main features:
- Credential Management: Web-based password registration and reset
- Reporting: Historical reporting for managed resources; Service Manager data warehouse integration
- Ease of Use: Enhanced diagnostics and Best Practice Analyzer; Enhanced initial load performance; Simplified deployment for password reset
Out-of-band releases: New/updated management agents; Additional language packages

29 Questions?

30 This material is provided for informational purposes only
This material is provided for informational purposes only. Microsoft makes no warranties, express or implied.

31 Resource Control Display Configuration Controls
Control | Description | Read-Only
UocButton | Simple button (limited utility without handlers) | Yes
UocCaptionControl | Grouping caption | Yes
UocCheckBox | Simple checkbox control | No
UocCommonMultiValueControl | Multivalue box with values separated by ';' | No
UocDateTimeControl | Textbox that only accepts date and time strings | No
UocDropDownList | Simple drop-down box control | No
UocFileDownload | Hyperlink download path for a file (XML and binary) | No
UocFileUpload | Browse and upload path for a file upload (XML and binary) | No
UocFilterBuilder | Build an XPath expression using the Filter Builder | No
UocHtmlSummary | Summary page group | No
UocHyperLink | Unrestricted hyperlink or resource reference link | No
UocIdentityPicker | Pick a resource from the FIM Service DB | No

32 Resource Control Display Configuration Controls
Control | Description | Read-Only
UocLabel | Read-only text label control | Yes
UocListView | Advanced list view control | No
UocNumericBox | Text box for numeric values (integer only) | No
UocPictureBox | Render a picture from a URL or binary data in the DB | No
UocRadioButtonList | Simple radio button control | No
UocSimpleRadioButton | Boolean (True/False) radio button control | No
UocTextBox | Simple text box | No
