Tech Ed North America 2010 4/24/2017 1:59 AM
SESSION CODE: SIA327
Identity and Access Management: Managing Active Directory Using Microsoft Forefront Identity Manager
Brjann Brekkan, Sr. Technical Product Manager, Microsoft Corporation
Robert DeLuca, Sr. Program Manager, Microsoft Corporation
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Business Ready Security Solutions: Secure Messaging, Secure Collaboration, Secure Endpoint, Information Protection, Identity and Access Management (this session covers Identity and Access Management)
Agenda (with demos)
- Forefront Identity Manager 'architecture'
- Provisioning, Deprovisioning, Synchronization
- Building blocks for policy management
- Self-Service Group Management
- Self-Service Password Management
- Self-Service Profile Management
- Certificate and Smart Card Management is covered in session SIA 307
Evolution of Identity Manager
- Common platform: Workflow, Connectors, Logging, Web Service API, Synchronization
- Solution areas: User Management, Group Management, Credential Management, Policy Management
- Capabilities: Identity Synchronization, User Provisioning, Certificate and Smartcard Management, Office Integration for Self-Service, Declarative Provisioning, Group & DL Management, Workflow and Policy, Support for 3rd Party CAs
Forefront Identity Manager 2010 Architecture (layered diagram)
- Solutions: User Mgmt, Group Mgmt, Credential Mgmt, Policy Mgmt, Custom
- Client Experiences: FIM Portal, Outlook, Windows, FIM CM Portal
- IDM Platform: FIM Service (Request Processor; AuthN, AuthZ and Action workflows; Delegation & Permissions; FIM Service DB), FIM Sync (Management Agents), FIM CM
- Identity and data stores: Directories, Databases, E-Mail Systems, Applications
Provisioning
- Policy-based identity lifecycle management system
- Built-in workflow for identity management
- Automatically synchronize all user information to different directories across the enterprise
- Automates the process of on-boarding users
Diagram: a user enrolled in the HR System triggers a FIM workflow (approval by the manager); FIM then provisions the user to Active Directory, Lotus Domino, LDAP, SQL Server, Oracle DB and FIM CM.
"With Forefront Identity Manager, we are able to streamline tactical processes, while at the same time provide strategic business value through a cohesive identity and access management solution." Scott Weir, IT Manager–Desktop Architecture, First American Title Insurance Company
Source: http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?casestudyid=4000006604/
User de-provisioning or role updates
- Automated user de-provisioning
- Built-in workflow for identity management
- Real-time de-provisioning from all systems to prevent unauthorized access and information leakage
Diagram: a user de-provisioned (or a role change) in the HR System triggers a FIM workflow; the user is deleted or disabled in Active Directory, Lotus Domino, LDAP, SQL Server, Oracle DB and FIM CM.
Identity Synchronization and Consistency: identity synchronization across multiple directories (Identity Data Aggregation)
Attribute ownership: FirstName, LastName and EmployeeID come from the HR System; Title from the SQL Server DB; E-Mail from Active Directory/Exchange; Telephone from LDAP. The Identity Manager column is the aggregated result.

Attribute    HR System   SQL Server DB   Active Directory/Exchange   LDAP       Identity Manager
givenName    Samantha    Samara          Sam                         Sammy      Samantha
sn           Dearing     Darling         Dearing                     Dearling   Dearing
title        -           Coordinator     Intern                      -          Coordinator
mail         -           -               someone@example.com         -          someone@example.com
employeeID   007         007             007                         008        007
telephone    -           -               -                           555-0129   555-0129
Identity Synchronization and Consistency: identity consistency across multiple directories (Identity Data Brokering / Convergence)
Before convergence each system holds incorrect or missing information (the same values as on the previous slide: Samara Darling in the SQL Server DB, Sam Dearing / Intern in Active Directory/Exchange, Sammy Dearling with employeeID 008 in LDAP, no title, mail or telephone in the HR System).
After convergence the Identity Manager value is pushed back to every directory, so all of them hold:

Attribute    HR System / SQL Server DB / Active Directory/Exchange / LDAP
givenName    Samantha
sn           Dearing
title        Coordinator
mail         someone@example.com
employeeID   007
telephone    555-0129
Example data flow for creating a new user
1. Management Agents connect to the data sources; the FIM MA connects to the FIM Service.
2. Each connector space contains the objects from its respective data source.
3. The metaverse contains the converged representation of an object from all data sources.
4. Synchronization Rules control and configure the data flow.
Synchronization Rules (Sync Rules)
- Sync Rules control what happens in the Synchronization Service
- Direction: Inbound, Outbound, or Inbound and Outbound
- What a rule defines: Attribute Flow, Provision, Join
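The attribute ownership and convergence shown on the two synchronization slides, and the inbound/outbound attribute flow that a sync rule controls, as an added Python model (not FIM code; the ownership map and the read-only HR System are assumptions):

```python
# Added model (not FIM code) of attribute ownership, inbound/outbound attribute flow and
# consistency checking, using the Samantha Dearing sample from the slides. Assumptions:
# all four connector-space objects are already joined to one metaverse object, and the
# HR System is a read-only source that receives no outbound flow.

# Attribute ownership: the connected system that is authoritative for each attribute
OWNERSHIP = {
    "givenName": "HR System",
    "sn": "HR System",
    "employeeID": "HR System",
    "title": "SQL Server DB",
    "mail": "Active Directory/Exchange",
    "telephone": "LDAP",
}

# Constructed connector-space objects, as shown on the slide before convergence
CONNECTOR_SPACE = {
    "HR System": {"givenName": "Samantha", "sn": "Dearing", "employeeID": "007"},
    "SQL Server DB": {"givenName": "Samara", "sn": "Darling", "title": "Coordinator",
                      "employeeID": "007"},
    "Active Directory/Exchange": {"givenName": "Sam", "sn": "Dearing", "title": "Intern",
                                  "mail": "someone@example.com", "employeeID": "007"},
    "LDAP": {"givenName": "Sammy", "sn": "Dearling", "employeeID": "008",
             "telephone": "555-0129"},
}

def inbound_flow(cs, ownership):
    """Inbound attribute flow: the metaverse takes each attribute from its owning system."""
    mv = {}
    for attr, owner in ownership.items():
        value = cs.get(owner, {}).get(attr)
        if value:
            mv[attr] = value
    return mv

def find_inconsistencies(cs, mv):
    """List (system, attribute, local value, converged value) wherever a system disagrees."""
    return sorted((system, attr, value, mv[attr])
                  for system, obj in cs.items()
                  for attr, value in obj.items()
                  if attr in mv and value != mv[attr])

def outbound_flow(cs, mv, read_only=("HR System",)):
    """Outbound attribute flow: write every converged attribute to each writable system."""
    converged = {system: dict(obj) for system, obj in cs.items()}
    for system in converged:
        if system not in read_only:
            converged[system].update(mv)
    return converged
```

Running find_inconsistencies before the outbound flow lists the seven disagreements on the slide (including the LDAP employeeID 008); after the outbound flow the list is empty.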
Demo: Synchronization Rules and Management Agents
- Provisioning users from HR to FIM to AD
- Synchronizing users from AD to FIM
Policy Management
Building blocks: Management Policy Rules, Workflows, Sets. They are evaluated by the FIM Service (Request Processor; AuthN, AuthZ and Action workflows; Delegation & Permissions; FIM Service DB).
Sets
- Identify different groupings of objects (resources) in the FIM Service database
- Permissions may be granted on and to Sets
- Also used in policy enforcement
- Membership: Manual (strictly by set administrators) or Criteria-based
- Examples: All People, All Active People, Administrators (manual), Help Desk Users; All Groups, Security Groups, Distribution Groups; Password Reset Users Set, Password Objects Set; Managers in Sales dept, Clerks, Clerks in Denver, All in Building 4
Membership of Sets
Workflow Types
Request pipeline in the FIM Service: WS Request -> Permissions Evaluation -> Authentication (AuthN) -> Authorization (AuthZ) -> commit to FIM Service Database -> Action

Workflow type            Purpose                                                                          Examples
Authentication (AuthN)   To ensure that the user is who they say they are                                 Password Reset
Authorization (AuthZ)    To allow for more sophisticated validation of the request beyond simple          Allowing users to request and update attributes, subject to a filter validation
                         permissions to make a request                                                    looking for profanity, followed by an approval email to HR or the user's manager or both
Action                   To allow FIM to take actions after the request has been performed                Call Synchronization rules; Send Notification Emails; Modify resources;
                                                                                                          Password Self-Service Reset calls the Synchronization Service to reset the AD password in real time
Creating a Workflow
Workflow Activities
Management Policy Rules
- Set Transition MPR: causes workflows to be activated when a resource enters or leaves a Set, even when the change was not initiated by a request (Run on Policy Update); performs an action
- Request-based MPR: can grant permissions, cause workflows to be activated, authenticate the requestor, and seek authorization
Creating an MPR: policies can be disabled until ready for use.
Set Transition MPR
- Defines an event: when a resource either enters or exits the Set
- Defines how to respond to the event: initiate Action workflows
Demo: Outbound User Provisioning Rule
Outbound provisioning from FIM to AD is controlled by an MPR, which ties together the Outbound Sync Rule, a Workflow and the Management Policy Rule.
Demo: Defining a business policy using MPRs
Policy: contractors need to be able to update their own contact information, and manager approval is required.
Steps (evaluating the policy using MPR Explorer):
1. Create a Contractors set
2. Create a Workflow for manager approval
3. Create the MPR
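The Management Policy Rule model from the previous slides (request-based and Set Transition MPRs, Sets with manual or criteria membership, the AuthZ approval workflow) applied to the contractor policy above, as an added Python model that is not FIM code; the evaluation rules it assumes are stated in the header comment:

```python
# Added model (not FIM code) of MPR evaluation: Sets, a request-based MPR with an AuthZ
# approval workflow, and Set Transition detection. Assumptions: requestor "self" means
# requestor == target; a request is granted only if every modified attribute is covered
# by a matching MPR that grants permission; workflows of all matching MPRs are collected.
from dataclasses import dataclass, field

@dataclass
class Set:
    name: str
    criteria: object = None                    # predicate over a resource dict, or None
    members: set = field(default_factory=set)  # manual membership by ObjectID

    def contains(self, r: dict) -> bool:
        return bool(self.criteria(r)) if self.criteria else r["ObjectID"] in self.members

@dataclass
class MPR:
    requestor: object      # a Set, or "self" (relative to the target resource)
    operation: str         # e.g. "Modify"
    target_set: Set
    attributes: set        # attributes this rule covers
    grants_permission: bool = False
    authz_workflows: list = field(default_factory=list)
    action_workflows: list = field(default_factory=list)
    enabled: bool = True   # MPRs can stay disabled until ready for use

    def applies(self, requestor: dict, target: dict, operation: str) -> bool:
        if not self.enabled or operation != self.operation:
            return False
        if self.requestor == "self":
            ok = requestor["ObjectID"] == target["ObjectID"]
        else:
            ok = self.requestor.contains(requestor)
        return ok and self.target_set.contains(target)

def evaluate(mprs, requestor, target, operation, attrs):
    """Return (granted, authz_workflows, action_workflows) for one request."""
    attrs = set(attrs)
    matched = [m for m in mprs if m.applies(requestor, target, operation) and attrs & m.attributes]
    covered = set().union(*(m.attributes for m in matched if m.grants_permission))
    granted = attrs <= covered
    authz = [w for m in matched for w in m.authz_workflows] if granted else []
    action = [w for m in matched for w in m.action_workflows] if granted else []
    return granted, authz, action

def set_transition(s: Set, before: dict, after: dict):
    """Set Transition MPR trigger: 'in' on entering the set, 'out' on leaving, else None."""
    was, now = s.contains(before), s.contains(after)
    return "in" if now and not was else "out" if was and not now else None

# Constructed policy from the slide: contractors update their own contact info, manager approves
CONTRACTORS = Set("Contractors", criteria=lambda r: r.get("EmployeeType") == "Contractor")
POLICY = [MPR("self", "Modify", CONTRACTORS, {"telephone", "mobile", "address"},
              grants_permission=True, authz_workflows=["Manager approval"])]
```

A contractor changing their own telephone is granted with the "Manager approval" AuthZ workflow queued; the same contractor changing their title, a full-time employee, or anyone editing a different contractor's record is denied because no MPR covers the request.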
Group Management
- Group and distribution list management, including dynamic membership calculation in these groups and distribution lists based on users' attributes
- Self-service group and distribution list management
- Office integration allows users to manage group membership from within Microsoft Office Outlook® for maximum productivity
Clients: SharePoint-based management console (FIM Portal) and the FIM Add-in for Outlook
Demo: Integrated Group Management
- Leverage and simplify existing technologies for access control based on AD groups
- Security groups managed by the project or resource owner
- Distribution group management delegated to end users
Self-Service Password Management
- Enables users to reset their own passwords through both Windows logon and the FIM password reset portal
- Controls helpdesk costs by enabling end users to manage certain parts of their own identities
Diagram: the end user requests a password reset; the FIM Server updates the password in Active Directory, Oracle, SQL Server, IBM DS and LDAP.
Demo: Self-Service Password Management
- Turn-key solution empowers end users and lowers help desk cost
- Self-service password reset configuration
- User experience
User Profile Management
Extending well-managed AD using AD FS
Diagram: HR System, SAP and other apps, and other user data stores (SQL Server) feed FIM workflows; FIM maintains AD DS, Exchange GAL & DL, SharePoint profiles and access, and self-service (attributes such as Phone, Title, Department, Manager, Group, Role, Client List). Windows Integrated/Kerberos authentication and AD FS 2.0 then issue WS-* and SAML claims to claims-aware applications, partner claims-aware applications and cloud services.
Related Content
Breakout sessions:
- SIA201 | Understanding Claims-Based Applications: An Overview of Active Directory Federation Services (AD FS) 2.0 and Windows Identity Foundation
- SIA302 | Identity and Access Management: Centralizing Application Authorization Using Active Directory Federation Services 2.0
- SIA303 | Identity and Access Management: Windows Identity Foundation and Windows Azure
- SIA304 | Identity and Access Management: Windows Identity Foundation Overview
- SIA305 | Top 5 Security and Privacy Challenges in Identity Infrastructures and How to Overcome Them with U-Prove
- SIA306 | Night of the Living Directory: Understanding the Windows Server 2008 R2 Active Directory Recycle Bin
- SIA307 | Identity and Access Management: Deploying Microsoft Forefront Identity Manager 2010 Certificate Management for Microsoft IT
- SIA318 | Microsoft Forefront Identity Manager 2010: Deploying FIM
- SIA319 | Microsoft Forefront Identity Manager 2010: In Production
- SIA326 | Identity and Access Management: Single Sign-on Across Organizations and the Cloud - Active Directory Federation Services 2.0 Architecture Drilldown
- SIA327 | Identity and Access Management: Managing Active Directory Using Microsoft Forefront Identity Manager
- MGT 313 | Microsoft System Center Service Manager – Drill Down (same room, 9:45)
Interactive sessions:
- SIA01-INT | Identity and Access Management: Best Practices for Deploying and Managing Active Directory Federation Services (AD-FS) 2.0
- SIA03-INT | Identity and Access Management: Best Practices for Deploying and Managing Microsoft Forefront Identity Manager
- SIA06-INT | Identity and Access Management Solution Demos
Hands-on labs:
- SIA02-HOL | Microsoft Forefront Identity Manager 2010 Overview
- SIA06-HOL | Identity and Access Management Solution: Business Ready Security with Microsoft Forefront and Active Directory
Demo stations:
- Red SIA-5 & SIA-6 | Microsoft Forefront Identity and Access Management Solution
Resources
- Sessions On-Demand & Community: www.microsoft.com/teched
- Microsoft Certification & Training Resources: www.microsoft.com/learning
- Resources for IT Professionals: http://microsoft.com/technet
- Resources for Developers: http://microsoft.com/msdn
Complete an evaluation on CommNet and enter to win!