Federico Guerrini IDA TSP, EMEA Incubation Team From Identity Synchronization to Identity Management.


1 Federico Guerrini IDA TSP, EMEA Incubation Team federico.guerrini@microsoft.com From Identity Synchronization to Identity Management

2 Agenda
Forefront Identity Manager (FIM) 2010 history and evolution
Identity Synchronization: the IT-centric approach
Identity Management: the Business-centric approach
FIM 2010 Solutions: deploying identity management solutions quickly and effectively

3 FIM 2010’s Heritage

4 ILM & FIM History
Once upon a time…: MIIS, CLM Beta
Yesterday: ILM 2007 (MIIS + CLM)
Today: FIM 2010 (User Management, Group Management, Credential Management, Policy Management)

5 Problem #1: User Provisioning
(Diagram) Connected systems and the identity data each holds: Human Resources (Name, Employee ID, Cost center, Manager, Roles); Active Directory (Name, Domain Account, Manager, Email); Email (Name, Email Alias, Mailbox settings); App Servers (App Account, App profile 1, App profile 2, App profile 3). Provisioning across them is done by the IT admin; open questions: Security? Compliancy? Productivity/Cost Reduction? Reporting? Product: FIM 2010.

6 Problem #2: Certificate and Smart Card Lifecycle Management
(Diagram) Connected systems: Human Resources, Active Directory, Email, App servers. Certificate use cases: Smart card logon; Digitally signed email; Encrypted data; Certificate-based web auth. Lifecycle questions handled by the IT admin: Certificate renewal? Lost smart card? Forgotten PIN? Blocked smart card? Product: FIM-CM 2010.

7 Session Focus: User Provisioning
(Diagram, as on slide 5) Human Resources (Name, Employee ID, Cost center, Manager, Roles); Active Directory (Name, Domain Account, Manager, Email); Email (Name, Email Alias, Mailbox settings); App stores (App Account, App profile 1, App profile 2, App profile 3). IT admin in the middle; questions: Security? Compliancy? Productivity/Cost Reduction? Reporting?

8 The “IT-Centric” Approach

9 IT-Centric Approach: Identity Synchronization
(Diagram) The same connected systems (Human Resources, Active Directory, Email, App stores) with their attributes, now joined through a Meta Directory + Synch Engine that holds the consolidated identity: Name, Employee ID, Cost center, Manager, Roles, Email Alias, Domain Account, App Account, App Profile 1, App Profile 2, App Profile 3.

10 Identity Synchronization Example
(Diagram, animated in four steps) Human Resources, Active Directory, Email and App servers exchange their attributes (Name, Employee ID, Cost center, Manager, Roles, Email Alias, Domain Account, Mailbox settings, App Account, App profiles 1–3) through the Meta Directory + Synch Engine.

11 Synch Engine Logical Architecture
(Diagram) Connected Directories ↔ Management Agents ↔ Synch Engine + Repository

12 The IT-Centric Approach: Summary
(Diagram, as on slides 9–10) Human Resources, Active Directory, Email and App stores synchronized through the Meta Directory + Synch Engine (steps 1–4).
Provisioning processes triggered by modifications on connected directories
Provisioning processes driven by synchronization rules
IT admin: “My organization is far too complex for each and every provisioning process to be described by a synchronization rule!!”
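Slides 9 to 12 describe the metadirectory pattern: management agents read each connected directory, the synch engine joins the records on a common key, attribute flow precedence decides which source wins, and synchronization rules turn the consolidated record into provisioning actions. The following Python model is an added example, not code from the deck or from FIM/ILM; the directory names, attribute names, the `PRECEDENCE` table and the sample records are all constructed assumptions. Beyond the slide's happy path it also flags the case a defender cares about most, an account that exists in a connected directory with no authoritative HR record behind it.

```python
"""Toy metadirectory + synch engine (constructed example).

Connector-space records are keyed by employee ID. HR is the authoritative
source; AD and EMAIL are connected directories that are provisioned from it.
"""

# Constructed sample connector-space data, one dict per connected directory.
HR = {  # authoritative source of truth for identity attributes
    "1001": {"name": "Ada Lovelace", "costCenter": "CC-42", "manager": "1000", "status": "active"},
    "1002": {"name": "Alan Turing", "costCenter": "CC-7", "manager": "1000", "status": "terminated"},
    "1003": {"name": "Grace Hopper", "costCenter": "CC-42", "manager": "1001", "status": "active"},
}
AD = {
    "1001": {"domainAccount": "alovelace", "name": "Ada Byron"},  # stale name in AD
    "1002": {"domainAccount": "aturing", "name": "Alan Turing"},
    "9999": {"domainAccount": "svc-old"},                         # no HR record: orphan
}
EMAIL = {
    "1001": {"alias": "ada@example.test"},
}

# Attribute flow precedence: the first source listed that has a value wins.
PRECEDENCE = {
    "name": ["HR", "AD"],
    "costCenter": ["HR"],
    "manager": ["HR"],
    "status": ["HR"],
    "domainAccount": ["AD"],
    "alias": ["EMAIL"],
}


def build_metaverse(sources):
    """Join all connector spaces on employee ID and resolve each attribute by precedence."""
    metaverse = {}
    ids = set().union(*(s.keys() for s in sources.values()))
    for emp in sorted(ids):
        record = {}
        for attr, order in PRECEDENCE.items():
            for src in order:
                value = sources[src].get(emp, {}).get(attr)
                if value is not None:
                    record[attr] = value
                    break
        metaverse[emp] = record
    return metaverse


def plan_provisioning(metaverse, sources):
    """Apply synchronization rules and return (directory, action, employee ID) tuples.

    Rules: an active HR employee needs an AD account (with the HR name) and a
    mailbox; a terminated employee must have both disabled; an account with no
    HR record at all is reported for review rather than silently kept.
    """
    hr, ad, email = sources["HR"], sources["AD"], sources["EMAIL"]
    actions = []
    for emp, rec in metaverse.items():
        if emp not in hr:
            actions.append(("AD", "review-orphan", emp))
            continue
        active = rec.get("status") == "active"
        if active:
            if emp not in ad:
                actions.append(("AD", "create", emp))
            elif ad[emp].get("name") != rec["name"]:
                actions.append(("AD", "update-name", emp))
            if emp not in email:
                actions.append(("EMAIL", "create-mailbox", emp))
        else:
            if emp in ad:
                actions.append(("AD", "disable", emp))
            if emp in email:
                actions.append(("EMAIL", "disable-mailbox", emp))
    return actions


if __name__ == "__main__":
    sources = {"HR": HR, "AD": AD, "EMAIL": EMAIL}
    for action in plan_provisioning(build_metaverse(sources), sources):
        print(action)
```

Run as a script it prints one action per line: a name correction for 1001, a disable for the terminated 1002, account and mailbox creation for 1003, and an orphan review for 9999. The orphan check is the point a synchronization-only deployment is prone to miss: a rule that only reacts to HR changes never sees an account that HR never knew about.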

13 The “Business-Centric” Approach

14 Focus on Business Processes
Rich permissions and delegation model
System auditing and compliance
Users must be given the power to trigger, participate in and drive provisioning processes
Route users’ requests to appropriate decision makers
Offload IT admin from dealing with users’ requests
Themes: Empowering People; Delivering Agility and Efficiency; Increasing Security and Compliance

15 How FIM 2010 Extends the Identity Synch Approach
Workflow support
−FIM 2010 can automate business processes for managing user identities and their entitlements
Self-service and delegation
−FIM 2010 provides high-level interfaces for end users to request provisioning access to resources, either for themselves or on someone else’s behalf
Policy management
−FIM 2010 enables IT professionals to create and maintain provisioning policies through simplified, graphical, web-based interfaces

16 FIM 2010 Logical Architecture
FIM 2010 introduces a new repository, referred to as the “Object Store”, connected to the ILM 2007 Metadirectory & Synch layer via a dedicated MA (the FIM 2010 MA)
FIM 2010’s underlying synchronization engine stays the same as in the current version (ILM 2007)
FIM 2010 introduces a web portal (hosted on WSS) that provides self-service functionalities, workflows, policy management and GUI-based configuration wizards

17 Deploying core IDA capabilities quickly

18 Policy Management
Management Policy Rules: formal description of business processes for managing users, resources, entitlements
Typical MPR
−When a new employee is hired
−AD and RACF accounts created
−Mailbox created
−Notification sent to employee’s manager
−Requests for relevant group membership sent to owners

19 Policy Management - Demo

20 Group Management
Dynamic groups / DLs
−Membership calculated based on user attributes
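Slide 20 states the idea of dynamic groups in one line: membership is calculated from user attributes rather than maintained by hand. The Python below is an added example, not code from the deck or from FIM 2010; the filter syntax (conjunctions of `attribute = 'value'` / `attribute != 'value'` terms), the user attribute names and the sample users are constructed assumptions. It evaluates the filter with a small purpose-built parser rather than `eval()`, recomputes membership after an attribute change, and reports who was added and removed, which is the deprovisioning side a manually maintained group tends to lose.

```python
"""Dynamic group membership derived from user attributes (constructed example)."""
import re

# One filter term: attribute, operator (= or !=), single-quoted value.
TERM = re.compile(r"^\s*(\w+)\s*(=|!=)\s*'([^']*)'\s*$")

# Constructed sample users; attributes assumed to come from the authoritative source.
USERS = {
    "alovelace": {"department": "Sales", "employeeType": "FTE", "status": "active"},
    "aturing": {"department": "Sales", "employeeType": "Contractor", "status": "active"},
    "ghopper": {"department": "Sales", "employeeType": "FTE", "status": "terminated"},
    "lhamilton": {"department": "Engineering", "employeeType": "FTE", "status": "active"},
}

# Constructed membership filter for a "Sales full-time employees" distribution list.
SALES_FTE = "department = 'Sales' and employeeType = 'FTE' and status = 'active'"


def parse_filter(expr):
    """Parse a conjunction of terms into a list of (attribute, op, value).

    Only 'and' is supported and values may not contain the text ' and ';
    anything else is rejected instead of being interpreted loosely.
    """
    terms = []
    for part in expr.split(" and "):
        match = TERM.match(part)
        if not match:
            raise ValueError(f"bad filter term: {part!r}")
        terms.append(match.groups())
    return terms


def matches(attrs, terms):
    """True when the user's attributes satisfy every term; a missing attribute never equals anything."""
    for attr, op, value in terms:
        actual = attrs.get(attr)
        if op == "=" and actual != value:
            return False
        if op == "!=" and actual == value:
            return False
    return True


def compute_members(users, filter_expr):
    """Return the sorted list of user IDs whose attributes satisfy the filter."""
    terms = parse_filter(filter_expr)
    return sorted(uid for uid, attrs in users.items() if matches(attrs, terms))


def apply_attribute_changes(users, changes):
    """Return a new users dict with the given {user: {attr: value}} changes applied."""
    updated = {uid: dict(attrs) for uid, attrs in users.items()}
    for uid, delta in changes.items():
        updated[uid].update(delta)
    return updated


def membership_delta(before, after):
    """Return (added, removed) user ID lists between two membership computations."""
    return sorted(set(after) - set(before)), sorted(set(before) - set(after))


if __name__ == "__main__":
    before = compute_members(USERS, SALES_FTE)
    changed = apply_attribute_changes(USERS, {
        "alovelace": {"department": "Engineering"},  # transfer out of Sales
        "ghopper": {"status": "active"},             # rehired
    })
    after = compute_members(changed, SALES_FTE)
    print("before:", before, "after:", after, "delta:", membership_delta(before, after))
```

The membership change falls out of the attribute change alone: the transferred user leaves the list and the rehired user joins it without anyone editing the group. Rejecting malformed filters up front (the `ValueError`) matters because a filter that silently matches nothing, or everything, is an access-control error that no one will see in the group's member list.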

21 Group Management - Demo

22 Credential Management
Self-service password reset integrated in Windows Logon
Default pwd reset workflow based on “security questions”
−Can be customized

23 Credential Management - Demo

24 User Management
Self-service user portal
−Delegate to end users maintenance of non-security-sensitive attributes
Self-service group management tools
−“Add me to”
−Group
−DL
−Office Integration

25 User Management - Demo


27 © 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
