
Forefront Identity Manager 2010

Forefront Identity Manager 2010. Technical Overview. Daniel Kaufmann (Microsoft Schweiz), Dominik Zemp (Microsoft Schweiz).


Presentation Transcript


  1. Forefront Identity Manager 2010 Technical Overview Daniel Kaufmann (Microsoft Schweiz) Dominik Zemp (Microsoft Schweiz)

  2. Agenda

  3. Identity and Access: Business Needs and IT Challenges
  Each business need (agility and flexibility) is paired with the IT challenge (control) it creates:
  • Provide secure access to applications from anywhere / Multiple locations and devices
  • Simplify user experience for collaboration / Difficulty in extending business resources
  • Provide seamless movement between applications / Disparate systems to manage
  • Reduce cost of account management / Complex account lifecycle management

  4. Business Ready Security Solutions Secure Messaging Secure Collaboration Secure Endpoint Information Protection Identity and Access Management

  5. Simplify Identity Management
  Governed self-service and automation
  Empower Business
  • Self-service profile, credential, and group management
  • Password and PIN reset from Windows login
  • Group management from within Microsoft Office
  • Single identity across heterogeneous applications
  Empower IT
  • End-to-end, workflow-driven user provisioning
  • Policy-controlled self-service capabilities
  • Automatic, attribute-based group membership for simplified resource access
  Pillars: Identity Management, Credential Management, Group Management
  "If you wanted to access a file share in your network, previously you might have had to call your service desk and get approval. Now it is all workflow based. You go to a portal. There is no manual labor." - Brian Desmond, Microsoft MVP

  6. Identity Management tasks

  7. Identity Management: User provisioning
  • Policy-based identity lifecycle management system
  • Built-in workflow for identity management
  • Automatically synchronize all user information to different directories across the enterprise
  • Automates the process of on-boarding users
  Flow shown on the slide: HR System -> FIM (workflow: user enrollment; approval: manager) -> Active Directory, Lotus Domino, LDAP, SQL Server, Oracle DB, FIM CM -> user provisioned on all allowed systems

  8. Identity Management: User de-provisioning
  • Automated user de-provisioning
  • Built-in workflow for identity management
  • Real-time de-provisioning from all systems to prevent unauthorized access and information leakage
  Flow shown on the slide: HR System -> FIM (workflow: user de-provisioned) -> Active Directory, Lotus Domino, LDAP, SQL Server, Oracle DB, FIM CM -> user de-provisioned or disabled on all systems

  9. Identity Synchronization and Consistency: Identity synchronization across multiple directories
  Identity data aggregation: each connected store is authoritative for the attributes it owns (attribute ownership), and FIM assembles the single aggregated record from those owned values only.

  Attribute     HR System    SQL Server DB   Active Directory/Exchange   LDAP         FIM (aggregated)
  givenName     Samantha*    Samara          Sam                         Sammy        Samantha
  sn            Dearing*     Darling         Dearing                     Dearling     Dearing
  title         -            Coordinator*    Intern                      -            Coordinator
  mail          -            -               someone@example.com*        -            someone@example.com
  employeeID    007*         007             007                         008          007
  telephone     -            -               -                           555-0129*    555-0129

  * = owning store. HR System owns FirstName, LastName and EmployeeID; SQL Server DB owns Title; Active Directory/Exchange owns E-Mail; LDAP owns Telephone. "-" = attribute not present in that store.

  10. Identity Synchronization and Consistency: Identity consistency across multiple directories
  Identity data brokering (convergence): FIM exports the aggregated record back to every connected store, replacing incorrect or missing information. Attribute ownership is the same as on slide 9 (HR System: FirstName, LastName, EmployeeID; SQL Server DB: Title; Active Directory/Exchange: E-Mail; LDAP: Telephone).
  Before convergence the stores hold the divergent values from slide 9 (Samara/Darling in SQL Server DB, Sam/Intern in Active Directory/Exchange, Sammy/Dearling in LDAP, blanks elsewhere).
  After convergence HR System, SQL Server DB, Active Directory/Exchange and LDAP all hold: givenName Samantha, sn Dearing, title Coordinator, mail someone@example.com, employeeID 007, telephone 555-0129.
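Slides 9 and 10 describe two steps: aggregate one record from per-attribute authoritative sources, then push that record back so every store converges. The block below is an added illustration of that precedence logic in plain Python; it is not FIM code or a FIM API. The store and attribute names and the sample values are the ones on the slides, while the `ATTRIBUTE_OWNER` table, the function names and the treatment of an empty string as "missing" are assumptions made for the example.

```python
"""Attribute-level precedence merge and convergence (the FIM metaverse idea).

Added illustration, not FIM code: one authoritative store per attribute,
aggregate into a single record, then compute what each connected store
must receive to become consistent with it.
"""

# Assumed ownership table, following slides 9/10: HR owns the name and
# employeeID, the SQL DB owns title, AD/Exchange owns mail, LDAP owns telephone.
ATTRIBUTE_OWNER = {
    "givenName": "HR System",
    "sn": "HR System",
    "employeeID": "HR System",
    "title": "SQL Server DB",
    "mail": "Active Directory/Exchange",
    "telephone": "LDAP",
}

# Constructed sample: the slide's values for Samantha Dearing as each store
# holds them before synchronization ("" = attribute missing in that store).
CONNECTED_STORES = {
    "HR System": {"givenName": "Samantha", "sn": "Dearing", "title": "",
                  "mail": "", "employeeID": "007", "telephone": ""},
    "SQL Server DB": {"givenName": "Samara", "sn": "Darling", "title": "Coordinator",
                      "mail": "", "employeeID": "007", "telephone": ""},
    "Active Directory/Exchange": {"givenName": "Sam", "sn": "Dearing", "title": "Intern",
                                  "mail": "someone@example.com", "employeeID": "007",
                                  "telephone": ""},
    "LDAP": {"givenName": "Sammy", "sn": "Dearling", "title": "", "mail": "",
             "employeeID": "008", "telephone": "555-0129"},
}


def aggregate(stores, owners):
    """Identity data aggregation: build the record by taking each attribute
    only from its authoritative owner. Non-owner values are never imported,
    so LDAP's wrong employeeID (008) cannot overwrite HR's 007."""
    record = {}
    for attr, owner in owners.items():
        value = stores.get(owner, {}).get(attr, "")
        if value == "":
            # The owner is the only acceptable source; a blank there is an error,
            # not something to fill from a non-authoritative store.
            raise ValueError(f"authoritative source {owner!r} has no value for {attr!r}")
        record[attr] = value
    return record


def convergence_plan(stores, record):
    """Identity data brokering: for every store, the attribute -> (old, new)
    pairs that must be exported so the store matches the aggregated record."""
    plan = {}
    for name, attrs in stores.items():
        changes = {a: (attrs.get(a, ""), v)
                   for a, v in record.items() if attrs.get(a, "") != v}
        if changes:
            plan[name] = changes
    return plan


def apply_plan(stores, plan):
    """Export step: return converged copies of the stores (inputs untouched)."""
    converged = {n: dict(a) for n, a in stores.items()}
    for name, changes in plan.items():
        for attr, (_old, new) in changes.items():
            converged[name][attr] = new
    return converged


if __name__ == "__main__":
    mv = aggregate(CONNECTED_STORES, ATTRIBUTE_OWNER)
    for store, changes in convergence_plan(CONNECTED_STORES, mv).items():
        for attr, (old, new) in changes.items():
            print(f"{store}: {attr} {old!r} -> {new!r}")
```

Running it lists the exports FIM would make per store; the point to notice is that LDAP's employeeID 008 is corrected to 007 rather than propagated, because only the owning store is read for each attribute. Flipping `ATTRIBUTE_OWNER["employeeID"]` to "LDAP" would make 008 authoritative, which is why ownership configuration is the security-relevant setting here.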

  11. Evolution of Identity Manager
  Common platform: Workflow, Connectors, Logging, Web Service API, Synchronization
  Capability areas built on it: User Management, Group Management, Credential Management, Policy Management
  Features: Identity Synchronization, User Provisioning, Declarative Provisioning, Certificate and Smartcard Management, Support for 3rd Party CAs, Group & DL Management, Office Integration for Self-Service, Workflow and Policy

  12. Key Pillars of Forefront Identity Manager
  Policy Management
  • SharePoint-based console for policy authoring, enforcement & auditing
  • Extensible WS-* APIs and Windows Workflow Foundation workflows
  • Heterogeneous identity synchronization and consistency
  Credential Management
  • Heterogeneous certificate management with 3rd party CAs
  • Management of multiple credential types
  • Self-service password reset integrated with Windows logon
  User Management
  • Integrated provisioning of identities, credentials, and resources
  • Automated, codeless user provisioning and de-provisioning
  • Self-service profile management
  Group Management
  • Rich Office-based self-service group management tools
  • Offline approvals through Office
  • Automated group and distribution list updates

  13. FIM 2010 Architecture

  14. User Demo

  15. Group Management
  • Self-service group and distribution list management with the FIM 2010 Web portal
  • Office integration allows users to manage group membership from within Microsoft Office Outlook® for maximum productivity
  • Automatically add users to either group based on their employee type at the time they are provisioned to Active Directory
  • Group and distribution list management, including dynamic membership calculation in these groups and distribution lists based on users' attributes
  Screenshots: FIM Add-in for Outlook; SharePoint-based Management Console
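Dynamic membership "based on users' attributes" means the group is a filter, not a list: membership is recalculated whenever an attribute changes, and access is removed the moment the attribute no longer matches. The block below is an added illustration of that evaluation and of the add/remove delta a directory would receive; it is not FIM code, and the sample users, group names and `employeeType`/`department` filters are constructed for the example.

```python
"""Criteria-based (dynamic) group membership, as described on slide 15.

Added illustration, not FIM code: membership follows the attribute rather
than a manual add, so a changed attribute both grants and revokes access.
"""

# Constructed sample users; employeeType and department are the attributes
# the hypothetical criteria below filter on.
USERS = [
    {"accountName": "sdearing", "employeeType": "FullTime", "department": "Sales"},
    {"accountName": "jdoe", "employeeType": "Contractor", "department": "Sales"},
    {"accountName": "mroe", "employeeType": "FullTime", "department": "Finance"},
]

# Hypothetical criteria-based groups: group name -> attribute filter.
# Every listed attribute must match (logical AND).
CRITERIA_GROUPS = {
    "FullTime-Employees": {"employeeType": "FullTime"},
    "Contractors": {"employeeType": "Contractor"},
    "Sales-FullTime": {"employeeType": "FullTime", "department": "Sales"},
}


def matches(user, criteria):
    """True when the user satisfies every attribute in the filter.
    A missing attribute never matches, so incomplete records get no access."""
    return all(user.get(attr) == value for attr, value in criteria.items())


def calculate_membership(users, groups):
    """Group name -> sorted member account names for the current attribute values."""
    return {g: sorted(u["accountName"] for u in users if matches(u, c))
            for g, c in groups.items()}


def membership_delta(before, after):
    """Adds and removes a connected directory needs to move from `before` to `after`.
    Groups whose membership is unchanged are omitted."""
    delta = {}
    for g in after:
        old, new = set(before.get(g, [])), set(after[g])
        if old != new:
            delta[g] = {"add": sorted(new - old), "remove": sorted(old - new)}
    return delta


if __name__ == "__main__":
    current = calculate_membership(USERS, CRITERIA_GROUPS)
    # jdoe converts from contractor to full-time employee: recalculating
    # removes them from Contractors and adds them to both FullTime groups.
    changed = [dict(u) for u in USERS]
    changed[1]["employeeType"] = "FullTime"
    updated = calculate_membership(changed, CRITERIA_GROUPS)
    for group, d in membership_delta(current, updated).items():
        print(group, d)
```

The revoke side is the one worth watching: because `Contractors` loses `jdoe` in the same recalculation that adds them to `Sales-FullTime`, access follows the attribute in both directions, which is what the "prevent unauthorized access" claim on slide 8 depends on. It also means whoever can write `employeeType` in the authoritative store controls group membership, so that attribute's ownership (slide 9) is part of the access-control design.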

  16. Group Management

  17. Group Management Demo

  18. Identity Stores and Management Agents

  19. Certificate and Smart card management
  • Increase access security beyond username and password solutions
  • Streamline deployment by enrolling user and computer certificates without user intervention
  • Simplify certificate and smart card management using Forefront Identity Manager (FIM)
  • Enhance remote access security through certificates with Network Access Protection
  • Stronger authentication through certificates for administrative access and management
  Enrollment flow shown on the slide (HR System -> FIM -> FIM CM -> Active Directory Certificate Services (AD CS) -> end user):
  1. User enrollment and authentication request sent by HR System
  2. FIM policy triggers request for FIM CM to issue certificate or smart card
  3. FIM Certificate Management (CM) requests certificate creation from AD CS
  4. User is validated using multi-factor authentication (smart card in addition to user ID and password)
  5. Certificate is issued to user and written to either machine or smart card

  20. It's all about trust

  21. FIM 2010 CM Functionality
  • Single administration point for smart cards & digital certificates
  • User self-service capabilities to help reduce helpdesk burden
  • Configurable policy-based workflows for common tasks: enroll / renew / update; personalize smart card; recover / smart card replacement; issue temporary / duplicate smart card; revoke / retire / disable smart card
  • Detailed auditing and reporting capabilities
  • Support for centralized, decentralized and self-service scenarios
  • Extensibility to support additional authentication technologies including one time password (OTP) devices, physical access cards & biometrics
  • Tightly integrated with Active Directory and Certificate Services

  22. FIM 2010 + FIM 2010 CM
  End-to-end flow shown on the slide:
  1. New user added in HR app
  2. Sync receives request (Sync DB, Management Agents)
  3. Does user have permission to add user to FIM? (Delegation & Permissions; AuthN & AuthZ workflows)
  4. FIM manages manager and dept head approvals (Approval workflows)
  5. Once approved, changes committed to ILM app store
  6. FIM syncs to external identity stores (Sync DB, Management Agents -> Identity Stores)
  7. Certificates requested (FIM CM Service DB; Action Workflow)
  8. Card created & printed
  9. Self-service notification and One Time Password sent to end user
  10. End user downloads certificates onto smart card
  11. FIM sends welcome and confirmation e-mails

  23. Microsoft Solution Components
  • Forefront Identity Manager: workflows and profiles for smart card deployment and management
  • FIM CM client / web kiosk: self-service smart card management
  • Windows Server AD Certificate Services: certificate authority (issue, renew, revoke certs); revocation info published as a Certificate Revocation List and via an Online Responder
  • AD Domain Services: certificate templates, policy; auto-publish and auto-enroll
  • Client PC: enrollment, renewal, smart card personalization, revocation check ("certs revoked?")

  24. FIM 2010 CM Architecture: Component and Physical Architecture
  • Microsoft Certificate Authority: FIM-CM Policy Module and FIM-CM Exit Module installed on the CA (one or more Microsoft CAs)
  • FIM-CM Server: FIM-CM Web App on Internet Information Server, FIM-CM AD Integration, SQL, E-mail
  • End User: Internet Explorer with the FIM-CM Browser Control and Smart Card Middleware

  25. CLM Demo

  26. Technical Deployment Opportunities

  27. More information
