Forefront Identity Manager 2010 Deep Dive
Presentation for TechNet
02.12.2011
Christian Jäggli, Solution Architect
Microsoft Consulting Services
Security, Identity and Access Management
Agenda: Forefront Identity Manager 2010
History
Technology
FIM Architecture
FIM Service and Request Handling
FIM Synchronization Service
FIM Certificate Management
FIM Clients
Customization
Backup, Recovery and Release Mgmt.
Deployment Scenario
Licensing
Roadmap
Q&A, Discussion
FIM 2010 History (diagram)
Capabilities, in the order shown: Identity Synchronization; User Provisioning; Certificate and Smartcard Management; Office Integration for Self-Service; Support for 3rd Party CAs; Codeless Provisioning; Group & DL Management; Workflow and Policy
Solution areas: User Management, Group Management, Credential Management, Policy Management
Common Platform: Workflow, Connectors, Logging, Web Service API, Synchronization
Forefront Identity Manager 2010 Features
Credential Management
– Heterogeneous certificate management with 3rd party CAs
– Management of multiple credential types, including One Time Passwords
– Self-service password reset integrated with Windows logon
Group Management
– Rich Office-based self-service group management tools
– Offline approvals through Office
– Automated group and distribution list updates
User Management
– Integrated provisioning of identities, credentials, and resources
– Automated, codeless user provisioning and de-provisioning
– Self-service profile management
Policy Management
– SharePoint-based console for policy authoring, enforcement & auditing
– Extensible WS-* APIs and Windows Workflow Foundation workflows
– Heterogeneous identity synchronization and consistency
Technology behind the scenes
Forefront Identity Manager 2010 Server: Windows Server 2008 and 2008 R2, 64-bit
– Only supported server platform
– Internet Information Services (IIS)
– .NET Framework
– Windows Workflow Foundation
– Windows PowerShell
– Web Services (WS-*)
MS SQL Server 2008 (R2)
SharePoint Services 3.0 or SharePoint Foundation
Visual Studio 2008 / 2010 (for customizing)
Client modules: Windows XP, Windows Vista or Windows 7, 32- and 64-bit; Office 2007 / 2010 (for Office integration)
FIM 2010 Architecture (diagram)
FIM Clients: Outlook, Portal, Windows, Custom
Solutions: User Mgmt, Group Mgmt, Credential Mgmt, Policy Mgmt, Custom
FIM Platform:
– FIM Web Service: AuthN Workflow, AuthZ Workflow, Action Workflow, Delegation & Permissions, Request Processor, AppDB
– FIM Sync: Adapters, SyncDB
– Certificate Management: CM Portal, CMDB
Identity Stores: Directories, Databases, E-Mail Systems, Applications
FIM 2010 Web Services
(diagram: FIM Web Service with AuthN Workflow, AuthZ Workflow, Action Workflow, Delegation & Permissions, Request Processor, AppDB)
Service on the FIM Server providing Web service interfaces for WS-* requests from clients and the Web interface
Handles authentication, authorization and workflows through Management Policy Rules
All requests performed are logged and reported
Based on .NET and Windows Workflow Foundation
Request Handling and Workflows
1. Receive the WS-* request and validate the token (Kerberos token).
2. Create the Request in the FIM DB.
3. Select MPR(s). At least one should grant permission to fulfil the request.
4. If authentication is required, serialize and run the interactive AuthN workflows.
5. If authorization is required, parallelize and run the asynchronous AuthZ workflows.
6. Perform the CRUD operation (Create/Read/Update/Delete) in the FIM database.
7. If additional action is required, run the follow-up Action workflows.
Management Policy Rules (MPR) (diagram)
A Management Policy Rule links a Request to Permissions (can the Requestor perform these Operations on the Target Resource?) and to the workflows that run for it.
Request components: Requestor (a set), Operations, Target before (a set), Target after (a set), Target attributes
Authentication workflow activities: Password reset, QA Gate, Lockout Gate, Custom
Authorization workflow activities: Approval, Group Validation, Filter Validation, Function Evaluator, Notification, Custom
Action workflow activities: Notification, Function Eval., Synch Rule, Custom
Sets
– Static Sets
– Dynamic Sets
Workflows
– Authentication Workflows
– Authorization Workflows
– Action Workflows
– Custom Action Workflows
Management Policy Rules
– Permission MPRs
– Workflow MPRs
– Transition MPRs
Demo: Management Policy Rules, Workflows and Sets
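The request pipeline and the MPR components described above (requestor set, operations, target-before and target-after sets, target attributes, and the AuthZ and Action workflows an MPR attaches), modelled in Python as an added example; this is not code from the presentation or from FIM itself, and the sets, attribute names and rules are constructed for illustration.

```python
# Added example (not from the slides or from FIM): minimal model of how the FIM Service
# evaluates a Request against Management Policy Rules. Sets, attributes and rules are constructed.
from dataclasses import dataclass, field


@dataclass
class Mpr:
    name: str
    grant: bool                    # Permission MPR grants rights; a workflow-only MPR does not
    requestors: object             # requestor set: dict -> bool (dynamic set filter)
    operations: frozenset          # e.g. frozenset({"Modify"})
    target_before: object = None   # set the target must be in before the change (None = any)
    target_after: object = None    # set the target must be in after the change (None = any)
    attributes: frozenset = None   # attributes the rule covers (None = all)
    authz: list = field(default_factory=list)   # authorization workflows, run before commit
    action: list = field(default_factory=list)  # action workflows, run after commit


def mpr_applies(mpr, requestor, operation, before, after, attributes):
    """Step 3: does the MPR match requestor, operation, target sets and attributes?"""
    if operation not in mpr.operations or not mpr.requestors(requestor):
        return False
    if mpr.target_before and not (before and mpr.target_before(before)):
        return False
    if mpr.target_after and not (after and mpr.target_after(after)):
        return False
    return mpr.attributes is None or attributes <= mpr.attributes


def handle_request(mprs, requestor, operation, before, after, attributes):
    """Steps 3, 5 and 7: select MPRs, deny unless one grants permission, then queue the
    AuthZ workflows (before the CRUD commit) and Action workflows (after it)."""
    matched = [m for m in mprs if mpr_applies(m, requestor, operation, before, after, attributes)]
    if not any(m.grant for m in matched):
        return {"status": "Denied", "matched": [m.name for m in matched]}
    authz = [w for m in matched for w in m.authz]
    return {"status": "Authorizing" if authz else "Committed", "matched": [m.name for m in matched],
            "authz": authz, "action": [w for m in matched for w in m.action]}


# Constructed sets (dynamic sets are attribute filters) and rules
all_people = lambda r: r.get("ObjectType") == "Person"
admins = lambda r: r.get("Role") == "Administrator"
it_dept = lambda r: r.get("Department") == "IT"
RULES = [
    Mpr("Everyone can update display names", True, all_people, frozenset({"Modify"}),
        attributes=frozenset({"DisplayName"})),
    Mpr("Administrators manage IT staff, with owner approval", True, admins, frozenset({"Modify"}),
        target_before=it_dept, target_after=it_dept, authz=["OwnerApproval"], action=["NotifyManager"]),
]
```

A request that no Permission MPR covers is denied even if a Workflow MPR matches it, which is the check step 3 of the pipeline performs.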
FIM 2010 Synchronization Engine
Synchronization engine data path (diagram): Management Agent, Connector Space, Metaverse
Identity Stores and Management Agents
Type of system: management agents
Network operating systems and directory services: Active Directory Domain Services 2000, 2003, 2003 R2, 2008, 2008 R2; Active Directory Lightweight Directory Services (ADLDS) 2000, 2003, 2003 R2, 2008; Active Directory Global Address List (GAL) for Exchange 2000, 2003, 2007, 2010; IBM Tivoli Directory Server up to version 6.2; Novell eDirectory v8.7.3, v8.8; Sun ONE and Netscape Directory Servers v5.1, v5.2; IBM Directory Server v6.0, v6.2
Certificate and Smart Card Management: FIM Certificate Management
E-mail and messaging: Exchange Server 2007 and 2010 (use the AD Management Agent); Lotus Notes v6.5, v7.0 (32-bit Lotus Notes Client)
Databases: Microsoft SQL Server 2000, 2005, 2008; IBM DB2 Universal Database 9.1 and 9.5 (64-bit client v9.5 FP5 or v9.7 FP1 required); Oracle Database 10g (64-bit client)
File-based: Attribute Value Pairs; CSV; Delimited; Fixed Width; Directory Services Markup Language (DSML) 2.0; LDAP Interchange Format (LDIF)
Other: SAP R/3 Enterprise (4.7), mySAP 2004 (ECC 5.0) (32-bit client); XML-based systems; Extensible Management Agent for custom connectivity to other systems
Management Agents
– AD Management Agent
– FIM Management Agent
Legacy Provisioning
Codeless Provisioning
– Synchronization Rules
– Provisioning Workflow
– Expected Rule Entry (ERE)
– Detected Rule Entries (DRE)
Synchronization Profiles
– Run Profiles
– Full Sync
– Delta Sync
– Scheduling
Demo: Provisioning
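A toy model of the synchronization path above (management agent, connector space, metaverse, synchronization rules with Expected Rule Entries, and full versus delta run profiles), added here as an illustration; it is not code from the presentation or from FIM, and the HR and AD management agents, attribute names and rules are assumed.

```python
# Added example (not from the slides or from FIM): toy model of the synchronization
# data path (connector space -> metaverse -> connector space) with codeless provisioning
# via synchronization rules and Expected Rule Entries. Stores, attributes, rules are constructed.
from collections import namedtuple

SyncRule = namedtuple("SyncRule", "name ma direction join flows")  # join = (cs attr, mv attr)


class SyncEngine:
    def __init__(self, rules):
        self.rules, self.cs, self.pending, self.mv = rules, {}, {}, {}

    def stage_import(self, ma, objects):
        """Import step of a run profile: stage objects into the MA's connector space as changed."""
        for anchor, attrs in objects.items():
            self.cs.setdefault(ma, {})[anchor] = dict(attrs)
            self.pending.setdefault(ma, set()).add(anchor)

    def _inbound(self, rule, cs_obj):
        cs_attr, mv_attr = rule.join
        mv = next((m for m in self.mv.values() if m.get(mv_attr) == cs_obj.get(cs_attr)), None)
        if mv is None:  # no join partner: project a new metaverse object
            mv = self.mv.setdefault(len(self.mv) + 1, {"ExpectedRules": set()})
        for src, dst in rule.flows.items():  # inbound attribute flow
            mv[dst] = cs_obj[src]
        return mv

    def _outbound(self, rule, mv):
        mv["ExpectedRules"].add(rule.name)  # ERE: the outbound rule now applies to this object
        obj = self.cs.setdefault(rule.ma, {}).setdefault(mv[rule.join[1]], {})  # provisions if absent
        for src, dst in rule.flows.items():  # outbound attribute flow
            obj[dst] = mv[src]

    def run(self, ma, delta=True):
        """Delta sync processes only pending imports; full sync re-evaluates every CS object."""
        anchors = self.pending.get(ma, set()) if delta else set(self.cs.get(ma, {}))
        for anchor in sorted(anchors):
            for rule in [r for r in self.rules if r.ma == ma and r.direction == "inbound"]:
                mv = self._inbound(rule, self.cs[ma][anchor])
                for out in [r for r in self.rules if r.direction == "outbound"]:
                    self._outbound(out, mv)
        self.pending[ma] = set()
        return len(anchors)


RULES = [  # constructed: HR is authoritative, AD is provisioned from the metaverse
    SyncRule("HR inbound", "HR MA", "inbound", ("EmpID", "employeeID"),
             {"EmpID": "employeeID", "Name": "displayName", "Dept": "department"}),
    SyncRule("AD outbound", "AD MA", "outbound", ("employeeID", "employeeID"),
             {"employeeID": "employeeID", "displayName": "displayName"}),
]
```

Only the attributes named in a flow cross the boundary, so the department stays in the metaverse and never reaches the AD connector space under these rules.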
FIM 2010 Certificate Management
FIM CM Components (diagram)
Infrastructure: FIM CM Server, Email Server, SQL Server, Certification Authority, Active Directory
Users: Corporate User, Corporate Partner, Customer
FIM CM Architecture (diagram)
Physical Architecture: FIM CM Server, End User, Enterprise CA, Email Server, Active Directory, SQL Server
Logical Architecture: Certification Authority with FIM CM Policy Module and FIM CM Exit Module; FIM CM AD Integration; FIM CM ASP.NET Web App on IIS 7.0 or 7.1 (64-bit); IE 6.x, 7.x or 8.x; FIM CM Client; Smart card middleware / Smart card base CSP
Other Services: Email Server, Active Directory, SQL Server
FIM 2010 Clients
FIM can use different clients to access the functionality:
– SharePoint portal via Internet Explorer
– Windows XP, Windows Vista or Windows 7 for Credential Management (Passwords and Smart Cards)
– Office Outlook for Group management, approvals and request handling
– Any application which can send WS-* requests to the FIM web service (for example a Helpdesk application)
(diagram: FIM Clients: Outlook, Portal, Windows, Custom)
Windows Password Reset
Outlook Add-in
– Join Group
– Leave Group
– Add Members to Groups
– Remove Members from Groups
– Approve/Reject in Email
Demo: Windows and Office Extensions
FIM 2010 User Portal
SharePoint Web Portal (SharePoint Services) for
– FIM Administrators
– End users for self-service
– Resource and group administrators
– Workflow requestors and approvers
– Password Management
Users see only what they are entitled to see and manage
Predefined page layout; can be fully customized and branded to user needs through the interface (no coding required)
FIM 2010 User Portal Customization
Portal Customization
– Branding
– Home Page customization
– Navigation bar customization
Keywords: BasicUI, Global, Custom, <None>
Resource Control Display Configuration (RCDC)
Language Settings
– Portal Languages
– Client Add-On Languages
– Self-Service Password Reset Languages
Demo: FIM 2010 User portal customization
Users, Groups and Sets
Users
– Listing and searching
– Predefined search scopes
Groups
– Security Groups
– Distribution lists
– Group membership assignment: Static; Dynamic based on attributes; Dynamic based on manager
Sets
– Filter Builder operators
– Custom XPath filters
Demo: Managing users, groups and Sets
FIM 2010 Auditing (and Reporting)
PowerShell Modules
Backup Process: see "Microsoft Forefront Identity Manager (FIM) Backup and Restore"
Exporting configuration in the Development Environment
– Export FIM Synchronization Server configuration
– Export FIM Service Schema and Policies
Importing configuration in the Production Environment
– Put FIM in maintenance mode
– Import FIM Service Schema
– Import FIM Synchronization Server configuration
– Import FIM Service Policies
– Test functionality and put FIM in operational mode
Reference: "Microsoft Forefront Identity Manager (FIM) Configuration Migration Deployment Guide"
Demo: Backup, Recovery, Release management
Deployment Scenarios: Example
FIM 2010 Licensing
FIM 2010 licensing requires two separate license purchases:
– Server license
– Client access license
Server licensing
– One license per physical FIM 2010 server
– Server can run FIM Web Service, FIM Synchronization Service, or FIM CM Service
– Can run each on a separate server or any combination of the three services
Client access license (CAL) for every person who receives a certificate managed by FIM 2010 or accesses the Web Service in any form
– Software certificates or smart card certificates
– Portal access for user profile management
– Includes the ability to do user self-service password reset and self-service group management
– Consider purchasing an external connector license if certificates are issued to subscribers outside of the organization
– If a person has two or more accounts in Active Directory, only a single CAL is required to manage the two accounts including certificates
(diagram: FIM 2010 Server with a Server License; users with CALs)
FIM 2010 Roadmap
Next Version: FIM 2010 R2, expected H1/2012
Public Release Candidate available
Main Features:
Credential Management
– Web-based password registration and reset
Reporting
– Historical reporting for managed resources
– Service Manager data warehouse integration
Ease of Use
– Enhanced diagnostics and Best Practice Analyzer
– Enhanced initial load performance
– Simplified deployment for password reset
Out-of-Band Releases
– New/updated management agents
– Additional language packages
Questions?
This material is provided for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED.
Resource Control Display Configuration Controls
Control | Description | Read-Only
UocButton | Simple Button (limited utility without handlers) | Yes
UocCaptionControl | Grouping Caption | Yes
UocCheckBox | Simple Checkbox Control | No
UocCommonMultiValueControl | Multivalue box with values separated by ';' | No
UocDateTimeControl | Textbox that only accepts Date & Time strings | No
UocDropDownList | Simple drop-down box control | No
UocFileDownload | Hyperlink download path for a file (XML & Binary) | No
UocFileUpload | Browse and Upload path for a file upload (XML & Binary) | No
UocFilterBuilder | Build an XPath expression using the Filter Builder | No
UocHtmlSummary | Summary Page Group | Yes
UocHyperLink | Unrestricted Hyperlink or Resource reference link | Yes
UocIdentityPicker | Pick a resource from the FIM Service DB | No
UocLabel | Read-only text label control | Yes
UocListView | Advanced List View Control | No
UocNumericBox | Text box for Numeric Values (Integer only) | No
UocPictureBox | Render a picture from a URL or binary data in the DB | Yes
UocRadioButtonList | Simple Radio Button control | No
UocSimpleRadioButton | Boolean (True/False) Radio Button Control | No
UocTextBox | Simple Text Box | No