Fred Delombaerde, Microsoft IT, Microsoft Corporation. SIA302: Identity Lifecycle Manager "2" is now Forefront Identity Manager 2010


Fred Delombaerde
Microsoft IT
Microsoft Corporation
SIA302
Identity Lifecycle Manager "2" is now
Forefront Identity Manager 2010
Agenda
Goals
Business case
MSIT’s technical requirements
Defining business processes
Server deployment
Forefront Identity Manager (FIM 2010) Solutions
MSIT’s best practices
Futures
Session Outcomes
Gain insight to MSIT’s deployment of FIM 2010
Takeaway best practices for your deployment
Understand how FIM 2010 provides solutions
for Password Reset & Group Management
Gain insight to future FIM scenarios for MSIT
Business Ready Security
Help securely enable business by managing risk and empowering people
Protect everywhere,
access anywhere
Identity
Simplify the security
experience,
manage compliance
Highly Secure & Interoperable Platform
Integrate and extend
security across the
enterprise
from:
Block
Cost
Siloed
to:
Enable
Value
Seamless
MSIT Deployment
Goals
Validate FIM’s value proposition
Reduce cost by automating processes
Eliminate costly custom solutions
Validate product readiness across the feature sets in a
large enterprise environment
Customer proof
Process
Highly collaborative
Cross-functional teams on both sides
Results
Over 100 P1 bugs
Critical to shipping – “life itself”
Scenario Overview – Password Reset
Jill has been out on vacation for a few weeks.
As a result, she has forgotten her password and
must reset it.
Today: Jill needs to call the helpdesk to reset her password
With FIM: Jill is able to reset her password without calling the helpdesk
Today: Company incurs a significant cost in managing credentials for 175,000 employees like Jill
With FIM: Microsoft IT maintains a centralized set of policies & common tools
Today: Company needs to maintain different tools for managing the credentials for employees and contractors
With FIM: Employees can reset their credentials directly from the Windows logon screen or through the FIM 2010 Portal
Define The Problem for MSIT
The company incurs a significant
cost in managing credentials for
employees and contractors
Resets/Year: 42,000 X $20 = $850,000
Soft costs – Melissa is unproductive for 15 minutes while waiting to get her password reset
= $600,000 per year in savings
Scenario Overview – Group Management
Melissa Meyers has now started her job as an Analyst in
the Finance department. As part of her daily
tasks she will need to join new groups as well as manage
her own project related groups.
Today: Melissa goes to the web site to use the custom group management tool
With FIM: Melissa can create/join DLs right from the FIM 2010 Portal
Today: Joining groups that need approval requires access to the custom group management tool
With FIM: Owners can approve groups via Outlook or the FIM 2010 Portal
Today: Dynamic group membership is not available to end users & requires a custom tool
With FIM: Calculated groups automatically update membership
Define the Problem for MSIT
Developing and maintaining group management tools costs
millions of dollars
Support of custom group management tools
Complexity of deployment and lack of long term vision
Lack of connectivity to group management tool results in soft
costs around user productivity
Security Group creation causes token bloat
Bolt on applications that only administrators have
access to, (ADUC) or other group management tools
Define The Problem for MSIT
Custom software maintenance
and upgrades
> $3,000,000
Estimated per year
in savings
MSIT Technical Requirements for
Password Reset
User must be able to reset their password from
Windows Logon screen or a web portal
User must be able to register for password reset in
a web portal
User must be automatically prompted to register
MSIT must be able to track and enforce registration
MSIT must be able to prevent attackers from resetting
the passwords of users
Registration data must be transported and
stored securely
MSIT Requirements for
Group Management
Replace legacy application with supported
released product – FIM 2010
Leverage new features to increase productivity
Outlook integration
Calculated Groups (manager groups)
Manageability
Non-coded business rule configuration
Approval & notification workflows
Key Challenges
6 Forests, 13 domains
Migration/co-existence with legacy applications
Complex deployment design across multiple
scenarios
Initial population of database
Driving password reset registration
First large scale deployment
Project Overview
Joint effort by product group and MSIT
Timeframe
Time         Build             Status
Jun-2008     Beta 3            Pilot
Feb-2009     RC0               DGs: 200 users, 300 groups
May-2009     IDS1              1500 users, 1500 DGs. Add Password Reset
Jul-2009     IDS1              Add Security Groups
Nov-2009     RC1 + Update 1    Live for all users
+ 6 months   RTM               150K users, 400K groups, Autogroup retired
+ 1 Year     RTM               Expand to user provisioning
Results
Over 100 P1 bugs fixed
RC1 is the result of what we learned starting to deploy on RC0
MSIT - Configuration
Data Set:
Forests: 6   Domains: 13   Accounts: 200,101 (1)   Groups: 453,568
Policy Configuration:
Sync Rules: 80   Sets: 118   Workflows: 56   MPRs: 118
Hardware:
FIM Synchronization (includes DB): 24 CPU (2), 64 GB
FIM Service DB: 24 CPU (2), 64 GB
FIM Service 1 – Admin: 8 CPU (3), 16 GB
FIM Service 2 – User: 8 CPU (3), 8 GB
(1) includes users, contractors, vendors, services, etc.
(2) (4x6) Xeon E7450 2.4 GHz, HDD 2x146 GB 10k
(3) (2x4) Xeon E5410 2.3 GHz, HDD 8x136 GB 10k
[Topology diagram – AutoGroup application: AutoGroup User connecting to the Portal; six Active Directory forests (Forest1 with Domain1–Domain8, Forest2–Forest6 with Domain1 each; DC + Exchange in each forest, DC only in Forest6); components shown: FIM 2010 (Groups) with SQL, Portal and Service, FIM Administrator, Sync Engine + SQL (with warm standby), FIM 2010 OU, ILM 2007 (Groups), ILM 2007 (Users), FIM User, HR Feed]
[Topology diagram – FIM 2010: the same six Active Directory forests (Forest1 with Domain1–Domain8, Forest2–Forest6 with Domain1 each; DC + Exchange in each forest, DC only in Forest6); components shown: FIM 2010 Portal and Service (two instances), FIM 2010 OU, FIM Administrator, SQL, Sync Engine + SQL, FIM User, ILM 2007 (Users), HR Feed]
[Topology diagram – FIM 2010 (Users & Groups): the same six Active Directory forests (Forest1 with Domain1–Domain8, Forest2–Forest6 with Domain1 each; DC + Exchange in each forest, DC only in Forest6); components shown: FIM Administrator Server, SQL, Sync Engine, Portal Server with SQL, FIM User, HR Feed]
Understanding the Design Principles
FIM reacts to events on resources you care about
First, define the resources you care about in the form of
SETS
Second, define the behaviors that map to your business
policies in the form of WORKFLOWS
Third, define the policy that will trigger permissions
and behaviors for the resources you care about in the
form of MPRs
MSIT: 136 MPRs, 118 Sets, 56 workflows, 81 Sync rules, 3 custom activities (bad name checking, alias reservation/release, group size validation, group expiration)
Sets
Sets provide a mechanism for grouping
resources you care about
i.e. Users who work in HR that are full time
employees
Sets design has profound impact on your
deployment
The number and complexity of Sets will impact
system performance
Invest in designing and testing your sets up
front
Sets Best Practices
Minimize the use of dynamic nesting (e.g. "Users in the FTE set")
If possible, duplicate set membership conditions instead of nesting sets
Example:
Set1: /Person[EmployeeType = 'FTE']
Set2: /Person[JobTitle = 'IT Pro' and ObjectID = /Set[ObjectID = 'Set1']/ComputedMember]
Replace Set2 with: /Person[JobTitle = 'IT Pro' and EmployeeType = 'FTE']
Sets Best Practices
Favor “positive” membership conditions over
“negative” conditions.
A “negative” membership condition is one of the
following (represented as xpath operators): not(), !=, <,
<=
Negative conditions are significantly more expensive to
evaluate compared to positive conditions.
Where possible, represent a negative condition as a
collection of positive conditions.
Example: the condition not(EmployeeType = 'Intern') may be replaced with EmployeeType = 'Full Time Employee' or EmployeeType = 'Contractor'.
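Added example (not from the deck or FIM itself): the two rewrites above, checked over a constructed sample of Person resources. It shows that the flattened Set2 and the nested Set2 select the same members, and that the positive rewrite of not(EmployeeType = 'Intern') is only equivalent while every EmployeeType value in the directory is enumerated; the sample data, the 'FTE' spelling and the helper names are assumptions.

```python
# Constructed sample of Person resources (hypothetical, not MSIT data).
# The deck's negative-condition example spells the type 'Full Time Employee';
# 'FTE' is used here so both examples share one data set.
PEOPLE = [
    {"DisplayName": "Alice", "EmployeeType": "FTE", "JobTitle": "IT Pro"},
    {"DisplayName": "Bob", "EmployeeType": "Contractor", "JobTitle": "IT Pro"},
    {"DisplayName": "Carol", "EmployeeType": "FTE", "JobTitle": "Analyst"},
    {"DisplayName": "Dan", "EmployeeType": "Intern", "JobTitle": "IT Pro"},
]


def members(people, predicate):
    """Sorted DisplayNames the set filter would compute (stand-in for ComputedMember)."""
    return sorted(p["DisplayName"] for p in people if predicate(p))


# Set1: /Person[EmployeeType = 'FTE']
def set1(p):
    return p["EmployeeType"] == "FTE"


# Set2, nested: /Person[JobTitle = 'IT Pro' and ObjectID = /Set[ObjectID = 'Set1']/ComputedMember]
# Evaluating it means computing Set1 first, which is the cost the deck warns about.
def set2_nested(p, people=PEOPLE):
    return p["JobTitle"] == "IT Pro" and p["DisplayName"] in members(people, set1)


# Recommended flattening: /Person[JobTitle = 'IT Pro' and EmployeeType = 'FTE']
def set2_flat(p):
    return p["JobTitle"] == "IT Pro" and p["EmployeeType"] == "FTE"


# Negative condition: not(EmployeeType = 'Intern')
def not_intern(p):
    return p["EmployeeType"] != "Intern"


# Positive rewrite: EmployeeType = 'FTE' or EmployeeType = 'Contractor'
KNOWN_NON_INTERN_TYPES = {"FTE", "Contractor"}


def not_intern_positive(p):
    return p["EmployeeType"] in KNOWN_NON_INTERN_TYPES


def rewrite_gap(people):
    """Members the negative filter includes but the positive rewrite drops.
    Empty while every EmployeeType value is enumerated; a new value such as
    'Vendor' silently falls out of the set, so re-check this after schema changes."""
    return sorted(set(members(people, not_intern)) - set(members(people, not_intern_positive)))
```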
Workflow Best Practices for FIM
Develop fault-tolerant activities
Include appropriate persistence points in your activities, to allow your activities to resume from a saved state should the FIM Service be interrupted (e.g. hardware failure)
Include fault handling logic in your custom activities if specific actions need to be taken by the activity when certain errors are encountered
Workflow Best Practices for FIM
Think re-usable
Package all authZ activities for a request in a
single workflow definition
Provides a more consistent experience
More boxes help handle workflow load
Consider dedicating a FIM server to running
workflows initiated by Sync
MPRs Best Practices
Create your MPR definitions as tight as possible to
avoid possible side effects. This includes the sets
used in the definition but also attributes to which
the MPRs apply
Collapse workflows from multiple MPRs into a
single MPR with multiple activities to maximize
performance
Use disjoint before/after sets for MPRs which you
want to fire only once on object transitioning
in/out of the sets
Use name groupings to organize the MPRs in your
system. E.g. Group mgmt: MPR1, Group
mgmt: MPR2, Group mgmt: MPR3
Sync
Initial load and full sync is expensive!
DO NOT design sync rules as you go!
Identify relationships between connected
systems early in the design process
Exercise change control over sync configuration
Changes in sync configuration will lose precious
time
Sync
Use sync rules when policy based flows are
required
Expected Rules Entries (EREs) are expensive
Disable Detected Rules Entries (DREs) if possible
Use scripted flow to maximize performance
Sync is disk IO bound for performance
Processors – Quality over Quantity
Fewer faster processors > lots of slow ones
Sync - SQL
Sync Engine database and log file are configured
on separate drives
Database file pre-grown to 20 GB (10% unrestricted
auto-growth)
Log file pre-grown to 10 GB (10% unrestricted
auto-growth)
Memory (RAM) – Bigger is better
Turn off automatic statistics updating – a full scan statistics update job is configured to run every 5 hours
Deployment
Get business process owner involved in
validation of processes they own
Leverage Sets and new MPR functionality to
phase in new configuration
Configuration Migration PowerShell cmdlets
provide a mechanism for migrating staged
configurations into production
Realize that FIM has end user facing features –
not just ITPro focused
Configuration Migration
Config migration PowerShell cmdlets now in RC1
Observe object type precedence for import:
Schema
Sync config
Data resources
Policy config
Portal config
MSIT Implementation of Password Reset
Client components deployed via System Center
Configuration Manager
Available via Windows Logon and
FIM 2010 Portal
42 customized questions (14 required)
Minimum of 14 responses required
For reset: 10 random questions from the registered answers, 6 correct to pass
Connected to multiple Forests
[Topology diagram – FIM 2010 (Password Reset): Password Reset User coming in via Windows Logon; Active Directory Forest1 (Domain1–Domain5, DC + Exchange) and Forest2 (Domain1, DC); components shown: Portal and Service, Sync Engine + SQL, SQL, ILM User, ILM Administrator, ILM 2007 (Users), HR Feed]
Best Practices for Password Reset
Plan with the existing topology in mind
Create a configuration guide specific to your
deployment
Implement a FIM lockout policy to prevent attackers from resetting users' passwords
Review deployment plans with your IT security
department
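Added example, not the deck's or FIM's own code: a model of the MSIT reset gate described above (14 answers registered, 10 questions drawn at random, 6 correct to pass) combined with the lockout policy the best practices call for. Storage as salted hashes, the answer normalisation, the lockout threshold of 3 and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import random

LOCKOUT_AFTER = 3        # assumed threshold; the deck only says "implement a lockout policy"
QUESTIONS_ASKED = 10     # questions drawn at random from the registered answers
REQUIRED_CORRECT = 6     # answers that must match to pass
MIN_REGISTERED = 14      # minimum responses at registration


def _digest(answer, salt):
    # Normalise case and whitespace so a genuine user is not failed on typing style.
    norm = " ".join(answer.casefold().split()).encode()
    return hashlib.pbkdf2_hmac("sha256", norm, salt, 10_000)


def register(answers):
    """answers: {question_id: plaintext}. Stores only salted hashes plus lockout state."""
    if len(answers) < MIN_REGISTERED:
        raise ValueError(f"at least {MIN_REGISTERED} answers required")
    profile = {"answers": {}, "failures": 0, "locked": False}
    for qid, text in answers.items():
        salt = os.urandom(16)
        profile["answers"][qid] = (salt, _digest(text, salt))
    return profile


def challenge(profile, rng=random):
    """Choose which registered questions to ask for this reset attempt."""
    return rng.sample(sorted(profile["answers"]), QUESTIONS_ASKED)


def verify(profile, responses):
    """responses: {question_id: plaintext}. True on success; failures count towards lockout."""
    if profile["locked"]:
        return False
    correct = 0
    for qid, text in responses.items():
        if qid in profile["answers"]:
            salt, stored = profile["answers"][qid]
            # Constant-time compare: a per-answer timing difference would leak which guesses hit.
            if hmac.compare_digest(_digest(text, salt), stored):
                correct += 1
    if correct >= REQUIRED_CORRECT:
        profile["failures"] = 0
        return True
    profile["failures"] += 1
    if profile["failures"] >= LOCKOUT_AFTER:
        profile["locked"] = True   # self-service reset refused until an administrator unlocks
    return False
```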
What did we Learn?
Usage patterns affect your adoption rate
Multiple machines
Locked desktops
Local admins
Deploy incrementally
FIM uses lots of different new technologies requiring expertise not typically held in one identity group
ActiveX controls work well in Microsoft-friendly environments
MSIT Implementation of
Group Management
Deployment started as a stand-alone dogfood effort
Scenario prioritization
High use scenarios – distribution lists first
Sample MSIT business rules
Alias reservation
Limit large groups (membership sizes)
OU segregation/permissions used to separate the two
distinct group management applications
Phased roll out by organizations and divisions
Training – Online, In person, FAQ
[Topology diagram – Group application: Group management User connecting to the Portal; six Active Directory forests (Forest1 with Domain1–Domain5, Forest2–Forest6 with Domain1 each; DC + Exchange in each forest, DC only in Forest6); components shown: FIM 2010 (Groups) Portal and Service with SQL, ILM User, ILM Administrator, Sync Engine + SQL (with warm standby), FIM 2010 OU, ILM 2007 (Groups), ILM 2007 (Users), HR Feed]
Best Practices
Training
Multi-master before roll out
OU segregation
Enrolling users into dogfood – data driven
Define business rules
What did we Learn?
Cross forest requires a lot of planning
Migrating from an existing app leads to
complexity
Dynamic groups are not IW focused
Need to understand the enterprise data model
New design pattern
Understand the enterprise data
End user focus requires different deployment
and communication pattern
Challenges: Reporting
Reports needed for tracking product usage
Failed password reset attempts
Successful password resets
Group updates
Group creations
Password registrations
Etc.
Solution Design: Query Requests
Request-based approach to reporting
Search Scopes used as shortcut to simple
reports
MSIT Report Examples
Name: Group creation requests from last 7 days
Filter: /Request[TargetObjectType = 'Group' and Operation = 'Create' and Creator = /Set[ObjectID = '251ec15d-60b0-4bc6-a509-8b1b37d950b4']/ComputedMember and CreatedTime > op:subtract-dayTimeDuration-from-dateTime(fn:current-dateTime(), xs:dayTimeDuration('P7D'))]
Name: Group deletion requests from last 7 days
Filter: /Request[TargetObjectType = 'Group' and Operation = 'Delete' and Creator = /Set[ObjectID = '251ec15d-60b0-4bc6-a509-8b1b37d950b4']/ComputedMember and CreatedTime > op:subtract-dayTimeDuration-from-dateTime(fn:current-dateTime(), xs:dayTimeDuration('P7D'))]
Name: Group update requests in last 7 days
Filter: /Request[TargetObjectType = 'Group' and Operation = 'Put' and Creator = /Set[ObjectID = '251ec15d-60b0-4bc6-a509-8b1b37d950b4']/ComputedMember and CreatedTime > op:subtract-dayTimeDuration-from-dateTime(fn:current-dateTime(), xs:dayTimeDuration('P7D'))]
Name: Password reset attempts in last 7 days
Filter: /Request[Creator = 'b0b36673-d43b-4cfa-a7a2-aff14fd90522' and Operation = 'Put' and TargetObjectType = 'Person' and CreatedTime > op:subtract-dayTimeDuration-from-dateTime(fn:current-dateTime(), xs:dayTimeDuration('P7D'))]
Name: Successful password resets in last 7 days
Filter: /Request[Creator = 'b0b36673-d43b-4cfa-a7a2-aff14fd90522' and Operation = 'Put' and TargetObjectType = 'Person' and RequestStatus = 'Completed' and CreatedTime > op:subtract-dayTimeDuration-from-dateTime(fn:current-dateTime(), xs:dayTimeDuration('P7D'))]
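Added example, not MSIT's or FIM's code: the five report filters above expressed as predicates over constructed Request records, so the semantics (7-day window, Creator restricted to the set's ComputedMember or to the reset service account, RequestStatus = 'Completed') can be checked offline. It goes one step past the slide by deriving the "failed password reset attempts" report the Challenges slide asks for as attempts minus successes per target. The two GUIDs are the ones on the slide; the record layout, the set membership list, the 'Failed' status value and the fixed clock are assumptions.

```python
from datetime import datetime, timedelta, timezone

GROUP_ADMIN_SET = "251ec15d-60b0-4bc6-a509-8b1b37d950b4"  # the /Set[...] in the group reports
RESET_SERVICE = "b0b36673-d43b-4cfa-a7a2-aff14fd90522"    # Creator of password reset requests
NOW = datetime(2009, 11, 20, tzinfo=timezone.utc)          # fixed clock for the sample

# Constructed sample records: (Creator, TargetObjectType, Operation, RequestStatus, CreatedTime, Target)
REQUESTS = [
    ("user-a", "Group", "Create", "Completed", NOW - timedelta(days=1), "g1"),
    ("user-b", "Group", "Create", "Completed", NOW - timedelta(days=9), "g2"),
    ("user-a", "Group", "Delete", "Completed", NOW - timedelta(days=2), "g3"),
    ("user-c", "Group", "Put", "Completed", NOW - timedelta(hours=5), "g1"),
    (RESET_SERVICE, "Person", "Put", "Completed", NOW - timedelta(days=3), "jill"),
    (RESET_SERVICE, "Person", "Put", "Failed", NOW - timedelta(days=3), "jill"),
    (RESET_SERVICE, "Person", "Put", "Failed", NOW - timedelta(hours=1), "melissa"),
    (RESET_SERVICE, "Person", "Put", "Failed", NOW - timedelta(hours=2), "melissa"),
]
SET_MEMBERS = {"user-a", "user-c"}   # constructed ComputedMember list of GROUP_ADMIN_SET


def last_7_days(created, now=NOW):
    # CreatedTime > op:subtract-dayTimeDuration-from-dateTime(fn:current-dateTime(), 'P7D')
    return created > now - timedelta(days=7)


def group_requests(operation, requests=REQUESTS, now=NOW):
    """Group Create/Delete/Put requests raised by members of the set in the last 7 days."""
    return [r for r in requests if r[1] == "Group" and r[2] == operation
            and r[0] in SET_MEMBERS and last_7_days(r[4], now)]


def reset_attempts(requests=REQUESTS, now=NOW, only_completed=False):
    """Password reset requests in the last 7 days; only_completed gives the successes report."""
    return [r for r in requests if r[0] == RESET_SERVICE and r[2] == "Put"
            and r[1] == "Person" and last_7_days(r[4], now)
            and (not only_completed or r[3] == "Completed")]


def failed_resets_per_target(requests=REQUESTS, now=NOW):
    """Attempts that did not complete, counted per target account: the
    'failed password reset attempts' report, and the number a lockout policy watches."""
    counts = {}
    for r in reset_attempts(requests, now):
        if r[3] != "Completed":
            counts[r[5]] = counts.get(r[5], 0) + 1
    return counts
```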
Other FIM Scenarios in MSIT
Full smart card and software certificate
management migration away from custom
developed tools
MSIT Future Scenarios
Replace ILM 2007 user provisioning
Replacing other custom tools
Multi factor password reset
Resources
www.microsoft.com/teched
www.microsoft.com/learning
Sessions On-Demand & Community
Microsoft Certification & Training Resources
http://microsoft.com/technet
http://microsoft.com/msdn
Resources for IT Professionals
Resources for Developers
www.microsoft.com/learning
Microsoft Certification and Training Resources
Identity Management Community
Blogs
Joe’s Identity Management Extensibility
http://blogs.msdn.com/imex
Nima’s blog http://blogs.technet.com/doittoit/
Brjann’s Identity Management
http://blogs.technet.com/identitymanagement/
TechNet Forum
http://social.technet.microsoft.com/Forums/enUS/identitylifecyclemanager/threads
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should
not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS,
IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.