Business Ready Security pillars: Secure Messaging • Secure Collaboration • Information Protection • Identity and Access Management • Secure Endpoint

Forefront Identity Manager ‘architecture’: agenda
• Provisioning
• Deprovisioning
• Synchronization
• Building blocks for policy management
• Self-Service Group Management
• Self-Service Password Management
• Certificate and Smart Card Management
• Self-Service Profile Management

Forefront Identity Manager 2010: capabilities
• User Management, Credential Management, Identity Synchronization, User Provisioning, Certificate and Smartcard Management
• Common Platform: Workflow, Connectors, Logging, Web Service API, Synchronization
• Group Management, Policy Management, Office Integration for Self-Service, Declarative Provisioning, Group & DL Management, Workflow and Policy, Support for 3rd Party CAs

Forefront Identity Manager 2010 Architecture
• Solutions: Group Mgmt, User Mgmt, Credential Mgmt, Policy Mgmt, Custom
• FIM Client Experiences: Outlook, FIM Portal, Windows, Custom, FIM CM Portal
• IDM Platform: FIM Service (Request Processor, Delegation & Permissions, AuthN Workflow, AuthZ Workflow, Action Workflow, FIM Service DB), FIM Sync (FIM Sync DB), FIM CM (FIM CM DB)
• Management Agents connect the platform to the identity and data stores: Directories, Applications, Databases, E-Mail Systems

Provisioning
• Policy-based identity lifecycle management system
• Built-in workflow for identity management
• Automatically synchronize all user information to different directories across the enterprise
• Automates the process of on-boarding users
Diagram: HR System → FIM (Workflow: User Enrollment, Manager Approval) → Active Directory, Lotus Domino, LDAP, SQL Server, Oracle DB, FIM CM → User provisioned
“With Forefront Identity Manager, we are able to streamline tactical processes, while at the same time provide strategic business value through a cohesive identity and access management solution.” Scott Weir, IT Manager–Desktop Architecture, First American Title Insurance Company. Source: http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?casestudyid=4000006604/

Deprovisioning
• Automated user de-provisioning
• Built-in workflow for identity management
• Real-time de-provisioning from all systems to prevent unauthorized access and information leakage
Diagram: HR System (User de-provisioned or Role change) → FIM Workflow → Active Directory, Lotus Domino, LDAP, SQL Server, Oracle DB, FIM CM → User deleted / User disabled

Identity Data Aggregation: Attribute Ownership
Authoritative source per attribute: HR System owns FirstName, LastName, EmployeeID; SQL Server DB owns Title; Active Directory/Exchange owns E-Mail; LDAP owns Telephone.
Values as held in each connected source (columns: givenName, sn, title, mail, employeeID, telephone):
  HR System                  Samantha  Dearing   -            -                  007  -
  SQL Server DB              Samara    Darling   Coordinator  -                  007  -
  Active Directory/Exchange  Sam       Dearing   Intern       [email protected]  007  -
  LDAP                       Sammy     Dearling  -            -                  -    555-0129

Identity Data Brokering (Convergence)
Identity Manager (metaverse) result after applying attribute ownership: Samantha Dearing, Coordinator, [email protected], 007, 555-0129
Diagram: HR (connected data source) ↔ HR MA ↔ connector space ↔ Metaverse (person / employee) ↔ connector space ↔ AD MA ↔ AD (connected data source); FIM MA ↔ connector space ↔ FIM Service and Portal (user; Synchronization Rules: Join, Provision, Attribute Flow). All of this runs in the FIM Synchronization Service.

Building blocks for policy management
• Sets
• Workflows
• Management Policy Rules
Evaluated by the FIM Service: Request Processor, Delegation & Permissions, AuthN Workflow, AuthZ Workflow, Action Workflow, FIM Service DB

Sets
• Identify different groupings of objects (resources) in the FIM Service database
• Permissions may be granted on and to Sets
• Also used in Policy Enforcement
Membership
• Manual (strictly by set administrators)
• Criteria
Examples
• All People, All Active People, Administrators (manual), Help Desk Users
• All Groups, Security Groups, Distribution Groups
• Password Reset Users Set, Password Objects Set
• Managers in Sales dept, Clerks, Clerks in Denver, All in Building 4

Request processing: WS Request → Permissions Evaluation → Authentication (AuthN) → Authorization (AuthZ) → FIM Service Database

Workflow Types
Authentication (AuthN)
• Purpose: to ensure that the user is who they say they are
• Example: Password Reset
Authorization (AuthZ)
• Purpose: to allow for more sophisticated validation of the request beyond simple permissions to make a request
• Example: allowing users to request and update attributes, subject to a filter validation looking for profanity, followed by an approval email to HR or the user’s manager or both
Action
• Purpose: to allow FIM to take actions after the request has been performed
• Examples: call Synchronization rules; send Notification Emails; modify resources; Password Self-Service Reset calls the Synchronization Service to reset the AD password in real time

Management Policy Rules
Set Transition
• Defines an event: when a resource either enters or exits the Set
• Defines how to respond to the event: initiate Action WFs
• Causes Workflows to be activated, even when not initiated by a request (Run on Policy Update)
• Perform an Action
Request Based
• Can Grant Permissions
• Cause Workflows to be activated
• Authenticate the Requestor
• Seek Authorization
• Perform an Action
Policies can be disabled until ready for use.

Putting the building blocks together (Management Policy Rules, Workflow, Outbound Sync Rule)
• Create a contractors set
• Create Workflow for manager approval
• Create MPR

Self-Service Group Management
• Group and distribution list management, including dynamic membership calculation in these groups and distribution lists based on user’s attributes
• Self-service group and distribution list management
• Office integration allows users to manage group membership from within Microsoft Office Outlook® for maximum productivity
Tools: FIM Add-in for Outlook; SharePoint-Based Management Console

Self-Service Password Management
• Enables users to reset their own passwords through both Windows logon and FIM password reset portal
• Controls helpdesk costs by enabling end users to manage certain parts of their own identities
Diagram: End User requests password reset → Reset Password → FIM Server → Passwords updated in Active Directory, Oracle, SQL Server, IBM DS, LDAP

Identity and Access Management solution overview (diagram labels): Partner and Cloud Services (WS-* and SAML Claims) ↔ AD FS 2.0; Self Service and Workflow → FIM; HR System, Role, Client List, Other user Data stores, SQL Server, AD DS (Phone, Title, Department, Manager, Group); Windows Integrated/Kerberos/ADFS → Claims-Aware Applications, Exchange GAL & DL, SharePoint Profiles and Access, SAP and other apps

Related sessions
SIA201 | Understanding Claims-Based Applications: An Overview of Active Directory Federation Services (AD FS) 2.0 and Windows Identity Foundation
SIA302 | Identity and Access Management: Centralizing Application Authorization Using Active Directory Federation Services 2.0
SIA303 | Identity and Access Management: Windows Identity Foundation and Windows Azure
SIA304 | Identity and Access Management: Windows Identity Foundation Overview
SIA305 | Top 5 Security and Privacy Challenges in Identity Infrastructures and How to Overcome Them with U-Prove
SIA306 | Night of the Living Directory: Understanding the Windows Server 2008 R2 Active Directory Recycle Bin
SIA307 | Identity and Access Management: Deploying Microsoft Forefront Identity Manager 2010 Certificate Management for Microsoft IT
SIA318 | Microsoft Forefront Identity Manager 2010: Deploying FIM
SIA319 | Microsoft Forefront Identity Manager 2010: In Production
SIA326 | Identity and Access Management: Single Sign-on Across Organizations and the Cloud - Active Directory Federation Services 2.0 Architecture Drilldown
SIA327 | Identity and Access Management: Managing Active Directory Using Microsoft Forefront Identity Manager
SIA01-INT | Identity and Access Management: Best Practices for Deploying and Managing Active Directory Federation Services (AD-FS) 2.0
SIA03-INT | Identity and Access Management: Best Practices for Deploying and Managing Microsoft Forefront Identity Manager
SIA06-INT | Identity and Access Management Solution Demos
SIA02-HOL | Microsoft Forefront Identity Manager 2010 Overview
SIA06-HOL | Identity and Access Management Solution: Business Ready Security with Microsoft Forefront and Active Directory
Red SIA-5 & SIA-6 | Microsoft Forefront Identity and Access Management Solution

Resources
www.microsoft.com/teched
www.microsoft.com/learning
http://microsoft.com/technet
http://microsoft.com/msdn
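The attribute ownership and convergence slides above describe how the synchronization service joins each connected source's record to one metaverse person and lets the authoritative source win per attribute. The following is an added illustration written for this page, not FIM code; it generalizes the slide to a ranked precedence list with fallbacks, and every record, source name (HR, SQL, AD, LDAP, Oracle), e-mail address and ranking is constructed.

```python
# Added example, not FIM code: join + ranked attribute precedence, modelled on
# the metaverse slides. All records, source names and rankings are constructed.
from typing import Dict, List, Tuple
Record = Dict[str, str]

# Constructed connector-space records, one per connected data source; the
# conflicting spellings mirror the "Identity Data Aggregation" slide.
CONNECTOR_SPACES: Dict[str, Record] = {
    "HR":     {"givenName": "Samantha", "sn": "Dearing", "employeeID": "007"},
    "SQL":    {"givenName": "Samara", "sn": "Darling", "title": "Coordinator",
               "employeeID": "007"},
    "AD":     {"givenName": "Sam", "sn": "Dearing", "title": "Intern",
               "mail": "samantha.dearing@example.com", "employeeID": "007"},
    "LDAP":   {"givenName": "Sammy", "sn": "Dearling", "telephone": "555-0129",
               "employeeID": "007"},
    "Oracle": {"givenName": "Samuel", "sn": "Dearing", "employeeID": "008"},
}

# Attribute ownership as ranked precedence: the first listed source holding a
# value wins; later sources are fallbacks only.
PRECEDENCE: Dict[str, List[str]] = {
    "givenName":  ["HR", "AD", "SQL", "LDAP"],
    "sn":         ["HR", "AD", "SQL", "LDAP"],
    "employeeID": ["HR"],
    "title":      ["SQL", "AD"],
    "mail":       ["AD"],
    "telephone":  ["LDAP"],
}

def join(spaces: Dict[str, Record], employee_id: str) -> Tuple[Dict[str, Record], List[str]]:
    """Join rule: an object joins the metaverse person whose employeeID it
    carries; anything else stays a disconnector and never contributes."""
    joined = {src: rec for src, rec in spaces.items()
              if rec.get("employeeID") == employee_id}
    disconnectors = sorted(src for src in spaces if src not in joined)
    return joined, disconnectors

def converge(joined: Dict[str, Record], precedence: Dict[str, List[str]]) -> Record:
    """Attribute flow with precedence: build the brokered metaverse object."""
    metaverse: Record = {}
    for attr, ranked in precedence.items():
        for src in ranked:
            value = joined.get(src, {}).get(attr)
            if value:  # first non-empty authoritative value wins
                metaverse[attr] = value
                break
    return metaverse

def broker(spaces: Dict[str, Record], employee_id: str) -> Record:
    """Full sync for one person: join the connector spaces, then converge."""
    return converge(join(spaces, employee_id)[0], PRECEDENCE)
```

The disconnector check matters for the deprovisioning story as well: a record that does not join (the constructed Oracle entry with a different employeeID) can neither overwrite the authoritative values nor keep an account alive in the metaverse.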