Technical Overview of Microsoft Forefront Identity Manager 2010 R2
Brjann Brekkan, Technical Product Manager
Mark Wahl, Architect
Microsoft Corporation
Session SIM332 (ID: 287886)

Objective
Explain how FIM 2010 and FIM 2010 R2 fit into your infrastructure and what they can do to put you in control of identities across different directories and applications.
Introduction to new FIM 2010 R2 features
Agenda
Identity Management product roadmap and scenarios
Forefront Identity Manager 2010 R2 features and architecture
Q&A
Evolution of Identity Manager (diagram, flattened)
Earlier capabilities: Identity Synchronization; User Provisioning; Certificate and Smartcard Management
FIM 2010: Office Integration for Self-Service; Declarative Provisioning; Group & DL Management; Workflow and Policy; Support for 3rd Party CAs
Feature areas: User Management; Group Management; Credential Management; Policy Management
Common Platform: Workflow; Connectors; Logging; Web Service API; Synchronization
Identity Management: Promise and Journey

Empowers People
Greater productivity through faster time to resolution
Provides Office-based self-service tools
Delivers SharePoint-based consoles for information workers to manage identities, access and credentials

Delivers Agility and Efficiency
Reduces costs through automation and self-service
Maximizes investments in existing identity infrastructure
Integrates with familiar developer tools to enable new scenarios

Helps Improve Productivity and Compliance
Integrates identity, credential, and access management
Rich access, permissions and delegation model
Enables system auditing and compliance
Forefront Identity Manager - Key Feature Areas

Credential Management
Heterogeneous certificate management with 3rd party CAs
Management of AD credentials
Self-service password reset integrated with Windows logon

Group Management
Rich Office-based self-service group management tools
Offline approvals through Office
Automated group and distribution list updates

User Management
Integrated provisioning of identities, credentials, and resources
Automated, declarative user provisioning and de-provisioning
Self-service profile management

Policy Management
SharePoint-based console for policy authoring, enforcement & auditing
Extensible WS-* APIs and Windows Workflow Foundation workflows
Heterogeneous identity synchronization and consistency
The Solutions: Align Experiences

The Information Worker Lens
Join groups from within Outlook
Reset password from within Windows login

The Developer Lens
Custom workflows built in Visual Studio
Identity-aware custom apps

The IT Pro Lens
Build scripts using PowerShell

Demo: Information Worker
Request management demo
Evolution of Identity Manager, with FIM 2010 R2 (diagram, flattened)
Earlier capabilities: Identity Synchronization; User Provisioning; Certificate and Smartcard Management
FIM 2010: Office Integration for Self-Service; Declarative Provisioning; Group & DL Management; Workflow and Policy; Support for 3rd Party CAs
R2: Web based password reset; Reporting; Simplified deployment and troubleshooting; Enhanced performance; Enhanced MA connectivity; Added language support
Feature areas: User Management; Group Management; Credential Management; Policy Management
Common Platform: Workflow; Connectors; Logging; Web Service API; Synchronization
Credential Management
Adds web-based password reset
Supports password reset and registration from intranet or extranet via a web browser
No ActiveX control would be required for browser-based reset
Support for non-domain joined machines
Simplify deployment and management experiences for password reset
FIM Password Reset Components: Illustrative Topology (diagram, flattened)
Internet side: End User with a Browser, reaching the corporate network through a Reverse Proxy and Firewall
Corporate Network: IIS hosting the FIM Password Registration Portal and the FIM Password Reset Portal; FIM Service; Active Directory; FIM Sync Service; SharePoint hosting the FIM Portal
Windows Client (End User) with the FIM Password Reset Extensions
FIM Admin using Internet Explorer
Demo: Web based password reset
Reporting
Add historical reporting for FIM-managed objects
Includes frequently-requested reports, e.g.:
Group membership changes over time
Request history
Person and group change history
Report data store is extensible
Can be extended to store history of custom FIM Service objects and attributes
Enable customers and ISVs to build custom reports
Integrates with System Center Service Manager, leveraging its data warehouse
How to Answer these Questions (matrix: State vs. Events, Current vs. Historic)

Current State
Who is in group A?
What groups does a particular person belong to?
Who is person Y's manager?

Current Events
Who joined group A today?
What groups had new members today?
How many new people joined the company today?

Historic Events
Who joined group A on May 1st, 2010?
How did a group's membership change over time?
Who approved a group join?
How did a set filter definition change over time?

Historic State
What groups did person A have access to on November 4th, 2009?
What was a group's membership last July?

Data sources named on the slide: FIM Portal and Reporting; FIM reporting; FIM requests via portal; FIM database via portal
Out of Box Reports

Report Class: Membership Change Reports
Defined Over: Group Membership (SG + DG); Set Membership
Description: Contains membership changes, who approved them, and the associated request which generated the change.

Report Class: Object History Reports
Defined Over: Users; Groups; Sets; Requests; Policy Rules
Description: Contains changes to key attributes over time.
Example Membership Change Report: Group Membership Change

Report fields
User Information: User Display Name, User Account Name, User Object ID, User Domain
Group Information: Group Display Name, Group Account Name, Group Domain, Group Type, Group Owner
Request Information: Request Originator, Request Approver, Policy Rule that Triggered the Request, Request ID

Sample rows
Account Name | Operation Type | Committed Time | Group Name | Request Originator | Request Approver | Request ID | MPR that Triggered the Request
cwilcox | Join Group | 1/7/2011 14:27:02 | Finance | FIM Service | | {43edf…} | All accountants have access to financial data
kimaber | Join Group | 1/3/2011 16:12:25 | Sales | kimaber | dparker | {81e2b…} |
cwilcox | Leave Group | 1/1/2011 08:58:02 | Marketing | samanthas | | |

Annotations
Samantha removes Colin from the Marketing group
Kim requests to join the Sales group, Darren approves the request
Colin changes roles and is added, automatically, to the Finance group
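The "How to Answer these Questions" matrix and the membership change report above together make one point: current state can be read straight from the FIM database, but historic questions (who was in a group last July, who approved a join) need an event store that is replayed. The following Python is an added example, not code from the presentation or from FIM, showing how a membership change report of the shape on the slide answers those historic questions. The three 2011 rows are modelled on the slide's sample; the 2010 Marketing join, the `{constructed-*}` request IDs, and all function names are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional


@dataclass(frozen=True)
class MembershipEvent:
    """One row of a membership change report (account, operation, time, group, request data)."""
    account: str
    operation: str              # "Join Group" or "Leave Group"
    committed: datetime
    group: str
    originator: str
    approver: Optional[str]     # None when nobody approved (e.g. policy-driven join)
    request_id: str
    policy_rule: Optional[str]  # MPR that triggered the request, if policy-driven


# Constructed sample events (not real report data). The 2011 rows mirror the slide;
# the 2010 Marketing join is invented so the later "Leave Group" has a state to undo.
EVENTS = [
    MembershipEvent("cwilcox", "Join Group", datetime(2010, 6, 14, 9, 5, 0), "Marketing",
                    "samanthas", None, "{constructed-0}", None),
    MembershipEvent("cwilcox", "Leave Group", datetime(2011, 1, 1, 8, 58, 2), "Marketing",
                    "samanthas", None, "{constructed-1}", None),
    MembershipEvent("kimaber", "Join Group", datetime(2011, 1, 3, 16, 12, 25), "Sales",
                    "kimaber", "dparker", "{81e2b…}", None),
    MembershipEvent("cwilcox", "Join Group", datetime(2011, 1, 7, 14, 27, 2), "Finance",
                    "FIM Service", None, "{43edf…}",
                    "All accountants have access to financial data"),
]


def _replay(events, upto):
    """Replay join/leave events in commit order up to and including `upto`.
    Returns {group: set(accounts)}; an unknown operation is a data-quality error."""
    state = {}
    for ev in sorted(events, key=lambda e: e.committed):
        if ev.committed > upto:
            break
        members = state.setdefault(ev.group, set())
        if ev.operation == "Join Group":
            members.add(ev.account)
        elif ev.operation == "Leave Group":
            members.discard(ev.account)
        else:
            raise ValueError(f"unknown operation {ev.operation!r} in request {ev.request_id}")
    return state


def members_as_of(events, group, when):
    """Historic state: who was in `group` at ISO timestamp `when`?"""
    return frozenset(_replay(events, datetime.fromisoformat(when)).get(group, set()))


def groups_of_as_of(events, account, when):
    """Historic state: which groups did `account` belong to at ISO timestamp `when`?"""
    state = _replay(events, datetime.fromisoformat(when))
    return frozenset(g for g, members in state.items() if account in members)


def joins_on(events, group, day):
    """Historic event: who joined `group` on ISO date `day`? (commit order)"""
    d = date.fromisoformat(day)
    return [ev.account for ev in sorted(events, key=lambda e: e.committed)
            if ev.group == group and ev.operation == "Join Group" and ev.committed.date() == d]


def join_approval(events, request_id):
    """Historic event: who approved a join? Returns (approver, policy_rule); a
    policy-driven join has no approver but names the MPR that triggered it."""
    for ev in events:
        if ev.request_id == request_id:
            return ev.approver, ev.policy_rule
    raise KeyError(request_id)


def membership_timeline(events, group):
    """How did a group's membership change over time? One (time, members) pair per change."""
    timeline, current = [], set()
    for ev in sorted(events, key=lambda e: e.committed):
        if ev.group != group:
            continue
        if ev.operation == "Join Group":
            current.add(ev.account)
        elif ev.operation == "Leave Group":
            current.discard(ev.account)
        timeline.append((ev.committed.isoformat(sep=" "), frozenset(current)))
    return timeline


if __name__ == "__main__":
    print("Marketing on 2010-12-31:", sorted(members_as_of(EVENTS, "Marketing", "2010-12-31T23:59:59")))
    print("cwilcox groups on 2011-01-31:", sorted(groups_of_as_of(EVENTS, "cwilcox", "2011-01-31T00:00:00")))
    print("Joined Sales on 2011-01-03:", joins_on(EVENTS, "Sales", "2011-01-03"))
    print("Approval of {81e2b…}:", join_approval(EVENTS, "{81e2b…}"))
```

The replay is inclusive of the timestamp queried, so a row committed at exactly the requested instant counts as already applied; a current-state query against the live database would give the same answer only for "now", which is why the slide sends every historic question to the reporting store rather than the portal.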
Example History Report: User History

User Name | User ID | Operation | Attribute | Value | Requestor | Committed Time | Request
Colin Wilcox | {732d2…} | Remove | User | | FIM Service | 2/13/2011 01:22:00 | {532aa…}
Colin Wilcox | {732d2…} | Remove | Display Name | Colin Wilcox | FIM Service | 2/13/2011 01:22:00 | {532aa…}
Colin Wilcox | {732d2…} | Remove | First Name | Colin | FIM Service | 2/13/2011 01:22:00 | {532aa…}
Colin Wilcox | {732d2…} | Remove | Last Name | Wilcox | FIM Service | 2/13/2011 01:22:00 | {532aa…}
Colin Wilcox | {732d2…} | Add | Manager | gfort | Garth Fort | 9/22/2006 08:55:28 | {8457b…}
Colin Wilcox | {732d2…} | Remove | Manager | samanthas | Garth Fort | 9/22/2006 08:55:28 | {8457b…}
Colin Wilcox | {732d2…} | Add | Employee Type | FTE | Garth Fort | 9/22/2006 08:55:28 | {8457b…}
Colin Wilcox | {732d2…} | Remove | Employee Type | Contractor | Garth Fort | 9/22/2006 08:55:28 | {8457b…}
Colin Wilcox | {732d2…} | Add | Manager | samanthas | FIM Service | 5/2/2002 08:32:11 | {126da…}
Colin Wilcox | {732d2…} | Add | Employee Type | Contractor | FIM Service | 5/2/2002 08:32:11 | {126da…}
Colin Wilcox | {732d2…} | Add | Display Name | Colin Wilcox | FIM Service | 5/2/2002 08:32:11 | {126da…}
Colin Wilcox | {732d2…} | Add | User | | FIM Service | 5/2/2002 08:32:11 | {126da…}

Annotations
Colin is created in FIM in 2002 via a sync through HR; Samantha Smith is his first manager
In 2006, Colin becomes a full-time employee and, as a result, gets a new manager, Garth
In 2011, Colin leaves the company and is removed from FIM
Reporting Architecture (diagram, flattened)
FIM Service and FIM Service DB: binding objects (<DWBind>, <obj1>, <obj2>, <obj3>, ...) persisted in FIM
FIM Reporting Administration
Management Packs: Schema Binding; Fact/Dimension Definition; Class/Relationship Definition; Report Definition
System Center Data Warehouse: Staging; Repository; Data Mart
Data flows: Import Report; Initial Sync; Incremental Sync
SSRS and SSRS Web Service; SCSM Console
Report Log (Row 1, Row 2, Row 3, ...)
Extensibility
Fully extensible Data Warehouse
Extensible dimensional based schema
ETL process is further extensible via custom transforms
Custom report authoring via SSRS
Support for "Favorite reports"
Dynamic interface for flowing new data from FIM into the Data Warehouse
Bindings between FIM and DW, persisted in FIM objects
Automatic, scheduled data flow
Demo: Reporting
New Extensible MA Framework
Enable extensible Management Agents to support:
Batched call-based import
Batched call-based export
Programmatic schema, partition, and hierarchy discovery
Password management behaving as other methods
Custom anchors and additional DN styles
Support custom parameters
Full Export run step
.NET 4 support
New SAP, Oracle ERP, and Lotus Notes MAs for FIM 2010 R2 developed on top of the new API
Performance Improvements
Improve performance for initial load of customer data from connected system to FIM Service
Improve performance for bulk addition (e.g., of a new division) from connected system to an existing FIM deployment
Provide FIM Service database tuning guidance and enhancements
Ease of Use Improvements
Best Practices Analyzer (BPA)
Reduce overall TCO (and support calls) with a FIM deployment validation tool
Identifies possible issues in FIM setup relating to performance, security, configuration
Improvements for troubleshooting
Enhanced diagnostics and error messages in FIM Portal and web services
Additions to IT Pro documentation for top problem areas
Improvements in the setup process
Easier configuration of scenarios such as password reset
Reduced initial load time
Platform Investments
FIM Add-in supports Outlook 2010 for group management and approvals
Add support for 32-bit and 64-bit Outlook 2010
Add-in localized to 33 languages
FIM Portal supports SharePoint 2010
Support for installing FIM portal on the newest version of SharePoint Foundation
Seamless installation experience
Continued support for WSS 3 (SharePoint 2007)
Same UI experience on both platforms
Q&A
Related Content
SIM205 Identity and Access and the Cloud Better Together (Monday)
SIM315 Optimizing FIM (Thursday)
SIM358 Preparing Identities for the Cloud with FIM (Tuesday)
SIM379-INT Self-service Password Reset (Wednesday)
SIM375-INT Chalk Talk with the Product Team (Tuesday)
SIM395-HOL FIM Overview
SIM399-HOL Managing Claims AuthN using FIM 2010
Forefront Identity Manager demos in the exhibition hall
Track Resources
Don't forget to visit the Cloud Power area within the TLC (Blue Section) to see product demos and speak with experts about the Server & Cloud Platform solutions that help drive your business forward.
You can also find the latest information about our products at the following links:
Windows Azure - http://www.microsoft.com/windowsazure/
Microsoft System Center - http://www.microsoft.com/systemcenter/
Microsoft Forefront - http://www.microsoft.com/forefront/
Windows Server - http://www.microsoft.com/windowsserver/
Cloud Power - http://www.microsoft.com/cloud/
Private Cloud - http://www.microsoft.com/privatecloud/
Resources
Connect. Share. Discuss. - http://northamerica.msteched.com
Sessions On-Demand & Community - www.microsoft.com/teched
Learning: Microsoft Certification & Training Resources - www.microsoft.com/learning
Resources for IT Professionals - http://microsoft.com/technet
Resources for Developers - http://microsoft.com/msdn
Complete an evaluation on CommNet and enter to win!
© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
FIM 2010 R2 Enhancements

Credential Management
Web based password reset

Reporting
Historical reporting for managed resources
Service Manager data warehouse integration

Ease of Use
Enhanced diagnostics
Enhanced initial load performance
Simplified deployment for password reset

Additional Support
Improved & added Management Agents for Oracle ERP, SAP, and Lotus Domino
Add language support for: Russian, Norwegian (Bokmal), Swedish, Finnish, Brazilian Portuguese, Polish, Korean, Danish, Turkish, and Czech
ILM "2" Principles

Align Experiences
Put the right tools in the right hands
Deliver a great experience for developers, information workers, and IT pros

Extensible Platform
Build an extensible platform for present and future IdM solutions
Takes full advantage of state of the art technologies such as Web Services standards, federation, strong auth, and workflow

Integrated Policy Management
Provide a tightly integrated solution for policy management
Solve the spectrum of identity challenges with unified concepts and architecture

Enhance Existing Investment
Enhance existing IT investments
"Light up" Office, Windows, and System Center, and provide synergistic enhancements to other connected systems
FIM 2010 Features

User Management
User profile management
Synchronizes identity data

Access Management
Automated policy based provisioning and de-provisioning across heterogeneous environments
Office-based self-service group and request management capabilities
Automated group and distribution list updates

Credential Management
Single administration point for certificates and smart cards
Management of credentials issued from AD CS and 3rd party CAs
Self-service password reset at Windows logon

Policy Management
Identity management policy authoring, enforcement & auditing
Open WS-* protocols and APIs