Introduction to Identity Management and Forefront Identity Manager 2010 R2 SP1

This article provides you with a foundation on which to understand the importance of identity management and begins to introduce you to FIM 2010 R2 SP1.

Even in 2013, many organizations continue to struggle with ongoing identity management needs. If you’re unfamiliar with the term, identity management in the world of IT refers to the “management of individual identities, their authentication, authorization, roles, and privileges within or across system and enterprise boundaries with the goal of increasing security and productivity while decreasing cost, downtime, and repetitive tasks.” In layman’s terms, identity management is the overarching process by which organizations answer the following questions:

• Who? Who is allowed to access particularly systems or services in the organization?
• What? What level of access is allowed to individual systems and services?
• How? By what methods is a user allowed to access these systems and services?

For many, identity management simply boils down to user account creation and password management. While this is one element of identity management, these are important aspects of the service. However, a comprehensive identity management solution should be able to do much more, including:

• Automatic creation of a user’s Active Directory account based on information gleaned from a database considered an authoritative source. In many cases, this is the human resources or payroll database.
• Automatic creation of a user’s Exchange or Office 365 mailbox.
• Automatic creation of a user’s home directory on a file server.
• Automatic inclusion of a user’s account in any security groups that are appropriate for his job. Again, whether or not access to a particular group is appropriate would be dictated by information in the authoritative source database.
• Self-service management of a user’s password. A user should be able to reset his password on demand and be provided with a mechanism by which to reset his password in the event that it is forgotten.

Note that everything in the list above implies that IT takes a mostly hands off stance with regard to ongoing identity management. Since this activity can fully consume people, particularly in organizations that see a lot of turnover, automation and self-services shifts the burden of the process away from personnel and turns it in just another IT service. Personally, I see identity management in many organizations as “low hanging fruit” that can save IT a lot of time and help the department focus more on bottom line-driven needs.

Moreover, robust identity management provides organizations with an additional layer of security. For example, IT may not be informed right away that a high level person has been fired, but you can bet that payroll has been notified. A rule could be created to deactivate an account when payroll performs a termination action in their system. This can help the organization ensure that only those that are authorized have access to the system.

Identity management can also become a compliance issue, particularly if it’s done poorly.

There are many, many ways to attack the identity management gorilla, but I’ll be focused in this series on Microsoft Forefront Identity Manager 2010 R2 SP1. With this product, administrators overseeing Microsoft-centric environments can automate and distribute significant identity and rights-related tasks. With FIM, for example, an administrator can automate the provisioning of an Active Directory account and distribute to an administrative assistant the ability to manage the permissions in distribution and security groups in that person’s division.

That’s another way by which IT can return to the users some carefully controlled keys to the kingdom, thus further reducing IT’s need to be involved in every account-related activity in the organization. With a fully realized identity management solution, IT’s involvement moves to one of oversight and exception handling only. IT still retains responsibility for the automated systems, but is able to easily delegate some of the operational tasks.

Before I jump into Forefront, it’s important that you understand some prerequisites that must be in place before you jump into identity management in your organization:

• You must have a rock solid understanding of the workflow that is involved in creating accounts in your organization, right down to the field level. You can’t automate what you don’t understand.
• You must understand what triggers various activities in the identity lifecycle. For example, what action initiates the creation of a new credential in a particular system? What actions deactivate a particular access level or credential?
• You must have a complete systems inventory and an understanding of the authentication mechanisms for each.
• Your “authoritative systems” must be clean. For example, if you intend to use the Human Resources system as the source repository for employee identity, you must ensure that the data in the system is valid and complete. For example, are you capturing the name of a new employee’s manager? If not, you’re eliminating FIM’s ability to automatically email new user credentials to an new hire’s supervisor.

Once you understand your organization’s existing landscape, you can start doing some terraforming with Forefront Identity Manager.

Feature set

Forefront Identity Manager 2010 R2 brings to IT a host of features that can ease the identity management burden. I won’t say that getting to a fully realized identity management system is an easy undertaking; it isn’t. However, once an organization commits to and see it through, the product feature show a clear benefit.

Self-service portal

An identity management system isn’t complete unless a user can perform some self-service functions on his own. Again, this helps IT focus on what’s important rather than on the mundane. FIM 2010 R2 brings such a portal, which is based on SharePoint. Included in the portal is the ability to:

• Manage personal information.
• Manage group memberships.
• Manage password, including self-service password reset.

FIM’s self-service password reset capability is quite good. It works by requiring that a user first register with the password reset service. Just like you do with your bank, you’re asked a series of personal questions and your answers are stored in a database. If you happen to forget your password, you can browse to a web site to reset it or, if you’re not able to log in to your machine, you can take advantage of FIM’s ability to integrate with the Windows login screen, as shown below. When you click the Reset Password link, you’re provided just enough of a computing environment to reset your password after which you can log in as normal.

Figure 1: FIM integrates with the Windows login screen

Some help desks spend more than ½ of their time managing user password issues. What if that particular class of call went away or, at the very least, was reduced to a trickle? That can mean vast savings for the IT department and the ability to redirect staff resources at higher priority projects.

With FIM, you can grant users as many or as few of the rights that I’ve described above using FIM’s built in capability to granularly manage roles and role assignments.

Codeless user management

For relatively straightforward deployments, FIM 2010 includes the ability to prevision and deprovision users without having to write a bunch of code. Of course, this isn’t supported in every scenario, but is supported for such items as Active Directory and can make the product a bit easier to deploy.

Ongoing data synchronization

Organizations are not static creations. They change every day. People change, departments change and even whole companies change. With FIM, if you make a change to authoritative data, you can configure the product to automatically reflect that change across all systems. For example, if you change the name of a department, any users in that department can have their Active Directory accounts updated to reflect the change.

Workflow

While automation is wonderful, sometimes a human has to be involved for approvals. For example, if a user makes an attempt to use the self-service portal to change their nickname, HR can create a policy that forbids that change without HR’s approval.

Summary

This article provided you with a foundation on which to understand the importance of identity management and began to introduce you to FIM 2010 R2 SP1. In the next part of this series, we will continue exploring the product.

+++++++++++++++++++++

(Part 2)

+++++++++++++++++++++

In this part of this series, I will introduce to you Microsoft’s answer to identity management.

Introduction

When we last met, we had just wrapped up a 1,300 word discussion regarding the importance of identity management in the enterprise and outlined some of its benefits. We also discussed some foundational items you need to consider before embarking on an identity management journey in your organization. In this part of this series, I will introduce to you Microsoft’s answer to identity management. Entitled Forefront Identity Manager 2010 R2, Microsoft’s product provides organizations with a comprehensive set of identity management features.

Buying FIM 2010 R2

Before we jump into the product feature set, let’s take a look at how it’s licensed. As is usually the case with Microsoft products, licensing for FIM 2010 R2 is messy and complex.

Servers

First of all, for each server to which you deploy a FIM component, you must buy a server license to run the software.

Database

FIM requires a SQL Server database to operate. Frankly, I’m stunned that Microsoft doesn’t grant a runtime instance of SQL for FIM, but according to the full licensing document, FIM implementers must also buy a SQL Server license.

Users

For each user that you manage through FIM, you need a Windows Server Client Access License (CAL). If you’re a Microsoft shop, you probably already have these licenses.

Additionally, for each user that you manage through FIM, you need a FIM CAL is required. Administrators that manage users through FIM also require a CAL.

If you have external users that you need to include in your FIM environment, you also need an external connectorlicense as well as a CAL for each external user.

Reporting

FIM 2010 R2 leverages the reporting functionality from System Center Service Manager. With the purchase of FIM, you are granted an SCSM license designed strictly to enable reporting.

FIM 2010 R2 components

In small environments, you might deploy most of the FIM environment to a single server, but as the environment grows, you will probably find it easier to deploy FIM to multiple servers. This allows you to more easily grow those aspects of the environment that experience the most usage. The table below describes FIM’s major components.

Component	Description
FIM Synchronization Service	The synchronization service is one of FIM’s core services. It handles “metaverse”-wide synchronization of identities between data sources. This service creates and maintains identities in other systems.
FIM Service	The FIM service is a web service component that provides connecting functionality behind the scenes in FIM.
FIM Portal	The FIM portal is a user and administrator-facing component that exposes much of FIM’s functionality to users, including password reset capability, group management tasks, and administrative options. The portal runs on SharePoint.
FIM Certificate Management	The certificate management component is generally used in conjunction with smart cards and isn’t deeply integrated into the rest of the suite. Many FIM deployments don’t even include this component.
FIM Reporting	FIM leverages System Center Service Manager’s reporting engine. Reporting in FIM is handled through this special SCSM service. Users of FIM are granted a runtime license for SCSM’s reporting component to enable this functionality.
FIM Password Registration Portal	One of FIM’s best features is the ability to provide users with the ability to establish security questions and answers that they can use to reset their passwords on their own in the event that they’re forgotten.
FIM Password Reset Portal	Once a user establishes security questions, if he forgets his password, he can visit the password reset portal and reset it without having to contact the IT help desk. In R2, the password reset portal is fully web based, so it can be used across any platform. There are no longer any ActiveX controls. The password reset tool can also integrate with the Windows login screen so that users can reset their passwords even if they’re unable to log in to their PCs.
SQL (FIM service database database)	The FIM database stores all of the information for the environment and is used for certain transformations that take place.
BHOLD	BHOLD is a relatively new addition to FIM that enables organizations to delegate role management to users. This can further streamline the identity management experience in the organization.
FIM Outlook Client	A number of FIM actions require authorization through built-in workflows. Through the FIM Outlook client add-in, users and administrators can approve or deny actions right from Outlook without having to open a separate application.

Table 1

In this article series, you will learn about the identity management and password reset parts of FIM, but I will not be discussing certificate management.

Some additional terminology

As you may have guessed, FIM is a relatively complex software platform and there is a lot of supporting knowledge that goes into deploying the product. As such, there is quite a bit of terminology that’s important to understand.

• Metaverse. According to Microsoft, the metaverse is “…a set of tables in the SQL Server database that contains the combined identity information for a person or resource. Management agents update and modify the metaverse from multiple connected data sources, and in turn, management agents use the data in the metaverse to update and modify the connected data sources. The metaverse contains its own schema, which defines which object types and attributes the metaverse can contain.” In other words, the metaverse is the universe in which the various FIM objects reside.
• Connector space. This is an area where objects are written before being synchronized with the metaverse or a connected data source.
• Connector. In FIM, a connector is an object is the connector space that is connected to an object in the metaverse.
• Explicit Connector. A specialized type of connector that can only be created manually and that remains connected even when filters are in place.
• Management agent. In FIM, a management agent is responsible for connectivity to a specific data source.

Data source options

FIM can connect to a variety of data source data. The list below described which data sources Microsoft Forefront Identity Manager (FIM) 2010 R2 supports:

• Active Directory Domain Services 2000, 2003, 2003 R2, 2008

• Active Directory Lightweight Directory Services (ADLDS)

• Active Directory global address list (GAL) 

• Attribute-value pair text files 

• FIM Certificate Management

• Delimited text files 

• Directory Services Markup Language (DSML) 2.0 

• Microsoft Exchange Server 2007 and 2010 (use the management agent for Active Directory)

• Microsoft SQL Server 2000, SQL Server 2005, SQL Server 2008

• Fixed-width text files 

• IBM DB2 Universal Database 9.1 or 9.5

• IBM Directory Server 6.0 or 6.2

• LDAP Data Interchange Format (LDIF) 

• Lotus Notes release 6.5 or 7.0

• Novell eDirectory 8.7.3 or 8.8

• Oracle10g Database 

• AP R/3 Enterprise (4.7), mySAP 2004 (ECC 5.0)

• Sun ONE and Netscape Directory Server 5.1 and 5.2

• SAP HCM
• Oracle eBusiness Suite
• Oracle PeopleSoft

There are also some additional management agents available for certain online services, such as Office 365. Using these data sources, you can manage identities across just about any system.

High level deployment overview

Bearing in mind that I won’t be covering the certificate management parts of FIM in this series, it’s possible to deploy FIM in a number of different scenarios. Here are some things to keep in mind:

• Most roles can coexist on a single server. This is generally suitable only in very small or lab environments.
• The SCSM data warehouse service must run separately from the other services.
• For scalability, administrators often place each role on a separate server. In the world of virtualization, this is a pretty easy feat to accomplish and provides the opportunity to granularly scale components as needed.
• A best practice is to install the FIM portal and the FIM service together.

On the issue of scale, not all FIM services can load balance or use multiple servers. Only a single server of the role type is supported.

Summary

With more foundational elements in place, in the next part of this series, we’ll walk through the beginnings of a FIM deployment.