Identity management is the bane of many an IT administrator’s existence. Employees come and go. Workers from partner companies require access to the network in a time-limited but secure way. Users forget their passwords and lose their smartcards. And new services come online all the time. It’s a wonder anyone can get anything done.
There have been tools available for a while that purport to manage the total life cycle of user identity — from hiring and first authorization to use of new applications until suspension, termination or separation — all from one system. Microsoft’s entry into this market, Forefront Identity Manager 2010, shows itself as a capable product with a few drawbacks.
Forefront Identity Manager 2010, or FIM, relies on a couple of features to differentiate itself from competitors: It gives users the ability to perform a variety of tasks themselves via self-service Web portals, and it’s compatible with existing Web standards, enabling it to work with just about any other system.
Users can, for example, change their passwords on a variety of systems through native Windows tools like the log-on prompt. They can also manage group memberships easily through an intranet-based website that supports restricted group memberships and the approval workflows required.
Behind the scenes, FIM takes care of managing security-sensitive properties such as certificates and smartcards, along with their security life cycles and compliance requirements, while wrapping it all up in a nice bow with a good, logically arranged administrative user interface.
For example, a new-hire rule will create a user account and place him or her into appropriate groups based on date of hire, job position, work location and other factors. The same rule will query and direct the payroll system, via Web services, to add the requisite user information and will interface with the building security system to add the user’s smartcard certificate to allow access to the building. Finally, the rule will generate a message to human resources to create a new-hire packet and send it to the new user.
Policies within FIM can dictate the actions that happen when any of these events — or any other event that you define — occur.
These policies that you define are kicked off and then subsequently managed by the Windows Workflow Foundation, or WF (part of the .Net Framework 3.5). WF provides a powerful base for all sorts of interesting and complex workflows, with nesting, conditions and multiple branches. If your group has already invested in creating rules via WF, you can very simply import them into FIM and use and further customize them from within FIM, saving you from reinvesting the time necessary to create the workflows again in a different tool. If you have a proficient developer staff, you can also create workflows in Visual Studio and export them for use within FIM.
FIM’s predecessor, Microsoft Identity Lifecycle Manager 2007, did a pretty good job of handling such synchronization among Microsoft products. FIM 2010 goes a step further and helps make sure that systems like Novell eDirectory, Sun Directory Server, Lotus Notes, SQL Server, Oracle, Exchange, Active Directory, SAP and any other database or flat-file systems are updated via policies and workflows.
FIM’s core, a synchronization service, manages the data coming into and out of FIM and handles communicating with the target systems — and in most cases it does so using standards or direct API support for each system. In other words, no messy agents need to run on most of these systems.
What’s nice about this level of integration and synchronization is that changes made not only in FIM but in other systems individually are automatically replicated back to all other systems of which FIM is aware. So if you change a password directly in Active Directory, FIM will pick that up very soon afterward — the precise amount of time is a function of link speeds, the systems involved and other factors, but we’re talking a matter of minutes — and distribute that information to, say, SAP. Likewise, if you remove a user from your business intelligence system, you can configure FIM so that when it detects that a user has been deleted, it will then remove the user from all of the other appropriate systems at the time of the next synchronization.
This way, all of the places where identities live (and die) are kept up to date and fresh.
All of these synchronization actions can be gated via the workflow system so that administrators or other designated personnel have to approve changes before they are propagated throughout your organization — most helpful for creating and deleting users, but also helpful for other changes, depending on the sensitivity of the systems in your network.
Alongside the synchronization service, FIM excels at managing smartcards and certificates and at enhancing and automating the user-provisioning process. FIM can handle the creation and expiration of user certificates stored both on a system and on a physical smartcard, and it takes care of the provisioning and decommissioning of these credentials. Since FIM rides on top of Windows’ Active Directory Certificate Services, your administrators’ expertise and familiarity with standard features of Windows Server will pay off here as well.
For distribution group management, users can even subscribe to or unsubscribe from groups from within their Outlook mail client, right where they’re most likely to receive the mail they want to opt out of. Given that commonly cited statistics put the cost of help-desk assistance at many tens of dollars to more than $100 per call, empowering your end users to do things themselves only helps.
Additionally, FIM lets users reset their passwords from GINA — the traditional Windows log-on screen. This process is gated by a challenge/response-type authentication mechanism: users answer security questions they registered in advance, which adds some tightness to the password-reset process.
At the lowest levels of compliance with those terms, you need a server license for each server on which FIM components are installed, which gives you the right to use the FIM server software; a client access license (CAL) for each user for whom the software issues or manages identity information; and a CAL for each administrator using FIM’s management capabilities. Not easy on the budget.
A more minor drawback is that the product is not well documented — outside of the in-product help, there isn’t a lot of support material on the Microsoft website. There is a big FIM user community, however, and it isn’t hard to find consultants with deployment and implementation expertise.