FIM Best Practices - Architecting Identity Solutions that really work!
Carol Wapshere, MVP
Identity Management Specialist
Unify Solutions
SIM322
In 1844 Charles Sturt led an expedition through central Australia. He took a boat…
Bad information
Unrealistic expectations
Photo: National Museum of Australia
IAM projects can be very difficult…
Existing data
Existing processes
Photo: wallwin.ca
Session Agenda
What FIM does
Project planning
Design
Data
Implementation
ROI and Demo
What Forefront Identity Manager 2010 R2 Does
FIM 2010 R2 Components
Synchronization Service: connects matched objects in directories and applications for provisioning and attribute updates.
Password Sync: updates the password of joined user accounts following an AD password change.
Portal and Service: SharePoint-based Portal for user administration, self-service and workflow.
Self-Service Password Reset: secret question password reset – GINA and Portal.
Role Management: BHOLD RBAC System. Role modelling, role assignment, compliance, reporting.
Reporting: audit and reporting using System Center Data Warehouse and SQL Reporting Services.
Certificate Manager: request and renew certificates.
Planning
Who’s driving?
Stakeholders?
Deadlines?
Other projects depending on this?
Photo: Microsoft ClipArt
Understand the environment
Get account policies in writing
Talk to the people who really know
Data analysis
Picture: “The Friend of Australia”, Thomas J Maslen, 1827
Get the requirements
Essential vs Desirable
Focus on outcomes, not current processes
Get specifics
Don’t try to do everything at once
Photo: Carol Wapshere
Impact on project as requirements increase
Chart: days of Development, Implementation and Negotiation, and Testing, plus Risk, each plotted against the number of requirements (Reqs).
Design
Task automation
Photo: ACT Government
Some tasks must still be done by hand
Photo: Carol Wapshere
FIM is a State-Based System
What is the current state of the object?
What is the future state of the object?
We don’t care about how or who.
Extending
Extensible components: Sync Service, Custom WF, Web Services
Use OOB before extending
Use only supported methods
Photo: Carol Wapshere
Data
Unique identifiers
Validated source data
Consistent formatting
Free text avoided
Minimise double-entry
The Sync Engine runs best on Clean Data
Picture: Library of Virginia, JA Bonsack patented cigarette rolling machine
Find the Source
Per object type or object sub-category:
One Object source,
One Attribute source for each attribute.
Make sure everyone understands where the sources are!
Photo: findaspring.com
Clean up existing accounts
Account identification
Remove old accounts
Move unmanaged accounts out of scope
Photo: Microsoft ClipArt
Get a full production data set for Dev and Test
Rules must be able to deal with real, not idealised, data
Joins and data cleaning analysis
Identify exceptions
Understand scale
Photo: gking.harvard.edu
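An added example (not from the talk or from Unify Solutions) of the join and data-cleaning analysis the slides call for, applied to constructed HR and AD records; it also shows the state-based idea from the earlier "FIM is a State-Based System" slide by computing desired versus current attribute values. Field names and the attribute precedence are assumptions.

```python
from collections import defaultdict

# Constructed sample data (not real records): HR is the object source, AD holds existing accounts.
HR = [
    {"employeeID": "E100", "displayName": "Ann Lee", "department": "Finance"},
    {"employeeID": " e101", "displayName": "Bob Roy", "department": "IT"},      # untrimmed, lower case
    {"employeeID": "E102", "displayName": "Cy Dao", "department": "HR"},
    {"employeeID": "E102", "displayName": "Cy Dao (dup)", "department": "HR"},  # duplicate key
]
AD = [
    {"sAMAccountName": "alee", "employeeID": "E100", "department": "Fin"},
    {"sAMAccountName": "broy", "employeeID": "E101", "department": "IT"},
    {"sAMAccountName": "svc_backup", "employeeID": "", "department": ""},       # no HR record
]

# One attribute source per attribute (assumed precedence): HR owns person data, AD the account name.
PRECEDENCE = {"department": "HR", "displayName": "HR", "sAMAccountName": "AD"}

def normalize_key(value):
    """Consistent formatting of the join key: trim whitespace, upper-case."""
    return (value or "").strip().upper()

def index_by_key(records):
    """Group records by normalized employeeID so ambiguous joins show up."""
    idx = defaultdict(list)
    for rec in records:
        key = normalize_key(rec.get("employeeID"))
        if key:
            idx[key].append(rec)
    return idx

def analyze_join(hr, ad):
    """Classify objects: joined, ambiguous (duplicate key), HR-only, AD-only."""
    hr_idx, ad_idx = index_by_key(hr), index_by_key(ad)
    result = {"joined": [], "ambiguous": [], "hr_only": [], "ad_only": []}
    for key, hr_recs in hr_idx.items():
        if len(hr_recs) > 1 or len(ad_idx.get(key, [])) > 1:
            result["ambiguous"].append(key)   # an exception to resolve by hand
        elif key in ad_idx:
            result["joined"].append(key)
        else:
            result["hr_only"].append(key)     # would need provisioning
    # Accounts with no HR match are unmanaged: candidates to remove or move out of scope.
    result["ad_only"] = [r["sAMAccountName"] for r in ad
                         if normalize_key(r.get("employeeID")) not in hr_idx]
    return result

def pending_changes(hr_rec, ad_rec):
    """State-based: desired state from precedence minus current AD state."""
    desired = {a: (hr_rec if s == "HR" else ad_rec).get(a) for a, s in PRECEDENCE.items()}
    return {a: v for a, v in desired.items() if ad_rec.get(a) != v}
```

Run against a full production export rather than a sample so the ambiguous and unmatched buckets reflect real scale.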
Implementation
Expect teething problems
Production data and practices may bring surprises
People suddenly remember vital requirements
Confusion about what can be changed where
On-going Administration
It’s not a “set and forget” system
Data errors and duplicates will happen
Business rules will change
Return on Investment
Scenario
HR/AD/FIM Portal Sync already in place.
Cloud-based subscriber solution “ProjectSTAR” to be adopted for all project management tasks.
Two-tiered subscription: Project Manager: $250 pcm; Project Resource: $25 pcm.
Account management options: manually create cloud account with separate password, and manually assign license type; or federated access with automatic license assignment.
Diagram: FIM Sync with connected systems AD, HR, FIM Portal, ADFS and ProjectSTAR (CSV); Portal attributes: Identifier, Is Authenticated, Application Role.
Demo
Using FIM to integrate a cloud application
ROI realised on this integration…
We already know who our users are – so we can tell the application provider straight away. Rapid deployment!
Manage licensing through an internal Portal. Control costs! No new interface to learn!
Ensure Federation tokens contain correct information. Meet security and compliance requirements!
Allow self-service and delegated approval. Minimises admin tasks for the IT department!
Architect a Great IAM Solution with FIM 2010 R2
Understand the environment
Develop for automation
Be realistic
Picture: murrayriver.com.au
Related Content
SIM423 FIM Best Practices – Technical Deep Dive
Exam 70-158 Forefront Identity Manager 2010, Configuring
Contact Me Later By…
Email: [email protected]
http://www.wapshere.com/missmiis
Twitter: @miss_miis
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.