Forefront Identity Manager 2010 implementation in "Goce Delcev" University – Stip

Goce Bogatinov, Chief IT Administrator, University Goce Delcev - Stip, [email protected]

Jordan Tikvesanski, IT System Administrator, University Goce Delcev - Stip, [email protected]

Uploaded by masit-macedonia, posted 30-Oct-2014


DESCRIPTION

Presentation held by Mr. Goce Bogatinov and Mr. Jordan Tikvesanski as part of the "Cooperation between academia and ICT businesses" session at the 8th SEEITA and 7th MASIT Open Days Conference, 14th-15th October 2010.

TRANSCRIPT

Page 1: Forefront Identity Manager

Forefront Identity Manager 2010 implementation in "Goce Delcev" University – Stip

Goce Bogatinov, Chief IT Administrator, University "Goce Delcev" - Stip, [email protected]

Jordan Tikvesanski, IT System Administrator, University "Goce Delcev" - Stip, [email protected]

Page 2: Partners

Page 3: Contents

• Presentation of the University "Goce Delchev" – Stip and its information system

• The role of Microsoft Consulting Services and how they were involved in delivering the solution

• The part played by Intec Systems and Gemalto in delivering the solution

• Experiences and recommendations

Page 4: General information

• Established in 2007

• Elected rector: Prof. Dr. Sasa Mitrev

• More than 13,000 students and 500 employees at the moment

• 1,200 PCs and up to 50 servers

• 10 campuses located in different cities

• 10 campuses in Stip

Page 5: Infrastructure

(Map) Internet links with VPN tunnels to Stip

Page 6: Infrastructure in Stip

(Map legend) Optical links; optical links under construction; wireless links

Page 7: User profiles

• Students

  • Undergraduate

  • Master studies

  • PhD studies

• Employees

  • Administration

  • Teachers (associates, visiting…)

  • Student services

  • Other personnel

• IT staff

  • Administrators

  • Technical staff

  • Help desk

Page 8: Student services

• Mail

  • Microsoft Live@EDU

• Learning gateway

  • Moodle

• Student files

  • Microsoft Dynamics CRM

• Video conferencing

  • Polycom

• Wireless internet access

  • Cisco, Microsoft NAP

Page 9: Employee services

• Mail

  • Microsoft Exchange 2010

• Telephony

  • Cisco UCM, Cisco IP Phones

  • Microsoft Exchange 2010 UM

• IM, A/V conferencing, desktop sharing

  • Microsoft Office Communicator

• Document management

  • Xerox DocuShare

• Wireless internet access

  • Cisco, Microsoft NAP

Page 10: Challenges

• Unique user name and password for all

• Time and attendance tracking system

• Two-factor authentication

• Student/employee ID card

Page 11: Implementation stages

ENVISION

• Specifying and clarifying what is necessary for the project implementation

• Establishing the foundation of the team and the core of the project cycle

PLAN

• Collecting as much information as possible

• Developing the conceptual solution into a specific design and plan

BUILD

• Building the solution in a test environment and documenting it

• Testing all aspects of the solution

STABILIZE

• Improving the quality of the solution until it meets the criteria for release into production

• Verifying the functionality and usability of the solution from the business and user perspective

DEPLOY

• Setting up in the production environment

• Transition of the system into operational use

Page 12: Envision

ENVISION PLAN BUILD STABILISE DEPLOY

Demands

• High level of automation, ease of use, high level of availability

IT infrastructure

• Technology from various vendors

• Windows Server 2008

• AD DS

• MS SQL 2008

• MS Exchange 2010

• MS SCCM 2007

• AD Certificate Services

• VMware virtualization technology

Administration and maintenance

• Small team and helpdesk, no defined user roles, large number of critical systems, large number of helpdesk requests.

Page 13: Plan

• 40% of the time spent on this stage

• Functional specs (What are we going to build?)

• Conceptual design (How will we build it?)

• Timeline of activities (When will we build it?)

• Are we ready to build?

Page 14: Build

• Building the system in the test environment

• Implementing the planned functionality

• Testing, testing, testing

Page 15: Stabilise

• The process of bringing the solution to an acceptable level of quality and functionality, carried out by testing and correcting the system

• Implementing the solution in the production environment

• Testing all aspects of the solution with an isolated group of users – pilot users

Page 16: Deploy

• Large overlap with the activities performed in the stabilisation phase

• Preparing the physical infrastructure through GPO, distributing the necessary client agents, installing enrollment kiosks…

• Operating and maintaining the system

Page 17: PKI solution components

PKI based on Windows Server 2008 R2

• 1 offline root CA

• 2 enterprise issuing CAs

• CRL and AIA published via AD DS and IIS 7.0

Certificate templates

• Vraboten Standard (Vraboten = employee)

• Vraboten Encryption

• Student Standard

Use of certificates

• Authentication (domain logon, application logon, Wi-Fi access)

• E-mail signing

• Disk and data encryption
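With a two-tier hierarchy like the one above, the failure practitioners hit most often is not the root key but its CRL: the offline root's CRL has to be re-published to AD DS and IIS before its NextUpdate passes, or every chain below it stops validating. The following PowerShell script is an added example, not code from the presentation or from the university; it checks from a domain-joined client that the CDP and AIA URLs embedded in issued certificates are reachable and that CryptoAPI can complete an online revocation check for the whole chain. The issuer name `CN=UGD Issuing CA*` is a hypothetical stand-in for the two enterprise issuing CAs.

```powershell
# Added example, not from the presentation: check from a domain-joined client
# that the CRL and AIA locations named in issued certificates are reachable and
# that CryptoAPI can complete an online revocation check for the whole chain.
# Assumes Windows PowerShell 5.1. 'CN=UGD Issuing CA*' is a hypothetical issuer
# name standing in for the two enterprise issuing CAs.

function Get-CertPublicationUrl {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # 2.5.29.31 = CRL Distribution Points (CDP), 1.3.6.1.5.5.7.1.1 = Authority
    # Information Access (AIA). Format($true) renders both through CryptoAPI as
    # text containing "URL=..." entries, which avoids walking the ASN.1 by hand.
    foreach ($oid in '2.5.29.31', '1.3.6.1.5.5.7.1.1') {
        $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $oid }
        if (-not $ext) { continue }
        $type = if ($oid -eq '2.5.29.31') { 'CDP' } else { 'AIA' }
        foreach ($m in [regex]::Matches($ext.Format($true), 'URL=(http[^\s,]+)')) {
            [pscustomobject]@{ Type = $type; Url = $m.Groups[1].Value }
        }
    }
}

function Test-CertPublication {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # 1. Fetch every HTTP publication point the way a client would. LDAP
    #    locations in AD DS are left to CryptoAPI in step 2.
    $endpoints = foreach ($p in Get-CertPublicationUrl -Certificate $Certificate) {
        try {
            $r = Invoke-WebRequest -Uri $p.Url -UseBasicParsing -TimeoutSec 15 -ErrorAction Stop
            [pscustomobject]@{ Type = $p.Type; Url = $p.Url; Reachable = $true;  Bytes = $r.RawContentLength }
        } catch {
            [pscustomobject]@{ Type = $p.Type; Url = $p.Url; Reachable = $false; Bytes = 0 }
        }
    }
    # 2. Build the chain with online revocation checking for every certificate
    #    in it. RevocationStatusUnknown or OfflineRevocation in the status means
    #    a CRL could not be obtained or is past its NextUpdate, which is the
    #    classic outage when an offline root's CRL is not re-published in time.
    #    CryptoAPI consults its local CRL cache first; run
    #    'certutil -urlcache crl delete' beforehand to force a fresh download.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
    $valid = $chain.Build($Certificate)
    [pscustomobject]@{
        Subject     = $Certificate.Subject
        Thumbprint  = $Certificate.Thumbprint
        ChainValid  = $valid
        ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Endpoints   = $endpoints
    }
}

# Run against the user's own certificates issued by the issuing CAs (smart card
# certificates are propagated into this store when the card is inserted).
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Issuer -like 'CN=UGD Issuing CA*' } |
    ForEach-Object { Test-CertPublication -Certificate $_ } |
    Format-List
```

Run it on a client that reaches the IIS publication site through the same path students and staff use (Wi-Fi, VPN tunnel from a remote campus); a CDP that is reachable only from the server VLAN is the second most common reason chains fail at domain logon. A `ChainStatus` of `NotTimeValid` on an intermediate points at the issuing CA certificate itself rather than at a CRL.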

Page 18: FIM 2010 CM (CLM) solution components

• FIM CM application: NLB cluster of FIM 2010 CM servers

• MS SQL 2008 failover cluster as the back-end DB

• FIM 2010 client component

• Self-service user portal

• Administration and configuration portal

• FIM CM SQL API for interaction with other systems

• Profile templates for students and employees

• Smart card middleware and enrolment

• Smart card printing

Page 19: Smart cards

• Gemalto hybrid smart card: .NET + EM4100 contactless chip

• .NET framework on the smart card

• Easy integration in a Microsoft environment

• Microsoft Base Smart Card CSP support

• Preferred card management system: Microsoft CMS / FIM 2010

• .NET SDK integration with Microsoft Visual Studio

Page 20: Smart card architecture

Microsoft Crypto Next Generation architecture (top to bottom):

• Microsoft Smart Card Enabled Applications

• Microsoft Base Smart Card CSP

• Smart Card Vendor Mini Driver

• MS Smart Card Resource Manager

• PC/SC

Gemalto .NET crypto architecture (top to bottom):

• Microsoft Smart Card Enabled Applications

• Microsoft Base Smart Card CSP

• .NET Minidriver DLL: an add-on to the MS Base CSP which redirects requests to the Gemalto .NET card module

• MS Smart Card Resource Manager

• PC/SC

Gemalto .NET implementation on WSCF
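The stack above only works if the Smart Card Resource Manager can map the card's ATR to the vendor minidriver that the Base CSP loads, and on 64-bit clients that mapping has to exist twice, once for 64-bit processes and once under WOW6432Node for 32-bit ones (the mixed x86 and 64-bit client estate mentioned under Experiences below is exactly where this bites). The following PowerShell script is an added example, not code from the presentation or from Gemalto; it reads the documented `Calais\SmartCards` registration of every card on the machine, reports the ATR, CSP, KSP and minidriver DLL, and flags entries whose DLL is missing or not validly signed, or which are registered for only one architecture. Assumes Windows PowerShell 5.1 on a 64-bit client.

```powershell
# Added example, not from the presentation: audit which smart cards the Base
# CSP/KSP can handle on this machine (ATR -> vendor minidriver mapping) and
# flag broken registrations. Assumes Windows PowerShell 5.1 on 64-bit Windows;
# the registry layout is the documented Calais\SmartCards structure used by the
# Smart Card Resource Manager.

function Get-SmartCardMinidriver {
    $roots = @(
        @{ Arch = 'x64'; Path = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards' },
        @{ Arch = 'x86'; Path = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Calais\SmartCards' }
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root.Path)) { continue }
        foreach ($key in Get-ChildItem $root.Path) {
            $p = Get-ItemProperty $key.PSPath
            # The card is matched by ATR & ATRMask; value '80000001' names the
            # minidriver DLL the Base CSP loads for it.
            $dll = $p.'80000001'
            $atr = if ($p.ATR) { ($p.ATR | ForEach-Object { $_.ToString('X2') }) -join '' } else { '' }
            $resolved = $null; $signed = $null
            if ($dll) {
                # A bare file name resolves to System32 for 64-bit processes and
                # to SysWOW64 for 32-bit ones.
                $dir = if ($root.Arch -eq 'x64') { "$env:windir\System32" } else { "$env:windir\SysWOW64" }
                $resolved = if ([IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path $dir $dll }
                if (Test-Path $resolved) {
                    $signed = (Get-AuthenticodeSignature $resolved).Status -eq 'Valid'
                }
            }
            [pscustomobject]@{
                Arch       = $root.Arch
                Card       = $key.PSChildName
                ATR        = $atr
                CSP        = $p.'Crypto Provider'
                KSP        = $p.'Smart Card Key Storage Provider'
                Minidriver = $dll
                DllPresent = [bool]($resolved -and (Test-Path $resolved))
                DllSigned  = $signed
            }
        }
    }
}

$all = Get-SmartCardMinidriver

# Cards whose minidriver cannot be loaded at all: DLL missing or unsigned.
$all | Where-Object { -not $_.DllPresent -or $_.DllSigned -eq $false } | Format-Table -AutoSize

# Cards registered for one architecture only. '<=' means 64-bit only (32-bit
# applications such as an older IE or Office will not see the card),
# '=>' means WOW6432Node only (64-bit logon/Winlogon will not see it).
$x64 = @(($all | Where-Object Arch -eq 'x64').Card)
$x86 = @(($all | Where-Object Arch -eq 'x86').Card)
Compare-Object -ReferenceObject $x64 -DifferenceObject $x86 | Format-Table -AutoSize
```

`certutil -scinfo` gives the same picture for the card currently inserted; the registry view is useful because it covers every card type a client has ever been prepared for, which is what you want to compare against the GPO or SCCM package that distributed the middleware.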

Page 21: Experiences

• Complex system of permissions and role separation

• Profile templates and certificate templates: crucial during later operation

• Investment in compatible components

• Condition of the existing infrastructure

• Mixed use of x86 and 64-bit clients

• The client works through Internet Explorer 6.0 or later

Page 22: Recommendations

• The complexity of the system requires thorough planning

• Use a virtual environment

• Document every step in the development and implementation of the system

• Test the entire system after each change

• Use separate user accounts for each user role, even when the same person holds several roles

• In a system with more than 10,000 users there are no "minor" changes
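The "separate account per role" recommendation, together with the "complex system of permissions and role separation" noted under Experiences, is easy to state and easy to erode as helpdesk staff get added to one more group. The following PowerShell script is an added example, not code from the presentation or from the university; it resolves the recursive membership of the privileged role groups and lists every account that holds more than one role, which is the condition the recommendation is meant to prevent. It assumes the ActiveDirectory module from RSAT, and the group names in `$roleGroups` are hypothetical placeholders for the real CA and FIM CM role groups (FIM CM itself grants rights through permissions on profile templates and AD objects, so group membership is the proxy, not the whole model).

```powershell
# Added example, not from the presentation: find accounts that hold more than
# one privileged PKI / FIM CM role, i.e. violations of "one account per role".
# Assumes the ActiveDirectory module (RSAT). Group names are hypothetical
# placeholders; substitute the groups that actually carry the CA and FIM CM
# permissions in your forest.

Import-Module ActiveDirectory

$roleGroups = @{
    'CA Administrators'    = 'UGD-PKI-CA-Admins'
    'Certificate Managers' = 'UGD-PKI-Cert-Managers'
    'FIM CM Helpdesk'      = 'UGD-FIMCM-Helpdesk'
    'Enrollment Agents'    = 'UGD-FIMCM-Enrollment-Agents'
}

function Get-RoleOverlap {
    param([hashtable]$Groups = $roleGroups)

    # sAMAccountName -> list of roles the account ends up in
    $membership = @{}
    foreach ($role in $Groups.Keys) {
        # -Recursive expands nested groups, so indirect membership counts too;
        # only user objects are kept (nested groups and computers are skipped).
        $members = Get-ADGroupMember -Identity $Groups[$role] -Recursive |
                   Where-Object objectClass -eq 'user'
        foreach ($m in $members) {
            if (-not $membership.ContainsKey($m.SamAccountName)) {
                $membership[$m.SamAccountName] = @()
            }
            $membership[$m.SamAccountName] += $role
        }
    }

    # Report only accounts with two or more roles; the fix is a second,
    # role-specific account for the same person, not removal from the group.
    foreach ($sam in $membership.Keys) {
        if ($membership[$sam].Count -gt 1) {
            [pscustomobject]@{
                Account = $sam
                Roles   = ($membership[$sam] | Sort-Object) -join ', '
            }
        }
    }
}

Get-RoleOverlap | Sort-Object Account | Format-Table -AutoSize
```

Run it on a schedule and diff the output against the previous run: in a system of this size a new overlap is usually a helpdesk convenience grant, and catching it the day it happens is what keeps the CA administrator and certificate manager roles actually separate.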

Page 23: Q&A

Page 24: Thanks for the attention