Identity Management, Self Service and Orchestration in the Data Centre Jean-Pierre Simonis (Data # 3) Bruce Smith (Data # 3) MDC324A

Upload: jonas-holmes

Post on 11-Jan-2016


TRANSCRIPT

Page 1: Identity Management, Self Service and Orchestration in the Data Centre (MDC324A). Jean-Pierre Simonis (Data#3), Bruce Smith (Data#3)

Page 2: Overview

Page 3: Overview

Identity Management
• What is it?
• Who manages it?
• Why do we need it?
• What tools can we use?
• Integration between FIM, Orchestrator and Service Manager

Self-Service and Orchestration
• Common Scenarios and Benefits
• Cloud integration

Questions

Page 4: Identity Management

Page 5: What is it?

Page 6: What is it?

An identity is a summary of information about a person, group or resource about which we wish to store data.

Example: Identity, of type Person
• First Name
• Last Name
• Display Name
• Account Name
• Email Address
• Phone Number
• Address
• Password

Page 7: What is it?

Identity management is a set of technologies intended to streamline the management of user identity information both inside and outside the enterprise, including:
• Directories
• User provisioning
• Password management
• Federation
• Enterprise single sign-on
• Web access management and web single sign-on

Page 8: What is it?

Identity and access management is a shared platform with consistent processes for managing information about users:
• Who are they?
• How are they authenticated?
• What can they access?

Page 9: Typical state of identity management today

Lots of manual process across different, decentralised systems.

(Diagram: separate systems, each administered on its own. Systems: Cloud (Postini, Workday, etc), Active Directory, Exchange, HR (PeopleSoft, SAP), Financials, SharePoint, Sales. Actors: Application Owner, Business Manager, Users, IT Helpdesk, Administrators.)

Page 10: Multiple identity stores

Modern organisations run a complex mix of IT infrastructure, including:
• Network operating systems, used to share files and printers.
• Application servers, running web servers, databases and similar software.
• Mainframe and midrange servers, typically hosting legacy applications.
• Email and other collaboration software.
• User directories, publishing lists of users and other network objects.
• Human resources, payroll and contractor management systems.
• A variety of line-of-business applications.
• Customer relationship management (CRM) and enterprise resource planning (ERP) applications.
• Cloud applications.

Page 11: Different user types

Many kinds of users access these systems, including:
• Employees
• Contractors
• Partners
• Vendors
• Customers

Page 12: Future state, centralised identity management

Locate the logic in one place and automate it with many systems.

• Self Service Group Management
• Self Service Password Reset
• Improved Productivity
• Workflow
• Notifications
• Approvals
• Attestation and Reporting
• Automated Provisioning
• Automated De-provisioning
• Account, Group and Mailbox Management

(Diagram: a central Identity Management system connected to HR (PeopleSoft, SAP, Workday), Cloud (Office365, Salesforce, ADP…), Active Directory, Exchange, and on-premise databases, directories and applications. Actors: Administrators, Application Owners & Managers, Users.)

Page 13: Who manages it?

Page 14: Who manages it?

As organisations deploy an ever wider array of IT infrastructure, managing users' identity profiles and their security privileges on those systems becomes increasingly challenging.

(Diagram: Identity Lifecycle as a cycle of Onboard, Manage, Support, Offboard.)

Page 15: Who manages it?

(Diagram: the Identity Lifecycle cycle of Onboard, Manage, Support, Offboard, surrounded by the parties involved.)

• Human Resources
• IT Operations
• Managers
• Security Operations
• End Users

Page 16: Why do we need it?

Page 17: Common Challenges

Onboarding
• Delays and productivity
• Requests and approvals
• Redundant administration

Manage
• Delays
• Change requests
• Redundant administration

Support
• Forgotten passwords
• Intruder lockouts
• Access denied errors

Offboarding
• Reliable
• Complete
• Timely

Page 18: Why do we need it?

Benefits
• Consolidation of identity data from different sources
• Reduce IT operations overhead
• Improve user productivity
• Improved network security and compliance
• Improved authorisation and approval
• Attestation and reporting

Page 19: What tools can we use?

Page 20: What tools can we use?

• PowerShell
• .Net
• Active Directory
• with BHOLD

Page 21: Example

ZTP (Zero Touch Provisioning) solution architecture (diagram). The components and their roles, as labelled on the slide:

• ZTP End Users: access the FIM Portal for ZTP activities, and approve or reject requests via email to the FIM Portal approval system.
• ZTP Administration: a Custom Portal and the FIM Portal. The FIM Portal provides administration for the ZTP solution.
• Network Load Balancers (four shown in the diagram) in front of the portal and service tiers.
• Generic Web Control: communicates with the FIM web APIs and performs ZTP activity authorisation.
• FIM Service (Contoso.com): provides AuthN and AuthZ and hosts the business rules and workflows for each activity.
• Custom FIM Workflow Activities: offload orchestration of ZTP to Orchestrator.
• Orchestrator: ZTP activity approvals. Orchestrator runbook activities trigger scripts that perform automation tasks on file servers, edge domain controllers etc., based on the defined ZTP requests launched and stored in the FIM Service. ZTP runbooks are hosted on the Orchestrator ZTP Activity job servers.
• ZTP End User Notification: Orchestrator runbooks notify ZTP end users about the start, end, success and failure of ZTP activities.
• Runbook Reporting: each runbook reports back to the ZTP Custom Reporting DB.
• FIM Synchronisation (Contoso.com) management agents:
  • Active Directory Domain Services MA: projects existing users and groups to FIM, provisions new users and groups, and performs import and export attribute flow.
  • SQL MA (SQL DB): additional enterprise identity information that contributes core identity attributes.
  • FIM Service MA: synchronises person, group and system objects between the FIM Service database and the metaverse.
• FIM Reporting Connector.
• Service Manager Data Warehouse: collects FIM reporting data and hosts SQL Reporting Services and reports.
• SQL Reporting Services Reports: collate data from multiple ZTP solution databases into the agreed SQL reports.

Page 22: What tools did we use?

Solution Components
• Custom User Interface
• FIM 2010 R2 SP1
• FIM Custom Activity (.Net)
• Orchestrator 2012 SP1
• Service Manager 2012 SP1
• PowerShell

Page 23: What does it do?

Custom user interface → FIM Service → FIM Custom activity → Orchestrator → PowerShell/Orchestrator activities → Service Manager data warehouse

Self-service orchestration for onsite support staff to provide role based administration activities.

Benefits
• Reduced operational cost
• Improved security
• Increased visibility
• Extensible

Page 24: Why did we choose this platform?

• Leveraged existing skill sets
• Supportable and extensible
• Centralised
• Auditable
• Consolidated end to end reporting

Page 25: Zero Touch Provisioning Operation (Bruce Smith)

Page 26: Integration

Page 27: Integration

Web Services API
• FIM
• Orchestrator
• Service Manager

Orchestrator Runbooks
• PowerShell
• .Net
• Runbook standard activities
• Orchestrator integration packs

FIM Management Agents
• Active Directory
• Active Directory LDS
• SQL
• File
• Notes
• Azure
• ECMA 2.0
• Web Services
• … and more

FIM Custom Activities
• Custom Workflow Foundation activities

Page 28: Integration

Page 29: Development and Integration (Bruce Smith)

Page 30: Self-Service and Orchestration

Page 31: Common Scenarios

Page 32: Common Scenarios

• New employee
• Employee changes position
• Provision additional employee services
• Self-Service Password reset
• Employee leaves

Page 33: Self-Service and Orchestration common scenarios (Bruce Smith)

Page 34: Cloud integration

Page 35: Cloud Integration

Solution Components
• FIM Azure Management Agent
• Azure Active Directory
• Active Directory Federation Services
• Orchestrator 2012 SP1
• Azure/Office 365
• DirSync
• PowerShell

Page 36: Cloud Integration

Azure Single Sign-on for Cloud applications: http://technet.microsoft.com/en-us/library/dn308588.aspx

Page 37: Cloud Integration

Azure Single Sign-on for custom applications: http://msdn.microsoft.com/en-us/library/windowsazure/dn151790.aspx

Page 38: Questions

Page 39: Related content

• MDC324B: Service Manager and Orchestrator, the perfect partnership
• ATC334: The Identity Jigsaw
• ATC421: FIM2010 R2: Custom Workflow Activities

Find Us Later in the Expo Hall

Page 40: Resources

• Developer Network, Resources for Developers: http://msdn.microsoft.com/en-au/
• Learning, Virtual Academy: http://www.microsoftvirtualacademy.com/
• TechNet, Resources for IT Professionals: http://technet.microsoft.com/en-au/
• Sessions on Demand: http://channel9.msdn.com/Events/TechEd/Australia/2013

Page 41: © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.