
FIM Best Practices - Architecting Identity Solutions that really work!

Carol Wapshere, MVP

Identity Management Specialist

Unify Solutions

SIM322

In 1844 Charles Sturt led an expedition through central Australia. He took a boat…

Bad information

Unrealistic expectations

Photo: National Museum of Australia

IAM projects can be very difficult…

Existing data

Existing processes

Photo: wallwin.ca

Session Agenda

What FIM does

Project planning

Design

Data

Implementation

ROI and Demo

What Forefront Identity Manager 2010 R2 Does

FIM 2010 R2 Components

Synchronization Service: connects matched objects in directories and applications for provisioning and attribute updates.

Password Sync: updates the password of joined user accounts following an AD password change.

Portal and Service: SharePoint-based Portal for user administration, self-service and workflow.

Self-Service Password Reset: secret question password reset – GINA and Portal.

Role Management: BHOLD RBAC System – role modelling, role assignment, compliance, reporting.

Reporting: audit and reporting using System Center Data Warehouse and SQL Reporting Services.

Certificate Manager: request and renew certificates.

Planning

Who’s driving?

Stakeholders?

Deadlines?

Other projects depending on this?

Photo: Microsoft ClipArt

Understand the environment

Get account policies in writing

Talk to the people who really know

Data analysis

Picture: “The Friend of Australia”, Thomas J Maslen, 1827

Get the requirements

Essential vs Desirable

Focus on outcomes, not current processes

Get specifics

Don’t try to do everything at once

Photo: Carol Wapshere

Chart: Impact on project as requirements increase – requirements (Reqs) plotted against Days for Development, Implementation/Negotiation and Testing, and against Risk.

Design

Task automation

Photo: ACT Government

Some tasks must still be done by hand

Photo: Carol Wapshere

FIM is a State-Based System

What is the current state of the object?

What is the future state of the object?

We don’t care about how or who.

Extending

Extensible components: Sync Service, Custom WF, Web Services

Use OOB before extending

Use only supported methods

Photo: Carol Wapshere

Data

Unique identifiers

Validated source data

Consistent formatting

Free text avoided

Minimise double-entry

The Sync Engine runs best on Clean Data

Picture: Library of Virginia, JA Bonsack patented cigarette rolling machine

Find the Source

Per object type or object sub-category:

One Object source,

One Attribute source for each attribute.

Make sure everyone understands where the sources are!

Photo: findaspring.com

Clean up existing accounts

Account identification

Remove old accounts

Move unmanaged accounts out of scope

Photo: Microsoft ClipArt

Get a full production data set for Dev and Test

Rules must be able to deal with real, not idealised, data

Joins and data cleaning analysis

Identify exceptions

Understand scale

Photo: gking.harvard.edu
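The data slides above (one object source and one attribute source per attribute, the state-based "current state vs future state" comparison, and the join and data-cleaning analysis on a full production data set) can be rehearsed on a data extract before any sync rules are written. The following is an added example, not code from the presentation or from FIM itself. It assumes two constructed extracts, an HR feed treated as the authoritative source for givenName, sn and department, and an AD export, joined on a hypothetical employeeID attribute; the column names and sample rows are assumptions for illustration.

```python
"""Pre-implementation join analysis for an HR -> AD identity sync.

Added example with constructed sample data (not from the presentation).
Assumption: HR is the object source and the attribute source for
givenName, sn and department, and employeeID is the join key.
"""
from collections import Counter, defaultdict

# Constructed HR extract: includes messy formatting, a blank value,
# a terminated employee and a duplicate identifier on purpose.
HR_ROWS = [
    {"employeeID": "1001", "givenName": "Ann", "sn": "Lee", "department": "Finance", "status": "Active"},
    {"employeeID": "1002", "givenName": "bob", "sn": "Stone ", "department": "IT", "status": "Active"},
    {"employeeID": "1003", "givenName": "Cy", "sn": "Diaz", "department": "", "status": "Active"},
    {"employeeID": "1004", "givenName": "Dee", "sn": "Khan", "department": "Legal", "status": "Terminated"},
    {"employeeID": "1002", "givenName": "Bob", "sn": "Stone", "department": "IT", "status": "Active"},
]

# Constructed AD export: includes an out-of-date attribute, two accounts
# sharing one employeeID, and a service account with no identifier.
AD_ROWS = [
    {"sAMAccountName": "alee", "employeeID": "1001", "givenName": "Ann", "sn": "Lee", "department": "Accounts"},
    {"sAMAccountName": "bstone", "employeeID": "1002", "givenName": "Bob", "sn": "Stone", "department": "Sales"},
    {"sAMAccountName": "bstone2", "employeeID": "1002", "givenName": "Bob", "sn": "Stone", "department": "IT"},
    {"sAMAccountName": "svc-backup", "employeeID": "", "givenName": "", "sn": "", "department": ""},
    {"sAMAccountName": "dkhan", "employeeID": "1004", "givenName": "Dee", "sn": "Khan", "department": "Legal"},
]

# Attributes for which HR is the single attribute source (flow HR -> AD).
HR_AUTHORITATIVE = ("givenName", "sn", "department")


def normalise(row):
    """Apply consistent formatting so comparisons are not dominated by noise."""
    out = {k: v.strip() for k, v in row.items()}
    for k in ("givenName", "sn"):
        if out.get(k):
            out[k] = out[k][:1].upper() + out[k][1:]
    return out


def analyse(hr_rows, ad_rows):
    """Return the exceptions and pending updates a sync engine would meet."""
    hr = [normalise(r) for r in hr_rows]
    ad = [normalise(r) for r in ad_rows]
    report = {"hr_duplicate_ids": [], "hr_missing_values": [], "ambiguous_joins": [],
              "unjoined_hr": [], "unmanaged_ad": [], "stale_accounts": [], "pending_updates": []}

    # 1. The object source must supply a unique identifier per object.
    counts = Counter(r["employeeID"] for r in hr)
    report["hr_duplicate_ids"] = sorted(i for i, n in counts.items() if n > 1)
    hr_by_id = {}
    for r in hr:
        hr_by_id.setdefault(r["employeeID"], r)  # first row wins; duplicates already flagged

    # 2. Empty values in authoritative attributes cannot be flowed.
    for r in hr:
        for attr in HR_AUTHORITATIVE:
            if not r[attr]:
                report["hr_missing_values"].append((r["employeeID"], attr))

    # 3. Join analysis: exactly one AD account per HR object, else an exception.
    ad_by_id = defaultdict(list)
    for r in ad:
        if r["employeeID"]:
            ad_by_id[r["employeeID"]].append(r)
        else:
            report["unmanaged_ad"].append(r["sAMAccountName"])  # candidate to move out of scope

    for emp_id, hr_row in hr_by_id.items():
        matches = ad_by_id.get(emp_id, [])
        if not matches:
            report["unjoined_hr"].append(emp_id)
        elif len(matches) > 1:
            report["ambiguous_joins"].append((emp_id, [m["sAMAccountName"] for m in matches]))
        elif hr_row["status"] != "Active":
            report["stale_accounts"].append(matches[0]["sAMAccountName"])  # old account to remove
        else:
            # 4. State-based comparison: future state (HR) vs current state (AD);
            #    how or by whom the AD value got there is irrelevant.
            ad_row = matches[0]
            for attr in HR_AUTHORITATIVE:
                if hr_row[attr] and hr_row[attr] != ad_row[attr]:
                    report["pending_updates"].append(
                        (ad_row["sAMAccountName"], attr, ad_row[attr], hr_row[attr]))

    # 5. Scale: how many objects the rules will actually have to handle.
    report["scale"] = {"hr_objects": len(hr_by_id), "ad_accounts": len(ad)}
    return report


if __name__ == "__main__":
    for key, value in analyse(HR_ROWS, AD_ROWS).items():
        print(f"{key}: {value}")
```

Each list in the report corresponds to a decision the project has to make before go-live: duplicate or missing source values go back to the data owners, ambiguous joins and unmanaged accounts feed the account clean-up, and the pending-updates list shows the scale of change the first sync run would make to production.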

Implementation

Expect teething problems

Production data and practices may bring surprises

People suddenly remember vital requirements

Confusion about what can be changed where

On-going Administration

It’s not a “set and forget” system

Data errors and duplicates will happen

Business rules will change

Return on Investment

Scenario

HR/AD/FIM Portal Sync already in place.

Cloud-based subscriber solution “ProjectSTAR” to be adopted for all project management tasks.

Two-tiered subscription:

Project Manager: $250 pcm

Project Resource: $25 pcm

Account management options:

Manually create cloud account with separate password, and manually assign license type; or

Federated access with automatic license assignment.

Diagram components: HR, AD, FIM Sync, FIM Portal, ProjectSTAR, ADFS, CSV; attributes shown: Identifier, Is Authenticated, Application Role.

Demo

Using FIM to integrate a cloud application

ROI realised on this integration…

We already know who our users are – so we can tell the application provider straight away. Rapid deployment!

Manage licensing through an internal Portal. Control costs! No new interface to learn!

Ensure Federation tokens contain correct information. Meet security and compliance requirements!

Allow self-service and delegated approval. Minimises admin tasks for the IT department!

Architect a Great IAM Solution with FIM 2010 R2

Understand the environment

Develop for automation

Be realistic

Picture: murrayriver.com.au

Related Content

SIM423 FIM Best Practices – Technical Deep Dive

Exam 70-158 Forefront Identity Manager 2010, Configuring

Contact Me Later By…

Email: carol.wapshere@unifysolutions.net

Blog: http://www.wapshere.com/missmiis

Twitter: @miss_miis

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
