Microsoft Forefront Identity Manager 2010 R2. Edin Smlatić, s IT Solutions HR d.o.o., edin.smlatic@s-itsolutions.hr. Rijeka, 11 December 2013.


Page 1

Microsoft Forefront Identity Manager 2010 R2

Edin Smlatić, s IT Solutions HR d.o.o.

edin.smlatic@s-itsolutions.hr

Rijeka, 11 December 2013

Page 2

Agenda:
- Identity management in general
- History of FIM
- FIM components
- Installing FIM
- FIM Synchronization Service
- Demo 1: Synchronization Service Manager
- FIM Service and FIM Portal
- Demo 2: FIM Service and FIM Portal

What we will not cover today:
- FIM Password Registration and Reset Portal
- FIM Reporting
- FIM Certificate Management
- Backup / Restore

Page 3

Identity management in general:
- What is an identity?
  - A set of objects we are interested in, or any object whose data we want to store, e.g. people, groups, computers, printers
  - The identities we care about are often held in different, incompatible data stores, and those stores can be inconsistent with each other
- Identity Management System
  - A set of services and/or applications that coordinate the information stored in those different data stores
  - Lets us manage our data more efficiently
- Forefront Identity Manager
  - A suite of products

Page 4

History of FIM:
- 1999:
  - Microsoft acquires Zoomit, and with it the product called VIA
  - Zoomit VIA is integrated into Microsoft Metadirectory Services, a product available only through Microsoft Consulting Services engagements
- 2003:
  - Microsoft Identity Integration Server (MIIS)
  - The first publicly available version, known today as the FIM Synchronization Service
- 2005:
  - Microsoft acquires Alacris, and with it the product IdNexus
  - IdNexus is later renamed Certificate Lifecycle Manager (CLM)
- 2007:
  - MIIS and CLM are merged into Identity Lifecycle Manager 2007 (ILM)
- 2010:
  - Forefront Identity Manager 2010 (FIM)
  - FIM Portal
- 2012:
  - Forefront Identity Manager 2010 R2 (FIM)
  - FIM Reporting

Page 5

FIM components:
- FIM Synchronization Service:
  - Non-declarative (classic) vs. declarative synchronization
- FIM Service
- FIM Portal
- FIM Password Registration and Reset
- FIM Reporting
  - Relies on the Data Warehouse component of SCSM
- FIM Certificate Management

Page 6

Installing FIM:
- System requirements:
  - Hardware: x64 CPU, 2 GB RAM, 2 GB disk
  - Software:
    - Windows Server 2008 or 2008 R2
    - SQL Server 2008 x64 SP1
    - PowerShell
    - .NET Framework
- FIM Synchronization Service:
  - Visual Studio 2008: for developing non-declarative sync rules
  - Exchange Management Tools: for mail provisioning
- FIM Service
- FIM Portal, Password Registration and Reset
  - IIS
  - SharePoint Services 3.0 SP2 or SharePoint Foundation 2010
- FIM Reporting
  - SCSM 2010 SP1
- FIM Certificate Management
- FIM Client-Side Components
  - Add-in for Outlook
  - Password Reset Extensions

Page 7

FIM Synchronization Service:

Page 8

FIM Synchronization Service:

Page 9

FIM Synchronization Service:
- Primary components:
  - Management Agents (MA)
  - Connected Data Source (CDS)
  - Metaverse (MV)
  - Connector Space (CS)
- Built-in MAs:
  - Databases: SQL Server, Oracle, IBM DB2 Universal Database
  - Active Directory: Domain Services, GAL Sync, AD LDS
  - Other directories: IBM Directory Server, Lotus Notes, Novell eDirectory, Sun and Netscape Directory Servers
  - File-based MAs: Attribute Value Pair (AVP), LDAP Directory Interchange Format (LDIF), Directory Services Mark-up Language (DSML), delimited text, fixed-width text
  - Others: SAP R/3 (Microsoft), Extensible Connectivity

Page 10

FIM Synchronization Service:
- Objects and attributes
- MV and CS:
  - Join rules, projection rules, manual joining
  - Connectors and disconnectors: normal and explicit
  - Connector filters
  - Anchor attributes and GUIDs
  - Attribute flow: import and export
  - Authority and precedence
- Run profiles
  - Import: full or delta
  - Sync: full or delta
  - Export: always delta
  - Confirming import: usually a delta import followed by a delta sync
- MA statistics and errors

Page 11

FIM Synchronization Service:
- Sync Service Manager tools:
  - Operations: view of run profile execution
  - MV Designer tool
    - Configure attribute flow precedence
    - Edit attribute: indexing
    - Configure object deletion rule
  - MV Search tool
  - Joiner tool
- Provisioning:
  - Classic rules: DLL
  - Declarative: Portal
- Deprovisioning
  - MV object deletion rule
  - Make it a disconnector
  - Make it an explicit disconnector
  - Stage a delete on the object for the next export run
  - Determine with a rules extension

Page 12

FIM Synchronization Service

Page 13

FIM Synchronization Service

Page 14

Demo: FIM Synchronization Service Manager

Page 15

FIM Service and FIM Portal:
- Declarative (codeless) provisioning
- SQL Server
- SharePoint Portal
- FIM Service MA
  - Mandatory object types: DRE, ERE, SyncRule
  - Mandatory object type mappings
  - Mandatory attribute flow

Mandatory object type mappings:

Data Source Object Type | Metaverse Object Type
DetectedRuleEntry       | detectedRuleEntry
ExpectedRuleEntry       | expectedRuleEntry
SynchronizationRule     | synchronizationRule

Mandatory attribute flow:

Data Source Attribute | Metaverse Attribute | Type
Dn                    | Sync-rule-mapping   | Expression
MVObjectID            | <object-id>         | Direct
DetectedRulesList     | DetectedRulesList   | Direct
<dn>                  | csObjectID          | Direct
ExpectedRulesList     | ExpectedRulesList   | Direct

Page 16

FIM Service and FIM Portal:
- Sets
- Workflows
  - Authentication
  - Authorization
  - Action
- Management Policy Rules (MPR)
  - Request MPRs: grant permissions and run workflows
  - Set Transition MPRs: cannot grant permissions, only run workflows
- Synchronization rules
  - Inbound
  - Outbound
- Expected Rules Entry (ERE)
- Expected Rules List (ERL)
- Detected Rules Entry (DRE)
- Detected Rules List (DRL)
  - Inbound / Outbound

Page 17

FIM Service and FIM Portal: ERE/DRE

Page 18

FIM Service i FIM Portal:

Page 19

Demo: FIM Portal

Page 20

Conclusions:
- Test in a test environment before making changes in production
- Classic vs. declarative provisioning?
- Deprovisioning: disconnect or delete?
- Automating run profiles
  - VBS
  - PowerShell
  - Mail error alerting
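An added example, not from the deck, of the PowerShell automation and mail alerting suggested above: it runs the run profile order from the Synchronization Service slides (delta import, delta sync, export, confirming delta import) through the Synchronization Service WMI provider and mails an alert when a step does not return success. The MA name, run profile names, SMTP relay and recipient are assumptions.

```powershell
# Added example: drive a FIM MA run-profile sequence over the MIIS WMI provider
# and alert by mail on any non-success result. Not the deck's own code.
# Assumed names (adjust to your environment): MA "AD MA", run profiles named as
# listed below, SMTP relay and recipient placeholders.
$ns       = 'root\MicrosoftIdentityIntegrationServer'
$maName   = 'AD MA'                                  # assumed MA name
$profiles = 'Delta Import', 'Delta Synchronization', # assumed run profile names
            'Export', 'Delta Import'                 # last import confirms the export
$smtp     = 'smtp.example.local'                     # placeholder relay
$to       = 'fim-admins@example.local'               # placeholder recipient

$ma = Get-WmiObject -Namespace $ns -Class MIIS_ManagementAgent -Filter "Name='$maName'"
if (-not $ma) { throw "Management agent '$maName' not found in $ns" }

$problems = @()
foreach ($p in $profiles) {
    # Execute() blocks until the run profile finishes and returns its status string
    $result = $ma.Execute($p).ReturnValue
    Write-Host ("{0} / {1}: {2}" -f $maName, $p, $result)
    # Anything other than 'success' (e.g. completed-export-errors, stopped-*)
    # is recorded and the sequence stops, so a failed export is not "confirmed"
    if ($result -ne 'success') {
        $problems += "$p returned '$result'"
        break
    }
}

if ($problems.Count -gt 0) {
    $body = ($problems -join "`n") +
            "`nCheck Operations in Synchronization Service Manager for the run details."
    Send-MailMessage -SmtpServer $smtp -From "fim@$env:COMPUTERNAME" -To $to `
        -Subject "FIM run error on $env:COMPUTERNAME ($maName)" -Body $body
    exit 1
}
```

Run it under a dedicated account that is a member of the FIMSyncOperators group, which is enough to execute run profiles without granting FIMSyncAdmins rights.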

