Introduction to Identity Management and Forefront Identity Manager 2010 R2 SP1 (Part 2)
by Sajid Khan [Published on 27 December 2015 / Last Updated on 27 December 2015]
In this part of this series, I will introduce to you Microsoft’s answer to identity management.
If you would like to read the first part in this article series, please go to Introduction to Identity Management and Forefront Identity Manager 2010 R2 SP1 (Part 1).
Introduction
When we last met, we had just wrapped up a 1,300 word discussion regarding the importance of identity management in the enterprise and outlined some of its benefits. We also discussed some foundational items you need to consider before embarking on an identity management journey in your organization. In this part of this series, I will introduce to you Microsoft’s answer to identity management. Entitled Forefront Identity Manager 2010 R2, Microsoft’s product provides organizations with a comprehensive set of identity management features.
Buying FIM 2010 R2
Before we jump into the product feature set, let’s take a look at how it’s licensed. As is usually the case with Microsoft products, licensing for FIM 2010 R2 is messy and complex.
Servers
First of all, for each server to which you deploy a FIM component, you must buy a server license to run the software.
Database
FIM requires a SQL Server database to operate. Frankly, I’m stunned that Microsoft doesn’t grant a runtime instance of SQL for FIM, but according to the full licensing document, FIM implementers must also buy a SQL Server license.
Users
For each user that you manage through FIM, you need a Windows Server Client Access License (CAL). If you’re a Microsoft shop, you probably already have these licenses.
Additionally, for each user that you manage through FIM, a FIM CAL is required. Administrators that manage users through FIM also require a CAL.
If you have external users that you need to include in your FIM environment, you also need an external connector license as well as a CAL for each external user.
Reporting
FIM 2010 R2 leverages the reporting functionality from System Center Service Manager. With the purchase of FIM, you are granted an SCSM license designed strictly to enable reporting.
FIM 2010 R2 components
In small environments, you might deploy most of the FIM environment to a single server, but as the environment grows, you will probably find it easier to deploy FIM to multiple servers. This allows you to more easily grow those aspects of the environment that experience the most usage. The table below describes FIM’s major components.
Component | Description
--- | ---
FIM Synchronization Service | The synchronization service is one of FIM’s core services. It handles “metaverse”-wide synchronization of identities between data sources. This service creates and maintains identities in other systems.
FIM Service | The FIM service is a web service component that provides connecting functionality behind the scenes in FIM.
FIM Portal | The FIM portal is a user- and administrator-facing component that exposes much of FIM’s functionality to users, including password reset capability, group management tasks, and administrative options. The portal runs on SharePoint.
FIM Certificate Management | The certificate management component is generally used in conjunction with smart cards and isn’t deeply integrated into the rest of the suite. Many FIM deployments don’t even include this component.
FIM Reporting | FIM leverages System Center Service Manager’s reporting engine. Reporting in FIM is handled through this special SCSM service. Users of FIM are granted a runtime license for SCSM’s reporting component to enable this functionality.
FIM Password Registration Portal | One of FIM’s best features is the ability to provide users with the ability to establish security questions and answers that they can use to reset their passwords on their own in the event that they’re forgotten.
FIM Password Reset Portal | Once a user establishes security questions, if he forgets his password, he can visit the password reset portal and reset it without having to contact the IT help desk. In R2, the password reset portal is fully web based, so it can be used across any platform. There are no longer any ActiveX controls. The password reset tool can also integrate with the Windows login screen so that users can reset their passwords even if they’re unable to log in to their PCs.
SQL (FIM service database) | The FIM database stores all of the information for the environment and is used for certain transformations that take place.
BHOLD | BHOLD is a relatively new addition to FIM that enables organizations to delegate role management to users. This can further streamline the identity management experience in the organization.
FIM Outlook Client | A number of FIM actions require authorization through built-in workflows. Through the FIM Outlook client add-in, users and administrators can approve or deny actions right from Outlook without having to open a separate application.
Table 1
In this article series, you will learn about the identity management and password reset parts of FIM, but I will not be discussing certificate management.
Some additional terminology
As you may have guessed, FIM is a relatively complex software platform and there is a lot of supporting knowledge that goes into deploying the product. As such, there is quite a bit of terminology that’s important to understand.
· Metaverse. According to Microsoft, the metaverse is “…a set of tables in the SQL Server database that contains the combined identity information for a person or resource. Management agents update and modify the metaverse from multiple connected data sources, and in turn, management agents use the data in the metaverse to update and modify the connected data sources. The metaverse contains its own schema, which defines which object types and attributes the metaverse can contain.” In other words, the metaverse is the universe in which the various FIM objects reside.
· Connector space. This is an area where objects are written before being synchronized with the metaverse or a connected data source.
· Connector. In FIM, a connector is an object in the connector space that is connected to an object in the metaverse.
· Explicit connector. A specialized type of connector that can only be created manually and that remains connected even when filters are in place.
· Management agent. In FIM, a management agent is responsible for connectivity to a specific data source.
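To make these terms concrete, here is a small Python model of the data flow they describe: two management agents stage records from their data sources into connector spaces, the engine joins connector-space objects to metaverse objects on a shared attribute (projecting new metaverse objects for the authoritative source), flows attributes inward, and then works out what the target system still needs. This is an added illustration written for this article, not FIM’s own code or algorithm; the HR and Active Directory records, the attribute names used for joining and flow, and the class and function names are all constructed for the example.

```python
import itertools
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (not from any real directory).
HR_RECORDS = [  # authoritative source: an HR database
    {"employeeID": "1001", "displayName": "Alice Example", "department": "Finance", "status": "active"},
    {"employeeID": "1002", "displayName": "Bob Example", "department": "Engineering", "status": "active"},
    {"employeeID": "1003", "displayName": "Carol Example", "department": "Legal", "status": "inactive"},
]
AD_RECORDS = [  # target: Active Directory, with one stale department and one unmanaged service account
    {"sAMAccountName": "alice", "employeeID": "1001", "displayName": "Alice Example", "department": "Accounting"},
    {"sAMAccountName": "svc-backup", "employeeID": None, "displayName": "Backup Service", "department": None},
]


@dataclass
class CSObject:
    """One object staged in a connector space by a management-agent import."""
    anchor: str                  # the connected system's own key (anchor attribute)
    attributes: dict
    mv_id: Optional[str] = None  # set once joined or projected: the object is then a connector
    explicit: bool = False       # explicit connector: created manually, ignores filters

    @property
    def is_connector(self) -> bool:
        return self.mv_id is not None


class ConnectorSpace:
    def __init__(self, name: str):
        self.name = name
        self.objects: dict[str, CSObject] = {}

    def stage(self, records: list, anchor_attr: str) -> None:
        """Management-agent import: copy source records into this connector space."""
        for rec in records:
            self.objects[rec[anchor_attr]] = CSObject(rec[anchor_attr], dict(rec))


class Metaverse:
    """Combined identity per person; one object may be connected from several connector spaces."""
    def __init__(self):
        self.objects: dict[str, dict] = {}
        self._ids = itertools.count(1)

    def find(self, attr: str, value) -> Optional[str]:
        if value is None:
            return None  # never join on a missing attribute
        return next((i for i, a in self.objects.items() if a.get(attr) == value), None)

    def create(self, attrs: dict) -> str:
        mv_id = f"mv-{next(self._ids)}"
        self.objects[mv_id] = dict(attrs)
        return mv_id


def synchronize(cs, mv, join_attr, inbound_attrs, project=False, filter_fn=None):
    """Inbound sync for one connector space: join disconnectors to the metaverse on
    join_attr, project the rest as new metaverse objects if this source is authoritative,
    then flow inbound_attrs into the connected metaverse object."""
    for obj in cs.objects.values():
        if filter_fn and filter_fn(obj.attributes) and not obj.explicit:
            continue  # filtered out: stays a disconnector
        if not obj.is_connector:
            match = mv.find(join_attr, obj.attributes.get(join_attr))
            if match is not None:
                obj.mv_id = match  # join to an existing metaverse object
            elif project:
                obj.mv_id = mv.create({join_attr: obj.attributes[join_attr]})  # projection
        if obj.is_connector:
            for attr in inbound_attrs:
                if attr in obj.attributes:
                    mv.objects[obj.mv_id][attr] = obj.attributes[attr]


def pending_exports(cs, mv, outbound_attrs):
    """Outbound flow: per connector, the attribute values the connected system lacks."""
    changes = {}
    for obj in cs.objects.values():
        if obj.is_connector:
            mv_attrs = mv.objects[obj.mv_id]
            diff = {a: mv_attrs[a] for a in outbound_attrs
                    if a in mv_attrs and mv_attrs[a] != obj.attributes.get(a)}
            if diff:
                changes[obj.anchor] = diff
    return changes


def unprovisioned(cs, mv):
    """Metaverse objects with no connector in cs: accounts the target still needs."""
    connected = {o.mv_id for o in cs.objects.values() if o.is_connector}
    return sorted(i for i in mv.objects if i not in connected)


def run_sync():
    mv = Metaverse()
    hr_cs, ad_cs = ConnectorSpace("HR"), ConnectorSpace("AD")
    hr_cs.stage(HR_RECORDS, "employeeID")
    ad_cs.stage(AD_RECORDS, "sAMAccountName")
    # HR is authoritative: it projects new identities; inactive staff are filtered.
    synchronize(hr_cs, mv, "employeeID", ["displayName", "department"],
                project=True, filter_fn=lambda a: a.get("status") == "inactive")
    # AD only joins to what HR created and contributes no inbound attributes here.
    synchronize(ad_cs, mv, "employeeID", [])
    exports = pending_exports(ad_cs, mv, ["displayName", "department"])
    return mv, hr_cs, ad_cs, exports, unprovisioned(ad_cs, mv)


if __name__ == "__main__":
    mv, hr_cs, ad_cs, exports, new = run_sync()
    print("metaverse:", mv.objects)
    print("AD attribute updates:", exports)
    print("AD accounts to provision:", new)
```

Running it shows the distinctions the definitions above draw: the two active HR records are projected into the metaverse, the inactive one is filtered and stays a disconnector, the existing AD account joins on employeeID and receives a corrected department on export, the service account without an employeeID never becomes a connector, and the metaverse object with no AD connector is the one that would be provisioned. Setting `explicit=True` on a staged object is the model’s stand-in for an explicit connector: the filter is bypassed for it.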
Data source options
FIM can connect to a variety of data sources. The list below describes which data sources Microsoft Forefront Identity Manager (FIM) 2010 R2 supports:
· Active Directory Domain Services 2000, 2003, 2003 R2, 2008
· Active Directory Lightweight Directory Services (ADLDS)
· Active Directory global address list (GAL)
· Attribute-value pair text files
· FIM Certificate Management
· Delimited text files
· Directory Services Markup Language (DSML) 2.0
· Microsoft Exchange Server 2007 and 2010 (use the management agent for Active Directory)
· Microsoft SQL Server 2000, SQL Server 2005, SQL Server 2008
· Fixed-width text files
· IBM DB2 Universal Database 9.1 or 9.5
· IBM Directory Server 6.0 or 6.2
· LDAP Data Interchange Format (LDIF)
· Lotus Notes release 6.5 or 7.0
· Novell eDirectory 8.7.3 or 8.8
· Oracle 10g Database
· SAP R/3 Enterprise (4.7), mySAP 2004 (ECC 5.0)
· Sun ONE and Netscape Directory Server 5.1 and 5.2
· SAP HCM
· Oracle eBusiness Suite
· Oracle PeopleSoft
There are also some additional management agents available for certain online services, such as Office 365. Using these data sources, you can manage identities across just about any system.
High level deployment overview
Bearing in mind that I won’t be covering the certificate management parts of FIM in this series, it’s possible to deploy FIM in a number of different scenarios. Here are some things to keep in mind:
· Most roles can coexist on a single server. This is generally suitable only in very small or lab environments.
· The SCSM data warehouse service must run separately from the other services.
· For scalability, administrators often place each role on a separate server. In the world of virtualization, this is a pretty easy feat to accomplish and provides the opportunity to granularly scale components as needed.
· A best practice is to install the FIM portal and the FIM service together.
On the issue of scale, not every FIM role can be load balanced or spread across multiple servers; for those roles, only a single server of that type is supported.
Summary
With more foundational elements in place, in the next part of this series, we’ll walk through the beginnings of a FIM deployment.