
Microsoft Forefront Identity Manager 2010 Deploying FIM





Presentation Transcript


  1. SESSION CODE: SIA318. Microsoft Forefront Identity Manager 2010: Deploying FIM. Mark Wahl, CISA, Architect, Microsoft Corporation; Mas Libman, Program Manager, Microsoft Corporation

  2. Prerequisites • General knowledge of Forefront Identity Manager (FIM)

  3. Agenda
  • Identity Management governance
  • Policies and data flows
  • Roles and entitlements
  • Deploying FIM servers
  • FIM and IT service management

  4. Identity Management and Governance Policies and Data Flows

  5. Business Ready Security: Help securely enable business by managing risk and empowering people
  Diagram: the pillars Identity, Access, Protection and Management on a Highly Secure & Interoperable Platform, across on-premises & cloud. Messages: Protect everywhere, access anywhere; Integrate and extend security across the enterprise; Simplify the security experience, manage compliance. From -> to: Block -> Enable, Cost -> Value, Siloed -> Seamless.

  6. Identity Management
  • Provide agility and efficiency in controlling access to applications
  • Increase security and compliance with automatable/auditable processes for assigning and maintaining identities, credentials and other resources
  • Empower end users through delegation and self-service

  7. Identity Management and Governance
  • Governance controls can maintain the quality of identity data
    • What is the business value of identity data?
    • Who is the owner of each element of the data? Who is the custodian?
    • What processes ensure the data has appropriate quality to support applications relying upon it?

  8. Example Identity Data Flows
  Diagram components: FIM 2010 (FIM Portal and Service with its Database, Policies, Requests and Workflow; FIM Synchronization Service with its Database and Metaverse; FIM Certificate Management with Cert DB and CA), Application Data Sources (Application #1, Application #2, Application #3, Other DS), System of Record Data Sources (Active Directory, Database), and Approval / Change Request inputs to the Portal.

  9. FIM Supporting Application Access Control
  • Enabling on-premises applications
    • FIM creates user and group accounts in AD and other directories
  • Enabling federated and cloud-based services
    • FIM supplies ADFS with data for constructing claims
      • For example, FIM could construct and sync into a DB or AD a value which becomes a “role” claim for authorization across organizations
    • FIM supplies cloud-based services with user account provisioning and deprovisioning
      • For services which need a copy of the directory, e.g., for an address book
    • FIM provisions users with smartcards or software certificates
      • Enables users to leverage stronger authentication for access to cloud-based services than just “username and password”

  10. FIM Supporting Application Access Control
  Diagram components: Rights-Aware Client and Web Client; Active Directory Rights Mgmt. Services; Forefront Unified Access Gateway; Active Directory Federation Services issuing Claims; Claims-based Web Application (Windows Identity Foundation) and Security Group-based Access Control; FIM 2010 (Portal, FIM Service, FIM Sync Service, FIM CM) feeding Active Directory, the IdP Database and the RP Database (additional attributes).

  11. Controlling Data Flows with FIM
  • Sets
    • A collection of resources matching a filter (XPath expression)
    • Define sets related to each other for partitioning the data flows
      • By ownership or system of record source
      • By controller or maintenance lifecycle
      • By requirements for visibility or constraints for privacy/data protection
      • By approach for delegation
        • Groups controlling access to LBI (low business impact) data or discussion: open, anyone can join
        • Controlling access to MBI (medium business impact): owner approval
        • Controlling access to HBI (high business impact): Administrator-maintained (existing procedures)
      • By roles and by entitlements

  12. Controlling Data Flows with FIM
  • Workflows
    • A sequence of one or more activities for the FIM Service to perform
  • Outbound Synchronization Rule
    • Defines how attributes are synchronized from a representation of a resource in the FIM Sync Service Metaverse into a representation in a connected system

  13. Controlling Data Flows with FIM
  • Management Policy Rules
    • Request MPRs (R-MPR)
      • Defines the access control policy enforced in FIM itself for operations on resources by requestors using the FIM Portal or Web Service
      • Evaluated and applied to requests based on a requestor in a requestor set
    • Set Transition MPRs (T-MPR)
      • Defines a policy with an action workflow to apply to resources in a set, which runs when a resource enters or leaves the set
      • Action workflow activity could reference an outbound synchronization rule
      • The “Run on Policy Update” flag applies T-MPR policies to resources already in the set when the T-MPR is created or enabled, or when the MPR’s set or workflow references are updated

  14. Identity Management and Governance Roles and Entitlements

  15. Modeling Roles In FIM
  • A role abstraction captures the entitlements independent of specific users
  • Assigning a user to a role grants them all the entitlements defined for the role
  • FIM Sets and MPRs can be used to model the policies for roles, by
    • Defining who is in a role via Set membership (e.g., FIM Administrators)
      • The set represents the role; members are in the role
      • Expressed in an R-MPR as Requestors
    • Defining roles by values in resource attributes (e.g., owner of groups)
      • Works well for near-universal or very common role relationships
    • Roles mapped to connected systems by group membership
      • The group represents the role and the target system is configured to grant access to the group

  16. Entitlements in FIM
  • Entitlements for use in the FIM Service itself are modeled through R-MPRs
  • Entitlements as Group Memberships are modeled through Security Groups
  • Workflow-based entitlements for storing data in connected systems are modeled as Set + Transition-In T-MPR + Transition-Out T-MPR + Workflows
    • A Set to represent the entitlement
      • A resource that is a member of the Set has received the entitlement; otherwise not
    • A Transition-In T-MPR to invoke the provisioning workflow
    • A Transition-Out T-MPR to invoke the deprovisioning workflow
    • Requires the Run on Policy Update flag for the workflows
      • Exception: may want to avoid re-running a workflow if it has no semantic effect but will cause lots of processing, e.g. notification workflow activities

  17. Roles and Entitlements Design Planning
  • Design for Business Process Roles:
    • Define the roles for the business processes
    • Define the entitlements
    • For each role, determine the entitlements required for it

  18. Avoiding unintended side effects
  Diagram: Entitlement “Full time employee has AD account” on Set “Full time employees” (Filter “/Person[ETYPE=‘FTE’]”), with a Transition-In T-MPR -> Action Workflow “AD Provision” and a Transition-Out T-MPR -> Action Workflow “AD Deprovision”; member Person “Alice” (ETYPE “FTE”).

  19. Avoiding unintended side effects
  • Avoid associating multiple sets with the same entitlement
  Diagram: two entitlements driving the same workflows.
    • Entitlement “Full time employee has AD account” on Set “Full time employees” (Filter “/Person[ETYPE=‘FTE’]”): Transition-In T-MPR -> Action Workflow “AD Provision”, Transition-Out T-MPR -> Action Workflow “AD Deprovision”; member Person “Alice” (ETYPE “FTE”)
    • Entitlement “Employee on leave has AD account” on Set “Employees on leave” (Filter “/Person[ETYPE=‘OnLeave’]”): Transition-In T-MPR -> Action Workflow “AD Provision”, Transition-Out T-MPR -> Action Workflow “AD Deprovision”; member Person “Bob” (ETYPE “OnLeave”)

  20. Avoiding unintended side effects
  • Redefine the set to include all roles sharing this entitlement
  • Define sets in terms of other sets when it makes semantic sense
  Diagram: a single Entitlement “Employees have AD account” on Set “Employees needing AD accounts” (Filter “/Person[/ObjectID=… ]”, defined in terms of the role sets): Transition-In T-MPR -> Action Workflow “AD Provision”, Transition-Out T-MPR -> Action Workflow “AD Deprovision”. Role sets feeding it: Set “Full time employees” (Filter “/Person[ETYPE=‘FTE’]”, member Person “Alice”, ETYPE “FTE”) and Set “Employees on leave” (Filter “/Person[ETYPE=‘OnLeave’]”, member Person “Bob”, ETYPE “OnLeave”).

  21. Roles and Entitlements Implementation Planning
  • First, sync in all the user data
  • For each role, create the set
  • For each sync rule or other workflow-based entitlement:
    • Create the workflows for provisioning and deprovisioning the entitlement
      • Ensure activities are idempotent and reentrant
      • Use Run On Policy Update - ensures the policy is applied to all existing members
    • Create a set which represents the entitlement
    • Create a ‘transition out’ T-MPR configured with the set and the deprovision action workflow
    • Create a ‘transition in’ T-MPR configured with the set and the provision action workflow
  • Avoid using R-MPR workflows for sync rule entitlements
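A small simulation, added here and not taken from the deck, of how Set membership and Transition-In/Transition-Out T-MPRs fire under the two designs of slides 19 and 20 and the build order of slide 21. The filter parser (only the /Person[ETYPE='FTE'] shape), the Person and Set data, and the union_of stand-in for the /Person[/ObjectID=…] set-of-sets filter are constructed assumptions.

```python
import re
FILTER_RE = re.compile(r"^/(\w+)\[(\w+)='([^']*)'\]$")  # only /Type[Attr='v'] is parsed

class FimSet:
    """A Set is a filter over resources; union_of is a constructed stand-in for
    slide 20's set-defined-from-other-sets filter (/Person[/ObjectID=...])."""
    def __init__(self, name, xpath=None, union_of=()):
        self.name, self.xpath, self.union_of = name, xpath, tuple(union_of)
    def contains(self, res, sets):
        if self.xpath:
            otype, attr, value = FILTER_RE.match(self.xpath).groups()
            return res["ObjectType"] == otype and res.get(attr) == value
        return any(sets[n].contains(res, sets) for n in self.union_of)

def apply_change(res, new_attrs, sets, entitlements):
    """Apply the attribute change, then run the action workflow of every T-MPR
    whose Set the resource left (Transition-Out) or entered (Transition-In).
    entitlements maps set name -> (provision workflow, deprovision workflow)."""
    before = {n for n, s in sets.items() if s.contains(res, sets)}
    res.update(new_attrs)
    after = {n for n, s in sets.items() if s.contains(res, sets)}
    ran = []
    for set_name, (provision, deprovision) in entitlements.items():
        if set_name in before - after:
            ran.append(deprovision)   # Transition-Out T-MPR fired
        if set_name in after - before:
            ran.append(provision)     # Transition-In T-MPR fired
    return ran

# Constructed sample data: the role Sets and AD-account workflows of slides 19-20.
BASE_SETS = {
    "Full time employees": FimSet("Full time employees", "/Person[ETYPE='FTE']"),
    "Employees on leave": FimSet("Employees on leave", "/Person[ETYPE='OnLeave']"),
}
AD_ACCOUNT = ("AD Provision", "AD Deprovision")

def alice_goes_on_leave(entitlements, extra_sets=None):
    sets = {**BASE_SETS, **(extra_sets or {})}
    alice = {"ObjectType": "Person", "DisplayName": "Alice", "ETYPE": "FTE"}
    return apply_change(alice, {"ETYPE": "OnLeave"}, sets, entitlements)

def two_sets_one_entitlement():
    # Slide 19 anti-pattern: both role Sets carry the same entitlement, so the
    # FTE -> OnLeave change deprovisions Alice's AD account and provisions it again.
    return alice_goes_on_leave({"Full time employees": AD_ACCOUNT,
                                "Employees on leave": AD_ACCOUNT})

def one_union_set():
    # Slide 20 fix: one Set built from the role Sets carries the entitlement, so
    # Alice never leaves it and the status change runs no AD workflow at all.
    union = FimSet("Employees needing AD accounts",
                   union_of=("Full time employees", "Employees on leave"))
    return alice_goes_on_leave({union.name: AD_ACCOUNT}, {union.name: union})
```

With the union Set in place, only a change that removes Alice from every role Set (for example, termination) fires the Transition-Out T-MPR.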

  22. Deploying FIM Servers

  23. Deploying the FIM Servers
  • Topological considerations
    • Organizational requirements
    • Data partitioning
    • Disaster recovery/business continuity
    • Availability management
    • Performance, scalability, responsiveness
  • See more details in the capacity planning guide at http://technet.microsoft.com/en-us/library/ff400273(WS.10).aspx

  24. Typical Topology
  • FIM Portal and FIM Service are paired
  • Separated from the FIM Service Database and FIM Sync Service
  • Load balancer for web requests

  25. Complex Topology

  26. FIM Portal Deployment
  • Recommend using NLB with session pinning backed by a WSS 3.0 server farm
  • Provide a single alias (CNAME) for end users
  • WSS in a server farm will need a SQL Server database as well
  • Consider having a dedicated Portal install as well for use by administrators

  27. FIM Service Deployment
  • Multiple FIM Service instances can share the same SQL Server FIMService DB
    • Only one can process incoming Exchange messages, however
  • FIM Service typically not disk or CPU bound…
    • except when running workflows
  • FIM Service Partitions control which FIM Service runs which workflows
    • May be useful for handling load from administrator requests, incoming sync operations, service-initiated (e.g. temporal) requests, or WS-* clients
    • See http://blogs.msdn.com/b/darrylru/archive/2009/11/23/service-partitions-multiple-middle-tiers-request-workflow-processing.aspx

  28. FIM Sync Deployment
  • If using 1 Gbps networks and modern hardware, the FIM Sync Service does not need to be collocated with its database
    • For a full import from AD DS of 451,253 objects, FIM Sync Service and SQL Server on separate servers was 18% slower than collocated Sync Service and SQL
      • Full sync 11% slower
      • Full export to Extensible MA only 4% slower
    • For a delta import from AD DS of 18,639 changes, delta import only 2% slower
      • Delta sync only 6% slower
      • Delta export through Extensible MA only 2% slower

  29. SQL Performance Considerations
  • FIM performance is dependent on a well-performing SQL Server
    • RAM and more cores help, as the FIM Service uses stored procedures extensively
  • Storage capability is measured in GB and IOPS
    • Understand the I/O capacity of the storage layer – what are the IOPS SLAs?
    • Example disks: volume for OS (single spindle); volume for log (single spindle); volume for data (5 spindles)
  • Configuration considerations
    • Pre-size your data and log volumes - AUTOGROW ON is only a safety valve
    • Create additional tempdb files
    • Set the database recovery model; if appropriate, schedule your log backups
  • See 200,000 user performance test results at http://technet.microsoft.com/en-us/library/ff400287(WS.10).aspx

  30. FIM and IT Service Management

  31. Identity Management and Service Management
  • FIM and System Center Service Manager (SCSM) are complementary
  • SCSM is where IT generates requests, orchestrates work between people/processes/systems, and tracks history for compliance/auditing
  • Both enable different aspects of end-user self-service, which together dramatically reduces the cost of supporting users
  Diagram: FIM 2010 (Portal, FIM Service, FIM Sync Service, FIM CM) alongside System Center Service Manager (End User Portal and Ops Console, ITIL/MOF Automation); labels Identity and Access Mgmt., Systems Mgmt., and a Common Tech. Infrastructure.

  32. Additional Resources
  • SIA 319
  • www.microsoft.com/fim
  • TechNet Forum
    • http://social.technet.microsoft.com/Forums/en-US/ilm2/threads
    • FIM discussion group, FIM Scriptbox, Greatest Hits Articles
  • TechNet and MSDN content
    • http://technet.microsoft.com/en-us/library/ee621258(WS.10).aspx
    • Topology Planning guide, Capacity Planning guide, Best Practices
  • SQL Resources
    • Storage Top 10 Best Practices
    • Optimizing tempdb Performance
    • SQL Server Best Practices (SQLIO)

  33. Related Content
  • Breakout Sessions
    • SIA321 | Business Ready Security: Exploring the Identity and Access Management Solution
    • SIA201 | Understanding Claims-Based Applications: An Overview of Active Directory Federation Services (AD FS) 2.0 and Windows Identity Foundation
    • SIA302 | Identity and Access Management: Centralizing Application Authorization Using Active Directory Federation Services 2.0
    • SIA303 | Identity and Access Management: Windows Identity Foundation and Windows Azure
    • SIA304 | Identity and Access Management: Windows Identity Foundation Overview
    • SIA305 | Top 5 Security and Privacy Challenges in Identity Infrastructures and How to Overcome Them with U-Prove
    • SIA306 | Night of the Living Directory: Understanding the Windows Server 2008 R2 Active Directory Recycle Bin
    • SIA307 | Identity and Access Management: Deploying Microsoft Forefront Identity Manager 2010 Certificate Management for Microsoft IT
    • SIA318 | Microsoft Forefront Identity Manager 2010: Deploying FIM
    • SIA319 | Microsoft Forefront Identity Manager 2010: In Production
    • SIA326 | Identity and Access Management: Single Sign-on Across Organizations and the Cloud - Active Directory Federation Services 2.0 Architecture Drilldown
    • SIA327 | Identity and Access Management: Managing Active Directory Using Microsoft Forefront Identity Manager
  • Interactive Sessions
    • SIA01-INT | Identity and Access Management: Best Practices for Deploying and Managing Active Directory Federation Services (AD-FS) 2.0
    • SIA03-INT | Identity and Access Management: Best Practices for Deploying and Managing Microsoft Forefront Identity Manager
    • SIA06-INT | Identity and Access Management Solution Demos
  • Hands-On Labs
    • SIA02-HOL | Microsoft Forefront Identity Manager 2010 Overview
    • SIA06-HOL | Identity and Access Management Solution: Business Ready Security with Microsoft Forefront and Active Directory
  • Product Demo Stations
    • Red SIA-5 & SIA-6 | Microsoft Forefront Identity and Access Management Solution

  34. Track Resources Learn more about our solutions: http://www.microsoft.com/forefront Try our products: http://www.microsoft.com/forefront/trial

  35. Resources
  • Learning
    • Sessions On-Demand & Community: www.microsoft.com/teched
    • Microsoft Certification & Training Resources: www.microsoft.com/learning
  • Resources for IT Professionals: http://microsoft.com/technet
  • Resources for Developers: http://microsoft.com/msdn

  36. Complete an evaluation on CommNet and enter to win!

  37. Sign up for Tech·Ed 2011 and save $500 starting June 8 – June 31st: http://northamerica.msteched.com/registration. You can also register at the North America 2011 kiosk located at registration. Join us in Atlanta next year.

  38. © 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

  39. Required Slide
