Hands on with Microsoft Forefront Identity Manager 2010

Identity management is the bane of many an IT administrator's existence. Employees come and go. Workers from partner companies require access to the network in a time-limited but secure way. Users forget their passwords and lose their smartcards. And new services come online all the time. It's a wonder anyone can get anything done.

There have been tools available for a while that purport to manage the total life cycle of user identity -- from hiring and first authorization to use of new applications until suspension, termination or separation -- all from one system. Microsoft's entry into this market, Forefront Identity Manager 2010, shows itself as a capable product with a few drawbacks.

Forefront Identity Manager 2010, or FIM, relies on a couple of features to differentiate itself from competitors: It gives users the ability to perform a variety of tasks themselves via self-service Web portals, and it's compatible with existing Web standards, enabling it to work with just about any other system.

Users can, for example, change their passwords on a variety of systems through native Windows tools like the log-on prompt. They can also manage group memberships easily through an intranet-based website that supports restricted group memberships and the approval workflows required.

Behind the scenes, FIM takes care of managing encrypted properties like certificates, smartcards, security life cycles and compliance, while wrapping it up in a nice bow with a good, logically arranged administrative user interface.

Policy management

FIM's view of identity management is that employees, their roles and their eventual authorizations and authentication should all fall under the purview of policies. Administrators familiar with Group Policy in Windows will find this metaphor holds well. These policies consist of rules that you, as the administrator, can create to dictate what happens when certain actions take place.

For example, a new-hire rule will create a user account and place him or her into appropriate groups based on date of hire, job position, work location and other factors. The same rule will query and direct the payroll system, via Web services, to add the requisite user information and will interface with the building security system to add the user's smartcard certificate to allow access to the building. Finally, the rule will generate a message to human resources to create a new-hire packet and send it to the new user.

You can imagine similar policies for, say, maternity leave, where, for a defined period of time, a user's building access would be suspended, her e-mail would be redirected, and pay and other HR policies would be modified as necessary and so on. But perhaps most important for security is the ability to manage separations from the company -- turning off access, removing users from security groups and cleanly and tidily processing financial matters.

Policies within FIM can dictate the actions that happen when any of these events -- or any other event that you define -- occur.

These policies that you define are kicked off and then subsequently managed by the Windows Workflow Foundation, or WF (part of the .Net Framework 3.5). WF provides a powerful base for all sorts of interesting and complex workflows, with nesting, conditions and multiple branches. If your group has already invested in creating rules via WF, you can very simply import them into FIM and use and further customize them from within FIM, saving you from reinvesting the time necessary to create the workflows again in a different tool. If you have a proficient developer staff, you can also create workflows in Visual Studio and export them for use within FIM.

Data synchronization

The core of any identity management product, FIM included, is the ability to keep multiple systems --often on different platforms, from different vendors, with different databases -- synchronized as often as possible. The goal is for changes initiated by any system to be replicated accurately and efficiently up and down the chain of related systems.

FIM's predecessor, Microsoft Identity Lifecycle Manager 2007, did a pretty good job of handling such synchronization among Microsoft products. FIM 2010 goes a step further and offers help with making sure databases like Novell eDirectory, Sun Directory Server, Lotus Notes, SQL Server, Oracle, Exchange, Active Directory, SAP and any other database or flat-file systems are updated via policies and workflows.

FIM's core, a synchronization service, manages the data coming into and out of FIM and handles communicating with the target systems -- and in most cases it does so using standards or direct API support with each system. In other words, no messy agents need run on most of these systems.