Hands on with Microsoft Forefront Identity Manager 2010

The tool's key differentiators: User self-service and broad compatibility with other software


What's nice about this level of integration and synchronization is that changes made not only in FIM but in other systems individually are automatically replicated back to all other systems of which FIM is aware. So if you change a password directly in Active Directory, FIM will pick that up very soon afterward -- the precise amount of time is a function of link speeds, the systems involved and other factors, but we're talking a matter of minutes -- and distribute that information to, say, SAP. Likewise, if you remove a user from your business intelligence system, you can configure FIM so that when it detects that a user has been deleted, it will then remove the user from all of the other appropriate systems at the time of the next synchronization.

Forefront - workflow customization
FIM's workflow engine is published through a Web-based SharePoint interface, making it easy to see the steps required in designing a workflow for an activity; here, the activity consists of the challenge questions presented to a user when resetting passwords.

This way, all of the places where identities live (and die) are kept up to date and fresh.

All of these synchronization actions can be gated via the workflow system so that administrators or other designated personnel have to approve changes before they are sequenced throughout your organization -- most helpful for creating and deleting users, but also helpful depending on the sensitivity of the systems in your network.

Alongside the synchronization service, FIM excels at managing smartcards and certificates and at enhancing and automating the user-provisioning process. FIM can handle the creation and expiration of user certificates stored both on a system and on a physical smartcard and takes care of the provisioning and decommissioning of these tools. Since FIM rides on top of Windows' Active Directory Certificate Services, your administrators' expertise and familiarity with standard features of Windows Server will pay off here as well.

User self-service

One of the big points of emphasis in FIM 2010 is the delegation of simple administrative tasks to users themselves. From resetting passwords to managing distribution groups, FIM's Web portal makes it reasonably simple for users to manage their own group memberships, profile information (like addresses and office and mobile phone numbers) and passwords, without involving a help desk call.

Forefront - Group memberships
FIM makes it easy for users to service their own group memberships from within the Outlook client environment; users outside of Outlook can use a Web-based portal to make changes.

For distribution group management, users can even subscribe to or delete themselves from groups from within their Outlook mail client, right where they're most likely to receive the mail they want to opt out from. Considering the fact that popular statistics put the cost of help-desk assistance at many tens of dollars to more than $100 per call, empowering your end users to do things themselves only helps.

Additionally, FIM will let users reset their passwords from GINA -- the traditional Windows log-on screen. This process is gated so that users have a challenge/response-type authentication mechanism, establishing reasonable security questions that add some tightness to the password-reset process.


While FIM works as advertised, to be frank the largest drawback is its pricing: It's stratospheric. According to Microsoft, FIM 2010 is licensed on both (as in, simultaneously -- you can't choose one or the other) a per-server and per-user Client Access License (CAL) basis. FIM 2010 has a list price of $15,000 per server and $18 per user CAL. Additionally, FIM is available only through volume licensing programs.

At the lowest levels of compliance with those terms, you need a server license for each server on which FIM components are installed, which gives you the right to use FIM server software; a CAL for each user for whom the software issues or manages identity information, and a CAL for each administrator using FIM management capabilities. Not easy on the budget.

On a more minor note, the product is not well documented either -- outside of the in-product help, there isn't a lot of support on the Microsoft website. There is a big FIM user community, however, and it isn't hard to find consultants with deployment and implementation expertise.

Wrapping up

FIM 2010 offers enterprises the ability to do something elusive: To control, in an automated way, all of the users, and their identities, that come into an organization and to manage their life cycles, from creation to daily duty to separation. Given the increased emphasis on compliance, closing security loopholes and identifying areas in which manual processes aren't keeping up, FIM 2010 certainly provides a compelling, if very expensive, solution for managing those "who's" and making sure they're on -- or off -- systems as they should be.

Jonathan Hassell is an author, consultant and speaker on a variety of IT topics. His published works include a variety of books on Windows clients and servers, including Learning Windows Server 2003. You can reach Jon at jhassell@sunvalleygp.com or follow him on Twitter at @jghassell.

Copyright © 2011 IDG Communications, Inc.
