Best practices in the Identity Management world come hard-won, and are often discovered only after going down paths that seemed perfectly reasonable at the time, only to find they don’t scale or adapt to new business requirements.
Projects fail for many non-technical reasons – politics, resistance to change, poor data quality and unrealistic expectations. In this session get the inside track from someone who’s been architecting and delivering Identity solutions with FIM (and its predecessors) for 7 years, and in many different environments.
The session offers practical advice on preparing the non-technical landscape for your IdM project, and on architecting your solution to really benefit from the strengths of Forefront Identity Manager 2010 R2.
Presented by Carol Wapshere
Disclaimer: These are conference session notes I compiled during various sessions at Microsoft Tech Ed 2012, September 11-14, 2012. The majority of the content comprises notes taken from the presentation slides accompanied, occasionally, by my own narration. Some of the content may be free hand style. Enjoy… Rob
Identity Architecture with Forefront Identity Manager. Don’t build your Identity management solution like Charles Sturt chose to conduct explorations (poorly planned). Pivot to: Don’t rely on bad information!
When do you need to address fundamental design changes? Rapidly changing needs?
- What does FIM do?
- Project planning
What is FIM 2010 R2?
Summary by component.
Synchronization Service – Core service, connects matched objects in directories and applications for provisioning.
Password Synchronization – Driven from Active Directory, can synch with any connected accounts
Portal and Service – Portal based on SharePoint, user administration and workflow
Self-Service Password Reset – Secret questions (portal view), access from GINA or Portal, one time password capability
Reporting – System Center Data Warehouse based, auditing information
Role Management – New! Role modelling, assignment, compliance and maps to permissions
Certificate Manager – Request and renew certificates (can be hooked to Synch service)
What drives an Identity Management project? Stakeholders? Deadlines? Other project dependencies?
Who is driving it? Needs to be properly sponsored (IT driven rarely succeeds).
Early involvement of Identity stakeholders. Understand your environment. Get policy in writing, talk to the people who know. Do data analysis.
- Determine essential vs. desirable
- Focus on outcomes
- Get specifics (define specific tasks, etc)
- Don’t try the big bang (don’t do everything at once)
- Greater scale, greater effort
- Greater scope equals greater risk
- Keep project phases small
Automation requires neat, predictable shapes. Requires a degree of consistency. Don’t focus on trying to automate everything. There will always be manual processes.
FIM is state based.
- Current state of objects
- Future state of objects
- Don’t care about the how or why an object has changed state
- Synch Service
- Custom Workflow
- Web Services
Do try to use out of the box, and use supported functionality. Avoid undocumented API/functionality.
- Runs best on clean data
- Unique identifiers
- Validated source data
- Consistent formatting
- Avoid free text (use drop lists, checkboxes etc)
- Minimise double entry (prefer single entry)
- Multiple data sources (e.g. AD is not necessarily the best place to get phone numbers)
- Locate data sources which are most up to date (sources of truth)
Find the Source (per object type of sub-category)
- One object source
- One attribute source per attribute
- Make sure everyone understands the sources of truth!
Avoids duplication, merge conflicts.
- Identity accounts
- Clean up old accounts
- Move unmanaged accounts out of scope (don’t manage with FIM) – maybe move to alternate OU
Dev and Test
- Have full production data sets (i.e. be realistic)
- Run all rules through real data
- Rules must cope with real data
- Analyse joins/cleans
- Identify exceptions
- Understand scale
- Test hardware/environment should be fully spec’d (as much as possible)
Expect Teething Pain
- Production data may provide surprises
- Just in time requirements
- Confusion about what is changed and where (source data concept)
- Doesn’t work in isolation without management/monitoring
- Data errors/merge issues will occur, require manual intervention
- Rules will change (change FIM, don’t work around it)
Return on Investment?
Integrating a Cloud Application with FIM
Created additional tab in the portal for roles for the Cloud application. Synch service synchs roles to AD. Once authenticated, the Cloud App can read the properties based on the claim token (e.g. group membership). Changes in the portal are automatically synched to AD.
Henry Parkes used to say ‘Federation is great!’ and he wasn’t wrong.
- Automatically provide user data
- Manage licensing
- Ensure tokens are up to date
- Self service and/or approval
- Minimised IT overhead
- Understand the environment
- Develop for automation
- Be realistic (what can FIM do, how much scope to undertake)