Introduction to Identity Management and Forefront Identity Manager 2010 R2 SP1 (Part 2)

by [Published on 9 May 2013 / Last Updated on 9 May 2013]

In this part of this series, I will introduce to you Microsoft’s answer to identity management.

If you would like to be notified when Scott Lowe releases the next part of this article series please sign up to the WindowsNetworking.com Real time article update newsletter.

If you would like to read the first part in this article series please go to Introduction to Identity Management and Forefront Identity Manager 2010 R2 SP1 (Part 1).

Introduction

When we last met, we had just wrapped up a 1,300 word discussion regarding the importance of identity management in the enterprise and outlined some of its benefits. We also discussed some foundational items you need to consider before embarking on an identity management journey in your organization. In this part of this series, I will introduce to you Microsoft’s answer to identity management. Entitled Forefront Identity Manager 2010 R2, Microsoft’s product provides organizations with a comprehensive set of identity management features.

Buying FIM 2010 R2

Before we jump into the product feature set, let’s take a look at how it’s licensed. As is usually the case with Microsoft products, licensing for FIM 2010 R2 is messy and complex.

Servers

First of all, for each server to which you deploy a FIM component, you must buy a server license to run the software.

Database

FIM requires a SQL Server database to operate. Frankly, I’m stunned that Microsoft doesn’t grant a runtime instance of SQL for FIM, but according to the full licensing document, FIM implementers must also buy a SQL Server license.

Users

For each user that you manage through FIM, you need a Windows Server Client Access License (CAL). If you’re a Microsoft shop, you probably already have these licenses.

Additionally, for each user that you manage through FIM, you need a FIM CAL is required. Administrators that manage users through FIM also require a CAL.

If you have external users that you need to include in your FIM environment, you also need an external connector license as well as a CAL for each external user.

Reporting

FIM 2010 R2 leverages the reporting functionality from System Center Service Manager. With the purchase of FIM, you are granted an SCSM license designed strictly to enable reporting.

FIM 2010 R2 components

In small environments, you might deploy most of the FIM environment to a single server, but as the environment grows, you will probably find it easier to deploy FIM to multiple servers. This allows you to more easily grow those aspects of the environment that experience the most usage. The table below describes FIM’s major components.

Component

Description

FIM Synchronization Service

The synchronization service is one of FIM’s core services. It handles “metaverse”-wide synchronization of identities between data sources. This service creates and maintains identities in other systems.

FIM Service

The FIM service is a web service component that provides connecting functionality behind the scenes in FIM.

FIM Portal

The FIM portal is a user and administrator-facing component that exposes much of FIM’s functionality to users, including password reset capability, group management tasks, and administrative options. The portal runs on SharePoint.

FIM Certificate Management

The certificate management component is generally used in conjunction with smart cards and isn’t deeply integrated into the rest of the suite. Many FIM deployments don’t even include this component.

FIM Reporting

FIM leverages System Center Service Manager’s reporting engine. Reporting in FIM is handled through this special SCSM service. Users of FIM are granted a runtime license for SCSM’s reporting component to enable this functionality.

FIM Password Registration Portal

One of FIM’s best features is the ability to provide users with the ability to establish security questions and answers that they can use to reset their passwords on their own in the event that they’re forgotten.

FIM Password Reset Portal

Once a user establishes security questions, if he forgets his password, he can visit the password reset portal and reset it without having to contact the IT help desk. In R2, the password reset portal is fully web based, so it can be used across any platform. There are no longer any ActiveX controls. The password reset tool can also integrate with the Windows login screen so that users can reset their passwords even if they’re unable to log in to their PCs.

SQL (FIM service database database)

The FIM database stores all of the information for the environment and is used for certain transformations that take place.

BHOLD

BHOLD is a relatively new addition to FIM that enables organizations to delegate role management to users. This can further streamline the identity management experience in the organization.

FIM Outlook Client

A number of FIM actions require authorization through built-in workflows. Through the FIM Outlook client add-in, users and administrators can approve or deny actions right from Outlook without having to open a separate application.

Table 1

In this article series, you will learn about the identity management and password reset parts of FIM, but I will not be discussing certificate management.

Some additional terminology

As you may have guessed, FIM is a relatively complex software platform and there is a lot of supporting knowledge that goes into deploying the product. As such, there is quite a bit of terminology that’s important to understand.

  • Metaverse. According to Microsoft, the metaverse is “…a set of tables in the SQL Server database that contains the combined identity information for a person or resource. Management agents update and modify the metaverse from multiple connected data sources, and in turn, management agents use the data in the metaverse to update and modify the connected data sources. The metaverse contains its own schema, which defines which object types and attributes the metaverse can contain.” In other words, the metaverse is the universe in which the various FIM objects reside.
  • Connector space. This is an area where objects are written before being synchronized with the metaverse or a connected data source.
  • Connector. In FIM, a connector is an object is the connector space that is connected to an object in the metaverse.
  • Explicit Connector. A specialized type of connector that can only be created manually and that remains connected even when filters are in place.
  • Management agent. In FIM, a management agent is responsible for connectivity to a specific data source.

Data source options

FIM can connect to a variety of data source data. The list below described which data sources Microsoft Forefront Identity Manager (FIM) 2010 R2 supports:

  • Active Directory Domain Services 2000, 2003, 2003 R2, 2008

  • Active Directory Lightweight Directory Services (ADLDS)

  • Active Directory global address list (GAL) 

  • Attribute-value pair text files 

  • FIM Certificate Management

  • Delimited text files 

  • Directory Services Markup Language (DSML) 2.0 

  • Microsoft Exchange Server 2007 and 2010 (use the management agent for Active Directory)

  • Microsoft SQL Server 2000, SQL Server 2005, SQL Server 2008

  • Fixed-width text files 

  • IBM DB2 Universal Database 9.1 or 9.5

  • IBM Directory Server 6.0 or 6.2

  • LDAP Data Interchange Format (LDIF) 

  • Lotus Notes release 6.5 or 7.0

  • Novell eDirectory 8.7.3 or 8.8

  • Oracle10g Database 

  • AP R/3 Enterprise (4.7), mySAP 2004 (ECC 5.0)

  • Sun ONE and Netscape Directory Server 5.1 and 5.2

  • SAP HCM
  • Oracle eBusiness Suite
  • Oracle PeopleSoft

There are also some additional management agents available for certain online services, such as Office 365. Using these data sources, you can manage identities across just about any system.

High level deployment overview

Bearing in mind that I won’t be covering the certificate management parts of FIM in this series, it’s possible to deploy FIM in a number of different scenarios. Here are some things to keep in mind:

  • Most roles can coexist on a single server. This is generally suitable only in very small or lab environments.
  • The SCSM data warehouse service must run separately from the other services.
  • For scalability, administrators often place each role on a separate server. In the world of virtualization, this is a pretty easy feat to accomplish and provides the opportunity to granularly scale components as needed.
  • A best practice is to install the FIM portal and the FIM service together.

On the issue of scale, not all FIM services can load balance or use multiple servers. Only a single server of the role type is supported.

Summary

With more foundational elements in place, in the next part of this series, we’ll walk through the beginnings of a FIM deployment.

If you would like to be notified when Scott Lowe releases the next part of this article series please sign up to the WindowsNetworking.com Real time article update newsletter.

If you would like to read the first part in this article series please go to Introduction to Identity Management and Forefront Identity Manager 2010 R2 SP1 (Part 1).

Advertisement

Featured Links