
Microsoft Forefront Identity Manager 2010 review


Identity management is the bane of many an IT administrator's existence. Employees come and go. Workers from partner companies require access to the network in a time-limited but secure way. Users forget their passwords and lose their smartcards. And new services come online all the time. It's a wonder anyone can get anything done.

There have been tools available for a while that purport to manage the total lifecycle of user identity from one system: from hiring and first authorisation, through the adoption of new applications, until suspension, termination or separation. Microsoft's entry into this market, Forefront Identity Manager 2010, proves to be a capable product with a few drawbacks.

Forefront Identity Manager 2010, or FIM, relies on a couple of features to differentiate itself from competitors. It gives users the ability to perform a variety of tasks themselves via self-service web portals, and it's compatible with existing web standards, enabling it to work with just about any other system.

How we tested

I reviewed FIM in a Hyper-V virtual environment with two Active Directory domain controllers, an Exchange machine and FIM 2010 servers in two different Windows domains. All of this was housed on a single Dell rackmounted server.

While this is clearly not a production setup, it was a useful testbed for ensuring that FIM worked as advertised. In addition, over the course of 2010, I had the opportunity to deploy FIM in a production environment with a business services firm that has four heterogeneous systems and more than 2,500 users. I found that my experiences with the client deployment and the tests in my lab environment were very similar.

Users can, for example, change their passwords on a variety of systems through native Windows tools like the logon prompt. They can also manage group memberships easily through an intranet-based website that supports restricted group memberships and approval workflows.

Behind the scenes, FIM takes care of certificates, smartcards, security lifecycles and compliance, and wraps it all up in a good, logically arranged administrative user interface.

Policy management

FIM's view of identity management is that employees, their roles and their eventual authorisations and authentication should all fall under the purview of policies. Administrators familiar with Group Policy in Windows will find this metaphor holds well. These policies consist of rules that you, as the administrator, can create to dictate what happens when certain actions take place.

For example, a new hire rule will create a user account and place him or her into appropriate groups based on date of hire, job position, work location and other factors. The same rule will query and direct the payroll system, via web services, to add the requisite user information and will interface with the building security system to add the user's smartcard certificate to allow access to the building. Finally, the rule will generate a message to human resources to create a new hire packet and send it to the new user.

Identity management

You can imagine similar policies for maternity leave, where for a defined period of time a user's building access would be suspended, her email would be redirected, and pay and other HR policies would be modified as necessary. But perhaps most important for security is the ability to manage separations from the company: turning off access, removing users from security groups and cleanly and tidily processing financial matters.

Policies within FIM can dictate the actions that happen when any of these events, or any other event that you define, occurs.

The policies you define are started and then managed by Windows Workflow Foundation, or WF (part of the .NET Framework 3.5). WF provides a powerful base for all sorts of interesting and complex workflows, with nesting, conditions and multiple branches.

If your group has already invested in creating rules via WF, you can very simply import them into FIM and use and further customise them from within FIM, saving you from reinvesting the time necessary to create the workflows again in a different tool. If you have a proficient developer staff, you can also create workflows in Visual Studio and export them for use within FIM.

Data synchronisation

The core of any identity management product, FIM included, is the ability to keep multiple systems, often on different platforms, from different vendors, with different databases, synchronised as often as possible. The goal is for changes initiated by any system to be replicated accurately and efficiently up and down the chain of related systems.

FIM's predecessor, Microsoft Identity Lifecycle Manager 2007, did a pretty good job of handling such synchronisation among Microsoft products. FIM 2010 goes a step further and offers help with making sure databases like Novell eDirectory, Sun Directory Server, Lotus Notes, SQL Server, Oracle, Exchange, Active Directory, SAP and any other database or flat-file systems are updated via policies and workflows.

FIM's core, a synchronisation service, manages the data coming into and out of FIM and handles communication with the target systems, and in most cases it does so using standards or direct API support for each system. In other words, no messy agents need to run on most of these systems.

What's nice about this level of integration and synchronisation is that changes made not only in FIM, but in any individual connected system, are automatically replicated back to all other systems of which FIM is aware. So if you change a password directly in Active Directory, FIM will pick that up very soon afterward. The precise delay is a function of link speeds, the systems involved and other factors, but we're talking a matter of minutes, and then that information will be distributed to, say, SAP.

Likewise, if you remove a user from your business intelligence system, you can configure FIM so that when it detects that a user has been deleted, it will then remove the user from all of the other appropriate systems at the time of the next synchronisation. This way, all of the places where identities live (and die) are kept up to date and fresh.

All of these synchronisation actions can be gated via the workflow system so that administrators or other designated personnel have to approve changes before they are propagated throughout your organisation. This is most helpful for creating and deleting users, but also worthwhile for other changes, depending on the sensitivity of the systems in your network.
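The hub-and-spoke synchronisation just described, with deletions held back until someone approves them, as a constructed Python model added here (this is not FIM's code; the system names, user records and the approval set are assumptions for the example):

```python
# Constructed model of a sync hub: every connected system is a dict of
# user_id -> attributes, and the hub keeps its own last-known view.
from dataclasses import dataclass, field


@dataclass
class SyncHub:
    systems: dict                                   # name -> {uid: attrs}
    metaverse: dict = field(default_factory=dict)   # hub's last-known view
    pending_deletes: list = field(default_factory=list)

    def import_changes(self):
        """Read every connected system; return (updates, deletions) since last sync."""
        updates, deletions = {}, set()
        for name, store in self.systems.items():
            for uid, attrs in store.items():
                # Any record differing from the hub's view is a change made in that system.
                # If two systems disagree, the last one read wins here; a real sync engine
                # resolves that with per-attribute precedence rules.
                if self.metaverse.get(uid) != attrs:
                    updates[uid] = (name, attrs)
            for uid in self.metaverse:
                # Assumption: every hub user is projected to every system, so a user the
                # hub knows about that is missing from a system was deleted there.
                if uid not in store:
                    deletions.add(uid)
        return updates, deletions

    def run_sync(self, approvals=frozenset()):
        """One cycle: fan out attribute changes; fan out deletes only once approved."""
        updates, deletions = self.import_changes()
        for uid, (_source, attrs) in updates.items():
            self.metaverse[uid] = dict(attrs)
            for store in self.systems.values():
                store[uid] = dict(attrs)
        for uid in deletions:
            if uid in approvals:
                # Approved: remove the identity everywhere it still lives.
                self.metaverse.pop(uid)
                for store in self.systems.values():
                    store.pop(uid, None)
                if uid in self.pending_deletes:
                    self.pending_deletes.remove(uid)
            elif uid not in self.pending_deletes:
                # Not approved: park it for an administrator instead of deprovisioning.
                self.pending_deletes.append(uid)
        return sorted(updates), sorted(deletions)
```

The gate matters because a wiped or misconfigured source system would otherwise deprovision every user downstream at the next cycle.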

Alongside the sync service, FIM excels at managing smartcards and certificates and at enhancing and automating the user provisioning process. FIM can handle the creation and expiration of user certificates stored both on a system and on a physical smartcard, and takes care of the provisioning and decommissioning of these tools. Since FIM rides on top of Windows' Active Directory Certificate Services, your administrators' expertise and familiarity with standard features of Windows Server will pay off here as well.

User self-service

One of the big points of emphasis in FIM 2010 is the delegation of simple administrative tasks to users themselves. From resetting passwords to managing distribution groups, FIM's web portal makes it reasonably simple for users to manage their group memberships, profile information (like addresses and office and mobile phone numbers for example) and passwords themselves, without involving a help desk call.

For distribution group management, users can even subscribe to or delete themselves from groups from within their Outlook mail client, right where they're most likely to receive the mail they want to opt out from.

Additionally, FIM will let users reset their passwords from GINA, the traditional Windows logon screen. This process is gated by a challenge/response-type authentication mechanism: users establish reasonable security questions that add some rigour to the password reset process.

Drawbacks

While FIM works as advertised, to be frank the largest drawback is its pricing: it's stratospheric. According to Microsoft, FIM 2010 is licensed on both (as in simultaneously; you can't choose one or the other) a per-server and a per-user Client Access License (CAL) basis. FIM 2010 has a list price of $15,000 per server and $18 per user CAL. Additionally, FIM is available only through volume licensing programmes.

At the lowest levels of compliance with those terms, you need a server licence for each server on which FIM components are installed, which gives you the right to use FIM server software, a CAL for each user for whom the software issues or manages identity information and a CAL for each administrator using FIM management capabilities. Not easy on the budget.

On a more minor basis, the product is not well documented either. Outside of the in-product help, there isn't a lot of support on the Microsoft website. There is a big FIM user community, however, and it isn't hard to find consultants with deployment and implementation expertise.


Comments

Joe said: I was using Active Roles Server for provisioning. My IT co-director went mad and replaced Active Roles with FIM. If I compare FIM with Active Roles, ARS gets 99/100 and FIM gets 1/100. FIM is truly a SHIT.

Anon said: Sir, have you seen any other IdM system at all? FIM is not really enterprise ready, doesn't handle provisioning particularly efficiently, and the declarative rules require sync/import/export/sync before they can be used. Does this solution really scale compared to market leaders such as Novell, Oracle and Courion? C'mon man, FIM is just not even in the same league.
