It's hard to find a Windows environment that doesn't rely heavily on Active Directory these days. Indeed, since the inception of AD in the late 90s and early 2000s it has become the de-facto directory of choice and the 'single source of truth' for logon credentials, username schemas, mailboxes and many other identity-related facets of an organization. Many organizations simply synchronize data from their HR system directly into Active Directory and populate a few fields of information, but how does this data get managed inside the directory? Provisioning and de-provisioning become a big issue, as is synchronization of credentials and automating workflows in other tools that rely on the directory. Forefront Identity Manager (FIM) 2010 simplifies a lot of these tasks while helping enterprises clean up their Active Directory environment as well. In this article, we'll walk through some of the features and capabilities of FIM to help you decide if it's right for your company.
What is FIM and what is it good at?
When evaluating Identity and Access tools, it can be difficult to decide how much to bite off and what an organization really needs from a requirements perspective. Large vendors offer very comprehensive suites of tools that are costly and often require a lot of specialized services to implement and fine tune. For many enterprises, a simple set of requirements emerge when looking at:
- Data Synchronization. The FIM Synchronization service includes the meta-directory, the provisioning engine, and the management agents (MAs) (See Figure 1). It allows for synchronization between the FIM database and other identity sources in an organization.
- Self-service password reset - Allowing users to reset their own password to avoid tying up helpdesk resources.
- Provisioning and de-provisioning accounts in the directory.
FIM fulfills these requirements and has a relatively low cost of admission compared to other products on the market, especially for organizations that are Microsoft shoppers and have Microsoft skillsets within their IT team.
Figure 1: Management Agent creation / provisioning options (Source: technet.com)
Identity and Password Synchronization
Synchronizing Identities (particularly usernames and passwords) across multiple systems can be a quick win for an identity and access solution. Giving a user a single set of credentials to remember and manage makes it easier for them to get their work done, provides for faster provisioning and onboarding when users are accessing new systems and services, and allows for more efficient credential management in an enterprise environment.
FIM offers what is called a state-based system for identity synchronization. It infers changes in the identity store with previously stored data and decides whether there's been a modification or not. FIM uses Management Agents (MAs) to synchronize with other systems like Siebel, People Soft, etc. Imports from these systems are done on a 'delta' basis, importing only what's changed from the primary source. This allows for business rules to be enforced persistently across the entire environment. For example, synchronization of objects can be done on a regular schedule (every 24 hours) and policy can be enforced across the environment uniformly for things like minimum password length, password expiration, etc.
Synchronizing multiple data sources through FIM allows for an important view into the environment from an audit and compliance perspective as well. Being able to perform a cursory audit on other systems, but diving deep on credential security and configuration in a single system like Active Directory through the FIM meta-verse, saves a lot of time and energy from an internal and external review perspective. Also, the ability to add and remove Management Agents provides for future growth as you expand FIM out beyond simple Active Directory and your HR application synchronization. If the default FIM interface and options don't provide enough "detail", there is a scripting component that allows for development of custom Management Agents and a fairly active partner community that develops these as well. Synchronization of identity with FIM is something you can start small with and grow as you need to.
Self-service password reset
With many organizations citing password reset as the #1 request to the helpdesk, the ability to move to a self-service option is very attractive. Providing users a set of questions and process (See Figure 2) to perform their own password reset could save tens of thousands of dollars in time and resources over the course of a year. Indeed, many companies justify the cost of an identity and access solution based on the potential cost savings from this module.
Figure 2: FIM Self-Service Password Reset registration screen (source: blogs.technet.com)
In FIM, there are two components to the self-service password reset module: the FIM Password Reset Portal and the FIM Password Reset client, which gets installed locally on managed machines. A current drawback with the solution today is that it's required to be installed on a domain-joined client. In future versions of FIM, Microsoft has hinted that this module will be expanded to work on non-domain joined clients as well.
To use the password management tool, users must first register with the system and enter a number of data points. A set of security questions is created by the administrator that the user must provide valid answers to. These questions can be defined by the administrator and the user has the ability to select which they'd like to answer. Examples include "What City were you born in?" or "What was your first pet's name?" This flexibility reduces the likelihood that the user can be easily spoofed and the customization of questions allows the administrator to keep a 'hands-off' approach to the reset process as much as possible.
From a user interface perspective, the Self Service Password Reset module in FIM integrates into the Windows logon screen, providing for a very seamless experience for the end user. This is a huge plus when training end users on the process to change or reset their password.
Provisioning and De-Provisioning Accounts
FIM can be used as the authoritative provisioning and de-provisioning tool for Active Directory. This is great from an Active Directory cleanup perspective as users can be assigned groups for things like job role or physical site and as they move from one location to another. With FIM, the provisioning process can be triggered through a workflow embedded in a tool like SharePoint or even in Outlook for group management. Business rules can be enforced to automatically remove access to certain resources or remove objects out of groups as users transfer roles within the company (ex: moving from an HR organizational role to an IT organizational role).
A big issue in provisioning accounts is the lack of a consistent and easy to use process for an accounts administrator to add, remove or modify accounts. The Active Directory Users and Groups tool is not the most intuitive user interface and mistakes can easily be made. FIM provides a step by step blueprint to provision a new employee and a drop-down for a job or role, eliminates much of the human error factor (See Figure 3). Again, this is very helpful from an audit and compliance perspective as well.
Figure 3: Customized FIM portal administration screen. (Source: blogs.msdn.com)
Forefront Identity Manager is a relatively low cost solution for Identity and Access management. It is not as complex as some other products on the market, but an easy integration with Active Directory and a tight coexistence with the Microsoft ecosystem, large or small. The user experience for self-service password reset is tough to compete with. Synchronizing objects in the meta-verse is an easily automated process and is extensible to a number of different systems. Learn more about FIM here and see if it makes sense to deploy in your environment.