Microsoft's Forefront Identity Manager simplifies enterprise identity management for end users by automating admin tasks and integrating the infrastructure of an enterprise with strong authentication systems.
The "Microsoft Forefront Identity Manager 2010 R2 Handbook" is an in-depth guide to Identity Management. You will learn how to manage users and groups and implement self-service parts. This book also covers basic Certificate Management and troubleshooting.
Throughout the book we will follow a fictional case study. You will see how to implement IM and also set up Smart Card logon for strong administrative accounts within Active Directory. You will learn to implement all the features of FIM 2010 R2. You will see how to install a complete FIM 2010 R2 infrastructure including both test and production environment. You will be introduced to Self-Service management of both users and groups. FIM Reports to audit the identity management lifecycle are also discussed in detail.
With the "Microsoft Forefront Identity Manager 2010 R2 Handbook" you will be able to implement and manage FIM 2010 R2 almost effortlessly.
Page count: 390
Year of publication: 2012
Copyright © 2012 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
First published: August 2012
Production Reference: 1170812
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham B3 2PB, UK.
ISBN 978-1-849685-36-8
www.packtpub.com
Cover Image by Priyal Bhiwandkar (<[email protected]>)
Author
Kent Nordström
Reviewers
Peter Geelen
Henrik Nilsson
Acquisition Editor
Dhwani Devater
Lead Technical Editor
Pramila Balan
Technical Editors
Veronica Fernandes
Merin Jose
Naheed Shaikh
Copy Editors
Brandt D'Mello
Insiya Morbiwala
Project Coordinator
Sai Gamare
Proofreader
Aaron Nash
Indexer
Tejal Daruwale
Graphics
Manu Joseph
Valentina D'Silva
Production Coordinator
Arvindkumar Gupta
Cover Work
Arvindkumar Gupta
Kent Nordström wrote his first lines of code in the late 70s, so he has been working with IT for quite some time now. When Microsoft released its Windows 2000 operating system, he started a close relationship with them, which has continued ever since.
For many years now, Kent has been working part-time as a subcontractor to Microsoft Consulting Services, and has done many of the implementations of FIM and its predecessors for multinational companies and large organizations in Sweden. Apart from FIM, Kent is also well known within the community for his knowledge of Forefront TMG, Forefront UAG, and PKI. Find out more by visiting his blog at http://konab.com.
I would like to thank my family for their patience during the many evenings and weekends I have spent writing this book.
I would also like to thank Peter Geelen and Henrik Nilsson for taking the time to review my writing. Your feedback has been invaluable!
Peter Geelen is CISSP, CISA, MCT (Microsoft Certified Trainer), MCSE: Security, and MCSA: Security certified, and holds the ITIL and PRINCE2 Foundation certifications.
Peter has been working with ICT since 1997, with a solid base on the Microsoft Windows server platform, running IT and network projects with MS server management and network support, advanced troubleshooting, presales, and enterprise architecture.
Since 2005, he has also been working as a consultant in Security, Identity, and Access Management, delivering Microsoft product support for server and enterprise platforms, such as Windows server, SQL Server, Directory Services, MS Identity Integration Server, MS Identity Lifecycle Manager, Forefront Identity Manager 2010, Omada Identity Manager, PKI, TMG, IAG/UAG, ADFS, and other IDM systems; and single sign-on and security solutions, including Sentillion expreSSO and Vergence product suite, Identity Forge solutions, and BHOLD.
Peter is co-founder of Winsec.be, the Belgian Microsoft Security User Group (http://www.winsec.be). He has been awarded the MVP award for Identity Lifecycle Manager (now MVP Forefront Identity Manager) four times, since 2008.
He is currently working as a Premier Field Engineer, FIM and Security, at Microsoft. Peter blogs at http://blog.identityunderground.be. You may also catch him on LinkedIn, at http://be.linkedin.com/in/pgeelen.
Peter has also reviewed FIM Best Practices Volume 1: Introduction, Architecture And Installation Of Forefront Identity Manager 2010, by David Lundell (http://www.lulu.com/shop/david-lundell/fim-best-practices-volume-1-introduction-architecture-and-installation-of-forefront-identity-manager-2010/ebook/product-18334749.html).
Henrik Nilsson has been working with Forefront Identity Manager and its predecessors since 2006. Before that, he had been working in the IT industry since 1997, mainly as a developer on Microsoft products. In 2010, Henrik was awarded the Microsoft Most Valuable Award for spreading his knowledge about FIM in the community.
Henrik works at Cortego as a consultant within the IDA area using Microsoft products. Cortego is a Swedish consulting company working explicitly with Identity and Access Management.
I wish to thank my girlfriend Amanda, who coped with me not only while I was reviewing this book, but also during the times that I spent on the Identity and Access Management topic, which not only is my job but also my main interest.
You might want to visit www.PacktPub.com for support files and downloads related to your book.
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at <[email protected]> for more details.
At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.
http://PacktLib.PacktPub.com
Do you need instant solutions to your IT questions? PacktLib is Packt's online digital book library. Here, you can access, read and search across Packt's entire library of books.
If you have an account with Packt at www.PacktPub.com, you can use this to access PacktLib today and view nine entirely free books. Simply use your login credentials for immediate access.
Get notified! Find out when new books are published by following @PacktEnterprise on Twitter, or the Packt Enterprise Facebook page.
Chapter 1, The Story in this Book: In this chapter, the author gives a short description of a fictive company, which he uses throughout the book as an example.
He also discusses some of the Identity Management-related challenges faced by the fictive company, solutions to these challenges, and the company's IT system infrastructure.
Chapter 2, Overview of FIM 2010 R2: In this chapter, the author gives an overview of the history of FIM 2010 R2, FIM Synchronization Service, FIM Service, FIM Portal, FIM Reporting, FIM Certificate Management, and licensing.
Chapter 3, Installation: In this chapter, we discuss the prerequisites for installing different components of FIM 2010 R2, see how to actually install the components, and look at a few post-installation steps to get it working.
Chapter 4, Basic Configuration: In this chapter, we discuss some of the basic configurations we need to look at, no matter how our environment looks or how we plan to use FIM 2010 R2. We focus on the initial configuration of FIM Synchronization Service and FIM Service, specifically topics such as creating Management Agents, schema management, FIM Service Management Agents, initial load versus scheduled runs, and moving configurations from the development to the production environment.
If you have an environment already set up, this chapter can act as a guide for you to verify that you have not missed any important steps that will cause your FIM environment to not work properly.
Chapter 5, User Management: User management is the primary goal for most FIM deployments. Synchronizing user information between different Management Agents, and managing user provisioning/deprovisioning is often the first thing we focus on in our FIM deployment.
In this chapter, we discuss how user management is set up in FIM Service and FIM Synchronization Service. We also discuss how to manage users in Active Directory, Microsoft Exchange, a fictive phone system, and how to enable users to do some self-service.
Chapter 6, Group Management: Once you have User Management in place, it is usually time to start looking at Group Management. In this chapter, we will look at the different group scopes and types in AD and FIM, how to manage groups using the Outlook add-in, and synchronizing groups between HR, AD, and FIM.
Chapter 7, Self-service Password Reset: In this chapter, we look at the Self-service Password Reset (SSPR) feature, which allows users to reset their own passwords if they have forgotten them.
We discuss how to enable password management in AD, allow FIM Service to set a password, and configure FIM Service. We also discuss the user experience of the Self-service Password Reset feature.
Chapter 8, Using FIM to Manage Office 365 and Other Cloud Identities: In this chapter, we see how FIM 2010 R2 might fit into the puzzle of managing Office 365 identities and also how FIM might play a role in Identity Federation scenarios.
Chapter 9, Reporting: One of the new features in FIM 2010 R2 is built-in Reporting support. In this chapter, we discuss how to verify the System Center Service Manager 2010 (SCSM) setup, the default reports that are automatically installed, and the SCSM ETL process. We look at the methods to check/verify and modify reports.
Chapter 10, FIM Portal Customization: In this chapter, we take a quick look at the components of the FIM Portal UI. We discuss how to modify the basic FIM Portal UI, and how to customize search scopes and forms.
Chapter 11, Customizing Data Transformations: In this chapter, we will discuss the overall need and options for data transformation and selective deprovisioning. We also look at an example of managing Microsoft Lync, and a case with strange roles.
Chapter 12, Issuing Smart Cards: In this chapter, we will take a look at how we can use FIM CM to issue Smart Cards. You will see how FIM CM adds a lot of functionality and security to the process of managing the complete lifecycle of your Smart Cards.
Chapter 13, Troubleshooting: In this chapter, we discuss how to go about troubleshooting issues, depending on where we see the failure and the type of failure. We also see how to perform backup and restore the various parts of FIM.
In the book we install and configure a complete FIM 2010 R2 environment. In this book, all the installations and servers use the following operating system:
The required software is as follows:
Apart from the software required to get FIM 2010 R2 up and running, the following software is also used or referred to in the book:
If you are implementing and managing FIM 2010 R2 in your business, then this book is for you. You will need to have a basic understanding of Microsoft-based infrastructure using Active Directory. If you are new to Forefront Identity Management, the case-study approach of this book will help you understand the concepts and implement them.
In this book, you will find a number of styles of text that distinguish between different kinds of information. Here are some examples of these styles, and an explanation of their meaning.
Code words in text are shown as follows: "The public domain used by The Company is company.com; this is also the primary email domain used."
A block of code is set as follows:
New terms and important words are shown in bold. Words that you see on the screen, in menus or dialog boxes for example, appear in the text like this: "Open up the Security tab in the domain."
Warnings or important notes appear in a box like this.
Tips and tricks appear like this.
Feedback from our readers is always welcome. Let us know what you think about this book—what you liked or may have disliked. Reader feedback is important for us to develop titles that you really get the most out of.
To send us general feedback, simply send an e-mail to <[email protected]>, and mention the book title through the subject of your message.
If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide on www.packtpub.com/authors.
Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.
You can download the example code files for all Packt books you have purchased from your account at http://www.packtpub.com. If you purchased this book elsewhere, you can visit http://www.packtpub.com/support and register to have the files e-mailed directly to you.
Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books, maybe a mistake in the text or the code, we would be grateful if you would report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/support, selecting your book, clicking on the errata submission form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded to our website, or added to any list of existing errata, under the Errata section of that title.
Piracy of copyright material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works, in any form, on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.
Please contact us at <[email protected]> with a link to the suspected pirated material.
We appreciate your help in protecting our authors, and our ability to bring you valuable content.
You can contact us at <[email protected]> if you are having a problem with any aspect of the book, and we will do our best to address it.
Microsoft Forefront Identity Manager 2010 R2 (FIM 2010 R2) is a tool that helps you with Identity Management. As you might know or are able to guess, Identity Management is, for the most part, process-oriented rather than technology-oriented. In order to be able to explain some concepts within this area, I have chosen to write this book using a fictive company as an example.
In this chapter, I will give you a description of this company and will talk about:
The name of my fictive company is The Company. The Company is neither small nor big. I will not give you any numbers on the size of this company because I do not want you to take my example setup as being optimized for a company of a particular size.
As with many other companies, The Company tries to keep up with modern techniques within their IT infrastructure. They are a big fan of Microsoft and live by the following principle:
If Microsoft has a product that can do it, let's try that one first.
The concept of cloud computing is still somewhat fuzzy to them, and they do not yet know how or when they will be using it. They do understand that in the near future this technology will be an important factor for them, so they have decided that, for every new system or function that needs to be implemented, they will take cloud computing into account.
During a recent inventory of the systems and functions that The Company's IT department supported, a number of challenges were detected. We will now have a look at some of the Identity Management (IdM)-related challenges that were detected.
Within The Company, they discovered that it can take up to one week before a new employee or contractor is properly assigned their role and provisioned to the different systems required by them to do their job.
The Company would like for this to not take more than a few hours.
A number of issues were detected in lifecycle management of identities.
Changes in roles took way too long. Access based on old roles continued even after people were moved to a new function or changed their job. Termination and disabling of identities was also out of control. They found that accounts of users who had left the company more than six months ago were still active.
After a security review, they found out that a consultant who had worked with the HR system still had VPN access and an active administrative account within the HR system. That access should have been disabled about six months ago, when the upgrade project was completed. They also found that the consultant whom the company had engaged to help out during the upgrade no longer even worked for the firm.
What The Company would like is not only a way of defining policies about identity management, but also a tool that enforces it and detects anomalies.
Although The Company has been successful in reducing the number of strong administrative accounts over the last few years, a few still exist. There are also other highly privileged accounts and also a few highly privileged digital identities, such as code signing certificates. The concern is that the security of these accounts is not as strong as it should be.
The Public Key Infrastructure (PKI) within The Company is a one-layer PKI, using an Enterprise Root CA without a Hardware Security Module (HSM). The CSO is concerned that it is not sufficient to start using smart cards, because he feels the assurance level of the PKI is not high enough.
The helpdesk at The Company spends a lot of time helping users who forgot their password. These are both internal users as well as partners, with access to the shared systems.
They found that they had no process or tools in place to trace the status of identities and roles historically. They wanted to be able to answer questions such as:
Once the challenges had been defined, The Company started looking for possible solutions.
When they were searching the globe for someone who might help them with their issues, they found a highly recommended consultant in Sweden, who had worked with identity management for more than a decade. We will now have a look at the solutions that he proposed for their major issues.
By implementing Microsoft Forefront Identity Manager 2010 R2, The Company will be able to:
By using smart cards to store identities of the highly privileged accounts, the security for this type of account is increased. Even if the PKI does not have a high assurance level, it is more secure to use a smart card than to just use a password.
By implementing the Certificate Management (CM) part of FIM 2010 R2, The Company will get the control they would like when managing these strong identities.
Even if the PKI within The Company does not have high assurance levels, the use of smart cards will enhance the security of the highly privileged accounts. If the initial proof-of-concept of using smart cards works out, a redesign of the current PKI will be discussed.
All the services shared with the major partners were using Microsoft Sharepoint. The consultant therefore suggested that The Company should investigate if federation would work with these partners.
The Microsoft product used when implementing federation is Active Directory Federation Services (AD FS). To get an overview of federation and AD FS, please visit http://aka.ms/ADFSOverview.
By implementing federation, it would be easier for The Company to move shared resources to the cloud, for example, moving the SharePoint sites shared with partners to Microsoft Office 365 cloud services. Read more about Office 365 at http://office365.microsoft.com.
Within this book, I will not explain in detail how the implementation of federation using Active Directory Federation Services (AD FS) is made.
The use of FIM is vital in a federation scenario, as federation using claims-based authentication and authorization requires very good control on attributes and group/role membership changes of users.
The following diagram gives you an overview of the relevant parts of infrastructure within The Company:
The servers you see do not in any way represent any scaling scenario, but rather show the different functions I will be using in my examples in this book.
In the following table, you will find a short summary of the systems involved, so that when they are referenced in the book later on, you will have an idea about their usage:
System | Usage | Products installed/to be installed
DC | Domain Controller for the Active Directory domain ad.company.com. | AD DS and DNS roles installed.
CA | Enterprise Root Certification Authority. The Company uses only a one-layer PKI without any HSM. | AD CS, including the Web Enrollment role, installed.
SQL | Central Microsoft SQL Server used by many systems, among them the HR and Phone systems. | SQL Server 2008 R2, including Integration Services, installed.
(no name given) | E-mail system. | Exchange 2010 installed.
RD | Remote Desktop system used by administrators. | Remote Desktop Services role installed.
TMG | The Company firewall. | Forefront Threat Management Gateway 2010 installed.
UAG | The remote access solution used by The Company. | Forefront Unified Access Gateway 2010 installed.
FIM-Dev | The test and development server for FIM. | SQL Server 2008 R2 and Visual Studio 2008 installed. FIM Sync, Service, and Portal will be installed.
FIM-Sync | The FIM Synchronization server. | FIM Synchronization Service will be installed.
FIM-Service | The FIM Web Service and Portal server. | FIM Service and FIM Portal will be installed.
FIM-CM | The FIM Certificate Management server. | FIM CM Service and Portal will be installed.
FIM-PW | The FIM Password Registration and Reset server. | FIM Password Registration and Reset will be installed.
SCSM-MGMT | SCSM Management Server, used by FIM Reporting. | SQL Server 2008 R2 and System Center Service Manager will be installed.
SCSM-DW | SCSM Data Warehouse Server, used by FIM Reporting. | SQL Server 2008 R2 and System Center Service Manager will be installed.
All systems have Microsoft Windows Server 2008 R2 as the operating system.
The products installed/to be installed show the status of the systems when we start our journey with The Company in this book. Details about the features and products already installed will be explained in Chapter 2, Installation.
The Active Directory domain within The Company is ad.company.com, using AD as the NetBIOS name. The public domain used by The Company is company.com; this is also the primary email domain used.
The CIO, CSO, and CTO of The Company found that the solutions explained to them by the consultant would indeed help The Company mitigate the challenges they were facing. They decided to implement FIM 2010 R2.
In this book, we will follow them as they implement FIM 2010 R2. We will see how the different features and functions of FIM 2010 R2 will, in the end, solve all the issues that the company has detected.
The use of digital identities, using smart cards, is very new to them, so they decide that this should initially be implemented as a proof of concept.
You now know a little about the company I will be using in this book to give you examples and to explain concepts. So let's go on and see how The Company implements Microsoft Forefront Identity Manager 2010 R2 in its environment.
In the next chapter, I will start off with an overview to give you some conceptual understanding of FIM 2010 R2.
Microsoft Forefront Identity Manager 2010 R2 (FIM 2010 R2) is not one product, but a family of products working together to mitigate the challenges regarding Identity Management.
The following picture shows a high-level overview of the FIM family and the components relevant to an FIM 2010 R2 implementation:
Within the FIM family, there are some parts that can live by themselves and others that depend on other parts. But, in order to fully utilize the power of FIM 2010 R2, you should have all parts in place.
At the center, we have FIM Service and FIM Synchronization Service (FIM Sync). The key to a successful implementation of FIM 2010 R2 is to understand how these two components work—by themselves as well as together.
In this chapter, I will give you an overview of:
Let me give you a short summary of the versions preceding FIM 2010 R2.
In 1999, Microsoft bought a company called Zoomit. They had a product called VIA—a directory synchronization product. Microsoft incorporated Zoomit VIA into Microsoft Metadirectory Services (MMS). MMS was only available as a Microsoft Consulting Services solution.
In 2003, Microsoft released Microsoft Identity Integration Server (MIIS), and this was the first publicly available version of the synchronization engine today known as FIM 2010 R2 Synchronization Service.
In 2005, Microsoft bought a company called Alacris. They had a product called IdNexus, which was used to manage certificates and smart cards. Microsoft renamed it Certificate Lifecycle Manager (CLM).
In 2007, Microsoft took MIIS (now with Service Pack 2) and CLM and slammed them together into a new product called Identity Lifecycle Manager 2007 (ILM 2007). Despite the name, ILM 2007 was basically a directory synchronization tool with a certificate management side-kicker.
Finally, in 2010, Microsoft released Forefront Identity Manager 2010 (FIM 2010). FIM 2010 was a whole new thing, but as you will see, the old parts from MIIS and CLM are still there. The most fundamental change in FIM 2010 was the addition of the FIM Service component. In my opinion, the most important news was that FIM Service added workflow capability to the synchronization engine. Many identity management operations that used to require a lot of coding were suddenly available without a single line of code.
Many things in this book will be valid for FIM 2010, but this book will cover the R2 release of FIM 2010, released in 2012. In FIM 2010 R2, Microsoft added the FIM Reporting component and also made significant improvements to the other components.
FIM Synchronization Service is the oldest member of the FIM family. Anyone who has worked with MIIS back in 2003 will feel quite at home with it. Visually, the management tools look the same.
FIM Synchronization Service can actually work by itself, without any other component of FIM 2010 R2 being present. You will then basically get the same functionality as MIIS had, back in 2003.
FIM Synchronization Service is the heart of FIM, which pumps the data around, causing information about identities to flow from one system to another.
Let's look at the pieces that make up the FIM Synchronization Service:
As you can see, there are lots of acronyms and concepts that need a little explaining.
On the right-hand side of FIM Synchronization Service, we have the Metaverse (MV). The Metaverse is used to collect all the information about all the identities managed by FIM.
On the other side, we have the Connected Data Source (CDS). A Connected Data Source is the database, directory, file, or other store from which the synchronization service imports information about the managed identities, and/or to which it exports that information.
To talk to different kinds of Connected Data Sources, FIM Synchronization Service uses adapters that are called Management Agents (MA). In FIM 2010 R2, we will start to use the term Connectors, instead. But, as the user interface in FIM Synchronization Manager still uses the term Management Agent, I will use that term throughout this book.
The Management Agent stores a representation of the objects in the CDS, in its Connector Space (CS). When stored in the Connector Space, we refer to the objects as holograms. If we were to look into this a little deeper, we would find that the holograms (objects) are actually stored in multiple instances so that the Management Agent can keep a track of the changes to the objects in the Connector Space.
In order to synchronize information from/to different Connected Data Sources, we connect the objects in the Connector Space with the corresponding object in the Metaverse. By collecting information from all Connected Data Sources, the synchronization engine aggregates the information about the object from all the Connected Data Sources into the Metaverse object. This way, the Metaverse will only contain one representation of the object (for example, a user).
To describe the data flow within the synchronization service, let's look at the previous diagram and follow a typical scenario.
The scenario is this—we want information in our Human Resource (HR) system to govern how users appear in Active Directory (AD) and in our e-mail system.
Projection, Joining, and Provisioning all create a connector between the Metaverse object and the Connector Space object, making it possible to synchronize identity information between different Connected Data Sources.
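To make this data flow concrete, here is an added Python model of the HR-to-AD scenario described above. It is not code from the book or from FIM itself; the sample HR and AD data, the attribute names, the join on employeeID, and the account-naming rule used for provisioning are all assumptions. It walks the path the text describes: each Management Agent imports into its own Connector Space, Connector Space objects are projected or joined to the Metaverse, the inbound flow updates the Metaverse, an unconnected Metaverse object is provisioned into the AD Connector Space, and the outbound flow followed by an export carries the change into AD. The HR and AD Connector Spaces never talk to each other directly.

```python
from dataclasses import dataclass, field

# Constructed sample Connected Data Sources (assumed data, not real systems).
# HR is authoritative for identity attributes; AD holds the accounts.
HR_CDS = {
    "1001": {"employeeID": "1001", "givenName": "Anna", "sn": "Svensson", "department": "Sales"},
    "1002": {"employeeID": "1002", "givenName": "Erik", "sn": "Berg", "department": "IT"},
}
AD_CDS = {
    "asvensson": {"sAMAccountName": "asvensson", "employeeID": "1001", "department": "Marketing"},
}


@dataclass
class MetaverseObject:
    """One aggregated identity in the Metaverse (MV)."""
    attributes: dict = field(default_factory=dict)
    connectors: dict = field(default_factory=dict)   # MA name -> CS anchor


class ManagementAgent:
    """Adapter for one CDS; owns a Connector Space (CS) of holograms."""

    def __init__(self, name, cds, join_attr, inbound, outbound=None):
        self.name, self.cds, self.join_attr = name, cds, join_attr
        self.inbound = inbound              # {mv_attr: cs_attr}: flows CS -> MV
        self.outbound = outbound or {}      # {cs_attr: mv_attr}: flows MV -> CS
        self.cs = {}                        # anchor -> hologram (copy of the CDS object)

    def full_import(self):
        """Stage every CDS object into the CS as a hologram; no MV contact yet."""
        self.cs = {anchor: dict(obj) for anchor, obj in self.cds.items()}
        return len(self.cs)

    def export(self):
        """Write CS holograms back to the CDS and report what changed."""
        delta = {"add": [], "update": []}
        for anchor, holo in self.cs.items():
            if anchor not in self.cds:
                delta["add"].append(anchor)
            elif self.cds[anchor] != holo:
                delta["update"].append(anchor)
            else:
                continue
            self.cds[anchor] = dict(holo)
        return delta


class SyncEngine:
    def __init__(self):
        self.mv = []

    def _find(self, attr, value):
        return next((o for o in self.mv if o.attributes.get(attr) == value), None)

    def inbound_sync(self, ma, project):
        """Join each CS object to an MV object (or project one if allowed),
        then apply the MA's inbound attribute flow CS -> MV."""
        for anchor, holo in ma.cs.items():
            mv_obj = self._find(ma.join_attr, holo[ma.join_attr])
            if mv_obj is None:
                if not project:
                    continue            # stays a disconnector in this CS
                mv_obj = MetaverseObject()
                self.mv.append(mv_obj)
            mv_obj.connectors[ma.name] = anchor
            for mv_attr, cs_attr in ma.inbound.items():
                mv_obj.attributes[mv_attr] = holo[cs_attr]

    def provision(self, ma, new_object):
        """Create a CS object in `ma` for every MV object not yet connected there."""
        for mv_obj in self.mv:
            if ma.name not in mv_obj.connectors:
                anchor, holo = new_object(mv_obj.attributes)
                ma.cs[anchor] = holo
                mv_obj.connectors[ma.name] = anchor

    def outbound_sync(self, ma):
        """Apply outbound flow MV -> CS for every MV object connected to `ma`."""
        for mv_obj in self.mv:
            anchor = mv_obj.connectors.get(ma.name)
            if anchor is not None:
                for cs_attr, mv_attr in ma.outbound.items():
                    ma.cs[anchor][cs_attr] = mv_obj.attributes[mv_attr]


def new_ad_account(attrs):
    """Provisioning rule (an assumption): first initial + surname, lowercased."""
    anchor = (attrs["givenName"][0] + attrs["sn"]).lower()
    return anchor, {"sAMAccountName": anchor, "employeeID": attrs["employeeID"]}


def run_hr_to_ad():
    """HR -> MV -> AD: each CS syncs only with the MV, never with the other CS."""
    hr = ManagementAgent("HR", {k: dict(v) for k, v in HR_CDS.items()}, "employeeID",
                         inbound={a: a for a in ("employeeID", "givenName", "sn", "department")})
    ad = ManagementAgent("AD", {k: dict(v) for k, v in AD_CDS.items()}, "employeeID",
                         inbound={"accountName": "sAMAccountName"},
                         outbound={"department": "department"})
    engine = SyncEngine()
    hr.full_import()
    ad.full_import()
    engine.inbound_sync(hr, project=True)    # HR may project new MV objects
    engine.inbound_sync(ad, project=False)   # AD may only join existing ones
    engine.provision(ad, new_ad_account)     # Erik has no AD account yet
    engine.outbound_sync(ad)                 # MV department -> AD CS
    return {"delta": ad.export(), "ad": ad.cds, "metaverse": [o.attributes for o in engine.mv]}


if __name__ == "__main__":
    print(run_hr_to_ad())
```

Because the AD Management Agent's inbound flow carries only the account name, HR remains precedent for the department attribute: Anna's stale "Marketing" value in AD is overwritten with "Sales" on export, and Erik gets a provisioned account. That is the policy-enforcing behaviour The Company asked for in Chapter 1, and it comes entirely from the two CS-to-MV configurations, with no HR-to-AD link anywhere.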
A key concept to understand here, is that you do not configure synchronization between Connected Data Sources or between Connector Spaces. You synchronize between each Connector Space and Metaverse. Looking at the previous example, you can see that when information flows from HR to AD, you configure the following:
Management Agents, or Connectors as some people call them, are the entities that enable FIM to talk to different kinds of data sources. Basically, you can say that FIM can talk to any type of data source, but it only has built-in Management Agents for some. If the data source is really old, you might even have to use the extensibility platform and write your own Management Agent or buy a Management Agent from a third-party supplier. At http://aka.ms/FIMPartnerMA, you can find a list of Management Agents supplied by Microsoft Partners.
For a complete list of Management Agents built in and available from Microsoft, please look at http://aka.ms/FIMMA.
With R2, a new Management Agent for Extensible Connectivity 2.0 (ECMA 2.0) is released, introducing new ways of making custom Management Agents. I suppose that we will see updated versions of most third party Management Agents as soon as they are migrated to the new ECMA 2.0 platform. Microsoft will also ship new Management Agents using the new ECMA 2.0 platform.
Writing your own MA is one way of solving problems communicating with odd data sources. But, as I will discuss further in Chapter 11, Customizing Data Transformation, there might be other solutions to the problem that will require less coding.
If you are using FIM Synchronization Service the old way, like we did in MIIS or ILM 2007, it is called non-declarative synchronization. I usually call that classic synchronization and will also use that term in this book. If we use the FIM Service logic to control it all, it is called declarative synchronization.
As classic synchronization usually involves writing code and declarative does not, you will also find references calling declarative synchronization codeless.
In fact, it was quite possible, in some scenarios, to have codeless synchronization—even in the old MIIS or ILM 2007—using classic synchronization. The fact also remains that there are very few FIM 2010 R2 implementations that are indeed code-free. In some cases you might even mix the two. This could be due either to migration from MIIS/ILM 2007 to FIM 2010 R2 or to the decision that it is cheaper/quicker/easier to solve a particular problem using classic synchronization.
The solutions I will describe in this book will be based on declarative synchronization, rather than the old-fashioned, classic ones. In Chapter 11, Customizing Data Transformations, I will show some examples in which classic synchronization is the best way to solve some problems.
Let me first state that I am not a fan of using password synchronization. I believe that this should be the last resort to achieve some kind of Single Sign On (SSO). Instead of implementing password synchronization, I try to make my customers look at other ways, such as Kerberos or Federation, to get SSO.
There are, however, many cases where password synchronization is the best option to maintain passwords in different systems. Not all environments can utilize Kerberos or Federation and therefore need the FIM password synchronization feature to maintain passwords in different Connected Data Sources.
To use this feature, the source of the password change is either Active Directory (by installing and configuring Password Change Notification Service (PCNS) on Domain Controllers) or FIM Service. FIM Synchronization Service then updates the password on the connected object in the Connected Data Sources that are configured as password synchronization targets. In order for FIM to set the password in a target system, the Management Agent used to connect to that specific CDS needs to support this. Most Management Agents available today support password management or can be configured to do so.
A very special Management Agent is the one connecting FIM Synchronization Service to FIM Service. Many of the rules we apply to other types of Management Agents do not apply to this one. If you have experience working with classic synchronization in MIIS or ILM 2007, you will find that this Management Agent does not work as the others.
This Management Agent will be fully explained in Chapter 4, Basic Configuration. For now, let's just leave it at the fact that this is a special Management Agent.
If FIM Synchronization Service is the heart pumping information, FIM Service is the brain (sorry FIM CM, but your brain is not as impressive; I'll give you credit later).
FIM Service plays many roles in FIM, and during the design phase the capabilities of FIM Service are often in focus. FIM Service allows you to enforce the Identity Management policy within your organization and also makes sure you are compliant at all times.
FIM Service has its own database, where it stores the information about the identities it manages.
In order to make any changes to objects in the FIM Service database, you need to work your way through the FIM Service request pipeline. So, let's look at the following diagram and walk through the request pipeline:
Every request is made to the web service interface, and follows the ensuing flow:
As you can see, a request to FIM Service may trigger three types of workflows. With the installation of FIM 2010 R2, you will get a few workflows that will cover many basic requirements, but this is one of the situations where custom coding or third-party workflows might be required in order to fulfill the identity management policy within the organization.
Authentication workflow (AuthN) is used when the request requires additional authentication. An example of this is when a user tries to reset his password—the AuthN workflow will ask the anonymous user to authenticate using the QA gateway.
Authorization workflow (AuthZ) is used when the request requires authorization from someone else. An example of this is when a user is added to a group, but the policy states that the owner of the group needs to approve the request.
