Q&A: What's new with Microsoft identity and access management?

Microsoft's Brjann Brekkan discusses what to expect from identity and access management releases like Forefront Identity Manager 2010 and AD Federation Services 2.0.

In July 2010, Microsoft's Brjann Brekkan participated in a Live Chat at the IT Knowledge Exchange where he answered questions on the latest identity and access management (IAM) releases from Microsoft. Brekkan is the company's senior technical product manager for IAM, and many of the questions he answered dealt with the new Forefront Identity Manager (FIM) 2010 and Active Directory Federation Services (AD FS) 2.0 releases.

Below you will find a sampling of responses from Brekkan's chat, covering topics such as FIM deployment considerations, new features and the cloud. You can find more from the chat by visiting the IT Knowledge Exchange's Microsoft Forefront page, where you can also post questions of your own.

FIM 2010 features and capabilities

On what Forefront Identity Manager 2010 really is:
"FIM is a tool that manages the identities and attributes in identity stores such as Active Directory. This identity store is then used by the identity provider in a claims-based model. FIM can manage the attribute stores that AD FS 2.0 supports (AD, AD Lightweight Directory Services and SQL Server)."

On how FIM 2010 addresses compliance issues:


"As FIM is the connecting central for identity stores, it can help with compliance by making sure user accounts and access rights are kept up to date as changes happen in other systems. [When a user] moves from one role to another, FIM management policy rules fire to remove access as appropriate.

All actions taken by FIM -- including syncing changes to and from connected data stores -- are tracked in FIM. Then we recommend partners such as Omada to provide rich reporting and attestation."

On how customizable FIM 2010 is:
"You can customize a lot of things in FIM. You can define your own objects and attributes in the FIM schema, customize the portal, add custom workflows from Windows Workflow designer and much more. Under Technical Concepts on TechNet, you have a couple of docs on the subject. You also have some great resources and experts at the FIM 2010 forums."

On FIM 2010's ability to synchronize with Active Directory:
"Sync and provisioning with Active Directory allows you to sync users to and from AD using declarative provisioning, meaning you don't write code. You can provision mailboxes on [Exchange Server] as well.

Group management is another big thing; allowing groups to be managed in FIM. You can manage memberships in groups manually or dynamically. There are a couple of great docs on how to do management with AD on TechNet, and you can also view my session from TechEd 2010."

On manually managed vs. criteria-based memberships:
"In FIM, we can manage groups in Active Directory, but we also have sets to group objects together in the FIM Service and Portal so that we can apply policies and actions based on membership or membership changes in sets.

Membership in groups and sets can be manual, where users need to be added or removed manually by themselves or by someone that has permissions. Manual groups can have approval workflows so that the owners of the group need to approve members. Criteria-based membership is where membership is based on a filter of attributes of the user … manager criterion is just an implementation for criteria-based membership -- all users reporting to this manager."

FIM 2010 implementations

On considerations for migrating from ILM 2007 to FIM 2010:
"The two are compatible, so you can migrate your current synchronization rules and configuration to FIM 2010. You would need to [decide] if you'd like to implement declarative provisioning on some of your management agents to get away from the coding you have today. We have provided a document on migration guidance as well."

On limiting SQL Server memory prior to implementing FIM 2010:
"SQL Server performance is the number one thing to plan carefully when deploying larger implementations. [I'm not sure] limiting is the right way, but you should plan your SQL Server memory and, of course, disks."

On the licensing structure for FIM 2010:
"Licensing for FIM is pretty simple. We have a Server license per server that you deploy and a user CAL per user that you manage. List price in the U.S. is $15,000 for server license and $18 per CAL."

Identity and the cloud

On Forefront solutions being extended to Microsoft Azure:
"Extension to the cloud is possible already today with Active Directory Federation Services 2.0. Cloud apps can be built using Windows Identity Foundation that can accept claims from AD FS."

On considerations for using FIM 2010 along with cloud-based applications:
"FIM can be used in two ways. One is to provision users to your applications in the cloud. You would need to have access to the API of the datastore you have in the cloud for those users.


Two, [you can use] FIM to manage the on-premise Active Directory that is used to authenticate users to the cloud app through, for example, AD Federation Services. With FIM, you can make sure that the right people have access and also provide self-service access management as users can request to join the correct groups or modify their user profiles in FIM."

On setting up partner access to on-site and/or cloud-based apps:
"Federation is the best approach to this for your premier partners. You set up a federation trust with your partners that includes defining which claims you need [in order to] give them access to your claims-based apps.

Federation is really nice in that it doesn't tie the app to an infrastructure component such as Active Directory; the app just accepts a set of claims about the user. We have published an awesome e-book from our Patterns and Practices team on the design of claims-based models."

Active Directory Federation Services

On the latest features for Active Directory Federation Services 2.0:
"AD FS 2.0 has support of Security Assurance Markup Language (SAML) 2.0 to enable federation across platforms and across different federation products. We also added more capabilities for creating claims and transforming claims as they are issued to users. [It's a great tool] when you need to extend authentication outside of your network -- to partners or to cloud apps."

On AD FS 2.0 and SharePoint:
"AD FS and SharePoint have a great combination in that SharePoint supports claims-based authentication out of the box, and AD FS can be that Secure Token Service (STS) that provides the claims to users accessing SharePoint. This way you can allow external users access to your SharePoint sites as long as they can provide a claim that your SharePoint trusts and understands."

Remember, you can find more responses from Brekkan on Microsoft identity and access management in our IT Knowledge Exchange forum.
