What's New FIM 2010 R2
TechNet goes virtual© Microsoft Corporation. All Rights Reserved.
19th June 2009
TechNet goes virtual
Virtual Conference Experience Presentation
Technical Overview
Paul Loonen, CTO Group – Avanade France & Belgium
Agenda
• FIM product roadmap and scenarios
• Forefront Identity Manager 2010 R2 new features and architecture
• Q&A
INTRODUCTION
Evolution of Identity Manager
(Diagram: evolution of the product across releases)
Also shown: Identity Synchronization; User Provisioning; Certificate and Smartcard Management
FIM 2010: Office Integration for Self-Service; Declarative Provisioning; Group & DL Management; Workflow and Policy; Support for 3rd Party CAs
FIM 2010 R2 adds: Web-based password reset; Reporting; Simplified deployment and troubleshooting; Enhanced performance; Enhanced MA connectivity; Added language support
Pillars: User Management; Group Management; Credential Management; Policy Management
Common Platform: Workflow; Connectors; Logging; Web Service API; Synchronization
FIM 2010 R2 RC Availability
• Released November 2011
• Available on Connect
  – Log onto https://connect.microsoft.com/site433
  – Click the Join link
  – Answer the short survey (auto-enrolls in Beta)
  – Click Downloads in the left-hand column
  – Submit feedback through the Connect Feedback link
  – Don’t forget to also download the documentation
• Important note
  – R2 RC is NOT supported in production
SELF-SERVICE PASSWORD RESET
Self-Service Password Reset
• Adds web-based password reset
  – Supports password reset and registration from intranet or extranet via a web browser
  – Support for non-domain-joined machines
  – No ActiveX control required for browser-based reset
  – Internet Explorer 9 support
  – Firefox 4 support for password reset and registration portals only
  – Portals can be customized
    • banner logo, string resources, and cascading style sheets
• Simplify deployment and management experiences for password reset
FIM Password Reset Components – Illustrative Topology
(Diagram) Components labelled: Browser (Internet Explorer) used by the End User; Reverse Proxy Firewall; IIS with the FIM Password Registration Portal and the FIM Password Reset Portal; FIM Service; Active Directory; Windows Client with the FIM Password Reset Extensions; FIM Sync Service; SharePoint with the FIM Portal, used by the End User and the FIM Admin
Setup Experience – PW Reset Portals
1 Choose to install Password Portals
2 Specify whether host is extranet accessible
3 Specify AD user account for Portal
4 Password Portals visible in IIS Manager
SSPR – New Gates
New QA Gate Features
Distinguishing Requests from Extranet - Registration
Security context is determined without reliance upon IP addresses
Registration Portal
• Makes registration request to the FIM Service in the context of the Registration Portal’s AD identity
• Adds an optional SOAP header to tell the FIM Service the identity of the user who is registering
• Adds an optional SOAP header “Security Context” – “Extranet” or “NoneSpecified”
FIM Service
• Identifies registration requests from the Registration Portal’s identity, and for those:
  – Changes the requestor to be the Windows user who is registering
  – Applies policy to the request based on the actual requestor, e.g., “contoso\Mmeyers” instead of “contoso\PWRegistrationPortal”
  – Stamps the security context on the Request object in the FIM Service DB
Windows Client Extensions
• Client makes request in context of logged in AD user, does not send a SOAP header for security context
• FIM Service processes request, with Security Context = null
Distinguishing Requests from Extranet – Reset
Reset Portal
• Makes password reset request to the FIM Service in the context of the Reset Portal’s AD identity
• Adds an optional SOAP header “Security Context” – “Extranet” or “NoneSpecified”
FIM Service
• Identifies reset requests from the reset portal, and for those:
  – Stamps the security context on the Request object in the FIM Service DB
  – When the Password Reset workflow executes, the workflow evaluates the security context of the request, and executes the Gates which correspond to that security context.
Windows Client Extensions
• Client makes request in context of anonymous user, does not send a SOAP header
• FIM Service processes request, with Security Context = null
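As an added illustration (not code from these slides or from FIM itself), the following Python model captures the decision the two preceding slides describe: a portal call arrives under the portal’s AD identity with optional SOAP headers, a Windows client call arrives under the user’s own (or anonymous) identity with no security-context header, and the stored Request object then decides which gates the Password Reset workflow runs. The header names, portal account names, gate names and the gate-to-context mapping are assumptions made for the example.

```python
"""Model of how FIM 2010 R2 tells extranet password-reset traffic apart.

Added illustration, not FIM code. Header names, portal account names and
gate names are assumptions for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed AD service accounts under which the two portals call the FIM Service.
REGISTRATION_PORTAL_ACCOUNT = "contoso\\PWRegistrationPortal"
RESET_PORTAL_ACCOUNT = "contoso\\PWResetPortal"

# Assumed SOAP header names; the slides only say "optional SOAP header".
HDR_USER_IDENTITY = "UserIdentity"        # who is registering (registration only)
HDR_SECURITY_CONTEXT = "SecurityContext"  # "Extranet" or "NoneSpecified"
VALID_CONTEXTS = {"Extranet", "NoneSpecified"}


@dataclass
class IncomingCall:
    kind: str                        # "registration" or "reset"
    caller: str                      # Windows identity the call arrived under
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class StoredRequest:
    """What the FIM Service records on the Request object in its DB."""
    kind: str
    requestor: str                   # identity that policy (MPRs) is evaluated against
    security_context: Optional[str]  # "Extranet", "NoneSpecified" or None


def process(call: IncomingCall) -> StoredRequest:
    ctx = call.headers.get(HDR_SECURITY_CONTEXT)
    if ctx is not None and ctx not in VALID_CONTEXTS:
        raise ValueError(f"unknown security context {ctx!r}")

    if call.kind == "registration" and call.caller == REGISTRATION_PORTAL_ACCOUNT:
        # Registration Portal: the requestor becomes the Windows user being
        # registered, so policy applies to e.g. contoso\Mmeyers rather than to
        # the portal account; the context header is stamped on the request.
        user = call.headers.get(HDR_USER_IDENTITY)
        if not user:
            raise ValueError("registration portal call without user identity header")
        return StoredRequest("registration", user, ctx)

    if call.kind == "reset" and call.caller == RESET_PORTAL_ACCOUNT:
        # Reset Portal: the request stays in the portal's context; only the
        # security context header is stamped on the request.
        return StoredRequest("reset", call.caller, ctx)

    # Windows Client Extensions (logged-in user for registration, anonymous
    # for reset) send no header, and Security Context is recorded as null.
    # Headers from any caller that is not a portal identity are ignored, so a
    # direct caller cannot choose its own security context.
    return StoredRequest(call.kind, call.caller, None)


# Assumed example gate configuration per security context (the slides do not
# name the gates; "SecondFactorGate" is a placeholder).
GATES_BY_CONTEXT: Dict[Optional[str], List[str]] = {
    "Extranet": ["QAGate", "SecondFactorGate"],
    "NoneSpecified": ["QAGate"],
    None: ["QAGate"],
}


def gates_for(request: StoredRequest) -> List[str]:
    """Password Reset workflow step: pick the gates for the stored context."""
    if request.kind != "reset":
        raise ValueError("gates apply to password reset requests only")
    return list(GATES_BY_CONTEXT[request.security_context])


if __name__ == "__main__":
    # Constructed sample calls.
    reg = process(IncomingCall("registration", REGISTRATION_PORTAL_ACCOUNT,
                               {HDR_USER_IDENTITY: "contoso\\Mmeyers",
                                HDR_SECURITY_CONTEXT: "Extranet"}))
    print(reg)
    rst = process(IncomingCall("reset", RESET_PORTAL_ACCOUNT,
                               {HDR_SECURITY_CONTEXT: "Extranet"}))
    print(rst, gates_for(rst))
    print(process(IncomingCall("reset", "ANONYMOUS LOGON",
                               {HDR_SECURITY_CONTEXT: "Extranet"})))
```

The point worth checking in a real deployment is the one the model makes explicit: the headers are honoured only when the call arrives under the portal’s own identity, which is why the slides stress that the context is derived from the caller rather than from IP addresses, and why the portal service accounts should be treated as sensitive.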
Password Reset & Reporting
Example Question: “Which users (or how many users) have successfully registered for Password Reset?”
How Answered: FIM Reporting
Example Question: “Which users (or how many users) have successfully reset their passwords using FIM?”
How Answered: FIM Reporting
Example Question: “What successful requests has a given user made in FIM?”
How Answered: FIM Reporting
Example Question: “What successful and unsuccessful requests have been made to reset a user’s password?”
How Answered: Query from FIM Portal
OUTLOOK ADD-IN FOR FIM 2010 R2
FIM Add-in for Outlook 2010
• R2 Add-in preserves the functionality of the Add-in for Outlook 2007 – hence there’s almost a flat learning curve.
• The Add-in will install on both 32 and 64 bit Outlook
• Automatic detection and installation based on Outlook version – 2007 or 2010.
• Enables you to perform FIM 2010 group management tasks through Outlook 2010
• Tasks include
  – Joining / Leaving a group
  – Adding / Removing a member to / from a group
• Makes group management tasks easily discoverable in Outlook 2010
  – “Groups” tab and associated ribbon
  – Context menus on mail items in mail list view
  – Persona menus on names in mail items
Outlook Add-In: Groups Tab
• Exposes all functionalities of the Add-in on the Outlook ribbon.
Outlook Add-In: Context menu on mail items
Right-clicking on any mail in the mail list:
Outlook Add-In: Persona menus on names in mail items
Right-clicking on the logged-in user:
Right-clicking on any other user:
Group Management – Approvals
Production Deployment Option for Outlook 2010 Add-in
• Available to ALL customers, not just TAP
• R2 add-in compatible with FIM 2010 server components
• Requires accepting supplemental license agreement
  – ONLY grants production deployment rights for this add-in, no other R2 components
  – Must upgrade server components to R2 within 90 days of public release
• Answer Connect survey to accept terms
FIM REPORTING
FIM Reporting
• FIM knows about current state of things
  – Limited to elements that are in FIM
  – FIM is not always authoritative (“What Should Be” vs. “What is”)
  – Limited log of System State changes
    • Request view only keeps information for about 30 days
• R2 adds historical reporting for FIM-managed objects
  – Includes frequently-requested reports; for example
    • Entitlement (Group/Set membership) changes over time
    • Request history
    • Person and group change history
FIM Reporting (2)
• Leverages System Center Service Manager data warehouse
  – Other options were explored but discarded
    • Build on top of FIM DB (performance nightmare – OLTP vs OLAP)
    • Build own data warehouse (would take years to develop)
  – RTM includes SCSM license for FIM Reporting use only
  – Can use existing SCSM if you have it
• Report data store is extensible
  – Required because FIM data model is extensible
  – Can be extended to store history of custom FIM Service objects and attributes
  – Enable customers and ISVs to build custom reports
How to Answer These Questions
(Matrix: State vs. Events, Now vs. History)
State / Now (Source: FIM database via portal)
• Who is in group A?
• What groups does a particular person belong to?
• Who is person Y’s manager?
Events / Now (Source: FIM requests via portal)
• Who joined group A today?
• What groups had new members today?
• How many new people joined the company today?
Events / History (Source: FIM reporting)
• Who joined group A on May 1, 2010?
• How did a group’s membership change over time?
• Who approved a group join?
• How did a set filter definition change over time?
State / History (Not included with FIM Reporting)
• What groups did person A have access to on November 4, 2009?
• What was a group’s membership last July?
Non-targets for R2 Reporting
• Reporting on current state of resources
  – “Show me the membership of the ‘sales’ group.”
• Reporting on failed requests (password reset)
  – “Show me all the failed password resets in the last month.”
• Self-Service Reporting
  – “Show a user the members of groups he owns.”
• Reporting on the metaverse
Out of Box Reports
Report Class: Membership Change Reports
Defined Over: Group Membership (SG + DG); Set Membership
Description: Contains membership changes, who approved them, and the associated request and MPRs that generated the change
Report Class: Object History Reports
Defined Over: Users; Groups; Sets; Requests; Policy Rules
Description: Contains changes to key attributes over time
Reporting Extensibility
• Fully extensible Data Warehouse
  – Extensible dimensional based schema
  – ETL process is further extensible via custom transforms
  – Custom report authoring via SSRS
  – Support for “Favorite reports”
• Dynamic interface for flowing new data from FIM into the Data Warehouse
  – Bindings between FIM and DW, persisted in FIM objects
  – Automatic, scheduled data flow
• Can export to Excel (analysis, etc.)
Reporting Architecture Overview
(Diagram) Components: FIM Service; FIM Service DB; FIM Reporting Administration; Management Packs; System Center Service Manager (Web Service, SCSM Console); SSRS; Data Mart; Staging; Repository; Report Log
Data flows: Import Report; Initial Sync; Incremental Sync
Definitions: Schema Binding; Fact/Dimension Definition; Class/Relationship Definition; Report Definition
Binding Objects (<DWBind><obj 1><obj 2><obj 3>...) and Report Log rows (Row 1, Row 2, Row 3, ...)
OTHER ENHANCEMENTS
Performance Improvements
• Improve performance for initial load of customer data from connected system to FIM Service
• Improve performance for bulk addition from connected system to an existing FIM deployment (e.g., add a new division)
• Provide clearer FIM Service database tuning guidance and enhancements
Performance Improvements - FIM MA
• FIM MA now creates Composite Requests
  – FIM MA gives asynchronous ack to the FIM Sync Service
  – FIM MA writes batch of changes to the FIM Service DB
  – FIM Service creates composite request with multiple targets
  – All changes in the composite must succeed in order for the changes to be applied, otherwise re-sent one at a time
• New configuration settings for FIM MA
  – aggregate - True/False - Controls whether or not batching is used.
  – aggregationThreshold – Controls the size of the batch. The default value is 1000 attribute changes.
  – asynchronous - True/False - Setting to false returns the FIM MA to the FIM 2010 behavior
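An added Python model (not FIM’s own code) of the composite-request behaviour listed above: changes are cut into batches of at most aggregationThreshold attribute changes, a composite is applied only if every change in it succeeds, and a rejected composite is re-sent one change at a time so that the genuinely failing change is isolated. The change tuple shape, the stand-in service with its validation rule, and the reading of asynchronous=False as one request per change are assumptions made for the example.

```python
"""Model of the FIM MA composite-request export behaviour.

Added illustration, not FIM code. The change shape, the apply callback and
the stand-in service are assumptions for the example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterator, List, Tuple

Change = Tuple[str, str, str]  # (object id, attribute, new value) - assumed shape


class FimMaSettings:
    """The three FIM MA settings named on the slide, with the slide's default."""

    def __init__(self, aggregate: bool = True, aggregationThreshold: int = 1000,
                 asynchronous: bool = True) -> None:
        if aggregationThreshold < 1:
            raise ValueError("aggregationThreshold must be positive")
        self.aggregate = aggregate
        self.aggregationThreshold = aggregationThreshold
        self.asynchronous = asynchronous

    def batching_enabled(self) -> bool:
        # asynchronous=False returns the MA to FIM 2010 behaviour, modelled
        # here as one request per change (interpretation of the slide).
        return self.aggregate and self.asynchronous


@dataclass
class ExportStats:
    composite: int = 0                  # composite requests sent
    single: int = 0                     # single-change requests sent
    failed: List[Change] = field(default_factory=list)


def batches(changes: List[Change], threshold: int) -> Iterator[List[Change]]:
    """Split attribute changes into composites of at most `threshold` changes."""
    for i in range(0, len(changes), threshold):
        yield changes[i:i + threshold]


def export(changes: List[Change], settings: FimMaSettings,
           apply: Callable[[List[Change]], bool]) -> ExportStats:
    """Send changes to the service; `apply` returns True only if all succeeded."""
    stats = ExportStats()

    def send_one_at_a_time(items: List[Change]) -> None:
        for change in items:
            stats.single += 1
            if not apply([change]):
                stats.failed.append(change)

    if not settings.batching_enabled():
        send_one_at_a_time(changes)
        return stats

    for batch in batches(changes, settings.aggregationThreshold):
        stats.composite += 1
        if apply(batch):
            continue
        # Composite rejected: nothing in it was applied, so re-send each
        # change individually and isolate the ones that really fail.
        send_one_at_a_time(batch)
    return stats


class FakeFimService:
    """Constructed stand-in: validates a request and applies it all-or-nothing."""

    def __init__(self) -> None:
        self.store: Dict[str, Dict[str, str]] = {}

    @staticmethod
    def _valid(change: Change) -> bool:
        _, attr, value = change
        return attr != "Email" or "@" in value   # toy validation rule

    def apply(self, changes: List[Change]) -> bool:
        if not all(self._valid(c) for c in changes):
            return False                       # whole request rejected
        for obj, attr, value in changes:
            self.store.setdefault(obj, {})[attr] = value
        return True


def demo(threshold: int = 2, aggregate: bool = True):
    """Run a constructed export and return (stats, resulting object store)."""
    svc = FakeFimService()
    changes: List[Change] = [               # constructed sample changes
        ("user1", "DisplayName", "Ann Meyers"),
        ("user1", "Email", "ann@contoso.example"),
        ("user2", "Email", "not-an-address"),   # deliberately invalid
        ("user2", "DisplayName", "Bob Ng"),
        ("user3", "Email", "bob@contoso.example"),
    ]
    settings = FimMaSettings(aggregate=aggregate, aggregationThreshold=threshold)
    return export(changes, settings, svc.apply), svc.store


if __name__ == "__main__":
    stats, store = demo()
    print(stats)   # 3 composites, 2 singles, 1 failed change
    print(store)
```

With the sample data, the middle composite is rejected because of one bad change, and only that change ends up in the failed list after the fall-back; the valid change that shared its batch is still applied. Running the same data with aggregate=False sends all five changes individually.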
Troubleshooting Improvements
• Portal displays errors generated from the FIM Service
• Better error messages
• Correlation identifiers to link user error with service-side error
• New plumbing for Authentication and Authorization workflow errors
• Event Tracing for Windows
• FIM MA Event Log
• Additions to IT Pro documentation for top problem areas
Ease of Use Improvements
• Improvements for troubleshooting
  – Enhanced diagnostics and user-visible error messages in FIM portal and web services
  – Additions to IT Pro documentation for top problem areas
• Best Practices Analyzer (BPA)
  – Reduce overall TCO (and support calls) with a FIM deployment validation tool
  – Identifies possible issues in FIM setup relating to performance, security, configuration
• Improvements in the setup process
  – Easier configuration of scenarios such as password reset
  – Reduced initial load time
“ECMA2” – The New Extensible MA Framework
• Delivered with FIM 2010 Update Rollup 2 (build 4.0.3606.2) and included in R2
• New extensible Management Agents to support
  – Batched call-based import
  – Batched call-based export
  – Programmatic schema, partition, and hierarchy discovery
  – Password management behaves as other methods
  – Custom anchors and additional dn styles
  – Support custom parameters
  – Full Export run step
  – .NET 4 support
• New SAP, Oracle ERP and Lotus Notes MAs are developed using this new API
Platform Investments
• FIM portal supports SharePoint 2010
  – Can install FIM portal on the newest version of SharePoint Foundation
  – Seamless installation experience
• Continued support for WSS 3 (SharePoint 2007)
• Same User and Admin experience on both platforms
Localization
Windows Client Extensions
Password Reset & Registration Portals
FIM Portal and Service
33 languages
Bulgarian, Chinese (Simplified), Chinese (Traditional), Croatian, Czech, Danish, Dutch, Estonian,
Finnish, French, German, Greek, Hindi, Hungarian, Italian, Japanese, Latvian, Lithuanian,
Norwegian (Bokmal), Polish, Portuguese (Brazil), Portuguese (Portugal), Romanian, Russian,
Serbian, Slovak, Slovenian, Spanish, Swedish, Thai, Turkish, Ukrainian
19 languages for RTM
Chinese (Simplified), Chinese (Traditional), Czech, Danish, Dutch, Finnish, French, German,
Italian, Japanese, Korean, Norwegian (Bokmal), Polish, Portuguese (Brazil), Portuguese
(Portugal), Russian, Spanish, Swedish, Turkish
SUMMARY
Conclusion
• Great update to the FIM 2010 platform
• RTM in Q2 2012
• Watch for announcements from Microsoft in this space very soon
Some Resources
• www.microsoft.com/fim
• R2 RC Download on Connect
  – https://connect.microsoft.com/site433
• FIM 2010 Update Rollup 2 (ECMA2)
  – http://support.microsoft.com/kb/2635086
  – ECMA 2 Documentation
  – Notes Connector
  – SAP Connector (Beta)
• TechNet Forum
  – http://social.technet.microsoft.com/Forums/en-US/ilm2/threads
• TechNet
  – http://technet.microsoft.com/en-us/forefront/cc470030.aspx
  – http://technet.microsoft.com/en-us/library/hh322910(v=ws.10).aspx
• Developer Reference on MSDN
  – http://msdn.microsoft.com/en-us/library/ee652263.aspx
Contact Information
[email protected]
@ploonen
http://be-id.blogspot.com
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.