what's new fim 2010 r2

Click to edit Master title style

TechNet goes virtual© Microsoft Corporation. All Rights Reserved.

19th June 2009

TechNet goes virtual

Virtual ConferenceExperiencePresentation



TechNet goes virtual

Technical Overview

Paul LoonenCTO Group – Avanade France & Belgium



Agenda

• FIM product roadmap and scenarios• Forefront Identity Manager 2010 R2

new features and architecture• Q&A



INTRODUCTION



Evolution of Identity Manager

Office Integration for Self-ServiceDeclarative ProvisioningGroup & DL ManagementWorkflow and PolicySupport for 3rd Party CAs

User Management

GroupManagement

Credential Management

Common PlatformWorkflowConnectorsLoggingWeb Service APISynchronization

PolicyManagement

Identity SynchronizationUser Provisioning Certificate and Smartcard Management

Web-based password resetReportingSimplified deployment and troubleshootingEnhanced performanceEnhanced MA connectivityAdded language support

User Management

GroupManagement



PolicyManagement

R2



FIM 2010 R2 RC Availability

• Released November 2011• Available on Connect

– Log onto https://connect.microsoft.com/site433– Click the Join link– Answer the short survey (auto-enrolls in Beta)– Click Downloads in the left-hand column– Submit feedback through the Connect Feedback

link– Don’t forget to also download the documentation

• Important note– R2 RC is NOT supported in production

https://connect.microsoft.com/site433



SELF-SERVICE PASSWORD RESET



Self-Service Password Reset

• Adds web-based password reset– Supports password reset and registration from

intranet or extranet via a web browser– Support for non-domain-joined machines– No ActiveX control required for browser-based reset– Internet Explorer 9 support– Firefox 4 support for password reset and registration

portals only– Portals can be customized

• banner logo, string resources, and cascading style sheets

• Simplify deployment and management experiences for password reset



IIS

FIM Password Reset Components

Browser

FIM Password

Registration Portal

FIM Password

Reset Portal

FIM Service Active

Directory

Windows Client

FIM Password

Reset Extensions

FIM Sync Service

SharePoint

FIM Portal

InternetExplorer

End User

End User

FIM Admin

Reverse Proxy Firewall

Illustrative Topology



Setup Experience – PW Reset Portals

2 Specify whether host is extranet accessible1 Choose to install Password Portals

4 Password Portals visible in IIS Manager3 Specify AD user account for Portal



SSPR – New Gates



New QA Gate Features

http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-78-39/6761.QAEnhancement.png



Distinguishing Requests from Extranet - Registration

Security context is determined without reliance upon IP addresses

Registration Portal• Makes registration request to the FIM Service in the context of the Registration Portal’s AD identity

• Adds an optional SOAP header to tell the FIM Service the identity of the user who is registering

• Adds an optional SOAP header “Security Context” – “Extranet” or “NoneSpecified”

FIM Service• Identifies registration requests from the Registration Portal’s identity, and for those:

– Changes the requestor to be the Windows user who is registering

– Applies policy to the request based on the actual requestor, e.g., “contoso\Mmeyers” instead of “contoso\PWRegistrationPortal”

– Stamps the security context on the Request object in the FIM Service DB

Windows Client Extensions• Client makes request in context of logged in AD user, does not send a SOAP header for security

context

• FIM Service processes request, with Security Context = null



Distinguishing Requests from Extranet – Reset

Reset Portal• Makes password reset request to the FIM Service in the context of the Reset Portal’s

AD identity

• Adds an optional SOAP header “Security Context” – “Extranet” or “NoneSpecified”

FIM Service• Identifies reset requests from the reset portal, and for those:

– Stamps the security context on the Request object in the FIM Service DB

– When the Password Reset workflow executes, the workflow evaluates the security context of the request, and executes the Gates which correspond to that security context.

Windows Client Extensions• Client makes request in context of anonymous user, does not send a SOAP header

• FIM Service processes request, with Security Context = null



Password Reset & Reporting

Example Questions How Answered

“Which users (or how many users) have successfully registered for Password Reset?”

“Which users (or how many users) have successfully reset their passwords using FIM?”

“What successful requests has a given user made in FIM?”

FIM Reporting

“What successful and unsuccessful requests have been made to reset a user’s password?”

Query from FIM Portal



OUTLOOK ADD-IN FOR FIM2010 R2



FIM Add-in for Outlook 2010

• R2 Add-in preserves the functionality of the Add-in for Outlook 2007 – hence there’s almost a flat learning curve.

• The Add-in will install on both 32 and 64 bit Outlook• Automatic detection and installation based on Outlook version –

2007 or 2010.• Enables you to perform FIM 2010 group management tasks

through Outlook 2010• Tasks include

– Joining / Leaving a group– Adding / Removing a member to / from a group

• Makes group management tasks easily discoverable in Outlook 2010– “Groups” tab and associated ribbon– Context menus on mail items in mail list view– Persona menus on names in mail items



Outlook Add-In: Groups Tab

• Exposes all functionalities of the Add-in on the Outlook ribbon.



Outlook Add-In: Context menu on mail items

Right-clicking on any mail in the mail list:



Outlook Add-In: Persona menus on names in mail items

Right-clicking on the logged-in user:

Right-clicking on any other user:



Group Management – Approvals



Production Deployment Option for Outlook 2010 Add-in

• Available to ALL customers, not just TAP• R2 add-in compatible with FIM 2010

server components• Requires accepting supplemental license

agreement– ONLY grants production deployment rights

for this add-in, no other R2 components– Must upgrade server components to R2

within 90 days of public release• Answer Connect survey to accept terms



FIM REPORTING



FIM Reporting

• FIM knows about current state of things– Limited to elements that are in FIM– FIM is not always authoritative (“What Should Be”

vs. “What is”)– Limited log of System State changes

• Request view only keeps information for about 30 days

• R2 adds historical reporting for FIM-managed objects– Includes frequently-requested reports; for example

• Entitlement (Group/Set membership) changes over time• Request history• Person and group change history



FIM Reporting (2)

• Leverages System Center Service Manager data warehouse– Other options were explored but discarded

• Build on top of FIM DB (performance nightmare – OLTP vs OLAP)

• Build own data warehouse (would take years to develop)

– RTM includes SCSM license for FIM Reporting use only– Can use existing SCSM if you have it

• Report data store is extensible– Required because FIM data model is extensible– Can be extended to store history of custom FIM Service

objects and attributes– Enable customers and ISVs to build custom reports



How to Answer These QuestionsState Events

Now

• Who is in group A?• What groups does a particular

person belong to?• Who is person Y’s manager?

• Who joined group A today?• What groups had new members

today?• How many new people joined the

company today?

• Who joined group A on May 1, 2010?

• How did a group’s membership change over time?

• Who approved a group join?• How did a set filter definition change

over time?

• What groups did person A have access to on November 4, 2009?

• What was a group’s membership last July?

Not included with FIM Reporting Source: FIM reporting

Source: FIM requests via portalSource: FIM database via portal

History



Non-targets for R2 Reporting

• Reporting on current state of resources– “Show me the membership of the ‘sales’

group.”

• Reporting on failed requests (password reset)– “Show me all the failed password resets in the

last month.”

• Self-Service Reporting– “Show a user the members of groups he owns.”

• Reporting on the metaverse



Out of Box Reports

Report Class Defined Over Description

Membership Change Reports

• Group Membership (SG + DG)

• Set Membership

Contains membership changes, who approved them, and the associated request and MPRs that generated the change

Object History Reports

• Users• Groups• Sets• Requests• Policy Rules

Contains changes to key attributes over time



Reporting Extensibility

• Fully extensible Data Warehouse– Extensible dimensional based schema– ETL process is further extensible via custom

transforms– Custom report authoring via SSRS– Support for “Favorite reports”

• Dynamic interface for flowing new data from FIM into the Data Warehouse– Bindings between FIM and DW, persisted in FIM

objects– Automatic, scheduled data flow

• Can export to Excel (analysis, etc.)



Reporting Architecture Overview

FIM Service

FIM Reporting Administration

Management Packs

System Center Service Manager SSRS

Web

Se

rvic

eSC

SM

Cons

ole

FIM Service DB

Import Report

Initial Sync

Incremental Sync

Schema Binding

Fact/Dimension Definition

Class/Relationship Definition

Report Definition

Data Mart SSRS

Staging

Repository

<DWBind><obj 1><obj 2><obj 3>...

Binding Objects

Row 1Row 2Row 3Row 4Row 5Row 6….….….

Report Log



OTHER ENHANCEMENTS



Performance Improvements

• Improve performance for initial load of customer data from connected system to FIM Service

• Improve performance for bulk addition from connected system to an existing FIM deployment (e.g., add a new division)

• Provide clearer FIM Service database tuning guidance and enhancements



Performance Improvements - FIM MA

• FIM MA now creates Composite Requests– FIM MA gives asynchronous ack to the FIM Sync Service– FIM MA writes batch of changes to the FIM Service DB– FIM Service creates composite request with multiple targets– All changes in the composite must succeed in order for the

changes to be applied, otherwise re-sent one at a time

• New configuration settings for FIM MA– aggregate - True/False - Controls whether or not batching is

used.– aggregationThreshold – Controls the size of the batch. The

default value is 1000 attribute changes.– asynchronous - True/False - Setting to false returns the FIM

MA to the FIM 2010 behavior



Troubleshooting Improvements

• Portal displays errors generated from the FIM Service

• Better error messages• Correlation identifiers to link user error with

service-side error• New plumbing for Authentication and

Authorization workflow errors• Event Tracing for Windows• FIM MA Event Log• Additions to IT Pro documentation for top

problem areas



Ease of Use Improvements

• Improvements for troubleshooting– Enhanced diagnostics and user-visible error messages in

FIM portal and web services– Additions to IT Pro documentation for top problem areas

• Best Practices Analyzer (BPA)– Reduce overall TCO (and support calls) with a FIM

deployment validation tool – Identifies possible issues in FIM setup relating to

performance, security, configuration

• Improvements in the setup process– Easier configuration of scenarios such as password reset– Reduced initial load time



“ECMA2” – The New Extensible MA Framework

• Delivered with FIM 2010 Update Rollup 2 (build 4.0.3606.2) and included in R2

• New extensible Management Agents to support– Batched call-based import– Batched call-based export– Programmatic schema, partition, and hierarchy discovery– Password management behave as other methods– Custom anchors and additional dn styles– Support custom parameters– Full Export run step– .NET 4 support

• New SAP, Oracle ERP and Lotus Notes MAs are developed using this new API

http://support.microsoft.com/kb/2635086



Platform Investments

• FIM portal supports SharePoint 2010– Can install FIM portal on the newest version of

SharePoint Foundation – Seamless installation experience

• Continued support for WSS 3 (SharePoint 2007)• Same User and Admin experience on both

platforms



Localization

Windows Client Extensions

Password Reset & Registration Portals

FIM Portal and Service

33 languages

Bulgarian, Chinese (Simplified), Chinese (Traditional), Croatian, Czech, Danish, Dutch, Estonian,

Finnish, French, German, Greek, Hindi, Hungarian, Italian, Japanese, Latvian, Lithuanian,

Norwegian (Bokmal), Polish, Portuguese (Brazil), Portuguese (Portugal), Romanian, Russian,

Serbian, Slovak, Slovenian, Spanish, Swedish, Thai, Turkish, Ukrainian

19 languages for RTM

Chinese (Simplified), Chinese (Traditional), Czech, Danish, Dutch, Finnish, French, German,

Italian, Japanese, Korean, Norwegian (Bokmal), Polish, Portuguese (Brazil), Portuguese

(Portugal), Russian, Spanish, Swedish, Turkish



SUMMARY



Conclusion

• Great update to the FIM 2010 platform

• RTM in Q2 2012• Watch for announcements

from Microsoft in this space very soon

Web-based password resetReportingSimplified deployment and troubleshootingEnhanced performanceEnhanced MA connectivityAdded language support

User Management

GroupManagement



PolicyManagement

R2



Some Resources

• www.microsoft.com/fim• R2 RC Download on Connect

– https://connect.microsoft.com/site433

• FIM 2010 Update Rollup 2 (ECMA2)– http://support.microsoft.com/kb/2635086– ECMA 2 Documentation– Notes Connector– SAP Connector (Beta)

• TechNet Forum– http://social.technet.microsoft.com/Forums/e

n-US/ilm2/threads

• TechNet – http://

technet.microsoft.com/en-us/forefront/cc470030.aspx

– http://technet.microsoft.com/en-us/library/hh322910(v=ws.10).aspx

• Developer Reference on MSDN– http://

msdn.microsoft.com/en-us/library/ee652263.aspx

http://www.microsoft.com/fim





http://msdn.microsoft.com/en-us/library/hh859557.aspx

http://go.microsoft.com/%E2%80%8Bfwlink/?LinkID=242615

https://connect.microsoft.com/%E2%80%8Bsite433/Downloads/%E2%80%8BDownloadDetails.aspx?DownloadID%E2%80%8B=41558

http://social.technet.microsoft.com/Forums/en-US/ilm2/threads

http://social.technet.microsoft.com/Forums/en-US/ilm2/threads

http://technet.microsoft.com/en-us/forefront/cc470030.aspx



http://technet.microsoft.com/en-us/library/hh322910(v=ws.10).aspx



http://msdn.microsoft.com/en-us/library/ee652263.aspx

http://msdn.microsoft.com/en-us/library/ee652263.aspx



Contact Information

[email protected]@ploonen

http://be-id.blogspot.com

mailto:[email protected]



© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market

conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.

MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

what's new fim 2010 r2

Documents

policy manageme

virtual microsoft

password reset

microsoft

group management

credential

pro documentation

distinguishing