My quest to bring Best Practices to Identity Management especially with Microsoft FIM / ILM

Thursday, May 15, 2008

Processing Actions Asynchronously outside of ILM MAs

For years developers have had access to Microsoft Message Queuing (MSMQ) as a way to queue up actions for processing later or on a remote machine. With the release of SQL Server 2005 back in, well, 2005, developers with access to SQL 2005 could replace these MSMQ applications with SQL Service Broker (SSB) queues. With ILM 2007 / MIIS 2003 SP2 supporting SQL 2005, SQL Service Broker queues became much more accessible to ILM developers.



Here is an article comparing MSMQ with SQL Service Broker Queues

http://www.devx.com/dbzone/Article/34110



Here is another discussion on the matter in an MSDN forum:

http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=661768&SiteID=1



Here is an interesting blog post about working with both SQL Service Broker Queues (SSB) and

Windows Workflow Foundation:

http://devhawk.net/2006/12/11/Transactions+In+Workflow+Foundationland.aspx

The DevHawk has many good insights into SSB.



One huge advantage to me in dealing with SSB is that I can query a view just like a table to examine its current contents. SSB is also very easy to scale out.

At DEC 2008 Craig Martin and Marshall Hamilton (both from OCG North America) spoke on the SSH MA (originally developed by Patrick Rempel from OCG Germany), which is being used to manage several thousand Unix servers (spread across multiple instances of the MA) over SSH connections, issuing the command-line commands to create users and so on.

One problem they had to solve was what to do if one server is down during import: the data for systems that are down has to be reproduced, which necessitates caching it somewhere. Another problem I envision in such scenarios is performance. Imagine a slightly different design.

What if an intermediate database were used to hold the results from the servers? Import data from the servers on one schedule, then import into ILM on another, separate schedule. The import requests could be pushed into a queue for multiple processes to work through. For exports, have the XMA push the requests into an SSB queue and have a separate process pull them from the queue and execute them. If export performance becomes an issue, scaling out with SSB is child's play: add another process that pulls export request messages from the queue.
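The export side of that design, as an added example that is not part of the original post or of the SSH MA: a SQL Server 2005 Service Broker queue that the XMA fills during export and that any number of worker processes drain. The database, queue, service, procedure and table names here are assumptions, as is the ExportLog table; the SSH command itself is left as a comment where a worker would run it.

```sql
-- Added example (not from the original post): the export queue sketched
-- above, built with SQL Service Broker on SQL 2005. Database, queue,
-- service, procedure and table names are assumptions; the XMA would call
-- dbo.EnqueueExportRequest during export, and one or more worker processes
-- would run dbo.ProcessExportRequests on a schedule.
USE master;
GO
ALTER DATABASE IlmQueue SET ENABLE_BROKER;   -- Service Broker is off by default
GO
USE IlmQueue;
GO

-- Message type, contract, queues and services. Only the initiator side may
-- send ExportRequest messages; the target answers with EndDialog or Error.
CREATE MESSAGE TYPE [//ilm/ExportRequest] VALIDATION = WELL_FORMED_XML;
CREATE CONTRACT [//ilm/ExportContract] ([//ilm/ExportRequest] SENT BY INITIATOR);
CREATE QUEUE dbo.IlmExportInitiatorQueue;    -- receives EndDialog / Error
CREATE QUEUE dbo.IlmExportQueue;             -- workers RECEIVE from here
CREATE SERVICE [//ilm/ExportInitiator] ON QUEUE dbo.IlmExportInitiatorQueue;
CREATE SERVICE [//ilm/ExportTarget]    ON QUEUE dbo.IlmExportQueue ([//ilm/ExportContract]);

CREATE TABLE dbo.ExportLog (                 -- assumed audit table
    ConversationHandle UNIQUEIDENTIFIER NOT NULL,
    Request            XML              NOT NULL,
    ProcessedAt        DATETIME         NOT NULL
);
GO

-- Called from the XMA export path: one request per connector-space object.
CREATE PROCEDURE dbo.EnqueueExportRequest @Request XML
AS
BEGIN
    DECLARE @h UNIQUEIDENTIFIER;
    BEGIN DIALOG CONVERSATION @h
        FROM SERVICE [//ilm/ExportInitiator]
        TO SERVICE '//ilm/ExportTarget'
        ON CONTRACT [//ilm/ExportContract]
        WITH ENCRYPTION = OFF;               -- same instance; no certificates needed
    SEND ON CONVERSATION @h MESSAGE TYPE [//ilm/ExportRequest] (@Request);
END;
GO

-- Worker loop: run it from as many processes as you need. RECEIVE hands each
-- message to exactly one worker, and the message stays in the queue until
-- that worker's transaction commits, so a crash mid-command is not a lost export.
CREATE PROCEDURE dbo.ProcessExportRequests
AS
BEGIN
    DECLARE @h UNIQUEIDENTIFIER, @type SYSNAME, @body XML;
    WHILE 1 = 1
    BEGIN
        BEGIN TRANSACTION;
        WAITFOR (
            RECEIVE TOP (1)
                @h    = conversation_handle,
                @type = message_type_name,
                @body = CAST(message_body AS XML)
            FROM dbo.IlmExportQueue
        ), TIMEOUT 5000;
        IF @@ROWCOUNT = 0
        BEGIN
            ROLLBACK TRANSACTION;            -- queue drained; the scheduler restarts us
            BREAK;
        END;
        BEGIN TRY
            IF @type = N'//ilm/ExportRequest'
            BEGIN
                -- Run the SSH command for this request here (CLR or an external
                -- process), then record what was done for the audit trail.
                INSERT INTO dbo.ExportLog VALUES (@h, @body, GETUTCDATE());
                END CONVERSATION @h;
            END
            ELSE
            BEGIN
                END CONVERSATION @h;         -- EndDialog or Error from the other side
            END;
            COMMIT TRANSACTION;
        END TRY
        BEGIN CATCH
            -- Rolling back returns the message to the queue. Five consecutive
            -- rollbacks disable the queue (poison message handling), so a target
            -- server that is merely down should be recorded and deferred by the
            -- worker, not retried by rollback.
            IF XACT_STATE() <> 0 ROLLBACK TRANSACTION;
            BREAK;
        END CATCH;
    END;
END;
GO

-- A queue can be read like a table, which is how you inspect the backlog.
SELECT TOP (10) conversation_handle, message_type_name,
       CAST(message_body AS XML) AS body
FROM dbo.IlmExportQueue;
```

Two things to add before running this for real. First, the initiator queue collects an EndDialog message for every request; give it an activation procedure that ends those conversations, or they accumulate. Second, anyone who can SEND to the target service can cause commands to run over SSH on every managed Unix host, so restrict EXECUTE on dbo.EnqueueExportRequest and SEND ON SERVICE::[//ilm/ExportTarget] to the XMA's own login and nothing else.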

Another use case for SSB is anywhere MSMQ has been used. Benefits: SSB can be clustered for failover, and backup is as simple as backing up the database hosting the SSB queues, since the messages live in the database itself.

For a Gentle Intro to SSB


Wednesday, May 14, 2008

SQL Business Intelligence

This evening I attended a nice SQL 2005 BI presentation by Kathrine Lord of Microsoft.
She took the Arizona SQL Server Users Group through a nice tour of a data warehouse that she built for a call center. (Thanks to Pete Miller of Statera for all these years of running and organizing the AZ SQL Server Users Group.)

Her presentation was a quick end-to-end walkthrough: building cubes, MDX calculations, creating named sets, Key Performance Indicators (KPIs), and using PivotTables in Excel 2007.

Just imagine being able to provide, inside a SharePoint site, reports that use SQL Server's business intelligence capabilities to show long-term trends in the identities in your organization: how long it takes between hire date and Active Directory account creation, and between termination date and disabling of the account.
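The two lags named above, as an added example that is not from the presentation or the original post: a constructed identity lifecycle table (names and rows are made up), the aggregate queries a KPI or cube would roll up, and the exception list a security reviewer wants alongside the trend, terminated users whose AD account has not been disabled. The 2-day provisioning SLA is an assumption.

```sql
-- Added example (not from the original post): a constructed identity
-- lifecycle table, the provisioning and deprovisioning lag KPIs, a
-- monthly trend at cube grain, and the still-enabled-after-termination
-- exception. Table, columns, rows and the 2-day SLA are all assumptions.
CREATE TABLE dbo.IdentityLifecycle (
    EmployeeId     INT      NOT NULL PRIMARY KEY,
    HireDate       DATETIME NOT NULL,
    AdCreatedDate  DATETIME NULL,    -- NULL: no account provisioned yet
    TermDate       DATETIME NULL,    -- NULL: still employed
    AdDisabledDate DATETIME NULL     -- NULL: account still enabled
);

-- Constructed sample rows (SQL 2005 needs one INSERT per row).
INSERT INTO dbo.IdentityLifecycle VALUES (1001, '20080107', '20080107', NULL,       NULL);
INSERT INTO dbo.IdentityLifecycle VALUES (1002, '20080114', '20080118', NULL,       NULL);
INSERT INTO dbo.IdentityLifecycle VALUES (1003, '20080204', NULL,       NULL,       NULL);
INSERT INTO dbo.IdentityLifecycle VALUES (1004, '20070601', '20070601', '20080331', '20080331');
INSERT INTO dbo.IdentityLifecycle VALUES (1005, '20070910', '20070912', '20080415', '20080422');
INSERT INTO dbo.IdentityLifecycle VALUES (1006, '20071105', '20071105', '20080430', NULL);

-- KPI 1: provisioning lag (hire date -> AD account created) and SLA attainment.
SELECT COUNT(*)                                                  AS Provisioned,
       AVG(DATEDIFF(day, HireDate, AdCreatedDate) * 1.0)         AS AvgLagDays,
       MAX(DATEDIFF(day, HireDate, AdCreatedDate))               AS WorstLagDays,
       100.0 * SUM(CASE WHEN DATEDIFF(day, HireDate, AdCreatedDate) <= 2
                        THEN 1 ELSE 0 END) / COUNT(*)            AS PctWithinSla
FROM dbo.IdentityLifecycle
WHERE AdCreatedDate IS NOT NULL;

-- KPI 2: deprovisioning lag (termination date -> account disabled).
SELECT COUNT(*)                                                  AS Deprovisioned,
       AVG(DATEDIFF(day, TermDate, AdDisabledDate) * 1.0)        AS AvgLagDays,
       MAX(DATEDIFF(day, TermDate, AdDisabledDate))              AS WorstLagDays
FROM dbo.IdentityLifecycle
WHERE TermDate IS NOT NULL AND AdDisabledDate IS NOT NULL;

-- Trend: provisioning lag by hire month, the grain a cube or scorecard rolls up.
SELECT DATEPART(year, HireDate)                                  AS HireYear,
       DATEPART(month, HireDate)                                 AS HireMonth,
       COUNT(*)                                                  AS Hires,
       AVG(DATEDIFF(day, HireDate, AdCreatedDate) * 1.0)         AS AvgLagDays
FROM dbo.IdentityLifecycle
WHERE AdCreatedDate IS NOT NULL
GROUP BY DATEPART(year, HireDate), DATEPART(month, HireDate)
ORDER BY HireYear, HireMonth;

-- Exception list: terminated, but the account is still enabled. An average
-- hides these rows; a scorecard should show this count and expect zero.
SELECT EmployeeId, TermDate,
       DATEDIFF(day, TermDate, GETDATE())                        AS DaysEnabledAfterTerm
FROM dbo.IdentityLifecycle
WHERE TermDate IS NOT NULL
  AND TermDate <= GETDATE()
  AND AdDisabledDate IS NULL;
```

The exception query is the one to wire to a KPI with a red threshold of one: a long-term trend of average deprovisioning lag can look healthy while a single terminated account stays enabled for months.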

At the 2007 Directory Experts Conference in April 2007, there were two excellent presentations that began to scratch the surface of such reporting from ILM: Brad Turner on Reporting from MIIS, and Rob Allen on "Leverage MIIS Statistics and Provide Trend Analysis".

Imagine adding KPIs and building scorecards hosted in SharePoint through SQL Reporting Services. Imagine the high-level visibility you can add to your IDM project. Imagine demonstrating the ROI of your project more clearly.

She also discussed the new SQL 2008 spatial data types and the ability to tie into Virtual Earth. Interesting capabilities for showing user account creation by geography.

Additionally, SQL 2008 adds new data types in the date/time area:
http://www.sql-server-performance.com/articles/dev/datetime_2008_p1.aspx
splitting date and time into separate DATE and TIME types. Yet we still have no date or time data type in the Metaverse in ILM 2007. Would love to have that in ILM 2!

Identity Chaos? Get your Identities Ensynch!

I recently joined the Identity Management Practice, as a Solution Architect, at Ensynch Inc, an award-winning Microsoft Gold Partner based in Tempe, AZ, with a strong award-winning presence in Southern California. In 2006 Ensynch won the Microsoft Worldwide Partner Award for Excellence in Active Directory and Identity Management, and in 2007 it was the only finalist from North America. In fact, the only finalist from the Western Hemisphere.

I am especially happy to be working with Brad Turner, fellow ILM MVP and a good friend. I am also excited to work with the creator of the Camel Logic Configurator -- Jerry Camel.


Wednesday, May 7, 2008

The Grand Unified Demo of Identity Management

As I was architecting and assembling the Identity All Up workshop (part of the 2008 Directory Experts Conference; see the review by Felix Gaehtgens, an analyst for Kuppinger Cole), designed to expose the attendees (or delegates) to all facets of the Microsoft Identity and Access Platform, Lori Craw from Microsoft referred to it as the "Grand Unified Demo". I chuckled, instantly catching the reference to the still undiscovered Grand Unified Field Theory that eluded Einstein and still eludes today's theoretical physicists.

In creating and delivering this workshop, I have reinforced my earlier belief that Active Directory (AD) is the medium through which most of the interactions between the components of the platform happen, and that Identity Lifecycle Manager (ILM) is the driving force.

Allow me to explain. In order to manage the lifecycle of smart cards through Certificate Lifecycle Manager (CLM), you must belong to AD groups that have been assigned permissions on the CLM Service Connection Point, the CLM Profile Template, the certificate template, and the group that contains the user upon whom you will act. How do you get into these groups? Through Identity Lifecycle Manager! So AD is the medium and ILM the driver.

In the case of CLM, ILM also has a more direct connection through the Certificate Lifecycle Manager management agent, through which ILM can provision smart cards and submit enroll, termination, suspend, renewal, and unblock requests.

Let's take a look at Active Directory Rights Management Services (AD RMS). RMS permissions, like most other permissions, are assigned to groups in AD. Once more, AD is the medium and ILM is the driver.

Now please turn your attention to Active Directory Federation Services (AD FS). Users get access to resources at the resource partner by virtue of having a claim that grants them access, and most of the time this will be a group claim. Once more, ILM is driving through the medium of AD.

Even more, look at AD RMS integration with AD FS. Now we can extend Rights Management protection to documents shared with partners without the unrealistic expectation that the partner run its own AD RMS infrastructure (a requirement for RMS prior to Windows Server 2008). Once more, partner access comes through membership in a group that produces an outgoing claim to the resource partner, which is then consumed by RMS; and once more, the best way to get users into groups is through ILM.

Expand your horizons once more: using a smart card (provisioned through an ILM request to CLM), we authenticate to the directory, build the list of groups to which we belong (managed by ILM), access an RMS-protected document at a partner's SharePoint site, and have the appropriate restrictions applied to us.

Wait, what about AD Lightweight Directory Services (AD LDS, formerly known as ADAM) and Windows CardSpace? Where do they fit in?

AD LDS can be used as another repository for storing identities, usually for your extranet, for partners that aren't federation-ready (because of size, technology, or policy). AD FS can use AD LDS as one of its account stores! Hence the same RMS protection of documents can be extended to non-federation partners without the need for another RMS infrastructure; in fact, vendors could offer RMS as a service, using AD FS and AD LDS to cover the authentication needs.

What about CardSpace? CardSpace can also be incorporated, but that is a topic for another day.

I want to give special thanks to Chris Calderon for his tireless efforts in helping me set up the virtual machines and hammer out the AD RMS and AD FS integration with SharePoint. Thanks also to David Wozny (pronounced Wahznee) for improving and delivering the deep dive into CLM. Thanks to Craig Martin for assisting David Wozny in improving the ILM deep dive. Additional thanks to Bob Tucker for helping with the VM setup. Thanks to Hugh Simpson-Wells and James Cowling for editing the labs. Thanks to James Booth for listening and improving while I dreamed up the scenarios used in the labs.
