My quest to bring Best Practices to Identity Management especially with Microsoft FIM / ILM

Friday, August 14, 2009

AD RMS on R2 -- new Federation Features

AD RMS on Windows Server 2008 R2 adds a really slick feature blogged about here: Group Expansion for Federated Users

Prior to R2, to issue a use license to a federated user, that user had to be granted permissions explicitly. With Windows Server 2008 R2 you can create a contact object whose e-mail address matches the external federated user's, place that contact in a group, and the federated user then gets the same RMS permissions as the group.

This is great: external users can be included in groups without provisioning a user account for them in your domain. Oops, now we need to provision a contact object for them and put it into the group. But perhaps we can combine this capability with a custom claims transformation module that provisions the contact on demand, the way my coworker Chris Calderon demonstrated on Windows Server 2008 at TEC 2009 (to get his slides go to  and follow the instructions).

But On-Demand Provisioning only solves half of the battle (and here all of the GI Joe fans thought knowing was half the battle ;)

Even after the partner has cut off the user's access by disabling or deleting the account on their side, the contact object on your side still needs to be cleaned up. But how do you know when to deprovision an account that belongs to a federated partner? Perhaps you could use the RMS logging database as a starting point: look for users who haven't requested a license in a while, e-mail them, and see whether you get a bounce. An NDR for a federated user who hasn't accessed anything for months would be a pretty safe signal that their contact object can be deleted. Treat only a permanent failure (a 5.x.x DSN status such as "user unknown") as that signal; a delayed delivery or a full mailbox (4.x.x) says nothing about whether the account still exists.

How to make that happen? Write your own service or scripts to query the logging database and send the probe e-mail, and another script to check for NDRs and write the contacts to be deleted to a table. Then have FIM read the table and delete the contacts, or let your script delete them directly, as appropriate.
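The decision logic of that cleanup process, as an added example that is not code from the original post or from any Microsoft tool. It assumes the last-access rows have already been pulled from the AD RMS logging database (no table or column names of that database are assumed) and that the bounce messages have been fetched from the mailbox the probe e-mails are sent from; both inputs are constructed inline so the script runs offline. The function names, the 90-day threshold and the addresses are mine.

```python
"""Deprovisioning candidates for federated-user contacts (added example, not
code from the original post). A contact is proposed for deletion only when its
user is stale in the AD RMS logging database AND the probe e-mail bounced with
a permanent (5.x.x) failure. Both inputs are constructed inline."""
from __future__ import annotations

import email
from datetime import datetime, timedelta

# Constructed rows in the shape a query of the logging database would yield:
# (address of the requesting federated user, time of last request). No real
# table or column names of the AD RMS logging database are assumed here.
LAST_ACCESS = [
    ("jdoe@partner.example", datetime(2009, 3, 2, 14, 5)),
    ("asmith@partner.example", datetime(2009, 8, 10, 9, 30)),
    ("bjones@partner.example", datetime(2009, 1, 20, 11, 0)),
    ("vend@vendor.example", datetime(2009, 2, 1, 8, 0)),
]
AS_OF = datetime(2009, 8, 14)  # reference "now" for the stand-alone run

# Constructed delivery status notifications (RFC 3464 multipart/report) as
# they would arrive in the mailbox that receives bounces for the probe mail.
BOUNCES = [
    # Permanent failure: the partner deleted the account.
    """From: MAILER-DAEMON@mail.partner.example
To: rms-cleanup@contoso.example
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.partner.example

Final-Recipient: rfc822; jdoe@partner.example
Action: failed
Status: 5.1.1

--b1--
""",
    # Transient failure (full mailbox): no evidence that the account is gone.
    """From: MAILER-DAEMON@mail.vendor.example
To: rms-cleanup@contoso.example
Content-Type: multipart/report; report-type=delivery-status; boundary="b2"

--b2
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.vendor.example

Final-Recipient: rfc822; vend@vendor.example
Action: delayed
Status: 4.2.2

--b2--
""",
]

def hard_bounced_recipients(raw_dsn: str) -> set[str]:
    """Addresses for which the DSN reports a permanent failure: only
    'Action: failed' with a 5.x.x status counts, so a full mailbox or a
    greylisting delay (4.x.x) never leads to a deletion."""
    msg = email.message_from_string(raw_dsn)
    found: set[str] = set()
    for part in msg.walk():
        if part.get_content_type() != "message/delivery-status":
            continue
        # The stdlib parser turns each blank-line-separated header block of
        # the delivery-status part into its own Message object.
        for block in part.get_payload():
            action = (block.get("Action") or "").strip().lower()
            status = (block.get("Status") or "").strip()
            recipient = block.get("Final-Recipient") or ""  # "rfc822; user@host"
            if action == "failed" and status.startswith("5.") and ";" in recipient:
                found.add(recipient.split(";", 1)[1].strip().lower())
    return found

def stale_users(rows, as_of: datetime, stale_days: int = 90) -> set[str]:
    """Step 1: users whose last licensing request is older than the threshold;
    these are the ones that get the probe e-mail."""
    cutoff = as_of - timedelta(days=stale_days)
    return {addr.lower() for addr, last_seen in rows if last_seen < cutoff}

def deprovision_candidates(rows, dsns, as_of: datetime, stale_days: int = 90) -> list[str]:
    """Step 2: contacts to hand to FIM (or a script) for deletion. Stale alone
    (a rarely used but live user) or bounced alone (a mail problem for an
    active user) is not enough; only the intersection is returned."""
    bounced: set[str] = set()
    for raw in dsns:
        bounced |= hard_bounced_recipients(raw)
    return sorted(stale_users(rows, as_of, stale_days) & bounced)

if __name__ == "__main__":
    print("send probe to:", sorted(stale_users(LAST_ACCESS, AS_OF)))
    print("delete contacts for:", deprovision_candidates(LAST_ACCESS, BOUNCES, AS_OF))
```

Run stand-alone it lists three stale users to probe and, after the two constructed bounces come in, only jdoe@partner.example for deletion: vend@vendor.example is stale but its bounce is a 4.x.x delay, so it stays. The rows returned by `deprovision_candidates` are what you would write to the staging table that FIM reads.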


Wednesday, June 24, 2009

H30, Geneva Cola, Sitrus and Orange Fizz

Back in business school I was a connoisseur of fine commercials. Recently I watched a commercial for Lipton Ice Tea (note I am a teetotaler who doesn't drink tea) and I have to admire their cleverness in coming up with names for competitor products (see the title) in their "Lipton Tea, I think I love you" commercial. (Lyrics here)

Really the names are clever although the best is the H30 -- I just love it, a chemical compound that as far as I can tell can't exist, but we all know they are making fun of flavored water. Of course I also love ordering water by requesting Di-Hydrogen-Oxide.

OK they didn't actually have Geneva Cola it was really Milan Cola, but since I really wanted to blog about Geneva and how "I think I love [it]" well I couldn't resist the name substitution.

Now, before I pester you with any more puns, let me tell you why I love Geneva, Microsoft's next evolutionary leap in federation and SSO.

Of late there has been a lot of buzz about cloud computing. But there are obstacles: when you host applications in the cloud or use SaaS-type applications, you wind up creating new identity stores.

With Geneva your identities become almost ubiquitous, in that you can use them anywhere, and applications built on the Geneva framework will be able to accept and use identities from anywhere you decide to trust. It won't matter any more where your applications are: in Microsoft's cloud, your cloud, or your partner's cloud.

In short, if cloud computing is going to transform the industry, then Geneva is the way to get there. It certainly lowers some of the barriers.

Additionally, we can use Geneva to provide SSO for apps within an organization.

Now to tie in the commercial: since Geneva also supports the SAML 2.0 protocol, it even interoperates with Hot Ball of GAS SSO and "Fiction Books Access Manager".


Friday, May 15, 2009

The Business Impact of Identity and Access Management with Forefront Identity Manager 2010

Brad and I are going to cover the value of the whole Identity Management Stack from Microsoft and a few additional pieces from partners.

Thursday, May 28th

(Live Meeting links will be sent to all registrants) (Click Here to RSVP)

David Lundell – Microsoft MVP for ILM, Ensynch Practice Director
Brad Turner – Microsoft MVP for ILM, Ensynch Sr. Technical Architect
9am-10am Pacific/Arizona
10am-11am Mountain
11am-12pm Central
12pm-1pm Eastern

*Convert time zone


Webinar: The Business Impact of Identity
and Access Management with Forefront Identity Manager 2010
(formerly ILM "2")

You’re invited to attend an informational webinar showcasing the business benefits of Identity and Access Management with the newly named Microsoft Forefront Identity Manager 2010 (formerly ILM "2").

This webinar is designed for Business and Technology Decision-makers interested in reducing operational costs while increasing security, compliance and overall operational efficiency. If you're interested in how Identity and Access Management solutions can impact business results, this webinar is for you.
Ensynch is proud of our world-class Identity and Access Management practice, boasting 3 Microsoft MVPs (out of only a handful world-wide). This team’s efforts have earned Ensynch back-to-back Microsoft Worldwide Partner Awards for Identity Management in 2007 and 2006. Take advantage of this opportunity to learn from their vast enterprise and mid-market experience in incorporating Best Practices to deliver heightened business results.

The Business Value of Microsoft’s Identity Management Stack

  • Evaluate the business challenges, the cost and the opportunities for savings with Identity Management

    • IDA with Forefront Identity Manager 2010 (ILM 2)

    • Maintaining existing ILM 2007 deployments

  • Strong Authentication

    • Certificate Services

    • Quest Defender

  • Sharing with Partners and Customers

  • Active Directory Federation Services /Geneva

    • Reducing the need to provision Accounts for Partners

    • Speedier disabling of access for Partner/Customer’s Accounts

    • Implications with cloud based applications

  • Information Protection (now that you’re sharing your documents, how do you protect them)

  • Active Directory Rights Management Services

    • Add-ons


Wednesday, March 11, 2009

Netpro DEC -> Quest TEC -- Ensynch's Sessions

Back in business school we always studied name changes and rebranding, and this one has been interesting.

Last summer NetPro decided to expand the Directory Experts Conference (DEC) to include an Exchange conference, and so they re-branded the conference as NetPro's The Experts Conference. Then Quest acquired NetPro, so it became a completely re-branded conference as Quest's The Experts Conference.

So NetPro DEC became Quest TEC.

Sunday Mar 22nd - Wed Mar 25th in Vegas 

Sunday, 1 PM - 5 PM: Pre-conference Workshop 2, Taming the Chaos – Building a Practical Lifecycle Mgt. Application in the ILM "2" Portal (David Lundell and Brad Turner)
Monday, 1 PM - 2:15 PM: Designing an Object Expiration & Reconciliation Process in ILM 2 (Brad Turner)
Monday, 1 PM - 2:15 PM: Proper Care & Feeding of ILM, CLM and RMS Databases (David Lundell)
Monday, 4 PM - 5:15 PM: Rescue Your Identity Metasystem from Chaos Through Reporting against ILM 2 with SSRS (David Lundell and Brad Turner)
Tuesday, 2:45 PM - 4 PM: ADFS Extensibility (Chris Calderon, who will probably co-present with Randy Weimar)

(yes, the current schedule has Brad and me speaking on Monday at 1 PM in different rooms)


Thursday, October 30, 2008

Live ID's are now Open ID's, Geneva supports SAML 2.0

At the PDC, Microsoft's Kim Cameron and his colleague Vittorio Bertocci announced that Windows Live ID is now an OpenID provider. Additionally, when signing in to Live you can use Information Cards (InfoCard, CardSpace, Geneva CardSpace).

They also demonstrated Geneva (the framework was formerly code-named Zermatt; the server is essentially the successor to Windows Server 2008 Active Directory Federation Services) and showed it supporting SAML 2.0 the protocol, not just SAML 2.0 the token.

Other new announcements included the Microsoft Federation Gateway, which allows you to federate with Microsoft, with Live (including both managed domains and individual consumers -- all 400 million of them), with other Geneva (ADFS) organizations, and with other third-party Security Token Services (STSs). They also showed issuing LINQ queries against the .NET Access Control Service to retrieve roles and make authorization decisions.

Good show, gentlemen! This is a tremendous step forward for interoperability. I just hope that the interoperability between Geneva and other third-party STSs is much easier to implement than the brittle, painful interoperability between ADFS and Shibboleth (which didn't support SAML 2.0). Hopefully, Shibboleth will be one of those third parties!


Wednesday, May 7, 2008

The Grand Unified Demo of Identity Management

As I was architecting and assembling the Identity All Up workshop (part of the 2008 Directory Experts Conference see the review by Felix Gaehtgens, an analyst for Kuppinger Cole) designed to expose the attendees (or delegates) to all facets of the Microsoft Identity Access Platform, Lori Craw, from Microsoft referred to this as the "Grand Unified Demo". I chuckled, instantly catching the reference to the still undiscovered Grand Unified Field theory that eluded Einstein and even today's theoretical physicists.

In creating and delivering this workshop I have reinforced my earlier belief that Active Directory (AD) is the medium through which most of the interactions between the components of the platform happen, and that Identity Lifecycle Manager (ILM) is the driving force.

Allow me to explain -- In order to manage the lifecycle of smart cards through Certificate Lifecycle Manager (CLM) you must belong to groups in AD that have been assigned permissions to the CLM Service Connection Point, the CLM Profile Template, the CLM Certificate Template, and a group that contains the user upon whom you will act. How do you get into these groups? Through Identity Lifecycle Manager! So AD is the medium and ILM the driver.

In the case of CLM, ILM also has a more direct connection through the Certificate Lifecycle Management agent, through which ILM can provision smart cards and submit enroll, termination, suspend, renewal and unblock requests.

Let's take a look at Active Directory Rights Management Services (RMS). With RMS permissions as with most other permissions, they are assigned to Groups in AD. Once more -- AD is the medium and ILM is the driver.

Now please turn your attention to Active Directory Federation Services (AD FS). Users get access to resources at the resource partner by virtue of having a claim that grants them access, and most of the time that claim is a group claim. Once more, ILM is driving through the medium of AD.

Even more, look at AD RMS integration with AD FS. Now we can extend Rights Management protection to documents while sharing them with partners, without the unrealistic expectation that the partner have its own AD RMS infrastructure (the requirement for RMS prior to Windows Server 2008). Once more, partner access comes from being a member of a group that produces an outgoing claim to the resource partner, which is then consumed by RMS, and once more the best way to get users into groups is through ILM.

Expand your horizons once more: using a smart card (provisioned through an ILM request to CLM), we authenticate to the directory, build the list of groups to which we belong (managed by ILM), access an RMS-protected document at a partner's SharePoint site, and have the appropriate restrictions applied to us.

Wait, what about AD Lightweight Directory Services (AD LDS, formerly known as ADAM) and Windows CardSpace? Where do they fit in?

AD LDS can be used as another repository for storing identities usually for your extranet, for partners that aren't federation ready (either because of lack of size, technology, or policy). AD FS can use AD LDS as one of its account stores! Hence the same protection of RMS documents can be extended once more to non-federation partners without the need for another RMS infrastructure -- in fact vendors could offer RMS as a service using ADFS and AD LDS to cover the authentication needs.

What about CardSpace? CardSpace can also be incorporated, but that is a topic for another day.

I want to give special thanks to Chris Calderon for his tireless efforts in helping me set up the virtual machines and hammering out the AD RMS / AD FS integration with SharePoint. Thanks also to David Wozny (pronounced Wahznee) for improving and delivering the deep dive into CLM. Thanks to Craig Martin for assisting David Wozny in improving the ILM deep dive. Additional thanks to Bob Tucker for helping with the VM setup. Thanks to Hugh Simpson-Wells and James Cowling for editing the labs. Thanks to James Booth for listening and improving while I dreamed up the scenarios used in the labs.
