My quest to bring Best Practices to Identity Management especially with Microsoft FIM / ILM

Wednesday, March 17, 2010

Register for TEC 2010 – hope to see you there


Register using this code to get a discount: ATESENSYNC


TEC 2010 – Speaking and Sponsoring

I am super excited about speaking at The Experts Conference 2010 (I also spoke at Directory Experts in ‘07 and ‘08, as well as at last year’s The Experts Conference).

Register using this code to get a discount: ATESENSYNC

Once more Ensynch is sponsoring TEC but this year we are a gold sponsor for TEC 2010.

Here is the lineup of Ensynch Speakers at The Experts Conference (also see Brad Turner’s take on our new speakers)

Track | Speaker | Topic | Date
Exchange (pre-conference workshop) | Justin Hiedeman | Exchange 2010 Migration to Microsoft Exchange Online: Hands-on Workshop | Sunday April 25th, 1pm-5pm
Directory & Identity | David Lundell | FIM 2010 Performance Tuning (SQL and more) | Monday April 26th, 1:00 pm
Directory & Identity | Brad Turner | Using DFS and GPO in ILM High Availability Scenarios | Monday April 26th, 2:15 pm
Directory & Identity and SharePoint | Chris Calderon and Jeff Holliday | Federated SSO Solutions Using SharePoint 2010 | Tuesday April 27th, 9:45 am
Directory & Identity | David Lundell | Proper Care and Feeding of Your Databases: FIM, ILM, CLM, RMS, SharePoint and OCS | Tuesday April 27th, 1:30 pm
Directory & Identity | Joe Zamora | Custom Workflow Development in FIM 2010 | Wednesday April 28th, 8:00 am
Directory & Identity | Brad Turner | Practical Converged Physical and Logical Access Control | Wednesday April 28th, 9:45 am



Tuesday, March 2, 2010

FIM 2010 RTM Today!

Today, March 2, at the RSA conference Microsoft announced the release to manufacturing of Forefront Identity Manager 2010 (FIM, formerly codenamed ILM “2”) with General Availability starting next month.

Download the eval here:

Microsoft® Forefront™ Identity Manager 2010 Evaluation Version

Yeah!

FIM gives us user provisioning (and deprovisioning), group management, self-service password reset, password synchronization, workflows with approvals, and self-service management of user profiles, all driven through declarative provisioning. Yet FIM retains an incredible set of extensibility points: customization of the portal and of the object schema, management agents for new systems, custom workflows, and custom clients to the FIM web service.

 

According to the release notes there are some nice new enhancements:

  • You can now have explicit members in a set which has a defined filter (so sets can have dynamic members based on the filter and explicitly added members).
  • Password Reset now accepts the user principal name (UPN) as well as the fully qualified domain name (FQDN) when specifying user credentials.

In addition to the enhancements found in RC 1 and its update 1, update 2 and update 3 (Brad’s take on update 3):

  • Adds support for SQL Server Failover Clusters for High Availability
  • New type of MPR (Set-based Transition vs. Request-based)
  • Adds support for taking database backups without stopping the FIM Service.
  • New supported platforms for FIM Certificate Management:
    • Windows Server 2008 R2
    • Windows Server Datacenter edition
  • Added support for Exchange 2010 for the following scenarios:
    • FIM Synchronization Service support for the Active Directory Management Agent and GAL Management Agent
    • The FIM Service sending and receiving mail
    • Outlook 2007 on Exchange 2010 sending approvals and group membership requests
  • You can now copy and paste a vertical list from Excel to the Resource Picker input box. This is especially useful for doing bulk adds.
  • The UOC text box now lets you check uniqueness using a custom XPath statement that you provide.
  • The FIM MA will now store error messages with the operation during export. You do not have to look in the FIM Service event log anymore to see the errors.
  • You can now have several MAs that are responsible for deleting a resource, which solves a common problem where custom code was still needed for declarative provisioning.
  • Added two new declarative provisioning functions:
    • Null – this Synchronization Rule should not contribute a value, to support not flowing values to disabled accounts.
    • ReplaceString – find and replace a substring in another string
  • Added support for Exchange 14 mailbox provisioning


Monday, February 1, 2010

Final Update for FIM RC1 released

On Friday the product group released Update 3 for Forefront Identity Manager 2010 RC1, available through Connect:

https://connect.microsoft.com/site433/Downloads

Major changes as part of Update 3 (my regurgitation and comments from the release notes):

  • Fewer trips to the FIM Service event log – since the FIM MA export errors will now show up in the Synchronization Service Manager! Hallelujah!
  • Less need for custom old-style code
    • Now more than 1 MA can be authoritative for deleting an object (resource)
    • New functions for Sync Rules (Declarative Provisioning) – I guess I will have to update my function cheatsheet
      • Null – not certain what they mean by this – null out the value or let another sync rule provide the value.
      • ReplaceString
  • New type of MPR – Set Transition MPRs vs. request-based MPRs
    • Run on Policy Update only applies to this type
    • All other MPRs are request-based MPRs
    • This should ease some of the difficulty in wrapping heads around MPRs.
  • DBAs will love these:
    • Backups without stopping the FIM Service are now supported!
    • SQL Failover Clusters are now supported! (I don’t know if this means that clustering the Synchronization Service is supported)
  • Prereqs have changed
    • Server components: Windows Installer 4.5 is required
    • FIM Service requires SQL 2008 SP1
    • The add-in for Outlook now needs Outlook 2007 SP2

 

 

Even the certificate management side got some improvements: Windows Server 2008 R2 is now supported.

 

Also check out Brad’s post on the SP3 for MIIS or an update to ILM 2007 FP 1


FIM Hands-on Labs

More Hands on Labs for Forefront Identity Manager will be coming up (similar to the one I did in Irvine, CA) – Phoenix April 7th and 8th and then Dallas sometime in May.


Sunday, November 29, 2009

FIM RCDC explained in brief

In this post I attempt to give you, the reader, a quick overview of how the FIM RCDC works conceptually. As for the mechanics of modifying the RCDC, the nearly complete but growing collection of documents downloadable from MSFT will suffice.

As you will recall, FIM is the new abbreviation for ILM, since it has been renamed Forefront Identity Manager, and RCDC is the Resource Control Display Configuration, formerly known as the Object Visualization Configuration (OVC). RCDC is the way you customize how FIM displays objects (now called resources) in the portal. Now for English: if you need to change the options and information users see in the FIM portal when they create new users or groups (security or distribution), or edit or view these resources, you do it by modifying the RCDC. The RCDC is an XML object, and each resource type (user, group, request, etc.) has three: Create, Edit and View. To get a handle on the terms take a look at the figure below:

 

[figure: RCDCExplained]

Every RCDC has a Panel that contains all other visible elements. You don’t have to worry about the Panel, other than to know that you need to have it and it must have a name.

The next item to which I must call your attention is the Groupings. The little area which I have outlined in red is the Header Grouping and provides the caption for the RCDC, in this case: Create Security Group. The Header Grouping contains just one control, the UocCaptionControl, and it is this control that determines what will be displayed, based on its Caption and Description attributes.

The rest of the groupings show up as tabs. The first three are content groupings (there can be up to 16 groupings counting the Header Grouping and the Summary Grouping, leaving up to 14 slots for content groupings). Each content tab or grouping can contain between 1 and 256 controls.

Not visible in the screenshot above are data sources. Data sources provide access to the data of the resource (PrimaryResourceObjectDataSource), the changes that are being made during the edit or create process (PrimaryResourceDeltaDataSource), what rights the current user has to each attribute (PrimaryResourceRightsDataSource), information about the resource type and its attribute types, such as display name and description (SchemaDataSource), and a listing of Active Directory domains that are managed by this instance of FIM (DomainDataSource). Additionally, you can have XML data sources. There are two purposes for these: 1) to provide the XSL transformation that renders a different summary of changes on the Summary Grouping, and 2) to provide a list for use in UocDropDownList and UocRadioButtonList controls (there is at least one other method for providing the options list).

Controls have elements and attributes. The element type you will be concerned with is Properties. (Help only applies to groupings, CustomProperties is not supported, Options only applies to the UocDropDownList and UocRadioButtonList controls, Buttons only applies to the UocListView control, and you can’t make use of events.)

The attributes and properties govern the behavior of the control. They can be bound to the different data sources to make the control interact with an attribute on a resource, to control the visibility and editability of a control, and to provide the list of options to choose from.

Well that covers the conceptual overview. Next time I blog about RCDC, I plan on discussing the attributes of controls, and their common properties.


Tuesday, November 24, 2009

Answering my FIM RC 1 question

Thanks to Darryl Russi for answering my questions in my earlier post An Update to FIM RC1 where I was asked about something I had read in the release notes:

Some of those items raise a few questions, like how to setup a FIM service that only takes requests from the sync service? Do we setup multiple FIM Service instances and then configure the FIM MA to talk to one of them, and not make that one available to web clients?

So the short answer to my last question is yes, and then Darryl answers the first question in great detail.

Here is his answer: Service Partitions - Multiple Middle Tiers, Request & Workflow Processing

Great job Darryl! I see this as a great way to ensure good response time for users and to scale out.


Monday, November 23, 2009

Identity Synchronization FIM 2010 HOL Irvine California

I will be at the Microsoft Technical Center in Irvine on Dec 1 and 2 presenting this HOL with Marvin Tansley of Gemalto.

Identity Synchronization – Hands on Training


 

Date: December 1-2, 2009

Location:   3 Park Plaza, Suite 1800   Irvine, CA  92614     949-263-3000

Microsoft, Gemalto and Ensynch invite you to a free 2-day training seminar and hands-on lab on Microsoft’s Forefront Identity Manager (FIM 2010).

Come and learn how FIM 2010 can help you by delivering simplicity, agility and efficiency while increasing security and compliance within your enterprise identity infrastructure.

The curriculum for this training is modular, which will allow users with different technical levels to attend. 

Day 1 Agenda:

· FIM 2010 Overview Presentation and Demo

· FIM 2010 Managing Users and Groups Hands-on Lab

· Introduction to identity management

· ROI - a Tool to Help you Sell Your Project

· OTP Provisioning using FIM 2010

· Certificate Basics Presentation

· Certificate Demo and Basic Use Cases

Day 2 Agenda:

· FIM 2010 Synchronization Presentation and Demo

· FIM 2010 Hands-on Lab

· FIM 2010 Policy Management Presentation and Demo

· FIM 2010 Hands-on Lab

· Making It All Work Together

Who Should Attend?
IT security staff as well as system administrators and engineers who work with the installation, configuration, and maintenance of a variety of server types and have two to three years of experience managing an enterprise-level Microsoft Windows Server environment.

Space is limited. Register to reserve your seat.   Invitation only registration link – click here!

Questions? Contact Gemalto |  amy.gant@gemalto.com  |  (888) 343 5773  | www.gemalto.com/enterprise


Sunday, November 8, 2009

An Update to FIM RC1

Microsoft has posted an update to FIM RC 1, dated Nov 6.

It looks like this update covers pretty much everywhere except Certificate Services (sorry Brian and Paul).

The Release notes included in the download lists the follow improvements:

    • Query and Sets
      • Resolved a number of issues that resulted in incorrect dynamic set membership.
      • Removed support for the use of the != operator with multivalued attributes. Xpath equality expressions on multivalued attributes must use the not() function.  For example, the following xpath is not supported: /Group[Owner != /Person].  Instead, use the following xpath: /Group[not(Owner = /Person)]
    • Synchronization engine
      • Resolved a data corruption issue in Multi-Mastery scenarios where deleted Member attributes were being added back during full sync of AD and FIM.
    • Workflows
      • Workflows are now run on a FIM Service that uses the same ExternalHostName as the FIM Service that originally created the workflow. This enables the partitioning of workflow execution among servers dedicated to specific functionality. 
        For example, if a FIM Service is dedicated to servicing Requests submitted by the Synchronization Service, all workflows resulting from Synchronization Service Requests will only run on that FIM Service.
      • Resolved an issue that caused a Request’s RequestStatus attribute to retain the value “Validating” even though the Request’s operation timed out.
      • Resolved an issue in the EnumerateResourcesActivity that prevented selecting which attributes to return. Previously, regardless of the attribute selection specified, all attributes bound to the enumerated resources were returned.
    • Resolved various issues and made general improvements for:
      • Management Policy Rules
      • Portal user interface Request Management
      • Self-service Password Reset
      • Schema
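The != change deserves a closer look, because the set filter decides what an MPR grants rights over. The same rule exists in standard XPath 1.0: a comparison against a node-set is existential, so "Owner != x" is true as soon as any one value differs from x. As an added example (not from the release notes or the original post), the following runs both predicates with .NET’s System.Xml.XPath against a constructed document that stands in for two Group resources with a multivalued Owner; the group and owner names are made up.

```csharp
using System;
using System.Linq;
using System.Xml.Linq;
using System.Xml.XPath;

// Added example: existential semantics of "!=" against a multivalued attribute.
// The document is constructed for the demo; it stands in for two Group resources.
static class MultiValuedOwnerDemo
{
    static readonly XDocument Groups = XDocument.Parse(
        "<Groups>" +
        "<Group><DisplayName>eng-leads</DisplayName><Owner>alice</Owner><Owner>bob</Owner></Group>" +
        "<Group><DisplayName>finance</DisplayName><Owner>carol</Owner></Group>" +
        "</Groups>");

    // Returns the DisplayNames of the groups matched by an XPath 1.0 predicate.
    static string[] Select(string xpath)
    {
        return Groups.XPathSelectElements(xpath)
                     .Select(g => (string)g.Element("DisplayName"))
                     .ToArray();
    }

    static void Main()
    {
        // A comparison with a node-set is true if ANY node satisfies it.
        // eng-leads has owners alice AND bob, so "Owner != 'alice'" holds because bob != alice,
        // even though alice is an owner: a "groups alice does not own" set built this way includes it.
        string[] viaNotEqual = Select("/Groups/Group[Owner != 'alice']");

        // not(Owner = 'alice') is true only when no Owner value equals alice,
        // which is what "groups alice does not own" actually means.
        string[] viaNotAny = Select("/Groups/Group[not(Owner = 'alice')]");

        Console.WriteLine("Owner != 'alice'     : " + string.Join(", ", viaNotEqual));
        Console.WriteLine("not(Owner = 'alice') : " + string.Join(", ", viaNotAny));
    }
}
```

Run it and eng-leads shows up in the first list but not the second. Translated to FIM: a Set whose filter used != on a multivalued attribute could have been broader than intended, and every MPR scoped by that Set inherited the extra members, so it is worth re-reading any existing filters for this pattern rather than just treating the change as a syntax update.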

 

Some of those items raise a few questions, like how to setup a FIM service that only takes requests from the sync service? Do we setup multiple FIM Service instances and then configure the FIM MA to talk to one of them, and not make that one available to web clients?

 

Go to Connect.microsoft.com. Here’s the link: FIM 2010 RC1 Update 1 (11/6/2009)
Build 4.0.2570.0 (compare to 4.0.2560.0, the version released on 9/29/09 as RC1)

It references a KB article that I can’t find: KB976465

The total download is under 36 MB so this is definitely a patch and not the full enchilada.

Looks like Jorge got the news out first.


Tuesday, October 6, 2009

Password Reset?

How would you feel if this was the only barrier between the hacker and your data – a single password reset question? Just one!

[screenshot: a password reset page with a single security question]

I won’t tell you who this is since then you’ll just want to go after my data on that site.

Oh well. The barn door won’t be shut until the wolf has gotten into the sheep


Wednesday, April 15, 2009

Ensynch The Place to Be

In the last four months two very talented people have joined Ensynch, Chris Calderon, ILM MVP, and Mark Struck.

Chris Calderon of IdentityJunkie.com fame is extremely talented with ILM, AD Federated Services (AD FS) and many other tools.

Mark Struck is a very talented developer and experienced implementer of ILM. Even before Mark joined the team he and I collaborated to figure out how to use the ILM 2 web services.


Tuesday, April 14, 2009

A few excellent Live@edu (Outlook Live) Blogs

I have been involved with the Microsoft Live@edu (formerly Windows Live@edu) and the Outlook Live (formerly Exchange Labs) programs for quite some time.

What a wonderful opportunity for schools to alleviate the cost of hosting email for students and then to be able to offer it to alumni, helping provide them with a lifelong connection to the university and a way to keep their email address from their student days. Maintaining stronger ties leads to more evangelism on the school's behalf and will lead to more alumni donations. I would have loved to have kept my dpl@bigdog.engr.arizona.edu, lundelld@gas.uug.arizona.edu or dlundell@u.arizona.edu accounts. Instead of rediscovering friends on Facebook I might never have lost touch with them in the first place.

A few weeks ago Robert Hughes of Bridgepoint introduced me to Jonny Chambers' blog as another excellent resource for information about Outlook Live. So I thought I would collect some resources here:

Jonny Chambers blog

Jonny has a great list of official links to Live@edu

http://cid-c76eae4d4a509fbd.profile.live.com/Lists/cns!C76EAE4D4A509FBD!495/

Almero Steyn (pronounced Al mare Roo  Stain)  another ILM MVP has also put together some fantastic blog posts on Outlook Live.


Wednesday, March 25, 2009

New Certificate and Identity Blogger on the Loose

Marc Mac Donnell has just launched his blog at http://assurancesinidentity.blogspot.com/, called it Assurances in Identity, and has posted links to the CLM API documentation and a case study about some work he did with MCS UK and CapGemini.

I look forward to many more posts from Marc about some of the wizardry and tricks in managing certificates and identities.


Monday, March 16, 2009

Posted: ILM 2 Business Value webinar recording

ILM 2 Business Value Webinar Recording

It has actually been posted for some time now, I have just been a bit busy (apology to my readers).

Other items will also get posted here in the column on the right hand side:

http://ensynch.com/pa_ci_identity_and_access_management.aspx


Wednesday, March 11, 2009

Netpro DEC -> Quest TEC -- Ensynch's Sessions

Back in business school we always studied name changes and rebranding, and this one has been interesting.

Last summer NetPro decided to expand the Directory Experts Conference (DEC) to include an Exchange conference, and so they re-branded the conference NetPro's The Experts Conference. Then Quest acquired NetPro, so it became a completely re-branded conference as Quest's The Experts Conference.

So NetPro DEC became Quest TEC.

Sunday Mar 22nd - Wed Mar 25th in Vegas www.tec2009.com 

Day | Time | Topic | Speakers
Sunday | 1 PM - 5 PM | Pre-conference Workshop 2: Taming the Chaos – Building a Practical Lifecycle Mgt. Application in the ILM “2” Portal | David Lundell and Brad Turner
Monday | 1 PM - 2:15 PM | Designing an Object Expiration & Reconciliation Process in ILM 2 | Brad Turner
Monday | 1 PM - 2:15 PM | Proper Care & Feeding of ILM, CLM and RMS Databases | David Lundell
Monday | 4 PM - 5:15 PM | Rescue Your Identity Metasystem from Chaos Through Reporting against ILM 2 with SSRS | David Lundell and Brad Turner
Tuesday | 2:45 PM - 4 PM | ADFS Extensibility | Chris Calderon (will probably co-present with Randy Weimar)

 

(yes the current schedule has Brad and I speaking on Monday at 1 PM in different rooms)


Monday, January 19, 2009

What’s new in Identity Lifecycle Manager 2, Ask the experts

Brad Turner and I are putting on a webinar on ILM 2.

Webinar


Monday, December 22, 2008

Business Problems and their Technical Roots

Business Problem | Possible Underlying Business Problem | Cause | Technical Cause
Business launches a strategic initiative late | Employees don't receive communications that they should | Don't have email accounts; aren't in the right distribution lists | Lack of automated distribution list management and self-service fulfillment
Employee can't fulfill a customer order | Employees don't have access to resources | Accounts haven't been provisioned to the systems they need; aren't members of the groups or roles they need | Lack of automated security group management and self-service fulfillment
Leak of customer information, OR stock-affecting info, OR valuable data is destroyed | Employees have access to resources they shouldn't, OR former employees still have access to resources | Permissions granted too liberally, OR user accounts haven't been terminated | Lack of automated security group management and self-service fulfillment, AND lack of automated deprovisioning
Customer care rep can't find the right person to whom they can escalate a key customer problem | Employees can't find accurate, up-to-date contact info for each other | Global address lists and other databases out of sync; too many directories | No IDA tool to synchronize them; IDA tool hasn't matched the identities


Business Problems VS Technical Problems

A business problem is when employees can't execute their job duties in an efficient fashion; sometimes they are unable to complete the tasks at all. Business problems are especially costly when they directly affect customers. They can delay cash flowing into the company as a customer waits to place an order or to receive goods (and hence to pay); they can lose revenue as a customer temporarily takes their business to a competitor or finds a substitute; and sometimes this leads to customers forming new business relationships and the loss of all future revenue from that customer. Non-customer-affecting business problems may result in higher costs without affecting revenue. For example, a problem on the job shop floor causes workers to put in overtime to complete customer jobs on time, raising costs without directly affecting the customer.

As Rodd Wagner and James K. Harter point out in their book 12: The Elements of Great Managing, company profitability is highly correlated with employees knowing what is expected of them and having adequate tools and materials (elements 1 and 2). When these two elements are short-changed, business problems result, costs go up and revenue goes down.

A technical problem is often the root cause of employees not having adequate tools or materials. A more specific definition: a technical problem is the cause of the Information Technology department (people, process and technology) not being able to adequately fulfill a need expressed by the business. This inadequacy could be a matter of accuracy, timeliness, or consistency. It could also be a matter of lacking the capability. These are technical problems: can't provision and deprovision accounts and entitlements quickly enough, accurately enough (deleted the account for the wrong Jane Smith), or consistently enough (only 10 of a user's 16 accounts deprovisioned on average, per IDC), because the identity management system goes down frequently, or is too complex to change and the rules it enforces are outdated. Another possible technical problem could be that requests are lost or seem to take forever to be fulfilled because the process, supported by paper or a help desk ticket, doesn't move efficiently. Requests may be fulfilled incorrectly or inconsistently because the fulfillment is not automated and/or checklists don't exist or aren't followed.

Hence good managers look for ways to provide knowledge of expectations and sufficient tools and materials for their employees to do their jobs. I believe you'll agree that one of those great tools is ILM "2".


Saturday, December 6, 2008

ILM 2 Web Services Part 1 and 1/2

A few days after my post about setting up the ILM 2 Web Service reference, Joe Schulman and others from the ILM product group began a new blog designed to fill in the gaps in the community's knowledge about how to use the web services. So far the blog looks great and is a welcome addition to my knowledge and the community's knowledge base! Great job Joe and company, and thanks for the link to my blog.

Identity Management Extensibility

I recommend starting out by reading the intro post as it gives a great overview of what to expect.

Also check out the code samples online at MSDN

Shortly I will be getting back to more technical posts.


Saturday, November 1, 2008

ILM 2 Web Services Part 1 The Service Reference

Together, Mark Struck of Ipseity Inc and I, have figured out (after much beating of our heads against brick walls) how to use the ILM 2 Enumeration Endpoint to perform some basic reporting. (I figured out how to send the enumeration and get a response and then Mark figured out how to correctly form the pull messages so as to be able to retrieve the actual objects -- teamwork at its finest). We would also like to thank Mark Gabarra and Rob Ward for their input.

Here are some lessons we learned:

First lesson: the SDK provided with ILM 2 Beta 3 is incomplete and in some cases misleading. (Just one of those areas that hasn't been well documented yet)

Second lesson: Reading the WS-Enumeration specification is like drinking from a firehose.

Third lesson: Case matters when specifying the endpoint.

Today's post will show you how to setup the Service Reference.

Type in http://localhost:526/ResourceManagementService/MEX/

The case of the URL is important: ResourceManagementService must be capitalized exactly as shown, and so must MEX.

The name you type in for name space is important as it is the name you will use in your code.

I recommend replacing the ServiceReference1 that you see in the figure with ILM_RMS.

[screenshot: Add Service Reference dialog]

After you click Go it shows you the various services available and operations for each service. The Search Service is the one we will want.

[screenshot: services and operations discovered at the MEX address]

Once you click OK you see the following show up under service reference:

[screenshot: the ILM_RMS service reference in Solution Explorer]

An enumeration.wsdl file is generated, and your app.config file will also be populated with lots of settings, such as this one:

<binding name="ServiceMultipleTokenBinding_Search" closeTimeout="00:01:00"
    openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
    bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard"
    maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
    messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true"
    allowCookies="false" contextProtectionLevel="Sign">
  <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
      maxBytesPerRead="4096" maxNameTableCharCount="16384" />
  <reliableSession ordered="true" inactivityTimeout="00:10:00" enabled="false" />
  <security mode="Message">
    <transport clientCredentialType="Windows" proxyCredentialType="None" realm="" />
    <message clientCredentialType="Windows" negotiateServiceCredential="true"
        algorithmSuite="Default" establishSecurityContext="false" />
  </security>
</binding>



You can also generate this info through a command line approach using the svcutil.exe utility.



Then in your code you make use of it like this as you see in my code:




' Proxy generated by the service reference (namespace ILM_RMS). The string is the endpoint
' configuration name in app.config, which the generator gives the same name as the binding.
Dim scReporting As ILM_RMS.SearchClient
scReporting = New ILM_RMS.SearchClient("ServiceMultipleTokenBinding_Search")



See how you use the namespace that you set up when you made the service reference, and how you need to use the binding name set up in the app.config file. Instead of using the settings in the config file you can use a programmatic approach to setting up the bindings. Look at the example from Mark Struck's C# code:




using System;
using System.ServiceModel;
using System.ServiceModel.Security;

// Address of the Enumeration endpoint. The value is an assumption for this snippet (same host and
// port as the MEX address above); point it at your own ILM Service.
const string ILMSERVICE_URI_ENUMERATION = "http://localhost:526/ResourceManagementService/Enumeration";

WSHttpContextBinding wsBinding = new WSHttpContextBinding();
// Cannot use WSHttpBinding since it does not allow you to Sign the EnumerationContext element.
// WSHttpContextBinding provides a property called ContextProtectionLevel which defaults to Sign, which is
// what is needed to communicate with the web service when the action is Pull.
// WSHttpBinding will work if you are just calling the web service with the Enumerate action.
//WSHttpBinding wsBinding = new WSHttpBinding();

// Set binding properties
wsBinding.ReceiveTimeout = new TimeSpan(0, 5, 0);
wsBinding.SendTimeout = new TimeSpan(0, 5, 0);
// Message-level security: the caller's Windows identity authenticates at the SOAP layer,
// the service credential is negotiated, and no secure-conversation session is established.
wsBinding.Security.Mode = SecurityMode.Message;
wsBinding.Security.Message.EstablishSecurityContext = false;
wsBinding.Security.Message.NegotiateServiceCredential = true;
wsBinding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
wsBinding.Security.Message.AlgorithmSuite = SecurityAlgorithmSuite.Default;

// Create EndpointAddress object and create the SearchClient object with the binding and endpointaddress objects
EndpointAddress ep = new EndpointAddress(ILMSERVICE_URI_ENUMERATION);
SearchClient searchClient = new SearchClient(wsBinding, ep);
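To show what the binding above actually puts on the wire, here is the same binding used without the generated proxy, as an added example that is not from the post or from Mark's code: a ChannelFactory sends a WS-Enumeration Enumerate whose Filter uses the FIM XPath dialect, and returns the reply body as XML. The endpoint address, the /Person filter and the class and method names are assumptions for the demo. It stops at Enumerate and does not send Pull, which is the action that needs the signed EnumerationContext.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.Xml;
using System.Xml.Linq;

// Added example: raw WS-Enumeration Enumerate against the ILM 2 Search endpoint.
static class IlmEnumerate
{
    // Assumed endpoint address (same host/port as the MEX address in the post).
    const string EnumerationEndpoint = "http://localhost:526/ResourceManagementService/Enumeration";
    const string WsEnum = "http://schemas.xmlsoap.org/ws/2004/09/enumeration";
    // FIM's XPath filter dialect URI
    const string XPathDialect = "http://schemas.microsoft.com/2006/11/XPathFilterDialect";

    static WSHttpContextBinding CreateBinding()
    {
        var b = new WSHttpContextBinding();
        b.ReceiveTimeout = TimeSpan.FromMinutes(5);
        b.SendTimeout = TimeSpan.FromMinutes(5);
        // Message-level security with the caller's Windows identity, no secure-conversation session,
        // and a signed context so a later Pull can present the EnumerationContext it was handed.
        b.Security.Mode = SecurityMode.Message;
        b.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        b.Security.Message.NegotiateServiceCredential = true;
        b.Security.Message.EstablishSecurityContext = false;
        b.ContextProtectionLevel = System.Net.Security.ProtectionLevel.Sign;
        return b;
    }

    // Builds <wsen:Enumerate><wsen:Filter Dialect="...XPathFilterDialect">/Person</wsen:Filter></wsen:Enumerate>
    static Message BuildEnumerate(MessageVersion version, string xpathFilter)
    {
        XNamespace wsen = WsEnum;
        var body = new XElement(wsen + "Enumerate",
            new XElement(wsen + "Filter", new XAttribute("Dialect", XPathDialect), xpathFilter));
        return Message.CreateMessage(version, WsEnum + "/Enumerate", body.CreateReader());
    }

    // Sends the Enumerate and returns the EnumerateResponse body (EnumerationContext etc.) as text.
    static string Enumerate(string xpathFilter)
    {
        WSHttpContextBinding binding = CreateBinding();
        var factory = new ChannelFactory<IRequestChannel>(binding, new EndpointAddress(EnumerationEndpoint));
        IRequestChannel channel = factory.CreateChannel();
        try
        {
            using (Message reply = channel.Request(BuildEnumerate(binding.MessageVersion, xpathFilter)))
            {
                if (reply.IsFault)
                    throw new InvalidOperationException("Enumerate returned a SOAP fault");
                using (XmlDictionaryReader reader = reply.GetReaderAtBodyContents())
                    return XElement.Load(reader).ToString();
            }
        }
        finally
        {
            channel.Close();
            factory.Close();
        }
    }

    static void Main()
    {
        Console.WriteLine(Enumerate("/Person"));
    }
}
```

Because the security is at the message layer, WCF signs and encrypts the SOAP body with the negotiated service credential even though the address is plain http, and the service sees the request under the caller's Windows identity, which is what the ILM Service then evaluates the request against. If you ever move to Transport security instead, the address has to become https and the credential settings move to the transport section; the code above would not quietly keep working.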


Saturday, August 16, 2008

IDM in pop culture

Some days I am amazed at how deeply the identity management concepts have penetrated into popular culture:

"Mr Big Stuff, who do you think you are?" clearly relates to an authentication issue or authorization issue.

"Won't get fooled again" by the WHO is clearly making a reference to a Certificate Revocation List, now that I have revoked your certificate you won't be authenticated again.

One area where pop culture is still shockingly uninformed and still needs help is asset protection. I guess the authors of many forlorn love songs wish they could have used Rights Management Services and issued a use license that did not contain the permissions "Steal my heart" and "Break my heart."


Monday, June 16, 2008

Tech Ed -- Lotsa Buzz ILM 2 and CLM

On Tuesday Bob Muglia made a big announcement -- ILM 2 Beta 3 has been released. While the beta install is only 64 bit on Microsoft Connect you can download the 32-bit Virtual PC. At the ILM 2 booth at Tech Ed the Microsoft ILM Product Group and I were handing them out like crazy.

Thanks to Nima for inviting me to participate at the booth.

The best session I went to was by Candy Stark from MS IT. She presented on the smart card deployment at MSFT using CLM.


Wednesday, May 7, 2008

The Grand Unified Demo of Identity Management

As I was architecting and assembling the Identity All Up workshop (part of the 2008 Directory Experts Conference see the review by Felix Gaehtgens, an analyst for Kuppinger Cole) designed to expose the attendees (or delegates) to all facets of the Microsoft Identity Access Platform, Lori Craw, from Microsoft referred to this as the "Grand Unified Demo". I chuckled, instantly catching the reference to the still undiscovered Grand Unified Field theory that eluded Einstein and even today's theoretical physicists.

In creating and delivering this workshop, I have reinforced my earlier belief that Active Directory (AD) is the medium through which most of the interactions between these components of the platform happen, and Identity Lifecycle Manager (ILM) is the driving force.

Allow me to explain -- In order to manage the lifecycle of smart cards through Certificate Lifecycle Manager (CLM) you must belong to groups in AD that have been assigned permissions to the CLM Service Connection Point, the CLM Profile Template, the CLM Certificate Template, and a group that contains the user upon whom you will act. How do you get into these groups? Through Identity Lifecycle Manager! So AD is the medium and ILM the driver.

In the case of CLM, ILM also has a more direct connection through the Certificate Lifecycle Management agent, through which ILM can provision and submit enroll, terminate, suspend, renew and unblock requests.

Let's take a look at Active Directory Rights Management Services (RMS). With RMS permissions as with most other permissions, they are assigned to Groups in AD. Once more -- AD is the medium and ILM is the driver.

Now please turn your attention to Active Directory Federation Services (AD FS). Users get access to resources at the resource partner by virtue of having a claim that gives them access; most of the time this claim will be a group claim. Once more -- ILM is driving through the medium of AD.

Even more, look at AD RMS integration with AD FS. Now we can extend Rights Management protection to documents while sharing them with partners without the unrealistic expectation for the partner to have their own AD RMS infrastructure (the requirement for RMS prior to Windows Server 2008). Once more, access for partners is through being member of a group that establishes an outgoing claim to the resource partner that is then consumed by RMS, and once more the best way to get users into groups is through ILM.

Expand your horizons once more: now using a smart card (provisioned through an ILM request to CLM), we can authenticate to the directory, build the list of groups to which we belong (managed by ILM), access an RMS-protected document at a partner's SharePoint site, and have the appropriate restrictions apply to us.

Wait, what about AD Lightweight Directory Services (AD LDS -- formerly known as ADAM), and Windows Cardspace? Where do they fit in?

AD LDS can be used as another repository for storing identities usually for your extranet, for partners that aren't federation ready (either because of lack of size, technology, or policy). AD FS can use AD LDS as one of its account stores! Hence the same protection of RMS documents can be extended once more to non-federation partners without the need for another RMS infrastructure -- in fact vendors could offer RMS as a service using ADFS and AD LDS to cover the authentication needs.

What about Card Space? Card Space, can also be incorporated, but that is a topic for another day.

I want to give special thanks to Chris Calderon for his tireless efforts in helping me setup the virtual machines and hammering out the AD RMS AD FS integration with Sharepoint. Thanks also to David Wozny (pronounced Wahznee) for improving and delivering the deepdive into CLM. Thanks to Craig Martin for assisting David Wozny in improving the ILM deepdive. Additional thanks to Bob Tucker for helping with the VM setup. Thanks to Hugh Simpson-Wells and James Cowling for editing the labs. Thanks to James Booth for listening and improving while I dreamed up the scenarios used in the labs.
