Microsoft Forefront Identity Manager: Review

IT professionals who have a basic understanding of the business needs of their organisation can use FIM 2010 to automate group creation and management workflows. While the workflow logic is flexible and allows for fairly sophisticated selection and approval criteria, the learning curve will likely be short for most IT staff. Mastering the group management and creation tools will likely be one of the keys to seeing a return on investment when using FIM 2010. Organisations where staff tends to quickly move into and out of groups will especially benefit from FIM 2010 group management tools.

Group management is an area that benefited from lowering the expertise level required to operate FIM 2010. What was likely a developer job in Microsoft ILM 2007 is now a— somewhat tricky— wizard-driven operation to map attributes used in a human resources application to those used in FIM 2010. Basically, I used the FIM Synchronization Service Manager to create an attribute management agent to automate the import of human resource information about employees into FIM 2010. The tricky part is that they rather poorly designed wizard interface basically hides the pairing process. Once I discovered that I had to constantly click back and forth between the source and destination pairing, the process of configuring the management agent went from bewildering to annoying. The amount of clicking needed to configure the management agent basically smoked my mousing finger.

The upside to this wizard is that Microsoft has indeed made it possible for an IT pro— as opposed to a developer or scripting expert— to configure the management agent. This meant that I was able to bring employee data from my human resources system into FIM 2010, and after configuring a federated trust environment with a completely different test organisation, assign these employees to groups with various levels of authority to view and use resources at both organisations.

Workflows that automated group membership have also been wizard-enabled so that business users can— with a minimum of training— create dynamic groups based on user attributes. I created several groups that used either a manual request, “managed by” or other criteria to create groups of users in my test environment. Although my tests used only Microsoft Outlook and Sharepoint for notification and resource examples, FIM 2010 can use other platforms including Lotus Notes.

Password reset

FIM 2010 did a good job at driving down typical help-desk costs. One of the best examples of this during my tests with the product were in self-service password reset. As is typical of most password reset systems, the user must enroll by answering a series of security questions. These questions are the usual assortment of “what was your first pet’s name?” type of questions. I answered three questions to enroll my test users.

When users attempted to log into the Windows domain with an incorrect password a “reset password” link appeared on the screen. It is worth mentioning that the FIM Password Reset component must be installed on the end-user system for this functionality to be enabled. As expected, when the previously enrolled answers were provided to the security challenge questions, the users were then able to reset the password and gain access to their authorized applications.

Although FIM 2010 is an ambitious identity management platform, IT managers should consider the ecosystem of non-Microsoft management tools that can be integrated with the product. For example, FIM 2010 now provides an STS (Secure Token Service). Vordel, among others have been providing STS systems for some time and are likely already in use in most large organisations.

Single-sign on tools are also widely used to manage password access to company resources. These systems can usually be integrated with the identity management capabilities of FIM 2010 to augment the authentication and authorisation services that FIM provides.

Page: 1 2

Cameron Sturdevant eWEEK USA 2012. Ziff Davis Enterprise Inc. All Rights Reserved.

Share
Published by
Cameron Sturdevant eWEEK USA 2012. Ziff Davis Enterprise Inc. All Rights Reserved.

Recent Posts

North Koreans Stole $1.34bn In Crypto This Year

North Korea-liked hackers have stolen a record $1.34bn in cryptocurrency so far this year, as…

4 hours ago

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

3 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

3 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

3 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

4 days ago