Microsoft FIM Knits Identity Security Blanket

By Cameron Sturdevant  |  Posted 2010-07-22


Forefront Identity Manager is the result of Microsoft's latest effort to untangle the mesh of identity procedures and policies that wrap around high value business assets. 

The trick is to keep identity management costs reasonable while outwitting phishers and satisfying auditors. Forefront Identity Manager 2010, the successor to Identity Lifecycle Manager 2007, succeeds largely through extensive use of wizards and streamlined management processes that should let lower-level staff implement access policies that are both rigorous and flexible.

Forefront Identity Manager 2010 (FIM 2010) started shipping on April 1. FIM 2010 has a list price of $15,000 per server and $18 per user CAL (Client Access License).

As you might imagine, FIM 2010 carries on the "better together" tradition that makes it most appropriate for shops already running other Microsoft infrastructure, including Active Directory, SharePoint and Exchange. While FIM 2010 can interact with a variety of other directory, collaboration and e-mail notification tools, it is optimized for use with Microsoft's.

These Microsoft infrastructure components made up the test environment I used to evaluate FIM 2010. I ran FIM on a Dell PowerEdge R610 server with two quad-core Intel Xeon 5520 processors, 32GB of RAM and six 146GB drives. Running Microsoft Windows Server 2008 R2 64-bit edition, my test environment was composed of 12 virtual systems that provided SharePoint, Active Directory and Exchange, along with a number of Windows 7 systems that accessed various resources through identity services enabled by FIM 2010.

FIM 2010 is much more than a password or credential management system, although it does enable user self-service password reset. I used the product to manage remote access to test documents, create federated access to resources between different organizations, and streamline the onboarding and offboarding of employees.

While FIM 2010 was significantly easier to use than Identity Lifecycle Manager 2007, my work with the product indicates that significant IT resources will still be needed for day-to-day operation of FIM 2010. Full implementation of the product will almost certainly require a services engagement. As might be expected, a fresh installation of FIM 2010 or, more likely, an upgrade to FIM 2010 from a previous-generation identity management system is no small task. Even where Microsoft was able to streamline setup tasks, FIM 2010 operates in highly sensitive and usually highly regulated territory.

Group Management

FIM 2010 is a Web service and synchronization platform. One of the first steps I took in my evaluation of the product was to use FIM 2010 to create dynamic groups based on user attributes. This feature uses FIM 2010's integration with Microsoft Exchange and Outlook to automate the approval process. I was able to create a workflow that granted access to customer data once approval was given by a specific manager. Building this process in FIM 2010 was about as hard as driving a rental car of a make and model I had never driven: knowing how my own car works was enough. Those who have a passing familiarity with identity management tools should, however haltingly at first, be able to pick up the basics without much trouble.

IT professionals who have a basic understanding of the business needs of their organization can use FIM 2010 to automate group creation and management workflows. While the workflow logic is flexible and allows for fairly sophisticated selection and approval criteria, the learning curve will likely be short for most IT staff. Mastering the group management and creation tools will likely be one of the keys to seeing a return on investment with FIM 2010. Organizations where staff tend to move quickly into and out of groups will especially benefit from the FIM 2010 group management tools.

Group management is an area that benefited from lowering the expertise level required to operate FIM 2010. What was likely a developer job in Microsoft ILM 2007 is now a somewhat tricky wizard-driven operation that maps attributes used in a human resources application to those used in FIM 2010. I used the FIM Synchronization Service Manager to create an attribute management agent that automates the import of human resources information about employees into FIM 2010. The tricky part is that the rather poorly designed wizard interface hides the pairing process. Once I discovered that I had to constantly click back and forth between the source and destination pairings, configuring the management agent went from bewildering to merely annoying. The amount of clicking needed to configure the management agent smoked my mousing finger.

The upside to this wizard is that Microsoft has indeed made it possible for an IT pro, as opposed to a developer or scripting expert, to configure the management agent. This meant that I was able to bring employee data from my human resources system into FIM 2010 and, after configuring a federated trust with a completely different test organization, assign these employees to groups with various levels of authority to view and use resources at both organizations.

Workflows that automate group membership have also been wizard-enabled, so that business users can, with a minimum of training, create dynamic groups based on user attributes. I created several groups that used a manual request, a "managed by" relationship or other criteria to populate groups of users in my test environment. Although my tests used only Microsoft Outlook and SharePoint for notification and resource examples, FIM 2010 can work with other platforms, including Lotus Notes.
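The two pieces described above, an attribute flow that pulls HR data into the identity store and criteria-based groups whose membership is computed from those attributes, fit together as follows. This is an added illustration written for this review, not FIM 2010 code or Microsoft's API: the HR column names, the identity-store attribute names, the group rules and the sample rows are all constructed for the example. The point it makes that the text only implies is that when HR marks someone terminated, a dynamic group drops that person on the next evaluation without anyone filing a removal request, which is the offboarding win.

```python
"""Attribute flow from an HR export into an identity store, then "dynamic"
(criteria-based) group membership evaluated from the imported attributes.
Added example, not FIM 2010 code; every name and row below is constructed."""

# Constructed HR export rows (hypothetical column names, not from the article).
HR_ROWS = [
    {"EmpID": "1000", "GivenName": "Dee", "Surname": "Okafor", "Dept": "Finance", "MgrID": "", "Status": "Active"},
    {"EmpID": "1001", "GivenName": "Ana", "Surname": "Ortiz", "Dept": "Finance", "MgrID": "1000", "Status": "Active"},
    {"EmpID": "1002", "GivenName": "Ben", "Surname": "Lau", "Dept": "Sales", "MgrID": "1000", "Status": "Active"},
    {"EmpID": "1003", "GivenName": "Cy", "Surname": "Nair", "Dept": "Finance", "MgrID": "1001", "Status": "Terminated"},
]

# Attribute flow: HR column -> identity-store attribute (hypothetical names).
# This is the source/destination pairing the wizard makes you click through.
ATTRIBUTE_FLOW = {
    "EmpID": "employeeID",
    "GivenName": "firstName",
    "Surname": "lastName",
    "Dept": "department",
    "MgrID": "manager",
    "Status": "employeeStatus",
}


def import_hr(rows, flow):
    """Apply the attribute flow to every HR row, keyed by employeeID.

    A missing source column raises instead of importing a person with a blank
    attribute: a blank department or status would silently change which groups
    that person lands in, which is exactly what an identity feed must not do."""
    people = {}
    for row in rows:
        person = {}
        for src, dst in flow.items():
            if src not in row:
                raise ValueError(f"HR row missing column {src!r}: {row}")
            person[dst] = row[src]
        people[person["employeeID"]] = person
    return people


# Group rules of the two kinds the review mentions: an attribute criterion and
# a "managed by" relationship. Both require an Active status, so a terminated
# employee can never satisfy them.
def department_rule(dept):
    return lambda p: p["employeeStatus"] == "Active" and p["department"] == dept


def managed_by_rule(manager_id):
    return lambda p: p["employeeStatus"] == "Active" and p["manager"] == manager_id


GROUP_RULES = {
    "Finance-Staff": department_rule("Finance"),
    "Reports-To-1000": managed_by_rule("1000"),
}


def evaluate_groups(people, rules):
    """Recompute every dynamic group from current attributes."""
    return {name: sorted(eid for eid, p in people.items() if rule(p))
            for name, rule in rules.items()}


def membership_delta(before, after):
    """Per-group adds and removes between two evaluations; the removes are the
    automatic offboarding that a manually maintained group would miss."""
    delta = {}
    for name in sorted(set(before) | set(after)):
        b, a = set(before.get(name, [])), set(after.get(name, []))
        delta[name] = {"add": sorted(a - b), "remove": sorted(b - a)}
    return delta


if __name__ == "__main__":
    people = import_hr(HR_ROWS, ATTRIBUTE_FLOW)
    first = evaluate_groups(people, GROUP_RULES)
    # Next HR export: employee 1001 has left.
    people["1001"] = dict(people["1001"], employeeStatus="Terminated")
    second = evaluate_groups(people, GROUP_RULES)
    for group, change in membership_delta(first, second).items():
        print(group, change)
```

The rules are plain predicates so the example stays readable; a product applies the same idea with a filter expression over the store. What matters for an auditor is that membership is a pure function of the attributes, so the group can be re-derived and checked at any time rather than trusted as a list someone once edited.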

Password Reset

FIM 2010 did a good job of driving down typical help-desk costs. One of the best examples of this during my tests was self-service password reset. As is typical of password reset systems, the user must enroll by answering a series of security questions. These are the usual assortment of "what was your first pet's name?" questions. I answered three questions to enroll each of my test users.

When users attempted to log into the Windows domain with an incorrect password, a "reset password" link appeared on the screen. It is worth mentioning that the FIM Password Reset component must be installed on the end-user system for this functionality to be available. As expected, when the previously enrolled answers were provided to the security challenge questions, the users were able to reset the password and gain access to their authorized applications.
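The enrollment-then-challenge flow just described has one security property worth seeing in code: the answers to "first pet's name" questions are low-entropy secrets, so a reset gate has to treat them like passwords (salted, stretched, compared in constant time) and must lock after a few failures or it becomes an easier way into the account than the password it replaces. This is an added example written for this review, not the FIM Password Reset component or any Microsoft API; the question text, the three-answer and three-attempt policy values and the PBKDF2 parameters are assumptions chosen for illustration.

```python
"""Self-service password reset gate: enroll answers to security questions,
then verify a challenge. Added example, not FIM 2010 code; policy values below
are assumptions, not the product's settings."""
import hashlib
import hmac
import os
import unicodedata

REQUIRED_ANSWERS = 3        # the review enrolled three questions per user
MAX_FAILED_ATTEMPTS = 3     # assumed lockout threshold
PBKDF2_ROUNDS = 200_000     # assumed work factor
SALT_BYTES = 16


def normalize(answer: str) -> str:
    """Fold case, Unicode form and internal whitespace so that "Fluffy" and
    "  fluffy " match; users do not retype an answer identically years later."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def _digest(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"),
                               salt, PBKDF2_ROUNDS)


def enroll(answers: dict) -> dict:
    """Store each answer as (salt, PBKDF2 digest). The plaintext answers are
    never kept: a dump of this record should be no more useful than a dump of
    password hashes."""
    if len(answers) < REQUIRED_ANSWERS:
        raise ValueError(f"{REQUIRED_ANSWERS} answers required, got {len(answers)}")
    stored = []
    for question, answer in answers.items():
        if not normalize(answer):
            raise ValueError(f"empty answer for question: {question}")
        salt = os.urandom(SALT_BYTES)
        stored.append({"question": question, "salt": salt,
                       "digest": _digest(answer, salt)})
    return {"answers": stored, "failed": 0}


def is_locked(record: dict) -> bool:
    """Locked records need a help-desk unlock; the gate itself never reopens."""
    return record["failed"] >= MAX_FAILED_ATTEMPTS


def verify(record: dict, responses: dict) -> bool:
    """True only if every enrolled answer matches. Every answer is checked even
    after a mismatch and each comparison is constant-time, so response timing
    does not reveal which question was answered wrongly. Failures are counted
    and the gate locks after MAX_FAILED_ATTEMPTS."""
    if is_locked(record):
        return False
    ok = True
    for entry in record["answers"]:
        candidate = _digest(responses.get(entry["question"], ""), entry["salt"])
        ok &= hmac.compare_digest(candidate, entry["digest"])
    record["failed"] = 0 if ok else record["failed"] + 1
    return ok


if __name__ == "__main__":
    # Constructed enrollment for one test user.
    rec = enroll({"First pet's name?": "Fluffy",
                  "Street you grew up on?": "Lincoln",
                  "Favorite color?": "Blue"})
    print(verify(rec, {"First pet's name?": "fluffy",
                       "Street you grew up on?": "LINCOLN",
                       "Favorite color?": " blue "}))   # expected True
    for _ in range(MAX_FAILED_ATTEMPTS):
        verify(rec, {"First pet's name?": "Rex"})       # wrong, counts a failure
    print(is_locked(rec))                                # expected True
```

The lockout counter lives in the enrollment record here only to keep the example self-contained; in a deployment it belongs with the account's other lockout state so that a reset attempt and a logon attempt count against the same budget, and every failed challenge should be logged with the same priority as a failed logon, since a run of them against one account is the signature of someone guessing pet names.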

Although FIM 2010 is an ambitious identity management platform, IT managers should consider the ecosystem of non-Microsoft management tools that can be integrated with the product. For example, FIM 2010 now provides an STS (Secure Token Service). Vordel, among others, has been providing STS products for some time, and they are likely already in use in most large organizations.

Single sign-on tools are also widely used to manage password access to company resources. These systems can usually be integrated with the identity management capabilities of FIM 2010 to augment the authentication and authorization services that FIM provides.