Thursday, 7 May 2009

Microsoft Security and Identity Lifecycle Platform

Yesterday, Wednesday 6 May, I went to a Microsoft Architects forum about the new IAM products that Microsoft has to offer. Geneva is the codename of the new claims-based identity system from Microsoft that allows single sign-on access to systems that are active across several data centres. It consists of the Geneva Server, which deals with issuing and exchanging claims and controlling user access, a CardSpace client, and the Geneva Framework, an extension of Microsoft's .NET Framework 3.5. The server itself supports Active Directory and web service standards like Security Assertion Markup Language 2.0 (SAML), WS-Federation and WS-Trust.
The other product that Microsoft offers, and the one I'm going to discuss in more detail, is FIM (formerly known as ILM2). FIM stands for Forefront Identity Manager, and it fits inside the range of other Forefront-suite products offered by Microsoft. Like most Microsoft products it offers perfect integration with other Microsoft products and a familiar look and feel to any Windows user. The interface is built in SharePoint, and it must be said that it looks like the most intuitive interface I've seen in an identity manager, something Microsoft is really good at. (Although I haven't had hands-on experience yet; I am building a demo system as we speak and will come back to this in another blog item.)

Also worth noting is that FIM interacts with Outlook as well. Let me illustrate the previous statement with an example: a user is added to a group or role in the identity system, and approval is required to obtain that membership. The approver will receive a mail in Outlook with an integrated "approve/reject" option, similar to the accept/decline option when you are invited to a meeting in Outlook.

What's also interesting is that FIM now has a workflow editor (it was missing in the previous lifecycle manager from Microsoft). It also has a broader range of supported protocols. What does concern me is that, while FIM seems to support a lot of possible directories (AD, ADAM, 'other LDAP', ...) for provisioning, it is still unclear to me what will happen if I try to provision to an LDAP installed on a Linux or UNIX device. But as previously stated, I will test this out and share my experience on this blog!

In general I was pleasantly surprised by this product. Because companies tend to already have a large selection of Microsoft products installed, especially the ones that have SharePoint and other Forefront products, it will be easier for employees to navigate the interface. This is a powerful asset, especially since this is only the second release (other identity managers are at their 8th or even 12th release). I do see a lot of potential in this, as long as Microsoft doesn't forget that companies tend to have a more exotic selection of protocols and directories than their own.

It is important to note that this product is expected to be released at the beginning of 2010.

