In my recent discussions with IT Pros on systems management topics, a number of questions have arisen regarding the automation of user identity provisioning across disparate application systems within business organizations. My initial recommendation is always to start with an evaluation of how authentication and authorization are currently handled across your applications; often, much of the existing complexity can be reduced to a much simpler solution by consolidating on a small number of user directories. In our world, this commonly translates into first determining the feasibility of integrating all or most of your applications with Active Directory. Obviously, in some cases this may not be practical for every existing application, but it certainly helps to reduce complexity if most of your current applications share a common directory system.
For the remaining applications that cannot be directly integrated into Active Directory for justified technical or business reasons, the next step is to evaluate how best to automate the provisioning, modification and deprovisioning of user identities across the (hopefully) small number of user directories you are left with. Common examples I see in the business world include:
- Leveraging a corporate Human Resources application system as an authoritative source system for provisioning user credentials for new employees in Active Directory and other business applications.
- Leveraging Active Directory as an authoritative source system for synchronizing the provisioning of user credentials in legacy corporate applications that cannot be directly integrated with Active Directory.
Both of these examples can be addressed by Microsoft Forefront Identity Manager (FIM) 2010 R2. FIM provides unified user identity management across disparate user directories and applications via a central logic engine and agents that can establish file-based or call-based programmatic connectivity to each system. Once FIM is installed and configured, it serves as the central "clearinghouse" for user identity management changes across these systems to reduce or eliminate the time involved in the manual administration of user identities and common user modifications, such as password and group changes.
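To make the inbound scenario concrete, the following is an added illustration (not FIM code, and not from the original post) of the delta a sync engine computes when a file-based HR export is authoritative for a target directory: provisions for new active employees, modifications for changed attributes, and deprovisions for terminated or orphaned accounts. The CSV feeds, the `employeeId` anchor attribute and the column names are constructed assumptions for the example.

```python
import csv
import io

# Constructed sample HR export (the authoritative source) and a snapshot of the
# target directory. Records are joined on the immutable employee ID, never on
# the display name, because names change and their re-use breaks a sync.
HR_FEED = """employeeId,displayName,department,status
1001,Alice Example,Finance,active
1002,Bob Example,Engineering,active
1004,Dana Example,Sales,terminated
"""

DIRECTORY_SNAPSHOT = """employeeId,displayName,department,enabled
1001,Alice Example,Accounting,true
1003,Carol Example,Engineering,true
1004,Dana Example,Sales,true
"""

def load(text, key="employeeId"):
    """Parse a CSV export into a dict keyed by the anchor attribute."""
    return {row[key]: row for row in csv.DictReader(io.StringIO(text))}

def compute_sync_delta(hr, directory):
    """Return (action, employeeId, attributes) tuples that bring the target
    directory into agreement with the authoritative HR source.
    Deprovisioning disables rather than deletes, so audit history, group
    membership and resource ownership survive for later review."""
    actions = []
    for eid, rec in sorted(hr.items()):
        target = directory.get(eid)
        if rec["status"] != "active":
            # Terminated in HR: disable the account if it is still enabled.
            if target is not None and target["enabled"] == "true":
                actions.append(("deprovision", eid, {}))
            continue
        if target is None:
            # Active in HR but absent from the directory: create it.
            actions.append(("provision", eid,
                            {"displayName": rec["displayName"],
                             "department": rec["department"]}))
            continue
        changes = {k: rec[k] for k in ("displayName", "department")
                   if rec[k] != target[k]}
        if changes:
            actions.append(("modify", eid, changes))
    # Orphans: enabled directory accounts with no HR record at all. In practice
    # the target connector is scoped (for example to an employee OU) so that
    # service and admin accounts are never in scope for this rule.
    for eid, target in sorted(directory.items()):
        if eid not in hr and target["enabled"] == "true":
            actions.append(("deprovision", eid, {}))
    return actions

def run_example():
    return compute_sync_delta(load(HR_FEED), load(DIRECTORY_SNAPSHOT))
```

The orphan rule is the one most worth attention in a real deployment: an account that exists in the directory with no authoritative HR record is exactly the kind of identity that outlives its owner.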
To help you get started with evaluating FIM, I've provided some great resources below that will help you understand the FIM architecture and also step through the build-out of a lab environment in your own shop.
- Common Configuration Guide - Great starting point to understand the requirements, dependencies and architecture of FIM
- Introduction to Inbound Synchronization - For scenarios in which an external application, such as an HR app, will be authoritative for user identities
- Introduction to Outbound Synchronization - For scenarios in which FIM/Active Directory will be authoritative for user identities
- Lab Guide - Installing Forefront Identity Manager - Step-by-step guide to build out a FIM lab environment in your shop
- Lab Guide - Implementing a File-based Connectivity Management Agent - Step-by-step guide to implement a file-based agent for synchronizing user identities
- Lab Guide - Implementing a Call-based Connectivity Management Agent - Step-by-step guide to implement a call-based agent for synchronizing user identities
Once you've explored the basics with FIM, I'd also highly recommend the following FREE eBook to gain additional depth prior to moving forward with a production deployment plan:
Want to try out FIM in your own lab environment? You can download a 180-day FREE evaluation version of FIM 2010 R2 here.