Managing user access in businesses today is something like playing traffic cop in an intersection of a thousand roads. From Web-based applications to homegrown programs, from desktop PCs to the latest crop of smartphones, IT has to be able to control access to every sort of resource while allowing users to access them from anywhere and any platform.
A bigger challenge is providing seamless access to applications and systems across corporate or network boundaries. It's no trouble for IT to define and manage user names and passwords on their own network, but it takes more work -- or is nearly impossible -- to extend access to internal systems to numerous external users or to manage local user access to a system outside of their control.
Microsoft has updated Forefront Identity Manager (FIM) 2010 and Active Directory Federation Services (ADFS) to aid IT in applying identity management across domains and business boundaries. Both of these tools are intended to extend user access control across the enterprise; FIM uses a common platform to tie user, certificate, group, and policy management together, while ADFS provides trust accounts between different networks or organizations. Together, they provide a powerful platform for extending user management beyond the company domain or network edge.
Active Directory Federation Services 2.0
Active Directory Federation Services, first available in Windows Server 2003, is now a server role in Windows Server 2008 R2. ADFS is a single-sign-on technology that uses claims-based authentication to validate a user's identity across domains. Normally when the user's account is in one domain and the resource is in another, the resource will prompt the user for local credentials. ADFS eliminates the secondary credential request; the user's identity is validated, and access provided, based on information in the user's home directory.
A claims-based system, like many others, uses digital tokens that contain information about the user. But unlike a request made directly against Active Directory and generating a Kerberos token, the resource being accessed doesn't interact directly with the user data store. Instead, it talks to a Security Token Service, such as ADFS, which performs the check against the user information store and creates a claims token based on the result of the lookup. The claims token can contain as much -- or as little -- information as needed to access the particular service.
Using claims-based authentication between two different domains requires a Security Token Service in each domain. Each domain's Security Token Service must trust the other one, and based on this trust, a policy is defined that specifies if access is granted or denied to a specific resource. For example, when a user on Network A attempts to access a Web portal on Network B, an authentication request is made to the user's Security Token Service on Network A. After validating the claims for the user against the local user directory, Network A's Security Token Service provides a token to Network B's Security Token Service, which then issues its own token to the requesting user in order to access the Web portal. There is a lot of back and forth behind the scenes, but once the remote domain gets the all-clear from the user's Security Token Service, the user gets a new token as if they were a member of the remote domain.
[ From powerful productivity enhancers to important security safeguards, Microsoft Office 2010 has a number of features that businesses will love. See "Top 10 Office 2010 features for business," "More great Office 2010 features for business," and "PowerPivot for Excel 2010: Power to Excel people." ]
Within a single domain -- such as when you want to extend user access to a cloud service without implementing a direct authentication connection to Active Directory or another user database -- a single Security Token Service will do the job. In addition to supporting claims-aware ASP.Net applications and (through an IIS Web server agent) Windows NT token-based applications on the resource side, ADFS 2.0 can communicate with third-party federation services and cloud services using SAML 2.0.
To get started with ADFS, make sure you have a valid SSL certificate (self-signed is sufficient but not recommended for a production environment), Windows Server 2008 R2, Microsoft SQL Server 2008 (for the policy store), and Active Directory Domain Services. The ADFS 2.0 software is available as a free download from Microsoft through the Download Center.
Setting up ADFS takes quite a few steps, most of which involve importing the SSL certificate, exporting certificates, and creating shared certificates. Each ADFS server has to import the other's SSL certificate in order to authenticate the external lookup request. The end result is that a trust relationship between the two federation servers (Security Token Services) is established using SOAP messages and SAML metadata. The last step is generating the claims rules appropriate for the exposed resource.
Claims rules can come in many forms and vary greatly based on the target resource or application. For the most part, each rule or policy must know the Uniform Resource Identifier (URI) of the application, which claims are being offered, which claims the application requires, the URL the application should expose to the user, and finally, if the token should be encrypted or not. Some rules might require user name, email address, and group affiliation, while others may only need first and last name. Rules can simply pass information through to ADFS or transform the data into something recognizable. For example, if ADFS talks to an LDAP server, it might need to reformat the user name so that the other ADFS (or Security Token Service) can properly process it. ADFS provides a very flexible rule engine that can handle most every situation.
Active Directory Federation Services is a great way to extend trusted authenticated access between domains using claims-based authentication. The fact that it works with other open Web standards allows it to extend its reach into non-Microsoft domains, while still allowing trusted access and single-sign-on capabilities. It does require a little work to get set up, but once in place, the benefits really pay off.
Forefront Identity Manager 2010
Forefront Identity Manager 2010 is a powerful platform for managing user identities, credentials, and identity-based access policies for both Windows and non-Windows environments. In FIM 2010, Microsoft took smart card and certificate management and merged it with identity lifecycle tools to streamline administration and improve user security and compliance. FIM 2010 also empowers users through self-service tools to manage their own group memberships or reset their user password from the Windows logon page. FIM 2010 is based on Web standards for greater extensibility and will work with third-party certificate authorities.
The previous release, Microsoft Identity Lifecycle Manager 2007, provided a platform for identity synchronization, basic certificate and smart card management, and user provisioning. Forefront Identity Manager 2010 takes these base features and enhances them to reduce the time, effort, and cost of managing a user's account throughout its lifecycle.
One area that got a lot of attention in FIM 2010 is policy management. The administration UI is a SharePoint-based system that uses natural language queries and menu-driven controls to generate rules and policies for managing users. The rules can be applied automatically to other users and groups based on various criteria. For example, you can create a rule to automatically add a new user to a group, issue a one-time password for a smart card, and push the user's email address and telephone number to another user directory while flagging HR to issue a request for a new health insurance policy.
One of the most powerful policy management features is the inclusion of Windows Workflow Foundation (WF). With WF, IT can create a multistep policy to easily automate user management. Workflows can be simple or complex with multiple branches depending on need. During my tests, I was able to create workflows to send approve or disapprove notifications to a specific manager whenever a user account was added to a certain group. FIM 2010 can also import and reuse existing WF-based workflows so that IT doesn't have to re-create the workflow wheel and can speed up deployment.
Another very nice feature in FIM 2010 is that it will synchronize user information between heterogeneous systems. Forefront Identity Manager 2010 integrates with a wide range of systems, including Active Directory, Novell, Sun, IBM, Lotus Notes, Exchange, Oracle and SQL Server databases, SAP, and even flat file systems -- in most cases with no additional software agent installed on the target system. A synchronization service takes care of passing user information in and out of FIM 2010.
A good example of this would be the scenario in which a new user is added to the company. HR creates the new user in FIM 2010. The synchronization service pushes the new user info into the enterprise's Active Directory, and following the workflow, once the manager gives approval, this same user information is then sent to the company's insurance provider (an external system, secured by ADFS) to add them to the health insurance plan.
FIM 2010: Automating rights management
Credential management has been greatly simplified for both IT and the end-user. Now all user credential management -- including one-time password devices and third-party certificate authorities -- can be done through a single console. FIM 2010 also provides a mechanism to allow end-users to reset their password from the Windows logon screen. Based on policy, the user can be presented with traditional question-and-answer prompts, or FIM 2010 can send a one-time password via text message, or any combination of these. This reduces the burden on IT and allows the end-user to continue working instead of waiting on a simple password reset.
A couple of nice enhancements to user management are built into FIM 2010. In addition to simply creating the user account, FIM 2010 can automatically provision resources, such as an email account or a one-time PIN for a smart card. This automation becomes especially important when the time comes to de-provision a user. By allowing the proper policies to automatically take the user out of the system, FIM 2010 helps maintain compliance and minimizes the chance of leaving a user account active and failing a compliance audit.
Another nice feature is the ability for end-users to manage portions of their own user profile. For example, FIM 2010 can be set up to allow users to update telephone numbers, addresses, or other personal information without being able to change email address or logon name.
Along these same lines, users can manage their own distribution and user groups. This can be done through the FIM Web portal or, via integration with Office 2007 or Office 2010, right from inside Outlook. Group managers can approve or disapprove user requests via Outlook, making user group management even easier.
In a world where users are not always the exclusive management property of one domain, Forefront Identity Manager 2010 offers a way to bridge the gaps between systems. The bi-directional synchronization between heterogeneous identity systems extends FIM 2010's reach beyond Microsoft-only networks, while the use of policy and workflows helps keep the compliance train on track. If you have to work with multiple domains or authentication systems, Forefront Identity Manager 2010 is definitely one tool to check out.