InfoWorld review: Microsoft ADFS 2.0 and Forefront Identity Manager 2010

Extensible cross-domain user authentication and automated user rights management highlight these powerful tools

1 2 3 4 5 Page 5
Page 5 of 5

FIM 2010: Automating rights management
Credential management has been greatly simplified for both IT and the end-user. Now all user credential management -- including one-time password devices and third-party certificate authorities -- can be done through a single console. FIM 2010 also provides a mechanism to allow end-users to reset their password from the Windows logon screen. Based on policy, the user can be presented with traditional question-and-answer prompts, or FIM 2010 can send a one-time password via text message, or any combination of these. This reduces the burden on IT and allows the end-user to continue working instead of waiting on a simple password reset.

A couple of nice enhancements to user management are built into FIM 2010. In addition to simply creating the user account, FIM 2010 can automatically provision resources, such as an email account or a one-time PIN for a smart card. This automation becomes especially important when the time comes to de-provision a user. By allowing the proper policies to automatically take the user out of the system, FIM 2010 helps maintain compliance and minimizes the chance of leaving a user account active and failing a compliance audit.

Another nice feature is the ability for end-users to manage portions of their own user profile. For example, FIM 2010 can be set up to allow users to update telephone numbers, addresses, or other personal information without being able to change email address or logon name.

Along these same lines, users can manage their own distribution and user groups. This can be done through the FIM Web portal or, via integration with Office 2007 or Office 2010, right from inside Outlook. Group managers can approve or disapprove user requests via Outlook, making user group management even easier.

In a world where users are not always the exclusive management property of one domain, Forefront Identity Manager 2010 offers a way to bridge the gaps between systems. The bi-directional synchronization between heterogeneous identity systems extends FIM 2010's reach beyond Microsoft-only networks, while the use of policy and workflows helps keep the compliance train on track. If you have to work with multiple domains or authentication systems, Forefront Identity Manager 2010 is definitely one tool to check out.

Microsoft ADFS 2.0 and FIM 2010 at a glance

  Cost Pros Cons Bottom Line
Microsoft Active Directory Federation Services 2.0 Free download from Microsoft
  • Greatly extends user management capabilities beyond local domains
  • Supports traditional Windows-based authorization in addition to claims-based authentication
  • No changes or additions to user directories required
  • No confidential information is passed between domains
  • Based on open Web standards (SAML 2.0, WS-Federation, WS-Trust)
Establishing trusts between two ADFS servers requires a bit of certificate manipulation ADFS 2.0 is a powerful server role for Windows Server 2008 R2 that extends IT's control over user access across domains and other identity systems. Using its claims-based tokens, ADFS can create trusts between domains and easily facilitate secure, controlled access to non-local users.
Microsoft Forefront Identity Manager 2010 $15,000 per server, $18 per user CAL
  • Powerful policy engine
  • Extremely flexible workflow engine
  • User self-support features
  • Works with non-Windows directories and user data stores via synchronization engine
Costly for medium-sized businesses FIM 2010 is a very powerful tool for automating all phases of user management, from initial provisioning to termination. FIM 2010 allows IT to create user policies and workflows, it will work with third-party certificate authorities as well as smart cards, and its ability to share information with non-Windows data stores makes it a great candidate for global user management.

Tops for Windows:

More on Microsoft's back office:

This article, "InfoWorld review: Microsoft ADFS 2.0 and Forefront Identity Manager 2010," was originally published at InfoWorld.com. Follow the latest developments in security, networking, and Windows at InfoWorld.com.

Copyright © 2010 IDG Communications, Inc.

1 2 3 4 5 Page 5
Page 5 of 5