InfoWorld review: Microsoft ADFS 2.0 and Forefront Identity Manager 2010
Extensible cross-domain user authentication and automated user rights management highlight these powerful tools
The previous release, Microsoft Identity Lifecycle Manager 2007, provided a platform for identity synchronization, basic certificate and smart card management, and user provisioning. Forefront Identity Manager 2010 takes these base features and enhances them to reduce the time, effort, and cost of managing a user's account throughout its lifecycle.
One area that got a lot of attention in FIM 2010 is policy management. The administration UI is a SharePoint-based system that uses natural language queries and menu-driven controls to generate rules and policies for managing users. The rules can be applied automatically to other users and groups based on various criteria. For example, you can create a rule to automatically add a new user to a group, issue a one-time password for a smart card, and push the user's email address and telephone number to another user directory while flagging HR to issue a request for a new health insurance policy.
One of the most powerful policy management features is the inclusion of Windows Workflow Foundation (WF). With WF, IT can create a multistep policy to easily automate user management. Workflows can be simple or complex, with multiple branches depending on need. During my tests, I was able to create workflows that sent approve-or-disapprove notifications to a specific manager whenever a user account was added to a certain group. FIM 2010 can also import and reuse existing WF-based workflows, so that IT doesn't have to re-create the workflow wheel and can speed up deployment.
Another very nice feature in FIM 2010 is that it will synchronize user information between heterogeneous systems. Forefront Identity Manager 2010 integrates with a wide range of systems, including Active Directory, Novell, Sun, IBM, Lotus Notes, Exchange, Oracle and SQL Server databases, SAP, and even flat file systems -- in most cases with no additional software agent installed on the target system. A synchronization service takes care of passing user information in and out of FIM 2010.
A good example of this would be the scenario in which a new user is added to the company. HR creates the new user in FIM 2010. The synchronization service pushes the new user's info into the enterprise's Active Directory, and, following the workflow, once the manager gives approval, this same user information is sent to the company's insurance provider (an external system, secured by ADFS) to add the user to the health insurance plan.
Note that the synchronization isn't merely a one-way street; when the insurance company creates a new account in their system and assigns the new employee an account ID, that information can be sent back into FIM on a subsequent synchronization and stored in the employee's AD record or in FIM 2010 alone. Any update to the user record in any of these systems -- FIM 2010 or AD or the external insurance system -- is automatically updated in the others. With the multibranch capabilities of the policy engine, one change can create a cascade effect on other pertinent systems.