In my recent discussions with IT Pros on systems management topics, a number of questions have arisen regarding automating the provisioning of user identities across disparate application systems within business organizations. My initial recommendation is to always start with an evaluation of how authentication and authorization are currently handled across your applications. Often, much of the existing complexity can be reduced to a much simpler solution by consolidating on a small number of user directories. In our world, this commonly translates into first determining the feasibility of integrating all or most of your applications with Active Directory. Obviously, in some cases this may not be practical for all of your existing applications, but it can certainly help to reduce complexity if most of your current applications have a common directory system.
For the remaining applications that cannot be directly integrated into Active Directory for justified technical or business reasons, the next step is to evaluate how best to automate the provisioning, modification and deprovisioning of user identities across the (hopefully) small number of user directories that you are left with. Common examples I see in the business world include:
Both of these examples can be addressed by Microsoft Forefront Identity Manager (FIM) 2010 R2. FIM provides unified user identity management across disparate user directories and applications via a central logic engine and agents that can establish file-based or call-based programmatic connectivity to each system. Once FIM is installed and configured, it serves as the central "clearinghouse" for user identity management changes across these systems to reduce or eliminate the time involved in the manual administration of user identities and common user modifications, such as password and group changes.
To help you get started with evaluating FIM, I've provided some great resources below that will help you understand the FIM architecture and also step through the build-out of a lab environment in your own shop.
Once you've explored the basics with FIM, I'd also highly recommend the following FREE eBook to gain additional depth prior to moving forward with a production deployment plan:
Want to try out FIM in your own lab environment? You can download a 180-day FREE evaluation version of FIM 2010 R2 here.
Be sure to check out these additional resources:
Keith Mayer is a Principal Technical Architect at Microsoft, focused on helping ISV partners leverage the Azure cloud platform. Keith has over 20 years of experience as a technical leader of complex IT projects, in diverse roles, such as Network Engineer, IT Manager, Technical Instructor and Consultant. He has consulted and trained thousands of customers and partners worldwide on design of enterprise technology solutions.
Keith is currently certified on several Microsoft technologies, including Azure, Private Cloud, System Center, Hyper-V, Windows, Windows Server, SharePoint, SQL Server and Exchange. He also holds other industry certifications from VMware, IBM, Cisco, Citrix, HP, CheckPoint, CompTIA and Interwoven.
You can contact Keith online at http://aka.ms/AskKeith.