Showing posts with label AD FS.

Wednesday, January 25, 2012

FIM R2 Showdown -- Classic vs. Declarative

Come join me at The Experts Conference 2012 in San Diego, April 29 - May 2, where I will be presenting:

FIM R2 Showdown — Classic vs. Declarative
Speaker: David Lundell

Is there room enough for both in this town? FIM 2010 R2 has two ways of accomplishing many tasks: Classic and Declarative. Attend this showdown to learn when to saddle up Classic vs. when to saddle up with Declarative Sync Rules and why. Dissenting opinions politely welcomed — join the controversy! Discussion will take into account performance, ease of implementation and maintainability.

My colleague Lutz Mueller-Hipper has been selected to present three sessions:

Data Loss Prevention with RMS: 2012 the Year of RMS
Speaker: Lutz Mueller-Hipper

In this session we talk about the reasons for RMS and the battle against PKI. RMS is growing up, so let’s see what we got with Mac Office, for unsupported document formats and automatic data classification tools. We will also cover what is new with RMS in Windows 8 and RMS in the Cloud.

EZ PKI and PKI Housekeeping
Speaker: Lutz Mueller-Hipper

It is time to use PKI to simplify computer management, and this session will go over design recommendations and security aspects for scenarios with Wifi and VPN. Don’t just do it, do it right, and see why and how. The second part of this session will discuss user certificates in the wild, how to publish them securely with AD LDS and what needs to be done for housekeeping in Active Directory for PKI.

Public/Private Cloud Application Security and Single Sign On with BYOD – Tear Down the Walls
Speaker: Lutz Mueller-Hipper

The IT business is moving rapidly to cloud based solutions. Want to know what that means to the traditional network infrastructure and how you can run an open but secured network? The session will look at all those things from an application level and authentication in enterprises with classic SSO and federation.

For all of the Directory and Identity Abstracts

Wednesday, April 20, 2011

Cloud computing single sign-on. Making ADFS work with Google and Salesforce (Nikita Ryumin)

This TEC session on the Directory Services track was short but sweet, illustrating how to connect ADFS to Google and SalesForce.

Tuesday, April 19, 2011

Recruiting

Hey readers, our Identity Practice at Ensynch is keeping us very busy. We would like to have more Identity consultants as part of our team. Come work with me and the rest of our fantastically talented Identity Team.

We are looking for people with experience in Forefront Identity Manager 2010 and people with experience in ADFS 2.0. We are looking for both Full Time Employees as well as people interested in being contractors for us.

Travel requirement: Depends on where you live and ranges from 15%-60%

Locations: Ideally New York/New Jersey (travel between 15%-30%)

Southern California (travel between 20%-50%)

Any other place in the continental US with access to a major airport (Travel between 50%-60%)

Shoot me an email at DLundell (at) Ensynch.com

Wednesday, April 13, 2011

Making Sense of the Cloud

 


National Roadshow Series: 2 High Value Sessions in 1 Business Focused Technology Briefing from Leading Industry Experts at Ensynch and Microsoft

It’s time to make sense of the plethora of rhetoric around the term "Cloud." It's time to cut through the hype and figure out how to leverage the latest Dynamic Private Cloud and Public Cloud technologies and provide real value to your business.
Why Attend?
Learn how organizations worldwide are realizing tremendous business value as they begin to migrate portions of their business to securely provide IT as a service through private and public cloud solutions. Unlike many product-focused technology events, this event is focused on business use cases and solutions. You will leave this event having gained real value and perspective that you can immediately apply to your business's information technology strategy and roadmap.


Complimentary Steakhouse Lunch will be served at noon to all attendees present.
We recommend attending both event sessions, but you can choose to attend the one that will provide you with the most value.

Session 1- Building your Business Cloud (10:30 AM)
How to Makeover your Infrastructure by providing IT as a Service through Virtualization, Next Generation Management, and Automation solutions from Microsoft.

Session 1- Intended Audience:
Business focused IT Executives and Leaders, Infrastructure and Desktop Management Directors and Managers, Identity Management and Security Directors and Managers.
Products Relevant in Session 1:
Windows 7, Windows Server 2008 R2, Systems Center Suite, Windows Server Hyper-V, Microsoft Desktop Optimization Pack, Forefront Identity Manager 2010, Windows InTune, Quest vWorkspace, Quest One Identity Manager, Active Directory Federation Services (ADFS)

Lunch Break: (12:00 PM)
Complimentary steakhouse lunch will be served.
Session 2- Consuming your Business Cloud (1:00 PM)
How to makeover your productivity and business intelligence platforms powered by SharePoint 2010 and SQL to enable One Place to View the Facts, Collaborate, and Provide a Consumer Cloud Experience at Work. 

Session 2- Intended Audience:
Business and IT Executives, SharePoint/Collaboration/Web Directors and Managers, Business Intelligence Leaders and Stakeholders.
Products Relevant in Session 2:
SharePoint 2010, Office 365, Lync 2010, SQL Server 2008 R2, SQL Azure, Windows Azure

Choose Your City. RSVP Today.

April 27, 2011 - Irvine, CA (Ruth's Chris Steakhouse)

April 28, 2011 - San Diego, CA (Donovan's Steakhouse)

May 4, 2011 - Parsippany, NJ (Ruth's Chris Steakhouse)

May 5, 2011 - New York, NY (Park Avenue-Spring Restaurant)

May 11, 2011 - Phoenix, AZ (Donovan's Steakhouse)

Monday, October 18, 2010

TEC 2010 Europe – Sweet German Chocolate!

Overall, TEC 2010 Europe in Dusseldorf, Germany was pretty cool. I enjoyed the speakers' reception on Sunday night and got to meet some folks from the SharePoint side, some of whom are even interested in FIM, and one of them bought my book!

For the first time I was able to bring my wife along to TEC! We enjoyed some good time in Dusseldorf, including seeing Schloss Benrath (Benrath Palace).

Monday we started off with a keynote from Uday Hegde and Mark Wahl on the future of Directory and Identity Technologies. It was mostly an overview and demo of the various MSFT Identity technologies: FIM, RMS, ADFS etc. I did enjoy Mark’s well-prepared video demo. He clearly had practiced the timing quite well, explaining as the mouse moved across the screen carrying out his demo.

I spent some time in the solution lab taking a look at Quest’s newest acquisition, Active Entry (part of the Voelcker acquisition). It is quite an exciting product, with Role Mining, and RBAC capabilities. More on that at another time.

I loved Brian Komar’s presentation on how to screw up your PKI. I know he titled it the other way, but if you take your notes the wrong way then he is teaching you how to screw up. But if you study it the right way, it is quite an insightful look into how to avoid huge mistakes!

For the next session to attend it was a close call between “Claims Provisioning and the Cloud” by Mark Wahl and Andreas Kjellman and Joe Kaplan’s “Add LDAP and Two-Factor Auth to ADFS v2”. I chose to attend Joe Kaplan’s session. It really was quite interesting to see the tack he took to add in LDAP auth and two-factor. Even funnier was how Joe revealed his grand deception: his two-factor authentication component was accepting any password.

After lunch I skipped Jeremy Palenchar’s awesome session on Logging and Auditing with FIM (I saw it in LA back in April) in order to relax for my Care and Feeding of Identity Databases session. As always, presenting at TEC is great fun. I gave away a few copies of FIM Best Practices Volume 1 in the session. Then Brad Turner spoke on FIM and ILM High Availability.

Monday night's reception was great fun. I had quite a thrill talking to so many readers of my blog and book.

Tuesday morning I enjoyed Mark Wahl’s presentation on Integrating FIM into IT Service Management. While it was geared towards using System Center Service Manager as a data warehouse, the thought of integrating automated Identity Management with help desk and asset management is quite intriguing. Then Brad spoke about applying FIM policy retroactively with ROPU (“Run on policy update”), which we refer to as “Rope You”.

I attended part of Jackson Shaw’s Evolution of the Identity Market. He had a fascinating story of how the destruction of one company’s directory led to the meta directory concept.

After lunch I delivered my session on FIM Performance Tuning. It was a bit surreal but I was asked to personalize several copies of FIM Best Practices Volume 1.

I enjoyed being able to attend Andreas Kjellman’s session on how to avoid a FIM support call. I thought the feedback about the common support items was invaluable.

Wednesday we skipped out for some sightseeing.

Friday, August 20, 2010

ADFS v2 Test Report -- Found

Something has happened with the Project Liberty website and most links to it are now broken, including the link to the test results from last year, which list which profiles ADFS v2 passed. So here it is:

http://projectliberty.org/liberty/content/download/4732/32917/file/SAML_3Q09_%20IOP_Test_Event_Final_Report.pdf

ADFS v2 passed: IDP Lite, SP Lite, eGov 1.5

Wednesday, June 9, 2010

Accelerate Your Business Now with Identity Management & Single-Sign-On (SSO)

  • Jun 10, 2010, 1:00 p.m. Eastern / 10:00 a.m. Pacific (60 minutes)
  • To register follow this link
  • Featured Speakers
    • Christopher Yeich - Editor, Strategic Content - Ziff Davis Enterprise
    • David Lundell - Identity Management Practice Director, Ensynch | Microsoft Identity Management MVP
    • Jonathan Sander - IAM and Security Analyst - Quest Software

Has your business experienced identity theft, with unauthorized access to your systems, data, and/or trade secrets? Have you lost business because your customers and/or employees didn’t have access when needed? How much time have you wasted producing compliance/regulatory reports for various auditors?

These are all real-life situations that business and IT leaders like you are experiencing every day. Breaches lead to millions—sometimes billions—in lost monies every year. Additionally, there's also confusion, frustration, and lost productivity that organizations deal with every day as they fight to manage appropriate access to information and tools that employees, business partners, and customers actually need.

Join Microsoft Identity MVP David Lundell of Ensynch, and Jonathan Sander, IAM and Security Analyst of Quest Software, for a candid presentation that uncovers ways you can protect and accelerate your business—as well as save money—with identity and secure access management (ISAM).

Topics of discussion will include:

  • Business Goals of Identity Management
  • Methods for Achieving Identity Management Business Goals
  • Business Value of Single-Sign-On (SSO) and Federation, and an Overview of Business-Ready SSO and Federation Solutions
  • Business Value of Identity and Secure Access Management
    • Value of Automating Identity Management, with an overview of business-ready Identity Management solutions: Quest One ARS and Forefront Identity Manager 2010
    • Value of Strong Authentication, with an overview of a business-ready strong authentication solution: Quest Defender
  • Real-Life Case Studies
  • How an Identity + SSO Business Accelerator Assessment can help uncover the right solutions for your organization to solve a variety of business problems
  • Sponsored By: Ensynch and Quest Software

Tuesday, May 18, 2010

ADFS v.2 shipped

Active Directory Federation Services v2 Ships!

This is awesome stuff – with ADFS v2 we can help you setup SSO with your SaaS vendors.

[Image: an example, rendered generic]

ADFS 2.0 supports SAML 2.0 (the IdP Lite and SP Lite profiles), which opens up many federation doors, and WIF allows us to write custom security token services (STS) just in case the IdP Lite and SP Lite profile support isn’t up to handling the interaction.

Friday, August 14, 2009

AD RMS on R2 -- new Federation Features

AD RMS on Windows Server 2008 R2 adds a really slick feature blogged about here: Group Expansion for Federated Users

Prior to R2, to issue a use license to a federated user, they had to be specifically granted permissions. With Windows Server 2008 R2 you can create a contact matching the external federated user and place the contact in the group, and they then have the same RMS permissions as that group.

This is great: you can include external users in groups, still without provisioning a user account for them in your domain. Oops, now we need to provision a contact object for them and put that into the group. But perhaps we can combine this capability with custom claims transformation modules to do on-demand provisioning, the way my coworker Chris Calderon demonstrated on Windows Server 2008 at TEC 2009 (to get his slides go to http://theexpertscommunity.com/item/show/blog/659/TEC-presentations-now-available and follow the instructions).

But On-Demand Provisioning only solves half of the battle (and here all of the GI Joe fans thought knowing was half the battle ;)

Even though the user's access has been turned off by their employer disabling or deleting their account, the contact objects on your side still need to get cleaned up. But how do you know when to deprovision an account from a federated partner? Perhaps you could use the RMS logging database as a starting point and look for users that haven't accessed the system in a while, email them and see if you get a bounce. Receiving an NDR for a federated user that hasn't accessed anything for months would make it a pretty safe bet to delete their contact object.

How to make that happen? Create your own service or scripts to automate querying the logging database and sending the email. Another script to check for NDRs and then write to a table the contacts to be deleted. Then use FIM to read the table and delete the contacts, or your script could do it directly, as appropriate.
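One way to script the cleanup loop sketched above (stale-user query against the logging database, probe e-mail, NDR check, then a delete list for FIM). This is an added example, not code from the original post: the logging table and column names, the contact OU, mail and file paths are all assumed placeholders, and the "table" the post mentions is written as a CSV here.

```powershell
# Added example (not from the original post). Assumptions, all placeholders:
#   - The AD RMS logging database is reachable over SQL; the table and column
#     names below are assumed, so check them against your own logging schema.
#   - Federated users are logged by e-mail address, and the matching contact
#     object in AD carries that same address in its 'mail' attribute.
#   - NDRs have been exported from the admin mailbox into a text file with one
#     bouncing address per line (however you collect them).
param(
    [string]$SqlServer     = 'RMSLOGSQL\PLACEHOLDER',
    [string]$Database      = 'DRMS_logging_PLACEHOLDER',
    [string]$LogTable      = 'dbo.ServiceRequest',      # assumed table name
    [int]   $InactiveDays  = 90,
    [string]$ContactOU     = 'OU=FederatedContacts,DC=example,DC=com',
    [string]$NdrFile       = 'C:\rms-cleanup\ndr.txt',
    [string]$CandidateFile = 'C:\rms-cleanup\delete-candidates.csv',
    [string]$SmtpServer    = 'smtp.example.com',
    [string]$FromAddress   = 'rms-admin@example.com',
    [switch]$Delete                                    # off by default: only write the list for FIM
)
Import-Module ActiveDirectory

# Step 1: most recent RMS request per user, straight from the logging database.
function Get-LastAccessByUser {
    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Server=$SqlServer;Database=$Database;Integrated Security=SSPI"
    $cmd = $conn.CreateCommand()
    # UserAddress / RequestTime are assumed column names.
    $cmd.CommandText = "SELECT UserAddress, MAX(RequestTime) AS LastAccess FROM $LogTable GROUP BY UserAddress"
    $seen = @{}
    $conn.Open()
    try {
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) {
            $seen[$reader['UserAddress'].ToString().ToLower()] = [datetime]$reader['LastAccess']
        }
        $reader.Close()
    } finally { $conn.Close() }
    return $seen
}

# Step 2: contacts in the federated-users OU not seen for $InactiveDays (or never logged).
$lastAccess = Get-LastAccessByUser
$cutoff     = (Get-Date).AddDays(-$InactiveDays)
$contacts   = Get-ADObject -SearchBase $ContactOU -LDAPFilter '(&(objectClass=contact)(mail=*))' -Properties mail
$stale      = @($contacts | Where-Object {
    $last = $lastAccess[$_.mail.ToLower()]
    (-not $last) -or ($last -lt $cutoff)
})

# Step 3: addresses that already bounced, collected from an earlier probe run.
$bounced = @{}
if (Test-Path $NdrFile) {
    Get-Content $NdrFile | ForEach-Object { if ($_.Trim()) { $bounced[$_.Trim().ToLower()] = $true } }
}

# Stale and bounced: safe to delete. Stale but not bounced: send the probe e-mail.
$candidates = @($stale | Where-Object { $bounced[$_.mail.ToLower()] })
$stale | Where-Object { -not $bounced[$_.mail.ToLower()] } | ForEach-Object {
    Send-MailMessage -To $_.mail -From $FromAddress -SmtpServer $SmtpServer `
        -Subject 'Your RMS access at Example Corp' `
        -Body "We have not seen any RMS activity from you for $InactiveDays days. Reply if you still need access."
}

# Step 4: hand the delete list to FIM as a CSV, or delete directly when run with -Delete.
$candidates | Select-Object DistinguishedName, mail | Export-Csv -Path $CandidateFile -NoTypeInformation
if ($Delete) {
    $candidates | ForEach-Object { Remove-ADObject -Identity $_.DistinguishedName -Confirm:$false }
}
"Stale contacts: $($stale.Count); delete candidates: $($candidates.Count)"
```

Run it on a schedule: the first pass only sends probes and writes an empty candidate list; once NDRs have been collected into the file, the next pass produces the contacts FIM (or -Delete) should remove.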

Friday, May 15, 2009

The Business Impact of Identity and Access Management with Forefront Identity Manager 2010

Brad and I are going to cover the value of the whole Identity Management Stack from Microsoft and a few additional pieces from partners.

When: Thursday, May 28th

Where: Webinar/Online (Live Meeting links will be sent to all registrants) (Click Here to RSVP)

Presenters:
David Lundell – Microsoft MVP for ILM, Ensynch Practice Director
Brad Turner – Microsoft MVP for ILM, Ensynch Sr. Technical Architect

Time:
9am-10am Pacific/Arizona
10am-11am Mountain
11am-12pm Central
12pm-1pm Eastern

Webinar: The Business Impact of Identity and Access Management with Forefront Identity Manager 2010 (formerly ILM "2")

You’re invited to attend an informational webinar showcasing the business benefits associated with Identity and Access Management with the newly named Microsoft Forefront Identity Manager 2010 (formerly ILM "2").

This webinar is designed for Business and Technology Decision-makers interested in reducing operational costs while increasing security, compliance and overall operational efficiency. If you're interested in how Identity and Access Management solutions can impact business results, this webinar is for you.
Ensynch is proud of our world-class Identity and Access Management practice, boasting 3 Microsoft MVPs (out of only a handful world-wide). This team’s efforts have earned Ensynch back-to-back Microsoft Worldwide Partner Awards for Identity Management in 2007 and 2006. Take advantage of this opportunity to learn from their vast enterprise and mid-market experience in incorporating Best Practices to deliver heightened business results.


Agenda:
The Business Value of Microsoft’s Identity Management Stack

  • Evaluate the business challenges, the cost and the opportunities for savings with Identity Management
    • IDA with Forefront Identity Manager 2010 (ILM 2)
    • Maintaining existing ILM 2007 deployments
  • Strong Authentication
    • Certificate Services
    • Quest Defender
  • Sharing with Partners and Customers
    • Active Directory Federation Services / Geneva
      • Reducing the need to provision accounts for partners
      • Speedier disabling of access for partner/customer accounts
      • Implications with cloud-based applications
  • Information Protection (now that you’re sharing your documents, how do you protect them)
    • Active Directory Rights Management Services
      • Add-ons

Wednesday, April 15, 2009

Ensynch The Place to Be

In the last four months two very talented people have joined Ensynch, Chris Calderon, ILM MVP, and Mark Struck.

Chris Calderon of IdentityJunkie.com fame is extremely talented with ILM, Active Directory Federation Services (AD FS) and many other tools.

Mark Struck is a very talented developer and an experienced implementer of ILM. Even before Mark joined the team he and I collaborated to figure out how to use the ILM 2 web services.

Wednesday, March 11, 2009

Netpro DEC -> Quest TEC -- Ensynch's Sessions

Back in business school we always studied name changes and rebranding, and this one has been interesting.

Last summer NetPro decided to expand the Directory Experts Conference (DEC) to include an Exchange conference, and so they re-branded the conference NetPro's The Experts Conference. Then Quest acquired NetPro, so it became a completely re-branded conference as Quest's The Experts Conference.

So NetPro DEC became Quest TEC.

Sunday Mar 22nd - Wed Mar 25th in Vegas, www.tec2009.com

Day, Time: Topic (Speakers)

Sunday, 1 PM - 5 PM: Pre-conference Workshop 2, Taming the Chaos – Building a Practical Lifecycle Mgt. Application in the ILM “2” Portal (David Lundell and Brad Turner)
Monday, 1 PM - 2:15 PM: Designing an Object Expiration & Reconciliation Process in ILM 2 (Brad Turner)
Monday, 1 PM - 2:15 PM: Proper Care & Feeding of ILM, CLM and RMS Databases (David Lundell)
Monday, 4 PM - 5:15 PM: Rescue Your Identity Metasystem from Chaos Through Reporting against ILM 2 with SSRS (David Lundell and Brad Turner)
Tuesday, 2:45 PM - 4 PM: ADFS Extensibility (Chris Calderon, who will probably co-present with Randy Weimar)

(Yes, the current schedule has Brad and me speaking on Monday at 1 PM in different rooms.)

Thursday, October 30, 2008

Live ID's are now Open ID's, Geneva supports SAML 2.0

At the PDC, Microsoft's Kim Cameron and colleague Vittorio Bertocci announced that Microsoft Live is now an OpenID provider. Additionally, when signing into Live you can use Information Cards (Info Card, CardSpace, Geneva CardSpace).

They also demonstrated the new Geneva Framework (formerly known as Zermatt) -- essentially a successor to Windows Server 2008 Active Directory Federation Services -- and showed it supporting SAML 2.0 the "protocol", not just SAML 2.0 the token.

Other new announcements included the Microsoft Federation Gateway, which allows you to federate with Microsoft Live (including both managed domains and individual consumers -- all 400 million of them), other Geneva (ADFS) organizations, and other third-party Security Token Services (STS). They also showed issuing LINQ queries against the .Net Access Control Service to retrieve roles to make authorization decisions.

Good show, gentlemen! This is a tremendous step forward for interoperability. I just hope that the interoperability between Geneva and other third-party STSs is much easier to implement than the brittle, painful interoperability between ADFS and Shibboleth (that didn't support SAML 2.0). Hopefully, Shibboleth will be one of those third parties!

Wednesday, May 7, 2008

The Grand Unified Demo of Identity Management

As I was architecting and assembling the Identity All Up workshop (part of the 2008 Directory Experts Conference; see the review by Felix Gaehtgens, an analyst for Kuppinger Cole), designed to expose the attendees (or delegates) to all facets of the Microsoft Identity Access Platform, Lori Craw from Microsoft referred to it as the "Grand Unified Demo". I chuckled, instantly catching the reference to the still-undiscovered Grand Unified Field theory that eluded Einstein and even today's theoretical physicists.

In creating and delivering this workshop, I have reinforced my earlier belief that Active Directory (AD) is the medium through which most of the interactions between these components of the platform happen, and Identity Lifecycle Manager (ILM) is the driving force.

Allow me to explain -- In order to manage the lifecycle of smart cards through Certificate Lifecycle Manager (CLM) you must belong to groups in AD that have been assigned permissions to the CLM Service Connection Point, the CLM Profile Template, the CLM Certificate Template, and a group that contains the user upon whom you will act. How do you get into these groups? Through Identity Lifecycle Manager! So AD is the medium and ILM the driver.

In the case of CLM, ILM also has a more direct connection through the Certificate Lifecycle Management agent, through which ILM can provision and submit enroll, termination, suspend, renewal, and unblock requests.

Let's take a look at Active Directory Rights Management Services (RMS). With RMS permissions as with most other permissions, they are assigned to Groups in AD. Once more -- AD is the medium and ILM is the driver.

Now please turn your attention to Active Directory Federation Services (AD FS). Users get access to resources at the resource partner by virtue of having a claim that gives them access; most of the time this claim will be a group claim. Once more -- ILM is driving through the medium of AD.

Even more, look at AD RMS integration with AD FS. Now we can extend Rights Management protection to documents while sharing them with partners, without the unrealistic expectation that the partner have their own AD RMS infrastructure (the requirement for RMS prior to Windows Server 2008). Once more, access for partners comes through being a member of a group that establishes an outgoing claim to the resource partner, which is then consumed by RMS, and once more the best way to get users into groups is through ILM.

Expand your horizons once more: using a smart card (provisioned through an ILM request to CLM), we can authenticate to the directory, build the list of groups to which we belong (managed by ILM), access an RMS-protected document at a partner's SharePoint site, and have the appropriate restrictions apply to us.

Wait, what about AD Lightweight Directory Services (AD LDS -- formerly known as ADAM), and Windows Cardspace? Where do they fit in?

AD LDS can be used as another repository for storing identities, usually for your extranet, for partners that aren't federation-ready (because of lack of size, technology, or policy). AD FS can use AD LDS as one of its account stores! Hence the same protection of RMS documents can be extended once more to non-federation partners without the need for another RMS infrastructure -- in fact, vendors could offer RMS as a service using ADFS and AD LDS to cover the authentication needs.

What about CardSpace? CardSpace can also be incorporated, but that is a topic for another day.

I want to give special thanks to Chris Calderon for his tireless efforts in helping me set up the virtual machines and hammering out the AD RMS / AD FS integration with SharePoint. Thanks also to David Wozny (pronounced Wahznee) for improving and delivering the deep dive into CLM. Thanks to Craig Martin for assisting David Wozny in improving the ILM deep dive. Additional thanks to Bob Tucker for helping with the VM setup. Thanks to Hugh Simpson-Wells and James Cowling for editing the labs. Thanks to James Booth for listening and improving while I dreamed up the scenarios used in the labs.