Showing posts with label ADFS.

Wednesday, January 25, 2012

FIM R2 Showdown -- Classic vs. Declarative

Come join me at The Experts Conference 2012 in San Diego, April 29 - May 2, where I will be presenting:

FIM R2 Showdown — Classic vs. Declarative
Speaker:
David Lundell

Is there room enough for both in this town? FIM 2010 R2 has two ways of accomplishing many tasks: Classic and Declarative. Attend this showdown to learn when to saddle up Classic vs. when to saddle up with Declarative Sync Rules and why. Dissenting opinions politely welcomed — join the controversy! Discussion will take into account performance, ease of implementation and maintainability.

My colleague Lutz Mueller-Hipper has been selected to present three sessions:

Data Loss Prevention with RMS: 2012 the Year of RMS
Speaker: Lutz Mueller-Hipper

In this session we talk about the reasons for RMS and how it stacks up against PKI. RMS is growing up, so let's see what we get with Mac Office, with unsupported document formats and with automatic data classification tools. We will also cover what is new with RMS in Windows 8 and RMS in the cloud.

EZ PKI and PKI Housekeeping
Speaker: Lutz Mueller-Hipper

It is time to use PKI to simplify computer management, and this session will go over design recommendations and security aspects for Wi-Fi and VPN scenarios. Don't just do it, do it right, and see why and how. The second part of this session will discuss user certificates in the wild, how to publish them securely with AD LDS, and what needs to be done for PKI housekeeping in Active Directory.

Public/Private Cloud Application Security and Single Sign On with BYOD – Tear Down the Walls
Speaker: Lutz Mueller-Hipper

The IT business is moving rapidly to cloud-based solutions. Want to know what that means for the traditional network infrastructure and how you can run an open but secured network? The session will look at these questions at the application level, covering authentication in enterprises with classic SSO and with federation.

See the TEC 2012 site for all of the Directory and Identity abstracts.

Thursday, September 1, 2011

Calling a stored procedure in an ADFS claims rule

After you have set up your SQL attribute store in ADFS you will want to use it, and in fact to test it you must set up a claims rule that makes use of it. To do this you create the claim with a custom rule, which lets you use the claims rule language.

The following TechNet entry is a good start, as it illustrates how to enter a SQL query and even a stored procedure.

SQL Query:

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]

=> issue(store = "SQLClaims", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = "SELECT myID from employees where @myp={0}", param = c.Value);

Stored Procedure:

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]

=> issue(store = "SQLClaims", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = "EXEC dbo.test @myp={0}", param = c.Value);


Note that the parameter {0} is not surrounded by single quotes: the attribute store binds the value as a query parameter rather than splicing it into the SQL text, so quoting it yourself would be wrong.

One may ask what gets passed in as the parameter. The incoming claim value, of course; in this case the email address matched by c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"].

One might also ask what happens if my query or stored procedure returns more than one value (that is, more than one row). Your claims transformation rule adds all of the resulting values to the token as claims of the same type, one claim per row.

One might also ask what happens if my query or stored procedure returns more than one column. An error results and the whole issuance fails, so a stored procedure used this way must return exactly one column.

Troubleshooting SQL Attribute Stores with ADFS

Several others have shown how to define SQL attribute stores with ADFS.

Note that when entering the connection string there is no validation or feedback to the administrator. If there is a problem you usually won't see it until you set up a claims rule that uses the store and get an error. So make certain to carefully build and test your connection string. Remember that if you use integrated authentication to connect to SQL Server, the connection runs under the context of your ADFS service account, so you will need to grant that account a login on the SQL Server and the necessary permissions in the database.


Troubleshooting

For example, you might get event 149:

During processing of the Federation Service configuration, the attribute store 'SQLClaims' could not be loaded. 
Attribute store type: Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Sql.SqlAttributeStore, Microsoft.IdentityServer.ClaimsPolicy

User Action
If you are using a custom attribute store, verify that the custom attribute store is configured using AD FS 2.0 Management snap-in.

Additional Data
POLICY3906: Could not parse the parameter as a valid connection string.
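As an added pre-flight check (this is not from the original post or from Microsoft's documentation), the following PowerShell does from an ordinary shell what the attribute store will do at token issuance: it parses the connection string, connects with integrated authentication, and runs the stored procedure with {0} bound as a parameter, then applies the two rules described above (exactly one column; one claim per row). The server name SQL01, the database HR, the account name svc-adfs and the sample email address are made-up values; dbo.test, @myp and the emailaddress claim type come from the rules above. Run it from a shell started as the ADFS service account (for example runas /user:DOMAIN\svc-adfs powershell.exe) so that the permission check reflects what the service will actually experience.

```powershell
# Added example, not part of the original post: pre-flight check for an AD FS 2.0 SQL attribute store.
# Assumptions (not from the post): server "SQL01", database "HR" and the sample address are constructed
# values; dbo.test / @myp / emailaddress are taken from the claims rules in the post. Run this as the
# AD FS service account so that integrated authentication is tested with the right identity.

Add-Type -AssemblyName System.Data

# The same string you would paste into the attribute store's Connection configuration.
$connectionString = 'Data Source=SQL01;Initial Catalog=HR;Integrated Security=SSPI'

# 1. Parse the connection string. The AD FS snap-in gives no feedback here; this builder throws
#    an ArgumentException for the malformed strings that otherwise surface later as POLICY3906.
try {
    $builder = New-Object System.Data.SqlClient.SqlConnectionStringBuilder $connectionString
} catch {
    throw "Connection string does not parse: $($_.Exception.Message)"
}

# 2. Open the connection. With Integrated Security this uses the identity running the script,
#    so a login failure here means the (service) account lacks a SQL login or database access.
$conn = New-Object System.Data.SqlClient.SqlConnection $builder.ConnectionString
$conn.Open()
$who = [Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Host "Connected to $($builder.DataSource)/$($builder.InitialCatalog) as $who"

# 3. Run the stored procedure the way the attribute store does: the incoming claim value is a
#    bound parameter, which is why the rule text has no single quotes around {0}. Never build
#    the statement by concatenating the claim value into the SQL text.
$cmd = $conn.CreateCommand()
$cmd.CommandText = 'EXEC dbo.test @myp = @p0'
[void]$cmd.Parameters.Add('@p0', [System.Data.SqlDbType]::NVarChar, 256)
$cmd.Parameters['@p0'].Value = 'alice@contoso.com'   # constructed incoming claim value

$reader = $cmd.ExecuteReader()
$claims = @()
try {
    # 4. Exactly one column is required; more than one fails the whole issuance in AD FS.
    if ($reader.FieldCount -ne 1) {
        throw "Result set has $($reader.FieldCount) columns; the attribute store requires exactly 1."
    }
    # 5. Each returned row becomes one claim of the type named in the rule's types = (...) list.
    while ($reader.Read()) {
        if (-not $reader.IsDBNull(0)) { $claims += [string]$reader.GetValue(0) }
    }
} finally {
    $reader.Close()
    $conn.Close()
}

Write-Host "$($claims.Count) claim(s) would be issued as the type named in the rule:"
$claims | ForEach-Object { Write-Host "  $_" }
```

A parse failure at step 1 is the POLICY3906 case from event 149 above; a failure at Open() points at the service account's SQL login or database permissions; a FieldCount other than 1 is the multi-column case that fails the whole issuance; and the number of rows printed is the number of claims the rule would add.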

Monday, October 18, 2010

TEC 2010 Europe – Sweet German Chocolate!

Overall, TEC 2010 Europe in Düsseldorf, Germany was pretty cool. I enjoyed the speakers' reception on Sunday night and got to meet some folks from the SharePoint side, some of whom are even interested in FIM, and one of them bought my book!

For the first time I was able to bring my wife along to TEC! We enjoyed some good time in Düsseldorf, including seeing Schloss Benrath (Benrath Palace).

Monday we started off with a keynote from Uday Hegde and Mark Wahl on the future of Directory and Identity technologies. It was mostly an overview and demo of the various Microsoft identity technologies: FIM, RMS, ADFS, etc. I did enjoy Mark's well-prepared video demo. He had clearly practiced the timing quite well, narrating as the mouse moved across the screen carrying out his demo.

I spent some time in the solution lab taking a look at Quest's newest acquisition, ActiveEntry (part of the Völcker acquisition). It is quite an exciting product, with role mining and RBAC capabilities. More on that at another time.

I loved Brian Komar's presentation on how to screw up your PKI. I know he titled it the other way, but if you take your notes the wrong way then he is teaching you how to screw up; if you study it the right way it is quite an insightful look at how to avoid huge mistakes!

For the next session it was a close call between "Claims Provisioning and the Cloud" by Mark Wahl and Andreas Kjellman and Joe Kaplan's "Add LDAP and Two-Factor Auth to ADFS v2". I chose Joe Kaplan's session. It really was quite interesting to see the tack he took to add in LDAP auth and two-factor. Even funnier was how Joe revealed his grand deception: his two-factor authentication component was accepting any password.

After lunch I skipped Jeremy Palenchar's awesome session on Logging and Auditing with FIM (I saw it in LA back in April) in order to relax before my Care and Feeding of Identity Databases session. As always, presenting at TEC is great fun. I gave away a few copies of FIM Best Practices Volume 1 in the session. Then Brad Turner spoke on FIM and ILM high availability.

Monday night's reception was great fun. I had quite a thrill talking to so many readers of my blog and book.

Tuesday morning I enjoyed Mark Wahl's presentation on Integrating FIM into IT Service Management. While it was geared towards using System Center Service Manager as a data warehouse, the thought of integrating automated identity management with help desk and asset management is quite intriguing. Then Brad spoke about applying FIM policy retroactively with ROPU, "Run On Policy Update", which we pronounce "Rope You".

I attended part of Jackson Shaw's Evolution of the Identity Market. He had a fascinating story of how the destruction of one company's directory led to the metadirectory concept.

After lunch I delivered my session on FIM Performance Tuning. It was a bit surreal, but I was asked to personalize several copies of FIM Best Practices Volume 1.

I enjoyed being able to attend Andreas Kjellman's How to Avoid a FIM Support Call. I thought the feedback about the common support items was invaluable.

Wednesday we skipped out for some sightseeing.

Friday, August 20, 2010

ADFS v2 Test Report -- Found

Something has happened to the Project Liberty website and most links to it are now broken, including the link to last year's test results, which show which profiles ADFS v2 passed. So here it is:

http://projectliberty.org/liberty/content/download/4732/32917/file/SAML_3Q09_%20IOP_Test_Event_Final_Report.pdf

ADFS v2 passed: IdP Lite, SP Lite, eGov 1.5

Wednesday, June 9, 2010

Accelerate Your Business Now with Identity Management & Single-Sign-On (SSO)

  • Jun 10, 2010

    1:00 p.m. Eastern / 10:00 a.m. Pacific (60 minutes)

  • To Register follow this link

  • Featured Speakers

    Christopher Yeich - Editor, Strategic Content - Ziff Davis Enterprise

    David Lundell - Identity Management Practice Director, Ensynch | Microsoft Identity Management MVP

    Jonathan Sander - IAM and Security Analyst - Quest Software

    Has your business experienced identity theft, with unauthorized access to your systems, data, and/or trade secrets?
    Have you lost business because your customers and/or employees didn’t have access when needed?
    How much time have you wasted in producing compliance/regulatory reports for various auditors?

    These are all real-life situations that business and IT leaders like you are experiencing every day. Breaches lead to millions—sometimes billions—in lost monies every year. Additionally, there's also confusion, frustration, and lost productivity that organizations deal with every day as they fight to manage appropriate access to information and tools that employees, business partners, and customers actually need.
    Join Microsoft Identity MVP David Lundell of Ensynch, and Jonathan Sander, IAM and Security Analyst of Quest Software, for a candid presentation that uncovers ways you can protect and accelerate your business—as well as save money—with identity and secure access management (ISAM).
    Topics of discussion will include:

    • Business Goals of Identity Management
    • Methods for Achieving Identity Management Business Goals
    • Business Value of Single-Sign-On (SSO) and Federation, and Overview of Business-Ready SSO and Federation Solutions
    • Business Value of Identity and Secure Access Management
      - Value of Automating Identity Management
        * Overview of Business-Ready Identity Management Solutions: Quest One ARS and Forefront Identity Manager 2010
      - Value of Strong Authentication
        * Overview of Business-Ready Strong Authentication Solution: Quest Defender
    • Real-Life Case Studies
    • How an Identity + SSO Business Accelerator Assessment can help uncover the right solutions for your organization to solve a variety of business problems
  • Sponsored By

    Ensynch

    Quest Software


Tuesday, May 18, 2010

ADFS v2 shipped

Active Directory Federation Services v2 ships!

This is awesome stuff – with ADFS v2 we can help you set up SSO with your SaaS vendors.

[Diagram: an example federation, rendered generic]

ADFS 2.0 supports SAML 2.0 (the IdP Lite and SP Lite profiles), which opens many federation doors, and WIF (Windows Identity Foundation) lets us write custom security token services (STSs) in case the IdP Lite and SP Lite profile support isn't up to handling a particular interaction.

TEC Decks Posted!

If you attended TEC you can now get the slide decks by registering on TheExpertsCommunity.com and accessing the following item: TEC 2010 Conference Materials Have Been Posted!

You can find my sessions here:

 http://theexpertscommunity.com/item/list/type/session/meta_expert_tag/speaker%3Adavidlundell

Session: Proper Care and Feeding of Your Databases: FIM, ILM, CLM, RMS, SharePoint and OCS

Without proper care and feeding of your databases (FIM Meta Directory Services, FIM Certificate Services, FIM Web Service, RM... continue reading "Proper Care and Feeding of Your Databases: FIM, ILM, CLM, RMS, SharePoint and OCS"

Session: FIM 2010 Performance Tuning (SQL and more)

Learn how to tune FIM 2010 to make it scream. Take a look at the various architectures and what they buy you. Learn how cruci... continue reading "FIM 2010 Performance Tuning (SQL and more)"

Brad's sessions are here:

http://theexpertscommunity.com/item/view/type/expert/id/1760

  • Applying Policy Retroactively with FIM 2010
    Abstract not available. ...
  • Using DFS and GPO in ILM High Availability Scenarios
    This presentation will demonstrate how ILM Architects, Engineers, and Administrators can leverage Active Directory Distributed File System (DFS) to replicate solution content between the primary ILM server and the warm-standby server as well as...

Joe Zamora:

  • Custom Workflow Development in FIM 2010
    Get an in-depth look at the extensibility of Forefront Identity Manager 2010 through the use of custom workflow development. Although FIM 2010 includes a new "codeless provisioning" feature set, you'll find that you can'...

Other Ensynch Presentations:

  • Federated SSO Solutions Using SharePoint 2010
    In the world of on premise and hosted "cloud based" solutions, how can you best simplify your coexistence strategy? Attend this session presented by Ensynch's Identity Management and SharePoint teams to see how the combined kn...

  • Building Exchange 2010, Managing and Integrating with Exchange Online via Microsoft Business Productivity Online Services (BPOS)
    Microsoft Exchange 2010 is available both as on-premise software and as a hosted service, and you can now choose the right deployment option for your organization, whether you deploy Exchange Server on-premises, host your mailboxes with Exchange Onli...
Friday, August 14, 2009

AD RMS on R2 -- new Federation Features

AD RMS on Windows Server 2008 R2 adds a really slick feature, blogged about here: Group Expansion for Federated Users.

Prior to R2, to issue a use license to a federated user, that user had to be granted permissions explicitly. With Windows Server 2008 R2 you can create a contact object matching the external federated user and place the contact in a group, and the user then has the same RMS permissions as that group.

It is great to be able to include external users in groups without provisioning a user account for them in your domain. Oops, now we need to provision a contact object for them and put that into the group. But perhaps we can combine this capability with custom claims transformation modules to do on-demand provisioning, the way my coworker Chris Calderon demonstrated on Windows Server 2008 at TEC 2009 (to get his slides go to http://theexpertscommunity.com/item/show/blog/659/TEC-presentations-now-available and follow the instructions).

But on-demand provisioning only solves half of the battle (and here all of the GI Joe fans thought knowing was half the battle ;)

Even once the user's access has been turned off by their employer disabling or deleting their account, the contact objects on your side still need to get cleaned up. But how do you know when to deprovision a contact for a federated partner's user? Perhaps you could use the RMS logging database as a starting point: look for users that haven't accessed the system in a while, email them and see if you get a bounce. Receiving an NDR for a federated user that hasn't accessed anything for months would make deleting their contact object a pretty safe bet. Treat the NDR as a trigger for cleanup rather than as proof on its own, since bounces can be delayed or suppressed; the months of inactivity are what make the deletion safe.

How to make that happen? Create your own service or scripts to automate querying the logging database and sending the email. Another script checks for NDRs and writes the contacts to be deleted to a table. Then use FIM to read the table and delete the contacts, or have your script do it directly, as appropriate.

Wednesday, June 24, 2009

H30, Geneva Cola, Sitrus and Orange Fizz

Back in business school I was a connoisseur of fine commercials. Recently I watched a commercial for Lipton Ice Tea (note I am a teetotaler who doesn't drink tea) and I have to admire their cleverness in coming up with names for competitor products (see the title) in their "Lipton Tea, I think I love you" commercial.

Really, the names are clever, although the best is H30 -- I just love it, a chemical compound that as far as I can tell can't exist, but we all know they are making fun of flavored water. Of course I also love ordering water by requesting di-hydrogen oxide.

OK, they didn't actually have Geneva Cola, it was really Milan Cola, but since I really wanted to blog about Geneva and how "I think I love [it]", well, I couldn't resist the name substitution.

Now, before I pester you with any more puns, let me tell you why I love Geneva, Microsoft's next evolutionary leap in federation and SSO.

Of late there has been a lot of buzz about cloud computing. But there are obstacles: when you host applications in the cloud or use SaaS applications you wind up creating new identity stores.

With Geneva your identities become almost ubiquitous, in that you can use them anywhere, and your applications built on the Geneva framework will be able to accept and use identities from anywhere that you decide to trust. It won't matter any more where your applications are: in Microsoft's cloud, your cloud, or your partner's cloud.

In short, if cloud computing will transform the industry then Geneva is the way to get there. It certainly lowers some of the barriers.

Additionally, we can use Geneva to provide SSO for apps within an organization.

Now to tie in the commercial: since Geneva also supports the SAML 2.0 protocol it even interoperates with "Hot Ball of GAS SSO" and "Fiction Books Access Manager".

Friday, May 15, 2009

The Business Impact of Identity and Access Management with Forefront Identity Manager 2010

Brad and I are going to cover the value of the whole identity management stack from Microsoft and a few additional pieces from partners.

When:
Thursday, May 28th

Where:
Webinar/Online (Live Meeting links will be sent to all registrants) (Click Here to RSVP)

Presenters:
David Lundell – Microsoft MVP for ILM, Ensynch Practice Director
Brad Turner – Microsoft MVP for ILM, Ensynch Sr. Technical Architect

Time:
9am-10am Pacific/Arizona
10am-11am Mountain
11am-12pm Central
12pm-1pm Eastern

Webinar: The Business Impact of Identity and Access Management with Forefront Identity Manager 2010 (formerly ILM "2")

You're invited to attend an informational webinar showcasing the business benefits associated with Identity and Access Management using the newly named Microsoft Forefront Identity Manager 2010 (formerly ILM "2").

This webinar is designed for business and technology decision-makers interested in reducing operational costs while increasing security, compliance and overall operational efficiency. If you're interested in how Identity and Access Management solutions can impact business results, this webinar is for you.

Ensynch is proud of our world-class Identity and Access Management practice, boasting 3 Microsoft MVPs (out of only a handful worldwide). This team's efforts have earned Ensynch back-to-back Microsoft Worldwide Partner Awards for Identity Management in 2006 and 2007. Take advantage of this opportunity to learn from their vast enterprise and mid-market experience in incorporating best practices to deliver heightened business results.

Agenda:
The Business Value of Microsoft's Identity Management Stack

  • Evaluate the business challenges, the cost and the opportunities for savings with Identity Management
    • IDA with Forefront Identity Manager 2010 (ILM 2)
    • Maintaining existing ILM 2007 deployments
  • Strong Authentication
    • Certificate Services
    • Quest Defender
  • Sharing with Partners and Customers
  • Active Directory Federation Services / Geneva
    • Reducing the need to provision accounts for partners
    • Speedier disabling of access for partner/customer accounts
    • Implications for cloud-based applications
  • Information Protection (now that you're sharing your documents, how do you protect them?)
  • Active Directory Rights Management Services
    • Add-ons

Wednesday, March 11, 2009

NetPro DEC -> Quest TEC -- Ensynch's Sessions

Back in business school we always studied name changes and rebranding, and this one has been interesting.

Last summer NetPro decided to expand the Directory Experts Conference (DEC) to include an Exchange conference, and so they rebranded the conference as NetPro's The Experts Conference. Then Quest acquired NetPro, so it became a completely rebranded conference as Quest's The Experts Conference.

So NetPro DEC became Quest TEC.

Sunday Mar 22nd - Wed Mar 25th in Vegas, www.tec2009.com

Day     | Time           | Topic                                                                                                              | Speakers
Sunday  | 1 PM - 5 PM    | Pre-conference Workshop 2: Taming the Chaos – Building a Practical Lifecycle Mgt. Application in the ILM "2" Portal | David Lundell and Brad Turner
Monday  | 1 PM - 2:15 PM | Designing an Object Expiration & Reconciliation Process in ILM 2                                                   | Brad Turner
Monday  | 1 PM - 2:15 PM | Proper Care & Feeding of ILM, CLM and RMS Databases                                                                | David Lundell
Monday  | 4 PM - 5:15 PM | Rescue Your Identity Metasystem from Chaos Through Reporting against ILM 2 with SSRS                               | David Lundell and Brad Turner
Tuesday | 2:45 PM - 4 PM | ADFS Extensibility                                                                                                 | Chris Calderon (will probably co-present with Randy Weimar)

(Yes, the current schedule has Brad and me speaking on Monday at 1 PM in different rooms.)

Thursday, October 30, 2008

Live IDs are now OpenIDs, Geneva supports SAML 2.0

At the PDC, Microsoft's Kim Cameron and his colleague Vittorio Bertocci announced that Windows Live is now an OpenID provider. Additionally, when signing in to Live you can use Information Cards (InfoCard, CardSpace, Geneva CardSpace).

They also demonstrated the new Geneva Framework (formerly known as Zermatt), essentially a successor to Windows Server 2008 Active Directory Federation Services, and showed it supporting SAML 2.0 the protocol, not just SAML 2.0 the token format.

Other new announcements included the Microsoft Federation Gateway, which allows you to federate with Microsoft, with Live (including both managed domains and individual consumers, all 400 million of them), with other Geneva (ADFS) organizations, and with other third-party Security Token Services (STSs). They also showed issuing LINQ queries against the .NET Access Control Service to retrieve roles on which to make authorization decisions.

Good show, gentlemen! This is a tremendous step forward for interoperability. I just hope that the interoperability between Geneva and other third-party STSs is much easier to implement than the brittle, painful interoperability between ADFS (which did not support the SAML 2.0 protocol) and Shibboleth. Hopefully Shibboleth will be one of those third parties!

Wednesday, May 7, 2008

The Grand Unified Demo of Identity Management

As I was architecting and assembling the Identity All Up workshop (part of the 2008 Directory Experts Conference; see the review by Felix Gaehtgens, an analyst for Kuppinger Cole), designed to expose the attendees (or delegates) to all facets of the Microsoft Identity and Access Platform, Lori Craw from Microsoft referred to it as the "Grand Unified Demo". I chuckled, instantly catching the reference to the still undiscovered grand unified field theory that eluded Einstein and even today's theoretical physicists.

In creating and delivering this workshop I reinforced my earlier belief that Active Directory (AD) is the medium through which most of the interactions between the components of the platform happen, and that Identity Lifecycle Manager (ILM) is the driving force.

Allow me to explain. In order to manage the lifecycle of smart cards through Certificate Lifecycle Manager (CLM) you must belong to groups in AD that have been assigned permissions on the CLM Service Connection Point, the CLM Profile Template, the CLM Certificate Template, and a group that contains the user upon whom you will act. How do you get into these groups? Through Identity Lifecycle Manager! So AD is the medium and ILM the driver.

In the case of CLM, ILM also has a more direct connection through the Certificate Lifecycle Manager management agent, through which ILM can drive provisioning: enroll, termination, suspend, renewal and unblock requests.

Let's take a look at Active Directory Rights Management Services (RMS). RMS permissions, as with most other permissions, are assigned to groups in AD. Once more, AD is the medium and ILM is the driver.

Now please turn your attention to Active Directory Federation Services (AD FS). Users get access to resources at the resource partner by virtue of having a claim that grants them access, and most of the time this will be a group claim. Once more, ILM is driving through the medium of AD.

Even more, look at AD RMS integration with AD FS. Now we can extend Rights Management protection to documents while sharing them with partners, without the unrealistic expectation that the partner have their own AD RMS infrastructure (the requirement for RMS prior to Windows Server 2008). Once more, access for partners comes through membership in a group that establishes an outgoing claim to the resource partner, which is then consumed by RMS, and once more the best way to get users into groups is through ILM.

Expand your horizons once more: now using a smart card (provisioned through an ILM request to CLM), we can authenticate to the directory, build the list of groups to which we belong (managed by ILM), access an RMS-protected document at a partner's SharePoint site, and have the appropriate restrictions apply to us.

Wait, what about AD Lightweight Directory Services (AD LDS, formerly known as ADAM) and Windows CardSpace? Where do they fit in?

AD LDS can be used as another repository for storing identities, usually for your extranet, for partners that aren't federation-ready (because of lack of size, technology, or policy). AD FS can use AD LDS as one of its account stores! Hence the same protection of RMS documents can be extended to non-federation partners without the need for another RMS infrastructure; in fact vendors could offer RMS as a service, using ADFS and AD LDS to cover the authentication needs.

What about CardSpace? CardSpace can also be incorporated, but that is a topic for another day.

I want to give special thanks to Chris Calderon for his tireless efforts in helping me set up the virtual machines and hammering out the AD RMS / AD FS integration with SharePoint. Thanks also to David Wozny (pronounced Wahznee) for improving and delivering the deep dive into CLM. Thanks to Craig Martin for assisting David Wozny in improving the ILM deep dive. Additional thanks to Bob Tucker for helping with the VM setup. Thanks to Hugh Simpson-Wells and James Cowling for editing the labs. Thanks to James Booth for listening and improving while I dreamed up the scenarios used in the labs.