Group ID Synchronize from imanami

This looked to me to be a good product for small to medium organisations (say up to a few thousand users) where AD users and groups need to be provisioned and updated based on information from a single data source, such as an HR database. There’s no metadirectory – objects are created and updated directly in AD. There’s a nice looking interface for creating your flow and provisioning rules, and if you want to do anything a bit more complicated you can insert vbscripts. And of course, as the product name suggests, there’s functionality based around groups – both auto-populated and user-managed. The interface looked intuitve and simple to use, and I think it would be a nice solution for companies that don’t need the full complexity of the IdM market-leader products.

EmpowerID from The Dot Net Factory

This product is a direct competitor to FIM 2010 and priced similarly. It brings in many of the key features of FIM – metadirectory, multiple data sources, password sync and reset, Sharepoint portal, workflow, de/provisioning, group management… It also natively includes features that FIM is sorely lacking – in particular decent reporting and the native ability to manage resources such as home folders, Exchange mailboxes and Sharepoint sites. The product comes with a long list of procedures and workflows already programmed out of the box, but you can also add your own.  I was particularly impressed with the way they’d encorporated Windows Workflow Foundation directly into the product, allowing you to build your workflows right there in the interface, without have to muck around with Visual Studio, compiling and importing dll’s. This is an impressive looking product and I’d be interested to see how it performs in a large-scale environment.

Brian Kormar’s PKI session

PKI and cert services is something I’ve had to figure out to certain extent as it literally pops up as part of every project I do these days. I’ve done the Windows 2008 AD Configuration exam which supposedly covers cert services, but actually sticks to a pretty simplistic line based on what you can do in the GUI. I had definite gaps in my knowledge around policy files, and what all those % symbols meant in the config batch files you sometimes see. Brian filled some of that in for me, as well as driving home the need for protection, recoverability and audit compliance - topics I would have ignored in the past, expecting whoever ”the security guy” was to pick them up, but which I may well make enquiries about in the future.

Jack Kabat’s FIM session on “modelling entitlements”

This was the FIM session in which I learnt the most. I was aware of the new “Transition In” and “Transition Out” MPRs, but hadn’t thought through the implications. I had several penny-drop moments in this session, including:

• Request MPRs should typically trigger only AuthN and AuthZ workflows. The request part is all about asking for something – object creation, object change, object deletion. So it makes sense that the key MPR tasks are “is the requestor who they say they are?”, “do they have the rights?”, “is extra authorization needed?”.
• Transition MPRs can only run Action workflows. Transitions occur at the point an object changes from one state to another – eg., the person was in the “HR Users” set, and now they are not. Transition MPRs are concerned with processes that should run at this point of change, such as group membership or provisioning changes.

I really like this way of handling MPRs. In the RC releases which only had one type of MPR I ran into a few problems by tying what should happen with who had asked for it. For example when a normal user requested a new account the workflows would run, but when the Administrator created the account a different MPR applied and the workflows did not run. I had definite concerns about the confusion this may cause, and I am glad the actions have now been decoupled from the requestor, and have in fact been made more state-based. Hmmm…

Some questions from Jeremy Palanchar did make me think that this is still a very black and white way of looking at status, and there could be plenty of requirements for a temporal addition to this model (such as “People who joined this set within the last 6 hours”, used for checking if their new entitlements were actually added in that time; and “People who left that set over 1 month ago”, which could be used for delaying group membership changes) however it is certainly a step in the right direction.

Jackson Shaw’s session on SSO protocols / Pam Dingle’s session on Claims

For my third top session I’m actually choosing two – because together they made me understand something about network authentication and authorization protocols, and why they are important.

I’ve always thought about SSO pretty much in terms of user convenience, and if anyone asked me about it I’d say “I can give you password sync with ILM” and “there’s something called Federation, but your applications have to support it”.

So now it’s starting to dawn on me that all this re-entering of passwords (even if they are the same one – in fact in some cases especially if it’s the same one) can reduce the security of your network and your data. Far better to authenticate locally and have the rest of the story handled by tokens that are passed around and exchanged in a secure manner. Between the user and their applications there may be an increasing number of breakpoints where the session is handed off to a different system, or a new session started on behalf of the user. Clearly, as applications move into the cloud, part of the connection may cross the internet. Technologies and standards now exist to support converting tokens and proxying sessions so you better make sure your applications support them!

And finally…

This was a lot of fun too.

And I’m going to try and do it in french!

Actually I’ll only be doing the demo and my collegue will do most of the talking through the slides (fortunately!). The demo is going to focus on self-service group population, which I do believe to be absolutely the best OOB feature of ILM “2″ RC0. Now if I can just get all my verbs and nouns in the right order and tenses, I should do ok. Wish me luck!

This was the first year that Quest were running the show, and as far as I could tell it was very much business as usual for the conference, with the welcome addition of an Exchange track to the usual Directory and ILM tracks.

This conference is well-known for emphasizing practical, BTDT sessions from consultants working in the field over marketing and “slide-ware”, and in that aspect it did not disappoint – and while the shock of the new ILM 2 release date did put a dampener on day one for me, at least the conference also gave me the opportunity to speak directly to Microsoft ILM product team people on the subject.

Following are a few of my personal highlights.

ILM 2 Customer Password Reset, Jeremy Palenchar

Jeremy demonstrated his custom workflow that sends a reset password directly to the user’s mobile phone. The second part of this demo showed how the user could dial an automated helpdesk system to request a password reset. As long as they punched in the correct information, the password was automatically reset and sent to their phone, without any need for human intervention.

This was a great demo and it gave a taste of the incredible power and flexibility we will be able to use when we do finally get our hands on ILM 2!

Jeremy has posted the code on codeplex – the link is on his blog here: http://identitynotes.palenchar.net/2009/03/custom-workflow-activities-speech.html.

Virtual Directory Case Study, Todd Clayton

This talk completely opened my eyes on directory virtualization and I am very excited by the concept. As I now understand it, the idea is to put an abstraction layer between the directory and the application so that the application can have the data in the format it is expecting.

So think about this – you have various applications, some of which use particular flavours of LDAP, some use AD, some use SQL databases etc. The ILM approach is to sync information around between all these actual directories. With the Virtual Directory approach you keep all your data where it best suits you (and this can be more than one place) and then you present it in such a way that the application thinks it is binding to LDAP or eDirectory, or running select queries against a SQL database, but on the backend it’s all just the same data. Cool huh?

I can see so many uses for this. I will be finding out more!

Migrate Exchange Public Folders to Sharepoint, Ilsa Van Criekinge

Ilsa was the veritable well of information on Public Folders and how they may be redesigned in Sharepoint. I’m pretty sure she could have gone on all day with tips, explanations and demonstrations – and I would have been very happy to listen to her. I certainly learnt a lot in this session. Public Folders have never been something I’ve had a lot to do with, but Exchange migrations are, and sooner or later someone is going to have a long list of PFs there.

Fortunately the support for PFs has been extended for another 10 years, so they will be around for a long time yet, but as Ilsa showed, there are many more options for collaboration and access methods if the data is in Sharepoint rather than PFs. Her final advice made good sense – assess the PFs for current usage, look into redesigning the most active ones in Sharepoint, and let the others die a natural death as PFs, some time in the next decade.

And the rest

I went to many other excellent sessions as well – Laura Hunter’s hands-on workshop on Federation Services was packed with concepts, how-to’s and troubleshooting advice; Gil Kirkpatrick presented the beta versions of Quest’s very cool ILM 2 powershell cmlets, which will be available for free download at some point; The Ensynch guys gave several in depth sessions on ILM 2; and I went to a very lively Q&A with the ILM product team. I also missed many great sessions due to my complete inability to be in two places at the same time!

I’m definitely hoping to be there again next year.

I asked if there were any technical reasons for this, hoping to hear of some impressive new development that they figured they couldn’t go to market without - but the answer was no, the features list is set. Why the long delay then? There was something about needing more real-world testing, and the need to develop scenario guidelines (I suppose that means walkthroughs), but that was the only explanation.

There is apparently some way you can get a pre-release license from Microsoft if you’re really determined to go ahead with ILM 2 in production, but I expect most organisations will not accept this, putting ILM 2 well and truly off the cards for 2009.

I will be presenting a session on ILM “2″ of course.

Probably the best attended talks in the IdM stream concerned ILM 2007 and the so-called ILM r2. I think it’s fair to say that most of people there were running MIIS 2003 and wanted to get the goods on where the product is headed.

ILM or MIIS?

The first thing I noticed is that even the Microsoft guys are still talking about MIIS. A lot of the development seems to be in adding extra packages around the product which remains, at its heart, the sync engine that we all know (and love?) from MIIS 2003.

So it seems that Identity Lifecycle Manager is really a collection of packages grouped around MIIS, and for ILM 2007 that collection basically consists of …

Certificate Lifecycle Manager 

I went to the CLM demo and found it to be more of a standalone product than I had expected, considering all the ILM hype. The actual management of the certificates themselves is done in CLM via its Sharepoint interface. The relationship with MIIS is just that of an ordinary MA-connected directory, and the objects that MIIS syncs out to CLM are requests – essentially requests for cert creates and cert deletes. All the automation concerning cert renewal and lifecycle is done in CLM itself.

ILM r2

While ILM 2007 is really no different to MIIS 2003, the plans for ILM r2 do indicate a major shift in scope. MIIS is still in there as the sync engine, but a lot of work is going into pushing identity tasks out to the end user, with password reset and management of user-owned distribution lists being featured in the presentation.

The way they achieve this is by, again, bolting on an extra, MA-connected directory, which they call the “Object Store” and is just another SQL database. Configurable Sharepoint forms are used to modify data in the Object Store and to introduce workflow, such as Approval cycles. Once the data is updated it is sync’d back through MIIS in the normal way.

The beta 1 version of ILM r2 was demo’d by Fred Delombaerde, Program Manager for the ILM group at Microsoft. There wasn’t enough time for questions, but I managed to corner him in the lift and squeeze a few extra tidbits out of him:

• ILM r2 will have much improved logging and auditing capabilities – well it could hardly be worse. Fred assured me that logging is now considered a “first-class citizen”, which I guess means they’ve realised it’s important. (Fred is also very fond of words like “rationalize” and “leverage” when “use” would probably function just as well – do they have some sort of MS training course to learn how to speak like this?  )
• The management of the sync engine is to be improved – he said that Identity Manager is headed for the trash heap. I’m guessing more Sharepoint-esque management tools, but we shall have to wait and see.
• The “codeless provisioning” will, as is hardly surprising, just apply to Microsoft applications.

Unfortunately he got away from me before I managed to understand the difference between “Adaptors” and good ol’ fashioned Management Agents, and before I could ask him about task scheduling.

Predicted release date is end 2008.

I’m also looking forward to being back in Brussels where I lived for three years. Anyone up for a moules-frites at Chez Leon?