Microsoft Forefront Identity Manager: Review

Forefront Identity Manager is the result of Microsoft’s latest effort to untangle the mesh of identity procedures and policies that wrap around high value business assets.

The trick is to keep identity management costs reasonable while outwitting phishers and satisfying auditors. Forefront Identity Manger 2010— the successor to Identity Lifecycle Manager 2007— succeeds largely through the extensive use of wizards and streamlined management processes that should let lower-level staff implement sufficiently challenging and flexible access policies.

Forefront Identity Manager 2010 (FIM 2010) started shipping in the US on April 1. FIM 2010 has a list price of $15,000 (£9,700) per server and $18 (£12) per user CAL (Client Access License). It is currently only available to download in beta form as a free trial in the UK.

Best suited to Microsoft tools

As you might imagine, FIM 2010 carries a “better together” tradition that makes it most appropriate for shops that are already users of other Microsoft infrastructure including Active Directory, Sharepoint and Exchange. While FIM 2010 can interact with a variety of other directory, collaboration and email notification tools, it is optimised for use with Microsoft’s tools.

These Microsoft infrastructure components made up the test environment that I used to evaluate FIM 2010. I ran FIM on a Dell PowerEdge R610 server with 2 quad-core Intel Xeon 5520 processors, 32GB of RAM and six 146GB drives. Using Microsoft Windows 2008 R2 64-bit edition my test environment was composed of 12 virtual systems that provided Sharepoint, Active Directory, Exchange along with a number of Windows 7 systems that accessed various resources by using identity services that were enabled through FIM 2010.

FIM 2010 is much more than a password or credential management system, although it does enable user self-service password reset. I used the product to manage remote access to test documents, create federated access to resources between different organisations, and streamlined the onboarding and offboarding process of employees.

While FIM 2010 was significantly easier to use than Identity Lifecycle Manager 2007, my work with the product indicates that significant IT resources will still be needed for FIM 2010 daily operations use. Full implementation of the product will almost certainly require a services engagement. As might be expected, installing a new version of FIM 2010 or— more likely— upgrading to FIM 2010 from a previous generation identity management system is no small task. Even where Microsoft was able to streamline setup tasks, FIM 2010 operates in highly sensitive and usually highly regulated territory.

Group management

FIM 2010 is a web service and synchronisation platform. One of the first steps I took in my evaluation of the product was to use FIM 2010 to create dynamic groups based on user attributes. This feature uses FIM 2010 integration with Microsoft Exchange and Outlook to automate the approval process. I was able to create a workflow that granted access to customer data when approval was granted by a specific manager. It was easy enough to create a process in FIM 2010 that accomplished this process in the same way that knowing how my car works I’m able to drive a rental car of a make and model that I’ve never driven. Those who have a passing familiarity with identity management tools should, however haltingly at first, be able to pick up the basics without much trouble.