Microsoft Architecture for Identity and Access Management (IAM) - Part 1 - Overview

By Jerry Chapman

Over the past year and a half, Microsoft has built and brought to market a suite of products that lets organizations running a Microsoft infrastructure deploy a complete Identity and Access Management (IAM) architecture. Although the products behind this architecture have been available for a few years, only a few organizations have deployed the complete architecture. The architecture supports a large infrastructure with a growing number of users inside the organization, and also a growing number of federated clients outside it.

Three Microsoft products, plus a fourth product from Optimal IdM, support the architecture: Forefront Identity Manager 2010 (FIM 2010), Active Directory Federation Services 2.0 (ADFS2), Unified Access Gateway (UAG), and Optimal IdM's Virtual Identity Server (VIS). It's worth noting that Microsoft recently released the R2 version of FIM 2010, which now includes BHOLD, the recently acquired Identity Governance solution.

Through a series of 6Labs blog posts, we'll examine how this collection of products can help organizations use existing and new Microsoft technology to support a complete IAM infrastructure. (Please note that this is not a technology recommendation; the intention is to explain how Microsoft addresses the common IAM problems.) The series will cover basic Identity Management (provisioning, de-provisioning, role management, and so on), web-based Access Control, and Federation.

This illustration covers all of the fundamental IAM services and represents a Microsoft-based solution. 

Single Sign-On (SSO) and Access Control are represented by two pieces of technology. For Federation Services, Active Directory Federation Services 2.0 (ADFS2) provides standards-compliant SAML 2.0 and WS-Federation support. Complex claims augmentation can additionally be handled by Virtual Identity Server (VIS), which makes claims easier to manage without the complex claim-rule scripting that augmentation otherwise requires. Unified Access Gateway (UAG) lets the organization provide SSO to external users for web-based applications hosted by the client. UAG brings other services as well, but for the purpose of this discussion we will limit it to its SSO capabilities.
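To make the "claims augmentation" point concrete, here is an added example (not code from the original post, and not from Microsoft or Optimal IdM) of what it looks like when done natively in ADFS2 with its claim rule language and the ADFS 2.0 PowerShell snap-in. The relying party display name "Partner Portal (example)", the group "PartnerPortalUsers" and the role value "PartnerPortalUser" are assumed placeholders; the claim type URIs and the cmdlets are the real ADFS2 ones. The first rule augments the authenticated user's claims with attributes read from Active Directory; the second maps one group claim to an explicit role claim that the relying party can authorize on.

```powershell
# Added example: ADFS2 issuance transform rules that augment claims.
# Requires the ADFS 2.0 PowerShell snap-in on the federation server.
Add-PSSnapin Microsoft.Adfs.PowerShell

# Assumed relying party trust name; replace with the real trust's display name.
$rpName = "Partner Portal (example)"

# Rule set in the ADFS claim rule language.
# Rule 1: look up mail and group membership in AD for the authenticated account
#         and issue them as claims (this is the augmentation step).
# Rule 2: translate one group claim into an explicit role claim; keeping the
#         group-to-role mapping in the rule set, rather than in application code,
#         means it can be reviewed in one place.
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Augment with mail and groups from Active Directory"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/claims/Group"),
          query = ";mail,tokenGroups;{0}", param = c.Value);

@RuleName = "Issue role claim for members of PartnerPortalUsers (assumed group)"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value == "PartnerPortalUsers"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "PartnerPortalUser");
'@

# Apply the rules to the relying party trust.
Set-ADFSRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $issuanceRules

# Read back what ADFS now holds for this trust so the change can be verified.
(Get-ADFSRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

Every extra attribute or group a rule like the first one issues becomes a claim the relying party may trust for authorization, so the rule set on each trust is worth reviewing the same way you would review an access control list. The second rule deliberately issues only one named role rather than passing every group through, which keeps the token small and the authorization decision explicit. This per-trust scripting is the work that VIS is meant to absorb when claims must be assembled from more than one directory.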

Identity Management is provided by FIM 2010, which handles user management across disparate systems. In the illustration, two Active Directory forests with no trust established between them are managed from FIM. FIM 2010 also provides a user-management interface that can be exposed internally and, if necessary, externally. Finally, access requests can be handled through the FIM Portal; these requests can target any data system that FIM manages directly or indirectly.

Further detail for each of these systems will be discussed in subsequent posts, so please check back soon.

Continue to Part 2