basic question on functionality
My employer recently signed an enterprise MS agreement and is looking at implementing the MS identity management "stack". I have done some preliminary reading and can't find a definitive answer to a question I have. I am wondering if Forefront (or one of the other associated MS apps) is capable of securing web-based applications, both in-house developed and commercial off-the-shelf type web apps. The development platform varies, but for this question let's assume Java and .NET based apps.

Can Forefront be configured to handle both the authentication and authorization of those applications? Is there self-registration functionality that can be integrated into these applications? Is there a workflow-type approval process to either approve or deny access for self-registrations? Thanks in advance for any insight you can provide!
April 19th, 2012 4:39pm
Easy to ask, difficult to answer. You can't find a straight answer because the answer is "it depends". Yes, there's a lot that the Microsoft application stack and Forefront components can do for securing your applications, but the 3rd party ones will have to support the appropriate authentication method/s, and the in-house ones may need some element of redevelopment. This forum is specifically for FIM, which is probably not directly relevant to your question.

http://www.wapshere.com/missmiis
April 19th, 2012 9:36pm
Thanks very much for the information Carol and apologies for the off topic post. Which forum do you think would be more appropriate?
April 20th, 2012 10:57am
I think it's not going to be just one forum, but several, including this one for when it comes to managing the integrity of your user identities across both Microsoft and non-Microsoft platforms.

EXTERNAL ACCESS: When it comes to constructing a secure access model for externally facing web applications, for instance, I suggest you have a look here.

UNIFORM AUTHORIZATION: When it comes to designing a consistent authorization model, a federated claims-based approach is a modern way of approaching the problem of how to provide a consistent framework, and forums for the Microsoft answer to this (ADFS) can be found here and here.

Interestingly, FIM (with its extensible framework, policy and workflow engine) can be used to provide an effective model for centralizing and delegating claims administration. My most recent FIM project did just that for a large Australian government organisation, where they have targeted several dozen in-house and 3rd party applications for consolidation on an ADFS model.

UNIFORM AUTHENTICATION: One thing FIM is definitely NOT is an authentication store. FIM presently uses Active Directory (Windows Integrated) security, and all authorization services are provided by AD using either NTFS or Kerberos authentication to the hosting SharePoint/IIS website. You will probably find not one but several forums on AD.

SELF REGISTRATION: While FIM does not deliver self-registration capabilities out-of-the-box, it can be used to build one, and I am aware of several organisations that have already looked into this (e.g. this post).
Bob Bradley (FIMBob @ http://thefimteam.com/) ... now using Event Broker 3.0 @ http://www.fimeventbroker.com/ for just-in-time delivery of FIM 2010 policy via the sync engine
April 21st, 2012 9:54am
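The federated claims-based model Bob describes above (an identity provider such as ADFS issues signed claims; each relying application validates the token and makes its authorization decision from the claims, so no application owns its own authentication store) can be illustrated with a small simulation. This is an added example, not code from the thread or from ADFS: it uses an HMAC-signed JSON token with a shared key as a stand-in for the real WS-Federation/SAML tokens that ADFS signs with an X.509 certificate, and the issuer URL and key are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values. In a real ADFS deployment the trust between the
# identity provider and the relying party is an X.509 signing certificate,
# not a shared secret, and the issuer is the federation service's URL.
IDP_SIGNING_KEY = b"demo-only-idp-signing-key"
TRUSTED_ISSUER = "https://idp.example.test/adfs"  # placeholder, not a real STS


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(subject, roles, issuer=TRUSTED_ISSUER, key=IDP_SIGNING_KEY,
                ttl=300, now=None):
    """Identity-provider side: authenticate the user (assumed done), build a
    claims set and sign it. Only the IdP holds the signing key."""
    now = time.time() if now is None else now
    claims = {"iss": issuer, "sub": subject, "roles": sorted(roles), "exp": now + ttl}
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"


def validate_token(token, key=IDP_SIGNING_KEY, trusted_issuers=(TRUSTED_ISSUER,),
                   now=None):
    """Relying-party side: verify signature, issuer and expiry before trusting
    any claim. Returns the claims dict, or None if the token must be rejected."""
    try:
        payload, sig = token.split(".")
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return None
        claims = json.loads(_unb64(payload))
    except (ValueError, TypeError):
        return None  # malformed token or undecodable signature
    if claims.get("iss") not in trusted_issuers:
        return None  # signed, but not by an issuer this application trusts
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return None  # expired
    return claims


def authorize(token, required_role, **kw):
    """Application side: the access decision is made only on validated claims,
    so every relying application applies the same rule with no local user store."""
    claims = validate_token(token, **kw)
    if claims is None:
        return "deny: invalid token"
    if required_role not in claims.get("roles", []):
        return f"deny: missing role {required_role}"
    return f"allow: {claims['sub']}"


if __name__ == "__main__":
    tok = issue_token("alice", ["Approver"])
    print(authorize(tok, "Approver"))   # allow: alice
    print(authorize(tok, "Admin"))      # deny: missing role Admin
    forged = issue_token("mallory", ["Admin"], key=b"not-the-idp-key")
    print(authorize(forged, "Admin"))   # deny: invalid token
```

The three rejection paths (bad signature, untrusted issuer, expired token) are the checks a relying party must perform before it reads a single claim; the role check is the application-specific part, which is the only thing each in-house or third-party app has to implement once it has been federated.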