Decision Maker

FIM: At the Forefront of Identity Management

A look at what FIM, Microsoft's latest evolution of meta-directory services for Active Directory, might be able to do for your shop.

Several years ago, Microsoft purchased a company called Zoomit, which made a meta-directory product. The idea behind the meta-directory was to add a layer atop Active Directory where you would manage user accounts in your environment. In addition to replicating account changes to AD, the meta-directory could also replicate them to other systems and directories, helping to create a unified identity for your users, easing log-on pains and making for a more consistently configured environment.

Microsoft has subsequently released enhanced versions of the meta-directory product in the past few years, continually adding new features and functionality -- and changing its name almost every time. Microsoft Identity Integration Server became Microsoft Identity Lifecycle Manager, which has now become Forefront Identity Manager (FIM), reflecting the product's position as part of the Microsoft security-product family. You might be surprised by what FIM can offer your organization.

Meta-Directory, Sure
FIM still provides robust meta-directory capabilities through an included set of management agents. It can connect to any version of AD, to Tivoli Directory Server, Novell eDirectory, IBM Directory Server, Exchange Server, Lotus Notes, SAP and more; it also exposes an API so that developers can write custom management agents to integrate with line-of-business or other applications. It can work with any directory that supports LDAP or the Directory Services Markup Language, further broadening the directories and applications it can manage for you.

FIM is designed to enable users to manage some delegated aspects of their own identities through tools such as Office, SharePoint and controls built into newer versions of Windows itself. FIM offers self-service capabilities, such as the ability for users to -- using either a Web-based tool or an interface that integrates with the native Windows log-on process -- perform password resets and account unlocks. This is a must-have capability that can save even midsize organizations a considerable amount of money: Industry estimates are that most help desks spend $30 to service a password-reset call, and that about a third of help-desk calls fall into this category.

FIM provides much-needed workflow and change-management capabilities for identity and access management.

Not the Only Solution
FIM isn't cheap. It requires a 64-bit server and a 64-bit version of Windows Server 2008 or Windows Server 2008 R2; it also requires a 64-bit edition of SQL Server 2008 as its data store. It needs a Web server, such as IIS7, and it integrates with SharePoint Services 3.0 SP1 or later. It needs the latest version of the Microsoft .NET Framework, and mailbox provisioning support requires Windows PowerShell (which ships with Windows Server 2008). FIM itself costs $15,000 per server and $18 per user; even fairly large organizations can get by with one server, and discounts are doubtless available for larger organizations with some bargaining leverage.

Depending on your needs, FIM might not be your only option to access the features I've outlined. Quest Software, for example, offers a solution set in its Quest One family that can give you the same workflow capabilities and self-service features -- even connections to certain non-Windows directories and products.

Still, the capabilities offered by FIM are powerful, and they're definitely a must-have for many companies.

About the Author

Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is an Author Evangelist for video training company Pluralsight. He’s the President of, and specializes in the Microsoft business technology platform. Follow Don on Twitter at @ConcentratedDon.
