FIM CM 2010 Technical Overview
Updated: October 22, 2010
Applies To: Forefront Identity Manager, Forefront Identity Manager 2010, Forefront Identity Manager Certificate Management
This document is intended for Technical information technology (IT) managers, IT architects, and IT security analysts. It provides a technical overview of the certificate and smart card management capabilities that Microsoft® Forefront Identity Manager Certificate Management (FIM CM) provides. Specifically, this document provides the following:
Information about the business and technical drivers for the adoption of strong (multifactor) authentication management systems products, such as FIM CM
An architecture-level overview
Information about the tight product integration with the rest of the Microsoft environment
The benefits of using a FIM CM solution
User names and passwords have been around since the beginning of enterprise computing. They are pervasive because of their simplicity. At the same time, the strategic value of IT environments is increasing. Therefore, organizations are driven to consider stronger authentication across a wide range of applications and user scenarios. This includes user authentication, data encryption, and digital signatures, as a starting point. These scenarios require sophisticated management because certificate management must also be included as an attribute of the broader identity management challenge.
Microsoft has approached the broader identity management challenge with the vision that an enterprise identity within the IT environment has many attributes that must all be managed. This includes such things as provisioning those identities into any applications that require knowledge of the user. However, it also includes other attributes of the user, such as digital certificates.
Certificates are an important component of a longer-term identity management implementation because they provide many features that are valuable to the enterprise. One of the properties of certificates is that they are difficult to forge. The fact that they are a mature technology makes them an ideal authentication solution in a wide variety of situations. This includes using certificates as a second-factor authenticator for users (with or without smart cards). However, they can also be used to authenticate devices, such as web servers, workstations, networking devices, and many others. Certificates can also be used for more advanced functionality, such as digital signatures, which makes them even more valuable from a business perspective. As a result, most new applications today that require some form of strong authentication use certificates as the foundation of that functionality.
This concept is a key element in the design of FIM CM, which provides a robust certificate life-cycle management capability to address many of these scenarios. FIM CM can also provide some management functionality for computer-based certificates, such as web servers, for example. Certificate management has many components, including enrollment, key escrow, certificate recovery, revocation, and others, that are technically complex but important to the functionality of the solution. FIM CM implements all of these features in a simple web-based interface that is configurable and flexible. The result is a full-featured certificate life cycle management capability that delivers the value of certificates without the management complexity.
Certificates can be stored on a computer. For more security, they can also be stored on a smart card. The benefit of the smart card is that it can provide better portability of the certificate and also better protection of the cryptographic keys. These two benefits come at the price of more complexity due to the management requirements of the smart card. FIM CM also addresses this management challenge by providing rich management functionality for the smart card that hides these complex details.
FIM CM certificate and smart card management capabilities provide an integral component of an organization’s overall identity management approach by synchronizing the provisioning of multi-factor authentication credentials. For example, in a typical identity management workflow, an account name and password would be created and provisioned to authorized target applications. FIM CM certificate augments this process by providing the rich management infrastructure that is required to issue and manage certificates and smart cards that are linked to user accounts in a synchronized provisioning process.
This series contains the following topics: