Benefits of a FIM CM Approach

Applies To: Forefront Identity Manager Certificate Management

FIM CM provides enterprise organizations with an integrated and comprehensive set of management tools that enable customers to address a range of business and technical challenges associated in deploying digital certificate and smart card based strong authentication solutions.

The certificate and smart card management capabilities of FIM CM were inherently designed to reduce the cost and complexities of deploying strong authentication technologies such as smart cards and digital certificates within a single integrated lifecycle management solution.

The key business benefits of using a FIM CM approach to deploying digital certificate and smart card based strong authentications include:

  • Compliance with Corporate Security Policies and Regulatory Requirements

    An increasingly popular approach to addressing identity assurance compliance requirements is to deploy digital certificate technology in combination with smart cards. The smart card and the associated management process that are delivered by FIM CM provide better transparency into who has strong authentication devices, and of course the devices themselves provide better protection in terms of who can authenticate to corporate resources. FIM CM provides provisioning services and management processes that can be implemented and audited in relation to corporate security policy and compliance requirements.

  • Increased Operational Efficiency and Reducing the Help Desk Burden

    Deploying smart cards and/or certificate-based credentials within an integrated user provisioning experience provided by FIM CM can help IT organizations drive greater operational efficiency. FIM CM provides an integrated and comprehensive solution for managing the entire lifecycle of user identities and their associated credentials. Additionally, FIM CM includes self-service certificate and smart card management features that can further reduce cost and overall efficiency by empowering the user and reducing help desk calls.

  • Enhanced IT Security Infrastructure

    Organizations are starting to plan beyond user names and passwords to stronger techniques that include digital certificates and smart cards. Digital certificates and smart cards provide an excellent approach to deploying stronger authentication solutions. However, these benefits do come at a price of additional complexity due to the issuance and lifecycle management requirements associated with these technologies. FIM CM simplifies the deployment and lifecycle management of strong (multi-factor) authentication technologies such as certificates and smart cards in a manner that leverages an organization’s existing IT infrastructure.

  • Business Enablement

    Digital certificates enable organizations to implement stronger trust relationships with partners that can improve and increase collaboration and therefore new business opportunities. Deploying strong authentication solutions with integrated management systems such as FIM CM also enables organizations to leverage new technologies as they evolve over time – which in turn presents opportunities to drive new customer innovation. Organizations that are able to effectively deploy strong authentication in a more integrated and automated approach also free up valuable IT resources that are then able to focus on high value business activities.

The key technical benefits of using a FIM CM approach to deploying digital certificate and smart card based strong authentications include:

  • Providing an Integrated Identity Lifecycle Management Solution

  • FIM CM provides IT administrators an integrated user provisioning and credential management experience throughout the entire lifecycle of the user’s identity. Identity is increasingly becoming one of the most central and critical IT infrastructure components. As a result, it is increasingly important that certificate and smart card management features are tightly integrated with the rest of the organization’s IT environment. FIM CM does this by being tightly integrated with Active Directory (AD) and using AD user information, permissions and group information. This eliminates the need to create a separate collection of users, permissions and groups and the associated additional management overhead.

  • Ability to Select the Correct Authentication Technology and Platform Vendor

    FIM CM provides a hardware-independent solution that has the flexibility to support a range of strong authentication technologies and platform vendors – as well as leveraging new technologies as they become broadly available – using a standardized interface to the smart card called Microsoft BaseCSP and mini-drivers. Most major smart card vendors support mini-drivers and therefore FIM CM provides easy-to-implement hardware independence. This in turn provides significant value to enterprise organizations by enabling them to select the right strong authentication technology and vendor that best meets the unique requirements of the business – both today and in the future.

  • Provides Full Certificate and Smart Card Lifecycle Management

    While the use of digital certificates and smart cards provides an excellent approach to deploying stronger authentication over traditional username / password based systems, the use of these technologies inherently requires a robust management system with rich workflows and the flexibility to meet a wide range of organizational requirements. FIM CM provides an integrated and comprehensive solution for the provisioning and full lifecycle management of digital certificates and smart cards. FIM CM provides the ability to apply policies against common certificate and smart card management tasks from any given certificate or grouping of certificates through the use of profile templates. Profile templates provide a common set of policies for certificate enrollment, renewal, update, recovery, revocation and retirement. In addition, specialized policies have been created to handle lifecycle management challenges related to the management of smart cards such as temporary issuance of smart cards, smart card duplication, personalization and retirement.

  • Flexibility to Meet a Organization’s Unique Requirements

    Every organization is unique and as a result, their identity and credential management system requirements will in turn be unique. Organizations vary based on size, geographic distribution and security requirements, as just a few relevant examples. Each of these elements will have an impact on how the organization manages their certificates and smart cards. This might include centralized management, or highly distributed management. It could also include self-service scenarios or multiple approvals. The key point is the management system needs to be flexible to support these capabilities without requiring customized development. FIM CM provides the flexibility to support a range of deployment scenarios and can be easily configured to use different workflows and approaches as an organization plans and continues to evolve their deployment.

  • Leveraging Existing Microsoft Infrastructure

    FIM CM is tightly integrated with underlying Microsoft technologies including the two Windows Server components Certificate Services and Active Directory. FIM CM integrates with Certificate Services by acting as a higher-level management interface (commonly referred to as a Registration Authority or RA) between administrators and certificate services through the use of a FIM CM policy and exit modules. This allows FIM CM to perform all day to day certificate management tasks which would previously be performed through the Certificate Services MMC. Integration with Active Directory is supported by extending the schema to support FIM CM objects and permissions. This allows enterprises to leverage existing infrastructure to the fullest extent and to extend the functionality of their existing investment.

Previous topic

FIM CM Deployment Scenarios

See Also


FIM CM 2010 Technical Overview

Other Resources

Windows Vista Smart Card Infrastructure
Enterprise Smart Card Deployment in the Microsoft® Windows® Smart Card Framework
Description of the software update for Base Smart Card Cryptographic Service Provider
Forefront Identity Manager Product Page