Wednesday, November 23, 2011

Forefront Identity Manager 2010 R2 Release Candidate Now Available

Cross-posting from the Server and Cloud blog:

Microsoft is pleased to announce the availability of the Forefront Identity Manager 2010 R2 release candidate. It is available for download from Microsoft Connect, as described below.

This release candidate includes new and updated features for FIM 2010 R2:

  • Historical reporting using integration to the System Center Service Manager data warehouse
  • Web-based Self-Service Password Reset
  • Scale and performance improvements
  • Outlook® 2010 support for the FIM add-ins and extensions and SharePoint® 2010 support for the FIM Portal

In particular, this release candidate introduces numerous functional improvements, including:

  • New authentication gates for self-service password reset
  • Additional reports
  • Extensible Connectivity Management Agent 2

For complete information, see the Release Notes and feature-specific documents.

If you have already joined the FIM 2010 Community Evaluation Program or downloaded the beta, you can obtain FIM 2010 R2 RC from the FIM 2010 Connect web site. The downloads link is in the left column.

To join the program and download the software, click here. Once you answer the survey questions, the Connect site will auto-approve your access.

Thanks,

Mark Wahl

Principal Program Manager


Tuesday, November 22, 2011

UAG “Activation will start soon” stuck when joining a node to the array

This one terrorized me all day and just wouldn’t go away no matter what I did:


As it turns out, this is a symptom of having your nodes on different patch levels of UAG. The first node was SP1 with Update 1 while the second node only had SP1 applied. After applying Update 1 to the second node the array converged once I activated the configuration again.

I borrowed the following list from Ben Ari’s blog:

Here are some links that are related to these releases:

Tuesday, August 23, 2011

FIM 2010 R2 Beta Feedback Requested

If you aren’t already working with the R2 Beta release of FIM 2010, please download and check it out and then provide feedback in the public forums as to what you like and what you don’t like. Given that this is still the beta release, there is time to get your feature requests heard!

To access the R2 Beta you will need to sign in to Connect, Microsoft’s site for evaluating and providing feedback on early or pre-released software. You just need a Windows Live ID to sign in and create your profile. Once you sign in to the site you’ll be able to browse a list of products accepting feedback or bugs and add those products to your dashboard by clicking Join.


Step-by-Step

(Lifted from Peter Geelen’s post)

You can access the site one of two ways:

  1. By following this link: https://connect.microsoft.com/site433/SelfNomination.aspx?ProgramID=6639&pageType=1, OR
  2. Logging into Connect
    1. Browse the Directory for Forefront Identity Manager.
    2. Click on the Join link on the topics you wish to join
    3. Answer the survey questions and then click Submit; this auto-approves you for the Beta connection
    4. Click the Downloads link in the left column

At the download section, you’ll find the following items:

As you are evaluating the products, we encourage you to discuss feedback in the forum, but also to take the time to open bugs in the Feedback Center of the FIM Connect site. These bugs are triaged directly by the FIM Product Group, so it’s important to file them. Use the forum to ask clarifying questions around configuration and experience, and please share your positive and negative feedback about your experiences with the betas there.

Wednesday, August 03, 2011

SaaS and Identity Silos–the new Wolf in Sheep’s Clothing

To borrow another metaphor, the old phrase:

“Beware of Greeks bearing gifts”

…is reborn now as:

“Beware of SaaS vendors bearing identity”

In this age of pushing our solutions to the cloud we need to be careful about adopting solutions that involve standing up another identity silo. Handing out yet another username and password is the time-honored answer for most new applications, but in this day and age it is no longer acceptable. Stress to your SaaS vendors that you need the flexibility to:

  • Federate with an external Identity Provider (i.e. your enterprise identity)
  • Federate with a consumer Identity Provider (i.e. your Facebook/Yahoo/Google/Live identity)

There are certainly cases where SaaS vendors will need to provide both a solution for local username and password (small businesses for example) yet need the forethought to support extended federation scenarios for larger customers.

Another challenge that SaaS vendors are not immune to is profile synchronization. Whenever an application must maintain preference or demographic data (name, title, menu preferences, etc.) about you, it must either keep that in a local store or rely on all of that data arriving each time as part of the incoming claim set. In some cases it’s simply not practical to do everything in the claim, as it’s not the Identity Provider’s job to remember preferences for individual applications. The thing to remember here is that the profile data in the cloud must be created and maintained through some process. Look for options other than manual ones to automate this.

Thursday, June 30, 2011

True Single Sign-On

My customer really liked something I had said the other day while discussing strategy around Identity and Access Management. The concept of SSO kept coming up, both in our conversations and in the industry briefs on the topic that we were reviewing, and I basically said,

“SSO isn’t a product you buy, it’s the by-product of a well architected Identity and Access Management strategy.”

That statement has begun to resonate, and for good reason. While even I cannot deny that SSO products have their place, I disagree that they should be the first stop in your decision-making process. Use an SSO product when you simply have no other choice. There are other options that can reduce complexity as well as the number of logon prompts.

Tuesday, June 07, 2011

Federating FIM 2010 using UAG/ADFS and KCD - Identity.Junkie()

Identity Junkie is back on the air with its first post, check it out! It covers the concepts of using UAG to publish the FIM portal using a federated model. To be clear, this isn’t “how do I authenticate to FIM without an AD account”, it’s “how do I authenticate to the FIM portal when my request is originating from an extranet”. To quote Chris:

Where is this applicable? Say you have a resource forest where FIM resides; how do you provide access to the portal from autonomous security realms without having to create a bunch of NT trusts or maintain secondary credentials? Because shadow accounts exist within the resource forest as security principals for dependent services (for example BPOS or O365), you can leverage UAG, ADFS, and KCD together to provide secure access. UAG is claims-aware and supports Kerberos protocol extensions for (1) protocol transitioning and (2) constrained delegation.
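As an added example (not part of Chris’s post or this one), here is a PowerShell check, written from the defender’s side, of the two delegation settings the quote relies on: the UAG node’s computer account must be trusted for protocol transition, and its constrained-delegation list must contain only the SPN(s) the FIM portal is published under. The computer name and the portal SPN are placeholders; the audited attributes are the standard Active Directory ones.

```powershell
# Added example, not from the original post: audits Kerberos delegation on the
# UAG node's computer account (UAG delegates under its machine identity).
Import-Module ActiveDirectory

function Test-UagKcdDelegation {
    param(
        [Parameter(Mandatory)] [string]   $UagComputerName,    # placeholder, e.g. 'UAG01'
        [Parameter(Mandatory)] [string[]] $ExpectedPortalSpn   # placeholder FIM portal SPN(s)
    )

    $acct = Get-ADComputer -Identity $UagComputerName `
        -Properties 'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation

    $allowed  = @($acct.'msDS-AllowedToDelegateTo')
    $findings = @()

    # Unconstrained delegation would let the node act for users against any service;
    # KCD should be constrained to the portal SPNs only.
    if ($acct.TrustedForDelegation) {
        $findings += 'Unconstrained delegation is enabled; restrict to constrained delegation.'
    }

    # Protocol transition (S4U2Self, "use any authentication protocol") is what lets
    # UAG obtain a Kerberos ticket for a user who arrived with an ADFS claim instead of a TGT.
    if (-not $acct.TrustedToAuthForDelegation) {
        $findings += 'Protocol transition is off; claims-authenticated users cannot be transitioned to Kerberos.'
    }

    # The delegation list and the expected portal SPN list must match exactly.
    foreach ($spn in $allowed) {
        if ($ExpectedPortalSpn -notcontains $spn) { $findings += "Unexpected delegation target: $spn" }
    }
    foreach ($spn in $ExpectedPortalSpn) {
        if ($allowed -notcontains $spn) { $findings += "Expected portal SPN not delegable: $spn" }
    }

    [pscustomobject]@{
        Account             = $acct.SamAccountName
        AllowedToDelegateTo = $allowed
        Findings            = $findings
        Compliant           = ($findings.Count -eq 0)
    }
}

# Placeholder values: substitute the UAG node name and the SPN(s) of the published FIM portal.
Test-UagKcdDelegation -UagComputerName 'UAG01' -ExpectedPortalSpn @('http/fimportal.contoso.com')
```

Run it against each node in the UAG array; a non-compliant result on one node is the kind of configuration drift that also shows up as the array-level failures described earlier on this page.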
