Professional Documents
Culture Documents
Microsoft Identity Lifecycle Manager 2007 Product Overview
Microsoft Identity Lifecycle Manager 2007 Product Overview
Microsoft Identity Lifecycle Manager 2007 Product Overview
Identity Lifecycle Manager (ILM) 2007 enables IT organizations to reduce the cost of managing the
identity and access life cycle by providing a single view of a user's identity across the heterogeneous
enterprise and through the automation of common tasks. ILM 2007 builds on the metadirectory and
user provisioning capabilities in Microsoft Identity Integration Server (MIIS) 2003 and adds new
capabilities for managing strong credentials such as smartcards, providing an integrated approach
that pulls together metadirectory, certificate and password management, and user provisioning
across Windows® and other enterprise systems.
ILM 2007 simplifies the process of matching and managing identity records from disparate data
repositories, and prevents anomalies, such as active records for employees who have left the
organization. ILM 2007 provides IT with a policy framework to control and track the identity and
access data that helps manage compliance. It also includes self-help tools for end users, enabling IT
to improve efficiency by securely delegating many tasks to end users. Another key feature of ILM
2007 is that it includes a Windows-based certificate management solution that integrates with the
Windows Server 2003 operating system and Active Directory® to provide a turnkey solution for
managing the end-to-end life cycle of smart cards and digital certificates for the Windows Server
2003 Certificate Authority.
Key Benefits
ILM 2007 is designed to simplify and automate some of the most costly aspects of Identity Lifecycle
Management. ILM 2007 enables organization to:
Synchronize Identity Information. Organizations that have many different directories and
other data repositories such as a Human Resources (HR) data repository, mainframe systems,
or databases, can use ILM 2007 to synchronize user accounts and attributes in all of those
systems, including synchronization of passwords. Directory synchronization saves time and
money that is currently spent on keeping data consistent and enforcing data ownership
rules.
Provision and Deprovision Users. In many organizations, information about new employees is
entered in a HR database first. Then, the IT department creates user accounts, mailboxes,
and other identity information in different database systems. ILM 2007 automatically creates
these user accounts, mailboxes, and other identity information in target systems in real-time
so new employees are productive immediately, and also ensures that corporate resource
access is instantly revoked for employees who leave the organization.
Manage Certificates and Smart Cards. ILM 2007 includes a workflow and policy based
solution that enables organizations to easily manage the life cycle of digital certificates and
smart cards. ILM 2007 leverages Active Directory Directory Services and Active Directory
Certificate Services to provision digital certificates and smart cards, with automated
workflow to manage the entire life cycle of certificate-based credentials. ILM 2007
significantly lowers the costs associated with digital certificates and smart cards by enabling
organizations to more efficiently deploy, manage, and maintain a certificate-based
infrastructure. It also streamlines the provisioning, configuration, and management of digital
certificates and smart cards, while increasing security through strong, multifactor
authentication technology.
Key Benefits of ILM 2007
Feature Benefit
Provision User End users can be more productive by accessing needed systems faster while
Key Benefits of ILM 2007
Feature Benefit
Manage ILM 2007 reduces the costs associated with digital certificates and smart cards by
Certificates and enabling organizations to more efficiently deploy, manage, and maintain a
Smart Cards certificate-based infrastructure. IT benefits through streamlined provisioning,
deprovisioning, configuration, and auditing of digital certificates and smart cards,
along with increased security through the use of strong, multi-factor
authentication technology.
Connectivity Capabilities
ILM 2007 creates and distributes an integrated view of identity information from multiple data
sources. Broad connectivity capabilities give you the power to connect to the plethora of disparate
identity information sources in your company-all without the need to install software of any kind on
the target systems.
Connectivity Capabilities of ILM 2007
Network Operating Systems and Microsoft Active Directory Windows Server 2003 R2, 2003,
Directory Services and 2000
Microsoft Active Directory Application Mode Windows Server
2003 R2 and 2003
Microsoft Windows NT 4.0
IBM Tivoli Directory Server
Novell eDirectory 8.6.2, 8.7, and 8.7.x
Sun Directory Server (Netscape/iPlanet/SunONE) 4.x and 5.x
Email and Messaging Microsoft Exchange 2007, 2003, 2000, and 5.5
Lotus Notes 6.x, 5.0, and 4.6
ILM 2007 has two central components, one that includes metadirectory and user provisioning
capabilities and another for certificate and smart card management.
Identity Synchronization and User Provisioning
The identity synchronization and user provisioning component of ILM 2007 manages identity
information across multiple stores by aggregating this information in a central repository called the
metaverse. Management agents serve as connectors that translate data from these connected stores
to the metaverse. For example, the e-mail system can be linked to its HR database through the
metaverse. When an employee joining the organization is added to the HR database, ILM 2007 can
automatically provision that employee to the e-mail system. Each employee's attributes, from the e-
mail system and the HR database, are imported into the connector space through management
agents.
The e-mail system can then use individual attributes, from the employee entry that originated in the
HR database, such as the employee telephone number. If an employee's telephone number changes
in the HR database, the new number will automatically be propagated to the e-mail system.
Certificate and Smart Card Management
ILM 2007 also provides sophisticated credential management features to Windows Server 2003
Certificate Authorities (CA) by acting as an administrative proxy. Once installed within an
organization, all digital certificate and smartcard management functions pass through ILM 2007. The
certificate management solution in ILM 2007 consists of three components:
1) Server component: Provides a Web interface and is the focal point of administrative functions.
2) Certificate Authority plug-in: Communicates with the server, controls the behavior of the CA(s),
and provide rich logging and auditing in a central location.
3) Client-side components:
• Smartcard Self Service Control, which provides certificate management capabilities.
• Smartcard Personalization Control, which provides Java card management.
• Bulk Smartcard Issuance Tool, which is an application for centralized large scale smart card
deployment scenarios.
Q&A
How does ILM 2007 relate to MIIS 2003?
ILM 2007 includes and enhances the functionality of MIIS 2003. By integrating the
metadirectory and user provisioning features of MIIS 2003 with a management solution for
strong credentials, ILM is a powerful solution for managing the entire identity life cycle of
users and credentials.
What is Certificate Lifecycle Manager?
Certificate Lifecycle Manager (CLM) is a policy- and workflow-driven technology that helps
organizations manage the lifecycle of digital certificates and smart cards. This technology is
being released as a key component of ILM 2007.
How can I obtain Certificate Lifecycle Manager?
Certificate Lifecycle Manager will be made available as part of ILM 2007. By acquiring ILM
2007 you will gain all of the features and technologies of CLM.
What languages will ILM 2007 be available in?
ILM 2007 will initially be released in English only. Language packs for the certificate
management functionality will be released at a later date. Certificate management language
packs are planned for the following languages: German, French, Spanish, Japanese, Chinese,
Italian, Dutch, and Portuguese.
System Requirements
. Required Software
Windows Server ILM 2007 requires Windows Server 2003, Enterprise Edition, and Windows
2003 Server 2003 client access licenses (CALs).
SQL Server ILM 2007 requires SQL Server 2005 or 2000, Enterprise or Standard Edition,
Service Pack 3 (SP3).
Required Hardware
• 350 MB of available hard-disk space or more for the default installation. An additional 1
GB of available hard-disk space is recommended for the log file.
• 8 GB of available hard-disk space on the partition that contains the database files for ILM
2007 metadirectory services and user provisioning
• At least one network interface card (NIC) is required. If a private network is used, the
head node requires at least two NICs, and each compute node requires at least one NIC.
Each node may also require a high-speed NIC for a Message Passing Interface (MPI)
network.
Can SQL Server run on the same server on which ILM 2007 is running?
Yes, SQL Server may be run on the same server on which ILM 2007 is running. Typically,
performance is enhanced when SQL Server and ILM 2007 run on the same server.
Can the server-side certificate management components of ILM 2007 run on the same
server as the ILM 2007 metadirectory and user provisioning components?
Yes. All of the server-side components of ILM 2007 may run on the same server. However,
depending on the security requirements on your environment and the processing required
by your ILM 2007 server configuration, you may find it beneficial to run the components on
different servers.
When are CALs needed in ILM 2007?
You must acquire and assign a user CAL for each user person for whom the software Identity
Lifecycle Manager 2007 issues or manages one or more digital certificates. Otherwise, you do
not need user CALs only to access instances of the server software. Furthermore, the only
types of CALs available with ILM 2007 are user CALs. Device CALs are not available.
Is there an external connector license available for ILM 2007? If not, when will it be
available?
An ILM 2007 external connector license is not available for ILM 2007 at this time.
How do I license SQL Server for use with ILM 2007?
Please consult the SQL Server Product site in the Shop for up-to-date information on how
SQL Server is licensed, including answers to frequently asked questions.
Do I need to purchase a new SQL Server license to run ILM 2007?
No. You may use a copy of SQL Server that you have already licensed. ILM 2007 does not
require a copy for its own exclusive use. It may be shared with other applications.
A.
Upgrading from Microsoft Identity Integration Server (MIIS) 2003
Is there an upgrade path from MIIS 2003 to ILM 2007?
. Setup for ILM 2007 is designed to perform upgrades where appropriate. For example, ILM 2007
Volume License can upgrade an existing MIIS 2003 installation, Identity Integration Feature Pack
(IIFP), ILM 2007 Evaluation Edition, and ILM 2007 MSDN. IIFP cannot upgrade anything except a
previous IIFP. ILM 2007 MSDN cannot upgrade anything except a previous MIIS 2003 MSDN, etc.
Below is a matrix that shows the upgrade paths available.
Upgrade paths for MIIS 2003, IIFP, and ILM 2007 Versions
Product Being
Installed
Preexisting Product MIIS 2003 MIIS 2003 IIFP ILM ILM 2007 ILM 2007
SP2 SP2 2007 MSDN Evaluation
Web
Upgrade
Q.A.
Management Agents
Which management agents or connectors will be available with ILM 2007?
. Connectivity Capabilities of ILM 2007
Network operating systems and Microsoft Active Directory Windows Server 2003 R2, 2003,
directory services and 2000
Microsoft Active Directory Application Mode Windows
Server 2003 R2 and 2003
Microsoft Windows NT 4.0
IBM Tivoli Directory Server
Novell eDirectory 8.6.2, 8.7, and 8.7.x
Sun Directory Server (Netscape/iPlanet/SunONE) 4.x and
5.x
1 These file formats allow for integration with a variety of applications, databases, telephone
switches, X.500 systems, and metadirectory products or underlying systems that can produce a
file.