Identity and Access Integration Under Way
Jul. 23, 2007
The release of Identity Lifecycle Manager (ILM) 2007 starts the integration of Microsoft's enterprise identity management and access management products. Identity management systems maintain user identity data, such as group memberships and addresses, across all the applications and OS services that use the data, while access management systems control what users can do with computer resources such as applications, files, and printers. Although ILM 2007 begins the integration of identity and access management, further integration is planned, and customers considering ILM might want to wait until that work is complete, even though it could take longer than Microsoft predicts.

Identity Lifecycle Manager 2007

Released in May 2007, ILM 2007 provides administrators with tools for the end-to-end management of identity data by combining Microsoft Identity Integration Server (MIIS) 2003 and the recently acquired Certificate Lifecycle Manager (CLM). The newly integrated ILM provides three key identity management and access functions:

- Directory synchronization manages changes to user accounts and attributes, including passwords, across multiple directories in an organization, and enforces identity data ownership rules, such as which directory's value is taken as correct when two directories conflict. Directory synchronization ensures that identity data is consistent across all of the directories in an organization.

- User provisioning helps administrators create and maintain user accounts, mailboxes, and other identity information in the appropriate directories, so that a new employee has timely access to resources and data. Likewise, when an employee leaves the company, deprovisioning ensures that access to all resources and data is revoked in a timely manner.

- Certificate management simplifies the deployment, management, and maintenance of an organization's certificate infrastructure, which supports applications such as e-mail and Rights Management Services (RMS) and certificate-based credentials such as smart cards.

ILM Components Largely Unchanged

ILM 2007 supports the first two identity life-cycle management functions, directory synchronization and user provisioning, by incorporating the MIIS product (MIIS 2003 SP2). Like MIIS, ILM 2007 can connect to and synchronize identity data with third-party OSs and directories, including IBM Tivoli, Novell eDirectory, and Sun Directory Server; mainframes using the Resource Access Control Facility (RACF); e-mail servers such as IBM Lotus Notes and Microsoft Exchange; business applications such as SAP 4.7 and 5.0; and many other stores of identity information. If the more than 30 supplied connectors are insufficient to connect all of the directories in an organization, an Extensible Management Agent can be used to create a customized connection.

ILM 2007 adds two other useful user provisioning features. First, an organization can use ILM to streamline the provisioning of new user accounts, reducing the time it takes to give a new employee access to the resources they need for their job. For example, rather than having the human resources (HR) department enter information about a new employee in the HR directory first and then having IT create the necessary user IDs, mailboxes, and other identity data by hand, ILM can be used to perform all the necessary provisioning once the employee's HR record exists. Second, ILM provides a Web-based self-service portal for users to reset forgotten passwords.

The certificate management function is provided by an updated CLM, which provides a front end to Windows Server Certificate Services for all digital certificate and smartcard management functions.
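The directory synchronization and HR-driven provisioning described above can be modelled as a small sync engine: join the records from each connected directory on an employee ID, let a per-attribute precedence list decide which directory's value wins when two directories disagree, and derive provisioning and deprovisioning actions from the authoritative HR status. The Python below is an added illustrative model and is not ILM or MIIS code; the source names (HR, AD, Notes), the attribute names, the precedence table and every sample record are constructed for the example. It also handles one case the text implies but does not spell out: an account that has no joined HR record (a service account, say) is flagged for review rather than deprovisioned.

```python
"""Model of ILM-style directory synchronization and HR-driven (de)provisioning.

Added illustrative model of the metaverse/attribute-precedence idea; this is
not ILM or MIIS code. Source names, attribute names, the precedence table and
all sample records below are constructed for the example.
"""

# Constructed sample connector-space data: one dict per connected directory,
# keyed by the join attribute (employeeID).
HR = {  # authoritative for who a person is and whether they still work here
    "1001": {"givenName": "Ana", "sn": "Ruiz", "department": "Finance", "status": "active"},
    "1002": {"givenName": "Bo", "sn": "Lund", "department": "Sales", "status": "terminated"},
    "1003": {"givenName": "Cy", "sn": "Nair", "department": "IT", "status": "active"},
}
AD = {  # authoritative for account data; the department for 1001 is stale here
    "1001": {"sAMAccountName": "aruiz", "department": "Accounting", "telephone": "x4101",
             "memberOf": ["Finance-Users", "VPN"], "enabled": True},
    "1002": {"sAMAccountName": "blund", "department": "Sales", "telephone": "x4102",
             "memberOf": ["Sales-Users"], "enabled": True},
    "9001": {"sAMAccountName": "svc-backup", "telephone": "x4900",
             "memberOf": ["Backup-Operators"], "enabled": True},  # no HR record
}
NOTES = {  # the mail system owns the address
    "1001": {"mail": "ana.ruiz@example.com"},
    "1002": {"mail": "bo.lund@example.com"},
}
SOURCES = {"HR": HR, "AD": AD, "Notes": NOTES}

# Attribute flow precedence: for each metaverse attribute, the first listed
# source that contributes a value wins; later sources only fill gaps.
PRECEDENCE = {
    "givenName": ["HR", "AD"],
    "sn": ["HR", "AD"],
    "department": ["HR", "AD"],
    "status": ["HR"],
    "sAMAccountName": ["AD"],
    "telephone": ["AD"],
    "mail": ["Notes"],
}


def build_metaverse(sources, precedence):
    """Join every connector-space record on employeeID and resolve each
    attribute by precedence, producing one consolidated metaverse object."""
    ids = set().union(*(src.keys() for src in sources.values()))
    metaverse = {}
    for emp in sorted(ids):
        obj = {}
        for attr, order in precedence.items():
            for src in order:
                value = sources[src].get(emp, {}).get(attr)
                if value is not None:
                    obj[attr] = value
                    break
        metaverse[emp] = obj
    return metaverse


def plan_ad_exports(metaverse, ad):
    """Derive the AD export for each metaverse object: provision accounts for
    active HR records that lack one, deprovision terminated ones, flow changed
    HR-owned attributes to existing accounts, and flag accounts with no HR
    record at all instead of touching them."""
    plan = {}
    for emp, obj in metaverse.items():
        status = obj.get("status")
        if status is None:
            # Never deprovision something HR does not know about (service
            # accounts, contractors held elsewhere): surface it for review.
            plan[emp] = {"action": "orphan"}
        elif emp not in ad:
            if status == "active":
                name = (obj["givenName"][0] + obj["sn"]).lower()
                plan[emp] = {"action": "provision", "sAMAccountName": name,
                             "department": obj["department"], "enabled": True}
            else:
                plan[emp] = {"action": "none"}
        elif status == "terminated":
            # Revoke access in one export: disable the account and clear groups.
            plan[emp] = {"action": "deprovision", "enabled": False, "memberOf": []}
        else:
            flow = {a: obj[a] for a in ("department",) if ad[emp].get(a) != obj.get(a)}
            plan[emp] = {"action": "update", **flow} if flow else {"action": "none"}
    return plan


if __name__ == "__main__":
    for emp, change in plan_ad_exports(build_metaverse(SOURCES, PRECEDENCE), AD).items():
        print(emp, change)
```

Running the model shows the ownership rule in action: AD's stale "Accounting" value for employee 1001 loses to HR's "Finance" and is flowed back to AD, while AD keeps ownership of the telephone number. The terminated employee 1002 gets a single deprovisioning export that disables the account and strips its groups, and the unjoined service account 9001 is reported rather than disabled, which is the check a practitioner would want before letting a sync engine write to a production directory.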
ILM lets administrators create and revoke certificates, issue and revoke smartcards and their associated personal identification numbers (PINs), and reset PINs. ILM provides a Web-based administrative management console, a certificate authority plug-in that controls the behavior of the Windows Server Certificate Authority, and client components for bulk smartcard deployment and self-service smartcard management. Perhaps the biggest technical change to the formerly separate products is that the unified product uses a single instance of SQL Server to store data. (The separate products would each have required their own instance of SQL Server.)

Integration to Continue

ILM 2007 represents the first step in the integration of Microsoft's identity and access management products: Microsoft plans to release a new version of ILM, code-named ILM 2, in 2008. (For a roadmap of the various Microsoft identity and access management services, see the illustration "Identity and Access Management Roadmap".) Although customers will have to wait to see exactly what features are included in ILM 2, it will likely continue to expose self-service tools for identity management, so that IT can delegate the appropriate level of identity management tasks to users, and add a business process or workflow framework to ensure the right levels of approval are obtained before a new user ID is created or additional authorizations are granted. In addition, several components of the underlying infrastructure for identity and access management, such as Active Directory (AD) and the Internet Information Services (IIS) Web server, are changing in Windows Server 2008, and newer services, such as the Windows Workflow Foundation (WF) and the WS-* Web services protocols, will also be available to ILM 2. Microsoft is also working with several security and management products, such as Forefront Client Security, to reduce the number of separate management consoles needed to configure and administer the product.
It also seems likely that ILM could provide more unified consoles for identity life-cycle management tasks, as well as reduce or eliminate redundant infrastructure components and technologies, such as IIS. Because the changes in ILM 2 could be fairly significant, unless customers have an urgent need for identity life-cycle management tools, they should wait until this integration is completed. Moreover, although Microsoft claims that the integration will be finished next year, integration projects often take longer than expected, and Microsoft product groups do not have a strong track record of releasing two versions of a product within a single year.

ILM 2007 Licensing

ILM 2007 is available through Volume Licensing channels and is licensed on the server plus user Client Access License (CAL) model; there is no device CAL for ILM 2007. An ILM Server license costs US$15,000 per server at Open Volume Licensing (VL) pricing levels. Customers must acquire a US$25 CAL for each user who receives a certificate managed by ILM. If ILM is used only for directory synchronization and password resetting, no CAL is required; if it is used for smartcard deployment or to deploy certificates for e-mail access, a CAL is required. Select, Enterprise, Open License, and Open Value customers with active Software Assurance (SA) for MIIS 2003 as of April 30, 2007, are entitled to one ILM 2007 server license for each qualifying MIIS 2003 processor license. In addition, all customers with SA on either MIIS 2003 or ILM 2007 get a 25% discount on CALs if they purchase more than 250 CALs. An ILM 2007 license granted under SA includes SA coverage that expires when the corresponding MIIS 2003 coverage expires; upon expiration, SA can be renewed on the ILM 2007 license. Customers must acquire ILM 2007 CALs separately.

Availability and Resources

ILM 2007 was released for general availability in May 2007.
Setup for ILM 2007 is designed to perform upgrades where appropriate. For example, ILM 2007 acquired under a volume license can upgrade an existing installation of MIIS 2003, the Identity Integration Feature Pack (IIFP), ILM 2007 Evaluation Edition, or ILM 2007 MSDN.

A Microsoft brochure describing its overall identity and access management framework is available at download.microsoft.com/download/8/4/3/84373c1b-8ad4-41fb-93db-f8e55e3fdec2/IDM_brochure.pdf.

A Microsoft brochure describing ILM 2007 is available at download.microsoft.com/download/6/d/9/6d9af151-a489-470a-88f2-2f1a800f6a91/DS_ILM.pdf.

Microsoft's overview of ILM 2007 is available at www.microsoft.com/windowsserver/ilm2007/overview.mspx.

A FAQ on ILM 2007 is located at www.microsoft.com/windowsserver/ilm2007/faq.mspx#EKD.