Microsoft Bhold Forefront Identity Manager [EOL] Review

The SharePoint-hosted web UI lacks the features one would normally expect but it does have a PowerShell-aware web API.
Valuable Features

  • Extensible and reliable identity provisioning and synchronisation
  • Extensible workflow and policy engine
  • Extensible delegated access management platform with web UI
  • PowerShell-aware web API

Improvements to My Organization

I consult on the implementation of this product for my customers, and have advised where improvements are needed to operational efficiency, security compliance and transparency of policy.

Room for Improvement

The SharePoint-hosted web UI, while functional, lacks the features one would normally expect of a modern web application when used in its vanilla form. The BHOLD suite, which is an optional extension for RBAC modelling, should not be implemented without substantial budget being set aside for investment in additional training and understanding, and ensuring access to specialist resources is available when required.

Use of Solution

I've been using FIM 2010 for five years, and prior to that another five years between the 2003 and 2007 versions.

Deployment Issues

FIM is more an Identity and Access Management (IAM) framework rather than an out-of-the-box (OOTB) solution. With customization invariably required, deployment must be carefully planned according to the solution architected.

Stability Issues

The latest R2 release is stable and has no significant issues that affect implementation stability with regards to the core components.

Scalability Issues

The biggest limiting factor is that the sync engine cannot be configured for load balancing or redundancy, followed closely by the throughput limitations that apply to the FIM Service connector (management agent) when dealing with high volumes of objects under synchronization. Nonetheless, FIM has been successfully deployed to manage the entire identity life-cycle for very large sites, such as well over one million staff/student identities under management for the Queensland Education Department in Australia.

Also, when the "declarative" sync rules requiring "expected rule entries" (EREs) are employed, the sync overhead is further exacerbated. As such, this type of sync approach should be avoided in lieu of a code-based rules extension or the "scoped" sync rule capability released with R2.

Customer Service and Technical Support

Customer Service:

High, depending on availability. Support is available by subscription to the "Microsoft Premier Support Service" (PSS) and/or third-party solution support. In complex scenarios where skilled technicians are required, some delays (while generally minimal) may be experienced in getting a full resolution. A managed service arrangement might be worth considering through a third party such as UNIFY Solutions to mitigate the need for this in most cases.

Technical Support:

High, depending on availability. There is often a dependency on skilled resources that need to be accessed from outside the immediate PSS group.

Previous Solutions

No, only earlier versions of FIM, which are now mostly end-of-life.

Initial Setup

Generally complex in terms of number of components required, number of deployment steps required, and time generally taken with some of those steps.

Implementation Team

We implemented it in-house.

ROI

The knowledge gained to perform more implementations for other clients, and the potential to leverage our own complementary products and services.

Other Solutions Considered

Yes - Novell, Sun (now obsolete) and Oracle.

Other Advice

Be prepared to consider the total cost of ownership (TCO) of a FIM (or any IAM) solution when assessing its comparatively cheaper price tag against the mainstream alternatives. Be sure that training and resource development costs are covered in your budget, along with any ongoing "level three" type dependency on specialist resources to maintain and extend the solution once in Production. These costs may be minimized and service delivery/reliability optimised by leveraging a reputable managed service option such as the one available through UNIFY Solutions.

Disclosure: My company has a business relationship with this vendor other than being a customer: Microsoft Gold Identity and Access, Microsoft Gold Application Development, Microsoft Gold Data Platform, Microsoft Gold Intelligent Systems.