Integrating On-Premise and Cloud Active Directories with FIM 2010
Now that cloud-based solutions are gaining awareness in the SMB space as well as in medium and larger enterprises, an additional requirement for service providers continues to surface: directory synchronization.
Companies with 200+ employees looking for hosted solutions commonly have an Active Directory deployment as part of their internal infrastructure. This on-premise AD is typically required to support and manage existing line-of-business applications that will remain part of the customer's internal infrastructure. The IT and HR groups of mid-sized companies have existing processes they use to manage accounts for new employees, enable/disable applications, etc. Today, most cloud-based services require IT groups to manage accounts and services in two separate processes, one for the on-premise environment and one for the hosted environment. User accounts may or may not follow the same naming conventions on-premise and hosted, passwords are typically not synchronized, and the result is a process that is confusing for end users and error-prone and tedious for IT admin teams.
With the recent release of Forefront Identity Manager (FIM), which includes licensing options for service providers via SPLA (Service Provider License Agreement), there is at least some movement toward a solution to this challenge.
Based on testing we have completed in our labs, FIM is a viable option for giving hosted service providers a solution to this issue. A base deployment of FIM resolves a couple of key functional items that make cloud services more manageable for both service providers and the IT admin teams of hosted organizations.
At a basic level, FIM can be used to ensure account password synchronization between hosted and on-premise locations. In this scenario, the solution validates that email@example.com is using the same credentials for both the on-premise AD and the hosted AD, then synchronizes the passwords between the two environments so that when the user launches their email, OCS, SharePoint or other hosted service they have the same credentials and password they use to log in to their on-premise AD.
The next level of functionality provides password and account synchronization: the same functionality as above, but accounts are also synchronized when additions, deletions or changes are made within the on-premise AD. As an example, when firstname.lastname@example.org is created in the on-premise AD at the customer site, that account is also created in the customer OU of the hosted AD with the same password/credentials.
The remaining piece of the puzzle, providing full automation, would be a FIM management agent developed for the hosted provisioning system. Such a management agent would also enable the new hosted account to be provisioned for a set of hosted services. Without it, the customer admin team would need to go to the hosted service portal and enable hosted services (Exchange, SharePoint, OCS, etc.) for the newly created account. If a provisioning management agent were listening for new accounts created in a given OU, it would provision that user with a default set of functionality, or could potentially receive a set of parameters to provision a given new user with the appropriate set of hosted services as defined by the customer business arrangement. The same scenario would hold true for account deletions and changes.
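The account-synchronization and provisioning flow described above, reduced to its core algorithm as an added example (this is not FIM's or implement.com's code): the on-premise and hosted directories are joined on a stable anchor attribute, the resulting add/update/delete delta is scoped to the customer OU, and each delta entry is turned into a provisioning-agent action. The anchor values, attribute names, sample accounts and the default service set are all constructed for illustration; note that passwords are deliberately absent from the synchronized attribute list, since FIM carries password changes over a separate channel rather than as a directory attribute.

```python
"""Simulated one-way sync: on-premise AD -> hosted AD customer OU -> provisioning actions."""

# Constructed sample data. Both directories are keyed by a stable anchor
# (an objectGUID-style value stamped on the hosted object at creation).
ONPREM = {
    "guid-1": {"sAMAccountName": "jdoe", "mail": "jdoe@example.com", "enabled": True},
    "guid-2": {"sAMAccountName": "asmith", "mail": "asmith@example.com", "enabled": True},
    "guid-3": {"sAMAccountName": "bold", "mail": "bold@example.com", "enabled": False},
}
HOSTED = {
    "guid-1": {"sAMAccountName": "jdoe", "mail": "jdoe@example.com", "enabled": True},
    "guid-3": {"sAMAccountName": "bold", "mail": "bold@example.com", "enabled": True},
    "guid-9": {"sAMAccountName": "old", "mail": "old@example.com", "enabled": True},
}
# Attributes that flow through the sync. Password material is not one of them:
# the password path is a separate channel, never a plain attribute copy.
SYNCED_ATTRS = ("sAMAccountName", "mail", "enabled")
DEFAULT_SERVICES = ("exchange", "sharepoint", "ocs")  # hypothetical default bundle


def compute_delta(source, target, attrs=SYNCED_ATTRS):
    """Join source and target on the anchor and return (adds, updates, deletes)."""
    adds = {k: {a: v[a] for a in attrs} for k, v in source.items() if k not in target}
    deletes = sorted(k for k in target if k not in source)
    updates = {}
    for k in source.keys() & target.keys():
        changed = {a: source[k][a] for a in attrs if source[k].get(a) != target[k].get(a)}
        if changed:
            updates[k] = changed
    return adds, updates, deletes


def provision_actions(adds, updates, deletes, services=DEFAULT_SERVICES):
    """Translate the delta into actions a provisioning agent would apply to the hosted OU."""
    actions = []
    for k, attrs in adds.items():
        actions.append(("create", k, attrs))
        actions.append(("enable_services", k, list(services)))
    for k, changed in updates.items():
        actions.append(("update", k, changed))
        if changed.get("enabled") is False:  # disabled on-premise -> suspend hosted services
            actions.append(("suspend_services", k, list(services)))
    for k in deletes:  # removed on-premise -> deprovision, then delete the hosted object
        actions.append(("deprovision", k, list(services)))
        actions.append(("delete", k, None))
    return actions


def run_sync():
    """One sync cycle over the constructed sample directories."""
    adds, updates, deletes = compute_delta(ONPREM, HOSTED)
    return provision_actions(adds, updates, deletes)
```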
At implement.com we are working with a number of our service provider customers as they work through this scenario and determine the appropriate solution and architecture for their environment. I am very optimistic that this will continue to gain momentum over the course of the next couple of quarters with production deployments in place by the end of 2010.