In my overview of FIM 2010, I gave a brief run-down of how FIM got to where it was today. I’ve always been a bit more curious about the finer details though, so I went out and did a bit of research to produce this history of Forefront Identity Manager 2010.
Microsoft Forefront Identity Manager started life in November 1996 when a Canadian company called Zoomit released a product named VIA. VIA was originally designed as a meta-directory service which made the revolutionary step of providing directory integration services to combine meta data from a variety of sources into a unified view of identity objects, known as the Metaverse. These objects could then be accessed and controlled through a standard web browser, utilising an in-built security model, with the changes being distributed across the integrated directories.
On June 30, 1999, Zoomit Corporation was acquired by Microsoft, with 12 members of the core development team moving to Redmond to relaunch the product as Microsoft Metadirectory Services (MMS), an early version of what is now the FIM Synchronization Service, and which was only available through Microsoft Professional Services. MMS featured the same Management Agent interface, now with an Active Directory Management Agent, allowing it to connect into a variety of Microsoft and non-Microsoft directories out-of-the-box. The Metaverse was also still accessible through a stand-alone client (Compass Client), an ActiveX client, direct LDAP-compliant user agents and also through a web browser. In MMS, however, support for a number of different protocols was removed, such as its ability to act as a DHCP or DNS server, or to act as an SMTP gateway, as the product evolved to focus on the management of user identities.
On July 2, 2003, Microsoft released a stand-alone product named Microsoft Identity Integration Server (MIIS) 2003. Not to be confused with Microsoft Internet Information Services (Microsoft IIS), MIIS 2003 represented a complete re-write of the VIA product and while it was written by the same team, and incorporated many of the same features and concepts, it was completely new. The Extensible Management Agent (XMA) and provisioning and data flow operations were all now extended using the .NET framework, which retired the previously-used Zscript. MIIS 2003 also introduced support for Active Directory Application Mode (ADAM), DSML 2.0 and even featured the “Identity Management Solution Accelerator” that allowed for easier creation of IAM provisioning solutions using MIIS 2003.
Worth noting is that as of MIIS 2003, access to the Metaverse was now strictly controlled through the MIIS client. The web browser and LDAP connectivity had been removed, and all data flows were now dictated by rules defining authoritative source and attribute flow precedence.
In September 2005, Microsoft acquired a company called Alacris, who had a smart cart and certificate management product known as IDNexus.
In May 2007, Microsoft rebranded and relaunched MIIS 2003 as Identity Lifecycle Manager (ILM) 2007, which now incorporated IDNexus under the name “Certificate Lifecycle Manager” and offered the ability to manage smart cards and provided credential management features to both Windows Server and 3rd party certification authorities (CAs). Minor changes and upgrades were made to the underlying synchronization service provided in MIIS 2003, but this remained mostly unchanged.
In early 2010, Microsoft again re-branded its IAM offering, this time under the name Forefront Identity Manager which we know today. The key feature in this release was the addition of a new portal that allowed codeless provisioning, user self-service, group management and a dynamic request/approval workflow engine. Outlook integration and Self Service Password Reset were also added into this release, the latter of which only available to users through domain-joined Windows machines.
In September 2011, Microsoft acquired ‘certain assets’ of BHOLD, an Identity & Access Governance (IAG) suite that competed with Omada Identity Manager in the ILM/FIM space.
In October 2012, Microsoft released FIM 2010 R2, which added BHOLD to the FIM suite and which also added an improved cross-browser password reset and registration portal, as well as various other improvements and enhancements. Through BHOLD came the ability to provide Role Based Access Control and Attestation, as well as Reporting and Analytics.
So what’s next?
In the last 15 years, we’ve seen FIM evolve from a simple metadirectory to the powerful enterprise level Identity and Access Management platform that it is today. In the short term, some hypothesise that BHOLD will be rebranded and further integrated into the FIM product and this is probably true, though it’s clear that Microsoft is looking to continue to expand its footprint in the Identity space.
With the trend towards Cloud Computing and distributed systems, Microsoft has made a bold move with its Windows Azure platform, which provides Windows Azure Active Directory to further round-out its offerings. That’s not to mention Office 365, and its hosted Exchange platform, which has signfiicantly changed the way organizations manage their e-mail services. Both of these services now have the capability to integrate with FIM 2010 via their respective connectors and Management Agents, and FIM itself is also now supported as installable in the cloud.
Active Directory Federation Services (ADFS), Microsoft’s federated identity and Single Sign-On (SSO) offering is still around, though seems to have taken a back seat with all the hype around “Cloud”. That said, it’s quite possible this product may see a resurgence once Azure Active Directory gains market share.
Personally, I’d like to see Microsoft turn its focus inward and improve upon the existing products in its suite – a more customisable user interface for the FIM Portal, a more powerful and configurable FIM Synchronization Service, greater integration between the separate products, etc. As a specialist ILM and FIM Consultant since 2008, there’s a lot of basic features that myself and others have always felt need to be added into the product if it’s really to compete with other enterprise Identity and Access Management solutions on the market. Well, here’s hoping…