I am trying to develop a solution for Password Reset from Thin-Clients. I realize this has been asked before, but I might be able to achieve this for our environment if I had some more information.
My question is, what are all the ways I can launch the Password Reset client? With the client software installed it can be invoked from the Portal and from the WinXP Gina / Win7 Credential Provider. Can it be executed via command line or by a script?
My goal is to have the thin clients launch a citrix app that will execute the Password Reset Client itself, passing it whatever information needed. We do not want to present the user with a web-page / browser.
I was able to invoke the ActiveX control via PowerShell, but I'm not sure what exactly to pass to the ResetPassword method. It expects the first string to be the domain\username, but what should the second string be?
hey guys,
I have 2 lab environments going, but now I'm trying to move some things into production. How do you guys handle the initial export to AD? I'm worried about accidentally overwriting group memberships or pushing out old users (they're in FIM because of our HR system). I've set my flows and whatnot, so I'm "pretty" sure it won't happen. However, I just want to be careful.
I noticed that I can limit the number of objects in the run profile, but is there anything else I can do or should do for my first export?
thanks,
-PD
I have a situation where some of my dynamic security groups are getting the manually-managed members populated by the builtin synchronization account when it is synced. I remove the manual members so users can update the filter, but a few days later for whatever reason, the manual members get changed by the synchronization engine. I have screen shots documenting what I am seeing that hopefully help.
I do have other groups that come in with manual members and are managed that way just fine. I suspect this is getting changed when group membership calculation happens and it is adding those users to the members attribute in the metaverse and then importing those members into the group for manual membership.
I am also not using sync rules to import/export the attributes for the groups.
If there is any other information that could be helpful let me know.
Hello,
I did an export to the FIM portal. I wanted to verify that the data exported was using the FIM Service database to store the information. Which table can I look at to view the data? If possible, can you provide any links on the FIM export? Thanks
We are trying to install the FIM Add-ins and Extensions - Localized Version for SSPR.
English and Polish - Localized
Working with a customer who has sites in both Ireland (English language) and Poland (Polish Language).
Polish Add-in Show English Language
We have installed the English FIM Add-in password reset extension in Ireland and it works correctly, but when we install the Polish language version it does not use Polish but English.
Looking for Direction on using the Localized Version
Does anybody have any experience with these localized Add-ins and could give us some pointers on what we are doing incorrectly?
We have already followed the instructions:
http://technet.microsoft.com/en-us/library/ff512688(v=ws.10).aspx
Got an interesting situation that I haven't seen before.
Have inherited a system where there's an IAF from FIM MA -> MV on Email. In the MV, Email has several contributing MAs, with the FIM MA providing a value where none of the 3 authoritative systems (1 per user class) provide one.
Have realised that the value the FIM MA is providing really isn't relevant and so deleted the flow from Email on that MA.
Then I commit a preview on the FIM MA CS object, but notice that the email attribute is still set in the MV object, with the FIM MA as the contributing MA.
"Don't recall attribute when disconnected" is turned on, so I switch that off just in case and do another commit preview. Same result - email still in MV with FIM MA contributing.
Does anyone else think this is odd behaviour? In times past when I've done similar operations, I believe the contributed attribute has been cleared in the MV when a full sync is performed after the flow rule is cleared. Then again, in those times I may have cleared the connector space before doing a FIFS again to ensure it's all properly sync'ed - these days, I try to avoid clearing the FIM CS where I can
MCTS: Forefront Identity Manager 2010, Configuring
Hey guys,
I'm getting the "DN must be set" error below. I've seen a lot of posts on it, but I'm not sure how to handle it in my situation.
When I check one of the accounts, it's looking for it in the FIMObjects OU. It's not there, but in a different OU. I'm assuming I need to somehow add the path of every place I have users (for my outbound user AD sync rule); is that correct? Below is the DN I'm using. I have it set that way because I'm provisioning users from our HR system. Based on their location they need to drop into a specific OU.
How do I account for my existing AD users that are throwing up errors when I sync?
Thanks!
Background
Internal Users in "Domain A" are synchronised and created in "Domain B". A group is created in "Domain B". Users from Domain A are added to Domain B using the FIM Portal.
i.e. domaina\user's synchronised account domainb\user is a member of group domainb\group.
The FIM Synchronisation Service deals with this fine and quite happily populates the group in Domain B with the correct user objects, but the FIM portal complains that they are invalid. I understand why the Portal is doing this: it is assuming that because the user object has a domain of "Domain A" and the group is in "Domain B" it is therefore invalid. I've tried disabling the group validation MPR to see if that prevents Invalid Members from displaying, but it does not.
Questions
Let me know if I can be clearer with my question!
Screenshot
Hi,
We have followed both the articles to the last line, 'before you begin' (http://technet.microsoft.com/en-us/library/ff512685(v=ws.10).aspx) and 'installing the FIM server components' (http://technet.microsoft.com/en-us/library/ff512686(WS.10).aspx) - and unfortunately we still cannot connect to the FIM Portal.
This is the IE error message: HTTP Error 401. The requested resource requires user authentication.
To recap:
1. Created a WSS service account S-WSS
2. Selected the correct identity for the SharePoint Application Pool using Central Admin (even retyped the password in both AD and in Central Admin). Verified that the Sharepoint - 80 app pool reflects this new account. Reset IIS.
3. Registered the SPNs (we have one FIM Sync and one FIM Portal server on separate VMs, no NLB).
setspn -S HTTP/FIMPortal Adatum\S-WSS
setspn -S HTTP/FIMPortal.adatum.com Adatum\S-WSS
setspn -S FIMService/FIMServer Adatum\S-FIMSVC
setspn -S FIMService/FIMServer.adatum.com Adatum\S-FIMSVC
4. Enabled both accounts listed above for Kerberos Delegation to Any Service
5. Enabled Kernel-mode authentication for IIS Windows Authentication, reset IIS
6. Modified Web.config file to include: <resourceManagementClient requireKerberos="true" . . . />, reset IIS again (even tried it without this setting)
No matter what we type in: http://localhost/identitymanagement or http://FIMPortal/identitymanagement we get the same error message: HTTP Error 401. The requested resource requires user authentication.
Are there any steps we missed?
Thank you,
SK
I understand that to include a reason text in the owner's approval notification workflow and template, I need to bind reason to group and extend the FIM schema so that it can be used. I also understand that I would need to edit the RCDC for Group edit to include that reason. This can be done. With all that I can then include reason in the approval notification template.
My question is this: If a user or admin chooses to simply check off the group in a list of SG's/DG's...then clicks Join....what should be edited to include Reason in this situation. Right now the web service simply takes your signed in username and inserts it into the request without any further action needed by the user. I would like to slightly interrupt that process to require a reason given for the request before the workflow continues. Any help would be appreciated.
I'm receiving the following error when trying to run the Start-FIMReportingInitialSync.ps1:
mscorlib: System.Collections.Generic.KeyNotFoundException: The given key was not present in the dictionary. at System.ThrowHelper.ThrowKeyNotFoundException() at System.Collections.Generic.Dictionary`2.get_Item(TKey key) at Microsoft.ResourceManagement.Reporting.RequestParameterParser.ConvertRequestParameterToExportLogEntries(Guid requestIdentifier, Int32 sequenceIndex, String parameter) at Microsoft.ResourceManagement.Reporting.DataManager.InitialDataManager.ReadBatchAndAdvance(Int32 batchSize) at Microsoft.ResourceManagement.Reporting.ReportingManager.ExecuteBatchOfExtractTransformLoad(IDataManager dataManager) at Microsoft.ResourceManagement.Reporting.ReportingManager.ExportInitialData(IDataManager dataManager) at Microsoft.ResourceManagement.Reporting.ReportingManager.ExportInitialData() at Microsoft.ResourceManagement.Reporting.JobManager.Run()
I've run the data warehouse scripts and they completed successfully.
I also ran the MPSync job and that didn't show any errors.
Any ideas on how to troubleshoot this?
Many thanks,
Sami
I have a similar issue as per http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/b2de9b59-0ce4-4c9b-bfec-95662a4aa373.
The setup is in a LAB environment with AD, SQL 2008 R2, Exchange 2010 and the FIM server on different servers. FIM Synchronization completed successfully on the same server and there is no connection problem with SQL.
The FIM Server details:
OS:Windows Server 2008 R2 SP1,
SQL Native Client 2008 R2 is installed
SQL Environment:
SQL 2008 R2
The Installation account of the "FIM Service & Portal" is the FIM Service account and have SYSADMIN rights on SQL,
There is a mailbox for the FIM service account and it can access OWA. The EWS certificate was also added to "Trusted People - Local Computer". The FIM Service and Portal Setup runs and then gives the following errors:
The first error screen:
The second error screen:
After the setup has performed a rollback the following error is found in the Application Log:
Product: Forefront Identity Manager Service and Portal -- Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action DeployAndPopulateDatabase, location: C:\Windows\Installer\MSI40E7.tmp, command: installApp=FIM action=DeployAndPopulateDatabase databaseName=FIMService namespaceName="fim" datFilesInstallDir="C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\Data" sqlserverName=****sql01.***.***.com FIMServiceAccountDomain=tlab FIMServiceAccountName=fimsvc SyncServiceAccountDomain=**** SyncServiceAccountName=fimma RunningUserDomain=**** RunningUserName=FIMsvc RunningUserEmail=CreateDatabase=True
This is the same as "Yoann-78" posted on, but the FIM Service account does have a mailbox and it does show in AD.
Regards Andre van der Westhuizen
I am working with a new install, running version 4.0.2592.0 of the Portal. The "Service Partition Name" attribute does not exist at all as described in this article:
http://social.technet.microsoft.com/wiki/contents/articles/understanding-fim-service-partitions.aspx?wa=wsignin1.0
I've taken a look at a couple of other lab environments running the same version of the Portal, and they do include that attribute. I haven't been able to identify what/when that attribute may have been added, but it was not added manually.
In addition, in the environments that the attribute does exist, it is not populated.
It's also curious that the schema for the Request object on MSDN does not include the attribute:
http://msdn.microsoft.com/en-us/library/ee652273.aspx
Is there additional configuration that I'm missing that would trigger FIM to begin populating this value? I already have multiple Service instances setup.
-Ryan
Looking to set up a test environment with FIM 2010 and will have several questions throughout my reading.
1st Question - Regarding password synchronization. What are real-world examples of using this service? I have read in another forum that you can sync passwords between AD DS and ERP; however, currently ERP is integrated into AD DS so all users have the same username and password in both Active Directory and ERP. So what's the difference?
I have AD groups sync'd into my FIM portal. I would like to add users to that group based on a criteria. Is there a way to add the criteria based users to the group without losing the existing users that are already in there?
I guess basically, I would like to use criteria based groups without losing the ability to manage the groups from AD.
If you ever go to export objects to Active Directory and get a "permission-issue" error message in the Synchronization Service Manager Console, review this document to help isolate and resolve the issue.
GALSYNC: Permission-Issue: Insufficient access rights to perform the operation
http://social.technet.microsoft.com/wiki/contents/articles/7612.galsnc-permission-issue-insufficient-access-rights-to-perform-the-operation.aspx
Timothy P Macaulay, MCSD, MCSD.NET, MCAD, MCP
I spent yesterday trying to import my security groups into the FIM portal. I finally got it working and saw all of my groups in the FIM portal. This morning I hop into the console and my groups are all missing. I search the FIMMA connector space and none of my groups are there anymore. They’re still in my AD connector space though.
I have not manually set up any kind of schedule. This happened in my lab and my production environment so I’ve obviously missed something.
Any ideas what I may have missed?
Thanks,
Hello Every body ,
I'm trying to add a custom configuration section in the miiserver.exe.config, to read it from a rule extension. I read a lot of questions and blog posts but none of them gets the same results I get.
I made the ConfigurationSection class and it worked perfectly in a sample project where I put the configuration in the web.config, but when I tried to do the same (I even copied and pasted the class and the code) in the miiserver.exe.config it gives me the exception
System.Configuration.ConfigurationErrorsException: An error occurred creating the configuration section handler for GroupMemberShipURL: Could not load file or assembly 'GroupURLConfigurationSection' or one of its dependencies. The system cannot find the file specified. (C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin\miiserver.exe.Config line 10) ---> System.IO.FileNotFoundException: Could not load file or assembly 'GroupURLConfigurationSection' or one of its dependencies. The system cannot find the file specified. File name: 'GroupURLConfigurationSection' at System.Configuration.TypeUtil.GetTypeWithReflectionPermission(IInternalConfigHost host, String typeString, Boolean throwOnError) at System.Configuration.RuntimeConfigurationRecord.RuntimeConfigurationFactory.Init(RuntimeConfigurationRecord configRecord, FactoryRecord factoryRecord) at System.Configuration.RuntimeConfigurationRecord.RuntimeConfigurationFactory.InitWithRestrictedPermissions(RuntimeConfigurationRecord configRecord, FactoryRecord factoryRecord) at System.Configuration.RuntimeConfigurationRecord.CreateSectionFactory(FactoryRecord factoryRecord) at System.Configuration.BaseConfigurationRecord.FindAndEnsureFactoryRecord(String configKey, Boolean& isRootDeclaredHere)
here is the assembly I use to add the configuration section
using System;
using System.Collections.Generic;
using System.Web;
using System.Configuration;
using System.Xml;

namespace GroupURLConfigurationSection
{
    /// <summary>
    /// The Class that will have the XML config file data loaded into it via the configuration Manager.
    /// </summary>
    public class GroupSection : ConfigurationSection
    {
        /// <summary>
        /// The value of the property here "Groups" needs to match that of the config file section
        /// </summary>
        [ConfigurationProperty("GroupURL")]
        public GroupCollection GroupURL
        {
            get { return ((GroupCollection)(base["GroupURL"])); }
        }
    }

    /// <summary>
    /// The collection class that will store the list of each element/item that
    /// is returned back from the configuration manager.
    /// </summary>
    [ConfigurationCollection(typeof(GroupElement))]
    public class GroupCollection : ConfigurationElementCollection
    {
        protected override ConfigurationElement CreateNewElement()
        {
            return new GroupElement();
        }

        protected override object GetElementKey(ConfigurationElement element)
        {
            return ((GroupElement)(element)).Group;
        }

        public GroupElement this[int idx]
        {
            get { return (GroupElement)BaseGet(idx); }
        }
    }

    /// <summary>
    /// The class that holds onto each element returned by the configuration manager.
    /// </summary>
    public class GroupElement : ConfigurationElement
    {
        [ConfigurationProperty("group", DefaultValue = "", IsKey = true, IsRequired = true)]
        public string Group
        {
            get { return ((string)(base["group"])); }
            set { base["group"] = value; }
        }

        [ConfigurationProperty("url", DefaultValue = "", IsKey = false, IsRequired = false)]
        public string URL
        {
            get { return ((string)(base["url"])); }
            set { base["url"] = value; }
        }
    }
}
and I copied the DLL file to the "C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin" folder so it will be in the same directory as the config file. I read it using the following code from the rule extension:
GroupSection config = (GroupSection)System.Configuration.ConfigurationManager.GetSection( "GroupMemberShipURL");
and here is the miiserver.exe.config file
<configuration>
  <!-- Configuration section-handler declaration area. -->
  <configSections>
    <!-- name = This needs to match the name of the section that the settings are stored
         type = is a 2 part value. Part 1 is the full path (w/ namespace to the class that will hold this data.
                Part 2 is the name of the assembly this class is found in. -->
    <section name="GroupMemberShipURL" type="GroupURLConfigurationSection.GroupSection , GroupURLConfigurationSection"/>
  </configSections>
  <startup>
    <requiredRuntime version="v2.0.50727"></requiredRuntime>
    <supportedRuntime version="v2.0.50727"></supportedRuntime>
  </startup>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="Microsoft.MetadirectoryServicesEx" publicKeyToken="31bf3856ad364e35" />
        <bindingRedirect oldVersion="3.3.0.0" newVersion="4.0.0.0" />
      </dependentAssembly>
    </assemblyBinding>
  </runtime>
  <GroupMemberShipURL>
    <add group="TestURL1" url="type=TestURL1 username=%SamAccountname%_AD password=%SamAccountname%_AD"/>
    <add group="TestURL2" url="type=TestURL2 username=%SamAccountname%_AB password=%SamAccountname%_AB"/>
    <add group="TestURL3" url="type=TestURL3 username=%SamAccountname%_AC password=%SamAccountname%_AC"/>
  </GroupMemberShipURL>
</configuration>
I know it must be a trivial error, but I spent a lot of time trying to figure out what is going on and can't figure out why it works in the sample project and not in the production project.
Thanks
Ali Saleh
Recently I moved the FIM Sync database and FIM Sync engine to a new physical server. I was able to set up a FIM Sync engine on the restored DB.
All of my existing MAs [AD, LDAP, Oracle and SQL MAs] are running fine. But two of my MAs [Lotus Notes MA and one XMA] started failing with the below error message:
ACCESS_DENIED
A user was denied access for an operation.
attempted:"CManagementAgent::ExecuteAsyncEx"
After the DB restoration, I used miisactivate to activate FIM sync with my old server key and the service account. I tried to create a new XMA but still getting the same access denied error.
Please advise what I would need to change to fix this issue.
From the user's side, if they create a group in FIM and the group is not provisioned in AD, there is no indication of whether group creation was successful, unless the user gets the feeling that the group is not working at all or someone from IT gets into it to investigate.
As I have experienced, a user created a group with universal scope and a domain local group as a member; the group failed to sync, and if the user wants to delete the group in FIM, it errors out with "ObjectSIDString is either null or empty, cannot delete the group at this time."
To delete the group I have to go to the advanced view of the group in FIM, locate the field for "ObjectSIDString Group binding", type any number in it (for example 1234), click OK and submit the change.
The group got deleted at last.
It would be great if we could apply some workflow that indicates the successful provisioning of the group in the other data store. I am new to FIM, so maybe I am wrong in my observation; correct me.
____________ Anirban(India)
I'm trying to sync my groups from AD to FIM. I'm getting the policy error. I checked the 2 MPRs.
Both are enabled and I've even set the resource attribute to All attributes. I have also been able to bring users into the portal, so I don't think there's anything wrong with my fimma account.
I tried running Markus' PowerShell script, and it found some errors. The problem is that I don't quite understand where the misconfiguration is. It appears that it wants me to add the attributes to the target\resource attributes (I tried adding each one manually and it disappeared from the list when I reran the script). However, I already have them set to ALL ATTRIBUTES.
Can anyone please help me out?
I thought I had MPRs down but maybe not. I have the built-in and main admin account only at this point, and I get an ERE each time I make a change to one of them. At this rate, the MV will get filled with thousands in no time. That can't be right.
I have the "Request" MPR set to Create, Modify, [all of the check boxes]. I have the set "All People" as the target resource for before and after. The Requestors set is "All People" as well. The "Action" workflow activity is for the AD Outbound sync. I don't appear to have an MPR\workflow for the AD Inbound sync, though it does appear to work.
Do I need to break these two functions (Inbound\Outbound) into two different MPR\Workflow combinations?
I've set up a lab environment with a connected HR data source, the FIM 2010 RTM, one DC which holds a replica of the live domain, and 3 ADDS MAs & SRs & sets & MPRs with the following roles: one for the initial join of the AD users with the HR data, one for provisioning contacts for certain employees that are not using PCs, and one for regular employees with domain accounts.
The joining and projection into the MV and FIM work fine. Flowing changes to existing joined AD objects works fine, contact deprovisioning works fine, user renames (when the AD user DN changes) work fine, and OUs get created if necessary. I haven't tested account deprovisioning yet.
I'm having issues with user and contact provisioning. What I'm trying to do is use a custom attribute of the person object in the portal to trigger the account or contact creation using sets; I don't want to have a domain user for every person object.
I can see the EREs importing from FIM MA into the MV with pending status during import (full or delta), but during the sync on FIM MA the status changes to Not Applied. Yes, I have checked the create resource box and I'm only using declarative rules. I don't get any error of any kind.
Is there something I am missing here? Any help is greatly appreciated.
Thanks a lot for the trouble, Cristian
I currently have FIM 2010 version 4.0.3531.2 installed with Sync and Portal. I figured I would do an in place upgrade to R2.
I downloaded the latest R2 RC bits, when I run the FIM sync service setup.exe (or the *.msi) I immediately get the below error.
-- Error 25201.Forefront Identity Manager Synchronization Service is installed on this computer. Remove it before installing Forefront Identity Manager Synchronization Service Evaluation.
I've got the log file in case you're interested. any ideas?
Peter
The password registration portal works wonderfully BTW! The only problem I have is when going to the password registration portal, I get prompted to enter my username and password. When I enter my credentials, it takes me to the page to click "Next", then it takes me to the page where it ask to enter my password. I don't get the first credentials prompt when I'm locally logged into the FIM server, only when remotely connecting to the password registration page.
I have installed R2(which fixed all the problems I was having trying to get FIM 2010 working.)
FIM R2 is fully functional.
I am now trying to move on to SSL.
The problem I am having is with the instructions for Host Headers and SSL Cert Binding for the password sites and can be found here:
http://technet.microsoft.com/en-us/library/hh322875(WS.10).aspx
When I bind the passwordregister and reset sites to the same certificate, it sets the FIM admin site(Users\Groups\Config,etc)
to opening the password registration portal.
Everything works regarding the password reg and reset portals, I just can no longer get to the FIM Admin site.
I suspect that is because the SSL port is 443 for all three and it is binding them all.
I do not know enough IIS to fix this issue.
I thought of using a different port for the FIM site, I looked up the list of ports commonly used for SSL but am very hesitant to use one.
Does anyone have any suggestions or a workaround for this?
The instructions just skip over this as if it will not be a problem.
I was wondering if someone could please give me an example of how you would set up run profiles for the scenario below. Carol has a great post on run profiles that can be found here: http://www.wapshere.com/missmiis/run-profiles, but because of some issues with my rules not being applied as expected I am questioning how I have mine set up.
The core of my FIM setup is an HR system (SQL) that synchronizes active employees to FIM and then provisions active employees to FIM. As employees are marked terminated in HR they will be disabled in AD. I will also have a custom SQL application where depending on user roles for the application the users will be added to certain AD groups.
How would you setup your run profiles for?
Also, what would your schedule be? I know it depends on the business, but in your experience what do you find is typical?
Thanks for your help,
Opper ...don't stop.
I'm deploying the following scenario
I would like to know the specific steps to install FIMService & Portal & PasswordReset in NLB (hardware) using SSL at the portal. Actually the SSL certificate (CertificateSSL) has been issued pointing to the name "Server3".
Actually I have installed the two servers (Server1, Server2) with WSS, and the NLB-HW has created the NLB cluster with "ClusterName" and "IPcluster".
This is the first time I'll do it (and precisely in a production environment) and I want to be sure about how to do it, so my main doubts here are:
Sorry for so many detailed doubts, but if somebody here has worked with this scenario I would appreciate a lot his clarification.
Thanks in advance.
Anyone know of an official MS update on the ability to upgrade from FIM 2010 R2 RC to RTM?
Keith
I am working towards a solution to enter location information into AD (address, department, etc.) based on a location field in our HR system. I have two solutions that I have thought of so far:
1. Use all Declarative Rules within FIM. So let's say I have about 50 locations; that would be 50 sets, 50 synchronization rules, 50 workflows, 100 MPRs (1 transition in, 1 transition out). Each synchronization rule would be exactly the same except the string constants would be different for address, city, state, etc. One user can only be in one set at a time.
2. Classic provisioning leveraging maybe an XML file with all the locations and corresponding address information.
Any suggestions, comments, alternatives, advantages, disadvantages of each.
Brian
I'm assuming since I can't get this to work that it never will. Can I get confirmation?
/Person[ObjectID = /Set[ObjectID = '790e713b-5f76-4b35-87fd-8f5e5b8e5588']/Owner]
The Set referenced is one with Groups without Members....
So I want to know who the owners are of all our groups without members.
Hi All,
We are provisioning/synchronizing users from HRMS to FIM and then from FIM to AD and another SQL table.
Could anyone please advise me on the case of web service failure during the synchronization process?
How will the workflow / system behave when web services fail, for example timeout, shutdown of the database/FIM server, etc.? What steps will be taken care of in these scenarios?
Appreciate your help and thanks in Advance !!!!!!!
Regards
Harry
Flowing users to specific OU
Guys,
I'm trying to flow users to specific OUs in AD based on an employee location column from our HR system.
From my HR MA I am flowing the “employee location” column to a emplLocation attribute that I created.
In AD, I created 2 OU’s (FIFTH and GULFTON). These two names match locations from the emplLocation (FITH and GULFTON).
I'm trying to use a function to flow the users to the appropriate OU based on the location they are in: if the user has an emplLocation of FIFTH, place that user in the FIFTH OU; if not, drop the user in the FIMobjects OU. I replaced the very basic string that I copied from the TechNet labs, which had me dropping all users directly into the FIMobjects OU.
Below is my attempt, but it didn’t move any of my users. These users are already in the FIMObjects OU though, so I’m not sure if that has anything to do with it. I’m not sure if this is supposed to work because I have not yet tried to use any functions (other than what I find in the technet labs).
Function -> IIF
Condition -> Custom Expression -> Eq(emplLocation,"FIFTH")
ValueTrue -> Custom Expression -> "cn=" + accountName + ",OU=FIFTH,DC=Domain,DC=COM"
ValueFalse -> Custom Expression -> "cn=" + accountName + ",OU=FIMobjects,DC=Domain,DC=COM"
Can anyone please tell me if this function should do what I want it to do or if I need to do something else?
I've configured a FIM lab environment based on the FIM Test Lab guides. While configuring the inbound synchronization rule for the HR management agent, I'm unable to provide the required scope information. Have I missed something?
I have successfully synced user info into FIM from AD with all expected fields populated.
I can sync to AD from FIM and the displayname and account name sync but the first and last names are missing.
In the FIMMA Management agent, for attribute flow I have tried:
Firstname>givenname and firstname>firstname
lastname>sn and lastname>lastname
Both for import and export.
I have tried setting the ADMA precedence ahead of FIMMA and also choosing equal precedence.
The ADMA has the attributes selected but no flows (following instructions).
I have also tried adding flows under the ADMA to no avail.
For my Outbound Sync Rule I have the Firstname, Lastname attribute flows.
It seems odd to me that the displayname and account name will flow but not the first and last names.
I have watched the import\sync and export flow. The name fields are populated until we get to the ADMA Import run.
The Updates staging is missing the first and last names.
Any ideas for me to try?
Version 2.0 of the really great “A Guide to Claims-Based Identity and Access Control” by the Microsoft Patterns and Practices Team is available for download here…
A Guide to Claims-Based Identity and Access Control
It’s getting late so I’ll just briefly describe this unless you figured this out already…
It started out with MSFTie Ken St. Cyr publishing a blog post about a PowerShell Attribute Store, a really great idea, except he pointed out this could be used for provisioning, which is not such a great idea, so I made a comment on it. He replied and complained that the ADFS Claims Rule Language lacked more advanced functionality, so I just had to show you how the SQL Attribute Store can be used for this. Sorry Ken, I just had to make this blog post and I hope you don't mind me mentioning your great blog and our conversation!
First of all, make sure you have a working connection to a SQL database from ADFS using the SQL Attribute Store!
Here’s a simple one, just to make a claim (Given Name in this case) upper case; other functions could be used as well:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"] => issue(store = "SQL", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"), query = "SELECT UPPER({0})", param = c.Value);
And here’s how the famous IsOver21 claim can be created as a scalar-valued function in SQL (far from perfect, especially the date conversion, but it works with the Swedish date format like 1979-12-23):
CREATE FUNCTION IsOver21 (@BirthDate nvarchar(10))
RETURNS nvarchar(3)
BEGIN
    DECLARE @Age int, @ReturnValue nvarchar(3)
    SET @Age = DATEDIFF(year, CONVERT(DATETIME, @BirthDate, 20), GETDATE())
    IF @Age >= 21
        SET @ReturnValue = 'Yes'
    ELSE
        SET @ReturnValue = 'No'
    RETURN(@ReturnValue)
END
You can then use it like this in ADFS (please use more properly named claim types though), and note how the function needs to be prefixed with dbo:
c:[Type == "http://OddClaims.org/ws/2011/11/identity/claims/birthdate"] => issue(store = "SQL", types = ("http://TheCrazyClaimsFactory.com/ws/2011/11/identity/claims/AreYouReallyOver21Punk"), query = "SELECT dbo.IsOver21({0})", param = c.Value);
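As an added example (not from the post), here is the same Yes/No contract in Python, counting completed years so that a birthday that has not yet come round this year is not counted; the sql_style_year_difference helper mirrors what DATEDIFF(year, ...) computes and is only there to show where the two disagree. Function names are my own.

```python
from datetime import date


def sql_style_year_difference(born: date, today: date) -> int:
    """What T-SQL DATEDIFF(year, born, today) returns: the number of year
    boundaries crossed, ignoring month and day entirely."""
    return today.year - born.year


def completed_years(born: date, today: date) -> int:
    """Age in full years: subtract one if this year's birthday is still ahead.
    A 29 February birthday is treated as 1 March in non-leap years."""
    birthday_passed = (today.month, today.day) >= (born.month, born.day)
    return today.year - born.year - (0 if birthday_passed else 1)


def is_over_21(birthdate_claim: str, today: date) -> str:
    """Claim transformation with the same 'Yes'/'No' contract as the SQL
    IsOver21 function. Expects the yyyy-mm-dd format used in the post;
    anything unparseable yields 'No' (fail closed) instead of raising."""
    try:
        born = date.fromisoformat(birthdate_claim.strip())
    except (ValueError, AttributeError):
        return "No"
    if born > today:
        return "No"  # a birth date in the future cannot be 21 years old
    return "Yes" if completed_years(born, today) >= 21 else "No"


if __name__ == "__main__":
    # Constructed sample: born 1990-12-23, evaluated on 2011-06-01.
    born, today = date(1990, 12, 23), date(2011, 6, 1)
    print("DATEDIFF(year) says", sql_style_year_difference(born, today))  # 21
    print("completed years  ", completed_years(born, today))            # 20
    print("is_over_21 ->", is_over_21("1990-12-23", today))              # No
```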
Read about the news here.
Fellow FIM MVP David Lundell has written a great article about the problem of using wildcards (% and _) in FIM XPath queries (Sets, Groups, Search Scopes etc.). The problem is that Microsoft has chosen to treat these wildcard characters as literals instead of wildcards, meaning that installing FIM Hotfix Rollup Package 4.0.3594.0 could break your FIM implementation.
Go ahead and read David’s article:
I’ve been doing some work on Home Realm Discovery lately and I wish to show you how HRD can be performed on the ADFS 2.0 server when you have made the wise decision to centralize all your Claims Providers in ADFS rather than in each and every application, which will likely save you a lot of headache in the future.
This is what users see when there are one or more Claims Providers configured in ADFS: the ADFS 2.0 Home Realm Discovery page…
This might be OK if the user is sure which Claims Provider Trust to use, but what if only 1% of the users, normally located in a branch office realm, are supposed to sign in on another Claims Provider? This will force the remaining 99% at the main office realm to go through this page and do the selection as well.
In ADFS 1.0 you could add a query parameter at the end of your URL to select the Home Realm and bypass the Home Realm Discovery page when requesting the application, like this: https://YourApplication/?whr=TheExactEntityIdOfYourClaimsProvider
Unfortunately WIF won’t forward the whr query parameter to an IdP unless you add or change Global.asax in your WIF-enabled application. Add this to Global.asax in the WIF application to make it work:
<%@ Application Language="C#" %>
<%@ Import Namespace="Microsoft.IdentityModel.Web" %>
<script runat="server">
    void Application_Start(object sender, EventArgs e)
    {
        FederatedAuthentication.WSFederationAuthenticationModule.RedirectingToIdentityProvider +=
            new EventHandler<RedirectingToIdentityProviderEventArgs>(WSFederationAuthenticationModule_RedirectingToIdentityProvider);
    }

    public void WSFederationAuthenticationModule_RedirectingToIdentityProvider(object sender, RedirectingToIdentityProviderEventArgs e)
    {
        // Pass the whr query parameter of the incoming request on to the IdP as the home realm.
        e.SignInRequestMessage.HomeRealm = Request["whr"];
    }
    ...
From the UI (the picture above) you can see that it has a dropdown list containing the available Claims Providers and a submit button. The code-behind class (not shown due to copyright) of the HomeRealmDiscovery page inherits from the HomeRealmDiscoveryPage class, which gives us a property, ClaimsProviders, holding a DataTable object with the display name [name] and entity id [id] columns of the available Claims Providers; this is used to populate the dropdown list. The HomeRealmDiscoveryPage class also gives us the SelectHomeRealm method, which sets the home realm to the entity id of the Claims Provider selected in the dropdown list, unless it’s the local ADFS that is selected, in which case an empty string is passed to the SelectHomeRealm method.
You can easily change the Home Realm Discovery page used in the /adfs/ls/web.config file, allowing you to keep the original untouched.
<homeRealmDiscovery page="HomeRealmDiscovery.aspx" />
As you probably know, the local ADFS 2.0 acts as a relying party when a remote Claims Provider is selected as home realm: an authentication request is created and sent to the remote Claims Provider, and when a response comes back after a successful sign-on, the MSISIPSelectionPersistent cookie is by default created as a persistent cookie (unlike session cookies, it stays after the browser is closed) that lives for 30 days in the browser.
Whether and how the cookie is created, and its lifetime, can be configured in the persistIdentityProviderInformation element in the /adfs/ls/web.config file.
<persistIdentityProviderInformation enabled="true" lifetimeInDays="30" />
Now that you know most of what there is to know about Home Realm Discovery, let’s go back to the problem stated above, where branch office users will be signing in using a different Claims Provider but where everyone has to select anyway.
One solution could be to distribute URLs with the whr query parameter to everyone, with different values depending on the Home Realm to use, but this is a bit impractical, almost as impractical as doing the manual selection at the Home Realm Discovery page.
Another solution would be to find out something about the user, for example where he’s connecting from, such as the IP address of the user’s machine, and make the decision automatically from that. This is possible since we can get that information from the HTTP request object in a web application. I’m not saying this is a perfect solution, since a branch office user might be visiting the main office when the automatic selection is made and will then be asked to sign in at the wrong Claims Provider.
There are of course more solutions, and depending on your requirements there are things that can be done to simplify Home Realm Discovery, but I’m going to show you how this can be done by detecting the IP address of the user, as mentioned earlier.
From what I told you before, you now know that using the whr query parameter with a slightly modified WIF application will bypass the Home Realm Discovery page, and you also know that we can easily replace the Home Realm Discovery page with our own.
Let’s just copy /adfs/ls/HomeRealmDiscovery.aspx and its code-behind /adfs/ls/HomeRealmDiscovery.aspx.cs and name the copies HomeRealmDiscoveryDeluxe.aspx and HomeRealmDiscoveryDeluxe.aspx.cs.
Before we continue we need something that can store the entity Id of each Claims Provider we wish to assign automatically to users, together with an IP address range: a user whose own IP address falls between the two endpoints of the range automatically gets that Home Realm. I’ve chosen to call this class AutomatedClaimsProvider, and of course it contains some logic to do the IP address calculations. Copy the code below into a new class file named AutomatedClaimsProvider.cs in the App_Code directory (adfs/ls/App_Code).
using System;
using System.Net;
using System.Net.Sockets;

/// <summary>
/// Maps an IPv4 address range to the Claims Provider that should be selected automatically.
/// </summary>
public class AutomatedClaimsProvider
{
    /// <summary>
    /// Public Constructor
    /// </summary>
    /// <param name="entityId">Entity Id of the claims provider.</param>
    /// <param name="fromIpAddress">IP Address starting the range.</param>
    /// <param name="toIpAddress">IP Address ending the range.</param>
    public AutomatedClaimsProvider(string entityId, string fromIpAddress, string toIpAddress)
    {
        // Both endpoints are parsed here, so a misconfigured range fails at construction time.
        if (IpAddressToLongBackwards(fromIpAddress) > IpAddressToLongBackwards(toIpAddress))
            throw new ArgumentException("fromIpAddress can not be bigger than toIpAddress.", "fromIpAddress");
        EntityId = entityId;
        FromIpAddress = fromIpAddress;
        ToIpAddress = toIpAddress;
    }

    /// <summary>
    /// Claim Provider EntityID
    /// </summary>
    public string EntityId { get; set; }

    /// <summary>
    /// IP Address starting the range.
    /// </summary>
    public string FromIpAddress { get; set; }

    /// <summary>
    /// IP Address ending the range.
    /// </summary>
    public string ToIpAddress { get; set; }

    /// <summary>
    /// Function returning true if an IP is within the specified ip range.
    /// </summary>
    /// <param name="ipAddress">The ip to check.</param>
    /// <returns>true if ip is in range otherwise false.</returns>
    public bool IsInRange(string ipAddress)
    {
        IPAddress parsed;
        // A client address that is not a valid IPv4 address can never match a range;
        // return false so the caller falls back to the normal discovery page instead of failing.
        if (!IPAddress.TryParse(ipAddress, out parsed) || parsed.AddressFamily != AddressFamily.InterNetwork)
            return false;
        var ip = IpAddressToLongBackwards(ipAddress);
        return ip >= IpAddressToLongBackwards(FromIpAddress) && ip <= IpAddressToLongBackwards(ToIpAddress);
    }

    // Convert an IPv4 address to a long (most significant octet first) for comparison.
    private static long IpAddressToLongBackwards(string ipAddress)
    {
        IPAddress ip;
        if (!IPAddress.TryParse(ipAddress, out ip))
            throw new ArgumentException(string.Format("The value '{0}' could not be parsed as an IP address.", ipAddress));
        // Only IPv4 is supported: an IPv6 address has 16 bytes and would otherwise be silently truncated.
        if (ip.AddressFamily != AddressFamily.InterNetwork)
            throw new ArgumentException(string.Format("The value '{0}' is not an IPv4 address.", ipAddress));
        var byteIp = ip.GetAddressBytes();
        var longIp = (long)byteIp[0] << 24;
        longIp += (long)byteIp[1] << 16;
        longIp += (long)byteIp[2] << 8;
        longIp += byteIp[3];
        return longIp;
    }
}
using System.Collections.Generic;
using System.Linq; // needed for the .Where() call below

protected void Page_Load(object sender, EventArgs e)
{
    // First we need somewhere to keep our Claims Providers and, while we're at it, let's store some.
    // This would be better stored in web.config, but for the sake of this example this will have to do.
    var claimProviders = new List<AutomatedClaimsProvider>
    {
        new AutomatedClaimsProvider("", "10.45.2.1", "10.45.12.255"), // Local IdP – empty string.
        new AutomatedClaimsProvider(@"https://idp1.com/adfs/services/trust", "10.10.6.1", "10.10.6.255"),
        new AutomatedClaimsProvider(@"http://idp2.org/adfs/services/trust", "192.168.20.1", "192.168.20.255")
    };

    // Get the user's IP address. Behind a reverse proxy or load balancer this is the proxy's
    // address, not the client's, so the ranges above must be chosen with that in mind.
    var ipAddress = Request.UserHostAddress;

    // Check each AutomatedClaimsProvider; if the ip is within its ip range then set Home Realm.
    foreach (var claimsProvider in claimProviders.Where(claimsProvider => claimsProvider.IsInRange(ipAddress)))
    {
        // Match found: set Home Realm to the found identity provider and stop at the first match.
        SelectHomeRealm(claimsProvider.EntityId);
        return;
    }

    // No match, fall back on Home Realm Discovery page functionality.
}
Everything is now in place except one little detail: we have to select HomeRealmDiscoveryDeluxe.aspx as our Home Realm Discovery page in web.config
<homeRealmDiscovery page="HomeRealmDiscoveryDeluxe.aspx" />
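As an added example (not the post’s ASP.NET code, and not how AD FS implements this internally), here is the decision described above written in Python, combining the whr shortcut and the IP-range lookup with the edge cases a practitioner should handle: only a whr value naming a configured Claims Provider is honoured, an IPv6 or unparseable client address never matches an IPv4 range, and no match returns None so the page can fall back to manual discovery. Function and variable names are mine; the entity IDs and ranges are the sample values from the Page_Load code above.

```python
import ipaddress
from typing import List, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# The post's convention: an empty home realm means the local AD FS instance.
LOCAL_ADFS = ""


class AutomatedClaimsProvider:
    """A Claims Provider entity ID plus the inclusive client-address range that selects it."""

    def __init__(self, entity_id: str, from_ip: str, to_ip: str) -> None:
        self.entity_id = entity_id
        self.from_ip: IPAddr = ipaddress.ip_address(from_ip)  # ValueError if not an IP
        self.to_ip: IPAddr = ipaddress.ip_address(to_ip)
        if self.from_ip.version != self.to_ip.version:
            raise ValueError("range endpoints must be the same IP version")
        if self.from_ip > self.to_ip:
            raise ValueError("from_ip can not be bigger than to_ip")

    def is_in_range(self, ip: IPAddr) -> bool:
        # A client of the other IP version never matches; comparing raw address
        # bytes (as the C# helper does) would silently misjudge such a client.
        if ip.version != self.from_ip.version:
            return False
        return self.from_ip <= ip <= self.to_ip


def resolve_home_realm(client_ip: str, whr: Optional[str],
                       providers: List[AutomatedClaimsProvider],
                       configured_entity_ids: List[str]) -> Optional[str]:
    """Return the entity ID to hand to SelectHomeRealm (LOCAL_ADFS for the local
    instance), or None when no automatic decision is possible and the normal
    discovery page must be shown. client_ip is the TCP peer address
    (Request.UserHostAddress); behind a reverse proxy that is the proxy."""
    # 1. An explicit whr wins, but only when it names a configured Claims
    #    Provider trust; any other value is ignored and we continue below.
    if whr and whr in configured_entity_ids:
        return whr
    # 2. Fall back to the client address. Anything unparseable must end in
    #    manual discovery, not in an error page.
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return None
    # First match wins, so order overlapping ranges deliberately.
    for provider in providers:
        if provider.is_in_range(ip):
            return provider.entity_id
    return None


# Constructed sample configuration, using the ranges and entity IDs from Page_Load above.
SAMPLE_PROVIDERS = [
    AutomatedClaimsProvider(LOCAL_ADFS, "10.45.2.1", "10.45.12.255"),
    AutomatedClaimsProvider("https://idp1.com/adfs/services/trust", "10.10.6.1", "10.10.6.255"),
    AutomatedClaimsProvider("http://idp2.org/adfs/services/trust", "192.168.20.1", "192.168.20.255"),
]
# Entity IDs of the Claims Provider trusts configured in AD FS (the local instance is not one).
SAMPLE_CONFIGURED = [p.entity_id for p in SAMPLE_PROVIDERS if p.entity_id]


if __name__ == "__main__":
    cases = [
        ("10.10.6.42", None),                                        # branch range -> idp1
        ("10.45.3.7", None),                                         # main office -> local
        ("172.16.0.1", None),                                        # unknown -> manual page
        ("172.16.0.1", "http://idp2.org/adfs/services/trust"),       # valid whr -> idp2
        ("10.10.6.42", "https://unknown.example/adfs/services/trust"),  # bad whr ignored -> idp1
        ("::1", None),                                               # IPv6 -> manual page
    ]
    for client, whr in cases:
        print(client, whr, "->", repr(resolve_home_realm(client, whr, SAMPLE_PROVIDERS, SAMPLE_CONFIGURED)))
```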
Well, that depends on requirements and of course on what information is available, but I’ve also made Home Realm Discovery decisions based on what the user has written in the user name field, since a customer of mine used their email addresses as user names by putting them in the userPrincipalName attribute in AD. What happens in that case is that when the user has written their user name (email) and leaves the user name textbox, a modal dialog is shown using Ajax that proposes the user sign in using a predefined Claims Provider based on the email address.
I just picked up on this story today, and I have to say it kind of creeps me out.
The gist of it is that an Apple Store employee in the UK posted some disparaging remarks on a private Facebook page (I’m not sure what “private” really means in the context of Facebook, but that’s a different issue). Someone (a coworker I believe) saw the post, printed it out, took it to the store manager, who then fired the poster. The UK Employment Tribunal upheld the firing.
A critical component of the story is that part of Apple’s employee indoctrination includes specific prohibitions on posting anything negative regarding Apple (the company, its employees, or its products) on social media sites. So the employee presumably understood that this was a condition of his employment, and he presumably understood that what he was doing was a career-limiting move.
What’s disturbing to me (ignoring the creepiness of Apple’s social media policy for now) is that the Tribunal cited the fact that, even though the employee took precautions to make sure his post wasn’t public, “Once posted, it will be difficult to show the necessary degree of control over Facebook comments as—by the very nature of the Internet—these may be copied and passed on with ease.” as part of the reasoning that the termination was “justified and proportionate”.
My inner Libertarian doesn’t see a problem with this situation… it was a voluntary contract between two parties, the employee understood the terms of employment and violated them, and got fired. That’s how things should work. But the fact that the employee took steps to keep the post private, and it was still considered a public post, gives me the chills. Think about it… his coworker consciously subverted the security mechanisms in Facebook by printing and distributing the post. I assume that cutting and pasting it into an email would have been legally equivalent. What if the employee had simply complained about Apple in an email to his dad, and his dad forwarded the email to a friend, who then forwarded the email to the store manager? Wouldn’t that essentially be the same scenario? Maybe the Apple employment rules specifically define what social media is, but it’s no leap at all to include email in the social media category and emails are just as easy to copy as private Facebook posts. I guess that is the nut of the problem for me. The employee used the available mechanisms to keep the post private (i.e. making it non-social), but that doesn’t matter. The fact that even private Facebook posts can be publicized by printing or copy-and-paste seems to be what made the firing appropriate.
I can’t help but think that the PR fallout of this event will grossly outweigh any negative publicity from a practically invisible post on a private Facebook page. Then again, public opinion (as represented in comments posted on news pages) seems to be running strongly in favor of Apple, with the primary thought being that “if you hate your job, you should quit and get another one.” In the era of nominal 9% unemployment, that seems particularly harsh. Maybe Apple has mobilized the faithful to make sure this doesn’t turn into a PR nightmare.
You can read more here, here and here.
I just saw this in the SANS vulnerability alert this week. If you don’t want to parse the text yourself, it is essentially four separate remote denial-of-service vulnerabilities in the MIT Kerberos implementation for krb5-1.8 and later.
It’s amazing to me that we are still finding fatal flaws in a core security service like this. I’m not sure exactly how old the MIT Kerberos implementation is, but the protocol as defined in RFC 1510 (which has been obsoleted by RFC 4120) has been around since 1993, and as far as I know, the MIT Kerberos implementation was the original.
Patch your code!
It was definitely time for my blog to get a new look and feel but most of all it needed an update to get rid of all the spam messages I get from all those that wish to sell me SEO services, maybe the captcha will keep them busy.
I hope you like it!?
It was announced today that Microsoft acquires “certain Assets” of the BHold company, but the roadmap isn’t clear yet. Unaware of all products from BHold, I guess it’s BHold’s Role Management pieces Microsoft lays their hands on, or at least I hope it is…
Read more here: Microsoft’s “Pathway”; Kuppinger Cole’s announcement
I wonder what this means for Omada? Or as Ian Glazer (Gartner) says: If you get acquired by Microsoft (or Quest), you win! If you don’t get acquired, you lose and the risk to your market increases. BHOLD wins the Microsoft IAG lottery
This article describes how a disgruntled IT worker used a back-door account he had created to wreak havoc on his former employer. The story is notable not just in how familiar it is, but in all the ways basic identity and access governance (IAG) practices could have prevented the attack.
The story line goes like this (sing along if you’ve heard this one before): David Palmer, an IT administrator, was fired from his job at McLane Advanced Technologies, a military contractor and IT service provider. He had set up a back-door account before he was escorted out. Some time later, he used his back-door account to log into his former employer’s systems via the Wi-Fi at a local restaurant, deleted the payroll files for one of McLane’s customers, and apparently accessed files belonging to another customer. The customer was unable to process timecard entry or payroll for a few days, and ultimately McLane contacted the US Secret Service to report that their computer systems had been attacked. Palmer admitted his guilt in Federal Court and stated that “The only reason for logging into any of these servers was to create general havoc and disorder for McLane Advanced Technologies the following day.” Just to add a little insult to injury, McLane advertises themselves as “… adhering to a strict set of values and ethical standards by doing what’s right for our customer” in the areas of (among others) “Software Development”, “Data Management”, and “Information Security”. Fine-sounding words for a company that apparently couldn’t muster enough ethics to implement even basic identity and access governance processes. Thank goodness it was only a payroll system. What if it had been something more critical?
Ok, I’m being harsh. I don’t know the company, and perhaps there are some extenuating circumstances. But there are so many ways that this attack could have, and should have, been prevented, I can only conclude that no one was paying attention. Let’s see how many simple identity governance practices might have helped prevent this mess:
So that’s eight different IAG activities, any one or two of which would have prevented this attack. All of them are well-known practices, and all but the last one are implementable using commercial off-the-shelf software such as Quest One Identity Manager, Active Roles Server, Quest Privilege Manager, Change Auditor for Active Directory, and Defender. Some of these processes and controls are implementable (with effort and some scripting) just using what’s in the box with Windows. For a Gold Certified Microsoft Partner boasting a CMM Level 3 software development certification as McLane is, putting these processes in place should not have been a problem provided someone was actually paying attention. And there’s the point. If you host sensitive data on your computer systems (and who doesn’t?), someone in executive management has to be paying attention. Typically this would be the CIO or CSO, but at the end of the day it’s on the CEO to ensure that the company is taking due care to ensure that access to critical corporate assets is controlled and audited in a way that ensures the security of the data and of the company. Perhaps that’s something they should be teaching at Famous CEOs School.
In case you didn’t get that last reference, see Famous Artists School on Wikipedia.
Windows Azure AppFabric Access Control Service (ACS) 2.0 received a service update. All customers with ACS 2.0 namespaces automatically received this update, which primarily contained bug fixes in addition to a few new features and service changes:
The ACS management portal is now available in 11 languages. Newly-supported languages include Japanese, German, Traditional Chinese, Simplified Chinese, French, Italian, Spanish, Korean, Russian, and Brazilian Portuguese. Users can choose their desired language from the language chooser in the upper-right corner of the portal.
The ACS 2.0 rules engine now supports a new type of rule that allows up to two input claims to be configured, instead of only one input claim. Rules with two input claims can be used to reduce the overall number of rules required to perform complex user authorization functions. For more information on rules with two input claims, see http://msdn.microsoft.com/en-us/library/gg185923.aspx.
In the initial release of ACS 2.0, the character encoding set for all HTTP responses from the OAuth 2.0 endpoint was US-ASCII. In the July 2011 update, the character encoding of HTTP responses is now set to UTF-8 to support extended character sets.
The previous quotas on configuration data have been removed in this update. This includes removal of all limitations on the number of identity providers, relying party applications, rule groups, rules, service identities, claim types, delegation records, issuers, keys, and addresses that can be created in a given ACS namespace.
Please use the following resources to learn more about this release:
For any questions or feedback please visit the Security for the Windows Azure Platform forum.
If you have not signed up for Windows Azure AppFabric and would like to start using these new capabilities, be sure to take advantage of our free trial offer. Just click on the image below and get started today!
The Access Control Service Product Team
Latest updates on: Forefront Resources on Edge
Hurry up if you wish to take it: it’s been made available today and the beta period will end on the 4th of August. You can read more on how to sign up at Born To Learn.
Unless you’re able to take the beta exam, the real exam will, according to what I’ve heard, be available sometime between September and November.
I just wanted to recommend the terrific SAML Tracer extension for Firefox by Olav Morken at the Norwegian UNINETT; SAML debugging has never been this easy!
It works a bit like Fiddler, except it’s simpler and it tags each HTTP request that contains a SAML AuthnRequest or Response. If you select any of the HTTP requests marked with the SAML sign, you’re able to view the SAML message in clear text.
Check it out here: https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/?src=api or check out the press release from UNINETT: https://rnd.feide.no/2011/06/21/uninett-releases-public-beta-of-saml-tracer/
My colleague Eckhard sent me these pictures from Hamburg, Germany. It is of the construction of a new retail store on the main shopping street in Hamburg. You might think that it would be a new Microsoft store, but you would be wrong. Look carefully at the “Windows” logo. What’s wrong with it? Are the blue and green squares in the right place? Why no, they’re not!
It turns out this is of the new Apple Store. Nice to see someone in a large corporate marketing department has a sense of humor. Good one, Apple!
It is our pleasure to announce the availability of the first CTP release of the WIF (Windows Identity Foundation) Extension for the SAML 2.0 Protocol! We heard your feedback about the necessity to have support for the SAML 2.0 protocol in WIF. Today, we announce an extension to WIF that delivers on that feedback.
This WIF extension allows .NET developers to easily create claims-based SP-Lite compliant Service Provider applications that use SAML 2.0 conformant identity providers such as AD FS 2.0.
This CTP release includes a set of samples that illustrate how to use the extension. You can download the package that includes the WIF Extension for SAML 2.0 Protocol and samples from here.
Key features of this extension include:
We’ll be looking for your questions, comments, and other feedback on the claims based identity forum here. Watch this blog for future posts about the roadmap of this WIF extension.
Happy coding!
The WIF Team
Sources
RSS Feeds
General overview
Deploying
Group management
Password management
Extending FIM
Troubleshooting
Other
TechEd Presentations: All TechEd presentations are available on www.msteched.com
We have published an AD FS 2.0 content map wiki page which is intended to act as a content map for all members of the AD FS 2.0 community.
This is an on-going effort. Members of the AD FS product team will monitor this article on a regular basis and will post new links as they become available on Microsoft.com. The following is the current TOC list of this article:
We would like to enlist your help in adding useful links to this article in order to make hot AD FS 2.0 topics and solutions more discoverable to the overall community. If you know any useful AD FS 2.0 content that is not listed in this article, or if you would like to have a hot AD FS 2.0 topic documented, please send your feedback to the AD FS Product Team.
We are very happy to announce the general availability of the April release of Windows Azure AppFabric Access Control Service!
The new version of the Access Control Service includes all the great capabilities and enhancements that have been available in the Labs release of the service for several months. Now you can start using these capabilities in production.
The new version of the service adds the following capabilities:
Federation provider and Security Token Service
New authorization scenarios
Improved developer experience
Additional protocol support
This release represents a major enhancement to the previous version of Access Control Service, enabling new web application and web service federation scenarios. What’s more, we are excited to announce that Access Control Service will be offered at no charge during the promotion period ending January 1, 2012!
If you have any questions, be sure to visit the Security for the Windows Azure Platform section of the MSDN forums.
If you have not signed up for Windows Azure AppFabric and would like to start using these great new capabilities, be sure to take advantage of our free trial offer. Just click on the image below and get started today!
We have published a step-by-step guide on how to configure AD FS 2.0 and IBM Tivoli Federated Identity Manager to federate using the SAML 2.0 protocol. You can view the guide as a web page and soon also in Word and PDF formats. This is the fifth in a series of these guides; the guides are also available on the AD FS 2.0 Step-by-Step and How-To Guides page.
The priority of backwards-compatibility in the Microsoft development culture is sometimes overlooked. Check out this video of upgrading a single machine from DOS/Win 1.x through each successive version of Windows up to Windows 7. You can still run many (most?) 20-year old DOS and Win 1 apps on Windows 7. http://www.networkworld.com/community/blog/absolutely-brilliant-windows-upgrades-through
Believe it or not, this is the 10th year for The Experts Conference (formerly The Directory Experts Conference). We (as NetPro at the time) hosted the first DEC in Scottsdale, AZ in 2001 with an audience of about 40 or so who all shared a strong interest in Active Directory. Since then, we’ve tweaked and expanded the conference to reflect changes in the technology landscape as well as the fickle whims of our corporate masters (I exaggerate. But not really. :Q) Today we routinely bring 500 or more people together to provide advanced Microsoft technology training and professional networking, for the experts, by the experts.
Starting in 2008, we expanded the technology scope of the conference beyond Microsoft directory and identity technologies, while maintaining the model that has made TEC so successful. We added a conference for Exchange in 2008 (now moderated by David Sengupta), a conference for SharePoint in 2009 hosted by Joel Oleson, and new for 2011 is the Experts Conference for Virtualization and Cloud, organized by Dmitry Sotnikov. The agendas for all of the conferences look really strong. Just browsing through the current lineup, several sessions jump out as being particularly compelling (yes, in the interest of not showing favoritism, I picked one from each conference).
There are a ton of other sessions of course, and you can check them all out at http://www.tec2011.com.
Another new item this year is the PowerShell Deep Dive that will provide “deep technical and strategic engagement within the PowerShell community.” There should be about a half-dozen PS product group members attending, so you can get some quality face time with the guys who are building the next version of PowerShell. You can see that the size and scope of TEC has really expanded in the ten years we’ve been hosting it, and astoundingly, the same two women who organized the first TEC in 2001 for 40 people are laboring behind the scenes to bring you TEC 2011 for upwards of 700. Christine McDermott and Stella Lowe bring their attention to detail and their unique personal touch to each and every conference to make TEC the one conference you have to go to each year. Organizing a conference like TEC is a giant PITA, particularly when you have to juggle competing priorities, recalcitrant vendors, and technical prima donnas that don’t know the difference between a deadline and a lifeline. If you do make it to TEC in Las Vegas this year, take the time to give them a hug and say thank you. Bring a nice gift, perhaps some flowers or a bottle of wine (keep the Jack Daniels till the last day of the conference, ok?).
I hope to see you at the Red Rock in Las Vegas!
For several years Microsoft has advocated the claims based identity model for more secure access and use of online applications and services. With enhancements to our existing platform, such as Active Directory Federation Services 2.0 and Windows Identity Foundation, we’ve made progress in that initiative. Claims-based identity is used widely inside Microsoft and is now part of many Microsoft products, such as SharePoint, Office 365, Dynamics CRM, and Windows Azure.
Microsoft has been a leading participant in the identity community and an active contributor to emerging identity standards. We have increased our commitment to standardization activities and added support into our products for the SAML 2.0, OpenID 2.0, OAuth WRAP and OAuth 2.0 protocols.
There is one component of our identity portfolio where we have recently decided to make a change. Windows CardSpace was initially released and developed before the pervasive use of online identities across multiple services. Perhaps more importantly, we released the user component before we and others had delivered the tools for developers and administrators to easily create claims-ready services. The identity landscape has changed with the evolution of tools and cloud services. Based on the feedback we have received from partners and beta participants, we have decided not to ship Windows CardSpace 2.0.
Claims-based identity remains a central concept for Microsoft’s identity strategy, and its role in our overall strategy continues to grow. Furthermore, we are not abandoning the idea of a user agent for exchanging claims. As part of our work on claims-based identity we are releasing a new technology preview of U-Prove. This release of U-Prove will take the form of a user agent that takes account of cloud computing realities and takes advantage of the high-end security and privacy capabilities within the extended U-Prove cryptographic technology.
We have published a whitepaper on how to enable Single Sign-On to Windows Azure using WIF and ADFS.
Here is the abstract:
This paper contains step-by-step instructions for using Windows® Identity Foundation, Windows Azure, and Active Directory Federation Services (AD FS) 2.0 for achieving SSO across web applications that are deployed both on premises and in the cloud. Previous knowledge of these products is not required for completing the proof of concept (POC) configuration. This document is meant to be an introductory document, and it ties together examples from each component into a single, end-to-end example.
Download it here!
ACS (Azure Access Control Service) recently added support for the OAuth 2.0 protocol. If you haven’t heard of it, OAuth is an open protocol that is being developed by members of the identity community to solve the problem of letting users grant third-party applications access to their data without handing those applications their passwords. In order to show how this can be done with WIF and ACS, we have posted a sample on Microsoft Connect that shows an end-to-end scenario.
The scenario in the sample is meant to be as simple as possible to show the power of the OAuth protocol to enable web sites to access resources on behalf of a user without the user providing his or her credentials to that site. In our scenario, Contoso has a web service that exposes customer information that needs to be protected. Fabrikam has a web site and wants users to be able to view their Contoso data directly on it. The user doesn’t have to log in to the Fabrikam site, but gets redirected to a Contoso-specific site in order to log in and give consent to access data on their behalf.
The Contoso web service requires OAuth access tokens from ACS to be attached to incoming requests. The necessary protocol flow for the Fabrikam web site (in OAuth terms – the web server client), including redirecting the user to login and give consent, requesting access tokens from ACS, and attaching the token to outgoing requests to the service is taken care of under the covers. The sample contains a walkthrough that describes the components in more detail.
Try it out here, and tell us what you think!
Source: OLSync with FIM 2010 experiences
As Craig Martin explains:
Approach 1: Install OLSync on ILM 2007, then upgrade to FIM 2010
If you already have OLSync running on ILM then just upgrade to FIM 2010 and you'll probably find that the system just works, because:
1. The FIM setup process will upgrade the ILM database
2. The FIM setup process will take the stored copies of the DLLs from the database and drop them to the new FIM Sync Server
3. FIM Sync can host the DLLs that were previously run by ILM, even though they were running on x86 and are now running on x64
Steps:
Approach 2: Perform the 'Extract Files' Install of OLSync, then Import the Server Config in FIM Sync
The 'Extract Files' option in the OLSync installation does minimal pre-req checking, and essentially drops the files from the MSI into a folder on your server. You can use the resulting files to deploy OLSync to FIM Sync because those files include:
1. 'Server Exports' which are just XML dumps of a sync server that can be imported into another server.
2. The DLLs you need to put into the 'Extensions' folder on the FIM Sync server
3. The XML files you need to put into the UIShell folder to make FIM understand the 'OLMA' management agent type
Related posts:
- how to configure ADMA and galsync forfront identity manager 2010
- Provisioning to Live(at)EDU with FIM 2010 RC1. (How to configure the MA)
- Live(at)edu OLSync on FIM 2010 (Dmitry Kazantsev)
We have published a step-by-step guide on how to configure AD FS 2.0 and Ping Identity PingFederate to federate using the SAML 2.0 protocol. You can view the guide in docx, doc, or PDF formats and also as a web page. This is the fourth in a series of these guides; the guides are also available on the AD FS 2.0 Step-by-Step and How-To Guides page. Special thanks to Ping Identity for sponsoring this guide.
With the U.S. release of Windows Phone 7 around the corner, I’m excited to share a sample that shows some of our early thinking around how ACS in LABS can be used to enable sign in to web services… from the phone apps.
This makes it simple to write REST services, for Windows Phone 7 Silverlight applications, that can be used by millions of users, including those with Live ID, Facebook, Google, Yahoo, and AD FS accounts.
To see it in action, check out Vittorio’s PDC talk. The sample appears in the last few minutes, but I recommend watching the full talk.
As an early sample of how mobile apps may be supported, your feedback is very valuable. Download it and try it out!
Caleb Baker
Program Manager - Access Control Services
We have published a step-by-step guide on how to configure AD FS 2.0 and Shibboleth to federate using the SAML 2.0 protocol. There is also an appendix on federating with the InCommon Federation. You can view the guide in docx format and as a web page. This is the third in a series of these guides; the guides are also available on the AD FS 2.0 Step-by-Step and How-To Guides page.
My name is Peter Kron and I’m a Principal Software Developer on the Windows Identity Foundation team. Over the last year it has been my pleasure to work with Vittorio Bertocci as the technical reviewer for his latest book, Programming Windows Identity Foundation. Many of you will recognize Vittorio from his engaging sessions at PDC, TechEd, IDWorld and other conferences, or follow his popular blog, Vibro.NET. He has also authored or co-authored other books for Microsoft Press.
Vittorio is a Senior Architect Evangelist with Microsoft and over the past five years has been active (and if you know Vittorio, you know that is very active) in helping customers develop SOA based on WCF and, most recently, Identity.
His experience working through real-world scenarios with numerous developers makes him an ideal choice to write this book. He knows the issues they have faced and how Microsoft technologies like WCF and WIF can be brought to bear on them. In this book, Vittorio takes the reader through basic scenarios and explains the power of claims. He shows how to quickly create a simple claims-based application using WIF. Beyond that, he systematically explores the extensibility points of WIF and how to use them to handle more sophisticated scenarios such as Single Sign-on, delegation, and claims transformation, among others.
Vittorio goes on to detail the major classes and methods used by WIF in both passive browser-based applications and active WCF services. Finally he explores using WIF as your applications move to cloud-based Windows Azure roles and RIA futures.
I think you’ll find this book a valuable tool for learning how to build claims-based web applications and services. Or you will keep a copy handy for reference, as I do. The book is available now from Microsoft Press, and all of the sample code described in the book is available for download.
All of us on the WIF team are happy to see this in print (and e-book)!
Robert deLuca and Dean Wells are organizing another Customer-Focused Design (CFD) session for TEC Europe. The CFD session they ran at TEC Europe last year was by far and away the most popular event at the conference, and I’m really excited that we get to have them do it again. For those of you who aren’t familiar with the idea, CFD is a structured process for generating and prioritizing software requirements. In this case, Dean and Robert will lead you through a process of developing requirements for the next version of Active Directory and its related technologies. I expect that a lot of the discussion will be around the connection between Active Directory and the cloud, but even so, I’m sure there will be a lot of features discussed for on-premises AD as well.
Microsoft’s Patterns & Practices group recently wrote about three labs demonstrating federation interoperability between WIF and AD FS 2.0 and three other vendor products – specifically, CA SiteMinder 12.0, IBM Tivoli Federated Identity Manager 6.2, and Sun OpenSSO 8.0.
First, the team took the samples from the Claims Identity Guide and deployed them in a lab. They then configured the lab to use IBM, Computer Associates & Sun identity providers. Finally, they captured videos of demos for each configuration.
You can read about each of the labs here:
· Identity Federation Interoperability – WIF + ADFS + CA SiteMinder
· Identity Federation Interoperability – WIF + ADFS + IBM Tivoli Federated Identity Manager
· Identity Federation Interoperability – WIF + ADFS + Sun’s OpenSSO
Active Directory Federation Services (AD FS) 2.0 has just released its first Management Pack (MP) for Microsoft System Center Operations Manager 2007 Service Pack 1 (SP1) and R2!! We have worked on it for quite some time, and it is exciting to finally get it out!
As you may know, there is an MP for AD FS v1. This MP is for AD FS 2.0. The goal of the AD FS 2.0 MP is to help your IT operators easily monitor the health of the AD FS 2.0 service and its different parts as well as to provide them with troubleshooting content in case some issues arise. If it’s your first time hearing about MP, don’t worry. Let’s do a quick overview by first explaining what an MP is and why you may want to use one.
Note: if you already have System Center Operations Manager 2007, you can download and use the AD FS 2.0 MP for free! For details about System Center Operations Manager 2007 licensing, see How to Buy Operations Manager 2007 R2.
A management pack (MP) contains predefined monitoring rules and other settings to work with System Center Operations Manager. Each product defines its own MP. You must import the product’s MP into System Center Operations Manager to use it. After it is imported, the monitoring agent of System Center Operations Manager will run on the computers to monitor the health of a specific service or application based on the monitoring settings that are defined in the MP.
The predefined settings in the MP include the following:
· Discovery information that makes it possible for System Center Operations Manager to automatically detect and begin monitoring services and applications
· Monitoring and alert rules that change the health state of the monitored services or applications in System Center Operations Manager and generate alerts when the corresponding health condition is detected
· A knowledge base that contains error and troubleshooting information that is associated with the alerts
For more information about the MP concept and System Center Operations Manager, see Microsoft Systems Center Operations Manager.
We mentioned that an MP provides the monitoring mechanism for services and applications. The audience for an MP is primarily IT operators. They care about whether their application is healthy, whether the users of their application are happy, and how well the parts of their applications work together. IT operators can use the MP to pinpoint what is broken so that they do not need to do a manual diagnosis. By using an MP, the IT operators can have a central view of the health of multiple services or applications that they are monitoring, and they can make sure that such health information is up to date as things change. Also, the MP provides a knowledge base, which IT operators can use to quickly troubleshoot a problem without looking at other resources.
So, we talked about some basic concepts of MP; let’s take a look at AD FS 2.0 MP. As you may know, AD FS 2.0 is a security token service that authenticates users and generates security tokens. We can logically divide AD FS 2.0 into different parts. You can use the AD FS 2.0 MP to monitor the health of each part of AD FS 2.0 service as well as the overall health of AD FS 2.0 service. The primary mechanism that the AD FS 2.0 MP uses for health monitoring is the AD FS 2.0 events. Of course, you may think “I can use Event Viewer to do the same thing.” However, there are benefits of using AD FS 2.0 MP instead of using Event Viewer:
· First, the AD FS 2.0 MP does the filtering and analysis of the events for you. It alerts you only when it is very likely that there is something broken (compared to intermittent problems). Also, it alerts you only once so that you won’t be flooded with hundreds of events, which makes it hard to figure out the root cause of a problem.
· Second, besides reactive monitoring, AD FS 2.0 MP also provides proactive monitoring, which can detect a problem before it happens. For example, AD FS 2.0 MP proactively monitors the expiration status of the Secure Sockets Layer (SSL) certificate that is configured for the federation passive website.
· Third, the AD FS 2.0 MP separates and scopes down the issues to a particular AD FS 2.0 component and provides rich knowledge about the issues, all of which help you troubleshoot quickly.
· Fourth, AD FS 2.0 MP also integrates performance monitoring and provides a diagram view of the performance. It is very easy for you to tell the performance pattern from the diagram.
The AD FS 2.0 MP provides 10 localized versions, one for each supported language, including the following: Spanish, French, Italian, Japanese, Korean, Chinese (China), Chinese (Taiwan), Russian, German, and Portuguese (Brazil).
Ok, that’s enough conceptual talk. Let’s look at this stuff in action!
We have talked about what an MP is and what the benefits of using an AD FS 2.0 MP are. So, what’s in an AD FS 2.0 MP, and how do we use it? Let’s take a closer look at the AD FS 2.0 MP.
The AD FS 2.0 MP provides an intuitive way for IT operators to get an overview of the topology of AD FS 2.0 deployments in a farm, as well as the AD FS 2.0 configuration of a single instance. It also makes it possible for IT operators to monitor the health of AD FS 2.0 deployments and diagnose and fix the issues that affect AD FS 2.0 health.
In detail, the AD FS 2.0 MP has the following functionality:
• Discovers AD FS 2.0 deployment (in either the federation server role or the federation server proxy role) in a farm or on a single, monitored computer
• Discovers different AD FS 2.0 parts that have been deployed on the monitored computer
• Monitors the health of different AD FS 2.0 parts and generates appropriate alerts
• Monitors the performance of AD FS 2.0
• Provides diagnostic knowledge for each alert
The following illustration shows what the AD FS 2.0 views in System Center Operations Manager 2007 look like. As you can see, the views include the State View, Alerts View, Events View, and Performance View. All of these views are defined for each AD FS 2.0 role—federation server or federation server proxy. In the topmost State View, you can see the overall health state of the AD FS 2.0 service, as shown below. In this example, there is no federation server proxy discovered; so, the health state column for Federation Server Proxies is empty.
The following illustration shows the Performance View of one of the AD FS 2.0 federation servers being monitored. The performance area of the AD FS 2.0 service that is being monitored is Token Request per second.
The AD FS 2.0 MP can discover all the AD FS 2.0 instances in a farm. The following illustration shows an example of a State View of two AD FS 2.0 federation servers in a Windows Internal Database (WID) farm. As you can see, the parts that AD FS 2.0 is monitoring for the federation server are Trust Management and Authentication, which contain token issuance and token acceptance monitoring; WID Sync for the synchronization among primary and secondary computers, Web Sites, and Certificate Management. For the federation server proxy, the parts that AD FS 2.0 MP monitors are Authentication and Web Sites.
Besides monitoring the health of these parts, the AD FS 2.0 MP also retrieves the important configuration information for each part (shown in the detail view in the previous illustration). In the previous example, the AD FS 2.0 MP detects that those two computers belong to a WID farm and that the highlighted computer in the farm is the primary computer in the farm.
You can also open the Diagram View to get an idea of the overall deployment topologies of the AD FS 2.0 servers and proxies. All the stand-alone federation servers are grouped under a single federation service node, and each farm has its own node. The following illustration shows an example. The AD FS 2.0 MP has detected an AD FS 2.0 farm that consists of two federation servers and one stand-alone AD FS 2.0 instance on the Adfsidentity computer.
The following illustration shows all the monitored AD FS 2.0 parts on one of the federation servers in the AD FS 2.0 farm.
The AD FS 2.0 MP monitors the AD FS 2.0 service, based on two mechanisms: Events and Scripts. If any monitored event occurs, it changes the health state of the related AD FS 2.0 component or generates an alert or both. AD FS 2.0 also has its own PowerShell based scripts that run periodically to monitor the health of different AD FS 2.0 parts proactively (See AD FS 2.0 MP Guide for a complete set of AD FS 2.0 monitoring scripts). Also, we have defined custom overrides in the MP for different script-based objects apart from the standard objects that System Center Operations Manager provides. Users can override the default values, such as the frequency, to run the scripts.
The health state of an AD FS 2.0 part changes based on the rules that are defined in the MP. It is reset to the Healthy state automatically in two cases:
1. When there is a clear counter event that indicates that the issue has been resolved.
2. After some period of time, if there is no indication that this problem still persists, the health state resets.
The default time for 2 is 15 minutes, which the user can override. Besides these two conditions, you have to manually reset the AD FS 2.0 health state after you make sure that the corresponding issue has been resolved.
The following is an illustration of the Alert View that shows the Alerts that the AD FS 2.0 MP generated. The following example is an alert for Trust Management because AD FS 2.0 failed to create the Federation Metadata document. The knowledge for this alert contains a summary of this monitoring, a description of the cause of this alert, and the detailed steps for resolution.
To avoid duplicate alerts, the AD FS 2.0 MP has implemented a monitoring mechanism, provided by System Center Operations Manager 2007, called Alert Suppression. When events occur, the same events may be generated multiple times for the same issue and continue to be generated as long as the issue still exists. For example, federation passive requests may fail because the web.config file is corrupted. When this issue is mapped to an alert in the AD FS 2.0 MP, only one alert is generated, even when this issue triggers a lot of events. Basically, the AD FS 2.0 MP analyzes the events per root cause and generates an alert per root cause accordingly.
Also, to avoid over-alerting, AD FS 2.0 refrains from generating alerts for issues that may be caused by intermittent problems. For example, the AD FS 2.0 MP waits for multiple occurrences of events that indicate that the AD FS 2.0 service cannot reach a domain controller before it generates an alert. For a detailed look at how the AD FS 2.0 MP implements alert suppression and event counting for key monitoring scenarios, see the AD FS 2.0 MP Guide.
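As an added example that is not part of the original post or the MP itself, here is a small Python model of the rules described above: alert suppression (one alert per root cause while it persists), event counting (no alert for a possibly intermittent problem until it repeats), auto-reset on a clear-counter event or after the 15-minute default, and manual reset otherwise. The event ids, component names, thresholds and counting window are constructed placeholders, not the MP's real values.

```python
"""Toy model of the AD FS 2.0 MP health-state and alerting rules.
Illustrative code only; not the MP's implementation."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed placeholder event ids (not the real AD FS 2.0 event ids).
EVENT_METADATA_FAILED = "META_FAIL"   # federation metadata could not be built
EVENT_METADATA_OK = "META_OK"         # clear-counter event for the above
EVENT_DC_UNREACHABLE = "DC_UNREACH"   # counted; alert only after N occurrences

AUTO_RESET = timedelta(minutes=15)    # MP default auto-reset window (overridable)


@dataclass(frozen=True)
class Rule:
    component: str                    # AD FS 2.0 part the event maps to
    threshold: int = 1                # occurrences needed before alerting
    window: timedelta = timedelta(minutes=10)  # assumed counting window
    clear_event: Optional[str] = None # event that proves the issue is resolved


# Assumed rule table; real mappings live in the MP and its guide.
RULES: Dict[str, Rule] = {
    EVENT_METADATA_FAILED: Rule("Trust Management", clear_event=EVENT_METADATA_OK),
    EVENT_DC_UNREACHABLE: Rule("Authentication", threshold=3),
}


@dataclass
class Monitor:
    health: Dict[str, str] = field(default_factory=dict)          # part -> state
    last_seen: Dict[str, datetime] = field(default_factory=dict)  # part -> last error
    counts: Dict[str, List[datetime]] = field(default_factory=dict)
    alerts: List[Tuple[datetime, str, str]] = field(default_factory=list)

    def _auto_reset(self, now: datetime) -> None:
        # Case 2: no new indication for AUTO_RESET -> back to Healthy.
        for part, seen in list(self.last_seen.items()):
            if now - seen >= AUTO_RESET and self.health.get(part) == "Critical":
                self.health[part] = "Healthy"
                del self.last_seen[part]

    def manual_reset(self, part: str) -> None:
        # Operator confirms the fix and resets the part by hand.
        self.health[part] = "Healthy"
        self.last_seen.pop(part, None)

    def ingest(self, now: datetime, event_id: str) -> None:
        self._auto_reset(now)
        # Case 1: a clear-counter event resets the related part immediately.
        for eid, rule in RULES.items():
            if rule.clear_event == event_id:
                self.manual_reset(rule.component)
                self.counts.pop(eid, None)
                return
        rule = RULES.get(event_id)
        if rule is None:
            return  # unmonitored event: Event Viewer noise the MP ignores
        # Event counting: keep only occurrences inside the counting window.
        hits = [t for t in self.counts.get(event_id, []) if now - t <= rule.window]
        hits.append(now)
        self.counts[event_id] = hits
        if len(hits) < rule.threshold:
            return  # possibly intermittent; do not alert yet
        self.last_seen[rule.component] = now
        # Alert suppression: one alert per root cause while it persists.
        if self.health.get(rule.component) != "Critical":
            self.health[rule.component] = "Critical"
            self.alerts.append((now, rule.component, event_id))


def run_sample() -> Monitor:
    """Feed a constructed event stream (minute offsets) through the model."""
    t0 = datetime(2010, 10, 1, 9, 0)
    stream = [
        (0, EVENT_METADATA_FAILED), (1, EVENT_METADATA_FAILED),  # 1 alert, not 2
        (2, EVENT_DC_UNREACHABLE),                               # count 1 of 3
        (3, EVENT_METADATA_FAILED),                              # still suppressed
        (10, EVENT_DC_UNREACHABLE), (11, EVENT_DC_UNREACHABLE),  # count 3 -> alert
        (12, EVENT_METADATA_OK),                                 # clear-counter event
        (30, EVENT_METADATA_FAILED),  # Authentication auto-reset (19 min); new alert
    ]
    m = Monitor()
    for minutes, event in stream:
        m.ingest(t0 + timedelta(minutes=minutes), event)
    return m


if __name__ == "__main__":
    for when, part, event in run_sample().alerts:
        print(when.time(), part, event)
```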
To summarize:
· The AD FS 2.0 MP uses events and scripts to monitor the health of the AD FS 2.0 service. Scripts are used for proactive monitoring, such as detecting whether the federation passive website is up and running and whether the SSL certificate is expiring.
· The health state of the AD FS 2.0 service and its parts may reset automatically or require a manual reset, depending on the condition.
· The AD FS 2.0 MP generates alerts when an issue is detected. Each alert carries product knowledge that helps with troubleshooting.
· The AD FS 2.0 MP implements alert suppression and event counting so that your Alert View is not flooded with duplicate alerts or alerts that may not indicate a persistent issue.
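As an added illustration (not part of the AD FS 2.0 MP or of the original post), the following Python simulation shows the two behaviours described above: repeated events for one root cause are folded into a single open alert, and a cause that may be intermittent is only alerted on after a threshold number of occurrences inside a time window. It also models auto-reset, where a "healthy" event closes the alert so a later recurrence raises a fresh one. The event IDs, root-cause names, window and thresholds are hypothetical and the events are constructed; none of it corresponds to the MP's actual rules.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Hypothetical event IDs mapped to a root cause (illustration only, not the MP's real IDs).
ROOT_CAUSE = {
    1000: "passive-endpoint-config",   # e.g. passive requests failing because web.config is unusable
    2000: "dc-unreachable",            # e.g. the Federation Service cannot contact a domain controller
}
# Events that signal a cause has cleared, so the matching alert auto-resets (hypothetical IDs).
HEALTHY = {1001: "passive-endpoint-config"}
# Occurrences within WINDOW needed before a cause is treated as persistent rather than intermittent.
THRESHOLD = {"passive-endpoint-config": 1, "dc-unreachable": 3}
WINDOW = timedelta(minutes=15)


@dataclass(frozen=True)
class Event:
    time: datetime
    event_id: int
    message: str


@dataclass
class Alert:
    root_cause: str
    first_seen: datetime
    repeat_count: int = 0   # events folded into this alert instead of raising a new one


class AlertSuppressor:
    """One open alert per root cause; counts occurrences before alerting."""

    def __init__(self) -> None:
        self.open_alerts: dict[str, Alert] = {}
        self.pending: dict[str, list[datetime]] = defaultdict(list)

    def process(self, ev: Event) -> Optional[Alert]:
        """Return a new Alert if this event should raise one, else None."""
        if ev.event_id in HEALTHY:
            # The issue cleared: close the alert so a later recurrence raises a fresh one.
            self.open_alerts.pop(HEALTHY[ev.event_id], None)
            return None
        cause = ROOT_CAUSE.get(ev.event_id)
        if cause is None:
            return None                                  # not an event the MP cares about
        if cause in self.open_alerts:
            self.open_alerts[cause].repeat_count += 1    # suppressed duplicate
            return None
        times = self.pending[cause]
        times.append(ev.time)
        times[:] = [t for t in times if ev.time - t <= WINDOW]   # forget old, isolated blips
        if len(times) < THRESHOLD[cause]:
            return None                                  # may be intermittent; keep counting
        alert = Alert(cause, first_seen=times[0])
        self.open_alerts[cause] = alert
        times.clear()
        return alert


def run(events: list[Event]) -> list[Alert]:
    """Feed events in time order and return the alerts that were actually raised."""
    suppressor = AlertSuppressor()
    raised = []
    for ev in sorted(events, key=lambda e: e.time):
        alert = suppressor.process(ev)
        if alert is not None:
            raised.append(alert)
    return raised


# Constructed sample events (not real AD FS log data).
T0 = datetime(2010, 6, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    # Same failure logged every minute for five minutes: one alert, four suppressed repeats.
    *[Event(T0 + timedelta(minutes=i), 1000, "Passive request failed: web.config") for i in range(5)],
    # Two DC-unreachable blips 40 minutes apart: intermittent, no alert.
    Event(T0 + timedelta(minutes=10), 2000, "Cannot contact domain controller"),
    Event(T0 + timedelta(minutes=50), 2000, "Cannot contact domain controller"),
    # More occurrences inside the 15-minute window: the third one raises a single alert.
    Event(T0 + timedelta(minutes=60), 2000, "Cannot contact domain controller"),
    Event(T0 + timedelta(minutes=62), 2000, "Cannot contact domain controller"),
    Event(T0 + timedelta(minutes=64), 2000, "Cannot contact domain controller"),
    # The passive endpoint recovers, then breaks again: the alert auto-reset, so a new one is raised.
    Event(T0 + timedelta(minutes=70), 1001, "Passive endpoint healthy"),
    Event(T0 + timedelta(minutes=71), 1000, "Passive request failed: web.config"),
]

if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS):
        print(f"{a.first_seen:%H:%M} {a.root_cause} (suppressed repeats: {a.repeat_count})")
```

Running the sample produces three alerts: one for the passive endpoint with four suppressed repeats, one for the domain controller starting at the first occurrence inside the window, and a fresh passive-endpoint alert after the auto-reset. The two isolated blips never become an alert.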
Feel like you have a good understanding of what AD FS 2.0 MP has to offer? Give it a try! You can download the AD FS 2.0 MP and AD FS 2.0 MP Guide at Active Directory Federation Services 2.0 (ADFS) Monitoring Management Pack.
The AD FS 2.0 MP supports localization of 10 languages. Choose the language of the MP in the drop-down list when you download the MP. This action redirects you to the localized download page where you can download the localized MP guide as well.
Have fun trying it out!
We have published a step-by-step guide on how to configure AD FS 2.0 and Oracle Identity Federation to federate using the SAML 2.0 protocol. You can view the guide either as a web page or in docx format. This is the second in a series of these guides; the guides are also available on the AD FS 2.0 Step-by-Step and How To Guides page.
We have published a step-by-step guide on how to configure AD FS 2.0 and CA Federation Manager to federate using the SAML 2.0 protocol. You can view the guide either as a web page or in docx format. This is the first in a series of these guides; the guides are also available on the AD FS 2.0 Step-by-Step and How To Guides page.
In order to consolidate our support for our Federated Identity platforms, we are removing the 'Email the Blog Author' functionality of this blog and recommending that anyone with questions related to AD FS, WIF, or CardSpace head over to our forum, located here.
This forum is actively monitored by members of the product group, as well as MVPs and the community. We hope that we will better be able to provide support and answer your questions by directing them all through this single forum.
-The AD FS, WIF, and CardSpace teams
Vittorio in the DPE (Developer Platform and Evangelism) team has been touring the world evangelizing the claims-based identity model and WIF. As a result, there is an excellent set of resources for you to learn WIF! Check out the 10-part WIF Workshop recordings that cover topics such as the basics of claims-based identity and WIF, the scenarios that WIF enables, how WIF plugs into the ASP.NET pipeline, how WIF works with WCF, and how WIF plays a key role for identity management in Azure. If you want to grab the presentation decks of these WIF Workshops, check out the latest June 2010 update of the Identity Developer Training Kit.
Eugenio Pace in Patterns & Practices team has published a guide on “Claims-based Identity and Access Control”. It is an excellent guide to understand the benefits of claims-based identity model when you are planning a new application or making changes to existing applications that require user identity information. You can also purchase a hard copy of this guide from your favorite online book stores.
Other References and Resources:
Azure team’s recent blog post on WIF in Azure
WIF Product Documentation on MSDN
WIF Whitepaper for Developers
Happy coding with WIF!
Sesha Mani
On behalf of WIF Team
Trust relationships are of course the sine qua non of AD FS 2.0. Relying Party Trusts or Claims Provider Trusts are necessary before AD FS 2.0 can provide benefit to any organization. That said, establishing and maintaining these relationships can be time consuming. Fortunately there are methods available that make this job significantly easier. AD FS provides three methods for creating Relying Party Trusts and Claims Provider Trusts. Manual entry of the necessary information is the most familiar, but also the most time consuming and the hardest to maintain. Alternatively, a trust can be created by importing "federation metadata", that is, data that describes a Relying Party or Claims Provider and allows the corresponding trust to be created automatically. A federation metadata document is an XML document that conforms to the federation metadata schema defined in WS-Federation 1.2 (which extends the SAML 2.0 metadata schema). Federation metadata may be imported from a file, or the partner may publish it at an https endpoint. The latter is the most straightforward way to create a partnership and greatly simplifies any ongoing maintenance.
Manually creating a Relying Party Trust requires that the administrator supply a fair amount of information that must be obtained from the partner organization through some out-of-band communication. This information includes the URLs for the WS-Federation Passive protocol and/or the SAML 2.0 Web SSO protocol, one or more relying party identifiers and, typically, the X.509 certificate used to encrypt tokens sent to the relying party. Figure 1 below shows the various pages of the Add Relying Party Trust Wizard that must be navigated in order to create a relying party trust.
Figure 1 - Manually adding a relying party trust.
Once the relying party trust is established, it must also be maintained. One or more of the URLs that identify the relying party may change, or the set of claims that the relying party accepts might change, but more likely the X.509 certificate used for encryption will have to be replaced, either because it has expired or because it has been compromised. Managing encryption certificate updates across an organization that might have hundreds, or thousands, of relying parties is a daunting challenge.
Let's explore how we create a Relying Party Trust using federation metadata.
Figure 2 - Options for entering data for a Relying Party Trust
As you can see from figure 2, it is possible to provide the metadata in the form of a file, as well as by specifying an https address. For purposes of this article I will confine our discussion to the case where the metadata is provided via https.
Each AD FS 2.0 federation server is configured by default to publish metadata describing itself via https. If you click on the Service\Endpoints folder in the AD FS 2.0 snap-in you can see the endpoint in question, highlighted below:
Figure 3 -Showing the federation metadata endpoint provided by AD FS 2.0
To see what the actual XML looks like you can enter the endpoint into your web browser, as shown below:
Figure 4 - Example of a Federation Metadata document describing the information that is published about a specific Federation Service
I'm not going to review the structure of the federation metadata document here, except to note that it is a signed document and should not be edited or reformatted by hand (doing so invalidates the signature). Anyone interested in the details of the schema can find the specification at http://docs.oasis-open.org/wsfed/federation/v1.2/ws-federation.pdf. Instead I want to walk through an example of how to establish a Relying Party Trust using federation metadata.
The first step, of course is to launch the Add Relying Party Trust Wizard and navigate to the select data source page:
Figure 5 - Providing a federation metadata endpoint to the Add Relying Party Trust wizard
If you are interested in creating a trust using federation metadata but don't have a partner handy that provides metadata, it is perfectly feasible to have AD FS create a trust with itself. This is of little use in the real world, but it's perfectly suitable for purposes of illustration. The first step is to provide the https address of the metadata document. If you know the full URL you can provide it, or you can simply enter the host name, and AD FS will attempt to find the metadata at the most common location. In this case enter the name of your host machine (not fs.contoso.com) and hit the Next button. AD FS will read the available metadata and use it to construct the Relying Party Trust.
Figure 6 - Prompting for the relying party display name after reading federation metadata
As we can see, the wizard path is considerably shorter than in the manual entry case. SAML metadata does not typically provide a display name for the relying party trust, so we are prompted to provide one, along with any notes we want to make about the relying party. Then we hit the Next button, which takes us to the Choose Issuance Authorization Rules page.
Figure 7 - The Choose Issuance Authorization Rules page
In this case, we're going to deny all users access to the relying party for now. Later we can add some issuance authorization rules to enable access to the relying party. We hit the Next button to go on to the review page.
Figure 8 - Reviewing the relying party trust that was created from metadata.
Here we can review the Relying Party Trust that we are about to create. If we examine the various tabs on the page, we can see that the Identifier URLs, encryption and signature certificates, list of accepted claims, endpoints etc., have all been provided via the metadata.
Figure 9 - The encryption certificate provided by the federation metadata
Figure 10 - The list of accepted claims provided by federation metadata
After reviewing the configuration of the relying party trust, we hit the Next button to add it to the database. In figure 11, below we see the successfully created relying party trust.
Figure 11 - Showing the newly created relying party trust
Now I mentioned previously that federation metadata not only facilitates the creation of trusts, but also their maintenance. To show this in more detail, let’s open the properties dialog for the Contoso relying party.
Figure 12 - The properties page for the Contoso relying party trust
In figure 12 above we see the properties dialog, with the Monitoring tab displayed. This tab governs how AD FS manages the updating of this relying party trust. You can see that the Monitor relying party check box is checked. This indicates that AD FS will periodically retrieve the document at the Federation Metadata URL shown in the dialog and compare it with the current state of the relying party trust. You will also notice that the Automatically update relying party check box is checked. This tells AD FS to automatically update the relying party trust in response to changes in the metadata. With this option enabled, we do not have to worry about certificates expiring or being replaced: any changes made by the partner will be reflected in the metadata and automatically moved into the database. Keep in mind what that implies: the signing and encryption certificates and the endpoints in the trust become whatever the metadata URL serves, so the https server certificate presented at that URL and the signature on the metadata document are what stand between the trust and an attacker who can influence that endpoint. The Monitoring tab also displays the date on which the metadata was last checked as well as the date on which the last update was performed. Events are also logged when an update is performed.
Note that if the Automatically update relying party check box was unchecked, then the monitoring would still continue, but AD FS would not be updated. Instead those relying parties that are no longer in sync with their metadata would be indicated in the UI, as well as in the event log.
Figure 13 - Notification that a relying party trust needs to be updated.
If you refer to figure 13, you will notice that one of the actions available for the Contoso relying party is Update from Federation Metadata... This command allows the Administrator to force an update from metadata at will.
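The comparison behind the Monitoring tab, reduced to a small Python script. This is an added example, not AD FS code: it loads a partner's metadata document, pulls out the identifier, the signing and encryption certificate thumbprints and the WS-Federation and SAML endpoints, and reports what differs from the trust as stored, which is the "needs to be updated" condition shown in figure 13. The metadata document, the stored trust record and the certificate bytes are constructed placeholders (the base64 "certificates" are not real X.509 data), and the Signature check only tests that a signature element is present; a real consumer must verify the XML signature before accepting anything from the document.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
      "wsa": "http://www.w3.org/2005/08/addressing"}


def thumbprint(b64_cert: str) -> str:
    """SHA-1 over the DER bytes: the thumbprint the AD FS snap-in shows for a certificate."""
    return hashlib.sha1(base64.b64decode("".join(b64_cert.split()))).hexdigest().upper()


def parse_metadata(xml_text: str) -> dict:
    """Pull out of a federation metadata document the pieces a trust is built from."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    desc = {"identifier": root.get("entityID"),
            # Presence only. A real consumer verifies the XML signature before trusting anything below.
            "signed": root.find("ds:Signature", NS) is not None,
            "signing_certs": set(), "encryption_certs": set(),
            "saml_endpoints": set(), "wsfed_endpoints": set()}
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        use = kd.get("use")                      # no "use" means the key serves both purposes
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            tp = thumbprint(cert.text)
            if use in (None, "signing"):
                desc["signing_certs"].add(tp)
            if use in (None, "encryption"):
                desc["encryption_certs"].add(tp)
    for acs in root.iterfind(".//md:SPSSODescriptor/md:AssertionConsumerService", NS):
        desc["saml_endpoints"].add((acs.get("Binding"), acs.get("Location")))
    for addr in root.iterfind(".//fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address", NS):
        desc["wsfed_endpoints"].add(addr.text.strip())
    return desc


def diff_trust(stored: dict, fresh: dict) -> list:
    """Return (field, added, removed) for everything that differs; an empty list means in sync."""
    if not fresh["signed"]:
        raise ValueError("refusing unsigned metadata")
    changes = []
    if stored["identifier"] != fresh["identifier"]:
        changes.append(("identifier", {fresh["identifier"]}, {stored["identifier"]}))
    for name in ("signing_certs", "encryption_certs", "saml_endpoints", "wsfed_endpoints"):
        added, removed = fresh[name] - stored[name], stored[name] - fresh[name]
        if added or removed:
            changes.append((name, added, removed))
    return changes


# Constructed placeholders: not real X.509 certificates, just bytes that have a thumbprint.
OLD_SIGNING = base64.b64encode(b"placeholder signing certificate, rotated out").decode()
NEW_SIGNING = base64.b64encode(b"placeholder signing certificate, current").decode()
ENCRYPTION = base64.b64encode(b"placeholder encryption certificate").decode()

# Constructed metadata for a partner (SAML 2.0 metadata plus the WS-Federation role descriptor).
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:wsa="http://www.w3.org/2005/08/addressing"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" entityID="https://sp.example.com/">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{NEW_SIGNING}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{ENCRYPTION}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <AssertionConsumerService index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://sp.example.com/saml/acs"/>
  </SPSSODescriptor>
  <RoleDescriptor xsi:type="fed:ApplicationServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <fed:PassiveRequestorEndpoint><wsa:EndpointReference>
      <wsa:Address>https://sp.example.com/wsfed</wsa:Address>
    </wsa:EndpointReference></fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
</EntityDescriptor>"""

# The trust as stored in the AD FS database (constructed): it still carries the signing
# certificate the partner has since rotated out, so it is out of sync with the metadata.
STORED_TRUST = {"identifier": "https://sp.example.com/",
                "signing_certs": {thumbprint(OLD_SIGNING)},
                "encryption_certs": {thumbprint(ENCRYPTION)},
                "saml_endpoints": {("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
                                    "https://sp.example.com/saml/acs")},
                "wsfed_endpoints": {"https://sp.example.com/wsfed"}}


def check_trust(stored: dict = STORED_TRUST, metadata_xml: str = SAMPLE_METADATA) -> list:
    """The Monitoring-tab comparison: what would change if the trust were updated from metadata."""
    return diff_trust(stored, parse_metadata(metadata_xml))
```

With the constructed inputs, check_trust() reports exactly one difference, on signing_certs: the thumbprint of the current certificate is added and the rotated-out one removed. With Automatically update relying party enabled, that is the change AD FS would write to the database on its next check; with it disabled, it is the change that triggers the notification in figure 13.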
Federation Metadata is a powerful tool for managing AD FS 2.0. In future posts we will explore other aspects and techniques for using this data.
For more information about how to create trusts via federation metadata, see the following topics in the AD FS 2.0 Deployment Guide:
Shibboleth is an open-source software project that provides SAML and WS-Federation protocol support, and is commonly found throughout the higher education market. Since it talks standard protocols, AD FS can be configured to grant access to resources protected by Shibboleth.
At the end of this blog post, you'll have a lab machine with an ASP.Net web page protected by Shibboleth and federating to your AD FS identity provider. We'll start from scratch and quickly build a functioning federation.
This is a great way to explore Shibboleth/AD FS interoperability in a test environment before making the corresponding changes on your live Shibboleth site.
For simplicity's sake, this post will install Shibboleth onto the same machine as AD FS. It also assumes the default AD FS identifier is used: https://your-domain.com/adfs/services/trust
Visit the Shibboleth download site and install the 32-bit or 64-bit SP package as appropriate to your server. Restart your computer when prompted.
Edit c:\opt\shibboleth-sp\etc\shibboleth\shibboleth2.xml as follows (bold indicates text you'll need to change to reflect your environment):
<MetadataProvider type="XML"
uri="https://your-domain.com/FederationMetadata/2007-06/FederationMetadata.xml"
backingFilePath="federation-metadata.xml"
reloadInterval="7200"/>
7. Restart IIS and the Shibboleth Windows service.
a. iisreset
b. net stop shibd_Default
c. net start shibd_Default
We'll use PowerShell to add the Shibboleth SP to AD FS. First, create a file in the current directory called "rules.txt" with the following content. This rule is authored in the AD FS claims policy language, and configures a SAML NameID to be emitted for the Shibboleth SP. If you are interested in configuring transient and persistent NameIDs, refer to our previous blog post on the subject.
@RuleTemplate="LdapClaims"
@RuleName="Send E-mail as Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue( store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail;{0}", param = c.Value);
Next, run the following PowerShell commands:
This will create an AD FS entry for the Shibboleth SP using its metadata. Additionally, it configures the user's e-mail address to be sent as their Name ID and specifies that Shibboleth will be using the SHA-1 hash algorithm for signing its requests.
Visit https://your-domain.com/secure/. Shibboleth should redirect you to AD FS for authentication. Upon success, you'll see... a 404 page.
Create a default page at c:\inetpub\wwwroot\secure\default.aspx, with the following content:
<%@ Page Language="C#" %>
<html>
<head>
<title>Shibboleth Echo Page</title>
</head>
<body>
You are logged in using Shibboleth!
<hr />
<table>
<%
// Shibboleth publishes the attributes it accepted as server variables prefixed HTTP_SHIB.
foreach( string key in Request.ServerVariables )
{
    if( key.StartsWith( "HTTP_SHIB" ) )
    {
%>
<tr>
<td><%= key %></td>
<%-- Attribute values come from the IdP, so HTML-encode them before echoing. --%>
<td><%= Server.HtmlEncode( Request.ServerVariables[ key ] ) %></td>
</tr>
<%
    }
}
%>
</table>
<%-- Logout goes to the SP's own handler on this host, not to an external site. --%>
<a href="/Shibboleth.sso/Logout">Logout</a>
</body>
</html>
Hit refresh. You'll see the server variables that Shibboleth has populated based on your authentication, as well as a Logout link that you can use to test single logout. Congratulations, you have a working federation with Shibboleth!
Of course, in the real world, you'll want to send more than just a NameID. Read on for two common issues you may encounter, and how to work around them.
Shibboleth expects SAML attribute names to have a format of urn:oasis:names:tc:SAML:2.0:attrname-format:uri. By default, AD FS issues attributes with a name format of urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified. If there's a mismatch, Shibboleth will ignore the attribute.
You can fix this on the Shibboleth side by editing the attribute-map.xml file. Rather than:
<Attribute name="urn:oid:2.5.4.42" id="givenName"/>
Specify the nameFormat attribute to be unspecified:
<Attribute name="urn:oid:2.5.4.42" id="givenName" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" />
Alternately, you can fix this on the AD FS side by writing a custom claim rule to set the name format. Rather than one rule:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]=> issue( store = "Active Directory", types = ("urn:oid:1.3.6.1.4.1.5923.1.1.1.6"), query = ";userPrincipalName;{0}", param = c.Value);
Write two rules, one to retrieve the claim from AD, the other to issue it with a modified NameFormat:
c:[ Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => add( store = "Active Directory", types = ("urn:oid:1.3.6.1.4.1.5923.1.1.1.6"), query = ";userPrincipalName;{0}", param = c.Value);
c:[ Type == "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"] => issue( Type = c.Type, Value = c.Value, Issuer = c.Issuer, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
If you would like more information about the AD FS policy rules above, have a look at the following TechNet articles for details:
Shibboleth supports "scoped attributes". These are attributes in the form of "user@scope". The Shibboleth SP will only process the attribute if the scope portion matches a scope defined in the IdP's metadata.
This is done via a custom Shibboleth extension element. For details, see the Shibboleth Metadata Profile.
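The two SP-side checks described above, modelled in one added Python example (not Shibboleth's code): an attribute from the assertion is mapped only when its Name and NameFormat match an attribute-map entry (an entry with no nameFormat is taken to mean the uri format, and an assertion attribute with no NameFormat is taken to mean unspecified, which is why the AD FS default is dropped unless one side is adjusted), and a value of a scoped attribute is kept only when the part after "@" matches a shibmd:Scope published in the IdP's metadata. The attribute-map, the IdP metadata fragment and the assertion fragment are constructed for the example; the OIDs are the standard ones used in the post.

```python
import re
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SHIBMD = "urn:mace:shibboleth:metadata:1.0"
AMAP = "urn:mace:shibboleth:2.0:attribute-map"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
FMT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"


def load_attribute_map(xml_text: str) -> dict:
    """(name, nameFormat) -> (id, scoped). An entry without nameFormat means the uri format."""
    rules = {}
    for a in ET.fromstring(xml_text).iter("{%s}Attribute" % AMAP):
        decoder = a.find("{%s}Decoder" % AMAP)
        scoped = decoder is not None and decoder.get("{%s}type" % XSI, "").endswith("ScopedAttributeDecoder")
        rules[(a.get("name"), a.get("nameFormat", FMT_URI))] = (a.get("id"), scoped)
    return rules


def load_idp_scopes(xml_text: str) -> list:
    """Scopes the IdP may assert, from shibmd:Scope in its metadata: (value, is_regexp)."""
    return [(s.text.strip(), s.get("regexp", "false") == "true")
            for s in ET.fromstring(xml_text).iter("{%s}Scope" % SHIBMD)]


def scope_allowed(scope: str, scopes: list) -> bool:
    for pattern, is_regexp in scopes:
        if is_regexp and re.fullmatch(pattern, scope):   # regexp scopes: full-string match here
            return True
        if not is_regexp and scope.lower() == pattern.lower():
            return True
    return False


def map_attributes(assertion_xml: str, rules: dict, scopes: list):
    """Apply the map to an AttributeStatement; returns (accepted {id: values}, rejected [(what, why)])."""
    accepted, rejected = {}, []
    for attr in ET.fromstring(assertion_xml).iter("{%s}Attribute" % SAML):
        # No NameFormat on the attribute means "unspecified"; it maps only if the entry says so too.
        key = (attr.get("Name"), attr.get("NameFormat", FMT_UNSPECIFIED))
        if key not in rules:
            rejected.append((attr.get("Name"), "no attribute-map entry for this Name/NameFormat"))
            continue
        attr_id, scoped = rules[key]
        for v in attr.iter("{%s}AttributeValue" % SAML):
            value = (v.text or "").strip()
            if scoped:
                if "@" not in value:
                    rejected.append((attr_id, "scoped attribute without a scope: %r" % value))
                    continue
                scope = value.rsplit("@", 1)[1]
                if not scope_allowed(scope, scopes):
                    rejected.append((attr_id, "scope %r not published in IdP metadata" % scope))
                    continue
            accepted.setdefault(attr_id, []).append(value)
    return accepted, rejected


# Constructed inputs. The givenName entry has no nameFormat, so the unspecified-format
# attribute that AD FS sends by default will not map to it; the mail entry has been fixed.
ATTRIBUTE_MAP = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Attribute name="urn:oid:2.5.4.42" id="givenName"/>
  <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"
      nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"/>
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
    <Decoder xsi:type="ScopedAttributeDecoder"/>
  </Attribute>
</Attributes>"""

IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" entityID="https://idp.example.edu/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <Extensions><shibmd:Scope regexp="false">example.edu</shibmd:Scope></Extensions>
  </IDPSSODescriptor>
</EntityDescriptor>"""

ASSERTION = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="urn:oid:2.5.4.42"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml:AttributeValue>alice@example.edu</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue>alice@example.edu</saml:AttributeValue>
    <saml:AttributeValue>alice@partner.example.org</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""


def process(attribute_map=ATTRIBUTE_MAP, idp_metadata=IDP_METADATA, assertion=ASSERTION):
    return map_attributes(assertion, load_attribute_map(attribute_map), load_idp_scopes(idp_metadata))
```

With these inputs, mail and the example.edu-scoped eppn value are accepted; givenName is dropped for the NameFormat mismatch and the partner.example.org value is dropped because the IdP's metadata does not publish that scope. Adding nameFormat="...unspecified" to the givenName entry, as the post suggests, makes it map.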
If you run into issues, you may wish to check Shibboleth's log files, located at
Still stumped? Check out the SP Troubleshooting document at the Internet2 site.
Since the AD FS 2.0 release candidate (RC), the AD FS product team got feedback that the experience of setting up AD FS proxy server and making it work with AD FS Federation Service is cumbersome, as it involves multiple steps across both AD FS proxy and AD FS Federation Service machines.
In AD FS 2.0 RC, after IT admin installs AD FS 2 proxy server on proxy machine, she runs proxy configuration wizard (PCW) and needs to:
These steps establish a level of trust between the AD FS proxy server and the AD FS Federation Service. The AD FS proxy server typically lives in the DMZ and provides a layer of insulation from outside attack.
The AD FS administrator also needs to keep track of the proxy identity certificate's lifetime and proactively renew it to make sure it does not expire and disrupt the service.
There are several pain points around the AD FS proxy setup and maintenance experience in AD FS 2.0 RC:
In RTW, above issues are addressed by:
Several management aspects are involved in the new trust mechanism. Events are added to proxy server for:
Events are added to Federation Service server for:
Generic authorization event will be logged when:
Proxy trust token issuance is audited just as any other issued token when AD FS audit is turned on. There are several knobs to turn to configure various proxy trust parameters:
The following picture shows AD FS admin running PCW and setting up trust from proxy server to Federation Service.
The following screen shows that trust is established from proxy server to AD FS Federation Service.
From event log on proxy machine, you can see proxy server has successfully established trust with AD FS Federation Service.
On the Federation Service machine, you will see following related events.
(Note: There are two 395 events created corresponding to provisioning of one proxy machine. It is a side effect of PCW validating user name and password and establishing trust at the end of the wizard.)
Proxy server automatically renews trust with AD FS Federation Service. When that happens, you will see following event in event log on proxy machine.
When a proxy server is compromised, the administrator of the AD FS Federation Service needs to revoke trust for all proxy machines. The following picture shows how AD FS admin could do it from UI. After proxy trusts are revoked, all proxy machines need to provision again to gain access to AD FS Federation Service.
Several PowerShell cmdlets have been updated to provide PowerShell management of this new functionality:
On the proxy machine:
Get-ADFSProperties, Set-ADFSProperties: (ProxyTrustRenewPeriod) get or set how often the proxy server renews its proxy trust with the AD FS Federation Service
On the Federation Service machine:
Get-ADFSProperties, Set-ADFSProperties: (AddProxyAuthorizationRules, ProxyTrustTokenLifeTime): as property names suggest.
Revoke-ADFSProxyTrust: revoke issued proxy trust. Proxy machines need to provision again to gain access to AD FS Federation Service.
It is our pleasure to announce the general availability of the Federation Extensions for SharePoint 3.0 package today. This package enables federation for existing SharePoint 3.0 deployments, both Windows SharePoint Services (WSS) 3.0 and Microsoft Office SharePoint Server (MOSS) 2007. Using this package, enterprise SharePoint administrators can configure their deployments to trust any WS-Federation STS, such as AD FS 2.0, so that an enterprise can offer its services to federation partners.
The setup package of Federation Extensions for SharePoint 3.0 can be downloaded from here.
This package is available in the following 24 languages:
Arabic, Chinese (Simplified), Chinese (Traditional), Czech, Danish, Dutch, English, Finnish, French, German, Greek, Hebrew, Hungarian, Italian, Japanese, Korean, Norwegian, Polish, Portuguese (Brazil), Portuguese (Portugal), Russian, Spanish, Swedish, Turkish
Here are the additional resources that are helpful to you:
1. Product ReadMe for Federation Extensions for SharePoint 3.0 package
2. Step by Step Guide and VMs for Federated Document Collaboration Using MOSS 2007 and AD FS 2.0
3. AD FS 2.0 Getting Started Guide
4. AD FS 2.0 Design, Deployment, and Troubleshooting Guides
6. A guide to claims-based identity – by Patterns & Practices Team
If you have questions, don’t hesitate to hop on the forum and ask.
See how easy it is to enable federation for your SharePoint 3.0 applications by deploying this package today!
WIF Product Team
I can go to http://localhost/IdentityManagement/aspx/syncrule/AllSyncRules.aspx, new, create inbound Sync rule, General tab, enter info, Scope Tab, enter info, (person, text file, person), Relationship tab, any metaverse object to connectedsystemobject:person, and then when I hit "next" BANG. Unable to process request.
The description for Event ID 8214 from source Windows SharePoint Services 3 cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
A request was made for a URL, http://localhost, which has not been configured in Alternate Access Mappings. Some links may point to the Alternate Access URL for the default zone, http://testfim. Review the Alternate Access mappings for this Web application at http://testfim:36021/_admin/AlternateUrlCollections.aspx and consider adding http://localhost as a Public Alternate Access URL if it will be used frequently. Help on this error: http://go.microsoft.com/fwlink/?LinkId=114854
the message resource is present but the message is not found in the string/message table
and
The portal was unable to complete a request and showed a user the default error page.
An unhandled exception was caught.
Check the product diagnostic log file and then check the SharePoint log file.
The alternate address mappings collections are "sharepoint - 80" and "central administration" and do not have http://localhost in them. I added http://localhost to "sharepoint - 80" and received the same results.
No errors on installation, everything looked good there.
It is our pleasure to announce the availability of Windows Identity Foundation SDK 4.0 package, which is tailored for .NET Framework 4.0 and Visual Studio 2010. We heard your feedback on the necessity for out of the box WIF templates that work with Visual Studio 2010 and samples that work with .NET Framework 4.0. This package addresses these two requests.
You can download the WIF SDK 4.0 setup package from here.
Note that this package is only available in US-English language. Localized versions of this package will be delivered later.
2. New release of the Identity Developer Training Kit – by DPE Team
3. WIF Product Documentation on MSDN – by WIF User Assistance Team
4. A guide to claims-based identity – by Patterns & Practices Team
Enjoy coding with WIF!
WIF Team
Announcing the localization support for WIF SDK 3.5!
We are glad to announce the complete localization support for Windows Identity Foundation SDK 3.5 today. Following are the languages we have localized the SDK to:
1. French (fr-FR)
2. German (de-DE)
3. Japanese (ja-JP)
4. Spanish (es-ES)
5. Italian (it-IT)
6. Russian (ru-RU)
7. Chinese-Simplified (zh-CN)
8. Chinese-Traditional (zh-TW)
9. Korean (ko-KR)
You can obtain the localized WIF SDK setup packages from here.
Happy coding with WIF!!!
We are very happy to announce the general availability of AD FS 2.0! It is our pleasure to offer this release for Windows Server 2008 and 2008 R2 that makes it easier to work across companies, leverage the cloud, and develop secure applications all while using industry standard interoperable protocols. We listened to your feedback from the release candidate and have made AD FS 2.0 even easier to manage by simplifying proxy management. Finally, we’ve hammered this build to ensure you’ll see the rock solid reliability and screaming fast performance that you’d expect from Microsoft.
The setup package for AD FS 2.0 can be downloaded here.
The team behind making AD FS 2.0 can be seen in several Channel 9 videos discussing the features and capabilities of the release.
Check out the following resources to learn more about AD FS 2.0:
· Our official website
· AD FS 2.0 Getting Started Guide
· Step by Step Guide and VMs for Federated Document Collaboration Using MOSS 2007 and AD FS 2.0
· AD FS 2.0 Design, Deployment, and Troubleshooting Guides
· AD FS 2.0 developer documentation and PowerShell reference
· Resources for developing claims based applications with Windows Identity Foundation (WIF)
We’d like to give a big thank you to everyone who’s helped us by providing feedback since we had our first Beta. Stay tuned here as we will continue to blog about AD FS 2.0 features over the coming weeks and months. If you have questions, don’t hesitate to hop on the forum and ask.
See how you can use claims to unleash the power of your identity infrastructure by deploying AD FS 2.0 today!
The AD FS 2.0 Product Team
We have decided to postpone the release of Windows CardSpace 2.0. This is due to a number of recent and exciting developments in technologies such as U-Prove and Open ID that can be used for Information Cards and other user-centric identity applications. We are postponing the release to get additional customer feedback and engage with the industry on these technologies. We will communicate additional details at a later time.
As part of our continued investment in these areas, we will deliver a Community Technology Preview in Q2 2010 that will enable the soon-to-be-released Active Directory Federation Services 2.0 (AD FS 2.0) in Windows Server to issue Information Cards.
Microsoft remains committed in the development of digital identity technologies, interoperable identity standards, the claims-based identity model, and Information Cards. AD FS 2.0 is on track for release shortly. We also continue to actively participate in industry groups such as the Information Card Foundation, the OpenID Foundation, and standards bodies such as OASIS.
I have three custom attributes in my Active Directory schema that are of type "Case Sensitive String." With MIIS 2003 and ILM 2007 (incl FP1) these didn't cause a problem. But FIM is seeing these as type "Binary," which means I can't do a Direct export or import on them like I did in the previous versions.
Case Sensitive String is a valid type in AD -- why would FIM want to treat these as binary?
I'm happy to announce that FIM 2010 is now available for customers. You can read the Forefront blog post here: http://blogs.technet.com/forefront/archive/2010/03/02/rsa-conference-2010-identity-at-the-forefront.aspx
Somewhat hidden within Forefront Identity Manager 2010, there is a very useful feature for action workflows called "Run on Policy Update".
Here are the situations where you may find this feature useful:
1. You are creating a new Management Policy Rule (MPR), such as one to provision all users an AD account, and you want one or more of the action workflows in your new MPR to be applied, upon creation of the MPR, to all the members of the MPR's Resource Final Set (also referred to as "Target Resource Definition After Request" in the portal's MPR wizard). For example, you may be creating a new MPR to apply a new Synchronization Rule to all users. You may want to retroactively enforce this new policy by applying the Synchronization Rule workflow to all users that already exist.
2. You are enabling a previously disabled MPR, and you want one or more of the action workflows in the MPR to be applied, upon enabling of the MPR, to all the members of the MPR's Resource Final Set.
3. You are adding a new action workflow to an existing MPR, and you want the new workflow to be applied to all the members of the MPR's Resource Final Set, immediately upon adding the workflow to the MPR.
4. You are modifying the Resource Final Set of an existing MPR to reference a new set, and you want one or more of the MPR's action workflows to be applied to all the members of the new Resource Final Set, immediately upon modification of the MPR.
5. You are manually modifying the membership of the Resource Final Set of an MPR, either by modifying the set's Filter or ExplicitMember attribute, and you want one or more of the MPR's action workflows to be applied to all the *new* members of the new Resource Final Set, immediately upon modification of the set.
The "Run on Policy Update" feature is an option that lives on action workflow definitions, as an attribute labeled "RunOnPolicyUpdate" bound to the WorkflowDefinition resource type. When this boolean attribute is set to "true" for a given action workflow, if any of the 5 scenarios above are encountered with an MPR that uses this workflow, the workflow will be automatically applied to the members of the Resource Final Set of the MPR.
Following is a table that summarizes the cases where a "Run on Policy Update" enabled action workflow is applied, in addition to the normal cases where a new Request satisfies all the criteria of an MPR that uses the workflow.
User request: Create new MPR
Resulting action by the FIM Service: Apply each "Run on Policy Update" enabled action workflow referenced by the new MPR to all members of the MPR's ResourceFinalSet.
User request: Enable an existing MPR
Resulting action by the FIM Service: Apply each "Run on Policy Update" enabled action workflow referenced by the enabled MPR to all members of the MPR's ResourceFinalSet.
User request: Select a new ResourceFinalSet for an existing MPR
Resulting action by the FIM Service: Apply each "Run on Policy Update" enabled action workflow referenced by the MPR to all members of the new set referenced by the ResourceFinalSet attribute.
User request: Add a new "Run on Policy Update" enabled action workflow to an existing MPR
Resulting action by the FIM Service: Apply the newly added action workflow to all members of the MPR's ResourceFinalSet.
User request: Modify the filter of a set
Resulting action by the FIM Service: For all MPRs whose ResourceFinalSet references the set being modified, apply each "Run on Policy Update" enabled action workflow mapped to the MPR to each resource that transitions into the set because of the filter update.
User request: Update explicit membership of a set
Resulting action by the FIM Service: For all MPRs whose ResourceFinalSet references the set being modified, apply each "Run on Policy Update" enabled action workflow mapped to the MPR to each resource that is added to the set.
Note that simply enabling the “Run on Policy Update” option for a workflow does not result in the workflow being automatically run. The workflow will only be run upon completion of one of the requests outlined in the table above.
Disabling the “Run on Policy Update” option for a workflow will allow you to perform any of the user requests outlined above, without the workflow being automatically run.
If you submit one of the user requests outlined above, thereby triggering the execution of a “Run on Policy Update” enabled action workflow, you can cancel all the workflows that have been triggered by simply cancelling the request that triggered them (e.g. cancel the request tracking the creation of the MPR).
Cheers,
Nima
I saw this article in TechRepublic today. The gist of it is that a small sample (12) of IT managers, directors, and CIOs said they trusted Microsoft more than Google as a technology partner. Now I don’t really buy this poll: they picked the first 12 respondents from a population of 90 TechRepublic panelists, which makes the sample neither representative nor random. Be that as it may, some of the quotes from respondents were interesting.
“Microsoft, hands down. They have a real enterprise track record and, while not always perfect, they continue to deliver on real business needs and their products eventually exit the beta stage.”
“Microsoft. We are not, nor will we be in the foreseeable future, involved in the ‘cloud’ as an integral part of our internal IT offerings.”
“Google seems to be moving too fast into too many areas. I don’t think they really have a focus on security and trust. Microsoft learned that lesson in a most painful manner.”
“Google. They’re more hungry.”
If you make the following replacements: “Microsoft” –> “IBM” (or “Sun”), “Google” –> “Microsoft”, and “cloud” –> “Windows servers”, this sounds like the same arguments people were making ten years ago, when Microsoft and Windows were relative nobodies in the enterprise data center.
Plus ça change, plus c'est la même chose.
I saw this picture this morning and my coffee nearly came out my nose. Even Linus Torvalds is digging Windows 7!
http://picasaweb.google.com/cschlaeger/JapanLinuxSymposium#5395358413061926434
A couple of weeks ago I was busy setting up ILM “2” RC0 for my session demo at TEC Europe. I’ve installed ILM “2” a bunch of times, and if you have the prerequisites properly installed, it’s pretty much a no-brainer. It normally takes me less than an hour to get from a new machine image to a running ILM “2”. This time was no different. I built my ILM “2” image, populated it, and tested the Quest PowerShell cmdlets for ILM “2” to make sure my session demos were all functioning and ready to go to Europe. Everything was fine. I shut down the machines, copied their Hyper-V images to my external USB hard drive, and moved on to cleaning up my PowerPoint slides to reflect the significant changes in FIM 2010 RC1.
When I got to Berlin, I rounded up a server from our A/V provider (an adventure in itself), cobbled up the networking to work with the hotel wired internet, copied the images, and started fiddling with them to get them to work on the new network. When I got everything sorted, I started testing my PowerShell -> ILM “2” demos. I couldn’t even connect to the ILM “2” web service. And as a bonus, the ILM “2” SharePoint portal wouldn’t even start, failing with the infamous “unexpected error”. Hmmm. Why would previously working VMs suddenly start failing?
I had a lot of other things going on leading up to TEC, so I didn’t get to spend a lot of concentrated time on the problem, but ultimately I deduced that the ILM “2” service wasn’t starting. The event log indicated that SQL “might not be installed”, but SQL clearly was installed and running. I rolled back the images to an earlier snapshot that only had the prerequisites installed, reinstalled ILM “2”, and everything was swell. Mystery bug, fixed by reinstall, case closed. Or maybe not.
When I came back to my room to walk through my demos one last time before my session, I encountered the same problem. I couldn’t establish a connection to the web service, the portal wouldn’t run, and the ILM “2” service wouldn’t start. I rolled back the images, reinstalled, and everything was fine. I rebooted the ILM “2” server, and I encountered the same failure. I tried the sequence again, just to make sure I was seeing what I thought I was seeing. ILM “2” would run properly after install, but would fail to start after a reboot. Very curious. And I was running out of time.
Maybe there was something wrong with the prerequisites? I rolled back to a bare WS2008 image, reinstalled the prerequisites, and reinstalled ILM “2” RC0. It worked. I rebooted. It failed. Damn! At this point I started working out how I could move the server down to the conference area without rebooting the images. But as I thought through what was happening, I realized that I was doing something different this time around compared to other times I had installed ILM “2”. In earlier versions, I installed SQL with a default instance. For some reason, this time around, I specified an instance name. So I rolled back to the base OS image, reinstalled the prerequisites, but this time specifying the default SQL instance. ILM “2” started and worked properly. I rebooted the image. And it continued to work. Aha!
So word to the wise: Use the default SQL instance with ILM “2” RC0.
As a lot of you may already know, after 4 years of working on MIIS / ILM / FIM I've decided to leave Microsoft. No, I'm not being fired, nor am I jumping ship to a competitor :) Rather I am leaving Microsoft to pursue an MBA at Columbia starting this fall.
If I have one hope, it is that you have found this blog, along with the talks, webcasts and reports I have done, useful in helping to digest the seemingly endless new concepts coming out with FIM 2010. It can be a lot to take in one shot for sure, as sometimes I even find myself scratching my head as to how something works, and even more so when I attempt to describe it.
To all of my colleagues and friends I have made in my time on the MIIS/ILM/FIM teams, I wish you all the best going forward. As for me, it's back to the student life for the time being.
Going forward, I'll still be available to help people with FIM (as much as my new student life permits, of course!). If you want to reach me, you can email me at bobby.gill (at) gmail.com, and you can always find me on Facebook at www.facebook.com/jasjeet
I'll be at TechReady tomorrow morning, and I should be at the FOX Sports Grill event in the evening, so come grab me if you see me.
In the meantime, I leave this blog in the more than capable hands of my colleague Nima.
Bobby
Question from one of our readers:
From:
Sent: Tuesday, July 14, 2009 11:06 AM
To: Bobby Gill
Subject: (Bobby and Nima's Forefront Identity Manager Blog) : Question about FIM/Outlook
Importance: High
Good afternoon Bobby and Nima.
I read your blog often as I await the release of MMS...I mean MIIS...I mean ILM...I mean FIM :)
I keep seeing things about how nice it is to request to be added to groups or distribution groups through Microsoft outlook. Are all of the features available from inside Outlook available from the web interface?
The reason I'm asking is that a lot of clients may have a need to use identity management to synchronize their Microsoft world with their HR world...and their email world ! (*cough Lotus Notes*). I understand that the level of integration (especially for distribution lists) is probably not the same, but are most other features of the Outlook FIM client available on the web console ?
Thank you and feel free to post the question and answer to your blog, as I think it may help other people.
------
The simple answer to the question above is that the Outlook plug-in for FIM 2010 contains a proper subset of the functionality available within the web portal. That is, everything that is possible through the Outlook interface is available within the web portal.
However, the opposite is not true. While the Outlook plug-in allows you to manage group memberships and approvals/requests, it does not nearly provide the same level of functionality as the web portal. For instance, the creation of groups (both static and dynamic), deletion and modification (outside of membership) can only be done through the FIM portal.
Further, the Outlook plug-in requires both Outlook 2007 as well as Exchange 2007 running on the backend. However, if you are using an email client which is not Outlook 2007, or an email server that is not Exchange 2007, you can still send notifications and approvals to email clients via any SMTP server. To perform any operations on said messages, you will need to go to the portal.
Yesterday I was eating my bowl of Frosted Miniwheats (by Kellogg) for dinner and out fell a coupon for another free box of Miniwheats. “Oh hot lam!” I exclaimed to myself. I had totally not seen the offer stamped on the front of the box for a free box of Miniwheats when I had purchased the jumbo, bachelor sized box of Miniwheats at Costco last Sunday. A bowl of Miniwheats alone is enough to brighten my days, but winning another 12oz of the half-sugar, half-fiber narcotic ? Well that’s like Christmas in May. I love hidden surprises.
Much like my box of Frosted Miniwheats, FIM 2010 has a few hidden surprises of its own that lurk underneath the covers and are often ignored. One of these features is Hierarchical Provisioning. Much like the name would imply, Hierarchical Provisioning allows objects, and more importantly, any missing parent containers, to be provisioned into the connector spaces of LDAP MAs. Previously in MMS, MIIS, and ILM 2007, if one wanted to provision a user into a container in Active Directory, one would need to ensure that they created the container in Active Directory prior to provisioning the user with MMS/MIIS/ILM. However, with Hierarchical Provisioning, you do not need to do this anymore. With some settings configured in the Management Agent (MA), the missing container can be created automatically by the Active Directory Management Agent, and then the object provisioned within it.
The steps to configure this feature are relatively straight forward. Assume that you want to provision the following user into Active Directory: “cn=Bobby Gill, ou=Redmond, ou=Users, dc=fabrikam, dc=com”. In this case, the Redmond OU does not exist in the Active Directory domain. Before the ILM AD MA can provision this new user into the OU specified, the OU needs to be created in Active Directory. This is where Hierarchical Provisioning comes into play.
As an ILM Admin, to enable Hierarchical Provisioning on an LDAP MA, you need to configure a mapping within the MA such that anytime upon export the MA detects that a parent of an object doesn’t exist, it knows what object to create in the connected directory for that parent. This configuration is done within the LDAP MA screens by mapping valid DN components to object classes in the connected directory. In this case, you would set up a mapping between the “OU” DN component and the object class “organizationalUnit”. Thus in the above scenario, when the MA is exporting the object to AD and realizes that the “OU=Redmond” parent is missing, it will look up the mapping for the “OU” component, first create a new organizationalUnit object named “Redmond”, and then export the new user into the container.
Steps to configure Hierarchical Provisioning:
4.) Mappings are created by selecting a DN component in the left list box and an object class in the right list box, and then clicking “new”. You can only create one mapping per DN component.
Once setup, Hierarchical Provisioning is transparent to the actual provisioning mechanism. Thus, if you are using Synchronization Rules or even a traditional scripted Metaverse Extension, these settings will be applied to both at export time. Hierarchical Provisioning further reduces the burden on IT Pros by allowing much more flexibility in terms of provisioning decisions made in the FIM Workflows and eliminates an often tedious manual step whenever a new business unit comes online and an associated container or OU needs to be created.
The feature is available to all LDAP Management Agents and is available in the ILM "2" RC0.
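To make the export-time decision concrete, here is an added example (my own illustration, not FIM's or the AD MA's code) that simulates it: parse the target DN, walk up the parents until one already exists, and use the DN-component-to-object-class mappings to decide what to create, highest container first. The directory contents, the mapping and the DNs are constructed; a missing parent whose DN component has no mapping is reported as the error an export would hit.

```python
def parse_dn(dn):
    """Split 'cn=Bobby Gill, ou=Redmond, dc=fabrikam, dc=com' into (component, value)
    pairs, leaf first. Assumes no escaped commas or '=' characters inside values."""
    pairs = []
    for rdn in dn.split(","):
        component, sep, value = rdn.partition("=")
        if not sep or not component.strip() or not value.strip():
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        pairs.append((component.strip().lower(), value.strip()))
    return pairs


def format_dn(pairs):
    return ",".join(f"{component}={value}" for component, value in pairs)


def dn_key(dn):
    """Case-folded, whitespace-free form of a DN, used for existence checks."""
    return format_dn(parse_dn(dn)).lower()


class LdapExportSimulator:
    """Constructed directory state plus the MA's DN-component -> object-class mappings."""

    def __init__(self, existing_dns, component_mappings):
        self.existing = {dn_key(dn) for dn in existing_dns}
        # The MA allows only one mapping per DN component (e.g. "ou" -> "organizationalUnit").
        self.mappings = {c.lower(): oc for c, oc in component_mappings.items()}

    def missing_parents(self, dn):
        """(dn, objectClass) for each container that must be created, top-most first,
        before `dn` can be exported. Raises LookupError if a missing parent's DN
        component has no object-class mapping, which is where an export would fail."""
        pairs, missing = parse_dn(dn), []
        for depth in range(1, len(pairs)):  # walk upward from the immediate parent
            parent = pairs[depth:]
            if dn_key(format_dn(parent)) in self.existing:
                break  # everything above this point already exists
            component = parent[0][0]
            if component not in self.mappings:
                raise LookupError(f"no object class mapped for DN component {component!r}; "
                                  f"cannot create {format_dn(parent)}")
            missing.append((format_dn(parent), self.mappings[component]))
        else:
            raise LookupError(f"no ancestor of {dn!r} exists in the directory")
        missing.reverse()  # create the highest missing container first
        return missing

    def export(self, dn, object_class):
        """Create the missing containers, then the object itself; returns what was created."""
        created = self.missing_parents(dn) + [(format_dn(parse_dn(dn)), object_class)]
        for created_dn, _ in created:
            self.existing.add(dn_key(created_dn))
        return created
```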
The hardest part of this blog is finding topics to write about that would be interesting and useful to the community at large. If you have a topic or a question that you want to see addressed on this blog, please email me and I will see if I can post something up for it.
What's our name again?
Whoa, new product name! For those of you who have been chasing butterflies for the past month, what was once known to us as Identity Lifecycle Manager "2" is now called Forefront Identity Manager. I know, it's not the sexiest name in the world and is probably the 5th different name the product has had since its conception, but it reflects the combination of Microsoft's security and identity product lines into the Forefront brand announced last year.
Personally, I wanted to name the product "Black Thunder II", but then again there are a myriad of reasons why I am not allowed to name Microsoft products.
But back onto the topic at hand...
Synchronization Rule Dependency
I decided to take some time off today to briefly talk about Synchronization Rule Dependencies, a powerful yet not well understood part of ILM/FIM's synchronization capabilities. In brief, a Synchronization Rule Dependency allows one to construct and apply a series of outbound Synchronization Rules on top of each other. The scenarios that spring to mind where this functionality is useful are things such as adding/removing Exchange mailbox provisioning, or adding/removing VPN access, on a user's Active Directory account (with the former two being dependent on the latter).
If an Outbound Synchronization Rule (the dependent) is marked as having a dependency on another Synchronization Rule (the root), the dependent rule will apply itself on top of the connector that the root Synchronization Rule is applied to. At run time, when a FIM Action Workflow attempts to add an Expected Rule Entry (ERE) object for the dependent Synchronization Rule onto a FIM Resource's Expected Rules List (ERL), there must also exist an ERE-Add object for the root Synchronization Rule on the ERL. (I am just going to take a minute here and say I don't think there have been that many acronyms stuffed into one sentence since the merger between the wrestling giants WWF and WCW was announced.) Conversely, if an Action Workflow adds an ERE-Remove entry for a root Synchronization Rule, all EREs that correspond to Synchronization Rules further up the dependency tree will be removed.
It's important to note that when you design an Action Workflow to add or remove a series of EREs that correspond to a Synchronization Rule dependency chain, the root rule must be added to the workflow surface prior to any other dependent rules.
Multiple levels of dependency can be created, with more than one Synchronization Rule being made to depend on a single Synchronization Rule.
In the Synchronization Rule Designer, to create a Synchronization Rule Dependency is relatively straightforward. The first page of the designer allows you to select another outbound Synchronization Rule to make a new Synchronization Rule depend on. When selected, the Scope and Relationship pages are automatically greyed out. Once a Synchronization Rule is made to depend on another rule, the only settings that are adjustable on that rule are the workflow parameters and the outbound attribute flows. Conceptually, this falls cleanly from the fact that a dependent Synchronization Rule is being applied "on top" of another rule.
I wish I could paste some screenshots of what this looks like, but the FIM UI has changed markedly since the RC 0 release and I don't want to ruin the surprise just yet :)
The canonical scenario in which Synchronization Rule Dependencies are used is creating business processes to manage the provisioning/deprovisioning of capabilities that stem from attributes set on an Active Directory user account. In a typical provisioning scenario, one would construct a base "Active Directory User Synchronization Rule" which, as the name implies, would create a new AD User object and flow the necessary base DN, samAccountName and name information. On top of that, you could then model a dependent Synchronization Rule for granting an Exchange mailbox. This Synchronization Rule would be dependent on the Active Directory User Synchronization Rule, and as a consequence would only have a single flow, to the homeMDB attribute. Modelling the user account provisioning separately from the mailbox provisioning, through the use of Synchronization Rule dependency, allows you to define independent business processes around the lifecycle management of the two through Management Policy Rules and workflow.
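As an added example (my own model, not FIM's code and not the designer UI described above), here is the ERE/ERL behaviour just described in runnable form: an ERE-Add for a dependent rule is refused unless its root's ERE is present, an ERE-Remove for a root cascades to every rule above it in the dependency tree, and a set of rules is ordered root-first, which is the order a workflow must add them in. The sample chain uses the AD user, Exchange mailbox and VPN access rules from the text; "Mailbox Archive" is an assumed second-level rule added to show multiple levels.

```python
class SyncRuleDependencyError(Exception):
    """Raised when an ERE operation violates the root-before-dependent rule."""


class SyncRuleCatalog:
    """Outbound Synchronization Rules; each rule may depend on exactly one root rule."""

    def __init__(self):
        self.root_of = {}  # rule name -> name of the rule it depends on (None for a base rule)

    def add_rule(self, name, depends_on=None):
        if depends_on is not None and depends_on not in self.root_of:
            raise SyncRuleDependencyError(f"{name!r} depends on unknown rule {depends_on!r}")
        self.root_of[name] = depends_on

    def depth(self, name):
        """How many rules sit beneath `name` in its dependency chain (0 for a base rule)."""
        depth, current = 0, self.root_of[name]
        while current is not None:
            depth, current = depth + 1, self.root_of[current]
        return depth

    def dependents_of(self, root):
        """Every rule that depends on `root`, directly or through further levels."""
        found, frontier = set(), [root]
        while frontier:
            parent = frontier.pop()
            for rule, rule_root in self.root_of.items():
                if rule_root == parent and rule not in found:
                    found.add(rule)
                    frontier.append(rule)
        return found

    def workflow_order(self, rules):
        """Order rules so every root precedes its dependents: the order an Action
        Workflow must add them in."""
        return sorted(rules, key=lambda rule: (self.depth(rule), rule))


class ExpectedRulesList:
    """The ERL of one FIM resource: the sync rules currently expected to apply to it."""

    def __init__(self, catalog):
        self.catalog = catalog
        self.entries = set()

    def add(self, rule):
        """ERE-Add: refused unless the root rule's ERE is already on the list."""
        root = self.catalog.root_of[rule]
        if root is not None and root not in self.entries:
            raise SyncRuleDependencyError(
                f"cannot add {rule!r}: its root {root!r} has no ERE on the list")
        self.entries.add(rule)
        return frozenset(self.entries)

    def remove(self, rule):
        """ERE-Remove: removing a root also removes every rule that depends on it.
        Returns the rules actually removed."""
        cascade = ({rule} | self.catalog.dependents_of(rule)) & self.entries
        self.entries -= cascade
        return cascade


def apply_workflow(erl, rules):
    """Simulate an Action Workflow adding a set of EREs in root-first order."""
    for rule in erl.catalog.workflow_order(rules):
        erl.add(rule)
    return frozenset(erl.entries)


# Constructed sample chain; "Mailbox Archive" is an assumed rule name.
CATALOG = SyncRuleCatalog()
CATALOG.add_rule("Active Directory User")
CATALOG.add_rule("Exchange Mailbox", depends_on="Active Directory User")
CATALOG.add_rule("VPN Access", depends_on="Active Directory User")
CATALOG.add_rule("Mailbox Archive", depends_on="Exchange Mailbox")
```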
As always, feel free to email me any questions you might have and I will do my best to get back to them.
The product team and I just wrapped up our week at the TechReady event in Seattle. Bobby presented an excellent session on codeless provisioning, focusing on configuration and tips and tricks, and I presented a session on workflow and activity extensibility in ILM "2". We also had the opportunity to solicit feedback about the product from attendees. This event reminded me of just how new so many of the concepts in ILM “2” are, and how much more knowledge there is which can be shared. My last post on the XPath Filter Dialect addressed one area where we frequently get questions, as our use of the xpath language is so pervasive throughout the product.
While many of the common questions and areas of concern are fresh in my memory, I’ll proceed to share some guidance where I can.
Let’s start with some examples that demonstrate the use of the XPath Filter Dialect addressing common queries (for reporting and other scenarios). I’d recommend first reading the previous post on the xpath fundamentals.
Note: The XPath Filter Dialect is case sensitive. Keep this in mind when writing your xpath filters. For example, /Person[displayname = 'value'] is NOT the same as /Person[DisplayName = 'value'].
Example 1: A User’s Pending Approvals
You’ll need the following xpath if you want to build a report or page that lists all the approvals that are pending a response from a specific user.
Let’s assume the user, for whom you want to see the pending approvals, has an Account Name of ‘mmeyers’ and an ObjectID of ‘11111111-1111-1111-1111-111111111111’.
This first filter demonstrates how to identify the pending approvals based on the user’s ObjectID:
/Approval[ApprovalStatus = 'Pending' and Approver = '11111111-1111-1111-1111-111111111111']
This second filter demonstrates how to identify the pending approvals based on the user’s Account Name:
/Approval[ApprovalStatus = 'Pending' and Approver = /Person[AccountName = 'mmeyers']]
Notice that in the second example we make use of a location path expression, /Person[AccountName = 'mmeyers'], inside the predicate in order to identify approvals where the Approver is a user with the specified Account Name.
Note that the ApprovalStatus represents the status of an approval and can have one of the following values:
· Pending
· Approved
· Rejected
· Expired
A status of ‘Pending’ means the approval is currently awaiting a response from one of the users listed in the Approvers attribute of the approval.
A status of ‘Approved’ means the Request associated with the approval has been approved by the required number of approvers. After an approval has been created it will only be marked as ‘Approved’ if the minimum number of responses, as specified by the ApprovalThreshold attribute of the approval, is met.
A status of ‘Rejected’ means a user designated as an approver for the approval has rejected it. At any point in time, if a valid approver rejects an approval, that approval is immediately rejected and the workflow and associated Request are terminated.
A status of ‘Expired’ means the approval has reached the time indicated by the ApprovalDuration attribute on the Approval object and no response to the approval has been submitted.
Example 2: All Security Groups expiring within the next 7 days.
/Group[Type = 'Security' and ExpirationTime <= op:add-dayTimeDuration-to-dateTime(fn:current-dateTime(), xs:dayTimeDuration('P7D'))]
Example 3: All Orphaned Security Groups
An ‘orphaned’ security group here refers to a group with no owner. The following is the xpath to identify such groups:
/Group[Type = 'Security' and Owner != /Person]
Example 4: People who are members of both the "Interns" group and the "Full Time Employees" group:
While my example here may not be a very compelling one, the goal is to demonstrate how we can identify users that are in sets or groups producing conflicting roles or permissions.
/Person[ObjectID = /Group[DisplayName = 'Interns']/ComputedMember and ObjectID = /Group[DisplayName = 'Full Time Employees']/ComputedMember]
Note that I used the DisplayName attribute to identify the groups of interest, but the better practice would be to use a unique identifier to identify the groups, such as their ObjectID attribute.
Example 5: People who were EVER members of both the "Interns" group and the "Full Time Employees" group at the same time:
The previous example identified people who are currently members of two conflicting groups. The following example identifies people who were ever members of these conflicting groups at the same time. This example makes use of the historical querying feature of ILM to scope the query to a time in the past.
allTime(/Person[ObjectID = /Group[DisplayName = 'Interns']/ComputedMember and ObjectID = /Group[DisplayName = 'Full Time Employees']/ComputedMember])
Example 6: All permissions that Kim Abercrombie had in the month of January, 2009.
Again, here we see the use of a historical query to check for a condition that was met at some time in the past. This time we are checking for permissions that existed for a user within a specified time period.
betweenTime(/ManagementPolicyRule[GrantRight = 'True' and PrincipalSet = /Set[ComputedMember = /Person[DisplayName = 'Kim Abercrombie']]], '2009-01-01T00:00', '2009-01-31T00:00')
Notice that the filter above is looking for any Management Policy Rule, of the type that grants permissions, which granted permissions to a set that contained Kim Abercrombie in its membership.
Example 7: Changes to security groups in the last 10 days
/Request[Target = /Group[Type = 'Security'] and Operation = 'Put' and CreatedTime >= op:subtract-dayTimeDuration-from-dateTime(fn:current-dateTime(), xs:dayTimeDuration('P10D'))]
The above filter is returning all Requests that were created, within the last 10 days, to modify a security group. If you want to find only the Requests that were actually ‘completed’, or the ones that were ‘rejected’ or still pending, simply add an additional condition based on the status of the request.
Example 8: All full time employees that were ever contractors (i.e. transitioned from one job to another).
/Person[EmployeeType = 'Full Time Employee' and ObjectID = allTime(/Person[EmployeeType = 'Contractor'])]
Each of these examples is related to a question I've received in the past. As more common scenarios become apparent, I will post examples addressing them.
- Nima
ILM “2” provides a Web Service Enumeration (WS-Enumeration) endpoint by which client applications can run queries and retrieve the results. Please refer to Joe Schulman’s excellent extensibility blog for more details on using the WS-Enumeration endpoint in ILM “2”.
This blog focuses on the XPath Filter Dialect, which you can use to create the queries to submit through the ILM Web Services. XPath Filter Dialect is a subset of the XML Path Language (XPath) 2.0, with some additional functions.
Client applications can send WS-Enumeration Enumerate messages to the ILM Service to identify a subset of resources and attributes. The subset of resources to return is identified by expressions in the XPath Filter Dialect (from here on usually referred to simply as an ‘xpath filter’ in this blog).
If you are developing your own custom client for ILM, or submitting queries to ILM through a custom activity, you will need to use the xpath filter as your query language. In the ILM portal, xpath is the language in which you express the queries for Search Scopes that can be created. Xpath is also used to express the membership conditions of calculated groups and sets.
The following is an example of an xpath filter that identifies all people whose Job Title is ‘Engineer’: /Person[JobTitle = 'Engineer']
Rather than continue listing examples of xpath filters you may find useful, I’m going to use this blog post to describe the fundamentals of the ILM Xpath Filter Dialect so that you can understand the expression language and construct any filter you need. I will follow up this blog with another post of some sample filters for commonly requested queries and reports.
Much of the content I include here is probably covered by the ILM “2” SDK in much more detail, but hopefully you’ll also find some of the guidance here conveniently available and useful. I will build on this topic with examples as people request them, so feel free to make suggestions!
Let’s start by looking at the data types the ILM xpath filters support.
Data Types
The ILM XPath Filter Dialect supports the four data types defined for XPath 1.0, plus the dateTime type that is defined in the XML Schema specification and a reference type for resource identifiers. These types are defined in the following table.
Data type | Definition
node-set | A collection of XML nodes without duplicates. Refer to Joe Schulman’s blog for examples of node sets in ILM WS-Enumeration. Think of a node-set as a collection of resources.
Boolean | true or false
number | A signed integer.
string | Any sequence of characters from the Universal Character Set.
dateTime | A date and time in Coordinated Universal Time (UTC).
reference | A GUID that identifies a reference to a resource.
Now that we know what types of data we can filter on in our expressions, let’s take a look at what types of expressions we can actually define.
Types of Expressions
ILM “2” supports the following types of xpath expressions:
1. Location Path Expressions
A location path expression identifies a node-set (collection of resources). A location path expression consists of one or more location steps. Location step expressions are delimited by a forward slash (/). A location path expression must refer to an object type in ILM, or an attribute of type reference which refers to a resource. Location path expressions have the following form: /step/step/… | step/step/…
A forward slash at the beginning of an expression indicates an absolute location path expression as distinct from a relative location path expression. A relative location path expression identifies a node-set relative to the context node-set. The context node-set is the set of nodes that have already been identified.
Example: /Group/ComputedMember is a location path expression that consists of two location steps: Group and ComputedMember. The result of this filter is all resources that are a ComputedMember of any Group.
Example: /Person[AccountName = 'nima']/Manager returns the resource referenced by the Manager attribute of the Person with an Account Name of ‘nima’.
Example: /Person[AccountName = 'nima']/DisplayName is not a valid xpath filter because DisplayName is not a reference type attribute.
Union of location path expressions
The union of one or more location path expressions can be obtained by linking the location path expressions with the union operator, which is denoted by the vertical bar character, |.
Example: /Person | /Group returns all people and groups.
Predicates
Predicates are expressions that appear enclosed in brackets at the end of location steps. In the XPath Filter Dialect, predicate expressions must be Boolean expressions, equality expressions, function expressions or relational expressions.
Predicates filter the current node-set to produce a subset. A predicate is evaluated for each node in the current node-set. If the result of the predicate is true for a node, that node is included in the subset yielded by the predicate; otherwise, it is excluded.
Example: /Person/Manager[JobTitle = 'VP'] returns all people whose Manager’s Job Title is ‘VP’. The location steps here are Person and Manager[JobTitle = 'VP']. The second location step consists of a node name, Manager, and a predicate, JobTitle = 'VP'.
You can even have location path expressions nested inside predicates.
For example, the filter /Person[Manager = /Person[JobTitle = 'VP']] returns all people whose Manager is a person with a Job Title of ‘VP’. Note that this returns the same result as a previous example: /Person/Manager[JobTitle = 'VP'].
2. Equality Expressions
Equality expressions test the equality of terms. They have the following form: left_hand_term operator right_hand_term
The valid equality operators are as follows:
Operator | Result
= | Yields true if the term on the right and the term on the left are equal; otherwise yields false.
!= | Yields true if the term on the right and the term on the left are not equal; otherwise yields false.
The left-hand term of an equality expression must be the name of an attribute in the ILM schema.
The right-hand term of an equality expression can be one of the following:
· A function call.
· A Boolean value.
· A dateTime value.
· A number.
· A string.
· A reference value.
If the left-hand term is a reference type attribute, the right-hand term can be a location path expression (i.e. a filter representing a sub-condition).
Multi-Valued Equality Expressions
When the = operator is used in an equality expression where the left-hand term is a multi-valued attribute and the right-hand term is a literal value, the expression evaluates to true if the value of the right-hand term is any of the values contained in the left-hand term.
Example: /Group[ComputedMember = '11111111-1111-1111-1111-111111111111'] returns all groups whose ComputedMember attribute contains the resource with the ObjectID ‘11111111-1111-1111-1111-111111111111’.
When the = operator is used in an equality expression where the left-hand term is a reference attribute (multi-valued or single-valued) and the right-hand term is a location path expression, the expression evaluates to true if any value of the attribute on the left-hand term is among the values contained in the node-set returned by the right-hand term.
Example: /Group[Owner = /Person[EmployeeType = 'Contractor']] returns all groups whose Owner is a Contractor. In other words, this filter returns all groups where any of the values of their Owner attribute is among the set of people whose Employee Type is ‘Contractor’.
3. Relational Expressions
Relational expressions compare the values of two terms. They have the following form: left_hand_term operator right_hand_term
Valid relational operators are: <=, <, >=, >, which are pretty self-explanatory.
4. Boolean Expressions
Boolean expressions combine two expressions in a predicate using ‘or’ and ‘and’.
When ‘or’ is used, the predicate evaluates to true if either expression is true.
Example: /Person[JobTitle = 'VP' or JobTitle = 'Senior VP'] returns people whose Job Title is ‘VP’ or ‘Senior VP’.
When ‘and’ is used, the predicate evaluates to true only if both expressions are true.
Example: /Person[JobTitle = 'VP' and Department = 'Sales'] returns people who are VPs and are in the Sales department.
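The rules in sections 1 through 4 above (location paths, predicates, equality expressions with the multi-valued "any value matches" behaviour, and ‘and’/‘or’) as a small evaluator, added here as my own example and not part of the ILM/FIM product or this blog. It also runs the orphaned-group and conflicting-membership filters from Examples 3 and 4 in the earlier post. It covers a subset only: no union, relational operators or function calls; attribute values are strings or ObjectID references; the object type is assumed to be stored in an ObjectType attribute; and all resources, IDs and names are constructed.

```python
import re

TOKEN_RE = re.compile(r"!=|[/\[\]=]|'[^']*'|[A-Za-z_][A-Za-z0-9_]*")  # op | 'string' | name

def tokenize(text):
    """(kind, value) tokens; input the pattern does not cover (e.g. curly quotes) is rejected."""
    if TOKEN_RE.sub("", text).strip():
        raise ValueError(f"unexpected input in {text!r}")
    return [("str", t[1:-1]) if t[0] == "'" else ("name", t) if t[0].isalpha() or t[0] == "_"
            else ("op", t) for t in TOKEN_RE.findall(text)]

class Parser:
    """Recursive-descent parser for: path := ('/' name ('[' predicate ']')?)+"""
    def __init__(self, text):
        self.toks, self.i = tokenize(text), 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def take(self, kind=None, value=None):
        tok = self.peek()
        if tok[0] is None or (kind and tok[0] != kind) or (value and tok[1] != value):
            raise ValueError(f"expected {value or kind}, got {tok}")
        self.i += 1
        return tok[1]
    def path(self):
        steps = []
        while self.peek() == ("op", "/"):
            self.take()
            name, pred = self.take("name"), None
            if self.peek() == ("op", "["):  # predicate := and_expr ('or' and_expr)*
                self.take()
                pred = self.binary("or", lambda: self.binary("and", self.comparison))
                self.take("op", "]")
            steps.append((name, pred))
        if not steps:
            raise ValueError("a location path must start with '/'")
        return ("path", steps)
    def binary(self, keyword, operand):  # operand (keyword operand)*, left-associative
        left = operand()
        while self.peek() == ("name", keyword):
            self.take()
            left = (keyword, left, operand())
        return left
    def comparison(self):  # attribute ('=' | '!=') (string | location path)
        attr, op = self.take("name"), self.take("op")
        if op not in ("=", "!="):
            raise ValueError(f"unsupported operator {op!r}")
        rhs = self.path() if self.peek() == ("op", "/") else ("lit", self.take("str"))
        return ("cmp", attr, op, rhs)

def values(resource, attr):  # attribute values as a list; names are matched case-sensitively
    v = resource.get(attr)
    return [] if v is None else (list(v) if isinstance(v, list) else [v])

class Directory:
    """Constructed resource store keyed by ObjectID; reference attributes hold ObjectIDs."""
    def __init__(self, resources):
        self.by_id = {r["ObjectID"]: r for r in resources}
    def query(self, text):
        parser = Parser(text)
        node = parser.path()
        if parser.peek()[0] is not None:
            raise ValueError("trailing tokens after the location path")
        return self.eval_path(node)
    def eval_path(self, node):
        current = None
        for name, pred in node[1]:
            if current is None:  # the first step names an object type
                current = {i: r for i, r in self.by_id.items() if r["ObjectType"] == name}
            else:  # later steps follow a reference attribute of the current node-set
                current = {ref: self.by_id[ref] for r in current.values()
                           for ref in values(r, name) if ref in self.by_id}
            if pred is not None:  # keep only the nodes for which the predicate is true
                current = {i: r for i, r in current.items() if self.test(pred, r)}
        return current
    def test(self, pred, r):
        if pred[0] in ("and", "or"):
            left, right = self.test(pred[1], r), self.test(pred[2], r)
            return (left and right) if pred[0] == "and" else (left or right)
        _, attr, op, rhs = pred
        right = {rhs[1]} if rhs[0] == "lit" else set(self.eval_path(rhs))
        hit = any(v in right for v in values(r, attr))  # multi-valued: any value may match
        return hit if op == "=" else not hit

def person(oid, account, title, dept, etype, manager=None):  # constructed sample helper
    return {"ObjectID": oid, "ObjectType": "Person", "AccountName": account, "JobTitle": title,
            "Department": dept, "EmployeeType": etype, "Manager": manager}

def group(oid, name, owner, members):  # constructed sample helper
    return {"ObjectID": oid, "ObjectType": "Group", "DisplayName": name, "Type": "Security",
            "Owner": owner, "ComputedMember": members}

SAMPLE = Directory([  # constructed data, not real identities
    person("p1", "nima", "Engineer", "Sales", "Contractor", manager="p2"),
    person("p2", "kim", "VP", "Sales", "Full Time Employee"),
    person("p3", "bob", "Engineer", "Engineering", "Full Time Employee", manager="p2"),
    group("g1", "Interns", "p1", ["p1", "p3"]),
    group("g2", "Full Time Employees", ["p2"], ["p2", "p3"]),
    group("g3", "Orphans", None, []),
])
```

The conflicting-membership filter is the one to keep an eye on from a separation-of-duties standpoint: it returns every person who is a ComputedMember of both groups at once.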
5. Function Calls
The ILM XPath Filter Dialect provides the following functions that can be used in location path expressions:
Function signature, followed by its description:
boolean contains(Attribute, string)
Returns true if the value of the first argument, which must be a valid attribute in the ILM schema, contains the second as a substring; otherwise returns false.
boolean starts-with(Attribute, string)
Returns true if the value of the first argument, which must be an attribute in the ILM schema, starts with the second; otherwise returns false.
boolean ends-with(Attribute, string)
Returns true if the value of the first argument, which must be an attribute in the ILM schema, ends with the second; otherwise returns false.
boolean not(boolean)
The not function returns true if its argument evaluates to false, and false if it evaluates to true. The argument must be one of the following expressions, each of which returns a boolean:
1. Relational expression
2. Equality expression
3. Function call
dateTime current-dateTime()
Returns the current date and time with time zone. For more information see current-dateTime in XPath 2.0.
dateTime dateTime(date, time)
Returns the dateTime obtained by combining the date and time arguments. For more information see dateTime in XPath 2.0.
dateTime add-dayTimeDuration-to-dateTime(dayTimeDuration, dateTime)
Returns the dateTime obtained by adding the duration to the dateTime. For more information see add-dayTimeDuration-to-dateTime in XPath 2.0.
dateTime add-yearMonthDuration-to-dateTime(yearMonthDuration, dateTime)
Returns the dateTime obtained by adding the duration to the dateTime. For more information see add-yearMonthDuration-to-dateTime in XPath 2.0.
dateTime subtract-dayTimeDuration-from-dateTime(dayTimeDuration, dateTime)
Returns the dateTime obtained by subtracting the duration from the dateTime. For more information see subtract-dayTimeDuration-from-dateTime in XPath 2.0.
dateTime subtract-yearMonthDuration-from-dateTime(yearMonthDuration, dateTime)
Returns the dateTime obtained by subtracting the duration from the dateTime. For more information see subtract-yearMonthDuration-from-dateTime in XPath 2.0.
node-set descendants(locationPathExpression, attributeName)
Returns a node-set (set of resources) obtained by recursively dereferencing the reference attribute named attributeName, starting with the resources selected by the location path expression.
Example: descendants(/Person[DisplayName = ‘Nima’], ‘Manager’) returns the manager of the person whose DisplayName is ‘Nima’, then that person's manager, and so on (i.e. everyone ‘Nima’ reports to, directly or indirectly).
boolean descendant-in(attributeName, filter)
This function obtains a set of resources by recursively dereferencing the reference attribute specified by attributeName, starting with the context node. If the set of resources obtained contains the resource identified by Filter (or is among the resources identified by Filter), the function returns true; otherwise, it returns false.
Example: /Person[descendant-in(‘Manager’, /Person[DisplayName = ‘Nima’])] returns all people who report to ‘Nima’ (i.e. people who have ‘Nima’ in their management chain).
node-set membersof(ObjectID)
The membersof function accepts the unique identifier of a Set as input, and returns the members of that Set.
node-set allTime(locationPathExpression)
The allTime function accepts a valid filter expression in the XPath Filter Dialect as input, and returns the resources matching that expression at any time over the history of the data in the ILM Service database.
node-set atTime(locationPathExpression, dateTime)
The atTime function accepts a valid filter expression in the XPath Filter Dialect and a dateTime as input, and returns the resources that matched the expression at that point in time.
node-set betweenTime(locationPathExpression, dateTime, dateTime)
The betweenTime function accepts a valid filter expression in the XPath Filter Dialect and two dateTime values as input, and returns the resources that matched the expression at any time between the two dateTimes.
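The examples in this post all use fixed literals. As soon as a filter is built from values a user typed (a search scope parameter, a self-service lookup, a reporting client), the quoting rules matter: the dialect has no escape character, so a value containing the delimiting quote would terminate the literal and the rest of the value would be interpreted as part of the predicate. The helper below is an added example, not code from the original post or from ILM; it composes filters of the shapes shown above (equality, nested reference filters, ‘or’/‘and’, relational operators, not(), descendant-in) while keeping every untrusted value inside a single literal. Restricting attribute and object-type names to a conservative character set is an assumption made here, not a documented rule of the dialect.

```python
"""Compose ILM XPath Filter Dialect queries from untrusted values.

Added example; not code from the original post or from ILM. The dialect has no
escape character and the function table lists no concat(), so a string literal
can only use the quote character it does not contain, and a value holding both
kinds is rejected instead of being spliced into the query. Restricting
attribute and object-type names to a conservative shape is an assumption made
here, not a documented rule of the dialect.
"""
import re

_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9]*$")  # assumed safe shape for schema names


def xpath_literal(value: str) -> str:
    """Return value as a single XPath string literal, using the delimiter it lacks."""
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    raise ValueError("value contains both quote characters; cannot be one literal")


def _name(name: str) -> str:
    """Reject names that could close the predicate or start a new location step."""
    if not _NAME.match(name):
        raise ValueError(f"unsafe attribute or object type name: {name!r}")
    return name


class Filter:
    """A location path of the form /ObjectType[term and term ...]."""

    def __init__(self, object_type: str, *terms: str, join: str = "and"):
        if join not in ("and", "or"):
            raise ValueError("join must be 'and' or 'or'")
        self.object_type = _name(object_type)
        self.terms = terms
        self.join = join

    def __str__(self) -> str:
        if not self.terms:
            return f"/{self.object_type}"
        predicate = f" {self.join} ".join(self.terms)
        return f"/{self.object_type}[{predicate}]"


def eq(attribute: str, value) -> str:
    """attribute = literal; for a reference attribute, value may be a nested Filter."""
    rhs = str(value) if isinstance(value, Filter) else xpath_literal(str(value))
    return f"{_name(attribute)} = {rhs}"


def compare(attribute: str, op: str, value) -> str:
    """Relational term; numbers are emitted bare, anything else as a literal."""
    if op not in ("<", "<=", ">", ">="):
        raise ValueError(f"unsupported relational operator {op!r}")
    rhs = str(value) if isinstance(value, (int, float)) else xpath_literal(str(value))
    return f"{_name(attribute)} {op} {rhs}"


def not_(term: str) -> str:
    """Wrap a relational, equality or function-call term in not()."""
    return f"not({term})"


def descendant_in(attribute: str, target: Filter) -> str:
    """True for resources whose attribute chain (e.g. Manager) reaches a member of target."""
    return f"descendant-in({xpath_literal(_name(attribute))}, {target})"


if __name__ == "__main__":
    print(Filter("Group", eq("Owner", Filter("Person", eq("EmployeeType", "Contractor")))))
    print(Filter("Person", eq("JobTitle", "VP"), eq("JobTitle", "Senior VP"), join="or"))
    # An attacker-supplied value meant to escape the literal stays inside it:
    print(Filter("Person", eq("JobTitle", "VP' or JobTitle != '")))
```

The rejection of values containing both quote characters is deliberate: the safe answer for such a value is to look it up by ObjectID (as in the ComputedMember example above) rather than to try to smuggle it into a string literal.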
Hopefully this post helps you understand the structure of the XPath Filter Dialect expression language. Trust me when I say this knowledge will come in extremely handy if you perform any of the following:
· Creating search scopes for the portal. Search scopes are pre-canned searches you can use in the portal.
· Creating advanced calculated sets and groups that cannot be created using the Filter Builder control in the ILM portal. One example of such a set is the set of all resources that contain an Expected Rule Entry for a particular Synchronization Rule in their Expected Rules List.
· Creating custom activities that will query the ILM Service database.
· Creating a WS client that will submit queries to the ILM Web Service. Such clients can be used for purposes such as reporting.
Stay tuned as I will be following up with some xpath ‘tips and tricks’ and sample filters for commonly requested queries.
Nima Ganjeh
For those of you who are MIIS / ILM 2007 pros, when seeing the Codeless Provisioning functionality one of the first questions that comes to mind is "can I use my existing rules extension in ILM "2"?".
Of course.
At a basic level, with ILM "2" RC you can take an existing ILM 2007 deployment and migrate its synchronization engine component straight into ILM "2" RC. You do this by copying the ILM 2007 synchronization database (MicrosoftIdentityIntegrationServer) to an ILM "2" server and, when installing the synchronization component of ILM "2", pointing setup at that database instance. The installer then migrates the data forward so that all existing MA and MV configurations, including rules extensions, are ready to use right away.
But if you want to go beyond this, it's important to note how Codeless Provisioning works side by side with existing ILM synchronization concepts. While Codeless Provisioning bubbles up a business-process-driven approach to synchronization, it is underpinned by the same basic mechanics that power the ILM synchronization engine. Adding this functionality therefore does not change how MAs work, how rules extensions are called, or how traditional metaverse provisioning is done.
This side-by-side coexistence is collectively referred to as a hybrid deployment.
Metaverse Provisioning
In fact, it is supported to run Codeless Provisioning logic side by side with traditional metaverse extensions. Codeless Provisioning is driven by the processing of Expected Rule Entry (ERE) objects; these determine which MV objects are provisioned a connector and how flows are applied on top. For an MV object being synchronized, this processing happens before the metaverse rules extension is called. Hence, if for any reason the EREs attached to an MV object do not achieve the desired outcome in a CS, you can use a metaverse extension to provision additional connectors, apply initial flows and deprovision existing connectors, just as you would have done with ILM 2007.
Custom Functions = Rules Extensions
Metaverse extensions are just one aspect of a hybrid scenario. A more common use case is scripted flow. ILM "2" RC contains around 20 built-in functions, which should satisfy most basic needs. If they do not, you can always use a traditional rules extension to apply a transformation on an outbound flow: on the MA, define an advanced flow as before. This flow is applied after any Sync Rule flows have been pushed onto an object, allowing you to append to or overwrite attribute flow data provided by a Sync Rule.
Join / Projection Rules
On the inbound side, the traditional join/projection concepts live on as you remember them from ILM 2007. Just like the extension points, you can use traditional declared/advanced join and projection rules alongside Synchronization Rule concepts. If you have defined an Inbound Synchronization Rule on an MA that also has traditional join/projection rules defined, the Synchronization Rule is evaluated first. So if a disconnector in this MA matches a Synchronization Rule's connected scoping filter, the engine attempts to join or project that disconnector to the MV based on the Synchronization Rule definition. If evaluating the disconnector against the Synchronization Rule leaves the CS object a disconnector, the existing declared join/projection rules are then executed against it.
One of the big features of ILM "2" RC is the set of changes we have made to the portal and server to enable ILM to scale higher. In the portal and in the ILM service we've tuned the way we interact with SQL and with the wire to make the ILM experience faster and snappier. Out of this we've gained both a better idea of what it takes to deploy ILM in a way that maximizes performance and key pieces of knowledge to help administrators keep their deployment running fast. I will be writing a series of posts outlining much of this knowledge over the coming days.
Hardware
SQL
SQL is where performance starts and ends in the ILM Service. For ILM to perform at enterprise scale it is critical that SQL is set up so that it can best serve the ILM application. You may wonder why we took the hard dependency on SQL Server 2008 in RC; the answer is more than its snappy new logo. SQL Server 2008 introduces filtered indexes, which specifically aim to limit index pollution and improve queries across sparse columns by selectively including values in the index. ILM's weakly-typed, single-table storage mechanism begs for this capability, and we use it. If you only have 1,000 objects in your ILM store this isn't much of a deal, but when you start scaling into the 50k+ arena, filtered indexes come into their own.
Beyond this, deploying ILM requires a steady eye towards maintaining and monitoring ILM performance. Here are a couple of tips off hand which should help you keep ILM screaming:
ILM Service:
The ILM Service itself is actually quite lightweight and very much dependent on the performance of SQL. To help streamline the service further you can try:
That's all for now. Look for some further posts talking about other ways to monitor and manage ILM performance.
In the meantime, we are currently at Tech Ed Europe in Barcelona. You can come find me, or Nima, at the ILM booth located in the main exhibition area for the next couple of days. I will be running an Instructor Led Lab on ILM on Thursday at 1pm.
If you get a chance, I definitely recommend attending one of the many ILM sessions being done over the next couple of days:
Thursday: Identity Lifecycle Manager 2 (Part 3): Extensibility and provisioning with ILM 2 (Nima Ganjeh)
2:40-3:55pm
Wednesday: Identity Lifecycle Manager 2 (Part 2): Expressing and enforcing business policy (Alex Weinert)
1:30-2:45pm
We're back! Today we have a guest blogger to announce the Release Candidate for ILM "2":
I’m Lori Craw, group product manager covering identity and security at Microsoft. Today I am pleased to announce the exciting news that the Identity Lifecycle Manager “2” Release Candidate (RC) is now available.
ILM “2” builds on our Identity Lifecycle Manager 2007 investments, and includes solutions that will help IT more efficiently and effectively automate identity policies for users and their associated credentials and entitlements. An important set of features in this release focus on self-service for end users, enabling them to manage some of their own information like their passwords and groups, using self-service tools built into Office. The IT pro tools, combined with end-user self-service in Office and developer experiences using .NET and Visual Studio add up to a very powerful combination.
We’ve received great feedback on these features from our beta and TAP customers so far. We also have seen some great momentum with core partners, including Quest, Omada, and Unisys.
So what’s new in the RC, you ask? Some of the top new additions to the RC include:
- Support for scale-out of the ILM "2" middle-tier database and portal on separate servers, and support for multiple portal servers
- Added support for managing groups across multiple Active Directory forests
- Improvements in the request and notification emails, including customizable notification emails and request details baked into the out-of-box request emails
- Support for third-party certificate authorities (CAs)
- Performance and stability improvements
- Localization support for German and Japanese
I’d like to invite you to learn more about ILM “2” and to try out the RC for yourself by visiting www.microsoft.com/ilm2.
Regards,
Lori Craw
Group Product Manager
Microsoft Identity and Security
If you are at the point where you're comfortable with using the functions and various options in attribute flow creation, I'd like to introduce you to a really cool feature to add some efficiency and extra capabilities to your attribute flow creation: Custom Expressions.
The synchronization rule designer provides you the ability to type in any attribute flow you can define using the flow definition user interface. This is supported through the CustomExpression option you'll find under the advanced options in the value selection list when selecting a value for Source in an attribute flow. See the screenshot below for clarification.
So, what syntax exactly do you use to define the flows in this custom expression box? Create an attribute flow in the normal manner (without using CustomExpression) and take a look at the attribute flow summary view when you save the flow, as shown below.
This summary view represents the attribute flow in a short form syntax as follows:
· Constant strings are represented in quotes (“ ”), e.g. “Nima”
· Constant numbers are represented simply as numbers, e.g. 456
· Attributes are represented by the attribute name, e.g. FirstName
· Synchronization rule parameters are represented as the parameter name prefixed with ‘$’, e.g. $InitialPassword
· Functions are represented by the function name, with parameters given values that follow the syntax outlined here, e.g. Left(“TestString”, 5)
· The concatenation operator is represented as ‘+’, e.g. FirstName + LastName
The syntax above is the exact same syntax you would use with the CustomExpression option. The example below defines an attribute flow for generating a random password.
Hopefully this makes defining flows a bit quicker for some of you.
The use of the CustomExpression option extends beyond just efficiency for power users though. The CustomExpression option also allows you to define attribute flows containing nested functions, as you saw in the example above for generating random passwords. In addition, you can also use CustomExpression with another very cool function available in the synchronization rule designer: The IIF function.
IIF function (Immediate IF) returns one value if a specified condition evaluates to true, and another value if the condition evaluates to false.
The function's signature is as follows: IIF(condition, valueIfTrue, valueIfFalse). Note that in Beta 3 the function is misspelled as IFF :)
We use this type of functionality in programming all the time, so how does it provide value in the context of an attribute flow? Well, think of any example where you'd want to flow a particular value to an attribute if some condition was true, and another if it was false. One such example is defining the flow for an employee's email address. Let's assume we want to prefix the email alias of a vendor/contractor with a "v-", and for full time employees we leave the alias as is.
In other words, if the employee is a vendor/contractor, his email becomes his mailnickname "@microsoft.com" prefixed with "v-". So, if nimag was a contractor, his email would become "v-nimag@microsoft.com"
In the synchronization rule designer, we can specify this attribute flow as follows:
For the condition, we used the CustomExpression option to specify an expression to evaluate. Here we used the Eq() function, which takes two arguments and compares them for equality, returning true if the attribute has the given value and false if not. The condition is not very clear from the screenshot above; its complete form is Eq(managed:EmployeeType, "Contractor"). It checks whether the managed:EmployeeType attribute has the value "Contractor".
Our return value if the condition ( the result of the Eq() function ) evaluates to true is the employee's email address prefixed with "v-". The return value if the condition evaluates to false is the employee's email address as is (no prefix).
The following are functions available for use as expressions in the IIF function:
Eq - This is the function used in the example above. It compares two arguments for equality, returning true if they are equal and false otherwise. Example: Eq(managed:EmployeeType, "Contractor")
NotEquals - This function compares two arguments for inequality, returning true if they are not equal and false otherwise. Example: NotEquals(managed:EmployeeType, "Contractor")
LessThan - This function compares two numbers, returning true if the first is less than the second and false otherwise. Example: LessThan(Salary, 100000)
GreaterThan - This function compares two numbers, returning true if the first is greater than the second and false otherwise. Example: GreaterThan(Salary, 100000)
LessThanOrEquals - This function compares two numbers, returning true if the first is less than or equal to the second and false otherwise. Example: LessThanOrEquals(Salary, 100000)
GreaterThanOrEquals - This function compares two numbers, returning true if the first is greater than or equal to the second and false otherwise. Example: GreaterThanOrEquals(Salary, 100000)
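A flow typed into the CustomExpression box is only checked when the rule runs against a real object, which makes mistakes in the mail-alias example above (a missing quote, a branch that yields a number where a string was expected) expensive to discover. The evaluator below is an added example, not code from the post or from ILM: it implements just the short-form syntax described above (quoted strings, numbers, attribute names including the managed: prefix, $parameters, ‘+’ concatenation, and the IIF, Eq, NotEquals, LessThan, GreaterThan, LessThanOrEquals, GreaterThanOrEquals and Left functions) so an expression can be exercised offline against a constructed source object. Reading attribute values from a plain dict is an assumption of this toy; the real engine reads them from the metaverse or connector space, and this code makes no claim about how the product itself parses or evaluates the expression.

```python
"""Evaluate ILM "2" short-form attribute flow expressions offline.

Added example, not from ILM or the original post. Attribute values come from a
plain dict standing in for the source object (an assumption); $parameters come
from a second dict. Both IIF branches are evaluated here, which is a property
of this toy, not a statement about the product.
"""
import re

_TOKEN = re.compile(
    r'(?P<str>"[^"]*")|(?P<num>\d+)|(?P<param>\$[A-Za-z_]\w*)'
    r'|(?P<name>[A-Za-z_][\w:]*)|(?P<punct>[(),+])'
)

_FUNCS = {
    "IIF": lambda c, a, b: a if c else b,
    "IFF": lambda c, a, b: a if c else b,  # the Beta 3 spelling noted above
    "Eq": lambda a, b: a == b,
    "NotEquals": lambda a, b: a != b,
    "LessThan": lambda a, b: a < b,
    "GreaterThan": lambda a, b: a > b,
    "LessThanOrEquals": lambda a, b: a <= b,
    "GreaterThanOrEquals": lambda a, b: a >= b,
    "Left": lambda s, n: str(s)[: int(n)],
}


def tokenize(text):
    """Split an expression into (kind, text) tokens; reject anything unexpected."""
    tokens, pos = [], 0
    while pos < len(text):
        if text[pos].isspace():
            pos += 1
            continue
        m = _TOKEN.match(text, pos)
        if not m:
            raise SyntaxError(f"unexpected character at {pos}: {text[pos]!r}")
        tokens.append((m.lastgroup, m.group()))
        pos = m.end()
    return tokens


class _Parser:
    """Recursive-descent parser: expr := term ('+' term)*, term := literal | attr | f(args)."""

    def __init__(self, tokens, attrs, params):
        self.tokens, self.attrs, self.params, self.i = tokens, attrs, params, 0

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else (None, None)

    def next(self):
        tok = self.peek()
        if tok[0] is None:
            raise SyntaxError("unexpected end of expression")
        self.i += 1
        return tok

    def expr(self):
        value = self.term()
        while self.peek() == ("punct", "+"):   # '+' is concatenation, as in the post
            self.next()
            value = str(value) + str(self.term())
        return value

    def term(self):
        kind, text = self.next()
        if kind == "str":
            return text[1:-1]
        if kind == "num":
            return int(text)
        if kind == "param":
            return self.params[text[1:]]
        if kind == "name" and self.peek() == ("punct", "("):
            self.next()
            args = []
            if self.peek() != ("punct", ")"):
                args.append(self.expr())
                while self.peek() == ("punct", ","):
                    self.next()
                    args.append(self.expr())
            if self.next() != ("punct", ")"):
                raise SyntaxError("expected ')'")
            if text not in _FUNCS:
                raise NameError(f"unknown function {text}")
            return _FUNCS[text](*args)
        if kind == "name":
            return self.attrs[text]   # KeyError if the source object lacks the attribute
        raise SyntaxError(f"unexpected token {text!r}")


def evaluate(expression, attrs, params=None):
    """Evaluate one attribute flow expression against a source object dict."""
    parser = _Parser(tokenize(expression), attrs, params or {})
    result = parser.expr()
    if parser.peek()[0] is not None:
        raise SyntaxError(f"trailing input: {parser.peek()[1]!r}")
    return result


if __name__ == "__main__":
    # Constructed sample source object, not real data.
    src = {"managed:EmployeeType": "Contractor", "mailNickname": "nimag"}
    print(evaluate('IIF(Eq(managed:EmployeeType, "Contractor"), "v-" + mailNickname'
                   ' + "@microsoft.com", mailNickname + "@microsoft.com")', src))
```

Because the evaluator raises on an attribute the source object lacks, it also surfaces the case where a flow silently depends on an attribute that is not populated for every object type the rule is scoped to.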
Hopefully this helps bring to light some of the powerful capabilities you now have with the new provisioning features of ILM "2" !
For those of you who have used ILM "2" Beta 3, you have probably used the new codeless provisioning functionality in some form. There is a ton of functionality encapsulated within this one area, and one of the less-talked-about yet centrally important pieces is something we call the Detected Rules Entry (DRE). Do not confuse this with the Expected Rule Entry (ERE) object; they are two ends of two different sticks. The DRE is simply an object that the ILM "2" synchronization engine creates and associates with an ILM-managed object when the engine confirms that the flows defined within a specific Synchronization Rule exist in the connected system. Put another way, the DRE reports the truth about an object's state in a connected system, with Synchronization Rules as the shared vocabulary for describing that state. If the ERE is what we want the state of an object in a connected system to be, the DRE is what that state actually is.
How are DRE's created?
You may have noticed in the Synchronization Rule designer a check box on the attribute flow page that says "Use as Existence Test?". When checked, the conjunction of all flows marked as Existence Tests is evaluated by the synchronization engine against the connectors of any ILM object. This evaluation happens during synchronization of a management agent and, obviously, only for connector objects being processed as part of that synchronization run. If a connector space object is found to meet the conditions of the Synchronization Rule, the synchronization engine creates a DRE object in the metaverse and places a forward link from the ILM metaverse object to which the aforementioned connector object is joined. From the metaverse object's perspective, it has an attribute called "Detected Rules List", a multi-valued reference attribute pointing to all DRE objects associated with it.
Ok, so why should I care?
Aha. This is the important part. DREs allow you to create and launch business processes after a particular state is confirmed to exist within a connected system (think of needing to create a home directory after an AD user account is created). DREs are only ever created from changes confirmed in the connected system, i.e. brought in through an import, which lets you launch actions only after a particular state has actually been pushed to that system. After creation, DREs are pushed via the ILM MA to the ILM Resource Management service. They are then subject to MPR and Process evaluation just like every other change coming to the web service.
Take, for example, an Active Directory user account synchronization rule. You may have anywhere from 5 to 20 flows in it. However, ask yourself this: what is the smallest set of flows needed to confirm that a particular ILM object is associated with a real AD user account? Probably two: one detecting that the userAccountControl attribute is set to 512 (a normal, enabled account) and one matching the sAMAccountName on the user account with the managed:AccountName attribute on the Person object. By marking these two flows as existence tests in the Synchronization Rule designer, you trigger the creation of a DRE whenever the synchronization engine confirms both flows on a connector object.
Some scenarios where this may be useful:
- Triggering the granting of other out-of-band provisioning tasks that require an Active Directory user account to be present prior to launch.
- Compliance detection. DRE's are triggered on changes brought in from other systems. You can use DRE's to detect if somebody has an account in a system which was not granted via ILM, and then use MPR and Process to launch a workflow notifying their manager or an administrator of the existence of such an account.
Caveats in Beta 3:
- Existence flows cannot be defined for function flows and reference attribute flows
- Currently no mechanism to trigger workflow decisions based on the parent object of a DRE
If you read the post on setting up the synchronization rule for the flowing of Computers to AD, you'll notice we make use of a concatenation option to concatenate multiple values and flow them to a destination attribute. Concatenation is an example of a data transformation function that allows you to operate on and transform data you wish to use in the context of an attribute flow or workflow. In ILM "2" you have over a dozen such functions available for you to use. These functions are a critical aspect of "codeless" provisioning in ILM "2".
In future posts I will dive into detail on specific functions and how you can use them to support your scenarios. For now I want to introduce you all to this piece of functionality you may not be aware of. To begin using these functions, either a)create an action workflow with the function activity or b)create an attribute flow for a synchronization rule.
The inclusion of functions in attribute flows means you can construct flows that involve more than just a simple attribute to attribute flow without writing any code. For those of you that are familiar with writing scripted attribute flow in ILM 2007, you'll immediately appreciate some of these functions as they remove the need for writing custom code for many of the attribute flows you require.
It's easy to identify a case where you require the use of a function. Perhaps you wish to generate a random password to flow for a new user account that is provisioned. The screenshot below, from the synchronization rule designer, demonstrates the use of the concatenation and random number functions to create a password that consists of the string "Password" concatenated with a random number. Of course we could define a more complex password, but this illustrates a simple example of how we can use functions.
Stay tuned for a detailed overview of specific functions.
One of the many changes we made across the ILM to support the new declarative synchronization and provisioning concepts (aka 'codeless provisioning') was with the ILM Management Agent (hence forth referred to as ILM MA) configuration experience.
While at first glance the ILM MA may walk, look and act like any of the management agents we have all come to know and love from the MIIS/ILM days, the resemblance is at best superficial. The ILM MA is not your typical management agent; it has a unique design experience tailored to the broader conceptual relationship between the ILM Application Store and the ILM Metaverse. While the two co-exist as independent stores in ILM "2", their relationship should not be thought of in the same vein as the typical relationship between a connected system and the Metaverse. Instead, the ILM Application Store is conceptually equivalent to the ILM Metaverse. Taking this one step further, you should view the Metaverse as transient storage on the road to and from the ILM Application Store, the ultimate location for any data being synchronized into ILM. Seen this way, data moving from Active Directory or another third-party system into the ILM realm immediately comes under the control of the policy and process framework that applies to all data in the ILM Application Store and is at the conceptual heart of the ILM application. (This holds only if all data actually makes it to the Application Store.)
With this view in mind, when we looked at the ILM MA, we wanted to make the experience of setting up the Management Agent between the Metaverse and Application Store to both provide a simple and "replication" like experience as possible. Thus, when you configure the ILM MA, you do not set up join and projection rules, nor do you need to write provisioning code or use Synchronization Rules to move data between the ILM MA connector space and the ILM Metaverse. Instead, you simply map object types from the Metaverse to object types in the Application Store, and then setup the attribute flow relationships between the two. After this point in time the ILM MA will automatically make sure that any new objects which are created in the ILM Application Store of the type specified in the mapping are replicated to the ILM Metaverse as an instance of the second type specified in the aforementioned mapping (and vice versa). The ILM MA thus allows customers the flexibility to connect newly defined ILM Application Store types to existing schema elements that they have created with their existing ILM Metaverse deployments.
Some of you may wonder whether you can use scripted attribute flow and other extension mechanisms within the ILM MA. The answer is no. Transforming data as it flows between the ILM Metaverse and the Application Store would violate the conceptual tenet that the two are logically equivalent. Instead, any desired data transformation should be done either on inbound flow from a connected system into the Metaverse (via a Synchronization Rule or scripted flow) or in the ILM Application Store (as part of a workflow or through a web service call).
If we look at Nima's example of setting up the flow of Computers, his configuration of the ILM MA demonstrates the new mapping functionality. You will notice in the ILM MA that the projection and join screens have been replaced by an Object Type Mapping screen. It is in this screen that you map an Application Store type to its associated Metaverse type. (A known issue in Beta 3 is that your Metaverse type must be prefixed with "managed:" to be visible in the object type selection.)
On the next page, you will then need to configure the attribute flows between the two types. ILM does not attempt to automatically map the attributes themselves and leaves it up to the user to determine how the attributes should be flowed. (Note: only direct flows are supported). The ILM MA also automatically adds a set of built in flows needed to support the replication functionality of the ILM MA, do not delete these!
One topic for ILM “2” that came up repeatedly at TechEd IT Pro North America this year was extensibility. Specifically, many customers asked how the system can be configured to manage an arbitrary resource, enabling them to apply policies to and provision any resource they care about. To demonstrate this, I included a demo in Fred Delombaerde’s extensibility breakout session where we demonstrated how ILM can be configured to manage computers. Part of this demo involved managing computer security group memberships and provisioning new computers to Active Directory.
A few people asked if we had the steps to perform that scenario documented anywhere. Since we didn’t publish a hands on lab for this, I’ve included a step by step to accomplish the scenario below.
What is the objective?
Our goal is to manage computer assets.
Steps to accomplish our goal:
1. Create a Computer object type.
2. Create objects of type Computer.
3. Add the computer objects to a security group called “All Computers”.
4. Have computers provisioned automatically to AD.
How to do it?
1. The first thing we need to do is extend the schema to support computer object types. Create a computer object type.
a. Go to http://localhost/identitymanagement/aspx/schema/Schema.aspx
b. Click on “New” and fill in the details for the new object type as below.
c. Click “Finish” and “Submit”.
d. A computer object type is created now, and we can actually now begin creating and managing computers. If additional attributes beyond those on the base Resource type are desired for computers, you can create them and bind them to the computer object type.
2. Create a new search scope “All Computers”. The search scope will enable selecting computers to add to a group later on.
a. Go to Administrative Settings > Search Scope Configuration: http://localhost/identitymanagement/aspx/customized/CustomizedObjects.aspx?type=SearchScopeConfiguration&display=Search+Scope+Configuration
b. Click on “New” and fill in the fields as below.
Click “Finish” and “Submit”
c. Go to Run->Cmd and run “iisreset”.
Syncing Computers to the Metaverse:
To provision computers to downstream systems, we must first represent them in the metaverse. Computer objects can be sync’ed to the metaverse through a combination of configuration in the portal and in the ILM MA screens within the Identity Manager. The overall steps for replicating Computer objects in the portal are:
1.) Add the Computer object type to the Synchronization Filter (such that the ILM MA can see it).
2.) Configure the App Store <-> Metaverse object type mapping within the ILM MA that will replicate computers into the metaverse.
1. Go to the “All Resources” page.
2. Click on Page 2, and click on Synchronization Filter.
3. There will be a single Synchronization Filter object defined.
4. Add Computer to the Synchronize ObjectType Description reference attribute.
At this point, Computer objects should now be visible from the ILM MA. Return to Identity Manager and follow these steps:
1.) Click on the ILM MA, and select “Refresh Schema”
2.) You should see a new schema update being pulled back as a result of the previous action.
3.) Go to the MA properties, go to Object Types, click “Show All” and you will see the computer object type.
The next thing you need to do is configure the mapping between the object type in the app store and that in the metaverse. This is new in Beta 3, in that by creating this mapping you will automatically replicate objects from the App store into the Metaverse and vice versa.
Before we can add a mapping for the Computer object, we must first define an object type to represent it in the metaverse.
1. Go to the Metaverse Designer page in Identity Manager and select "Create Object Type" from the list of actions.
2. Specify a name for the new object type and select any attributes you want in the metaverse for this object.
3. Now go back to the ILM MA properties, go to Object Types, click “Show All” and you will see the computer object type. Select it. Note: You will need to repeat this step for the AD MA as well, so that you can define attribute flows for Computers in AD.
4. Go to "Configure Object Type Mappings" in the ILM MA properties and "Add Mapping” between the Computer object and an object type in the metaverse. (Note in beta 3, your metaverse object type has to be prefixed with ‘managed:’ in order to be visible here.)
5. Go to Attribute Flow, you will see the mapping you selected on the previous page visible here. Set up all necessary attribute flows to replicate a Computer object into the managed:Computer object type. Note if you want data to flow both ways you will need to setup flows in both directions.
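The mapping and attribute flows above only describe what should move; nothing reaches the metaverse until the MA's run profiles actually execute. As an added example (not part of the original walkthrough), the following PowerShell runs an MA's run profiles in order through the sync engine's WMI provider (the root\MicrosoftIdentityIntegrationServer namespace and MIIS_ManagementAgent class exposed by the MIIS/ILM sync engine) and stops at the first run that does not report success, so a failed import is not followed by a synchronization over stale or partial data. The MA names (“ILM MA”, “AD MA”) and run profile names are assumptions; substitute the ones you defined in Identity Manager.

```powershell
# Added example, not the walkthrough's own script. Runs an MA's run profiles in
# order via the MIIS_ManagementAgent WMI class and stops on the first non-success
# result. MA and run profile names below are assumptions for the example.

function Invoke-MaRunProfiles {
    param(
        [Parameter(Mandatory)][string]$MaName,
        [Parameter(Mandatory)][string[]]$RunProfiles,
        [string]$ComputerName = '.'   # sync engine host; '.' = local machine
    )
    # Double any single quote so the MA name cannot break the WQL filter
    $safeName = $MaName.Replace("'", "''")
    $ma = Get-WmiObject -ComputerName $ComputerName `
            -Namespace 'root\MicrosoftIdentityIntegrationServer' `
            -Class 'MIIS_ManagementAgent' -Filter "Name = '$safeName'"
    if (-not $ma) { throw "Management agent '$MaName' not found" }

    $results = foreach ($runProfile in $RunProfiles) {
        # Execute() blocks until the run finishes and returns the run result
        # string the engine records ("success" when everything completed cleanly)
        $status = $ma.Execute($runProfile).ReturnValue
        [pscustomobject]@{ MA = $MaName; RunProfile = $runProfile; Result = $status }
        if ($status -ne 'success') {
            Write-Warning "$MaName / $runProfile ended with '$status'; skipping the remaining run profiles"
            break
        }
    }
    $results
}

# Pull computers from the App Store into the metaverse, then push to AD and read back
Invoke-MaRunProfiles -MaName 'ILM MA' -RunProfiles 'Full Import', 'Full Synchronization'
Invoke-MaRunProfiles -MaName 'AD MA'  -RunProfiles 'Export', 'Delta Import'
```

Run it in an elevated session on the sync engine host as a member of the MIISAdmins/ILM operators group; the result strings other than "success" (for example completed-export-errors) are the same ones the Operations view in Identity Manager shows, so the warning tells you which run to open there.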
To begin provisioning computers to AD using processes in ILM, you first need to define a synchronization rule for computers, along with the provisioning process and the Management Policy Rule that triggers it.
1. Create a new synchronization rule for computers.
a. Go to http://localhost/IdentityManagement/aspx/syncrule/AllSyncRules.aspx
b. Click on “New”
c. Specify general information for the synchronization rule and indicate this is an outbound synchronization rule. If we were importing data from AD into ILM this would be an inbound synchronization rule.
d. Proceed to the Scope page, selecting the managed object type representing computers in the metaverse, your AD MA, and the computer object type on the MA as below.
e. Proceed to the Relationship page and specify the relationship criterion used to identify related computers. The example below uses DisplayName as the criterion. Select the object creation option and, if desired, the relationship termination options as below.
f. Proceed to the Outbound Attribute Flow page to define the flows for this synchronization rule. For this example, we will provide the minimum flows required to provision the computer to AD: a flow for our relationship criterion (DisplayName), and one for the dn of the computer.
g. Define the flow for the DisplayName. Click on the “Click to define flow” link and specify the flow as below. Click OK when finished.
h. Define the flow for the dn attribute. Click “New Attribute Flow” and click on the “Click to define flow” link to bring up the flow definition page again.
i. Select “dn” as the “Destination” for the flow.
ii. For the flow’s “Source”, specify the value that should be used.
i. Make sure you’ve selected “Initial Flow Only” for both the flows defined above.
2. Create a new action process to add the synchronization rule to computers that should be provisioned.
a. Go to the processes page in the portal: http://localhost/IdentityManagement/aspx/process/AllProcesses.aspx
b. Click on “New”.
c. Specify some general info about the process as below. Select “Action” as the process type. Click Next to proceed to define the activity.
d. From the list of available activities, select the Synchronization Rule Activity and click “Select”.
e. Select the computer synchronization rule created previously as below, and click save.
f. Now we’re finished defining the provisioning workflow, so click Finish and submit the new process.
3. Create a new set that will contain the computer objects you want to provision.
a. Go to the sets page in the portal: http://localhost/IdentityManagement/aspx/sets/AllSets.aspx
b. Click on “New”.
c. Specify some general info about the set as below and proceed to define the Dynamic Membership of the set.
d. Select the “Enable dynamic membership in current set” option and define the set’s membership criteria. In the example below we’re creating a set of all computers, so we simply select “All computers” from the first line of the filter statement, and do not add any statements or sub conditions to further filter the membership.
e. Click Finish and submit the request to create the new set.
4. Create a new Management Policy Rule to kick off the provisioning process when a new computer is created in ILM.
a. Go to the Management Policies page in the portal: http://localhost/IdentityManagement/aspx/policy/AllPolicies.aspx
b. Click on “New”.
c. Specify some general info about the Management Policy as below and proceed to define the Operation and Users.
d. Specify the operation and users that should trigger the computer provisioning process. In the image below we’ve indicated that the operation we care about is the creation of new objects (computers), and the requestor of the operation can be anyone. Proceed to the Condition After page when finished with this page.
e. Now you must specify the set of resources whose creation should trigger our provisioning process. Here we select the set of “All computers” we defined earlier.
f. Finally we select the provisioning action process we want to run in the Policy Workflows page. Click Finish and we’re done!
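The dn flow in step 1.h is where the portal's free-form DisplayName becomes part of an LDAP distinguished name. As an added example (not the walkthrough's own configuration), this PowerShell builds the values the outbound rule would flow for a computer and shows why the DisplayName has to be validated and escaped before it is concatenated into the dn: an unescaped comma in the name injects an extra RDN, and the object is created somewhere other than the container the rule's author chose. It goes beyond the two minimum flows above by also emitting the sAMAccountName a computer account carries (the name plus a trailing “$”). The target container, the sample names and the NetBIOS validation rule are assumptions for the example.

```powershell
# Added example, not the walkthrough's own sync rule. Builds the attribute
# values an outbound rule would flow for a computer, with the validation and
# RFC 4514 escaping the portal's expression editor does not do for you.
# Container DN and sample names are assumptions.

function ConvertTo-EscapedRdnValue {
    param([Parameter(Mandatory)][string]$Value)
    # RFC 4514: escape , + " \ < > ; anywhere, a leading space or '#', and a trailing space
    $out = New-Object System.Text.StringBuilder
    for ($i = 0; $i -lt $Value.Length; $i++) {
        $c = [string]$Value[$i]
        $escape = ($c -in @(',', '+', '"', '\', '<', '>', ';')) -or
                  ($i -eq 0 -and ($c -eq ' ' -or $c -eq '#')) -or
                  ($i -eq ($Value.Length - 1) -and $c -eq ' ')
        if ($escape) { [void]$out.Append('\') }
        [void]$out.Append($c)
    }
    $out.ToString()
}

function Test-ComputerName {
    param([Parameter(Mandatory)][string]$Name)
    # NetBIOS computer name: 1-15 characters, letters, digits and hyphen only.
    # Reject anything else before a rule turns it into a dn and a sAMAccountName.
    $Name -match '^[A-Za-z0-9-]{1,15}$'
}

function Get-ComputerFlowValues {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [string]$Container = 'CN=Computers,DC=contoso,DC=com'   # assumed target container
    )
    if (-not (Test-ComputerName $DisplayName)) {
        throw "'$DisplayName' is not a valid NetBIOS computer name; refusing to build a dn for it"
    }
    [pscustomobject]@{
        displayName    = $DisplayName
        dn             = 'CN=' + (ConvertTo-EscapedRdnValue $DisplayName) + ',' + $Container
        sAMAccountName = $DisplayName.ToUpperInvariant() + '$'
    }
}

# The well-formed name used in the walkthrough
Get-ComputerFlowValues -DisplayName 'Comp0001' | Format-List

# A crafted display name (constructed for the example). Naive concatenation lets
# the value smuggle in an extra RDN; escaping keeps it a single RDN, and the
# name check rejects it outright.
$crafted = 'Comp0002,OU=Servers'
'Naive:   CN=' + $crafted + ',CN=Computers,DC=contoso,DC=com'
'Escaped: CN=' + (ConvertTo-EscapedRdnValue $crafted) + ',CN=Computers,DC=contoso,DC=com'
try { Get-ComputerFlowValues -DisplayName $crafted } catch { "Rejected: $($_.Exception.Message)" }
```

The practical consequence for the walkthrough: scope the “All computers” set (step 3) or the MPR so that only names passing a check like Test-ComputerName reach the provisioning process, rather than trusting whatever a requester typed into DisplayName.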
Now let’s create a new computer and a security group containing it as its member and see them provisioned to AD.
1. Create instance of Computer object type “Comp0001”
a. Go to http://localhost/identitymanagement/aspx/customized/AllCustomizedObjectTypes.aspx - All Resources
b. Click on “Computer”.
c. Fill in as below.
d. A new object of type Computer, “Comp0001”, is created.
2. Create a Group named “All Computers”
a. Go to the Security Groups page in the portal: http://localhost/identitymanagement/aspx/Groups/CreateSecurityGroup.aspx?Previous=..%2fGroups%2fAllGroups.aspx
b. Fill in as below and click “Next”.
c. Deselect “Administrator”.
d. From the drop-down, select the “All Computers” search scope created earlier.
e. Select “Comp0001” and click “Finish”, then “Submit”.
3. Go to the created group “All Computers” @ http://localhost/identitymanagement/aspx/Groups/AllGroups.aspx
a. Click on the group “All Computers”
b. Go to members section
c. Confirm that the computer object “Comp0001” is listed as a member of the “All Computers” group.
Make sure the sync script that came installed on the Beta 3 VPC is running. After waiting a short while for the data to be synchronized out to AD, open the Active Directory Users and Computers console and verify that the computer was provisioned successfully.
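To check the result without clicking through Active Directory Users and Computers, here is an added PowerShell check (not part of the original post) that uses System.DirectoryServices against the current domain, so it needs no AD module. It confirms the computer exists, that it carries a trust-account sAMAccountName and userAccountControl (which the two minimum flows above do not set), and that the provisioned group lists it as a member. The object and group names match the walkthrough; the search root (the default naming context of the domain the script runs in) is an assumption.

```powershell
# Added example, not from the original walkthrough. Verifies that ILM provisioned
# the computer and its group membership into AD. Uses [adsisearcher]
# (System.DirectoryServices.DirectorySearcher) bound to the current domain.

function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # RFC 4515 escaping (backslash first) so a name cannot alter the filter's structure
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-AdObjectByName {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateSet('computer', 'group')][string]$Class
    )
    $filter   = "(&(objectCategory=$Class)(cn=$(ConvertTo-LdapFilterValue $Name)))"
    $searcher = [adsisearcher]$filter
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'sAMAccountName', 'userAccountControl', 'member'))
    $searcher.FindOne()   # $null when nothing matches
}

function Get-FirstValue {
    param($Result, [string]$Property)
    # SearchResult property collections are empty, not $null, when an attribute is unset
    $values = $Result.Properties[$Property]
    if ($values -and $values.Count -gt 0) { $values[0] } else { $null }
}

function Test-ComputerProvisioned {
    param(
        [string]$ComputerName = 'Comp0001',
        [string]$GroupName    = 'All Computers'
    )
    $computer = Get-AdObjectByName -Name $ComputerName -Class 'computer'
    if (-not $computer) {
        return [pscustomobject]@{ Found = $false; Dn = $null; TrustAccount = $false; InGroup = $false }
    }
    $dn  = [string](Get-FirstValue $computer 'distinguishedname')
    $sam = [string](Get-FirstValue $computer 'samaccountname')
    $uac = [int](Get-FirstValue $computer 'useraccountcontrol')

    $group   = Get-AdObjectByName -Name $GroupName -Class 'group'
    $members = if ($group) { @($group.Properties['member']) } else { @() }

    [pscustomobject]@{
        Found        = $true
        Dn           = $dn
        # A machine can only join with an account whose sAMAccountName ends in '$'
        # and whose userAccountControl has WORKSTATION_TRUST_ACCOUNT (0x1000) set
        TrustAccount = $sam.EndsWith('$') -and (($uac -band 0x1000) -ne 0)
        InGroup      = $members -contains $dn
    }
}

Test-ComputerProvisioned | Format-List
```

TrustAccount = False with Found = True is the expected outcome if you flowed only DisplayName and dn as in the example above: the object exists, but it is not yet an account a machine can join with until the rule also flows sAMAccountName and userAccountControl. The member check reads the group's member attribute directly, which AD returns in ranges for very large groups; for a lab group of a handful of computers a single read is enough.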
This is us! We're Nima Ganjeh and Bobby Gill, two Program Managers working on Microsoft's Identity Lifecycle Manager "2" product. We started this blog to serve as a resource to all of you, both for learning about how the product works and for how to use ILM to solve specific scenarios.
Topics will be driven by feedback we receive from you, the Beta 3 newsgroup, requests from customers, as well as things we think would be great sources of knowledge for you.
If you're scratching your head wondering what ILM is right now, we urge you to check out http://www.microsoft.com/windowsserver/ilm2/default.mspx
If you don't feel like reading, check out the videos below, which will give you a very brief outline of what ILM is all about:
In the following video Bobby walks through some of the core ILM "2" IT Pro scenarios and dives into using ILM's codeless provisioning feature to provision users into Active Directory.
Next up is Alym, who in this video talks about how ILM "2" impacts end-users and knowledge workers, specifically focusing in on ILM "2" group management capabilities and password reset functionality:
Want more? Join the ILM "2" public beta program! Doing so will get you not only access to the Beta 3 bits of ILM "2" but also access to a wealth of knowledge being shared among other Beta program participants. You can sign up for the Beta at:
http://connect.microsoft.com/