Note:? All references to MIIS in this article also apply to IIFP.

Configuring IIFP to Sync User Attributes

In the first part of this article series I covered installing IIFP.  In this part I will cover configuring IIFP to synchronize attributes of user objects between two different domains.  This entails creating management agents that will communicate with both the source and target domains.  Next run profiles need to be created that execute that tasks of importing and exporting information to and from the domains.  In the third part of this article series I will cover the code required to have IIFP or MIIS actually create users in the target domain.  Without custom code IIFP will only be able to synchronize attributes on existing objects in both domain, this process is the focus of this article.

Creating Management Agents (MAs)

Management agents are used by IIFP/MIIS to define data sources to import or export information to or from the metaverse (SQL database).? A MA can be created so that only certain objects and certain attributes of those objects are imported into the metaverse.? Others can be defined so they both import and export objects to and from the metaverse.? Rules can be defined on the MAs that determine if new objects are created in the metaverse, based on objects that have been discovered in the data source.? These rules can also be used to determine how new or existing connector objects are linked to connectors that might already exist in the metaverse.? For example, John Smith has a JSmith account in the Domain A, JaSmith in Domain B, JS1234 in the HR database, and extension 5467 in the phone system.? If MAs are created for each of these data sources, four total, rules will need to be defined so that MIIS knows how to link all four of these identities together.? When each of the MAs run, they will, in most cases, import a connector object for each instance of the John Smith?s identity into the metaverse.? Rules can also be defined on each of these MAs that will determine if a new connector object will be created in the other data sources, called projecting in MIIS, for John Smith.? Normally only one MA will have a projection rule setup, most commonly an HR system.? In addition, join rules can be defined that tell the MA to look for existing connector objects in the metaverse for John Smith, and to join those connector objects, or identities, together.? For these to work, there must be a field or fields on each connector object that can be used to link the identities together.? For example, in Domain A, John?s employee ID number is stored in the employeeID attribute.? When the MA runs for Domain A, it could query the metaverse for an existing object with a matching employee ID.? If one is found, the connector object for John Smith in Domain A will be linked to the existing object in the metaverse.? If the employee ID was stored on a field or attribute on each of John?s identities in each of the data sources, this one field could be used to link all of the identities together.? MIIS can use any single or multiple attributes from the data source to link objects together.? If an employee ID did not exist in the phone system, then first name and last name could both be used to link John Smith?s object in the metaverse to his telephone system record.? Rules extensions can be used to carryout more complex linking or joining logic inside of VB or C# code.

The MAs also control which attributes and the direction attribute values will flow.? Some attributes can be defined to only import information into the metaverse while others can be used to both import and export values.? To control which objects are processed by the MA, filters are used. ?For the AD and ADAM connectors, OUs or containers are part of the filter.? These filters can be based on any attribute of objects in the data source.? For example, only objects where Department=Sales could be processed by the MA.? Basic deprovisioning options are set on the MA, in most cases a rules extension (code) is used to disable, move, and/or delete objects in the data source.? The last two settings stored with the MA determine what rules extension DLL is used and if password management will be enabled.

With the above knowledge, lets go though the process of creating an MA for the Active Directory.

A.    Creating a MA for the source domain (DOMAIN B in this example)

1.      Open up the Identity Manager console by going to Start\All Programs\Identity Integration feature Pack\Identity Manager

2.      Click the Management Agents button

3.      Click Create under actions to the right

4.      Confirm that ?Active Directory? is selected from the ?Management agent for:? drop-down list and click Next >

5.      Enter the connection properties for the source AD domain

a.       Enter in ?Source Domain? in the Name: field and click Next >

b.      Enter in the DNS name for the source AD in the ?Forest name:? field

c.       Enter in a username, password, and domain for an account that has at least read rights to objects you want to get data from and click Next >

6.      On the Configure Directory Partitions screen, do the following

a.       Check the directory partition shown

b.      Uncheck ?Sign and encrypt LDAP traffic?

?         This requires additional steps not covered in this article.

c.       Click Containers

i)        Unclick the root container, which will unselect all sub-containers

ii)      Select the container that contains the users that you want to sync to the target domain
?

?         Multiple containers can be selected and MIIS will include all objects under the selected containers by default.? For testing purposes, create a new OU and a handful of users in that OU.? Make sure these OUs have several of their attributes populated, such as first name, last name, city, state, street address, etc.? Then select that OU in the step above.

iii)    Click OK once the container is selected

d.      Confirm that the objects selected match those below

?         The directory partition shown will be based on your environment.

e.       Click Next >