Step 10: Create FIM management agents

 

Applies To: Forefront Identity Manager

To complete the configuration of the test lab, you must create nine Forefront Identity Manager 2010 (FIM) management agents that provide the interface between FIM and the external data systems whose identity data is synchronized by FIM.

To create the HRPerson MA

  1. Log on to FIM1 as CORP\Administrator.

  2. Click Start, click All Programs, click Microsoft Forefront Identity Manager, and then click Synchronization Service.

  3. In Synchronization Service Manager, click Management Agents.

  4. Under Actions, click Create.

  5. In the Create Management Agent wizard, in the Management agent for list, click SQL Server.

  6. In Name, type HRPerson, and then click Next.

  7. On the Connect to Database page, in Server, type APP1, in Database, type HR, and then in Table/View, type emp.

  8. In User name, type Administrator, in Password, type the password of the CORP\Administrator account, in Domain, type CORP, and then click Next.

  9. On the Configure Columns page, click Next.

  10. On the Configure Connector Filter page, click Next.

  11. On the Configure Join and Projection Rules page, click New Join Rule.

  12. In the Join Rule for Person dialog box, in the Data source attribute list, click EmpAccountName, in the Metaverse object type list, click person, in the Metaverse attribute list, click accountName, and then click Add Condition. In the warning that appears, click OK.

  13. Click OK to close the Join Rule for Person dialog box.

  14. On the Configure Join and Projection Rules page, click New Projection Rule.

  15. In the Projection dialog box, click OK.

  16. On the Configure Join and Projection Rules page, click Next.

  17. On the Configure Attribute Flow page, in Build Attribute Flow, in the Data source attribute list, click EmpAccountName, click Direct, click Import, in the Metaverse attribute list, click sn, and then click New.

  18. Repeat the preceding step, substituting the settings in the following table:

    Data Source attribute    Metaverse attribute
    EmpAccountName           givenName
    EmpAccountName           cn
    EmpDepartment            department
    EmpEmployeeID            employeeID
    EmpName                  displayName
    EmpFunction              jobTitle
    EmpName                  description
    <dn>                     csObjectID
    EmpAccountName           accountName
    EmpAccountName           objectID
    EmpEmail                 email
    EmpType                  employeeType

  19. On the Configure Attribute Flow page, click Next.

  20. On the Configure Deprovisioning page, click Next.

  21. On the Configure Extensions page, click Finish.

  22. In Synchronization Service Manager, click HRPerson, and then, under Actions, click Configure Run Profiles.

  23. In the Configure Run Profiles for “HRPerson” dialog box, click New Profile.

  24. In the Configure Run Profile wizard, on the Profile Name page, type Import Employees from HR, and then click Next.

  25. On the Configure Step page, in the Type list, click Full Import and Full Synchronization, and then click Next.

  26. On the Management Agent Configuration page, click Finish.

  27. In the Configure Run Profiles for “HRPerson” dialog box, click OK.

To create the HROrg MA

  1. In Synchronization Service Manager, click Management Agents.

  2. Under Actions, click Create.

  3. In the Create Management Agent wizard, in the Management agent for list, click SQL Server.

  4. In Name, type HROrg, and then click Next.

  5. On the Connect to Database page, in Server, type APP1, in Database, type HR, and then in Table/View, type org.

  6. In User name, type Administrator, in Password, type the password of the CORP\Administrator account, in Domain, type CORP, and then click Next.

  7. On the Configure Columns page, click Set Anchor.

  8. In the Set Anchor dialog box, in the Available attributes list, click OrgID, and then click Add.

  9. In the Selected attributes list, click id, click Remove, and then click OK.

  10. On the Configure Columns page, click Object Type.

  11. In the Set Object Type dialog box, click Fixed object type, type organization, and then click OK.

  12. On the Configure Columns page, click Next.

  13. On the Configure Connector Filter page, click Next.

  14. On the Configure Join and Projection Rules page, click New Projection Rule.

  15. In the Projection dialog box, in the Metaverse object type, click organization, and then click OK.

  16. On the Configure Join and Projection Rules page, click Next.

  17. On the Configure Attribute Flow page, in Build Attribute Flow, in the Data source attribute list, click Organization, click Direct, click Import, in the Metaverse attribute list, click description, and then click New.

  18. Repeat the preceding step, substituting the settings in the following table:

    Data Source attribute    Metaverse attribute
    Parent                   company
    Organization             displayName

  19. On the Configure Attribute Flow page, click Next.

  20. On the Configure Deprovisioning page, click Next.

  21. On the Configure Extensions page, click Finish.

  22. In Synchronization Service Manager, click HROrg, and then, under Actions, click Configure Run Profiles.

  23. In the Configure Run Profiles for “HROrg” dialog box, click New Profile.

  24. In the Configure Run Profile wizard, on the Profile Name page, type Import orgunits from HR, and then click Next.

  25. On the Configure Step page, in the Type list, click Full Import and Full Synchronization, and then click Next.

  26. On the Management Agent Configuration page, click Finish.

  27. In the Configure Run Profiles for “HROrg” dialog box, click OK.

To create the AMCOrgunits MA

  1. In Synchronization Service Manager, click Management Agents.

  2. Under Actions, click Create.

  3. In the Create Management Agent wizard, in the Management agent for list, click Access Management (Microsoft).

  4. In Name, type AMCOrgunits, and then click Next.

  5. On the Connectivity page, in the Authentication Mode list, click Integrated Authentication, in User Name, type Administrator, in Password, type the password for the CORP\Administrator account, in Domain, type CORP, in B1 Database Server, type APP1, in Database Name, type B1, and then click Next.

  6. On the Configure Partitions and Hierarchies page, click Next.

  7. On the Select Object Types page, select Organizational unit, and then click Next.

  8. On the Select Attributes page, select all attributes, and then click Next.

  9. On the Configure Anchors page, click Next.

  10. On the Configure Connector Filter page, click Next.

  11. On the Configure Join and Projection Rules page, click New Projection Rule.

  12. In the Projection dialog box, in the Metaverse object type list, click organization, and then click OK.

  13. On the Configure Join and Projection Rules page, click Next.

  14. On the Configure Attribute Flow page, in Build Attribute Flow, in the Data source attribute list, click bholdDescription, click Direct, click Export, in the Metaverse object type list, click organization, in the Metaverse attribute list, click description, and then click New.

  15. In the Data source attribute list, click Parent, click Direct, click Export, in the Metaverse attribute list, click company, and then click New.

  16. On the Configure Attribute Flow page, click Next.

  17. On the Configure Deprovisioning page, click Next.

  18. On the Configure Extensions page, click Finish.

  19. In Synchronization Service Manager, click AMCOrgunits, and then, under Actions, click Configure Run Profiles.

  20. In the Configure Run Profiles for “AMCOrgunits” dialog box, click New Profile.

  21. In the Configure Run Profile wizard, on the Profile Name page, type Export to BHOLD, and then click Next.

  22. On the Configure Step page, in the Type list, click Export, and then click Next.

  23. On the Management Agent Configuration page, click Finish.

  24. In the Configure Run Profiles for “AMCOrgunits” dialog box, click OK.

To create the AMCUsers MA

  1. In Synchronization Service Manager, click Management Agents.

  2. Under Actions, click Create.

  3. In the Create Management Agent wizard, in the Management agent for list, click Access Management (Microsoft).

  4. In Name, type AMCUsers, and then click Next.

  5. On the Connectivity page, in the Authentication Mode list, click Integrated Authentication, in User Name, type Administrator, in Password, type the password for the CORP\Administrator account, in Domain, type CORP, in B1 Database Server, type APP1, in Database Name, type B1, and then click Next.

  6. On the Configure Partitions and Hierarchies page, click Next.

  7. On the Select Object Types page, select the User check box, and then click OK.

  8. On the Select Attributes page, select all the attributes in the list, and then click Next.

  9. On the Configure Anchors page, click Next.

  10. On the Configure Connector Filter page, click New.

  11. In the Filter for person dialog box, in the Data source attribute list, click bholdDefAlias, in the Operator list, click Is not present, click Add Condition, and then click OK.

  12. On the Configure Connector Filter page, click Next.

  13. On the Configure Join and Projection Rules page, click New Projection Rule.

  14. In the Projection dialog box, in the Metaverse object type list, click person, and then click OK.

  15. On the Configure Join and Projection Rules page, click Next.

  16. On the Configure Attribute Flow page, in Build Attribute Flow, in the Data source attribute list, click bholdDescription, click Direct, click Export, in the Metaverse attribute list, click displayName, and then click New.

  17. Repeat the previous step, substituting the values in the following table:

    Data source attribute    Metaverse attribute
    OrganizationalUnit       department
    BholdDefAlias            accountName
    bholdDomain              domain
    JobTitle                 jobTitle
    Email                    email

  18. In the Data source attribute list, click Domain, click Advanced, click Export, and then click New.

  19. In the Advanced Export Attribute Flow Options dialog box, click Constant, in Value, type CORP, and then click OK.

  20. On the Configure Attribute Flow page, click Next.

  21. On the Configure Deprovisioning page, click Stage a delete on the object for the next export run, and then click Next.

  22. On the Configure Extensions page, click Finish.

  23. In Synchronization Service Manager, click AMCUsers, and then, under Actions, click Configure Run Profiles.

  24. In the Configure Run Profiles for “AMCUsers” dialog box, click New Profile.

  25. In the Configure Run Profile wizard, on the Profile Name page, type Export to BHOLD, and then click Next.

  26. On the Configure Step page, in the Type list, click Export, and then click Next.

  27. On the Management Agent Configuration page, click Finish.

  28. In the Configure Run Profiles for “AMCUsers” dialog box, click New Step.

  29. In the Configure Run Profile wizard, on the Configure Step page, in the Type list, click Delta Synchronization, and then click Next.

  30. On the Management Agent Configuration page, click Finish.

  31. In the Configure Run Profiles for “AMCUsers” dialog box, click OK.

To create the ADUsers MA

  1. In Synchronization Service Manager, click Management Agents.

  2. Under Actions, click Create.

  3. In the Create Management Agent wizard, in the Management agent for list, click Active Directory Domain Services.

  4. In Name, type ADUsers, and then click Next.

  5. On the Connect to Active Directory Forest page, in Forest Name, type corp.contoso.com, in User name, type Administrator, in Password, type the password for the CORP\Administrator account, in Domain, type corp, and then click Next.

  6. On the Configure Directory Partitions page, select the DC=corp,DC=contoso,DC=com check box, and then click Containers.

  7. In the Select Containers dialog box, clear the DC=corp,DC=contoso,DC=com check box, select the FIMManaged check box, and then click OK.

  8. On the Configure Directory Partitions page, click Next.

  9. On the Configure Provisioning Hierarchy page, click Next.

  10. On the Select Object Type page, select the following check boxes, and then click Next:

    • container

    • domainDNS

    • organizationalUnit

    • user

  11. On the Select Attributes page, select the Show All check box, select the following check boxes, and then click Next:

    • department

    • description

    • displayName

    • employeeID

    • mail

    • objectSid

    • sAMAccountName

    • title

    • unicodePwd

    • userAccountControl

    • userPrincipalName

  12. On the Configure Connector Filter page, click Next.

  13. On the Configure Join and Projection Rules page, under Data Source Object Type, click user, and then click New Join Rule.

  14. In the Join Rule for user dialog box, in the Data source attribute list, click sAMAccountName, in the Metaverse object type list, click person, in the Metaverse attribute list, click accountName, click Add Condition, in the warning click OK, and then in the dialog box, click OK.

  15. On the Configure Join and Projection Rules page, click New Projection Rule.

  16. In the Projection dialog box, in the Metaverse object type list, click person, and then click OK.

  17. On the Configure Join and Projection Rules page, click Next.

  18. On the Configure Attribute Flow page, in Build Attribute Flow, in the Data source object type list, click user, in the Data source attribute list, click description, click Export, select the Allow Nulls check box, in the Metaverse object type list, click person, in the Metaverse attribute list, click description, and then click New.

  19. Repeat the previous step, substituting the values in the following table:

    Data source attribute    Row Direction    Allow Nulls    Metaverse attribute
    displayName              Export           Yes            description
    employeeID               Export           Yes            employeeID
    sAMAccountName           Export           Yes            accountName
    mail                     Export           Yes            email
    title                    Export           Yes            jobTitle
    department               Export           Yes            department
    userPrincipalName        Export           No             accountName
    objectSid                Import           No             objectSid
    <dn>                     Import           No             objectID

  20. In the Data source attribute list, click userAccountControl, click Advanced, click Export, and then click New.

  21. In the Advanced Export Attribute Flow Options dialog box, click Constant, type 66048, and then click OK.

  22. In the Data source attribute list, click unicodePwd, click Advanced, click Export, and then click New.

  23. In the Advanced Export Attribute Flow Options dialog box, click Constant, type T3mpP@55, and then click OK.

  24. In the Metaverse attribute list, click domain, click Advanced, click Import, and then click New.

  25. In the Advanced Import Attribute Flow Options dialog box, click Constant, type CORP, and then click OK.

  26. On the Configure Attribute Flow page, click Next.

  27. On the Configure Deprovisioning page, click Stage a delete on the object for the next export run, and then click Next.

  28. On the Configure Extensions page, click Finish.

  29. In Synchronization Service Manager, click ADUsers, and then, under Actions, click Configure Run Profiles.

  30. In the Configure Run Profiles for “ADUsers” dialog box, click New Profile.

  31. In the Configure Run Profile wizard, on the Profile Name page, type Export and import AD users, and then click Next.

  32. On the Configure Step page, in the Type list, click Export, and then click Next.

  33. On the Management Agent Configuration page, verify the following settings, and then click Finish:

    Setting                 Value
    Partition               DC=corp,DC=contoso,DC=com
    Batch size (objects)    100
    Page size (objects)     500
    Timeout (in seconds)    120

  34. In the Configure Run Profiles for “ADUsers” dialog box, click New Step.

  35. In the Configure Run Profile wizard, on the Configure Step page, in the Type list, click Full Import and Full Synchronization, and then click Next.

  36. On the Management Agent Configuration page, ensure that the settings match the previous table, and then click Finish.

  37. In the Configure Run Profiles for “ADUsers” dialog box, click New Profile.

  38. In the Configure Run Profile wizard, on the Profile Name page, type Sync, and then click Next.

  39. On the Configure Step page, in the Type list, click Full Import and Full Synchronization, and then click Next.

  40. On the Management Agent Configuration page, ensure that the settings match the previous table, and then click Finish.

  41. In the Configure Run Profiles for “ADUsers” dialog box, click OK.
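
The constants typed in steps 21 and 23 of the ADUsers procedure give every account this management agent provisions the same initial password and a userAccountControl of 66048, which decodes to NORMAL_ACCOUNT plus DONT_EXPIRE_PASSWORD. The following Python code is an added example, not part of the original lab guide: it decodes the value and flags enabled accounts that are still in that provisioning state. The account records, the five-minute grace window, and the function names are constructed for illustration.

```python
from datetime import datetime, timedelta

# Documented Active Directory userAccountControl bit flags (subset).
UAC_FLAGS = {0x0002: "ACCOUNTDISABLE", 0x0200: "NORMAL_ACCOUNT",
             0x10000: "DONT_EXPIRE_PASSWORD"}
FILETIME_EPOCH = datetime(1601, 1, 1)

def decode_uac(value):
    """Names of the known flags set in a userAccountControl value."""
    return [name for bit, name in UAC_FLAGS.items() if value & bit]

def from_filetime(ft):
    """pwdLastSet is stored as 100-ns ticks since 1601-01-01 (UTC)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def to_filetime(dt):  # inverse of from_filetime, used only to build samples
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def audit(accounts, grace=timedelta(minutes=5)):
    """Return (name, reasons) for enabled accounts still in provisioning state."""
    findings = []
    for acct in accounts:
        flags = decode_uac(acct["userAccountControl"])
        if "ACCOUNTDISABLE" in flags:
            continue  # disabled accounts cannot be logged on to
        reasons = []
        if "DONT_EXPIRE_PASSWORD" in flags:
            reasons.append("password never expires")
        if from_filetime(acct["pwdLastSet"]) - acct["whenCreated"] <= grace:
            reasons.append("password unchanged since provisioning")
        if reasons:
            findings.append((acct["sAMAccountName"], reasons))
    return findings

# Constructed sample records (hypothetical users, not from the lab).
T0 = datetime(2024, 1, 10, 9, 0, 0)
SAMPLE = [
    {"sAMAccountName": "jdoe", "userAccountControl": 66048, "whenCreated": T0,
     "pwdLastSet": to_filetime(T0 + timedelta(seconds=2))},
    {"sAMAccountName": "asmith", "userAccountControl": 66048, "whenCreated": T0,
     "pwdLastSet": to_filetime(T0 + timedelta(days=51))},
    {"sAMAccountName": "bwong", "userAccountControl": 512, "whenCreated": T0,
     "pwdLastSet": to_filetime(T0 + timedelta(days=36))},
    {"sAMAccountName": "old1", "userAccountControl": 66050, "whenCreated": T0,
     "pwdLastSet": to_filetime(T0)},
]

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

In a real directory, the same three attributes (userAccountControl, whenCreated, pwdLastSet) would be read from the user objects in the FIMManaged container that the ADUsers MA targets.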

Next step

To continue building the BHOLD Access Management Connector test lab, see Step 11: Verify the installation.