Have you ever developed a custom data feed that populates employee information in one of your systems? Do you struggle with account management in your Active Directory? If you answered yes to either of these questions, rest assured because identity management can ease your pain. Managing user accounts through identity management not only saves your organization time and money; it also eases the burden on your end-users and enhances security. For example, with an identity management solution, you can configure security using company organizational membership and security credential pass-throughs to minimize the number of accounts a user must remember.
Although clearly an efficient solution, identity management is also involved. It requires adding, modifying, and removing user account information in places such as your Active Directory, Lotus Notes name and address book, and applications. Luckily, some helpful tools make the task easier. One of the more helpful is Microsoft Identity Integration Server (MIIS) 2003.
MIIS enables you to facilitate the identity management process. With MIIS, you can do things such as create and modify accounts in your Active Directory based on data pulled from your human resources database. This article provides an overview of MIIS and then dives into sample code to give you an idea of the development skills and knowledge involved in creating an MIIS solution.
Overview of MIIS
MIIS consists of a service with a back-end SQL Server 2000 database that contains configuration information and data. Figure 1 depicts the logical pieces of MIIS.
Figure 1. The Logical Pieces of MIIS
Data from a data source flows into and out of MIIS to an area called the Connector Space. Objects in MIIS are roughly equivalent to records in a database, and objects in the Connector Space are aptly called connector objects. When connector objects are created in the Connector Space, MIIS assigns them each a GUID.
Connector objects contain attributes. As an object is roughly equivalent to a record, attributes are the fields in the record. The anchor attribute in a connector object is frequently the key field in the data source feeding the Connector.
The Metaverse is the home for any data you want to send to other systems. Outbound objects are data moving out of the Metaverse. Inbound data are objects updating the Metaverse. Data moves out of the Connector Space into the Metaverse through a process called projection. A management agent choreographs the process of moving data into and out of the Connector Space using the following operations:
- Import (Staging): Moves data into the Connector Space
- Synchronization: Moves data into and out of the Metaverse
- Export: Moves data out of the Connector Space
MIIS records whether an object was changed or added as the data moves through the operations above. Recording changes allows MIIS to move only data that has changed, thus allowing processing to work more efficiently.
As data is exported to another data source, a process called provisioning adds new data to the data source and a process called deprovisioning disables or removes the data from the data source. The sections to follow cover more MIIS details, but the next first offers some background on the example code for this article.
Description of the Example
The example code is meant to simulate a typical MIIS scenario. It treats the Northwind data that comes with SQL Server 2000 as a source for employee information. It sends the EmployeeID, FirstName, LastName, and HireDate fields from the Northwind employee table into the Metaverse and then to another SQL Server 2000 database.
Identity Manager: Administration Central
All operations and much of MIIS development are controlled from the identity manager (see Figure 2).
Figure 2. The Identity Manager
Identity manager is divided into three primary tools: operations, management agents, and Metaverse Designer. Operations allow you to view the activity occurring in MIIS. An upcoming section will discuss management agents in more detail. The next looks at Metaverse Designer.
Updating the Metaverse Using Metaverse Designer
As discussed previously, all objects flow into the Metaverse and then out to the target system. The Metaverse contains the data you want to integrate with your various systems. You must create two things in the Metaverse: first, an object and then attributes for the object. The dialog shown in Figure 3 appears when you select the "Create Object Type" option from the Metaverse Designer tool.
Figure 3. The "Create Object Type" Dialog
Once you've selected "Create Object Type", you enter a name for the object and either select existing attributes or create new attributes. The "New Attribute" dialog is straightforward (see Figure 4).
Figure 4. The "New Attribute" Dialog
In the attribute type drop-down, Number contains integer data, Boolean contains Boolean data, and other datatypes can be configured as string attribute types. You also can index data to allow for better database access. Attribute names in the Metaverse must be unique.
Now that you've created a Metaverse object, it's time to populate the Metaverse. Management agents control how data moves into and out of the Metaverse.