Identity Management with Microsoft Identity Integration Server

Have you ever developed a custom data feed that populates employee information in one of your systems? Do you struggle with account management in your Active Directory? If you answered yes to either of these questions, rest assured because identity management can ease your pain. Managing user accounts through identity management not only saves your organization time and money; it also eases the burden on your end-users and enhances security. For example, with an identity management solution, you can configure security using company organizational membership and security credential pass-throughs to minimize the number of accounts a user must remember.

Although clearly an efficient solution, identity management is also involved. It requires adding, modifying, and removing user account information in places such as your Active Directory, Lotus Notes name and address book, and applications. Luckily, some helpful tools make the task easier. One of the more helpful is Microsoft Identity Integration Server (MIIS) 2003.

MIIS enables you to facilitate the identity management process. With MIIS, you can do things such as create and modify accounts in your Active Directory based on data pulled from your human resources database. This article provides an overview of MIIS and then dives into sample code to give you an idea of the development skills and knowledge involved in creating an MIIS solution.

Overview of MIIS

MIIS consists of a service with a back-end SQL Server 2000 database that contains configuration information and data. Figure 1 depicts the logical pieces of MIIS.

Figure 1. The Logical Pieces of MIIS

Data from a data source flows into and out of MIIS to an area called the Connector Space. Objects in MIIS are roughly equivalent to records in a database, and objects in the Connector Space are aptly called connector objects. When connector objects are created in the Connector Space, MIIS assigns them each a GUID.

Connector objects contain attributes. As an object is roughly equivalent to a record, attributes are the fields in the record. The anchor attribute in a connector object is frequently the key field in the data source feeding the Connector.

The Metaverse is the home for any data you want to send to other systems. Outbound objects are data moving out of the Metaverse. Inbound data are objects updating the Metaverse. Data moves out of the Connector Space into the Metaverse through a process called projection. A management agent choreographs the process of moving data into and out of the Connector Space using the following operations:

  • Import (Staging): Moves data into the Connector Space
  • Synchronization: Moves data into and out of the Metaverse
  • Export: Moves data out of the Connector Space

MIIS records whether an object was changed or added as the data moves through the operations above. Recording changes allows MIIS to move only data that has changed, thus allowing processing to work more efficiently.

As data is exported to another data source, a process called provisioning adds new data to the data source and a process called deprovisioning disables or removes the data from the data source. The sections to follow cover more MIIS details, but the next first offers some background on the example code for this article.

Description of the Example

The example code is meant to simulate a typical MIIS scenario. It treats the Northwind data that comes with SQL Server 2000 as a source for employee information. It sends the EmployeeID, FirstName, LastName, and HireDate fields from the Northwind employee table into the Metaverse and then to another SQL Server 2000 database.

Identity Manager: Administration Central

All operations and much of MIIS development are controlled from the identity manager (see Figure 2).

Figure 2. The Identity Manager

Identity manager is divided into three primary tools: operations, management agents, and Metaverse Designer. Operations allow you to view the activity occurring in MIIS. An upcoming section will discuss management agents in more detail. The next looks at Metaverse Designer.

Updating the Metaverse Using Metaverse Designer

As discussed previously, all objects flow into the Metaverse and then out to the target system. The Metaverse contains the data you want to integrate with your various systems. You must create two things in the Metaverse: first, an object and then attributes for the object. The dialog shown in Figure 3 appears when you select the "Create Object Type" option from the Metaverse Designer tool.

Figure 3. The "Create Object Type" Dialog

Once you've selected "Create Object Type", you enter a name for the object and either select existing attributes or create new attributes. The "New Attribute" dialog is straightforward (see Figure 4).

Figure 4. The "New Attribute" Dialog

In the attribute type drop-down, Number contains integer data, Boolean contains Boolean data, and other datatypes can be configured as string attribute types. You also can index data to allow for better database access. Attribute names in the Metaverse must be unique.

Now that you've created a Metaverse object, it's time to populate the Metaverse. Management agents control how data moves into and out of the Metaverse.

Identity Management with Microsoft Identity Integration Server

Configuring a Management Agent

Management agents are the lifeblood of MIIS. They manage Connector Spaces, as well as the configuration of data that flows into the Metaverse. The configuration options in this example have been simplified in keeping with the introductory theme of the article. However, as with many configuration settings in MIIS, you can also customize using the MIIS SDK and Visual Studio.

To create a new management agent, access the Management Agent button on the toolbar and select "Create" from the Actions menu. As you can see in the Management Agent setup dialog in Figure 5, you have a variety of management agents available to you.

Figure 5. The Management Agent Setup Dialog

In fact, you are not limited to the management agents in the list. MIIS ships with an SDK that includes documentation for creating your own management agent.

In this example, you create two management agents: one that controls the data flowing to the HumanResourceData object in the Metaverse, and another that controls data flowing out of the HumanResourceData object. You then will move data into and out of SQL Server 2000 databases, so you must create SQL Server management agents.

The first step to configuring a SQL Server 2000 management agent is choosing a server and a table or view (see Figure 6). A stored procedure is not an option.

Figure 6. Choose a Server and a Table or View

If you select Integrated Authentication, you must enter a user name and domain.

Once you've specified the database information, the MIIS management agent reads the table configuration and sets appropriate information in the Connector Space. The dialog in Figure 7 displays the table column configuration information.

Figure 7. The Table Column Configuration Information

The two major things to configure in this dialog are the anchor (or key field in the originating table) and the object type of the Connector.

The next major piece of information to configure for the MIIS management agent is the projection rules. You can configure information to flow into the Metaverse in two ways: project rules and join rules. The techniques that MIIS uses to determine when to copy new objects to the Metaverse differ for each option. Project rules insert all data from the source to the Metaverse object as specified in the Projection dialog (see Figure 8).

Figure 8. The Projection Dialog

Join rules perform the equivalent of a database update. When you apply join rules, you update existing objects in the Metaverse to match the join rules you configured in the management agent.

The final piece of configuration information for the new management agent is the attribute data flows. Attribute data flows map the incoming or outgoing data to fields (attributes) in the Metaverse. Figure 9 shows the attribute data flow for Northwind data flowing into the Metaverse.

Figure 9. Northwind Data Flowing into the Metaverse

The management agent for data flowing out of the Metaverse differs in the following fundamental ways:

  • It contains no projection rules.
  • The attribute flows point to the outgoing data source from the Metaverse.
  • The anchor value attribute data flow is missing in the configuration information.
  • For deployment and version control, you can export all configuration information to XML.

Now that you've configured a management agent, it's time to define the processes to initiate importing, exporting, and synchronization.

Identity Management with Microsoft Identity Integration Server

Copying Data to the Metaverse: Import and Synchronization

Management agents control importing (staging), exporting, and synchronization through run profiles. Run profiles consist of a series of operations called steps, which can be combined (for example, import and synchronization or separated). Figure 10 shows the configuration screen for a run step.

Figure 10. The Configuration Screen for a Run Step

Run profiles can be executed manually or exported to VBScript to be scheduled in some other tool, such as a job in the SQL Server agent.

The example created a run profile called "Import" that imports (stages) the Northwind object type. It also created a synchronization run profile called "Sync" that moves the staged Northwind objects into the Metaverse according to the projection rules and attribute flows you defined previously. It then continued the synchronization process with the "TestDatabase" Connector Space managed by the agent called "MetaverseToExternalDB." Figure 11 presents a summary of the results you will see when you run the "Sync" run profile.

Figure 11. Results From Running The "Sync" Run Profile

You may have noticed that, when you run a synchronization step, the synchronization process continues with all Connector Spaces impacted by the changes to the data. You may have also noticed the Provisioning Adds section.

MIIS Export and Provisioning

As mentioned previously, provisioning is the process by which the accounts are created. To create new objects in an outbound Connector Space, you must create and configure a Metaverse rules extension assembly using Visual Studio.NET. To begin, select "Options" in the Tools menu. The "Options" dialog will appear (see Figure 12).

Figure 12. The "Options" Dialog

The "Create Rules Extension Project" option opens a new Visual Studio.NET project, complete with a class and the appropriate stub functions. The IMVSynchronization.Provision function is the only function you must code to perform provisioning. Sample code appears below:

void IMVSynchronization.Provision (MVEntry mventry)
{
   CSEntry csentry;
   ConnectedMA ManagementAgent;   // Management agent object
   int Connectors = 0;            // Management agent connectors
   ReferenceValue DN;             // Distinguished name attribute

   csentry = null;

   if(mventry["EmpID"].IsPresent)
   {
         ManagementAgent =
            mventry.ConnectedMAs["MetaverseToExternalDB"];
         Connectors = ManagementAgent.Connectors.Count;

      if ( Connectors == 0 )
      {

         DN = ManagementAgent.EscapeDNComponent
            (mventry["EmpID"].Value.ToString());

         csentry = ManagementAgent.Connectors.StartNewConnector
                   ("TestDatabase");
         csentry.DN = DN;
         csentry["EmployeeID"].Value =
            mventry["EmpID"].Value.ToString();
         csentry.CommitNewConnector();
      }
   }
}

You use two key objects to add new accounts to the Connector Space: MVEntry and CSentry. MVEntry controls access to the object traveling from the Metaverse. CSentry represents the object created in the Connector Space.

When MIIS determines that a new object must be created in the Connector Space, it invokes the provision function, passing the appropriate Metaverse object via the MVentry class. To create a new Connector Space object, simply call "StartNewConnection" on the Connectors Collection in the management agent to create the CSentry object and then call "CommitNewConnector" on the CSEntry object to save the object to the Connector Space.

All that remains is to create a run profile to export from the Connector space to the destination data source.

Debugging and Testing the Management Agent and the Metaverse Rules Extention

As mentioned previously, the Metaverse rules extension is a .NET assembly you build in Visual Studio. Like any Visual Studio.NET assembly project, you can use the processes option on the Visual Studio Tools menu to debug your assemblies. The MIIS process is called MIIserver.exe.

Now, as you make changes to the Northwind database, execute the run profiles to copy the data to the Metaverse and then to the destination database. Observe how records are added and updated when new records are added or updated in Northwind.

Further Investigation

MIIS is well documented. You can download a series of whitepapers on subjects ranging from Metaverse design to designing data flows. Access the whitepapers from the MIIS homepage. You can also download a free trial version on MIIS from the MIIS Web site. You will need the Enterprise or Development edition of SQL Server 2000 to run the trial.

Identity Management for Your Apps

Consider MIIS for identity management with technologies like Active Directory or applications utilizing SQL Server 2000. You can leverage your existing .NET development skills to extend and augment MIIS.



About the Author

Jeffrey Juday

Jeff is a software developer specializing in enterprise application integration solutions utilizing BizTalk, SharePoint, WCF, WF, and SQL Server. Jeff has been developing software with Microsoft tools for more than 15 years in a variety of industries including: military, manufacturing, financial services, management consulting, and computer security. Jeff is a Microsoft BizTalk MVP. Jeff spends his spare time with his wife Sherrill and daughter Alexandra.

Downloads

Comments

  • There are no comments yet. Be the first to comment!

Leave a Comment
  • Your email address will not be published. All fields are required.

Top White Papers and Webcasts

  • Live Event Date: May 6, 2014 @ 1:00 p.m. ET / 10:00 a.m. PT While you likely have very good reasons for remaining on WinXP after end of support -- an estimated 20-30% of worldwide devices still are -- the bottom line is your security risk is now significant. In the absence of security patches, attackers will certainly turn their attention to this new opportunity. Join Lumension Vice President Paul Zimski in this one-hour webcast to discuss risk and, more importantly, 5 pragmatic risk mitigation techniques …

  • The latest release of SugarCRM's flagship product gives users new tools to build extraordinary customer relationships. Read an in-depth analysis of SugarCRM's enhanced ability to help companies execute their customer-facing initiatives from Ovum, a leading technology research firm.

Most Popular Programming Stories

More for Developers

Latest Developer Headlines

RSS Feeds