Introduction to Outbound Synchronization
Applies To: Forefront Identity Manager 2010
In Microsoft® Forefront® Identity Manager (FIM) 2010, you can configure and fine-tune the object and attribute flow between FIM 2010 and the related connected data sources by configuring synchronization rules. There are two different types of synchronization rules in the architectural model of FIM 2010: inbound synchronization rules and outbound synchronization rules. This document provides a detailed introduction to outbound synchronization rules based on a simple lab environment.
For an overview of FIM 2010 documentation and guidance for using it, see the Documentation Roadmap.
This document assumes that you have already a working instance of FIM 2010 running on a computer. For more information about installing FIM 2010, see the FIM Installation Guide (https://go.microsoft.com/fwlink/?LinkID=165845).
This document assumes that you have a basic understanding of the synchronization process. For more information, see Understanding Data Synchronization with External Systems.
This guide is intended for information technology (IT) professionals who are interested in getting some initial hands-on experience with FIM 2010 outbound synchronization rules in a lab environment.
The scenario outlined in this document has been simplified to address the requirements of a simple lab environment. The focus is on helping the reader obtain a basic understanding of the technologies. This scenario is not intended for deployment in a production environment.
The procedures in this document require 90 to 120 minutes for a new user to complete. These time estimates assume that the testing environment is already configured, and they do not include the time required to set up the test environment.
If you have questions regarding the content of this document or if you have general feedback, post a message to the Forefront Identity Manager 2010.
Fabrikam, a fictitious company, is investigating how to easily deploy and maintain digital identities by using FIM 2010. As part of this investigation, Fabrikam wants to explore the new outbound synchronization rule concept in the corporate lab environment based on a simple scenario. The goal of this scenario is to synchronize one user object that is created manually in the FIM 2010 Portal to a file-based connected data source. The required synchronization rule is applied to members of a scenario set. This scenario is representative of cases where FIM 2010 is authoritative for creating users in external systems.
The following illustration outlines this scenario.
The following sections describe the scenario design, the scenario preparation, and the scenario steps.
To implement the simple lab solution in this document, you implement two management agents:
Fabrikam FIMMA. This management agent for the FIM 2010 R2 Service contributes the source scenario objects.
Fabrikam FileMA. This management agent for a delimited text file is the target for the sample user in this document.
The following illustration outlines the logical architecture of this scenario.
For the outbound synchronization rule, the following conceptual elements are required:
File Outbound Synchronization Rule. The synchronization rule that manages objects in the Fabrikam FileMA connector space. It populates the following attributes in the connected data source: EmployeeID, EmployeeType, FirstName, and LastName.
All Contractors. A set with dynamic membership that contains all objects whose EmployeeType attribute is Contractor.
File Workflow. The workflow that invokes the File Outbound Synchronization Rule.
File Management Policy Rule. The management policy rule (MPR) that is triggered when a person object transitions into the All Contractors set, and that invokes the File Workflow.
The scenario outlined in this document has been developed and tested on a stand-alone computer. On this computer, FIM 2010 is already deployed and the computer is configured to be a domain controller for the Active Directory® forest Fabrikam.com. The name of this domain controller is FabrikamDC1. The following illustration outlines the domain configuration.
To perform the procedures in this document, the domain controller has been configured with the following characteristics:
Windows Server 2008 or Windows Server 2008 R2 64-bit Standard or Enterprise
Microsoft .NET Framework 3.5 Service Pack 1 (SP1)
Microsoft SQL Server® 2008 64-bit Standard or Enterprise, Service Pack 1 (SP1) or later
Windows SharePoint® Services 3.0 SP1, 64-bit
Windows PowerShell™ 1.0
FIM 2010
Note
A description of the installation of FIM 2010 and the required software components is out of the scope of this document. For a complete description of the installation process for FIM 2010, see the FIM Installation Guide (https://go.microsoft.com/fwlink/?LinkID=165845).
The scenario roadmap in this document consists of three main building blocks:
Configuring the scenario. In this section, you create all required scenario components, including the required management agents, run profiles, an outbound synchronization rule, a workflow, and a management policy rule.
Initializing the scenario. In this section, you deploy your initial configuration inside FIM 2010.
Testing the scenario. In this section, you verify the declarative provisioning prerequisites and you deploy one newly created scenario user from the FIM 2010 R2 Service database to the data file that is associated with the Fabrikam FileMA.
The configuration of the scenario in this document consists of the following building blocks:
Creating the management agents
Creating the run profiles
Creating the outbound synchronization rule
Creating the Workflow
Creating the MPR
Enabling synchronization rule provisioning
The following sections provide detailed instructions for each configuration building block.
In this section, you find instructions for creating the two scenario management agents:
Fabrikam FileMA
Fabrikam FIMMA
The following sections provide detailed instructions for creating these management agents.
The Fabrikam FileMA is a management agent for a delimited text file. To create this management agent, you need a text file that contains the schema information for this management agent.
The following code sample shows the schema for this management agent.
"EmployeeID","EmployeeType","FirstName","LastName"
Open Notepad.
From the previous code sample, copy the schema structure and paste it into your new Notepad file.
Save the file as C:\Fabrikam File MA Data.txt.
Open Synchronization Service Manager, and, in the Tools menu, select Management Agents.
To open the Create Management Agent Wizard, in the Actions menu, click Create.
On the Create Management Agent page, provide the following configuration settings, and then click Next:
Management agent for: Delimited text file
Name: Fabrikam FileMA
On the Select Template Input File page, provide the following configuration settings, and then click Next:
Template Input File: C:\Fabrikam File MA Data.txt
Code Page: Western Europe (Windows)
On the Delimited Text Format page, provide the following configuration settings, and then click Next:
Use first row for header names: selected
Delimiter: Comma
Text qualifier: "
On the Configure Attributes page, provide the following configuration settings, and then click Next:
To open the Set Anchor dialog box, click Set Anchor.
In the Available attributes list, select EmployeeID.
To set EmployeeID as the anchor, click Add.
To close the Set Anchor dialog box, click OK.
On the Define Object Types page, click Next.
On the Configure Connector Filter page, click Next.
On the Configure Join and Projection Rules page, click Next.
On the Configure Attribute Flow page, click Next.
On the Configure Deprovisioning page, click Next.
To create the management agent, on the Configure Extensions page, click Finish.
The Fabrikam FIMMA is a management agent for FIM 2010 R2 Service Management Agent. To create this management agent, you use the Create Management Agent Wizard.
Important
To create the FIM 2010 R2 management agent, you need a separate user account to run it. Create a dedicated account for this purpose only; do not reuse an administrative account or the account that runs the FIM Service, so that the management agent runs with no more rights than it needs.
Open Active Directory Users and Computers.
In the directory tree, select Users.
To open the New Object – User dialog box, on the Action menu, point to New, and then click User.
In the First name text box, type fimma.
In the User logon name text box, type fimma, and then click Next.
In the Password and the Confirm password text boxes, type a password of your choice.
Clear the User must change password at next logon check box.
Select Password never expires, and then click Next.
To create the user account, click Finish.
Important
If your server running FIM 2010 R2 is also a domain controller, the account that you use must have the right to log on locally. For more information, see Grant a Member the Right to Log On Locally (https://go.microsoft.com/fwlink/?LinkID=182205). For more details about the FIM 2010 management agent account, see the FIM Installation Guide (https://go.microsoft.com/fwlink/?LinkId=134023).
Open Synchronization Service Manager and, on the Tools menu, click Management Agents.
To open the Create Management Agent Wizard, on the Actions menu, click Create.
On the Create Management Agent page, provide the following configuration settings, and then click Next:
Management agent for: FIM 2010 R2 Service Management Agent
Name: Fabrikam FIMMA
On the Connect to Database page, provide the following configuration settings, and then click Next:
Server: .
Database: FIMService
FIM Service base address: https://localhost:5725
Authentication mode: Windows-integrated authentication
User name: fimma
Password: <the account's password>
Domain: fabrikam
On the Selected Object Types page, verify that the following object types are selected, and then click Next:
ExpectedRuleEntry
Person
SynchronizationRule
On the Selected Attributes page, verify that all listed attributes are selected, and then click Next.
On the Configure Connector Filter page, click Next.
On the Configure Object Type Mappings page, add the following mapping, and then click Next:
In the Data Source Object Type list, select Person.
To open the Mapping dialog box, click Add Mapping.
In the Metaverse object type list, select person.
To close the Mapping dialog box, click OK.
On the Configure Attribute Flow page, apply the following attribute flow mappings, and then click Next:
Data source attribute | Metaverse attribute
---|---
DisplayName | displayName
EmployeeID | employeeID
EmployeeType | employeeType
ExpectedRulesList | expectedRulesList
FirstName | firstName
LastName | lastName
Select Person as the Data source object type.
Select person as the Metaverse object type.
Select Direct as the Mapping Type.
Select Import as the Flow Direction.
For each row in the previous table, complete the following steps:
Select the Data source attribute for that row in the table.
Select the Metaverse attribute for that row in the table.
To apply the flow mapping, click New.
On the Configure Deprovisioning page, click Next.
To create the management agent, on the Configure Extensions page, click Finish.
This section lists the steps for configuring the scenario run profiles. For the scenario outlined in this document, you configure run profiles for the Fabrikam FileMA and the Fabrikam FIMMA.
The following table lists the run profiles for the Fabrikam FileMA:
Profile | Run profile name | Step type
---|---|---
Profile 1 | Full Import | Full Import (Stage Only)
Profile 2 | Export | Export
On the Tools menu, click Management Agents.
In the Name column, select Fabrikam FileMA.
For each row in the previous table, perform the following steps:
To open the Configure Run Profiles for Fabrikam FileMA dialog box, on the Actions menu, click Configure Run Profiles.
To open the Configure Run Profile dialog box, click New Profile.
On the Profile Name page, type the run profile name for that row in the table, and then click Next.
On the Configure Step page, select the step type for that row in the table, and then click Next.
On the Management Agent Configuration page, provide the following configuration settings, and then click Finish:
Partition: default
Input file name: Fabrikam File MA Data.txt
Important
Because the data files for the import and the export run profile have not been created yet, you must type the name of the data file in the Input file name text box.
The following table lists the run profiles for the Fabrikam FIMMA:
Profile | Run profile name | Step type
---|---|---
Profile 1 | Full Import | Full Import (Stage Only)
Profile 2 | Full Synchronization | Full Synchronization
Profile 3 | Delta Import | Delta Import (Stage Only)
Profile 4 | Delta Synchronization | Delta Synchronization
Profile 5 | Export | Export
On the Tools menu, click Management Agents.
In the Name column, select Fabrikam FIMMA.
For each row in the previous table, perform the following steps:
To open the Configure Run Profiles for Fabrikam FIMMA dialog box, on the Actions menu, click Configure Run Profiles.
To open the Configure Run Profile dialog box, click New Profile.
On the Profile Name page, type the run profile name for that row in the table, click Next, and then, on the Configure Step page, select the step type for that row in the table, and click Next.
To create the run profile, on the Management Agent Configuration page, click Finish.
In this section, you create the required outbound synchronization rule. The following table summarizes the synchronization rule configuration for the scenario in this document.
To open the FIM 2010 R2 Portal, start Internet Explorer, and then navigate to https://localhost/identitymanagement/default.aspx.
To open the Synchronization Rules page, in the Administration bar, click Synchronization Rules.
To open the Create Synchronization Rules Wizard, on the toolbar, click New.
On the General tab, provide the following information, and then click Next:
Display Name: FileMA Outbound Synchronization Rule
Data Flow Direction: Outbound
On the Scope tab, provide the following information, and then click Next:
Metaverse Resource Type: person
External System: Fabrikam FileMA
External System Resource Type: person
On the Relationship tab, provide the following information, and then click Next:
Relationship Criteria:
MetaverseObject:person(Attribute): employeeID
ConnectedSystemObject:person(Attribute): EmployeeID
Create Resource in External System: selected
On the Workflow Parameters tab, click Next.
On the Outbound Attribute Flow tab, provide the following information, and then click Next:
Source | Destination
---|---
employeeID | EmployeeID
employeeType | EmployeeType
firstName | FirstName
lastName | LastName
For each row in the previous table, perform the following steps:
To open the Flow Definition dialog box, click New Attribute Flow.
On the Source tab, select the attribute for that row in the table.
On the Destination tab, select the attribute shown for that row in the table.
To apply the attribute flow configuration, click OK.
In the Outbound Attribute Flow configuration table, select Initial Flow Only for the following flow:
employeeID => EmployeeID
The following illustration shows the correct configuration of your export attribute flow rules.
To move to the summary page, click Finish.
On the Summary tab, click Submit.
In this section, you create the required workflow. For the scenario in this document, the workflow contains the FileMA outbound synchronization rule for the Add action. The following table summarizes the action process configuration for the scenario in this document.
To open the FIM 2010 R2 Portal, open Internet Explorer, and then navigate to https://localhost/identitymanagement/default.aspx.
To open the Workflows page, in the Administration bar, click Workflows.
To open the Create Workflow Wizard, on the toolbar, click New.
On the General tab, provide the following information, and then click Next:
Workflow Name: Fabrikam File Workflow
Workflow Type: Action
On the Activities tab, provide the following information, and then click Next:
In the Activity Picker, select Synchronization Rule Activity, and then click Select.
In the Synchronization Rule list, select FileMA Outbound Synchronization Rule.
In Action Selection, select Add, and then click Save.
To move to the summary page, click Finish.
On the Summary tab, click Submit.
In this section, you create the MPR. The following table summarizes the MPR configuration for the scenario in this document:
The objective of the scenario in this document is to provision contractors into the File MA data source. This requires an MPR that is triggered when a resource transitions into the All Contractors set.
To open the FIM 2010 R2 Portal, open Internet Explorer, and then navigate to https://localhost/identitymanagement/default.aspx.
To open the Management Policy Rules page, in the Administration bar, click Management Policy Rules.
To open the Create Management Policy Rule Wizard, on the toolbar, click New.
On the General tab, provide the following information, and then click Next:
Display Name: Fabrikam File Management Policy Rule
Type: Set Transition
On the Transition Definition tab, provide the following information, and then click Next:
Transition Set: All Contractors
Transition Type: Transition In
On the Policy Workflows tab, provide the following information, and then click Next:
Action Workflows
- Selected Objects: Fabrikam File Workflow
On the Summary tab, click Submit.
The synchronization engine applies synchronization rules during a synchronization run only if synchronization rule provisioning is enabled in Synchronization Service Manager. Without this setting, the object is projected into the metaverse but is never provisioned to the Fabrikam FileMA connector space.
Open Synchronization Service Manager.
To open the Options dialog box, on the Tools menu, click Options.
Select Enable Synchronization Rule Provisioning.
To close the Options dialog box, click OK.
The initialization of your scenario consists of the following steps:
Importing data from the FIM 2010 R2 Service database
Initializing the FIM 2010 R2 Synchronization service
Exporting to the FIM 2010 R2 Service database
Confirming the FIM 2010 R2 Service database
The objective of the full import is to bring the already existing objects, including the newly created synchronization rule, into the connector space of the Fabrikam FIMMA. After a successful full import on the Fabrikam FIMMA, the synchronization statistics report three added objects. The following illustration shows the synchronization statistics for a full import run.
On the Tools menu, click Management Agents.
In the Name column, select Fabrikam FIMMA.
To open the Run Management Agent dialog box, in the Actions menu, click Run.
In the Run profiles list, select Full Import, and then click OK.
By using a connector space search, you can examine the properties of the new objects. In addition to the synchronization rule, you also find two Person objects to be imported. These objects represent the Built-in Synchronization Account and the account you used to install FIM 2010.
The following illustration shows the result of a connector space search on the Fabrikam FIMMA.
To open the Search Connector Space dialog box, in the Actions menu, click Search Connector Space.
To retrieve a list of the available connector space objects, click Search.
A full synchronization run is always required after the synchronization rules of a management agent have been updated; you updated the rules of the Fabrikam FIMMA when you configured its object type mappings and import attribute flow. By design, each FIM 2010 Service management agent has a preconfigured projection rule. During the initial full synchronization run, the three staged connector space objects are projected into the metaverse. The preconfigured export attribute flow rule stages the metaverse object ID for an export in the Fabrikam FIMMA connector space. The following illustration shows the synchronization statistics for a full synchronization run.
To open the Run Management Agent dialog box, on the Actions menu, click Run.
In the Run profiles list, select Full Synchronization, and then click OK.
By using a metaverse search, you can examine the properties of the newly projected objects.
On the Tools menu, click Metaverse Search.
If necessary, adjust the column settings by selecting the Column Settings link.
To search the metaverse, click Search.
To open the Metaverse Object Properties dialog box, in the Search Results list, select FileMA Outbound Synchronization Rule, and then, on the Actions menu, click Properties.
As a result of the FIM 2010 R2 Service database initialization, updates have been staged to the connector space of the FIM 2010 R2 management agent. These pending exports must be pushed out to the FIM 2010 R2 Service database. The following illustration shows the synchronization statistics of a successful export run:
To open the Run Management Agent dialog box, on the Actions menu, click Run.
In the Run profiles list, select Export, and then click OK.
To complete the initialization sequence, you run a delta import on your Fabrikam FIMMA. The delta import is required to confirm the exported data in the connector space. The following illustration shows the synchronization statistics of a successful confirming import run.
To open the Run Management Agent dialog box, on the Actions menu, click Run.
In the Run profiles list, select Delta Import, and then click OK.
Note
At this point, your scenario is fully initialized.
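The four runs above (Full Import, Full Synchronization, Export, Delta Import) are the sequence that every later change to the Fabrikam FIMMA also goes through, so it is worth being able to run it unattended and to stop at the first run that does not succeed. The following PowerShell script is an added example, not part of the original document or of FIM. It uses the Synchronization Service WMI provider (class MIIS_ManagementAgent in the root\MicrosoftIdentityIntegrationServer namespace) and assumes that it runs on the synchronization server, under an account that is a member of the FIMSyncAdmins or FIMSyncOperators group, with Windows PowerShell 2.0 or later, and that the management agent and run profile names are the ones created earlier in this document.

```powershell
# Added example: run the Fabrikam FIMMA initialization sequence unattended
# and stop at the first run profile that does not report "success".
# Assumptions: runs on the synchronization server as a FIMSyncAdmins or
# FIMSyncOperators member; MA and run profile names match this document.
$ns       = 'root\MicrosoftIdentityIntegrationServer'
$maName   = 'Fabrikam FIMMA'
$sequence = 'Full Import', 'Full Synchronization', 'Export', 'Delta Import'

$ma = Get-WmiObject -Namespace $ns -Class MIIS_ManagementAgent -Filter "Name='$maName'"
if (-not $ma) { throw "Management agent '$maName' was not found." }

foreach ($profile in $sequence) {
    Write-Host "Running '$profile' on '$maName'..."
    # Execute() is synchronous and returns the run status as a string.
    $status = $ma.Execute($profile).ReturnValue
    Write-Host "  -> $status"
    # Any status other than "success" (for example "completed-export-errors",
    # "completed-sync-errors" or "stopped-extension-dll-exception") aborts the
    # sequence so that a later step does not run against an incomplete
    # connector space; inspect the run in Synchronization Service Manager.
    if ($status -ne 'success') {
        throw "Run profile '$profile' ended with status '$status'."
    }
}

# Sanity check after initialization: the FIMMA connector space should now hold
# the projected objects (the synchronization rule plus the two built-in
# Person objects described above).
$ma = Get-WmiObject -Namespace $ns -Class MIIS_ManagementAgent -Filter "Name='$maName'"
Write-Host ("Connector space objects in '{0}': {1}" -f $maName, $ma.NumCSObjects().ReturnValue)
```

The same loop, with Delta Import, Delta Synchronization and Export for the Fabrikam FIMMA followed by Export and Full Import for the Fabrikam FileMA, covers the deployment cycle described later in this document; the important point is the early abort, because FIM reports export errors as a completed run and a following import would otherwise silently confirm a partial result.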
The goal of the scenario in this document is to create one sample user in the data source file that is associated with the Fabrikam FileMA. The complete deployment cycle of a sample user consists of the following building blocks:
Creating the scenario user
Verifying the Declarative Provisioning Preconditions
Deploying the scenario user
The following sections provide instructions for each building block.
In this section, you create the test user for this scenario. The scenario user has the attribute settings in the following table.
Attribute | Value
---|---
First Name | Britta
Last Name | Simon
Display Name | Britta Simon
Domain | fabrikam
Employee ID | 007
Employee Type | Contractor
To open the FIM 2010 R2 Portal, open Internet Explorer, and then navigate to https://localhost/identitymanagement/default.aspx.
To open the Users page, on the navigation bar, click Users.
To open the Create User Wizard, on the All Users menu, click New.
On the General tab, provide the following information, and then click Next:
First Name: Britta
Last Name: Simon
Display Name: Britta Simon
Domain: fabrikam
On the Work Info tab, provide the following information, and then click Finish:
Employee Type: Contractor
Employee ID: 007
Type the Employee ID exactly as shown. It is the anchor of the Fabrikam FileMA and is compared as a string, so 7 and 007 are two different anchors, and a mismatch later results in a second object instead of a join.
On the Summary tab, click Submit.
In the case of outbound synchronization, there are two prerequisites for provisioning to function properly:
The synchronization rule object must have been projected into the metaverse.
Each affected object must have the ExpectedRulesList attribute values that you want.
Because the synchronization rule has already been projected successfully during the initialization phase of this scenario, you should verify now whether your sample user object satisfies the remaining preconditions for a successful provisioning attempt. The following sections outline the related steps:
Verifying the Set membership
Verifying the Expected Rules List value
In this section, you verify that the scenario object is a member of the All Contractors set. The All Contractors set should list Britta Simon as a member of the set, as shown in the following illustration:
To open the FIM 2010 R2 Portal, open Internet Explorer, and then navigate to https://localhost/identitymanagement/default.aspx.
To open the Sets page, in the Management Policy Rules section of the navigation bar, click Sets.
To open the All Contractors property page, in the DisplayName list, click All Contractors.
To display the list of calculated members, click the Criteria based Members tab, and then click View Members.
Verify that Britta Simon appears in the list.
Important
If this condition is not met, the related management policy is not triggered.
The MPR in this scenario is configured to invoke the Fabrikam File Workflow when an object becomes a member of the All Contractors set. Because this condition is satisfied, the object Britta Simon should be added to the scope of the FileMA Outbound Synchronization Rule. You can verify this by checking the Provisioning state of the object. The following illustration shows the Expected Rules List (ERL) setting of Britta Simon.
To open the FIM 2010 R2 Portal, open Internet Explorer, and then navigate to https://localhost/identitymanagement/default.aspx.
To open the Users page, on the navigation bar, click Users.
To open the object’s configuration dialog box, in the Display Name list, click Britta Simon.
Select the Provisioning tab.
Verify that FileMA Outbound Synchronization Rule appears in the list of Expected Rules List attribute values.
Close the dialog box.
Important
At this point, you have verified that the sample user Britta Simon satisfies the outbound synchronization preconditions. The object is now ready to be processed by the FIM 2010 R2 Synchronization Service.
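Both preconditions checked above through the portal (set membership and the Expected Rules List entry) can also be checked from the FIM Service side, which is the form you want when the MPR does not fire and you need to find out which of the two is missing. The following PowerShell script is an added example, not part of the original document or of FIM. It uses the FIMAutomation snap-in installed with the FIM Service and assumes that it runs on the FIM Service computer, with Windows PowerShell 2.0 or later, under an account that may read Person, Set and ExpectedRuleEntry resources; the service endpoint shown is the default one and must be adjusted if your FIM Service base address differs. The attribute names ExpectedRuleEntryTarget and SynchronizationRuleName are taken from the FIM schema, and the set-membership XPath form is an assumption to verify against your environment.

```powershell
# Added example: verify the two outbound provisioning preconditions for the
# scenario user by querying the FIM Service with the FIMAutomation snap-in.
# Assumptions: default endpoint (adjust to your FIM Service base address),
# an account that can read Person/Set/ExpectedRuleEntry, PowerShell 2.0+.
if (-not (Get-PSSnapin FIMAutomation -ErrorAction SilentlyContinue)) {
    Add-PSSnapin FIMAutomation
}

$uri        = 'http://localhost:5725/ResourceManagementService'  # assumed default
$employeeId = '007'
$setName    = 'All Contractors'
$ruleName   = 'FileMA Outbound Synchronization Rule'

# Read one attribute value out of an ExportObject returned by Export-FIMConfig.
function Get-FimAttribute($exportObject, $name) {
    ($exportObject.ResourceManagementObject.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $name }).Value
}

# Precondition 1: the user is a computed member of the transition set.
# The MPR is a Transition In rule on this set; no membership, no workflow.
$inSet = Export-FIMConfig -Uri $uri -OnlyBaseResources -CustomConfig `
    "/Person[EmployeeID='$employeeId' and ObjectID = /Set[DisplayName='$setName']/ComputedMember]"
if (-not $inSet) {
    throw "No Person with EmployeeID '$employeeId' is a member of '$setName'; the MPR will not be triggered."
}
$displayName = Get-FimAttribute $inSet 'DisplayName'
Write-Host "$displayName is a member of '$setName'."

# Precondition 2: an ExpectedRuleEntry links the user to the outbound rule.
# The synchronization engine imports this ERE and adds the rule to the
# user's expectedRulesList in the metaverse.
$eres  = @(Export-FIMConfig -Uri $uri -OnlyBaseResources -CustomConfig `
    "/ExpectedRuleEntry[ExpectedRuleEntryTarget=/Person[EmployeeID='$employeeId']]")
$names = @($eres | ForEach-Object { Get-FimAttribute $_ 'SynchronizationRuleName' })
if ($names -notcontains $ruleName) {
    throw "No ExpectedRuleEntry for '$ruleName' on $displayName (found: $($names -join ', ')). Check the MPR and the workflow."
}
Write-Host "$displayName has an ExpectedRuleEntry for '$ruleName'; ready for delta import."
```

If the first check passes and the second fails, the problem is in the MPR or workflow (for example the MPR is disabled or bound to a different set); if the first check fails, the set definition or the user's EmployeeType is wrong, and fixing the user attribute alone will trigger the MPR on the resulting transition.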
To deploy Britta Simon to the file-based connected data source, perform the following steps:
Import the object into the connector space of the Fabrikam FIMMA.
Synchronize the object inside the FIM 2010 R2 Synchronization Service.
Export the object to the data file of the Fabrikam FileMA.
Confirm the object from the data file of the Fabrikam FileMA.
As soon as all four steps are completed successfully, Britta Simon can be considered to be deployed to the target data source.
To import the scenario user into the FIMMA connector space, you run a delta import run profile. The import statistics for this run report two added objects:
One Person object for Britta Simon
One ExpectedRuleEntry object that establishes a link between Britta Simon and the FileMA Outbound Synchronization Rule
Note
An ExpectedRuleEntry (ERE) object is a specialized object that sits in the middle of an Identity Object -> ERE -> SR construct. Because a detailed understanding of EREs is not required to understand how outbound synchronization rules are associated with identity objects, a detailed discussion of EREs is outside the scope of this document.
The following illustration shows the synchronization statistics of a successful delta import run.
To open the Run Management Agent dialog box, on the Actions menu, click Run.
In the Run profiles list, select Delta Import, and then click OK.
Important
In accordance with best practices for newly staged connector space test objects, verify the actual attribute values in the connector space. To verify the attribute values, perform the following steps:
- To open the Object Details dialog box, in Synchronization Statistics, click the Adds link.
- To open the Connector Space Object Details dialog box, in the Distinguished Name list, select the object of interest, and then click Properties.
During the synchronization run, Britta Simon is projected into the metaverse. If a provisioning-related problem occurs during a synchronization run, you should perform a metaverse search for an affected object and verify that the object has a valid value for the expectedRulesList attribute. As mentioned previously in this document, the synchronization engine must have this attribute to apply the correct synchronization rule object to an object. The following illustration shows the metaverse object information for Britta Simon after a successful synchronization run.
In addition to the new user being projected into the metaverse, Britta Simon is also provisioned to the target connector space during the delta synchronization run. The following illustration shows the synchronization statistics of a successful delta synchronization run.
To open the Run Management Agent dialog box, on the Actions menu, click Run.
In the Run profiles list, select Delta Synchronization, and then click OK.
Important
In accordance with best practices for newly projected metaverse objects, verify the actual attribute values in the metaverse. To verify the attribute values, you perform the following steps:
- On the Tools menu, click Metaverse Search.
- If necessary, adjust the Column Settings by selecting the Column Settings link.
- To search the metaverse, click Search.
- To open the Metaverse Object Properties dialog box, in the Search Results list, select the object of interest, and then on the Actions menu, click Properties.
Important
In accordance with best practices for newly provisioned connector space test objects, verify the actual attribute values in the target connector space. To verify the attribute values, perform the following steps:
- On the Tools menu, click Management Agents.
- In the Management Agents list, select the affected management agent.
- To open the Search Connector Space dialog box, on the Actions menu, click Search Connector Space.
- If necessary, adjust the Column Settings by selecting the Column Settings link.
- To search the connector space, click the Search button.
- To open the Connector Space Object Properties dialog box, in the Search Results list, select the object of interest, and then select Properties.
Because there is a pending Add staged in the connector space, you can run an export run profile to export the pending object to your data file. The following illustration shows the export statistics after a successful export run.
To open the Run Management Agent dialog box, on the Actions menu, click Run.
In the Run profiles list, select Export, and then click OK.
As a result of a successful export, Britta Simon has been added to the Fabrikam FileMA data file. The following illustration shows this.
To complete the deployment cycle for the scenario user, you run a confirming import on the Fabrikam FileMA. The synchronization statistics for this run report one Add. The following illustration shows an example of this.
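Before the confirming import, it pays to check the exported file itself rather than only the export statistics: the delimited text MA takes the first row as its schema, and EmployeeID is the anchor, so a changed header or a duplicate or empty EmployeeID is not an error at export time but silently corrupts the next import. The following PowerShell script is an added example, not part of the original document or of FIM. The file path, header and scenario user are the ones used in this document; the validation logic itself is an added check, written for Windows PowerShell 2.0 or later.

```powershell
# Added example: validate the Fabrikam FileMA data file after an export run.
# Checks the header (the MA schema), the EmployeeID anchor (non-empty and
# unique) and that the scenario user was written exactly once.
function Test-FileMaExport {
    param(
        [string]   $Path,
        [string[]] $ExpectedHeader,
        [string]   $EmployeeId
    )
    $problems = @()

    # Header check: the MA reads attribute names from the first row, so a
    # changed header changes the attributes the MA sees without any error.
    $headerLine = Get-Content -Path $Path -TotalCount 1
    $header     = ($headerLine -split ',') | ForEach-Object { $_.Trim('"') }
    if (Compare-Object $header $ExpectedHeader -SyncWindow 0) {
        $problems += "Header is '$headerLine', expected '$($ExpectedHeader -join ',')'."
    }

    $rows = @(Import-Csv -Path $Path -Delimiter ',')

    # Anchor check: EmployeeID must be present and unique, otherwise the next
    # import joins or overwrites the wrong connector space object.
    $blank = @($rows | Where-Object { [string]::IsNullOrEmpty($_.EmployeeID) })
    if ($blank.Count -gt 0) { $problems += "$($blank.Count) row(s) have an empty EmployeeID anchor." }
    $rows | Group-Object EmployeeID | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        $problems += "EmployeeID '$($_.Name)' appears $($_.Count) times."
    }

    # Scenario check: exactly one row for the user that was just exported.
    $target = @($rows | Where-Object { $_.EmployeeID -eq $EmployeeId })
    if ($target.Count -ne 1) {
        $problems += "Expected exactly one row with EmployeeID '$EmployeeId', found $($target.Count)."
    }

    New-Object PSObject -Property @{
        Path     = $Path
        Rows     = $rows.Count
        Exported = ($target.Count -eq 1)
        Row      = ($target | Select-Object -First 1)
        Problems = $problems
    }
}

$result = Test-FileMaExport -Path 'C:\Fabrikam File MA Data.txt' `
    -ExpectedHeader 'EmployeeID', 'EmployeeType', 'FirstName', 'LastName' `
    -EmployeeId '007'
$result | Format-List Path, Rows, Exported, Row, Problems
if ($result.Problems.Count -gt 0) { exit 1 }
```

The EmployeeID comparison is a string comparison on purpose: it mirrors how the synchronization engine treats the anchor, so a row written as 7 for a user whose Employee ID is 007 is reported as missing rather than matched.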
At this point, the outbound synchronization scenario is completed.