Test Lab Guide: BHOLD Access Management Connector
Updated: January 15, 2013
Applies To: Forefront Identity Manager
Authored by: The Microsoft® Forefront® Identity Manager documentation team
Microsoft® Forefront Identity Manager (FIM) 2010 enables organizations to manage the entire lifecycle of user identities and their associated credentials. It can be configured to synchronize identities, centrally manage certificates and passwords, and provision users across heterogeneous systems. With FIM 2010, IT organizations can define and automate the processes used to manage identities from creation to retirement.
Microsoft BHOLD Suite extends these capabilities of FIM 2010 by adding role-based access control to FIM 2010, enabling organizations to define user roles and to control access to sensitive data and applications in a way that is appropriate for those roles. BHOLD Suite includes services and tools that simplify the modeling of the role relationships within the organization, map those roles to rights, and to verify that the role definitions and associated rights are correctly applied to users. These capabilities are fully integrated with FIM 2010, providing a seamless experience for end users and IT staff alike.
The BHOLD Suite Access Management Connector module supports both initial and ongoing synchronization of data into BHOLD. The Access Management Connector works with the FIM Synchronization Service to move data among the BHOLD Core database, the FIM 2010 metaverse, and target applications and identity stores.
This guide contains instructions for setting up a test lab based on the BHOLD Access Management Connector module of the Microsoft BHOLD Suite SP1 and deploying BHOLD Access Management Connector on a server running FIM 2010 by using three preexisting server computers. The resulting BHOLD Access Management Connector test lab demonstrates the capabilities of the Access Management Connector.
The following instructions are for configuring a BHOLD Access Management Connector test lab using a scaled-out deployment. That is, the BHOLD Core portal will be located on a server running Forefront Identity Manager 2010, while the BHOLD Core database will reside on a separate server that also hosts the FIM database. Individual computers are needed to separate the services provided on the network and to clearly show the desired functionality. This configuration is neither designed to reflect best practices nor does it reflect a desired or recommended configuration for a production network. The configuration, including IP addresses and all other configuration parameters, is designed only to work on a separate test lab network.
In this test lab, BHOLD Access Management Connector is deployed with:
One preexisting computer named FIM1 that is running the FIM Service, FIM Synchronization Service and FIM Portal. BHOLD Core and BHOLD Access Management Connector will be installed on FIM1 in this test lab. FIM1 uses the Windows Server® 2008 R2 Enterprise Edition operating system.
One preexisting computer named APP1 that is running SQL Server® 2008 Enterprise with Service Pack 2.
One preexisting computer named DC1 that is the domain controller for the test lab forest.
One optional preexisting server named EX1 that is running Microsoft Exchange Server 2010 with Service Pack 1. The EX1 server is not used in the BHOLD Access Management Connector test lab but is included as part of the FIM test lab guide setup on which the BHOLD Access Management Connector test lab is based.
One optional client computer named CLIENT1 that is running Windows 7 Professional Edition. The client computer is not used in the BHOLD Access Management Connector test lab.
The BHOLD Access Management Connector test lab uses an intranet established by the Base Configuration Test Lab Guide, referred to as the Corpnet subnet (10.0.0.0/24). Computers on the subnet connect by using a hub or switch, as shown in the following figure.
The test lab will guide you through the BHOLD Core and Access Management Connector installation process. The purpose of this test lab is to create a basic test lab environment that demonstrates how to use the Access Management Connector. This test lab guide can be used as a building block for additional test lab guides that demonstrate additional features of Microsoft BHOLD Suite.
In addition to the components required by Test Lab Guide: Base Configuration and Test Lab Guide: Installing Forefront Identity Manager 2010, the following are required components of this test lab:
The files for Microsoft Silverlight 4 or later
The files for Microsoft BHOLD Suite SP1
The product disc or files for Visual Studio Professional 2012
The files for Forefront Identity Manager 2010 R2 SP1
The files for Microsoft .NET Framework 4
The following table provides a summary of the Microsoft software that is used in this guide.
|Software|Description|
|---|---|
|Silverlight 4 or later|Silverlight is required by the BHOLD Core Portal. For more information and to download the latest version of Silverlight, see the Silverlight web page.|
|Microsoft BHOLD Suite SP1|Microsoft BHOLD Suite SP1 is available as part of Forefront Identity Manager 2010 R2.|
|Microsoft Visual Studio 2012 Professional|Microsoft Visual Studio is required to build a metaverse rules extension dynamic-link library (DLL) that is used in the test lab guide demonstration scenario. This test lab guide was developed and tested by using Microsoft Visual Studio 2012 Professional.|
|Forefront Identity Manager 2010 R2 SP1 Synchronization Service|BHOLD Access Management Connector depends on features introduced in the Forefront Synchronization Service in Service Pack 1 for Forefront Identity Manager 2010 R2.|
|Microsoft .NET Framework 4|.NET Framework 4 must be installed before BHOLD Access Management Connector can be installed. For information about obtaining and installing .NET Framework 4, see the Microsoft .NET home page.|
There are nine steps to follow when setting up the BHOLD Access Management Connector test lab.
Step 1: Set up the base configuration test lab—The base configuration is the core of all test lab guide scenarios. The first step is to complete the base configuration.
Step 2: Set up the Forefront Identity Manager 2010 test lab—The Forefront Identity Manager 2010 test lab builds upon the base configuration test lab and provides the server and client infrastructure on which the BHOLD Access Management Connector test lab is constructed.
Step 3: Perform BHOLD Core prerequisite tasks—BHOLD Core from Microsoft BHOLD Suite SP1 is a prerequisite for using the Access Management Connector. Before installing BHOLD Core, you must prepare the FIM1 server for the installation. This includes enabling Windows authentication on Internet Information Services (IIS), installing Silverlight 4 or later, and performing other configuration tasks.
Step 4: Install BHOLD Core on FIM1—The BHOLD Access Management Connector provides the primary interface between BHOLD Core and FIM, and so BHOLD Core must be installed prior to installing BHOLD Access Management Connector. The Connector does not function with Microsoft BHOLD Suite versions prior to Microsoft BHOLD Suite SP1.
Step 5: Install Access Management Connector prerequisite software—As noted earlier in this guide, Microsoft .NET Framework 4 is required to be installed before BHOLD Access Management Connector. In addition, the Access Management Connector requires the FIM Synchronization Service in Forefront Identity Manager 2010 R2 SP1.
Step 6: Install BHOLD Access Management Connector—In this step, you will install the BHOLD Access Management Connector module on the FIM1 server.
Step 7: Perform postinstallation tasks—Following installation of BHOLD Access Management Connector, to prepare for the test lab guide scenario, you must install Visual Studio and configure the Windows registry, Active Directory, the FIM metaverse, and BHOLD Core.
Step 8: Create a sample HR database—The BHOLD Access Management Connector test lab guide scenario illustrates provisioning from a sample corporate human relations (HR) database to Active Directory. In this step, you create a simple SQL Server database to represent the HR database.
Step 9: Create a FIM metaverse rules extension—The test lab guide scenario uses a metaverse rules extension to control provisioning of objects to the connected data stores. This step provides sample code and instructions for creating and installing the metaverse rules extension file.
Step 10: Create FIM management agents—In this step, you complete the configuration of the test lab by creating the management agents that control data flow between the FIM metaverse and the HR, BHOLD, and Active Directory data stores.
Step 11: Verify the installation—The final step is to create and modify various objects to observe how BHOLD FIM Provisioning works with FIM to manage role-based access control in the test lab guide environment.
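Steps 3 and 5 name the prerequisites that must be in place on FIM1 before the BHOLD Core and Access Management Connector installers are run: the IIS Windows Authentication role service, Silverlight 4 or later, .NET Framework 4, and the FIM Synchronization Service from Forefront Identity Manager 2010 R2 SP1. The following script is an added example, not part of this test lab guide or of Microsoft's BHOLD tooling; it checks each of those prerequisites so that a missing one is caught before an installer fails partway through. The registry paths for .NET Framework 4 and Silverlight, the `Web-Windows-Auth` feature name, and the `FIMSynchronizationService` service name are assumptions based on the products' standard install locations; run it in an elevated PowerShell session on FIM1.

```powershell
# Added example (not from the test lab guide): prerequisite checks for FIM1 before installing
# BHOLD Core and the BHOLD Access Management Connector. Registry paths, the feature name and the
# service name below are assumptions based on standard install locations.

Import-Module ServerManager   # provides Get-WindowsFeature on Windows Server 2008 R2

# Builds one result row; New-Object keeps this compatible with PowerShell 2.0 on 2008 R2.
function New-CheckResult($Name, $Passed, $Detail) {
    New-Object PSObject -Property @{ Check = $Name; Passed = [bool]$Passed; Detail = $Detail }
}

function Test-BholdConnectorPrerequisites {
    $results = @()

    # Step 3: the IIS Windows Authentication role service is needed for the BHOLD Core portal.
    $winAuth = Get-WindowsFeature -Name Web-Windows-Auth
    $results += New-CheckResult 'IIS Windows Authentication role service' $winAuth.Installed $winAuth.DisplayName

    # Step 3: Silverlight 4 or later for the BHOLD Core portal. Assumed registry locations:
    # the 32-bit runtime registers under Wow6432Node on a 64-bit server.
    $slPaths = 'HKLM:\SOFTWARE\Microsoft\Silverlight', 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Silverlight'
    $sl = $slPaths | ForEach-Object { Get-ItemProperty -Path $_ -ErrorAction SilentlyContinue } | Select-Object -First 1
    $slOk = $false
    $slDetail = 'not found'
    if ($sl -and $sl.Version) {
        $slOk = ([version]$sl.Version).Major -ge 4
        $slDetail = $sl.Version
    }
    $results += New-CheckResult 'Silverlight 4 or later' $slOk $slDetail

    # Step 5: .NET Framework 4 (full profile) must be installed before the Connector.
    $net4 = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
    $net4Ok = ($net4 -ne $null) -and ($net4.Install -eq 1)
    $net4Detail = 'not found'
    if ($net4) { $net4Detail = $net4.Version }
    $results += New-CheckResult '.NET Framework 4 installed' $net4Ok $net4Detail

    # Step 5: the FIM Synchronization Service (FIM 2010 R2 SP1) must be present and running.
    $sync = Get-Service -Name FIMSynchronizationService -ErrorAction SilentlyContinue
    $syncOk = ($sync -ne $null) -and ($sync.Status -eq 'Running')
    $syncDetail = 'not found'
    if ($sync) { $syncDetail = $sync.Status }
    $results += New-CheckResult 'FIM Synchronization Service running' $syncOk $syncDetail

    $results
}

$checks = Test-BholdConnectorPrerequisites
$checks | Format-Table -Property Check, Passed, Detail -AutoSize
if ($checks | Where-Object { -not $_.Passed }) {
    Write-Warning 'One or more prerequisites are missing; resolve them before running the BHOLD installers.'
}
```

The script only reads registry values, feature state and service state, so it is safe to rerun after each prerequisite is installed until every row reports `Passed` as `True`. It does not check the SP1 build of the Synchronization Service itself, since the guide gives no version number to compare against; confirm that separately from the installed product version.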
The following section provides additional information on configuring the test lab, including items from the test lab guides that this test lab builds upon that may be omitted to allow for quicker deployment.
The Base Configuration TLG—CLIENT1, EDGE1 and INET1 are not required. The steps requiring setup and configuration of these computers may be excluded from the setup of the base configuration. If CLIENT1 is not included in your test lab setup, it is not necessary to configure DC1 as a DHCP server because all computers in the test lab are assigned fixed IP addresses.
The Exchange Server 2010 with Service Pack 1 TLG—When configuring the Forefront Identity Manager 2010 test lab, EX1 is not required, even though you must provide mail addresses for the FIMService and b1user accounts. These mail addresses are not used in the test lab guide scenario, however. Note that future test lab guides that demonstrate workflow and notification will probably use an Exchange server.
To begin setting up the BHOLD Access Management Connector test lab, see Step 1: Set up the base configuration test lab.