Step 10: Create FIM management agents
Applies To: Forefront Identity Manager
To complete the configuration of the test lab, you must create nine Forefront Identity Manager 2010 (FIM) management agents that provide the interface between FIM and the external data systems whose identity data is synchronized by FIM.
To create the HRPerson MA
Log on to FIM1 as CORP\Administrator.
Click Start, click All Programs, click Microsoft Forefront Identity Manager, and then click Synchronization Service.
In Synchronization Service Manager, click Management Agents.
Under Actions, click Create.
In the Create Management Agent wizard, in the Management agent for list, click SQL Server.
In Name, type HRPerson, and then click Next.
On the Connect to Database page, in Server, type APP1, in Database, type HR, and then in Table/View, type emp.
In User name, type Administrator, in Password, type the password of the CORP\Administrator account, in Domain, type CORP, and then click Next.
On the Configure Columns page, click Next.
On the Configure Connector Filter page, click Next.
On the Configure Join and Projection Rules page, click New Join Rule.
In the Join Rule for Person dialog box, in the Data source attribute list, click EmpAccountName, in the Metaverse object type list, click person, in the Metaverse attribute list, click accountName, and then click Add Condition. In the warning that appears, click OK.
Click OK to close the Join Rule for Person dialog box.
On the Configure Join and Projection Rules page, click New Projection Rule.
In the Projection dialog box, click OK.
On the Configure Join and Projection Rules page, click Next.
On the Configure Attribute Flow page, in Build Attribute Flow, in the Data source attribute list, click EmpAccountName, click Direct, click Import, in the Metaverse attribute list, click sn, and then click New.
Repeat the preceding step, substituting the settings in the following table:
| Data source attribute | Metaverse attribute |
|---|---|
| EmpAccountName | givenName |
| EmpAccountName | cn |
| EmpDepartment | department |
| EmpEmployeeID | employeeID |
| EmpName | displayName |
| EmpFunction | jobTitle |
| EmpName | description |
| <dn> | csObjectID |
| EmpAccountName | accountName |
| EmpAccountName | objectID |
| EmpEmail | email |
| EmpType | employeeType |

On the Configure Attribute Flow page, click Next.
On the Configure Deprovisioning page, click Next.
On the Configure Extensions page, click Finish.
In Synchronization Service Manager, click HRPerson, and then, under Actions, click Configure Run Profiles.
In the Configure Run Profiles for “HRPerson” dialog box, click New Profile.
In the Configure Run Profile wizard, on the Profile Name page, type Import Employees from HR, and then click Next.
On the Configure Step page, in the Type list, click Full Import and Full Synchronization, and then click Next.
On the Management Agent Configuration page, click Finish.
In the Configure Run Profiles for “HRPerson” dialog box, click OK.
To create the HROrg MA
In Synchronization Service Manager, click Management Agents.
Under Actions, click Create.
In the Create Management Agent wizard, in the Management agent for list, click SQL Server.
In Name, type HROrg, and then click Next.
On the Connect to Database page, in Server, type APP1, in Database, type HR, and then in Table/View, type org.
In User name, type Administrator, in Password, type the password of the CORP\Administrator account, in Domain, type CORP, and then click Next.
On the Configure Columns page, click Set Anchor.
In the Set Anchor dialog box, in the Available attributes list, click OrgID, and then click Add.
In the Selected attributes list, click id, click Remove, and then click OK.
On the Configure Columns page, click Object Type.
In the Set Object Type dialog box, click Fixed object type, type organization, and then click OK.
On the Configure Columns page, click Next.
On the Configure Connector Filter page, click Next.
On the Configure Join and Projection Rules page, click New Projection Rule.
In the Projection dialog box, in the Metaverse object type list, click organization, and then click OK.
On the Configure Join and Projection Rules page, click Next.
On the Configure Attribute Flow page, in Build Attribute Flow, in the Data source attribute list, click Organization, click Direct, click Import, in the Metaverse attribute list, click description, and then click New.
Repeat the preceding step, substituting the settings in the following table:
| Data source attribute | Metaverse attribute |
|---|---|
| Parent | company |
| Organization | displayName |

On the Configure Attribute Flow page, click Next.
On the Configure Deprovisioning page, click Next.
On the Configure Extensions page, click Finish.
In Synchronization Service Manager, click HROrg, and then, under Actions, click Configure Run Profiles.
In the Configure Run Profiles for “HROrg” dialog box, click New Profile.
In the Configure Run Profile wizard, on the Profile Name page, type Import orgunits from HR, and then click Next.
On the Configure Step page, in the Type list, click Full Import and Full Synchronization, and then click Next.
On the Management Agent Configuration page, click Finish.
In the Configure Run Profiles for “HROrg” dialog box, click OK.
To create the AMCOrgunits MA
In Synchronization Service Manager, click Management Agents.
Under Actions, click Create.
In the Create Management Agent wizard, in the Management agent for list, click Access Management (Microsoft).
In Name, type AMCOrgunits, and then click Next.
On the Connectivity page, in the Authentication Mode list, click Integrated Authentication, in User Name, type Administrator, in Password, type the password for the CORP\Administrator account, in Domain, type CORP, in B1 Database Server, type APP1, in Database Name, type B1, and then click Next.
On the Configure Partitions and Hierarchies page, click Next.
On the Select Object Types page, select Organizational unit, and then click Next.
On the Select Attributes page, select all attributes, and then click Next.
On the Configure Anchors page, click Next.
On the Configure Connector Filter page, click Next.
On the Configure Join and Projection Rules page, click New Projection Rule.
In the Projection dialog box, in the Metaverse object type list, click organization, and then click OK.
On the Configure Join and Projection Rules page, click Next.
On the Configure Attribute Flow page, in Build Attribute Flow, in the Data source attribute list, click bholdDescription, click Direct, click Export, in the Metaverse object type list, click organization, in the Metaverse attribute list, click description, and then click New.
In the Data source attribute list, click Parent, click Direct, click Export, in the Metaverse attribute list, click company, and then click New.
On the Configure Attribute Flow page, click Next.
On the Configure Deprovisioning page, click Next.
On the Configure Extensions page, click Finish.
In Synchronization Service Manager, click AMCOrgunits, and then, under Actions, click Configure Run Profiles.
In the Configure Run Profiles for “AMCOrgunits” dialog box, click New Profile.
In the Configure Run Profile wizard, on the Profile Name page, type Export to BHOLD, and then click Next.
On the Configure Step page, in the Type list, click Export, and then click Next.
On the Management Agent Configuration page, click Finish.
In the Configure Run Profiles for “AMCOrgunits” dialog box, click OK.
To create the AMCUsers MA
In Synchronization Service Manager, click Management Agents.
Under Actions, click Create.
In the Create Management Agent wizard, in the Management agent for list, click Access Management (Microsoft).
In Name, type AMCUsers, and then click Next.
On the Connectivity page, in the Authentication Mode list, click Integrated Authentication, in User Name, type Administrator, in Password, type the password for the CORP\Administrator account, in Domain, type CORP, in B1 Database Server, type APP1, in Database Name, type B1, and then click Next.
On the Configure Partitions and Hierarchies page, click Next.
On the Select Object Types page, select the User check box, and then click OK.
On the Select Attributes page, select all the attributes in the list, and then click Next.
On the Configure Anchors page, click Next.
On the Configure Connector Filter page, click New.
In the Filter for person dialog box, in the Data source attribute list, click bholdDefAlias, in the Operator list, click Is not present, click Add Condition, and then click OK.
On the Configure Connector Filter page, click Next.
On the Configure Join and Projection Rules page, click New Projection Rule.
In the Projection dialog box, in the Metaverse object type list, click person, and then click OK.
On the Configure Join and Projection Rules page, click Next.
On the Configure Attribute Flow page, in Build Attribute Flow, in the Data source attribute list, click bholdDescription, click Direct, click Export, in the Metaverse attribute list, click displayName, and then click New.
Repeat the previous step, substituting the values in the following table:
| Data source attribute | Metaverse attribute |
|---|---|
| OrganizationalUnit | department |
| BholdDefAlias | accountName |
| bholdDomain | domain |
| JobTitle | jobTitle |
| Email | email |

In the Data source attribute list, click Domain, click Advanced, click Export, and then click New.
In the Advanced Export Attribute Flow Options dialog box, click Constant, in Value, type CORP, and then click OK.
On the Configure Attribute Flow page, click Next.
On the Configure Deprovisioning page, click Stage a delete on the object for the next export run, and then click Next.
On the Configure Extensions page, click Finish.
In Synchronization Service Manager, click AMCUsers, and then, under Actions, click Configure Run Profiles.
In the Configure Run Profiles for “AMCUsers” dialog box, click New Profile.
In the Configure Run Profile wizard, on the Profile Name page, type Export to BHOLD, and then click Next.
On the Configure Step page, in the Type list, click Export, and then click Next.
On the Management Agent Configuration page, click Finish.
In the Configure Run Profiles for “AMCUsers” dialog box, click New Step.
In the Configure Run Profile wizard, on the Configure Step page, in the Type list, click Delta Synchronization, and then click Next.
On the Management Agent Configuration page, click Finish.
In the Configure Run Profiles for “AMCUsers” dialog box, click OK.
To create the ADUsers MA
In Synchronization Service Manager, click Management Agents.
Under Actions, click Create.
In the Create Management Agent wizard, in the Management agent for list, click Active Directory Domain Services.
In Name, type ADUsers, and then click Next.
On the Connect to Active Directory Forest page, in Forest Name, type corp.contoso.com, in User name, type Administrator, in Password, type the password for the CORP\Administrator account, in Domain, type corp, and then click Next.
On the Configure Directory Partitions page, select the DC=corp,DC=contoso,DC=com check box, and then click Containers.
In the Select Containers dialog box, clear the DC=corp,DC=contoso,DC=com check box, select the FIMManaged check box, and then click OK.
On the Configure Directory Partitions page, click Next.
On the Configure Provisioning Hierarchy page, click Next.
On the Select Object Type page, select the following check boxes, and then click Next:
container
domainDNS
organizationalUnit
user
On the Select Attributes page, select the Show All check box, select the following check boxes, and then click Next:
department
description
displayName
employeeID
mail
objectSid
sAMAccountName
title
unicodePwd
userAccountControl
userPrincipalName
On the Configure Connector Filter page, click Next.
On the Configure Join and Projection Rules page, under Data Source Object Type, click user, and then click New Join Rule.
In the Join Rule for user dialog box, in the Data source attribute list, click sAMAccountName, in the Metaverse object type list, click person, in the Metaverse attribute list, click accountName, click Add Condition, in the warning click OK, and then in the dialog box, click OK.
On the Configure Join and Projection Rules page, click New Projection Rule.
In the Projection dialog box, in the Metaverse object type list, click person, and then click OK.
On the Configure Join and Projection Rules page, click Next.
On the Configure Attribute Flow page, in Build Attribute Flow, in the Data source object type list, click user, in the Data source attribute list, click description, click Export, select the Allow Nulls check box, in the Metaverse object type list, click person, in the Metaverse attribute list, click description, and then click New.
Repeat the previous step, substituting the values in the following table:
| Data source attribute | Row Direction | Allow Nulls | Metaverse attribute |
|---|---|---|---|
| displayName | Export | Yes | description |
| employeeID | Export | Yes | employeeID |
| sAMAccountName | Export | Yes | accountName |
| mail | Export | Yes | email |
| title | Export | Yes | jobTitle |
| department | Export | Yes | department |
| userPrincipalName | Export | No | accountName |
| objectSid | Import | No | objectSid |
| <dn> | Import | No | objectID |

In the Data source attribute list, click userAccountControl, click Advanced, click Export, and then click New.
In the Advanced Export Attribute Flow Options dialog box, click Constant, type 66048, and then click OK.
In the Data source attribute list, click unicodePwd, click Advanced, click Export, and then click New.
In the Advanced Export Attribute Flow Options dialog box, click Constant, type T3mpP@55, and then click OK.
In the Metaverse attribute list, click domain, click Advanced, click Import, and then click New.
In the Advanced Import Attribute Flow Options dialog box, click Constant, type CORP, and then click OK.
On the Configure Attribute Flow page, click Next.
On the Configure Deprovisioning page, click Stage a delete on the object for the next export run, and then click Next.
On the Configure Extensions page, click Finish.
In Synchronization Service Manager, click ADUsers, and then, under Actions, click Configure Run Profiles.
In the Configure Run Profiles for “ADUsers” dialog box, click New Profile.
In the Configure Run Profile wizard, on the Profile Name page, type Export and import AD users, and then click Next.
On the Configure Step page, in the Type list, click Export, and then click Next.
On the Management Agent Configuration page, verify the following settings, and then click Finish:
| Setting | Value |
|---|---|
| Partition | DC=corp,DC=contoso,DC=com |
| Batch size (objects) | 100 |
| Page size (objects) | 500 |
| Timeout (in seconds) | 120 |

In the Configure Run Profiles for “ADUsers” dialog box, click New Step.
In the Configure Run Profile wizard, on the Configure Step page, in the Type list, click Full Import and Full Synchronization, and then click Next.
On the Management Agent Configuration page, ensure that the settings match the previous table, and then click Finish.
In the Configure Run Profiles for “ADUsers” dialog box, click New Profile.
In the Configure Run Profile wizard, on the Profile Name page, type Sync, and then click Next.
On the Configure Step page, in the Type list, click Full Import and Full Synchronization, and then click Next.
On the Management Agent Configuration page, ensure that the settings match the previous table, and then click Finish.
In the Configure Run Profiles for “ADUsers” dialog box, click OK.
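The ADUsers MA exports two constants to every account it provisions: userAccountControl 66048 (0x10200, that is NORMAL_ACCOUNT plus DONT_EXPIRE_PASSWORD) and the same unicodePwd value. The following script is an added example, not part of the original lab guide. It decodes the flag value and lists which accounts under FIMManaged still carry those provisioning defaults. It assumes the ActiveDirectory PowerShell module is available and that FIMManaged is an OU directly under the domain root; the function name, the DN and the five-minute window are illustrative choices.

```powershell
# Added example: audit accounts provisioned by the ADUsers MA.
# Assumptions: ActiveDirectory module (RSAT) is installed; FIMManaged is an OU under the domain root.
Import-Module ActiveDirectory

# Documented userAccountControl bit values (subset relevant to provisioning).
$UacFlags = [ordered]@{
    ACCOUNTDISABLE       = 0x0002
    PASSWD_NOTREQD       = 0x0020
    NORMAL_ACCOUNT       = 0x0200
    DONT_EXPIRE_PASSWORD = 0x10000
    PASSWORD_EXPIRED     = 0x800000
}

# Hypothetical helper: return the names of the flags set in a userAccountControl value.
function ConvertFrom-Uac {
    param([int]$Value)
    $UacFlags.GetEnumerator() |
        Where-Object { $Value -band $_.Value } |
        ForEach-Object { $_.Key }
}

# Decode the constant that the attribute flow exports.
ConvertFrom-Uac 66048

$searchBase = 'OU=FIMManaged,DC=corp,DC=contoso,DC=com'   # assumed DN of the managed container

Get-ADUser -SearchBase $searchBase -Filter * -Properties userAccountControl, pwdLastSet, whenCreated |
    ForEach-Object {
        $pwdSetUtc = [DateTime]::FromFileTimeUtc([long]$_.pwdLastSet)
        [pscustomobject]@{
            SamAccountName  = $_.SamAccountName
            Flags           = (ConvertFrom-Uac $_.userAccountControl) -join ','
            PasswordSetUtc  = $pwdSetUtc
            # Heuristic: a password last set within minutes of account creation
            # has not been changed since the MA exported the constant value.
            InitialPassword = ($pwdSetUtc - $_.whenCreated.ToUniversalTime()).TotalMinutes -lt 5
        }
    } |
    Format-Table -AutoSize
```

Run it after the Export and import AD users profile has completed; rows with DONT_EXPIRE_PASSWORD and InitialPassword set to True are accounts still on the provisioning defaults.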
Next step
To continue building the BHOLD Access Management Connector test lab, see Step 11: Verify the installation.