Identity & Access Management
5 Essential Tools for MIIS
At a Glance:
- MIIS 2003 Design and Planning Collection
- MIIS Provisioning Assistant
- MIIS Preview
- Oxford MIIS Documentor
- MIIS Service Monitor
Identity and access management. These are important issues as your business implements systems that provide corporate information to employees, business partners, and customers.
Each solution introduces new applications with their own authorization requirements and potentially their own authentication mechanisms. As these disparate systems proliferate throughout an organization, managing digital identity—determining when users are on-boarded, when they are off-boarded, and what privileges and access they have while active in the environment—becomes an increasingly complicated process.
Microsoft® Identity Integration Server (MIIS) 2003 lets you manage identity information across multiple platforms and applications. It ships with management agents that can be used to integrate identity information across many different data repositories and provides synchronization functionality that lets integrated systems maintain data consistency based on business rules. MIIS gives you provisioning capabilities so identities can be added or removed across repositories, along with password management features to ensure password consistency across integrated systems and platforms.
As you approach an identity management project, it is important to have the right technical and team resources available. You'll need an in-depth understanding of your overall business processes to design and architect a solution based on MIIS. You'll also need the development skills to implement complex business logic in the rules extension assemblies used by MIIS. Once you've assembled the right team, there are a number of useful resources that can assist you during design and implementation. Here are five tools to simplify the design process, reduce custom coding, facilitate deployment, keep documentation current, and help with daily operations and monitoring.
Design: MIIS 2003 Design and Planning Collection
As you begin to tackle an identity management project, the first challenge you're likely to run into is determining where you should start. Typically, identity management solutions are strategic. Translating that strategy into concrete activities requires some experience. To address this challenge, Microsoft has developed the MIIS 2003 Design and Planning Collection—a series of documents and worksheets that can aid in scoping your project, gathering requirements, and configuring a solution based on MIIS 2003. It is especially useful if you're new to this type of project.
The Design and Planning Collection contains an introductory document that explains how to use the series, seven separate documents that address particular design components, templates to be used in conjunction with the documents, and completed sample templates so you can see what the finished templates should look like. You can download the entire collection from go.microsoft.com/fwlink/?LinkId=65986.
This collection is intended to provide you with the building blocks for designing and documenting your MIIS 2003 implementation. The introductory document is brief but informative. It outlines what you will find in each of the seven guides and even advises you on which of your project shareholders should read which guide. It suggests that everyone on the team read the Roadmap Guide, for example. If you are going to use the templates, this should be a requirement. You'll save significant effort understanding the rest of the documents and templates if you take the time to read the twelve-page Roadmap Guide. And each template has an accompanying guide you should read before starting to use that template.
If you have experience designing and documenting identity management solutions, the MIIS 2003 Design and Planning Collection may offer some interesting pieces of information for you. But in general, this collection is really intended for people who are new to defining and implementing identity management projects.
Even with these planning tools, remember that for the best chance of success you should tackle a large identity management project in bite-sized chunks. While all identity management projects need a high-level strategy, complex designs often come together better when implemented in a phased approach.
Develop: MIIS 2003 Provisioning Assistant
As a result of your design efforts, you've identified the data flow for both attributes and objects. If your design requires creating or deleting objects in connected data sources, you'll need to develop a method of provisioning and deprovisioning these objects. In MIIS 2003 this means implementing that logic in a metaverse rules extension. Rules extensions are implemented as DLLs and stored in the Extensions subfolder of the MIIS root folder.
To reduce the amount of development work necessary for simple provisioning and deprovisioning, you can take advantage of the MIIS Provisioning Assistant, part of the Microsoft Identity Integration Server 2003 Resource Tool Kit 2.0 (see go.microsoft.com/fwlink/?LinkId=65991). Prior to the release of this tool, all provisioning extensions had to be developed in Visual Studio®.
MIIS Provisioning Assistant is a wizard-based tool that generates a metaverse rules extension to perform simple provisioning and deprovisioning actions. All configurations are done through the wizard's user interface, so no development is necessary. But this tool generates a Visual Basic® or Visual C#® project so you can configure additional complex provisioning rules using Visual Studio, if you prefer.
When you create a metaverse rules extension with this tool, a series of templates are created in the project. These templates are used to store your configuration and, based on the information in the templates, a metaverse assembly is created.
There are a few actions that must be completed before you can use the wizard. The metaverse schema must be configured with the object types and attributes that will be used for provisioning, and any management agent that will be configured for provisioning or deprovisioning must exist in the Identity Manager. Once these configuration tasks are completed, the next step is to generate server export files. These files contain all the necessary information about the management agents and metaverse schema.
When the server export is available, you can launch Provisioning Assistant and configure a new metaverse extension project. The wizard prompts you for the name of your extension, the programming language (C# or Visual Basic), and the location for the project. Note that regardless of the project's location, the compiled assembly will be placed in the Extensions folder.
As you progress through the wizard, you provide conditions that must be met to trigger provisioning on a particular metaverse object type. For example, if you are provisioning mail-enabled contacts into your Active Directory® environment, you want to make sure that a person in the metaverse has his mail attribute populated (see Figure 1).
Figure 1 Provisioning Assistant
You also define object templates that specify the connector space object type you are provisioning to and the metaverse object type that should be evaluated. In the example of creating mail-enabled contacts, the connector space object type is contact, and if the users are person objects in the metaverse, the object type is person. In this template you also specify the initial attribute population. This is important because some attributes can't be included in regular attribute flow, but instead must be configured when an object is created in the connector space. One such example is setting the initial password on a connector. In general, a password attribute cannot be configured in export attribute flow, but it can be set initially during the provisioning process (see Figure 2).
Figure 2 Setting Password Attribute
While running the wizard, you also need to configure the format of the distinguished name (DN) in the target connector space. You can define both constant and variable components for the DN. For example, you may decide to create a DN where the first component contains "last name, first name", the second component is the user's department, and the rest is constant. Such a configuration would look like this:
Provisioning Assistant includes two advanced features for managing distinguished name conflicts and changes. The simple conflict-resolution option specifies that a number will be appended to the DN if the name of the object you are trying to provision already exists in the target connector space. The renaming existing connectors option specifies whether an existing connector will be renamed if a portion of the DN changes. If a user changes departments or changes his name, for example, selecting this option will propagate that change to the DN.
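The wizard settings described above, modelled as an added example (this is not code from the article or from Provisioning Assistant): the provisioning condition for the mail-enabled-contact case, the "last name, first name" / department / constant DN template, simple conflict resolution, and rename-on-DN-change. RDN values are escaped per RFC 4514 so the comma in "Doe, John" cannot be read as a component separator; the suffix, attribute names and sample data are constructed assumptions.

```python
# Added example (not code from the article or from Provisioning Assistant):
# models the wizard settings for the mail-enabled-contact case: the
# provisioning condition, the DN template "last name, first name" /
# department / constant suffix, simple conflict resolution (append a
# number) and rename-on-DN-change. RDN values are escaped per RFC 4514 so
# the comma in "Doe, John" cannot be read as a component separator.
# Suffix, attribute names and sample data are constructed assumptions.
from typing import Dict, Optional, Set, Tuple

SUFFIX = "OU=Contacts,DC=contoso,DC=com"   # assumed constant DN tail
_SPECIAL = set(',+"\\<>;=')                 # RFC 4514 characters needing escape


def escape_rdn_value(value: str) -> str:
    """Backslash-escape a value for use inside an RDN (RFC 4514 section 2.4)."""
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        needs = (ch in _SPECIAL
                 or (ch == "#" and i == 0)
                 or (ch == " " and (i == 0 or i == last)))
        out.append("\\" + ch if needs else ch)
    return "".join(out)


def should_provision(mventry: Dict[str, Optional[str]]) -> bool:
    """Wizard condition: a metaverse person whose mail attribute is populated."""
    return mventry.get("objectType") == "person" and bool(mventry.get("mail"))


def build_dn(mventry: Dict[str, Optional[str]], taken: Set[str]) -> str:
    """DN template plus simple conflict resolution: append 2, 3, ... to the CN
    until the DN is not already present in the target connector space."""
    base_cn = f"{mventry['sn']}, {mventry['givenName']}"
    ou = escape_rdn_value(mventry["department"])
    cn, n = base_cn, 1
    while True:
        dn = f"CN={escape_rdn_value(cn)},OU={ou},{SUFFIX}"
        if dn not in taken:
            return dn
        n += 1
        cn = f"{base_cn}{n}"


def provision(mventry: Dict[str, Optional[str]], taken: Set[str],
              current_dn: Optional[str] = None) -> Tuple[str, Optional[str]]:
    """Decide the action for one metaverse entry: 'skip' (condition not met),
    'create' (no connector yet), 'rename' (a DN component changed) or
    'unchanged'. current_dn is the existing connector's DN, if any."""
    if not should_provision(mventry):
        return "skip", None
    others = taken - {current_dn} if current_dn else taken
    dn = build_dn(mventry, others)
    if current_dn is None:
        return "create", dn
    return ("rename" if dn != current_dn else "unchanged"), dn


if __name__ == "__main__":
    # Constructed sample: the department value itself contains a comma.
    person = {"objectType": "person", "mail": "jdoe@example.com",
              "sn": "Doe", "givenName": "John", "department": "Sales, EMEA"}
    print(provision(person, set()))
```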
As a final step in the wizard, you specify any deprovisioning rules. These are conditions that must be met on a metaverse object type before deprovisioning will occur. After defining the conditions, you can then select the management agents from which the object will be deprovisioned.
After stepping through the templates for each object type you want to provision and deprovision, click the Generate Extension button to create the metaverse custom extension. Before provisioning will actually occur, you need to do the following:
- Enable the metaverse extension.
- Specify the name of the assembly you just created.
- Enable the provisioning rules extension.
These three tasks are performed through commands that are accessible from the Options submenu of the Tools menu within the Identity Manager console. If you need to reuse this configuration on another MIIS instance, you can export the project to a single XML file that can be easily imported into Provisioning Assistant on a different server.
Without MIIS Provisioning Assistant, even the simplest of synchronization designs requires custom development work. But by using MIIS Provisioning Assistant, you can create a Microsoft Identity Integration Server implementation with provisioning that does not require any custom development work at all.
Deploy: MIIS Preview
Both new and existing MIIS implementations have the same challenge: ensuring that what you roll out does not negatively impact your existing production systems or the metaverse. MIIS addresses this challenge with MIIS Preview, a powerful deployment tool that ships in the box. Preview enables you to model how configuration changes might impact a single object in a given connector space. Having that information accessible before committing changes to a production system is invaluable. Preview displays all rules that were applied as well as those that did not apply during a synchronization process. You can drill into a rule's details and analyze the results for potential errors before any changes are committed to the metaverse or connector space.
To run Preview, select a connector space object and view its properties. You can select a connector space object in many different places within the Identity Manager interface. If errors occur during an import or export process, you can select the connector space object by clicking on the hyperlink in the Synchronization Errors pane. If a connector space object isn't joining to a metaverse object, you can locate that connector space object on the Joiner tab and view its properties. If you want to spot-check objects, you can search the metaverse or connector space and randomly select objects. Note that if you search the metaverse for objects, you'll need to get properties on the metaverse object, then click the Connectors tab to locate the connector space object you want to run a preview on and get its properties.
Once you've selected a connector space entry, you choose whether to preview a full or delta synchronization. Full synchronization is typically selected when deploying new systems or changing configurations. You can then generate the preview and review all synchronization steps—from the import connector filters to the export attribute flow (see Figure 3).
Figure 3 Previewing Attribute Flow for Synchronization
I use Preview most often to test advanced rules because it's a great way to debug code that isn't doing what you anticipated. Not only can you see what data is passing through an object, you can also attach the debugger and step into your advanced rules without having to launch a run profile. If you run the management agent, you might have to step through the processing of many other objects before you can debug the one with issues. With Preview, you can select that object, attach the debugger, generate the preview, and step into the code being applied to that specific object.
Although Preview is not a substitute for lab development and thorough testing, it does let you review data before any changes are committed. So, when your production data is not as clean as the lab you're developing in, the Preview feature provides a means to catch any errors before they become production issues.
Document: Oxford MIIS Documentor
As you build these complex management agents and metaverse configurations, the business logic sometimes gets locked away in the UI and the rules extension assemblies. There are tools in the MIIS Resource Tool Kit that allow you to view your configuration—these include MA Configuration Viewer, Attribute Flow Viewer, and MV Configuration Viewer. These tools are very useful for viewing their targeted configurations, but they do not produce the detailed information that you will need for system documentation and auditing purposes.
Oxford MIIS Documentor, from Oxford Computer Group, can automatically generate reports of your MIIS installation, which are suitable for creating or updating deployment documentation (see Figure 4). You can install it on any computer running Microsoft Word; it is not installed on the server running MIIS. A demonstration version of Oxford MIIS Documentor is available for download at www.oxfordcomputergroup.com. You can obtain additional functionality by purchasing a license.
Figure 4 Oxford MIIS Documentor Settings
Before you generate the documentation, you'll need to export your MIIS configuration. To ensure advanced flow rules are included in the report, your rules extensions projects must also be available. Oxford MIIS Documentor expects a specific folder hierarchy: the server export files must be in a folder called \MVExport and the rules extension projects must be in the same root folder. For example, if you have two rules extensions called HR MAExtension.dll and AD MAExtension.dll, and your root folder is \MIIS Config, you'd need this folder structure for the tool to work:
- \MIIS Config\MVExport\ contains all of the XML files that result from your server export.
- \MIIS Config\HR MAExtension\ contains the source code file HR MAExtension.vb.
- \MIIS Config\AD MAExtension\ contains the source code file AD MAExtension.vb.
When you run the application, it provides automated documentation of your MIIS installation, including definitions of all object classes, attribute flows, and management agent configurations. Any references between sections are represented as hyperlinks in the report document. This is handy because these documents are typically over 100 pages long and navigating between sections is much easier with the clickable references.
Additionally, the portion of code used in any advanced rules definition will automatically be placed in the proper section of the document. This is one of the most powerful features, as it saves a significant amount of time spent on documenting new implementations, and it also ensures all changes are captured when an existing implementation is modified. This tool also lets you customize the report and provide any additional content that should be incorporated into the final document.
Monitor: MIIS Service Monitor
Once you have designed and deployed an enterprise identity management solution, downstream data sources and applications will expect consistency in their data. To ensure these expectations are met, you need to implement an operational plan.
Organizations that are currently using or planning on investing in Microsoft Operations Manager (MOM) can take advantage of a management pack designed specifically for MIIS 2003. This management pack monitors for service outages, management agent errors, and issues with connected data sources. It additionally provides notifications for errors in password management and account provisioning. You can download the Microsoft Identity Integration Server 2003 Management Pack for MOM 2000 SP1 from Microsoft
If you are not planning on using MOM, you'll still want a full-featured monitoring and auditing solution for MIIS. A third-party product called MissionControl for MIIS from NetPro Computing includes core monitoring and auditing functions, and provides a graphical representation of MIIS to assist with diagnostics, troubleshooting, and service-level reporting. You can learn more about MissionControl at www.netpro.com/products/missioncontrol/index.cfm
But if your organization does not employ an enterprise-wide operational platform or strategy, MIIS Service Monitor can help you get some baseline MIIS service statistics. Like a number of the other tools I've discussed, MIIS Service Monitor ships with the MIIS Resource Tool Kit. It can be installed on any computer running Windows Server™ 2003 or Windows® XP. Service Monitor regularly polls the configured MIIS 2003 server and returns information on server status, resource statistics, management agent activity, and MIIS application events.
The main view of MIIS Service Monitor provides information about the MIIS Service and statistics on the performance of the MIIS server, SQL Server™, and management agents (see Figure 5). You can stop, start, and refresh the MIIS service. You can also view MIIS events in the application event log on the MIIS server. The events that are returned to MIIS Service Monitor can be filtered by number of days, then copied or saved. The statistics reported on MIIS and SQL Server include:
- The current state of MIIS or SQL Server.
- The current working memory set size and peak working set size.
- The total number of handles MIIS or SQL Server currently have open.
- The number of threads currently active in the MIIS or SQL Server processes.
- The current virtual memory size and peak virtual memory size.
Figure 5 MIIS Status
Additionally, the Service Monitor window displays the open Identity Manager sessions and allows you to disconnect those sessions. All MIIS and SQL monitoring configurations can be changed by updating the configuration options in this application.
The management agent statistics provide information on the total number of management agents on the MIIS 2003 server. This number is a link that can be clicked to open the Management Agents page, which displays the last run information for each management agent as it would appear on the Operations tab in Identity Manager (see Figure 6). This statistics module also displays the number of management agents that are currently running. To actually modify, run, or query a management agent, you must use the Identity Manager interface.
Figure 6 Monitoring Management Agents
Jenn Goth is an identity management subject matter expert within Microsoft Consulting Services (MCS). She joined MCS in New York eight years ago and has been designing, developing, and deploying enterprise directory and identity management solutions for government, commercial, and financial services customers.
© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited.