SharePoint Connector Setup and Install
Introduction:
Be aware that the setup and configuration
steps below for the SharePoint connector are laid out by describing a fictional
example.
Scenario & Assumptions:
The fictional scenario being described is one where a company, Contoso, has an existing investment in FIM 2010 R2.
In this fictional illustration, Contoso uses their existing FIM infrastructure in the following way:
- Authoritative employee information is entered/keyed in by helpdesk staff via the FIM Portal interface.
- FIM uses this data to automatically create AD accounts for new hires.
- Users can use the self-service features of FIM to update their personal information.
- Changes to employee information are automatically reflected in AD via the FIM sync process.
Contoso also has an existing investment in SP2013. They are aware of the default sync option (the SharePoint User Profile Synchronization service) but want to eliminate the duplicate sync effort and integrate user profile provisioning into their existing business logic.
Contoso is excited to find out that they now can, with the new SharePoint connector.
The following demo shows how to provision
users from FIM and have an account and a user profile created for that user in
AD and SharePoint.
Requirements:
- FIM 2010 R2 SP1 server (SP1 not released yet) with Portal and Synchronization components installed
- SharePoint Connector installer package (not released yet)
- SharePoint 2013 with UPA (the User Profile Synchronization service should not be started)
- Domain Controller
Over the next several pages, the following necessary steps will be expanded upon.
- Attribute Planning
- Configuring AD
- Configuring the FIM Sync Engine
- Configuring FIM Portal
- Creating a test user
- Enabling sync rule provisioning
- Perform initial sync and verification steps
- Configuring SharePoint
- Testing the configuration
Attribute Planning:
Attribute planning is an extremely important step. For this scenario, attributes will need to flow from the FIM Portal to the Metaverse en route to AD and SharePoint. In addition, certain attributes will need to flow from AD to the Metaverse en route to SharePoint and the FIM Portal.
Here is the minimum/mandatory set of attributes that has to be specified/mapped for each connected directory (i.e. AD and SharePoint).
Outbound to Active Directory:
- givenName
- sn
- displayName
- sAMAccountName
- unicodePwd (initial flow only)
- userAccountControl (initial flow only)
- dn (initial flow only)
Inbound from Active Directory:
- dn
- objectSid
SharePoint:
- FirstName
- LastName
- PreferredName
- SPS-DistinguishedName
- SID
- ProfileIdentifier
- Anchor
- AccountName
With this
information, it is recommended to build an attribute planning worksheet such as
the following:
FIM to AD sync rule planning (to be configured on the Sync Rule in FIM Portal)
FIM attributes | AD required attributes | Initial Flow Only | Examples |
FirstName | givenName | No | Bob |
LastName | sn | No | Smith |
DisplayName | displayName | No | Bob Smith |
AccountName | sAMAccountName | No | bsmith |
"stringPassword" (custom expression) | unicodePwd | Yes | Password! |
"integer value" (custom expression) | userAccountControl | Yes | 512 |
concatenated string (custom expression) | dn | Yes | CN=<displayName>,OU=OU_Name,DC=domain_Name,DC=local |
Notes on the three initial-flow rows: 512 is NORMAL_ACCOUNT with no other bits set, i.e. an enabled account (514 creates it disabled). The password value is only a placeholder; a fixed literal means every new hire starts with the same known password, so use a generated per-user value and force a change at first logon. Building the RDN from displayName means two users with the same display name in the OU resolve to the same DN and the second export fails, so confirm display names are unique or derive the RDN from an attribute that already is (e.g. AccountName).
FIM to MV attribute planning (to be configured on the FIM MA itself)
FIM attributes | MV attributes | Direction |
FirstName | givenName | Import |
LastName | sn | Import |
DisplayName | displayName | Import |
AccountName | sAMAccountName | Import |
AD to MV attribute planning (to be configured on the AD MA itself)
AD Attributes | MV attributes | Direction |
dn | distinguishedName | Import |
objectSid | objectSid | Import |
MV to SharePoint attribute planning (to be configured on the SP MA itself). The MV attribute names are the same ones the FIM MA imports into above; the Metaverse has a single schema, so the two worksheets must agree.
MV attributes | SharePoint attributes | Direction |
givenName | FirstName | Export |
sn | LastName | Export |
displayName | PreferredName | Export |
distinguishedName | SPS-DistinguishedName | Export |
objectSid | SID | Export |
- | Anchor | Set by MV Extension |
- | ProfileIdentifier | Set by MV Extension |
- | AccountName | Set by MV Extension |
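The following PowerShell is an added example, not part of the original article or of FIM itself. It shows what the three initial-flow rows in the worksheet expand to and why the DN row deserves a planning check: it builds the DN that the sync rule's concatenated expression would produce (with the RDN escaping that FIM's EscapeDNComponent function performs inside a custom expression), reports display names that would collide in the target OU, and decodes userAccountControl bit values such as 512. The OU/domain names and the sample display names are constructed placeholders.

```powershell
# Added example (not from the original article). The OU, domain and sample names
# below are constructed placeholders matching the worksheet, not real objects.
$TargetOu = 'OU=FIM_Provisioned_Users,DC=contoso,DC=local'

# Escape an RDN value per RFC 4514. The FIM sync rule function EscapeDNComponent
# does this inside a custom expression; it is reimplemented here so the planning
# check can run outside FIM.
function ConvertTo-EscapedRdn {
    param([Parameter(Mandatory)][string]$Value)
    $escaped = $Value -replace '([\\,+"<>;=])', '\$1'
    if ($escaped.StartsWith('#') -or $escaped.StartsWith(' ')) { $escaped = '\' + $escaped }
    if ($escaped.EndsWith(' ')) { $escaped = $escaped.Substring(0, $escaped.Length - 1) + '\ ' }
    return $escaped
}

# The "concatenated string" row of the worksheet, i.e. the custom expression
#   "CN=" + EscapeDNComponent(displayName) + ",OU=FIM_Provisioned_Users,DC=contoso,DC=local"
function New-ProvisionedDn {
    param([Parameter(Mandatory)][string]$DisplayName, [string]$Ou = $TargetOu)
    return "CN=$(ConvertTo-EscapedRdn -Value $DisplayName),$Ou"
}

# Because the RDN is built from displayName, two people with the same display name
# in the same OU get the same DN and the second export fails. AD compares DNs
# case-insensitively, so the check normalises case before comparing.
function Find-DnCollision {
    param([Parameter(Mandatory)][string[]]$DisplayNames, [string]$Ou = $TargetOu)
    $seen = @{}
    foreach ($name in $DisplayNames) {
        $key = (New-ProvisionedDn -DisplayName $name -Ou $Ou).ToLowerInvariant()
        if ($seen.ContainsKey($key)) {
            [pscustomobject]@{ DisplayName = $name; CollidesWith = $seen[$key]; Dn = $key }
        } else {
            $seen[$key] = $name
        }
    }
}

# userAccountControl is a bit field; the worksheet's 512 is NORMAL_ACCOUNT with no
# other flags, i.e. an enabled account. 514 would create the account disabled.
$UacFlags = [ordered]@{
    ACCOUNTDISABLE       = 0x0002
    NORMAL_ACCOUNT       = 0x0200
    DONT_EXPIRE_PASSWORD = 0x10000
}
function Get-UacFlagName {
    param([Parameter(Mandatory)][int]$Value)
    $UacFlags.GetEnumerator() | Where-Object { ($Value -band $_.Value) -ne 0 } | ForEach-Object { $_.Key }
}

# Constructed sample input: one name with a comma (needs escaping) and one that
# differs from another only by case (collides in AD).
$sampleNames = 'Bob Smith', 'Smith, Bob', 'bob smith'
$sampleNames | ForEach-Object { New-ProvisionedDn -DisplayName $_ }
Find-DnCollision -DisplayNames $sampleNames | Format-Table -AutoSize
Get-UacFlagName -Value 512
Get-UacFlagName -Value 514
```

Running the collision check over the real display names during planning tells you whether displayName is a safe RDN source for this OU or whether the RDN should come from AccountName, which must already be unique because it also becomes sAMAccountName.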
Configure AD:
On the domain controller, create an OU called FIM_Provisioned_Users. This is the OU the AD MA will be scoped to, so the account the AD MA connects with needs rights to create and manage user objects in it; grant those rights on this OU rather than making the account a Domain Admin.
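An added PowerShell example (not part of the original article) that creates the OU and grants the AD MA's service account only the rights it needs on that OU and on the domain partition, instead of using a Domain Admin account for the MA. The domain DN (DC=contoso,DC=local) and the account name CONTOSO\svc_fimadma are assumed placeholders.

```powershell
# Added example (not from the original article). The domain name and the AD MA
# service account are placeholders; replace them with your own.
Import-Module ActiveDirectory

$DomainDn  = 'DC=contoso,DC=local'
$OuName    = 'FIM_Provisioned_Users'
$OuDn      = "OU=$OuName,$DomainDn"
$MaAccount = 'CONTOSO\svc_fimadma'   # the account entered on the AD MA's credentials tab

# 1. Create the OU (idempotent) and protect it from accidental deletion.
try {
    $null = Get-ADOrganizationalUnit -Identity $OuDn -ErrorAction Stop
    Write-Host "OU already exists: $OuDn"
} catch {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDn -ProtectedFromAccidentalDeletion $true
    Write-Host "Created OU: $OuDn"
}

# 2. Least-privilege delegation, scoped to this OU only:
#    - create and delete user objects in the OU and its children
dsacls $OuDn /I:T /G "${MaAccount}:CCDC;user"
#    - full control of the user objects themselves (attribute writes on export,
#      plus the Reset Password right that the unicodePwd initial flow relies on)
dsacls $OuDn /I:S /G "${MaAccount}:GA;;user"

# 3. Delta imports on the AD MA use the DirSync control, which requires the
#    "Replicating Directory Changes" control-access right on the domain partition.
dsacls $DomainDn /G "${MaAccount}:CA;Replicating Directory Changes"

# 4. Verify what was granted. -SimpleMatch because the backslash in the account
#    name would otherwise be read as a regular-expression escape.
dsacls $OuDn | Select-String -SimpleMatch $MaAccount
```

Run it once as a user who can modify the domain ACL; after that the MA account itself never needs more than what is listed here, which keeps a compromised sync server from being a path to every object in the domain.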
Configure FIM Sync Engine:
Configuring the FIM sync engine is a multistage process that consists of the following substeps. See corresponding pages below for detailed steps.
- Create a FIM MA
- Create and configure run profiles for the FIM MA
- Create an AD MA
- Create and configure run profiles for the AD MA
- Run initial AD MA sync steps
Create FIM MA
1. Provide a name.
2. Provide database information and credentials.
3. Select Person under object types.
4. On the Select Attributes tab, accept the defaults. Click OK.
5. On the Configure Connector Filter tab, select Person, click New and add filters that exclude the FIM Administrator account and the Built-in Synchronization Account (for example, one filter per object on DisplayName), so that neither is projected and provisioned to AD.
6. On the Object Type Mapping tab, add a Person to person mapping.
7. Configure the Attribute Flow tab. What you are configuring here are attribute mappings between FIM and the Metaverse; refer to your FIM to MV attribute planning worksheet. Note: any attribute you intend to flow out to AD or another connected system must be mapped here in addition to being mapped in the Sync Rules. The Sync Rules control the mapping between the MV and the connected system, but the MV needs to get its data from FIM, and these mappings are how the data gets into the MV. Last note: don't map the initial flow attributes here.
8. Click Next on the remaining tabs and finish creating the connector.
Create run profiles for FIM MA
In the FIM Synchronization Service Manager, select the FIM MA, click the Configure Run Profiles link and create the standard run profiles (Full Import, Full Synchronization, Delta Import, Delta Synchronization, Export).
Create AD MA
Create an Active Directory MA as follows:
1. Provide credentials on the Connect to Active Directory Forest tab (use an account that has only the rights it needs on the FIM_Provisioned_Users OU rather than a Domain Admin).
2. Select the domain you wish to synchronize. Click Containers and select the OU you wish to create objects in, i.e. the OU you created earlier.
3. Click Next on the Provisioning Hierarchy tab.
4. Select user on the Object Types tab.
5. On the Select Attributes tab, select the attributes you configured in your worksheets for import from and export to AD.
6. Leave the Connector Filter and Join/Projection rules at their defaults.
7. On the Attribute Flow tab, configure the flows from your AD to MV attribute planning worksheet.
8. On the Deprovisioning tab, select the "Stage a delete on the object for the next export run" option.
9. Click Next on the remaining tabs and finish.
Create run profiles for AD MA
In the FIM Synchronization service manager,
select the AD MA. Click the Configure Run Profiles link and configure run
profiles like so:
Run initial AD MA sync steps
Run the Full Import and Full Sync steps on the
AD MA to create the parent containers in the AD connector space.
Configure the FIM Portal
Configuring the FIM Portal is a multistage process that consists of the following substeps. See corresponding pages below for detailed steps.
- Create the AD Synchronization Rule
- Create a workflow
- Create a management policy rule
- Sync the initial FIM settings
Create AD Synchronization rule
The Sync Rule controls the flow of attributes between the MV and AD. Alternatively, the attribute mappings can be done on the AD MA instead of through the FIM Portal; however, that is not covered here.
1. In the FIM Portal, click the Synchronization Rules link, then click New.
2. On the General tab, name the rule and set the data flow direction to Outbound (this rule only pushes attributes to AD; nothing is imported through it).
3. On the Scope tab, set the metaverse resource type to person, the external system to the AD MA created earlier and the external system resource type to user.
4. On the Relationship tab, define the relationship criteria that join a metaverse person to an AD user (for example, the MV attribute holding the account name to sAMAccountName) and check Create Resource in External System; without it the rule will update existing AD users but never create new ones.
5. On the Workflow Parameters tab, click Next.
6. Configure the outbound attribute flow from your FIM to AD sync rule planning worksheet, marking unicodePwd, userAccountControl and dn as Initial Flow Only.
7. Leave the Inbound Attribute Flow tab blank and finish the wizard.
Create a workflow
A workflow is used here to associate the sync rule with a newly created user.
1. In the FIM Portal, click the Workflows link. Click New.
2. On the General tab, name the workflow and set its type to Action.
3. On the Activities tab, add a Synchronization Rule Activity, select the AD synchronization rule created above and set the action to Add.
Create an MPR
An MPR makes the connection between the workflow and the set of users it will run against. A workflow by itself only knows what it should do, not against whom; the MPR defines who.
1. Click the Management Policy Rules link. Click New.
2. On the General tab, name the rule and choose its type (a Set Transition MPR is the usual choice here: the workflow runs when a user enters the set of users to be provisioned).