Channel: TechNet Blogs

SharePoint connector for FIM 2010 R2


SharePoint Connector Setup and Install

 

Introduction:

The setup and configuration steps below for the SharePoint connector are laid out through a fictional example.

 

Scenario & Assumptions:

 

The fictional scenario is one where a company, Contoso, has an existing investment in FIM 2010 R2.

 

In this fictional illustration, Contoso uses their existing FIM infrastructure in the following way:

  • Authoritative employee information is entered by helpdesk staff via the FIM Portal.
  • FIM uses this data to automatically create AD accounts for new hires.
  • Users use the self-service features of FIM to update their personal information.
  • Changes to employee information are automatically reflected in AD via the FIM sync process.

 

Contoso also has an existing investment in SharePoint 2013 (SP2013). They are aware of SharePoint's default User Profile Synchronization option, but they want to eliminate the duplicate sync effort and integrate user profile provisioning into the business logic they already have in FIM.

 

With the new SharePoint connector they now can.

 

The following demo shows how to provision
users from FIM and have an account and a user profile created for that user in
AD and SharePoint.

 

Requirements:


  1. FIM 2010 R2 SP1 server (SP1 not yet released at the time of writing) with the Portal and Synchronization components installed
  2. SharePoint Connector installer package (not yet released)
  3. SharePoint 2013 with a User Profile Service Application (UPA). The SharePoint User Profile Synchronization service must not be started, because FIM will be performing the synchronization.
  4. Domain Controller

 

Over the next several pages, the following steps are expanded upon:

  1. Attribute planning
  2. Configuring AD
  3. Configuring the FIM Sync Engine
  4. Configuring the FIM Portal
  5. Creating a test user
  6. Enabling sync rule provisioning
  7. Performing the initial sync and verification steps
  8. Configuring SharePoint
  9. Testing the configuration

Attribute Planning:

 

Attribute planning is an extremely important step. For this scenario, attributes will need to flow from:

  • The FIM Portal to the Metaverse, en route to AD and SharePoint.

In addition, certain attributes will need to flow from:

  • AD to the Metaverse, en route to SharePoint and the FIM Portal.

Here is the minimum, mandatory set of attributes that has to be specified and mapped for each connected directory (i.e. AD and SharePoint).

Outbound to Active Directory:

  • givenName
  • sn
  • displayName
  • sAMAccountName
  • unicodePwd (initial flow only)
  • userAccountControl (initial flow only)
  • dn (initial flow only)

Inbound from Active Directory:

  • dn
  • objectSid

SharePoint:

  • FirstName
  • LastName
  • PreferredName
  • SPS-DistinguishedName
  • SID
  • ProfileIdentifier
  • Anchor
  • AccountName

With this information, it is recommended to build an attribute planning worksheet such as the following.

FIM to AD sync rule planning (to be configured on the Sync Rule in the FIM Portal)

FIM attribute                     AD attribute         Initial flow only   Example
--------------------------------  -------------------  -----------------   -------------------------------------------------
FirstName                         givenName            No                  Bob
LastName                          sn                   No                  Smith
DisplayName                       displayName          No                  Bob Smith
AccountName                       sAMAccountName       No                  bsmith
"stringPassword" (constant)       unicodePwd           Yes                 Password!
"integer value" (constant)        userAccountControl   Yes                 512
concatenated string (expression)  dn                   Yes                 cn=displayName,ou=OU_Name,dc=domain_Name,dc=local

"Yes" in the Initial flow only column means the value is written once, when the AD object is created, and is not exported again afterwards. Two things to be aware of for the three initial-flow rows: 512 is NORMAL_ACCOUNT with the account enabled, so the new account is usable the moment the export commits; and the constant password is shared by every account this rule creates, so treat it as a bootstrap value that has to be replaced before the user's first logon (or provision with 514, a disabled account, and enable the account in a separate step). The password must also satisfy the domain password policy or the export of that object fails.
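The rows of this worksheet are also what you check after the first export to AD. The PowerShell below is an added example, not code from the original post: it reads the provisioned accounts back out of the target OU and checks each worksheet row, plus the two side effects of the initial-flow rows that matter for security, namely that the account is enabled (512) and whether it still carries the shared bootstrap password (pwdLastSet has not moved since whenCreated). The OU and domain names are assumptions derived from the example DN; adjust them to your environment.

```powershell
# Added example, not part of the original post. Requires the ActiveDirectory
# RSAT module on a domain-joined machine. OU/domain names are assumptions.
Import-Module ActiveDirectory

$ouDn  = 'OU=FIM_Provisioned_Users,DC=contoso,DC=local'   # assumption
$props = 'givenName','sn','displayName','sAMAccountName','userAccountControl','whenCreated','pwdLastSet'

Get-ADUser -Filter * -SearchBase $ouDn -SearchScope OneLevel -Properties $props | ForEach-Object {
    $u = $_
    $problems = @()

    # Every worksheet row that is not "Initial flow only" must be populated.
    foreach ($attr in 'givenName','sn','displayName','sAMAccountName') {
        if ([string]::IsNullOrEmpty($u.$attr)) { $problems += "missing $attr" }
    }

    # The DN should follow the cn=<displayName>,ou=... pattern from the worksheet.
    if ($u.DistinguishedName -ne "CN=$($u.displayName),$ouDn") {
        $problems += 'DN does not match displayName'
    }

    # 512 = NORMAL_ACCOUNT, enabled. Anything else means the one-time
    # userAccountControl flow did not apply as planned (514 = disabled).
    if ($u.userAccountControl -ne 512) {
        $problems += "userAccountControl=$($u.userAccountControl)"
    }

    # pwdLastSet is written when FIM sets unicodePwd at creation. A value of 0
    # means "must change at next logon" (acceptable). If it still sits within a
    # minute of whenCreated, nobody has replaced the shared initial password.
    $pwdLastSet = [int64]$u.pwdLastSet
    if ($pwdLastSet -ne 0) {
        $age = [DateTime]::FromFileTimeUtc($pwdLastSet) - $u.whenCreated.ToUniversalTime()
        if ($age.TotalMinutes -lt 1) { $problems += 'still on initial password' }
    }

    [pscustomobject]@{
        Account  = $u.sAMAccountName
        Created  = $u.whenCreated
        Problems = ($problems -join '; ')
    }
} | Where-Object Problems | Format-Table -AutoSize
```

Run it after the first export and again periodically; an empty result means every provisioned account matches the worksheet and has had its bootstrap password replaced.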

 

 

FIM to MV attribute planning (to be configured on the FIM MA itself)

FIM attribute   MV attribute     Direction
-------------   --------------   ---------
FirstName       givenName        Import
LastName        sn               Import
DisplayName     displayName      Import
AccountName     sAMAccountName   Import

Whatever names you choose for the MV attributes, use the same names in every worksheet: the MV attribute the FIM MA imports FirstName into here is the one the SharePoint MA exports as FirstName in the MV to SharePoint worksheet below, and the AD sync rule reads it as well.

 

AD to MV attribute planning (to be configured on the AD MA itself)

AD attribute   MV attribute        Direction
------------   -----------------   ---------
dn             distinguishedName   Import
objectSid      objectSid           Import

 

MV to SharePoint attribute planning (to be configured on the SP MA itself)

MV attribute        SharePoint attribute    Direction
-----------------   ---------------------   ---------------------
FirstName           FirstName               Export
LastName            LastName                Export
DisplayName         PreferredName           Export
distinguishedName   SPS-DistinguishedName   Export
objectSid           SID                     Export
(none)              Anchor                  Set by MV extension
(none)              ProfileIdentifier       Set by MV extension
(none)              AccountName             Set by MV extension

 



 

Configure AD:

  1. On the domain controller, create an OU called FIM_Provisioned_Users.
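Creating the OU is the only AD step the post lists. The PowerShell below is an added example, not code from the original post: it creates the OU and, in addition, delegates to the account the AD MA will run as only the rights that provisioning into this OU needs, rather than running the MA as a Domain Admin. The domain contoso.local, the service account name svc-fimsync and the specific delegation are assumptions; the post does not prescribe them.

```powershell
# Added example, not part of the original post. Run from an AD-joined admin
# workstation with the ActiveDirectory RSAT module and dsacls.exe available.
# Domain name, service account name and the delegation itself are assumptions.
Import-Module ActiveDirectory

$domainDn   = (Get-ADDomain).DistinguishedName      # e.g. DC=contoso,DC=local
$ouName     = 'FIM_Provisioned_Users'
$ouDn       = "OU=$ouName,$domainDn"
$svcAccount = 'CONTOSO\svc-fimsync'                 # assumption: the AD MA run-as account

# 1. Create the target OU for FIM-provisioned users (idempotent).
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn -ProtectedFromAccidentalDeletion $true
}

# 2. Least-privilege delegation for the AD MA account on this OU only:
#    CCDC;user  = create/delete child objects of class user (this OU and sub-OUs)
#    GA;;user   = full control on user objects below the OU, so the MA can write
#                 the worksheet attributes and stage deletes
#    CA;Reset Password;user = the extended right the one-time unicodePwd flow needs
dsacls $ouDn /I:T /G "${svcAccount}:CCDC;user"
dsacls $ouDn /I:S /G "${svcAccount}:GA;;user"
dsacls $ouDn /I:S /G "${svcAccount}:CA;Reset Password;user"

# 3. Delta imports on the AD MA use the DirSync control, which requires the
#    Replicating Directory Changes right on the domain naming context.
dsacls $domainDn /G "${svcAccount}:CA;Replicating Directory Changes"

# 4. Show what the account was granted on the OU.
dsacls $ouDn | Select-String -SimpleMatch 'svc-fimsync'
```

Use this account in the "Provide credentials" step of the AD MA. Because its write rights stop at this OU, a bug in a sync rule or a compromised sync server cannot modify accounts anywhere else in the domain.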

 

 

Configure FIM Sync Engine:

Configuring the FIM sync engine is a multistage process that consists of the following substeps. See the corresponding pages below for detailed steps.

  1. Create a FIM MA
  2. Create and configure run profiles for the FIM MA
  3. Create an AD MA
  4. Create and configure run profiles for the AD MA
  5. Run the initial AD MA sync steps



 

Create FIM MA

  1. Provide a name.

  2. Provide database information and credentials.

  3. Select Person under object types.

  4. On the Select Attributes tab, accept the defaults. Click OK.

  5. On the Configure Connector Filter tab, select Person. Click New and specify filters that exclude the FIM Administrator account and the Built-in Synchronization Account, so that neither is projected from FIM into the metaverse and provisioned out to AD or SharePoint.

  6. On the Object Type Mapping tab, add a Person to person mapping.

  7. Configure the Attribute Flow tab. What you are configuring here are the attribute mappings between FIM and the Metaverse; refer to your FIM to MV attribute planning worksheet.

     Note: any attribute you intend to flow out to AD or another connected system must be mapped here in addition to being mapped in the Sync Rules. The Sync Rules control the mapping between the MV and the connected system, but the MV has to get its data from FIM, and these mappings are how the data gets into the MV.

     Last note: do not map the initial-flow attributes (unicodePwd, userAccountControl, dn) here.

  8. Click Next on the remaining tabs and finish creating the connector.

  9. In the FIM Synchronization Service Manager, select the FIM MA. Click the Configure Run Profiles link and configure the run profiles (see Create run profiles for FIM MA).




Create run profiles for FIM MA

 

Create AD MA

  1. Create an Active Directory MA.

  2. Provide credentials on the next tab. Use a dedicated service account that has only the rights provisioning needs, not a Domain Admin account.

  3. Select the domain you wish to synchronize. Click Containers and select the OU you wish to create objects in, i.e. the OU you created earlier.

  4. Click Next on the Provisioning Hierarchy tab.

  5. Select user on the Object Types tab.

  6. On the Select Attributes tab, select the attributes you listed in your worksheets for import from and export to AD.

  7. Leave the Connector Filter and Join/Projection rules at their defaults.

  8. On the Attribute Flow tab, configure the flows from your AD to MV attribute planning worksheet.

  9. On the Deprovisioning tab, select the "Stage a delete on the object for the next export run" option.

  10. Click Next on the remaining tabs and finish.

Create run profiles for AD MA


  1. In the FIM Synchronization Service Manager, select the AD MA. Click the Configure Run Profiles link and configure the run profiles as follows:




 

Run initial AD MA sync steps


  1. Run the Full Import and Full Synchronization run profiles on the AD MA. The full import brings the domain and OU container objects into the AD connector space; provisioning needs them there so that the DN in the sync rule has a parent to be created under.
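These two run profiles can be executed and checked from PowerShell instead of being clicked through in Synchronization Service Manager, which is useful when you repeat the initial steps in a test environment. The script below is an added example, not from the original post; it uses the sync engine's WMI provider (namespace root\MicrosoftIdentityIntegrationServer) and assumes the MA is named "AD MA" and the run profiles are named "Full Import" and "Full Synchronization". Use the names you actually gave them.

```powershell
# Added example, not part of the original post. Run on the FIM Synchronization
# Service server as a member of the FIMSyncAdmins group. The MA name and the
# run profile names below are assumptions.
$ns = 'root\MicrosoftIdentityIntegrationServer'

function Invoke-RunProfile {
    param([string]$MaName, [string]$ProfileName)
    $ma = Get-WmiObject -Namespace $ns -Class MIIS_ManagementAgent -Filter "Name='$MaName'"
    if (-not $ma) { throw "Management agent '$MaName' not found" }
    # Execute blocks until the run finishes and returns the run's result string.
    $result = $ma.Execute($ProfileName).ReturnValue
    # Anything other than 'success' (e.g. 'completed-sync-errors',
    # 'stopped-server-down') means stop and inspect the run before continuing.
    if ($result -ne 'success') { throw "$MaName / $ProfileName returned '$result'" }
    "$MaName / $ProfileName -> $result"
}

# Full Import populates the AD connector space, including the domain and OU
# container objects that provisioned users will be parented under.
Invoke-RunProfile -MaName 'AD MA' -ProfileName 'Full Import'
Invoke-RunProfile -MaName 'AD MA' -ProfileName 'Full Synchronization'

# Verify: the connector space now holds objects (at least the containers), and
# the two most recent runs of this MA completed with status 'success'.
$ma = Get-WmiObject -Namespace $ns -Class MIIS_ManagementAgent -Filter "Name='AD MA'"
"Connector space objects: $($ma.NumCSObjects())"
Get-WmiObject -Namespace $ns -Class MIIS_RunHistory -Filter "MaName='AD MA'" |
    Sort-Object RunStartTime -Descending |
    Select-Object -First 2 RunProfile, RunStatus, RunStartTime
```

Only one run profile executes at a time per management agent; run them in sequence as shown rather than in parallel.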

Configure the FIM Portal

Configuring the FIM Portal is a multistage process that consists of the following substeps. See the corresponding pages below for detailed steps.



  • Create the AD Synchronization Rule
  • Create a workflow
  • Create a management policy rule
  • Sync the initial FIM settings

 

 

Create AD Synchronization rule

The Sync Rule controls the flow of attributes between the MV and AD. Alternatively, the attribute mappings can be configured on the AD MA itself instead of through the FIM Portal; that approach is not covered here.




  1. In the FIM Portal, click the Synchronization Rules link, then click New.

  2. Select the following options:

  3. Configure the Scope tab as follows:

  4. Configure the Relationship tab as follows:

  5. On the Workflow Parameters tab, click Next.

  6. Configure the outbound attribute flow as follows (refer to the FIM to AD sync rule planning worksheet, including the three initial-flow-only attributes):

  7. Leave the Inbound Attribute Flow tab blank and finish the wizard.







 

Create a workflow

A workflow is used here to associate the sync rule with a newly created user.



1. In the FIM portal, click the Workflows link. Click New.



2. Configure the General tab as follows:



 

 

3. Configure the Activities tab as follows:




 

Create an MPR

An MPR makes the connection between the workflow and the set of users it will run against. A workflow by itself only knows what it should do, not against whom; the MPR defines who.




  1. Click the Management Policy Rules link.




  2. Configure the General tab as follows:



 

