ADFS 2.0 Attribute Store for FIM

December 5, 2010 at 11:47 AM Henrik Nilsson

I know, I haven’t been blogging as much as I should, but a lot of work and a whole bunch of interesting development projects have been taking up my time. I’m very pleased I can finally report that one of these projects has reached its first release on CodePlex.

FIM is of course the ultimate source of attributes to issue as claims using ADFS 2.0, since you typically store attributes from all different kinds of connected directories there. Not only will you be able to issue standard attributes; you can also do lookups for groups, sets or roles and publish these as claims, perfect for authorization scenarios.

The footprint on ADFS 2.0 is minimal and it doesn't require more than the usual attribute store configuration. The attribute store also comes with a command-line test client that allows you to get the communication with FIM correct and also enables you to run custom queries against FIM. The test client is pretty much a command-line version of the FIM Query Tool once published by Joe Zamora from Ensynch except it uses the attribute store under the hood that also can be attached directly to ADFS 2.0.

It's currently in Beta so please try it out and report issues to the project page on CodePlex so that I can make it better!

The ADFS 2.0 configuration of the attribute store.

Example output from the Test client.

Posted in: ADFS | Federation | Forefront Identity Manager


PowerShell Activity for FIM

September 4, 2010 at 8:31 AM Henrik Nilsson

Carol (MissMiis) has created a really nice activity for executing PowerShell scripts, both local and remote, and it opens up all kinds of possibilities! Check it out!

Posted in: Forefront Identity Manager | Identity Management | Workflow


I’ve been awarded as MVP on Identity Lifecycle Manager!!!

April 1, 2010 at 6:38 PM Henrik Nilsson

Dear Henrik Nilsson,
Congratulations! We are pleased to present you with the 2010 Microsoft® MVP Award! This award is given to exceptional technical community leaders who actively share their high quality, real world expertise with others. We appreciate your outstanding contributions in Identity Lifecycle Manager technical communities during the past year.


I hoped it would have happened in January, but no email showed up and I had totally given up on the idea that I would be awarded, especially since I have had way too much work lately and haven’t had the time to keep myself active in the community.

I became really surprised today when I found the email from Microsoft… in my junk email folder! :-)

Posted in: Forefront Identity Manager | ILM


Detecting Non-Authoritative Accounts

January 7, 2010 at 12:45 AM Henrik Nilsson

I’m currently working with Markus Vilcinskas on a couple of FIM Experts articles on how to detect non-authoritative accounts. Today we published the first two parts, where the second part also contains an in-depth description of how object state detection works. Enjoy!

Detecting Non-Authoritative Accounts – Part 1: Envisioning

Detecting Non-Authoritative Accounts – Part 2: Design



Posted in: Forefront Identity Manager | Sync Rules | Non-Authoritative Accounts | Object State Detection


FIM 2010: How to let non-admin group owners manage their groups

December 2, 2009 at 6:57 PM Henrik Nilsson

It turns out there are a lot of things that need to be in place before this is made possible…

Usage Keyword

Usage keywords are required for letting non-admin users see portal design elements like the navigation bar and home page resources, and also for letting them use search scopes. The keyword that gives non-admin users access to these objects is BasicUI…

1. Under Administration and Home Page Resources, select “Manage my SG’s” and add the keyword BasicUI as a usage keyword.


2. Go back to Administration and select Navigation Bar Resources. Select the “My SG’s” navigation bar resource and add the BasicUI keyword to this one as well.

3. Go back to Administration again and select Search Scopes. Add BasicUI as a usage keyword to the “My Security Groups” search scope.


There are two MPRs that allow group owners to manage their groups. Both of these are disabled by default.

4. Go back to Administration and into Management Policy Rules. Open and enable these two MPRs:

  • Security group management: Owners can read selected attributes of group resources
  • Security group management: Owners can update and delete groups they own


5. Done!


The usage keyword stuff is poorly documented, but I hope this will help…

Posted in: Forefront Identity Manager | Portal Management


How to load balance FIM

November 23, 2009 at 11:26 AM Henrik Nilsson

Darryl Russi has posted a great article on how to configure more than one instance of the FIM Service.
If you haven’t discovered Darryl’s blog yet, make sure you bookmark it or add a feed subscription!

Service Partitions - Multiple Middle Tiers, Request & Workflow Processing

Posted in: Forefront Identity Manager | Identity Management | Workflow


EnumerateResourcesActivity - the follow-up

November 16, 2009 at 10:13 PM Henrik Nilsson

A couple of months ago Joe Zamora (the CShark) was trying to solve the mysteries around the EnumerateResourcesActivity, a great activity that you can use from your own custom activities/workflows but not from the FIM workflow designer; read Joe’s post here. After a lot of work, some help from Nima in the product team and a couple of not-that-useful tips from me, Joe got it working. See the forum post where Joe and I were trying to accomplish this here.

The EnumerateResourcesActivity is the only activity that can search for and return resources in FIM, and it does so simply by you giving it an XPath query. It’s a really nice activity, except that it has limitations: it can only contain a single child activity (not strange at all, the same goes for the ReplicatorActivity), and its designer doesn’t allow adding the child activity declaratively, so you’re forced to add the single child in code. The EnumerateResourcesActivity works pretty much like the ReplicatorActivity in that it iterates over a bunch of values, only in the case of the EnumerateResourcesActivity it finds the values (resources) before iterating over them. An important aspect of workflow crafting is that an activity can’t be executed twice; the EnumerateResourcesActivity handles that by creating duplicates of the child activity object (and the descendants of the child activity) for each iteration before the iteration starts, so you can’t use the original activity object references to get at the activities within the iterations.

Joe used a CodeActivity as the single child, but the solution I’m going to show you uses a SequenceActivity instead, making it possible to add more than a single activity, because you will probably want to do work suited to other activities, like adding a user to the group you have found or something like that.

I won’t go through all the stuff around activity crafting; for that you’ll have to turn to the Windows Workflow Foundation developer center, the Forefront Identity Manager 2010 Developer Reference or maybe the oracle scrapheaps named Google and Bing. First of all we need some code in the designer part of our custom Activity class (a custom activity is usually created from two partial classes when you create it in Visual Studio). In the InitializeComponent method I create an EnumerateResourcesActivity, add a SequenceActivity to it, and to the SequenceActivity I add a CodeActivity, but I leave it to you to add more child activities to the SequenceActivity after the CodeActivity. Finally I add the EnumerateResourcesActivity to the custom activity I’m currently creating:

private void InitializeComponent()
{
    this.CanModifyActivities = true;

    // codeActivity
    this.codeActivity = new CodeActivity();
    this.codeActivity.ExecuteCode += new System.EventHandler(this.codeActivity_ExecuteCode);

    // sequenceActivity - the CodeActivity goes in first; add your own activities after it
    this.sequenceActivity = new SequenceActivity();
    this.sequenceActivity.Activities.Add(this.codeActivity);

    // enumResourcesActivity - the SequenceActivity is the single child it allows
    this.enumResourcesActivity = new Microsoft.ResourceManagement.Workflow.Activities.EnumerateResourcesActivity();
    this.enumResourcesActivity.PageSize = 100;
    this.enumResourcesActivity.XPathFilter = "/Person";
    this.enumResourcesActivity.Activities.Add(this.sequenceActivity);

    // MyCustomActivity
    this.Name = "MyCustomActivity";
    this.Activities.Add(this.enumResourcesActivity);

    this.CanModifyActivities = false;
}

Did you notice the XPathFilter property of the EnumerateResourcesActivity, which I’ve set to return all Person objects? You might think it’s strange that I add a CodeActivity as the only child of the SequenceActivity, but I use it to get the resource for the current iteration, and it also gives you a method in which you can assign values to sibling activities further down the execution chain, which I leave up to you to add.

Here’s how I extract the value from the EnumerateResourcesActivity:

void codeActivity_ExecuteCode(object sender, EventArgs e)
{
    // sender is the CodeActivity clone of this iteration; its Parent is the cloned SequenceActivity
    SequenceActivity s = (SequenceActivity)((CodeActivity)sender).Parent;
    ResourceType resource = EnumerateResourcesActivity.GetCurrentIterationItem(s) as ResourceType;

    // Perform initialization of any sibling activities here but remember you must reference
    // them as I’ve done above with the SequenceActivity
    // and a good way of doing it could be for example...
    // UpdateResourceActivity u = s.Activities.OfType<UpdateResourceActivity>().First();
    // or other generic “queries”.
}

First of all we need to get the SequenceActivity of the current iteration, and since we know it’s the parent of the CodeActivity we can read the Parent property of the current CodeActivity instance, which we get from the sender parameter. Then we call the static GetCurrentIterationItem method, passing in the SequenceActivity instance, and this returns the resource for the current iteration.

Next I leave it up to you to use the values of the found resources to do whatever you wish; that could be, for example, updating the resources found, deleting them, or creating new resources from whatever values the found resources contain.
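As an added, complete example of the pattern described above (this is not code from the original post, nor Joe’s), here is a custom activity that puts a SequenceActivity with a CodeActivity and an UpdateResourceActivity under the enumerator, so every Person found gets updated from inside the iteration. The class name StampPersonsActivity, the attribute "Description" and the value written to it are made up for illustration, and the UpdateResourceActivity members (ResourceId, ActorId, UpdateParameters), the UpdateRequestParameter constructor and ResourceType.ObjectID.GetGuid() are used as I remember them from the FIM 2010 developer reference; verify them against the reference for your build. The ActorId is exposed as a dependency property because FIM authorizes the update as that actor, so you can point it at an account whose MPRs grant exactly this change.

```csharp
using System;
using System.Linq;
using System.Workflow.Activities;
using System.Workflow.ComponentModel;
using Microsoft.ResourceManagement.WebServices.WSResourceManagement;
using Microsoft.ResourceManagement.Workflow.Activities;

// Added example (not from the original post): an EnumerateResourcesActivity wrapping a
// SequenceActivity that holds a CodeActivity plus an UpdateResourceActivity.
// StampPersonsActivity, "Description" and the stamped value are illustrative names only.
public partial class StampPersonsActivity : SequenceActivity
{
    private EnumerateResourcesActivity enumResourcesActivity;
    private SequenceActivity sequenceActivity;
    private CodeActivity codeActivity;
    private UpdateResourceActivity updateResourceActivity;

    // Whose rights the updates run under. Use an account the MPRs grant this change and nothing more.
    public static DependencyProperty ActorIdProperty =
        DependencyProperty.Register("ActorId", typeof(Guid), typeof(StampPersonsActivity));

    public Guid ActorId
    {
        get { return (Guid)GetValue(ActorIdProperty); }
        set { SetValue(ActorIdProperty, value); }
    }

    public StampPersonsActivity()
    {
        InitializeComponent();
    }

    private void InitializeComponent()
    {
        CanModifyActivities = true;

        codeActivity = new CodeActivity { Name = "codeActivity" };
        codeActivity.ExecuteCode += codeActivity_ExecuteCode;

        updateResourceActivity = new UpdateResourceActivity { Name = "updateResourceActivity" };

        // The SequenceActivity is the one child the enumerator accepts; it can hold many.
        sequenceActivity = new SequenceActivity { Name = "sequenceActivity" };
        sequenceActivity.Activities.Add(codeActivity);
        sequenceActivity.Activities.Add(updateResourceActivity);

        enumResourcesActivity = new EnumerateResourcesActivity
        {
            Name = "enumResourcesActivity",
            PageSize = 100,
            XPathFilter = "/Person"   // same query as in the post
        };
        enumResourcesActivity.Activities.Add(sequenceActivity);

        Name = "StampPersonsActivity";
        Activities.Add(enumResourcesActivity);

        CanModifyActivities = false;
    }

    private void codeActivity_ExecuteCode(object sender, EventArgs e)
    {
        // sender is the CodeActivity clone for this iteration. Its parent is the cloned
        // SequenceActivity, which is what GetCurrentIterationItem needs; the fields above
        // still point at the originals, which never execute inside the loop.
        SequenceActivity s = (SequenceActivity)((CodeActivity)sender).Parent;
        ResourceType resource = EnumerateResourcesActivity.GetCurrentIterationItem(s) as ResourceType;
        if (resource == null)
        {
            return;
        }

        // Find the sibling UpdateResourceActivity inside the same clone and parameterize it.
        UpdateResourceActivity u = s.Activities.OfType<UpdateResourceActivity>().First();
        u.ResourceId = resource.ObjectID.GetGuid();
        u.ActorId = ActorId;
        u.UpdateParameters = new UpdateRequestParameter[]
        {
            new UpdateRequestParameter("Description", UpdateMode.Modify, "Stamped by StampPersonsActivity")
        };
    }
}
```

The handler does nothing but configure the sibling that runs next in the same SequenceActivity clone; it never touches the updateResourceActivity field, which is the template the enumerator copies and not the instance that executes.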

Posted in: Forefront Identity Manager | Identity Management | Workflow


Working with RCDC’s in Visual Studio

November 14, 2009 at 2:14 PM Henrik Nilsson

Not all of you out there know that Visual Studio is a great tool for editing XML, and that goes for Resource Control Display Configurations as well. If you’re using Notepad for editing RCDCs you should definitely rethink what you’re doing, because wouldn’t it be nice to have Intellisense, schema validation while you type, and a lot of other nice features?

In order to accomplish this you need the schema for RCDCs, which can be found as Appendix A in the Resource Control Display Configuration XML Reference. I’ve prepared the schema so that it’s ready for use in Visual Studio; download it here.

Before you start editing an RCDC, make sure you have read and understood the Introduction to Resource Control Display Configurations and the Resource Control Display Configuration XML Reference.

How to create the XML schema file RCDCSchema.xsd (unless you have downloaded it here):

  1. Open Visual Studio and choose to create a new file from the file menu, select XML Schema and click open.
  2. Remove everything from the new file except the top row:
    <?xml version="1.0" encoding="utf-8"?>
  3. Paste in the contents from the Appendix A in the Resource Control Display Configuration XML Reference.
  4. Save the file as RCDCSchema.xsd in the location of your choice.

How to edit an existing RCDC:

  1. In the portal, go to Administration/Resource Control Display Configuration.
  2. Open the RCDC of your choice.
  3. Click the “Click here to view the value of this attribute” link above the file upload control for the Configuration Data attribute and a new window opens and shows the XML for the RCDC.
  4. Save the page with a .xml file extension in a place of your choice.
  5. Open the file with Visual Studio.
  6. In the properties for the document there’s a Schemas property. Click the button with the ellipsis within the value field for this property and a dialog with available schemas shows up.
  7. Click the Add button, browse and select the RCDCSchema.xsd file.
  8. Click Ok to close the schemas dialog.
  9. If you have done everything correctly you’ll now be able to edit your RCDC XML file with Intellisense and schema validation.


How to upload a finished RCDC:

  1. In the portal, go to Administration/Resource Control Display Configuration.
  2. Open the RCDC of your choice.
  3. Click the Browse button in the file upload control for the Configuration Data attribute and select the file you have edited in Visual Studio.
  4. Close the RCDC page by clicking the ok button.

How to improve the schema

Unfortunately the schema isn’t perfect. I would really like the available options for the different attributes to be present in the schema, so that you could select, for example, the value “UocTextBox” for the my:TypeName attribute; this would make editing even simpler and less error-prone. Is there anyone out there who has the time and interest to take this schema a bit further?

What I mean is for example if we add the following type definition to the schema (not complete):

<xsd:simpleType name="controlTypes">
   <xsd:restriction base="xsd:token">
      <xsd:enumeration value="UocTextBox"/>
      <xsd:enumeration value="UocFileUpload"/>
      <xsd:enumeration value="UocPictureBox"/>
      <xsd:enumeration value="UocDropDownList"/>
   </xsd:restriction>
</xsd:simpleType>


…and map this type to the my:TypeName attribute like this:

<xsd:attribute name="TypeName" type="my:controlTypes"/>


…we could easily use Intellisense for selecting a value for the my:TypeName attribute like this:

A known issue with the schema
A while ago I was helping out on the forum (this thread) and, as I hope you all know, XML is case-sensitive. Usually boolean values are entered in lower case, but in the RCDC schema some attributes, for example the Required attribute, require you to enter the boolean value with an initial capital letter, and improving the schema could help many avoid this problem.
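To show what the enumeration idea and the capitalized-boolean point above buy you outside Visual Studio, here is an added example (not from the original post and not the real RCDC schema) that validates a small RCDC-like fragment against a constructed mini-schema with System.Xml.Schema. The namespace urn:example:rcdc-mini, the ObjectControl/Control element names and the two fragments are made up for this example; only the controlTypes enumeration mirrors the snippet in the post, and the capitalBoolean type encodes the Required attribute’s True/False requirement the way an improved schema could.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Xml;
using System.Xml.Schema;

// Added example, not from the original post: schema-validate an RCDC-like fragment so that
// a wrong control type name or a lower-case boolean is reported instead of failing in the portal.
public static class RcdcSchemaCheck
{
    const string RcdcNamespace = "urn:example:rcdc-mini";   // constructed, not the real RCDC namespace

    // Constructed mini-schema; single-quoted XML attributes keep the verbatim string readable.
    const string Schema = @"<?xml version='1.0' encoding='utf-8'?>
<xsd:schema xmlns:xsd='http://www.w3.org/2001/XMLSchema'
            xmlns:my='urn:example:rcdc-mini'
            targetNamespace='urn:example:rcdc-mini'
            elementFormDefault='qualified'
            attributeFormDefault='qualified'>
  <xsd:simpleType name='controlTypes'>
    <xsd:restriction base='xsd:token'>
      <xsd:enumeration value='UocTextBox'/>
      <xsd:enumeration value='UocFileUpload'/>
      <xsd:enumeration value='UocPictureBox'/>
      <xsd:enumeration value='UocDropDownList'/>
    </xsd:restriction>
  </xsd:simpleType>
  <!-- The RCDC wants True/False with a capital letter, so the schema says so explicitly -->
  <xsd:simpleType name='capitalBoolean'>
    <xsd:restriction base='xsd:token'>
      <xsd:enumeration value='True'/>
      <xsd:enumeration value='False'/>
    </xsd:restriction>
  </xsd:simpleType>
  <xsd:element name='ObjectControl'>
    <xsd:complexType>
      <xsd:sequence>
        <xsd:element name='Control' maxOccurs='unbounded'>
          <xsd:complexType>
            <xsd:attribute name='Name' type='xsd:string' use='required'/>
            <xsd:attribute name='TypeName' type='my:controlTypes' use='required'/>
            <xsd:attribute name='Required' type='my:capitalBoolean'/>
          </xsd:complexType>
        </xsd:element>
      </xsd:sequence>
    </xsd:complexType>
  </xsd:element>
</xsd:schema>";

    // Returns every schema violation found; an empty list means the fragment is valid.
    public static List<string> Validate(string rcdcXml)
    {
        var errors = new List<string>();
        var schemas = new XmlSchemaSet();
        schemas.Add(RcdcNamespace, XmlReader.Create(new StringReader(Schema)));

        var settings = new XmlReaderSettings();
        settings.ValidationType = ValidationType.Schema;
        settings.Schemas = schemas;
        settings.ValidationEventHandler += (sender, e) => errors.Add(e.Message);

        using (var reader = XmlReader.Create(new StringReader(rcdcXml), settings))
        {
            while (reader.Read()) { }   // reading the document is what drives validation
        }
        return errors;
    }

    public static void Main()
    {
        // Constructed fragments: one correct, one with the two mistakes described in the post
        // (wrong case in the control type name, lower-case boolean in Required).
        const string good =
            "<my:ObjectControl xmlns:my='urn:example:rcdc-mini'>" +
            "<my:Control my:Name='DisplayName' my:TypeName='UocTextBox' my:Required='True'/>" +
            "</my:ObjectControl>";
        const string bad =
            "<my:ObjectControl xmlns:my='urn:example:rcdc-mini'>" +
            "<my:Control my:Name='DisplayName' my:TypeName='UocTextbox' my:Required='true'/>" +
            "</my:ObjectControl>";

        foreach (var sample in new[] { new { Label = "good", Xml = good }, new { Label = "bad", Xml = bad } })
        {
            List<string> errors = Validate(sample.Xml);
            Console.WriteLine("{0}: {1} error(s)", sample.Label, errors.Count);
            foreach (string err in errors)
            {
                Console.WriteLine("  " + err);
            }
        }
    }
}
```

The good fragment validates cleanly; the bad one is rejected for both attributes, which is exactly the feedback Visual Studio would give as you type once the real schema carries the same enumerations.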

For more info on the XML Tools in Visual Studio go here

Posted in: Forefront Identity Manager | RCDC


To be or not to be – AppStored

October 16, 2009 at 8:25 AM Henrik Nilsson

I’ve had a long discussion with Markus Vilcinskas on the FIM Forum on a thread started by Carol Wapshere maybe better known as MissMiis on the subject ”Selective provisioning to FIM”.

Carol wanted a way of bringing only a subset of users into the FIM AppStore, and I really understand why: the reasons could be to save money on CALs - 30.000 users * 25$ = 750.000$ - or maybe you already have perfectly working legacy sync rules.

Think before you try to do this: the best practice is that the AppStore should be a mirror of the Metaverse, except of course for the resource types that live exclusively in the AppStore.

My first idea was that it could be fairly simple to filter out users from the AppStore using the filter you can find in the declarative input sync rule, but that was not a good idea at all: if you have 32.000 resources and you filter out 30.000 of these, all of the filtered resources will be hit during sync since they’re disconnectors. This is bad!

I also must admit I had a silly belief that leaving the “Create Resource in FIM” checkbox unchecked would still project resources into the Metaverse; I was all wrong, and for that I’ve promised to wear a silly hat all day.


So how should it be done then?
The best practice is to bring all your objects into the AppStore, but you could bring objects you don’t want to manage in the AppStore into the Metaverse as separate object types using legacy rules. Remember, though, that you won’t get the management of unique identifiers, and group management might become a nightmare, so think before you plan on not bringing all your objects into the AppStore!

Posted in: Forefront Identity Manager | Identity Management | Sync Rules


Welcome Paolo

October 7, 2009 at 12:59 PM Henrik Nilsson

A new blog has shown up in the FIM 2010 sphere: Paolo Tedesco at the European Organization for Nuclear Research, CERN near Geneva (the ones with the Large Hadron Collider), has started a blog about their work with identity management. So far Paolo has made a couple of interesting posts on the FIM 2010 Web Service Client; maybe we’ll see other content as well in the future!?

You can find the blog here:
Identity Management at CERN

Posted in: Forefront Identity Manager | Identity Management | Web Services