FIM 2010 RC1 Breaking change, DesignerHostProvider :-(

October 4, 2009 at 1:20 PMHenrik Nilsson

In my activities I’ve been using the ProcessParameterPicker extensively, a control that show’s a button with the text “Lookup” and when clicked you would have the possibility to select from different available attributes.

In RC0 this control was available by calling base.DesignerHostProvider.CreateParameterPickerControl() from a class that inherited ActivitySettingsPart since the DesignerHostProvider property was protected, with other words available from inherited classes.

designerHostProvider RC0

In RC1 the Product Team don’t want us too use the ProcessParameterPicker control from custom activities anymore so they’ve made it internal. This made all my activities useless in RC1 unless the ProcessParameterPicker is removed from the code.

designerHostProvider RC1

Another breaking change is that the Microsoft.IdentityManagement.WebBase.dll has been removed and what it used to contain has been moved to Microsoft.IdentityManagement.WFExtensionInterfaces.dll but this is simply solved by removing the reference to Microsoft.IdentityManagement.WebBase.dll and updating the reference to Microsoft.IdentityManagement.WFExtensionInterfaces.dll.

Currently I’m waiting for the VHD to be released before I’ll update my library for RC1 and we’ll see how I’ll be able to handle the ProcessParameterPicker…

They’ve also forgotten to update the SDK with this change.
(On the “Using Custom Activities in FIM” page, ActivitySettingsPart):

I’ve added a request to the make the ProcessParameterPicker available again because I don’t see the reason why this has been taken away for custom activities:

Update 2009-10-05: Microsoft have chosen to make the ProcessParameterPicker internal with this explanation...

As part of the changes between RC0 and RC1 we locked down the vast majority of our classes, including the class that you identified here, as a best practice of exposing only supported interfaces publically.

Posted in: Forefront Identity Manager | Workflow


FIM 2010 RC1 is out!!!

September 30, 2009 at 8:18 PMHenrik Nilsson

Download it here
A VHD will be available in 7-10 days at the same location…

Documentation could be found at the Connect site.

  • RC1 Release Notes
  • RC1 Installation Guide
  • RC1 SDK

Edit 2009-10-03: Documentation could now be found at

Posted in: Forefront Identity Manager


Updated web service client samples

September 29, 2009 at 10:54 PMHenrik Nilsson


The IDA Guys have posted a new FIM 2010 RC1 ready version of the web service client sample applications to:

Identity Management Extensibility Samples

Edit 2009-09-30: There's another update today!

Posted in: Forefront Identity Manager | Web Services


Codeless Provisioning Sync Rules – The Patent

September 21, 2009 at 8:28 PMHenrik Nilsson

Want to learn codeless provisioning the FIM 2010 way? Have a look at:

Register and you’re able to download the patent as pdf with pictures.

Posted in: Forefront Identity Manager | Sync Functions | Workflow

Tags: ,

The need for custom FIM 2010 sync rule functions

September 20, 2009 at 2:32 PMHenrik Nilsson

All of you that have been working with the ILM”2”/FIM 2010 sync rules have found the functions and custom expressions in sync rules and in the Function Activity (Ok, the Function Activity wasn’t very useful but there was a workaround, see Cortego Update Value Activity, this bug will be fixed in RC1) extremely helpful for extracting and formatting attributes or evaluation but most of you have also realized the functions are limited and in many cases you have to fall back on custom workflow activities or legacy flow rules for this.

For those of you out there that aren’t familiar with the functions and custom expressions could have a look at these excellent blog posts for more info:

During the session What’s New in FIM 2010 RC1 held by Mark Wahl at TEC 2009 Europe in Berlin we were told that custom functions wont make it to RTM but during the FIM 2010 Chalktalk session I called out for this to be added as soon as possible and I got strong support for this by Markus Vilcinskas (Thanks Markus!!!). The not perfect but positive answer I got was that this might end up in a future Feature Pack that the product team already seems to be planning and these Feature Packs might even be pushed out using Windows Update.

So why is this something I find so important?

The functions are simple and powerful but the available functions in RC0 are limited, maybe they’ll add more functions within RC1 but it wont be enough for all possible cases you’ll get into. Those of you that have had a look at my Activity Library could see that Normalize Diacritic Characters Activity, Regex Replace Activity and Generate Password Activity would make more sense as function calls but except for the Regex Activity they probably wouldn’t be suitable as a built in functions. The remaining two activities in my library, Unique Name Activity and LDAP Search Activity (the Update Value Activity will be removed from RC1 since the Function Activity included in FIM will be able to update values from RC1) would probably not be suitable as functions since they call out for external information.

Having a look at some of the functions found in the common .Net objects and compare this to what is available in RC0 you probably understand what I mean:

  • Conversion functions – For example converting accountExpires, lastLogonTimeStamp and pwdLastSet to and from Int64.
  • IndexOf or Contains - To find out if a string is contained and where, without this the included Mid function isn’t useful unless you’re absolutely certain your attribute has an exact format.
  • Len - To be able to find out the length of a string, useful to find out if for example the userAccountName attribute is longer than the allowed 20 characters in AD.
  • StartsWith, EndsWith - similar to IndexOf and Contains but could be easier to use in some cases.
  • Format - I just love this function on the .Net string object and I think it could be really useful even thought I understand it could be hard implementing a user interface for because it takes any number of input values.
  • Now – Date function to get the current date and time.
  • AddDays, AddHours, etc – System.DateTime functions for decreasing and increasing date and time values perfect for setting ExpirationTime attribute.
  • DayOfWeek, DaysInMonth, IsLeapYear, etc. – Other date time functions that could be useful in some cases.
  • Any more advanced function you might be in need of as long it’s kept simple and static.

If you have an idea of your own of what could maybe be implemented as function please add a comment to this blog post.

Am I alone in this wish?

I don’t think so, if you have a closer look at the feedback session at the ILM”2” connect site (you must have a connect account for access) or the ILM”2” forum at TechNet you’ll find a lot of request for this and cases where this could have helped out.

With custom functions FIM 2010 will be a lot more complete product!

What's the problem then?

If you have a look at Administration/All Resources in the portal you’ll see there’s already an object type called Function and when having a closer look at any of the functions you can see there’s a referenced dll and namespace, pretty much like with workflows so I believe custom functions are already prepared for unless this is for presenting functions in the UI only but then the reference to namespace and dll would be unnecessary. Personally I think the product team found out it was going to be hard to evaluate and execute function calls not to mention the possibility for abuse if they were allowing for custom functions since the function calls are executed on behalf of the sync engine.

Functions from within the portal

Having a deeper look at the bits and pieces of the current implementation the available functions together with the code for evaluating and executing the functions are implemented in the FunctionLibrary.dll, the dll referenced from the portal. Inside the FunctionLibrary.dll there is a class named AttributeFlowMappingHandler that derives from the interface IMASyncRuleCallout that is a part of the Microsoft.MetadirectoryServicesEx.dll – the same library you reference when creating MV and MA extensions! This is interesting because then there’s already an extension point from within the sync engine to a custom function library but unfortunately that’s not enough unless you wish to disassemble the FunctionLibrary.dll and make your own additions to it and then replacing the original one but that’s nothing I recommend even thought you’re an experienced developer and I’m not sure it would work anyway. What we need is a simple extension point, like for workflow activities where we reference our function library (the functions only), maybe evaluation code for each function and documentation.


If you agree with me on this you’re welcome to join the struggle! You could for example make a comment on this blog post, make a post on your own blog, talk to any FIM 2010 team members you might know or meet, post a feedback to the connect website (Feedback is still open) or why not all of the alternatives! :-)

Posted in: Forefront Identity Manager | Identity Management | Sync Functions


I'm back!

September 18, 2009 at 8:50 AMHenrik Nilsson

After a lot of struggling with ILM"2" RC0 in the beginning of the summer that has way too much problems I decided to take a break, vacation and other work conveniently came in the way. I've just attended TEC 2009 (Kudos to Quest and all the presenters for a great conference) and that really inspired me to get going again and right now I'm impatiently waiting for RC1 that should be a lot more stable release. According to Microsoft RC1 will be released 30/9.

What got me going again I think was the TEC presentations around auditing (thanks to Gil Kirkpatrick, Quest and Tomasz Onyszko, Microsoft Poland) and RBAC (thanks to Jan Macherzyński, Microsoft Poland) on FIM2010 and hopefully I'll get the time to try it out in depth and maybe even have the opportunity to blog about it.

About the Cortego Workflow Activity Library it's on hold until RC1 is released then I'll port it to reflect any changes in RC1, fix some bugs and unless there’s added support for managing multi-value attributes in the sync-rules I'll add an “update multi-value activity” that’s already working for RC0 but not yet released but if anyone out there really needs a way to manage multi-value attributes right now, drop me a message and I'll send you the code.

About RC1 there are a lot of changes and here are a couple of things changed (thanks to Mark Wahl for the TEC presentation)

  • New database structure(This has been known for months).
  • OVC’s are now RCDC (Can’t remember what RCDC stands for).
  • There will be a MPR explorer in order to simplify the search of and finding out what any MPR was created to do.
  • You’ll be able to disable MPR’s
  • There will be PowerShell configuration migration tools, not only for extracting and writing configuration but also for merging extracted configurations from different environments.
  • Health parameters for MOM and SCOM.
  • Patching of FIM 2010 over Windows Update.
  • MPR’s for password reset out of the box (only they’re disabled).
  • A lot of changes to historic data. I’ve understood that except for the already known changes in the XPath dialect the historic requests won’t be stored forever and how long time they’re supposed to be stored might be configurable. I was told more details around this might be found on Nima’s Blog after the release.
  • More control over workflows from application configuration (Unfortunately I don’t remember the details around this).
  • The EnumerateResourceIterationActivity and the ScriptHostActivity are gone but a new Requestor validation activity is added for group self service scenarios.

Posted in: Forefront Identity Manager | Identity Management

Tags: , ,

Introduction to WF 4.0 webcast

May 19, 2009 at 5:48 PMHenrik Nilsson

My former collegue and Biztalk MVP Alan Smith have posted the first in a series of webcasts about Workflow Foundation 4.0 that I believe will be the version we'll see in the final version of Forefront Identity Manager 2010.

Visit Alan's blog or go directly to where Alan publishes his webcasts and more...

Posted in: Forefront Identity Manager | Workflow

Tags: ,

Using the Normalize Diacritic Characters Activity

May 11, 2009 at 10:13 AMHenrik Nilsson

I got a comment from Joe Stepongzi today and he didn’t like my Normalize Diacritic Characters Activity that is a part of my Cortego ILM 2 Workflow Activity Library:

I am not sure I like the Normalize Diacritic Characters Activity..
As certain values could be changed to multiple characters instead of one..
I think email addresses should be done at the source and not handled in ILM "2"

The use of the Normalize Diacritic Characters Activity is to normalize characters with different kinds of diacritics into pure characters or how I should define it? The main reason I've created this activity is that I'm from Sweden and must handle "ÅÄÖ" but I'm also working for a company that has a lot of employees in the eastern European countries and that is a nightmare when trying to create for example email addresses. This could be hard to understand for Britain’s and Americans since English is a language where diacritics are sparsely used and this wouldn't have been a problem if the Americans would have understood from the beginning there are other languages than English and a need for other standards than ASCII. Here are a couple of examples of what could be accomplished (I do hope your browser supports Unicode otherwise you'll probably see a lot of boxes):

As you see the activity is only normalizing diacritics by removing any Unicode spacing marks and this is how it works code wise using the System.Globalization namespace for normalization of diacritics:

public static string NormalizeDiacriticChars(string input)
   string formD = input.Normalize(NormalizationForm.FormD);
   StringBuilder sb = new StringBuilder();
   for (int i = 0; i < formD.Length; i++)
      UnicodeCategory uc = CharUnicodeInfo.GetUnicodeCategory(formD[i]);
      if (uc != UnicodeCategory.NonSpacingMark)
   return (sb.ToString().Normalize(NormalizationForm.FormC));

First of all the input string is normalized into Form D that decomposes characters in this way:

  • å –> aRing
  • Ё –> E + Umlaut
  • æ –> a + e (Used in Danish, Norwegian and old English more)
  • –>  ++ (Hangul letter used in Korea)

Then all characters defined as Unicode spacing marks are removed and in the example above the ring and the dots (umlaut) are removed. Finally the remaining string is normalized into Form C, composing characters back, for example:

  • a -> a (The ring is already removed)
  • E -> E (The umlaut is already removed)
  • a + e –> æ (Note: if the original input would have been “ae” it would not become “æ”)
  • + + –>

Normalizing a eastern European name like "Lāčkāja Lapiņš" would end up as "Lackaja Lapins" and a typical Swedish name like "Åsa Öberg" would end up as "Asa Oberg", a lot easier to handle for creating different kind of names and also widely accepted in the countries where diacritic characters are used.

As you can see, characters are not as Joe thought changed into multiple characters but he do have a point in that for example email addresses should be handled at the source and not in ILM2/FIM2010... But if you would like accounts and mailboxes to be automatically created from for example an HR system, one of the best practices of Identity Management... You might be forced to create the email addresses and other system names following your naming standards unless you trust your HR personnel having full control over all existing email addresses and names. It’s up to you to make sure input characters are valid but by using this activity you don’t have to worry about macrons, curls, dots, accents and so on but as you can see the  and æ characters is not changed or removed so they would still a be problem when creating email addresses.

A solution to make sure you get valid strings after normalization could be to use my Regex Replace Activity to remove or replace any remaining characters that isn’t valid in the context you’re using it. In order to get unique names or email addresses you could use my Unique Name Activity. Both these activities is contained in the Cortego ILM 2 Workflow Activity Library. The pattern "[^a-zA-Z0-9\s]" could be used in the Regex Replace Activity to find and remove or replace all characters that is not within a-z, A-Z, 0-9 and whitespace characters.  

If you would like to know more about Unicode Normalization this is a great guide: Unicode Normalization Forms. If you would like to know how different characters from different scripts including Cyrillic, Greek, Latin, Thai, Katakana, and so on are composed/decomposed you could have a look at these Normalization Charts. A description of different kinds of diacritics could be found at Diacritic - Wikipedia.

Finally, do you trust your HR personnel or do you have a Catbert at your company? Laughing

Posted in: Workflow | Forefront Identity Manager

Tags: , , , , ,

Cool feature using the RegexReplaceActivity

April 30, 2009 at 1:28 PMHenrik Nilsson

The RegexReplaceActivity that is introduced in the Cortego ILM 2 Workflow Activity Library is using the Regex class of System.Text.RegularExpressions namespace and by using the Replacement parameter of the Replace function we could actually do some real cool stuff. The Replacement parameter of the Replace function is translated into the Replacement property of the RegexReplaceActivity and there is no requirement the Replacement parameter must contain a plain text, it could in fact contain a replacement pattern as well and here is an example taken from the MSDN - Regular Expressions Examples used to change the format of dates. Please notice it's just an example, you're the one that must know how actual values are formatted and I don't know if using the EmployeeEndDate attribute with this example is appropriate.

Replace dates of the form mm/dd/yy with dates of the form dd-mm-yy.

Input value (from Expression): 04/30/09 or 04/30/2009 (there's a 2 to 4 characters quantifier for year in the Regex Pattern)
RegEx Pattern: \b(?<month>\d{1,2})/(?<day>\d{1,2})/(?<year>\d{2,4})\b
Replacement: ${day}-${month}-${year} 

Regex Replace MDYToDMY  

Output value (Destination expression): 30-04-09 or 30-04-2009 – isn’t that cooljQuery15207980085869857615_1318365216111?
What happens is that the input data is captured into variables that are then used to format a new value.

Realize what you could do with this, you could in fact simply extract parts from or format input data to what ever you like!
A good source for more info about regular Expressions is .NET Framework Regular Expressions.

Posted in: Forefront Identity Manager | Workflow

Tags: , , ,

How to use EnumerateResourcesActivity in RC0

April 29, 2009 at 6:56 AMHenrik Nilsson

I have been working with Joe Zamora by mail contact and this forum thread to try and find out how the EnumerateResourcesActivity that comes with ILM2 RC0 work and yesterday Joe managed to get it working with some additional help from Nima in the product team.

It is really great we have got some info about this activity and now know how it works since it could be used to find resources within ILM from workflows without having to use the WS client. My first use of this will be to extend my UniqueName Activity to be able to search the ILM DB for free names.

Here's Joe's blog post about it, check it out!!!
How to use EnumerateResourcesActivity in RC0

Posted in: Workflow | Forefront Identity Manager

Tags: , ,