The Ultimate FIM File Connector

May 15, 2012 at 12:37 AM, Henrik Nilsson

It’s available on CodePlex now - FIM Ultimate File Connector


  • Just the basic File Connector supporting the following OOB file formats:
      • Attribute Value Pair (AVP)
      • Directory Services Markup Language (DSML)
      • LDAP Data Interchange Format (LDIF)
  • …but with the following extra functionality:
      • Full Export, which before ECMA had to be handled externally from FIM/ILM/MIIS
      • Files can be managed at FTP, FTPS, SFTP, SCP and file system locations (remote from the Extensions folder)
      • Files can be compressed/extracted with or without encryption/decryption
      • Substitution of date and time values in file names

I would love all possible input: suggestions on how it could get better, ideas for new functionality, but also the bad things, otherwise how can I make it better…

Go check it out: FIM Ultimate File Connector

Posted in: Connector | FIM 2010 R2 | Identity Management


Role Management in FIM?

September 23, 2011 at 4:38 PM, Henrik Nilsson

It was announced today that Microsoft acquires “certain assets” of the BHold company, but the roadmap isn’t clear yet.
Unaware of all of BHold’s products, I guess it’s BHold’s Role Management pieces Microsoft lays their hands on, or at least I hope it is…

Read more here:
Microsoft’s “Pathway”
Kuppinger Cole’s announcement

I wonder what this means for Omada? Or as Ian Glazer (Gartner) says:
If you get acquired by Microsoft (or Quest), you win! If you don’t get acquired, you lose and the risk to your market increases.
BHOLD wins the Microsoft IAG lottery

Posted in: Forefront Identity Manager | FIM 2010 R2 | Identity Management


MCT and FIM Courses in Sweden

January 3, 2011 at 9:29 PM, Henrik Nilsson

I’m proud to announce I’m now a Microsoft Certified Trainer, and this spring I’ll hold the 4-day Implementing Forefront Identity Manager 2010 course at Cornerstone in Stockholm, Gothenburg and Malmö (in Swedish). If you’re interested in attending the course, go ahead and visit Cornerstone, and don’t be confused: Cornerstone calls the course T207.


These are the preliminary course dates:

  • 22-25 February in Malmö
  • 15-18 March in Stockholm
  • 5-8 April in Gothenburg
  • 3-6 May in Stockholm

Posted in: Forefront Identity Manager | Identity Management


SQL Server 2008 R2 is supported for FIM

December 9, 2010 at 2:33 PM, Henrik Nilsson

A little bird whispered in my ear that SQL Server 2008 R2 is supported for FIM 2010 as of yesterday. There is still no update of the Hardware and Software Requirements and nothing about an update for making the installer work, but hopefully we’ll hear about it soon.

Posted in: Forefront Identity Manager | Identity Management


PowerShell Activity for FIM

September 4, 2010 at 8:31 AM, Henrik Nilsson

Carol (MissMiis) has created a really nice activity for executing PowerShell scripts, both local and remote, and it opens up all kinds of possibilities! Check it out!

Posted in: Forefront Identity Manager | Identity Management | Workflow


How to load balance FIM

November 23, 2009 at 11:26 AM, Henrik Nilsson

Darryl Russi has posted a great article on how to configure more than one instance of the FIM Service.
If you haven’t discovered Darryl’s blog yet, make sure you bookmark it or add a feed subscription!

Service Partitions - Multiple Middle Tiers, Request & Workflow Processing

Posted in: Forefront Identity Manager | Identity Management | Workflow


EnumerateResourcesActivity - the follow-up

November 16, 2009 at 10:13 PM, Henrik Nilsson

A couple of months ago Joe Zamora (the CShark) was trying to solve the mysteries around the EnumerateResourcesActivity, a great activity that you can use from your own custom activities/workflows but not from the FIM workflow designer; read Joe’s post here. After a lot of work, some help from Nima in the product team and a couple of not-that-useful tips from me, Joe got it working. See the forum post where Joe and I were trying to accomplish this here.

The EnumerateResourcesActivity is the only activity that can search for and return resources in FIM, and it does so simply by you giving it an XPath query. It’s a really nice activity, except it has limitations: it can only contain a single child activity (actually not strange at all, the same goes for the ReplicatorActivity), and it has a designer that doesn’t allow adding the child activity declaratively, so you’re forced to add the single child using code. The EnumerateResourcesActivity works pretty much like the ReplicatorActivity in that it iterates over a bunch of values; only in the case of the EnumerateResourcesActivity it finds the values (resources) before iterating over them. An important aspect of workflow crafting is that an activity can’t be executed twice. The EnumerateResourcesActivity handles that by creating duplicates of the child activity object (and the descendant objects of the child activity) for each iteration before the iteration is started, and therefore you can’t use the original activity object references for getting at activities within the iterations.

Joe used a CodeActivity as the single child, but the solution I’m going to show you will use a SequenceActivity instead, making it possible to add more than one single activity, because you will probably want to do work suited for other activities, like adding a user to the group you have found or something like that.

I won’t go through all the stuff around activity crafting; for this you’ll have to turn to the Windows Workflow Foundation developer center, the Forefront Identity Manager 2010 Developer Reference or maybe the oracle scrapheaps named Google and Bing. First of all we need some code in the designer part of our custom Activity class (a custom activity is usually created from two partial classes when you create it in Visual Studio). In the InitializeComponent method I create an EnumerateResourcesActivity, add a SequenceActivity to it, and to the SequenceActivity I add a CodeActivity, but I leave it to you to add more child activities to the SequenceActivity after the CodeActivity. Finally I add the EnumerateResourcesActivity to the custom activity I’m currently creating:

private void InitializeComponent()
{
    this.CanModifyActivities = true;

    // codeActivity
    this.codeActivity = new CodeActivity();
    this.codeActivity.ExecuteCode += new System.EventHandler(this.codeActivity_ExecuteCode);

    // sequenceActivity: holds the codeActivity (and any siblings you add after it)
    this.sequenceActivity = new SequenceActivity();
    this.sequenceActivity.Activities.Add(this.codeActivity);

    // enumResourcesActivity: the SequenceActivity is its single child
    this.enumResourcesActivity = new Microsoft.ResourceManagement.Workflow.Activities.EnumerateResourcesActivity();
    this.enumResourcesActivity.PageSize = 100;
    this.enumResourcesActivity.XPathFilter = "/Person";
    this.enumResourcesActivity.Activities.Add(this.sequenceActivity);

    // MyCustomActivity
    this.Name = "MyCustomActivity";
    this.Activities.Add(this.enumResourcesActivity);

    this.CanModifyActivities = false;
}

Did you notice the XPathFilter property of the EnumerateResourcesActivity that I’ve set to return all Person objects? You might think it’s strange that I add a CodeActivity as the only child of the SequenceActivity, but I use it for getting the resource for the current iteration, and it also gives you a method that you can use for assigning values to siblings further down the execution chain from the CodeActivity, which I leave up to you to add.

Here’s how I extract the value from the EnumerateResourcesActivity:

void codeActivity_ExecuteCode(object sender, EventArgs e)
{
    // sender is this iteration's clone of the CodeActivity, so its Parent is
    // this iteration's clone of the SequenceActivity
    SequenceActivity s = (SequenceActivity)((CodeActivity)sender).Parent;
    ResourceType resource = EnumerateResourcesActivity.GetCurrentIterationItem(s) as ResourceType;

    // Perform initialization of any sibling activities here but remember you must reference
    // them as I’ve done above with the SequenceActivity
    // and a good way of doing it could be for example (requires using System.Linq)...
    // UpdateResourceActivity u = s.Activities.OfType<UpdateResourceActivity>().First();
    // or other generic “queries”.
}

First of all we need to get the SequenceActivity of the current iteration, and since we know it’s the parent of the CodeActivity, we can get it from the Parent property of the current CodeActivity object instance, which we’ve got from the sender parameter. Then we call the static GetCurrentIterationItem method, passing in the SequenceActivity object instance, and this returns the resource for the current iteration.

Next, I leave it up to you to use the values of the found resources to do whatever you wish; that could be, for example, updating the resources found, deleting them, or maybe creating new resources from whatever values the found resources contain.
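As an added example that is not from the post, here are the two halves above combined into one complete custom activity that also adds an UpdateResourceActivity sibling after the CodeActivity and resolves that sibling from the cloned SequenceActivity inside the iteration, exactly as the text says you must. It assumes the FIM member names UpdateResourceActivity.ResourceId, UpdateParameters and ActorId, the UpdateRequestParameter/UpdateMode types and ResourceType.ObjectID; the Department attribute in the XPath is a constructed sample.

```csharp
using System;
using System.Linq;
using System.Workflow.Activities;
using System.Workflow.ComponentModel;
using Microsoft.ResourceManagement.Workflow.Activities;
using Microsoft.ResourceManagement.WebServices.WSResourceManagement;

// Added example, not the post's code: builds Enumerate -> Sequence -> [Code, UpdateResource]
// and, in each iteration, resolves the cloned UpdateResourceActivity through the cloned
// SequenceActivity instead of the field the designer assigned.
public class TagSalesPersonsActivity : SequenceActivity
{
    private EnumerateResourcesActivity enumResourcesActivity;
    private SequenceActivity sequenceActivity;
    private CodeActivity codeActivity;
    private UpdateResourceActivity updateActivity;

    public TagSalesPersonsActivity() { InitializeComponent(); }

    private void InitializeComponent()
    {
        this.CanModifyActivities = true;
        this.codeActivity = new CodeActivity { Name = "codeActivity" };
        this.codeActivity.ExecuteCode += new EventHandler(this.codeActivity_ExecuteCode);
        this.updateActivity = new UpdateResourceActivity { Name = "updateActivity" };
        this.sequenceActivity = new SequenceActivity { Name = "sequenceActivity" };
        this.sequenceActivity.Activities.Add(this.codeActivity);   // runs first in each iteration
        this.sequenceActivity.Activities.Add(this.updateActivity); // then the update
        this.enumResourcesActivity = new EnumerateResourcesActivity { Name = "enumResourcesActivity" };
        this.enumResourcesActivity.PageSize = 100;
        this.enumResourcesActivity.XPathFilter = "/Person[Department='Sales']"; // constructed filter
        this.enumResourcesActivity.Activities.Add(this.sequenceActivity);        // the single child
        this.Name = "TagSalesPersonsActivity";
        this.Activities.Add(this.enumResourcesActivity);
        this.CanModifyActivities = false;
    }

    private void codeActivity_ExecuteCode(object sender, EventArgs e)
    {
        // sender is this iteration's clone of codeActivity; its Parent is the cloned SequenceActivity.
        SequenceActivity s = (SequenceActivity)((CodeActivity)sender).Parent;
        ResourceType resource = EnumerateResourcesActivity.GetCurrentIterationItem(s) as ResourceType;
        if (resource == null) return;
        // Never use this.updateActivity here: that is the original, which is never executed.
        UpdateResourceActivity u = s.Activities.OfType<UpdateResourceActivity>().First();
        u.ResourceId = resource.ObjectID; // ResourceId/ObjectID/UpdateParameters: assumed FIM member names
        u.UpdateParameters = new UpdateRequestParameter[] {
            new UpdateRequestParameter("Description", UpdateMode.Modify, "Sales staff") };
        // u.ActorId (the identity the update runs as) is left for the caller to set.
    }
}
```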

Posted in: Forefront Identity Manager | Identity Management | Workflow


To be or not to be – AppStored

October 16, 2009 at 8:25 AM, Henrik Nilsson

I’ve had a long discussion with Markus Vilcinskas on the FIM Forum in a thread started by Carol Wapshere, maybe better known as MissMiis, on the subject “Selective provisioning to FIM”.

Carol wanted a way of bringing only a subset of users into the FIM AppStore, and I really understand why; the reasons could be to save money on CALs (30.000 users * 25$ = 750.000$), or maybe you already have perfectly working legacy sync rules.

Think before you try to do this: the best practice is that the AppStore should be a mirror of the Metaverse, except of course for the resource types that live exclusively in the AppStore.

My first idea was that it could be fairly simple to filter out users from the AppStore with the filter you can find in the declarative input sync rule, but that was not a good idea at all: if you have 32.000 resources and you filter out 30.000 of these, all of the filtered resources will be hit during sync since they’re disconnectors. This is bad!

I also must admit I had a silly belief that the “Create Resource in FIM” checkbox, when unchecked, would project resources into the Metaverse. I was all wrong, and for that I’ve promised to wear a silly hat all day.


So how should it be done then?
The best practice is to bring all your objects into the AppStore, but you could bring objects you don’t want to manage in the AppStore into the Metaverse as separate object types using legacy rules. Remember though that you won’t get the management of unique identifiers, and group management might become a nightmare, so think before you plan on not bringing all your objects into the AppStore!

Posted in: Forefront Identity Manager | Identity Management | Sync Rules


Welcome Paolo

October 7, 2009 at 12:59 PM, Henrik Nilsson

A new blog has shown up in the FIM 2010 sphere: Paolo Tedesco at the European Organization for Nuclear Research, CERN near Geneva (the ones with the Large Hadron Collider), has started a blog about their work with identity management. So far Paolo has made a couple of interesting posts on the FIM 2010 Web Service Client; maybe we’ll see other content as well in the future!?

You can find the blog here:
Identity Management at CERN

Posted in: Forefront Identity Manager | Identity Management | Web Services


The need for custom FIM 2010 sync rule functions

September 20, 2009 at 2:32 PM, Henrik Nilsson

All of you that have been working with the ILM “2”/FIM 2010 sync rules have found the functions and custom expressions in sync rules and in the Function Activity extremely helpful for extracting and formatting attributes or for evaluation (OK, the Function Activity wasn’t very useful, but there was a workaround, see the Cortego Update Value Activity; this bug will be fixed in RC1). Most of you have also realized, however, that the functions are limited and that in many cases you have to fall back on custom workflow activities or legacy flow rules.

Those of you out there that aren’t familiar with the functions and custom expressions can have a look at these excellent blog posts for more info:

During the session What’s New in FIM 2010 RC1, held by Mark Wahl at TEC 2009 Europe in Berlin, we were told that custom functions won’t make it to RTM, but during the FIM 2010 Chalktalk session I called for this to be added as soon as possible and I got strong support for this from Markus Vilcinskas (Thanks Markus!!!). The not perfect but positive answer I got was that this might end up in a future Feature Pack that the product team already seems to be planning, and these Feature Packs might even be pushed out using Windows Update.

So why is this something I find so important?

The functions are simple and powerful, but the available functions in RC0 are limited; maybe they’ll add more functions in RC1, but it won’t be enough for all possible cases you’ll get into. Those of you that have had a look at my Activity Library could see that the Normalize Diacritic Characters Activity, Regex Replace Activity and Generate Password Activity would make more sense as function calls, but except for the Regex Activity they probably wouldn’t be suitable as built-in functions. The remaining two activities in my library, Unique Name Activity and LDAP Search Activity (the Update Value Activity will be removed in RC1 since the Function Activity included in FIM will be able to update values from RC1), would probably not be suitable as functions since they call out for external information.

Having a look at some of the functions found on the common .Net objects and comparing this to what is available in RC0, you’ll probably understand what I mean:

  • Conversion functions – For example converting accountExpires, lastLogonTimeStamp and pwdLastSet to and from Int64.
  • IndexOf or Contains – To find out if a string is contained and where; without this the included Mid function isn’t useful unless you’re absolutely certain your attribute has an exact format.
  • Len – To be able to find out the length of a string, useful to find out if, for example, the userAccountName attribute is longer than the allowed 20 characters in AD.
  • StartsWith, EndsWith – Similar to IndexOf and Contains but could be easier to use in some cases.
  • Format – I just love this function on the .Net string object and I think it could be really useful, even though I understand it could be hard to implement a user interface for it because it takes any number of input values.
  • Now – Date function to get the current date and time.
  • AddDays, AddHours, etc. – System.DateTime functions for decreasing and increasing date and time values, perfect for setting the ExpirationTime attribute.
  • DayOfWeek, DaysInMonth, IsLeapYear, etc. – Other date/time functions that could be useful in some cases.
  • Any more advanced function you might be in need of, as long as it’s kept simple and static.

If you have an idea of your own of what could maybe be implemented as a function, please add a comment to this blog post.

Am I alone in this wish?

I don’t think so; if you have a closer look at the feedback section on the ILM “2” Connect site (you must have a Connect account for access) or the ILM “2” forum at TechNet, you’ll find a lot of requests for this and cases where it could have helped out.

With custom functions FIM 2010 will be a much more complete product!

What's the problem then?

If you have a look at Administration/All Resources in the portal, you’ll see there’s already an object type called Function, and when having a closer look at any of the functions you can see there’s a referenced DLL and namespace, pretty much like with workflows. So I believe custom functions are already prepared for, unless this is for presenting functions in the UI only, but then the reference to namespace and DLL would be unnecessary. Personally I think the product team found out it was going to be hard to evaluate and execute function calls, not to mention the possibility for abuse if they allowed custom functions, since the function calls are executed on behalf of the sync engine.

Functions from within the portal

Having a deeper look at the bits and pieces of the current implementation, the available functions together with the code for evaluating and executing the functions are implemented in FunctionLibrary.dll, the DLL referenced from the portal. Inside FunctionLibrary.dll there is a class named AttributeFlowMappingHandler that implements the interface IMASyncRuleCallout, which is part of Microsoft.MetadirectoryServicesEx.dll – the same library you reference when creating MV and MA extensions! This is interesting because it means there’s already an extension point from within the sync engine to a custom function library. Unfortunately that’s not enough unless you wish to disassemble FunctionLibrary.dll, make your own additions to it and then replace the original one, but that’s nothing I recommend even though you’re an experienced developer, and I’m not sure it would work anyway. What we need is a simple extension point, like the one for workflow activities, where we reference our function library (the functions only), maybe evaluation code for each function, and documentation.


If you agree with me on this, you’re welcome to join the struggle! You could for example make a comment on this blog post, make a post on your own blog, talk to any FIM 2010 team members you might know or meet, post feedback to the Connect website (feedback is still open), or why not all of the alternatives! :-)

Posted in: Forefront Identity Manager | Identity Management | Sync Functions