Manage SP2010 with FIM2010 without the use of SP2010's User Profile Sync?
Hi,
What if a customer already has a full FIM setup and wants to get user profile/role data into SharePoint 2010? From what I've read, the User Profile Synchronization feature in SP2010 also installs the FIM sync service (which you may not touch). But I don't want that FIM instance that comes with SP2010, there already is one...
Is there a supported way to use the existing FIM infrastructure to deal with SP2010?
Thanks,
Danny Alvares, Solutions Architect
May 19th, 2011 8:48am
Have you seen this
http://technet.microsoft.com/en-us/library/ff959234.aspx
May 19th, 2011 11:44am
Hi Robert Louis. Yes I've seen it; it seems to be intended for other LDAP environments (eDirectory, OpenLDAP etc.) from which one wants to derive information. It also seems to rely on the User Profile service application (and creation of it) and thus on a FIM instance specific for SP2010.
I'll study the article(s) more in depth to see if there is a way to get it to work with an existing FIM architecture.
Thanks!
Danny Alvares, Solutions Architect
May 19th, 2011 11:59am
Unfortunately I think you only have one real option, which comprises two parts:
1. Utilise the SharePoint user profile synchronisation application to synchronise user profile information (and basically forget about FIM on the app server, other than maybe re. some basic backup, etc.).
2. Develop a solution to manage roles and permissions.
Unfortunately #2 is not really straightforward, especially if you want to write something scalable and reusable.
May 19th, 2011 3:54pm
Thanks Paul, it suddenly occurred to me: why not have ADFS v2 using WIF/WS-Fed/WIA against (a claims-aware) SP2010 bring the attributes ('sAMAccountName' and 'Token-Groups – Unqualified Names' and everything else required). I am not a SP2010 expert, but I do know how to configure it for CBAC. What I then need to find out is how the token and claims can be consumed for use with profiles and roles within SP, and have it refreshed when required.
It does leave the question of how to clean up profiles in hire/fire scenarios...
Danny Alvares, Solutions Architect
May 19th, 2011 4:22pm
For user profiles you can develop a simple extensible management agent that only deals with user objects by utilizing the SharePoint SDK.
And for permissions I just use Active Directory groups as members in SharePoint groups, and thus manage the membership of the groups via the FIM portal and a normal AD management agent.
May 19th, 2011 6:22pm
I have built a custom RBAC solution for MOSS using FIM to manage AD groups which are members of MOSS groups (which FIM manages). We found that at least two different group nesting designs simply couldn't scale, i.e. we hit token bloat issues which caused major issues for the end users, i.e. unable to access MOSS, Exchange, etc.
Going forward I believe the only scalable and effective way of granularly managing SharePoint access is via claims-based authn, i.e. define a rigid model for what claim type and value are granted access to what site or library within the site provisioning process, and build complex claims via custom claim rules (in AD FS 2.0) that target a SQL database attribute store. FIM can populate and manage this database.
I have a rough prototype of this for a customer now. We're just fleshing out how best to manage role information, i.e. is FIM a consumer and broker or will it actually manage roles (as in my previous engagement).
May 20th, 2011 3:24am
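Paul's claims-based design, worked through as an added example; this is not code from the thread or from his prototype. Part 1 runs on an AD FS 2.0 federation server (Microsoft.Adfs.PowerShell snap-in): it registers a SQL attribute store and an issuance rule that turns the authenticated Windows account name into one role claim per row of a table that FIM populates. Part 2 runs in the SharePoint 2010 Management Shell and grants a site permission to one of those role claim values. The SQL server, database, table and column names, the store name, the relying party and token issuer names, and the site URL are all assumptions. Because the role lookup happens at token issuance, the role data never enters the Kerberos token, which is the token-bloat path Paul describes; revoking a role is a row deletion that FIM can perform.

```powershell
# Added example: role claims from a FIM-managed SQL store, consumed by a claims-aware SP2010 site.

# --- Part 1: AD FS 2.0 federation server (Microsoft.Adfs.PowerShell snap-in) ---
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Assumed schema of the table FIM manages (one row per account/role pair). FIM's SQL
# management agent or a workflow inserts and deletes rows; AD FS only reads it, so the
# AD FS service account needs SELECT on this table and nothing more.
$tableDdl = @'
CREATE TABLE dbo.UserRoles (
    AccountName nvarchar(256) NOT NULL,   -- e.g. CONTOSO\jdoe, as carried in windowsaccountname
    RoleName    nvarchar(128) NOT NULL,   -- e.g. Finance-Readers
    CONSTRAINT PK_UserRoles PRIMARY KEY (AccountName, RoleName)
);
'@

# Register the store (store name, server and database are assumptions).
Add-ADFSAttributeStore -Name "FimRoles" -StoreType SQL `
    -Configuration @{ "Connection" = "Server=sql01.example.local;Database=FimRoles;Integrated Security=True" }

# Issuance transform rule for the SharePoint relying party: one role claim per row.
# {0} is bound to the windowsaccountname claim value by AD FS as a query parameter,
# so the account name is never concatenated into the SQL text.
$roleType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
$rules = @"
@RuleName = "Roles from FIM-managed SQL store"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "FimRoles", types = ("$roleType"), query = "SELECT RoleName FROM dbo.UserRoles WHERE AccountName = {0}", param = c.Value);
"@
Set-ADFSRelyingPartyTrust -TargetName "SharePoint 2010 Intranet" -IssuanceTransformRules $rules

# --- Part 2: SharePoint 2010 farm (SharePoint 2010 Management Shell) ---
# Assumes a trusted identity token issuer for the AD FS farm already exists, created with a
# claim mapping for $roleType. Grant the "Finance-Readers" role claim Read on one site:
# this is the "rigid model" step, a claim value mapped to a site during provisioning.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$sts   = Get-SPTrustedIdentityTokenIssuer "ADFS Intranet"
$web   = Get-SPWeb "http://intranet.example.local/sites/finance"
$claim = New-SPClaimsPrincipal -ClaimValue "Finance-Readers" -ClaimType $roleType -TrustedIdentityTokenIssuer $sts
$user  = $web.EnsureUser($claim.ToEncodedString())

if (-not $web.HasUniqueRoleAssignments) { $web.BreakRoleInheritance($true) }
$assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($user)
$assignment.RoleDefinitionBindings.Add($web.RoleDefinitions["Read"])
$web.RoleAssignments.Add($assignment)
$web.Dispose()
```

The two parts are deliberately separate: FIM owns the rows, AD FS owns the issuance, and SharePoint only ever sees a claim type and value, so a change in who holds a role never requires touching SharePoint permissions.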
Is it practical to control all the access and permissions of SharePoint sites and lists using an external system? I don't know if it's doable and feasible.
I think only some basic SharePoint roles and permissions can be controlled by an external system like FIM, and the advanced permissions and access rights should be the responsibility of the SharePoint administrator. But it depends on the size and complexity of the SharePoint environment.
May 20th, 2011 6:25am
Hi Amer, after reading this tip on using the SDK I went to search for the specific example(s); can you give me a hint as to which part of the SDK you are referring to? I am glad to see there are alternative solutions! Thanks for that ;-)
Danny Alvares, Solutions Architect
May 21st, 2011 4:34am
Hi Paul, this is in my opinion a good solution too, thanks for the insights; in this case I would want the customer to express whether he feels the need to have a fine-grained access model for SP. I have even heard talks about utilizing XACML for even more fine-grained access, for which there are vendors who deliver tools for it, like BiTKOO and Axiomatics.
Danny Alvares, Solutions Architect
May 21st, 2011 4:45am
For creating and updating user profiles check this:
http://msdn.microsoft.com/en-us/library/bb847941.aspx
To create a custom management agent:
http://msdn.microsoft.com/en-us/library/ms695385.aspx
May 21st, 2011 7:35am
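Amer's two posts above (a management agent that handles only user objects, and the SDK's create/update profile calls) worked through as one added example; this is not code from the thread, from the SDK articles or from any product. It is a PowerShell script for the SharePoint 2010 Management Shell that drives the same UserProfileManager API the SDK documents to create, update and remove user profiles from a feed of FIM-managed identities; an extensible management agent would call the same API from its export step. The site URL, the account names and the attribute values are constructed sample data, and the script assumes it runs as an account with "Manage Profiles" rights on the User Profile Service Application. Removing the profile for an inactive account is the hire/fire clean-up Danny asks about earlier in the thread.

```powershell
# Added example: sync SharePoint 2010 user profiles from a FIM-managed feed.
# Run in the SharePoint 2010 Management Shell on a farm server, as an account with
# "Manage Profiles" on the User Profile Service Application (assumption).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.Office.Server.UserProfiles")

# Assumed site URL; any site served by the target User Profile Service Application works.
$site = Get-SPSite "http://intranet.example.local"
$ctx  = [Microsoft.SharePoint.SPServiceContext]::GetContext($site)
$upm  = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($ctx)

# Constructed sample feed: what a FIM export (a CSV, or CSEntry attributes inside a
# management agent) would hand over. Active = $false marks a leaver.
$feed = @(
    @{ Account = "CONTOSO\jdoe";   Active = $true;  Department = "Finance"; Title = "Analyst";  WorkEmail = "jdoe@example.local" },
    @{ Account = "CONTOSO\asmith"; Active = $true;  Department = "IT";      Title = "Engineer"; WorkEmail = "asmith@example.local" },
    @{ Account = "CONTOSO\bgone";  Active = $false }
)

# Only these profile properties are owned by FIM; SharePoint internal names
# (the values behind PropertyConstants in the SDK). Everything else stays user-editable.
$managedProps = @("Department", "Title", "WorkEmail")

function Sync-FimUserProfile {
    param(
        [Parameter(Mandatory = $true)] $Manager,
        [Parameter(Mandatory = $true)] [hashtable] $Entry
    )
    $account = $Entry.Account

    if (-not $Entry.Active) {
        # Leaver: remove the profile so it disappears from people search and My Sites.
        if ($Manager.UserExists($account)) {
            $Manager.RemoveUserProfile($account)
            return "removed $account"
        }
        return "no profile for $account"
    }

    # Joiner or mover: create on first sight, otherwise update in place.
    if ($Manager.UserExists($account)) {
        $up     = $Manager.GetUserProfile($account)
        $action = "updated"
    } else {
        $up     = $Manager.CreateUserProfile($account)
        $action = "created"
    }

    foreach ($p in $managedProps) {
        if ($Entry.ContainsKey($p)) { $up[$p].Value = $Entry[$p] }
    }
    $up.Commit()
    return "$action $account"
}

foreach ($e in $feed) { Sync-FimUserProfile -Manager $upm -Entry $e }
$site.Dispose()
```

Restricting writes to a fixed list of FIM-owned properties is the part worth keeping whatever the transport: it stops the sync from clobbering attributes users maintain themselves, and it makes the agent's footprint on the profile store easy to audit.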
Thanks :-) I've read about it (you pointed to the SP2007 variant, but there is also a SP2010 one of course); there is also an 'OrganizationProfile' for which I see great use.
Danny Alvares, Solutions Architect
May 21st, 2011 7:51am
At the risk of pimping the company I work for out on these forums twice in one day, can I recommend you take a look at UNIFY Identity Broker for SharePoint?
It sounds like it might fit exactly with what you're trying to do, particularly around groups, roles and permissions. The real-English description of the product capabilities is along these lines:
- It allows for synchronisation with systems other than just Active Directory.
- It allows for full integration across all enterprise systems using a centralised identity management platform.
- It is fully bi-directional, allowing SharePoint to be the source of identity information for certain attributes.
- It permits provisioning, synchronisation and de-provisioning of all user profile information, in a manner congruent with the timing of the identity management solution. As such, if the identity management solution is real-time, due to regulatory or auditing requirements, SharePoint can be kept compliant in real-time.
- It deals with user profile migration in a controlled manner by automatically handling a change of profile name using business rules defined in the central identity management system, requiring no administration.
- It handles multi-forest domain user synchronisation.
- It allows Organization Profiles to be managed in SharePoint 2010, thus allowing organisation and group management sourced directly from HR systems. This permits ease of organisation structure.
- It reduces the costs of SharePoint administration by automating a lot of SharePoint user profile processes through the centralised identity management system.
- It permits SharePoint to act as part of a workflow system through the identity management platform.
Anyway, might be an option that will prevent you from having to re-invent the wheel.
- Ross Currie
May 22nd, 2011 9:25pm
Thanks for the hint Ross. I'll take it into advice as well when dealing with customer requirements.
Danny Alvares, Solutions Architect
May 24th, 2011 5:17pm