To be or not to be – AppStored

October 16, 2009 at 8:25 AM, by Henrik Nilsson

I’ve had a long discussion with Markus Vilcinskas on the FIM Forum, on a thread started by Carol Wapshere (maybe better known as MissMiis) on the subject ”Selective provisioning to FIM”.

Carol wanted a way of bringing only a subset of users into the FIM AppStore, and I really understand why: the reasons could be to save money on CALs (30,000 users × $25 = $750,000), or maybe you already have perfectly working legacy sync rules.

Think before you try to do this: the best practice is that the AppStore should be a mirror of the Metaverse, except of course for the resource types that live exclusively in the AppStore.

My first idea was that it could be fairly simple to filter out users from the AppStore with the filter you find in the declarative input sync rule, but that was not a good idea at all: if you have 32,000 resources and you filter out 30,000 of them, all of the filtered resources will be hit during every sync since they’re disconnectors. This is bad!

I also must admit I had a silly belief that the “Create Resource in FIM” checkbox, when unchecked, would project resources into the Metaverse. I was all wrong, and for that I’ve promised to wear a silly hat all day.


So how should it be done then?
The best practice is to bring all your objects into the AppStore. You could bring the objects you don’t want to manage in the AppStore into the Metaverse as separate object types using legacy rules, but remember that you won’t get the management of unique identifiers, and group management might become a nightmare. So think before you plan on not bringing all your objects into the AppStore!

Posted in: Forefront Identity Manager | Identity Management | Sync Rules


Where’s U-Prove?

October 9, 2009 at 8:28 AM, by Henrik Nilsson

One and a half years ago Microsoft bought the U-Prove technology from Credentica, for integration into Geneva and Windows Communication Foundation according to the press release on the Credentica home page, but it has been very quiet about what’s happening since.

The last we ever heard was at the end of August, when Kim Cameron replied to Felix Gaehtgens at Kuppinger Cole in this blog post: Microsoft: minimum disclosure about minimum disclosure?:

…The complexity must be tamed for the technology to succeed. There is more to this than brilliant formulas or crypto routines. We need to understand not only how minimal disclosure technology can be used - but how it can be made usable…
…So we’ve been working hard on figuring this stuff out. In fact, a lot of progress has been made, and I’ll write about that in my next few posts. I’ll also reach out to anyone who wants to become more closely involved.

…Then nothing…

Those of you who haven’t heard about U-Prove should definitely check it out; it’s going to be revolutionary!


Posted in: ADFS | Federation


Welcome Paolo

October 7, 2009 at 12:59 PM, by Henrik Nilsson

A new blog has shown up in the FIM2010 sphere: Paolo Tedesco at the European Organization for Nuclear Research, CERN near Geneva (the ones with the Large Hadron Collider), has started a blog about their work with identity management. So far Paolo has made a couple of interesting posts on the FIM2010 Web Service Client; maybe we’ll see other content as well in the future!?

You can find the blog here:
Identity Management at CERN

Posted in: Forefront Identity Manager | Identity Management | Web Services


FIM 2010 RC1 Breaking change, DesignerHostProvider :-(

October 4, 2009 at 1:20 PM, by Henrik Nilsson

In my activities I’ve been using the ProcessParameterPicker extensively, a control that shows a button with the text “Lookup”; when clicked, it gives you the possibility to select from the different available attributes.

In RC0 this control was available by calling base.DesignerHostProvider.CreateParameterPickerControl() from a class that inherited ActivitySettingsPart, since the DesignerHostProvider property was protected, in other words available from derived classes.

[Screenshot: DesignerHostProvider in RC0]

In RC1 the Product Team doesn’t want us to use the ProcessParameterPicker control from custom activities anymore, so they’ve made it internal. This made all my activities useless in RC1 unless the ProcessParameterPicker is removed from the code.

[Screenshot: DesignerHostProvider in RC1]

Another breaking change is that Microsoft.IdentityManagement.WebBase.dll has been removed, and what it used to contain has been moved to Microsoft.IdentityManagement.WFExtensionInterfaces.dll. This one is simply solved by removing the reference to Microsoft.IdentityManagement.WebBase.dll and updating the reference to Microsoft.IdentityManagement.WFExtensionInterfaces.dll.

Currently I’m waiting for the VHD to be released before I update my library for RC1, and we’ll see how I’ll be able to handle the ProcessParameterPicker…

They’ve also forgotten to update the SDK with this change (on the “Using Custom Activities in FIM” page, ActivitySettingsPart).

I’ve added a request to make the ProcessParameterPicker available again, because I don’t see the reason why this has been taken away from custom activities.

Update 2009-10-05: Microsoft has chosen to keep the ProcessParameterPicker internal, with this explanation...

As part of the changes between RC0 and RC1 we locked down the vast majority of our classes, including the class that you identified here, as a best practice of exposing only supported interfaces publicly.

Posted in: Forefront Identity Manager | Workflow


Great Geneva/ADFSv2 news!

October 1, 2009 at 10:05 AM, by Henrik Nilsson

From the Forefront Team Blog:

Active Directory Federation Services 2.0 passed SAML 2.0 interoperability testing

This commitment includes other solutions, such as Forefront Unified Access Gateway, and capabilities in the Windows platform, such as Active Directory Federation Services 2.0 (formerly known by codename “Geneva.”) ADFS 2.0 uses identity federation to extend Active Directory authentication and single sign-on to cloud-based services, hosted by Microsoft or others, so IT can gain flexibility and cost savings but avoid managing extra user accounts and passwords.

Another key part of our efforts in identity and access management is work across the industry to ensure interoperability. Today, for example, Microsoft was part of a Kantara Initiative and Liberty Alliance announcement. ADFS passed SAML 2.0 interoperability testing, meaning it will interoperate with heterogeneous environments and provide federation.


Posted in: ADFS | Federation