Additional OOB and Custom Sync Rule Functions… Again!

April 6, 2011 at 9:45 PMHenrik Nilsson

One of the wishes for additional functionality in FIM I’ve had since ILM2 has been custom Sync Rule Functions and except for adding a feature request to Connect that got a lot of votes (and was closed with “Won’t Fix) I blogged about it here.

Why?

The reason I want preferably custom and more OOB functions is simply the available functions are way too limited and much too often you’ll have to fall back on MA Extensions or creating custom workflows/activities where the Function Evaluator can’t help.

I’ve discussed this with a member of the product team and he claims that even though there is a public Sync Service interface allowing for this and a FIM Service system resource type (Function) this has never been a plan, instead this has just been a way of implementing the current functions that remains in the Functionlibrary.dll that is hardcoded to both the FIM service and the Sync Service.

The Survey

Since I’m not a person that takes no as an answer I did a little survey that I addressed my MVP friends and some other FIM initiated friends (and their friends within Microsoft) giving them my ideas for new OOB functions since I’ve got the hint that custom functions are far away from being a reality and asked them to suggest functions they would like to see in FIM in a not too far future.

The Answers

Even though the hint I got and communicated in the survey that custom functions are far away and instead asked for ideas for OOB functions they wished almost everyone said that custom and reusable functions is the only way to satisfy our demands, here are some of the comments …

  • Quite frankly I don't see how they could ever satisfy all the requirements we could come up with. Allowing us to add functions is the only logical solution.
  • Please allow an extension to provide our own custom functions - this was also suggested during the summit. And while we're at it, please allow the same extension to be used for relationship criteria.
  • Could not agree more :), it's what's missing.. I can't stand sync rules.... this would help with the pain...
  • However, I totally agree that custom functions are the only way to satisfy all our requirements, including those that we can't think of right now but that we will have to face some day. In this way, no matter how many more functions we get, we won't be able to use only codeless provisioning.

As you can see above, there’s also a demand for allowing functions in the Sync Rule relationship and I totally agree, as it is now it could be hard to get usable “joins” when having similar but not perfectly equal values for joining on!

OOB functions?

Except for custom functions there’s a demand for more OOB functions that could be used by those who isn’t considering themselves developers. Some of the ideas were so similar that I took the freedom to join them. I got an answer with code examples where I choose not to include the code for readability and I hope it is clear enough anyway.

  • Delete()
    Issue a .Delete on the MV Attribute to clear out unwanted or orphaned data due to removal of flow rules
  • ToInt(string)
    Cast the string to an integer, useful when you have to change an integer based anchor into a string to contribute elsewhere but need to provision it out
  • GetBitOperator(int bitmask, mask)
    Returns true/false of whether or not a bit is active in the mask
  • ConvertGeneralTimeToISO8601(string generalizedtime)
    Converts a flat string date
  • ConvertFileTimeToISO8601(datetime filetime)
    Converts a FileTime attribute to a format the FIM WS can accept
  • GeneratePassword(number length)
    Generate complex password from some predefined character group.
  • GeneratePassword(number length, string chargroup1)
    Generate complex password using characters from chargroup1.
  • GeneratePassword(number length, string chargroup1, string chargroup2)
    Generate complex password using characters from chargroup1 and chargroup2.
  • GeneratePassword(number length, string chargroup1, string chargroup2, string chargroup3)
    Generate complex password using characters from chargroup1 and chargroup2 and chargroup3.
  • IsUnique
  • AddDays(Now(), 15)
  • AddMonths(Now(), 6)
  • Len (string value)
    Function that returns the length of a string, 0 if null or empty.
  • ToString (any type value)
    Function that converts any datatype to string.
    (it’s so irritating trying to map an integer value to a string during inbound sync, for example to employeeID and you get an error)
  • Split (string value, string separators)
    Function that splits a string into a multi-valued string.
  • Join (string multi-valued value, optional string separator)
    Function that joins a multi-valued string value into a single-valued value with an optional separator string.
  • Index (any type multivalued value, number index)
    Function that returns a single value of the same datatype as the multi-valued input value by index.
  • Add (any type multivalued value,  any type single-valued value to add)
    Function that adds a single-valued value to a multi-valued value of the same type (one use could be for handling object classes in LDAP directories)
  • Remove(any type multivalued value, any type single-valued value to remove)
    Function that removes a single-valued value from a multi-valued value of the same type.
  • RegexReplace(string value, string pattern, string replace)
    Function that does a string replace using a regex pattern.
  • StartsWith(string value, string startswith)
    Function useful for finding out if a string starts with a specific string when doing IIF’s.
    Could maybe be solved using the already available Mid function but this is easier.
  • EndsWith(string value, string endswith)
    Function useful for finding out if a string ends with a specific string when doing IIF’s.
    Could maybe be solved using the already available Mid function but this is easier.
  • IsValid(string value, string pattern)
    Function for validating an input value using a regex pattern when doing IIF’s
  • Format(string format, string value1, string value2, string value3… )
    Function that replaces the format item in a specified string with the string representation of a corresponding string in a specified parameter. I just love this function on the .Net string object and I think it could be really useful even thought I understand it could be hard implementing a user interface for and since the FIM functions can’t accept arbitrary number of parameters.
  • Now()
    Function that returns the current date and time.
  • Normalize(string value)
    Function for normalizing characters like ÅÖÄÜ etc. and removing all kinds of diacritics when for example creating email addresses. I’m told this could be done using the EscapeDNComponent function but that’s only available for outbound sync rules.
  • Word (string value, number index, string separators)
    This already available function doesn’t allow you to use an attribute as value only a fixed string.

Conclusion

I’m not the only one asking for this functionality but in order to make a change we need to get votes for it on Connect therefore I’ve made a new request that you can find here:

Custom and additional OOB Sync Rule Functions (again)...

Go ahead and vote for it but don’t forget to make a comment why you wish to be able to create custom functions that can be reused and have a larger set of OOB functions. Also don’t be afraid inviting you friends to vote and publish this or the connect feature request on any social media! Smile

Posted in: Forefront Identity Manager | Sync Functions | Sync Rules | Workflow

Tags:

MCT and FIM Courses in Sweden

January 3, 2011 at 9:29 PMHenrik Nilsson
image

I’m proud to announce I’m now a Microsoft Certified Trainer and this spring I’ll hold the 4 day Implementing Forefront Identity Manager 2010course at Cornerstonein Stockholm, Gothenburg and Malmö (in Swedish). If you’re interested to attend the course go ahead and visit Cornerstone and don’t be confused Cornerstone calls the course T207.

 

These are the preliminary course dates:

  • 22-25 February in Malmö
  • 15-18 March in Stockholm
  • 5-8 April in Gothenburg
  • 3-6 May in Stockholm

Posted in: Forefront Identity Manager | Identity Management

Tags: , ,

SQL Server 2008 R2 is supported for FIM

December 9, 2010 at 2:33 PMHenrik Nilsson

A little bird whispered in my ear that SQL Server 2008 R2 is now supported for FIM 2010 from yesterday, still no update of the Hardware and Software Requirements and nothing about an update for making the installer work but hopefully we’ll hear about it soon.

Posted in: Forefront Identity Manager | Identity Management

Tags: ,

ADFS 2.0 Attribute Store for FIM

December 5, 2010 at 11:47 AMHenrik Nilsson

I know, I haven’t been blogging as much as I should but a lot of work and a whole bunch of interesting development projects have been taking up my time but I’m very pleased I can finally report that one of these projects have reached it’s first release to CodePlex.

FIM is of course the ultimate place for attributes to issue as claims using ADFS 2.0 since you typically store attributes from all different kinds of connected directories there. Not only will you be able to issue standard attributes - you can do lookups for groups, sets or roles and publish these as claims as well, perfect for authorization scenarios.

The footprint on ADFS 2.0 is minimal and it doesn't require more than the usual attribute store configuration. The attribute store also comes with a command-line test client that allows you to get the communication with FIM correct and also enables you to run custom queries against FIM. The test client is pretty much a command-line version of the FIM Query Tool once published by Joe Zamora from Ensynch except it uses the attribute store under the hood that also can be attached directly to ADFS 2.0.

It's currently in Beta so please try it out and report issues to the project page on CodePlex so that I can make it better!

http://fimattributestore.codeplex.com/

The ADFS 2.0 configuration of the attribute store.

ADFS 2.0 Attribute Store for FIM

Example output from the Test client.

Test client example output

Posted in: ADFS | Federation | Forefront Identity Manager

Tags: , ,

PowerShell Activity for FIM

September 4, 2010 at 8:31 AMHenrik Nilsson

Carol(MissMiis) has created a really nice activity for executing PowerShell scripts, both local and remote and it opens up for all kinds of possibilities! Check it out!

http://www.wapshere.com/missmiis/powershell-activity

Posted in: Forefront Identity Manager | Identity Management | Workflow

Tags: , ,

ADFS 2.0 is RTW

May 5, 2010 at 6:03 PMHenrik Nilsson

Go ahead and download it here:  Active Directory Federation Services 2.0 RTW

Posted in: ADFS | Federation

Tags: ,

I’ve been awarded as MVP on Identity Lifecycle Manager!!!

April 1, 2010 at 6:38 PMHenrik Nilsson

Dear Henrik Nilsson,
Congratulations! We are pleased to present you with the 2010 Microsoft® MVP Award! This award is given to exceptional technical community leaders who actively share their high quality, real world expertise with others. We appreciate your outstanding contributions in Identity Lifecycle Manager technical communities during the past year.

mvp

I hoped it would have happened in January but no email showed up and I had totally given up the idea I would be awarded especially since I have had way too much work lately and haven’t had the time to keep myself active in the community.

I became really surprised today when I found the email from Microsoft… in my junk email folder! :-)

Posted in: Forefront Identity Manager | ILM

Tags: , ,

FIM 2010 is RTM

March 2, 2010 at 3:41 PMHenrik Nilsson

Posted in:

Tags:

Detecting Non-Authoritative Accounts

January 7, 2010 at 12:45 AMHenrik Nilsson

I’m currently working with Markus Vilcinskas on a couple of FIM Experts articles on how to detect non-authoritative accounts. Today we published the first two parts were the second part also contains an in depth description on how object state detection works. Enjoy!

Detecting Non-Authoritative Accounts – Part 1: Envisioning

Detecting Non-Authoritative Accounts – Part 2: Design

 

Technorati Tags:

Posted in: Forefront Identity Manager | Sync Rules | Non-Authoritative Accounts | Object State Detection

Tags:

ADFS 2.0 RC is here

December 18, 2009 at 7:11 PMHenrik Nilsson

The news:

  • IDP initiated communication
  • Single logout
  • Artifact resolution protocol
  • And a lot more…

See the announcement here:
http://channel9.msdn.com/shows/Identity/ADFS-20-RC-is-Here/

Posted in:

Tags: