ILM2 Unique Name Workflow Activity

March 31, 2009 at 2:29 PMHenrik Nilsson

I’m currently working with ILM2 for a customer and realized there was no way to ensure usernames are unique except by writing a custom workflow activity, my first except for the LDAP search activity that resides in the same library and is used by the unique name activity. It has been a struggle to complete this because of enormous problems with the Workflow Designer in VS2008 so I decided to go ahead write a code only activity. It turns out the problem with an evil MessageBox within the designer that showed up until I killed the VS2008 task was because I had set the DesignerSerializationVisibility attribute to DesignerSerializationVisibility.Content instead of DesignerSerializationVisibility.Visible.

Writing an activity for ILM2 isn’t rocket science, you first decide what information it needs and create Dependency properties and bind these to usual properties, you create a web UI with whatever logic it needs and finally you write the activity that does the work.

This is how it looks…


So what is is good for then…
Looking at the picture you see that it first take an ILM Target attribute, this is for example “AccountName” and this is where the first found unique value will be written.

The Expression Evaluator makes it possible to a number of different values to be evaluated from top to bottom, if the first attribute value shows up to already be existing in the target LDAP catalog the next one is tested for. After a little peeking inside the ILM2 assemblies I managed to find out how to add the lookup button that when pressed shows up this familiar dialog…


The control is named ProcessParameterPicker and could easily be added to your activity UI by calling base.DesignerHostProvider.CreateParameterPickerControl() and then give it a TextBox object to write to.

The Remove Characters checkbox and the Remove Characters Regex Textbox allows you to remove special characters that might sneak into the source values, for example the sAMAccountName attribute doesn’t allow characters like /\@+*? and so on. Just check the checkbox and add a regular expression for finding the invalid characters and they are trimmed away before the evaluation is made.
The sAMAccountName attribute is also a little bit picky about the length that can’t exceed 20 characters but how to sort that out is up to you.

The Normalize Diacritics checkbox is especially useful in countries like Sweden where I live and where non ASCII characters like ÅÄÖ needs to be normalized before used in for example email addresses.

Then there are a bunch of LDAP attributes that are used to make up the search for the attribute value within a catalog…

  • LDAP Search Root – Where in the catalog you wish to begin you search.
  • LDAP Object Class – If you wish to filter your search to a special object type (currently only supports a single object class).
  • LDAP Target Attribute – The attribute you wish to check for uniqueness.
  • LDAP Server – Self explaining.
  • LDAP Server Port – Self explaining, 389 by default and currently there is no support for LDAPS.
  • LDAP User Name – Self explaining.
  • LDAP Password – Self explaining.
  • Last but not least a button that enables you to try LDAP connectivity.

I’ll publish the library with source code as soon as I been able to test it more but if you would like to help me test it out send me a mail from the contact page and I’ll send it to you.

Posted in: Forefront Identity Manager | Identity Management | Workflow

Tags: , , ,

HP and the death of IDM.

March 5, 2008 at 9:27 AMHenrik Nilsson

Hewlett Packard has decided not to continue their IDM product (I didn´t really know they had any) and Jackson Shaw (IDM Guru at Quest, former Microsoft)  have in his last blog post declared Metadirectory dead since it never have and never will been internet ready... 

Already 2006 Jackson Shaw wrote this about Identity Management...
"is only the aspirin to the headache we have engineered for ourselves. What are we (end-users, companies, ISVs and platform vendors) doing to solve the root cause of that headache - interoperable authentication, authorization and identity protocols? Identity management is still meta-directory on steroids except we have built our house of cards even higher now."

Sad but this is a fact and the future will be "Identity 2.0" - Webb Services, OpenID, Identity Cards, CardSpace etc. The questions for the future that believe it or not is already here is how we IDM consultants should handle this, how this fits within "Enterprise Identity" and how the products we know and work with can be used with and coexist with "Identity 2.0"?

Posted in: Identity Management


The first entry

February 23, 2008 at 10:06 PMHenrik Nilsson

So I have started blogging and the reason is because I finally have found a topic to focus on in my career and that is Identity Management using Microsoft products.

So far I have been working with MIIS/ILM for two years but as a general dotnet developer I have had to take almost any assignment from ASP.Net development to architecture to database design and I'm really glad I've had the oppurtunity to gain such wide knowledge during the years I've been working with software development and I'm sure I will have use for most of it in the future even thought Identity Management will be my main concern.

A lot of things seem to happen in the Identity Management area from Redmond, a brand new product is about to be released later this year, the ILM2 and it has a lot more functionality than previous versions and I have been struggling to set up a beta environment but have not finished yet since there has been a lot of problems on the way, for example the dotnet framework beta 2 requirement and I can tell you getting hold of the beta from a released software is not as easy as it sounds.

Identity Management has as I see it mainly been a task for the IT department to simplify thier work but now there is a change where IM is becoming more of a business requirement due to Sarbanes Oxley and other regulatory acts like 21 CFR Part 11, Gramm-Bliley, HIPAA, and HSPD-12.

My goal with this blog is to spread my knowledge how to write code for MIIS/ILM since that is what I know and hopefully that will help some of you out there and for that I would appreciate any feedback!

Posted in: