Microsoft Identity Integration Server 2003

Microsoft Virtual Labs ®

Microsoft Identity Integration Server 2003


Table of Contents

• Microsoft Identity Integration Server 2003
• Exercise 1: Create a new employee via a .Net Web-Application
• Exercise 2: Create a new identity person object in MIIS and set its attributes
• Exercise 3: MIIS creates new user accounts in the connected directories

Objectives

Estimated time to complete this lab: 55 minutes

The goal of this lab is to:
• Provide a hands-on experience with Microsoft Identity Integration Server 2003.
• Demonstrate the potential usage scenarios of the product.
• Show how easy it is to set up MIIS to synchronize different directories and data sources.
• Learn how to automate identity management tasks.
• Use MIIS to maintain a consistent state of the directories over the lifetime of accounts.


Exercise 1: Create a new employee via a .Net Web-Application

Scenario

Create and approve user accounts for a new employee in Active Directory and iPlanet Directory Server 5.1. The Malelane Corporation has a web application that they use to add new employees and create accounts for them in Active Directory and iPlanet. You are a recruiter who works in the Human Resources (HR) department. The CEO, Super Boss, just hired Jane Smith for the Marketing team and Peter Pan for the Sales team.

What will we cover?

This workshop will demonstrate how MIIS enables the creation and flow of user identity data across directories. During this exercise you will:
• Create a new employee in a simulated HR application.
• See how MIIS is configured to flow objects and attributes from source to target data sources/directories.
• Run a Management Agent (MA) to interactively trigger rules in MIIS.
• Connect to iPlanet and Active Directory to view the newly created users.

The basic process flow is outlined in the illustration below:
• Create a new employee via a .Net Web-Application.
• A new identity person object is created in MIIS and its attributes are set.
• MIIS creates new user accounts in the connected directories.

[Illustration: (1) Create New User flows into MIIS 2003; (2) Approval; (3) accounts are created in Active Directory and in the iPlanet Directory Data.]


Tasks and detailed steps

1. Launch the Internet Explorer.
   a. In the Quick Launch menu click the Internet Explorer icon.
   b. Browse to http://miishol/miisapproval/employee.aspx to launch the Microsoft Identity Integration Server 2003 Employee Account Provisioning with one-step workflow demo home page.

2. Recall that you are a recruiter who works in the HR department. You are now ready to add the 2 new employees into the system via this web page.

   a. Enter the following information next to the related fields:
      • Firstname: Jane
      • Lastname: Smith
      • Department: Marketing
      • Manager: Super Boss (1000)
   b. Click the Save Account for new hire button to continue.
   c. Repeat the steps above to create another employee:
      • Firstname: Peter
      • Lastname: Pan
      • Department: Sales
      • Manager: Super Boss (1000)
   d. Click the Save Account for new hire button to continue.

   We have now added the employee information for Jane and Peter, who are in different departments but report to the same manager.

3. Submit the new accounts to MIIS 2003.
   a. Click the Submit new accounts to MIIS button.
      This will submit the new accounts to MIIS 2003 and prepare them for the "approval" phase (which will be explained later).
   b. Close the Internet Explorer window.

4. Investigate the import using MIIS.
   a. Double click the Identity Manager icon on your desktop.
      This launches the MIIS Identity Manager console. From there, you can configure and manage the MIIS 2003 components.
   b. Click the Operations view.
      You should see two entries at the top of the operations list: WorkflowSTX and ERP. These are the two Management Agents that were executed when we created the two new employee accounts and submitted them to MIIS.
   c. Click the ERP entry.
      On the bottom portion of the screen (as indicated in the illustration below), you'll see the synchronization statistics: Staging, Inbound Synchronization and Outbound Synchronization. Note that 2 adds and 2 projections were reported. This indicates that the two employee accounts were successfully imported through the ERP management agent and created in the MIIS Metaverse, which is the central identity store. Note also that 2 provisioning adds happened to the WorkflowSTX Management Agent during outbound synchronization. This indicates that, based on the two additions to the MIIS Metaverse, two new entries were created in the WorkflowSTX system. MIIS keeps track of all operations, inbound and outbound, in its SQL Server 2000 database.

   d. Click WorkflowSTX in the Operations view.
      On the left-hand side you'll see 2 run steps: Step 1 and Step 2. That means that when the WorkflowSTX management agent was executed, it completed its execution in 2 different run steps.
   e. Click Step 1.
      See that Step Type is Export. Note that during the import run of the ERP management agent 2 objects were created in the WorkflowSTX system. Now those objects are pushed out to the actual WorkflowSTX directory, hence you see 2 adds in the export statistics.
   f. Click Step 2.
      See that the 2 objects exported in the first step are successfully confirmed with an import run.

   g. Minimize the MIIS Identity Manager console.

5. Check Active Directory Users and Computers for the new users.
   a. Double click the Active Directory Users and Computers management console on your desktop.
   b. Navigate to the MIIS2003HOL container.
   c. Open the Managers container.
      You'll see the user account for the CIO, Boss, Super. If you select the People container, you'll find no entries. This shows that our 2 new employees, created and submitted to MIIS 2003 in Task 4, still haven't been provisioned to the Active Directory store. They are waiting to be approved.

6. Approve the accounts for the new employees.

   a. In the Quick Launch menu click the Internet Explorer icon.
   b. Browse to http://miishol/miisapproval or select the MIIS 2003 – New Employee Approval item from the Favorites menu. See that the 2 new employee accounts we submitted to MIIS 2003 have the status waiting.
   c. Select the Edit icon on Peter Pan.
   d. Select approved from the combo box and enter the new alias PeterP for the new employee.
   e. Type peterp for Email alias:.
   f. Click on the ; for approval.
   g. Select the Edit icon on Jane Smith.
   h. Select approved from the combo box and enter the new alias JaneS for the new employee.
   i. Type janes for Email alias:.
   j. Click on the ; for approval.
   k. Click the Submit changes to MIIS button.

7. Add new agent to iPlanet.

   l. Close the Internet Explorer.
   a. Switch to the Identity Manager console and click Management Agents.
      In this view all Management Agents used in the scenario are listed. Management Agents in MIIS maintain the connectivity to other data sources. Submitting approvals to MIIS in Step 7 triggered the execution of a number of management agents in MIIS 2003. The Netscape management agent was one of them.
   b. Click Netscape.
      On the bottom of the screen you will see the statistics of the last Management Agent run.
   c. Click Step1.
      Under Export statistics you'll see that one new account was added to the iPlanet system.
   d. Minimize all windows.

8. Verify that the corresponding user accounts have been created in iPlanet.

   a. Double click the iPlanet console icon on your desktop.
   b. Enter the following credentials in the login dialog:
      • User ID: cn=Directory Manager
      • Password: password
   c. Click OK.
   d. Navigate down the tree view to "Directory Server" (iPlanerHOL).
   e. Click Open.
   f. Click the Directory tab.
   g. Open miishol and click People.
   h. The People OU will have the following users:
      • Superboss
      • PeterP
      • JaneS
      Note that 2 new user accounts, PeterP and JaneS, were successfully created in the iPlanet server.

9. Verify successful Active Directory account creation.

   i. Close the iPlanet console.
   a. Switch to the Active Directory Users and Computers management console.
   b. Click the People container and click Refresh.
      We see that Jane and Peter's Active Directory accounts were successfully created.

10. Take a closer look into MIIS to see how some of the rules were configured to flow information between the directories. You will see how easy it is to define the synchronization of identity information within MIIS.

   a. Switch to the MIIS Identity Manager console and click Management Agents.
   b. Click the ERP management agent.
   c. Click Actions | Properties.
      The Properties dialog will appear.
   d. Click the Configure Attribute Flow tab.
      We see that a flow rule is defined between the employee object type in the ERP data source and the person object in the metaverse.
   e. In the details pane click the + sign to expand the flow rule.
      This view shows in detail which attributes of the data source object are flowed to which attributes of the metaverse object. Notice that all the flows are defined as import flows; this means data will flow only into MIIS.
   f. Click Cancel to close the Properties dialog.
   g. In MIIS Identity Manager click the Active Directory management agent.
   h. Click Action | Properties.
   i. Select the Configure Attribute Flow tab.
      We see that a flow rule is defined between the user object type in Active Directory and the person object in the metaverse.
   j. In the details pane click the + sign to expand the flow rule.
      Notice that this time some attribute flows are defined inbound and others outbound. This means we can both import attributes for an object from Active Directory and export attributes to it.
   k. Click Cancel to close the Properties dialog.
   l. In MIIS Identity Manager select the Netscape management agent.
   m. Click Action | Properties.
   n. Select the Configure Attribute Flow tab.
      We see that a flow rule is defined between the inetOrgPerson object type in iPlanet and the person object in the metaverse.
   o. In the details pane click the + sign to expand the flow rule.
      We see that all the attribute flows in the Netscape management agent are export only. This means no objects contribute any attributes to the metaverse from the iPlanet directory.
   p. Click Cancel to close the Properties dialog.

Summary

We have examined the synchronization of identity information between different data sources based on an HR-driven account provisioning scenario. You've seen how MIIS keeps track of the operations performed in different identity systems. You've also seen how to perform a simple one-step workflow. Finally, you've seen how MIIS Identity Manager lets you easily define attribute flow between the connected systems. Note that this is only one scenario that showcases some of the basic functionality of MIIS. Of course, more sophisticated identity integration and management applications can be built with MIIS 2003. To learn more about how to configure MIIS, continue with Exercise 2.

Exercise 2: Create a new identity person object in MIIS and set its attributes

Scenario

In this exercise, you will learn how to add additional information into the identity integration process, change identity data flow rules in the MIIS system and add a new directory to the scenario.

Continuing from where we left off in Exercise 1, the Melane Corporation needs to keep employees' phone numbers and address information in sync between the various systems. They want the information they have in the HR system to be used throughout.

What will we cover?

This workshop will demonstrate how MIIS helps you control your environment from a central location. During this lab you will:
• Select additional information for usage in MIIS.
• Change the MA to flow the new information between the connected systems.
• Run MIIS Management Agents and validate that the changes are reflected in all the directories.
• Use Visual Studio.Net to set up more advanced rules in MIIS.

[Illustration: (1) Make a change to the user object in Active Directory; (2) Make a change to MVExtension in Visual Studio.Net; (3) Change the MA; (4) Run the MA to sync the MV and iPlanet; (5) the change reaches the iPlanet Directory Data, with MIIS 2003 in the centre.]

Tasks and detailed steps

1. Open the Visual Studio.NET project.
   a. Click Start | All Programs | Microsoft Visual Studio .NET 2003 | Microsoft Visual Studio.NET 2003.
   b. Open the project MVExtension by clicking on it in the projects list.
      This is the actual provisioning script used in the scenario.

2. Modify the provisioning script.
   a. To enable provisioning to AD/AM, remove the comment from the statement, i.e. replace
      '*** ProvisionAccountToAdam (mventry)
      with:
      ProvisionAccountToAdam (mventry)

3. Rebuild the project.
   a. Click Build | Rebuild MVExtension.
   b. Close Visual Studio.NET.

4. Add new attributes to an employee object in Active Directory.
   a. Switch to Active Directory Users and Computers.
   b. Open the People container under hol.com | MIIS2003HOL.
   c. Double click Peter Pan to bring up the Properties dialog.
   d. Click the Address tab.
   e. Add new Street address, City, Zip and Country information in the appropriate fields.
   f. Click OK.

5. Define flow rules.

   a. Switch to the Identity Manager.
   b. Click the Management Agents tab.
   c. Click ActiveDirectory.
   d. Click Action | Properties.
   e. Click Select Attributes.
   f. Click to select co, postalCode and streetAddress.
   g. Click OK.
   h. Click ActiveDirectory.
   i. Click Action | Properties.
   j. Click Configure Attribute Flow.
   k. In the details pane click the + sign to expand the flow rule.
      Now we'll define flow rules for the attributes we just added in the previous task.
   l. Click to select the co attribute under the Data source attribute section.
   m. Click to select the co attribute under the Metaverse attribute section.
   n. Make sure Flow direction is defined as Import.
   o. Click New.
      We just defined an import flow rule from the co attribute in the data source to the co attribute in the metaverse.
   p. Create import flow rules for the following attributes as well:
      • From postalCode in data source to postalCode in metaverse.
      • From streetAddress in data source to postalAddress in metaverse.
   q. Close the Properties dialog and define the flow rules for the following MAs:
      • For Netscape MA:
        • From postalCode in data source to postalCode in metaverse. But this time the flow direction should be Export.
      • For ADAM MA:
        • From co in data source to co in metaverse. The flow direction should be Export.
        • From postalCode in data source to postalCode in metaverse. The flow direction should be Export.
        • From postalAddress in data source to street in metaverse. The flow direction should be Export.
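As an added illustration of the flow directions just configured (and of the observation in Exercise 1, task 10, that the Netscape MA's export-only flows contribute nothing to the metaverse), the following Python model of connector spaces, a metaverse and directional flow rules is not MIIS code and not part of the lab. The object key and address values are constructed, and the ADAM street rule is modelled with postalAddress on the metaverse side (an assumption).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRule:
    ma: str         # management agent name as shown in Identity Manager
    cs_attr: str    # data source (connector space) attribute
    mv_attr: str    # metaverse attribute
    direction: str  # "Import": data source -> metaverse; "Export": the reverse


# Rules defined in Exercise 2, task 5. The ADAM street rule is modelled with
# postalAddress on the metaverse side, the attribute the AD import rule
# populates (assumption; the lab text lists the pair the other way round).
LAB_RULES = [
    FlowRule("ActiveDirectory", "co", "co", "Import"),
    FlowRule("ActiveDirectory", "postalCode", "postalCode", "Import"),
    FlowRule("ActiveDirectory", "streetAddress", "postalAddress", "Import"),
    FlowRule("Netscape", "postalCode", "postalCode", "Export"),
    FlowRule("ADAM", "co", "co", "Export"),
    FlowRule("ADAM", "postalCode", "postalCode", "Export"),
    FlowRule("ADAM", "street", "postalAddress", "Export"),
]


def run_ma(ma, connector_spaces, metaverse, rules, profile):
    """Apply one MA's rules for one run profile ("Import" or "Export").

    Connector space objects are assumed already joined to the metaverse
    object with the same key. Only rules whose direction matches the profile
    fire: an MA with no Import rules (Netscape) contributes nothing to the
    metaverse, and one with no Export rules (ERP in Exercise 1) never
    receives data. Returns the number of attribute values flowed.
    """
    flowed = 0
    for rule in rules:
        if rule.ma != ma or rule.direction != profile:
            continue
        for key, cs_obj in connector_spaces[ma].items():
            mv_obj = metaverse[key]
            if profile == "Import" and rule.cs_attr in cs_obj:
                mv_obj[rule.mv_attr] = cs_obj[rule.cs_attr]
                flowed += 1
            elif profile == "Export" and rule.mv_attr in mv_obj:
                cs_obj[rule.cs_attr] = mv_obj[rule.mv_attr]
                flowed += 1
    return flowed


def sync_lab(address):
    """Run the lab's sequence (AD FullImport, then ADAM and Netscape Export)
    for Peter Pan; `address` is what was typed on his AD Address tab.
    Returns (metaverse, connector_spaces) after the three runs."""
    metaverse = {"Pan, Peter": {"displayName": "Pan, Peter"}}
    connector_spaces = {
        "ActiveDirectory": {"Pan, Peter": dict(address)},  # constructed
        "ADAM": {"Pan, Peter": {}},
        "Netscape": {"Pan, Peter": {}},
    }
    for ma, profile in (("ActiveDirectory", "Import"),
                        ("ADAM", "Export"), ("Netscape", "Export")):
        run_ma(ma, connector_spaces, metaverse, LAB_RULES, profile)
    return metaverse, connector_spaces
```

City ("l") is deliberately absent from every rule, mirroring task 5 step f where only co, postalCode and streetAddress were selected, so it never leaves Active Directory.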

6. Run the Management Agent.
   a. Click the Management Agents tab in Identity Manager.
   b. Click ActiveDirectory.
   c. Click Actions | Run.
   d. Click the FullImport run profile and click OK.
      The management agent will start running. Once the MA run is complete, the run result is displayed on the bottom portion of the screen.

7. Confirm that attributes have been updated in the metaverse.

   a. Click the Metaverse Search tab.
   b. Click Search.
      This will bring up all the objects in the metaverse.
   c. Double-click Pan, Peter.
      You will notice that the additional attributes with the fields we updated in Active Directory are now in the metaverse.
   d. Click Close.

8. Run the Management Agents.

   a. Click the Management Agents tab.
   b. Click ADAM.
   c. Click Actions | Run.
   d. Click the Export run profile and click OK.
   e. Click Netscape.
   f. Click Actions | Run.
   g. Click the Export run profile and click OK.
      Note: If a warning dialogue appears, click No to continue with the Export run profile.
   h. Minimize all windows.

9. Bind LDP to the Domain.

   a. Double click the LDP icon on your desktop.
   b. Click Connection | Connect.
   c. Enter the following connection information:
      • Server: miishol
      • Port: 50002
   d. Click OK.
   e. Select Connection | Bind.
   f. Click OK to bind to the Domain.
   g. Select View | Tree.
   h. Use BaseDN DC=MIIS2003HOL,DC=COM.
   i. Expand the tree and double click OU=People.
      You'll see 3 users successfully created in the AD/AM directory. These users were created after we modified the provisioning script and ran the MAs.

Exercise 3: MIIS creates new user accounts in the connected directories

Scenario

In this exercise, you will configure and use the MIIS Password Management functionality. Password Management is a feature of MIIS 2003. This demo also ships with the product and can be found under Password Management. This application allows Help Desk personnel to change a user's password via a web page. In this example, the password is set in the MyMIIS Active Directory and the ADAM Extranet.

What will we cover?

This workshop will demonstrate how MIIS helps you control your directory environment from a central location. During this lab you will change a user's password from a web page and flow the new password to different directories through MIIS.

Tasks and detailed steps

1. Employ Password Management.
   a. In the Quick Launch menu click the Internet Explorer icon.
   b. Click Favorites and select Microsoft Identity Integration Server 2003 - Password Management.
      Using the Web application, the help desk operator uses the user and domain name of a caller to search and retrieve a list of connector space objects that are joined to the user's metaverse object.
   c. Enter the following user:
      • User Name: JaneS
      • Domain: HOL
   d. Click Search.
      The account information for Jane will be displayed.
   e. Enter a password of SeeMonkey1 and confirm the change by hitting Submit.
   f. Click the History link on Mymiis Active Directory Domain.
      You'll see when the last changes occurred on this user object.
