Procedure to Dispatch Sailpoint Microsoft Forefront Identity Manager Integration

This blog provides a guide to the integration between Microsoft Forefront Identity Manager (FIM) and SailPoint IdentityIQ. This blog is intended for FIM and IdentityIQ System Administrators and assumes a high degree of technical knowledge of these systems.

Requests from IdentityIQ to FIM, and the responses to them, follow the flow shown in the following diagram:

The following table displays a comparison between terminology used in IdentityIQ and similar objects in Microsoft Forefront Identity Manager:

Note: The Microsoft Forefront Identity Manager administrator must configure a Metaverse Extension rule or Synchronization rule to provision data from the Metaverse to the SailPoint-MA connector space. In addition, the administrator must configure the rules required to project SailPoint-MA connector space data to the Metaverse and to the other Management Agent connector spaces. For more information, see “Operation specific configuration on Microsoft Forefront Identity Manager”.

Supported features

The Microsoft Forefront Identity Manager Provisioning Integration Module provides the ability to provision Microsoft Forefront Identity Manager Metaverse users, Target Application accounts, and entitlements from IdentityIQ.

The Microsoft Forefront Identity Manager Provisioning Integration Module supports the following functions:
• User Management
-Create, Update, Delete
-Enable, Disable, Unlock, Reset Password
-Aggregation, Delta Aggregation
• Target Application Accounts Management
-Create, Update, Delete
-Enable, Disable, Unlock, Reset Password
-Aggregation, Delta Aggregation
• Account – Group Management
-Aggregation, Delta Aggregation for Groups
-Aggregation, Delta Aggregation for target application Groups
-Add/Remove Entitlement for Users
-Add/Remove Entitlement for target application Accounts

Supported platforms

SailPoint Microsoft Forefront Identity Manager Provisioning Integration Module supports the following versions of Forefront Identity Manager:

• Microsoft® Forefront® Identity Manager 2010 R2
• Microsoft® Forefront® Identity Manager 2010

Configuring Microsoft Forefront Identity Manager for IdentityIQ Integration

The Microsoft Forefront Identity Manager for IdentityIQ integration has dependencies on the following components:
• IQService
• Microsoft® Forefront® Identity Manager (FIM) 2010 Extensible Connectivity 2.0 Management Agent (ECMA 2.0)

IQService

You must install and register an IQService on a Windows host computer before provisioning to Microsoft® Forefront® Identity Manager. The IQService is a native Windows service that enables IdentityIQ to participate in a Windows environment and to access information from the Microsoft® Forefront® Identity Manager Synchronization Engine.

For more information on installation of IQService, see “Appendix F: IQService” of the SailPoint IdentityIQ Direct Connectors Administration and Configuration Guide.

Note:
– Do not install IQService on the Windows computer where the Microsoft Forefront Synchronization Service is running.
– The IQService ECMA port must be allowed through the firewall on the host where IQService is installed.

To enable provisioning using IQService in Microsoft® Forefront® Identity Manager, perform the following:


Configuring IdentityIQ for Forefront Identity Manager Integration

This section describes the following:
• Create an IdentityIQ application of type Microsoft Forefront Identity Manager
• Run Microsoft Forefront Identity Manager Application Creator Task
• Aggregation from Microsoft Forefront Identity Manager Provisioning Integration Module

Create Forefront Identity Manager application in IdentityIQ
1. Create a new IdentityIQ application of type Microsoft Forefront Identity Manager. Enter the following required attributes of Forefront Identity Manager:

Note: The name of the IdentityIQ application of type Microsoft Forefront Identity Manager must differ from the name of every management agent on the FIM server.

2. Click Test Connection to verify the connection to Microsoft Forefront Identity Manager.

Note: You can use the “FIM Application creator” task to discover all the applications present in the FIM environment. The input for this task is the newly created application of type “Microsoft Forefront Identity Manager”; executing the task creates all of the multiplexed applications.

Run Microsoft Forefront Identity Manager Application Creator Task

This task creates an IdentityIQ application for each target system in Microsoft Forefront Identity Manager.
1. Select the Microsoft Forefront Identity Manager application created in step 1 of the previous section.
2. Specify Native Object Types of Account: the object type that is referred to as an account on the native managed system (for example, Account, Person, User).
3. Specify Native Object Types of Group: the object type that is referred to as a group on the native managed system (for example, groups, Groups).
4. Click Save and Execute.

Operation specific configuration on Microsoft Forefront Identity Manager

To communicate with the Microsoft Forefront Synchronization Service, IQService uses Windows Management Instrumentation (WMI). Ensure that the Windows Firewall on the Microsoft Forefront Identity Manager host allows Windows Management Instrumentation (WMI) traffic.
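The following PowerShell script is an added example, not part of the SailPoint guide or the IQService product, that checks the two host-level prerequisites stated above and in the IQService note: it refuses to proceed on a host that runs the Forefront Synchronization Service, opens the IQService ECMA port on the IQService host, and verifies that WMI on the FIM host is reachable. The FIM service name `FIMSynchronizationService` and the `$FimHost` / `$EcmaPort` parameters are assumptions; take the port from your own IQService configuration.

```powershell
# Added example (not SailPoint's code). Run on the host where IQService is installed.
param(
    [Parameter(Mandatory = $true)][string]$FimHost,   # assumed: name of the FIM Synchronization host
    [Parameter(Mandatory = $true)][int]$EcmaPort      # placeholder: IQService ECMA port from your IQService config
)

# 1. IQService must not share a host with the Forefront Synchronization Service.
#    Service name assumed from FIM 2010 defaults.
$sync = Get-Service -Name 'FIMSynchronizationService' -ErrorAction SilentlyContinue
if ($sync) {
    throw "Forefront Synchronization Service runs on this host; install IQService on a different machine."
}

# 2. Allow inbound traffic to the IQService ECMA port on this (IQService) host.
#    netsh advfirewall is available on Windows Server 2008 R2, the FIM 2010 era platform.
& netsh advfirewall firewall add rule name="IQService ECMA ($EcmaPort)" dir=in action=allow protocol=TCP localport=$EcmaPort | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "Could not add the firewall rule for TCP port $EcmaPort."
}

# 3. IQService talks to the Synchronization Service over WMI: confirm remote WMI is reachable.
try {
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $FimHost -ErrorAction Stop
    Write-Host "WMI reachable on $FimHost ($($os.Caption))."
} catch {
    # The WMI firewall rule group must be enabled on the FIM host itself, not on this host.
    Write-Warning ("WMI is not reachable on {0}. On that host, run:`n" +
        '  netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes') -f $FimHost
}
```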

This section describes the various configurations required for the following operations:
• Aggregation
• Provisioning

Aggregation from Microsoft Forefront Identity Manager Provisioning Integration Module

To aggregate Microsoft Forefront Identity Manager Persons/Groups and target Management Agent accounts/groups, create and execute an IdentityIQ Account Aggregation task for Application of type Microsoft Forefront Identity Manager.

Once aggregation is complete, all Persons/Groups from Microsoft Forefront Identity Manager Metaverse are created as accounts/groups in IdentityIQ and gets associated with IdentityIQ Application of type Microsoft Forefront Identity Manager. Additionally, all of the target Management Agent accounts/groups are aggregated automatically and associated with the respective child applications in IdentityIQ.

To support paging in IdentityIQ Aggregation task, Extensible Connectivity 2.0 Management Agent library supports paging in Export, Full Export run profiles. Maximum batch size supported by Extensible Connectivity 2.0 Management Agent library is 500. The default batch size provided is 100.

Configuration for Aggregation

In Aggregation, SailPoint IdentityIQ does not read users and groups from Microsoft Forefront Identity Manager Metaverse. Instead, it reads users and groups from newly created ECMA 2.0 Management Agent (that is, SailPoint-MA). Before starting aggregation from SailPoint IdentityIQ, provision Microsoft Forefront Identity Manager Metaverse Persons/Groups to newly created ECMA 2.0 Management Agent (that is, SailPoint-MA).

To provision Metaverse Persons/Groups to the newly created SailPoint Management Agent (ECMA 2.0), use Metaverse Rules Extensions or Synchronization Rules.

Provisioning from Microsoft Forefront Identity Manager Provisioning Integration Module

In provisioning, SailPoint IdentityIQ pushes user/group data only to the newly created SailPoint Management Agent (ECMA 2.0) connector space.

Configuration for Provisioning

To project SailPoint Management Agent connector space data changes to the Microsoft Forefront Identity Manager Metaverse, configure the following rules for the newly created SailPoint Management Agent (ECMA 2.0) according to your site's specifications:

• Management Agent Rules Extensions
• Mapping rules (Attribute Flow Rules)
• Join Rules
• Projection Rules
• Deprovisioning Rules

Provisioning examples

This section describes the various examples of provisioning.

• Create Account for Microsoft Forefront Identity Manager target Management Agent Active Directory: This operation includes the following steps:

a. IdentityIQ sends the Create Account request for the FIM Active Directory Management Agent. The request is received by the newly created SailPoint Management Agent (ECMA 2.0) on the FIM side.

b. SailPoint Management Agent (ECMA 2.0) adds a new account in its own connector space.

c. The Microsoft Forefront Identity Manager Synchronization Engine projects these connector space changes to the Metaverse using the configuration rules listed in the “Configuration for Provisioning” section.

In the Metaverse, a new Person is created and a link between the Metaverse Person and the SailPoint Management Agent (ECMA 2.0) account is created.

d. To provision the new Metaverse Person to the Active Directory Management Agent connector space, the Synchronization Engine uses the Metaverse Rules Extension or Synchronization rule. If the rule condition is satisfied, the Synchronization Engine provisions the Metaverse Person to the Active Directory Management Agent connector space.

Note: Depending on the Metaverse Rules Extension or Synchronization rule configured in the Synchronization Engine, an account on another Management Agent (native system) will be created.

e. The Synchronization Engine creates a link between the Metaverse Person and the Active Directory Management Agent connector space account.

f. After an Export run profile is run on the FIM Active Directory Management Agent, the account in the Active Directory Management Agent connector space is created on the native system.

Enable Account for Microsoft Forefront Identity Manager target Management Agent Active Directory: The Enable Account operation from IdentityIQ sets the SailPoint Management Agent's enableStatus attribute to True. The enableStatus attribute can be mapped to a user-defined Metaverse attribute to propagate the change to the connector space attributes of the other interested Management Agents. After an Export run profile is run on the interested Management Agents, the accounts are enabled.

Disable Account for Microsoft Forefront Identity Manager target Management Agent Active Directory: The Disable Account operation from IdentityIQ sets the SailPoint Management Agent's enableStatus attribute to False. The enableStatus attribute can be mapped to a user-defined Metaverse attribute to propagate the change to the connector space attributes of the other interested Management Agents. After an Export run profile is run on the interested Management Agents, the accounts are disabled.

Unlock Account for Microsoft Forefront Identity Manager target Management Agent Active Directory: The Unlock Account operation from IdentityIQ sets the SailPoint Management Agent's lockStatus attribute to False. The lockStatus attribute can be mapped to a user-defined Metaverse attribute to propagate the change to the connector space attributes of the other interested Management Agents. After an Export run profile is run on the interested Management Agents, the accounts are unlocked.

Change/Reset Account password for Microsoft Forefront Identity Manager target Management Agents: The Change Account password operation from IdentityIQ sets the SailPoint Management Agent's password attribute. The password attribute can be mapped to a user-defined Metaverse password attribute. That Metaverse password attribute should in turn be mapped, in the Metaverse outbound mappings, to the export_password attribute of the target Management Agents. After an Export run profile is run on the interested Management Agents, the password is changed on the native system's accounts.

Troubleshooting

This section provides the resolutions for the following errors that may be encountered while setting up and configuring Microsoft Forefront Identity Manager.

1 – An unexpected error occurred: sailpoint.connector.ConnectorException: Errors returned from IQService. The maximum message size quota for incoming messages (3310720) has been exceeded. To increase the quota, use the MaxReceivedMessageSize property on the appropriate binding element.

2 – An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail. An error occurred when verifying security for the message.

3 – While creating Extensible Connectivity 2.0 Management Agent (SailPoint-MA), the following error may be observed in ECMA log file:

Known/Open issue

Following are the known/open issues of Microsoft Forefront Identity Manager:

• User updates to attributes that affect target system accounts require a synchronization rule to be setup and run on the FIM server for the change to propagate.

• Due to the behavior of the Microsoft Forefront Identity Manager Synchronization Engine, the Provisioning Integration Module processes all requests sequentially.

• Refresh schema action on SailPoint provided Extensible Connectivity 2.0 Management Agent (ECMA2.0) library is not supported.

• Delta Aggregation limitations

-If new delta data is available in the SailPoint Management Agent (SailPoint-MA) connector space and the user is unaware of it, the user might run a provisioning operation on the new delta data before running delta aggregation. If the new delta data is provisioned before delta aggregation, the status of all the new delta data changes to Awaiting Export. In this scenario, delta aggregation will not pick up that data, because its status is no longer Pending Export.

-At a given time, either account aggregation or group aggregation is supported, and they must run in sequence with account aggregation first.

Assisted Deployment Integration Modules:

Service Management Integration Modules

IdentityIQ supports Service Management Systems for Service Desk Integration and Service Catalog Integration.

Service Desk Integration

Creates tickets in Helpdesk systems based on compliance and provisioning actions taken in IdentityIQ (For example, new account request).

• “SailPoint HP Service Manager Service Integration Module”

Service Catalog Integration

Enables enterprises to include LCM requests (for example, access request, password change) in the service catalog of the Service Request Management system.

• “SailPoint ServiceNow Service Catalog Integration”

Note: A minority of SailPoint customers have deployed the Integration Modules in this section. SailPoint will provide assistance during the deployment of these integrations. Additional troubleshooting, diagnostic, and best practice information beyond what is contained in this document will be provided on Compass, SailPoint’s Online customer portal. In some instances, SailPoint will guide the deployment team and actively participate in the design, configuration, and testing of the integration to the managed system.
For more specific information, refer to the Connector and Integration Deployment Center on Compass.

About the author: Devender

Devender is an enthusiastic independent blogger, consultant and freelance trainer whose main area of interests are identity and access management related technologies. His areas of interest are OIM, SailPoint IdentityIQ and much more.
