Tuesday, June 21, 2016

Manually adding admins to the FIM/MIM Service

One of the first things I do when building a new FIM service instance is to create an admin account for myself, so I can use PowerShell tools, log into the portal etc. without having to use things like runas to log in as the built-in admin account.

While you can create a resource manually in the portal, you can't easily set the binary ObjectSID value on the resource, and without that, you can't log in. Manipulating binary attributes is quite tricky to do with the out-of-box tools. To set the users up properly, you usually have to flow them in from the AD MA with the ObjectSID present, which can take quite a bit of effort.

I prefer to cheat, and get my own account into the portal via script. The Lithnet FIM/MIM Service PowerShell Module has first-class support for binary attributes, so using this to add the ObjectSID is just as easy as it is to set a string value.

This script will add the specified AD user to the FIM/MIM service and add them to the administrators set. They can then log in using their own credentials.
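The following is an added example of how such a script can be put together with LithnetRMA; it is not the post's original script. The service address, NetBIOS domain name and sAMAccountName are placeholders, and the set-membership step assumes the Administrators set's ExplicitMember attribute is exposed as an editable collection on the returned resource.

```powershell
# Added example (not the post's original script): create a Person in the FIM/MIM
# Service for an existing AD user, including its binary ObjectSID, then add that
# Person to the built-in Administrators set. Assumes the LithnetRMA and
# ActiveDirectory modules are installed; addresses and names are placeholders.
Import-Module ActiveDirectory
Import-Module LithnetRMA

$serviceAddress = "http://fim-service.example.com:5725"   # placeholder FIM/MIM Service URL
$domain         = "CONTOSO"                                # placeholder NetBIOS domain name
$accountName    = "jsmith"                                 # placeholder sAMAccountName

Set-ResourceManagementClient -BaseAddress $serviceAddress

# Read the AD account. ObjectSID comes back as a SecurityIdentifier, not raw bytes.
$adUser = Get-ADUser -Identity $accountName -Properties ObjectSID, DisplayName

# Convert the SID to its binary form: this is the value the portal cannot set by hand.
$sidBytes = New-Object byte[] $adUser.ObjectSID.BinaryLength
$adUser.ObjectSID.GetBinaryForm($sidBytes, 0)

# Do not create a duplicate if a Person with this AccountName already exists.
$existing = Get-Resource -ObjectType Person -AttributeName AccountName -AttributeValue $adUser.SamAccountName
if ($existing) {
    throw "A Person with AccountName '$($adUser.SamAccountName)' already exists"
}

# Build the Person resource. The binary ObjectSID is assigned like any string value.
$person = New-Resource -ObjectType Person
$person.AccountName = $adUser.SamAccountName
$person.DisplayName = if ($adUser.DisplayName) { $adUser.DisplayName } else { $adUser.Name }
$person.Domain      = $domain
$person.ObjectSID   = $sidBytes
Save-Resource $person

# Add the new Person to the Administrators set through its explicit membership.
$adminSet = Get-Resource -ObjectType Set -AttributeName DisplayName -AttributeValue "Administrators"
$adminSet.ExplicitMember.Add($person.ObjectID)
Save-Resource $adminSet

Write-Host "Created $($person.AccountName) ($($person.ObjectID)) and added it to Administrators"
```

Run it from a session that already holds FIM/MIM administrator rights (for example the built-in admin account the post mentions), since creating Persons and editing the Administrators set requires them.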

Saturday, February 20, 2016

Powering through bulk object updates with Lithnet FIM/MIM Service PowerShell Module

The Lithnet FIM/MIM Service PowerShell module (LithnetRMA) allows you to not only drastically reduce the code you have to write to perform basic create, update and delete operations, but it’s significantly faster than the out-of-box FimAutomation module too. I love hearing reports from people about how they were able to cut hours off the execution time of their existing scripts by converting them to use LithnetRMA!

One of the biggest speed advantages that LithnetRMA has over the out-of-box FIMAutomation module is that it supports composite updates. Composite updates combine multiple updates for different objects into a single message that is sent to the server, which is far more efficient than sending one message per object. Combining composite updates with the ability to request only the attributes you need to work with reduces the processing effort and the amount of data transferred to a bare minimum. Let’s have a look at a real world scenario.
Recently, I needed to delete a custom attribute from the schema. As luck would have it, this attribute had a value present on about 120,000 user objects, so all those values had to be cleared before I could remove the attribute from the schema. I could have been waiting for hours, if not days, had I used the FIMAutomation module. Instead, I wrote a quick script to do the job using LithnetRMA. It managed to do the job in a little under 20 minutes.
This script will get all the objects with a value present for myAttribute, in batches of 500, save them to the server, and repeat the process until there are no objects left. Note the use of the AttributesToGet parameter. We are only interested in the myAttribute value – so we can tell the server to only send us that attribute.
The MaxResults and PageSize parameters can be tuned to suit the operation you need to perform. In general, the larger these values, the faster the operation will be – but make them too large, and you risk timeout errors if the operation takes too long. You will need to tune these values to get the right balance between performance and reliability. There are no recommended values for these parameters as it varies based on many factors, including:
  • How many attributes are being requested
  • How many updates are being made
  • The hardware specifications of the FIM service server and database
A good starting point is probably to set the parameters at 200, and work your way up from there.
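The batched clear-and-save loop described above, written out as an added example (not the post's original script). The attribute name myAttribute and the batch size of 500 come from the post; the service address is a placeholder, and the batch is handed to Save-Resource in one call so the module can send it as a single composite update.

```powershell
# Added example (not the post's original script): clear myAttribute on every
# Person that has a value, in batches, requesting only that attribute and saving
# each batch as one composite update. Service address is a placeholder.
Import-Module LithnetRMA

$serviceAddress = "http://fim-service.example.com:5725"   # placeholder FIM/MIM Service URL
$attributeName  = "myAttribute"                            # attribute being removed from the schema
$batchSize      = 500                                      # used for both MaxResults and PageSize

Set-ResourceManagementClient -BaseAddress $serviceAddress

# FIM XPath has no explicit "is present" test for strings; starts-with '%' matches any value.
$query = "/Person[starts-with($attributeName, '%')]"

$totalCleared = 0
do {
    # Ask the server for only the attribute we intend to change, one batch at a time.
    $batch = @(Search-Resources -XPath $query -AttributesToGet @($attributeName) `
                                -MaxResults $batchSize -PageSize $batchSize)

    if ($batch.Count -gt 0) {
        foreach ($resource in $batch) {
            # Assigning $null deletes the attribute value on save.
            $resource.$attributeName = $null
        }

        # Passing the whole batch in one call lets the module issue a single composite update.
        Save-Resource $batch

        $totalCleared += $batch.Count
        Write-Host "Cleared $attributeName on $totalCleared objects so far"
    }
} while ($batch.Count -gt 0)   # stop when the query returns nothing left to clear

Write-Host "Done. $attributeName cleared on $totalCleared objects."
```

If a batch fails with a timeout, lower $batchSize and rerun; the query only returns objects that still hold a value, so the loop resumes where it stopped without re-saving objects already cleared.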
Get LithnetRMA today and start saving time with your bulk updates!

Saturday, November 14, 2015

Resources from WIN332 Microsoft Ignite Session

Thanks to all who came along to my session at Microsoft Ignite today. Here are the resources I presented at today’s session WIN332 – From Fortran to FIM: Dragging your identity management system out of the dark ages.

Resources for Engineers and Admins

Lithnet ACMA Codeless business rules engine

ACMA is a fast, efficient, codeless way of implementing business rules that can create and transform information within your FIM/MIM implementation. ACMA comes with a UI editor for your rules file, a PowerShell module for modifying ACMA objects directly, and a unit testing engine that allows you to test all the rules you have created. Check out the video link below for a more detailed demonstration of the capabilities of ACMA.

Lithnet Universal MA Rules Extension (UMARE)

UMARE is a codeless rules extension for FIM/MIM. It can be used on any MA to perform transform operations on incoming and outgoing identity data. It ships with over 40 transforms out of the box, including very common scenarios we all need to support, like converting an ‘accountDisabled’ attribute to a bitmask on the AD userAccountControl attribute, and converting the FIM Service group type strings into the right groupType value in AD. If there is a transform that’s missing, let me know and I can add it in.

Granfeldt FIM Metaverse Rules Extension

Forget DREs, EREs and sync rules. Get a hold of Soren’s Metaverse Rules Extension. It’s a very powerful and flexible component that can reduce the complexity of your provisioning. Create a provisionToAD attribute in ACMA, flow it out to the metaverse, and add a provisioning rule to the MRE to provision when that flag is true. Keep the complexity in ACMA, and let MRE handle the ‘acting’.

Visual Studio Online

If you don’t have Git or TFS in your organization, you can get a Visual Studio Online account from Microsoft that is free for up to 5 users. A version control system is a must-have for tracking your documents, scripts and code versions for your various components.

Lithnet FIM Service PowerShell Module (LithnetRMA)

The FIMAutomation module can do a lot, but I find it is just overly complicated when we want to simply add, update, create and delete objects in the FIM service. It’s also very, very slow. The Lithnet PowerShell module abstracts the complexity of the FIM service, and exposes a more natural and much faster set of cmdlets for working with the FIM service. It also comes with cmdlets to help you build XPath queries correctly, as well as the Import-RMConfig cmdlet for importing your configuration from files, as demonstrated in today’s session. People using this module have reported their scripts improving from hours to minutes. It also takes many orders of magnitude less PowerShell code to write and maintain.

Resources for Developers

Lithnet FIM Service Client (LithnetRMC)

If you have had to write .NET code to talk to the FIM service endpoints, you know how daunting this can be. The fim2010client on CodePlex took us partially there by setting up the scaffolding for us, but still left us having to deal with the internals of the FIM service. The Lithnet FIM Service client is a NuGet package you can install in your project, and start using simple get, update and save operations. It’s fast, supports multi-threading out of the box, and has complete MSDN-style documentation with examples on how to use it. The LithnetRMA PowerShell module and the REST API are both lightweight wrappers around the functionality contained in this library.

Lithnet FIM Service REST API (LithnetRMWS)

Ever tried talking to the FIM service endpoints from a non-Windows device such as Linux? I don't recommend trying. The Lithnet FIM Service REST API exposes the FIM service using very simple JSON and standard REST API calls.

Further learning

FIM User group presentation on ACMA

Want to see ACMA in action? Check out my presentation to the FIM team user group. You’ll get to see how you can easily create business rules, unit tests, and see some more advanced topics like creating admin accounts with the shadow object feature, and inheritance of values between referenced objects.

FIM User group presentation on the Lithnet FIM Service Toolkit

The Lithnet FIM Service toolkit contains the .NET client, PowerShell module, and REST API. You can see how these all work in this presentation to the FIM team user group.

FIM Team User Group

I highly recommend that you join the FIM Team User Group. The group meets monthly, and experts from around the world present on various topics relating to FIM/MIM. It’s a great way to make connections and learn how other people are solving challenges in the identity management space.