Embed Size (px)
Citation preview
Identity Management:
The Legacy and
Real Solutions
MIIS
Implementation
Copyright @ 2007Washington State UniversityThis work is the intellectual propertyOf WSU. Permission is grantedfor this material to be shared fornon-commercial, educationalpurposes, provided that this copyright statement appears on the reproduced materials andnotice is given that the copyingis by permission of the copyrightowner. To disseminate otherwise or to republish requires writtenpermission.
Implementation Approach
• Define the project
Implementation Approach
• Define the project
• Build the team
Implementation Approach
• Define the project
• Build the team
• Training
Implementation Approach
• Define the project
• Build the team
• Training
• Determine extent of the project
Implementation Approach
• Define the project
• Build the team
• Training
• Determine extent of the project
• Plan the design
Implementation Approach
• Define the project
• Build the team
• Training
• Determine extent of the project
• Plan the design
• Coding
Implementation Approach
• Define the project
• Build the team
• Training
• Determine extent of the project
• Plan the design
• Coding
• Getting help
Define the project
• Why are we doing this
Define the project
• Why are we doing this
• What directories are involved
Define the project
• Why are we doing this
• What directories are involved
• Who is the custodian of the data
Define the project
• Why are we doing this
• What directories are involved
• Who is the custodian of the data
• Which product to use
Training
• MIIS training: Oxford Computer Group viaSQLSoft+
Training
• MIIS training: Oxford Computer Group viaSQLSoft+
• Beginning and Advanced classes
Determine extent of the project
• Break the project into manageable pieces
Determine extent of the project
• Break the project into manageable pieces
• Start with a simple beginning
Determine extent of the project
• Break the project into manageable pieces
• Start with a simple beginning
• Revise the plan after the first phase
Planning
• One authority: the Metaverse
Planning
• One authority: the Metaverse
• Need unique ID
Planning
• One authority: the Metaverse
• Need unique ID
• Which directories contribute to the MV
Planning
• One authority: the Metaverse
• Need unique ID
• Which directories contribute to the MV
• Which directories draw from the MV
Design and Planning Worksheets
• Utilize the MIIS 2003 Sample Worksheetshttp://download.microsoft.com/download/9/e/0/9e0c929d-10dc-42cb-aaa6-bb501a92ea20/MIIS_Worksheets.doc
Connected Data Sources
Prepared By Date
Management Agent Type
Connected Data Source
Owner
Contact (who can change)
Backup and restore policy
Security Issues
All connection and container details appropriate for this MA type
INSTRUCTIONS: Complete one data sheet for each connected data source in the solution. Include a row for each object. Do not include objects that are not part of your solution. List all objects in the specified connected data source that represent any real-world objects.
Name Unique ID Notes and Other Policies
Included Attributes
Prepared ByDate
Management Agent
Connected Data Source Object
INSTRUCTIONS: Complete one data sheet for each object in the connected data source directory. List all appropriate attributes. Include a row for each attribute, and leave out those attributes that are not appropriate. For those attributes that are required to follow from the metadirectory to the connected data source, complete the Outbound Attribute section of the table.
Inbound Attribute Outbound Attribute
Name Data Type
Multi-
Values
Y/NContent
Structure Outbound Y/NRequires
Validation Y/N
May be Overwritten
with Null Y/NBusiness
Justification
Quality and
Precedence Notes
Notes
Outbound Attribute Flow
Management Agent Date
INSTRUCTIONS: Complete one worksheet for each object in the solution. List all outbound attributes Fill out one worksheet for each connected data source. Map each metaverse attribute to a data source attribute in the outbound attribute flow.
Connected Data Source Attribute Metaverse Attribute
Name Validation Transformation Name(s)Considerations orPolicies Needed
Design and Planning Worksheets
• Utilize the MIIS 2003 Sample Worksheetshttp://download.microsoft.com/download/9/e/0/9e0c929d-10dc-42cb-aaa6-bb501a92ea20/MIIS_Worksheets.doc
• Keep them up to date
Design and Planning Worksheets
• Utilize the MIIS 2003 Sample Worksheetshttp://download.microsoft.com/download/9/e/0/9e0c929d-10dc-42cb-aaa6-bb501a92ea20/MIIS_Worksheets.doc
• Keep them up to date
• Consider the Oxford Computer Group’s Documentorhttp://www.oxfordcomputergroup.com/
Metaverse attributes
Attribute Connector space
WSUEduEmailAddress Manual precedence used
Imported using AD Update from user object using a custom flow rule called mail which uses mail, msExchHomeServerName.
Imported using UPStest from organization object using a custom flow rule called UPSmail which uses mail.
Exported to user.mail using AD Update using a custom flow rule called mail
case "StudentPhone":try { if (csentry["STUDENT-PHONE"].IsPresent) { string stdtphone2 =
csentry["STUDENT-PHONE"].Value; if (stdtphone2 != "UNLISTED") mventry["StudentPhone"].Value =
csentry["STUDENT-PHONE"].Value; } } catch (Exception e) { Logging.LogException(e, "ADW832SQL MA import
StudentPhone", mventry["WSUNID"].Value, true); } break;
Coding
• Settle on a language within the group C# or VB
Coding
• Settle on a language within the group C# or VB
• One person on a Management Agent
Phase 2 - Groups
Phase 2 - Groups
• Active Administrative Professional, Appointed Faculty, Admitted Graduate Students,Enrolled Undergraduate Students, etc, etc,
Phase 2 - Groups
Phase 3 - Provisioning
Provisioning
Gotchas
• Group Populator Takes a long time
Gotchas
• Group Populator Takes a long time
7 days for 160,000 users and 19 groups
Gotchas
• Group Populator Takes a long time Users can get separated
Gotchas
• Group Populator Takes a long time Users can get separated Groups get disconnected
Gotchas
• Group Populator Takes a long time Users can get separated Groups get disconnected Placeholders
Gotchas
• Group Populator
• Provisioning
Gotchas
• Group Populator
• Provisioning Can only run one provisioning agent at a time
IMVSynchronization[] myMVDlls; string PREFIX = "MVExtension";
void IMVSynchronization.Initialize() {
string[] fileNames = Directory.GetFiles( Utils.ExtensionsDirectory, PREFIX + "*.dll");
int numFiles = fileNames.Length;
Gotchas
• Group Populator
• Provisioning Can only run one provisioning agent at a time Sun requires additional care
Container = ",ou=People,o=wsu.edu";CN = mventry["cn"].Value;RDN = "uid=" + CN + Container;if (0 == Connectors){
ValueCollection oc; oc = Utils.ValueCollection("top"); oc.Add("account"); oc.Add("pipuserinfo"); oc.Add("organization"); DN = ManagementAgent.CreateDN(RDN); csentry = ManagementAgent.Connectors.
StartNewConnector("organization", oc); csentry.DN = DN; csentry["o"].Value = "wsu.edu"; csentry.CommitNewConnector();}
Gotchas
• Group Populator
• Provisioning
• Not real time…for us…
Disaster Recovery
• SQL backup of data
Disaster Recovery
• SQL backup of data
• Keep the key secure
Disaster Recovery
• SQL backup of data
• Keep the key secure
• Backup of the Visual Studio source
Futures
• We plan on doing deprovisioning next
Futures
• We plan on doing deprovisioning next
• Replacing the Core Programs
Futures
• We plan on doing deprovisioning next
• Replacing the Core Programs
• Provisioning to directories in other units
Help
• MIIS Experts pagehttp://www.miisexperts.org/
Help
• MIIS Experts pagehttp://www.miisexperts.org/
• Technet Forum http://forums.microsoft.com/technet/
Help
• MIIS Experts pagehttp://www.miisexperts.org/
• Technet Forum http://forums.microsoft.com/technet/
• Users Grouphttp://www.microsoft.com/communities/newsgroups/
Help
• MIIS Experts pagehttp://www.miisexperts.org/
• Technet Forum http://forums.microsoft.com/technet/
• Users Grouphttp://www.microsoft.com/communities/newsgroups/
• MS Tech·Ed Presentations
The Team
• Diane Dickinson ([email protected])
• Wanda Zeng ([email protected])
• Dean Guenther ([email protected])
• Many, many others….
