Update 11 October 2010: This blog post has been converted into a Wiki page instead so that we can provide a more living document. Please go to: http://social.technet.microsoft.com/wiki/contents/articles/fim-2010-management-agents-from-partners.aspx
Forefront Identity Manager includes a number of different management agents to connect to a variety of data sources. To enable you to connect to other data sources, FIM includes the Extensible Connectivity Management Agent (ECMA). To interact with a data source, the ECMA uses a connected data source extension. A connected data source extension is a Microsoft .NET Framework assembly that is implemented in the form of a dynamic link library (.dll) file.
You can create this extension by using any programming language and compiler that creates a .NET Framework assembly. For more information, see Creating Connected Data Source Extensions.
There are a number of partners that have created Management Agents using the ECMA to connect to a number of different systems or just to enhance connectivity options that are available out of the box.
This is the first blog post on MA and I will follow up with a similar post with MA’s that Microsoft Consulting Services have developed as part of their engagements.
MA’s from some of our great Identity and Access partners:
ACF2, Top Secret, RACF, i5 Management Agent for FIM
The IdF Management Agent for FIM has been tightly integrated with Microsoft’s Forefront Identity Manager as well as ILM and MIIS. The Management Agent works with IdF’s Adapter Suite providing Microsoft customers with an “out of the box” solution for ACF2, Top Secret, RACF, i5 and legacy applications
Mainframe MA’s – See current MA Datasheet for specs
IBM – RACF Currently Available
CA – ACF2 Currently Available
CA-Top Secret Currently Available
CICS Target Release Date: February 2011
Midrange MA’s – See current MA Datasheet for specs
IBM-i5 (AS400) Currently available
HP Non – Stop Target Release Date: November 2010
Open VMS Target Release Date: February 2011
Generic Unix MA Target Release Date: February 2011
Supported Unix Systems: Oracle-Solaris, HP-UX, IBM-AIX, LINUX
- Create and manage UNIX accounts using UNIX-specific account templates
- Change account passwords and account activations in one place
- Synchronize global users with their roles or synchronize global users’ accounts with their account templates
- Assign a UNIX policy to each of your UNIX endpoints
- Use the default Endpoint Type policy to create accounts with the minimum
- Create and manage UNIX groups
- Generate and print reports about UNIX accounts and groups
SAP r3 4.5 and higher – Available November 2010
- Web Services
SAP ECC 6.0 – Available October 2010
SAP HR 6.0
- Retrieve existing users from the SAP repository
- Display, create, modify, or delete a user
- Retrieve the existing authorization profiles from the SAP repository
- Display authorization profiles
- Assign or unassign an authorization profile to a user
- Retrieve the existing SAP roles from the SAP repository
- Display SAP roles
- Assign or unassign a SAP role to a user
- Register endpoints, explore them for objects to manage, and correlate their accounts with global users
- Create and manage SAP accounts using SAP-specific account templates
- Change account passwords and account activations in one place
- Assign a SAP account template to each of your SAP endpoints
- Use the default endpoint type account template to create accounts with the minimum level of security needed to access a SAP endpoint
- Harvest SAP accounts, SAP profiles, and SAP roles
- Manage SAP CUA environments information real time for reporting services.’
Directory Service MA’s
- Active Directory – Currently Available
- LDAPv3 JNDI – Currently Available
- IBM Directory Integrator – Target Release Date November 2010
Omada Connectivity Framework for FIM2010
Omada provides a range of Management Agents (MA’s) supporting advanced deployments of FIM2010. The MA’s covers integration to SAP, SAP GRC, Exchange, File shares, SharePoint, SCCM, Exchange, Powershell and more.
Omada’s SAP MA is based on FIM’s extensible connectivity management agent framework. The agent supports both full and delta imports as well as exports. The integration to SAP is performed via web services, and supports interaction directly with the SAP backend such as SAP ERP, SAP HR, SAP BI etc. or via SAP PI. Omada provides web services for various objects in SAP such as Org. Units (organizational structure in SAP HR), Employees, Cost Centers (including the hierarchy), Company Codes, Users (includes Password reset), Roles (With Transaction Codes, Auth. Objects).
Omada also provides advanced integration to SAP GRC.
System Center Configuration Manager MA
Omada’s SCCM Management Agent is based on FIM’s extensible connectivity management agent framework. The agent supports full import of systems, collections, collection assignments, and installs from a SCCM system. On export, the agent supports the addition of systems to collections, as well as removal of a system from a collection.
Exchange Objects MA
Omada’s Exchange Object Management Agent is based on FIM’s extensible connectivity management agent framework. The agent supports full import, and can move mailboxes within an Exchange 2003/2007 organization. The agent has two modes of export operation: 1) synchronous moves of mailboxes 2) asynchronous moves of mailboxes (i.e., multiple threads moving mailboxes).
File share MA
Omada’s File Share Management Agent is based on FIM’s extensible connectivity management agent framework. The agent supports import and export operations, and can create, move/rename, and delete file shares. Additionally, the agent can optionally set permissions on file shares, and move file shares between different file system volumes.
Home Folder MA
Omada’s Home Folder Management Agent is based on FIM’s extensible connectivity management agent framework. The agent supports import and export operations, and can create, move/rename, and delete home folders. Additionally, the agent can optionally set permissions on folders, and move home folders between different file system volumes.
Omada’s PowerShell Management Agent is based on FIM’s extensible connectivity management agent framework. The agent supports export (add) of a script with parameters to execute. The agent is based on the “post processing” approach to creating extensible management agents that execute external (to FIM) commands.
Initial Load MA’s
Omada provides a number of Management Agents which are used to populate the FIM Portal with the customer’s existing Accounts and group memberships in the target systems such as Active Directory, ADLDS, SAP etc.
The SharePoint Management API is based on SharePoint’s standard API. The agent supports full import of users, sites, lists, permissions and permission levels. On export, the agent supports adding user permissions and revokes violating permissions.
“Centrify’s core capability is to extend Active Directory’s authentication, authorization and group policy capabilities to non-Microsoft platforms such as UNIX, Linux and Mac. In doing this “identity consolidation” into Active Directory, UNIX attributes such as UNIX UIDs, home directories, etc. are stored within Active Directory, including the ability to map multiple UNIX UIDs to a single AD account (this technology is called Centrify Zones).
In order to simplify provisioning of UNIX user profiles within Active Directory, Centrify provides a Provisioning Agent that leverages Active Directory Groups to automate the management of Centrify Zone profiles. Adding a user to the Active Directory control group for a specific Zone will cause the Zone Provisioning Agent to add a UNIX profile for that user to the Zone, similarly if you remove the user from the group it will delete the UNIX profile, and in this way Forefront Identity Manager only needs to manage an Active Directory Group’s membership in order to manage the provisioning of Centrify UNIX profiles.
Also, because Centrify makes the AD username/password the global username/password, FIM’s self-service password reset capabilities reach beyond Windows and into hundreds of non-Microsoft systems. For a free version of Centrify’s software for Linux/AD integration, check out http://www.centrify.com/express/ .”
Oxford Computer Group
For more information: http://www.oxfordcomputergroup.com/OCG_Components
Oxford Computer Group’s SharePoint MA makes the creation, deletion and maintenance of up-to-date SharePoint profiles significantly easier. The solution allows an organization’s SharePoint user profiles to be kept up-to-date by FIM. FIM populates the SharePoint user profiles with data from any of its connected data sources, such as Active Directory, HR systems, company white pages, email Global Address Lists etc. By utilizing FIM’s provisioning and deprovisioning power, an organization’s SharePoint user profiles can be created and deleted in line with its business rules. That means a new starter can have access to all the required and approved systems from the minute they join the company. It also means their access privileges can be changed as and when required and removed when they leave. This significantly reduces the possibility of data theft.
Oxford Computer Group provides a solution specifically designed for organizations running SAP HR, R/3 and Netweaver. The MA integrates SAP with FIM, uses standard BAPI calls to manager employees, user and roles By combining the power and flexibility of Microsoft Forefront Identity Manager (FIM) with a bespoke connector for SAP OCG have created a cost-effective and easily deployable solution to address issues of identity and access management.
Delta Generator MA
Oxford Computer Group’s Delta Generator is a Replacement for the Microsoft SQL and Oracle MA. It specifically adds delta imports for those systems that do not support deltas. Significantly reduces sync time, orders of magnitude faster than the MS MA even for full imports in some cases
MA – Oxford Computer Group (OCG) provide solutions that use Microsoft Forefront Identity Manager (FIM) to manage Blackberry® identity and security by integrating with Blackberry® Enterprise Server (BES), the management solution for Blackberry®. This allows secure access for Blackberrys to be managed through an integrated solution in the same way as other enterprise systems. To complement FIM, OCG has developed a .NET-based Management Agent for BES (BES XMA). This provides added functionality and tighter integration between FIM and BES. The integration of BES XMA helps increase IT productivity and reduce administrative overheads by enabling centralized control and management of user accounts and mobile devices.
For more information: http://www.unifysolutions.net
Identity Broker™ for FIM Connected Directories
The UNIFY Identity Broker, is a service that solves the following issues:
- Connectivity to specific systems for which no MA exists – Identity Broker allows UNIFY to easily develop MAs to any system using its own API.
- Providing a framework of common patterns involved in connecting to sources of identity data, including security models, WCF, SOA, interconnectivity with other platforms, data modeling allowing targeted systems to appear as directories to the identity management platform;
- Complete implementation of all FIM’s extensible management agent interfaces, regardless of the capabilities of the target system;
- Password synchronisation ability where target system maintains its own identity store for authentication/authorisation; and
- Real-time capabilities when matched with UNIFY Real-time Broker.
- Audit capture and reporting within Identity Broker
- Single Interface for managing all connected Brokers within the ILM/FIM solution
- GUI management interface for configuration and management, including application schema discovery and mapping
- Installation and configuration wizard including automated generation of ILM/FIM MA
UNIFY’s list of Identity Broker MAs includes (but is not limited to) the following:
- Identity Broker for Microsoft SharePoint;
- Identity Broker for Aurion HRMS (Prevalent Australian Tier 2 HR application);
- Identity Broker for Frontier chris21 (Prevelant Tier 2 HR and Payroll. Clients in APAC and EMEA)
- Identity Broker for HP TRIM;
- IBM Tivoli Access Manager (allows ILM/FIM to manage TAM repository
- Identity Broker for BigHand Digital Dictation;
- Identity Broker for Aderant Expert
- Identity Broker for LexisNexis InterAction.
- SAP HR (platform and version independent)
Home Directory Management Agent
With the Home Directory Management Agent (HDMA) for FIM, user home directories can be managed with the same ease and familiar environment as other aspects of the identity lifecycle.
Management Agents available on blogs as well as on sites like sourceforge.com and Codeplex.com
Microsoft Dynamics AX MA
Blog post series describing creating a MA for Dynamics AX:
SharePoint List Management Agent (from Steven Kean at Version3)
The SharePoint List Management Agent is an attempt to provide an easy-to-use, familiar interface between ILM 2007 and a WSS 3.0 or MOSS 2007 list. It is deployed as a “PackagedMA” to help alleviate some of the more tedious tasks involved with the development of extensible management agents (ex. run profile configuration, object type configuration, data manipulation, etc.). For more information and to download the code please click here.
OpenLDAP MA (from SourceForge)
The OpenLDAP Extensible Management Agent (XMA) for Microsoft Identity Lifecycle Manager(ILM) enables efficient two-way synchronization of identity information with the OpenLDAP directory. For more information and to download the code please click here.
For other LDAP v3 directories such as Oracle Internet Directory you can use the OpenLDAP MA as starting point for integration with FIM.
I will keep updating this post going forward and I hope this helps in finding the MA’s that you need for your projects.
// Brjann Brekkan
Follow me on Twitter as well twitter.com/bbrekkan
Post updated 29 July with info on Omada’s SharePoint MA