The Microsoft Identity Integration Server 2003 technical reference is an in-depth documentation collection about identity information management concepts. It is not intended as an operations or implementation guide. Instead, it provides information managers, system architects and IT generalists with the necessary background they will need to analyze and develop their own identity management solutions.
Every connected data source has a corresponding management agent. Each management agent controls the flow of information between its connected data source and MIIS. If you modify synchronized data in either the connected data source or within MIIS, the management agent keeps MIIS 2003 and the connected data sources consistent. Since there is a management agent for each supported connected data source type, the types of management agents are the same as the types of connected data sources supported by MIIS 2003. If you need to connect a data source for which no specific management agent exists, MIIS also provides a generic management agent, called the extensible connectivity management agent, that can be configured to connect to any system that provides programmatic access to its data.
Implementation steps provides a procedural walkthrough for building the MIIS 2003 management agents (MAs) used to develop the MIIS 2003 infrastructure in the scenario.
A connected data source is a system that provides information to or receives information from MIIS 2003. Many systems can act as a connected data source, including directory services, databases and even individual files. The following connected data sources are currently supported by MIIS 2003 Service Pack 1:
Microsoft Identity Integration Server (MIIS) 2003 allows you to synchronize identity information from many different directories and services into a single, organization-wide solution. This can help protect your network's security and simplify management.
Microsoft Identity Integration Server 2003 is most commonly employed to integrate data between connected data sources.
The design of this scenario involves the following three components:
There are 5 essential tools for MIIS:
The metaverse is a collection of tables that contains information about connected identities from the connected data sources. These tables are stored in a SQL Server database and contain all the aggregated information about a specific entity as it exists in all of the connected data sources. Attributes and objects flow into and out of the metaverse: updates flowing in are used to update the metaverse, and updates going out are used to update the connected data sources through their respective connector space. The metaverse contains its own schema, which defines which object types and attributes the metaverse can contain. All objects in the metaverse must be of one of the types defined in the metaverse schema.
Identity and access management are important issues as your business implements systems that provide corporate information to employees, business partners and customers.
Each solution introduces new applications with their own authorization requirements and potentially their own authentication mechanisms. As these disparate systems proliferate throughout an organization, managing digital identity (determining when users are on-boarded, when they are off-boarded, and what privileges and access they have while active in the environment) becomes an increasingly complicated process.
Scenario design describes the fictional company and the specific directory problem you solve in the scenario. This section provides a high-level conceptual and procedural overview of how MIIS 2003 facilitates data flow between connected data sources and Microsoft Identity Integration Server 2003.
Some of the major capabilities of MIIS 2003 include:
By implementing Microsoft Identity Integration Server 2003, the company hopes to accomplish the following two goals:
The connector space is a staging area for information coming into or going out from a given management agent. The information that is staged in a management agent's connector space is used to synchronize with the metaverse or is exported out to its connected data source. Each connected data source has its own reserved logical area within the connector space that is used by its corresponding management agent.
The connector space does not actually contain the connected data source as an object itself but rather contains a subset of the connected data source's attributes, as defined on the management agent. MIIS uses the connector space object instead of making direct queries to the connected data source when processing business rules. This improves synchronization speed between the metaverse and the connected data sources.
The following are the minimum hardware requirements for the two servers used in this scenario:
The management of passwords is a costly and time-consuming process for many administrators. Fortunately, this process has been greatly enhanced by a new feature in MIIS 2003 SP1, the Password Change Notification Service (PCNS). This service allows password resets to be securely forwarded to an MIIS 2003 server.
When a password reset is initiated on a domain controller, either by a user who presses Ctrl+Alt+Del or by an administrator, the request is intercepted. The intercepted request is encrypted and then forwarded on to the MIIS 2003 server and from there to all connected data sources (that are configured for password management) through synchronization. To see how to install the PCNS and configure a management agent.
Passwords are one of the weakest security points in a network, but the use of secure passwords can become a source of contention between administrators and users. Users would rather have nice, easy-to-remember passwords, whereas administrators want to implement more restrictive password requirements. This is of even more concern on networks with disparate directories, where users may have several accounts with varying levels of password requirements to access each of these directories or services. MIIS 2003 SP1 has a number of new password management and synchronization features that can help.
As you begin to tackle an identity management project, the first challenge you are likely to run into is determining where you should start. Typically, identity management solutions are strategic. Translating that strategy into concrete activities requires some experience. To address this challenge, Microsoft has developed the MIIS 2003 Design and Planning Collection, a series of documents and worksheets that can aid in scoping your project, gathering requirements and configuring a solution based on MIIS 2003. It is especially useful if you are new to this type of project.
The design and planning collection contains an introductory document that explains how to use the series, seven separate documents that address particular design components, templates to be used in conjunction with the documents and completed sample templates so you can see what the finished templates should look like.
This documentation set includes walkthroughs that help you with proofs of concept and detailed analyses of features and functionalities of MIIS 2003. You also get information that helps you make business cases when choosing MIIS 2003.
When you run a management agent, you can specify that a join rule be applied to each object in the connector space. When a join rule is specified, Microsoft Identity Integration Server 2003 searches the metaverse and attempts to find a corresponding object to which the connector space object can be joined.
When a search returns any results, the resolution rules determine whether:
The metaverse schema contains the following default objects, but can be easily extended:
To administer the Microsoft Identity Integration Server 2003 infrastructure, perform the following administration tasks:
As a result of your design efforts, you have identified the data flow for both attributes and objects. If your design requires creating or deleting objects in connected data sources, you will need to develop a method of provisioning and deprovisioning these objects. In MIIS 2003 this means implementing that logic in a metaverse rules extension. Rules extensions are implemented as DLLs and stored in the Extensions subfolder of the MIIS root folder.
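As an added illustration (not code from the MIIS 2003 documentation or the scenario), the following C# metaverse rules extension shows the provisioning and deprovisioning logic described above: it creates an Active Directory connector only for complete, active person records, and disconnects all connectors when the person is off-boarded. The management agent names, the container DN and the employeeStatus attribute are placeholders assumed for the example.

```csharp
using System;
using Microsoft.MetadirectoryServices;

// Metaverse rules extension. MIIS calls Provision() after a metaverse object
// changes, and ShouldDeleteFromMV() when a connector is disconnected from it.
public class MVExtensionObject : IMVSynchronization
{
    // Placeholder names assumed for this example; replace with your own MAs.
    private const string AdMaName = "Contoso AD MA";
    private const string HrMaName = "HR SQL MA";
    private const string UserContainer = "OU=Users,DC=contoso,DC=com";

    public void Initialize() { }
    public void Terminate() { }

    public void Provision(MVEntry mventry)
    {
        // Provision only person objects, and refuse to create an account from an
        // incomplete record: both the naming and the status attribute must exist.
        if (mventry.ObjectType != "person") return;
        if (!mventry["cn"].IsPresent || !mventry["employeeStatus"].IsPresent) return;

        ConnectedMA adMa = mventry.ConnectedMAs[AdMaName];

        if (mventry["employeeStatus"].Value == "Active")
        {
            // Create the AD connector only if none exists yet, so repeated
            // synchronization runs stay idempotent.
            if (adMa.Connectors.Count == 0)
            {
                CSEntry csentry = adMa.Connectors.StartNewConnector("user");
                csentry.DN = adMa.EscapeDNComponent("CN=" + mventry["cn"].Value)
                                 .Concat(UserContainer);
                csentry.CommitNewConnector();
            }
        }
        else
        {
            // Off-boarded: disconnect every AD connector so the management
            // agent's configured deprovisioning action runs on the next export.
            adMa.Connectors.DeprovisionAll();
        }
    }

    // Keep the metaverse object while the authoritative HR source still
    // projects it; delete it only when the HR connector itself disconnects.
    public bool ShouldDeleteFromMV(CSEntry csentry, MVEntry mventry)
    {
        return csentry.MA.Name == HrMaName;
    }
}
```

Build the class library against Microsoft.MetadirectoryServices.dll and place the resulting DLL in the Extensions subfolder of the MIIS root folder, then select it as the metaverse rules extension in Identity Manager.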
Administering MIIS 2003 Infrastructure provides common administrative tasks related to maintaining the MIIS 2003 infrastructure in the scenario.
There are four major components of MIIS 2003:
The following software should be available:
You will create the MAs in the following order:
Lab setup lists the hardware and software requirements for the scenario walkthrough procedures. It includes detailed instructions for setting up the different connected data sources, as well as setting up MIIS 2003.
The password management and synchronization capabilities help you control passwords and reduce administrative efforts:
Instructions to install Microsoft Identity Integration Server 2003:
Microsoft Identity Integration Server 2003 technical reference provides information about:
The individual responsible for setting up the lab for this scenario should have a complete knowledge of the following: