Introduction to Inbound Synchronization
Applies To: Forefront Identity Manager 2010
In Microsoft® Forefront® Identity Manager (FIM) 2010, you can configure and fine-tune the object and attribute flow between FIM 2010 and the related connected data sources by configuring synchronization rules. There are two main types of synchronization rules in the architectural model of FIM 2010: inbound synchronization rules and outbound synchronization rules. The objective of this document is to provide a detailed introduction to inbound synchronization rules, based on a simple lab environment.
Before You Begin
This document assumes that you already have a working instance of FIM 2010 on a computer.
For a complete description of the installation process for FIM 2010, see the FIM Installation Guide (https://go.microsoft.com/fwlink/?LinkId=165845).
Prerequisite Knowledge
This document assumes that you have a basic understanding of the synchronization process. For more information, see Understanding Data Synchronization with External Systems.
For an overview of FIM 2010 documentation and guidance for using it, see the Documentation Roadmap.
Audience
This guide is intended for information technology (IT) professionals who are interested in getting some initial hands-on experience with FIM 2010 R2 inbound synchronization rules in a lab environment.
Scope
The scenario outlined in this document has been simplified to address the requirements of a simple lab environment. The focus is on helping the user obtain a basic understanding of the technologies. This scenario is not intended for deployment in a production environment.
Time Requirements
The procedures in this document require 30 to 40 minutes for a new user to complete. These time estimates assume that the testing environment is already configured. They do not include the time required to set up the test environment.
Getting Support
If you have questions regarding the content of this document or if you have general feedback, post a message to the Microsoft Identity Lifecycle Manager Discussion Forum (https://go.microsoft.com/fwlink/?LinkID=163230).
Scenario Description
Fabrikam, a fictitious company, is investigating how to easily deploy and maintain digital identities by using FIM 2010. As part of this investigation, Fabrikam wants to explore the new inbound synchronization rule concept in the corporate lab environment with a simple scenario. The goal of this scenario is to deploy one manually created user object from a data file to FIM 2010. This scenario is representative of cases in which you have an authoritative Human Resources (HR) database in your system.
The following illustration outlines this scenario.
The following sections describe the scenario design, the scenario preparation, and the scenario steps.
Scenario Design
To implement the simple lab solution outlined in this document, you use two management agents:
Fabrikam FIMMA. This FIM 2010 R2 Service Management Agent contributes the source scenario objects.
Fabrikam FileMA. This management agent for the Attribute-value pair text file is the source for the sample user in this document.
The following illustration outlines the logical architecture of this scenario.
Testing Environment
The scenario that is described in this document has been developed and tested on a stand-alone computer. On this computer, FIM 2010 is already deployed and the computer is configured to be a domain controller for the Active Directory® forest Fabrikam.com. The name of this domain controller is FabrikamDC1. The following illustration outlines the domain configuration.
To perform the procedures in this document, the domain controller has been configured with the following characteristics:
Windows Server 2008 or Windows Server 2008 R2 64-bit Standard or Enterprise
Microsoft .NET Framework 3.5 Service Pack 1 (SP1)
Microsoft SQL Server® 2008 64-bit Standard or Enterprise, Service Pack 1 (SP1) or later
Windows SharePoint® Services 3.0 SP1, 64-bit
Windows PowerShell™ 1.0
FIM 2010
Note
A description of the installation of FIM 2010 and the required software components is out of the scope of this document. For a complete description of the installation process for FIM 2010, see the FIM Installation Guide (https://go.microsoft.com/fwlink/?LinkId=134023).
Scenario Roadmap
The scenario roadmap in this document consists of three main building blocks:
Configuring the scenario. In this section, you create all required scenario components, including the required management agents, run profiles, and an inbound synchronization rule.
Initializing the scenario. In this section, you deploy your initial configuration inside FIM 2010.
Testing the scenario. In this section, you verify the declarative provisioning prerequisites and you deploy one user from your data file to the FIM 2010 Portal.
Configuring the Scenario
The configuration of the scenario in this document consists of the following building blocks:
Creating the management agents
Creating the run profiles
Creating the inbound synchronization rule
Enabling synchronization rule provisioning
The following sections provide detailed instructions for each configuration building block.
Creating the Management Agents
In this section, you find instructions for creating the two scenario management agents:
Fabrikam FileMA
Fabrikam FIMMA
The following sections provide detailed instructions for creating these management agents.
Creating the Fabrikam FileMA
The Fabrikam FileMA is a management agent for a delimited text file. To create this management agent, you need a text file that contains the schema and the data information for this management agent.
The following code sample shows the schema data file for this management agent.
"EmployeeID","EmployeeType","FirstName","LastName"
"7","Contractor","Britta","Simon"
To create the Fabrikam FileMA
Open Notepad.
Copy the content of the previous code sample, and then paste it into your new Notepad file.
Save the file as C:\Fabrikam File MA Data.txt.
Open the Synchronization Service Manager, and in the Tools menu, click Management Agents.
Open the Create Management Agent Wizard: on the Actions menu, click Create.
On the Create Management Agent page, provide the following configuration settings, and then click Next:
Management agent for: Delimited text file
Name: Fabrikam FileMA
On the Select Template Input File page, provide the following configuration settings, and then click Next:
Template Input File: C:\Fabrikam File MA Data.txt
Code Page: Western Europe (Windows)
On the Delimited Text Format page, provide the following configuration settings, and then click Next:
Use first row for header names: selected
Delimiter: Comma
Text qualifier: "
On the Configure Attributes page, provide the following configuration settings, and then click Next:
To open the Set Anchor dialog box, click Set Anchor.
In the Available attributes list, select Employee ID.
To set Employee ID as the anchor, click Add.
To close the Set Anchor dialog box, click OK.
On the Define Object Types page, click Next.
On the Configure Connector Filter page, click Next.
On the Configure Join and Projection Rules page, click Next.
On the Configure Attributes pages, click Next.
On the Configure Deprovisioning page, click Next.
To create the management agent, in the Configure Extensions page, click Finish.
Creating the FIMMA
The Fabrikam FIMMA is a management agent for the FIM 2010 R2 Service Management Agent. To create this management agent, you use the Create Management Agent Wizard.
Important
To create the FIM 2010 R2 management agent, you need a separate user account. The account is used to run this management agent.
To create a user account for the Fabrikam FIMMA
Open Active Directory Users and Computers.
In the console tree, select Users.
To open the New Object – User dialog box, in the Action menu, click New, and then point to Users.
In the First name text box, type fimma.
In the User logon name text box, type fimma, and then click Next.
In the Password and Confirm password text boxes, type a password of your choice.
Clear the User must change password at next logon check box.
Select Password never expires, and then click Next.
To create the user account, click Finish.
Important
If your server running FIM 2010 R2 is also a domain controller, the account that you use must have the right to log on locally. For more information, see Grant a Member the Right to Log On Locally (https://go.microsoft.com/fwlink/?LinkID=182205). For more details about the FIM 2010 management agent account, see the FIM Installation Guide (https://go.microsoft.com/fwlink/?LinkId=134023).
To create the Fabrikam FIMMA
Open Identity Manager, and on the Tools menu, click Management Agents.
To open the Create Management Agent Wizard, on the Actions menu, click Create.
On the Create Management Agent page, provide the following configuration settings, and then click Next:
Management agent for: FIM 2010 R2 Service Management Agent
Name: Fabrikam FIMMA
On the Connect to Database page, provide the following configuration settings, and then click Next:
Server: .
Database: FIMService
FIM Service base address: https://localhost:5725
Authentication mode: Windows integrated authentication
User name: fimma
Password: <the account's password>
Domain: fabrikam
On the Selected Object Types page, verify that the following object types are selected, and then click Next:
ExpectedRuleEntry
Person
SynchronizationRule
On the Selected Attributes page, verify that all listed attributes are selected, and then click Next.
On the Configure Connector Filter page, click Next.
On the Configure Object Type Mappings page, add the following mapping, and then click Next:
On the Data Source Object Type list, select Person.
To open the Mapping dialog box, click Add Mapping.
On the Metaverse object type list, select person.
To close the Mapping dialog box, click OK.
On the Configure Attribute Flow page, apply the following attribute flow mappings, and then click Next:
Data source attribute | Metaverse attribute |
---|---|
DisplayName | displayName |
EmployeeID | employeeID |
FirstName | firstName |
LastName | lastName |
Select Person as Data source object type.
Select person as Metaverse object type.
Select Direct as Mapping Type.
Select Export as Flow Direction.
For each row in the previous table, complete the following steps:
Select the Data source attribute shown for that row in the table.
Select the metaverse attribute shown for that row in the table.
To apply the flow mapping, click New.
On the Configure Deprovisioning page, click Next.
To create the management agent, on the Configure Extensions page, click Finish.
Creating the Run Profiles
This section lists the steps for configuring the scenario run profiles. For the scenario in this document, you configure run profiles for Fabrikam FileMA and Fabrikam FIMMA.
Creating run profiles for the Fabrikam FileMA
The following table lists the run profiles for the Fabrikam FileMA.
Profile | Run profile name | Step type |
---|---|---|
Profile 1 | Full Import | Full Import (Stage Only) |
Profile 2 | Full Synchronization | Full Synchronization |
To configure the run profiles for the Fabrikam FileMA
To save the import data file in the FileMA’s MaData folder, copy your source data file, C:\Fabrikam File MA Data.txt, to %ProgramFiles%\Microsoft Forefront Identity Manager\2010\Synchronization Service\MaData\Fabrikam FileMA.
On the Tools menu, click Management Agents.
In the Name column, select Fabrikam FileMA.
For each row in the previous table, perform the following steps:
To open the Configure Run Profiles for Fabrikam FileMA dialog box, on the Actions menu, click Configure Run Profiles.
To open the Configure Run Profile dialog box, click New Profile.
On the Profile Name page, select the Step Type shown for that row in the table, and then click Next.
On the Management Agent Configuration page, provide the following configuration settings, and then click Finish:
Partition: default
Input file name: Fabrikam File MA Data.txt
Note
You can either type the name of the data file into the Input file name text box or, to manually select the file name, click the Select button.
Creating run profiles for the Fabrikam FIMMA
The following table lists the run profiles for the Fabrikam FIMMA.
Profile | Run profile name | Step type |
---|---|---|
Profile 1 | Full Import | Full Import (Stage Only) |
Profile 2 | Full Synchronization | Full Synchronization |
Profile 3 | Delta Import | Delta Import (Stage Only) |
Profile 4 | Delta Synchronization | Delta Synchronization |
Profile 5 | Export | Export |
To configure the run profiles for the Fabrikam FIMMA
On the Tools menu, click Management Agents.
In the Name column, select Fabrikam FIMMA.
For each row in the previous table, perform the following steps:
To open the Configure Run Profiles for Fabrikam FIMMA dialog box, on the Actions menu, click Configure Run Profiles.
To open the Configure Run Profile dialog box, click New Profile.
On the Profile Name page, select the Step Type for that row in the table, and then click Next.
To create the run profile, on the Management Agent Configuration page, click Finish.
Creating the inbound synchronization rule
In this section, you create the inbound synchronization rule. The following table summarizes the synchronization rule configuration for the scenario in this document.
To create the inbound synchronization rule
To open the FIM 2010 R2 Portal, start Internet Explorer, and then navigate to https://localhost/identitymanagement/default.aspx.
To open the Synchronization Rules page, in the Administration bar, click Synchronization Rules.
To open the Synchronization Rules wizard, on the toolbar, click New.
On the General tab, provide the following information, and then click Next:
Display Name: FileMA Inbound Synchronization Rule
Data Flow Direction: Inbound
On the Scope tab, provide the following information, and then click Next:
Metaverse Resource Type: person
External System: Fabrikam FileMA
External System Resource Type: person
On the Relationship tab, provide the following information, and then click Next:
Relationship Criteria:
MetaverseObject:person(Attribute): employeeID
ConnectedSystemObject:person(Attribute): EmployeeID
Create Resource In FIM: selected
On the Inbound Attribute Flow tab, provide the following information, and then click Next:
Source | Destination |
---|---|
EmployeeID | employeeID |
EmployeeType | employeeType |
FirstName | firstName |
LastName | lastName |
For each row in the previous table, perform the following steps:
To open the Flow Definition dialog box, click New Attribute Flow.
On the Source tab, select the attribute shown for that row in the table.
On the Destination tab, select the attribute shown for that row in the table.
To apply the attribute flow configuration, click OK.
To move to the Summary tab, click Finish.
To flow the Display Name attribute, perform the following steps:
To open the Flow Definition dialog box, click New Attribute Flow.
On the Source tab, select First Name.
Click Concatenate Value.
Select String.
In the String text box, type a space.
Click Concatenate Value.
Select Last Name.
Click the Destination tab.
Select Display Name.
To apply the attribute flow configuration, click OK.
On the Summary tab, click Submit.
Enabling Synchronization Rule Provisioning
To enable the configured synchronization rules during a synchronization run, you must enable synchronization rule processing in the Synchronization Service Manager.
To enable Synchronization Rule Provisioning
Open Synchronization Service Manager.
To open the Options dialog box, on the Tools menu, click Options.
Select Enable Synchronization Rule Provisioning.
To close the Options dialog box, click OK.
Initializing the Scenario
The initialization of your scenario consists of the following steps:
Importing data from the FIM 2010 R2 Service database
Initializing the FIM 2010 R2 Synchronization Service
Exporting to the FIM 2010 R2 Service database
Confirming the FIM 2010 R2 Service database
Importing data from the FIM Service database
The objective of the full import is to bring the already existing objects, including the newly created synchronization rule, into the connector space of the Fabrikam FIMMA. After a successful full import on the Fabrikam FIMMA, the synchronization statistics report three added objects. The following illustration shows the synchronization statistics for a full import run.
Note
You will see different values for the distinguished name (also known as DN) attribute in your environment because the value is based on a globally unique identifier (GUID) that is calculated on demand.
To import data from the FIM Service database
Open Synchronization Service Manager.
On the Tools menu, click Management Agents.
In the Name column, select Fabrikam FIMMA.
To open the Run Management Agent dialog box, on the Actions menu, click Run.
In the Run profiles list, select Full Import, and then click OK.
By using a connector space search, you can examine the properties of the new objects. In addition to the synchronization rule, you also find two Person objects that were imported. These objects are representations of the Built-in Synchronization Account and the account that you used to install FIM 2010.
The following illustration shows the result of a connector space search on the Fabrikam FIMMA.
To run a connector space search on the Fabrikam FIMMA
To open the Search Connector Space dialog box, on the Actions menu, click Search Connector Space.
To retrieve a list of the available connector space objects, click Search.
Initializing the FIM Synchronization Service
A full synchronization run is always required whenever the synchronization rules are updated. You applied updates to these synchronization rules during the configuration of the Fabrikam FIMMA management agent. By design, the FIM 2010 R2 Service Management Agent has a preconfigured projection rule. During the initial full synchronization run, the three staged connector space objects are projected into the metaverse. The preconfigured export attribute flow rule stages the metaverse object ID for an export in the Fabrikam FIMMA connector space. The following illustration shows the synchronization statistics of a full synchronization run.
By using the metaverse search, you can examine the properties of the newly projected objects.
To initialize the FIM Synchronization Service
To open the Run Management Agent dialog box, on the Actions menu, click Run.
In the Run profiles list, select Full Synchronization, and then click OK.
By using a metaverse search, you can examine the properties of the newly projected objects.
To run a metaverse search
On the Tools menu, click Metaverse Search.
If necessary, adjust the column settings by selecting the Column Settings link.
To search the metaverse, click Search.
To open the Metaverse Object Properties dialog box, on the Search Results list, select FileMA Inbound Synchronization Rule, and then on the Actions menu, click Properties.
Exporting data to the FIM Service database
As a result of the initialization, updates have been staged to the connector space of the FIM 2010 R2 management agent. These pending exports must be pushed out to the FIM 2010 R2 Service database. The following illustration shows the synchronization statistics of a successful export run.
To export data to the FIM Service database
To open the Run Management Agent dialog box, on the Actions menu, click Run.
In the Run profiles list, select Export, and then click OK.
Confirming the FIM Service database
To complete the initialization sequence, you run a delta import on your Fabrikam FIMMA. The delta import is required to confirm the exported data in the connector space. The following illustration shows the synchronization statistics of a successful confirming import run.
To confirm the FIM Service database
To open the Run Management Agent dialog box, on the Actions menu, click Run.
In the Run profiles list, select Delta Import, and then click OK.
Note
At this point, your scenario is fully initialized.
Testing the Scenario
The goal of the scenario in this document is to create one sample user in the data source file that is associated with the Fabrikam FileMA. The complete deployment cycle of a sample user consists of the following building blocks:
Importing the scenario user from the data file
Synchronizing the scenario user inside the FIM 2010 R2 Synchronization Service
Exporting the scenario user to the FIM 2010 R2 Service database
Verifying the scenario user deployment
Confirming the export
The following sections provide instructions for each building block.
Importing the scenario user from the data file
In this section, you import the scenario user from your data file. After a successful full import on the Fabrikam FileMA, the synchronization statistics report one added object. The following illustration shows the synchronization statistics for a full import run.
To import the scenario user from the data file
Open Synchronization Service Manager.
On the Tools menu, click Management Agents.
In the Name column, select Fabrikam FileMA.
To open the Run Management Agent dialog box, on the Actions menu, click Run.
In the Run profiles list, select Full Import, and then click OK.
Synchronizing the scenario user inside the FIM Synchronization Service
In this section, you project the scenario user into the metaverse and you provision the scenario user into the connector space of your FIM 2010 R2 Service management agent. After a successful full synchronization on the Fabrikam FileMA, the synchronization statistics report the following:
One projection
One connector with flow updates
One provisioning add
One export attribute flow
The following illustration shows the synchronization statistics for a full synchronization run.
To synchronize the scenario user inside the FIM Synchronization Service
To open the Run Management Agent dialog box, on the Actions menu, click Run.
In the Run profiles list, select Full Synchronization, and then click OK.
Exporting the scenario user to the FIM Service database
In this section, you export the scenario user into the FIM 2010 R2 Service database. After a successful export, the export statistics report one added object.
The following illustration shows the synchronization statistics for an export run.
To export the scenario user to the FIM Service database
In the Name column, select Fabrikam FIMMA.
To open the Run Management Agent dialog box, on the Actions menu, click Run.
In the Run profiles list, select Export, and then click OK.
Verifying the scenario user deployment
In this section, you verify the successful deployment of the scenario user. The scenario user has been successfully deployed when the account appears in the FIM 2010 R2 Synchronization Service database. To verify the successful user deployment, you use the FIM 2010 R2 Portal.
The following illustration shows an example of a successfully deployed sample user.
To verify the scenario user deployment
To open the FIM 2010 R2 Portal, open Internet Explorer, and then navigate to https://localhost/identitymanagement/default.aspx.
To open the Users page, on the navigation bar, click Users.
To retrieve a list of the existing users, leave the Search for text box empty, and click the Search button next to the text box.
Select Britta Simon.
To open the object’s configuration dialog box, click the object’s Display Name.
Verify that Britta Simon has the expected attribute values.
Close the dialog box.
Confirming the export
In this section, you confirm the most recent export operation. In FIM 2010, each run of an export run profile requires you to also run an additional import. Typically, a delta import is sufficient for this. After a successful delta import on the Fabrikam FIMMA, the synchronization statistics report one added object. The following illustration shows the synchronization statistics for a delta import run.
To confirm the export
Open Synchronization Service Manager.
On the Tools menu, click Management Agents.
In the Name column, select Fabrikam FIMMA.
To open the Run Management Agent dialog box, on the Actions menu, click Run.
In the Run profiles list, select Delta Import, and then click OK.
Important
Each run of an export run profile requires a following import run to complete the export operation. An import run that is completing an export operation is also known as a Confirming Import.
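The two run sequences from Initializing the Scenario and Testing the Scenario, scripted as an added example that is not part of the original guide: it checks the data file's header and EmployeeID anchor, then executes the run profiles through the Synchronization Service WMI class MIIS_ManagementAgent and stops at the first step that does not return "success". The function names and the stop-on-anything-but-success policy are assumptions of this example; the management agent, run profile and file names are the ones configured above, and the account running the script is assumed to be allowed to run management agents.

```powershell
# Added example, not part of the original guide. Run it on the FIM Synchronization Service server.
# Function names are hypothetical; MA, run profile and file names are the ones used in this document.
$DataFile = 'C:\Fabrikam File MA Data.txt'
$MaData   = "$env:ProgramFiles\Microsoft Forefront Identity Manager\2010\Synchronization Service\MaData\Fabrikam FileMA"
$WmiNs    = 'root\MicrosoftIdentityIntegrationServer'

# Emits one string per problem found in the FileMA input file (nothing when the file is clean).
function Test-FileMAData {
    param([string]$Path)
    if (-not (Test-Path $Path)) { "File not found: $Path"; return }

    $expected = 'EmployeeID', 'EmployeeType', 'FirstName', 'LastName'
    $header   = ("" + @(Get-Content $Path)[0]) -replace '"', ''
    $columns  = $header.Split(',')
    $missing  = @($expected | Where-Object { $columns -notcontains $_ })
    if ($missing.Count -gt 0) { "Missing column(s): " + [string]::Join(', ', $missing); return }

    $rows = @(Import-Csv $Path)
    $line = 1
    foreach ($row in $rows) {
        $line++
        # EmployeeID is the anchor and the relationship criterion, so it must not be blank.
        if (("" + $row.EmployeeID).Trim() -eq '') { "Line ${line}: empty EmployeeID" }
    }
    # The anchor identifies each object in the file, so a value may appear only once.
    $rows | Group-Object EmployeeID | Where-Object { $_.Name -and $_.Count -gt 1 } |
        ForEach-Object { "EmployeeID '$($_.Name)' appears $($_.Count) times" }
}

# Executes one run profile and returns the status string reported by the Synchronization Service.
function Invoke-RunProfile {
    param([string]$MA, [string]$RunProfile)
    $agent = Get-WmiObject -Namespace $WmiNs -Class MIIS_ManagementAgent -Filter "Name='$MA'"
    if ($agent -eq $null) { throw "Management agent '$MA' not found" }
    return $agent.Execute($RunProfile).ReturnValue
}

# Runs the steps in order. Any status other than "success" stops the sequence so the
# run can be inspected in Synchronization Service Manager before anything else executes.
function Invoke-RunSequence {
    param([object[]]$Steps)
    foreach ($step in $Steps) {
        $status = Invoke-RunProfile -MA $step.MA -RunProfile $step.RunProfile
        Write-Host ("{0,-16} {1,-22} {2}" -f $step.MA, $step.RunProfile, $status)
        if ($status -ne 'success') { throw "Stopped: $($step.MA) / $($step.RunProfile) returned '$status'" }
    }
}

# Initializing the Scenario: import, synchronize, export, confirming import on the FIMMA.
$Initialize = @(
    @{ MA = 'Fabrikam FIMMA'; RunProfile = 'Full Import' },
    @{ MA = 'Fabrikam FIMMA'; RunProfile = 'Full Synchronization' },
    @{ MA = 'Fabrikam FIMMA'; RunProfile = 'Export' },
    @{ MA = 'Fabrikam FIMMA'; RunProfile = 'Delta Import' }
)
# Testing the Scenario: bring the user in through the FileMA, then export and confirm on the FIMMA.
$DeployUser = @(
    @{ MA = 'Fabrikam FileMA'; RunProfile = 'Full Import' },
    @{ MA = 'Fabrikam FileMA'; RunProfile = 'Full Synchronization' },
    @{ MA = 'Fabrikam FIMMA';  RunProfile = 'Export' },
    @{ MA = 'Fabrikam FIMMA';  RunProfile = 'Delta Import' }
)

# Run once after the configuration is complete:  Invoke-RunSequence $Initialize
# Deployment cycle: validate the file, stage it in the MaData folder, then run the profiles.
$problems = @(Test-FileMAData -Path $DataFile)
if ($problems.Count -gt 0) { $problems; throw 'Data file rejected; nothing was imported.' }
Copy-Item $DataFile $MaData
Invoke-RunSequence $DeployUser
```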