
Microsoft Virtual Labs

Microsoft Identity Integration Server 2003

Table of Contents

Microsoft Identity Integration Server 2003
Exercise 1 Create a new employee via a .Net Web-Application
Exercise 2 Create a new identity person object in MIIS and set its attributes
Exercise 3 MIIS creates new user accounts in the connected directories
Microsoft Identity Integration Server 2003

Objectives

The goal of this lab is to:
- Provide a hands-on experience on Microsoft Identity Integration Server 2003.
- Demonstrate the potential usage scenarios of the product.
- Show how easy it is to set up MIIS to synchronize different directories and data sources.
- Learn how to automate identity management tasks.
- Use MIIS to maintain a consistent state of the directories over the lifetime of accounts.

Estimated time to complete this lab: 55 minutes

Exercise 1
Create a new employee via a .Net Web-Application

Scenario
Create and approve user accounts for a new employee in Active Directory and iPlanet Directory
Server 5.1.
The Malelane Corporation has a web application that they use to add new employees and create
accounts for them in the Active Directory and iPlanet. You are a recruiter who works in the Human
Resources (HR) department. The CEO, Super Boss, just hired Jane Smith for the Marketing team
and Peter Pan for the Sales Team.

What will we cover?


This workshop will demonstrate how MIIS enables the creation and flow of the user identity data
across directories. During this Exercise you will:
- Create a new employee in a simulated HR application.
- See how MIIS is configured to flow objects and attributes from source to target data
  sources/directories.
- Run a Management Agent (MA) to interactively trigger rules in MIIS.
- Connect to iPlanet and Active Directory to view the newly created users.
The basic process flow is outlined in the illustration below:
- Create a new employee via a .Net Web-Application
- A new identity person object is created in MIIS and its attributes are set.
- MIIS creates new user accounts in the connected directories.

[Figure: process flow with steps numbered 1 to 3, linking Create New User, Approval, MIIS 2003, Active Directory and iPlanet Directory]

Tasks Detailed steps

1. Launch the Internet Explorer.
   a. In the Quick Launch menu click the Internet Explorer icon.
   b. Browse to http://miishol/miisapproval/employee.aspx to launch the Microsoft Identity
      Integration Server 2003 Employee Account Provisioning with one-step workflow demo home page.
2. Note that you were a recruiter who works in the HR department. You are now ready to add the
   2 new employees into the system via this web page.
   a. Enter the following information next to the related fields:
      - Firstname : Jane
      - Lastname : Smith
      - Department : Marketing
      - Manager : Super Boss (1000)
   b. Click the Save Account for new hire button to continue.
   c. Repeat the steps above to create another employee:
      - Firstname : Peter
      - Lastname : Pan
      - Department : Sales
      - Manager : Super Boss (1000)
   d. Click the Save Account for new hire button to continue.
      We have now added the employee information for Jane and Peter who are in different
      departments but are reporting to the same manager.
3. Submit the new accounts to MIIS 2003.
   a. Click the Submit new accounts to MIIS button.
      This will submit new accounts to MIIS 2003 and prepare them for the “approval” phase
      (which will be explained later).
   b. Close the Internet Explorer window.
4. Investigate the import using MIIS.
   a. Double click the Identity Manager icon on your desktop.
      This launches the MIIS Identity Manager console. From there, you can configure and manage
      the MIIS 2003 components.
   b. Click the Operations view.
      You should see two entries at the top of the operations list: WorkflowSTX and ERP. These
      are the two Management Agents that were executed when we created the two new employee
      accounts and submitted them to MIIS.
   c. Click the ERP entry.
      On the bottom portion of the screen (as indicated in the illustration below), you’ll see
      the synchronization statistics Staging, Inbound Synchronization and Outbound
      Synchronization.
      Note that 2 adds and 2 projections were reported. This indicates that the two employee
      accounts were successfully imported from the ERP management agent and created in the MIIS
      Metaverse, which is the central identity store.
      Note also that 2 provisioning adds happened to the WorkflowSTX Management Agent during
      outbound synchronization. This indicates that based on the two additions into the MIIS
      Metaverse, two new entries were created in the WorkflowSTX system.
      MIIS keeps track of all operations, incoming and outgoing, in its SQL Server 2000 database.
   d. Click WorkflowSTX in the Operations view.
      On the left-hand side you’ll see 2 run steps: Step 1 and Step 2. That means that when the
      WorkflowSTX management agent was executed, it completed its execution in 2 different run
      steps.
   e. Click Step 1.
      See that Step Type is Export.
      Note that during the import run of the ERP management agent 2 objects were created in the
      WorkflowSTX system. Now, those objects are pushed out to the actual WorkflowSTX directory.
      Hence you see 2 adds in the export statistics.
   f. Click Step 2.
      See that the 2 objects exported in the first step are successfully confirmed with an
      import run.
   g. Minimize the MIIS Identity Manager console.
5. Check Active Directory Users and Computers for the new users.
   a. Double click the Active Directory Users and Computers management console on your desktop.
   b. Navigate to the MIIS2003HOL container.
   c. Open the Managers container.
      You’ll see the user account for the CIO, Boss, Super. If you select the People container,
      you’ll find no entries.
      This shows that our 2 new employees created and submitted to MIIS 2003 in Task 4 still
      haven’t been provisioned to the Active Directory store. They are waiting to be approved.
6. Approve the accounts for the new employees.
   a. In the Quick Launch menu click the Internet Explorer icon.
   b. Browse to http://miishol/miisapproval or select the MIIS 2003 – New Employee Approval
      item from the Favorites menu.
      See that 2 new employee accounts we submitted to MIIS 2003 have their status waiting.
   c. Select the Edit icon on Peter Pan.
   d. Select approved from the combo box and enter the new alias PeterP for the new employee.
   e. Type peterp for Email alias:.
   f. Click on the ; for approval.
   g. Select the Edit icon on Jane Smith.
   h. Select approved from the combo box and enter the new alias JaneS for the new employee.
   i. Type janes for Email alias:.
   j. Click on the ; for approval.
   k. Click the Submit changes to MIIS button.
   l. Close the Internet Explorer.
7. Add new agent to iPlanet.
   a. Switch to the Identity Manager console and click Management Agents.
      In this view all Management Agents used in the scenario are listed. Management Agents in
      MIIS maintain the connectivity to other data sources.
      Submitting approvals to MIIS in Step 7 triggered the execution of a number of management
      agents in MIIS 2003. Netscape management agent was one of them.
   b. Click Netscape.
      On the bottom of the screen you will see the statistics of the last Management Agent run.
   c. Click Step1.
      Under Export statistics you’ll see that one new account was added to the iPlanet system.
   d. Minimize all windows.
8. Verify that the corresponding user accounts have been created at iPlanet.
   a. Double click the iPlanet console icon on your desktop.
   b. Enter the following credentials in the login dialog:
      - User ID : cn=Directory Manager
      - Password : password
   c. Click OK.
   d. Navigate down the tree view to “Directory Server” (iPlanerHOL).
   e. Click Open.
   f. Click the Directory tab.
   g. Open miishol and click People.
   h. The People OU will have the following users:
      - Superboss
      - PeterP
      - JaneS
      Note that 2 new user accounts – PeterP and JaneS – were successfully created in iPlanet
      server.
   i. Close the iPlanet console.
9. Verify successful Active Directory account creation.
   a. Switch to the Active Directory Users and Computers management console.
   b. Click the People container and click Refresh.
      We see that Jane and Peter’s Active Directory accounts were successfully created.
10. Take a closer look into MIIS to see how some of the rules were configured to flow
    information between the directories. You will see how easy it is to define the
    synchronization of identity information within MIIS.
   a. Switch to the MIIS Identity Manager console and click Management Agents.
   b. Click the ERP management agent.
   c. Click Actions | Properties.
      The Properties dialog will appear.
   d. Click the Configure Attribute Flow tab.
      We see that a flow rule is defined between the employee object type in ERP data source
      and the person object in the metaverse.
   e. In the details pane click the + sign to expand the flow rule.
      This view shows in detail, which attributes in the data source object are flowed to which
      attributes of the metaverse object. Notice that all the flows are defined as import
      flows, this means data will flow only into MIIS.
   f. Click Cancel to close the Properties dialog.
   g. In MIIS Identity Manager click the Active Directory management agent.
   h. Click Action | Properties.
   i. Select the Configure Attribute Flow tab.
      We see that a flow rule is defined between the user object type in Active Directory and
      the person object in the metaverse.
   j. In the details pane click the + sign to expand the flow rule.
      Notice that this time, some attribute flows are defined inbound and some others are
      defined outbound. This means we can both import attributes for an object from Active
      Directory and export attributes to it.
   k. Click Cancel to close the Properties dialog.
   l. In MIIS Identity Manager select the Netscape management agent.
   m. Click Action | Properties.
   n. Select the Configure Attribute Flow tab.
      We see that a flow rule is defined between the inetOrgPerson object type in iPlanet and
      the person object in the metaverse.
   o. In the details pane click the + sign to expand the flow rule.
      We see that all the attribute flows in Netscape management agent are export only. This
      means no objects contribute any attributes to the metaverse from the iPlanet directory.
   p. Click Cancel to close the Properties dialog.

Summary
We have examined the synchronization of identity information between different data sources
based on an HR driven account provisioning scenario. You’ve seen how MIIS keeps track of the
operations performed in different identity systems.
You’ve also seen how to perform a simple one-step workflow. Finally you’ve seen how MIIS
Identity Manager lets you easily define attribute flow between the connected systems.
Note that this is only one scenario that showcases some of the basic functionalities of MIIS. Of
course more sophisticated identity integration and management applications can be built with MIIS
2003.
To learn more on how to configure MIIS, continue with Exercise 2.

Exercise 2
Create a new identity person object in MIIS and set its attributes

Scenario
In this exercise, you will learn how to add additional information into the identity integration
process, change identity data flow rules in the MIIS system and add a new directory into the
scenario.

Continuing from where we left off in Exercise 1, the Melane Corporation needs to keep
employees' phone numbers and address information in sync between the various systems. They
want the information they have in the HR system to be used throughout.

What will we cover?


This workshop will demonstrate how MIIS helps you control your environment from a central
location.
During this LAB you will:
- Select additional information for usage in MIIS.
- Change the MA to flow the new information between the connected systems.
- Run MIIS Management Agents and validate that the changes are reflected to all the
  directories.
- Use Visual Studio.Net to set up more advanced rules in MIIS.

[Figure: process flow for Exercise 2. Labels: Make change to the user object; Active Directory User Object; Make change to MVExtension; Visual Studio.Net; Change MA; Run MA to Sync MV and iPlanet; MIIS 2003; iPlanet Directory]

Tasks Detailed steps

1. Open the Visual Studio.NET project.
   a. Click Start | All Programs | Microsoft Visual Studio .NET 2003 | Microsoft Visual
      Studio.NET 2003.
   b. Open the project MVExtension by clicking on it in the projects list.
      This is the actual provisioning script used in the scenario.
2. Modify the provisioning script.
   a. To remove the comment from the statement to enable provisioning to AD/AM replace:
         '*** ProvisionAccountToAdam (mventry)
      with:
         ProvisionAccountToAdam (mventry)
3. Rebuild the project.
   a. Click Build | Rebuild MVExtension.
   b. Close Visual Studio.NET.
4. Add new attributes to an employee object in Active Directory.
   a. Switch to Active Directory Users and Computers.
   b. Open the People container under hol.com | MIIS2003HOL.
   c. Double click Peter Pan to bring up the Properties dialog.
   d. Click the Address Tab.
   e. Add new Street address, City, Zip and Country information in the appropriate fields.
   f. Click OK.
5. Define flow rules.
   a. Switch to the Identity Manager.
   b. Click the Management Agents tab.
   c. Click ActiveDirectory.
   d. Click Action | Properties.
   e. Click Select Attributes.
   f. Click to select co, postalCode and streetAddress.
   g. Click OK.
   h. Click ActiveDirectory.
   i. Click Action | Properties.
   j. Click Configure Attribute Flow.
   k. In the details pane click the + sign to expand the flow rule.
      Now we’ll define flow rules for the attributes we just added in the previous task.
   l. Click to select the co attribute under the Data source attribute section.
   m. Click to select the co attribute under the Metaverse Attribute section.
   n. Make sure Flow direction is defined as Import.
   o. Click New.
      We just defined an import flow rule from co attribute in data source to co attribute in
      metaverse.
   p. Create import flow rules for the following attributes as well:
      - From postalCode in data source to postalCode in metaverse.
      - From streetAddress in data source to postalAddress in metaverse.
   q. Close the Properties dialog and define the flow rules for the following MAs:
      - For Netscape MA:
        - From postalCode in data source to postalCode in metaverse. But this time the flow
          direction should be Export.
   r. For ADAM MA:
      - From co in data source to co in metaverse. The flow direction should be Export.
      - From postalCode in data source to postalCode in metaverse. The flow direction should be
        Export.
      - From postalAddress in data source to street in metaverse. The flow direction should be
        Export.
6. Run the Management Agent.
   a. Click the Management Agents tab in Identity Manager.
   b. Click ActiveDirectory.
   c. Click Actions | Run.
   d. Click the FullImport run profile and click OK.
      The management agent will start running. Once the MA run is complete, the run result is
      displayed on the bottom portion of the screen.
7. Confirm that attributes have been updated in the metaverse.
   a. Click the Metaverse Search tab.
   b. Click Search.
      This will bring up all the objects in the metaverse.
   c. Double-click Pan, Peter.
      You will notice that the additional attributes with the fields we updated in Active
      Directory are now in the metaverse.
   d. Click Close.
8. Run the Management Agents.
   a. Click the Management Agents tab.
   b. Click ADAM.
   c. Click Actions | Run.
   d. Click the Export run profile and click OK.
   e. Click Netscape.
   f. Click Actions | Run.
   g. Click the Export run profile and click OK.
      Note: If a warning dialogue appears, click No to continue with an Export run profile.
   h. Minimize all windows.
9. Bind LDP to the Domain.
   a. Double click the LDP icon on your desktop.
   b. Click Connection | Connect.
   c. Enter the following connection information:
      - Server : miishol
      - Port : 50002
   d. Click OK
   e. Select Connection | Bind.
   f. Click OK to bind to Domain.
   g. Select View | Tree.
   h. Use BaseDN DC=MIIS2003HOL,DC=COM.
   i. Expand the tree and double click on OU=People.
      You’ll see 3 users successfully created in AD/AM directory. These users were created
      after we modified the provisioning script and ran the MAs.
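
The import and export flow directions configured in Exercise 1, Task 10 and Exercise 2, Task 5 decide which directory is allowed to change metaverse data. The Python model below is an added example, not part of the lab or of MIIS: it covers the co and postalCode flows plus the Active Directory streetAddress import, assumes each run simply applies that agent's rules in one direction, and uses constructed attribute values.

```python
from dataclasses import dataclass

IMPORT, EXPORT = "import", "export"

@dataclass(frozen=True)
class FlowRule:
    ma: str         # management agent (connected directory)
    ds_attr: str    # attribute in the connected data source
    mv_attr: str    # attribute on the metaverse person object
    direction: str  # IMPORT: directory -> metaverse; EXPORT: the reverse

# Subset of the flow rules defined in Exercise 2, Task 5.
RULES = [
    FlowRule("ActiveDirectory", "co", "co", IMPORT),
    FlowRule("ActiveDirectory", "postalCode", "postalCode", IMPORT),
    FlowRule("ActiveDirectory", "streetAddress", "postalAddress", IMPORT),
    FlowRule("Netscape", "postalCode", "postalCode", EXPORT),
    FlowRule("ADAM", "co", "co", EXPORT),
    FlowRule("ADAM", "postalCode", "postalCode", EXPORT),
]

def run_import(ma, directories, metaverse):
    """Apply only the import rules of one management agent."""
    for r in RULES:
        if r.ma == ma and r.direction == IMPORT and r.ds_attr in directories[ma]:
            metaverse[r.mv_attr] = directories[ma][r.ds_attr]

def run_export(ma, directories, metaverse):
    """Apply only the export rules of one management agent."""
    for r in RULES:
        if r.ma == ma and r.direction == EXPORT and r.mv_attr in metaverse:
            directories[ma][r.ds_attr] = metaverse[r.mv_attr]

def contributors(mv_attr):
    """Management agents whose import rules can write this metaverse attribute."""
    return sorted({r.ma for r in RULES if r.mv_attr == mv_attr and r.direction == IMPORT})

def simulate():
    # Constructed sample values for one user, not data from the lab image.
    directories = {"ActiveDirectory": {"co": "Exampleland", "postalCode": "00000",
                                       "streetAddress": "1 Example Street"},
                   "ADAM": {}, "Netscape": {}}
    metaverse = {}
    run_import("ActiveDirectory", directories, metaverse)  # Task 6: FullImport
    for ma in ("ADAM", "Netscape"):                        # Task 8: Export
        run_export(ma, directories, metaverse)
    # Someone edits an export-only directory directly.
    directories["Netscape"]["postalCode"] = "99999"
    run_import("Netscape", directories, metaverse)  # no import rules, so no effect
    drift = directories["Netscape"]["postalCode"] != metaverse["postalCode"]
    run_export("Netscape", directories, metaverse)  # model: export rewrites the value
    return metaverse, directories, drift

if __name__ == "__main__":
    print(simulate(), contributors("postalCode"))
```

In this model only Active Directory contributes address data, so an edit made directly in iPlanet or ADAM never reaches the metaverse and shows up only as drift against it.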

Exercise 3
MIIS creates new user accounts in the connected directories

Scenario
In this exercise, you will configure and use the MIIS Password Management functionality.
Password Management is a feature of MIIS 2003. This demo has also shipped with the product and
can be found under Password Management.
This application allows Help Desk personnel to change a user’s password via a webpage. In this
example, the password is set in MyMIIS Active Directory and ADAM Extranet.

What will we cover?


This workshop will demonstrate how MIIS helps you control your directory environment from a
central location.
During this LAB you will change a user’s password from a web-page and flow the new password to
different directories through MIIS.

Tasks Detailed steps

1. Employ Password Management.
   a. In the Quick Launch menu click the Internet Explorer icon.
   b. Click Favorites and select Microsoft Identity Integration Server 2003 - Password
      Management.
      Using the Web application, the help desk operator uses the user and domain name of a
      caller to search and retrieve a list of connector space objects that are joined to the
      user’s metaverse object.
   c. Enter the following user:
      - User Name : JaneS
      - Domain : HOL
   d. Click Search.
      The account information for Jane will be displayed.
   e. Enter a password of SeeMonkey1 and confirm the change by hitting Submit.
   f. Click the History link on Mymiis Active Directory Domain.
      You’ll see when the last changes occurred on this user object.
