FIM 2010 Management Agents from Partners
Forefront Identity Manager includes a number of different management agents to connect to a variety of data sources. To enable you to connect to other data sources, FIM includes the Extensible Connectivity Management Agent (ECMA). To interact with a data source, the ECMA uses a connected data source extension. A connected data source extension is a Microsoft .NET Framework assembly that is implemented in the form of a dynamic link library (.dll) file.
You can create this extension by using any programming language and compiler that creates a .NET Framework assembly. For more information, see Creating Connected Data Source Extensions.
There are a number of partners that have created Management Agents using the ECMA to connect to a number of different systems or just to enhance connectivity options that are available out of the box.
This article was first posted as a blog on http://blogs.technet.com/identitymanagement but now that more and more partners are developing MA's we want to move this to the WIKI so that we can get faster updates to this page.
If you are a partner and have updates, please join the TechNet wiki community and make updates and we will review before the page is updated.
Brjann Brekkan
Technical Product Manager - Identity and Access - Microsoft Corporation
MA's from some of our Identity and Access partners:
(partners sorted alphabetically)
Centrify
"Centrify's core capability is to extend Active Directory's authentication, authorization and group policy capabilities to non-Microsoft platforms such as UNIX, Linux and Mac. In doing this "identity consolidation" into Active Directory, UNIX attributes such as UNIX UIDs, home directories, etc. are stored within Active Directory, including the ability to map multiple UNIX UIDs to a single AD account (this technology is called Centrify Zones)."
In order to simplify provisioning of UNIX user profiles within Active Directory, Centrify provides a Provisioning Agent that leverages Active Directory Groups to automate the management of Centrify Zone profiles. Adding a user to the Active Directory control group for a specific Zone will cause the Zone Provisioning Agent to add a UNIX profile for that user to the Zone; similarly, removing the user from the group will delete the UNIX profile. In this way, Forefront Identity Manager only needs to manage an Active Directory Group's membership in order to manage the provisioning of Centrify UNIX profiles.
Also, because Centrify makes the AD username/password the global username/password, FIM's self-service password reset capabilities reach beyond Windows and into hundreds of non-Microsoft systems. For a free version of Centrify's software for Linux/AD integration, check out http://www.centrify.com/express/.
Community:
Management Agents available on blogs as well as on sites like sourceforge.com and Codeplex.com
Microsoft Dynamics AX MA
- Blog post series describing creating a MA for Dynamics AX:
  - MIIS/ILM/FIM Code Experiment: Dynamics AX Management Agent (part 1)
  - MIIS/ILM/FIM Code Experiment: Dynamics AX Management Agent (part 2)
  - MIIS/ILM/FIM Code Experiment: Dynamics AX Management Agent (part 3)
SharePoint List Management Agent (from Steven Kean at Version3)
The SharePoint List Management Agent is an attempt to provide an easy-to-use, familiar interface between ILM 2007 and a WSS 3.0 or MOSS 2007 list. It is deployed as a "PackagedMA" to help alleviate some of the more tedious tasks involved with the development of extensible management agents (ex. run profile configuration, object type configuration, data manipulation, etc.). For more information and to download the code please click here.
OpenLDAP MA (from SourceForge)
The OpenLDAP Extensible Management Agent (XMA) for Microsoft Identity Lifecycle Manager (ILM) enables efficient two-way synchronization of identity information with the OpenLDAP directory. For more information and to download the code please click here.
For other LDAP v3 directories such as Oracle Internet Directory, you can use the OpenLDAP MA as a starting point for integration with FIM.
Ensynch
Company website: http://www.ensynch.com/ida
Ensynch Google Apps MA
The Google Apps MA from Ensynch is capable of managing the entire Google account lifecycle. This MA is not only proficient at provisioning and de-provisioning tens of thousands of accounts, but can also synchronize password and bio-demographical data. With an additional SAML based SSO web site, users can continue to use their directory login to access their Google accounts.
Ensynch XMA for Databases
Ensynch’s Extensible Management Agent (XMA) for Databases is a configurable XMA capable of scaling to millions of objects and offers true delta processing on any database source. The XMA offers both Stored Procedure and XSLT customizations allowing for virtually any database to be queried and processed quickly and efficiently. Observed performance improvements over the built-in SQL or Oracle MA of between 10x and 20x.
Identity Forge
Company website: http://identityforge.com/products/idf-management-agent
ACF2, Top Secret, RACF, i5, ERP and OS Management Agent for FIM
The IdF Management Agent for FIM has been tightly integrated with Microsoft's Forefront Identity Manager as well as ILM and MIIS. The Management Agent works with IdF's Adapter Suite, providing Microsoft customers with an "out of the box" solution for ACF2, Top Secret, RACF, i5, SAP ECC, Solaris, AIX, Linux and other target applications.
Mainframe MA's - See current MA Datasheet for specs
- IBM-RACF - Currently Available
- CA-ACF2 - Currently Available
- CA-Top Secret - Currently Available
- CICS Target Release Date: September 2011
Midrange MA's - See current MA Datasheet for specs
- IBM-i5 (AS400) - Currently available
- HP Non-Stop Tandem - Currently available
- Open VMS Target Release Date: TBD
Unix MA
- Generic Unix MA Target Release Date: Currently Available (except HP-UX: September 2011)
- Supported Unix Systems: Oracle-Solaris, HP-UX, IBM-AIX, LINUX RED HAT
- Functionality:
  - Create and manage UNIX accounts using UNIX-specific account templates
  - Change account passwords and account activations in one place
  - Synchronize global users with their roles or synchronize global users' accounts with their account templates
  - Assign a UNIX policy to each of your UNIX endpoints
  - Use the default Endpoint Type policy to create accounts with the minimum
  - Create and manage UNIX groups
  - Generate and print reports about UNIX accounts and groups
SAP
- SAP r3 4.5 and higher
  - ERP - Currently Available
  - HR - May 2011
  - Web Services - May 2011
- SAP ECC 6.0 - Currently Available
- SAP HR 6.0 - May 2011
- SAP GRC - May 2011
Directory Service MA's
- LDAPv3 JNDI - Currently Available
- IBM Directory Integrator - Currently Available
Inceptio
Company website:
PowerShell Management Agent
The PowerShell Management Agent is a diverse Management Agent (MA) that can be used for many different purposes. It allows for PowerShell scripts to be run on addition, modification and/or deletes of objects in the connector space and supports any attribute (single-/multivalue) to be flowed as parameters to scripts.
Intercede
MyID MA for FIM
The MyID Management Agent for Microsoft Forefront Identity Manager allows MyID to simply ‘plug-in’ to FIM, adding MyID card and credential management capabilities to any FIM Identity Management enabled environment.
Omada
Visit www.omada.net for more information or contact Omada on email info@omada.net
Omada Connectivity Framework for FIM2010
Omada provides a range of Management Agents (MAs) supporting advanced deployments of FIM2010. The MAs cover integration to SAP, SAP GRC, Exchange, File shares, SharePoint, SCCM, PowerShell and more.
SAP MA
Omada's SAP MA is based on FIM's extensible connectivity management agent framework. The agent supports both full and delta imports as well as exports. The integration to SAP is performed via web services, and supports interaction directly with the SAP backend such as SAP, SAP HR, SAP BI etc. or via SAP PI. Omada provides web services for various objects in SAP such as Org. Units (organizational structure in SAP HR), Employees, Cost Centers (including the hierarchy), Company Codes, Users (includes Password reset), Roles (With Transaction Codes, Auth. Objects).
Omada also provides advanced integration to SAP GRC.
System Center Configuration Manager MA
Omada's SCCM Management Agent is based on FIM's extensible connectivity management agent framework. The agent supports full import of systems, collections, collection assignments, and installs from a SCCM system. On export, the agent supports the addition of systems to collections, as well as removal of a system from a collection.
Exchange Objects MA
Omada's Exchange Object Management Agent is based on FIM's extensible connectivity management agent framework. The agent supports full import, and can move mailboxes within an Exchange organization. The agent has two modes of export operation: 1) synchronous moves of mailboxes 2) asynchronous moves of mailboxes (i.e., multiple threads moving mailboxes).
File share MA
Omada's File Share Management Agent is based on FIM's extensible connectivity management agent framework. The agent supports import and export operations, and can create, move/rename, and delete file shares. Additionally, the agent can optionally set permissions on file shares, and move file shares between different file system volumes.
Home Folder MA
Omada's Home Folder Management Agent is based on FIM's extensible connectivity management agent framework. The agent supports import and export operations, and can create, move/rename, and delete home folders. Additionally, the agent can optionally set permissions on folders, and move home folders between different file system volumes.
PowerShell MA
Omada's PowerShell Management Agent is based on FIM's extensible connectivity management agent framework. The agent supports export (add) of a script with parameters to execute. The agent is based on the "post processing" approach to creating extensible management agents that execute external (to FIM) commands.
Initial Load MA's
Omada provides a number of Management Agents which are used to populate the FIM Portal with the customer's existing Accounts and group memberships in the target systems such as Active Directory, ADLDS, SAP etc.
SharePoint MA
The SharePoint Management Agent is based on SharePoint's standard API. The agent supports full import of users, sites, lists, permissions and permission levels. On export, the agent supports adding user permissions and revokes violating permissions.
Oxford Computer Group
Company website: http://www.oxfordcomputergroup.com/OCG_Components
SharePoint MA
Oxford Computer Group's SharePoint MA makes the creation, deletion and maintenance of up-to-date SharePoint profiles significantly easier. The solution allows an organization's SharePoint user profiles to be kept up-to-date by FIM. FIM populates the SharePoint user profiles with data from any of its connected data sources, such as Active Directory, HR systems, company white pages, email Global Address Lists etc. By utilizing FIM's provisioning and deprovisioning power, an organization's SharePoint user profiles can be created and deleted in line with its business rules. That means a new starter can have access to all the required and approved systems from the minute they join the company. It also means their access privileges can be changed as and when required and removed when they leave. This significantly reduces the possibility of data theft.
SAP MA
Oxford Computer Group provides a solution specifically designed for organizations running SAP HR, R/3 and Netweaver. The MA integrates SAP with FIM and uses standard BAPI calls to manage employees, users and roles. By combining the power and flexibility of Microsoft Forefront Identity Manager (FIM) with a bespoke connector for SAP, OCG have created a cost-effective and easily deployable solution to address issues of identity and access management.
Delta Generator MA
Oxford Computer Group's Delta Generator is a replacement for the Microsoft SQL and Oracle MA. It specifically adds delta imports for those systems that do not support deltas. It significantly reduces sync time and is, in some cases, orders of magnitude faster than the MS MA even for full imports.
Blackberry (BES) MA
Oxford Computer Group (OCG) provide solutions that use Microsoft Forefront Identity Manager (FIM) to manage Blackberry® identity and security by integrating with Blackberry® Enterprise Server (BES), the management solution for Blackberry®. This allows secure access for Blackberrys to be managed through an integrated solution in the same way as other enterprise systems. To complement FIM, OCG has developed a .NET-based Management Agent for BES (BES XMA). This provides added functionality and tighter integration between FIM and BES. The integration of BES XMA helps increase IT productivity and reduce administrative overheads by enabling centralized control and management of user accounts and mobile devices.
Quest
Company website: http://www.quest.com/
Quest Active Roles MA (Quest MA for FIM)
Quest Management Agent for Forefront Identity Manager allows you to combine the capabilities provided by Quest ActiveRoles Server and Microsoft Forefront Identity Manager (FIM) to automate user management tasks. With Quest Management Agent for Forefront Identity Manager you can benefit from the bi-directional synchronization of user accounts, groups, and other directory objects between FIM and the Active Directory domains and AD LDS (ADAM) instances managed by ActiveRoles Server.
Schakra
Company website: http://www.schakra.com/Services.aspx
Home Directory Management Agent
With the Home Directory Management Agent (HDMA) for FIM, user home directories can be managed with the same ease and familiar environment as other aspects of the identity lifecycle.
Traxion
Company website: http://www.traxion.com/
Imprivata Enterprise SSO Management Agent
With this solution Traxion and Imprivata offer a seamless integration of ILM/FIM with Imprivata OneSign enterprise single sign-on.
Unify
Company website: http://www.unifysolutions.net/
Identity Broker™ for FIM Connected Directories
The UNIFY Identity Broker is a service that solves the following issues:
- Connectivity to specific systems for which no MA exists - Identity Broker allows UNIFY to easily develop MAs to any system using its own API.
- Providing a framework of common patterns involved in connecting to sources of identity data, including security models, WCF, SOA, interconnectivity with other platforms, data modeling allowing targeted systems to appear as directories to the identity management platform;
- Complete implementation of all FIM's extensible management agent interfaces, regardless of the capabilities of the target system;
- Password synchronisation ability where target system maintains its own identity store for authentication/authorisation; and
- Real-time capabilities when matched with UNIFY Real-time Broker.
- Audit capture and reporting within Identity Broker
- Single Interface for managing all connected Brokers within the ILM/FIM solution
- GUI management interface for configuration and management, including application schema discovery and mapping
- Installation and configuration wizard including automated generation of ILM/FIM MA
UNIFY's list of Identity Broker MAs includes (but is not limited to) the following:
- Identity Broker for Microsoft SharePoint;
- Identity Broker for Aurion HRMS (Prevalent Australian Tier 2 HR application);
- Identity Broker for Frontier chris21 (Prevalent Tier 2 HR and Payroll. Clients in APAC and EMEA)
- Identity Broker for HP TRIM;
- IBM Tivoli Access Manager (allows ILM/FIM to manage TAM repository)
- Identity Broker for BigHand Digital Dictation;
- Identity Broker for Aderant Expert
- Identity Broker for LexisNexis InterAction.
- SAP HR (platform and version independent)
Note
To provide feedback about this article, create a post on the FIM TechNet Forum.