The FIM Windows Azure Active Directory (WAAD) connector uses the SourceAnchor field as the identifier of the Azure object. The SourceAnchor field is derived in WAAD via attribute flow extension from the Objectguid of the user object. In a multi-forest
Exchange organization where linked mailboxes are used, the user will have an account in the Exchange forest (disabled) and an account in the user forest. It is important that the objectGuid from the user forest is used when single sign on (SSO) is also use
for cloud authentication. The SSO application will pass the SourceAnchor as the ImmutableID to the user’s forest.
If you have a perfect Exchange resource forest model where there are no user accounts in the Exchange forest that need to be synced to the Azure then the sync and SSO works well. If you have user accounts or mailboxes in the Exchange forest that also
need to be synced then it becomes challenging controlling which objectGuid will be used to create the SourceAnchor for the user and you may begin to see users complaining about SSO issues. The scenario below is an example of such a case and offers a solution
or how to mitigate the issue.
Contoso is a multi-forest Exchange organization. There is an Exchange forest and three user account forests. The Exchange forest is known as Contoso and it also contains user accounts. There are mailboxes for users in the Contoso forests and linked
mailboxes for users in other forests. Contoso uses FIM Windows Azure Active Directory (WAAD) connector to synch all its forests with Azure. ADFS Federation is used for single sign on (SSO). The WAAD SourceAnchor field from the
user home forest is used as the ADFS ImmutableID.
Contoso would like the following requirements for the synchronization of linked mailboxes
Create a binary field in MV for person Object called msExchMasterAccountSid
Add a direct attribute flow in Contoso to flow CS.msExchMasterAccountSid to MV.msExchMasterAccountSid
Create a join in the user forest CS.Objectguid to MV.msexchMasterAccountSid
Create a Boolean field in MV for person Object called SAChangeStatus
Add an advanced attribute flow in Contoso and user forest to flow CS. objectSid to MV.SAChangeStatus. The name of the flow rule name is “CheckSAStatus”. Update the template MA xml file for user forest and Contoso.
Go to Metaverse designer, Person object, Source Anchor, in the attribute flow precedence set Contoso to the bottom of the list. Remember to do this when you connect a new user forest.
The WAAD connector package comes with some default extension files which will be
Check if the MV.SourceAnchor is present and CS Management agent is not Contoso then check if the SourceAnchor value from the Azure is different from what is derived from the CS.Objectguid. if different then set MV.SAChangeStatus to TRUE else MV.SAChangeStatus
First time import/projection If not first time (if MV.SourceAnchor already exists) then check if the CS Management agent is not Contoso and if the SourceAnchor value from the CS is different from what is in the MV.
Check if MV.SAChangeStatus is TRUE. If so, then deprovision the Azure object.
//TODO determine Where to get sourceAnchor from
string OldSourceAnchor =
string newSourceAnchor =
string nameofCSMA = csentry.MA.Name;
ConnectedMA controllerMA = mventry.ConnectedMAs[
].IsPresent & nameofCSMA !=
CSEntry WAADcsentry = controllerMA.Connectors.ByIndex;
OldSourceAnchor = WAADcsentry[
newSourceAnchor = Convert.ToBase64String(csentry[
(OldSourceAnchor != newSourceAnchor)
//set the mventry for change in SourceAnchor to true.
//Only process if it is not from the Exchange Forest and the SourceAnchor is different
//meaning that Exchange forest has already projected first
string nameoftheCSMA = csentry.MA.Name;
].IsPresent & nameoftheCSMA !=
string TheOldSourceAnchor = mventry[
string ThenewSourceAnchor = Convert.ToBase64String(csentry[
(TheOldSourceAnchor != ThenewSourceAnchor)
//set the mventry SourceAnchor.
].StringValue = Convert.ToBase64String(csentry[
//If the user does not exist in MV - first time projection
].StringValue = convert.ToBase64String(csentry[
//check if the SAChangeStatus is true, if so deprovision the WAAD csentry
ConnectedMA controllerMA = mvEntry.ConnectedMAs[
//set the SAChangeStatus to false