Send message or call out to FIM Synchronization from external BPM application to add user to Active Directory in "real-time" Transactionally?

  • Question

  • We have a need for an external BPM application to remotely call FIM synchronization engine (FIM 2010), or to be able send a message to FIM to add a user to Active Directory as one of BPM's process flow steps.  Can FIM be set up to listen on a WebSphere MQ queue for a message, read the message, and sync to AD?  Or, can an external application call a web service within FIM synchronization to add a user to AD?  This needs to be done in a "real-time"/transactional fashion.   Thanks.

    Friday, August 10, 2012 2:55 PM

Answers

  • Thanks, Paul.  But I don't want to use the FIM Portal (I think it is goofy and confusing) and do not want to purchase yet another product.  The current directory integration/synchronization product we currently have will sync in real-time "out-of-the-box" with MQ, web services, etc., and is much more flexible than FIM.  We might just stick with that.  Thanks again for the information.
    Wednesday, August 15, 2012 4:51 PM

All replies

  • FIM doesn't support per-user operations, although it would be possible to initiate import/sync/export steps with some glue scripts between MQ and FIM.  However, any/all of these steps might fail if a given Management Agent is already running--and it's really not a "transaction" in the usual sense at all.
    Friday, August 10, 2012 5:18 PM
  • Thanks.  That is what I thought.  Is there a way via a web service call to FIM?
    Friday, August 10, 2012 6:38 PM
  • You could call into FIM's web service APIs but that's going to be pretty difficult and not especially well documented. You might want to just have an app listen to the WebSphere queue and drop the messages into a SQL/Oracle table that FIM can pick up through a straight SQL/Oracle MA.

    My Book - Active Directory, 4th Edition
    My Blog - www.briandesmond.com

    Friday, August 10, 2012 6:52 PM
    Moderator
  • But then I would have to schedule the MA import/sync to run very frequently to try to make it somewhat "real-time" transactional.  Plus there will be extra parts and pieces for possible failure points.  We might have to look at a different solution other than FIM for this.  Thanks, Brian.
    Friday, August 10, 2012 7:29 PM
  • It might be better to build a point solution for transactional provisioning of single users in this case--or, move some of the business workflow into a FIM workflow.  The FIM Sync Engine is more oriented towards batch processing and synchronization.
    Friday, August 10, 2012 7:42 PM
  • Thanks. I will bring that up to my management here, and I have mentioned to them already about using FIM Portal as the place for centralized user management.  But, they are committed to using our BPM solution/product to kick off and flow the whole process of on-boarding/provisioning new users.  We are currently provisioning users in LDAP in a "real-time"/transactional fashion using MQ (JMS) messaging, but with a different directory synchronization product.  So, they would have new architectural, high-level design considerations.

    Friday, August 10, 2012 7:53 PM
  • Have a look at our approach to event-driven FIM synchronization by following the links below, and if you have any questions on the approach I'll be happy to answer them.  While the statements above are mostly correct in that operations using the FIM Sync service can not be targeted to specific objects, it is possible to achieve what you are looking for by ensuring changes are detected and replicated on a just-in-time basis.  I have been arguing for some time that this scenario is a valid use case for FIM, have been implementing this approach since 2005, and I will continue to do so.

    Bob Bradley (FIMBob @ TheFIMTeam.com) ... now using Event Broker 3.0 for just-in-time delivery of FIM 2010 policy via the sync engine, and continuous compliance for FIM

    Saturday, August 11, 2012 2:30 PM
  • Thanks, UNIFYBob.  So, you have a product to sell, and you say it will do the things we are looking for such as trigger an MA sync from a message delivered to an MQ queue?  I will check out your link and read through the documentation.

    It seems that Microsoft should have that functionality built into the synchronization engine.

    Thanks again.

    Monday, August 13, 2012 4:41 PM
  • Just something to consider - FIM run profiles don't guarantee any particular outcome in any particular timeframe or order, so you would need to write additional scripts to verify the result of the transaction you expect to happen and to notify the business workflow to continue / retry / error-out.  E.g., you can tell FIM "import and sync data from HRMS", but this might take half an hour or more, or the user records might turn out to be incomplete or erroneous, but FIM doesn't expose object-level results like you might expect from a broker-oriented approach: the FIM Sync Service is a fundamentally different architecture from a broker or transacted service.  In most regards this is a very good thing for sync, but it may not fit every business.
    Monday, August 13, 2012 4:57 PM
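    The glue pattern sketched in the replies above (an application takes the request off the queue, stages it in a SQL table for a SQL MA, kicks the run profiles, and then has to verify the outcome itself because FIM returns no object-level result) looks roughly like the following PowerShell script. This is an added example written for this thread, not code from any of the posters or from Microsoft. It uses the FIM Sync engine's WMI provider (`MIIS_ManagementAgent` in `root\MicrosoftIdentityIntegrationServer`) and the ActiveDirectory module; the staging table `dbo.ProvisioningRequests`, the MA names, the run profile names and the sample payload are all assumed placeholders, and the MQ consumer that would feed it is left out.

```powershell
# Added example, not code from any poster in this thread. Glue script for the
# pattern discussed above: stage one request for a SQL MA, run the FIM run
# profiles through the MIIS WMI provider, then verify the AD object and hand a
# Continue/Retry/Error verdict back to the BPM workflow.
# Values marked ASSUMED are hypothetical names chosen for this example.
param(
    [string]$SqlConnectionString = "Server=FIMSQL;Database=Staging;Integrated Security=True", # ASSUMED
    [string]$SourceMA      = "HR Staging (SQL)",            # ASSUMED SQL MA name
    [string]$SourceProfile = "Delta Import and Delta Sync",  # ASSUMED run profile name
    [string]$AdMA          = "Active Directory",             # ASSUMED AD MA name
    [string]$AdProfile     = "Export",                       # ASSUMED run profile name
    [int]$VerifyTimeoutSeconds = 300,
    [int]$PollSeconds = 10
)

Import-Module ActiveDirectory

# WMI namespace of the FIM 2010 / MIIS synchronization engine.
$FimNamespace = 'root\MicrosoftIdentityIntegrationServer'

function Add-StagingRow {
    # Insert the queue payload into the table the SQL MA imports from. RequestId
    # is stored as well so the result can be correlated with the BPM step.
    param([hashtable]$Request)
    $conn = New-Object System.Data.SqlClient.SqlConnection $SqlConnectionString
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "INSERT INTO dbo.ProvisioningRequests " +
            "(RequestId, EmployeeId, sAMAccountName, GivenName, Surname) " +
            "VALUES (@rid, @eid, @sam, @gn, @sn)"   # parameterised, never concatenated
        [void]$cmd.Parameters.AddWithValue('@rid', $Request.RequestId)
        [void]$cmd.Parameters.AddWithValue('@eid', $Request.EmployeeId)
        [void]$cmd.Parameters.AddWithValue('@sam', $Request.sAMAccountName)
        [void]$cmd.Parameters.AddWithValue('@gn',  $Request.GivenName)
        [void]$cmd.Parameters.AddWithValue('@sn',  $Request.Surname)
        [void]$cmd.ExecuteNonQuery()
    } finally {
        $conn.Close()
    }
}

function Invoke-FimRunProfile {
    # Run one run profile on one MA. Execute() returns a status string; only
    # "success" counts as a pass. Anything else (for example the MA is already
    # running, or the step completed with errors) is returned unchanged so the
    # caller can decide whether to retry.
    param([string]$MaName, [string]$ProfileName)
    $escaped = $MaName -replace "'", "''"
    $ma = Get-WmiObject -Namespace $FimNamespace -Class MIIS_ManagementAgent -Filter "Name='$escaped'"
    if (-not $ma) { throw "Management agent '$MaName' not found" }
    return [string]$ma.Execute($ProfileName).ReturnValue
}

function Wait-AdUser {
    # FIM does not report object-level outcomes, so poll AD for the account.
    param([string]$SamAccountName, [int]$TimeoutSeconds, [int]$IntervalSeconds)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $user = Get-ADUser -Filter { sAMAccountName -eq $SamAccountName } -ErrorAction SilentlyContinue
        if ($user) { return $user }
        Start-Sleep -Seconds $IntervalSeconds
    } while ((Get-Date) -lt $deadline)
    return $null
}

function Invoke-ProvisioningRequest {
    # Returns the verdict the BPM step needs: Continue, Retry or Error plus detail.
    param([hashtable]$Request)
    Add-StagingRow -Request $Request

    $steps = @(
        @{ MA = $SourceMA; Profile = $SourceProfile },   # import + sync the staged row
        @{ MA = $AdMA;     Profile = $AdProfile }        # export the pending add to AD
    )
    foreach ($step in $steps) {
        $status = Invoke-FimRunProfile -MaName $step.MA -ProfileName $step.Profile
        if ($status -ne 'success') {
            return [pscustomobject]@{ RequestId = $Request.RequestId; Verdict = 'Retry'
                                      Detail = "$($step.MA)/$($step.Profile): $status" }
        }
    }

    $user = Wait-AdUser -SamAccountName $Request.sAMAccountName -TimeoutSeconds $VerifyTimeoutSeconds -IntervalSeconds $PollSeconds
    if ($user) {
        return [pscustomobject]@{ RequestId = $Request.RequestId; Verdict = 'Continue'; Detail = $user.DistinguishedName }
    }
    return [pscustomobject]@{ RequestId = $Request.RequestId; Verdict = 'Error'
                              Detail = "account not found in AD after $VerifyTimeoutSeconds s" }
}

# Constructed sample payload standing in for one message taken off the MQ queue.
$sample = @{
    RequestId      = 'BPM-0001'
    EmployeeId     = '100042'
    sAMAccountName = 'jdoe'
    GivenName      = 'Jane'
    Surname        = 'Doe'
}
Invoke-ProvisioningRequest -Request $sample | Format-List
```

    The script treats every non-"success" status from the engine as a Retry rather than a hard failure, because the most common cause in this design is simply that another run profile on the same MA was still in progress; the BPM step owns the retry budget and the final error-out decision, which is the division of responsibility Steve describes above.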
  • The FIM Sync service is a perfectly good state engine to drive workflow.  When used in this way, together with management agents and corresponding configuration that provide efficient delta import capability (and half an hour doesn't cut it for me - I am talking a good sync design where a DI/DS takes seconds or at worst minutes), and a precedence model that says a BIG NO to the concept of equal precedence, then you can achieve the kind of outcomes you desire.  If you can't optimise your FIM Sync design in this way then Steve's points ring true - but don't give up if you hit this stumbling block.  Don't work harder, work smarter.

    It comes down to the use cases you are designing a FIM solution to accommodate.  I am not saying for a minute that I am presumptuous enough to understand your environment or business requirements based on a couple of paragraphs, but if you are willing to consider a more efficient variation on the default FIM sync model then you should find the roadblocks start to come down.


    Bob Bradley (FIMBob @ TheFIMTeam.com) ... now using Event Broker 3.0 for just-in-time delivery of FIM 2010 policy via the sync engine, and continuous compliance for FIM

    Monday, August 13, 2012 10:08 PM
  • We have done a proof of concept using Webmethods to create 'tickets' within the FIM portal. FIM portal logic converted these into actions, which means create user or update group membership; this worked very well.

    Using the IM Sequencer we can sync the data in real time from the FIM portal to whatever target you need.


    Need realtime FIM synchronization and advanced reporting? check out the new http://www.imsequencer.com that supports FIM 2010, Omada Identity Manager, SQL, File, AD or Powershell real time synchronization!

    Tuesday, August 14, 2012 9:49 AM
  • Unfortunately you are just reinforcing the argument we've been making for years ... this feature arguably should have been "baked in" from the start.  We have been making this point since MIIS, but Microsoft have never seen it as a significant priority, and disappointingly continue to lose business as a result.  Still, even with the outlay of a 3rd party complementary FIM product to achieve this outcome, I wouldn't have thought the expense was prohibitive by any means, and FIM still compares favourably with any other Gartner magic quadrant option.  Interested to hear which product you are currently using?

    Bob Bradley (FIMBob @ TheFIMTeam.com) ... now using Event Broker 3.0 for just-in-time delivery of FIM 2010 policy via the sync engine, and continuous compliance for FIM

    Wednesday, August 15, 2012 10:26 PM
  • One thing to remark, if you don't want to use the FIM portal you can still have some 'near real time' synchronization using FIM sync and our commercial product (see link below).

    What you need is a Management Agent that imports the data from a source you desire (or where your BPM solution can deliver information, for instance SQL or LDS).

    Then you can call the web service from our product to start synchronization; this can then start the management agent and start synchronization. Just to give you a thought, that is also what UNIFYBob's solution offers, to give you multiple solutions.

    FIM Sync is an excellent synchronization product, so like UNIFYBob mentioned, I am also curious which product you are using.

    Thursday, August 16, 2012 8:23 AM
  • Sorry for the confusion, I posted the last message with the incorrect account :) Below is the correct information.

    Need realtime FIM synchronization and advanced reporting? check out the new http://www.imsequencer.com that supports FIM 2010, Omada Identity Manager, SQL, File, AD or Powershell real time synchronization!

    Thursday, August 16, 2012 8:25 AM