SQL >> FIM R2 Provisioning

  • Question

  • Hello, I've been digging into FIM a lot lately. I've managed (god bless these forums and Google) to set up FIM>AD+exchange2010; group sync works, SSPR works, rich client works.

    I've found a few topics covering SQL to FIM provisioning, but I just can't seem to get it. Everything works, but in a kinky way. For example, when I was starting to experiment with SQL > FIM I created a table with 4 columns in it: EmployeeID, Employee Status, First Name, Last Name. In SQL MA properties I've only chosen the anchor, and nothing else, and created a SQL Synch Rule (First Name > First Name, Last Name > Last Name, EmployeeID > EmployeeID, Employee Status > Employee Status). EmployeeID and Employee Status DID flow into FIM, the other 2 didn't (the hell?).

    Then I added mappings in SQL MA, FN (first name) > given name, LN > sn... after that the other 2 did flow into FIM.

    While inspecting the metaverse I found out that all of the rules I configured in the Synch rule did apply to the test user (I configured rules like string: f1m > domain, String: First Name+" "+Last Name > Account Name, etc.) but they didn't flow into FIM. In fact I can't get anything to flow into FIM except for things that are straightforward... but again, in a kinky way.

    If I set up SQL MA to flow First Name > First Name, Last Name > Last Name... they don't (at first they did, but now they don't, no idea why). To flow something into FIM I have to call a column something weird (like FN instead of First Name) and then flow it; if the names match they don't flow. I tried advanced mappings, to flow a constant to title and domain, doesn't work. If I try to populate user attributes with a Synch rule, nothing "custom" gets populated. Example: Account Name > mailNickname flows, "First Name+"_"+Last Name" > mailNickname doesn't.

    At this point I'm really puzzled and confused. I don't really like to ask for help, but it's been a week and I have no progress whatsoever on this issue, so I turn to you, folks. Help me please, because I'm lost. Thank you in advance.


    Monday, August 20, 2012 12:21 PM

Answers

  • OK, disregard my question. I finally found out the solution. It's just me being silly.

    So if anyone finds this topic and is curious for an answer:

    What I am doing now

    sql > metaverse

    Flows domain as a constant (SQL MA attribute flow properties), for further outbound synch from FIM to AD to happen, because it's used to generate DN and UPN.

    metaverse > portal > metaverse > ad

    Nothing changed. Just flow everything you need.

    ad > metaverse.

    After we've successfully exported the user to AD we flow it back to complete the synch process. At this point, for the domain field to get populated, you have to create a custom expression in the inbound synch rule on the portal to populate the domain field (described here http://social.technet.microsoft.com/wiki/contents/articles/648.how-do-i-synchronize-users-from-active-directory-domain-services-to-fim.aspx). If this doesn't work for you, try checking domain attribute precedence. Set AD MA precedence to 1.

    • Marked as answer by 4c74356b41MVP Wednesday, August 22, 2012 10:10 AM
    • Edited by 4c74356b41MVP Wednesday, August 22, 2012 10:15 AM
    Wednesday, August 22, 2012 10:10 AM

All replies

  • Make sure when you change your sync rule, you import it before starting synchronizing, then run a preview for a specific object and see the import attribute flow. Take a close look at each attribute; maybe this will give you an idea why information is not imported.

    It could also be that there is precedence configured and the SQL MA is the lowest in line (and FIM already provided the values); this will show up within the preview option.

    PS. Please reformat your first post, it is not easily readable.



    Tuesday, August 21, 2012 6:26 AM
  • Precedence is set to 1. I do import-sync beforehand. I'll return with more info today in the eve, really busy now, sorry. Thanks for the effort.
    Tuesday, August 21, 2012 10:21 AM
  • Hello, sorry I wasn't able to come back yesterday, I decided to revert to snapshot and rebuild it. This is how things are rolling so far:

    SQL MA - imports data into Metaverse. Everything flows OK, except for constant > domain. When I check attribute flow, it says domain skipped: not precedent, so when the user appears in FIM Portal the domain field is empty.

    AD MA - exports users into AD, and this is where it gets strange. Export completes successfully though I use the domain field to generate UPN and DN.

    This puzzles me. So it appears that the constant DOES flow into the domain value, but why doesn't it flow into FIM Portal in that case? And is there a way to import the domain value out of AD as a workaround (I wasn't able to find a domain attribute in AD MA)?

    OK, disregard the title thing. I was flowing the constant to title instead of jobtitle. Works now. Might be the same mistake with domain? -..-

    Wednesday, August 22, 2012 7:18 AM