
MIIS Design Specs v1.0

By Jeanette Martin, 2014-09-13 20:13

    Microsoft Identity Integration Server

    Design Specifications

    Cherif Djerboua, Senior Consultant

    Enterprise Directory Team, EC3

    National Practices, Microsoft Consulting Services

    Last Revised 9/13/2010 8:14:00 PM

    Last Revised By Cherif Djerboua

    © 2003 Microsoft Corporation. All rights reserved.

    The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

    This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

    Microsoft is a registered trademark of Microsoft in the United States and/or other countries.

    Fictitious Disclaimer:

    The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, email address, logo, person, places, or events is intended or should be inferred.

    Microsoft Identity Integration Server

    DOCUMENT INFORMATION:

    Doc Name: MIIS Functional Specifications

    Description:

    Current Owners: Cherif Djerboua

    Reviewer:

    Status: Version 1.0

    Comments:

    PROJECT PERSONNEL:

    Project Executive Sponsor
    Product Capability Manager - EDS
    Project Sponsor, AAB
    Project Sponsor, AAB
    Delivery Project Manager
    EDS Analyst
    Microsoft Engagement Management
    Microsoft Strategy Consultant

    RELATED DOCUMENTS:

    Doc                       Location
    MMS Vision/Scope          V:\Corp\IS\941040\RES\Directory Services\Phase-1\00ProjectManagement\Plan\MMS Vision (3.0).doc
    MMS Master Mapping Table  V:\Corp\IS\941040\RES\Directory Services\Phase-1\02Design\MIIS Master Mapping v1.xls
    MMS High Level Design     V:\Corp\IS\941040\RES\Directory Services\Phase-1\02Design\High Level Design1.vsd
    MMS MIIS Project Plan     V:\Corp\IS\941040\RES\Directory Services\Phase-1\00ProjectManagement\Plan\MMS Project Plan.mpp
    MMS Risk Assessment       V:\Corp\IS\941040\RES\Directory Services\Phase-1\00ProjectManagement\Risks\Risk Assessment.xls

    REVISION HISTORY

    Version  Source   Description                      Date
    0.1      cherifd  Initial Draft                    5/12/2003
    0.4      cherifd  Conceptual Design                5/14/2003
    0.9      cherifd  Architecture and MAs             6/12/2003
    1.0      cherifd  Final touches based on feedback  6/19/2003

    June 13th, 2003 PAGE 2

    TABLE OF CONTENTS

    1 OVERVIEW  4
    2 DESIGN GOALS/REQUIREMENTS  4
    3 CONCEPTUAL DESIGN  5
    3.1 Assumptions  5
    3.2 Conceptual Architecture  5
    4 ARCHITECTURE  6
    4.1 Metaverse Schema  7
    4.2 Rules  7
    4.3 Rules Extension  8
    4.4 Synchronization Process  8
    4.5 MIIS Management Agents  9
    4.5.1 Connected Directories  9
    4.5.2 Oracle HR System  10
    4.5.2.1 Database Connection  10
    4.5.2.2 Column Configuration  10
    4.5.2.3 Connector Filter  11
    4.5.2.4 Join and Projection Rules  12
    4.5.2.5 Attribute Flow  14
    4.5.2.6 Deprovisioning  20
    4.5.3 Subsidiary3 (MLG)  20
    4.5.4 Active Directory  21
    4.5.4.1 Connectivity to Active Directory Forest  22
    4.5.4.2 Object Types Selection  22
    4.5.4.3 Join and Projection Rules  22
    4.5.4.4 Attribute Flow  24
    4.5.4.5 Deprovisioning  28
    4.5.4.6 Group Objects  28
    4.5.5 iPlanet  28
    4.5.5.1 Object Type Selection  29
    4.5.5.2 Attribute Selection  30
    4.5.5.3 Join Rules  30
    4.5.5.4 Attribute Flow  31
    4.5.5.5 Deprovisioning  32
    4.5.6 Windows NT (Join only)  32
    4.5.7 AD for TAO Global Address List (GAL) Sync  34
    4.6 Provisioning Rules  37
    4.7 Deprovisioning Rules  40
    5 MMS SOLUTION CONFIGURATION  43
    5.1 Hardware Configuration  43
    5.2 Software Required  44


    1 OVERVIEW

    This document describes the architecture and design of the metadirectory solution that will replace the various Perl scripts and implement an infrastructure for identity management, providing group, group membership and user object synchronization and provisioning among Oracle HR, Active Directory, the iPlanet directory, Windows NT and the flat files generated from the mainframe for Subsidiary3 (MLG) brand users. The metadirectory is based on Microsoft Identity Integration Server (MIIS) version 2003, formerly known as Microsoft Metadirectory Services (MMS).

    This document assumes a level of familiarity with the MIIS architecture, and a basic fluency in terms such as metaverse, connector space, connected directory, and other terms. See http://www.microsoft.com/mms for whitepapers that describe and define these terms in more detail.

    In its original proposal for this project, Microsoft had planned to deliver a tactical metadirectory solution providing group membership and attribute synchronization among Active Directory, Windows NT, and iPlanet, with basic provisioning (hire/fire) occurring into iPlanet. During the Envisioning process, the Microsoft project team and Contoso determined there were additional synergies that could be leveraged to deliver enhanced functionality, business value, and capabilities to Contoso within the original timeline of this project. These included:

    •  Base Contoso's metadirectory on the next version of Microsoft's technology, MMS 2003 (later renamed MIIS 2003). This recommendation eliminated all throw-away work and redesign that would have been required with a deployment of MMS 2.2. MIIS 2003 also provides functionality enhancements that in fact accelerated time-to-market with the solution.

    •  Connect directly to the true sources of enterprise identity at Contoso, including Oracle HR. Based on its discovery information, the Microsoft team and Contoso believe this will lay the best groundwork for identity management at Contoso. This design incorporates the original systems for synchronization (Active Directory, Windows NT, and iPlanet), but these systems are utilized in their proper role as connected directory systems, not as ultimate sources of enterprise identity (which they are not).

    2 DESIGN GOALS/REQUIREMENTS

    The Identity Management solution around MIIS must provide:

    •  Connectivity, to enable the sharing of identity information between many different directory services, databases, and applications.

    •  Brokering functionality, to distribute changes made in one directory or application to other identity repositories in the enterprise affected by the change.

    •  Integrity mechanisms, to ensure that related data remains consistent throughout the enterprise and observes ownership and referential integrity rules.

    •  Ownership relationships: it is recognized that there are important ownership relationships that must be maintained between applications and data. For example, a person's mailbox name is owned by the e-mail system that hosts the mailbox, while the Human Resources (HR) system owns the data corresponding to whether or not a person is an active employee. Since Contoso has multiple authoritative sources, there is a need to define and enforce ownership relationships at the object and attribute level.

    3 CONCEPTUAL DESIGN

    A phased approach was selected to meet the requirements that were identified and to address the change in the schedule.

    3.1 Assumptions

    These are the assumptions that were made in order to meet all requirements for the first phase as well as all subsequent phases:

    •  The design is based on MIIS 2003 to allow for easier expansion and integration with other data sources and to address strategic requirements that were scheduled for future phases.

    •  Utilize data from true sources of enterprise identity to establish a foundation and a roadmap for identity management at Contoso. Oracle HR, being the main authoritative owner of identity information for both employees and contractors at Contoso corporate (excluding Subsidiary1, Subsidiary2, and Subsidiary3), will act as the main authoritative source for those employees. MLG users extracted from the mainframe will also have a source for those employees. The rest of the brands will be integrated into the identity management solution in future phases.

    •  Windows 2000 Active Directory (AD) is the central point of administration for accounts and groups. All changes to groups and users in AD will be synchronized to Windows NT and iPlanet using MIIS.

    •  Contractors, vendors and exception accounts (Subsidiary1 and Subsidiary2 employees as well as non-Itiliti contractors) that do not exist in one of the authoritative sources and require synchronization will have AD as their administration point and will be projected into the MIIS metaverse, with Active Directory thus acting as the source for those objects.

    •  Administrative and special accounts, as well as groups in Active Directory not requiring synchronization with the other systems, will reside under a specific Organizational Unit (OU) structure that will be filtered out from discovery in MIIS.

    •  The Active Directory Connector (ADC) for Microsoft Exchange will synchronize Exchange 5.5 with Active Directory through connection agreements, and AD will be extended with the Exchange 2000 schema.

    •  For employees still on TAO mail, the mail attribute is owned by their corresponding contact objects residing in AD.
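    The attribute-level ownership required in section 2 and the assumptions listed above (Oracle HR authoritative for employees, AD the source for contractor and exception accounts, an OU subtree filtered out of discovery, mail owned by the AD contact object for TAO users) can be exercised with a small model of the metaverse merge. The following Python is an added example written for this page; it is not MIIS code, not a Contoso artifact, and not the product's rules-extension API. The source labels, precedence lists, OU names, join key and sample objects are constructed assumptions, and DN matching is simplified to a lower-cased suffix comparison.

```python
"""Toy metaverse synchronization illustrating attribute-level ownership and
connector filtering. Added example, not MIIS code: it models the ownership
rules stated in the design with plain Python data structures."""
from dataclasses import dataclass, field

# Connected-directory labels used in this example (constructed names).
HR, AD, CONTACT = "oracle_hr", "active_directory", "ad_contact"

# Attribute ownership as an ordered precedence list: the left-most source that
# supplies a value wins; sources not listed for an attribute cannot write it.
# Assumption: these lists mirror the design's ownership statements.
PRECEDENCE = {
    "employeeID": [HR, AD],         # AD supplies the key for contractors/exceptions
    "displayName": [HR, AD],
    "employeeStatus": [HR],         # HR alone decides whether a person is active
    "mail": [CONTACT, AD],          # TAO users: mail is owned by the AD contact object
    "memberOf": [AD],               # AD is the administration point for groups
}

# OU subtrees excluded from discovery (constructed DNs, lower-cased for matching).
FILTERED_OUS = tuple(ou.lower() for ou in (
    "OU=Admin Accounts,DC=contoso,DC=com",
    "OU=Service Accounts,DC=contoso,DC=com",
))


@dataclass
class CsObject:
    """A connector-space object: originating directory, DN, attribute bag."""
    source: str
    dn: str
    attrs: dict


@dataclass
class MvObject:
    """A metaverse object plus bookkeeping on which source supplied each attribute."""
    attrs: dict = field(default_factory=dict)
    owner: dict = field(default_factory=dict)
    sources: set = field(default_factory=set)


def is_filtered(obj: CsObject) -> bool:
    """Connector filter: AD objects under an excluded OU never reach the metaverse.
    Real DN comparison needs RFC 4514 normalization; lower-casing suffices here."""
    if obj.source != AD:
        return False
    dn = obj.dn.lower()
    return any(dn.endswith("," + ou) for ou in FILTERED_OUS)


def apply_flow(person: MvObject, obj: CsObject) -> None:
    """Import attribute flow: accept a value only from an owning source, and let
    a higher-precedence source overwrite a lower one regardless of import order."""
    for attr, value in obj.attrs.items():
        owners = PRECEDENCE.get(attr)
        if owners is None or obj.source not in owners:
            continue                      # not owned by this source: ignored
        rank = owners.index(obj.source)
        current = person.owner.get(attr)
        if current is None or rank < owners.index(current):
            person.attrs[attr] = value
            person.owner[attr] = obj.source


def synchronize(cs_objects):
    """Filter, join on employeeID (projecting objects with no existing match),
    and apply attribute precedence. Returns (metaverse, filtered_dns)."""
    metaverse, filtered = {}, []
    for obj in cs_objects:
        if is_filtered(obj):
            filtered.append(obj.dn)
            continue
        key = obj.attrs.get("employeeID")
        if key is None:
            continue                      # no join key: stays a disconnector
        person = metaverse.setdefault(key, MvObject())
        person.sources.add(obj.source)
        apply_flow(person, obj)
    return metaverse, filtered


# Constructed sample connector-space contents; AD is imported before HR on
# purpose to show that precedence, not import order, decides the winner.
SAMPLE = [
    CsObject(AD, "CN=alice,OU=Users,DC=contoso,DC=com",
             {"employeeID": "1001", "displayName": "A. Example",
              "mail": "alice@contoso.com",
              "memberOf": ["CN=Finance,OU=Groups,DC=contoso,DC=com"]}),
    CsObject(AD, "CN=alice-admin,OU=Admin Accounts,DC=contoso,DC=com",
             {"employeeID": "1001",
              "memberOf": ["CN=Domain Admins,CN=Users,DC=contoso,DC=com"]}),
    CsObject(HR, "EMP_ID=1001",
             {"employeeID": "1001", "displayName": "Alice Example",
              "employeeStatus": "active", "mail": "alice@hr-internal.example"}),
    CsObject(CONTACT, "CN=alice (TAO),OU=Contacts,DC=contoso,DC=com",
             {"employeeID": "1001", "mail": "alice@tao.example"}),
    CsObject(AD, "CN=bob,OU=Contractors,DC=contoso,DC=com",
             {"employeeID": "C-2002", "displayName": "Bob Contractor",
              "mail": "bob@contoso.com", "memberOf": []}),
]

if __name__ == "__main__":
    mv, dropped = synchronize(SAMPLE)
    for key, person in mv.items():
        print(key, person.attrs, "owned by", person.owner)
    print("filtered:", dropped)
```

    Running the block prints each metaverse entry together with the source that supplied every attribute. The property worth verifying in a real deployment is the one the model encodes: a value from a non-owning source, such as an HR mail column or a group membership carried by an account under the filtered admin OU, must never overwrite the owner's value, and the precedence list rather than the order in which management agents run must decide which source wins.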

    3.2 Conceptual Architecture

    The following statements describe at a high level the conceptual architecture of the Metadirectory solution that meets the requirements described in the Vision/Scope document. Some of the key characteristics of the architecture are summarized below:


    A diagram of the high-level architecture is included below:

    [Diagram: high-level architecture. Labels recoverable from the image: Phase II; Joins, Provisioning, de-provisioning]