Thursday, May 02, 2013

Using ADFS to Authenticate FIM Users

Been working on a neat FIM application lately that uses ADFS to authenticate the users.  This buys us some really neat functionality, such as:

  • Dynamic Provisioning – we can use claims as a source for creating new Person objects in the FIM Service, so when the user comes to our application we know enough about them through claims to create the person objects.
  • Claims to Windows Tokens – we can use C2WTS to turn the UPN claim back into a Windows identity which we can then impersonate when calling the FIM web services.
  • FIM Claims – with the ASP.NET request pipeline we can use a ClaimsAuthenticationModule to post-process the identity by adding claims from FIM, neatly packaging up details about the Person in the claims.

Of course none of this is really possible when using the FIM Portal, but that isn’t such a bad thing once you bite the custom FIM application bullet.  All of the above become possible when you throw away the FIM Portal and create a custom FIM application.

At the moment I don’t have code to share but rest assured the above works (it took me a while to believe it). 

Now on Amazon: A Guide to Claims-Based Identity and Access Control, 2nd Edition

I’ve been spending a lot of time with claims lately, and really enjoying how simple ADFS feels compared to FIM (which is obviously a demonstration of my lack of understanding).  Anyhow, the manual is freely available on MSDN (HTML and PDF) but you can also RTFM in condensed lumber at Amazon:

Now on Amazon: A Guide to Claims-Based Identity and Access Control, 2nd Edition

Get the PowerShell.org Free ebooks!

I consider myself a competent sheller but after attending the PowerShell Summit last week I am now more aware there are many more cool things to learn (and better ways to do my job).

Want to learn more too?  Turns out it doesn’t cost that much…

The Big Book of PowerShell Gotchas (free)

Thursday, March 14, 2013

The Three A’s of Identity Management

The first three A’s of identity management I learned were something like:

  • Authentication
  • Authorization
  • Auditing

These A’s helped me explain identity management to customers at a conceptual level, but rarely helped me deliver the solutions to the problems I was tasked with (I’m not a strategy consultant – I design and deliver working stuff). 

Recently I realized that I spend a LOT of time on a different three A’s:

  • Arrange
  • Act
  • Assert

If you follow my blog you know the first A’s but get bonus points for knowing the second set. 

Identity management tends to mean solutions that automate the integration of disparate systems and their identities.  Any crafted solution must have a measure of quality.  Small systems deployed by one person may get by without it, but measuring quality is critical to systems especially when team development is involved.  This is obvious to development teams, but onerous for deployment teams.  Over the years I’ve grown from onerous to frustratingly obvious.  Frustrating because testing has such a negative connotation, and is perceived as a tax nobody wants to pay.

So if you find yourself in the business of deploying identity solutions such as FIM, I suggest adding time to your projects for test automation.  No, it won’t be easy.  You will deliver slower at first, but your test automation turtle will win the race.
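As an added example (not code from the post or from any of the CodePlex helpers), here is what Arrange/Act/Assert looks like in plain PowerShell with no test framework, applied to the kind of claims-to-Person mapping the ADFS post above describes. The ConvertTo-FimPerson function, the attribute names it produces and the constructed claims are assumptions for illustration; the claim type URIs are the standard ones ADFS issues. The test also covers the failure mode: a token without a UPN must be rejected rather than provisioned.

```powershell
# Added example (not from the post): a hypothetical claims-to-Person mapper and an
# Arrange/Act/Assert test for it. Attribute names and sample claims are constructed.
function ConvertTo-FimPerson {
    param([Parameter(Mandatory)] [hashtable] $Claims)

    $upn = $Claims['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn']
    if ([string]::IsNullOrWhiteSpace($upn)) {
        throw 'A UPN claim is required to provision a Person.'
    }
    # Only the claims we expect are copied; anything else in the token never reaches FIM.
    [pscustomobject]@{
        AccountName = $upn.Split('@')[0]
        Domain      = $upn.Split('@')[1]
        Email       = $Claims['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress']
        DisplayName = $Claims['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name']
    }
}

function Test-ConvertToFimPerson {
    # Arrange: constructed claims, shaped like those an ADFS token would carry
    $claims = @{
        'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'          = 'jdoe@contoso.example'
        'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' = 'jdoe@contoso.example'
        'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'         = 'Jane Doe'
    }

    # Act
    $person = ConvertTo-FimPerson -Claims $claims

    # Assert: each check is emitted as an object, so results can be filtered or exported
    [pscustomobject]@{ Check = 'AccountName'; Passed = ($person.AccountName -eq 'jdoe') }
    [pscustomobject]@{ Check = 'Domain';      Passed = ($person.Domain -eq 'contoso.example') }
    [pscustomobject]@{ Check = 'DisplayName'; Passed = ($person.DisplayName -eq 'Jane Doe') }

    # Assert the failure mode: a token with a name but no UPN must not create a Person
    $noUpn = @{ 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name' = 'Nobody' }
    $threw = $false
    try { ConvertTo-FimPerson -Claims $noUpn | Out-Null } catch { $threw = $true }
    [pscustomobject]@{ Check = 'MissingUpnRejected'; Passed = $threw }
}

Test-ConvertToFimPerson | Format-Table -AutoSize
```

Because the test emits objects rather than text, a build step can do `Test-ConvertToFimPerson | Where-Object { -not $_.Passed }` and fail the run on a non-empty result.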

BTW – some of the test helpers I use are already available on CodePlex, my favourites are:

Thursday, February 07, 2013

Using New-IsoFile to Put Files into an ISO

I use Hyper-V all the time and love the convenience of just attaching an ISO to get files into my VMs, because I don’t have to worry about networks or credentials.

Sometimes the files I need are not already on an ISO, and I used to use various utilities to create new ISOs, until I found New-IsoFile.

Here is how it works:

    ###
    ### Copy a single file into an ISO
    ###
    dir 'E:\wheres\SharePoint2013.exe' |
        New-IsoFile -Path c:\ISO\SharePoint2013.ISO -Title 'SharePoint 2013'

    ###
    ### Copy an entire folder into an ISO
    ###
    dir 'E:\HoofHearted' |
        New-IsoFile -Path c:\ISO\HoofHearted.ISO -Title 'HoofHearted'

When the command finishes, you have your new ISO file ready to be attached to VMs. Cool!
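An added example (not from the post, and not part of New-IsoFile itself) that wraps the folder call above so every ISO handed to a VM carries a SHA-256 manifest of its contents, and the host keeps a hash of the finished image. Only the -Path and -Title parameters shown above are used; the Get-Sha256 and New-VerifiedIso helpers, the manifest file name and the drive letter used inside the VM are assumptions. Hashing uses .NET directly so it does not depend on Get-FileHash.

```powershell
# Added example (not from the post): build the ISO with New-IsoFile and record hashes
# so the files can be verified once the read-only image is attached inside the VM.
function Get-Sha256 {
    param([Parameter(Mandatory)] [string] $FilePath)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($FilePath)
    try {
        ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Dispose()
        $sha.Dispose()
    }
}

function New-VerifiedIso {
    param(
        [Parameter(Mandatory)] [string] $SourceFolder,
        [Parameter(Mandatory)] [string] $IsoPath,
        [Parameter(Mandatory)] [string] $Title
    )
    # Hash every file going into the ISO and drop the manifest beside them,
    # so it travels inside the image (manifest.csv is an assumed name).
    $root = $SourceFolder.TrimEnd('\')
    $manifest = Get-ChildItem -Path $root -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($root.Length + 1)
            Sha256       = Get-Sha256 -FilePath $_.FullName
        }
    }
    $manifest | Export-Csv -Path (Join-Path $root 'manifest.csv') -NoTypeInformation

    # Same call as the folder example above
    Get-ChildItem -Path $root | New-IsoFile -Path $IsoPath -Title $Title

    # Hash of the finished image, kept on the host side
    [pscustomobject]@{
        IsoPath   = $IsoPath
        Sha256    = Get-Sha256 -FilePath $IsoPath
        FileCount = @($manifest).Count
    }
}

# Run inside the VM after attaching the ISO; emits one result object per file
function Test-IsoManifest {
    param([Parameter(Mandatory)] [string] $MountedRoot)
    Import-Csv -Path (Join-Path $MountedRoot 'manifest.csv') | ForEach-Object {
        $actual = Get-Sha256 -FilePath (Join-Path $MountedRoot $_.RelativePath)
        [pscustomobject]@{ File = $_.RelativePath; Ok = ($actual -eq $_.Sha256) }
    }
}

New-VerifiedIso -SourceFolder 'E:\HoofHearted' -IsoPath 'c:\ISO\HoofHearted.ISO' -Title 'HoofHearted'
# Inside the VM (drive letter assumed):  Test-IsoManifest -MountedRoot 'D:\'
```

The manifest inside the image answers "did the right files land in the VM?", while the image hash on the host answers "is this the ISO I built?"; both are cheap to keep alongside the convenience of skipping networks and credentials.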

FYI – when I first ran it on Win8 I hit this error:

    Add-Type : Cannot add type. The 'CompilerParameters' parameter and the 'IgnoreWarnings' parameter cannot both be specified.
    At line:38 char:7
    +       Add-Type -IgnoreWarnings -CompilerParameters $cp -TypeDefinition @"
    +       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidArgument: (System.CodeDom....pilerParameters:CompilerParameters) [Add-Type], Exception
        + FullyQualifiedErrorId : COMPILERPARAMETERS_AND_IGNOREWARNINGS,Microsoft.PowerShell.Commands.AddTypeCommand

The fix is just to change line 38 so it looks like this:

    Add-Type -CompilerParameters $cp -TypeDefinition @"


Wednesday, January 16, 2013

What's New in Forefront Identity Manager 2010 R2 SP1

Last week we got the bits on MSDN (TechNet for me actually) and now we have some reading to go through:

What's New in Forefront Identity Manager 2010 R2 SP1

Lots of support for Microsoft’s latest and greatest OS and server applications.  I’d probably trade a lot of it for .NET 4.5 support so we could mash-up PowerShell WF with FIM WF, but am certainly glad to see the huge increase in support.  I can just hear the tester when they shared the plan to support all that stuff, “You want me to increase my matrix by WHAT?!”.

My Canadian MVP colleagues will be happy to see that even FIM CM saw some SP1 love:

FIM Certificate Management (CM)

Support for the DataCard CD800 printer has been added.

Tuesday, January 15, 2013

FIM Sync: Deprecated Features And Planning For The Future

Hot off the press is a very interesting TechNet article:

Deprecated Features And Planning For The Future

This is a signal that big changes are about to happen in the product (or at least in the Sync Engine).  I’m willing to trade a lot of those deprecated features for new features in that future release of FIM. The big questions are:

  • When is the future release of FIM?
  • What will the upgrade/migration story look like?

My opinion is that the Sync Engine gave us a decade of pretty good upgrade experiences (MIIS -> ILM -> FIM) so now is probably a reasonable time to introduce a version of the product that breaks compatibility, but only if those new features are sufficiently awesome!  If I had to spend money on either a nice upgrade experience or awesome new functionality, then as an integrator I’d opt for the awesome new functionality.

Monday, January 14, 2013

Scrum and FIM Deployments

Been using Scrum for FIM deployments lately and believe it to be a major success factor, but also a great stabilizer for an otherwise seemingly crazy deployment cycle. 

Another practitioner summarizes it somewhat positively in this post:

Scrum: Even Better than Getting Slapped

In my case, I really enjoy the quick deployments, and the relief of only doing detailed design work in smaller chunks.  Makes it way easier to break something down into tasks that are much easier to estimate in hours instead of days or weeks.

My experience has also been that a strong Scrum master is required to really drive the process for a team, at least for the first few iterations until the rhythm is established and everybody understands what they are responsible for and when.  Coming from an IT Pro / Sys-Admin background, the Dev overhead doesn’t seem natural at first (in fact it can be quite onerous) but a quick dose of DevOps and some doctrine from Jeffrey Snover leads me to believe that every FIM deployment should be done with Scrum, if anything to avoid getting slapped.

Wednesday, January 09, 2013

FIM 2010 R2 SP1 Ships–New PowerShell Commands!

Paul Smith installed SP1 and ran get-command over miis.ma.config and voila!  New commands!  They seem to be related to the ADMA and password sync configuration, but unfortunately they shipped without help (boo!) so one can’t be sure yet.
The bits on TechNet and MSDN ship ahead of documentation, which is fine, so we’ll have to wait to see the docs for the new PowerShell goodness.

UPDATE:

I cornered somebody and got more detail ;-)  The new commands support a new feature that was hinted at on some of the slides we saw at the Redmond Identity and Access Summit whereby DirSync synchronizes objects and attributes, AND passwords.  Not sure if anybody else noticed it, but it was simply the word 'Passwords' on one of the slides.  That hints at a solution for customers that do not want to use ADFS with Office 365, but would rather have password synchronization.  As far as I know, this isn't real password synchronization (phew!) so DirSync will not be messing with clear-text passwords, but instead dealing with hashes, which explains the keyword 'hash' in the new commands. 
The new commands for this feature are:
  • Get-PasswordHashSyncConfiguration 
  • Set-PasswordHashSyncConfiguration
  • Remove-PasswordHashSyncConfiguration

Dispatching Puppies

I mentioned in a talk I gave yesterday how bunnies did not fare so well when people use Write-Host.  That was guidance I gleaned from Don Jones’ (PowerShell MVP) Proverbs:

Every time someone writes a PowerShell script that outputs text, rather than objects, God kills a puppy.

This came out in one of Don's PowerShell classes at a conference, as a way of driving home the fact that PowerShell is an object-based shell, not a text-parsing system. Working with the shell, rather than against it, makes for a more efficient administrator and a better experience for all.

In general when you’re using Write-Host, you should usually be using Write-Verbose or Write-Warning.

Also, if you find yourself formatting output, chances are you’re doing it wrong.  PowerShell is all about objects, so output objects.  Formatting should be the very last thing that happens (if at all).
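An added example (not from the post or from Don Jones’ material) showing the same expired-account report written the Write-Host way and the object way, with diagnostics on the verbose stream and formatting left to the caller. Function names and the sample accounts are constructed for illustration.

```powershell
# Added example (not from the post): text output versus object output.
function Show-ExpiredAccounts {
    param([object[]] $Accounts)
    # Text goes straight to the console: the caller cannot filter, sort, export or capture it.
    foreach ($a in $Accounts) {
        if ($a.Expires -lt (Get-Date)) {
            Write-Host "$($a.Name) expired on $($a.Expires)"
        }
    }
}

function Get-ExpiredAccount {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [object[]] $Accounts)
    foreach ($a in $Accounts) {
        # Diagnostics belong on the verbose stream; shown only when -Verbose is passed
        Write-Verbose "Checking $($a.Name)"
        if ($a.Expires -lt (Get-Date)) {
            # Emit an object; nothing here decides how it will be displayed
            [pscustomobject]@{
                Name        = $a.Name
                Expires     = $a.Expires
                DaysExpired = [int]((Get-Date) - $a.Expires).TotalDays
            }
        }
    }
}

# Constructed sample data
$accounts = @(
    [pscustomobject]@{ Name = 'svc-sync';   Expires = (Get-Date).AddDays(-40) }
    [pscustomobject]@{ Name = 'jdoe';       Expires = (Get-Date).AddDays(10) }
    [pscustomobject]@{ Name = 'contractor'; Expires = (Get-Date).AddDays(-3) }
)

$captured = Show-ExpiredAccounts -Accounts $accounts   # $captured stays empty: Write-Host bypassed the pipeline
$expired  = Get-ExpiredAccount -Accounts $accounts -Verbose

# Because objects came back, the caller decides what happens next:
$expired | Where-Object DaysExpired -gt 30 | Sort-Object DaysExpired -Descending
$expired | Export-Csv -Path "$env:TEMP\expired-accounts.csv" -NoTypeInformation
$expired | Format-Table -AutoSize    # formatting last, and only at the console
```

The text version would need a regex to recover the account names from its own output; the object version hands the same data to Where-Object, Export-Csv and Format-Table without any parsing.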