I have now configured many SharePoint Management Agents, and initially I had severe problems finding out which attributes to populate with what. Here are the lessons I learned during this investigation.
During configuration of the Management Agent, you are asked to enter an Application ID. I have never used it, and I guess it is needed when you have multiple User Profile Service Applications.
Do not bother with anchors. Instead, just provision a connector space object and let it get the default anchor. You will never see the anchor anywhere except in FIM and internally in the SharePoint databases.
Manager attribute population bug
There is a bug in SharePoint where the manager attribute won't be populated in the User Profile Service, even though you are flowing it from FIM. The reason is that the timer job "User Profile Service Application – User Profile ActiveDirectory Import Job" is not created if you configure "Enable External Identity Manager" directly. Instead, you first have to choose "Use SharePoint Active Directory Import" under "Configure Synchronization Settings", wait for this job to be created (takes about 15 minutes), and then switch to "Enable External Identity Manager".
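As an added check (example script written for this page, not from the original post): before switching to "Enable External Identity Manager", confirm from the SharePoint Management Shell that the import timer job actually exists. The script assumes the Microsoft.SharePoint.PowerShell snap-in is available on the server; the job-name pattern is taken from the job name quoted above.

```powershell
# Added example: verify that the "User Profile ActiveDirectory Import Job"
# timer job exists before switching the User Profile Service Application
# to "Enable External Identity Manager". Run in the SharePoint Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Pattern taken from the job name quoted in the post; the display name is
# prefixed with the name of the User Profile Service Application.
$jobPattern = "*User Profile ActiveDirectory Import Job*"

$jobs = @(Get-SPTimerJob | Where-Object { $_.DisplayName -like $jobPattern })

if ($jobs.Count -eq 0) {
    Write-Warning ("Timer job not found. Select 'Use SharePoint Active Directory Import' " +
                   "first, wait for the job to be created (about 15 minutes), " +
                   "then switch to 'Enable External Identity Manager'.")
} else {
    # One job per User Profile Service Application; LastRunTime shows whether it has ever run.
    $jobs | Select-Object DisplayName, Status, LastRunTime | Format-Table -AutoSize
}
```

If the warning fires, the manager flow from FIM will silently fail until the job has been created by the SharePoint AD Import setting.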
It is not supported to run multiple SharePoint MAs simultaneously. I am not sure why, but a little bit of code snooping shows this is true.
Pictures can be a bit difficult, especially when working with limited permissions. First of all, if you watch the traffic in Fiddler, the attribute is actually called "PictureURL". Technically, what seems to happen when you export a picture through this connector is that you transfer the binary data (base64-encoded, of course) in "PictureURL / Picture", and the API you talk to uploads it as the original to your MySite, at "http://mysitehost.goodworkaround.com/User photos". It then stores the URL of the picture in the User Profile Service.
Two requirements follow from this. First, the MySite host MUST BE IN THE SAME FARM; it is not possible to have pictures uploaded to a separate SharePoint farm. Second, there is a permission requirement on the MySite host. You can grant these permissions with the following cmdlet:
$w = Get-SPWebApplication -Identity http://mysitehost.goodworkaround.com
If you do not grant these permissions, FIM will not get any error message from SharePoint saying "sorry, we could not store this picture". The export will simply report "ok" even though the picture was not saved.
Also, as described in the TechNet article on this topic, you need to run a cmdlet to actually generate the thumbnail photos.
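The cmdlet line above is cut off after Get-SPWebApplication, so here is an added, complete version of the permission step together with the verification a practitioner wants, given that SharePoint reports success to FIM even when the picture was not stored. This is example code written for this page, not the post's own script. Assumptions: the grant is done with the SPWebApplication method GrantAccessToProcessIdentity (a real method, but my reading of what the truncated line continued with); the account names are placeholders; SPWeb.GetFile is assumed to accept the absolute URL stored in PictureURL; and Update-SPProfilePhotoStore is taken to be the thumbnail-generation cmdlet the post refers to.

```powershell
# Added example: grant the FIM service account access on the MySite host web
# application, verify the resulting policy, and check that an exported picture
# really landed in the User Photos library. Run in the SharePoint Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$mySiteHost = "http://mysitehost.goodworkaround.com"
$fimAccount = "GOODWORKAROUND\svc_fim"     # placeholder: FIM Synchronization Service account
$testUser   = "GOODWORKAROUND\testuser"    # placeholder: a user whose picture was exported

# 1. The MySite host must be in this farm; Get-SPWebApplication fails otherwise.
$w = Get-SPWebApplication -Identity $mySiteHost

# 2. Grant access (assumed continuation of the post's truncated cmdlet line).
$w.GrantAccessToProcessIdentity($fimAccount)

# 3. Verify: the web application's policy collection should now list the account.
$policy = $w.Policies | Where-Object { $_.UserName -eq $fimAccount }
if ($null -eq $policy) {
    Write-Warning "No web application policy found for $fimAccount"
} else {
    $roles = ($policy.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ", "
    "Policy for $($policy.UserName): $roles"
}

# 4. FIM sees "ok" even when the picture was not stored, so check the profile
#    itself: PictureURL must be set and the file behind it must exist.
$site = Get-SPSite $mySiteHost
try {
    $ctx = Get-SPServiceContext $site
    $upm = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($ctx)

    if (-not $upm.UserExists($testUser)) {
        Write-Warning "No user profile for $testUser"
    } else {
        $profile    = $upm.GetUserProfile($testUser)
        $pictureUrl = $profile["PictureURL"].Value

        if ([string]::IsNullOrEmpty($pictureUrl)) {
            Write-Warning "PictureURL is empty for $testUser - the export did not store a picture"
        } else {
            # Assumption: GetFile resolves the absolute URL stored in PictureURL.
            $file = $site.RootWeb.GetFile([string]$pictureUrl)
            if ($file.Exists) {
                "Picture stored for ${testUser}: $pictureUrl"
            } else {
                Write-Warning "PictureURL $pictureUrl is set but the file does not exist"
            }
        }
    }
} finally {
    $site.Dispose()
}

# 5. Generate the thumbnail sizes for the uploaded originals.
Update-SPProfilePhotoStore -MySiteHostLocation $mySiteHost
```

Run step 4 after a FIM export run; an empty PictureURL or a missing file is the only evidence you will get that the permission step was skipped, because the connector itself reports success.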
To configure ADFS authentication, the following attributes need to be flowed from FIM to SharePoint:

| Attribute | Value to flow |
| --- | --- |
| SPS-ClaimProviderID | Name of the trusted identity provider in SharePoint (case sensitive), e.g. "SAML Users" |
| SPS-ClaimID | Unique identifier (mail, userPrincipalName, employeeID, etc.); must be the value that arrives in the nameidentifier claim from ADFS |
| SID | Do not flow anything |
| ProfileIdentifier | someprefix:unique, where "unique" is the same as SPS-ClaimID (not required, but make it unique) |
| UserName | Do not flow anything |
| AccountName | Do not flow anything; SharePoint will automatically populate this with something like "i:0\.t\|SAML Users\|email@example.com" |
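As an added check (example script written for this page, not from the original post): the SPS-ClaimProviderID value must match the trusted identity token issuer's name exactly, and SPS-ClaimID must carry the value ADFS sends in the identity claim. The script looks both up in the farm and lets SharePoint itself derive the encoded AccountName, rather than hard-coding the "i:0…" prefix. The provider name "SAML Users" comes from the table above; the claim value is a placeholder.

```powershell
# Added example: validate the values flowed into SPS-ClaimProviderID and
# SPS-ClaimID against the farm's trusted identity provider configuration.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$claimProviderId = "SAML Users"          # value flowed to SPS-ClaimProviderID (from the post)
$claimId         = "email@example.com"   # placeholder: value flowed to SPS-ClaimID

# -ceq is case-sensitive, matching the requirement on SPS-ClaimProviderID:
# "saml users" would not match an issuer named "SAML Users".
$issuer = Get-SPTrustedIdentityTokenIssuer | Where-Object { $_.Name -ceq $claimProviderId }

if ($null -eq $issuer) {
    Write-Warning "No trusted identity token issuer named exactly '$claimProviderId'. Configured issuers:"
    Get-SPTrustedIdentityTokenIssuer | Select-Object Name
} else {
    # The claim type SharePoint uses as the identity claim for this issuer
    # (e.g. nameidentifier or email); SPS-ClaimID must hold that claim's value.
    $identityClaimType = $issuer.IdentityClaimTypeInformation.InputClaimType
    "Identity claim type for '$($issuer.Name)': $identityClaimType"

    # Let SharePoint build the encoded account name it will store in AccountName.
    $claim = New-SPClaimsPrincipal -ClaimValue $claimId `
                                   -ClaimType $identityClaimType `
                                   -TrustedIdentityTokenIssuer $issuer
    "Encoded AccountName SharePoint will derive: $($claim.ToEncodedString())"
}
```

The encoded string printed in the last line is what the AccountName row above refers to; compare it with the AccountName shown on the user's profile after the first export if profiles fail to resolve to ADFS logins.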
To configure Windows authentication, the following attributes need to be flowed from FIM to SharePoint:

| Attribute | Value to flow |
| --- | --- |
| SID | objectSid from Active Directory (binary data) |
| ProfileIdentifier | DOMAIN\sAMAccountName from Active Directory |
| UserName | sAMAccountName from Active Directory |
| AccountName | Do not flow anything |
That's it; I hope it saves you some time.
2 thoughts on “Lessons learned while configuring the SharePoint Services Connector for FIM 2010 R2”
Excellent way of explaining, and nice paragraph to get facts on the topic of my presentation topic, which I am going to convey in school.
Hello there, just became alert to your blog through Google, and found that it’s
truly informative. I’m going to watch out for brussels.
I'll be grateful if you continue this in future. A lot of people will benefit from your writing.