Lessons learned while configuring the SharePoint Services Connector for FIM 2010 R2

I have now configured many SharePoint Management Agents, and initially I had severe problems finding out which attributes to populate with what. Here is the lessons I learned during this investigation.

Application ID

During configuration of the Management Agent, you are requested to input Application ID. I have never used it, and i guess it is used when you have multiple User Profile Service Applications.

Anchor

Do not bother with anchors. Instead just provision a connector space object and let it get the default anchor. You will never see the anchor anywhere except in FIM and internally in the SharePoint databases.

Manager attribute populating bug

There is a bug in SharePoint, where the manager attribute won’t be populated in the User Profile Service, even though you are flowing it with FIM. The reason is that the timer job “User Profile Service Application – User Profile ActiveDirectory Import Job” is not created if you configure “Enable External Identity Manager” directly. Instead, you have to first choose “Use SharePoint Active Directory Import” on the “Configure Synchronization Settings”, and let this job be created (takes 15 minutes), then switch to “Enable External Identity Manager”.

Parallellism

It is not supported to run multiple SharePoint MAs simultaneously. Not sure why, but a little bit of code snooping shows this is true.

Pictures

Pictures can be a bit difficult, especially when trying with limited permissions. First of all, if you use fiddler the attribute is actually called “PictureURL”. Also, technically it seems as though what actually happens when you use this connector and export a picture, you transfer the binary data (as base64 ofc) out in “PictureURL / Picture” and the API you talk to uploads these data as an original to your mysite, at the location “http://mysitehost.goodworkaround.com/User photos”. And then it stores the url of the picture in the User Profile Service.

First of all, the MySite host MUST BE IN THE SAME FARM. It is not possible to have pictures uploaded to a separate SharePoint farm. Second, there is a requirement for permissions on the mysitehost. You can grant these permissions with the following cmdlet:


$w = Get-SPWebApplication -Identity http://mysitehost.goodworkaround.com
$w.GrantAccessToProcessIdentity("gwrnd\managementAgentAccount")

If you do not give this permissions, FIM will not get any error message from SharePoint saying “sorry, we could not store this picture”. It will simply be “ok” even though the picture was not saved.

Also, as you can see in this TechNet article you need to run a cmdlet to actually generate the thumbnail photos.

ADFS authentication

To configure ADFS authentication the following attributes needs to be flowed from FIM to SharePoint:

SharePoint attribute Value
SPS-ClaimProviderID Name of the trusted identity provider in SP (case sensitive): “SAML Users”
SPS-ClaimProviderType Constant: “Trusted”
SPS-ClaimID Unique identifier – mail, userPrincipalname, employeeID etc. Must be what comes in the nameidentifier claim from ADFS
SID Do not flow anything
ProfileIdentifier someprefix:unique – where “unique” is the same as SPS-ClaimID (not required, but make it unique)
UserName Do not flow anything
AccountName Do not flow anything

Example user

SharePoint attribute Value
SPS-ClaimProviderID SAML Users
SPS-ClaimProviderType Trusted
SPS-ClaimID marius@goodworkaround.com
SID no flow
ProfileIdentifier gwrnd:marius@goodworkaround.com
UserName no flow
AccountName no flow – SharePoint will automatically populate this with something like “i:0\.t|SAML Users|marius@goodworkaround.com

Windows authentication

To configure Windows authentication the following attributes needs to be flowed from FIM to SharePoint:

SharePoint attribute Value
SPS-ClaimProviderID Constant: “Windows”
SPS-ClaimProviderType Constant: “Windows”
SID ObjectSID from Active Directory
ProfileIdentifier DOMAIN\sAMAccountName from Active Directory
UserName sAMAccountName from Active Directory
AccountName Do not flow anything

Example user

SharePoint attribute Value
SPS-ClaimProviderID Windows
SPS-ClaimProviderType Windows
SID – binary data –
ProfileIdentifier GWRND\marius
UserName marius
AccountName no flow

That’s, hope it saves you some time.

2 thoughts on “Lessons learned while configuring the SharePoint Services Connector for FIM 2010 R2”

  1. Hello there, just became alert to your blog through Google, and found that it’s
    truly informative. I’m going to watch out for brussels.
    I’ll be grateful if you continue this in future. A lot of people will be benefited from your writing.
    Cheers!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s