Forefront Identity Manager includes a number of different management agents to connect to a variety of data sources. To enable you to connect to other data sources, FIM includes the Extensible Connectivity Management Agent (ECMA). To interact with a data source, the ECMA uses a connected data source extension. A connected data source extension is a Microsoft .NET Framework assembly that is implemented in the form of a dynamic link library (.dll) file.
You can create this extension by using any programming language and compiler that creates a .NET Framework assembly. For more information, see Creating Connected Data Source Extensions.
There are a number of partners that have created Management Agents using the ECMA to connect to a number of different systems or just to enhance connectivity options that are available out of the box.
This article was first posted as a blog on http://blogs.technet.com/identitymanagement but now that more and more partners are developing MAs we want to move this to the wiki so that we can get faster updates to this page.
If you are a partner and have updates, please join the TechNet wiki community and make updates and we will review before the page is updated.
Brjann Brekkan Technical Product Manager - Identity and Access - Microsoft Corporation
MAs from some of our Identity and Access partners (partners sorted alphabetically):
"Centrify's core capability is to extend Active Directory's authentication, authorization and group policy capabilities to non-Microsoft platforms such as UNIX, Linux and Mac. In doing this "identity consolidation" into Active Directory, UNIX attributes such as UNIX UIDs, home directories, etc. are stored within Active Directory, including the ability to map multiple UNIX UIDs to a single AD account (this technology is called Centrify Zones).
In order to simplify provisioning of UNIX user profiles within Active Directory, Centrify provides a Provisioning Agent that leverages Active Directory Groups to automate the management of Centrify Zone profiles. Adding a user to the Active Directory control group for a specific Zone will cause the Zone Provisioning Agent to add a UNIX profile for that user to the Zone; similarly, if you remove the user from the group it will delete the UNIX profile. In this way Forefront Identity Manager only needs to manage an Active Directory Group's membership in order to manage the provisioning of Centrify UNIX profiles.
Also, because Centrify makes the AD username/password the global username/password, FIM's self-service password reset capabilities reach beyond Windows and into hundreds of non-Microsoft systems. For a free version of Centrify's software for Linux/AD integration, check out http://www.centrify.com/express/."
Management Agents available on blogs as well as on sites like sourceforge.com and Codeplex.com
The SharePoint List Management Agent is an attempt to provide an easy-to-use, familiar interface between ILM 2007 and a WSS 3.0 or MOSS 2007 list. It is deployed as a "PackagedMA" to help alleviate some of the more tedious tasks involved with the development of extensible management agents (ex. run profile configuration, object type configuration, data manipulation, etc.). For more information and to download the code please click here.
The OpenLDAP Extensible Management Agent (XMA) for Microsoft Identity Lifecycle Manager (ILM) enables efficient two-way synchronization of identity information with the OpenLDAP directory. For more information and to download the code please click here.
For other LDAP v3 directories, such as Oracle Internet Directory, you can use the OpenLDAP MA as a starting point for integration with FIM.
The Granfeldt PowerShell Management Agent (MA) is a versatile Management Agent (MA) that can be used for many different purposes. Basically, any task that can be done in PowerShell can be triggered through this MA, making it very flexible and a true hybrid MA. Source: http://blog.goverco.com/p/powershell-management-agent.html
It also has the following extra functionality:
It is based on the ECMA 2.0 framework, can be found here, and has the following functionality:
Management Agents developed and maintained for Forefront Identity Manager (FIM)
The following lists the Management Agents that Directory Concepts has developed and maintains under a software maintenance agreement. For further information on how these and other Directory Concepts products complement your Microsoft FIM solution, please refer to our web site. If your requirement is not on this list, please feel free to contact us and we will develop it for you.
Source: http://www.directoryconcepts.com.au/
Company website: http://www.ensynch.com/ida
The Google Apps MA from Ensynch is capable of managing the entire Google account lifecycle. This MA is not only proficient at provisioning and de-provisioning tens of thousands of accounts, but can also synchronize password and bio-demographical data. With an additional SAML based SSO web site, users can continue to use their directory login to access their Google accounts.
Ensynch's Extensible Management Agent (XMA) for Databases is a configurable XMA capable of scaling to millions of objects and offers true delta processing on any database source. The XMA offers both Stored Procedure and XSLT customizations, allowing virtually any database to be queried and processed quickly and efficiently. Observed performance improvements over the built-in SQL or Oracle MA range between 10x and 20x.
Company website: Identity Forge solutions for FIM
The IdF Management Agent for FIM has been tightly integrated with Microsoft's Forefront Identity Manager as well as ILM and MIIS. The Management Agent works with IdF's Adapter Suite, providing Microsoft customers with an "out of the box" solution for ACF2, Top Secret, RACF, iSeries, SAP ECC, Solaris, AIX, Linux, cloud-based and other target applications.
Company website: www.inceptio.dk
The PowerShell Management Agent is a versatile Management Agent (MA) written using ECMA 2.0. It can be used for many different purposes. It allows PowerShell scripts to be run on additions, modifications and/or deletions of objects in the connector space, and supports any attribute (single- or multi-valued) being flowed as a parameter to the scripts. Delta import is supported. Download it here.
The Directory Management Agent is an extensible management agent used to physically manage users' home directories or other folders (create / move / remove) by calling customizable scripts for each operation; when the scripts have executed successfully, it updates the home directory information on the Active Directory user object accordingly. You can write the scripts in the scripting language of your choice. Download it here.
The MyID Management Agent for Microsoft Forefront Identity Manager allows Intercede MyID to simply 'plug in' to FIM, adding secure device and credential management capabilities to any FIM-enabled environment.
Connecting MyID to FIM via the management agent allows:
Website: www.intercede.com Contact: info@intercede.com
Visit www.omada.net for more information or contact Omada by email at info@omada.net
Omada provides a range of Management Agents (MAs) supporting advanced deployments of FIM 2010. The MAs cover integration with SAP, SAP GRC, Exchange, file shares, SharePoint, SCCM, PowerShell and more.
Omada's SAP MA is based on FIM's extensible connectivity management agent framework. The agent supports both full and delta imports as well as exports. The integration with SAP is performed via web services, and supports interaction directly with the SAP backend (SAP, SAP HR, SAP BI, etc.) or via SAP PI. Omada provides web services for various objects in SAP such as Org. Units (organizational structure in SAP HR), Employees, Cost Centers (including the hierarchy), Company Codes, Users (including password reset), and Roles (with Transaction Codes and Auth. Objects).
Omada also provides advanced integration to SAP GRC.
Omada's SCCM Management Agent is based on FIM's extensible connectivity management agent framework. The agent supports full import of systems, collections, collection assignments, and installs from an SCCM system. On export, the agent supports the addition of systems to collections, as well as removal of a system from a collection.
Omada's Exchange Object Management Agent is based on FIM's extensible connectivity management agent framework. The agent supports full import, and can move mailboxes within an Exchange organization. The agent has two modes of export operation: 1) synchronous moves of mailboxes 2) asynchronous moves of mailboxes (i.e., multiple threads moving mailboxes).
Omada's File Share Management Agent is based on FIM's extensible connectivity management agent framework. The agent supports import and export operations, and can create, move/rename, and delete file shares. Additionally, the agent can optionally set permissions on file shares, and move file shares between different file system volumes.
Omada's Home Folder Management Agent is based on FIM's extensible connectivity management agent framework. The agent supports import and export operations, and can create, move/rename, and delete home folders. Additionally, the agent can optionally set permissions on folders, and move home folders between different file system volumes.
Omada's PowerShell Management Agent is based on FIM's extensible connectivity management agent framework. The agent supports export (add) of a script with parameters to execute. The agent is based on the "post processing" approach to creating extensible management agents that execute external (to FIM) commands.
Omada provides a number of Management Agents which are used to populate the FIM Portal with the customer's existing accounts and group memberships in target systems such as Active Directory, AD LDS, SAP, etc.
The SharePoint Management Agent is based on SharePoint's standard API. The agent supports full import of users, sites, lists, permissions and permission levels. On export, the agent supports adding user permissions and revoking violating permissions.
Company website: http://oxfordcomputergroup.com/ Information: info@oxfordcomputergroup.com
Oxford Computer Group's Exchange MA makes it significantly easier to create, maintain, disconnect and delete Exchange mailboxes (user and resource mailboxes, and contacts). The MA is able to check and guarantee the uniqueness of mail addresses (mail and proxies). Furthermore, it supports mailbox quota and protocol settings management (OWA, MAPI, IMAP, etc.). Distribution groups can also be administered. Mailbox permissions can be kept up to date by FIM: the MA allows managing mailbox permissions such as send-as, send-on-behalf, full-access, etc. The solution allows forest-wide mailbox provisioning as well as forest-wide and cross-forest mailbox relocation.
The Management Agent serves the following functions:
The Management Agent serves the following functions:
OCG's Oracle System Management Agent is based on the native Oracle .NET library. The agent supports export and import operations and can create, delete and modify account objects, and manage database permissions, user profiles and schemas at the database level. It can import accounts, roles and role assignments for reporting and attestation processes.
The OCG PowerShell MA enables the execution of any task that can be performed in PowerShell. It is a universal PowerShell Management Agent that allows the provisioning of systems managed through PowerShell (e.g. Lync, SharePoint, Exchange, Office 365, NetApp…). Any PowerShell script can be used as part of the provisioning, modification or deprovisioning logic by integrating it into the PowerShell script the Management Agent calls during export. Modules can be loaded locally on the fly to enable the use of additional cmdlets. The import script supports delta imports to speed up the import process. Errors can be logged to the Event Viewer, to a file, or directly into the Synchronization Engine. The agent also supports outbound password changes as part of the Password Change Notification Service (PCNS) system, by using a password management script.
The OCG PowerShell Transaction Management Agent enables the execution of any PowerShell command, including additional user-defined parameters and arguments, against any system that supports a PowerShell interface. Based on the object information, commands are executed locally or against different endpoint systems. Additional PowerShell modules can be loaded at runtime when executing a single object or a bundle of objects. Authentication modes, user and credential information can be added for each operation if necessary. After the PowerShell command is sent, the result collection and error streams are caught by the Management Agent and made available for further processing.
The OCG RSA 7 Management Agent provides functionality for RSA 7 SecurID lifecycle management at the enterprise level. The RSA 7 SecurID MA can manage multiple RSA systems, realms and data sources. The agent supports export and import operations and can create, delete and modify account objects, manage tokens and token assignments (including token change and PIN reset functionality), and manage groups and group memberships.
Oxford Computer Group provides a solution specifically designed for organizations running SAP R/3 and NetWeaver. The MA integrates SAP with FIM and uses standard BAPI calls to manage users and roles, combining the power and flexibility of Microsoft Forefront Identity Manager (FIM) with a bespoke connector for SAP. OCG has created a cost-effective and easily deployable solution to address issues of identity and access management. The Management Agent provides the following features:
Oxford Computer Group's SharePoint MA makes the creation, deletion and maintenance of up-to-date SharePoint profiles significantly easier. The solution allows an organization's SharePoint user profiles to be kept up to date by FIM. FIM populates the SharePoint user profiles with data from any of its connected data sources, such as Active Directory, HR systems, company white pages, email Global Address Lists, etc. By utilizing FIM's provisioning and deprovisioning power, an organization's SharePoint user profiles can be created and deleted in line with its business rules. That means new starters get access to all the required and approved systems from the minute they join the company. It also means their access privileges can be changed when required and removed when they leave. This significantly reduces the possibility of data theft.
The OCG SSH System Management Agent is based on the standard .NET library. The agent supports creation, deletion and modification of account objects and user profiles on UNIX-based systems. Combined with the OCG Password Change Notification Service (PCNS), the solution provides the ability to synchronize account passwords between Active Directory and the connected UNIX systems. The MA functionality is easily and freely extensible.
The OCG Simple LDAP MA (based on Extensible Connectivity MA 2.0) allows the import of Active Directory Partitions or Global Catalog Structures into FIM. The Management Agent has automatic AD Schema discovery. It is therefore possible, in the FIM User Interface, to select which object types and attributes are imported from AD or GC.
The OCG Sync Monitor Solution MA (based on Extensible Connectivity MA 2.0) generates Metaverse data that makes the monitoring and troubleshooting of sync issues straightforward. For example, the MA generates a multi-value list for each object in the Metaverse, showing which Management Agents are connected to that Metaverse object. Similarly, errors in synchronization or export also result in Metaverse objects which are related to the object that experienced the error – this increases the visibility of the error message and makes troubleshooting more straightforward. OCG has many other Management Agents that are available as part of a service engagement, and is developing new ones all the time - for example Google MA, File Share MA, Unix, Oracle RBAC, various telephone systems, SharePoint, Office 365, Exchange 2010 Resources, custom LDAP MA, GPO Link MA, AD DACL - please contact us!
Visit our company website http://www.predica.pl/ for more information on our FIM-related solutions, or e-mail us for additional information at kontakt@predica.pl.
Predica has created a specialized management agent for integrating Cisco Unified Communications Manager (CUCM) into FIM 2010 based solutions. The CUCM management agent extends FIM with full management capabilities for CUCM user accounts, covering import and export operations in all scenarios: provisioning, information management and de-provisioning. The CUCM MA also provides password management capabilities to manage both the CUCM user PIN and password, for initial account provisioning and for password synchronization / reset. In addition to user management, the agent can be used to retrieve information about users' devices, the lines assigned to those devices, the service profiles assigned to these lines, and hunt lists with their members. For its management capabilities the CUCM MA uses the native web service interfaces of Cisco Unified Communications Manager and does not require any additional elements to be deployed in the managed system. All information is retrieved using configurable queries, which can be adjusted for each object type. The agent has been proven through deployments where it manages thousands of user accounts. Currently supported with CUCM versions 7.x and 8.x.
The agent is available in Extensible MA and ECMAv2 versions. You can read more about the agent and its configuration in a dedicated blog post. Fully supports FIM 2010, FIM 2010 R2 and SP1.
The agent enables the following scenarios (among others):
Company website: http://www.quest.com/
The Quest Management Agent for Forefront Identity Manager allows you to combine the capabilities provided by Quest ActiveRoles Server and Microsoft Forefront Identity Manager (FIM) to automate user management tasks. With the Quest Management Agent for Forefront Identity Manager you benefit from bi-directional synchronization of user accounts, groups, and other directory objects between FIM and the Active Directory domains and AD LDS (ADAM) instances managed by ActiveRoles Server.
Company website: http://www.schakra.com/Services.aspx
With the Home Directory Management Agent (HDMA) for FIM, user home directories can be managed with the same ease and familiar environment as other aspects of the identity lifecycle.
Company website: http://www.traxion.com/
An advanced framework that contains standard functions, converters, configuration, logging and codeless provisioning & synchronization. These features can be controlled through an XML file.
This management agent can retrieve information from text files, SQL databases, or a custom implementation (e.g. a web service), and validate the input and its references to other objects. All object attributes are validated (via an XSD schema) and filtered before they even enter the connector space. Together with the IM Sequencer scheduling and synchronization solution (see www.imsequencer.com), this information can be logged in reports. (This agent can easily be used in combination with other extensible agents.)
Using the Liferay web services this management agent is able to provision portal user accounts and roles (incl. members).
The group MA is used to generate Active Directory groups based on attribute values within the metaverse, for instance generate a group based on org units or generate a group based on users working in specific departments.
The AEOS extensible management agent connects to Nedap AEOS using an ODBC connection. Employee information can be added, modified and removed using specific import function codes.
If a web service meets the requirements of a predefined WSDL, the Generic Web Service MA can be used to connect it to FIM without the need to write custom code. The predefined WSDL consists of a basic object model that is easily translated to other systems.
This agent fully manages mailboxes for MS Exchange 2003, 2007 and 2010. It has standard support for creating, deleting and managing all mailbox capabilities. Mailboxes can also be distributed evenly over different mailbox stores.
This agent imports or exports data from or to multiple SQL tables; you can easily configure how connector space objects should be exported or imported. This management agent also supports delta imports.
This agent manages folders, file shares, DFS links and all the security rights for users and groups. This management agent also supports delta imports.
With this solution Traxion and Imprivata offer a seamless integration of ILM/FIM with Imprivata OneSign enterprise single sign-on.
We have also built an extensive list of other MAs for specific customer scenarios. Examples are MAs using webMethods, SAP web services and PowerShell commands.
Company website: http://www.unifysolutions.net/
The UNIFY Identity Broker is a service that solves the following issues:
UNIFY's list of Identity Broker MAs includes (but is not limited to) the following: