Tuesday, November 12, 2013

Forefront Identity Manager (FIM) Custom Management Agent for CRM 2011 - Part 1

In this post I will share my experiences in developing a custom management agent for CRM 2011 in FIM. Since there is quite a bit to cover, I have split this post into two parts, this being part 1.
Integration with FIM was quite a steep learning curve for me because I had little or no knowledge of how FIM works, but after some playing around, reading articles and banging my head, I finally figured it out and got something working. So to get started I will explain a little bit of what FIM does and what we are going to achieve by building a Management Agent for CRM 2011 in FIM.
FIM is the identity management solution from Microsoft, but it does a whole lot of other stuff as well, such as certificate management, self-service password resets etc. It used to be called Identity Lifecycle Manager and before that Microsoft Identity Integration Server. It has four components:
  • FIM Synchronization Service
  • FIM Service
  • FIM Portal
  • FIM Certificate Management
I am not going to go into detail on all the components; I am just going to stick to what we really need for the purpose of creating a management agent for CRM 2011. You can read about the rest on MSDN, blogs etc. The FIM Synchronization Service is responsible for passing identity information from one source to another. This could be from a database such as Oracle to AD, or from AD to another system such as the HR system or, in our case, CRM 2011. FIM calls these systems connected data sources (CDS). The FIM Sync service can run by itself without the other components. To consume data from a CDS, FIM uses adapters which it calls Management Agents (MA). Some MAs come prepackaged with FIM, such as those for Active Directory, SQL, flat files, Oracle, SAP etc. What we don't have is an MA for CRM 2011, but this is quite straightforward to develop once you know how FIM works. FIM allows developers to create what it calls an Extensible Connectivity Management Agent (ECMA) 2, which is basically some .NET code that implements interfaces that FIM provides.

Implementation is good, but understanding how the FIM Sync service stores and pushes data between systems is, in my mind, critical to understanding how to create a Management Agent for CRM 2011. For this I refer you to these TechNet articles 1, 2, 3, which explain the inner workings of the FIM Sync service. After reading them you will know that the FIM Sync service stores data in the "Connector Space" and then pushes it to the "Metaverse". It is from the Metaverse that data is pushed to external systems. In short, inbound synchronization populates authoritative data in the metaverse, and outbound synchronization populates external systems from the metaverse.
The MSDN articles above also talk about the FIM Service and Portal and use what is called declarative synchronization, which is configured through the portal and FIM Service. I am going to show you non-declarative synchronization, in which we will be writing code.

What I wanted to achieve using the FIM Sync service was to automate the user creation process in CRM 2011, i.e. whenever a new user is created in Active Directory, the user
  • is added as a user in CRM 2011
  • is put in the appropriate business unit or team
  • gets the appropriate security roles
  • is disabled as soon as the user is deleted in AD or the account is disabled
This can be extended to whatever degree one wishes. For example, rules can be applied which add users to or remove them from teams within CRM based on group membership in AD, SQL or some other system. The whole goal is automation and keeping all the systems in sync all the time without manual intervention.

Now that we have some background knowledge on FIM and our end goal, let's break down the steps that are involved.

  1. Create MA for Active Directory (this is out of box)
  2. Import Data (i.e. populate metaverse)
  3. Create custom MA for CRM
    1. Map attributes
  4. Create metaverse Rules extension


The first thing we have to do is create an MA for Active Directory. This will allow us to pull data from AD into the FIM Sync service database (i.e. the metaverse). Once the data is there we will be ready to export it to our external system, aka CRM 2011.
To create an MA for AD, click "Create" on the MA tab. This will bring up the "Create Management Agent" box.

Next, type in the Active Directory details; in my case it is contoso.com.
Next, select the AD containers. In my case it is ECMA2, which is an OU that I created specifically for testing purposes. You could leave it empty, and that would select everything.
In the next screen, select the AD objects, ensuring that you select "user".

In the next screen, you need to select the AD attributes as shown below. It is an extensive list of attributes, so you really should know which ones are needed. In my case, since it was just an example, I am selecting only a few attributes such as sAMAccountName, which corresponds to your AD login.

In the "Connector Filter" screen just hit next, as we are not going to specify any filters. In "Join and Projection Rules", project "user" as shown below.
In "Configure Attribute flow", map the attributes. Here you will be mapping the AD attributes to the metaverse attributes. Since we are only interested in users, we will be mapping "user" attributes to the metaverse's "person" attributes as shown below.
Click next, and in Deprovisioning just select "make them disconnectors". Finally click okay.
This will create your AD MA. Now we will move on to creating the custom (aka ECMA 2) MA for CRM 2011.

To create the CRM MA we need to create a C# project. Assuming that you have installed the FIM Synchronization Service, all you need to do is go to "Actions" -> Create Extension Projects -> Extensible Connectivity 2.0 Extension.

This will bring up a box where you provide the name of the project and select the type of project and the Visual Studio version that you want to use; just select 2010. The project created will contain a class with all the interfaces commented out, as shown below:
using System;
using System.IO;
using System.Xml;
using System.Text;
using System.Collections.Specialized;
using Microsoft.MetadirectoryServices;

namespace FimSync_Ezma
{
    public class EzmaExtension :
    //IMAExtensible2CallExport,
    //IMAExtensible2CallImport,
    //IMAExtensible2FileImport,
    //IMAExtensible2FileExport,
    //IMAExtensible2GetHierarchy,
    //IMAExtensible2GetSchema,
    //IMAExtensible2GetCapabilities,
    //IMAExtensible2GetParameters,
    //IMAExtensible2GetPartitions
    {
        //
        // Constructor
        //
        public EzmaExtension()
        {
            //
            // TODO: Add constructor logic here
            //
        }
    };
}


We will need to uncomment IMAExtensible2CallExport, IMAExtensible2GetSchema, IMAExtensible2GetCapabilities and IMAExtensible2GetParameters. Next, we will have to right-click and get Visual Studio to implement these interfaces for us.
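A sketch of how the class could look once the schema, capabilities and parameter interfaces are implemented (IMAExtensible2CallExport is left out here). This is an added example, not the author's code: the object type, attribute and parameter names and the https check are assumptions, and it compiles only against the FIM assembly that provides the Microsoft.MetadirectoryServices namespace.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using Microsoft.MetadirectoryServices;

public class EzmaExtension :
    IMAExtensible2GetSchema, IMAExtensible2GetCapabilities, IMAExtensible2GetParameters
{
    private const string UrlParam = "CRM URL"; // assumed parameter name
    public MACapabilities Capabilities
    {
        get { return new MACapabilities { DeltaImport = false, ExportType = MAExportType.AttributeUpdate,
            DistinguishedNameStyle = MADistinguishedNameStyle.None }; }
    }

    public Schema GetSchema(KeyedCollection<string, ConfigParameter> configParameters)
    {
        // Object type and attribute names are assumptions for this sketch.
        SchemaType user = SchemaType.Create("systemuser", false);
        user.Attributes.Add(SchemaAttribute.CreateAnchorAttribute("domainname", AttributeType.String));
        user.Attributes.Add(SchemaAttribute.CreateSingleValuedAttribute("firstname", AttributeType.String));
        user.Attributes.Add(SchemaAttribute.CreateSingleValuedAttribute("isdisabled", AttributeType.Boolean));
        Schema schema = Schema.Create();
        schema.Types.Add(user);
        return schema;
    }

    public IList<ConfigParameterDefinition> GetConfigParameters(
        KeyedCollection<string, ConfigParameter> configParameters, ConfigParameterPage page)
    {
        var defs = new List<ConfigParameterDefinition>();
        if (page != ConfigParameterPage.Connectivity) return defs;
        defs.Add(ConfigParameterDefinition.CreateStringParameter(UrlParam, ""));
        defs.Add(ConfigParameterDefinition.CreateStringParameter("Service account", ""));
        // Encrypted parameter type, so the password is not kept as a plain string parameter.
        defs.Add(ConfigParameterDefinition.CreateEncryptedStringParameter("Password", ""));
        return defs;
    }

    public ParameterValidationResult ValidateConfigParameters(
        KeyedCollection<string, ConfigParameter> configParameters, ConfigParameterPage page)
    {
        // Reject a CRM endpoint that would carry the service account credentials over plain http.
        bool plainHttp = page == ConfigParameterPage.Connectivity && configParameters.Contains(UrlParam)
            && !(configParameters[UrlParam].Value ?? "").StartsWith("https://", StringComparison.OrdinalIgnoreCase);
        return plainHttp
            ? new ParameterValidationResult(ParameterValidationResultCode.Failure, "CRM URL must use https", UrlParam)
            : new ParameterValidationResult();
    }
}
```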
The remainder will be covered in part 2, where we will be writing the actual code to create users and also implement the metaverse rules extension to populate the metaverse.
Till next time, Happy CRMing!



7 comments:

  1. Hi Muhammad, Great article. Are you any closer to publishing Part 2?

    Thanks
    xRM Dev

  2. Article is great waiting for part 2 :-)

    Thanks BP

  3. This comment has been removed by the author.

  4. Hi,
    Can I have the link for part-2

  5. Hi,
    Were you able to do its part 2 as you have mentioned here?
    It would be of great help if you can share the link for part 2 of Export only ECMA 2.0 and metaverse extension dll code.

  6. Hi, would you mind letting me know which webhost you’re working with? I’ve loaded your blog in 3 different browsers and I must say this blog loads a lot quicker than most. Can you recommend a good hosting provider at a reasonable price? Cheers, I appreciate it!
    crm consulting companies

  7. This comment has been removed by the author.
