Some of my memorable moments from TEC this year…
Most fun helping out a fellow MVP
I arrived a couple of days early, so I was able to do a run-through of Craig Martin’s half-day workshop on managing FIM with PowerShell. Craig claimed to be worried about the labs and the text, and whether there was enough and whether it would work… I don’t know why, because he’d clearly put enormous amounts of effort into it and the payoff was an incredibly useful, practical learning experience for the attendees. Great work Craig, and I hope you get to deliver it again!
Coolest FIM Ideas
FIM is not the most fashionable of products, but these sessions did really make everyone sit up and say “now that is cool!”
Eihab Isaac’s replacement for selected RCDC forms
When I’ve heard talk of designing a web form to replace the underwhelming user experience of the FIM Portal I imagined something completely separate from the Portal. The genius of Eihab’s solution is that he is selectively replacing RCDC-based forms, while still using all the other functionality of the Portal. The forms are actually hosted on IIS outside the Portal, and communicate with the Portal via web services, but to the user they appear seamlessly integrated. So when you click the “New User” button you get what we all wish would pop up – a form with immediate data validation including helpful messages to the user, dynamic modification of controls and drop-down lists based on other options chosen, and a wider variety of controls than we get in the RCDC.
At the same time he also solved the problem of allowing an Approver to go in and modify some details before approving – now that is cool!
For more info talk to the lovely people at Zeva.
Rob Allen’s FIM phone app
Rob demonstrated a pair of impressively snazzy looking apps, for iPhone and Windows mobile, that allow FIM tasks such as approving a request, resetting your password, and adding a user to a group. Both apps are available on their respective app stores (look for “FIM Mobile”) if you want to take a look. Unfortunately I have Android so will have to wait until Rob and the other clever boys at ActiveIDM write one of those too.
Bob Bradley’s Replay MA
Bob is my colleague at Unify, and I even had a hand in this presentation, so including this does seem a little self-congratulatory – but it is a really cool idea! Essentially Bob takes the import drop file from FIM MA import jobs (full and delta), converts them to LDIF using an XSLT stylesheet, and feeds them back into the Sync Service via a second MA (the “Replay MA”). This is a completely normal (albeit import-only) MA to which you can apply advanced import flow rules and manual precedence rules to data generated in the FIM Portal. The number of people sitting there saying “now why didn’t I think of that?!” made me laugh – the simplest ideas are often not self-evident at all.
There will be more details on this coming soon, including the scripts and stylesheets.
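As an added illustration of the replay pipeline described above (example code written for this write-up, not Bob’s scripts or stylesheet, which will follow later), here is a small Python script that reads a FIM MA import drop file and writes LDIF for the second MA to import. Bob’s version does the same transform with XSLT. It assumes the drop file uses the mmsml audit-file layout shown in the embedded constructed sample, and that an operation attribute on each attr element carries the modify type; both are assumptions to check against the drop files your own FIM MA actually writes.

```python
"""Convert a FIM MA import drop (audit) file into LDIF for a replay MA.

Added example, not Bob Bradley's scripts or stylesheet. The drop-file layout
(mmsml / directory-entries / delta / attr / value) and the per-attribute
'operation' attribute on modify deltas are assumptions about the audit file
format; verify them against the files your own FIM MA produces.
"""
import base64
import xml.etree.ElementTree as ET

NS = {"m": "http://www.microsoft.com/mms/mmsml/v2"}

# Constructed sample drop file: one add, one modify and one delete delta.
SAMPLE_DROP_FILE = """<?xml version="1.0" encoding="utf-8"?>
<mmsml xmlns="http://www.microsoft.com/mms/mmsml/v2" step-type="delta-import">
  <directory-entries>
    <delta operation="add" dn="CN=Alice Example,OU=People,DC=example,DC=com">
      <attr name="objectClass" type="string" multivalued="true">
        <value>person</value>
      </attr>
      <attr name="displayName" type="string" multivalued="false">
        <value>Alice Example</value>
      </attr>
      <attr name="mail" type="string" multivalued="false">
        <value>alice@example.com</value>
      </attr>
    </delta>
    <delta operation="modify" dn="CN=Bob Example,OU=People,DC=example,DC=com">
      <attr name="department" type="string" multivalued="false" operation="replace">
        <value>Finance</value>
      </attr>
    </delta>
    <delta operation="delete" dn="CN=Carol Old,OU=People,DC=example,DC=com"/>
  </directory-entries>
</mmsml>
"""


def _ldif_line(name, value):
    """Encode one attribute line, base64-encoding values that are not LDIF-safe."""
    safe = (value.isascii() and value.isprintable()
            and not value.startswith((" ", ":", "<")))
    if safe:
        return f"{name}: {value}"
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{name}:: {encoded}"


def parse_drop_file(xml_text):
    """Return a list of {'dn', 'operation', 'attrs'} dicts, one per delta."""
    root = ET.fromstring(xml_text)
    entries = []
    for delta in root.iterfind("m:directory-entries/m:delta", NS):
        attrs = []
        for attr in delta.iterfind("m:attr", NS):
            values = [v.text or "" for v in attr.iterfind("m:value", NS)]
            attrs.append({
                "name": attr.get("name"),
                # Assumption: modify deltas carry add/replace/delete here.
                "operation": attr.get("operation", "replace"),
                "values": values,
            })
        entries.append({"dn": delta.get("dn"),
                        "operation": delta.get("operation"),
                        "attrs": attrs})
    return entries


def to_ldif(entries):
    """Render parsed deltas as LDIF change records (RFC 2849 style)."""
    records = []
    for entry in entries:
        lines = [_ldif_line("dn", entry["dn"])]
        op = entry["operation"]
        if op == "add":
            lines.append("changetype: add")
            for a in entry["attrs"]:
                lines.extend(_ldif_line(a["name"], v) for v in a["values"])
        elif op == "delete":
            lines.append("changetype: delete")
        elif op == "modify":
            lines.append("changetype: modify")
            for a in entry["attrs"]:
                lines.append(f"{a['operation']}: {a['name']}")
                lines.extend(_ldif_line(a["name"], v) for v in a["values"])
                lines.append("-")
        else:
            raise ValueError(f"unsupported delta operation: {op}")
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    print(to_ldif(parse_drop_file(SAMPLE_DROP_FILE)))
```

Because the replay MA is import-only, the LDIF only ever describes what the FIM MA already brought in; the value of the trick is that the resulting connector space objects can then be given their own import flow and precedence rules in the Sync Service.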
Most fun dissing a fellow MVP
You have to hand it to David Lundell for being a great sport. His “Declarative vs Classic” FIM showdown was always going to be controversial, but then to try and claim that declarative was the winner??? Clearly he was just trying to wind us all up ;-) I think everyone had a lot of fun in that session.
Weirdest 1am conversation
Those PowerShell dudes can talk PowerShell any time of the day or night. This is the second year running I’ve ended up in some kind of intense PowerShell-related conversation, including whipped-out laptops and kamikaze demos, at well past the time I should have been in bed. This year I was hearing all about James Brundage’s mad-scientist type plans to take over the entire world using his PowerShell super-powers… at least the websites for starters. Gotta love all that crazy passion and inspiration!
R2 Snippet of the week
It was all a little light-on for R2, and in particular I think a lot of us would have appreciated a session from Microsoft on the BHold acquisition and integration… but there was one excellent little snippet in Eric Huebner’s talk. Apparently R2 will include “Request Splitting”.
My understanding, and I really do hope I got this right, is that this will overcome the current problem of all changes being bundled into a single request object: if any approvals are needed, FIM sends all changes to all approvers, any one of whom can approve or reject the entire list.
What we really want of course is for changes that don’t need approval to go through unobstructed. And where changes do need approval they should go to the correct approver for that particular change – which may mean a couple of different people getting to approve separate attribute changes.
This made me super happy as the single request architecture has been a big thorn in my side lately!
Most Interesting Sponsor Solution
I really like OptimalIDM’s solution for multi-forest/multi-environment and Office 365. Regular readers of this blog will know I did a big, messy, multi-forest BPOS project in 2010-2011, and if I were doing that same project now I would be looking seriously at this product. At a high level, they solve some of the key problems faced by any complex organisation trying to move to Office 365:
- Their Virtual Directory presents a unified source directory to DirSync, taking objects from whatever directories you have about the place, not just AD – so if you have a Lotus Notes LDAP directory they can DirSync your users up to Office 365 without needing to also create them in a local AD!
- You can control which objects from your source directories make it into the Virtual Directory, overcoming the vacuum cleaner tendencies of DirSync.
- They solve the “public UPN” problem of federating with Office 365 by allowing you to map the UPN in the Virtual Directory. So if your local AD is myorg.local but the public domain is myorg.com you won’t have to rename all your user UPNs – just let the Virtual Directory simulate it. Also for non-AD users it can provide a virtual UPN in the correct format.
- Following on from the last point, non-AD users can in fact use the federated login to Office 365. By acting as an account store for ADFS, OptimalIDM’s product can proxy the authentication request to any other directory. Again really great if you’re migrating from non-Exchange to Office 365.
For more info see http://www.optimalidm.com/Products/VIS/VirtualIdentityServerforOffice365/
General best thing about going to TEC
Seeing people who feel like old friends now even though I only see them once a year, and making new friends!
Nice summary Carol, and I second the last comment of all. For me the biggest thought provoker (aside from the 2 UI ideas you mention) was the introduction of reporting with R2 and what that would mean in terms of adoption for existing FIM customers, in terms of both the potential backlog of history, and in terms of making up for the few pieces missing from the first release.
… actually that’s not entirely true, since reporting was probably a close second behind the impending Windows 2012 “Dynamic Access Control” idea based on claims, and the implications in terms of the necessary normality and density of claims metadata. Claims-based ideas will depend entirely on the integrity of the metadata on which they depend, and this means the task of getting your FIM Sync house in order becomes mission critical and no longer something that can be put off.