Road Map for Designing and Planning Your Identity Integration Solution This subject explains the process for designing and planning your Microsoft ® Identity Integration Server (MIIS) 2003 system. Everyone who is associated with the deployment process uses this document to become familiar with the design and planning process. This subject is part of the Design and Planning collection of the MIIS 2003 Technical Library. At a Glance Overview of Designing and Planning Your Deployment .................................................. 3 Concepts for Getting Started with Your Solution ............................................................ 5 Steps in the Design and Planning Process ...................................................................... 8 Summary ............................................................................................................................ 12 2 Road Map for Designing and Planning Your Identity Integration Solution Table of Contents Overview of Designing and Planning Your Deployment .................................................. 3 Prerequisite Reading ................................................................................................... 3 Process for Designing and Planning Your Deployment ............................................. 4 Concepts for Getting Started with Your Solution ............................................................ 5 About Microsoft Identity Integration Server 2003 ..................................................... 5 Design and Planning Milestones................................................................................. 7 Steps in the Design and Planning Process ...................................................................... 8 Initiating Your Project................................................................................................... 8 Designing Your Data Flow Model ................................................................................ 9 Planning Your Metaverse ............................................................................................ 9 Planning Your Synchronization Rules ...................................................................... 10 Building Your Rules Extensions ................................................................................ 11 Planning Your Configuration ..................................................................................... 11 Summary ............................................................................................................................ 12 Overview of Designing and Planning Your Deployment 3 Overview of Designing and Planning Your Deployment Identity information is information related to people, applications, and network devices for an enterprise that is stored in various data repositories in the form of objects. Providing a single, integrated view of identity information for each given object has been an industry goal for some time. In the past, organizations envisioned a single enterprise directory that would store and organize all their identity data in a single place. This has so far proved difficult. Organizations are now turning to the concept of metadirectory services. By using a metadirectory, you can integrate the information found in various identity data repositories into a single view and update it as the information changes. Then, you can flow the information to various identity data management systems as necessary. MIIS 2003 provides repository, integration, management and provisioning services between a variety of heterogeneous directory and identity management systems. Before you begin the design and planning process, familiarize yourself with the prerequisite reading listed in this section. Also, familiarize yourself with the Microsoft Solutions Framework (MSF), which is the basis for the design and planning process described in this subject. If you have used MSF in the past for similar deployments, you can benefit from any lessons that you might have learned in the process. Deploying an MIIS 2003 solution can be complex, depending on your selected solution, so following a thoughtful, step-by-step process helps you minimize problems as your deployment progresses. Following this structured approach on your first MIIS 2003 solution will help you during subsequent deployments. The goal of the design and planning process is to use a thorough evaluation of potential identity management data systems so that you can determine the best design to flow data between them using MIIS 2003. Prerequisite Reading Before reading this subject, familiarize yourself with MIIS 2003 and how it operates. The following resources should give you the understanding you need to design and plan your MIIS 2003 solution: “Essential Concepts of Microsoft Identity Integration Server 2003” in the Technical Reference Collection of the Microsoft Identity Integration Server 2003 Technical Library. Documentation for Microsoft Solutions Framework, especially the Process Model. This documentation can be found at http://go.microsoft.com/fwlink/?LinkId=26228. 4 Road Map for Designing and Planning Your Identity Integration Solution Process for Designing and Planning Your Deployment Synchronizing data from various sources is a complicated process, and through careful planning you can avoid a situation in which information does not synchronize the way you envisioned it. Following a structured process for your deployment increases the likelihood of success. For the purposes of this technical library, design and planning refer to two different processes: Design is the process of examining the requirements of the synchronization itself without considering the constraints of the product. It addresses the question of how the solution will work. Planning is the process of considering the constraints of the product and how those constraints affect your actual deployment. It addresses the question of how MIIS 2003 should be configured to implement the design goals. Figure 1 illustrates the process for design and planning. Figure 1 The Design and Planning Process for MIIS 2003 The outcome of the design and planning process is to identify how the identity data will flow between the various data sources in your solution, and determine what settings you will be required to make in MIIS 2003 to achieve that end. You can achieve this outcome by: Concepts for Getting Started with Your Solution 5 Constructing a high-level identity integration solution proposal that is based on your business requirements. Constructing a data flow model that is based on your IT environment and your synchronization goals. Determining a schema for the MIIS 2003 Metaverse which provides the integrated view of all the identity data. Determining how identity data synchronization will take place. Customizing data synchronization behavior within MIIS 2003. Writing a configuration guide of all the system and MIIS 2003 settings that will address your particular solution. The outcome of the process also requires participation of various people in your organization such as system and security architects, data experts, IT operations, and data and system testers. Concepts for Getting Started with Your Solution A solution is an MSF term that refers to the coordinated delivery of all the elements needed to successfully respond to a customer’s business problem. For the MIIS 2003 design and planning process, the solution is an efficient, well-integrated, and smooth-running deployment of the product. For more information about solutions and MSF, see “Initiating Your Project” in this collection of the MIIS 2003 Technical Library. About Microsoft Identity Integration Server 2003 Microsoft® Identity Integration Server 2003 is a service that stores and coordinates identity information from multiple sources (for example, directories, databases, or formatted dump files) in an organization. With Microsoft Identity Integration Server 2003, you can combine that information into a single logical view that represents all of the identity information for a given user or resource. An important element of MIIS 2003 is a namespace called a metadirectory. A metadirectory can integrate and synchronize information that is stored in multiple data sources including directories. MIIS 2003 uses the metadirectory to process identity information from different data repositories such as the Microsoft® Active Directory™ directory service, a Microsoft SQL Server database, IBM® Lotus® Notes, Novell® eDirectory™, or a fixed-width text file. Every data store that provides well-known data access methods is a potential data source candidate for MIIS 2003. The different kinds of identity data systems used by MIIS 2003 are called connected data sources. 6 Road Map for Designing and Planning Your Identity Integration Solution The MIIS 2003 metadirectory uses two namespaces to perform its tasks. Namespaces in this case are database-like structures containing uniquely named objects that store information during the synchronization process. The two namespaces are the connector space and the metaverse (MV), as shown in Figure 2. Figure 2 MIIS 2003 Components The connector space is a storage area where object additions, deletions, and modifications are written before they are synchronized with the metaverse or the connected data source. A portion of the connector space is dedicated to each management agent. It is important to note that the connector space does not contain the connected data source object itself, but a shadow copy of the object that contains a subset of the object's attributes, as defined in the management agent. Not every object in a connected data source is designated for synchronization; for example, inactive employees might not be designated. For objects that are designated, some attributes might not be included because some objects contain numerous attributes that are not used at all or that might not make sense in the data sources with which the data is being synchronized. The connection with the connected data source is not maintained continuously but only connected during communication sessions to update the connected data source or the connector space. Management agents control the data flow between a connected data source and the metaverse. There is a management agent for each supported connected data source. The metaverse is another core component of MIIS 2003. It is a storage area that contains the aggregated identity information from multiple connected data sources. It provides a single, global, integrated view of all combined objects. These metaverse objects are based on the identity information that is retrieved from the connected data sources and a set of synchronization rules that specify how MIIS 2003 creates the metaverse objects. Metaverse objects are used to capture the aggregated data during synchronization so that data can flow to the other data source in the synchronization design. Concepts for Getting Started with Your Solution 7 MIIS 2003 uses a connector space and the metaverse to create an aggregated view of the identity data that is stored in multiple repositories. You can use this aggregated view to synchronize identity information across applications and platforms. For more information about the metadirectory and concepts associated with MIIS 2003, see “Essential Concepts of Microsoft Identity Integration Server 2003” in the Technical Reference collection of the MIIS 2003 Technical Library. Design and Planning Milestones MSF recommends the use of milestones for implementing a large project such as deploying MIIS 2003. The Design and Planning collection of the MIIS 2003 Technical Library is ordered so that each subject has a corresponding specification or worksheet in this technical library. The corresponding milestones require approval by all stakeholders. M0 – Solution Proposal Approved. At this milestone, the scenario for the deployment has been carefully designed, the existing system has been mapped, budget and schedules have been approved, and the solution proposal containing all this information has been signed off by all stakeholders. M1 - System Data Flow Design and Planning Approved. At this milestone, the design for the data flow has been documented and approved by all stakeholders. Rules have been planned and rule extensions have been identified. The objects and attributes to be added to the metaverse schema have been outlined. The system data flow design document records all this information. M2 – Configuration Guide Approved. At this milestone, the Configuration Guide has been approved and all the decisions necessary to prepare this guide have been made and signed off by all the stakeholders in the project. M3 – Capacity Planning Approved. At this milestone, capacity planning has been completed, a document outlining the strategy has been prepared, and the document has been signed off by all stakeholders. M4 – Design and Planning Document Set Complete (Handoff). At this milestone, all Design and Planning documents have been completed, all worksheets have been completed, and all steps have been signed off by the project stakeholders. The documents and worksheets are passed along to the deployment team to be used in carrying out the actual deployment. Following these milestones helps to ensure that everyone on the project team is in agreement about the goals, implementation, costs, and schedule for your project at each step along the way. Versioned releases MSF recommends that you develop solutions by building, testing, and deploying core functionality. You can use these builds, tests, and deployments as a foundation on which you can build features. This is known as a version release strategy. When deploying your MIIS 2003 solutions, consider deploying the most strategic one first, then address additional designs in 8 Road Map for Designing and Planning Your Identity Integration Solution subsequent releases. It is true that some small projects might only need one version. Nevertheless, look for opportunities to prepare for systematically released versions. Steps in the Design and Planning Process The first two steps of the planning process are design-specific steps: Initiate your project to identify a solution Design a data flow model The next five steps are planning steps: Plan the metaverse Plan synchronization rules Build rules extensions Plan the system configuration The following sections describe each step of the MIIS 2003 design and planning process. Initiating Your Project Initiate your project is the first step in the MIIS 2003 deployment process. To initiate your project Identify and assemble a project team consisting of different roles for each phase of the design process. Identify the business goals that motivated your organization to choose the deployment of MIIS 2003 in the first place. Create a project vision statement, and state the project scope. Clarify your identity data synchronization goals. Create an assessment of your current state infrastructure. Worksheets are provided to record this information. Analyze prospective scenarios, and select the solution that best meets your goals. The project architect and other members of your project team identify and document the solution. The process of identifying the solution is documented in the solution proposal. Four worksheets are included in order to help you complete this process, and you should include the completed worksheets as appendices to your solution proposal. Blank copies of the worksheets are included in “Design and Planning Worksheets for Microsoft Identity Integration Server 2003” in this collection of the MIIS 2003 Technical Library. Steps in the Design and Planning Process 9 When the project team has completed the tasks associated with identifying the solution, the team creates its portion of the solution proposal, which provides details about your scenario and the project costs and schedules. From this point, the data flow design team can take this information and begin the data flow design. The M0 deployment milestone, Solution Proposal Approved, is accomplished when all the stakeholders sign off and approve the solution proposal. For more information about identifying the solution, see “Initiating Your Project” in this collection of the MIIS 2003 Technical Library. Designing Your Data Flow Model After the project architect and the project team produce the solution proposal and assemble the team, the data flow designer begins to develop the data flow model. This data flow model is the design of the MIIS 2003 metadirectory namespaces. To design your data flow model 1. Define the identity integration policies that need to be in effect for your synchronization to complete successfully. These policies are recorded in the system data flow design document. Complete the worksheets as part of the data flow design. To complete the worksheets, collect and analyze your data, map your object-level data flow, analyze object data flow, map the attribute flow information, and choose your synchronization strategy. Document the required identity integration policies and include the worksheets as appendices to the system data flow design document. Ensure the project team has reviewed and approved the data flow model. The data flow designer passes the completed worksheets and the identity integration policies to the rules planner, who sets up rules that enforce those policies. The data flow designer also passes the system data flow design document to the metaverse planner, who plans and documents extensions to the metaverse schema. For more information about designing a data flow model, see “Designing the Data Flow Model for Microsoft Identity Integration Server 2003” in this collection of the MIIS 2003 Technical Library. For blank copies of these worksheets, see “Design and Planning Worksheets for Microsoft Identity Integration Server 2003” in this collection of the MIIS 2003 Technical Library. Planning Your Metaverse The metaverse is the namespace that contains integrated views of identity data that is staged in the connector space. You can help ensure efficient and safe data synchronization by carefully planning the metaverse. The choices you make about objects and attributes are crucial to your successful deployment and operation of MIIS 2003 The data gathered during metaverse planning is recorded on worksheets by the metaverse planner and included in the system data flow design 10 Road Map for Designing and Planning Your Identity Integration Solution document, which is then used by the synchronization rules planner to plan the synchronization rules. To plan your metaverse 1. Create a metaverse plan by mapping the objects in each connected data source to their corresponding objects in the metaverse. Include information about how the existing metaverse objects and attributes will be used, and include the new objects and attributes that need to be added to the metaverse for each planned synchronization. Assemble the planning information and policies into a metaverse design specification, which will be included in the system data flow design document. Ensure that the project team has reviewed and approved the metaverse design specification. For more information about metaverse planning, see “Planning the Metaverse for Microsoft Identity Integration Server 2003” in this collection of the MIIS 2003 Technical Library. Planning Your Synchronization Rules Data synchronization in MIIS 2003 is based on the processing of synchronization rules. Synchronization rules determine how to process objects and their attributes. You must configure synchronization rules for your deployment before synchronization takes place. You must plan your synchronization rules before you configure them to ensure the validity of data and absence of conflicts between rules. A synchronization rules specification provides specific information about what synchronization rules can be implemented and when they can be implemented. A synchronization rules specification also provides a functional specification of the rules extensions that you have determined are necessary for your MIIS 2003 solution. To plan your synchronization rules 1. Choose the rules that will enact the policies defined in the system data flow design document. If you cannot use an existing rule to produce your desired policies, begin planning rules extensions. Compile the rules planning information and policies into a synchronization rules specification. For worksheets that help you document this information and these policies, see “Design and Planning Worksheets for MIIS 2003” in this collection of the MIIS 2003 Technical Library. Include the synchronization rules specification in the system data flow design document. Ensure the synchronization rules plan is reviewed and approved by the project team. The deployment team uses the synchronization rules specification to select existing rules from the user interface (UI) or build extensions to those rules. The worksheets and specification are included in the System Data Flow document. For more information about planning synchronization rules, see “Planning Synchronization Rules for Microsoft Identity Integration Server 2003” in this collection of the MIIS 2003 Technical Library. Steps in the Design and Planning Process 11 Building Your Rules Extensions A rules extension is a software module that adds functionality to MIIS 2003 synchronization rules. MIIS 2003 supports rules extensions for both management agent rules and metaverse rules. The synchronization rules planner can define rules as extension implemented, and you can build rules extensions that are called at appropriate points during an MIIS 2003 synchronization. You implement a rules extension within a Microsoft .NET Framework assembly, saved to a dynamic link library (.dll) file. The two .NET Framework interfaces for synchronization rules— IMASynchronization and IMVSynchronization—enable you to provide: one rules extension .dll for each management agent that calls for any rules to be evaluated by a rules extension, implementing the IMASynchronization interface one rules extension .dll for the metaverse if the solution calls for either a metaverse deletion rule to be evaluated by a rules extension or if any provisioning is required (because provisioning can only be done through a rules extension). After completing all the rules extensions, the rules extensions planner provides the operable and tested files to the project team. They also provide a functional specification to document your rules extensions, which is included in the System Data Flow document. For more information about building rules extensions, see “Building Rules Extensions for Microsoft Identity Integration Server 2003” in this collection of the MIIS 2003 Technical Library. Milestone M1 is accomplished when all stakeholders sign off on the System Data Flow document. Planning Your Configuration After the synchronization rules and rules extensions have been added to the system data flow design document, record any specific configuration settings for your MIIS 2003 deployment in a configuration guide, and give the configuration guide to the deployment team. To plan your configuration 1. Obtain copies of the solution proposal and the system data flow design document. Determine and document the security plan. Verify reliable data at both ends of your synchronization. Configure error handling, and plan log levels. Create a backup and recovery plan. Plan system schedules. Configuration planners, in most cases employees already familiar with the tasks for their specific section, write each section of the document. In each case, they spend time doing research and becoming familiar with background material and processes. 12 Road Map for Designing and Planning Your Identity Integration Solution Before the configuration planners begin writing the document, they obtain copies of the solution proposal and the system data flow design document for input. The rules should be planned and the metaverse namespace design specification should be complete. Then, they formulate a plan, have the plan reviewed by the relevant parties, and document the plan. As configuration planners complete their work, they can work on the capacity plan for the deployment. When these two documents are complete and all the rules extensions have been written, the Design and Planning phase objectives have been met, and the entire process should be approved by the stakeholders so that the deployment can begin. For more information about planning your configuration, see “Planning the Configuration of Microsoft Identity Integration Server” in this collection of the MIIS 2003 Technical Library. Milestone M2 is accomplished when the Configuration Guide is approved. Summary Careful design and planning helps minimize problems as your MIIS 2003 deployment progresses. Following the processes that are outlined in the Design and Planning collection of the MIIS 2003 Technical Library increases the likelihood of your success with MIIS 2003. These processes are: 1. Identifying your solution Designing your data flow model Planning your metaverse Planning your synchronization rules Building rules extensions when needed Planning your configuration and writing your configuration guide Milestone M3 is accomplished when a capacity plan has been written and approved. (Capacity planning is not included in this collection of the MIIS 2003 Technical Library.) Milestone M4 is accomplished when all designs and plans have been approved and are handed off to the team that will undertake the actual deployment. When you have finished reading this subject, you can start the process of designing and planning your MIIS 2003 deployment. The first steps are described in “Initiating Your Project” in this collection of the MIIS 2003 Technical Library.