Overview of Designing and Planning Your Deployment

Road Map for Designing and Planning Your Identity Integration Solution
This subject explains the process for designing and planning your Microsoft® Identity Integration Server (MIIS) 2003 system. Everyone who is associated with the deployment process uses this document to become familiar with the design and planning process. This subject is part of the Design and Planning collection of the MIIS 2003 Technical Library.
At a Glance
Overview of Designing and Planning Your Deployment .................................................. 3
Concepts for Getting Started with Your Solution ............................................................ 5
Steps in the Design and Planning Process ...................................................................... 8
Summary ............................................................................................................................ 12
2 Road Map for Designing and Planning Your Identity Integration Solution
Table of Contents
Overview of Designing and Planning Your Deployment .................................................. 3
Prerequisite Reading ................................................................................................... 3
Process for Designing and Planning Your Deployment ............................................. 4
Concepts for Getting Started with Your Solution ............................................................ 5
About Microsoft Identity Integration Server 2003 ..................................................... 5
Design and Planning Milestones................................................................................. 7
Steps in the Design and Planning Process ...................................................................... 8
Initiating Your Project................................................................................................... 8
Designing Your Data Flow Model ................................................................................ 9
Planning Your Metaverse ............................................................................................ 9
Planning Your Synchronization Rules ...................................................................... 10
Building Your Rules Extensions ................................................................................ 11
Planning Your Configuration ..................................................................................... 11
Summary ............................................................................................................................ 12
Overview of Designing and Planning Your Deployment
Identity information is information related to people, applications, and network devices for an
enterprise that is stored in various data repositories in the form of objects. Providing a single,
integrated view of identity information for each given object has been an industry goal for some
time.
In the past, organizations envisioned a single enterprise directory that would store and organize
all their identity data in a single place. This has so far proved difficult. Organizations are now
turning to the concept of metadirectory services. By using a metadirectory, you can integrate the
information found in various identity data repositories into a single view and update it as the
information changes. Then, you can flow the information to various identity data management
systems as necessary.
MIIS 2003 provides repository, integration, management and provisioning services between a
variety of heterogeneous directory and identity management systems.
Before you begin the design and planning process, familiarize yourself with the prerequisite
reading listed in this section.
Also, familiarize yourself with the Microsoft Solutions Framework (MSF), which is the basis for
the design and planning process described in this subject. If you have used MSF in the past for
similar deployments, you can benefit from any lessons that you might have learned in the
process. Deploying an MIIS 2003 solution can be complex, depending on your selected solution,
so following a thoughtful, step-by-step process helps you minimize problems as your deployment
progresses. Following this structured approach on your first MIIS 2003 solution will help you
during subsequent deployments.
The goal of the design and planning process is to evaluate the candidate identity management data systems thoroughly, so that you can determine the best design for flowing data between them with MIIS 2003.
Prerequisite Reading
Before reading this subject, familiarize yourself with MIIS 2003 and how it operates. The
following resources should give you the understanding you need to design and plan your
MIIS 2003 solution:
• “Essential Concepts of Microsoft Identity Integration Server 2003” in the Technical Reference Collection of the Microsoft Identity Integration Server 2003 Technical Library.
• Documentation for Microsoft Solutions Framework, especially the Process Model. This documentation can be found at http://go.microsoft.com/fwlink/?LinkId=26228.
Process for Designing and Planning Your Deployment
Synchronizing data from various sources is a complicated process, and through careful planning
you can avoid a situation in which information does not synchronize the way you envisioned it.
Following a structured process for your deployment increases the likelihood of success.
For the purposes of this technical library, design and planning refer to two different processes:
• Design is the process of examining the requirements of the synchronization itself without considering the constraints of the product. It addresses the question of how the solution will work.
• Planning is the process of considering the constraints of the product and how those constraints affect your actual deployment. It addresses the question of how MIIS 2003 should be configured to implement the design goals.
Figure 1 illustrates the process for design and planning.
Figure 1 The Design and Planning Process for MIIS 2003
The outcome of the design and planning process is to identify how the identity data will flow between the various data sources in your solution, and to determine what settings you will be required to make in MIIS 2003 to achieve that end. You can achieve this outcome by:
• Constructing a high-level identity integration solution proposal that is based on your business requirements.
• Constructing a data flow model that is based on your IT environment and your synchronization goals.
• Determining a schema for the MIIS 2003 metaverse, which provides the integrated view of all the identity data.
• Determining how identity data synchronization will take place.
• Customizing data synchronization behavior within MIIS 2003.
• Writing a configuration guide of all the system and MIIS 2003 settings that will address your particular solution.
The outcome of the process also requires participation of various people in your organization
such as system and security architects, data experts, IT operations, and data and system testers.
Concepts for Getting Started with Your Solution
A solution is an MSF term that refers to the coordinated delivery of all the elements needed to
successfully respond to a customer’s business problem. For the MIIS 2003 design and planning
process, the solution is an efficient, well-integrated, and smooth-running deployment of the
product. For more information about solutions and MSF, see “Initiating Your Project” in this
collection of the MIIS 2003 Technical Library.
About Microsoft Identity Integration Server 2003
Microsoft® Identity Integration Server 2003 is a service that stores and coordinates identity
information from multiple sources (for example, directories, databases, or formatted dump files)
in an organization. With Microsoft Identity Integration Server 2003, you can combine that
information into a single logical view that represents all of the identity information for a given
user or resource.
An important element of MIIS 2003 is a namespace called a metadirectory. A metadirectory can
integrate and synchronize information that is stored in multiple data sources including
directories.
MIIS 2003 uses the metadirectory to process identity information from different data repositories
such as the Microsoft® Active Directory™ directory service, a Microsoft SQL Server database,
IBM® Lotus® Notes, Novell® eDirectory™, or a fixed-width text file. Every data store that
provides well-known data access methods is a potential data source candidate for MIIS 2003.
The different kinds of identity data systems used by MIIS 2003 are called connected data
sources.
The MIIS 2003 metadirectory uses two namespaces to perform its tasks. Namespaces in this case
are database-like structures containing uniquely named objects that store information during the
synchronization process. The two namespaces are the connector space and the metaverse (MV),
as shown in Figure 2.
Figure 2 MIIS 2003 Components
The connector space is a storage area where object additions, deletions, and modifications are
written before they are synchronized with the metaverse or the connected data source. A portion
of the connector space is dedicated to each management agent. It is important to note that the
connector space does not contain the connected data source object itself, but a shadow copy of
the object that contains a subset of the object's attributes, as defined in the management agent.
Not every object in a connected data source is designated for synchronization; for example,
inactive employees might not be designated. For objects that are designated, some attributes
might not be included because some objects contain numerous attributes that are not used at all
or that might not make sense in the data sources with which the data is being synchronized.
The connection with the connected data source is not maintained continuously but only
connected during communication sessions to update the connected data source or the connector
space.
Management agents control the data flow between a connected data source and the metaverse.
There is a management agent for each supported connected data source. The metaverse is another
core component of MIIS 2003. It is a storage area that contains the aggregated identity
information from multiple connected data sources. It provides a single, global, integrated view of
all combined objects. These metaverse objects are based on the identity information that is
retrieved from the connected data sources and a set of synchronization rules that specify how
MIIS 2003 creates the metaverse objects. Metaverse objects are used to capture the aggregated
data during synchronization so that data can flow to the other data source in the synchronization
design.
MIIS 2003 uses a connector space and the metaverse to create an aggregated view of the identity
data that is stored in multiple repositories. You can use this aggregated view to synchronize
identity information across applications and platforms.
For more information about the metadirectory and concepts associated with MIIS 2003, see
“Essential Concepts of Microsoft Identity Integration Server 2003” in the Technical Reference
collection of the MIIS 2003 Technical Library.
Design and Planning Milestones
MSF recommends the use of milestones for implementing a large project such as deploying MIIS 2003. The Design and Planning collection of the MIIS 2003 Technical Library is ordered so that each subject has a corresponding specification or worksheet in this technical library. The corresponding milestones require approval by all stakeholders.
• M0 – Solution Proposal Approved. At this milestone, the scenario for the deployment has been carefully designed, the existing system has been mapped, budget and schedules have been approved, and the solution proposal containing all this information has been signed off by all stakeholders.
• M1 – System Data Flow Design and Planning Approved. At this milestone, the design for the data flow has been documented and approved by all stakeholders. Rules have been planned and rule extensions have been identified. The objects and attributes to be added to the metaverse schema have been outlined. The system data flow design document records all this information.
• M2 – Configuration Guide Approved. At this milestone, the Configuration Guide has been approved and all the decisions necessary to prepare this guide have been made and signed off by all the stakeholders in the project.
• M3 – Capacity Planning Approved. At this milestone, capacity planning has been completed, a document outlining the strategy has been prepared, and the document has been signed off by all stakeholders.
• M4 – Design and Planning Document Set Complete (Handoff). At this milestone, all Design and Planning documents have been completed, all worksheets have been completed, and all steps have been signed off by the project stakeholders. The documents and worksheets are passed along to the deployment team to be used in carrying out the actual deployment.
Following these milestones helps to ensure that everyone on the project team is in agreement
about the goals, implementation, costs, and schedule for your project at each step along the way.
Versioned releases
MSF recommends that you develop solutions by building, testing, and deploying core functionality. You can use these builds, tests, and deployments as a foundation on which you can build features. This is known as a version release strategy. When deploying your MIIS 2003 solutions, consider deploying the most strategic one first, then address additional designs in subsequent releases. It is true that some small projects might only need one version. Nevertheless, look for opportunities to prepare for systematically released versions.
Steps in the Design and Planning Process
The first two steps of the planning process are design-specific steps:
• Initiate your project to identify a solution
• Design a data flow model
The next five steps are planning steps:
• Plan the metaverse
• Plan synchronization rules
• Build rules extensions
• Plan the system configuration
The following sections describe each step of the MIIS 2003 design and planning process.
Initiating Your Project
Initiating your project is the first step in the MIIS 2003 deployment process.
To initiate your project
1. Identify and assemble a project team consisting of different roles for each phase of the design process.
2. Identify the business goals that motivated your organization to choose the deployment of MIIS 2003 in the first place.
3. Create a project vision statement, and state the project scope.
4. Clarify your identity data synchronization goals.
5. Create an assessment of your current-state infrastructure. Worksheets are provided to record this information.
6. Analyze prospective scenarios, and select the solution that best meets your goals.
The project architect and other members of your project team identify and document the solution.
The process of identifying the solution is documented in the solution proposal.
Four worksheets are included in order to help you complete this process, and you should include
the completed worksheets as appendices to your solution proposal. Blank copies of the
worksheets are included in “Design and Planning Worksheets for Microsoft Identity Integration
Server 2003” in this collection of the MIIS 2003 Technical Library.
When the project team has completed the tasks associated with identifying the solution, the team
creates its portion of the solution proposal, which provides details about your scenario and the
project costs and schedules. From this point, the data flow design team can take this information
and begin the data flow design.
The M0 deployment milestone, Solution Proposal Approved, is accomplished when all the
stakeholders sign off and approve the solution proposal.
For more information about identifying the solution, see “Initiating Your Project” in this
collection of the MIIS 2003 Technical Library.
Designing Your Data Flow Model
After the project architect and the project team produce the solution proposal and assemble the
team, the data flow designer begins to develop the data flow model. This data flow model is the
design of the MIIS 2003 metadirectory namespaces.
To design your data flow model
1. Define the identity integration policies that need to be in effect for your synchronization to complete successfully. These policies are recorded in the system data flow design document.
2. Complete the worksheets as part of the data flow design. To complete the worksheets, collect and analyze your data, map your object-level data flow, analyze object data flow, map the attribute flow information, and choose your synchronization strategy.
3. Document the required identity integration policies and include the worksheets as appendices to the system data flow design document.
4. Ensure the project team has reviewed and approved the data flow model.
The data flow designer passes the completed worksheets and the identity integration policies to
the rules planner, who sets up rules that enforce those policies. The data flow designer also
passes the system data flow design document to the metaverse planner, who plans and documents
extensions to the metaverse schema.
For more information about designing a data flow model, see “Designing the Data Flow Model
for Microsoft Identity Integration Server 2003” in this collection of the MIIS 2003 Technical
Library.
For blank copies of these worksheets, see “Design and Planning Worksheets for Microsoft
Identity Integration Server 2003” in this collection of the MIIS 2003 Technical Library.
Planning Your Metaverse
The metaverse is the namespace that contains integrated views of identity data that is staged in the connector space. You can help ensure efficient and safe data synchronization by carefully planning the metaverse. The choices you make about objects and attributes are crucial to your successful deployment and operation of MIIS 2003. The data gathered during metaverse planning is recorded on worksheets by the metaverse planner and included in the system data flow design document, which is then used by the synchronization rules planner to plan the synchronization rules.
To plan your metaverse
1. Create a metaverse plan by mapping the objects in each connected data source to their corresponding objects in the metaverse. Include information about how the existing metaverse objects and attributes will be used, and include the new objects and attributes that need to be added to the metaverse for each planned synchronization.
2. Assemble the planning information and policies into a metaverse design specification, which will be included in the system data flow design document.
3. Ensure that the project team has reviewed and approved the metaverse design specification.
For more information about metaverse planning, see “Planning the Metaverse for Microsoft
Identity Integration Server 2003” in this collection of the MIIS 2003 Technical Library.
Planning Your Synchronization Rules
Data synchronization in MIIS 2003 is based on the processing of synchronization rules.
Synchronization rules determine how to process objects and their attributes. You must configure
synchronization rules for your deployment before synchronization takes place. You must plan
your synchronization rules before you configure them to ensure the validity of data and absence
of conflicts between rules. A synchronization rules specification provides specific information
about what synchronization rules can be implemented and when they can be implemented. A
synchronization rules specification also provides a functional specification of the rules extensions
that you have determined are necessary for your MIIS 2003 solution.
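The components introduced earlier (a connector space slice per management agent that holds a shadow copy with only the declared attributes, the metaverse as the aggregated view, and synchronization rules that filter, join, project, flow attributes and provision) can be seen end to end in the following small Python model. It is an added example written for this page, not MIIS code or a Microsoft sample: the HR and directory records, the agent names, the precedence values, the scope filter and the provisioning DN template are all constructed, and the classes are a deliberate simplification of how MIIS stages and synchronizes data.

```python
"""Toy model of the MIIS 2003 synchronization pipeline this road map describes.

Added illustration, not MIIS code. Every record, agent name and rule parameter
below is constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

# Constructed sample data: an HR database and a directory, the two connected data sources.
HR_RECORDS = [
    {"employeeID": "1001", "givenName": "Ana", "sn": "Lopez", "status": "active", "salary": 90000, "dept": "Security"},
    {"employeeID": "1002", "givenName": "Ben", "sn": "Ng", "status": "inactive", "salary": 0, "dept": "Finance"},
    {"employeeID": "1003", "givenName": "Cy", "sn": "Park", "status": "active", "salary": 70000, "dept": "IT"},
]
DIRECTORY_RECORDS = [
    {"dn": "CN=Ana Lopez,OU=Users", "employeeID": "1001", "mail": "ana@example.test", "sn": "Lopez-Old", "dept": "Security"},
    {"dn": "CN=Orphan,OU=Users", "employeeID": "9999", "mail": "orphan@example.test"},
]


@dataclass
class ManagementAgent:
    """One management agent: owns the connector-space slice for one connected data source."""
    name: str
    anchor: str                     # attribute that identifies an object in its source
    attributes: Tuple[str, ...]     # the attribute subset the agent stages (the shadow copy)
    join_attribute: str             # attribute compared against the metaverse when joining
    precedence: int                 # lower number = more authoritative on attribute conflicts
    scope: Callable[[dict], bool] = lambda rec: True   # filter: which source objects are designated
    connector_space: Dict[str, dict] = field(default_factory=dict)

    def stage(self, records):
        """Import: write a shadow copy holding only the declared attributes of in-scope objects."""
        for rec in records:
            if self.scope(rec):
                self.connector_space[rec[self.anchor]] = {a: rec[a] for a in self.attributes if a in rec}


@dataclass
class Metaverse:
    """Aggregated view: one object per identity, plus which precedence level owns each attribute."""
    objects: Dict[str, dict] = field(default_factory=dict)
    next_id: int = 1

    def find(self, attr, value):
        return next((mvid for mvid, o in self.objects.items() if o["attrs"].get(attr) == value), None)

    def project(self):
        mvid = f"mv-{self.next_id}"
        self.next_id += 1
        self.objects[mvid] = {"attrs": {}, "owner": {}, "connectors": set()}
        return mvid

    def flow(self, mvid, ma, cs_obj):
        """Import attribute flow with precedence: a less authoritative MA never overwrites a more authoritative one."""
        obj = self.objects[mvid]
        obj["connectors"].add(ma.name)
        for attr, value in cs_obj.items():
            current = obj["owner"].get(attr)
            if current is None or ma.precedence <= current:
                obj["attrs"][attr] = value
                obj["owner"][attr] = ma.precedence


def synchronize(ma, mv, project_if_unjoined):
    """Inbound sync for one MA: join each staged object or project it; otherwise it stays a disconnector."""
    result = {"joined": [], "projected": [], "disconnected": []}
    for anchor, cs_obj in ma.connector_space.items():
        mvid = mv.find(ma.join_attribute, cs_obj.get(ma.join_attribute))
        if mvid is not None:
            result["joined"].append(anchor)
        elif project_if_unjoined:
            mvid = mv.project()
            result["projected"].append(anchor)
        else:
            result["disconnected"].append(anchor)
            continue
        mv.flow(mvid, ma, cs_obj)
    return result


def provision(mv, target_ma, dn_template):
    """Provisioning rule: create a connector in the target MA for every active identity that has none there."""
    created = []
    for obj in mv.objects.values():
        if obj["attrs"].get("status") != "active" or target_ma.name in obj["connectors"]:
            continue
        dn = dn_template.format(**obj["attrs"])
        target_ma.connector_space[dn] = {a: obj["attrs"][a] for a in target_ma.attributes if a in obj["attrs"]}
        obj["connectors"].add(target_ma.name)
        created.append(dn)
    return created


def run_demo():
    # HR is authoritative (precedence 1) and is the only source allowed to project new identities;
    # inactive employees are out of scope and salary is never staged at all.
    hr = ManagementAgent("HR MA", anchor="employeeID",
                         attributes=("employeeID", "givenName", "sn", "status", "dept"),
                         join_attribute="employeeID", precedence=1,
                         scope=lambda rec: rec["status"] != "inactive")
    directory = ManagementAgent("Directory MA", anchor="dn",
                                attributes=("employeeID", "mail", "sn", "dept"),
                                join_attribute="employeeID", precedence=2)
    hr.stage(HR_RECORDS)
    directory.stage(DIRECTORY_RECORDS)
    mv = Metaverse()
    hr_result = synchronize(hr, mv, project_if_unjoined=True)
    dir_result = synchronize(directory, mv, project_if_unjoined=False)
    created = provision(mv, directory, "CN={givenName} {sn},OU=Users")
    return {"hr": hr, "directory": directory, "mv": mv,
            "hr_result": hr_result, "dir_result": dir_result, "provisioned": created}


if __name__ == "__main__":
    demo = run_demo()
    for mvid, obj in demo["mv"].objects.items():
        print(mvid, obj["attrs"], sorted(obj["connectors"]))
    print("provisioned:", demo["provisioned"])
```

Running it shows the decisions a rules specification has to pin down: the inactive employee never reaches the connector space, the salary attribute never enters the metadirectory at all because the HR agent does not declare it, the HR surname wins over the stale directory value because of precedence rather than sync order, the directory object with no HR counterpart remains a disconnector instead of being projected, and the one active person without a directory object is provisioned with only the attributes the directory agent is allowed to carry.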
To plan your synchronization rules
1. Choose the rules that will enact the policies defined in the system data flow design document. If you cannot use an existing rule to produce your desired policies, begin planning rules extensions.
2. Compile the rules planning information and policies into a synchronization rules specification. For worksheets that help you document this information and these policies, see “Design and Planning Worksheets for MIIS 2003” in this collection of the MIIS 2003 Technical Library.
3. Include the synchronization rules specification in the system data flow design document.
4. Ensure the synchronization rules plan is reviewed and approved by the project team.
The deployment team uses the synchronization rules specification to select existing rules from
the user interface (UI) or build extensions to those rules. The worksheets and specification are
included in the System Data Flow document.
For more information about planning synchronization rules, see “Planning Synchronization Rules
for Microsoft Identity Integration Server 2003” in this collection of the MIIS 2003 Technical
Library.
Building Your Rules Extensions
A rules extension is a software module that adds functionality to MIIS 2003 synchronization rules. MIIS 2003 supports rules extensions for both management agent rules and metaverse rules. The synchronization rules planner can specify that a rule is implemented by an extension, and you can build rules extensions that are called at the appropriate points during an MIIS 2003 synchronization.
You implement a rules extension within a Microsoft .NET Framework assembly, saved to a dynamic link library (.dll) file. The two .NET Framework interfaces for synchronization rules—IMASynchronization and IMVSynchronization—enable you to provide:
• one rules extension .dll for each management agent that calls for any rules to be evaluated by a rules extension, implementing the IMASynchronization interface
• one rules extension .dll for the metaverse if the solution calls for either a metaverse deletion rule to be evaluated by a rules extension or if any provisioning is required (because provisioning can only be done through a rules extension).
After completing all the rules extensions, the rules extensions planner provides the operable and tested files to the project team. The planner also provides a functional specification that documents your rules extensions, which is included in the System Data Flow document.
For more information about building rules extensions, see “Building Rules Extensions for
Microsoft Identity Integration Server 2003” in this collection of the MIIS 2003 Technical
Library.
Milestone M1 is accomplished when all stakeholders sign off on the System Data Flow
document.
Planning Your Configuration
After the synchronization rules and rules extensions have been added to the system data flow
design document, record any specific configuration settings for your MIIS 2003 deployment in a
configuration guide, and give the configuration guide to the deployment team.
To plan your configuration
1. Obtain copies of the solution proposal and the system data flow design document.
2. Determine and document the security plan.
3. Verify reliable data at both ends of your synchronization.
4. Configure error handling, and plan log levels.
5. Create a backup and recovery plan.
6. Plan system schedules.
Configuration planners, in most cases employees already familiar with the tasks for their specific
section, write each section of the document. In each case, they spend time doing research and
becoming familiar with background material and processes.
Before the configuration planners begin writing the document, they obtain copies of the solution
proposal and the system data flow design document for input. The rules should be planned and
the metaverse namespace design specification should be complete. Then, they formulate a plan,
have the plan reviewed by the relevant parties, and document the plan.
As configuration planners complete their work, they can work on the capacity plan for the
deployment. When these two documents are complete and all the rules extensions have been
written, the Design and Planning phase objectives have been met, and the entire process should
be approved by the stakeholders so that the deployment can begin.
For more information about planning your configuration, see “Planning the Configuration of
Microsoft Identity Integration Server” in this collection of the MIIS 2003 Technical Library.
Milestone M2 is accomplished when the Configuration Guide is approved.
Summary
Careful design and planning helps minimize problems as your MIIS 2003 deployment
progresses. Following the processes that are outlined in the Design and Planning collection of the
MIIS 2003 Technical Library increases the likelihood of your success with MIIS 2003. These
processes are:
1. Identifying your solution
2. Designing your data flow model
3. Planning your metaverse
4. Planning your synchronization rules
5. Building rules extensions when needed
6. Planning your configuration and writing your configuration guide
Milestone M3 is accomplished when a capacity plan has been written and approved. (Capacity
planning is not included in this collection of the MIIS 2003 Technical Library.)
Milestone M4 is accomplished when all designs and plans have been approved and are handed
off to the team that will undertake the actual deployment.
When you have finished reading this subject, you can start the process of designing and planning
your MIIS 2003 deployment. The first steps are described in “Initiating Your Project” in this
collection of the MIIS 2003 Technical Library.