Chatta subito con l'assistenza
Chat con il supporto

Active Roles 8.1.5 - Administration Guide

Introduction Getting started with Active Roles Configuring rule-based administrative views Configuring role-based administration Rule-based autoprovisioning and deprovisioning
Provisioning Policy Objects Deprovisioning Policy Objects How Policy Objects work Policy Object management tasks Policy configuration tasks
Property Generation and Validation User Logon Name Generation Group Membership AutoProvisioning Exchange Mailbox AutoProvisioning AutoProvisioning in SaaS products OneDrive Provisioning Home Folder AutoProvisioning Script Execution Microsoft 365 and Azure Tenant Selection E-mail Alias Generation User Account Deprovisioning Office 365 Licenses Retention Group Membership Removal Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Relocation User Account Permanent Deletion Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Notification Distribution Report Distribution
Deployment considerations Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Container Deletion Prevention policy Picture management rules Policy extensions
Using rule-based and role-based tools for granular administration Workflows
Key workflow features and definitions About workflow processes Workflow processing overview Workflow activities overview Configuring a workflow
Creating a workflow definition for a workflow Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configuring an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Approval workflow Email-based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic groups Active Roles Reporting Management History Entitlement profile Recycle Bin AD LDS data management One Identity Starling Join and configuration through Active Roles Managing One Identity Starling Connect Configuring linked mailboxes with Exchange Resource Forest Management Configuring remote mailboxes for on-premises users Migrating Active Roles configuration with the Configuration Transfer Wizard Managing Skype for Business Server with Active Roles
About Skype for Business Server User Management Active Directory topologies supported by Skype for Business Server User Management User Management policy for Skype for Business Server User Management Master Account Management policy for Skype for Business Server User Management Access Templates for Skype for Business Server Configuring the Skype for Business Server User Management feature Managing Skype for Business Server users
Exchanging provisioning information with Active Roles SPML Provider Monitoring Active Roles with Management Pack for SCOM Configuring Active Roles for AWS Managed Microsoft AD Azure AD, Microsoft 365, and Exchange Online Management
Configuring Active Roles to manage Hybrid AD objects Unified provisioning policy for Azure M365 Tenant Selection, Microsoft 365 License Selection, Microsoft 365 Roles Selection, and OneDrive provisioning Changes to Active Roles policies for cloud-only Azure objects
Managing the configuration of Active Roles
Connecting to the Administration Service Managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the Console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server replication Using regular expressions Administrative Template Configuring federated authentication Communication ports Active Roles and supported Azure environments Integrating Active Roles with other products and services Active Roles Language Pack Active Roles Diagnostic Tools Active Roles Add-on Manager

How SPML Provider works

With SPML Provider, applications can use SPML documents to look up, retrieve and update directory data in Active Directory, Azure AD, and AD LDS. SPML Provider converts XML elements and attributes into commands used to make changes to Active Directory and retrieve data from Active Directory. SPML Provider can also convert the response received from Active Roles or Active Directory to XML format. These conversions are based on and are in compliance with the OASIS SPML v2 - DSML v2 Profile specification.

SPML Provider runs as a Web application on a Web server running Microsoft Internet Information Services (IIS), and uses SOAP over HTTP to transmit and receive directory requests from client computers.

The SPML Provider environment includes the following components:

  • Clients that use SPML v2: These clients are applications that manage directory objects (for example, user accounts). A client issues SPML requests that describe operations to be performed on the directory object and send these requests to SPML Provider.

  • SPML Provider: Receives and processes client requests, and returns a response to the client.

  • Active Roles: In proxy mode, this is the endpoint for provisioning requests and the actual software that manages directory objects.

  • Active Directory, Azure AD, or AD LDS: In proxy mode, SPML Provider can access Active Directory or Azure AD domains and AD LDS instances that are registered with Active Roles as managed domains, Azure AD tenants, and managed AD LDS instances, respectively. In direct access mode, SPML Provider can access the domain controller or the AD LDS instance defined in the SPML.Config file. For more information, see “Configuring SPML Provider” later in this document.

The following diagram illustrates the flow of requests and responses through the SPML Provider environment components:

Figure 161: Flow of requests and responses through the SPML Provider environment components

As shown in the diagram, the client/SPML Provider communications are based on the simple request/response protocol.

In proxy mode, SPML Provider works in the following way:

  1. A client issues a well-formed SPML request using the SOAP over HTTP protocol. This request goes to a server running IIS, where it is routed to SPML Provider.

  2. SPML Provider examines the request for conformance to the SPML format.

  3. If the request complies with the SPML format, the SPML Provider submits the request to Active Roles. Based on the client request, Active Roles retrieves or modifies data in Active Directory, Azure AD, or in AD LDS.

  4. After performing the requested operation, Active Roles sends the result of the operation back to SPML Provider.

  5. SPML Provider then processes this result data and sends the result of the performed operation back to the client in the form of an SPML response.

In direct access mode, SPML Provider works in the following way:

  1. A client issues a well-formed SPML request using the SOAP over HTTP protocol. This request goes to a server running IIS, where it is routed to SPML Provider.

  2. SPML Provider examines the request for conformance to the SPML format.

  3. If the request conforms to the SPML format, SPML Provider retrieves or modifies the relevant data in Active Directory or in AD LDS (ADAM).

  4. SPML Provider sends the result of the performed operation back to the client in the form of an SPML response.

If the client request does not conform to the SPML format, the client receives an SPML response that describes the encountered error.

Configuring Active Roles SPML Provider

Configuration settings allow the administrator to configure SPML Provider and its schema in order to adjust the SPML Provider behavior. Administrators can, for example, specify the required managed objects and attributes in the schema, or choose the type of execution (disabling or deprovisioning objects) for the Suspend operation.

Configuring SPML Provider settings in the SPML.Config file

The SPML Provider configuration settings can be found in the SPML.Config file located in the Web subfolder of the SPML Provider installation folder. The SPML.Config file contains data in the XML format. You can open and edit the configuration file with a common text editor, such as Notepad.

NOTE: After you modify configuration settings,restart the IIS application pool for the SPML Provider website for the changes to take effect.

The following table describes the XML elements used in the SPML Provider configuration file.

Table 92: XML elements used in the SPML Provider configuration file

Element

Parent element

Description

service

configuration

In proxy mode, specifies the name of the computer running the Active Roles Administration Service. In direct access mode, specifies the name of the AD domain controller or AD LDS server. The name of the AD LDS server must be in the form <servername:portnumber>.

adsiProvider

configuration

Specifies the progID of the ADSI Provider. In proxy mode, the progID is EDMS. In direct access mode, the progID is LDAP.

schemaFile

configuration

Contains the name of the file that defines the DSML Profile schema for SPML Provider. By default, the file name is SPMLSchema.Config. The schema file must be located in the same folder as the SPML.Config file.

defaultMaxSelect

search

Specifies the maximum number of search results that SPML Provider can return without page splitting. The default value is 1000.

pageSize

search

Specifies the maximum number of search results per page. The default value is 25.

NOTE: If pageSize is set to 0, SPML Provider returns search results without page splitting.

class

password

Contains the LDAP display name of the schema class of objects on which SPML Provider is expected to perform the Password Capability-related operations such as setPassword and expirePassword.

class

suspend

Contains the LDAP display name of the schema class of objects on which SPML Provider is expected to perform the Suspend Capability-related operations such as suspend, resume, and active.

suspendAction

suspend

Possible values: disable or deprovision. The default value is disable.

If suspendAction is set to disable, SPML Provider disables the specified user account on the target.

If suspendAction is set to deprovision, SPML Provider deprovisions the specified user account in accordance with the deprovisioning policies defined by Active Roles.

checkOutput

configuration

Possible values: true or false. The default value is false.

true causes SPML Provider to check the string attribute values retrieved from the underlying directory before adding them to a response. If an attribute value contains illegal characters that could break the XML parser on the client side, SPML Provider converts the attribute value to the base64binary format and then adds the result of the conversion to the response. Note that this option may result in performance degradation of SPML Provider as checking every attribute value is a resource-intensive operation.

false causes SPML Provider not to check the string attribute values retrieved from the underlying directory. An attribute value is added to the response without any conversion even if the value contains illegal characters.

NOTE: In accordance with the XML specification, the legal character range is as follows: #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]. With checkOutput set to true, SPML Provider ensures that attribute values in a response contain only characters from the legal character range.

Sample SPML Provider configuration file

The following is an example of the configuration file for SPML Provider configured to operate in proxy mode. If SPML Provider and the Active Roles Administration service are installed on the same computer, the default configuration settings look as follows:

<?xml version="1.0"?>
  <configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="urn:quest:names:SPMLProvider">
    <service>localhost</service>
    <adsiProvider>EDMS</adsiProvider>
    <schemaFile>SPMLSchema.Config</schemaFile>
    <capabilities>
      <search>
        <defaultMaxSelect>1000</defaultMaxSelect>
        <pageSize>25</pageSize>
      </search>
      <password>
        <appliesTo>
          <class>user</class>
        </appliesTo>
      </password>
      <suspend>
        <appliesTo>
          <class>user</class>
        </appliesTo>
        <suspendAction>disable</suspendAction>
      </suspend>
    </capabilities>
    <checkOutput>false</checkOutput>
  </configuration>
Related Documents

The document was helpful.

Seleziona valutazione

I easily found the information I needed.

Seleziona valutazione