Chat now with support
Chat with Support

Active Roles 8.1.4 - Administration Guide

Introduction Getting started with Active Roles Configuring rule-based administrative views Configuring role-based administration Rule-based autoprovisioning and deprovisioning
Provisioning Policy Objects Deprovisioning Policy Objects How Policy Objects work Policy Object management tasks Policy configuration tasks
Property Generation and Validation User Logon Name Generation Group Membership AutoProvisioning Exchange Mailbox AutoProvisioning AutoProvisioning in SaaS products OneDrive Provisioning Home Folder AutoProvisioning Script Execution Microsoft 365 and Azure Tenant Selection E-mail Alias Generation User Account Deprovisioning Office 365 Licenses Retention Group Membership Removal Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Relocation User Account Permanent Deletion Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Notification Distribution Report Distribution
Deployment considerations Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Container Deletion Prevention policy Picture management rules Policy extensions
Using rule-based and role-based tools for granular administration Workflows
Key workflow features and definitions About workflow processes Workflow processing overview Workflow activities overview Configuring a workflow
Creating a workflow definition for a workflow Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configuring an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Approval workflow Email-based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic groups Active Roles Reporting Management History Entitlement profile Recycle Bin AD LDS data management One Identity Starling Join and configuration through Active Roles Managing One Identity Starling Connect Configuring linked mailboxes with Exchange Resource Forest Management Configuring remote mailboxes for on-premises users Migrating Active Roles configuration with the Configuration Transfer Wizard Managing Skype for Business Server with Active Roles
About Skype for Business Server User Management Active Directory topologies supported by Skype for Business Server User Management User Management policy for Skype for Business Server User Management Master Account Management policy for Skype for Business Server User Management Access Templates for Skype for Business Server Configuring the Skype for Business Server User Management feature Managing Skype for Business Server users
Exchanging provisioning information with Active Roles SPML Provider Monitoring Active Roles with Management Pack for SCOM Configuring Active Roles for AWS Managed Microsoft AD Azure AD, Microsoft 365, and Exchange Online Management
Configuring Active Roles to manage Hybrid AD objects Unified provisioning policy for Azure M365 Tenant Selection, Microsoft 365 License Selection, Microsoft 365 Roles Selection, and OneDrive provisioning Changes to Active Roles policies for cloud-only Azure objects
Managing the configuration of Active Roles
Connecting to the Administration Service Managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the Console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server replication Using regular expressions Administrative Template Configuring federated authentication Communication ports Active Roles and supported Azure environments Integrating Active Roles with other products and services Active Roles Language Pack Active Roles Diagnostic Tools Active Roles Add-on Manager

Exchanging provisioning information with Active Roles SPML Provider

Active Roles SPML Provider is designed to exchange the user, resource, and service provisioning information between SPML-enabled enterprise applications and Active Directory.

Active Roles SPML Provider supports the Service Provisioning Markup Language Version 2 (SPML v2), an open standard approved by the Organization for the Advancement of Structured Information Standards (OASIS). SPML is an XML-based provisioning request-and-response protocol that provides a means of representing provisioning requests and responses as SPML documents. The use of open standards provides the enterprise architects and administrators with the flexibility they need when performing user management and user provisioning in heterogeneous environments.

Key SPML Provider features

The key features of Active Roles SPML Provider are as follows:

  • Support for two operation modes: SPML Provider can be configured to operate in proxy mode or in direct access mode. In proxy mode, SPML Provider accesses Active Directory or Active Directory Lightweight Directory Services (AD LDS, formerly known as ADAM) through Active Roles used as a proxy service, while in direct access mode, SPML Provider directly accesses Active Directory or AD LDS.

  • Support for equivalent LDAP operations: SPML Provider can perform equivalent LDAP operations such as addRequest, modifyRequest, deleteRequest, and lookupRequest.

  • Support for Azure AD, AD, and AD LDS data management: SPML Provider enables SPML-conformant applications to read from and write to Azure AD, Active Directory (AD), and AD LDS.

  • Search Capability support: SPML Provider allows SPML-enabled applications to search for relevant directory objects based on various search criteria.

  • Password Capability support: SPML Provider allows SPML-enabled applications to perform basic password management tasks such as setting and expiring user passwords.

  • Suspend Capability support: SPML Provider allows SPML-enabled applications to effectively enable, disable and deprovision user accounts in Active Directory.

  • Flexible Configuration options: There is support for many different configuration options that enable the administrator to adjust the behavior and optimize the SPML Provider performance.

  • IIS Security Support: SPML Provider supports all IIS security configurations, including integrated Windows authentication, basic authentication, and basic authentication over Secure Sockets Layer (SSL).

  • Support for using Active Roles controls: In proxy mode, you can send Active Roles controls to the Active Roles Administration Service with an SPML request to perform an administrative operation. In your request, you can also define the Active Roles controls that the Administration Service must return in the SPML response.

SPML Provider usage scenarios

SPML Provider can be used for a variety of purposes. Some common scenarios for using SPML Provider are as follows:

  • Non-Windows applications: The systems running non-Windows applications that need to communicate with Active Directory can do this through SPML Provider. For example, with SPML Provider, Unix applications can manage Unix-enabled user accounts in Active Directory. In proxy mode, SPML Provider allows existing SPML-compatible provisioning systems, such as SUN Java System Identity Manager and IBM Tivoli Directory Integrator to take advantage of the functionality of Active Roles.

  • Web services: The use of directories in Web services is growing rapidly. Additionally, XML is becoming the default language for use with Web services. SPML Provider fills the gap between XML documents and Active Directory services, enabling applications that must provide or use Web services to communicate with Active Directory.

  • Handheld and portable devices: Data-enabled cell phones or PDAs that need an access to directory data may not contain a client for the ADSI LDAP Provider but might be able to use the SPML communication protocol to access Active Directory over the Internet.

  • Firewall access: Certain firewalls cannot pass LDAP traffic because they cannot audit it, but these firewalls can pass XML. In such cases, applications can use SPML Provider to communicate with Active Directory across a firewall.

Basic SPML Provider concepts and definitions

Active Roles SPML Provider operates based on the concepts defined in SPML v2. This section introduces and describes these key concepts and definitions as applied to SPML Provider.

A Client (Requesting Authority or Requestor) is any SPML-compliant application that sends well-formed SPML requests to the Active Roles SPML Provider and receives responses from it. Clients can include various business applications, such as human resources (HR) databases or Identity Management systems. There is no direct contact between a client and the target (Active Roles or an Active Directory server).

Active Roles SPML Provider (Provisioning Service Provider or PSP) is a Web service that uses the Simple Object Access Protocol (SOAP) over HTTP for communications. SPML Provider can directly access Active Directory data or communicate with Active Directory using the Active Roles proxy service. SPML Provider acts as an intermediary between a client and the target (Active Directory domain controller or Active Roles).

In proxy mode, Active Roles represents the Provisioning Service Target (or Target) that is available for provisioning actions through SPML Provider. The target has a unique identifier (targetID) that is maintained by SPML Provider and is used in a request or a response.

AD Objects (Provisioning Service Objects or PSO) represent directory objects that SPML Provider manages. A client can add, delete, modify, or look up a directory object. Each object has a unique identifier (PSO ID). In SPML Provider, an object DN is used as a PSO ID.

NOTE: The Requestor, Provisioning Service Provider, Provisioning Service Target, and Provisioning Service Objects are key notions described in the official SPML v2 specification.

For detailed information on the concepts defined in SPML v2, see Section 2 “Concepts” of the OASIS SPML v2 specification, available for download at

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating