Setting up the ADFS 2.0 Attribute Store for Forefront Identity Manager Test Client
When you download a copy of the ADFS 2.0 Attribute Store for Forefront Identity Manager it will typically be a zip file. Within that there is a folder called FIMAttributeStore Test Client, which contains the following files:
- Cortego.ADFS.FIMAttributeStore.Tests.exe - This is the test client
- Cortego.ADFS.FIMAttributeStore.Tests.exe.config - The test client config file, here you edit the connectivity parameters against FIM
- Cortego.ADFS.FIMAttributeStore.dll - The attribute store that is used by the test client under the hood
- Microsoft.ResourceManagement.Client.dll - The FIM 2010 WS client that is used by the attribute store for communicating with FIM
- Microsoft.ResourceManagement.ObjectModel.dll - The FIM 2010 WS client object model.
Editing the config file
The config file Cortego.ADFS.FIMAttributeStore.Tests.exe.config contains the same parameters you would normally set when configuring the attribute store in ADFS 2.0. Note that the parameter names are case sensitive!

Name | Description | Default value | Required | Example |
---|---|---|---|---|
Endpoint | The path to the FIM Web Service | http://localhost:5725 | N/A | http://fimserver:5725 |
FIMServiceSPN | Lets the attribute store connect to the FIM Web Service by its SPN. You typically use this if you have problems authenticating with the FIM WS | N/A | No | FIMService/FIMServer |
UserName | The user name you wish to connect to the FIM WS with | The ADFS 2.0 service account, i.e. the identity that owns the calling thread | No | Administrator |
Password | The password for that user | N/A | No | P@ssw0rd |
UserDomain | The domain the user is a member of | N/A | No | CONTOSO |
TracingEnabled | If True the attribute store writes trace information to the event log | False | N/A | True or False |
The parameters might seem a little odd, especially UserName, UserDomain and Password. The attribute store is built so that the ADFS 2.0 service account is normally the caller of the FIM WS, but that requires the account to exist in FIM with its SID, which is hardly the best way to solve this. A better way is to supply all three parameters: UserName, Password and UserDomain. If all three are set, those credentials are used instead, but that user will likewise have to exist in FIM with its SID. As you can see above there are actually no required parameters, but then you have to live with the default values and the ADFS 2.0 service account. Note that Password is stored in clear text in the config file, so restrict who can read that file.
This is what the config file will look like:
```xml
<?xml version="1.0"?>
<configuration>
  <configSections>
    <sectionGroup name="userSettings" type="System.Configuration.UserSettingsGroup, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" >
      <section name="Cortego.ADFS.FIMAttributeStore.Tests.Properties.Settings" type="System.Configuration.ClientSettingsSection, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" allowExeDefinition="MachineToLocalUser" requirePermission="false" />
      <section name="ADFS2FIM.Tests.Properties.Settings" type="System.Configuration.ClientSettingsSection, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" allowExeDefinition="MachineToLocalUser" requirePermission="false" />
    </sectionGroup>
  </configSections>
  <startup>
    <supportedRuntime version="v2.0.50727"/>
  </startup>
  <userSettings>
    <Cortego.ADFS.FIMAttributeStore.Tests.Properties.Settings>
      <setting name="TracingEnabled" serializeAs="String">
        <value>True</value>
      </setting>
      <setting name="UserName" serializeAs="String">
        <value>Administrator</value>
      </setting>
      <setting name="UserDomain" serializeAs="String">
        <value>CONTOSO</value>
      </setting>
      <setting name="Password" serializeAs="String">
        <value>P@ssw0rd</value>
      </setting>
      <setting name="FIMServiceSPN" serializeAs="String">
        <value>FIMService/FIMServer</value>
      </setting>
      <setting name="Endpoint" serializeAs="String">
        <value>http://localhost:5725</value>
      </setting>
    </Cortego.ADFS.FIMAttributeStore.Tests.Properties.Settings>
  </userSettings>
</configuration>
```
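The following PowerShell script is an added example and is not part of the Cortego download. It writes the connection parameters into the settings section of the config file shown above (matching the case-sensitive parameter names) and then tightens the file's ACL, because the password sits in the file in clear text. The install path, server name, service account and SPN are placeholders for your own environment.

```powershell
# Added example (not from the Cortego package): fill in the test client's
# connection parameters and lock down the config file afterwards.
# $configPath, the server name, the account and the SPN are placeholders.

$configPath = 'C:\Tools\FIMAttributeStore Test Client\Cortego.ADFS.FIMAttributeStore.Tests.exe.config'

# Parameter names are case sensitive; keep them exactly as in the table above.
$settings = @{
    Endpoint       = 'http://fimserver:5725'
    FIMServiceSPN  = 'FIMService/FIMServer'
    UserName       = 'svc-adfs-fim'
    UserDomain     = 'CONTOSO'
    Password       = Read-Host -Prompt 'Password for CONTOSO\svc-adfs-fim'  # prompt, so it never lands in the script
    TracingEnabled = 'True'
}

[xml]$config = Get-Content -Path $configPath
$section = $config.configuration.userSettings.'Cortego.ADFS.FIMAttributeStore.Tests.Properties.Settings'

foreach ($name in $settings.Keys) {
    # -ceq is a case-sensitive comparison; a wrong-cased name must fail loudly here
    # rather than silently leaving the default value in place.
    $setting = $section.setting | Where-Object { $_.GetAttribute('name') -ceq $name }
    if (-not $setting) {
        throw "No <setting name=""$name""> in $configPath - check spelling and case."
    }
    $setting.SelectSingleNode('value').InnerText = [string]$settings[$name]
}
$config.Save($configPath)

# The file now contains a clear-text password: stop ACL inheritance and grant
# access only to SYSTEM, local administrators and the account running the client.
$acl = Get-Acl -Path $configPath
$acl.SetAccessRuleProtection($true, $false)   # protect from inheritance, discard inherited ACEs
$identities = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', "$env:USERDOMAIN\$env:USERNAME")
foreach ($identity in $identities) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $identity, 'FullControl', 'Allow'
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $configPath -AclObject $acl

Write-Host "Updated $configPath; readable by: $($identities -join ', ')"
```

Run it in an elevated PowerShell session on the machine where the test client lives; the throw on a misspelled setting name is deliberate, since the client would otherwise silently fall back to the default value (localhost:5725 and the calling account).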
Running the test client
Note that you should configure the connection parameters in Cortego.ADFS.FIMAttributeStore.Tests.exe.config before you run the test client. The test client has the following usage; you will see these usage notes if you call it with the /? switch:
```text
Cortego ADFS FIMAttributeStore Test client.
Allows for testing of queries and connectivity against FIM.

Cortego.ADFS.FIMAttributeStore.Tests.exe /Q query [/A] attributes

  /Q query        The query to execute
  /A attributes   The attributes to return from FIM (optional)

Note: Connection parameters are edited in the application config file.

Usage:
  Cortego.ADFS.FIMAttributeStore.Tests.exe /Q query /A attributes

Examples:
  Cortego.ADFS.FIMAttributeStore.Tests.exe /Q "/Person[ObjectID='fb89aefa-5ea1-47f1-8890-abe7797d6497']" /A "DisplayName,ObjectID"
  Cortego.ADFS.FIMAttributeStore.Tests.exe /Q "/Group[ComputedMember = /Person[ObjectID='fb89aefa-5ea1-47f1-8890-abe7797d6497']]" /A "DisplayName"
  Cortego.ADFS.FIMAttributeStore.Tests.exe /Q "/Set[ComputedMember = /Person[DisplayName='John Doe']]" /A "DisplayName"
  Cortego.ADFS.FIMAttributeStore.Tests.exe /Q "/SearchScopeConfiguration[ObjectID='2d66d066-47ed-4736-bce1-b840eb7156d4']" /A "DisplayName,UsageKeyword"
```
If you run the test client without a switch it will perform three queries:
- Person with ObjectID=fb89aefa-5ea1-47f1-8890-abe7797d6497 (Built-in Synchronization Account)
- Sets for person with ObjectID=fb89aefa-5ea1-47f1-8890-abe7797d6497 (Built-in Synchronization Account)
- UsageKeywords of SearchScope with ObjectID=2d66d066-47ed-4736-bce1-b840eb7156d4 (All Users)
These three queries should run against FIM out of the box, since they query for resources that are available OOB. This is what should be displayed:
You might think the output looks like a Christmas tree, but that is because I want the output to be as readable as possible. These colors are used:
- Yellow - Query explanation, if this is a custom query (see below) the query and attributes are displayed
- Magenta - Value delimiters. Information is retrieved as a table and each value and column name is displayed within magenta colored square brackets
- White - Column names
- Green - Values retrieved from FIM
- Red - null values. Since values are retrieved as a table, null values are expected. A good example is the query that retrieves the All Users search scope: on the first row both DisplayName and the first value of the multi-valued attribute UsageKeyword are displayed, but on the following rows only UsageKeyword values are displayed. ADFS 2.0 will not publish null values as claims, so this is just how it should be expressed.
Running custom queries
The test client takes two switches for running custom queries:
- /Q query - The XPath query to execute against FIM
- /A attributes - (optional) comma separated list of attributes to retrieve.
Note that the /Q switch and the query must be placed before the /A switch and the attributes.
Check out the usage description above for example queries.
If you call the test client like this:
Cortego.ADFS.FIMAttributeStore.Tests.exe /Q "/Person[ObjectID='fb89aefa-5ea1-47f1-8890-abe7797d6497']" /A "DisplayName,ObjectID"
You might end up with this result:
Problems connecting to FIM?
This could be because FIM has not been configured 100% correctly according to the Installation Guide's 'Before You Begin' section. A description of one possible cause can be found on Brad Turner's blog: SOAP security negotiation with 'http://fim:5725/ResourceManagementService/Resource'
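Before reaching for the blog post, two quick checks are worth running from the ADFS box: whether the FIM Service port in Endpoint is reachable at all, and whether the SPN you put in FIMServiceSPN is actually registered in Active Directory (without it Kerberos cannot issue a ticket for the service). The script below is an added example, not code from the page or the Cortego package; it runs those checks and then the custom query from the previous section. Host name, port, SPN and the exe path are placeholders.

```powershell
# Added example (not from the Cortego package): connectivity pre-flight checks,
# then the custom query from the "Running custom queries" section.
# $clientExe, $fimHost, $fimPort and $spn are placeholders for your environment.

$clientExe = 'C:\Tools\FIMAttributeStore Test Client\Cortego.ADFS.FIMAttributeStore.Tests.exe'
$fimHost   = 'fimserver'          # host part of the Endpoint setting
$fimPort   = 5725                 # port part of the Endpoint setting
$spn       = 'FIMService/FIMServer'   # value of the FIMServiceSPN setting

# 1. Is the FIM Service port reachable? TcpClient is used instead of
#    Test-NetConnection so this also works on Windows Server 2008 R2.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($fimHost, $fimPort)
    Write-Host "TCP ${fimHost}:${fimPort} is reachable"
} catch {
    throw "Cannot reach ${fimHost}:${fimPort} - check the Endpoint value and any firewall in between"
} finally {
    $tcp.Close()
}

# 2. Is the SPN registered? setspn -Q searches the forest and prints
#    'Existing SPN found!' or 'No such SPN found.'
$spnResult = & setspn -Q $spn 2>&1 | ForEach-Object { $_.ToString() }
if ($spnResult -match 'No such SPN found') {
    Write-Warning "$spn is not registered on any account; Kerberos authentication to the FIM Service cannot work until it is."
} else {
    Write-Host "SPN lookup for ${spn}:"
    $spnResult | Where-Object { $_ -match '^(CN=|\s)' } | ForEach-Object { Write-Host "  $_" }
}

# 3. Run the query. /Q and its query must come before /A and the attribute list.
& $clientExe /Q "/Person[ObjectID='fb89aefa-5ea1-47f1-8890-abe7797d6497']" /A "DisplayName,ObjectID"
```

Run it as the same account you configured in UserName (or as the ADFS 2.0 service account if you left the credentials empty), since that is the identity whose Kerberos ticket and FIM SID mapping are being exercised.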