Channel: ADFS 2.0 Attribute Store for Forefront Identity Manager

New Post: Please! Give us feedback!

When I have discussed shadow account provisioning with Microsoft in the past, their guidance, right or wrong, has been to write a custom attribute store. They also indicated that others have done this already, but I suspect they have just done LDAP writes to AD DS or LDS.



This is a "function" you would likely call from the Claims Provider Trust claims rules as opposed to the Relying Party trusts claims rule (but it could be either).



Even if Microsoft were to include shadow account provisioning in ADFS in the future, it would likely be limited to AD DS.



David

________________________________
From: tomaszon [email removed]
Sent: December-15-10 12:42 PM
To: David Adshade
Subject: Re: Please! Give us feedback! [FIMAttributeStore:237487]


From: tomaszon

Guys,



David - you have described what I was trying to put in my free thoughts flow in the morning (before the coffee so maybe it is not clear enough :) ). The functionality I could see here is that if an identity is not found in a FIM store, it could call the FIM service with a request to create a person or other type of object, which will trigger MPRs to provision the respective objects to repositories for applications to use. Right. Then it has to return a claim which will tell the application that this user was just provisioned for this application, which will have to be handled in some way in the application anyway.



This is what Henrik's code could do in this area. Of course it has to take into consideration some general requirements - like the FIM call to provision this profile can be different in every case, for some services you may want to do it, for others not, so you have to have some way of configuring it. I'm just not sure if the ADFS service and this extensibility point were designed for this case - that's why I've called this plumbing - which doesn't mean that it can't be done :).

Probably something simple can be done pretty quickly - but to make it a really working feature it would require a bit of planning and work.

Definitely it would be useful, but in a perfect world I would like to see ADFS v2 exposing another extensibility point for this rather than hacking the attribute store library. But it isn't a perfect world we live in ;)



My .02 PLN
