IBM Tivoli Identity Manager SharePoint Adapter 5.1.4 is available. Compatibility, installation, and other getting-started issues are addressed.
Welcome to the IBM Tivoli Identity Manager SharePoint Adapter.
These Release Notes contain information for the following products that was not available when the IBM Tivoli Identity Manager manuals were printed:
IBM Tivoli Identity Manager SharePoint Adapter Installation and Configuration Guide
The SharePoint Adapter is designed to create and manage user accounts on the SharePoint platform. The adapter runs in "agentless" mode and communicates using the HTTP/S and LDAP protocols. The SharePoint adapter supports stand-alone and Active Directory-backed user registries. Other user registries supported by SharePoint have not been tested.
IBM recommends the installation of this Adapter (and the prerequisite IBM Security Directory Integrator, previously known as IBM Tivoli Directory Integrator) on each node of IBM Tivoli Identity Manager WAS cluster. A single copy of the adapter can handle multiple IBM Tivoli Identity Manager Services. The optimum deployment configuration is based, in part, on the topology of your network domain, but the primary factor is the planned structure of your IBM Tivoli Identity Manager Provisioning Policies and Approval Workflow process. Please refer to the IBM Tivoli Identity Manager Knowledge Center for a discussion of these topics.
The IBM Tivoli Identity Manager Adapters are powerful tools that require Administrator Level authority. Adapters operate much like a human system administrator, creating accounts, permissions and home directories. Operations requested from the IBM Tivoli Identity Manager server will fail if the Adapter is not given sufficient authority to perform the requested task. IBM recommends that this Adapter run with administrative (root) permissions.
Component | Version
Build Date | 2014 May 29 03.16.38
Adapter Version | 5.1.4
Component Versions | Adapter build: 5.1.4.35; Profile: 5.1.4.35; Connector: 5.1.4.35; Dispatcher: 5.1.8 (or higher, packaged separately)
Documentation | Microsoft SharePoint Adapter Installation and Configuration Guide, as contained within the adapter package as supplied
Enhancement # | Description
Items included in current release |
RFE 34875 (20165) | SIM Adapter for Sharepoint 2013
Items included in 5.1.1 release |
MR072010382 | MS SharePoint - MS Sharepoint Adapter for TIM
MR0413093833 | MS SharePoint - TIM adapter for Microsoft SharePoint
MR0415112029 | Sharepoint Adapter
Internal# | APAR# | Description
Items closed in current version | |
Items closed in 5.1.2 version | |
INT65217 | | Clarification of the site field on the service form. The user guide has been modified to clarify the usage of the site field on the service form.
| IV24999 | ITIM form designer does not manage the Account form correctly.
| IV36774 | Adapter does not honor the "EnableSSL" flag and fails to use HTTPS.
Items closed in 5.1.1 version | |
INT47751 | | Under certain conditions the users cannot be removed from SharePoint, as outlined in PMR 86470,004,000.
Known Issues
Internal# | APAR# | Description
Internal | N/A | The SharePoint UserGroup web service does not provide the same function as the SharePoint GUI. As a result, some features that are available through the SharePoint GUI are not available through the SharePoint web service.
Internal | N/A | If two users with the same user name exist in different domains, the reconciliation will only return one of them. For example, the Administrator account exists both for the SharePoint Server and for the Active Directory domain; only one of these accounts will be returned to Identity Manager.
Attribute erspusernotes is hidden
The management of erspusernotes attribute is deprecated. The
attribute is removed from the account form in this release, but
is still reconciled by the SharePoint 2010 connector.
For SharePoint 2010 only:
To re-enable this attribute, edit the account form (erspaccount.xml)
in the profile package or using the Form Designer in Identity
Manager. Add the erspusernotes attribute back into the form. If
editing the account form manually, insert the following 3 lines
into the account form:
<formElement label="$erspusernotes" name="data.erspusernotes" direction="inherit" required="true">
<input size="50" type="text" name="data.erspusernotes"/>
</formElement>
See the IBM Tivoli Identity Manager Adapter Installation Guide for detailed instructions.
The following corrections to the Installation Guide apply to this release:
After you finish the adapter installation as instructed in the
Installation Guide, perform the following tasks.
You must configure the adapter with one of the authentication providers that is supported by the SharePoint Web Application. Authentication providers can be AD Domains or a claims provider.
The following SharePoint Servers and their corresponding
authentication providers are supported:
Table: Supported SharePoint Servers and corresponding authentication providers
Server version | Authentication mode | Authentication provider
SharePoint 2010 | Classic Mode | Integrated Windows (AD)
SharePoint 2013 | Classic Mode | Integrated Windows (AD)
SharePoint 2013 | Claims Based Authentication | Integrated Windows (AD), Forms Based Authentication (FBA), Trusted Identity Provider
Information about authentication providers is stored in a
configuration file, which is in JSON format. The adapter reads
this file and reconciles the list of authentication providers as
supporting data.
The configuration file must contain a single JSON array only. Each authentication provider is stored as a JSON Object element in the array with the following keys: DisplayName, NameOfOriginalIssuer, IssuerType, ClaimsValueType, ClaimsType, and Prefix.
Example of a configuration file with information about the
authentication providers.
Note: White spaces added for readability.
[
  {
    "DisplayName" : "Windows Authentication (EXAMPLEDOMAIN)",
    "NameOfOriginalIssuer" : "EXAMPLEDOMAIN",
    "IssuerType" : "w",
    "ClaimsValueType" : ".",
    "ClaimsType" : "#",
    "Prefix" : "i:0#.w|EXAMPLEDOMAIN"
  },
  {
    "DisplayName" : "Some Membership Provider",
    "NameOfOriginalIssuer" : "SomeMembershipProvider",
    "IssuerType" : "f",
    "ClaimsValueType" : ".",
    "ClaimsType" : "#",
    "Prefix" : "i:0#.f|SomeMembershipProvider|"
  },
  {
    "DisplayName" : "Example ACS",
    "NameOfOriginalIssuer" : "Example ACS",
    "IssuerType" : "t",
    "ClaimsValueType" : ".",
    "ClaimsType" : "5",
    "Prefix" : "i:05.t|Example ACS|"
  }
]
The previous example shows different providers for each JSON
Object element.
Table: Authentication providers listed in the example
JSON Object element in the previous example | Authentication provider
Element #1 | Windows Authentication provider
Element #2 | Forms-Based Authentication provider that is using a String logon name as Claims Value
Element #3 | Trusted Identity Provider that is using email as Claims Value
For a full explanation of the valid values for IssuerType, NameOfOriginalIssuer, ClaimsValueType, and ClaimsType, see the Microsoft SharePoint Products and Technologies Protocol Documentation. Once these four values are known, the Prefix follows directly from them. If the site runs on a Classic Mode authentication web application, the configuration file typically looks like the following example:
[
  {
    "DisplayName" : "EXAMPLEDOMAIN",
    "NameOfOriginalIssuer" : "",
    "IssuerType" : "",
    "ClaimsValueType" : "",
    "ClaimsType" : "",
    "Prefix" : "EXAMPLEDOMAIN"
  }
]
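The following Python script is an added example, not part of the adapter package or the PowerShell script it ships with: it parses a provider configuration file of the format just described, rejects a file that is not a single array of objects with the six keys, and checks that each Prefix agrees with the other four fields before the file is handed to the Dispatcher. The prefix rule and the login-name layout in encode_login are assumptions read off the examples above, and the sample file is constructed.

```python
import json

REQUIRED_KEYS = ("DisplayName", "NameOfOriginalIssuer", "IssuerType",
                 "ClaimsValueType", "ClaimsType", "Prefix")

# Constructed sample file: the three claims providers from the release notes'
# example plus one Classic Mode entry (all four claim fields empty).
SAMPLE_CONFIG = """[
 {"DisplayName": "Windows Authentication (EXAMPLEDOMAIN)",
  "NameOfOriginalIssuer": "EXAMPLEDOMAIN", "IssuerType": "w",
  "ClaimsValueType": ".", "ClaimsType": "#", "Prefix": "i:0#.w|EXAMPLEDOMAIN"},
 {"DisplayName": "Some Membership Provider",
  "NameOfOriginalIssuer": "SomeMembershipProvider", "IssuerType": "f",
  "ClaimsValueType": ".", "ClaimsType": "#", "Prefix": "i:0#.f|SomeMembershipProvider|"},
 {"DisplayName": "Example ACS", "NameOfOriginalIssuer": "Example ACS",
  "IssuerType": "t", "ClaimsValueType": ".", "ClaimsType": "5",
  "Prefix": "i:05.t|Example ACS|"},
 {"DisplayName": "CLASSICDOMAIN", "NameOfOriginalIssuer": "", "IssuerType": "",
  "ClaimsValueType": "", "ClaimsType": "", "Prefix": "CLASSICDOMAIN"}
]"""


def expected_prefix(provider):
    """Rebuild the Prefix from the four claim fields. Assumed rule, read off the
    examples: 'i:0' + ClaimsType + ClaimsValueType + IssuerType + '|' +
    NameOfOriginalIssuer, plus a trailing '|' for forms (f) and trusted (t)
    issuers. Classic Mode entries have empty claim fields; Prefix is the domain."""
    if provider["IssuerType"] == "":
        return provider["Prefix"]
    prefix = "i:0{ClaimsType}{ClaimsValueType}{IssuerType}|{NameOfOriginalIssuer}"
    prefix = prefix.format(**provider)
    return prefix + "|" if provider["IssuerType"] in ("f", "t") else prefix


def load_providers(text):
    """Parse the file and enforce the documented shape: one JSON array of
    objects carrying the six keys, each with a non-empty Prefix that agrees
    with its claim fields. Returns the list of provider dicts."""
    data = json.loads(text)
    if not isinstance(data, list):
        raise ValueError("configuration file must contain a single JSON array")
    for i, p in enumerate(data, start=1):
        if not isinstance(p, dict) or set(p) != set(REQUIRED_KEYS):
            raise ValueError(f"element #{i}: expected an object with keys {REQUIRED_KEYS}")
        if p["Prefix"] == "" or p["Prefix"] != expected_prefix(p):
            raise ValueError(f"element #{i}: Prefix {p['Prefix']!r} is empty or does "
                             f"not match its claim fields")
    return data


def encode_login(provider, user):
    """Login name the adapter has to submit for `user` under this provider
    (assumption: Windows and Classic logins are DOMAIN\\user; forms and trusted
    providers append the user name straight after the trailing '|')."""
    if provider["IssuerType"] in ("", "w"):
        return provider["Prefix"] + "\\" + user
    return provider["Prefix"] + user
```

Running load_providers over the file produced by authprovimport.ps1 before copying it to the Dispatcher host catches a hand-edited Prefix that no longer matches its issuer, which would otherwise surface only as failed account operations.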
A PowerShell script is provided to assist with generating the configuration file. Run the script on the SharePoint server with administrator privilege in a command prompt:
powershell authprovimport.ps1 -WebApplication http://[sharepointserver]:[port] -SaveAs [filename.json]
Copy the configuration file to a location on the server that is
running the Adapter Dispatcher service. For example, save the
file under TDI_HOME\timsol\SharePointAdapter folder. Create the
SharePointAdapter folder if it does not exist.
The following table replaces Table 4 in the Verifying the
Adapter for SharePoint Installation section.
Table 4. Adapter components
Directory | Adapter components
tdi_home\jars\connectors | SharePointConnector.jar
tdi_home\jars\3rdparty\IBM\Websphere | com.ibm.ws.webservices.thinclient_7.0.0.jar
tdi_home\timsol\SharePointAdapter | JSON files containing the authentication providers configuration
The following two additional fields appear in the Service Form's Adapter Details tab:
Authentication Mode
Specify the authentication mode corresponding to your site.
Authentication Provider Configuration File
The file name that includes the full path to the authentication
provider file. For more information, see "Authentication
providers configuration" in the previous section. If the file is stored in
the same location as Dispatcher home, for example,
TDI_HOME/timsol, you can omit the path and provide only the file
name.
The management of SharePoint Groups is disabled in this release because the SharePoint 2013 Client API does not provide what is needed to properly manage Groups.
For SharePoint 2010 only
To re-enable group management functionality in the Adapter, edit
the service.def file in the Adapter profile package.
Locate the ServiceGroups element then look for the Managed
property and set the value to true. The following code shows the
ServiceGroups element after editing the value:
<ServiceGroups>
  <GroupDefinition profileName="SharePointGroups" className="erSPGroupAccount" accountAttribute="erSPGroupList" rdnAttribute="erSPGroupName">
    <AttributeMap>
      <Attribute name="erGroupId" value="erSPGroupName" />
      <Attribute name="erGroupName" value="erSPGroupName" />
      <Attribute name="erGroupDescription" value="erSPGroupDescription" />
    </AttributeMap>
    <properties>
      <property name="Managed">
        <value>true</value>
      </property>
    </properties>
    <form location="erspgroups.xml" />
  </GroupDefinition>
</ServiceGroups>
For more information on how to edit the Profile
package, see the Adapter Installation Guide.
The IBM Tivoli Identity Manager adapters can be customized and/or extended. The type and method of this customization may vary from adapter to adapter.
Getting Started
Customizing and extending adapters requires a number of additional skills. The developer must be familiar with the following concepts and skills prior to beginning the modifications:
IBM Tivoli Identity Manager administration
IBM Security Directory Integrator management
IBM Security Directory Integrator assemblyline development
LDAP schema management
Working knowledge of Java scripting language
Working knowledge of LDAP object classes and attributes
Working knowledge of XML document structure
Note: If the customization requires a new IBM Security Directory Integrator connector, the developer must also be familiar with IBM Security Directory Integrator connector development and working knowledge of Java programming language.
IBM Tivoli Identity Manager Resources:
Check the "Training" section of the IBM Tivoli Identity Manager Support web site for links to training, publications, and demos.
IBM Security Directory Integrator Resources:
The integration to the IBM Tivoli Identity Manager server (the "adapter framework") is supported. However, IBM does not support the customizations, scripts, or other modifications. If you experience a problem with a customized adapter, IBM Support may require the problem to be demonstrated on the GA version of the adapter before a PMR is opened.
Installation Platform
The IBM Tivoli Identity Manager Adapter was built and tested on the following product versions.
Adapter Installation Platform:
IBM Tivoli Directory Integrator 7.1.1 with Fix Pack 1
Note: The adapter supports IBM Security Directory Integrator 7.2, which is available only to customers who have the correct entitlement. Contact your IBM representative to find out if you have the entitlement to download IBM Security Directory Integrator 7.2.
Managed Resource:
SharePoint Server 2010
IBM Tivoli Identity Manager:
IBM Tivoli Identity Manager v5.1 with Fix pack 10
This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.
For license inquiries regarding double-byte (DBCS) information,
contact the IBM Intellectual Property Department in your country
or send inquiries, in writing, to:
Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
1623-14, Shimotsuruma, Yamato-shi
Kanagawa 242-8502 Japan
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION
PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND,
EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR
FITNESS FOR A PARTICULAR PURPOSE.
Some states do not allow disclaimer of express or implied
warranties in certain transactions, therefore, this statement
may not apply to you.
This information could include technical inaccuracies or
typographical errors. Changes are periodically made to the
information herein; these changes will be incorporated in new
editions of the publication. IBM may make improvements and/or
changes in the product(s) and/or the program(s) described in
this publication at any time without notice.
Any references in this information to non-IBM Web sites are
provided for convenience only and do not in any manner serve as
an endorsement of those Web sites. The materials at those Web
sites are not part of the materials for this IBM product and use
of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in
any way it believes appropriate without incurring any obligation
to you.
Licensees of this program who wish to have information about it
for the purpose of enabling: (i) the exchange of information
between independently created programs and other programs
(including this one) and (ii) the mutual use of the information
which has been exchanged should contact:
IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758 U.S.A.
Such information may be available, subject to appropriate terms
and conditions, including in some cases, payment of a fee.
The licensed program described in this information and all
licensed material available for it are provided by IBM under
terms of the IBM Customer Agreement, IBM International Program
License Agreement, or any equivalent agreement between us.
Any performance data contained herein was determined in a
controlled environment. Therefore, the results obtained in other
operating environments may vary significantly. Some measurements
may have been made on development-level systems and there is no
guarantee that these measurements will be the same on generally
available systems. Furthermore, some measurements may have been
estimated through extrapolation. Actual results may vary. Users
of this document should verify the applicable data for their
specific environment.
Information concerning non-IBM products was obtained from the
suppliers of those products, their published announcements or
other publicly available sources. IBM has not tested those
products and cannot confirm the accuracy of performance,
compatibility or any other claims related to non-IBM products.
Questions on the capabilities of non-IBM products should be
addressed to the suppliers of those products.
Trademarks
IBM, the IBM logo, and ibm.com® are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.
Adobe, Acrobat, PostScript and all Adobe-based trademarks are
either registered trademarks or trademarks of Adobe Systems
Incorporated in the United States, other countries, or both.
IT Infrastructure Library is a registered trademark of the
Central Computer and Telecommunications Agency which is now part
of the Office of Government Commerce.
Intel, Intel logo, Intel Inside, Intel Inside logo, Intel
Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel
SpeedStep, Itanium, and Pentium are trademarks or registered
trademarks of Intel Corporation or its subsidiaries in the
United States and other countries.
Linux is a trademark of Linus Torvalds in the United States,
other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are
trademarks of Microsoft Corporation in the United States, other
countries, or both.
ITIL is a registered trademark, and a registered community
trademark of the Office of Government Commerce, and is
registered in the U.S. Patent and Trademark Office.
UNIX is a registered trademark of The Open Group in the United
States and other countries.
Java and all Java-based trademarks and logos are trademarks or
registered trademarks of Oracle and/or its affiliates.
Cell Broadband Engine is a trademark of Sony Computer
Entertainment, Inc. in the United States, other countries, or
both and is used under license therefrom.
Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium
logo are trademarks of HP, IBM Corp. and Quantum in the U.S. and
other countries.
Other company, product, and service names may be trademarks or
service marks of others.