
IdentityManager.config

Connected Services Framework

The following diagram shows how the Web.config file references the Common.config, EnterpriseInstrumentation.config, TraceSessions.config, PolicyCache.config, and IdentityManager.config configuration files:

Please see the previous sections for Web.config, Common.config, EnterpriseInstrumentation.config, TraceSessions.config, and PolicyCache.config. These files are used by all of the Connected Services Framework components.

IdentityManager.config

The IdentityManager.config file is located at the path given by the IdentityManager entry in the ConfigFiles section of the Web.config file, which itself lives in the Identity Manager deployment directory:


<Microsoft.Csf>
 …
 <ConfigFiles>
 …
 <add key="IdentityManager" value="C:\Program Files\Microsoft\Microsoft Csf\Configuration\IdentityManager.config" />
 …
 </ConfigFiles>
 …
</Microsoft.Csf>

Here is an example of IdentityManager.config:

<?xml version="1.0" encoding="utf-8"?>
<IdentityManagerConfigurationSettings>
 
<SSOSettings>
    <!-- The recommended value for this setting is “Domain\Domain Users” group of your domain.
    If you do not want this value, then specify any other domain group which can contain all
    the users for whom the secondary credential may be created.-->
    <DefaultSSOApplicationUserGroup><![CDATA[csf.com\Domain Users]]></DefaultSSOApplicationUserGroup>

    <!-- The recommended value for this “Domain\SSO Affiliate Administrators”
    group that you specified while installing SSO.-->
    <DefaultSSOApplicationAdminGroup><![CDATA[csf.com\SSO Affiliate Administrators]]></DefaultSSOApplicationAdminGroup>

</SSOSettings>

    <!-- The UpdateUsers API allows the caller to change attributes of a user or list of users.
    This configuration section allows the developer to specify "special attributes" whose
    update is to be handled through a set of associated assemblies that implement the
    IUpdateUserProperties interface, GetCurrent() & Update(). See the CSF 2.1 Development
    Guide for more information about the IUpdateUserProperties interface.
    -->
<UserAttributeUpdateHandlerTable>
    <UserAttributeUpdateHandlers>
        <UserAttributeUpdateHandler>
            <!--
            Custom attribute for moving user(s) from one organization to another
            -->
            <AttributeName>ou</AttributeName>
            <!--
            GetCurrent() - returns the current "ou" attribute value and the current roles that the user belongs to.
            Update() - updates the "ou" attribute value, moves the specified user(s) to the new organization and
            resets their roles.
            -->
            <TypeName>Microsoft.Csf.IdentityManager.CustomAttributes.UserOrganizationChange, Microsoft.Csf.UserOrganizationChange, Version=1.0.0.0, Culture=neutral, PublicKeyToken=f2b89264d4ceee5c</TypeName>
        </UserAttributeUpdateHandler>
        <UserAttributeUpdateHandler>
            <!--
               Custom attribute for moving user(s) from one group to another
            -->
            <AttributeName>memberof</AttributeName>
            <!--
            GetCurrent() - returns the current roles the user(s) belongs to.
            Update() - move the user(s) to the specified group(s).
            -->
            <TypeName>Microsoft.Csf.IdentityManager.CustomAttributes.UserRoleChange, Microsoft.Csf.UserRoleChange, Version=1.0.0.0, Culture=neutral, PublicKeyToken=f2b89264d4ceee5c</TypeName>
        </UserAttributeUpdateHandler>
    </UserAttributeUpdateHandlers>
</UserAttributeUpdateHandlerTable>

<ADSettings>
    <UPNRestrictions>
    <!-- Setting this to “1” will force an upn-suffix to be assigned
    to only one organization while creating organization.
    Else set this to “0”.-->
    <UpnBelongsToOneOrganizationOnly>0</UpnBelongsToOneOrganizationOnly>
 
    <!-- Setting this to “1” will force at least one UPN to be specified
    to create an organization. Else set this to “0”.-->
    <AtleastOneUpnPerOrganization>0</AtleastOneUpnPerOrganization>
 
    <!-- Setting this to “1” will force the upn-suffix specified
    during user creation to be one amongst those assigned to the
    organization under which he is created. -->
    <UsersUpnIsOneOfOrganizationSuffixes>0</UsersUpnIsOneOfOrganizationSuffixes>
 
    </UPNRestrictions>
 
    <!-- Path of "OrgCreateMaster.xml" file. -->
    <OrganizationCreationMasterTemplateFile>C:\CsfConfig\OrgCreateMaster.xml</OrganizationCreationMasterTemplateFile>
 
    <!-- Please specify a preferred domain controller that Identity Manager
    should connect to for its operations (if you have just one DC in
    your domain, this setting is not required). Leave this blank if you want
    the most available DC to be chosen dynamically. -->
    <PreferredDomainController></PreferredDomainController>
 
    <!-- Please specify the current domain in which Identity Manager is installed.
    For example, if people in the domain use "DomainName\UserLoginName" for
    logging into this domain, then you should specify "DomainName" here. -->
    <CurrentDomainForLogin>csf</CurrentDomainForLogin>
 
    <!-- Every organization created will have a group "AllUsers@OrganizationID"
    created under it unless you have modified the default organization
    creation template. Setting this flag to "1" will force every new user created
    under that organization to be automatically added to the AllUsers group. -->
    <AddNewUserToAllUsersGroup>1</AddNewUserToAllUsersGroup>
 
    <!-- Please provide the name of the hosting organization.
    This is the same organization Id that you specified when you created the
    hosting organization using script.-->
    <HostingOrganizationId>Bt.com</HostingOrganizationId>
 
</ADSettings>
 

<PasswordAdaptorSettings>
    <!--
    This is a collection of mappings from an inbound address to an outbound address.
    The inbound address is the From of a password adaptor response message and the
    forward to is the address of the password adaptor service that will manage the
    response. Only those that are active will be considered for redirection. Add
    in as many entries as you have password adaptors.
    -->
    <PasswordResponseForwardTos>
        <PasswordResponseForwardTo active="true" from="http://localhost/MockPasswordTestVas/MockPasswordTestVas.ashx" forwardTo="soap.tcp://localhost:4006/CsfSsoPassword" />
    </PasswordResponseForwardTos>
</PasswordAdaptorSettings>
 

</IdentityManagerConfigurationSettings>
 

IdentityManager.config configuration values:

DefaultSSOApplicationUserGroup

Description: The Microsoft® Active Directory® group for SSO users.

How it is used:
Members of this group can look up their credentials in the affiliate application.
Members of this group can manage their credential mappings in the affiliate application.

Default value: csf.com\Domain Users

Needs to be changed for each deployment: Yes

DefaultSSOApplicationAdminGroup

Description: Active Directory group for all SSO application administration.

How it is used:
There is one application administrators group per affiliate application.
Members of this group can change the application users group account.
Members of this group can create, delete, and manage credential mappings for all users of the specific affiliate application.
Members of this group can set credentials for any user in the specific affiliate application users group account.
Members of this group can perform all the administration tasks that the application users can.

Default value: csf.com\SSO Affiliate Administrators

Needs to be changed for each deployment: Yes

UserAttributeUpdateHandler

Description: This set of configuration properties supports the special processing done when updating attributes of the user.

How it is used: When the attribute specified in the <AttributeName> tag is encountered in a request, the associated type is loaded and the processing of that attribute is delegated to that class. This allows for special processing that differs from the standard attribute changes performed by the user manager. In the case of the ou attribute, changing the user's organization also moves the user to the new organization in AD. The memberOf attribute moves the user between groups in AD.

Default value: Supplied in the config file.

Needs to be changed for each deployment: No

UpnBelongsToOneOrganizationOnly

Description: 1 or 0 (corresponding to true or false); determines whether a User Principal Name (UPN) suffix can belong to only a single organization.

How it is used: The Identity Manager component needs to know whether a UPN suffix can be shared, or whether it can be used by only a single organization.

Default value: 0

Needs to be changed for each deployment: No

AtleastOneUpnPerOrganization

Description: 1 or 0 (corresponding to true or false); determines whether at least one User Principal Name (UPN) suffix must be specified when creating an organization.

How it is used: The Identity Manager component can create organizations with or without a UPN suffix. This setting lets the Identity Manager make specifying a UPN suffix mandatory when creating an organization.

Default value: 0

Needs to be changed for each deployment: No

UsersUpnIsOneOfOrganizationSuffixes

Description: 1 or 0 (corresponding to true or false); determines whether a user's User Principal Name (UPN) suffix must be one of the UPN suffixes specified when the user's organization was created.

How it is used: The Identity Manager component can create users with UPN suffixes that are included in their organization's list of UPN suffixes, or it can create users with UPN suffixes that are not in that list. When this setting is "1", users can only have a UPN suffix that is in their organization's list of UPN suffixes.

Default value: 0

Needs to be changed for each deployment: No
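The three UPNRestrictions entries above each gate a different create operation (assigning a suffix to a new organization, creating an organization at all, and creating a user under an organization). The following is an added example, not CSF code: it models the three flags as a policy object and enforces them in a small in-memory organization registry. The `OrgRegistry`, `UpnRestrictions` and `UpnPolicyError` names, the method names, and the rule that suffixes compare case-insensitively are assumptions made for illustration; CSF itself reads the flags from IdentityManager.config and keeps organizations in Active Directory.

```python
"""Enforcement of the three <UPNRestrictions> flags (added example, not CSF code)."""

from dataclasses import dataclass, field


@dataclass
class UpnRestrictions:
    # Mirrors the three elements under <UPNRestrictions>; True means "enforce".
    upn_belongs_to_one_organization_only: bool = False
    at_least_one_upn_per_organization: bool = False
    users_upn_is_one_of_organization_suffixes: bool = False

    @classmethod
    def from_flags(cls, one_org: str, at_least_one: str, user_suffix: str) -> "UpnRestrictions":
        # The config stores each flag as the string "0" or "1"; anything else is a
        # configuration error rather than a silent default.
        def flag(value: str) -> bool:
            if value not in ("0", "1"):
                raise ValueError(f"UPN restriction flag must be '0' or '1', got {value!r}")
            return value == "1"

        return cls(flag(one_org), flag(at_least_one), flag(user_suffix))


class UpnPolicyError(ValueError):
    """A create request violates an enabled restriction."""


def _normalize(suffixes) -> set:
    # UPN suffixes are DNS names, so compare them case-insensitively (assumption).
    return {s.strip().lower() for s in suffixes if s.strip()}


@dataclass
class OrgRegistry:
    restrictions: UpnRestrictions
    # organization id -> UPN suffixes assigned when the organization was created
    orgs: dict = field(default_factory=dict)

    def create_organization(self, org_id: str, suffixes) -> set:
        if org_id in self.orgs:
            raise UpnPolicyError(f"organization {org_id!r} already exists")
        wanted = _normalize(suffixes)
        # AtleastOneUpnPerOrganization=1: an organization without a suffix is refused.
        if self.restrictions.at_least_one_upn_per_organization and not wanted:
            raise UpnPolicyError(f"organization {org_id!r} must be given at least one UPN suffix")
        # UpnBelongsToOneOrganizationOnly=1: a suffix may not be shared between organizations.
        if self.restrictions.upn_belongs_to_one_organization_only:
            for other_id, other_suffixes in self.orgs.items():
                clash = wanted & other_suffixes
                if clash:
                    raise UpnPolicyError(f"suffix(es) {sorted(clash)} already belong to {other_id!r}")
        self.orgs[org_id] = wanted
        return wanted

    def create_user(self, org_id: str, upn: str) -> str:
        if org_id not in self.orgs:
            raise UpnPolicyError(f"unknown organization {org_id!r}")
        if upn.count("@") != 1 or not upn.split("@")[0]:
            raise UpnPolicyError(f"UPN {upn!r} must be of the form name@suffix")
        suffix = upn.split("@")[1].lower()
        # UsersUpnIsOneOfOrganizationSuffixes=1: the user's suffix must be one the
        # organization was created with.
        if (self.restrictions.users_upn_is_one_of_organization_suffixes
                and suffix not in self.orgs[org_id]):
            raise UpnPolicyError(f"suffix {suffix!r} is not assigned to organization {org_id!r}")
        return upn


def rejected(action, *args) -> bool:
    """True if the action raises UpnPolicyError; convenient for policy checks."""
    try:
        action(*args)
    except UpnPolicyError:
        return True
    return False


if __name__ == "__main__":
    strict = OrgRegistry(UpnRestrictions.from_flags("1", "1", "1"))
    strict.create_organization("contoso", ["contoso.com"])
    print(rejected(strict.create_organization, "fabrikam", ["contoso.com"]))  # shared suffix refused
    print(rejected(strict.create_user, "contoso", "carol@fabrikam.com"))      # foreign suffix refused
```

With all three flags at "0" (the page's defaults) every call above succeeds, which is why a hosting deployment that wants tenants isolated by suffix must set the flags deliberately rather than rely on the defaults.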

OrganizationCreationMasterTemplateFile

Description: File path to the OrgCreateMaster.xml file.

How it is used: The OrgCreateMaster.xml file contains the paths to the templates for the different types of organizations. It is used to apply a template when an organization is created. By default it holds the locations of the CustomerSettings.xml, PartnerSettings.xml, and ResellerSettings.xml files.

Default value: C:\CsfConfig\OrgCreateMaster.xml

Needs to be changed for each deployment: Yes

PreferredDomainController

Description: Name of the preferred domain controller.

How it is used: In domains with multiple domain controllers, the preferred domain controller for the Identity Manager component to use can be specified. When this is empty, the most available domain controller is chosen automatically by the Identity Manager component.

Default value: (empty)

Needs to be changed for each deployment: Yes

CurrentDomainForLogin

Description: String containing the current domain name in which the Identity Manager is installed and used.

How it is used: While creating and modifying users in SSO, the Identity Manager component needs to specify the current domain name.

Default value: csf

Needs to be changed for each deployment: Yes

AddNewUserToAllUsersGroup

Description: 1 or 0 (corresponding to true or false); determines whether a new user should be added to the All Users group.

How it is used: This setting enables the Identity Manager component to add users to the All Users group when they are created. This can be a great convenience for many deployments.

Default value: 1

Needs to be changed for each deployment: No

HostingOrganizationId

Description: String specifying the hosting organization.

How it is used: The Identity Manager component needs to know the organization that is hosting it. This is the "master" hosting organization, under which child organizations of type customer, partner, or reseller are created.

Default value: Anydomain.com

Needs to be changed for each deployment: Yes

PasswordResponseForwardTo

Description: An entry that forwards password adaptor requests to the adaptor Windows service.

How it is used: The Identity Manager may optionally be used in the password change notification process to forward HTTP messages from external systems back to the password adaptor service, which runs as a TCP Windows service. This addresses deployments where a TCP address cannot be exposed outside the CSF domain. Consult the operations guide for details on the setup and configuration of the password adaptor.

Default value: none

Needs to be changed for each deployment: The password adaptor is optional, and these values are ignored unless a password change message is received by the Identity Manager.
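Two things in this reference are worth checking mechanically before a deployment goes live: the settings marked "Needs to be changed for each deployment: Yes" must not still carry the sample values from the example file, and the PasswordResponseForwardTos table must only ever redirect a response whose From address matches an active entry. The following is an added example, not CSF code: `SAMPLE_CONFIG` is a trimmed copy of the page's example with three constructed deviations that exercise the checks (the memberof handler's TypeName is replaced by a hypothetical, non-strong-named `Contoso.Handlers` reference, AtleastOneUpnPerOrganization holds "yes" instead of 0/1, and a second, inactive forwarder is added). The function names, the `SAMPLE_DEFAULTS` table and the strong-name requirement for handler assemblies are assumptions of this example.

```python
"""Review an IdentityManager.config and resolve password-adaptor forwards (added example)."""

import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: the page's example, trimmed, with three deliberate deviations.
SAMPLE_CONFIG = r"""<?xml version="1.0" encoding="utf-8"?>
<IdentityManagerConfigurationSettings>
  <SSOSettings>
    <DefaultSSOApplicationUserGroup><![CDATA[csf.com\Domain Users]]></DefaultSSOApplicationUserGroup>
    <DefaultSSOApplicationAdminGroup><![CDATA[csf.com\SSO Affiliate Administrators]]></DefaultSSOApplicationAdminGroup>
  </SSOSettings>
  <UserAttributeUpdateHandlerTable><UserAttributeUpdateHandlers>
    <UserAttributeUpdateHandler>
      <AttributeName>ou</AttributeName>
      <TypeName>Microsoft.Csf.IdentityManager.CustomAttributes.UserOrganizationChange, Microsoft.Csf.UserOrganizationChange, Version=1.0.0.0, Culture=neutral, PublicKeyToken=f2b89264d4ceee5c</TypeName>
    </UserAttributeUpdateHandler>
    <UserAttributeUpdateHandler>
      <AttributeName>memberof</AttributeName>
      <TypeName>Contoso.Handlers.RoleChange, Contoso.Handlers</TypeName>
    </UserAttributeUpdateHandler>
  </UserAttributeUpdateHandlers></UserAttributeUpdateHandlerTable>
  <ADSettings>
    <UPNRestrictions>
      <UpnBelongsToOneOrganizationOnly>0</UpnBelongsToOneOrganizationOnly>
      <AtleastOneUpnPerOrganization>yes</AtleastOneUpnPerOrganization>
      <UsersUpnIsOneOfOrganizationSuffixes>0</UsersUpnIsOneOfOrganizationSuffixes>
    </UPNRestrictions>
    <CurrentDomainForLogin>csf</CurrentDomainForLogin>
    <HostingOrganizationId>Bt.com</HostingOrganizationId>
  </ADSettings>
  <PasswordAdaptorSettings><PasswordResponseForwardTos>
    <PasswordResponseForwardTo active="true" from="http://localhost/MockPasswordTestVas/MockPasswordTestVas.ashx" forwardTo="soap.tcp://localhost:4006/CsfSsoPassword" />
    <PasswordResponseForwardTo active="false" from="https://adaptor.example.net/response" forwardTo="soap.tcp://sso-host:4006/CsfSsoPassword" />
  </PasswordResponseForwardTos></PasswordAdaptorSettings>
</IdentityManagerConfigurationSettings>
"""

# Element path -> sample value(s) shown on this page for settings that must change per deployment.
SAMPLE_DEFAULTS = {
    "SSOSettings/DefaultSSOApplicationUserGroup": (r"csf.com\Domain Users",),
    "SSOSettings/DefaultSSOApplicationAdminGroup": (r"csf.com\SSO Affiliate Administrators",),
    "ADSettings/CurrentDomainForLogin": ("csf",),
    "ADSettings/HostingOrganizationId": ("Bt.com", "Anydomain.com"),
}
UPN_FLAGS = ("UpnBelongsToOneOrganizationOnly", "AtleastOneUpnPerOrganization",
             "UsersUpnIsOneOfOrganizationSuffixes")


def load_config(xml_text: str) -> ET.Element:
    # Parse from bytes so the encoding declaration in the prolog is honoured.
    return ET.fromstring(xml_text.encode("utf-8"))


def _text(node: ET.Element, path: str) -> str:
    return (node.findtext(path) or "").strip()


def review_config(root: ET.Element) -> list:
    """Return one finding string per problem; an empty list means nothing to flag."""
    findings = []
    for path, samples in SAMPLE_DEFAULTS.items():
        if _text(root, path) in samples:
            findings.append(f"{path}: still set to the sample value {_text(root, path)!r}")
    for flag in UPN_FLAGS:
        value = _text(root, f"ADSettings/UPNRestrictions/{flag}")
        if value not in ("0", "1"):
            findings.append(f"UPNRestrictions/{flag}: expected '0' or '1', got {value!r}")
    for handler in root.iter("UserAttributeUpdateHandler"):
        attr, type_name = _text(handler, "AttributeName"), _text(handler, "TypeName")
        # The handler is loaded by this assembly-qualified name, so insist on a real
        # PublicKeyToken: only a strong-named assembly can then satisfy the entry.
        if "PublicKeyToken=" not in type_name or type_name.endswith("PublicKeyToken=null"):
            findings.append(f"handler for {attr!r}: TypeName is not a strong-named assembly reference")
    for fwd in root.iter("PasswordResponseForwardTo"):
        active = fwd.get("active", "").lower()
        if active not in ("true", "false"):
            findings.append(f"forwarder {fwd.get('from')!r}: active must be true or false")
        elif active == "true" and urlparse(fwd.get("from", "")).hostname == "localhost":
            findings.append(f"forwarder {fwd.get('from')!r}: active entry still uses the sample address")
    return findings


def resolve_password_forward(root: ET.Element, from_address: str):
    """forwardTo of the active entry whose 'from' equals the inbound From address.

    Inactive entries are skipped (only active ones are considered for redirection);
    an unmatched address yields None so the caller can drop the message."""
    for fwd in root.iter("PasswordResponseForwardTo"):
        if fwd.get("active", "false").lower() == "true" and fwd.get("from") == from_address:
            return fwd.get("forwardTo")
    return None


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    for finding in review_config(cfg):
        print("-", finding)
```

Run against the constructed sample it reports seven findings (four leftover sample values, the malformed UPN flag, the handler without a PublicKeyToken, and the active forwarder still pointing at localhost); the inactive forwarder resolves to nothing, matching the page's statement that only active entries are considered for redirection.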

© 2014 Microsoft. All rights reserved.