Identity Broker Forum
Welcome to the community forum for Identity Broker.
Identity Broker 4.0
I have a few thoughts around Identity Broker based on relatively recent interactions with the product. Hopefully I won't have doubled up too much with others or missed functionality that might already be there.
COMMON TRANSFORMATIONS
Over time I have seen quite a bit of work needing to be done in SQL to prepare or cleanse data prior to Broker (or straight ILM) being involved. This may just be simple views or complex changes. Currently views need to be developed still with Broker when things could perhaps be solved with a few common simple transformations such as:
- Trimming leading and / or trailing spaces
- Case changes (toupper, tolower)
DATA LOADING and management
- Ability to specify a query (akin to a SQL view definition) when retrieving data from a SQL repository
- Ability to archive / age data out of the store so the connector space is reduced (e.g. if a record is inactive for more than 90 days don't present through to the adapter interface)
INTERFACE and OPERATIONAL MANAGEMENT
- Ability to search for individual records rather than having to return all adapter or connector space records
- More visibility of the transformations (I think this has already been referenced but thought I would support it)
- Better scheduling. We need to be able to schedule daily and time based delta and full loads. i.e. akin to what is being delivered with the newer Event Broker.
- Timing: Please at least let us work in seconds (and minutes and hours) rather than "ticks"
- Better visibility around what is happening and what is in the data repository
I am sure there are a few others, but this is a start.
thanks,
Craig Gilmour
Auto-configuration for connectors and adapters.
To achieve similar configuration speed/ease benefits of Event Broker v3.1, an auto-configuration process should be considered for Identity Broker v4.1.
This issue has an explicit prerequisite for IDB-932, as being able to talk to target systems will be a prerequisite to describe their object classes.
Unlike FIM Event Broker where we have to ask a number of questions about each management agent, we could describe the partitions of a Chris21 or TRIM etc. in a standard manner. This means no custom UI per instance.
Definitions of connectors are much closer to schema providers, namely many connectors can be described by dynamic/static unique identifiers. Those that can't could be described away with bespoke Alerts.
With our definitions of connectors defined in concrete, we can systematically define standard adapters. Whether they're standard would be debatable, but they would at least be a backbone for the implementation, and hopefully get us the 80/20.
Can not run SAP Connector - BadImageFormatException
I get the following error when trying to perform a Full Import of the configured SAP Employee Connector
20121121,01:02:23,Change detection engine import all items failed.,Change detection engine,Warning,"Change detection engine import all items for connector Employee Connector failed with reason An attempt was made to load a program with an incorrect format. (Exception from HRESULT: 0x8007000B). Duration: 00:00:00
Error details:
System.BadImageFormatException: An attempt was made to load a program with an incorrect format. (Exception from HRESULT: 0x8007000B)
at SAP.Connector.Connection.Open()
at Unify.Communicators.SapHRCommunicator.SapHrCommunicator.Open()
at Unify.Communicators.SapHRCommunicator.SapHrCommunicator.GetEmployees(String statusType, DateTime startDate, DateTime endDate, String infoType, IEnumerable`1 subTypes, IEnumerable`1 employeeIdRecords)
at Unify.Connectors.SapHrEmployeeConnector.ProcessGetEntities(IEnumerable`1 employeeRecords)
at Unify.Framework.ConnectorToReadingConnectorBridge.GetAllEntities(IStoredValueCollection storedValueState)
at Unify.Framework.EventNotifierReadingConnectorDecoratorBase`1.GetAllEntities(IStoredValueCollection storedValues)
at Unify.Framework.ChangeDetectionImportAllJob.ImportAllChangeProcess()
at Unify.Framework.ChangeDetectionImportAllJob.RunBase()
at Unify.Framework.MutexJobDecorator.Run()
at Unify.Framework.DefinedScopeJobAuditTrailJobDecorator.Run()
at Unify.Framework.AsynchronousJobExecutor.PerformJobCallback(Object state)",Normal
I originally had the x64 version of Identity Broker installed and later realised that this is unsupported by the SAP Connector. Uninstalled it and went with an x86 version, as well as the x86 installer of the SAP connector. The net result being that my environment has:
- Identity Broker 3.0.7.6 x86
- Identity Broker for SAP HCM 3.0.1.3 x86
I've attached my connector config.
The error appears to be identical to that reported at https://unifysolutions.jira.com/browse/ALDMLS-20 for previous Identity Broker versions.
After failing to resolve this in the DSEWPaC environment, I installed an x86 version of Identity Broker locally and the SAP connector and reproduced the error on my own system.
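The exception above is what the CLR raises when a process of one bitness tries to load an image built for the other. As an added example that is not part of the original post or of the Identity Broker or SAP connector products, the following C# tool walks a service directory and lists every DLL or EXE that a service of the given bitness could not load. The directory path is a placeholder and the expected service bitness is a caller-supplied assumption; managed assemblies are inspected through `AssemblyName.GetAssemblyName`, and native libraries (which make that call throw) through the PE COFF header.

```csharp
// Added example (not Identity Broker or SAP connector code). It reports every DLL/EXE
// under a directory that a service of the given bitness cannot load, which is what
// BadImageFormatException / HRESULT 0x8007000B means in practice. The directory path
// and the expected service bitness are assumptions supplied by the caller.
using System;
using System.Collections.Generic;
using System.IO;
using System.Reflection;

public static class ImageArchitectureCheck
{
    public enum Arch { Unknown, X86, X64, AnyCpu }

    // Managed assemblies expose their target through AssemblyName without being loaded.
    // A native DLL (for example an RFC library a SAP connector depends on) makes
    // GetAssemblyName throw BadImageFormatException, so fall back to the PE header for those.
    public static Arch GetArch(string path)
    {
        try
        {
            switch (AssemblyName.GetAssemblyName(path).ProcessorArchitecture)
            {
                case ProcessorArchitecture.MSIL: return Arch.AnyCpu;
                case ProcessorArchitecture.X86: return Arch.X86;
                case ProcessorArchitecture.Amd64: return Arch.X64;
                default: return Arch.Unknown;
            }
        }
        catch (BadImageFormatException)
        {
            return ReadPeMachine(path);
        }
    }

    // COFF Machine field of a PE image: 0x014C = IMAGE_FILE_MACHINE_I386,
    // 0x8664 = IMAGE_FILE_MACHINE_AMD64. Anything else is reported as Unknown.
    public static Arch ReadPeMachine(string path)
    {
        using (var fs = File.OpenRead(path))
        using (var br = new BinaryReader(fs))
        {
            if (fs.Length < 0x40 || br.ReadUInt16() != 0x5A4D) return Arch.Unknown;  // "MZ"
            fs.Seek(0x3C, SeekOrigin.Begin);
            int peOffset = br.ReadInt32();                                          // e_lfanew
            if (peOffset <= 0 || peOffset + 6 > fs.Length) return Arch.Unknown;
            fs.Seek(peOffset, SeekOrigin.Begin);
            if (br.ReadUInt32() != 0x00004550) return Arch.Unknown;                 // "PE\0\0"
            switch (br.ReadUInt16())
            {
                case 0x014C: return Arch.X86;
                case 0x8664: return Arch.X64;
                default: return Arch.Unknown;
            }
        }
    }

    // A process can only load images of its own bitness; AnyCPU (MSIL) fits either.
    public static bool IsLoadableBy(Arch arch, bool serviceIs64Bit)
    {
        return arch == Arch.AnyCpu || arch == (serviceIs64Bit ? Arch.X64 : Arch.X86);
    }

    public static List<string> FindMismatches(string directory, bool serviceIs64Bit)
    {
        var findings = new List<string>();
        foreach (var file in Directory.EnumerateFiles(directory, "*", SearchOption.AllDirectories))
        {
            var ext = Path.GetExtension(file).ToLowerInvariant();
            if (ext != ".dll" && ext != ".exe") continue;
            var arch = GetArch(file);
            if (arch == Arch.Unknown) continue;   // resource-only or non-PE files: nothing to say
            if (!IsLoadableBy(arch, serviceIs64Bit))
                findings.Add(string.Format("{0}: built for {1}, service is {2}",
                    file, arch, serviceIs64Bit ? "x64" : "x86"));
        }
        return findings;
    }

    public static void Main(string[] args)
    {
        // Placeholder path: point this at the Identity Broker service directory.
        string dir = args.Length > 0 ? args[0] : @"C:\PLACEHOLDER\IdentityBroker";
        bool serviceIs64Bit = args.Length > 1 && args[1].Equals("x64", StringComparison.OrdinalIgnoreCase);
        foreach (var line in FindMismatches(dir, serviceIs64Bit)) Console.WriteLine(line);
        Console.WriteLine("checked for a {0} service", serviceIs64Bit ? "x64" : "x86");
    }
}
```

Run it once with `x86` against the directory of an x86 Identity Broker install: any line it prints names an image the 32-bit service process cannot map, which is the mismatch to resolve before retrying the Full Import. Native dependencies of a connector are the ones most easily missed, because they are not visible to the .NET assembly binder until the first `Open()` call.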
LDAP Client cannot add entity if DN Template uses IdBID
If an adapter DN template is generated using the IdBID, an LDAP client cannot add entities, as the add request requires a DN, which includes a new guid value; however, the IdBID is still generated on the entity's creation. This means the DN supplied doesn't match the newly created entity's generated DN, resulting in the following error.
Handling of LDAP add request. Handling of LDAP add request from user Admin on connection 192.168.16.54:53591 to add an entity with a distinguished name of UID=EA866F73-1AFD-483C-9D8B-37DE4A982A38,OU=childCon,DC=IdentityBroker failed with error "Add request failed as the converted DN UID=7f30b4c7-dd4d-4aef-9200-ee9570282069,OU=childCon,DC=IdentityBroker does not match the request DN UID=EA866F73-1AFD-483C-9D8B-37DE4A982A38,OU=childCon,DC=IdentityBroker.". Duration: 00:00:00.0250182.
Add an ActionAfterCommit to allow cleanup on source system.
The current design of Identity Broker commits updates to entities to the database at internally defined intervals. This additional feature will allow the connector to run cleanup functions on the source system after it is certain that the commit on Identity Broker has succeeded.
The change should add something like the following method to the Unify.Framework.Collections.EnumerableExtensions library:
public static IEnumerable<T> ActionAfterCommit<T>(this IEnumerable<T> source, Action actionOnLast);
Edit (Adam): Another possible pattern is another interface that connectors could optionally implement.
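As an added example that is not part of the original post or of the Identity Broker code base, the following C# shows one way the proposed extension method could be implemented as a deferred iterator, together with two consumers: one for which it gives the intended "cleanup only after the last commit" ordering, and one for which it does not. The `ChangeRecord` type, the staging list and the consumer names are constructed for the demo.

```csharp
// Added example (not Identity Broker code): one way the proposed
// EnumerableExtensions.ActionAfterCommit could be implemented, a consumer for which it
// gives the intended "cleanup only after the last commit" ordering, and a consumer for
// which it does not. The ChangeRecord type and the staging list are constructed for the demo.
using System;
using System.Collections.Generic;
using System.Linq;

public static class EnumerableExtensions
{
    // Yields every item of source unchanged and invokes actionOnLast exactly once, at the
    // MoveNext() that reports the end of the sequence. If the consumer stops early or an
    // exception aborts enumeration, actionOnLast never runs.
    public static IEnumerable<T> ActionAfterCommit<T>(this IEnumerable<T> source, Action actionOnLast)
    {
        if (source == null) throw new ArgumentNullException("source");
        if (actionOnLast == null) throw new ArgumentNullException("actionOnLast");
        return Iterate(source, actionOnLast);   // argument checks run eagerly, iteration lazily
    }

    private static IEnumerable<T> Iterate<T>(IEnumerable<T> source, Action actionOnLast)
    {
        foreach (var item in source)
            yield return item;
        actionOnLast();
    }
}

public class ChangeRecord
{
    public int Id;
    public string Employee;
}

public static class CommitOrderingDemo
{
    // Stand-in for a connector's staging table of pending changes (constructed data).
    static List<ChangeRecord> NewStaging()
    {
        return new List<ChangeRecord>
        {
            new ChangeRecord { Id = 1, Employee = "E100" },
            new ChangeRecord { Id = 2, Employee = "E101" },
            new ChangeRecord { Id = 3, Employee = "E102" },
        };
    }

    static IEnumerable<ChangeRecord> ReadChanges(List<ChangeRecord> staging, List<string> log)
    {
        return staging.ToList().ActionAfterCommit(() =>
        {
            staging.Clear();            // the "cleanup on the source system"
            log.Add("cleanup");
        });
    }

    // Consumer that commits before every MoveNext: the final MoveNext, and therefore the
    // cleanup, cannot happen until the last record has been committed.
    public static List<string> CommitPerItem()
    {
        var log = new List<string>();
        foreach (var change in ReadChanges(NewStaging(), log))
            log.Add("commit " + change.Id);
        return log;
    }

    // Consumer that materialises first: ToList() drains the sequence, so the cleanup fires
    // before a single commit has happened, and a commit failure leaves the source already
    // cleaned up. This is the gap an interface-based hook would close.
    public static List<string> MaterialiseThenCommit()
    {
        var log = new List<string>();
        var all = ReadChanges(NewStaging(), log).ToList();
        log.Add("commit " + string.Join(",", all.Select(c => c.Id.ToString()).ToArray()));
        return log;
    }

    public static void Main()
    {
        Console.WriteLine(string.Join(" -> ", CommitPerItem().ToArray()));
        Console.WriteLine(string.Join(" -> ", MaterialiseThenCommit().ToArray()));
    }
}
```

With the per-item consumer the log reads commit 1, commit 2, commit 3, cleanup; with the materialising consumer it reads cleanup first, then the commit. The same inversion happens with page-batched commits, because the consumer only learns that the last page is complete when MoveNext returns false, which is also the moment the cleanup runs. The enumerable signature therefore only delivers "after commit" when the consumer commits before pulling the next element, which is the case for an explicit callback interface implemented by the connector, as suggested in Adam's edit.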
Allow timings to specify start time
Identity Broker timings allow us to specify how often a particular operation runs... however (to my knowledge) they do not allow us to specify when to commence the timer for that timing. By default, timings start from the time the service starts.
For example, we can set a connector to perform a full import every 24 hours... but we cannot set the connector to import every 24 hours AT MIDNIGHT.
The ability to specify a start time for operations in Identity Broker (and also Event Broker 3) would be beneficial, as clients often ask us to schedule operations for out-of-hours.
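As an added example that belongs to neither this post nor Craig's list above (nor to the Identity Broker or Event Broker code), the following C# contrasts the service-start-relative schedule described here with a schedule anchored to a wall-clock time of day, and includes the conversion behind the "ticks" complaint in Craig's post. The dates are constructed and the method names are this example's own.

```csharp
// Added example (not Identity Broker or Event Broker code): how a timing could compute its
// next run when anchored to a time of day, next to the service-start-relative behaviour the
// post describes, and the conversion between seconds and the ticks the UI currently uses.
// All dates are constructed; the method names are this example's own.
using System;

public static class TimingSchedule
{
    // Current behaviour as described: the interval counts from the moment the service started.
    public static DateTime NextRunFromServiceStart(DateTime serviceStart, TimeSpan interval, DateTime now)
    {
        if (interval <= TimeSpan.Zero) throw new ArgumentOutOfRangeException("interval");
        return NextBoundaryAfter(serviceStart, interval, now);
    }

    // Requested behaviour: anchor the interval to a wall-clock time of day, so that an
    // interval of 24 hours with startTimeOfDay 00:00 means "every day at midnight" no matter
    // when the service last restarted. Intervals that divide a day keep the same times daily.
    public static DateTime NextRunAnchored(TimeSpan startTimeOfDay, TimeSpan interval, DateTime now)
    {
        if (interval <= TimeSpan.Zero) throw new ArgumentOutOfRangeException("interval");
        if (startTimeOfDay < TimeSpan.Zero || startTimeOfDay >= TimeSpan.FromDays(1))
            throw new ArgumentOutOfRangeException("startTimeOfDay");
        DateTime anchor = now.Date + startTimeOfDay;
        if (anchor > now) anchor = anchor.AddDays(-1);   // most recent anchor at or before now
        return NextBoundaryAfter(anchor, interval, now);
    }

    // First instant strictly after now of the form anchor + n * interval (n >= 0).
    static DateTime NextBoundaryAfter(DateTime anchor, TimeSpan interval, DateTime now)
    {
        if (now < anchor) return anchor;
        long periods = (now - anchor).Ticks / interval.Ticks + 1;
        return anchor + TimeSpan.FromTicks(periods * interval.Ticks);
    }

    // A tick is 100 nanoseconds (TimeSpan.TicksPerSecond == 10,000,000), which is why a
    // timing expressed in ticks is hard to read. These are the two conversions a UI that
    // accepted seconds, minutes or hours would need.
    public static long SecondsToTicks(double seconds) { return TimeSpan.FromSeconds(seconds).Ticks; }
    public static double TicksToSeconds(long ticks) { return TimeSpan.FromTicks(ticks).TotalSeconds; }

    public static void Main()
    {
        var serviceStart = new DateTime(2015, 10, 30, 20, 42, 0);   // constructed
        var now          = new DateTime(2015, 10, 31, 9, 0, 0);     // constructed
        var daily        = TimeSpan.FromHours(24);
        Console.WriteLine(NextRunFromServiceStart(serviceStart, daily, now));
        Console.WriteLine(NextRunAnchored(TimeSpan.Zero, daily, now));
        Console.WriteLine(NextRunAnchored(TimeSpan.FromHours(22), TimeSpan.FromHours(6), now));
        Console.WriteLine(SecondsToTicks(86400));
    }
}
```

For the constructed dates the service-relative daily schedule fires next at 20:42 on 31 October, whereas the midnight-anchored one fires at 00:00 on 1 November; the 6-hourly schedule anchored at 22:00 fires next at 10:00 on 31 October. A day of 86,400 seconds is 864,000,000,000 ticks, which is the figure an operator would otherwise have to type.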
Schema key field not present for fields updated by connector during insert.
See the following stack trace:
System.NullReferenceException: Object reference not set to an instance of an object. at Unify.Framework.ArrayEqualityComparer`1.GetHashCode(T[] obj) in S:\hg\Framework\Core\v3.0.4\Source\Collections\Unify.Framework.Collections\Comparers\ArrayEqualityComparer.cs:line 65 at Unify.Framework.MultiKeyValue.GetHashCode() in S:\hg\Framework\Core\v3.0.4\Source\Entity\Unify.Framework.Entity.Interfaces\MultiKeyValue.cs:line 98 at System.Collections.Generic.GenericEqualityComparer`1.GetHashCode(T obj) at System.Collections.Generic.Dictionary`2.Insert(TKey key, TValue value, Boolean add) at System.Collections.Generic.Dictionary`2.Add(TKey key, TValue value) at System.Linq.Enumerable.ToDictionary[TSource,TKey,TElement](IEnumerable`1 source, Func`2 keySelector, Func`2 elementSelector, IEqualityComparer`1 comparer) at System.Linq.Enumerable.ToDictionary[TSource,TKey,TElement](IEnumerable`1 source, Func`2 keySelector, Func`2 elementSelector) at Unify.Repository.EntityRepositoryExtensions.ConvertConnectorEntitiesWithRepositoryEntities(IEnumerable`1 connectorEntities, IMultiKey`1 schemaKey, IQueryable`1 sourceEntities, Guid connectorId, IEnumerable`1 originalEntities) in C:\hg\Framework\Core\Master\Source\Entity\Unify.Repository.Entity\EntityRepositoryExtensions.cs:line 94 at Unify.Framework.Adapter.SaveEntities(IEnumerable`1 entities, Boolean reflect) in S:\hg\Framework\Core\v3.0.4\Source\Adapter\Unify.Framework.Adapter\Adapter.cs:line 463 at Unify.Framework.Adapter.SaveEntity(IAdapterEntity entity, Boolean reflect) in S:\hg\Framework\Core\v3.0.4\Source\Adapter\Unify.Framework.Adapter\Adapter.cs:line 387 at Unify.Framework.CompositeAdapter.SaveEntity(IAdapterEntity entity) in S:\hg\Framework\Core\v3.0.4\Source\Adapter\Unify.Framework.Adapter\CompositeAdapter.cs:line 215 at Unify.Framework.AdapterNotifierDecorator.SaveEntity(IAdapterEntity entityToSave) in S:\hg\Framework\Core\v3.0.4\Source\Adapter\Unify.Framework.Adapter\AdapterNotifierDecorator.cs:line 200 at 
Unify.Framework.LDIFAdapter.ExportAdapterEntity(IAdapterEntity adapterEntity, Guid adapterId) in S:\hg\Framework\Core\v3.0.4\Source\Adapter\Unify.Framework.Adapter.Remoting\LDIFAdapter.cs:line 118 at Unify.Framework.LDIFAdapterServiceHostDecorator.ExportAdapterEntity(IAdapterEntity adapterEntity, Guid adapterId) in S:\hg\Framework\Identity Broker\v3.0\Source\Unify.Framework.ConnectEngine\LDIFAdapterServiceHostDecorator.cs:line 69 at SyncInvokeExportAdapterEntity(Object , Object[] , Object[] ) at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]& outputs) at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc& rpc) at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(MessageRpc& rpc) at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage4(MessageRpc& rpc) at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet)",Normal
Related to issue IDBSP-6
Fatal error 9001 in Identity Broker for Frontier chris21
As reported by customer:
We started to have an issue with the Unify Connector on Friday night.
The connection between UMC and IdM has failed with the following error;
30/10/2015 20:42:39 Warning Adapterrequest to get entity from adapter space failed. Adapter "Adapter request to get attribute changes from adapter space 53e85508-7648-409c-bd3a-0737028eba29 failed with reason Warning: Fatal error 9001 occurred at Oct 30 2015 8:42PM. Note the error and time, and contact your system administrator
The rest of the error is listed below. Is this an error that you’ve seen before? Would you know how to resolve this?
We have UNIFY Identity Broker v3.0.6 service running.
Reason: System.Data.SqlClient.SqlException:Warning: Fatal error 9001 occurred at Oct 30 2015 8:42PM. Note the errorand time, and contact your system administrator. at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection) at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj) at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj) at System.Data.SqlClient.SqlCommand.RunExecuteNonQueryTds(String methodName, Boolean async) at System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery(DbAsyncResult result, String methodName, Boolean sendToPipe) at System.Data.SqlClient.SqlCommand.ExecuteNonQuery() at Unify.Repository.ChangesItemContext.CreateContext(SqlConnection connection) at Unify.Framework.LinqWhereQuery`5.GetEnumerator() at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext() at System.Linq.Enumerable.<DistinctIterator>d__7a`1.MoveNext() at Unify.Framework.EnumerableExtensions.<ProduceAutoPages>d__9`1.MoveNext() at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext() at System.Linq.Enumerable.<SelectManyIterator>d__14`2.MoveNext() at Unify.Framework.EnumerableExtensions.<ActionOnLast>d__16`1.MoveNext() at Unify.Framework.EnumerableExtensions.<ActionOnFirst>d__1c`1.MoveNext() at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext() at Unify.Framework.ActionOnExceptionEnumerator`1.MoveNext() at Unify.Framework.EnumerableExtensions.<ActionOnLast>d__16`1.MoveNext() at System.Collections.Generic.List`1..ctor(IEnumerable`1 collection) at Unify.Adapters.NovellIdentityManagerIdentityBrokerDriverAdapter.Publish(Guid adapterId) at Unify.Adapters.NovellIdentityManagerIdentityBrokerDriverNotificationDecorator.Publish(Guid adapterId) at Unify.Adapters.NovellIdentityManagerIdentityBrokerDriver.Publish(Guid adapterId) at 
SyncInvokePublish(Object , Object[] , Object[] ) at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]& outputs) at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc& rpc) at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(MessageRpc& rpc) at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage4(MessageRpc& rpc) at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet)"
SQL Server Fatal Error 9001 can occur when one of the log database files is unavailable.
Either you have run out of space on your SQL Server instance, or the log file is at its maximum and needs truncating.
I would suggest:
- Clearing up space on the SQL Server hard drive containing the log and/or database files
- Truncating the log file using the SQL Server Management Studio (or the appropriate T-SQL commands)
- Restarting the Windows Server with SQL Server.
If any of those don’t work, then please let me know and we’ll arrange to have a look.
WAMIKey not populating via IdB Aurion connector
I am currently experiencing the same issue mentioned in ACMA-11 - WAMIKey not populating via IdB Aurion connector - and am now receiving "Aurion API error -1: Employee No not found in Aurion", which I did not believe was required for security users.
From the looks of this issue it indicates that some changes were performed in order to get this working. Can we confirm these changes have followed on the 4.1 release?
I'm 99% sure my configuration is spot on.
I've spent a lot of time modifying this and trying different things to no avail.
Any help would be appreciated as this is currently holding up my production go-live.
Please see configuration attached below
<connectorconfiguration>
  <connector id="34bfc0b6-1dd1-4254-80b0-53932487d505" connector="Unify.Connectors.Aurion.SecurityUser" name="Aurion Security Users" queueMissed="false" enabled="true" auditLevel="None">
    <entitySchema>
      <field name="User" key="true" readonly="true" required="true" validator="string" id="925ce35d-f275-4dd6-a115-d03b58d00b5d">
        <Extended xmlns="" />
      </field>
      <field name="OsUserId" key="false" readonly="false" required="false" validator="string" id="9016c684-2a1c-4471-bdec-4f4d916ea191">
        <Extended xmlns="" />
      </field>
      <field name="Name" key="false" readonly="false" required="false" validator="string" id="8dddc336-e7bd-443f-9707-d0b83ee88a64">
        <Extended xmlns="" />
      </field>
      <field name="WamiKey" key="false" readonly="false" required="false" validator="string" id="66c5aa11-eb9b-4e90-ab5b-0612bbdc428c">
        <Extended xmlns="" />
      </field>
      <field name="Status" key="false" readonly="false" required="false" validator="string" id="e0d63812-ebcc-4ef9-90dd-16081cade845">
        <Extended xmlns="" />
      </field>
      <field name="Password" key="false" readonly="false" required="false" validator="string" id="c998cf42-49f5-4206-aaf8-6a9e91e7d812">
        <Extended xmlns="" />
      </field>
      <field name="PasswordExpired" key="false" readonly="false" required="false" validator="boolean" id="1c1cabfd-2efb-4720-84c7-e8ba0fd09c6b">
        <Extended xmlns="" />
      </field>
      <field name="ExternalMailType" key="false" readonly="false" required="false" validator="string" id="a177f794-2395-461b-b2f7-03a22afdf7ab">
        <Extended xmlns="" />
      </field>
      <field name="EmailAddress" key="false" readonly="false" required="false" validator="string" id="a98935fc-b53d-4122-be9e-68e72a76324b">
        <Extended xmlns="" />
      </field>
      <field name="MessageGroupCode" key="false" readonly="false" required="false" validator="string" id="a4d1b16e-dbd9-453b-9ef9-fa206aac4f99">
        <Extended xmlns="" />
      </field>
    </entitySchema>
    <Extended>
      <apiSchema name="AQT_Output">
        <queries>
          <query queryId="LIFEHOUSESECUSER" />
        </queries>
        <attribute name="User_Id" target="User" />
        <attribute name="OS_User_Id" target="OsUserId" />
        <attribute name="User_Name" target="Name" />
        <attribute name="Person_Number" target="WamiKey" />
        <attribute name="User_Status" target="Status" />
        <attribute name="User_Password" target="Password" />
        <attribute name="Password_Expired_Flag" target="PasswordExpired" />
        <attribute name="Email_Address" target="EmailAddress" />
      </apiSchema>
    </Extended>
    <Groups />
    <Agents>
      <Agent id="fc40e36f-7431-4d7f-9654-ae1e34a4727f" type="Unify.Agent.Aurion" />
    </Agents>
  </connector>
  <getAllEntities />
  <polling />
</connectorconfiguration>

<AdapterConfiguration AdapterId="aeeff3fe-ea0a-4326-8f65-291419d2c66e" AdapterName="Aurion Sec Users" enabled="true" BaseConnectorId="34bfc0b6-1dd1-4254-80b0-53932487d505" class="sec_user" AdapterImportSettings="CoupledProcess">
  <dn template="CN=[User]" />
  <Groups />
</AdapterConfiguration>
User with invalid manager gets blocked permanently
It seems that the IDB Lite and IDaaS systems fail to handle the following scenario:
- Create a new account in chris21 and make the account's manager someone who does not and will not exist in AD.
- Let it sync and create the user; when it attempts to update the user's manager, it fails with the error that the manager could not be found.
- Now change the account's manager (mgrdetnumber) to someone who does exist in AD.
- The system will continue to resolve the previous manager and will permanently fail to update this user.
Workaround: Run a baseline operation against AD, this is a bad workaround because baselines can usually only be run over weekends.
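As an added example that is not part of the original post or of the IDB Lite, IDaaS or Identity Broker code, the following C# models a hypothetical sync step that reproduces the symptom above (a failed manager reference parked and retried verbatim after the source has been corrected) alongside a variant that rebuilds the update from the current source record on every cycle. The record types, identifiers and DN shape are constructed for the demo; `ManagerId` stands in for the mgrdetnumber attribute.

```csharp
// Added example (not Identity Broker, IDB Lite or IDaaS code): a hypothetical sync step that
// reproduces the symptom above, a failed manager reference that keeps being retried after the
// source has been corrected, next to a variant that re-reads the source record each cycle.
// Record types, identifiers and the DN shape are all constructed for the demo.
using System;
using System.Collections.Generic;
using System.Linq;

public class SourceUser { public string Id; public string ManagerId; }     // chris21-style record; ManagerId plays the mgrdetnumber role
public class DirectoryUser { public string Id; public string ManagerDn; }  // AD-style target object
public class PendingUpdate { public string UserId; public string ManagerId; }

public class ManagerSync
{
    readonly Dictionary<string, DirectoryUser> directory;
    // Retry queue of the buggy variant: the update as first resolved, keyed by user.
    readonly Dictionary<string, PendingUpdate> pending = new Dictionary<string, PendingUpdate>();
    public readonly List<string> Errors = new List<string>();

    public ManagerSync(IEnumerable<DirectoryUser> directoryUsers)
    {
        directory = directoryUsers.ToDictionary(u => u.Id);
    }

    // Buggy variant: once an update fails it is parked and retried verbatim, so a later
    // change to ManagerId in the source never replaces the parked (stale) value.
    public bool SyncWithStaleRetry(SourceUser user)
    {
        PendingUpdate update;
        if (!pending.TryGetValue(user.Id, out update))
            update = new PendingUpdate { UserId = user.Id, ManagerId = user.ManagerId };
        if (!TryApply(update))
        {
            pending[user.Id] = update;
            return false;
        }
        pending.Remove(user.Id);
        return true;
    }

    // Fixed variant: every cycle rebuilds the update from the current source record, so the
    // first cycle after the manager is corrected succeeds.
    public bool SyncWithReResolve(SourceUser user)
    {
        return TryApply(new PendingUpdate { UserId = user.Id, ManagerId = user.ManagerId });
    }

    bool TryApply(PendingUpdate update)
    {
        DirectoryUser target, manager;
        if (!directory.TryGetValue(update.UserId, out target))
        {
            Errors.Add("user " + update.UserId + " not found in directory");
            return false;
        }
        if (!directory.TryGetValue(update.ManagerId, out manager))
        {
            Errors.Add("manager " + update.ManagerId + " could not be found for " + update.UserId);
            return false;
        }
        target.ManagerDn = "CN=" + manager.Id + ",OU=Staff,DC=example,DC=test";   // constructed DN shape
        return true;
    }

    public string ManagerDnOf(string userId) { return directory[userId].ManagerDn; }
}

public static class StaleManagerDemo
{
    static List<DirectoryUser> NewDirectory()
    {
        // The new account already exists in the directory (step 2 above created it);
        // it is the manager update that fails.
        return new List<DirectoryUser>
        {
            new DirectoryUser { Id = "jsmith" },
            new DirectoryUser { Id = "mjones" },
        };
    }

    // Returns true if the manager update is applied once the source has been corrected.
    public static bool Run(bool reResolve)
    {
        var sync = new ManagerSync(NewDirectory());
        Func<SourceUser, bool> cycle = reResolve
            ? (Func<SourceUser, bool>)sync.SyncWithReResolve
            : sync.SyncWithStaleRetry;
        var user = new SourceUser { Id = "jsmith", ManagerId = "ghost" };   // manager that never exists in AD
        cycle(user);                   // cycle 1: fails, "ghost" not found
        user.ManagerId = "mjones";     // step 3 above: source corrected to an existing account
        return cycle(user);            // cycle 2
    }

    public static void Main()
    {
        Console.WriteLine("stale retry applied after correction: " + Run(false));
        Console.WriteLine("re-resolve applied after correction:  " + Run(true));
    }
}
```

`Run(false)` returns false and `Run(true)` returns true: the parked update still names "ghost" on the second cycle, whereas rebuilding it from the source record picks up "mjones". A baseline run clears the symptom because it discards the parked state and re-reads every source record, which is exactly what the re-resolving variant does on every cycle without the weekend-only window.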