Identity Broker for chris21, how to configure the connector configuration for attribute containing binary data (photo), validator="binary"

Hi Shane,
Would you be able to help passing this question to the appropriate person to answer the question please.

Thank you.

Hi Shane,

Yes, there is a "binary" validator, however the chris21 connector does not support binary fields. I don't know why this is, and the original developer and expert is no longer available, but there's probably a good reason for it. As such, I suggest we proceed as follows:

1. Supply us with the form/field information for the photo data. It may be that the field is not accessible by the API, which would render any possible effort from us useless.
2. If the field is accessible, you could potentially configure it as a string in the connector, and convert it to/from binary data in your FIM extension before the field reaches the metaverse.
3. If that is not possible (or desirable), we could provide a new version of the connector that does support the binary type, but I would consider this a last resort - as I said, there's probably a reason it doesn't support it now and it will be difficult for us to test with the resources we currently have available.

Thanks Johannessen, much appreciate your answer and suggestion for possible approaches to resolve this.

For point #1 from Johanessen's comment above, the following email is sent to Anthony Miller (Tatts Group)

Hi Anthony,

Could you please help to provide us the chris21’s form/field information for the photo data for further investigation/analysis whether Identity Broker for chris21 can support binary data. A small sample data export from chris21 would be great.

Thank you.

Shane Lim

For point #2 from Johanessen's comment above, it seems that it is possible and probably the most quickest approach. See How to: Convert Attribute Value Types.

Point #3 will only be considered as a last resort.

I did some online earch into what are the attributes in AD that normally use to store photo image (binary data).

Apparently the following two AD attributes can be used:

• photo
• jpegPhoto

From what indicated the jpegPhoto attribute can be used to render the image in Outlook 2010 and Sharepoint. See the following articles for further details.

• Photos in Active Directory
• The thumbnailPhoto Active Directory Attribute Explained

Is this still and active question or should it be closed?

Still active.

I am awaiting follow up with Tatts Group. Anthony was sick and has not respond to my other emails.

Shane Day suggested that I may pass this back to Product Group to take this question to Frontier for assistant in understand how binary data is included in chris21 GRT forms, which field that can hold binary data and how to extract it.

I am hanging on to it now until I get a chance to follow up with Anthony again. Hopefully soon.

Sent follow up email to Anthony

Hi Anthony,

I would like to follow up on binary data in chris21.

As I have discussed with you previously, Identity Broker for chris21 currently is not support importing binary data flow from chris21.
Thus to be able to extract the binary data from chris21 into Identity Broker for chris21 and flow it through FIM and finally to AD we will need to do some feasibility study.
In order for us to do the feasibility study we need you assist is with the following:

• Provide us the chris21 Form and field/attribute that is used to store this binary data (photo)
• Provide us detailed instruction on how to input/import the binary data (photo) into chris21 field/attribute
• A sample of this binary data exported from chris21.

Note: If the field/attribute is not part of a chris21 Form we cannot extract the data.

Regards,

Shane Lim

I have performed investigation into how a photo file may be input/imported into a chris21 field.
It seems the photo can only be inserted as an attachment to chris21 user record. The attachment is not part of a particularly chris21 forms that Identity Broker for chris21 uses to extract data from.

Thus based on this it seems that we cannot extract this particularly data from chri21 into Identity Broker for chris21.

Here is another thought - I am curious as to whether Tatts Group is willing to place the photo file on a shared server such that it can be shared between the chris21, FIM and AD and only the shared filename is needed to be flow.

Research more into how photo is import and stored in AD and displayed in Outlook. Perhaps if we can have a photo filename on a file shared server and if we are be able to write code custom code to invoke cmdlet through FIM to import the photo from the file shared server into AD, then this could be a possible solution.

Apparently to display the photo in outlook (it requires Exchange Server 2010 and Outlook 2010) it required that the image is uploaded into thumbnailPhoto attribute in AD.

Now you can start uploading pictures to Active Directory using the Import-RecipientDataProperty cmdlet, as shown in this example:
http://blogs.technet.com/b/exchange/archive/2010/03/10/3409495.aspx

Import-RecipientDataProperty -Identity "Bharat Suneja" -Picture -FileData ([Byte[]]$(Get-Content -Path "C:\pictures\BharatSuneja.jpg" -Encoding Byte -ReadCount 0))

There is also VB script for performing the importing see (NB: The VB script is in the comment/feedback section)
http://blogs.technet.com/b/exchange/archive/2010/03/10/3409495.aspx

However, at this point I believe this is not something that we would want to spend time pursuing for a once-off requirement which is not yet being purchased.

Anthony response to my follow up.

Hi Shane

Thanks for the followup – I was off work all of last week.

I have sought information from our HR team on the first two points below. For the third point, a sample of the data exported seems to be the goal of the Unify feasibility study so while I understand what you’re asking, it sounds like we are being asked to investigate the Unify product.

Thanks,
Anthony

Responding to Anthony email

Hi Anthony,

My apologies for interrupting your leave.

The information we have requested are the information necessary for us to perform feasibility of our product in regarding to extracting binary data from chris21 and flow it to AD. Without the assistant from you to provide us the necessary information we cannot proceed with the feasibility study. The feasibility investigation will be based on our time, not charge to Tatts Group.

Thank you.

Shane Lim

Followed up with Anthony Miller by phone (since there is no response yet by email).

Anthony did not fully understand my request for information and sample data. Thus I explained to him again.
He said he will pass on the request to HR team to obtain the information as requested.

I also explained to Anthony that since I have spent significant time investigating the feasibiliy of extracting binary (photo) data from chris21 and flow it to AD (for use in SharedPoint), once the requested information provided to us we may require that Tatts Group to commit with purchasing this IdM solution extension in order for us to continue with the feasibility study.

As expected, the photo filename is available as an attachment to the DET FORM in chris21. See attached document, "To add images to CHRIS21.doc" for further details.

Since Identity Broker for chris21 can only support extracting data that is on a FORM, it will not be able to extract the attachment file. In addition, the attachment itself if referencing the filename, not actually storing the binary data of the file itself.

Thus conclusion is that the binary data (photo file) cannot be extract by Identity Broker for chris21 and pass into FIM.

Hi Shane,

Please confirm that you are happy for me to communicate back to Tatts Group that we cannot extract the photo file as binary data from chris21 and flow it into FIM and then to AD. For the reason please see my summary in the comment I made on 15/08/2011.

Adam, are you satisfied with Shane's analysis?

As Shane Lim mentions, the standard API would not be capable of performing this function.

I see the following possibilities:

1. Customise the solution to retrieve the file from the file name.
2. Create a new IValue data type.
3. Create a custom version of chris21 that retrieves the file.

The custom logic solution would make the most sense, but the viability of this option is something I couldn't comment on.

The custom data type would not be available until IdB v4 and only if it would be of value elsewhere (unlikely).

The customised version of chris21 would be difficult and most likely require Identity Broker be on the same machine as chris21 and will make maintenance of the connector very difficult.

Before Shane goes back to the client, I'd like to have a discussion about what we can talk to Frontier about. I'd like to have a sensible answer first, instead of just a no.

How the photo file is attached to the DET form.

After discussion with Shane and reading through this issue, it has been determined that the Product Group will arrange a meeting with Frontier to determine the correct course of action.

Hi Shane,

I have received correspondence from Frontier suggesting that the image can indeed be retrieved via the API.

This is by no means a guarantee that it will work for our purposes, but is something we will be looking at including in a future version of the product if possible.

I have created IDBCHRS-29 for this issue.

Thanks.

Hi Adam,

As Tatts Group made enquiry in regarding to this requirement would you be able to advise me when IDBCHRS-29 it may become available?

Basically, do you have a recommend response to the customer?
Is there any particular condition/agreement that the custom must make? Eg They will need to go ahead order for this functionality if we are to commence immediately, what is the estimate cost to them etc.

Or we could say simply it is not supported at this point in time and will look to include this in the next release version of the product, estimate release time is currently not available.

Thank you.

Hi Adam,

Sorry I just noticed that IDBCHRS-29 is marked for version 4.0.

Is there currently an ETA for version 4.0 to be released?

IdB v4 and chris ²¹ v4 are quite some time off.

There is the possibility of base64 encoding the image and storing it as a string in IdB. With the identity management solution converting the string to a binary. All this would require is a new version of Identity Broker for chris ²¹.

As I mentioned before, there is no guarantee that the API will work for our purposes, and a POC will have to be developed first.

Does this sound like a more attractive option than waiting for IdB v4.0?

Hi Adam,

A version new of Identity Broker for chris21 certainly sound better than waiting for IdB v4.0.
But it come down to when it might be available and what the effort would be to make the appropriate decision.
Would you be able to provide estimate what the effort would be?
I need these information to in order to get back to Shane Day and the customer.

Thank you in advance for your time and help.

Hi Shane,

I have not yet heard back from Frontier. Without seeing the sample code, it will be difficult to estimate the effort required. And that is if it will even be suitable for our needs.

Thanks Adam. I'll get Shane Day's input on how to move further with this.

Hi Shane,

Based on response from Adam and my further queries on this subject starting from 25/08/2011. If you could review and advise us the most approach to move forward and the response I should provide to Tatts Group.

Thank you.

Shane,

The feedback to give to Tatts Group is the following:

UNIFY has discussed the feature request with Frontier, and the assessment is that the request is functionally possible.

We are currently undergoing a non-functional requirement assessment, including considerations such as performance, in order to determine if we will implement the feature, and if feasible to schedule when such a feature will be included in the road-map of Identity Broker for Frontier chris²¹. Once this assessment has been undertaken, we will advise Tatts Group of the outcome and the schedule for implementation.

UNIFY Solutions actively encourages a collaborative ecosystem for its Broker suite of products, and as Tatts Group have a maintenance subscription, we invite them to participate directly in the collaborative effort. As discussed in previous meetings, we would be happy to provision access to our knowledge and issue management system to two representatives from Tatts Group, and open up access to up-to-date documentation of our products and allow them to track progress of our assessment of this feature request.

If you would like me to send this off to them, please let me know.

Thank you very much Shane. Much appreciated. I will pass this on to Anthony Millers.

This functionality is not yet available thus it not fixed.

Customer has been informed.

Closed.