Identity Broker for Microsoft SharePoint Use Cases

Overview

Identity Broker for Microsoft SharePoint enables a number of operations for managing human resource data. In addition to Create, Read, Update and Delete (CRUD) operations for user profiles, lists, and organization profiles, the following can be achieved:

  • Removes need for Active Directory synchronization
  • Multi-forest domain synchronization
  • Automation of the user profile migration process
  • Support for SharePoint's dynamic schema
  • Bidirectional SharePoint flows
  • Membership resolution 

Removes need for Active Directory synchronization

The built-in Active Directory synchronization mechanism has two limitations: it runs only on a schedule, and it requires every SharePoint attribute to be mapped to a source directory attribute. Identity Broker for Microsoft SharePoint enables more immediate updates through its ability to poll for changes (a much more lightweight operation) and gives the identity management solution direct control of SharePoint attributes. More information is available below.

Multi-forest domain synchronization

Users from multiple forests can be synchronized to a single SharePoint instance, because the synchronization is not bound to the built-in Active Directory synchronization platform.

Automation of the user profile migration process

When SharePoint account names change, the user profile connectors immediately perform the profile migration that would otherwise have to be performed manually. See http://technet.microsoft.com/en-us/library/cc262141(v=office.12).aspx for more information.

Support for SharePoint's dynamic schema

The SharePoint connectors are able to support the various value types present in SharePoint, as well as easily incorporate updates to the schema through the use of schema providers.

Bidirectional SharePoint flows

Where other mechanisms for SharePoint synchronization are one-way only, Identity Broker for Microsoft SharePoint enables data to flow back into the identity management system, allowing white pages functionality and SharePoint to be authoritative for certain fields.

Membership resolution

Prior to v5.0, composite adapters were required for SharePoint membership resolution. With Identity Broker acting as an LDAP server, this is no longer the case, and entities across adapters can be resolved by the identity management system.

Advantages over Active Directory Synchronization

One of the most commonly asked questions of Identity Broker for Microsoft SharePoint is:

Why would I use this when SharePoint 2007/2010 has Active Directory synchronisation?

In order to address this question, it is first important to understand what SharePoint offers out of the box.

  • SharePoint 2007 (MOSS) has a synchronisation engine with Active Directory.
    • This engine is one way only. That is to say, it can only source data from Active Directory for use in SharePoint user profiles. SharePoint user profile data cannot be self-service.
    • The engine is a heavyweight process and can only run as a scheduled service.
    • The engine does not allow for migration of User Profiles. This is a very common issue with SharePoint.
  • SharePoint 2010 allows the use of a cut-down version of Forefront Identity Manager (FIM) for user profile synchronisation.
    • This is only for use with SharePoint 2010 to synchronise against Active Directory, and cannot be used as part of a larger identity management system.
    • This still has the User Profile migration issue of SharePoint 2007.
    • It does not allow for management of the Organization Profiles which have been added to SharePoint 2010.
    • It is still only a scheduled service.

Identity Broker for Microsoft SharePoint has the following benefits:

  • It allows for full integration across all enterprise systems using a centralised identity management platform.
  • It is fully bi-directional, allowing SharePoint to be the source of identity information for certain attributes.
  • It permits provisioning, synchronisation and de-provisioning of all user profile information, in a manner congruent with the timing of the identity management solution. As such, if the identity management solution is real-time, due to regulatory or auditing requirements, SharePoint can be kept compliant in real-time.
  • It deals with the user profile migration issue in a controlled manner by automatically handling a change of profile name using business rules defined in the central identity management system, requiring no administration.
  • It handles multi-forest domain user synchronisation.
  • It allows Organization Profiles to be managed in SharePoint 2010, so that organisation and group management can be sourced directly from HR systems. This simplifies maintenance of the organisation structure.
  • It reduces the cost of SharePoint administration by automating many SharePoint user profile processes through the centralised identity management system.
  • It permits SharePoint to act as part of a workflow system through the identity management platform.
  • It is supported by the knowledge gained from UNIFY Solutions' experience of identity management in large, highly-regulated enterprises.
