Release notes - IBM Security Verify Governance Adapter 10.0.2 for SharePoint Server

IBM Security Verify Governance Adapter 10.0.2 for SharePoint Server is available. Compatibility, installation, and other getting-started issues are addressed.

Copyright International Business Machines Corporation 2003, 2023. All rights reserved.
US Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. 


Preface

Welcome to the IBM Security Verify Governance Adapter for SharePoint.

These Release Notes contain information for the following products that was not available when the IBM Security Verify Governance manuals were printed:

 

Adapter Features and Purpose

The SharePoint Adapter is designed to create and manage user accounts on the SharePoint platform. The adapter runs in "agentless" mode and communicates using the HTTP/S and LDAP protocols. The SharePoint adapter supports stand-alone and Active Directory backed user registries. Other user registries supported by SharePoint have not been tested.

The IBM Security Verify Governance Adapters are powerful tools that require administrator-level authority. Adapters operate much like a human system administrator, creating accounts, permissions and home directories. Operations requested from IBM Security Verify Governance and IBM Security Verify Governance Identity Manager will fail if the adapter is not given sufficient authority to perform the requested task.

License Agreement

 

Review and agree to the terms of the IBM Security Verify Governance License prior to using this product.

The license can be viewed from the "license" folder included in the product package.

 

Contents of this Release

Adapter Version

  Component             Version
  --------------------  --------------------------------------------------
  Build Date            2023 March 08 21.14.41
  Adapter Version       10.0.2
  Component Versions    Adapter build: 10.0.2.1
                        Profile: 10.0.2.1
                        Connector: 10.0.2.1
                        Dispatcher 7.1.39 or higher (packaged separately)

Documentation

The following guides are available in the IBM Security Verify Governance Adapters Knowledge Center:

       Microsoft SharePoint Adapter Installation and Configuration Guide

New Features

  Internal #              Enhancement # (RFE / Idea)    Description
  ----------------------  ----------------------------  ------------------------------------------------

  Items included in current release (10.0.2)

  None

  Items included in release (10.0.1)

  RTC 187957              RFE 139882 (60930)            SharePoint Online Adapter
                          RFE 131322 (58088)            SharePoint for O365

  Items included in release (7.1.9)

  Bug 2963                TS002370664                   SharePoint Integration with IGI and ISAM
                          RFE 134608 (59299)            Note: For configuration details, see
                                                        SharePoint Site Configuration

  Items included in release (7.1.8)

  None

  Items included in release (7.1.7)

  None

  Release v7.1.6

  RTC 154248                                            SharePoint Server 2016 Support
  Bug 2848 / RTC 182719                                 NTLM Authentication Support
                                                        SharePoint - SDI HTTP Client connector with
                                                        NTLM authentication

  Note: NTLM authentication support requires one of the following SDI fixes:

      7.1.1 LAIF 41: http://www.ibm.com/support/docview.wss?uid=ibm10878657
      7.2.0 LAIF 20: http://www.ibm.com/support/docview.wss?uid=ibm10878456

      Direct Fix Central links:

      7.1.1 Limited Availability Interim Fix 41: https://ibm.biz/Bd2NeZ
      7.2.0 Limited Availability Interim Fix 20: https://ibm.biz/Bd2Ne2

  Release v7.1.5

  Add support for IGI 5.2.2

  This adapter is now designed for use with IBM Security Identity Manager, IBM Security Privileged Identity Manager, IBM Security Identity Governance and Intelligence, IBM Security Verify Identity and IBM Security Verify Governance.

 

Closed Issues

  Internal #              APAR # / Case #   Description
  ----------------------  ----------------  ------------------------------------------------------

  Items closed in current release (10.0.2)

  RTC 191058 / Bug 3975   TS010849873       ISVG SharePoint Adapter to communicate with SharePoint
                                            Online. (Refer to the "Configuring SharePoint Online for
                                            Adapter" section of the SharePoint Adapter Installation
                                            and Configuration Guide)
  RTC 191022 / Bug 3953   TS010506380       Recon failing for SharePoint host named site collection.
                                            (Refer to the "Configuring Adapter with Host Named Site
                                            Collection" section of the SharePoint Adapter
                                            Installation and Configuration Guide)
  RTC 190897 / Bug 3853   TS009402430       Integrate with SharePoint host-named site collections.
                                            (Refer to the "Configuring Adapter with Host Named Site
                                            Collection" section of the SharePoint Adapter
                                            Installation and Configuration Guide)

  Items closed in release (10.0.1)

  Bug 3346                TS004215315       IGI does not add user to the SharePoint group

  Items closed in 7.1.9 release

  None

  Items closed in 7.1.8 release

  Bug 3015                TS002574599       SharePoint server error
  Bug 3072                TS002851426       Filtering does not work on SharePoint adapter 6.0.7

  Items closed in 7.1.7 release

  Bug 2892                IJ16315           TS002574599 / SharePoint recon failed with "'decoded'
  RTC 183800                                is null". erSPGroupList attribute in the SharePoint
  RTC 184352                                Adapter definition should be treated as a permission
                                            (Bug 2892, APAR IJ16315)

  Release v7.1.6

  RTC 155612                                Added TDI 7.1.1 FP5 and SDI 7.2 support
  Bugz 2272                                 SharePoint Adapter recon user and add user problem

 

Known Limitations

  Internal #   APAR #   Case # / Description
  -----------  -------  ----------------------------------------------------------------------

  Internal     NA       The information about SharePoint authentication modes/providers is
                        stored in a configuration file. The adapter reads this file and
                        reconciles the list of authentication providers as supporting data.
                        For details of this file, see the topic "Configuring authentication
                        providers" in the SharePoint adapter's Installation and Configuration
                        Guide.

                        With the 7.1.9 release of the adapter, the adapter profile has been
                        updated to expose these SharePoint authentication modes as a support
                        data list on IGI. The authentication mode value can be selected from
                        the list.

                        This change works on IGI 5.2.5 and later versions.

                        For IGI 5.2.4 and earlier versions there is a text box for the
                        authentication mode attribute (erspdomain); the values are not listed.
                        To overcome this, when assigning a value to this attribute, use the
                        authentication mode's prefix value from the configuration file, for
                        example:

                            "i:0#.w|EXAMPLEDOMAIN"
                            "i:0#.f|SomeMembershipProvider|"

  Internal     NA       With the 7.1.7 release of the adapter, the adapter profile has been
                        updated to expose SharePoint groups as permissions in IGI. This update
                        exposes a situation in the IGI product when a user requests a
                        permission and the user does not have an account on SharePoint: IGI
                        generates two out events, create the SharePoint account and assign the
                        permission to the account. Since group membership is a required
                        attribute on the account, the account creation fails.

                        To overcome this situation, follow these steps:

                        1) Identify a group on SharePoint that can be assigned to all users.
                           A special group can be created for this purpose only.
                        2) During account configuration of the SharePoint application,
                           include the erSPGroupList attribute.
                        3) Set a default value for the erSPGroupList attribute and verify
                           that each account create request includes a value for the
                           erSPGroupList attribute.

  Internal     N/A      The SharePoint UserGroup web service does not provide the same
                        function as the SharePoint GUI. As a result, some features that are
                        available through the SharePoint GUI are not available through the
                        SharePoint web service.

  Internal     N/A      If two users have the same user name in different domains, the
                        reconciliation returns only one of them. For example, the
                        Administrator account exists both for the SharePoint server and for
                        the Active Directory domain; only one of these accounts is returned
                        to Identity Manager.
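A small added check for the last limitation (example code, not part of the release notes or of the adapter): it decodes login names in the claims-encoded forms whose prefixes are shown above, plus classic DOMAIN\user logins, and lists user names that occur under more than one domain or provider, so an administrator can see which accounts reconciliation will silently drop. The sample reconciliation data is constructed.

```python
"""Added example (not part of the IBM release notes or the adapter code).
Parses SharePoint login names in the claims-encoded forms whose prefixes are
shown above ("i:0#.w|DOMAIN" Windows, "i:0#.f|Provider|" forms) and in classic
DOMAIN\\user form, then reports user names present under more than one
domain/provider, of which reconciliation returns only one. Sample is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

@dataclass(frozen=True)
class SPLogin:
    issuer: str    # "windows", "forms" or "classic" (no claims prefix)
    provider: str  # Windows domain or membership provider name, lower-cased
    user: str      # bare user name, lower-cased for comparison

def parse_login(login: str) -> SPLogin:
    """Parse a claims-encoded ("i:0#.<issuer>|...") or classic SharePoint login."""
    if login.startswith("i:0#."):
        # Layout: i:0#.<issuer code>|<issuer-specific part>
        if len(login) < 8 or login[6] != "|":
            raise ValueError(f"malformed claims login: {login!r}")
        issuer_code, rest = login[5], login[7:]
        if issuer_code == "w":
            # Windows authentication: i:0#.w|DOMAIN\user
            domain, sep, user = rest.partition("\\")
            if not sep or not user:
                raise ValueError(f"expected DOMAIN\\user after prefix: {login!r}")
            return SPLogin("windows", domain.lower(), user.lower())
        if issuer_code == "f":
            # Forms-based authentication: i:0#.f|MembershipProvider|user
            provider, sep, user = rest.partition("|")
            if not sep or not user:
                raise ValueError(f"expected Provider|user after prefix: {login!r}")
            return SPLogin("forms", provider.lower(), user.lower())
        raise ValueError(f"unsupported issuer code {issuer_code!r}: {login!r}")
    # Classic mode: DOMAIN\user, or a bare name for a local server account
    domain, sep, user = login.partition("\\")
    if not sep:
        return SPLogin("classic", "", domain.lower())
    return SPLogin("classic", domain.lower(), user.lower())

def find_collisions(logins: Iterable[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Map each bare user name that appears under more than one (issuer, provider)
    pair to the sorted list of those pairs; reconciliation returns only one of
    the accounts behind each such name."""
    seen: Dict[str, set] = defaultdict(set)
    for raw in logins:
        parsed = parse_login(raw)
        seen[parsed.user].add((parsed.issuer, parsed.provider))
    return {user: sorted(pairs) for user, pairs in seen.items() if len(pairs) > 1}

# Constructed sample of reconciled login names: the domain Administrator and the
# SharePoint server's own Administrator collide, as in the limitation above.
SAMPLE_RECON = [
    "i:0#.w|EXAMPLEDOMAIN\\Administrator",
    "i:0#.w|SPSERVER01\\Administrator",
    "i:0#.w|EXAMPLEDOMAIN\\jdoe",
    "i:0#.f|SomeMembershipProvider|asmith",
]
```

Running `find_collisions(SAMPLE_RECON)` reports `administrator` under both `exampledomain` and `spserver01`, which is exactly the pair of accounts of which only one is reconciled.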

 

Installation and Configuration Notes

See the Installation Guide for IBM Security Verify Governance SharePoint adapter for detailed instructions.

Corrections to Installation guide:

  Chapter 1: Overview

      No updates for the current release

  Chapter 2: Planning

      Prerequisites:

          Consult the release notes for the currently supported versions of the products below.

          Directory Integrator:
              Remove "IBM Security Directory Integrator Version 7.1.1 + 7.1.1-TIV-TDI-FP0004 + 7.2.0-ISS-SDI-LA0008 and Version 7.2" from the description.

          Identity server / Verify Governance Server:
              Update the description as below:
                  The following servers are supported:
                  - IBM Security Verify Governance Identity Manager
                  - IBM Security Verify Governance

          Microsoft SharePoint Server:
              Remove the description.

  Chapter 3: Installing

      Configuring authentication providers

          SharePoint Site Configuration

              Add the note below at the end of the content:

              Note: Basic Authentication sends credentials in clear text; it is highly recommended to configure the Adapter to communicate with SharePoint over Secure Sockets Layer (SSL) to protect the credentials.

      Installing ILMT-Tags File

          Before you begin:
              The Dispatcher must be installed.

          Procedure:
              Copy the files from the ILMT-Tags folder to the specified location:
              1. Windows: <SDI-HOME>\swidtag
              2. Unix/Linux: <SDI-HOME>/swidtag

 

Chapter 4: Upgrading

             No updates for the current release

 

Chapter 5: Configuring

      Enabling TLSv1.2 in Security Directory Integrator

          Procedure:

          1. Apply recommended fix packs and limited availability (LA) versions on the Security Directory Integrator. See Recommended fixes for IBM Tivoli Directory Integrator (TDI) & IBM Security Directory Integrator (SDI).

          2. After applying the appropriate updates, modify the /solution.properties file by appending the following text to the bottom of the file:

              #####################
              # # Protocols to enforce SSL protocols in a SDI Server
              # # Optional values for com.ibm.di.SSL* property (TLSv1, TLSv1.1, TLSv1.2).
              # # This can be a multi-valued comma separated property
              # # Optional values for com.ibm.jsse2.overrideDefaultProtocol property (SSL_TLSv2, TLSv1, TLSv11, TLSv12).
              # # This is a single value property.
              #####################
              com.ibm.di.SSLProtocols=TLSv1,TLSv1.1,TLSv1.2
              com.ibm.di.SSLServerProtocols=TLSv1,TLSv1.1,TLSv1.2
              com.ibm.jsse2.overrideDefaultProtocol=TLSv1
              com.ibm.jsse2.overrideDefaultTLS=true
              #####################
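Because Java properties files keep the last value of a repeated key, appending the block above overrides any earlier com.ibm.di.SSL* settings in the file; the following added example (not from the release notes or from SDI) reads a solution.properties the same way and verifies that TLSv1.2 ended up enabled. The embedded file content is constructed.

```python
"""Added example, not part of the IBM release notes or of SDI itself: reads
solution.properties the way Java properties are read (last occurrence of a key
wins, '#' and '!' lines are comments) and checks that the TLSv1.2 settings from
the procedure above are in effect. The file content below is constructed."""
from typing import Dict, List

# Constructed sample: an existing file with older values, plus the block from
# the release notes appended to the bottom as step 2 instructs.
SAMPLE_PROPERTIES = """\
# existing settings
com.ibm.di.SSLProtocols=TLSv1
com.ibm.di.SSLServerProtocols=TLSv1
#####################
# # Protocols to enforce SSL protocols in a SDI Server
#####################
com.ibm.di.SSLProtocols=TLSv1,TLSv1.1,TLSv1.2
com.ibm.di.SSLServerProtocols=TLSv1,TLSv1.1,TLSv1.2
com.ibm.jsse2.overrideDefaultProtocol=TLSv1
com.ibm.jsse2.overrideDefaultTLS=true
"""

def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value or key:value, comments,
    backslash line continuations; a repeated key keeps its last value."""
    props: Dict[str, str] = {}
    pending = ""                      # accumulated text of a continued line
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):       # continuation: join with the next line
            pending = line[:-1]
            continue
        for i, ch in enumerate(line):
            if ch in "=:":
                key, value = line[:i].strip(), line[i + 1:].strip()
                break
        else:
            key, value = line, ""     # key with no value
        props[key] = value
    return props

def protocol_list(props: Dict[str, str], key: str) -> List[str]:
    """Split a comma-separated protocol property into its values."""
    return [p.strip() for p in props.get(key, "").split(",") if p.strip()]

def check_tls12(props: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means the documented settings are present."""
    findings = []
    for key in ("com.ibm.di.SSLProtocols", "com.ibm.di.SSLServerProtocols"):
        if "TLSv1.2" not in protocol_list(props, key):
            findings.append(f"{key} does not include TLSv1.2")
    if props.get("com.ibm.jsse2.overrideDefaultTLS", "").lower() != "true":
        findings.append("com.ibm.jsse2.overrideDefaultTLS is not true")
    if not props.get("com.ibm.jsse2.overrideDefaultProtocol"):
        findings.append("com.ibm.jsse2.overrideDefaultProtocol is not set")
    return findings
```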

 

      Configuring SharePoint Online for Adapter

          To configure the adapter with SharePoint Online, a Client ID and Secret need to be generated, and appropriate permissions must be granted to the Client ID. The steps to generate a Client ID and Secret with the proper permissions are:

          1. Register the site as an app using the URL below. This generates the Client ID and Secret:

              https://<orgName>.sharepoint.com/_layouts/15/appregnew.aspx

          2. Grant tenant-scope permission to the Client ID generated in Step 1: open the URL below, enter the Client ID from Step 1 in the Lookup, and supply the permission XML that follows.

              URL: https://<orgName>-admin.sharepoint.com/_layouts/15/appinv.aspx

              Permission XML:

                  <AppPermissionRequests AllowAppOnlyPolicy="true">
                      <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
                  </AppPermissionRequests>

          3. Configure the SharePoint Adapter using the Client ID and Secret from Step 1.

          4. After completing the above steps, if the error below is encountered during reconciliation, execute steps 5 through 7:

              {"error":"invalid_request","error_description":"Token type is not allowed."}

          5. Install the SharePoint Online module using PowerShell:

              Install-Module -Name Microsoft.Online.SharePoint.PowerShell

          6. Connect to the SharePoint admin site using the command below in PowerShell; when prompted for credentials, provide SharePoint Online Administrator credentials:

              Connect-SPOService -Url https://<orgName>-admin.sharepoint.com

          7. After the session from Step 6 is established, run the command below in PowerShell to enable the Azure Access Control (ACS) app-only feature. Note that this is a tenant-wide setting:

              Set-SPOTenant -DisableCustomAppAuthentication $false

 

      Configuring Adapter with Host Named Site Collection

          To configure the adapter with a Host Named Site Collection for a SharePoint on-premises target, the following configuration needs to be set in the SharePoint Adapter Service form:

          SharePoint Adapter Service Form Attributes                  Expected values
          ----------------------------------------------------------  -------------------------------------------------
          Sharepoint hostname / Site URL                              DNS host name of the host named site collection
          Admin Login / Client ID                                     DOMAIN_NAME\ADMIN_USER_ID
          Admin Password / Client Secret                              Admin password
          Sharepoint port (On-prem only)                              Host named site collection port number
          SharePoint On-premises / SharePoint Online                  OnPrem Claims-Based Authentication or
                                                                      OnPrem Windows Classic Mode Authentication,
                                                                      depending on the authentication mode
          Authentication Provider Configuration File (On-prem only)   Path to configuration file

 

 

             Customizing the adapter

                          The adapters can be customized or extended or both. The type and method of this customization varies depending on the adapter.

                          Customizing and extending adapters requires a number of skills. The developer must be familiar with the following concepts and skills:

 

                          - IBM Security Verify Governance Identity Manager administration

                          - IBM Security Verify Governance administration

                          - IBM Security Directory Integrator management

                          - Security Directory Integrator Assembly Line development

                          - LDAP schema management

                          - Working knowledge of Java scripting language

                          - Working knowledge of LDAP object classes and attributes

                          - Working knowledge of XML document structure

 

                          Note: If the customization requires a new Security Directory Integrator connector, the developer must also be familiar with Security Directory Integrator connector development and working knowledge of Java programming language.

 

                          Support for custom adapters

                                         The integration to IBM Security Verify Governance servers "the adapter framework" is supported. However, IBM does not support the customizations, scripts, or other modifications. If you experience a problem with a customized adapter, IBM Support may require the problem to be demonstrated on the GA version of the adapter before a PMR is opened.

 

Chapter 6: Troubleshooting

      Enabling DEBUG Logs on SDI Server

          Procedure:

          1. Stop the SDI Server process.

          Pre-7.2.0-ISS-SDI-FP0008:

          2. Edit <SDI_Solution_Directory>/etc/log4j.properties
          3. Modify the following line:

                 log4j.rootCategory=INFO, Default

             to

                 log4j.rootCategory=DEBUG, Default

          Post-7.2.0-ISS-SDI-FP0008:

          2. Edit <SDI_Solution_Directory>/etc/log4j2.xml
          3. Modify the following line:

                 <Root level="info">

             to

                 <Root level="debug">

          4. Start the SDI Server process.
          5. Re-create the problem and collect <SDI_Solution_Dir>/logs/ibmdi.log

  

 

Chapter 7: Reference

             No updates for the current release 

 

Supported Configurations

Installation Platform

The IBM Security Verify Governance SharePoint Adapter was built and tested on the following product versions.

Adapter Installation Platform: 

Due to continuous Java security updates that may be applied to your ISVG or ISVGIM servers, the following SDI releases are the officially supported versions:

Note: Earlier supported SDI versions may function properly; however, to resolve any communication errors, you must upgrade your SDI release to the versions officially supported by the adapter.

For NTLM authentication use:

        7.2.0 LAIF 20: http://www.ibm.com/support/docview.wss?uid=ibm10878456

        Direct Fix Central link:

        7.2.0 Limited Availability Interim Fix 20: https://ibm.biz/Bd2Ne2

 

Managed Resource:

        SharePoint Server 2016

        SharePoint Online 

 

IBM Security Verify Governance Servers:

IBM Security Verify Governance Identity Manager v10.0

IBM Security Verify Governance v10.0

 

Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing

IBM Corporation

North Castle Drive

Armonk, NY  10504-1785 U.S.A.

 

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing

Legal and Intellectual Property Law

IBM Japan, Ltd.

1623-14, Shimotsuruma, Yamato-shi

Kanagawa 242-8502 Japan

 

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged should contact:

IBM Corporation

2ZA4/101

11400 Burnet Road

Austin, TX 78758 U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

 

Trademarks

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.