Background

• On number of occasions, when using claims authentication, Trusted provider bases its authentication on Active Directory LDS.

• In these cases, profile  data from LDS needs to be imported into SharePoint

Design

SharePoint 2010 supports synchronization , offers mechanism to integrate with different directory services like Active Directory Domain Services, SunOne, Novell directory etc. But out of the box there is no support for synchronizing user profiles with Active Directory Light Directory Services (AD LDS). Hence in scenarios where it is necessary to synchronize with AD LDS, it is recommended to make use of LDIFDE utility (available with Windows 2008 server OS) to extract the profile attributes into flat file and then follow the process as documented in Configure profile synchronization using a Lightweight Directory Interchange Format (LDIF) file (SharePoint Server 2010) - http://technet.microsoft.com/en-us/library/ff959234.aspx

Integration Design and Process

Listed below are the high level details associated with the profile synchronization process

Potential Issue

• Once imported,  these profiles need to be linked up with individual users logging into SharePoint using configured Tursted Identity Provider. If this link is absent, then SharePoint ends up creating another profile based on data of the logged user (this contains nothing but the account name)

Requirement

• One profile per user should exist in SharePoint (not multiple)

Resolution

• My colleague Bryan Porter is the one who pointed me to the solution (noted in his blog http://blogs.msdn.com/b/brporter/archive/2010/07/19/trusted-identity-providers-amp-user-profile-synchronization.aspx). This blog talks about how to link profile data coming from Active Directory.
• For linking profiles coming from LDS, listed below are the values which need to be hard coded in ForeFront Identity Manager.