TFS Integration Platform - “EnableValidation” does it make more sense?

  • Article

This is one of the very last TFS Integration Platform “documentation” posts, because the latest product contains detailed documentation and the next major release will include consolidated documentation containing product documentation, guidance and the readiness package. In future we will drill down on new or special features, in favour of documenting the product overall as in the past.

EnableValidation … replacing the confusing UserIdLookupEnabled attribute

What is the Lookup Service? Q&A-27 Errata 1 and What is the Lookup Service? Q&A-27 are two related posts, both focusing on the Lookup Service.

Looking at the first line in the configuration extract below we notice the UserIdLookupEnabled and EnableValidation attributes. The former is deprecated, no longer supported and replaced with EnableValidation. The schema change is intended to give the attribute a more meaningful name.

    1: <UserIdentityMappings UserIdLookupEnabled="false" EnableValidation="false">
    2:   <UserIdentityLookupAddins>
    3:     <UserIdentityLookupAddin>CDDE6B6B-72FC-43b6-BBD1-B8A89A788C6F</UserIdentityLookupAddin> 
    4:   </UserIdentityLookupAddins>
    5:   <AliasMappings DirectionOfMapping="LeftToRight">
    6:     <AliasMapping Left="*" Right="*" MappingRule="SimpleReplacement" /> 
    7:   </AliasMappings>
    8:   <DomainMappings DirectionOfMapping="LeftToRight">
    9:     <DomainMapping Left="s-domain" Right="t-domain" MappingRule="SimpleReplacement" /> 
   10:   </DomainMappings>
   11: </UserIdentityMappings>

But … what does EnableValidation entail?

The intention of this attribute is to configure whether the user identity lookup service, as part of the mapping, should reach out to actual active directory server to validate that the user account is a valid account on the target system.  When enabled (true) the service will search for the user in the target system to determine that the user account is valid and to raise an exception if the validation fails. When disabled (false), the User Identity Lookup Service only performs a static transformation specified in the UserIdentityMappings section.

The default value for the EnableValidation attribute is true.

Questions relating to this configuration section

  • What is the difference between the <UserMappings>, <AliasMapping> and <DomainMappings> in the configuration?

    • UserMapping works on specific user(s), whereas AliasMapping and DomainMapping applies to all user accounts and maps alias and domain separately on all identities passing through the pipeline.
    • UserMappings and AliasMapping are similar in behaviour, whereby the evaluation precedence is User Mapping, then DisplayName or DomainAlias.

  • What is the difference between DisplayName and DomainAlias?

    • The DefaultUserIdProperty DisplayName is specific to TFS WIT migration sources, whereas DomainAlias is to TFS VC migration sources.