Forefront Identity Manager Service Overview
Updated: April 7, 2010
Microsoft® Forefront Identity Manager 2010 (FIM) provides connectors, delegation, workflow, and a Web service API on a common platform called the Identity Management Platform (IDM Platform). The IDM Platform enables developers to integrate user management, credential management, policy management, and access management activities. FIM builds on the synchronization engine that was included in Microsoft® Identity Lifecycle Manager 2007 (ILM 2007) to synchronize and converge data among many different external databases and systems through a management agent framework. The FIM Service builds on that functionality by adding a portal that delivers turnkey solutions for credential, access, user, and policy management. The FIM Service also exposes Web service APIs, which developers can use to create custom clients that interact with FIM. The API also provides extensible activities, workflows, and schema.
The following illustration shows the components of the IDM Platform and their relationship to external databases and client applications.
Workflows and Activities
FIM lets users create workflows that model business processes and attach those workflows to requests. A user can then audit compliance with business procedures by monitoring how FIM workflows are run. The FIM Portal provides a graphical user interface, named the Process Designer, which is used to model business procedures by building workflows that consist of various activities. In addition, activities and workflows that use Windows Workflow Foundation (WF) can be used in FIM. Developers who use the Microsoft .NET Framework can develop new WF activities in the Microsoft® Visual Studio® 2008 development system.
Example activities include:
Approval activity. An approval activity can be used to ask one or more people for consent to allow a workflow to continue.
Notification activity. A notification activity is used to notify people of a workflow process.
Activities can be included in authentication, authorization, and action workflows, which can be mapped to events.
Objects and Request Processing
All users, groups, requests, workflows, and other resources used in FIM are stored as objects in the FIM Service database. These objects can be modified through Create, Read, Update, and Delete (CRUD) requests made to the FIM Service IDM Platform. For more information, see Web Services Overview. Web service requests are turned into Request objects in the FIM system. If a CRUD request on the object store passes the rights, authentication, and authorization checks, the CRUD operation will be run on the object store and the associated Request object will itself be committed to the object store. After this step, additional "Action" workflows (for example, notification activities) are run. These workflows can include actions performed by the synchronization engine, which manages synchronization of object changes with identity stores external to FIM.
For more information, see Request Processing.
Management Policy, Rights and Events
Management Policy Rules (MPRs) model the management policy for objects managed by FIM and provide a mechanism to model business-processing rules for incoming requests to the FIM Service. Each ManagementPolicyRule can define permissions for requesting operations on FIM objects, together with the workflows that are triggered by those requests.
For more information, see Management Policy in FIM.
FIM organizes objects (people and groups, for example) into Sets so that management policies can be mapped to the appropriate resources. An object can be included in an unlimited number of sets. Sets can be defined dynamically, based on XPath queries over object attribute values, or statically, as an explicit list of specific resources. A set can also combine both: an explicit member list plus a dynamic filter.
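The request pipeline described under Objects and Request Processing (rights check, commit of the operation and its Request object, then action workflows) and the Set and MPR model above, reduced to a small simulation. This is an added illustration written for this page, not FIM code or the FIM API: the object store, the people, the sets, the MPRs, the status strings and the notify activity are all constructed, and a Python predicate stands in for the XPath filter of a dynamic Set. It shows the two properties a policy author cares about: a request is denied unless a permission-granting MPR covers every attribute it touches for that requestor and that target, and action workflows run only after a granted request is committed.

```python
"""Toy model of FIM request processing: Sets, MPRs, rights check, commit, action workflows.
Constructed illustration only; the data, names and status strings are not FIM's."""
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed object store: resource id -> attribute values (hypothetical data).
STORE = {
    "alice": {"ObjectType": "Person", "Department": "HR", "Manager": "bob"},
    "bob":   {"ObjectType": "Person", "Department": "HR", "JobTitle": "Manager"},
    "carol": {"ObjectType": "Person", "Department": "Sales"},
}
REQUESTS = []       # Request objects committed to the store alongside the data
NOTIFICATIONS = []  # messages "sent" by the notification action workflow


@dataclass
class Set:
    """A FIM Set: explicit static members and/or a dynamic filter.
    FIM expresses the filter in XPath; a Python predicate over the object stands in for it."""
    name: str
    members: set = field(default_factory=set)
    filter: Optional[Callable[[dict], bool]] = None

    def contains(self, obj_id: str, store: dict) -> bool:
        if obj_id in self.members:
            return True
        obj = store.get(obj_id)
        return bool(obj is not None and self.filter and self.filter(obj))


@dataclass
class Request:
    requestor: str
    operation: str      # "Create", "Read", "Update" or "Delete"
    target: str
    attributes: dict    # attribute -> new value (this model assumes attribute-bearing requests)
    status: str = "Pending"
    trace: list = field(default_factory=list)


@dataclass
class MPR:
    """Management Policy Rule: who (requestor set) may do what (operations, attributes)
    to which targets, whether the rule grants permission, and which action workflows run."""
    name: str
    requestor: Set
    operations: set
    attributes: set                 # {"*"} means every attribute
    target: Set
    grants_permission: bool
    action_workflows: list = field(default_factory=list)

    def covers(self, attr: str) -> bool:
        return "*" in self.attributes or attr in self.attributes

    def applies_to(self, req: Request, store: dict) -> bool:
        return (req.operation in self.operations
                and any(self.covers(a) for a in req.attributes)
                and self.requestor.contains(req.requestor, store)
                and self.target.contains(req.target, store))


def notify(req: Request, store: dict) -> None:
    """Stand-in for a notification activity inside an action workflow."""
    NOTIFICATIONS.append(f"{req.requestor} updated {sorted(req.attributes)} on {req.target}")


def process(req: Request, policy: list, store: dict = STORE) -> Request:
    applicable = [m for m in policy if m.applies_to(req, store)]
    # 1. Rights check: every requested attribute needs at least one granting MPR.
    for attr in req.attributes:
        if not any(m.grants_permission and m.covers(attr) for m in applicable):
            req.status = "Denied"
            req.trace.append(f"no MPR grants {req.operation} of {attr} for {req.requestor}")
            return req  # nothing is committed and no action workflow runs
    # 2. Authentication and authorization workflows would run here, before commit.
    # 3. Commit the operation, then the Request object itself.
    store[req.target].update(req.attributes)
    REQUESTS.append(req)
    req.status = "Committed"
    # 4. Action workflows of every applicable MPR, whether or not it granted permission.
    for m in applicable:
        for wf in m.action_workflows:
            wf(req, store)
            req.trace.append(f"ran {wf.__name__} via MPR '{m.name}'")
    req.status = "Completed"
    return req


# Constructed Sets and policy.
ALL_PEOPLE = Set("All People", filter=lambda o: o.get("ObjectType") == "Person")
HR_STAFF = Set("HR Staff", filter=lambda o: o.get("Department") == "HR")
# A combination set: one static member plus a dynamic filter.
HR_MANAGERS = Set("HR Managers", members={"bob"},
                  filter=lambda o: o.get("Department") == "HR" and o.get("JobTitle") == "Manager")

POLICY = [
    MPR("HR managers may change org attributes of HR staff", requestor=HR_MANAGERS,
        operations={"Update"}, attributes={"Department", "JobTitle"}, target=HR_STAFF,
        grants_permission=True),
    MPR("Notify on Department change", requestor=ALL_PEOPLE, operations={"Update"},
        attributes={"Department"}, target=ALL_PEOPLE, grants_permission=False,
        action_workflows=[notify]),
]

if __name__ == "__main__":
    for who, attrs in [("carol", {"Department": "Finance"}),   # not in HR Managers: denied
                       ("bob", {"Manager": "carol"}),          # attribute not covered: denied
                       ("bob", {"Department": "Finance"})]:    # granted, then notification runs
        r = process(Request(who, "Update", "alice", attrs), POLICY)
        print(who, attrs, "->", r.status, r.trace)
    print(NOTIFICATIONS)
```

The second MPR grants nothing; it exists only to attach a workflow, which is why the rights check looks at grants_permission rather than at mere applicability. Keeping grant rules attribute-scoped, as the first MPR is, is what stops an HR manager from rewriting Manager or any other attribute the policy never mentioned.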
Extending Forefront Identity Manager Functionality
Developers can extend FIM functionality in several ways:
Web service APIs let developers create custom applications that interact with FIM and perform CRUD operations on the FIM Service database. Because configuration, synchronization settings, management policy, and all other resources are stored as objects, the Web service APIs let users modify FIM configuration and behavior. Since MPRs, Sets, and workflow definitions are themselves objects, requests that change them pass through the same rights check as any other request, so the sets allowed to update them should be kept narrow. For more information, see Web Services Overview and How to: Retrieve the FIM Service Schema Using WS-MetadataExchange. A FIM administrator can modify the portal to display custom objects and attributes to end users.
A default object schema is provided. However, the schema can be modified and extended through CRUD operations on the FIM Service database.
Custom workflows and activities can be built using Visual Studio and run by Windows Workflow Foundation. For more information, see Custom Activities and Workflows.
Management agents can be created that communicate between the synchronization engine and external databases and systems. The MSDN Library documentation for ILM 2007 contains more information about this. See Forefront Identity Manager Synchronization Service Developer Reference.
Forefront Identity Manager Certificate Management (FIM CM) provides extensible support for managing strong credentials such as smart cards. The version included in FIM 2010 adds support for third-party certification authorities. See FIM Certificate Management Overview and the Forefront Identity Manager Certificate Management Developer Reference.
For more information about extending FIM, see Forefront Identity Manager 2010 Extensibility Roadmap.