Поделиться через


Forefront Identity Manager 2010 Extensibility Roadmap

This document summarizes the extensibility points of Microsoft Forefront Identity Manager 2010 (FIM) and describes which common tasks can be performed using these extensibility points.

Extensibility in Forefront Identity Manager 2010

FIM provides extensibility to address many custom scenarios. The following diagram has each extensibility point outlined in a red box and numbered so that it can be referenced in the rest of this document.

Forefront Identity Manager Extensibility

Extensibility Area Number in diagram Description

PowerShell

1

It is possible to use the PowerShell cmdlets as supported web service clients in PowerShell or standard .NET applications. This web service client can perform Create, Read, Update, Delete, and Enumerate operations and is especially helpful for bulk import, bulk export, and reporting.

The Configuration Migration Tool Deployment Guide document on TechNet documents how to use the PowerShell cmdlets to migrate the FIM Service configuration from one environment to another, for example, from a test environment to a production environment.

Additional documentation on these cmdlets will be added to TechNet. The underlying object model of the cmdlets will be added to MSDN developer documentation.

Portal

2

The FIM Portal is designed as the primary administrator and information worker interface. It is possible to configure the presentation of FIM resources (such as Person objects), add localized information, and modify schema. It is also possible to change some visual components of the FIM Portal such as the top-level navigation links. See Introduction to Configuring the FIM Portal for more information on extending the FIM Portal.

Windows

3

An example of Windows extensibility is the Credential plugin for Password Reset, also known as the Gate Framework (for more information, see Winlogon Credential Provider). This generic component allows developers to write custom UIs to use in the password reset process. These custom UIs should use the gate framework to communicate with custom authentication activities.

Web Service Client

4

FIM does not provide a custom client for communicating with the web service interface in the FIM SDK. If you would like to build a web service client please review the description of the input and output SOAP messages (see Web Services API). If you would like to replace the FIM Portal or integrate the FIM Portal functionality into existing portals, you will need to construct and interpret these SOAP messages in your custom client code. Many libraries exist in multiple platforms for reading and writing SOAP messages, but it is not possible to rely upon output from Visual Studio, svcutil, or these libraries.

The Web Services API section includes information on the Create, Read, Update, Delete, and Enumerate operations. Also, this section includes information on the Approval scenario but not the Password Reset scenario. See Web Services Overview for more information about the web service interface.

Schema

5

FIM provides a default schema of resources that satisfy many common customer scenarios. This schema is represented as XML schema in the Metadata Exchange Endpoint and as XML fragments when interacting with data via the web service interface. The Forefront Identity Manager Schema documents the default schema for FIM. It is possible to modify the existing schema and to extend the schema with new attributes or objects through a web service client (see Web Services Overview) or through PowerShell cmdlets reference.

Authentication Workflows

6

Authentication workflow activities are used to identify the person making a request. For example, the Q&A gate in the password reset scenario is an authentication workflow activity. To extend the password reset scenario with an additional workflow activity, it is necessary to implement a custom authentication activity and implement a custom Credential plug-in to present the authentication challenges that are used by that activity.

See Custom Activities and Workflows and Developing Custom Activities and Workflows for more information about custom activities and workflows.

See Request Processing for more information about how authentication workflows are processed.

Authorization Workflows

7

Authorization workflow activities determine whether the requestor has permission to perform the requested action. For example, the Approval activity is an authorization workflow activity. To extend the approval scenario or to perform additional validation on all requests, it is necessary to implement custom authorization activities.

See Custom Activities and Workflows and Developing Custom Activities and Workflows for more information about custom activities and workflows. The topic How to: Create a Custom Logging Activity is an end-to-end example of creating a custom activity.

See Request Processing for more information about how authorization workflows are processed.

Action Workflows

8

Action workflows define actions that occur after changes are committed to the FIM Service database. A Notification activity is an example of an action workflow. Custom action workflows can be created that perform additional actions that are beyond the scope of the out-of-box action workflows provided with FIM.

See Custom Activities and Workflows and Developing Custom Activities and Workflows for more information about custom activities and workflows. The topic How to: Create a Custom Logging Activity is an end-to-end example of creating a custom activity.

See Request Processing for more information about how action workflows are processed.

Workflow Activity Designer

9

All FIM workflow activities can provide a useful UI in the FIM Portal for FIM administrators to configure the activity behavior. This UI is a result of the custom workflow activities also being present on the FIM Portal, implementing a specific interface, and registering the activity with the portal. See Rendering Custom Activities in the FIM Portal Workflow Activity Design UI.

Adapters ("Management Agents")

10

Resources stored in FIM can be synchronized with multiple connected systems using adapters called Management Agents (MA). Many different out-of-box MAs are shipped with FIM, for example, an MA that connects with Active Directory. However, it is also possible to write a custom MA using the Extensible MA or providing well-structured text input for the File MA. See How to: Create Management Agents for more information on the Extensible MA. For more information on the File MA, see Introduction to Inbound Synchronization.

Customer Extensibility Scenarios

This section includes common customer scenarios and what extensibility points can be used to implement those scenarios in FIM. These scenarios use the fictitious company Contoso that is featured in many Microsoft code examples.

Customer Scenario Example FIM Solution

How do I enforce specific Contoso business policy when my employees create groups?

Many companies have specific business policies that FIM does not enforce by default. To apply custom policy, a business can create a custom Authorization Workflow Activity (#7 in diagram) that evaluates all incoming group requests. See Management Policy Example and Custom Activities and Workflows.

I would like to provide FIM Portal UI for custom resource types and attributes.

Contoso creates a custom resource, Role, to solve key business scenarios by extending the FIM Schema (#5 in diagram). Contoso also extends the FIM Portal (#2 in diagram) to provide an intuitive interface for this custom resource.

I would like to require Smart Cards to reset passwords.

Contoso creates a custom Credential plug-in for Password Reset (#3 in diagram) and a custom Authentication Workflow Activity (#6 in diagram) that validates the presence of a Smart Card prior to resetting passwords.

I would like to integrate group management into my existing portal.

Contoso has an existing internal portal and would like to expose group management functionality as an integrated experience. Contoso creates a custom web service client (#4 in diagram) and integrates this client inside the existing portal.

I would like to create workflow activities I can sell.

Contoso creates custom workflow activities (#6, #7, #8 in diagram) for resale. In addition to creating the business logic, Contoso creates custom workflow UI (#9 in diagram) so that these workflow activities can be rendered in the FIM Portal. The topic How to: Create a Custom Logging Activity is an end-to-end example of creating a custom activity.

I would like to automate requests in FIM.

Contoso would like to bulk import groups from a previous group management solution. To accomplish this task, Contoso creates PowerShell scripts that invoke the PowerShell client (#1 in diagram).

I would like to create reports to demonstrate compliance.

Contoso creates PowerShell scripts (#1 in diagram) that export group membership and transform the XML into an auditor-ready HTML report.

See Also

Concepts

Forefront Identity Manager Service Overview
How to: Create a Custom Logging Activity