Integrating Forefront Identity Manager with my Web Application

Integrating Forefront Identity Manager with Your Web Application

Learn how to integrate Microsoft Forefront Identity Manager (FIM) with your ASP.NET web application for robust federated identity management and streamlined user provisioning.

Microsoft Forefront Identity Manager (FIM), now known as Microsoft Identity Manager (MIM), provides a comprehensive solution for managing user identities, credentials, and group memberships across heterogeneous systems. Integrating FIM/MIM with your web application, especially in an ASP.NET environment, can significantly enhance security, simplify user provisioning, and enable federated identity scenarios. This article will guide you through the key concepts and practical steps involved in achieving this integration, focusing on common patterns like web services and federated authentication.

Understanding FIM/MIM's Role in Identity Management

FIM/MIM acts as a central identity hub, synchronizing identity data between various connected systems (e.g., Active Directory, HR databases, LDAP directories, custom applications). It offers features like user provisioning/deprovisioning, password synchronization, self-service password reset, and group management. For web applications, FIM/MIM can serve as the authoritative source for user attributes, manage access rights, and facilitate single sign-on (SSO) through federation protocols.

flowchart TD
    A[Web Application] -->|User Request| B(FIM/MIM Portal/Service)
    B -->|Provision/Deprovision| C[Connected Data Source 1 (e.g., AD)]
    B -->|Sync Attributes| D[Connected Data Source 2 (e.g., HR DB)]
    B -->|Federated Auth| E[Identity Provider (e.g., ADFS)]
    E -->|SAML/WS-Fed Token| A

High-level overview of FIM/MIM's role in a federated identity ecosystem.

Integration Patterns for Web Applications

There are several common patterns for integrating your web application with FIM/MIM, depending on your specific requirements:

1. Direct Web Service Calls: Your application can interact directly with FIM/MIM's web services (e.g., FIM Service WCF endpoint) to perform operations like creating users, updating attributes, or checking group memberships. This is suitable for custom provisioning or attribute synchronization.

2. Federated Authentication: For single sign-on (SSO), FIM/MIM often works in conjunction with an Identity Provider (IdP) like Active Directory Federation Services (ADFS). Your web application trusts ADFS, which in turn relies on FIM/MIM for user identity and attribute data. This enables claims-based authentication.

3. Synchronization Service Extensions: For more complex scenarios, you might develop custom management agents or extensions within the FIM/MIM Synchronization Service to push/pull data to/from your application's data store.

Implementing Direct Web Service Integration (ASP.NET Example)

For direct integration, your ASP.NET application will consume the FIM Service's WCF endpoint. This typically involves adding a service reference to your project and then using the generated proxy classes to interact with FIM/MIM objects. You'll need appropriate permissions for the service account your web application uses to connect to FIM/MIM.

Here's a simplified example of how you might create a new user object in FIM/MIM using its web service. This assumes you have added a service reference to http://<FIMServiceHost>:5725/ResourceManagementService/.

using System;
using System.Collections.Generic;
using System.Linq;
using System.ServiceModel;
using FIMServiceReference; // Your service reference namespace

public class FimUserService
{
    private ResourceManagementClient _client;

    public FimUserService()
    {
        // Configure the binding and endpoint for the FIM Service
        BasicHttpBinding binding = new BasicHttpBinding(BasicHttpSecurityMode.TransportCredentialOnly);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
        binding.MaxReceivedMessageSize = 20000000; // Adjust as needed

        EndpointAddress endpoint = new EndpointAddress("http://localhost:5725/ResourceManagementService/");
        _client = new ResourceManagementClient(binding, endpoint);
        _client.ClientCredentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Impersonation;
    }

    public Guid CreateUser(string firstName, string lastName, string accountName)
    {
        try
        {
            // Create a new Request object
            RequestType request = new RequestType();
            request.Operation = OperationType.New;
            request.TargetType = "Person";

            // Add attributes for the new user
            List<AttributeType> attributes = new List<AttributeType>();
            attributes.Add(new AttributeType { Name = "FirstName", Value = firstName });
            attributes.Add(new AttributeType { Name = "LastName", Value = lastName });
            attributes.Add(new AttributeType { Name = "AccountName", Value = accountName });
            attributes.Add(new AttributeType { Name = "DisplayName", Value = $"{firstName} {lastName}" });
            attributes.Add(new AttributeType { Name = "ObjectType", Value = "Person" });

            request.Attribute = attributes.ToArray();

            // Execute the request
            RequestTypeResponse response = _client.Execute(request);

            // The response contains the GUID of the newly created object
            return new Guid(response.CreatedResourceId);
        }
        catch (FaultException ex)
        {
            Console.WriteLine($"FIM Service Error: {ex.Message}");
            throw;
        }
        catch (Exception ex)
        {
            Console.WriteLine($"General Error: {ex.Message}");
            throw;
        }
    }

    public void Close()
    {
        if (_client != null)
        {
            _client.Close();
        }
    }
}

C# code snippet for creating a new user in FIM/MIM via its WCF service.

Federated Authentication with ADFS and FIM/MIM

For federated identity, FIM/MIM often populates user attributes in Active Directory, which ADFS then uses to issue security tokens (e.g., SAML, WS-Federation) to your web application. Your ASP.NET application, configured as a Relying Party (RP) in ADFS, trusts these tokens. This offloads authentication to ADFS and allows your application to consume claims about the user.

Configuring an ASP.NET application for federated authentication typically involves:

1. Setting up ADFS: Configure ADFS as your Identity Provider, ensuring it trusts your web application as a Relying Party.
2. FIM/MIM Synchronization: Ensure FIM/MIM is synchronizing the necessary user attributes from your authoritative source to Active Directory, which ADFS will then read.
3. Web Application Configuration: Use Microsoft.IdentityModel (for .NET Framework) or Microsoft.AspNetCore.Authentication.WsFederation (for .NET Core) to configure your application to trust ADFS and process incoming security tokens.

sequenceDiagram
    participant User
    participant WA as Web Application
    participant ADFS as ADFS (IdP)
    participant AD as Active Directory
    participant FIM as FIM/MIM

    User->>WA: Access protected resource
    WA->>ADFS: Redirect for authentication
    ADFS->>AD: Authenticate User & Retrieve Attributes
    ADFS-->>WA: Issue Security Token (SAML/WS-Fed)
    WA->>WA: Validate Token & Create Claims Principal
    WA->>User: Grant Access

    FIM->>AD: (Background) Sync User Attributes

Sequence diagram for federated authentication flow using ADFS and FIM/MIM.

This approach provides a robust and scalable solution for SSO, allowing your web application to focus on business logic rather than managing user credentials directly. FIM/MIM ensures that the identity data ADFS relies on is consistent and up-to-date across your enterprise.