Thursday, May 02, 2013

Using ADFS to Authenticate FIM Users

Been working on a neat FIM application lately that uses ADFS to authenticate the users.  This buys us some really neat functionality, such as:

  • Dynamic Provisioning – we can use claims as a source for creating new Person objects in the FIM Service, so when the user comes to our application we know enough about them through claims to create the person objects.
  • Claims to Windows Tokens – we can use C2WTS to turn the UPN claim back into a Windows identity which we can then impersonate when calling the FIM web services.
  • FIM Claims – with the ASP.NET request pipeline we can use a ClaimsAuthenticationModule to post-process the identity by adding claims from FIM, neatly packaging up details about the Person in the claims.

Of course none of this is really possible when using the FIM Portal, but that isn’t such a bad thing once you bite the custom FIM application bullet.  All of the above become possible when you throw away the FIM Portal and create a custom FIM application.

At the moment I don’t have code to share but rest assured the above works (it took me a while to believe it). 

Now on Amazon: A Guide to Claims-Based Identity and Access Control, 2nd Edition

I’ve been spending a lot of time with claims lately, and really enjoying how simple ADFS feels compared to FIM (which is obviously a demonstration of my lack of understanding).  Anyhow, the manual is freely available on MSDN (HTML and PDF) but you can also RTFM in condensed lumber at Amazon:

Now on Amazon: A Guide to Claims-Based Identity and Access Control, 2nd Edition

Get the Free ebooks!

I consider myself a competent sheller but after attending the PowerShell Summit last week I am now more aware there are many more cool things to learn (and better ways to do my job).

Want to learn more too?  Turns out it doesn’t cost that much…

The Big Book of PowerShell Gotchas (free)