Thursday, May 02, 2013

Using ADFS to Authenticate FIM Users

I've been working on a neat FIM application lately that uses ADFS to authenticate its users.  This buys us some really useful functionality, such as:

  • Dynamic Provisioning – claims are a good enough source to create new Person objects in the FIM Service, so when a user first arrives at our application the claims ADFS issued tell us enough about them to create their Person object on the spot.
  • Claims to Windows Tokens – with C2WTS (the Claims to Windows Token Service) we can turn the UPN claim back into a Windows identity, which we can then impersonate when calling the FIM Service web services, so FIM sees the real user rather than the application pool account.
  • FIM Claims – a ClaimsAuthenticationManager in the ASP.NET request pipeline lets us post-process the incoming identity by adding claims sourced from FIM, neatly packaging up details about the Person in the claims for the rest of the application.

Of course none of this is possible with the FIM Portal, which is tied to Windows authentication, but that isn't such a bad thing once you bite the custom FIM application bullet: throw away the FIM Portal, build your own application on the FIM Service web services, and all of the above becomes possible.

At the moment I don't have code to share, but rest assured the above works (it took me a while to believe it).
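As an added example (not the author's code, which the post does not include), here is how the three pieces above fit together in a single WIF `ClaimsAuthenticationManager` on .NET 4.5 (`System.IdentityModel`): it takes the UPN claim issued by ADFS, asks C2WTS for a Windows identity through `S4UClient.UpnLogon`, impersonates that identity while looking up or provisioning the Person in FIM, and then adds FIM attributes back onto the principal as claims. The `IFimPersonStore` interface, the ADFS issuer name and the FIM claim type URIs are assumptions standing in for the FIM Service web service calls and for your own configuration.

```csharp
using System;
using System.Security;
using System.Security.Claims;
using System.Security.Principal;
using Microsoft.IdentityModel.WindowsTokenService;   // S4UClient, the C2WTS client shipped with the WIF runtime

// Minimal view of a FIM Service Person resource (assumed shape for this example).
public class FimPerson
{
    public string ObjectId { get; set; }
    public string AccountName { get; set; }
    public string DisplayName { get; set; }
}

// Hypothetical abstraction over the FIM Service web service (Resource / ResourceFactory endpoints).
// The real WCF calls inherit whatever Windows identity is impersonated when they are made.
public interface IFimPersonStore
{
    FimPerson FindByAccountName(string accountName);                        // null when no Person exists
    FimPerson Create(string accountName, string displayName, string email);  // provisions a new Person
}

public class FimClaimsAuthenticationManager : ClaimsAuthenticationManager
{
    // Assumed values: the ADFS issuer name registered in <issuerNameRegistry>, and the claim
    // type URIs this application uses for FIM data. Neither is a WIF or FIM constant.
    private const string AdfsIssuer = "http://adfs.example.com/adfs/services/trust";
    public const string FimObjectIdClaim = "http://schemas.example.com/fim/objectid";
    public const string FimDisplayNameClaim = "http://schemas.example.com/fim/displayname";

    // WIF instantiates this class from <claimsAuthenticationManager type="..."/> with no arguments,
    // so the store is supplied through a factory set once at application start.
    public static Func<IFimPersonStore> StoreFactory { get; set; }

    private readonly IFimPersonStore _store;

    public FimClaimsAuthenticationManager()
    {
        if (StoreFactory == null)
            throw new InvalidOperationException("FimClaimsAuthenticationManager.StoreFactory is not set");
        _store = StoreFactory();
    }

    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
    {
        // WIF calls this for every request; leave anonymous ones untouched.
        if (incomingPrincipal == null || !incomingPrincipal.Identity.IsAuthenticated)
            return incomingPrincipal;

        var identity = (ClaimsIdentity)incomingPrincipal.Identity;

        // Only a UPN minted by the trusted ADFS instance may be turned into a Windows identity;
        // any other issuer would let a foreign token pick which domain user we impersonate.
        Claim upnClaim = identity.FindFirst(c => c.Type == ClaimTypes.Upn && c.Issuer == AdfsIssuer);
        if (upnClaim == null)
            throw new SecurityException("No UPN claim from the trusted ADFS issuer");

        // C2WTS performs an S4U logon for the UPN and returns a WindowsIdentity for it.
        WindowsIdentity windowsIdentity = S4UClient.UpnLogon(upnClaim.Value);

        // windowsIdentity.Name is "DOMAIN\sAMAccountName"; FIM's Person.AccountName holds the latter part.
        string accountName = windowsIdentity.Name.Substring(windowsIdentity.Name.IndexOf('\\') + 1);

        FimPerson person;
        using (WindowsImpersonationContext context = windowsIdentity.Impersonate())
        {
            // Everything inside this block reaches the FIM Service as the user, so FIM's MPRs apply to it.
            person = _store.FindByAccountName(accountName);
            if (person == null)
            {
                // Dynamic provisioning: the ADFS claims are enough to create the Person on first visit.
                string displayName = ValueOrDefault(identity, ClaimTypes.Name, upnClaim.Value);
                string email = ValueOrDefault(identity, ClaimTypes.Email, null);
                person = _store.Create(accountName, displayName, email);
            }
        }

        // Package the FIM data as claims so downstream code never has to call FIM again for it.
        identity.AddClaim(new Claim(FimObjectIdClaim, person.ObjectId));
        identity.AddClaim(new Claim(FimDisplayNameClaim, person.DisplayName ?? string.Empty));
        return incomingPrincipal;
    }

    private static string ValueOrDefault(ClaimsIdentity identity, string claimType, string fallback)
    {
        Claim claim = identity.FindFirst(claimType);
        return claim != null ? claim.Value : fallback;
    }
}
```

Register the class under `<system.identityModel><identityConfiguration><claimsAuthenticationManager type="..."/>` in web.config and set `StoreFactory` in `Application_Start`. Two things bite in practice: the application pool account must be listed in the `allowedCallers` section of the C2WTS service configuration or `UpnLogon` is refused, and the token C2WTS returns is only usable on the network (that is, for the FIM Service WCF calls) if Kerberos constrained delegation is configured from the application pool account to the FIM Service SPN; without it the impersonation succeeds locally but the FIM call fails with an access denied. The issuer check on the UPN claim is deliberate: the claim is what decides which domain user is impersonated, so it must come from the one issuer you trust.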
