Share via


FIM CM Provision API Architecture

The Forefront Identity Manager Certificate Management (FIM CM) Provision API is a rich set of Microsoft .NET Framework interfaces. Developers can use this API to create certain types of requests related to provisioning users, manage requests through their lifecycles, and customize request processing. This allows for FIM CM workflows to be extended, adds user verification steps and performs additional tasks after a request has been approved and is being run. You can also create applications that perform their own communication with the smart card during the request execution phase. This allows you to perform additional smart card operations. For example, you may choose to include biometric information or create non-certificate data objects on the smart card. This allows for great flexibility to modify FIM CM workflows in a way that meets the unique security and management requirements of each enterprise. For example, you could implement a smart card management application compliant with Personal Identity Verification (PIV) requirements defined by the U.S. Federal Government.

The FIM CM Provision API is a server based API that enables both local calls to the interfaces and can be configured for distributed invocation by using .NET Framework remoting. There are two main ways to use the Provision API:

  1. Create a web application that calls the Provision API. This web application can be collocated in the same IIS web as the FIM CM web service or can be on a separate IIS web and use remoting to connect to the FIM CM web service.

  2. Create a stand-alone application that uses remoting to invoke Provision API interfaces on the FIM CM server.

For more information about remoting, see FIM CM Remoting Configuration.

Provision API Assemblies

The following DLLs contain the implementation of the Provision API and supporting classes:

Assembly Description

Microsoft.Clm.Provision.dll

Contains implementation of the Microsoft.Clm.Provision namespace classes

Microsoft.Clm.Shared.dll

Contains implementation of the Microsoft.Clm.Shared namespace classes

In order to program by using the FIM CM Provision API you will have to make sure that the common language runtime can locate these assemblies when your application runs. The assemblies are deployed in the FIM CM application directory.

Identity management operations handled through Provision API

The functionality offered by the Provision API can be grouped into the following areas:

  • Find operations – interfaces for searching for requests, certificates, smart cards and profiles (see FindOperations).

  • Request operations – interfaces for creating and managing requests through their life cycle (see RequestOperations). Note that an applicant cannot submit a request on their own behalf; a request must be submitted by someone who is configured as a manager in the profile template.

  • Permission operations – interfaces for verifying permissions on users and requests (see PermissionOperations).

  • Request execution – interfaces for performing the actions designated by each request (see ExecuteOperations). Note that a request cannot be executed unless it has satisfied all its required approvals.

The Provision API can also be used in your notification handlers and FIM CM interfaces to obtain detailed information about FIM CM objects within that environment. FIM CM objects may include requests, smart cards, certificates, and profile templates. For example, invoking the methods and properties associated with these objects enables you to programmatically examine the details of FIM CM requests and associated data (see Request, Smartcard and Profile classes). It also enables you to examine the profile templates and the specific configurations for each of the life cycle management policies (see ProfileTemplate class).

You can use the Provision API request processing interfaces to operate on both smart card and software-based requests. A subset of the request types that are used by FIM CM can be handled by the Provision API. The Provision API supports processing for enroll, recover, unblock, offline unblock and retire policy types. For more information about request types, see RequestType.

Sensitive APIs

The FIM CM Provision API enforces strict permission verification on callers of the interfaces. The Provision API validates the identity of the caller to make sure they contain the required permission. The calls execute in the security context of the caller who performed the calls. In general, you require the same permissions to call the interfaces as if you would be performing the action through the FIM CM web interface. A group of sensitive Provision API methods require specific permission configuration in the server’s web.config file. For more information, see Sensitive API Configuration.

See Also

Concepts

Programming with the FIM CM Provision API
FIM CM Remoting Configuration

Other Resources

FIM CM Provision API Overview