FIM & FIM CM Integration RRS feed

  • General discussion

  • Anybody integrated FIM with FIM CM to provide a complete IdM solution?
    I would like to use FIM to automatically provision users & issue smart cards.

    Tom Houston
    Wednesday, January 12, 2011 4:40 PM

All replies

  • well... i tried it in a lab with EFS certificates and it worked.

    you can create a request and export it to the FIM CM, but with a smartcards I believe you can only proviosion requests to FIM CM and users will have to complete an enrollement process

    actually, Paul Adare and Brian Komar have a good example how to do this for EFS certs in their CLM training course :)


    Wednesday, January 12, 2011 6:59 PM
  • for the smartcard logon itself - GPO with autoenroll settings is enough. even enough for renewal.

    if you don't need SMIME signatures then FIM CM/CLM will be usefull for 'forgotten PIN' scenarios if your cards support smartcard mini-drivers architecture. otherwise - go with GPO.

    Thursday, January 13, 2011 9:35 AM
  • I am talking more about the whole smart card management lifecycle. More really about the capability of the 'MA for Certificate and Smart Card Management' when combined with the end-to-end provisioning process through FIM 2010. I'd like to be able to automatically provision the usual users, mailboxes, filestore.. and smart cards for logon. Yes I have a BaseCSP compatible card. Any info greatly appreciated.


    Tom Houston

    Thursday, January 13, 2011 10:16 AM
  • Some experiences from one of my previous projects:

    We’ve started using the built-in FIM CM MA to set up a complete certificate lifecycle

    • enroll
    • disable (suspend)
    • re-enable (reinstate)
    • and revoke (retire) certificates

    but found some limitations, which we couldn’t accept in the project:

    • Unable to include Data Collection Items in an enrollment request
    • Unable to initiate a request at the FIM CM Portal / DB and immediately start it (execute) afterwards via the FIM CM MA
    • Some smartcard processes cannot be managed by the CM MA
    • The behavior the FIM CM interprets completed requests. It simply deletes the request in the FIM CM Connector Space. Could be okay, in our scenario we needed something else.

    For these reasons – and some others (e.g. performance) we extended our CM lifecycle solution with the FIM CM Remote Provisioning API. Using this API, we were much more flexible within the enrollment and revocation processes. However, the Remote API does not support Suspend & Reinstate processes.

    So we end up using the FIM CM MA as well as the Remote API and - yes - set up a complete CM lifecycle solution

    Monday, January 17, 2011 8:36 AM