Architecture Help
I have a situation where we have several custom applications running on various technologies (Classic ASP, ASP.NET, Oracle, etc...). Each of the legacy applications has its own users and roles (for both internal employees and non-employees). I have come up with two possible approaches that I think could work but want to make sure I am thinking about what FIM can do correctly. Which option works better (feel free to correct)?

Option 1
1. Leave legacy registration and login code as is within each of the legacy applications and make calls to the FIM Web Service to kick off the process.
2. Create a service layer that FIM and the legacy apps can communicate through (facade).
3. Each application will be responsible for calling out to the web service layer.
4. Let FIM handle workflow and sync'ing (adding users to AD etc...).

Option 2
1. Centralize all the users and roles in FIM (not sure if this can be done).
2. Create one registration and password reset screen in SharePoint (keep in mind we have many custom applications with very different registration and access logic).
3. Create all the workflows and sync'ing in FIM (adding users to AD etc...).

Any help is greatly appreciated.
October 20th, 2009 5:35pm

As far as I understand, your main objective to realize is registration & PW reset. Correct?

FIM2010 can help you
- sync'ing data (user attributes, passwords possibly, memberships to groups/roles, etc.)
- provision / deprovision objects (that might be required for AuthN & AuthZ processes in connected apps)
- implement workflow, approval and registration processes
- deploy a portal that enables business users & IT pros to manage accounts, start approvals/registrations, offers self services

What FIM2010 is not intended to be is an Authentication & Authorization platform.

With this in mind you can
- centralize all users / groups in FIM. Of course you have to analyze your apps and decide how to connect them to FIM (which Management Agent to use)
- Once you have all users / groups (especially groups) in FIM2010 you can start designing your registration processes. A user logs on to the portal and requests membership to a specific group/role - an approval / registration workflow starts - at the end a group membership change will be synchronized to your legacy app

One thing you should take care of is: how will external employees connect to your registration & self-service platform? Do you have to provide separate portals for internal and external? Are you able to host external accounts in your Active Directory?

/Matthias
October 21st, 2009 9:57am

Let me start by explaining the Microsoft IDA stack:
- At the bottom you have the runtime layer, such as AD and ADFS.
- At layer two you have your identity aware apps.
- At the top you have management products, such as FIM.

FIM is not designed for applications to make run time decisions. FIM is designed to manage users and roles in the runtime layer. Applications should integrate with AD and ADFS and consume users/roles in this layer.

I would suggest Option 3:
- Change your applications to use AD or ADFS for identity and access.
- Use FIM to control users and groups in the infrastructure.

Andreas

This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples is subject to the terms specified at http://www.microsoft.com/info/copyright.htm
November 7th, 2009 8:47pm
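The "Option 3" split Andreas describes, as an added illustration that is not code from this thread: a web.config for one of the ASP.NET legacy apps that hands authentication to the runtime layer (AD via Windows authentication) and authorizes on AD group membership, so the group memberships FIM provisions are what the app actually consumes. The domain and group names (CONTOSO\...) are placeholders.

```xml
<?xml version="1.0"?>
<!-- Constructed example web.config for one ASP.NET legacy app.
     CONTOSO\App-Users and CONTOSO\App-Admins are placeholder AD groups. -->
<configuration>
  <system.web>
    <!-- Authentication is delegated to the runtime layer (AD, via Windows
         authentication); the app keeps no login code or password store. -->
    <authentication mode="Windows" />

    <!-- Surface the user's AD groups as ASP.NET roles, so User.IsInRole and
         <allow roles> check AD membership, not an application role table. -->
    <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" />

    <!-- Site-wide: only members of the app's AD group get in; everyone else
         is denied. Membership in this group is what FIM provisions/deprovisions
         through its workflows, so revoking access is a group change in FIM. -->
    <authorization>
      <allow roles="CONTOSO\App-Users" />
      <deny users="*" />
    </authorization>
  </system.web>

  <!-- Finer-grained application roles map to further AD groups; a request for
       admin rights becomes an approval workflow in FIM rather than a row the
       app writes to its own roles table. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="CONTOSO\App-Admins" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

IIS must have Windows authentication enabled (and anonymous access disabled) for the site; the app's remaining in-code role checks then become User.IsInRole("CONTOSO\\App-Admins")-style checks against AD rather than lookups in a local role table.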

