The Alternate endpoint allows anonymous (unauthenticated) users to send Put requests to Forefront Identity Manager (FIM) to modify individual objects. It is similar to the Resource endpoint except that it allows access by anonymous users. This functionality allows the Alternate endpoint to be used to reset the password for a user that has forgotten their password.
Password Reset Scenario
Client web applications that perform a password reset for unauthenticated users must use the Alternate endpoint. A typical use of the Alternate endpoint to provide password reset functionality is as follows. The password reset client submits a Put request to change the ResetPassword attribute on a Person resource. A management policy rule (MPR) mapped to the ResetPassword attribute triggers a password reset authentication workflow. The user will eventually be able to reset her password if she can be authenticated according to the criteria set in that workflow (which typically involves answering a series of security questions). The initial Put request must be made anonymously because the user cannot log in without knowing her password.
To enable the password reset scenario described in this section, FIM would be configured in the following manner.
- Each Person resource (or each Person that needs to be able to reset their own password) must register for password reset by providing answers to a set of security questions. This is typically done by running the Reset Password workflow (in register mode) for each user, which can be accomplished in the FIM Portal.
- A FIM administrator must enable an MPR that grants anonymous users the right to modify the ResetPassword attribute on Person resources (see Management Policy Example). By default, FIM does not grant any rights to anonymous users. That same MPR should run the Reset Password workflow.
Comparison to the Resource endpoint
Both the Alternate endpoint and the Resource endpoint of FIM implement the WS-Transfer Extensions for Identity Management Operations specification (WS-Transfer IMO). The Alternate endpoint accepts Get, Delete, and Put requests just like the FIM Resource endpoint except as described here.
- A client connecting to the Resource endpoint must be an authenticated Active Directory user on the network with a valid Kerberos token. The Alternate endpoint does not require network authentication; however, it requires that the client be hosted on an authenticated Active Directory computer.
- Get and Delete requests are rejected with a WS-Addressing EndpointUnavailable fault.
- Target objects in Put requests must be referenced using NT4 aliases (for example, “domain\user”) instead of ObjectID. Both endpoints store this text in the rm:ResourceReferenceProperty that is passed in as a SOAP header in Put requests.
Aside from these differences, the Alternate endpoint is identical to the Resource endpoint. Requests to the alternate endpoint are governed by management policy rules (see Request Processing) as are all requests to FIM web service endpoints. The message formats, the extensions supported and the types of objects that may be modified are identical.
Default Endpoint Address
The default endpoint address is http://localhost:5725/ResourceManagementService/Alternate.
Remarks
The FIM web service only accepts UTF-8 encoding of strings and SOAP messages. Other encodings will be converted to UTF-8 if possible. If an encoding cannot be converted to UTF-8 then the web service will return wxf:InvalidRepresentationFault (see WS-Transfer Extensions for Identity Management Operations specification).
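The admission rules stated in the comparison list above (Put only, NT4 alias target, rights limited to what the MPR grants) and in the Remarks (UTF-8 only), modelled as a small checker. This is an added illustration, not FIM code: the rm namespace URI, the shape of the Put body, the NT4 alias pattern and the sample messages are assumptions, and the MPR is reduced to a single allowed attribute.

```python
import re
import xml.etree.ElementTree as ET

SOAP = "http://www.w3.org/2003/05/soap-envelope"
WSA = "http://www.w3.org/2005/08/addressing"
WXF = "http://schemas.xmlsoap.org/ws/2004/09/transfer"          # WS-Transfer actions: .../Get, /Put, /Delete
RM = "http://schemas.microsoft.com/2006/11/ResourceManagement"   # assumed URI behind the 'rm' prefix

# Stand-in for the MPR that grants anonymous users Modify on Person.ResetPassword (constructed).
ANONYMOUS_WRITABLE = {"ResetPassword"}
# Approximation of an NT4 alias, domain\user (constructed; real rules are stricter).
NT4_ALIAS = re.compile(r"^[A-Za-z0-9._-]+\\[A-Za-z0-9._$-]+$")


def admit_alternate_request(raw: bytes) -> str:
    """Return 'accepted' or the fault/rejection the page describes for the Alternate endpoint."""
    try:
        env = ET.fromstring(raw)       # honours the XML declaration; UTF-16 etc. are converted, junk fails
    except ET.ParseError:
        return "wxf:InvalidRepresentationFault"
    header = env.find(f"{{{SOAP}}}Header")
    action = (header.findtext(f"{{{WSA}}}Action") or "").strip() if header is not None else ""
    if action != f"{WXF}/Put":         # Get and Delete are turned away
        return "wsa:EndpointUnavailable"
    target = (header.findtext(f"{{{RM}}}ResourceReferenceProperty") or "").strip()
    if not NT4_ALIAS.match(target):    # an ObjectID GUID is not accepted here
        return "rejected: target must be an NT4 alias (domain\\user)"
    # Attributes the Put touches: any AttributeType element, whatever body namespace is used (assumption).
    attrs = {e.text.strip() for e in env.iter() if e.tag.rsplit("}", 1)[-1] == "AttributeType" and e.text}
    denied = sorted(attrs - ANONYMOUS_WRITABLE)
    if denied:                         # the MPR grants anonymous users nothing else
        return f"rejected by MPR: anonymous write to {denied}"
    return "accepted"


def build_request(target: str, attribute: str, action: str = f"{WXF}/Put", encoding: str = "utf-8") -> bytes:
    """Constructed sample SOAP message for exercising the checker; not a FIM-generated message."""
    xml = (f'<?xml version="1.0" encoding="{encoding}"?>'
           f'<s:Envelope xmlns:s="{SOAP}" xmlns:wsa="{WSA}" xmlns:rm="{RM}">'
           f'<s:Header><wsa:Action>{action}</wsa:Action>'
           f'<rm:ResourceReferenceProperty>{target}</rm:ResourceReferenceProperty></s:Header>'
           f'<s:Body><ModifyRequest><Change Operation="Replace">'
           f'<AttributeType>{attribute}</AttributeType><AttributeValue>1</AttributeValue>'
           f'</Change></ModifyRequest></s:Body></s:Envelope>')
    return xml.encode(encoding)


if __name__ == "__main__":
    print(admit_alternate_request(build_request("CONTOSO\\jdoe", "ResetPassword")))   # accepted
```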