Pull management is performed by using a KeyCredentialManagement Object (see 8.4.3). It allows Clients to request credentials for Authorization Services or Brokers which are supported by the KeyCredentialService. The interactions between the Client and the KeyCredentialService during pull management are illustrated in Figure 16.

Figure 16 – The Pull Model for KeyCredential Management

The Application Administration component may be part of the Client or a standalone utility that understands how the Client persists its configuration information in its Configuration Database. The administration and database components are examples to illustrate how an application could be built and are not a requirement.

Requesting credentials is a two stage process because some KeyCredentialServices require a human to review and approve requests. The calls to the FinishKeyCredentialRequest Method may not be periodic and could be initiated by events such as a user starting up the application or interacting with a UI element such as a button.

KeyCredentials can only be requested for Clients which are trusted by the KeyCredentialService.

Security in pull management requires an encrypted channel and the use of administrator credentials for the KeyCredentialService that ensure only authorized users can request KeyCredentials.