Just What is a Virtual Directory Anyway?


I often get asked what a virtual directory server is and how it can help. It’s surprisingly hard to get a basic, all-encompassing description of virtual directory technology. So, I thought I would take a stab at offering up my version. The description comes from information accumulated from several sources, including Radiant Logic, Wikipedia and my own write-ups.

A virtual directory or virtual directory server is a technology that provides a consolidated view of user identity and related information without having to migrate users into a single enterprise directory infrastructure. It serves as a lightweight service that operates between identity consumers and the various identity repositories across the environment. These identity repositories can be LDAP directories, databases or even web services and access to information can be either proxied through the virtual directory or correlated and cached through a complex set of rules. Think of it as a one-stop shop for everything you need to know about your users and their associated data and attributes. So, if you wanted to create a view of all your customers, what they have purchased and which sales rep sold them the product, the virtual directory allows you to pull together this data into a hierarchy that represents these relationships.

The following diagram shows how identity consumers leverage the virtual directory instead of being coded to talk directly to the back-ends:

[Figure: virtual directory diagram]

Instead of building static representations of the information, a virtual directory receives queries and directs them to the appropriate backend identity repositories. The retrieved information appears to be coming from a single source and logic can then be applied such as re-mapping the information to make it compatible across applications without modifying the backend data or the applications. This ability to reach into native disparate repositories makes virtual directory technology ideal for consolidating data stored in a distributed environment.

The most commonly used protocol for virtual directory servers is LDAP. Some virtual directories like RadiantOne allow access through other mechanisms like ODBC/JDBC and through web services. Additionally, RadiantOne Virtual Directory Server is able to provide structure to unstructured information in order to understand the context of the identity and related information in the backend repositories.

The advantages of virtual directories include:

  • Faster deployment by avoiding synchronization
  • Leverage existing investments and high-availability for authoritative data stores
  • Provide application specific views of identity data that can help avoid the need to develop a master enterprise schema
  • Allow a single view of identity data without violating internal or external regulations governing identity data
  • Act as identity firewalls – preventing denial of service attacks on the primary data-stores and providing further security on access to sensitive data
  • Changes made in authoritative sources are reflected in real-time

Directory virtualization technologies are an alternative to other directory replication technologies such as Microsoft Identity Lifecycle Manager (ILM – formerly MIIS), IBM Tivoli Identity Manager (ITIM) and IBM Directory Integrator (IDI). Instead of replicating information from one directory or database to another, virtualization dynamically presents information from multiple sources as a single view. This concept is similar to a view in SQL Server, except that virtualized views support both read and write operations. This approach is extremely flexible as a large number of different views can be presented without impacting the underlying data stores.

There are many situations, though, where there is no common identifier to tie a user together across identity repositories:

[Figure: nocommonid, showing users with no common identifier across the identity repositories]

Radiant Logic’s Identity Correlation and Synchronization (ICS) component further extends the reach of VDS by allowing complex joins across identity sources to build an identity hub of correlated user identities, giving organizations a global profile for each of their users. It enables aggregation and correlation of identity information, the creation of unique global identifiers, and the identification and indexing of orphaned identities.

This allows me to now create a correlated identifier for the users and pull together a unified view of attributes:

[Figure: correlatedid, showing the correlated identifier and the unified view of attributes]

This enables things like single sign-on (SSO) because without a common identifier there is no way to pass the correct identity information to the underlying application or web access control product (e.g. CA SiteMinder Web Access Manager).
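To make the attribute re-mapping and the correlation steps concrete, here is a small Python sketch of the idea (an added example, not code from this post or from Radiant Logic's product). The two repositories, the attribute mappings and the `vd-` global-ID scheme are all constructed for illustration; the correlation rule is simply a normalised mail address, and anything that cannot be joined is reported as an orphan rather than guessed.

```python
import hashlib
# Constructed sample repositories (not real data): an AD-style directory and an HR database.
AD_ENTRIES = [
    {"sAMAccountName": "asmith", "mail": "Alice.Smith@example.com", "displayName": "Alice Smith"},
    {"sAMAccountName": "bjones", "mail": "bob.jones@example.com", "displayName": "Bob Jones"},
    {"sAMAccountName": "svc_backup", "mail": "", "displayName": "Backup Service"},
]
HR_ROWS = [
    {"emp_id": 1001, "email": "alice.smith@example.com", "dept": "Sales"},
    {"emp_id": 1002, "email": "bob.jones@example.com", "dept": "Finance"},
    {"emp_id": 1003, "email": "carol.white@example.com", "dept": "IT"},
]
# Per-source attribute mappings onto one virtual schema (the re-mapping the post describes).
AD_MAP = {"sAMAccountName": "uid", "mail": "mail", "displayName": "cn"}
HR_MAP = {"emp_id": "employeeNumber", "email": "mail", "dept": "ou"}

def remap(entry, mapping):
    """Rename a backend entry's attributes into the virtual schema; unmapped ones are dropped."""
    return {mapping[k]: v for k, v in entry.items() if k in mapping}

def correlation_key(entry):
    """Correlation rule: normalised mail address. Entries without mail cannot be joined."""
    mail = (entry.get("mail") or "").strip().lower()
    return mail or None

def global_id(key):
    return "vd-" + hashlib.sha256(key.encode()).hexdigest()[:12]  # stable synthetic ID (hypothetical scheme)

def build_identity_hub():
    """Join the sources into global profiles; return (profiles keyed by mail, orphans)."""
    profiles, orphans = {}, []
    for source, rows, mapping in (("ad", AD_ENTRIES, AD_MAP), ("hr", HR_ROWS, HR_MAP)):
        for raw in rows:
            entry = remap(raw, mapping)
            key = correlation_key(entry)
            if key is None:                      # cannot be correlated: flag it, do not guess
                orphans.append((source, entry))
                continue
            prof = profiles.setdefault(key, {"vdGlobalId": global_id(key), "mail": key, "sources": []})
            prof["sources"].append(source)
            for attr, value in entry.items():
                prof.setdefault(attr, value)     # first source seen stays authoritative
    # A profile present in only one source is an orphan too: there is no counterpart to join with.
    orphans += [(p["sources"][0], p) for p in profiles.values() if len(p["sources"]) == 1]
    return profiles, orphans

def virtual_search(attr, value):
    """Answer a search against the unified view rather than against any single backend."""
    profiles, _ = build_identity_hub()
    return [p for p in profiles.values() if str(p.get(attr, "")).lower() == str(value).lower()]
```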

ICS also allows synchronization through replication (e.g. directory to directory, database to database), point-to-point and/or subscriber-to-publisher and ESB/JMS messaging. So, you get the best of both worlds and can choose when to virtualize and when to synchronize information.

I hope this has been helpful. If you would like to see additional clarifications, please let me know.

-Todd

11 thoughts on “Just What is a Virtual Directory Anyway?”

  1. Pingback: Extending Augmented Reality with a Virtual Directory | CoreBlox Blog

  2. It's an informative write-up… just wanted to add another point: ICS can be used not only to replicate/synchronize among the same data source types but also among different data source types (directory to database, etc.).

  3. A virtual directory or virtual directory server in this context is a software layer that delivers a single access point for identity management applications and service platforms. A virtual directory operates as a high-performance, lightweight abstraction layer that resides between client applications and disparate types of identity-data repositories, such as proprietary and standard directories, databases, web services, and applications.

  4. In our organization, we use virtual directory because it has great advantageous features. But thanks for providing further ideas about it.

  5. Can you provide a little more insight into how the identities are correlated? Is this something that can be done using SiteMinder Federation Manager?

  6. Hi Brett,

    It is not really the same thing. You could leverage the correlation to provide the correct ID mappings to Federation Manager (as an example). Then Federation Manager will have the correct identity information to pass over to the service partner.

    Correlation is not a function of SSO. However, a common GUID to map identities -OR- correlation is needed for SSO to happen. As you cross from application to application (whether internal or federated), the application being accessed needs to know the correct identity. If there is no straightforward mapping using a common GUID, then using a product like Radiant Logic ICS helps because you can build the logic to dynamically map the user’s identities across systems.

    Does that help?

    Todd

  7. Another prominent VDS solution is Optimal IdM’s Virtual Identity Server (VIS), http://www.optimalidm.com/Products/VIS/Virtual-Directory-Server-VDS.aspx. Unlike Radiant and other solutions, Optimal IdM’s Virtual Identity Server (VIS) does not sync data into a database. With VIS, the data resides in its authoritative source. Any changes made to the backend data are reflected in the VIS virtual directory instantaneously, as opposed to other VDS solutions which require synchronization and the data staleness associated with that. The Optimal IdM solution works seamlessly with Microsoft technologies (SharePoint, Office 365, AD FS).

  8. Actually, Radiant Logic’s VDS virtualizes the contents of all of an organization’s data sources and integrates them into a federated directory, with a single complete profile for each user in the organization. Underlying identity silos maintain their independence, and whenever an entry in one of those silos is inserted, updated, or removed, the RadiantOne connector detects that change and updates the VDS in real time.

    As a result, the VDS is never stale, but is instead an always up-to-date representation of all of an organization’s identities. The virtual directory is stored as an LDAP, meaning an organization’s identities can be queried at the speed of a directory.

    Here’s a quick 4 minute video on how it works: http://rdn.tl/fidvid
