Posts Tagged ‘directory virtualization’

3 Building Blocks for Managing Cloud Applications

Monday, March 29th, 2010


Now that my webinar with Mike Donaldson and Lisa Grady is over I wanted to post up some additional information and also a video of the working demo. Thanks to Ping Identity and Radiant Logic for working with us on this demo.

Overview:

As a recap of the demo scenario, our theoretical company, MyCompany, is looking to leverage cloud-based services, and their strategy is to continue to migrate a significant amount of infrastructure to the cloud. The first application they have migrated is Salesforce CRM for Sales management. After that, they plan on expanding into Google Apps, a hosted provider for time and expense submission, HR, etc. The company has an internal Enterprise Directory (LDAP) which stores Employee profile information, while the sales region and list of accounts for a Sales Rep are stored in Salesforce CRM. Since not all employees have access to Salesforce, there is also an internal portal that employees use to find Sales Rep and customer information.

Since they started using Salesforce, they are noticing these main problems:

  1. Managing the provisioning/de-provisioning of internal users in Salesforce is a time consuming manual process, and in one case a terminated employee was not de-provisioned correctly and wound up retaining access to information they should not have been able to access as a non-employee.
  2. They have a high number of password management issues since users have a separate account in Salesforce.
  3. Certain pieces of information about salespeople and accounts are managed only in Salesforce and are not visible through the portal. This limits access to information that is needed to distribute new leads and to contact the correct Sales Rep in case of a customer issue.

So, they want a solution that provides the following benefits:

  1. Automates the provisioning and de-provisioning of users in Salesforce based upon membership in a group in LDAP
  2. Centralized view of internal user information with attributes coming from LDAP and Salesforce that can be surfaced through the portal
  3. Centralized view of customer information that shows both the information coming from Salesforce but also includes the information from the accounts payable database for the complete view of the customer
  4. Single Sign-on into Salesforce from the MyCompany Portal

Solution:

  • Ping Identity PingFederate for provisioning and de-provisioning of users based upon group membership in the salesforce group in VDS
  • Ping Identity PingFederate for Internet SSO using VDS as the LDAP directory for the Identity Provider (IdP) and Salesforce as the Service Provider (SP) using SAML

[Image: Salesforce-Provisioning]

  • Radiant Logic VDS Context Edition to create a single view of the employee information with cached attributes coming from LDAP and Salesforce
  • Radiant Logic VDS Context Edition to create a single view of the customer with cached attributes coming from the Salesforce Users and Accounts tables

[Image: Virtual-Directory-Entry]

For larger images, please see the slides from the presentation included below.
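To make the first building block concrete, here is a small reconciliation routine written for this post; it is not code from the demo, from PingFederate or from Radiant Logic. It models the rule the demo enforces: a user should hold an active Salesforce account exactly when they are a member of the salesforce group in VDS. The directory entries, group membership and cloud accounts are constructed in-memory samples (a real connector would read VDS over LDAP and call the cloud application's user API), and the employeeStatus attribute is an assumption used to show the terminated-employee case from the problem list.

```python
from dataclasses import dataclass

SALESFORCE_GROUP_DN = "cn=salesforce,ou=groups,dc=mycompany,dc=com"

# Constructed sample data: employee entries as the virtual directory would
# present them, keyed by DN. 'employeeStatus' is an assumed attribute.
VDS_ENTRIES = {
    "uid=alice,ou=people,dc=mycompany,dc=com":
        {"mail": "alice@mycompany.com", "employeeStatus": "active"},
    "uid=bob,ou=people,dc=mycompany,dc=com":
        {"mail": "bob@mycompany.com", "employeeStatus": "active"},
    "uid=carol,ou=people,dc=mycompany,dc=com":
        {"mail": "carol@mycompany.com", "employeeStatus": "active"},
    # Terminated employee whose group membership was never cleaned up.
    "uid=dan,ou=people,dc=mycompany,dc=com":
        {"mail": "dan@mycompany.com", "employeeStatus": "terminated"},
}

# Group membership as stored in the directory (member DNs). 'eve' is a
# dangling member reference with no matching entry.
VDS_GROUPS = {
    SALESFORCE_GROUP_DN: [
        "uid=alice,ou=people,dc=mycompany,dc=com",
        "uid=bob,ou=people,dc=mycompany,dc=com",
        "uid=dan,ou=people,dc=mycompany,dc=com",
        "uid=eve,ou=people,dc=mycompany,dc=com",
    ],
}

# Accounts currently in the cloud application, keyed by username (e-mail).
CLOUD_USERS = {
    "alice@mycompany.com": {"active": True},
    "bob@mycompany.com": {"active": False},   # deactivated earlier
    "carol@mycompany.com": {"active": True},  # created by hand, not in group
    "dan@mycompany.com": {"active": True},    # terminated but still active
}


@dataclass(frozen=True)
class Action:
    kind: str       # "create", "reactivate" or "deactivate"
    username: str


def desired_users(entries, groups, group_dn):
    """Usernames that should hold an active account: members of the group
    whose directory entry exists and whose employee status is active."""
    wanted = set()
    for dn in groups.get(group_dn, []):
        entry = entries.get(dn)
        if entry is None:                      # dangling member: nothing to do
            continue
        if entry.get("employeeStatus") != "active":
            continue                           # terminated: never desired
        wanted.add(entry["mail"].lower())
    return wanted


def reconcile(entries, groups, group_dn, cloud_users):
    """Return the actions that bring the cloud application in line with the
    directory. Accounts are deactivated rather than deleted so that record
    ownership and the audit trail survive."""
    desired = desired_users(entries, groups, group_dn)
    active = {u.lower() for u, a in cloud_users.items() if a["active"]}
    inactive = {u.lower() for u, a in cloud_users.items() if not a["active"]}
    actions = []
    for user in sorted(desired - active):
        actions.append(Action("reactivate" if user in inactive else "create", user))
    for user in sorted(active - desired):
        actions.append(Action("deactivate", user))
    return actions


if __name__ == "__main__":
    for action in reconcile(VDS_ENTRIES, VDS_GROUPS, SALESFORCE_GROUP_DN, CLOUD_USERS):
        print(f"{action.kind:10s} {action.username}")
```

Running it against the sample data reactivates bob, deactivates carol (no group membership) and deactivates dan, which is exactly the terminated-employee gap that the manual process missed. Because the desired state is computed from the directory on every run, removing someone from the group, or marking the entry terminated, is enough to pull their access.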

Results:

Once implemented, this simplified their environment and provided greater flexibility as they looked to expand into the other cloud services, minimized trouble tickets for Salesforce password resets and improved internal access to information.

Demonstration:

The following video shows the working demo which addresses the requirements above. This is just the starting point of what will eventually become a centralized hub for access to critical user and contextual data across repositories both internal to your company and also across cloud services outside of your firewall.

3 Building Blocks for Managing Cloud Applications – Video Demo

Webinar Recording:

A recording of the webinar is available on Ping Identity website. Note that registration is required.

View the Replay

I have also uploaded the slides to SlideShare so that you can more easily see the larger images:

I would love to hear what you have to say about this concept. Special thanks to Ian Barnett (Ping Identity) and Prashanth Godey (Radiant Logic) for helping to get this demo set up.

Thanks,
Todd

Just What is a Virtual Directory Anyway?

Thursday, September 10th, 2009

I often get asked what a virtual directory server is and how it can help. It’s surprisingly hard to get a basic, all-encompassing description of virtual directory technology. So, I thought I would take a stab at offering up my version. The description comes from information accumulated from several sources, including Radiant Logic, Wikipedia and my own write-ups.

A virtual directory or virtual directory server is a technology that provides a consolidated view of user identity and related information without having to migrate users into a single enterprise directory infrastructure. It serves as a lightweight service that operates between identity consumers and the various identity repositories across the environment. These identity repositories can be LDAP directories, databases or even web services and access to information can be either proxied through the virtual directory or correlated and cached through a complex set of rules. Think of it as a one-stop shop for everything you need to know about your users and their associated data and attributes. So, if you wanted to create a view of all your customers, what they have purchased and which sales rep sold them the product, the virtual directory allows you to pull together this data into a hierarchy that represents these relationships.

The following diagram shows how identity consumers leverage the virtual directory instead of being coded to talk directly to the back-ends:

[Image: virtual directory diagram]

Instead of building static representations of the information, a virtual directory receives queries and directs them to the appropriate backend identity repositories. The retrieved information appears to be coming from a single source and logic can then be applied such as re-mapping the information to make it compatible across applications without modifying the backend data or the applications. This ability to reach into native disparate repositories makes virtual directory technology ideal for consolidating data stored in a distributed environment.

The most commonly used protocol for virtual directory servers is LDAP. Some virtual directories like RadiantOne allow access through other mechanisms like ODBC/JDBC and through web services. Additionally, RadiantOne Virtual Directory Server is able to provide structure to unstructured information in order to understand the context of the identity and related information in the backend repositories.

The advantages of virtual directories include:

  • Faster deployment by avoiding synchronization
  • Leverage existing investments and high-availability for authoritative data stores
  • Provide application specific views of identity data that can help avoid the need to develop a master enterprise schema
  • Allow a single view of identity data without violating internal or external regulations governing identity data
  • Act as identity firewalls – preventing denial of service attacks on the primary data-stores and providing further security on access to sensitive data
  • Changes made in authoritative sources are reflected in real-time

Directory virtualization technologies are an alternative to other directory replication technologies such as Microsoft Identity Lifecycle Manager (ILM – formerly MIIS), IBM Tivoli Identity Manager (ITIM) and IBM Directory Integrator (IDI). Instead of replicating information from one directory or database to another, virtualization dynamically presents information from multiple sources as a single view. This concept is similar to a view in SQL Server, except that virtualized views support both read and write operations. This approach is extremely flexible as a large number of different views can be presented without impacting the underlying data stores.

There are many situations, though, where there is no common identifier to tie a user together across identity repositories:

[Image: nocommonid]

Radiant Logic’s Identity Correlation and Synchronization (ICS) component further extends the reach of VDS by allowing complex joining of identities to build an identity hub of correlated user identities, which lets organizations build a global profile for their users. It enables aggregation and correlation of identity information, the creation of unique global identifiers, and the identification and indexing of orphaned identities.

This allows me to now create a correlated identifier for the users and pull together a unified view of attributes:

[Image: correlatedid]

This enables things like single sign-on (SSO) because without a common identifier there is no way to pass the correct identity information to the underlying application or web access control product (e.g. CA SiteMinder Web Access Manager).
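To show what the query re-mapping described earlier and the correlation step described just above actually do, here is a toy virtual directory written for this post; it is not Radiant Logic's code and does not use the RadiantOne APIs. It models the correlated-and-cached mode: two constructed backends, an LDAP-style employee store and a SQL-style CRM user table, share no common identifier, so the view joins them on a correlation rule (normalised e-mail), maps both backends' attribute names onto one virtual schema, derives a stable global identifier, and flags orphans that exist in only one backend. The attribute names, the choice of e-mail as the correlation key and the hash-based global identifier are all assumptions for illustration.

```python
import hashlib

# Constructed sample backends (not real data). The LDAP side has a uid and
# cn; the CRM side has its own Id and different column names; nothing links
# the two records for John except the e-mail address, in different case.
LDAP_PEOPLE = [
    {"uid": "jsmith", "cn": "John Smith", "mail": "John.Smith@mycompany.com",
     "departmentNumber": "Sales"},
    {"uid": "lchen", "cn": "Li Chen", "mail": "li.chen@mycompany.com",
     "departmentNumber": "Finance"},
]
CRM_USERS = [
    {"Id": "005A1", "Email": "john.smith@mycompany.com", "Region": "East",
     "Accounts": ["Acme", "Globex"]},
    {"Id": "005B2", "Email": "pat.ortiz@mycompany.com", "Region": "West",
     "Accounts": ["Initech"]},
]

# Virtual schema: virtual attribute -> (backend, backend attribute). This is
# the re-mapping the consumer sees instead of the native names.
VIRTUAL_SCHEMA = {
    "uid": ("ldap", "uid"),
    "displayName": ("ldap", "cn"),
    "mail": ("ldap", "mail"),
    "department": ("ldap", "departmentNumber"),
    "salesRegion": ("crm", "Region"),
    "accounts": ("crm", "Accounts"),
}


def correlation_key(email):
    """Correlation rule (assumed): case-insensitive e-mail address."""
    return email.strip().lower()


def global_id(key):
    """Stable correlated identifier derived from the key (assumed scheme)."""
    return "gid-" + hashlib.sha256(key.encode("utf-8")).hexdigest()[:12]


def build_view(ldap_people=LDAP_PEOPLE, crm_users=CRM_USERS):
    """Join the backends on the correlation key. Returns the virtual entries
    keyed by global id and a list of orphans: (key, backends it is missing from)."""
    ldap_by_key = {correlation_key(p["mail"]): p for p in ldap_people}
    crm_by_key = {correlation_key(r["Email"]): r for r in crm_users}
    entries, orphans = {}, []
    for key in sorted(set(ldap_by_key) | set(crm_by_key)):
        sources = {"ldap": ldap_by_key.get(key), "crm": crm_by_key.get(key)}
        entry = {"globalId": global_id(key)}
        for vattr, (backend, battr) in VIRTUAL_SCHEMA.items():
            src = sources[backend]
            if src is not None and battr in src:
                entry[vattr] = src[battr]
        missing = [b for b, s in sources.items() if s is None]
        if missing:
            orphans.append((key, missing))
        entries[entry["globalId"]] = entry
    return entries, orphans


def search(view, attr, value, attributes=None):
    """Equality search against the virtual view, standing in for an LDAP
    filter such as (attr=value). Multi-valued attributes match on membership;
    single values match case-insensitively. globalId is always returned."""
    results = []
    for entry in view.values():
        current = entry.get(attr)
        if current is None:
            continue
        if isinstance(current, list):
            matched = value in current
        else:
            matched = str(current).lower() == str(value).lower()
        if matched:
            results.append({k: v for k, v in entry.items()
                            if attributes is None or k in attributes or k == "globalId"})
    return results


if __name__ == "__main__":
    view, orphans = build_view()
    print("who owns Acme:", search(view, "accounts", "Acme", ["uid", "displayName", "salesRegion"]))
    print("orphans:", orphans)
```

A consumer asking "who is the Sales Rep for Acme" sends one search and gets back the LDAP display name next to the CRM region, without knowing two repositories exist. The orphan list is the part worth watching from a security standpoint: an identity present in the CRM but absent from the enterprise directory (pat.ortiz here) is exactly the kind of account that escapes de-provisioning.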

ICS also allows synchronization through replication (e.g. directory to directory, database to database), point-to-point and/or subscriber-to-publisher and ESB/JMS messaging. So, you get the best of both worlds and can choose when to virtualize and when to synchronize information.

I hope this has been helpful. If you would like to see additional clarifications, please let me know.

-Todd

Thank you, SiteMinder

Tuesday, August 19th, 2008

Seven years ago when I was working for Onyx Software, I led a CRM implementation for a Waltham, MA based company called Netegrity. Netegrity had made an early arrival to the Identity & Access Management (IAM) party, and its SiteMinder solution for single sign-on (SSO) had been wildly successful with Fortune 500 companies. About a year later when I was looking to reduce my travel load and get a view of the CRM world from the other side, I joined Netegrity’s Business Systems group where I began working with my fellow CoreBlox co-founders. Three years later CA acquired Netegrity, and shortly after that we launched CoreBlox.

Normally I would end that last paragraph with “And the rest is history…”, but it’s important to recognize a major component that has allowed our start-up to defy the odds and celebrate three years as a self-funded business: SiteMinder. There’s no doubt that having a strong, smart, versatile team has been a key to our success, but it would be difficult to pursue our Web 2.0 initiatives (such as our I Have Kids app which is up to 60,000 users!) if we were unable to find consistent sources of revenue to fund them. Our team’s SiteMinder expertise has allowed us to establish ourselves as a boutique firm in a niche market, and it has opened doors in other spaces such as directory virtualization and SAML/federation. In a down economy, IAM spending has remained strong enough to provide us with the engagements we need to drive our business forward:

… the number of organizations planning to roll out identity and access management solutions in the next 12 to 18 months increased 11 [percentage points], moving from 49 percent in 2006 to 60 percent in 2008.

As with any product or service that one works with on a daily basis, it’s easy to focus on gaps and frustrations. Sometimes we need to step back and recognize that what makes the solution complex leads to the opportunities that those who know it well can enjoy.

So on behalf of the entire CoreBlox team, I’d like to offer a sincere THANK YOU to SiteMinder. May you continue to send great opportunities and clients our way!