Single Sign-On and Virtual Directories: A Match Made in Heaven

Single sign-on (SSO) alone is not enough to deliver a unified customer experience. This becomes apparent as companies attempt to implement cross-application SSO for disparate sets of users. SSO falls short as companies expand beyond a defined set of internal-only users into cross-business-unit applications, and especially into applications geared towards external users. While SSO tools allow companies to interweave applications running on disparate platforms into complex mashups that present a unified view of information, they often lack a mechanism to relate users across those systems.

Enter the virtual directory server. By combining SSO with a virtual directory server's ability to correlate user information according to configurable matching rules, companies gain the ability to bring applications together while reducing integration cost and time to market. The concept dubbed "Identity Acquisition" exemplifies these benefits: it is the ability to quickly subsume applications and users into a broader infrastructure that presents a unified appearance and links application functions. Through a virtual directory, companies can create a unified view of a user across all of their applications and use that view to present a single set of security roles to SSO-protected applications. This allows the SSO product to pass the correct identity to each underlying application regardless of differences in user directories and attributes. Because that correlated profile is what the SSO layer trusts for authorization, the matching rules deserve the same scrutiny as the access policies themselves: a false match merges two people's entitlements, and a missed match leaves a user with a fragmented experience. Without a mechanism for identifying users in a composite view, SSO provides only superficial benefits and cannot deliver a common experience as a user moves across disparate applications. A user known by one identifier in one application may be identified as id=130203 in another. Although SSO can grant the user access to both applications, without an established correlation, and a way to leverage that correlation into a unified profile, the ability to deliver a common experience across both systems is lost.

Typically companies have a set of key objectives when looking to deliver a common user experience. These may include the ability to:

  • Efficiently roll in newly identified applications
  • Integrate multiple user bases into a common delivery platform and exploit the "up-sell" factor
  • Expedite the integration of newly acquired identities and applications to reduce confusion and increase satisfaction
  • Create a repeatable process with known costs and timelines
  • Reduce the security and compliance exposure of managing multiple identities and decentralized application policies

A combined SSO and virtual directory infrastructure enables companies to meet these requirements and to provide an agile platform for changes in business objectives and processes.

How to Put the Pieces Together

The key to laying this foundation is to create a technology stack that includes a flexible set of tools allowing identities to be acquired into a common platform with little friction. Recently, we were faced with the challenge of assisting a company that was making multiple acquisitions. It needed to continue to give its customers a common view of technical support while the acquired systems were being assimilated into the broader application environment. Upon closer examination of the support tools then in use, the company discovered that it:

  • Needed to increase customer satisfaction
  • Needed to drive down technical support costs
  • Found too few customers utilizing self-help options (approximately 20%)
  • Were losing revenue due to a lack of ability to perform entitlement checking
  • Had too many environments to effectively manage and no centralized control
  • Found it difficult to support customers who had products from different business units because they were supported by different systems
  • Faced increasing demands on limited resources, including legacy applications

One of the key goals of the project was to entice customers to use self-help options. The objectives included:

  • Single Sign-on, for customers to login only once
  • Global Search, so that customers could search and view content-rich knowledgebase content across all support systems
  • Unified issue resolution capabilities across business units
  • A new base security architecture to accommodate future expansion

The overall solution was made up of the following components:

  • RadiantLogic RadiantOne Virtual Directory

Consolidates and caches user profiles (including all necessary attributes) from all user repositories into a single LDAP source, enabling the SiteMinder Policy Server to authenticate and authorize users against a single directory

  • CA SiteMinder

Enables enterprise security and single sign-on capabilities across all application platforms

  • SAP Portal

Allows a single front-end presentation layer across all legacy systems

  • IBM WCDS/OmniFind

Unified 3rd-generation knowledgebase across all acquired systems

  • CA eTrust Directory/MS SQL/Sybase/MySQL/ADAM

Backend application user stores containing the various disparate identities specific to that application

The following diagram highlights the solution landscape:

[Diagram: Solution Overview]

Each of these components allowed the company to establish a base platform for current requirements while also creating capacity for future acquisitions. RadiantOne played a key role by giving SiteMinder a single location for user authentication and authorization: it virtualized the multiple instances of the same user scattered across all systems into a single global profile.
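To make the correlation step described in the introduction and in the paragraph above concrete, here is an added, illustrative model of what the virtual directory does between the backend stores and the SSO layer. It is not RadiantOne or SiteMinder code, and it is not the company's actual matching rules, which the page does not describe. It assumes three constructed user stores with different schemas, a customer number as the strong correlation key and a normalized e-mail address as the weaker one; it builds one global profile per person carrying the union of the per-store roles, and it holds back any record whose weaker key matches more than one profile instead of merging it.

```python
"""Identity correlation across disparate user stores (illustrative model).

Added example, not RadiantOne or SiteMinder code. Three constructed stores
hold the same people under different identifiers and attribute names.
correlate() joins them into global profiles using two ordered matching
rules (assumed: customer number first, then e-mail) and refuses to
auto-merge a record whose e-mail matches more than one existing profile.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed sample data shaped loosely like an LDAP directory, a SQL CRM
# table and a legacy application table. Attribute names differ per store.
SUPPORT_LDAP = [
    {"uid": "jsmith", "mail": "J.Smith@Example.com", "custno": "C-1001", "roles": ["support"]},
    {"uid": "alee",   "mail": "alee@example.com",    "custno": "C-1002", "roles": ["support"]},
    {"uid": "pat",    "mail": "pat@example.com",     "custno": "C-2001", "roles": ["support"]},
]
CRM_SQL = [
    {"id": 130203, "email": "j.smith@example.com", "customer_number": "C-1001", "entitlements": ["premium"]},
    {"id": 130204, "email": "alee@example.com",    "customer_number": "C-1002", "entitlements": []},
    {"id": 130205, "email": "pat@example.com",     "customer_number": "C-2002", "entitlements": ["premium"]},
]
LEGACY_APP = [
    {"login": "smithj", "contact_email": "j.smith@example.com", "acct": "C-1001", "groups": ["kb_edit"]},
    {"login": "pat_l",  "contact_email": "pat@example.com",     "acct": None,     "groups": ["kb_read"]},
]


@dataclass
class Record:
    """One user as seen by one store, mapped onto a common shape."""
    store: str
    local_id: str
    email: str | None
    custno: str | None
    roles: list[str]


@dataclass
class Profile:
    """The global profile the SSO layer authenticates and authorizes against."""
    gid: str
    custno: str | None
    emails: set[str] = field(default_factory=set)
    sources: dict[str, str] = field(default_factory=dict)  # store -> local id
    roles: set[str] = field(default_factory=set)           # "store:role", provenance kept


def normalize_email(value):
    return value.strip().lower() if value else None


def load_records():
    """The 'view' step: map each store's own schema onto Record."""
    recs = []
    for r in SUPPORT_LDAP:
        recs.append(Record("ldap", r["uid"], normalize_email(r["mail"]), r["custno"], r["roles"]))
    for r in CRM_SQL:
        recs.append(Record("crm", str(r["id"]), normalize_email(r["email"]), r["customer_number"], r["entitlements"]))
    for r in LEGACY_APP:
        recs.append(Record("legacy", r["login"], normalize_email(r["contact_email"]), r["acct"], r["groups"]))
    return recs


def attach(profile, rec):
    """Link rec into profile; refuse if profile already holds a different id from rec's store."""
    existing = profile.sources.get(rec.store)
    if existing is not None and existing != rec.local_id:
        return False
    profile.sources[rec.store] = rec.local_id
    if rec.email:
        profile.emails.add(rec.email)
    profile.roles.update(f"{rec.store}:{role}" for role in rec.roles)
    return True


def correlate(records):
    """Return (profiles, unresolved). unresolved holds (record, candidate gids) pairs."""
    profiles, by_custno, pending, unresolved = [], {}, [], []

    def new_profile(custno):
        p = Profile(gid=f"g-{len(profiles) + 1:04d}", custno=custno)
        profiles.append(p)
        return p

    # Rule 1: records sharing a customer number belong to the same person.
    for rec in records:
        if rec.custno is None:
            pending.append(rec)
            continue
        p = by_custno.get(rec.custno)
        if p is None:
            p = by_custno[rec.custno] = new_profile(rec.custno)
        if not attach(p, rec):
            unresolved.append((rec, [p.gid]))

    # Rule 2: a record without a customer number joins the one profile that already
    # carries its e-mail. Zero hits starts a new profile; two or more is ambiguous,
    # and auto-merging there would hand one person another's entitlements.
    for rec in pending:
        hits = [p for p in profiles if rec.email and rec.email in p.emails]
        if len(hits) == 1 and attach(hits[0], rec):
            continue
        if not hits:
            attach(new_profile(None), rec)
        else:
            unresolved.append((rec, [p.gid for p in hits]))
    return profiles, unresolved


def sso_identity(profiles, store, local_id, target_store):
    """The identity the SSO layer would pass to target_store after a login at store."""
    for p in profiles:
        if p.sources.get(store) == local_id:
            return p.sources.get(target_store)
    return None


if __name__ == "__main__":
    profiles, unresolved = correlate(load_records())
    for p in profiles:
        print(p.gid, p.custno, sorted(p.sources.items()), sorted(p.roles))
    for rec, gids in unresolved:
        print("HOLD", rec.store, rec.local_id, "matches", gids)
    print("ldap jsmith ->", sso_identity(profiles, "ldap", "jsmith", "legacy"))
```

The held-back record is the case to watch: the legacy login pat_l carries an e-mail that two distinct customer records share, so the model parks it for review rather than guessing, and sso_identity returns nothing for that path until a person resolves it. A correlation layer that silently picked either candidate would be granting entitlements on the strength of an attribute that was never meant to be a unique key.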

Measurable Results

The new system greatly increased the company's ability to meet the desired goals. The platform ensured that:

  • All external technical support systems are available through a single login and through single sign-on
  • They are able to present unified entitlements and system access for customers owning multiple products
  • Customers have the ability to search across all content regardless of differences in the physical location of the data, improving self-service
  • The enhancements to the identity security infrastructure reduced costs

The effort yielded an increase both in customer and employee satisfaction as well as a significant reduction in the time required to make system changes. This combination of SSO and virtual directory technology delivered a match made not only in heaven, but also right here in our data centers.