Wednesday, April 11th, 2012
The Role of Virtual Directories in High-Volume, High-Diversity Identity Deployments

Gartner analyst Kevin Kampman’s recent report (G00227151) explores the importance of a virtual directory in high-volume identity environments. Kampman writes, “For larger organizations and in customer-facing environments, the quantity and size of datasets are increasing along with performance expectations and data diversity,” and he urges readers to “use virtual directories wherever there is ready access to data and to manage complex relationships.” We couldn’t agree more, and we’ve been talking about the importance of virtual directories in high-volume, high-diversity, and mega-challenging identity environments for years. When it comes to large-scale customer-facing initiatives, you need an identity solution that can scale, that can deal with heterogeneity, and that won’t fade with the next power outage. That’s why an advanced virtual directory with sync and persistent cache—like our RadiantOne—is the best choice for the challenging environment of the modern infrastructure.

Identity Integration: A Drive in the Slow Lane?

While directories scale well, not all directories scale the same way, and what if you start throwing in non-directory sources? When you’re storing identities for externally-facing initiatives, you would traditionally store them in a SQL database, which may be the slowest of all. So how can you pick up the pace when you’re integrating slower sources with your LDAP directories—and can your identity management system navigate this kind of diversity? In his report, Kampman writes, “A virtual directory plus a cache is optimal for many high-performance, high-volume situations. A synchronization service provides comparable performance. Both are limited by the responsiveness of the source repositories and underlying network infrastructure.”

With identity virtualization, speed of the underlying source repository isn’t even an issue. Virtualization allows you to create one global LDAP list of identities from across all data stores that the client application can query. And, because it’s stored in a power-boosting persistent cache, one lookup in the global list immediately returns the results, while back-ends are shielded from excessive queries, and even the slowest database can be reached at the speed of a directory.

Add Extra Horsepower with for Scalability

Enriching identity profiles is where the extra performance becomes especially handy, like when you need to create identity profiles based on multiple sources—which means joining identity attributes. Kampman writes, “The use of a cache with a virtual directory may be required as performance expectations grow. An example of this might include aggregating profile information across dissimilar repositories or where the performance or availability of the source repositories isn’t sufficient.” Large-scale WAM deployments that must integrate large, heterogeneous populations usually require a performance-enhancing cache to help power those attribute joins on the fly. Effective joins mean you get the complete view of each identity, which is essential not only for security processes, but also for most information about each customer.

Queries and Volumes

For a sizable, attribute-rich system with an extensive set of profiles, high availability, scalability, and stability are essential. With the ability to transform, rationalize, and stabilize the choppiest of identity management waters, RadiantOne’s federated identity service is purpose-built to handle the kind of environments Kampman describes.

Wednesday, April 11th, 2012

A key benefit of a federated identity service is being able to easily identify all the users in your infrastructure—without relying on outdated or incorrect user information. Our new RadiantOne 6 release makes this process easy with the Virtual Identity Wizard, which walks you through the process of building a robust global profile for all users from multiple heterogeneous data sources. With the wizard, you can now quickly and easily aggregate and correlate users without expensive customization—even if there’s no existing common identifier. Along with the complete user profile, VDS creates an index of users for fast and easy lookup, giving you the speed you need to flexibly handle all user requests. You end up with a unique list where all of your users are listed once—and only once—giving you critical information for all of your authentication and authorization needs.

The Virtual Identity Wizard walks you through the steps needed to configure one of the most common virtual directory use cases: creating a global list of users from across multiple heterogeneous data sources. These steps include:

  • Building a unique list of users, including correlation logic if needed, so that each identity is represented only once.
  • Defining which attributes should comprise the user profile (and setting attribute precedence when there are conflicts).
  • Configuring authentication (bind) order in cases where a user is found in more than one backend data source.
  • Mounting the virtual view in the VDS tree so client applications can access the list of users for authentication, authorization, and additional user information.
  • Configuring the caching option that best suits the environment.

The Virtual Identity Wizard provides this union-compatible set of complete profiles, without the heavy custom coding typically required for such a list. It enables you to deliver the required information to your applications, even when identity data comes from multiple authoritative sources.

We’d be happy to walk you through the new wizards, so just send us an email to set up a hands-on demo.

Monday, March 26th, 2012
Bridging On-Premise Identities with Web and Cloud Applications
Mark Diodati, Research VP
Gartner, Inc
Elle Griffin, Marketing Director
Radiant Logic, Inc

Gone are the days when your identity and applications were securely stored behind the firewall. Going forward, every application you deploy will be web or cloud-based—and the people accessing them could be inside their cubicles, or across the world. You need a federated identity hub to shield such applications from the complexity of your identity sources—but where should that hub live?
 
Find out at our next webinar on April 12, when featured speaker Mark Diodati, Research VP at Gartner, will explore the use of identity bridges to address business demands for SaaS-based applications. Elle Griffin of Radiant Logic will discuss why deploying a federated identity service is an important step for rationalizing and managing a chaotic identity infrastructure behind the firewall, while also enabling a secure connection to cloud and federated applications.

Date: April 12, 2012
Time: 8 AM PST, 11 AM EST
 
>> Register here!

Thursday, March 8th, 2012
From Virtual Directory to a Federated Identity Service

Identity ecosystems today are more complicated than ever, as companies try to authenticate and authorize a diverse user base—including internal, external, and mobile users—across multiple security protocols, identity stores, and usage patterns. That’s why we built RadiantOne 6.0, the first federated identity service purpose-built to tackle the most complex authentication and authorization challenges. This identity service features a dynamic set of capabilities including identity remapping, aggregation, correlation, and synchronization, wrapped in a sophisticated wizard-driven workflow that makes it powerfully easy to build, deploy, and manage. The new line-up includes our advanced virtual directory (VDS+), the Cloud Federation Service (CFS) to connect identities with the cloud, and an identity correlation and synchronization engine.

>> Press Release

Thursday, March 8th, 2012
Bridging On-Premise Identities for Web and Cloud Applications

Gone are the days when your identity and applications were securely stored behind the firewall. Going forward, every application you deploy will be web or cloud-based—and the people accessing them could be inside their cubicles, or across the world. You need a federated identity hub to secure such applications—but where should that hub live? Find out at our next webinar on April 12, when Gartner’s Mark Diodati will explore the use of identity bridges to address business demands for SaaS-based applications, and provide use cases drawn from Gartner client experiences. Radiant Logic’s Elle Griffin will discuss why deploying a federated identity service is an important step for rationalizing and managing a chaotic identity infrastructure behind the firewall, while also enabling a secure connection to cloud and federated applications.

>> Join us

Thursday, March 8th, 2012

Your Ticket to the Cloud

The cloud can be a big boost for your business, allowing you to access specialized software for crucial business processes, while avoiding the hassle or expense of managing it in-house. But it’s hard to harness the cloud’s advantages when your identities are scattered across multiple Active Directory domains and forests, databases, and applications. However, RadiantOne’s new Cloud Federation Service is your ticket to cloud SSO, and it’s ready for you to test drive. CFS turns your RadiantOne VDS into a connector to the cloud, building one system to enable SSO—even from outside devices like smartphones or tablets. So your users can use their AD credentials, along with their identities from databases and other silos. Many identity sources, one secure login—it’s just part of what we call the RadiantOne federated identity service.

The Challenge: Authentication and Authorization Across Silos and the Cloud

While cloud applications deliver a given function, such as CRM or payroll, as an external service, securing these applications poses the same challenges as securing internal applications. You must still integrate identities from across a variety of disparate sources, as well as federate with partner applications. To engage with the cloud, you have to go the “last mile” into disparate enterprise endpoints to authenticate users, and to collect identity attributes for authorization. This is tough enough within the enterprise itself, with its heterogeneous mix of existing identity and authentication silos, including multiple AD domains and forests, other LDAP directories, databases, and applications. Adding access to cloud-based or partner applications only increases the complexity.

Authentication and Authorization Silos

The typical identity infrastructure: many applications and many security means

Once you’ve gone into your silos, you have to transform the security means generated by your existing infrastructure into a vendor-appropriate industry standard format and deliver it to the cloud-based application. This might be one of several different methods of authentication, including form-based, a SAML token, or a Kerberos token. With so many standards already in the protocol mix, SaaS applications only cloud the picture even more.

The Solution: One Federated Identity Service to Unify Your Entire Identity Infrastructure

RadiantOne virtualization delivers identity as a complete, on-premise service, giving you a local identity hub for all your applications, whether they’re enterprise, web-based, or in the cloud. This lets you federate your identities to deliver a single point of access for all your applications, no matter what they do or where they’re located. With a federated identity service, cloud applications can authenticate users against the authoritative sources within your organization—and your essential identity data doesn’t have to cross the firewall every time you synchronize user accounts.

RadiantOne CFS

The RadiantOne Cloud Federation Service (CFS) creates secure tokens to meet the vendor-specific needs of SaaS applications, such as Salesforce and SharePoint. CFS can either leverage your ADFS deployment or replace it, creating a federation of all your identity sources. Powered by model-driven virtualization, our complete federated identity service delegates authentication and authorization to a common layer. Then our Cloud Federation Service connects this virtualized view of identity to the cloud through a sophisticated STS (secure token service).

Cloud Today, Intercloud Tomorrow

In a recent article in Network World, Sevcik and Wetzel suggest that the “intercloud” might be the way of the future, but they also mention that “realizing the intercloud vision requires overcoming formidable technical and organizational challenges”—including authentication across a federated cloud environment. However, they name Radiant Logic’s federated identity service as a critical part of a common authentication solution, thanks to our identity virtualization technology. With the ability to authenticate identities across a huge number of identity sources, and then generate claims for users stored in these diverse sectors, RadiantOne’s federated identity service is an on-premise identity management solution for federated environments today, and the intercloud environment of tomorrow. RadiantOne gives you all the tools you need to federate identity, achieve SSO with your SaaS apps, and even build a common authentication solution for tomorrow’s take on cloud computing—all without disrupting your infrastructure.
