Gartner analyst Kevin Kampman’s recent report (G00227151) explores the importance of a virtual directory in high-volume identity environments. Kampman writes, “For larger organizations and in customer-facing environments, the quantity and size of datasets are increasing along with performance expectations and data diversity,” and he urges readers to “use virtual directories wherever there is ready access to data and to manage complex relationships.” We couldn’t agree more, and we’ve been talking about the importance of virtual directories in high-volume, high-diversity, and mega-challenging identity environments for years. When it comes to large-scale customer facing initiatives, you need an identity solution that can scale, that can deal with heterogeneity, and that won’t fade with the next power outage. That’s why an advanced virtual directory with sync and persistent cache—like our RadiantOne—is the best choice for the challenging environment of the modern infrastructure.

Identity Integration: A Drive in the Slow Lane?

While directories scale well, not all directories scale the same way, and what if you start throwing in non-directory sources? When you’re storing identities for externally-facing initiatives, you would traditionally store them in a SQL database, which may be slowest of all. So how can you pick up the pace when you’re integrating slower sources with your LDAP directories—and can your identity management system navigate this kind of diversity? In his report, Kampman writes, “A virtual directory plus a cache is optimal for many high-performance, high-volume situations. A synchronization service provides comparable performance. Both are limited by the responsiveness of the source repositories and underlying network infrastructure.”

With identity virtualization, speed of the underlying source repository isn’t even an issue. Virtualization allows you to create one global LDAP list of identities from across all data stores that the client application can query. And, because it’s stored in a power-boosting persistent cache, one lookup in the global list immediately returns the results, while back-ends are shielded from excessive queries, and the even the slowest database can be reached at the speed of a directory.

Add Extra Horsepower with for Scalability

Enriching identity profiles is where the extra performance becomes especially handy, like when you need to create identity profiles based on multiple sources—which means joining identity attributes. Kampman writes, “The use of a cache with a virtual directory may be required as performance expectations grow. An example of this might include aggregating profile information across dissimilar repositories or where the performance or availability of the source repositories isn’t sufficient.” Large-scale WAM deployments that must integrate large, heterogeneous populations usually require a performance-enhancing cache to help power those attribute joins on the fly. Effective joins means you get the complete view of each identity, which is essential not only for security processes, but also for most information about each customer.

For a sizable, attribute-rich system with an extensive set of profiles, then high availability, scalability, and stability are essential. With the ability to transform, rationalize, and stabilize the choppiest of identity management waters, RadiantOne’s federated identity service is purpose-built to handle the kind of environments Kampman describes.

The Virtual Identity Wizard walks you through the steps needed to configure one of the most common virtual directory use cases: creating a global list of users from across multiple heterogeneous data sources. These steps include:

• Building a unique list of users, including correlation logic if needed, so that each identity is represented only once.
• Defining which attributes should comprise the user profile (and setting attribute precedence when there are conflicts).
• Configuring authentication (bind) order in cases where a user is found in more than one backend data source.
• Mounting the virtual view in the VDS tree so client applications can access the list of users for authentication, authorization, and additional user information.
• Configuring the caching option that best suites the environment.

The Virtual Identities Wizard provides this union compatible set of complete profiles, without the heavy custom coding typically required for such a list. It enables you to deliver the required information to your applications, even when identity data comes from multiple authoritative sources.

We’d be happy to walk you through the new wizards, so just send us an email to set up a hands-on demo.

Mark Diodati, Research VP Gartner, Inc

Elle Griffin, Marketing Director Radiant Logic, Inc

Gone are the days when your identity and applications were securely stored behind the firewall. Going forward, every application you deploy will be web or cloud-based—and the people accessing them could be inside their cubicles, or across the world. You need a federated identity hub to shield such applications from the complexity of your identity sources—but where should that hub live?
 
Find out at our next webinar on April 12, when featured speaker Mark Diodati, Research VP at Gartner, will explore the use of identity bridges to address business demands for SaaS-based applications. Elle Griffin of Radiant Logic will discuss why deploying a federated identity service is an important step for rationalizing and managing a chaotic identity infrastructure behind the firewall, while also enabling a secure connection to cloud and federated applications.

Date: April 12, 2012
Time: 8 AM PST, 11 AM EST
 
>> Register here!

Identity ecosystems today are more complicated than ever, as companies try to authenticate and authorize a diverse user base—including internal, external, and mobile users—across multiple security protocols, identity stores, and usage patterns. That’s why we built RadiantOne 6.0, the first federated identity service purpose-built to tackle the most complex authentication and authorization challenges. This identity service features a dynamic set of capabilities including identity remapping, aggregation, correlation, and synchronization, wrapped in a sophisticated wizard-driven workflow that makes it powerfully easy to build, deploy, and manage. The new line-up includes our advanced virtual directory (VDS+), the Cloud Federation Service (CFS) to connect identities with the cloud, and an identity correlation and synchronization engine.

>> Press Release

Gone are the days when your identity and applications were securely stored behind the firewall. Going forward, every application you deploy will be web or cloud-based—and the people accessing them could be inside their cubicles, or across the world. You need a federated identity hub to secure such applications—but where should that hub live? Find out at our next webinar on April 12, when Gartner’s Mark Diodati will explore the use of identity bridges to address business demands for SaaS-based applications, and provide use cases drawn from Gartner client experiences. Radiant Logic’s Elle Griffin will discuss why deploying a federated identity service is an important step for rationalizing and managing a chaotic identity infrastructure behind the firewall, while also enabling a secure connection to cloud and federated applications.

>> Join us

The Challenge: Authentication and Authorization Across Silos and the Cloud

While cloud applications deliver a given function, such as CRM or payroll, as an external service, securing these applications poses the same challenges as securing internal applications. You must still integrate identities from across a variety of disparate sources, as well as federate with partner applications. To engage with the cloud, you have to go the “last mile” into disparate enterprise endpoints to authenticate users, and to collect identity attributes for authorization. This is tough enough within the enterprise itself, with its heterogeneous mix of existing identity and authentication silos, including multiple AD domains and forests, other LDAP directories, databases, and applications. Adding access to cloud-based or partner applications only increases the complexity.

The typical identity infrastructure: many applications and many security means

Once you’ve gone into your silos, you have to transform the security means generated by your existing infrastructure into a vendor-appropriate industry standard format and deliver it to the cloud-based application. This might be one of several different methods of authentication, including form-based, a SAML token, or a Kerberos token. With so many standards already in the protocol mix, SaaS applications only cloud the picture even more.

The Solution: One Federated Identity Service to Unify Your Entire Identity Infrastructure

RadiantOne virtualization delivers identity as a complete, on-premise service, giving you a local identity hub for all your applications, whether they’re enterprise, web-based, or in the cloud. This lets you federate your identities to deliver a single point of access for all your applications, no matter what they do or where they’re located. With a federated identity service, cloud applications can authenticate users against the authoritative sources within your organization—and your essential identity data doesn’t have to cross the firewall every time you synchronize user accounts.

The RadiantOne Cloud Federation Service (CFS) creates secure tokens to meet the vendor-specific needs of SaaS applications, such as Salesforce and SharePoint. CFS can either leverage your ADFS deployment or replace it, creating a federation of all your identity sources. Powered by model-driven virtualization, our complete federated identity service delegates authentication and authorization to a common layer. Then our Cloud Federation Service connects this virtualized view of identity to the cloud through a sophisticated STS (secure token service).

Cloud Today, Intercloud Tomorrow

In a recent article in Network World, Sevcik and Wetzel suggest that the “intercloud” might be the way of the future, but they also mention that “realizing the intercloud vision requires overcoming formidable technical and organizational challenges”—including authentication across a federated cloud environment. However, they name Radiant Logic’s federated identity service as a critical part of a common authentication solution, thanks to our identity virtualization technology. With the ability to authenticate identities across a huge number of identity sources, and then generate claims for users stored in these diverse sectors, RadiantOne’s federated identity service is an on-premise identity management solution for federated environments today, and the intercloud environment of tomorrow. RadiantOne gives you all the tools you need to federate identity, achieve SSO with your SaaS apps, and even build a common authentication solution for tomorrow’s take of cloud computing—all without disrupting your infrastructure.

I’m looking forward to RSA this year, where we’ll announce a major breakthrough in the way companies manage their identity in this increasingly web and cloud-centric world. I’m also proud to see that RSA is integrating our solution into its excellent IdM stack.

I’ll tell you all about it below, but first, I’d like to address a topic that’s been burning up the blogosphere lately.

The Virtual Directory is Dead. Long Live the Virtual Directory!

We all know that it’s not enough to innovate; the success of a new technology is also measured by its degree of integration within the existing ecosystem. I’ve been reflecting on that challenge lately, after reading this piece on Ping Federate’s new authentication chaining capability, which suggests the virtual directory is no longer necessary. Hmm, we know our good friends at Ping Identity are not that radical—just check out the slides from their latest webinar—but I guess you know the old joke: Groucho was a Marxist and Lenin was a Beatle. I will leave it to Nishant Kaushik’s excellent response to explain why authentication chaining is only a very small part of the answer.

Mostly, I’m struck by the fact that the virtual directory—technology my friend Claude and I invented back in the dark ages of last decade—is now such an accepted part of today’s identity infrastructure that people feel free to proclaim its demise. After years of trying to explain what a virtual directory was, that feels like a victory!

Okay, now let me share some news I’m really excited about.

From Virtual Directory to a Federated Identity Service Powered by Virtualization

Over the years, we’ve advanced virtual directory technology from a proxy-driven routing and remapping engine to a model-driven virtualization solution, which enables you to design the exact identity views required by your applications. Now we’ve taken it a step further, delivering a federated identity service based on virtualization that’s key to the deployment of any secure web application or identity provider (IdP) in a federation—all without disrupting your existing systems. This service hides the heterogeneity of your existing identity sources, and exposes a logical, coherent, secure, and application-friendly view of your users to both internal and external applications. And it drives any business initiative where a global view of identity is essential, including web access management, portal, and cloud integration.

Sounds like a great solution, right? But first, let’s take a look at the problem we’re solving.

Applications, Security Protocols, and Identity Sources—Oh, My!

In any sizeable modern organization, there are many links tying applications, via disparate security and access protocols, to all the different identity sources. I call this the “Star Wars” effect:

For such companies, many internal, external, web, and cloud-based applications (A) must talk to many identity sources (I) using different security protocols (S), with every factor representing some number (N) of links—and every link costing lots of money ($$$) to develop, manage, and maintain.

When you do the math—A x I x S = N links (x $$$)—it’s basically a shoot-out at the Not-OK Corral, where you’re left with a brittle network of links, protocols, and identity representations that require a whole IT team to maintain. And whether your company is revamping its portal, adding a critical cloud-based application, or acquiring a partner, any changes put incredible (and incredibly expensive!) demands on a critical infrastructure.

An Identity Hub to Reduce Complexity and Rationalize your Infrastructure

Fortunately, there is a well-established pattern for solving the problem of too many links. By creating an intermediate layer—a hub—you can reduce the complexity of M x N interactions to more manageable and linear M + N connections. After all, this is why the airlines fly you through Denver or Charlotte or Chicago, instead of offering the chaos of thousands of direct flights between destinations.

Our federated identity service acts as a virtual identity hub, anchoring your identity infrastructure and enabling you to interconnect all the identities across the enterprise, no matter where or how they’re stored, for smarter security, better authentication, and more finely-grained authorization.

Now, this idea of an identity hub is not new—in fact, identity vendors have been trying to develop (or reinvent) some form of an identity hub for years, from the over-centralization of the ”enterprise directory,” to the efficient but inflexible meta-directory, and more recently the flexible but limited “classical” virtual directory based on simple mapping, routing, and proxy. After many years of experience with customer integrations, we know you need to combine the strengths of all these different approaches, and add a little special sauce on top, so let’s take a quick look at the technologies and processes underlying our solution.

Under the Hood: What Drives the RadiantOne Identity Hub

At the foundation level, you need a virtualization layer that’s rich enough to abstract the variety of identity representations, and smart enough to project them into the specific views your applications need for strong authentication and smart authorization. This is what we call virtualization by model.

But beyond the abstraction layer and a rich toolset, you need also a well-defined process. When you build a common layer shared by applications and existing identity sources, you also need to satisfy a complex set of new requirements. Ideally, your hub must be able to route and delegate credentials, automatically synchronize attributes, aggregate and disambiguate identities, and provide some sort of advanced caching and storage for better performance. And to build a solid federated identity infrastructure, these capabilities must be deployed in a well-considered order. To make it all easier, we’ve automated this workflow through a set of powerful wizards in VDS+, which guide you through the steps required. These wizards take once-complex configurations and turn them into quick and simple point-click-done operations—they’re real gamechangers, and it’s worth stopping by booth 345 at RSA for a demo. You can also read more about this new solution in our latest press release.

But there’s still one important consideration we need to address. While every vendor agrees you need some form of identity hub, there’s great debate about where that hub should live.

Elvis May Have Left the Building—But Your User Credentials Need to Stay On-Premise

Of course, cloud vendors are eager to prove the merits of their SaaS approach. “Just host it in the cloud!” they say, which is great for greenfield deployments or homogeneous environments. But most medium to large organizations have built up an existing infrastructure with many applications and identity sources, each responding to different security methods and protocol—all held together with costly customizations, long nights on the help desk, and no small amount of hope. For such companies, hosting on the cloud is risky, because too much identity has to be synchronized across the firewall.

In these cases, we know it’s better—in fact, it’s imperative from a security sense—to begin by hosting the identity hub on-premise, so your cloud apps get the identity they need, and your critical enterprise data doesn’t have to walk a tightrope across your firewall every time someone logs on to Salesforce. The beauty of RadiantOne’s on-premise service is that you can consolidate and rationalize all your identity, no matter where it’s required—enterprise, web, mobile, cloud—without disrupting your existing infrastructure. With this approach, you get immediate wins for your current identity initiatives and can also evolve your identity in whatever direction you choose.

Take a Test-Drive at RSA: Join Us at Booth 345

There’s a lot more to say about our federated identity service, and I’ll be taking a closer look at some of the technological underpinnings in blogposts to come, including model-driven virtualization, identity correlation through union, identity extension through join, as well as synchronization, data remapping, and advanced caching.

For now, come see RadiantOne in action at RSA!

We’ll be in booth 345, so please either drop by or schedule a session with my team at info@radiantlogic.com or at 1.877.727.6442.

See you at RSA,

-Michel Prompt, founder and CEO, Radiant Logic

The RSA conference is right around the corner, and we’re looking forward to seeing you! We’d like to offer you a front row seat when we unveil the RadiantOne federated identity service. RadiantOne 6.0 is the first complete on-premise federated identity service based totally on virtualization, and it’s purpose-built to address the security demands of authenticating and authorizing a diverse user base—including internal, external, and mobile—across multiple security protocols, identity stores, and usage patterns. RadiantOne 6.0 includes the brand new VDS+ virtual directory, the Cloud Federation Service (CFS) to connect identities with the cloud, and a powerful identity correlation and synchronization engine.

See RadiantOne in Action: Drop by for a Demo

We’d be happy to set up a demo, so just drop us a line at info@radiantlogic.com, or stop by booth #345. We’ll have virtualization pros on hand to answer any questions, or to walk you through the new RadiantOne platform!

Free Expo Pass! ($100 value)
Pass Code: EC12RLG

Learn from the Pros at Axiomatics, Sailpoint, Layer 7, and Radiant Logic

Companies today are looking for a comprehensive authorization solution that’s external to applications, resources, and data—and an increasing number of IT organizations are turning to XACML-driven access control. Do you have the knowledge you need to build such dynamic, flexible, and compliant authorization services?

Deliver Smarter, Attribute-Based Access Control

Radiant Logic is co-hosting a series of XACML training workshops across the country. These trainings explore how to integrate your existing identity silos with modern and complex architectures. We’ll also look at how virtual directory services, XML gateways, and access governance complement XACML systems. You’ll come away with real insight into how to achieve policy-driven attribute-based access control using real-time enterprise data, regardless of that data’s location, form, or complexity.

Don’t Miss these Opportunities!

These trainings will introduce XACML concepts and complementary technologies and then take a deeper dive into more advanced topics. All your session materials, meals, and wireless Internet access will be provided.

Get a more detailed agenda and register today.
 
See you at the workshop!
 
-The Radiant Team
 
PS: We’ve run this same series in other cities and it has sold out. If you’re interested in attending, be sure to register soon.

Join Us for the FICAM Kick-Off, March 28, Washington, DC

If you work in identity management for a government agency, you can’t afford to miss this free FICAM kick-off.
 
Join us for an event highlighting the recently-released FICAM roadmap. Take a deep dive into the FICAM guidelines, discuss potential use cases, and gather best practices for implementation. You’ll hear from FICAM gurus Anil John and Deborah Gallagher, and explore how the RadiantOne complete identity service, based on model-driven virtualization, is being used to build the Authoritative Attribute Exchange Service. 

Sign Up Now for this Free FICAM Kick-Off

We’ll begin with a breakfast of croissants and coffee and end with lunch. Along with the speakers, there will be ample time for questions and mingling—and every attendee will receive a ticket to tour the spy museum.

If you’re charged with implementing FICAM initiatives, this is one event you won’t want to miss—we look forward to meeting you at the Spy Museum.

Check out the agenda and be sure to sign up today!
 
See you in DC,
 
The Radiant Team

Radiant Logic’s going on tour! We’re thrilled to announce our 2012 event line-up, with a number of great ways for you to put RadiantOne in your hands, and see what our complete identity service is all about. Check our brand new events page for dates, locations, and registration.

• RadiantOne Trainings: Don’t miss your chance to master the new RadiantOne VDS+, and get practical experience in an instructor-led classroom. This year, we’ll offer our totally revamped trainings in ten different cities, so register for one near you!
• XACML Workshops: Learn how to achieve policy-driven attribute-based access control using real-time enterprise data, with industry leaders Radiant Logic, Axiomatics, Layer 7, and Sailpoint.
• FICAM Event: Work in identity management for a government agency? Learn more about the new FICAM guidelines, potential use cases, and best practices for implementation over free breakfast and lunch at the Spy Museum!

Here at Radiant, we believe that the future’s already here— and we’ll prove that this month when we ship the first release of the RadiantOne Cloud Federation Service, so you can turn your RadiantOne VDS into one connector to the cloud, enabling SSO across your enterprise—and even from an outside device like a smartphone or a tablet. Stay tuned in February to download your free trial!

Instead of defining and maintaining static groups for cloud-based authorization, RadiantOne lets you create new dynamic groups based on existing attribute values, and populate those groups with users coming from multiple sources:

You can also import existing static groups into RadiantOne VDS and remap them to meet application requirements:

RadiantOne can even base your group definition on multiple attribute values—such as department and title—for more finely-grained group definition. Say you want a group for each department in your enterprise. With RadiantOne, all you have to do is create a dynamic group for the attribute “department” and automatically you have groups for your Sales, HR, and Marketing departments, with members coming from across all data stores.

With RadiantOne, it’s easy to leverage your existing data for attribute-based authorization in the cloud and keep those groups up to date automatically.

>> Read our new FICAM white paper and be sure to attend the FICAM kick-off at the end of March.

You’ve heard us talking about building a federated identity service out of distributed systems, and the critical importance of an on-premise identity hub. Considering the many disparate sources, the multiple authentication and authorization methods, and the diversity of applications accessing this identity infrastructure, we’re going to keep talking about the need for an identity service through 2012. In fact, we’re busy cooking up a new product line-up for next year, combining all the capabilities you need to overcome these challenges—including model-driven virtualization, as well as synchronization and correlation—previously available only through a collection of point solutions. RadiantOne’s new identity service rationalizes your current identity infrastructure, bridging your immediate reality with the long-term option of a hosted solution. With RadiantOne, the future’s built in—so you can face today’s challenges and take advantage of tomorrow’s opportunities.

	Best Wishes in the New Year! It’s that time of year, when we look back at the shrinking budgets and expanding possibilities of 2011, and ahead to the opportunities and challenges of 2012. Thank you for your interest and support over the past year, and here’s to a very successful new year—may it be filled with identity innovations, infrastructure advancements, and high-ROI initiatives! -Happy Holidays from the Radiant Logic Team

In the News:

Gartner IDaaS Report Includes Radiant Logic

In a recent market profile of Identity Management as a Service (#G00215472), Gartner analyst Mark Diodati identifies a growing movement towards what he calls “the Emerging Identity Bridge.” In Diodati’s words, “While the IDaaS market matures and additional IdM capabilities are supported, the identity bridge will become an important—perhaps essential—component for hybrid deployments. The identity bridge can ‘smooth over’ the differences between on-premises and hosted architectures.” With both directory sync and federation IDP capabilities, RadiantOne can serve as an identity bridge by delivering an on-premise federated identity hub for all your applications—both enterprise and cloud-based.

Identity For the Cloud, Not In the Cloud

It’s no secret that a centralized identity hub is essential for federated identity—but the pressing question is where to host it. In his report, Diodati distinguishes between three use cases where identity management and cloud computing intersect: To the Cloud, In the Cloud, and From the Cloud. He writes, “Today, the primary (and original) deployment model for IDaaS is ‘to the cloud.’ Under this model, the goal is to extend the organization’s existing on-premise IdM capabilities to SaaS and partner applications in the cloud.” If you’re like most larger enterprises, you already have a complex infrastructure with identities spread across many disparate sources—multiple AD domains and forests, other directories, databases, web services—along with a multitude of legacy applications that rely on those sources. For such companies, a move to cloud-based identity would be extremely disruptive—while using only ADFS would cover only one of the multitudes of identity repositories you grapple with every day.

Radiant Logic’s federated identity hub is the perfect choice for organizations that want to leverage IDaaS, but also need to keep user information on-premise. With the ability to aggregate, sync, and correlate identities from across the enterprise and the cloud, RadiantOne’s on-premise identity hub gives you a centralized identity source for all your applications. As an “identity bridge,” RadiantOne federates your identity to deliver a single point of access for all your applications— no matter what they do or where they’re located. Cloud applications can authenticate users against the authoritative sources within your organization—and your essential identity data doesn’t have to cross the firewall every time you synchronize user accounts. RadiantOne is a solution that spans both your immediate reality—a heavy investment in on-premise identity stores—with the long-term option of a hosted solution, so you can begin taking advantages of cloud infrastructures today.

New White Paper:

Secure Cloud Apps without Disrupting Your Enterprise Identity Infrastructure

Discover how a virtual identity service enables you to federate your identity, delivering a single point of access for all your applications, no matter what they do or where they’re located. By delivering identity as a complete, on-premise service, cloud applications can authenticate users against the authoritative sources within your organization—and your essential identity data doesn’t have to cross the firewall every time you synchronize user accounts.

>> Download

Feature Spotlight:

Add Speed and Scalability with a Persistent Cache

Searching for users takes a lot of time and processing power. To find a user, your client application has to first query multiple backends, navigating many different protocols, and then retrieve the necessary attributes—all while dealing with errors resulting from duplicate accounts. Costly and time-consuming lookups are required for retrieving multiple attributes on the fly, and correlating users across silos can add hours of processing time. This results in glacial performance on essential tasks such as authentication.

However, RadiantOne’s persistent cache guarantees accessibility of data—even when the underlying backend is down, persistently cached views are always available. These views are kept up to date with near-real time cache refresh, with changes being detected via connectors linked to the data sources, so finding your user is a quick, no hassle process.

Challenge: Draining and Costly User Look-Ups

Costly and time-consuming lookups are required to find a user across directories, database, and cloud applications, and especially for retrieving multiple attributes on the fly. This can lead to extreme slowdowns for critical tasks such as authentication.

Round robin is one method to find a user across identity sources. In this configuration, the application checks one backend after the other, resulting in many irrelevant queries and slow response time since the application has to look through each source, one at a time.

Another option is to issue parallel queries, which means that the application searches all data stores at the same time. While it’s much faster than round robin, you’re still overloading your data stores with irrelevant queries. This can overload slower data stores by forcing them to handle the same number of queries as a faster data store that’s optimized for more.

Solution: Advanced Persistent Cache

RadiantOne’s virtual layer offers a smarter, faster alternative, by creating one global list of identities from across all data stores that the client application can query. And, because it’s stored in a persistent cache, one lookup in the global list immediately returns the results, while backends are shielded from excessive queries. A persistent cache means that data is never stale, and attribute joins can be performed on the fly.

A persistent cache enables:

• Guaranteed performance— regardless of the nature and performance of the underlying source.
• Real-time cache refresh based on event detection.
• Complex joins across multiple sources without sacrificing performance.

RadiantOne’s Persistent Cache is a high-performance LDAP directory fully equipped with replication, so finding your user is never a challenge—no matter how many authentication sources you have in your backend. Only RadiantOne enables you to scale to millions of users without sacrificing speed—while keeping all your identities dynamically updated.

The big story these days is the move to cloud-based applications that deliver specialized new services without the cost and hassle of developing or managing them yourself. But securing these applications is another story. While the Software-as-a-Service (SaaS) model is expanding enterprise capabilities, it’s also putting a strain on your existing identity infrastructure.

According to Gartner analyst Greg Kreizman in his paper on Options for Coping with New Identity Islands in the Cloud: “SaaS providers often fail to adequately address enterprise identity and access management (IAM) integration requirements, and customers face increased identity administrative burdens, reduced user convenience, and reduced audit and compliance insight.” In fact, as Kreizman points out, the majority of SaaS apps do not provide ways to leverage established enterprise IAM tools to manage identity and access for cloud applications.

The Logon Challenge without a Federated Identity

For most enterprises, the cloud only deepens an existing challenge: how to secure a complex heterogeneous environment with multiple identity sources and applications. As you can see, dealing with n (identity sources) and p (applications) leads to c (chaos):

The answer is to federate identities, creating a central identity hub to give your SaaS applications a single point of access for authentication and authorization.

You Need an Identity Hub—but Where Should it be Hosted?

No matter what the model, everyone agrees: a centralized identity hub is essential for federated identity. The difference is in where it’s hosted. If you’re starting from scratch with a greenfield deployment, it makes sense for identity to be hosted in the cloud—basically, you’re securing your SaaS applications using another cloud-based service that’s contracted out to a third-party vendor. If you’re a smaller organization looking to authenticate against your Active Directory employee base, then federating locally using ADFS (Active Directory Federation Service) might be the best choice—after all, it’s built right in to the system, so it’s cheap and designed to work with your AD.

If you’re like most larger enterprises, however, you already have a complex infrastructure with identities spread across many heterogeneous sources—multiple AD domains and forests, other directories, databases, web services—along with a multitude of legacy applications that rely on those sources. For you, a move to cloud-based identity would be extremely disruptive—imagine cutting down the forest to make room for some seedlings; there’s all sorts of potential there, but meanwhile, you’re getting sunburned—while the use of ADFS would cover only one of the multitude of identity repositories you grapple with every day.

A Federated Identity Service For the Cloud—Not In the Cloud

What you need is a way to federate all your identities, delivering a single access point for all your applications, whether they’re in the enterprise, on the web, or in the cloud. Such an on-premise identity service allows you to authenticate as close to the authoritative sources as possible—and keeps your identity more secure, since identities don’t have to travel across the firewall every time you synchronize user accounts.

With RadiantOne virtualization, you don’t have to uproot your existing infrastructure. RadiantOne delivers a complete, federated identity service that allows your identity to evolve easily with changing requirements, whether that means adding new data sources or applications, expanding your user populations after a merger or acquisition, or extending your identity securely to take advantage of the cloud.

Does a Move to the Cloud Mean a Return to Silos?

In a recent article for Information Week, Michael Biddick questions whether a move to the cloud might just create a whole bunch of new identity silos in your infrastructure. He asks, “So, why are we adopting SaaS at a steady clip if we haven’t found a good way to securely link these apps with one another and in-house systems?” However, with ten years of experience in unifying identity silos, we believe we have the solution.

As the pioneers of the virtual directory, identity integration is our forte—and we know that Saas applications are not all that different. By isolating applications from the complexity of backend sources, RadiantOne’s identity and context service provides a single unified view of customers, employees, and partners. This service is a key enabler for enterprise security initiatives, including Web Access Management, Portal SSO, and Federation—as well as integrating Saas applications into the infrastructure. RadiantOne virtualizes identities out of their backend silos—whether that’s multiple Active Directory domains and forests, databases, applications accessed by a web service, or all of the above—and creates one central, virtual identity hub inside the enterprise where SaaS applications can point.

A two-part solution powers this identity service. The RadiantOne Cloud Federation Service (CFS) together with the RadiantOne virtual directory server, create a one-stop solution to integrate all your enterprise identities, and link them with the cloud. CFS delegates the task of authenticating against all your identity stores to one common virtual layer, and shields your external and cloud applications from the complexity of your identity systems.

RadiantOne’s virtual identity hub creates one secure, virtual point for both on-premise and SaaS applications to access.

Webinar: Achieve Cloud SSO with an On-Premise Solution

With more and more critical applications housed in the cloud, your enterprise faces one central question: How does the cloud fit into our identity management strategy? Instead of reinventing your existing identity system, RadiantOne virtualization gives you an on-premise solution to securely connect with cloud-based applications. Tune in to our webinar on October 13 at 8am PST to find out how RadiantOne virtualization delivers identity as a local service.

Product Highlight: RadiantOne Cloud Federation Service

The new RadiantOne Cloud Federation Service (CFS), powered by identity virtualization, enables SaaS application to access identities across your entire infrastructure. CFS authenticates the user against a variety of sources—including Active Directory, LDAP, databases, and web services—then gathers the requested attributes, and builds a token in the form that the application understands. The result is one secure logical access and audit point to connect all your authentication sources to the growing world of cloud applications.