
NEWSLETTER

Identity Integration: The Key to Successful Portal SSO Deployment

For several years, we have all heard about the value of providing Single Sign-On (SSO) for Web Portals. SSO simplifies access and provides a better user experience. There are many good Web Access Management (WAM) packages available today (see list), and they give developers excellent support for Web SSO. What is often overlooked, however, is the “behind the scenes” need for identity integration: a unified, composite view of all users across disparate data sources.

In the following section we describe the technical challenges, and the solutions, for identity (logon/password) integration in a successful Web SSO deployment. To further illustrate these points, our partner CoreBlox then shows how RadiantOne and SiteMinder were deployed within a large company to enable SSO for its support portal.

Portal SSO Challenges

The ability to deliver an effective SSO solution depends on two things: (1) you must be able to identify and authenticate all users across multiple data sources, and (2) you must be able to supply additional profile information so that each application receives its data in the right security context.

To accomplish these tasks, you need to provide applications with a unified view of all users. This is the key to secure authorization and a rich, integrated user experience. RadiantOne Virtual Directory Server (VDS) works behind the scenes to unify your distributed identity information into a single composite view of all users, providing the integrated identity environment that makes a Web Access Management SSO deployment seamless.

Building that unified view can be a significant challenge when identity providers are spread across multiple security domains and disparate data stores. The complexity increases again when an organization needs to integrate a new user base (for example, from a recent acquisition).

The new set of users will most likely overlap with the existing one; this overlap is the “intersection”. You must be able to detect the same person across systems: a user who exists in three different systems must be represented as a single identity. Otherwise, applications will not have all the information necessary to provide single sign-on and to grant the proper authorization privileges.

To further complicate matters, the new identity sources themselves will most likely be disparate in nature: different architectures (directories vs. relational databases vs. applications or Web Services), different data structures (object models vs. tables vs. flat files), and different access protocols (LDAP, SQL, APIs, Web Services, etc.). The integration challenge can be daunting even for the most experienced team.

You need an automated correlation process to properly identify and then integrate the new set of users into the existing user-base.

The solution is an abstraction layer using a flexible set of tools which allows for easy aggregation and integration* of identities into a common infrastructure. By creating a single “virtual” identity infrastructure, organizations can quickly subsume new applications and new users into an existing infrastructure.


Successful Identity Integration through Virtualization and Correlation

RadiantOne Identity and Context Virtualization Platform integrates identity from disparate data stores and across domains.   

RadiantOne Virtual Directory Server (VDS) and RadiantOne Identity Correlation and Synchronization Server (ICS) leverage a common abstraction layer. This platform integrates identity by aggregating, correlating, and publishing identity profiles of all users across the enterprise.

This eliminates the need for the heavy replication and complex synchronizations usually associated with identity integration.

  • Virtualization overcomes the obstacles of protocol, data structure, and object representation across security domains, providing uniform access to identity profiles.

  • Correlation establishes the necessary links between the different identity profiles of the same user.

RadiantOne ICS uses an automated correlation process, based on rich and flexible matching rules, to establish links between different identity profiles. Once this correlation is established, RadiantOne VDS publishes the resulting composite identity profile to your SSO policy server as a single LDAP source. Because the composite profile is what the policy server authorizes against, a correlation error is a security error: a rule that links two profiles belonging to different people grants one of them the other's entitlements. Matching rules should therefore favour strong identifiers (a verified e-mail address or employee number rather than a display name), and a record that matches more than one existing identity should be held for review rather than merged automatically.

Integration of identities through virtualization combined with correlation provides SSO applications with a powerful mechanism to authenticate users and define fine-grained access controls and policies. Using this loosely-coupled approach, your infrastructure is flexible and able to adapt to new requirements.

By combining an SSO solution with RadiantOne, companies gain a unique ability to bring users and applications together while reducing integration costs and time to market.

To illustrate the ideas and analysis laid out above, we asked Todd Clayton of CoreBlox, a Radiant Logic integration partner, to write about one of their recent deployments.


Coreblox’s Customer Use Case

by Todd Clayton

Recently Coreblox has deployed a complete identity and entitlements integration solution for a company making multiple business acquisitions.  The challenge was to give their customers a single point of access for online technical support, including during the interim/assimilation period of the merger.

Our client’s requirements were to:

  • Drive down technical support costs

  • Increase the number of customers utilizing online self-help options (currently at 20%)

  • Re-capture lost revenue: due to the complexity of the entitlement system fragmented across different application silos, many customers did not have easy access to the required resources

  • Decrease customer confusion resulting from having too many environments. This is again due to the absence of a global point of control for granting access to multiple applications.

  • Make it easier to deliver support to customers with products from different business units/acquired companies. Each business unit maintained their own customer support systems.

  • Accommodate new and future security requirements while lowering demands/queries against some limited or constrained data sources such as legacy applications

  • Increase up-sell and cross-selling opportunities by having a unified profile view of all users. 

In short the goal could be summarized as building/providing a consistent, integrated, and user friendly external view of all support websites.  To meet those requirements we added the following features to the support Portal:

  • Single Sign-On, for seamless customer access

  • New Security Architecture design to accommodate future expansion and reduce the load on legacy systems

  • Global Search, so that customers could easily navigate and find information in a very rich knowledgebase which covers subjects from all support systems

  • Common Centralized Issue Resolution across business units

To reach our client’s target we applied the following methods and products:

  • To help us in the Identity Integration effort required for SSO, integrated authorization and a common user experience, we deployed:

    • RadiantOne ICS (Identity Correlation and Synchronization Server). We used ICS to create a common “Identity Hub” (the VIH or “Virtual Identity Hub” in Radiant Logic parlance). Identifiers from directories (CA eTrust Directory and ADAM) and databases (SQL Server, Sybase, MySQL) were synchronized, aggregated and then correlated*. The resulting “logical union” eliminates duplicate identities based on rules defined by our client. The ICS process also establishes a global identifier for each unique user. The end result, the Virtual Identity Hub, acts as a repository of the links between a global identity and each specific instance of an identifier stored in the local data sources.

    • Once the identities were correlated we used RadiantOne VDS (Virtual Directory Server) to build the directory views (LDAP v3 compliant) needed for SSO, authorization and profile management. More specifically, VDS helps us:

      • Leverage the metadata from each identity store, using the global identifier created by ICS, to deliver:

        • a unified, single list of all users/customers across all product lines: this is the key enabler for SSO and integrated security

        • for each user a rich and extensible profile that is used by authorization and site support services.

      • These “virtual views” are delivered to SiteMinder in the form of a classic, consolidated LDAP directory for Authentication and Single Sign-On. The rich user profiles (including all necessary attributes) are also the key enabler for flexible and secure policies in the SiteMinder Policy Server.

  • CA SiteMinder

    • Enables enterprise security and web single sign-on capabilities across all application platforms

  • SAP Portal

    • Allows a single front-end presentation layer across all legacy systems

  • IBM WCDS/OmniFind

    • Unified 3rd-generation knowledgebase across all acquired systems

The following diagram highlights the solution landscape:

Each of these components allowed the company to establish a base platform for current requirements, as well as a well-defined process with known timelines for integrating data stores and applications from future acquisitions. This is possible because RadiantOne ICS and VDS allow new sources to be brought online and identities correlated without requiring a complete rebuild of the Virtual Identity Hub.

Measurable Results

The new system delivered on the customer’s requirements and on the company’s ability to meet its goals.

  • All external technical support systems are available through a single login, and Single Sign-On.

  • Customers owning multiple products have unified entitlements and system access across all systems

  • Customers can search across all content regardless of physical location of the data, improving self-service

  • Support and administration costs were reduced by the new identity security infrastructure

The effort yielded an increase both in customer and employee satisfaction as well as a significant reduction in the time required to make system changes.  This combination of SSO and virtual directory technology delivered a match made not only in heaven, but also right here in our data centers.

About CoreBlox

CoreBlox provides Strategic Identity Management and Technical Support Consulting. With over 30 years combined identity management and web access control experience and over 20 years support operations and infrastructure experience, CoreBlox has delivered solutions to some of the world’s largest financial and software companies. CoreBlox is headquartered in Framingham, Massachusetts. For more information please visit http://www.coreblox.com, or call 877-879-2569. CoreBlox is a trademark of CoreBlox, Inc.

___________________________________________

* Aggregation vs. integration

Aggregation: bringing together identities from all data sources into a common namespace. This function essentially sets all identities side by side for easy access and search. If there are no common users or identifiers between the data sources, the sources are said to be “disjoint”, and the result is a simple union of identities.

Integration: the “mathematical union” of identities within a common namespace that provides a single representation of each actual user, regardless of the number of identity accounts located in multiple data sources. Duplicates are eliminated, and authoritative sources are used to represent in-common attributes.

A union can be created dynamically using VDS if the volume is relatively low (<250K entries) and all sources have a common identifier established for all users.  If complex matching rules are needed to correlate identities, or the volume of entries is relatively high, ICS pre-correlates identity profiles, dramatically improving performance and flexibility.
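The following example, added here and not code from RadiantOne or from the CoreBlox deployment, works through the correlation process described in the "Successful Identity Integration" section and the aggregation-vs-integration distinction in this footnote. It loads three constructed sources (an LDAP-style directory, rows from an acquired company's customer table, and a flat-file export), applies a hypothetical set of prioritized matching rules, assigns a global identifier to each distinct person, merges attributes with the directory as authoritative source, and renders the composite profile as an LDIF entry of the kind an SSO policy server would read. A record whose keys point at two different global identities is reported as a conflict instead of being merged, which is the failure mode a weak rule (here, the name rule) produces. All sample data, rule names and the DN layout are assumptions for illustration.

```python
"""Identity correlation and composite-profile publication (added example)."""
import re
from collections import defaultdict

# --- Constructed sample sources (illustrative, not a real deployment) -------
LDAP_ENTRIES = [  # directory: authoritative for login, mail and name
    {"uid": "jsmith", "mail": "John.Smith@Example.com", "cn": "John Smith"},
    {"uid": "adoe", "mail": "a.doe@example.com", "cn": "Alice Doe"},
]
SQL_ROWS = [  # acquired company's customer table
    {"cust_id": 501, "email": "john.smith@example.com ", "full_name": "J. Smith", "product": "Widget"},
    {"cust_id": 502, "email": "bob@acme.example", "full_name": "Bob Lee", "product": "Gadget"},
    {"cust_id": 503, "email": None, "full_name": "Alice Doe", "product": "Widget"},
    {"cust_id": 504, "email": "bob@acme.example", "full_name": "John Smith", "product": "Gizmo"},
]
FLAT_FILE = ("login;email;region\n"
             "jsmith;JOHN.SMITH@example.com;EMEA\n"
             "blee;bob@acme.example;AMER\n"
             "cdoe;;APAC\n")


def load_sources():
    """Normalise every source into (source, local_id, attributes) records."""
    records = []
    for e in LDAP_ENTRIES:
        records.append(("ldap", e["uid"], {"login": e["uid"], "mail": e["mail"], "name": e["cn"]}))
    for r in SQL_ROWS:
        records.append(("sql", str(r["cust_id"]),
                        {"mail": r["email"], "name": r["full_name"], "product": r["product"]}))
    for line in FLAT_FILE.strip().splitlines()[1:]:  # skip the header line
        login, mail, region = line.split(";")
        records.append(("flat", login, {"login": login, "mail": mail, "region": region}))
    return records


def _norm(value):
    """Case-fold and collapse whitespace so 'John.Smith@X ' and 'john.smith@x' match."""
    return re.sub(r"\s+", " ", (value or "").strip().lower())


# Hypothetical matching rules in priority order: each maps attributes to a key or None.
# The name rule is deliberately weak; it is here to show how conflicts are caught.
RULES = [
    ("mail", lambda a: _norm(a.get("mail")) or None),
    ("login", lambda a: _norm(a.get("login")) or None),
    ("name", lambda a: _norm(a.get("name")) or None),
]


def correlate(records):
    """Link records to global identities; never auto-merge an ambiguous match."""
    index = {}                 # (rule, key) -> global id
    links = defaultdict(list)  # global id -> [(source, local_id, attrs)]
    conflicts = []             # records whose keys point at two different people
    for src, local_id, attrs in records:
        keys = [(rule, fn(attrs)) for rule, fn in RULES if fn(attrs)]
        matched = {index[k] for k in keys if k in index}
        if len(matched) > 1:
            conflicts.append((src, local_id, sorted(matched)))
            continue  # hold for review: merging here would cross-grant entitlements
        gid = matched.pop() if matched else f"G{len(links) + 1}"
        links[gid].append((src, local_id, attrs))
        for k in keys:
            index.setdefault(k, gid)  # first source to claim a key keeps it
    return dict(links), conflicts


AUTHORITY = ["ldap", "sql", "flat"]  # first source wins for in-common attributes


def composite_profile(gid, members):
    """Merge one person's attributes; authoritative source wins, others fill gaps."""
    profile = {"globalId": gid, "sourceIds": []}
    for src in AUTHORITY:
        for s, local_id, attrs in members:
            if s != src:
                continue
            profile["sourceIds"].append(f"{s}:{local_id}")
            for k, v in attrs.items():
                if v and k not in profile:
                    profile[k] = v
    return profile


def to_ldif(profile):
    """Render a profile as the LDAP entry a policy server would consume (schema simplified)."""
    lines = [f"dn: globalId={profile['globalId']},ou=users,dc=example,dc=com",
             "objectClass: extensibleObject"]
    for k, v in profile.items():
        for item in (v if isinstance(v, list) else [v]):
            lines.append(f"{k}: {item}")
    return "\n".join(lines)


def aggregate(records):
    """Aggregation only: identities side by side in one namespace, no de-duplication."""
    return [f"{src}:{local_id}" for src, local_id, _ in records]


def integrate(records):
    """Integration: correlate, then publish one composite profile per person."""
    links, conflicts = correlate(records)
    return {gid: composite_profile(gid, m) for gid, m in links.items()}, conflicts


if __name__ == "__main__":
    recs = load_sources()
    profiles, unresolved = integrate(recs)
    print(len(aggregate(recs)), "aggregated records ->", len(profiles), "global identities")
    print(to_ldif(profiles["G1"]))
    print("held for review:", unresolved)
```

Nine source records aggregate side by side but integrate to four global identities; the SQL row whose e-mail belongs to one person and whose name belongs to another is reported rather than linked. In a production rule set the name rule would be dropped or made conditional on a second attribute, and the conflict list would feed an administrator's review queue.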


Questions? Comments? Please email us at info@radiantlogic.com.
