Explore our New Federated Identity Service at RSA

I’m looking forward to RSA this year, where we’ll announce a major breakthrough in the way companies manage identity in this increasingly web- and cloud-centric world. I’m also proud to see that RSA is integrating our solution into its excellent IdM stack.

I’ll tell you all about it below, but first, I’d like to address a topic that’s been burning up the blogosphere lately.

The Virtual Directory is Dead. Long Live the Virtual Directory!

We all know that it’s not enough to innovate; the success of a new technology is also measured by its degree of integration within the existing ecosystem. I’ve been reflecting on that challenge lately, after reading this piece on PingFederate’s new authentication chaining capability, which suggests the virtual directory is no longer necessary. Hmm, we know our good friends at Ping Identity are not that radical (just check out the slides from their latest webinar), but I guess you know the old joke: Groucho was a Marxist and Lenin was a Beatle. I will leave it to Nishant Kaushik’s excellent response to explain why authentication chaining is only a very small part of the answer.

Mostly, I’m struck by the fact that the virtual directory—technology my friend Claude and I invented back in the dark ages of last decade—is now such an accepted part of today’s identity infrastructure that people feel free to proclaim its demise. After years of trying to explain what a virtual directory was, that feels like a victory! 🙂

Okay, now let me share some news I’m really excited about.

From Virtual Directory to a Federated Identity Service Powered by Virtualization

Over the years, we’ve advanced virtual directory technology from a proxy-driven routing and remapping engine to a model-driven virtualization solution, which lets you design the exact identity views your applications require. Now we’ve taken it a step further, delivering a federated identity service based on virtualization that is key to deploying any secure web application or identity provider (IdP) in a federation, all without disrupting your existing systems. This service hides the heterogeneity of your existing identity sources and exposes a logical, coherent, secure, and application-friendly view of your users to both internal and external applications. And it drives any business initiative where a global view of identity is essential, including web access management, portals, and cloud integration.

Sounds like a great solution, right? But first, let’s take a look at the problem we’re solving.

Applications, Security Protocols, and Identity Sources—Oh, My!

In any sizeable modern organization, there are many links tying applications, via disparate security and access protocols, to all the different identity sources. I call this the “Star Wars” effect:

[Figure: Identity Sources]

For such companies, many internal, external, web, and cloud-based applications (A) must talk to many identity sources (I) using several different security protocols (S). Every application-source-protocol combination is a separate link, and every link costs money ($$$) to develop, manage, and maintain.

When you do the math, A x I x S = N links (x $$$), and the result is basically a shoot-out at the Not-OK Corral: you’re left with a brittle network of links, protocols, and identity representations that requires a whole IT team to maintain. And whether your company is revamping its portal, adding a critical cloud-based application, or acquiring a partner, any change puts incredible (and incredibly expensive!) demands on a critical infrastructure.

An Identity Hub to Reduce Complexity and Rationalize your Infrastructure

Fortunately, there is a well-established pattern for solving the problem of too many links. By creating an intermediate layer—a hub—you can reduce the complexity of M x N interactions to more manageable and linear M + N connections. After all, this is why the airlines fly you through Denver or Charlotte or Chicago, instead of offering the chaos of thousands of direct flights between destinations.

Our federated identity service acts as a virtual identity hub, anchoring your identity infrastructure and enabling you to interconnect all the identities across the enterprise, no matter where or how they’re stored, for smarter security, better authentication, and more finely-grained authorization.

[Figure: Federated Identity Service]

Now, this idea of an identity hub is not new. In fact, identity vendors have been trying to develop (or reinvent) some form of identity hub for years, from the over-centralization of the “enterprise directory,” to the efficient but inflexible meta-directory, and more recently the flexible but limited “classical” virtual directory based on simple mapping, routing, and proxying. After many years of experience with customer integrations, we know you need to combine the strengths of all these approaches and add a little special sauce on top, so let’s take a quick look at the technologies and processes underlying our solution.

Under the Hood: What Drives the RadiantOne Identity Hub

At the foundation level, you need a virtualization layer that’s rich enough to abstract the variety of identity representations, and smart enough to project them into the specific views your applications need for strong authentication and smart authorization. This is what we call virtualization by model.

But beyond the abstraction layer and a rich toolset, you also need a well-defined process. When you build a common layer shared by applications and existing identity sources, you must satisfy a complex set of new requirements. Your hub must be able to route and delegate credentials to the source that owns them, synchronize attributes automatically, aggregate and disambiguate identities that appear in more than one source, and provide advanced caching and storage for better performance. To build a solid federated identity infrastructure, these capabilities must be deployed in a well-considered order. To make it all easier, we’ve automated this workflow through a set of wizards in VDS+ that guide you through the required steps. These wizards turn once-complex configurations into quick point-click-done operations; they’re real game changers, and it’s worth stopping by booth 345 at RSA for a demo. You can also read more about this new solution in our latest press release.
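To make the three hub operations named above concrete, here is a small added example (written for this page, not RadiantOne code) of a virtualization layer sitting over two constructed identity sources with different schemas: an LDAP-style directory keyed by sAMAccountName that owns the credentials, and an HR table keyed by employee_id that owns department and title. The hub correlates the two on a normalized e-mail address (union), extends the directory entry with HR attributes when exactly one match exists (join), flags the case where two HR rows claim the same address instead of guessing (disambiguation), and answers a login by delegating the password check to the directory rather than copying the hash into the unified view. All names, sample records, and passwords are invented for the example.

```python
import hashlib
import hmac
from collections import defaultdict

# --- Constructed backend sources (sample data, not from any real deployment) ---

def _pw_hash(password: str, salt: bytes) -> bytes:
    # Stand-in for the backend directory's own password storage.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

# LDAP-style directory: authoritative for login names and credentials.
DIRECTORY = [
    {"sAMAccountName": "jdoe", "mail": "jdoe@example.com", "displayName": "Jane Doe",
     "salt": b"salt-jdoe", "pw_hash": _pw_hash("correct-horse", b"salt-jdoe")},
    {"sAMAccountName": "asmith", "mail": "asmith@example.com", "displayName": "Al Smith",
     "salt": b"salt-asmith", "pw_hash": _pw_hash("battery-staple", b"salt-asmith")},
    {"sAMAccountName": "bliu", "mail": "bliu@example.com", "displayName": "Bo Liu",
     "salt": b"salt-bliu", "pw_hash": _pw_hash("xyzzy", b"salt-bliu")},
]

# HR database: authoritative for department and title, keyed differently.
HR_DB = [
    {"employee_id": "E1001", "email": "JDoe@Example.com", "department": "Finance", "title": "Analyst"},
    {"employee_id": "E1002", "email": "asmith@example.com", "department": "Engineering", "title": "SRE"},
    # Two HR rows share one address: the hub must not guess which one is Bo Liu.
    {"employee_id": "E1003", "email": "bliu@example.com", "department": "Legal", "title": "Counsel"},
    {"employee_id": "E1004", "email": "bliu@example.com", "department": "Sales", "title": "Rep"},
]


def correlation_key(address: str) -> str:
    # Normalize the shared attribute so "JDoe@Example.com" and "jdoe@example.com" correlate.
    return address.strip().lower()


def build_view(directory, hr_rows):
    """Union the sources on e-mail, then join HR attributes onto each directory entry."""
    hr_by_mail = defaultdict(list)
    for row in hr_rows:
        hr_by_mail[correlation_key(row["email"])].append(row)

    view = {}
    for entry in directory:
        key = correlation_key(entry["mail"])
        unified = {
            "uid": entry["sAMAccountName"],   # login name comes from the directory
            "displayName": entry["displayName"],
            "mail": key,
            "sources": ["directory"],
            "ambiguous": False,
        }
        matches = hr_by_mail.get(key, [])
        if len(matches) == 1:                 # clean join: extend with HR attributes
            unified.update(employee_id=matches[0]["employee_id"],
                           department=matches[0]["department"],
                           title=matches[0]["title"])
            unified["sources"].append("hr")
        elif len(matches) > 1:                # disambiguation: flag it, do not merge
            unified["ambiguous"] = True
            unified["candidates"] = sorted(m["employee_id"] for m in matches)
        view[key] = unified                   # note: no salt or pw_hash ever copied here
    return view


def authenticate(view, directory, mail, password):
    """Delegate the bind to the authoritative directory; the hub stores no secrets."""
    unified = view.get(correlation_key(mail))
    if unified is None:
        return False
    backend = next((e for e in directory if e["sAMAccountName"] == unified["uid"]), None)
    if backend is None:
        return False
    return hmac.compare_digest(backend["pw_hash"], _pw_hash(password, backend["salt"]))


if __name__ == "__main__":
    v = build_view(DIRECTORY, HR_DB)
    for key, entry in v.items():
        print(key, entry)
    print(authenticate(v, DIRECTORY, "JDoe@Example.com", "correct-horse"))
```

The disambiguation branch is the part worth copying: a hub that silently picked the first HR row for bliu@example.com would hand a Sales rep's attributes to someone in Legal, and any downstream authorization built on department would be wrong without anyone noticing. Surfacing the conflict as data lets the synchronization step fix the source of truth instead of papering over it.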

But there’s still one important consideration we need to address. While every vendor agrees you need some form of identity hub, there’s great debate about where that hub should live.

Elvis May Have Left the Building—But Your User Credentials Need to Stay On-Premises

Of course, cloud vendors are eager to prove the merits of their SaaS approach. “Just host it in the cloud!” they say, which is fine for greenfield deployments or homogeneous environments. But most medium to large organizations have built up an existing infrastructure with many applications and identity sources, each responding to different security methods and protocols, all held together with costly customizations, long nights on the help desk, and no small amount of hope. For such companies, hosting the hub in the cloud is risky, because too much identity data, credentials included, has to be synchronized across the firewall.

[Figure: Hub Outside the Firewall]

In these cases, we know it’s better, in fact imperative from a security standpoint, to begin by hosting the identity hub on-premises, so your cloud apps get the identity attributes they need while your critical enterprise data and credentials don’t have to cross your firewall every time someone logs on to Salesforce. The beauty of RadiantOne’s on-premises service is that you can consolidate and rationalize all your identity, wherever it’s required (enterprise, web, mobile, cloud), without disrupting your existing infrastructure. With this approach you get immediate wins for your current identity initiatives and can evolve your identity infrastructure in whatever direction you choose.

[Figure: Radiant Logic Federated Identity Hub]

Take a Test-Drive at RSA: Join Us at Booth 345

There’s a lot more to say about our federated identity service, and I’ll be taking a closer look at some of the technological underpinnings in blog posts to come, including model-driven virtualization, identity correlation through union, identity extension through join, as well as synchronization, data remapping, and advanced caching.

For now, come see RadiantOne in action at RSA!

We’ll be in booth 345, so please either drop by or schedule a session with my team at info@radiantlogic.com or at 1.877.727.6442.

See you at RSA,

Michel Prompt, founder and CEO, Radiant Logic