At the Ping CIS conference last month, I met Sean Deuby, guru of all things Microsoft for Penton Media, and was impressed by his insightful view of the Microsoft world. We both agree that the enterprise’s evolution toward the cloud will go through a hybrid model, as he outlines in his recent article on Active Directory and Microsoft’s identity vision. This model suggests that on-premises and cloud-based identity will learn to work together harmoniously, a future we’re certainly banking on here at Radiant—in fact, we’re working hard to make it happen!
And we both understand that Microsoft’s entry into the IDaaS sector with Windows Azure Active Directory (WAAD) and its new Access Panel functionality will both validate and inescapably redefine this market. In fact, I’m taking to the blog for one of my occasional rants and rambles so I can consider the ideas he raises in both articles here, because I think they signal a sea change—one with plenty of room for vendor innovation, as well as opportunity for enterprises grappling with how to securely connect their unwieldy on-premises architectures to the ever-expanding cloud.
But that’s not all—we’re going all-Microsoft, all-the-time here at Radiant right now. Sean will be joining us for a webinar on September 19, where we’ll host a freewheeling conversation on how to extend your Microsoft environment to the cloud, exploring ways to make WAAD and ADFS work perfectly in this hybrid world.
Validation and Redefinition: Identity-as-a-Service Comes of Age
The IDaaS market began through the efforts of a cluster of start-ups, including some well-funded players who’ve managed to carve out some potential empires on the cloud. But now Microsoft is bundling basic cloud SSO portal functionality for free with your Microsoft 365 subscription (although we all know that “free” is never really free: there are always implicit deployment costs, just as with every key piece of the identity infrastructure), and things are about to get interesting. This move will force realignments of everything from pricing to value props, because it’s tough to compete against “free” without offering some serious value-added differentiation.
Obviously, when Microsoft enters a market, that’s a clear signal that the market has traction. But such a behemoth also has mighty big feet, and its arrival is going to trample some grass. We’ll have to see how everything plays out, but I’m sure we’re all wondering what IDaaS will look like in 6 months, a year, and more. One thing I know for certain, though, is that this hybrid identity future will be federated—and your identity is going to need some serious housekeeping to really work the way the press releases and marketing materials will promise. And that’s where Radiant comes in.
Federating Identity: What You Need to Make the Hybrid World Work
As you may have noticed, we’ve been beating the drum about the need to federate your identity to support the cloud for a while now. For us, federation is about more than access protocols such as SAML, OpenID Connect, or OAuth. You must federate your identity layer as well—and doing it on-premises before shipping it off to the cloud makes sense.
We can see how this plays out by looking into the structure of an entry in Windows Azure AD. You’ll see that this structure is a lot simpler than the definition of a user inside the on-premises enterprise version of AD. And this makes sense, because Windows Azure AD is a normalized, aggregated view of your different local Active Directories—a federated view of your Microsoft identity. But here’s what they don’t mention in the press release: populating WAAD with this sort of common global view won’t happen unless you really massage the data from the different “Local ADs” before you integrate it into this cloud system.
How Microsoft Would Do It Without Radiant: One Forest at a Time
Now, as we see above, DirSync is the pipe that connects your enterprise AD to WAAD. But while DirSync can reach any AD domain inside a given forest, simply making the connection will not give you the final image you want. You need to normalize and correlate your identity data to establish a valid global list.
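To make the “normalize and correlate” step concrete, here is an added example of the housekeeping that has to happen before a DirSync-style push; it is not Radiant’s or Microsoft’s code. It takes user entries from two constructed AD forests, canonicalizes the attributes you would match on (mail, UPN, employeeID, and the disabled bit of userAccountControl), joins entries that describe the same person, and only emits a global record when the forests agree. The correlation rule (employeeID first, then mail) and the choice of mail as the cloud login name are assumptions for this example; anything the forests disagree on is reported rather than silently resolved.

```python
"""Added example: correlate user entries from two constructed AD forests into
one normalized global list before syncing to a cloud directory.
Attribute names are standard AD schema attributes; all entry data is constructed."""

from collections import defaultdict

ACCOUNT_DISABLE = 0x0002  # userAccountControl bit meaning "account disabled"

# Constructed sample data: two forests, two people present in both, one service account.
FOREST_A = [
    {"sAMAccountName": "jdoe", "displayName": "Jane Doe", "employeeID": "1001",
     "userPrincipalName": "jdoe@corp.example", "mail": " Jane.Doe@Example.com ",
     "userAccountControl": 512},
    {"sAMAccountName": "bray", "displayName": "Bob Ray", "employeeID": "1002",
     "userPrincipalName": "bray@corp.example", "mail": "Bob.Ray@example.com",
     "userAccountControl": 512},
    {"sAMAccountName": "svc-backup", "displayName": "Backup Service", "employeeID": None,
     "userPrincipalName": "svc-backup@corp.example", "mail": None,
     "userAccountControl": 512},
]
FOREST_B = [
    {"sAMAccountName": "jane.doe", "displayName": "Doe, Jane", "employeeID": "1001",
     "userPrincipalName": "jane.doe@sub.example", "mail": "jane.doe@example.com",
     "userAccountControl": 514},  # 512 | ACCOUNT_DISABLE: disabled in this forest
    {"sAMAccountName": "bob.ray", "displayName": "Bob Ray", "employeeID": "1002",
     "userPrincipalName": "bob.ray@sub.example", "mail": "bob.ray@example.com",
     "userAccountControl": 512},
]


def normalize_entry(entry, forest):
    """Canonicalize one AD entry: trim and lowercase the attributes we match on,
    and decode userAccountControl into the boolean a cloud directory expects."""
    mail = (entry.get("mail") or "").strip().lower() or None
    upn = (entry.get("userPrincipalName") or "").strip().lower() or None
    return {
        "forest": forest,
        "sAMAccountName": entry["sAMAccountName"].lower(),
        "userPrincipalName": upn,
        "mail": mail,
        "employeeID": (entry.get("employeeID") or "").strip() or None,
        "displayName": entry.get("displayName") or entry["sAMAccountName"],
        "accountEnabled": not (entry.get("userAccountControl", 0) & ACCOUNT_DISABLE),
    }


def correlation_key(rec):
    """Correlation rule (an assumption of this example): employeeID is the join
    key, mail is the fallback; with neither, the entry is not pushed to the cloud
    but listed for human review (typical for service accounts)."""
    if rec["employeeID"]:
        return ("employeeID", rec["employeeID"])
    if rec["mail"]:
        return ("mail", rec["mail"])
    return None


def build_global_list(forests):
    """forests: {"A": [entries], "B": [entries]} -> (global_list, report).
    A global record is emitted only when every forest agrees on mail and on
    enabled state; disagreements and uncorrelated entries go into the report."""
    groups = defaultdict(list)
    report = {"uncorrelated": [], "conflicts": []}
    for name, entries in forests.items():
        for entry in entries:
            rec = normalize_entry(entry, name)
            key = correlation_key(rec)
            if key is None:
                report["uncorrelated"].append(f"{name}:{rec['sAMAccountName']}")
            else:
                groups[key].append(rec)

    global_list, seen_upns = [], {}
    for key in sorted(groups):
        recs = groups[key]
        mails = {r["mail"] for r in recs if r["mail"]}
        if len(mails) > 1:
            report["conflicts"].append(f"{key}: mail differs across forests {sorted(mails)}")
            continue  # never pick a winner silently
        enabled = {r["accountEnabled"] for r in recs}
        if len(enabled) > 1:
            report["conflicts"].append(f"{key}: enabled state differs across forests")
            continue
        mail = mails.pop() if mails else None
        # Assumption: the mail domain is the routable cloud login domain, so it
        # becomes the cloud UPN; fall back to the first forest's UPN otherwise.
        cloud_upn = mail or recs[0]["userPrincipalName"]
        if cloud_upn in seen_upns:
            report["conflicts"].append(f"{key}: cloud UPN {cloud_upn} already used by {seen_upns[cloud_upn]}")
            continue
        seen_upns[cloud_upn] = key
        global_list.append({
            "displayName": recs[0]["displayName"],
            "userPrincipalName": cloud_upn,
            "mail": mail,
            "accountEnabled": enabled.pop(),
            "sourceForests": sorted(r["forest"] for r in recs),
        })
    return global_list, report


if __name__ == "__main__":
    users, findings = build_global_list({"A": FOREST_A, "B": FOREST_B})
    print("ready for cloud:", users)
    print("needs review:", findings)
```

With the constructed data, Bob Ray correlates cleanly across both forests and becomes one cloud record, Jane Doe is held back because one forest has her disabled and the other enabled, and the service account is listed as uncorrelated; those two findings are exactly the kind of thing a raw connector pass would push through unchanged.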
Putting Your House (and Forests) in Order
Although Microsoft is going all-in on the IDaaS market, enterprise AD still remains the foundation of this hybrid future. In fact, as Sean says, “a day may come when Azure AD eclipses its on-premises version. But it is not this day.” And this means you’re stuck with your thicket of domains and forests, with all its headaches and complexities. So how can you get all that identity info ready for use in the cloud? While DirSync and ADFS are excellent means of provisioning and transporting federated data, they can’t help you transform that data or gather it from across a complex AD infrastructure. For that, you need Radiant.
If You Have More Than One AD Forest, You Need a Federated Identity Service
One of the most important use cases for deploying your identity on WAAD will be syncing (or rather remapping, because the two structures are not a one-to-one match for every attribute) your AD to WAAD through a federated account. At a high level, this means that WAAD will check your login while delegating the credential-checking part of the authentication back to ADFS, so it can use your local AD password/Kerberos system.
In my next post, we’ll consider how to make this work, looking at why you need to normalize, aggregate, and remap your identity before shipping it off to the cloud.
Then we’ll finish this series of WAAD posts by focusing on the world beyond Microsoft, exploring why you can’t afford to ignore the rest of your identity infrastructure, from legacy databases—including those venerable old mainframes!—to your aging Novell and Sun/Oracle directory infrastructure.
Be sure to check back for more on this topic, and watch this space for details about our can’t-miss webinar coming up on September 19 with Microsoft expert Sean Deuby and one of Radiant’s sharpest technical minds, Lisa Grady.