Tuesday, March 25, 2008

Single Sign-On

There was an SSO webinar today by Quest Software.  I would like to thank them for actually putting some content into it and actually explaining what their solutions offer.  I have become a bit weary of webinars so laden with marketing message, you really have no idea what the technology is offering you or if it will fit your infrastructure or not. 

The recording is available here.   My big take-away's had a familiar ring to them, as I have repeated some of these points too many times to count at this point.  Quest has an offering of multiple applications for an SSO package.  Also, check out Mr Shaw's white paper on the subject. 

First SSO means different things to different people; enterprise SSO, Federated SSO, Web SSO, Single Password, Reduced SSO, etc.  But I believe that some things are the same regardless of the "type" of SSO you want to deploy.

Shaw had a nice list of the "perfect world" for SSO:

  • Standards based
  • A single password or login
  • A single directory
  • Strong Authentication support / multi-factor authentication
  • Support for multiple platforms
  • Support for multiple applications
  • Support for "thick, thin, and web applications"

This week I have been faced with some of the problems in solving SSO integration problems and how to deliver identity information to enable SSO.  A client had previously deployed a SSO solution for 35+ applications, using only two sources that were disjointed. Now they were faced with integrating another data source that contained intersection of identities. Some users in the new source exist in one of the other two sources - now the entire SSO solution collapses because it was based on the idea that they would never face an overlap of identities within the repositories.  Again, the answer was to deploy a virtual directory server as the abstraction layer to simplify the management of identities in these, now jointed data sources.

The lesson is, yes you can deploy an application without building a unified infrastructure, but you take a big risk.  When new data sources need to be incorporated (including acquired applications with their respective user-base), you can expect problems. 

PLAN AHEAD.. if you don't need to solve this integration problem now, YOU WILL at some point if you expect any level of scalability.  YES, it is possible to have one source for all your users, without replication.  By using the features of a virtual directory server to create a true union of identities (identities are correlated appropriately and duplicates are eliminated) and extend those entries with additional attributes from the needed data sources, you provide an identity infrastructure to provide authentication and authorization services to your SSO application. 


Monday, March 10, 2008

Are Meta-Directories Dead?

My favorite old ranter Dave Kearns (self proclaimed as the old man ranting in the corner) has an article for NetworkWorld, raising the question if meta-directories have any life left in the market.

Although I don't know if meta-directories are dead, they seem to still have a place in the world, I do see an end to this technology in favor or other technologies in the future. The Higgins project is offering a new approach to identity control and management.  Virtual Directories offer a solution, you can check out OVD and RadiantOne who both offer meta-directory type functionality.  (Although Oracle is not explicit how this use case is deployed using OVD since it requires the purchase of additional products, who knows if Oracle has actually tried this or not - you just buy buy buy (story as usual with Oracle right?) until you get the functionality, I have not tried this deployment use case with Oracle personally, I know that RadiantOne offers this functionality out-of-the-box. )

Jackson Shaw (an excellent source of high-quality information regarding in the IdM space) is the source of Kearn's rant, in his more recent posting Jackson again refers to meta-directories as "dead". Shaw also links to Neil McDonald's presentation at the Gartner's IDAM Summit "Everything You Know About Identity Management Is Wrong". 

What is sure is that things are definitely pointing to a big change in how Identity Management projects are deployed.  The time seems right for a major move towards a more manageable, higher level of fulfillment of the promises of IdM applications, and less complexity. 

Noel Yuhanna, principal analyst with Forrester, has some great ideas where this market is going, pay extra attention to "Information Fabric" and "Information as a Service" papers.  It is worth the read if you are planning for the long-term.  I have learned a lot from his materials. 

Another Virtual Directory to Market

Yes, I am a little behind in my postings.  Don't rant against me too much, I have a full-time job ya know!  :)  

I need to add my small voice to the cheers of yet another virtual directory added to the market. Optimal IdM has released their first version of their Virtual Identity Server (VIS)

The announcement was during last weeks' Directory Experts Conference in Chicago (mainly a Microsoft AD pow-wow, but definitely worth the time).  Although I was not able to attend personally, some of my co-workers did and they felt the event was worth the time.  I do have to note, it is has always been amazing to me how segregated Microsoft centric vs. non-microsoft centric IT shops are.  There were a lot of new people to meet instead of the usual groups that attend the other usual conferences that deal with Identity Management (like Burton's Catalyst, Gartner's IdM Conf, Digital ID World, etc). 

but I digress. .. back to VIS --- 

This newest virtual directory is based on .NET and totally Microsoft AD/ADAM centric.  Focusing mainly on the AD Forest problem (where enabling trust is not an option), the product offers a basic LDAP proxy solution for aggregating (although they call it "union", it appears to really offer aggregation, since I can not find the ability to merge same accounts from different directories into one profile, it requires unique members and identifiers in all connected sources).  They also offer a join, but since their use of "join" and "union" are a bit loose, it is hard to tell the level of sophistication and features they bring to the table.

The bottom line is its great to see another Virtual Directory on the market.  Here is how VIS fits in the overall VDS market...

Virtual Identity Server does:

  • LDAP Proxy
  • Merge and Join directories only
  • Designed for Active Directory / ADAM integration issues; forests, multiple domain controllers, etc
  • Merge of groups from multiple LDAP sources

Virtual Identity Server does NOT have:

  • fully LDAP compliancy local store (if a local store is needed, an instance of ADAM is used)
  • integration capabilities for databases, applications, or web services (at least outside Microsoft, and if it does offer it, it is not explained, although their solution would probably be to use ADAM between such services, which would add more points of failure and complexity, and undoubtedly performance and scalability issues).
  • ability to offer true union of data stores (where matching profiles can be mapped into a single view, they only merge and join) (if you need further technical explanation of this, esp for LDAP folks, let me know - I'm using mathematical definitions of these terms, more common in the database world).
  • meta-directory functionality and/or synchronization capabilities (again they would rely on ADAM, IIS, ILM, which brings nothing new)
  • data model (e.g. for creating new hierarchies / DIT structures)
  • cache (neither memory or persistent)

I am sure the product will evolve, and even though the initial offering is limited, they are offering a solution to a very significant problem, addressing compliancy issues and overcoming serious limitations of AD/ADAM. If you are a Microsoft shop, and don't anticipate the need to integrate from other branded products, then VIS is your choice.  If you have heterogeneous data sources (i.e. oracle, sun, novell) this is not your solution, you need to look at a product like Symlab's Virtual Directory (based on C++) for a more robust LDAP proxy or basic virtual directory for low to moderate volume, or the king of the virtual directories Radiant Logic's RadiantOne Virtual Identity and Context Platform, which offers more features and solutions than any other product I have found in its class by far.  RadiantOne also offers longer "legs" as it offers more features to scale to almost any level.