Archive for the ‘Identity Management’ Category

Virtual Identity Server for Office 365

May 5, 2012

If you are thinking of going to the cloud you may want to take a look at our new offering at Optimal IdM (Virtual Identity Server for Office 365). A quick look at some of the features and benefits is below:

  • Fast and easy multi-forest support (no changes needed to any of your data in AD)
  • Firewall for your LDAP
  • Two-Factor Authentication
  • Multi-Authentication Types (Windows Integrated, Client Cert, DoD CAC, SSO, and more)
  • Non-Routable UPN support (again, no changes needed to any of your data in AD)
  • Auditing
  • Denial of Service (DoS) prevention
  • Support for desktop clients (Lync & Outlook) as well as all web apps (Portal, OWA & Lync web)
  • Support for provisioning and synchronization, including filtering of what data goes to the cloud
  • and much more…

Extending ADFS to Multiple Identity and Attribute Stores (Part 1 of 2: The Basics)

April 17, 2012

There is much discussion these days about Active Directory Federation Services 2.0  (ADFS) and the out-of-the-box support of identity and attribute data other than Active Directory (AD).  In this blog (part 1 of 2), I plan to cover the basics of extending ADFS using the Microsoft Windows Identity Foundation (WIF) components.  In part 2 of 2, I will cover some of the more important questions that should be asked prior to setting out to build your own Identity Provider (IdP) / Security Token Service (STS) or Attribute store vs. purchasing a supported solution from a 3rd party vendor.

Currently, ADFS only supports authentication (identity information) and authorization (attribute/claim information) out-of-the-box directly from Active Directory (AD). However, what many people miss is the fact that ADFS ships with a framework (WIF) for extending ADFS to meet just about any need you may have for both authentication and authorization.

If your identity information is located in a store other than AD, you can choose to build your own IdP/STS for authentication from the framework provided, or purchase one from a 3rd party vendor that is formally supported, such as the Optimal IdM Federated Services product. If you are looking to augment the claim information with attribute data that is located in a store other than AD/AD-LDS or SQL, you can choose to build your own Attribute store for authorization, which is a pluggable module in ADFS, or again, purchase one from a 3rd party vendor. The Optimal IdM Federated Services product also includes a pluggable attribute store module that can surface attributes/claims from many different stores, including nearly every LDAP on the market (ADAM, AD-LDS, Sun, Oracle, eDirectory, OpenLDAP, OpenDS, etc.) as well as most databases (SQL, Oracle, DB2, etc.).
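
To make the pluggable attribute store concrete, here is an added example (not Optimal IdM's product code) of a minimal custom store implementing ADFS 2.0's IAttributeStore interface against a constructed in-memory HR table. It assumes the store is registered in ADFS under the name "HR" and invoked from a claim rule such as `=> issue(store = "HR", types = ("http://example.com/department"), query = "department", param = c.Value);`, where the example.com claim type is a placeholder.

```csharp
using System;
using System.Collections.Generic;
using System.Threading;
using Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore;
// Custom ADFS 2.0 attribute store backed by a constructed in-memory table standing in for an HR database or non-AD LDAP.
public class HrAttributeStore : IAttributeStore
{
    private readonly Dictionary<string, Dictionary<string, string>> _users =
        new Dictionary<string, Dictionary<string, string>>(StringComparer.OrdinalIgnoreCase);
    // ADFS calls Initialize once with the key/value pairs configured on the store.
    public void Initialize(Dictionary<string, string> config)
    {
        // Constructed sample record; a real store would open its backend connection here.
        _users["alice@corp.example"] = new Dictionary<string, string>
            { { "department", "Finance" }, { "costCenter", "CC-1001" } };
    }
    // Query grammar for this store: comma-separated attribute names; parameters[0] is the user
    // identifier. Each returned row yields one claim per column, in the order of the rule's types.
    public IAsyncResult BeginExecuteQuery(string query, string[] parameters,
                                          AsyncCallback callback, object state)
    {
        if (string.IsNullOrEmpty(query) || parameters == null || parameters.Length != 1)
            throw new AttributeStoreQueryFormatException("expected an attribute list and one user id parameter");
        string[] attrs = query.Split(',');
        var rows = new List<string[]>();
        Dictionary<string, string> record;
        if (_users.TryGetValue(parameters[0], out record))   // unknown user: zero rows, so no claims
        {
            var row = new string[attrs.Length];
            string value;
            for (int i = 0; i < attrs.Length; i++)   // attribute absent for this user: empty column
                row[i] = record.TryGetValue(attrs[i].Trim(), out value) ? value : string.Empty;
            rows.Add(row);
        }
        var result = new CompletedResult(rows.ToArray(), state);
        if (callback != null) callback(result);
        return result;
    }
    public string[][] EndExecuteQuery(IAsyncResult result) { return ((CompletedResult)result).Rows; }
    // Minimal already-completed IAsyncResult, since this lookup finishes synchronously.
    private sealed class CompletedResult : IAsyncResult
    {
        public CompletedResult(string[][] rows, object state) { Rows = rows; AsyncState = state; }
        public string[][] Rows { get; private set; }
        public object AsyncState { get; private set; }
        public WaitHandle AsyncWaitHandle { get { return new ManualResetEvent(true); } }
        public bool CompletedSynchronously { get { return true; } }
        public bool IsCompleted { get { return true; } }
    }
}
```

A production store would replace the in-memory table with a pooled backend connection and validate the attribute names in the query against an allow-list before building any backend query from them.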

Writing your own IdP/STS or Attribute store isn’t extremely difficult; however, you need to first determine what features are most important to your organization prior to setting out to write your own. Here are just some of the features that are included in the Optimal IdM Federated Services product, are commonly used by many of Optimal IdM’s customers, and should be considered:

  • Authenticate users from multiple AD forests without any forest level trusts in place
  • Authenticate users from many different backend systems (AD, ADAM, AD-LDS, Sun, Oracle, eDirectory, Open LDAP, OpenDS, etc.)
  • Authentication methods such as traditional forms-based, Windows Integrated, client digital certificates, DoD CAC cards, 2-factor (keep in mind that ADFS only supports user/pwd and Windows Integrated Authentication out-of-the-box)
  • SSO support for existing IdM systems via header variables or cookie based solutions
  • OpenID Integration
  • Denial of Service (DoS) prevention
  • Proxy capabilities
  • Load-Balancing & Failover on front end web and backend data stores
  • Assertion Encryption
  • Audit logging of assertion and claim/attribute information
  • Federated Sign-out
  • Change Password & Forgot Password (Self-Service Password Reset)
  • Built-in connection pooling and performance optimizations for high-volume usage
  • Virtual Attributes & data translations/filtering
  • Passive & Active Profile
  • Office 365 integration including synchronization of on premise identities to the cloud and federated login with client applications (Lync, SharePoint, Outlook, etc.)

In Part 2 of 2, I will discuss the key questions that should be asked before embarking on the build vs. buy scenario for extending ADFS.

“The Experts Conference 2010 – Los Angeles”

April 20, 2010

Please stop by the Optimal IdM booth at this year’s The Experts Conference in Los Angeles. We will be showing our new Virtual Identity Server integration with SharePoint 2010 and, as always, will be happy to answer your questions on virtual directory technology or any other identity management topic. In addition, don’t miss Monday’s lunch session “Virtual Directory Q&A Session – Best Business Use Cases for a Virtual Directory”, and Mike Brengs’ session “Rapidly Deploying SharePoint Case Study”, which is slotted for 1:30 PM on Tuesday.

See you at the show and hope you don’t get delayed by the Volcano in Iceland!

Top 10 Laws of a Virtual Directory (Part I)

September 10, 2009

As more and more people are learning about Virtual Directories, they are asking better questions, so I decided to address them in my “Top 10 Laws of a Virtual Directory”.  This blog is Part I (Laws 1-5).  Stay tuned for Part II (Laws 6-10).

Law I: A Virtual Directory MUST REDUCE complexity: If you find your Virtual Directory deployment is becoming somewhat complicated, then you either:

  • Selected the Wrong Virtual Directory vendor
  • Did not implement the solution correctly
  • Both of the above

Law II:  A Virtual Directory MUST NOT create more issues than it solves:  Yes, there are Virtual Directories on the market that set out to solve problem “x”, but in turn while doing so, create problems “y” (and sometimes “z”).

Law III: A Virtual Directory SHOULD NOT be asked to solve ALL identity related issues: For some odd reason, people feel the need to “compare” Virtual Directories with synchronization or federation and then say which is better. Each has its own pros and cons and should be used in the right situation. There is no “silver bullet”, especially in the Identity Management space.

Law IV: A Virtual Directory SHOULD NOT take long to deploy: When selecting the right Virtual Directory for you, be careful if you are using a System Integrator (SI). VIS can be deployed in as little as a few hours and normally in no more than a few days (depending on the span of the project). SIs are only after deploying (and therefore recommending) products that increase their billable time. They are oftentimes NOT incentivized to recommend the “best” solution for a given client. Sad, but true.

Law V:  A Virtual Directory SHOULD NOT increase administration costs:  A Virtual Directory that requires you to hire more people just to manage/maintain it…is a bad choice.  In actuality, a “good” Virtual Directory (like VIS of course), should effectively “decrease” administration costs.  VIS does this through compliance and automation elements that are built into the product.  Another example is the tight integration that VIS has with SharePoint.  Don’t be afraid to ask your vendor (and their references) how much administration is needed.

Please watch for Part II in this series for Laws 6-10…