Archive for the ‘SharePoint’ Category

VIS for SharePoint — nominated for Best of TechEd 2014!

May 11, 2014

At TechEd 2013, the Optimal IdM – VIS for Office 365™ was nominated and WON Best of TechEd in the first ever Cloud Computing category presented by Windows IT Pro. This year we are excited to announce that we are nominated at TechEd 2014 for our VIS for SharePoint solution in the SharePoint category!

This is truly an honor and we are grateful to be in this position. If you are at the show, please stop by our booth (#129) and meet the team!

Extending ADFS to Multiple Identity and Attribute Stores (Part 1 of 2: The Basics)

April 17, 2012

There is much discussion these days about Active Directory Federation Services 2.0  (ADFS) and the out-of-the-box support of identity and attribute data other than Active Directory (AD).  In this blog (part 1 of 2), I plan to cover the basics of extending ADFS using the Microsoft Windows Identity Foundation (WIF) components.  In part 2 of 2, I will cover some of the more important questions that should be asked prior to setting out to build your own Identity Provider (IdP) / Security Token Service (STS) or Attribute store vs. purchasing a supported solution from a 3rd party vendor.

Out of the box, ADFS currently supports authentication (identity information) and authorization (attribute/claim information) only directly from Active Directory (AD). However, what many people miss is that ADFS ships with a framework (WIF) for extending it to meet just about any need you may have for both authentication and authorization.

If your identity information is located in a store other than AD, you can choose to build your own IdP/STS for authentication from the framework provided, or purchase one from a 3rd party vendor that is formally supported, such as the Optimal IdM Federated Services product. If you are looking to augment the claim information with attribute data that is located in a store other than AD/AD-LDS or SQL, you can choose to build your own Attribute store for authorization (a pluggable module in ADFS) or, again, purchase one from a 3rd party vendor. The Optimal IdM Federated Services product also includes a pluggable attribute store module that can surface attributes/claims from many different stores, including nearly every LDAP on the market (ADAM, AD-LDS, Sun, Oracle, eDirectory, Open LDAP, OpenDS, etc.) as well as most databases (SQL, Oracle, DB2, etc.).
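A minimal custom attribute store of the pluggable kind described above, as an added example rather than the Optimal IdM product's code; the class name, the constructed HR data, the single "department" query and the use of the Windows account name as the lookup key are assumptions:

```csharp
using System;
using System.Collections.Generic;
using System.Threading;
using Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore;

// Hypothetical custom AD FS 2.0 attribute store (added example, not Optimal IdM's product code),
// built against Microsoft.IdentityServer.ClaimsPolicy.dll and registered in the AD FS console
// under Trust Relationships > Attribute Stores > Add Custom Attribute Store.
public sealed class HrDepartmentStore : IAttributeStore
{
    // Constructed sample data standing in for a non-AD back end such as an HR database.
    private readonly Dictionary<string, string> _department =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
            { { "CONTOSO\\alice", "Finance" }, { "CONTOSO\\bob", "Engineering" } };
    private readonly ManualResetEvent _done = new ManualResetEvent(true);
    // Receives the initialization parameters typed into the AD FS console (none are needed here).
    public void Initialize(Dictionary<string, string> config) { }

    // 'query' is the administrator-written text from the claim rule; 'parameters' are claim values,
    // i.e. data the authenticating user can influence, so they serve only as lookup keys and are
    // never concatenated into a back-end query string.
    public IAsyncResult BeginExecuteQuery(string query, string[] parameters,
                                          AsyncCallback callback, object state)
    {
        if (query != "department")
            throw new AttributeStoreQueryFormatException("unsupported query: " + query);
        if (parameters == null || parameters.Length != 1)
            throw new AttributeStoreQueryFormatException("expected exactly one parameter");
        string dept;
        // Unknown user: return zero rows rather than throwing, so the rule simply issues no claim.
        string[][] rows = _department.TryGetValue(parameters[0], out dept)
            ? new[] { new[] { dept } } : new string[0][];
        var result = new CompletedResult { Rows = rows, AsyncState = state, AsyncWaitHandle = _done };
        if (callback != null) callback(result);
        return result;
    }

    public string[][] EndExecuteQuery(IAsyncResult result) { return ((CompletedResult)result).Rows; }
    // Minimal synchronously completed IAsyncResult; the lookup is in-memory, so no real async work.
    private sealed class CompletedResult : IAsyncResult
    {
        public string[][] Rows;
        public object AsyncState { get; set; }
        public WaitHandle AsyncWaitHandle { get; set; }
        public bool CompletedSynchronously { get { return true; } }
        public bool IsCompleted { get { return true; } }
    }
}
```

With the store registered under the display name "HR", a rule such as `c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(store = "HR", types = ("http://example.com/claims/department"), query = "department", param = c.Value);` turns the returned row into a claim (the claim type URI is an assumed one).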

Writing your own IdP/STS or Attribute store isn’t extremely difficult; however, you first need to determine which features are most important to your organization before setting out to write your own. Here are just some of the features that are included in the Optimal IdM Federated Services product, are commonly used by many of Optimal IdM’s customers, and should be considered:

  • Authenticate users from multiple AD forests without any forest level trusts in place
  • Authenticate users from many different backend systems (AD, ADAM, AD-LDS, Sun, Oracle, eDirectory, Open LDAP, OpenDS, etc.)
  • Authentication methods such as traditional forms-based, Windows Integrated, client digital certificates, DoD CAC cards, 2-factor (keep in mind that ADFS only supports user/password and Windows Integrated Authentication out-of-the-box)
  • SSO support for existing IdM systems via header variables or cookie based solutions
  • OpenID Integration
  • Denial of Service (DoS) prevention
  • Proxy capabilities
  • Load-Balancing & Failover on front end web and backend data stores
  • Assertion Encryption
  • Audit logging of assertion and claim/attribute information
  • Federated Sign-out
  • Change Password & Forgot Password (Self-Service Password Reset)
  • Built-in connection pooling and performance optimizations for high-volume usage
  • Virtual Attributes & data translations/filtering
  • Passive & Active Profile
  • Office 365 integration including synchronization of on premise identities to the cloud and federated login with client applications (Lync, SharePoint, Outlook, etc.)

In Part 2 of 2, I will discuss the key questions that should be asked before embarking on the build vs. buy scenario for extending ADFS.

Extend AD FS 2.0 to leverage powerful features of a virtual directory with Virtual Identity Server Federation Services!

March 10, 2011

After overwhelming requests from our clients and prospects, it’s finally here!! Yes, the Virtual Identity Server Federation Services™ (VIS Federation Services). VIS FS seamlessly integrates with AD FS 2.0 to extend AD FS 2.0’s powerful features to now include the ability to support authentication from multiple data repositories as well as support for multiple authentication methods (traditional forms-based as well as Windows Integrated and SSO from other Identity Management systems). Read the full Press Release here.

Any claims-aware application that supports AD FS 2.0 (such as SharePoint 2010 and Unified Access Gateway or UAG) can now leverage the powerful features of the Virtual Identity Server (Virtual Directory), without even knowing about VIS!  Simply configure the claims-aware application to AD FS 2.0, then configure AD FS 2.0 to trust the new VIS FS STS, and that’s it!!  For more details about this new product, please stop by our booth at The Experts Conference 2011 in Las Vegas April 17-20!

SharePoint People Picker (Part II)

July 15, 2010

…And now the video link to the new Optimal IdM People Picker.

SharePoint People Picker

July 12, 2010

Have you ever used SharePoint and wished for a more flexible/powerful “People Picker”? Well, Optimal IdM has just released a fully customizable People Picker (the Optimal People Picker) for SharePoint that works in conjunction with its Virtual Identity Server for SharePoint product. This release will be included for free along with VIS for SharePoint; however, a stand-alone version of the Optimal People Picker will be released soon that will work with SharePoint 2010 when using Claims Authentication and will not require VIS for SharePoint. Some of the powerful benefits and features include:

  • Ability to search on multiple different attributes (not just the user id), at the same time
  • Configurable list of attributes to return to user
  • Ability to sort results
  • Easy to use interface that includes a paged grid view
  • Ability for administrators to apply various filters on the results based on group memberships (filtering based on RBAC)
  • Ability for administrators to create search templates (for commonly used searches)
  • Ability for administrators to apply different filters for permission searches

Optimal People Picker

“The Experts Conference 2010 – Los Angeles”

April 20, 2010

Please stop by the Optimal IdM booth at this year’s The Experts Conference in Los Angeles. We will be showing our new Virtual Identity Server integration with SharePoint 2010 and, as always, will be happy to answer your questions on virtual directory technology or any other identity management topic. In addition, don’t miss Monday’s lunch session “Virtual Directory Q&A Session – Best Business Use Cases for a Virtual Directory”, and Mike Brengs’ session “Rapidly Deploying SharePoint Case Study”, which is slotted for 1:30 PM on Tuesday.

See you at the show and hope you don’t get delayed by the Volcano in Iceland!

Reducing SharePoint complexity and cost

March 13, 2010

A year ago, Optimal IdM released a special version of its virtual directory just for SharePoint (VIS for SharePoint). At that time it was specifically for SharePoint 2007, and to date it has been an overwhelming success. Our customers that are using the product have been raving about the simplicity of the product and the cost savings that have been realized.

Now with the upcoming release of SharePoint 2010, we have stayed on top of each release from Microsoft, including the most recent release candidate (SharePoint 2010 RC).  We are pleased to say that VIS for SharePoint (2010 RC), is fully operational and we are looking to support the final version when it is released to market (which we hope will be soon).

As such, Optimal IdM remains the true leader in SharePoint deployments across multiple back-end data stores including:

  • Multiple AD domains/forests (yes, with a single SharePoint deployment)
  • Multiple LDAP types (AD, AD-LDS/ADAM, Sun, etc.)
  • Multiple data sources (SQL, Oracle, etc.), from which SharePoint security decisions can be made

All of this in real-time or near real-time. Virtual Identity Server (VIS) is still the only truly Microsoft-centric and Microsoft-friendly virtual directory on the market. To learn more about our VIS for SharePoint integration, click here, or to watch a video of its power in action, click here.

Top 10 Laws of a Virtual Directory (Part I)

September 10, 2009

As more and more people are learning about Virtual Directories, they are asking better questions, so I decided to address them in my “Top 10 Laws of a Virtual Directory”.  This blog is Part I (Laws 1-5).  Stay tuned for Part II (Laws 6-10).

Law I: A Virtual Directory MUST REDUCE complexity: If your Virtual Directory deployment seems to be somewhat complicated, then you either:

  • Selected the Wrong Virtual Directory vendor
  • Did not implement the solution correctly
  • Both of the above

Law II:  A Virtual Directory MUST NOT create more issues than it solves:  Yes, there are Virtual Directories on the market that set out to solve problem “x”, but in turn while doing so, create problems “y” (and sometimes “z”).

Law III: A Virtual Directory SHOULD NOT be asked to solve ALL identity related issues: For some odd reason, people feel the need to “compare” Virtual Directories with synchronization or federation, and then say which is better. Each has its own pros and cons and should be used in the right situation. There is no “silver bullet”, especially in the Identity Management space.

Law IV: A Virtual Directory SHOULD NOT take long to deploy: When selecting the right Virtual Directory for you, be careful if you are using a System Integrator (SI). VIS can be deployed in as little as a few hours and normally no more than a few days (depending on the span of the project). SIs are only after deploying (and therefore recommending) products that increase their billable time. They often have no incentive to recommend the “best” solution for a given client. Sad, but true.

Law V:  A Virtual Directory SHOULD NOT increase administration costs:  A Virtual Directory that requires you to hire more people just to manage/maintain it…is a bad choice.  In actuality, a “good” Virtual Directory (like VIS of course), should effectively “decrease” administration costs.  VIS does this through compliance and automation elements that are built into the product.  Another example is the tight integration that VIS has with SharePoint.  Don’t be afraid to ask your vendor (and their references) how much administration is needed.

Please watch for Part II in this series for Laws 6-10…

You don’t have to have multiple LDAP’s to benefit from a Virtual Directory

September 4, 2009

I can’t wait for part III of Bob’s blog series on “Why are Multiple Directories Deployed and Virtual Directories Ignored?”. I’m afraid that people will associate Virtual Directories only with solving the multiple-directory problem, as if that were their only use, when in fact the uses go on and on.

A Virtual Directory can provide significant value to clients whether they have a single LDAP, or hundreds of them. As I mentioned before, the perception is that “…if I only have one LDAP, then why would I bother with a Virtual Directory?” Well, I could ask the question “…is there any value in using a database view if I only have a single table?” or if I have a single web server, is there any value in using a reverse proxy? The answer to both of those questions is obviously YES, and likewise to that of a Virtual Directory in a similar scenario.

Oddly enough, the benefits in using a database view and the benefits in using a reverse proxy are the EXACT same benefits in using a Virtual Directory. Think about this:

Database View:

  • Provides the ability to filter out data that you don’t want to publish to the consumer of the data (Data loss/leakage Prevention).
  • Provides the ability to perform data translations to the data in real-time. This includes changing the names of fields to either obfuscate them or simply make them easier for consumption.
  • Provides the ability of an added layer of security to the back-end tables. They can be read-only or updatable.
  • Provides the ability to join like data from other tables in a merged view.

Reverse Proxy Server:

  • Provides the ability to mask the server names (obfuscation).
  • Provides the ability to join multiple back-end web servers and host them under a consolidated namespace.
  • Provides the ability of an added layer of security to the back-end web servers.
  • Provides the ability of additional caching of information for performance gains of high-traffic websites.

So, I listed 4 common benefits of using a database view and 4 common benefits for using a reverse proxy. My list is obviously not a comprehensive list, but rather just a small sampling of the benefits. Ironically, ALL 8 benefits (there is some overlap), are the same EXACT benefits to using a Virtual Directory! Here is an updated list for Virtual Directories (again, most of these benefits have nothing to do with the number of LDAP’s you have either):

  • Provides the ability to filter out data that you don’t want to publish in LDAP searches (Data loss/leakage Prevention).
  • Provides the ability to perform data translations in real-time. A great example of this is virtually changing the OU structure of your data. Here you can flatten hierarchical data and conversely convert flat data to a hierarchical structure.
  • Provides the ability of an added layer of security to your back-end LDAP data. In addition, VIS provides auditing and reporting as well.
  • Provides the ability to join data from back-end LDAP’s (as well as other types of data stores such as databases, etc.).
  • Provides the ability to mask backend LDAP’s (and provides automated failover/redundancy as well).
  • Provides the ability to merge back-end data into a consolidated namespace.
  • Provides the ability to cache certain data to increase overall performance. (This topic is a blog or two on its own.) A good example of this is an application (such as SharePoint) that continually pulls data from AD on the user that is currently logged in. Enabling cache (say for just 5 minutes) could save hundreds of back-end searches to AD!
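The view and proxy benefits listed above applied to directory data, as an added example in hypothetical C# (not the VIS product's code); the two back-end stores, their entries, the published attribute list and the 5-minute TTL are all constructed:

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical virtual-directory view (added example, not the VIS product): filters attributes,
// renames one, flattens the OU structure, joins a second store and caches results with a TTL.
public static class VirtualView
{
    // Constructed sample back ends: an LDAP-style store keyed by DN and an HR table keyed by uid.
    public static readonly Dictionary<string, Dictionary<string, string>> Ldap =
        new Dictionary<string, Dictionary<string, string>>
        {
            { "cn=alice,ou=finance,ou=emea,dc=corp,dc=example", new Dictionary<string, string>
                { { "uid", "alice" }, { "mail", "alice@corp.example" }, { "ssn", "000-00-0001" } } },
            { "cn=bob,ou=eng,dc=corp,dc=example", new Dictionary<string, string>
                { { "uid", "bob" }, { "mail", "bob@corp.example" }, { "ssn", "000-00-0002" } } },
        };
    public static readonly Dictionary<string, string> Hr =
        new Dictionary<string, string> { { "alice", "Finance" }, { "bob", "Engineering" } };
    public static int BackendSearches;                        // searches that actually hit the back ends
    public static readonly TimeSpan CacheTtl = TimeSpan.FromMinutes(5);
    private static readonly Dictionary<string, KeyValuePair<DateTime, Dictionary<string, string>>> Cache =
        new Dictionary<string, KeyValuePair<DateTime, Dictionary<string, string>>>();
    private static readonly string[] Published = { "uid", "mail" };   // ssn is never published (DLP)
    private static readonly Dictionary<string, string> Rename =
        new Dictionary<string, string> { { "mail", "email" } };       // virtual attribute name translation

    // Returns the virtual entry for a uid, or null if no back end knows the user.
    public static Dictionary<string, string> Lookup(string uid, DateTime now)
    {
        KeyValuePair<DateTime, Dictionary<string, string>> cached;
        if (Cache.TryGetValue(uid, out cached) && now - cached.Key < CacheTtl)
            return cached.Value;                                // served without a back-end search
        BackendSearches++;
        var entry = Ldap.FirstOrDefault(e => e.Value["uid"] == uid);
        if (entry.Key == null) return null;

        var view = new Dictionary<string, string>();
        view["dn"] = "uid=" + uid + ",ou=people,dc=virtual";   // flattened: the real OU depth is hidden
        foreach (var attr in entry.Value)
            if (Published.Contains(attr.Key))
                view[Rename.ContainsKey(attr.Key) ? Rename[attr.Key] : attr.Key] = attr.Value;
        string dept;                                            // join: HR data surfaced as an attribute
        if (Hr.TryGetValue(uid, out dept)) view["department"] = dept;
        Cache[uid] = new KeyValuePair<DateTime, Dictionary<string, string>>(now, view);
        return view;
    }
}
```

Calling Lookup("alice", t) twice within five minutes leaves BackendSearches at 1 and returns an entry holding dn, uid, email and department but no ssn.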

The bottom line here is that as scary as Virtual Directories sound, the benefits they provide are already in wide use today. It’s all about applying the technology in the proper way.

Virtual Identity Server | “The .NET Virtual Directory”