Archive for the ‘Virtual Directory’ Category

Virtual Directory as an API

July 20, 2013

In only a few years, we have gone from the “new kids on the block” to a leader in the industry, and we are not done yet.  A bit overshadowed by our Best of TechEd win, Optimal IdM quietly announced back in June that we now offer our award-winning Virtual Directory as an API!  The “Virtual Identity Server Framework” is a .NET API that allows developers to embed the full power of a Virtual Directory directly into their applications.  This removes the additional layer (a separate LDAP listener and network hop) that is traditionally present when an application connects to a Virtual Directory.  Now you can perform all of the typical LDAP operations easily and efficiently: authenticating users, LDAP searches, modifies, deletes, adds, compares, etc., each in a single line of code and without the developer needing to know much about LDAP.

The possibilities are endless for how quickly we can roll out new supporting elements with the API, such as exposing VIS through web services (SOAP, REST, WCF, etc.) or driving VIS directly from PowerShell.  That’s right: as part of this rollout we have used this API to build PowerShell cmdlets that bring the full power of VIS into PowerShell scripting.


Extending ADFS to Multiple Identity and Attribute Stores (Part 2 of 2: The Tough Questions)

June 9, 2012

In part 1 of 2 of this blog I addressed the basics of extending ADFS.  In this blog (part 2 of 2), I will cover some of the more important questions that should be asked prior to setting out to build your own Identity Provider (IdP) / Security Token Service (STS) or attribute store vs. purchasing a supported solution from a 3rd party vendor.

Questions to ask yourself:

  • Does your company/firm want to maintain custom development for security-related operations?  Typically this is not a good practice.  If you do, you need to ensure that you do it right and that the code you develop can be reused within the company for other purposes, so you have some sense of standards.  An STS should be robust and configurable enough to handle the entire company’s authentication needs; otherwise you end up with one-offs.
  • Is your company opposed to purchasing 3rd party software products?  For some folks this is the case, and for some it’s because of cost.  Just keep in mind the full cost of your time and effort to design, develop and maintain your solution vs. buying.  In many cases, the cost (tangible and intangible) of developing far outweighs that of purchasing.
  • Does your company/firm have the knowledge to develop and maintain security software?  If you are a business application developer, then spending your development cycles writing security software may be a waste of your expertise/time.
  • Do we need to deliver a solution that scales and performs for all users?  If so, you will need to build in features that can become a burden if you haven’t done them before, such as maintaining LDAP connection pools.  Opening and tearing down a connection for every authentication does not scale, and a pooled connection that was last bound as an end user must be re-bound as the service account before it is reused, or the next search runs under that user’s identity.
  • Do we already have expertise in federation?  If not, then you will be spending many days/nights researching terms and trying to figure out all of the many moving parts within federation.  Microsoft’s WIF does make the task of building an STS somewhat easy, but if you don’t understand what it does under the covers, then you will have a difficult time trying to customize your solution to meet your business needs.
  • How many Relying Parties do you need to support?  If you plan to deploy your STS along with ADFS, then this may not be an issue.  Otherwise, if you have more than one (or plan to have more than one), you will need to factor that into your design and configuration utility.  Will you build a configuration utility, or make it hard to install/configure/maintain?
  • Do you need to encrypt your assertions or just sign them?  In either case, you’re going to have to know the difference and how to implement them.  Signing requires the STS’s own certificate with its private key (the RP verifies the signature with the public half it reads from your federation metadata).  Encrypting uses the RP’s public encryption key, which is all the RP gives you; only the RP’s private key can decrypt the assertion.  The two certificates are distinct and have different custody requirements.
  • Do you need to publish a FederationMetadata.xml file?  This is built into WIF, but maintaining it can be a chore (especially when rolling over certificates, since every RP reads your signing certificate from it).
  • Do you need to implement a proper sign-out process?  This is available in WIF, but the process of signing users out of ADFS (as an RP) vs. signing users out of other RPs is different and can be quite tough to get right.  The secret here is to ensure that you have given enough time to properly call the sign-out process in all of the places that your users are logged into (yes, you will need to track this yourself).
  • Do you have the free time on your hands to actually complete this development effort?  We have seen several people come to us after spending significant cycles in research and development for various reasons.
  • Do you have an authentication method planned out, or will you be attempting to support many different types?  Such as: user/password, Windows Integrated, certificate, DoD CAC cards, OpenID, custom SSO, etc.  If you are able to nail down one or two of these, you’d be better off, but when designing you have to plan for the future.
  • Speaking of design, will you develop a formal design document?
  • Do you have any auditing requirements?  If so, you really need to spend some time detailing what you need to audit and where you plan to store the data.  Make sure the auditing runs on a separate thread (or through a queue) from your login process to avoid slowing down authentication, but also make sure a failed audit write is detected rather than silently dropped.
  • If building custom, do you know how to write code that holds up under penetration testing and resists denial of service and cross-site scripting attacks?  Do you know what these are?  Have you ever developed code that has been tested under these scenarios?  Remember, since your code handles authentication and has access to user IDs and passwords, security is paramount.  Can you afford a data breach such as LinkedIn’s, where over 6 million password hashes were compromised?
  • From an organizational standpoint, what happens when the developer (maybe you) leaves the company?  Many developers want to develop “cool” things, and you may be that person, so you may be biased.  What is right for the company?
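As an added example (not code from this post or from any Optimal IdM product), here is the kind of bounded, thread-safe LDAP connection pool the scaling question above is getting at, in Python. It runs offline against a constructed stand-in for the directory: FakeLdapConnection, DIRECTORY, the svc-sts service account and the two test users are all assumed names, and in a real STS the stand-in would be replaced by a live LDAP connection. What it shows beyond the text is the invariant a pool for an authenticating service must keep: a connection that was just used for an end user’s password bind is re-bound as the service account before it goes back into the pool, and once the pool is exhausted callers wait (and fail fast) rather than opening ever more connections to the domain controller.

```python
"""Bounded LDAP connection pool for an STS, with a fake connection so it runs offline."""
import queue
import threading
from contextlib import contextmanager

# Assumed names for the example; substitute your own service account.
SERVICE_DN = "CN=svc-sts,OU=Service Accounts,DC=example,DC=com"
SERVICE_PW = "example-service-secret"

# Constructed stand-in for the directory: username -> (DN, password).
DIRECTORY = {
    "alice": ("CN=Alice,OU=Users,DC=example,DC=com", "alice-pw"),
    "bob": ("CN=Bob,OU=Users,DC=example,DC=com", "bob-pw"),
}


class FakeLdapConnection:
    """Stand-in for a real LDAP connection; it only tracks the current bind identity."""

    created = 0  # how many connections were ever opened (class-wide counter)

    def __init__(self):
        FakeLdapConnection.created += 1
        self.bound_as = None  # None == anonymous, which is what a failed simple bind leaves you with

    def bind(self, dn, password):
        if dn == SERVICE_DN:
            ok = password == SERVICE_PW
        else:
            ok = any(d == dn and pw == password for d, pw in DIRECTORY.values())
        self.bound_as = dn if ok else None
        return ok

    def search_user_dn(self, username):
        if self.bound_as != SERVICE_DN:
            raise PermissionError("search requires the service bind")
        entry = DIRECTORY.get(username)
        return entry[0] if entry else None


class LdapPool:
    """Keeps up to `size` open connections, every idle one bound as the service account."""

    def __init__(self, size, factory=FakeLdapConnection):
        self._size = size
        self._factory = factory
        self._free = queue.Queue()
        self._lock = threading.Lock()
        self._open = 0

    def _checkout(self, timeout):
        try:
            return self._free.get_nowait()
        except queue.Empty:
            pass
        with self._lock:
            if self._open < self._size:
                self._open += 1
                conn = self._factory()
                conn.bind(SERVICE_DN, SERVICE_PW)
                return conn
        try:  # pool exhausted: wait for a return instead of opening more connections
            return self._free.get(timeout=timeout)
        except queue.Empty:
            raise TimeoutError("LDAP pool exhausted; nothing freed within %ss" % timeout)

    def _checkin(self, conn):
        # Invariant: nothing goes back into the pool still bound as an end user
        # (or anonymous after a failed bind); otherwise the next caller's search
        # would run under the previous user's identity and permissions.
        if conn.bound_as != SERVICE_DN and not conn.bind(SERVICE_DN, SERVICE_PW):
            with self._lock:
                self._open -= 1  # discard the broken connection; a fresh one replaces it later
            return
        self._free.put(conn)

    @contextmanager
    def connection(self, timeout=5.0):
        conn = self._checkout(timeout)
        try:
            yield conn
        finally:
            self._checkin(conn)


def authenticate(pool, username, password):
    """Resolve the user's DN with the pooled service bind, then verify the password
    with a simple bind as that DN. True only if both steps succeed."""
    with pool.connection() as conn:
        dn = conn.search_user_dn(username)
        if dn is None:
            return False
        return conn.bind(dn, password)


def run_load(pool, workers=8, rounds=25):
    """Drive the pool from several threads; returns (successes, failures, connections_opened)."""
    results = []
    cases = [("alice", "alice-pw"), ("bob", "wrong"), ("carol", "x"), ("bob", "bob-pw")]

    def worker():
        for i in range(rounds):
            user, pw = cases[i % len(cases)]
            results.append(authenticate(pool, user, pw))

    threads = [threading.Thread(target=worker) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results.count(True), results.count(False), FakeLdapConnection.created


if __name__ == "__main__":
    print(run_load(LdapPool(size=4)))  # 200 authentications over at most 4 connections
```

The bounded size plus the checkout timeout is also a denial-of-service control: a login storm fails fast at the STS instead of turning into hundreds of fresh binds against the domain controller.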

Finally, make sure you consider the following items as well if you plan to develop your own STS:

  • Timeouts & token sessions (including sliding expiration and cookie paths).  Do you know what these are?
  • Make sure your sign-out page is not a protected page (in case your STS token expires before your RP token; otherwise the sign-out request bounces the user back to a sign-in).
  • Encrypt your connection information (passwords in your configuration files, etc.).  Don’t forget to factor in the time it will take to get this right; on .NET, prefer the platform’s protected configuration (DPAPI-backed, e.g. aspnet_regiis -pe on the connectionStrings section) over a home-grown scheme whose key sits next to the ciphertext.  Remember, this server performs authentication, and a readable service-account password in a config file is an open security hole.
  • Ensure that you are handling byte arrays from LDAP properly.  For example, if you are working with AD/AD-LDS attributes such as “objectGuid” or “objectSid”, remember to convert these values correctly: a SID has its own binary layout (revision, sub-authority count, 48-bit authority, then little-endian sub-authorities) and its own string form, and a GUID’s first three fields are stored little-endian, so neither is a plain hex dump of the bytes.
  • Make sure you fully understand all the query-string parameters in play in federation (for WS-Federation: wa, wtrealm, wreply, wctx and friends) and how to handle them.  Note that some of the values (wreply in particular, and often wctx) are themselves URLs carrying their own query strings, so they must be encoded and decoded as such, and wreply should be validated against the RP’s registered endpoint rather than redirected to blindly.
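An added example (not from the post or the product) in Python for the objectSid/objectGuid point above: converting the raw byte arrays AD returns into the familiar S-1-5-... and GUID string forms, back again, and into the \hh escaped form needed to search an object by its objectGUID. The sample byte strings are constructed (the well-known BUILTIN\Administrators SID and an arbitrary GUID); the function names are my own, not an API of any product mentioned here.

```python
"""objectSid / objectGUID byte-array handling as seen from LDAP (AD / AD LDS)."""
import struct
import uuid


def sid_bytes_to_string(raw: bytes) -> str:
    """Decode a binary SID: revision (1 byte), sub-authority count (1 byte),
    48-bit identifier authority (big-endian), then N 32-bit sub-authorities
    (little-endian). Result is the usual S-R-A-S1-S2-... text form."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its fixed 8-byte header")
    revision, sub_count = raw[0], raw[1]
    if len(raw) != 8 + 4 * sub_count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % sub_count, raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sid_string_to_bytes(sid: str) -> bytes:
    """Inverse of sid_bytes_to_string, for when a SID arrives as text (e.g. from a
    token or a config file) and has to be compared with, or searched as, bytes."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if not 0 <= authority < 2 ** 48 or any(not 0 <= s < 2 ** 32 for s in subs):
        raise ValueError("SID component out of range")
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def sid_rid(raw: bytes) -> int:
    """The last sub-authority is the RID (544 for BUILTIN\\Administrators)."""
    if len(raw) < 12 or raw[1] == 0:
        raise ValueError("SID has no sub-authorities")
    return struct.unpack("<I", raw[-4:])[0]


def guid_bytes_to_string(raw: bytes) -> str:
    """objectGUID stores its first three fields little-endian, so it must be read
    with bytes_le; uuid.UUID(bytes=raw) would silently yield a different GUID."""
    if len(raw) != 16:
        raise ValueError("GUID must be 16 bytes")
    return str(uuid.UUID(bytes_le=raw))


def guid_string_to_bytes(text: str) -> bytes:
    """Text GUID back to the 16 bytes AD stores (same mixed-endian order)."""
    return uuid.UUID(text).bytes_le


def guid_search_filter(raw: bytes) -> str:
    """LDAP filter that finds an object by its immutable objectGUID. Binary values
    are escaped byte-by-byte as \\hh inside a filter (RFC 4515)."""
    if len(raw) != 16:
        raise ValueError("GUID must be 16 bytes")
    return "(objectGUID=" + "".join("\\%02x" % b for b in raw) + ")"


if __name__ == "__main__":
    # Constructed samples: the well-known BUILTIN\Administrators SID and an arbitrary GUID.
    admins = bytes.fromhex("01020000000000052000000020020000")
    print(sid_bytes_to_string(admins), sid_rid(admins))
    g = bytes.fromhex("33221100554477668899aabbccddeeff")
    print(guid_bytes_to_string(g))
    print(guid_search_filter(g))
```

Compare and look up users by objectGUID (or objectSid) rather than by DN or sAMAccountName when the STS has to recognise the same account after a rename or move; both survive those, a DN does not.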


For more information on the Optimal IdM VIS Federation Services, go here.

Virtual Identity Server for Office 365

May 5, 2012

If you are thinking of going to the cloud you may want to take a look at our new offering at Optimal IdM (Virtual Identity Server for Office 365).  A quick look at some of the features and benefits are below:

  • Fast and easy multi-forest support (no changes needed to any of your data in AD)
  • Firewall for your LDAP
  • Two-Factor Authentication
  • Multi-Authentication Types (Windows Integrated, Client Cert, DoD CAC, SSO, and more)
  • Non-Routable UPN support (again, no changes needed to any of your data in AD)
  • Auditing
  • Denial of Service (DoS) prevention
  • Support for desktop clients (Lync & Outlook) as well as all web apps (Portal, OWA & Lync web)
  • Support for provisioning and synchronization, including filtering of what data goes to the cloud
  • and much more…

Extending ADFS to Multiple Identity and Attribute Stores (Part 1 of 2: The Basics)

April 17, 2012

There is much discussion these days about Active Directory Federation Services 2.0 (ADFS) and its out-of-the-box support for identity and attribute data other than Active Directory (AD).  In this blog (part 1 of 2), I plan to cover the basics of extending ADFS using the Microsoft Windows Identity Foundation (WIF) components.  In part 2 of 2, I will cover some of the more important questions that should be asked prior to setting out to build your own Identity Provider (IdP) / Security Token Service (STS) or attribute store vs. purchasing a supported solution from a 3rd party vendor.

Out of the box, ADFS 2.0 authenticates users (identity information) only against Active Directory (AD), and its built-in attribute stores for authorization (attribute/claim information) cover AD, AD LDS (through the LDAP attribute store) and SQL Server.  What many people are missing is that ADFS 2.0 is built on WIF and exposes extension points that let you meet just about any need you may have for both authentication and authorization.

If your identity information is located in a store other than AD, you can choose to build your own IdP/STS for authentication from the framework provided, or purchase one from a 3rd party vendor that is formally supported, such as the Optimal IdM Federated Services product.  If you are looking to augment the claim information with attribute data that is located in a store other than AD/AD-LDS or SQL, you can choose to build your own attribute store for authorization, which is a pluggable module in ADFS, or again purchase one from a 3rd party vendor.  The Optimal IdM Federated Services product also includes a pluggable attribute store module that can surface attributes/claims from many different stores, including nearly every LDAP on the market (ADAM, AD-LDS, Sun, Oracle, eDirectory, OpenLDAP, OpenDS, etc.) as well as most databases (SQL, Oracle, DB2, etc.).

Writing your own IdP/STS or attribute store isn’t extremely difficult; however, you need to first determine which features are most important to your organization before setting out to write your own.  Here are just some of the features that are included in the Optimal IdM Federated Services product, are commonly used by many of Optimal IdM’s customers, and should be considered:

  • Authenticate users from multiple AD forests without any forest level trusts in place
  • Authenticate users from many different backend systems (AD, ADAM, AD-LDS, Sun, Oracle, eDirectory, Open LDAP, OpenDS, etc.)
  • Authentication methods such as traditional forms-based, Windows Integrated, client digital certificates, DoD CAC cards, 2-factor  (Keep in mind that ADFS 2.0 itself only supports forms user/pwd, Windows Integrated and TLS client certificate authentication out-of-the-box, all against AD)
  • SSO support for existing IdM systems via header variables or cookie based solutions
  • OpenID Integration
  • Denial of Service (DoS) prevention
  • Proxy capabilities
  • Load-Balancing & Failover on front end web and backend data stores
  • Assertion Encryption
  • Audit logging of assertion and claim/attribute information
  • Federated Sign-out
  • Change Password & Forgot Password (Self-Service Password Reset)
  • Built-in connection pooling and performance optimizations for high-volume usage
  • Virtual Attributes & data translations/filtering
  • Passive & Active Profile
  • Office 365 integration including synchronization of on premise identities to the cloud and federated login with client applications (Lync, SharePoint, Outlook, etc.)

In Part 2 of 2, I will discuss the key questions that should be asked before embarking on the build vs. buy scenario for extending ADFS.

And then there were two (independent virtual directory vendors that is)…

June 11, 2011

So, since the big news from Quest Software announcing the acquisition of Symlabs, the independent virtual directory market has shrunk down to two.  That would be Optimal IdM (my firm), and Radiant Logic.  On that note, I thought it would be a good time to browse the short history of virtual directory vendors and products and see just where they all are today:

VENDOR | PRODUCT | STATUS | COMMENTS
OctetString | OctetString Virtual Directory (Java) | Acquired (Oracle) | Acquired by Oracle in 2005 (now Oracle Virtual Directory)
Sun | Virtual Directory Server (Java) | Acquired (Oracle) | Acquired by Oracle in 2009 (no longer sold)
MaXware | MaXware Virtual Directory (Java) | Acquired (SAP) | Acquired by SAP in 2007 (now SAP NetWeaver Identity Management Virtual Directory Server)
Symlabs | Virtual Directory Server (C & Java) | Acquired (Quest) | Acquired by Quest Software in 2011 (will be embedded into some Quest product and no longer sold)
Identyx | Penrose (Java) | Acquired (Red Hat) | Acquired by Red Hat in 2008 (Identyx sold a special version of the open source Penrose Virtual Directory)
Applied Identity | ID-Unify | Acquired (Citrix) | Acquired by Citrix in 2010 (no longer on the market)
MyVD | My Virtual Directory (Java) | Open Source | No updates in over 3 years (likely cannot keep up with commercial vendors)
Novell | Virtual Directory Services (Java) | Never made it to market | Project was disbanded in 2005
Radiant Logic | Virtual Directory Server (Java) | Commercially Available | Written in Java and requires Java run-times and third party binaries.
Optimal IdM | Virtual Identity Server (.NET) | Commercially Available | The ONLY .NET virtual directory on the market.  Microsoft-centric, but connects to heterogeneous systems.  Since its initial roll-out in early 2008, the product has proven to be a true innovator in new features and new ways to leverage virtual directory technology.  Deep integrations into the Microsoft suite such as SharePoint 2007/2010, AD FS 2.0, UAG, and more.  Optimal IdM has three recent head-to-head wins against Radiant Logic with Fortune 100 companies in 2011 alone!

Now to return to the Quest acquisition of Symlabs, it’s worth noting that the intention of this acquisition was not for Quest to enter the virtual directory market, but rather to leverage the technology to make their own products better.  This tells me that they are pretty forward in their thinking about how to solve some common LDAP-related issues that exist in many products on the market today.  As Dave Kearns points out in this article, this is the same reason that many companies purchase these products.  I believe this trend will continue, but what’s interesting to note is that as these vendors get swallowed up by the bigger vendors to solve their own internal issues, they are removing products from the market that are proving to be a vital part of the identity management technology stack.  After this latest acquisition, Symlabs customers will be asking questions and perhaps seeking a replacement product.  In order to ease this transition, Optimal IdM will be making special offers to existing Symlabs customers to help them migrate to the Virtual Identity Server solution at a very low cost and no increase to their existing support expense.  Stay tuned for more details or contact Sales for more information.

Extend AD FS 2.0 to leverage powerful features of a virtual directory with Virtual Identity Server Federation Services!

March 10, 2011

After overwhelming requests from our clients and prospects, it’s finally here!!  Yes, the Virtual Identity Server Federation Services™ (VIS Federation Services).  VIS FS seamlessly integrates with AD FS 2.0 to extend AD FS 2.0’s powerful features to include support for authentication from multiple data repositories as well as multiple authentication methods (traditional forms-based as well as Windows Integrated and SSO from other Identity Management systems).  Read the full Press Release here.

Any claims-aware application that supports AD FS 2.0 (such as SharePoint 2010 and Unified Access Gateway or UAG) can now leverage the powerful features of the Virtual Identity Server (Virtual Directory), without even knowing about VIS!  Simply configure the claims-aware application to AD FS 2.0, then configure AD FS 2.0 to trust the new VIS FS STS, and that’s it!!  For more details about this new product, please stop by our booth at The Experts Conference 2011 in Las Vegas April 17-20!

“The Experts Conference 2010 – Los Angeles”

April 20, 2010

Please stop by the Optimal IdM booth at this year’s The Experts Conference in Los Angeles.  We will be showing our new Virtual Identity Server integration with SharePoint 2010 and, as always, are happy to answer your questions on virtual directory technology or any other identity management topic.  In addition, don’t miss Monday’s lunch session “Virtual Directory Q&A Session – Best Business Use Cases for a Virtual Directory“, and Mike Brengs’ session “Rapidly Deploying SharePoint Case Study“, which is slotted for 1:30 PM on Tuesday.

See you at the show and hope you don’t get delayed by the Volcano in Iceland!

When to Synchronize, Virtualize and Federate data in the Enterprise

April 14, 2010

Another Managing Partner at Optimal IdM, Mike Brengs, posted a new blog today that has truly been a sore topic for some folks.   The topic is centered on when companies should consider using one technology over another, in this case, when to synchronize, when to virtualize and when to federate data within an enterprise.

These technologies have some level of overlap, but it is critical to know when to use each one and, more importantly, when not to use one.  I’ve known Mike a long time and he loves the analogy that you can drive a car from one end of the country to the other (say New York to Los Angeles), but the better choice these days is certainly not to drive but to fly.  The same logic applies to these technologies: you may choose to duplicate/sync your users from two different AD forests into a consolidated ‘enterprise’ directory, but you must consider the new problems you have just created in order to solve the old ones, and perhaps choose an alternative solution.

The bottom line on this topic is that for each problem you are attempting to solve, you should ask how many new problems you are creating.  In the above example, you have now created a password synchronization problem with your solution (not to mention data latency), so be careful with your choices.

The white paper Mike is referring to also includes detailed use cases on this topic combined with the Virtual Identity Server.  Click the link to download the new white paper, ‘When to Synchronize, Virtualize and Federate data in the Enterprise‘.

Reducing SharePoint complexity and cost

March 13, 2010

A year ago, Optimal IdM released a special version of its virtual directory just for SharePoint (VIS for SharePoint).  At that time it was specifically for SharePoint 2007, and to date it has been an overwhelming success.  Our customers that are using the product have been raving about the simplicity of the product and the cost savings that have been realized.

Now with the upcoming release of SharePoint 2010, we have stayed on top of each release from Microsoft, including the most recent release candidate (SharePoint 2010 RC).  We are pleased to say that VIS for SharePoint (2010 RC), is fully operational and we are looking to support the final version when it is released to market (which we hope will be soon).

As such, Optimal IdM remains the true leader in SharePoint deployments across multiple back-end data stores including:

  • Multiple AD domains/forests (yes, with a single SharePoint deployment)
  • Multiple LDAP types (AD, AD-LDS/ADAM, Sun, etc.)
  • Multiple data sources (SQL, Oracle, etc.), which can be used to make SharePoint security decisions from

All of this in real time or near real time.  Virtual Identity Server (VIS) is still the only true Microsoft-centric and Microsoft-friendly virtual directory on the market.  To learn more about our VIS for SharePoint integration, click here, or to watch a video of its power in action, click here.

What you can’t do in under 5 minutes

September 21, 2009

Optimal IdM recently released a video showing just how easy it is to install and configure the Virtual Identity Server.  The video takes just 5 minutes, mainly because, well, that’s all the time you need.  So, I was beginning to think about things that you can’t do in 5 minutes.  Here’s just a snippet of my list:

  • Smoke a cigarette
  • Wash your car
  • Take a shower
  • Make Breakfast (toast doesn’t count)
  • Drink a cup of coffee
  • Commute to work (well, this one wouldn’t apply to telecommuters) – Heck, I’ve seen red-lights that last 5 minutes!!

My point here is that it’s incredible to think of how easy we made the installation and configuration of VIS.  This allows our clients to spend more time on planning and thinking of just how to benefit from this technology, and less time thinking/worrying about how to get the darn thing to work (out-of-the-box).  Be sure to check out some of the other videos in our growing collection.