SharePoint People Picker

July 12, 2010

Have you ever used SharePoint and wished for a more flexible and powerful “People Picker”?  Well, Optimal IdM has just released a fully customizable People Picker (the Optimal People Picker) for SharePoint that works in conjunction with its Virtual Identity Server for SharePoint product.  This release will be included for free along with VIS for SharePoint; however, a stand-alone version of the Optimal People Picker will be released soon that works with SharePoint 2010 when using Claims Authentication and does not require VIS for SharePoint.  Some of the powerful benefits and features include:

  • Ability to search on multiple different attributes (not just the user id), at the same time
  • Configurable list of attributes to return to user
  • Ability to sort results
  • Easy to use interface that includes a paged grid view
  • Ability for administrators to apply various filters on the results based on group memberships (filtering based on RBAC)
  • Ability for administrators to create search templates (for commonly used searches)
  • Ability for administrators to apply different filters for permission searches
Optimal People Picker
“The Experts Conference 2010 – Los Angeles”

April 20, 2010

Please stop by the Optimal IdM booth at this year’s The Experts Conference in Los Angeles.  We will be showing our new Virtual Identity Server integration with SharePoint 2010 and, as always, will be happy to answer your questions on virtual directory technology or any other identity management topic.  In addition, don’t miss Monday’s lunch session “Virtual Directory Q&A Session – Best Business Use Cases for a Virtual Directory”, and Mike Brengs’ session “Rapidly Deploying SharePoint Case Study”, which is slotted for 1:30 PM on Tuesday.

See you at the show and hope you don’t get delayed by the Volcano in Iceland!

When to Synchronize, Virtualize and Federate data in the Enterprise

April 14, 2010

Another Managing Partner at Optimal IdM, Mike Brengs, posted a new blog today on what has truly been a sore topic for some folks.  The topic is centered on when companies should consider using one technology over another; in this case, when to synchronize, when to virtualize and when to federate data within an enterprise.

These technologies have some level of overlap, but it is critical to know when to use each one and, more importantly, when not to use one.  I’ve known Mike a long time and he loves to use the analogy that you can drive a car from one end of the country to the other (say New York to Los Angeles), but the better choice these days is certainly not driving, but rather flying.  The same logic should be applied to these technologies.  For example, you may choose to duplicate/sync your users from two different AD forests into a consolidated ‘enterprise’ directory, but you must consider the new problems you just created in order to solve the old ones, and perhaps choose an alternative solution.

The bottom line on this topic is that for each problem you are attempting to solve, you should consider how many new problems you are creating.  In the above example, you have now created a password synchronization problem with your solution (not to mention data latency), so be careful with your choices.

The white paper Mike is referring to also includes detailed use cases on this topic combined with the Virtual Identity Server.  Click the link to download the new white paper ‘When to Synchronize, Virtualize and Federate data in the Enterprise’.

Reducing SharePoint complexity and cost

March 13, 2010

A year ago, Optimal IdM released a special version of its virtual directory just for SharePoint (VIS for SharePoint).  At that time it was specifically for SharePoint 2007, and to date it has been an overwhelming success.  Our customers that are using the product have been raving about the simplicity of the product and the cost savings that have been realized.

Now with the upcoming release of SharePoint 2010, we have stayed on top of each release from Microsoft, including the most recent release candidate (SharePoint 2010 RC).  We are pleased to say that VIS for SharePoint (2010 RC) is fully operational, and we are looking to support the final version when it is released to market (which we hope will be soon).

As such, Optimal IdM remains the true leader in SharePoint deployments across multiple back-end data stores including:

  • Multiple AD domains/forests (yes, with a single SharePoint deployment)
  • Multiple LDAP types (AD, AD-LDS/ADAM, Sun, etc.)
  • Multiple data sources (SQL, Oracle, etc.), which can be used to drive SharePoint security decisions

All of this in real-time or near real-time.  Virtual Identity Server (VIS) is still the only truly Microsoft-centric and Microsoft-friendly virtual directory on the market.  To learn more about our VIS for SharePoint integration, click here, or to watch a video of it in action, click here.

What you can’t do in under 5 minutes

September 21, 2009

Optimal IdM recently released a video showing just how easy it is to install and configure the Virtual Identity Server.  The video takes just 5 minutes, mainly because, well, that’s all the time you need.  So, I was beginning to think about things that you can’t do in 5 minutes.  Here’s just a snippet of my list:

  • Smoke a cigarette
  • Wash your car
  • Take a shower
  • Make Breakfast (toast doesn’t count)
  • Drink a cup of coffee
  • Commute to work (well, this one wouldn’t apply to telecommuters) – Heck, I’ve seen red-lights that last 5 minutes!!

My point here is that it’s incredible to think of how easy we made the installation and configuration of VIS.  This allows our clients to spend more time on planning and thinking of just how to benefit from this technology, and less time thinking/worrying about how to get the darn thing to work (out-of-the-box).  Be sure to check out some of the other videos in our growing collection.

Top 10 Laws of a Virtual Directory (Part II)

September 14, 2009

This blog is Part II of my previous blog “Top 10 Laws of a Virtual Directory (Part I)”.  I will now cover Laws 6-10:

Law VI:  A Virtual Directory MUST NOT have a large footprint:  Optimal IdM’s Virtual Identity Server, for example, takes up less than 5 MB of disk space.  If you add in the Compliance Management system and the SharePoint integration, it climbs to only 25 MB.  The bottom line here is that VIS uses a single XML file for its configuration information, and relies on NO registry information to function (it is just a simple Windows service).  For requirements, the .NET Framework 2.0 (or higher) is all you need.  Be careful of other solutions that require ugly JVMs and/or complicated configuration elements.

Law VII:  A Virtual Directory MUST NOT be difficult to support:  Optimal IdM’s Virtual Identity Server runs on both Windows Server 2003 and Server 2008 from a single code-base.  For this reason, VIS is easy to support.  No worries of platform supportability here; in fact, VIS is officially certified on both Server 2003 and 2008 (including 64-bit).

Law VIII:  A Virtual Directory MUST be a VALUE ADD:  Since Virtual Directories are in essence LDAP Servers, there is an opportunity to make your LDAP experience “better”.  LDAP v3 has been around since 1997 (that’s a lifetime in technology years).  A Virtual Directory can provide features that should be built into LDAP (perhaps standard one day in v4).  We like to refer to VIS as “LDAP++”, because it improves the user’s experience around LDAP.  (Watch for a future blog on LDAP++, or “LDAP on steroids”.)

Law IX:  A Virtual Directory MUST NOT introduce too many proprietary elements:  A Virtual Directory should not introduce ANYTHING proprietary to your environment.  That includes proprietary data stores, caching, ports, etc.  Optimal IdM’s Virtual Identity Server is complete WITHOUT any proprietary elements.  Be careful of systems that include complex proprietary elements.  (Complex & Proprietary = additional administration costs.)

Law X:  A Virtual Directory MUST NOT require custom coding:  One of the most common features of a Virtual Directory is handling joins and merges of data.  If it’s so common, why do vendors require you to write custom code to handle it?  How about caching?  Same problem: some vendors require custom development just to handle basic elements of virtualization.  Optimal IdM’s Virtual Identity Server is point-n-click for 99% of all features (with NO coding).  However, extensibility is available in a common, inexpensive language (.NET).  Be careful of the customization costs/efforts of other vendors and the language they require development in.  All this time, I thought Python was a snake….  How many people actually know what “Python” is anyway?

Top 10 Laws of a Virtual Directory (Part I)

September 10, 2009

As more and more people are learning about Virtual Directories, they are asking better questions, so I decided to address them in my “Top 10 Laws of a Virtual Directory”.  This blog is Part I (Laws 1-5).  Stay tuned for Part II (Laws 6-10).

Law I:  A Virtual Directory MUST REDUCE complexity:  If you find your Virtual Directory deployment seeming to be somewhat complicated, then you either:

  • Selected the Wrong Virtual Directory vendor
  • Did not implement the solution correctly
  • Both of the above

Law II:  A Virtual Directory MUST NOT create more issues than it solves:  Yes, there are Virtual Directories on the market that set out to solve problem “x”, but while doing so create problem “y” (and sometimes “z”).

Law III:  A Virtual Directory SHOULD NOT be asked to solve ALL identity related issues:  For some odd reason, people feel the need to “compare” Virtual Directories with synchronization or federation, and then say which is better.  Each has its own pros and cons and should be used in the right situation.  There is no “silver bullet”, especially in the Identity Management space.

Law IV:  A Virtual Directory SHOULD NOT take long to deploy:  When selecting the right Virtual Directory for you, be careful if you are using a System Integrator (SI).  VIS can be deployed in as little as a few hours and normally no more than a few days (depending on the span of the project).  SIs are only after deploying (and therefore recommending) products that increase their billable time.  They often have no incentive to recommend the “best” solution for a given client.  Sad, but true.

Law V:  A Virtual Directory SHOULD NOT increase administration costs:  A Virtual Directory that requires you to hire more people just to manage/maintain it is a bad choice.  In actuality, a “good” Virtual Directory (like VIS, of course) should effectively “decrease” administration costs.  VIS does this through compliance and automation elements that are built into the product.  Another example is the tight integration that VIS has with SharePoint.  Don’t be afraid to ask your vendor (and their references) how much administration is needed.

Please watch for Part II in this series for Laws 6-10…

You don’t have to have multiple LDAPs to benefit from a Virtual Directory

September 4, 2009

I can’t wait for part III of Bob’s blog series on “Why are Multiple Directories Deployed and Virtual Directories Ignored?”.  I’m afraid that people will associate Virtual Directories only with solving the multiple-directory problem, when in fact the uses go on and on.

A Virtual Directory can provide significant value to clients whether they have a single LDAP or hundreds of them. As I mentioned before, the perception is that “…if I only have one LDAP, then why would I bother with a Virtual Directory?” Well, I could ask the question “…is there any value in using a database view if I only have a single table?”, or, if I have a single web server, is there any value in using a reverse proxy? The answer to both of those questions is obviously YES, and likewise for a Virtual Directory in a similar scenario.

Oddly enough, the benefits in using a database view and the benefits in using a reverse proxy are the EXACT same benefits in using a Virtual Directory. Think about this:

Database View:

  • Provides the ability to filter out data that you don’t want to publish to the consumer of the data (Data loss/leakage Prevention).
  • Provides the ability to perform data translations to the data in real-time. This includes changing the names of fields to either obfuscate them or simply make them easier for consumption.
  • Provides the ability of an added layer of security to the back-end tables. They can be read-only or updatable.
  • Provides the ability to join like data from other tables in a merged view.

Reverse Proxy Server:

  • Provides the ability to mask the server names (obfuscation).
  • Provides the ability to join multiple back-end web servers and host them under a consolidated namespace.
  • Provides the ability of an added layer of security to the back-end web servers
  • Provides the ability of additional caching of information for performance gains of high-traffic websites.

So, I listed 4 common benefits of using a database view and 4 common benefits of using a reverse proxy. My list is obviously not comprehensive, but rather just a small sampling of the benefits. Ironically, ALL 8 benefits (there is some overlap) are the same EXACT benefits of using a Virtual Directory! Here is an updated list for Virtual Directories (again, most of these benefits have nothing to do with the number of LDAPs you have either):

  • Provides the ability to filter out data that you don’t want to publish in LDAP searches (Data loss/leakage Prevention).
  • Provides the ability to perform data translations in real-time. A great example of this is virtually changing the OU structure of your data. Here you can flatten hierarchical data and conversely convert flat data to a hierarchical structure.
  • Provides the ability of an added layer of security to your back-end LDAP data. In addition, VIS provides auditing and reporting as well.
  • Provides the ability to join data from back-end LDAP’s (as well as other types of data stores such as databases, etc.).
  • Provides the ability to mask backend LDAP’s (and provides automated failover/redundancy as well).
  • Provides the ability to merge back-end data into a consolidated namespace.
  • Provides the ability to cache certain data to increase overall performance. (This topic is a blog or two on its own.) A good example of this is an application (such as SharePoint) that continually pulls data from AD on the user that is currently logged in. Enabling caching (say, for just 5 minutes) could save hundreds of back-end searches to AD!
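To make the four mechanics in the list above concrete (attribute filtering as DLP, real-time DN translation that flattens the OU tree, joining a second data store, and a short-lived cache that spares the back-end), here is an added illustration written for this post. It is not VIS code or any vendor's API: the `VirtualDirectory` class, the two constructed stores and the attribute allow-list are all hypothetical, and `now` is passed in so the cache expiry is deterministic.

```python
import time

# Constructed sample data (not real accounts): an AD-style store and an HR table to join.
AD_STORE = {
    "CN=Alice,OU=Sales,OU=US,DC=corp,DC=example": {
        "sAMAccountName": "alice", "mail": "alice@example.com",
        "employeeID": "1001", "unicodePwd": "<secret-hash>"},
    "CN=Bob,OU=Eng,OU=EU,DC=corp,DC=example": {
        "sAMAccountName": "bob", "mail": "bob@example.com",
        "employeeID": "1002", "unicodePwd": "<secret-hash>"},
}
HR_DB = {"1001": {"department": "Sales"}, "1002": {"department": "Engineering"}}

PUBLISHED_ATTRS = {"sAMAccountName", "mail", "department"}   # allow-list = DLP filter
VIRTUAL_BASE = "OU=People,DC=virtual,DC=example"            # flattened view of the OU tree


class VirtualDirectory:
    """Hypothetical view layer: join, translate DN, filter attributes, cache."""

    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self.cache = {}          # account -> (expiry, published entry)
        self.backend_hits = 0    # how many times we really touched AD_STORE

    def _backend_search(self, account):
        self.backend_hits += 1
        for dn, attrs in AD_STORE.items():
            if attrs["sAMAccountName"] == account:
                return dn, dict(attrs)
        return None, None

    def search(self, account, now=None):
        now = time.time() if now is None else now
        hit = self.cache.get(account)
        if hit and hit[0] > now:          # fresh cache entry: no back-end search
            return hit[1]
        dn, attrs = self._backend_search(account)
        if dn is None:
            return None
        # Join: enrich the AD entry with HR data keyed on employeeID.
        attrs.update(HR_DB.get(attrs.get("employeeID"), {}))
        # Translate: keep the RDN, re-parent it under the flat virtual base.
        virtual_dn = f"{dn.split(',', 1)[0]},{VIRTUAL_BASE}"
        # Filter: only allow-listed attributes leave the view (password, join key dropped).
        entry = {"dn": virtual_dn, **{k: v for k, v in attrs.items() if k in PUBLISHED_ATTRS}}
        self.cache[account] = (now + self.ttl, entry)
        return entry
```

Repeated lookups of the same user within the TTL are served from the view's cache, which is the "hundreds of back-end searches" saving the list describes; the back-end hit counter makes that visible.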

The bottom line here is that as scary as Virtual Directories sound, the benefits they provide are already in wide use today. It’s all about applying the technology in the proper way.

Why not use a Virtual Directory?

September 2, 2009

Bob Bobel from Quest posted an interesting blog today, posing the question “Why are Multiple Directories Deployed and Virtual Directories Ignored?”.  He basically states that, given what a Virtual Directory provides, everyone should have one (or want one).  In his quest to find out why clients don’t have or don’t use a Virtual Directory, the general feedback he got was that “it just doesn’t fit our needs”.

Hmmm, that’s interesting that this would be the highlighted response.  In our experience, when talking with organizations (with multiple LDAPs), most people really don’t know what a Virtual Directory is and exactly what one can do for them (although they don’t want to seem behind on new technology, so they say things like “it just doesn’t fit our needs”).

It really all boils down to the lack of education on this emerging technology and the fact that there really isn’t much information on how they work or where to truly discover the benefits.  When Microsoft comes in to help a client solve technical challenges around LDAP (AD, AD-LDS, multiple domains/forests, etc.), they mostly won’t recommend technology that they don’t have to sell.  So clients miss out on opportunities to get educated on newer technologies that can help in certain situations.  For example, Microsoft will almost always recommend synchronizing instead of virtualizing, because that’s all they know and sell.  Makes sense to me, but the client loses here by not always using the right tool for the job.  Take a look at this for a quick guide to using a Virtual Directory.

Anyway, I look forward to part II of Bob’s blog on this topic.