Federated Directory Services




Federated Directory Services for the connected enterprise

Federated Directory Server helps overcome the challenge of distributed identity data, which is a significant hurdle to the deployment of new enterprise business solutions.

Table of Contents
Business challenges and solution scenarios
  Business scenarios
    Enterprise security
    Collaboration and social interaction
    Cloud access and provisioning
    Mobile access
Federated Directory Server
  Migrate or co-exist
  Join multiple directories
  Enrich with data from other sources
  Selective write-back of changes to the original source
  Federate authentication back to original source
Performance characteristics
Conclusion

Business challenges and solution scenarios

The requirements are clear: all users must be able to log in through one server and find information about everybody in one place. Rip and replace is not an option. On the other hand, any significant change to the existing infrastructure is not acceptable either. Something needs to give.

Identity data is a critical component of the connected enterprise. This is information about employees, customers, contractors, and business partners. It is essential for focus areas such as enterprise security, collaboration and social interaction, cloud based solutions, and business compliance. Each of these realms introduces challenges and requirements of its own, and they will be discussed further on in this paper.

Although not a surprise, it is still curious that this critical information is stored in several places, but not in the same format, and not even consistent in data content. Additionally, it is sometimes managed under different jurisdictions with unique processes and compliance requirements. Finally, the systems that store this information have varying degrees of technical availability, scalability, data reliability and security policy.

IBM Federated Directory Server bridges this set of challenges. It is built on a world leading, market proven, and massively scalable directory service. Yet it integrates right back into fragile environments that have important data, though they might not for various reasons be ready to directly support the new requirements of the planned enterprise solutions.

Business scenarios

The business areas shown below have high visibility in most enterprises. They provide the background for a discussion on how Federated Directory Server can rapidly help to deploy enterprise solutions in these contexts.

Enterprise security

Security is an ever more important component of the enterprise infrastructure. However, it is common that identity data is fragmented across multiple LDAP directories or other resources. This complicates deployment of services

such as single sign-on [1] that use authentication servers to verify that user names and passwords are valid. For example:

a. For compliance or counter-threat reasons, an organization could mandate that all users authenticate using their email address or employee number. This is difficult to implement if there is no standard for login names across the enterprise directories.

b. Employees need to interact with customers when logging into externally facing IT systems such as enterprise content systems or social software like IBM Connections [2]. For security reasons the existing enterprise directories cannot be used to authenticate users in this situation.

There are other common problems, such as enterprise applications only being able to connect to a single corporate LDAP directory for authentication purposes. However, people can exist in several directories, and the naming structure for authentication credentials can vary across the systems. Also, certain directories might contain people and groups that are not to be surfaced to the enterprise level.

Collaboration and social interaction

The first item on the agenda when planning social software in an enterprise is to address any authentication challenges as described in the previous section. However, once security has been addressed, the next stage is to design a rich environment for users. Social software is about content and context, which means that information about people needs to be available and visible. For example, phone numbers, organizational and geographical location, and similar content that may exist in other systems in the enterprise.

[1] IBM Security Access Management: ISAM: http://www.ibm.com/software/products/en/access-mgr-web ESSO: http://www.ibm.com/software/products/en/access-mgr-esso
[2] http://www-01.ibm.com/software/lotus/

Such information richness is usually not available in existing directories, so the data must be brought in, merged, correlated and cleaned before this added content can be made available to the social software. A final point is that this information needs to be available fast, and sometimes globally, which means that dependence on the systems where the data originated should be avoided because they might not be designed for the higher performance and availability requirements.

Cloud access and provisioning

Cloud is a broad topic. Therefore a few scenarios are used to illustrate where Federated Directory Server can simplify deployment and usage of new services. The core problem from an identity perspective is that the cloud-based systems do not have access to the existing authentication services. Depending on the situation, this can be addressed by

a. Synchronizing user information between the enterprise and the cloud environments. Federated Directory Server supports the SCIM protocol, which is a commonly supported protocol for user provisioning. For example, any changes in local Active Directories can be synchronized across to a cloud identity service.

b. Providing the cloud environment with access to the enterprise authentication services. This can work well in a private cloud scenario where the new cloud infrastructure is within existing enterprise infrastructure.

c. Using federation services like IBM Federated Identity Manager [3], which lets enterprise users access cloud services without synchronization.

Federated Directory Server is a solid foundation for private, hybrid, or public cloud projects when existing users need access to new services.

Mobile access

Access from mobile devices inside the enterprise is in many ways similar to that from workstations. However, once outside the enterprise perimeter, the mobile units must first access the infrastructure through a VPN service or other mobile access management service [4]. These services struggle with the same issues as described in the Enterprise security section above in that there might be multiple internal directories where users are managed. Furthermore, the actual structure of the user credentials is possibly different in the systems as well, making it challenging to consolidate for mobile access. For example, on one system logging in might require a user name such as anne_p@marketing, while on another server it might be AnneParks/Marketing. Federated Directory Server can provide a single name space to the mobile gateways so that all users may use the same type of login, such as email address or employee number, yet still be authenticated against their home directory in line with the way that authentication is currently configured.

[3] http://www-03.ibm.com/software/products/us/en/federated-identity-mgr/
[4] IBM Security Access Manager for Cloud and Mobile: http://www-03.ibm.com/software/products/us/en/samcm/

Federated Directory Server

Federated Directory Server delivers a number of capabilities that allow an organization to address the above business scenarios. It is a foundation for enterprise security and identity visibility that combines performance, global scalability, and government class security with deep integration to legacy directory services. In this way an organization can keep what is already in place, yet extend the use of the information to support new requirements.

The deployment scenarios illustrated below are examples that will be used to discuss the capabilities in the product. These scenarios do not exclude each other, and are described this way to simplify each use case rather than list all individual capabilities.

Migrate or co-exist

When transitioning from one directory to another it is usually not enough to just migrate the data since business will be ongoing until the move is complete. Sometimes both directories need to stay in place for some time, which introduces a number of technical considerations.

a. Must changes in the original directory immediately be propagated to the new directory?
b. Can original data be used as is, or must it be checked and possibly cleaned or otherwise modified to conform to enterprise standards?
c. Should users get new passwords, or should login to the new directory result in authentication back to the original directory?
d. If attributes are modified in the new directory, should these changes be written back to the original directory?
e. Should the directory hierarchy be mirrored in the new directory or should the data structure be simplified?

f. Should groups also be synchronized?

Federated Directory Server supports all of these scenarios, providing an organization with a significant amount of flexibility when planning a directory migration or co-existence project.

Join multiple directories

Dealing with multiple directories is not very different from the previous scenario. With Federated Directory Server, any number of directories can be integrated at the same time. All of the capabilities mentioned above work as expected with multiple directories.

Federated Directory Server additionally helps consolidate the user names that are used to log in. The existing directories possibly have different naming structures, which can lead to confusion in the organization. FDS allows you to choose a common attribute to identify users, transparently converting login credentials to the values expected by the existing directories. The next section will describe how data from other sources can be pulled into the user profiles and then be used to identify users when they log in.

Enrich with data from other sources

Not only does identity data that is stored in multiple directories need to appear as if it is coming from the same place, but this data might need to be combined with information from other types of systems and data stores as well. In FDS this is called joining data from multiple sources. For example, there might be additional organization data in a Human Resources (HR) system, or other attributes in a database that need to be available in the new directory. FDS can join in data from any number of sources because the underlying technology is based on Directory Integrator. This includes accessing web services, REST-based systems, SQL databases, and many other out-of-the-box sources, as well as entirely custom sources by exploiting the power of Directory Integrator.
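The two steps described in the Cloud access and provisioning and Enrich with data from other sources sections, joining a directory record with data from another system and then provisioning the result over SCIM, can be shown end to end in a small script. The following is an added example written for this page; it is not code from the paper, from Federated Directory Server or from Directory Integrator. The AD-style record, the HR table and its column names, and the correlation rule (match on employee number) are constructed assumptions; the schema URNs are the ones defined by RFC 7643 and RFC 7644, and the userAccountControl flag value is the Active Directory ACCOUNTDISABLE bit.

```python
"""Join an Active Directory style record with an HR database row into one
enriched profile, render it as a SCIM 2.0 User, and compute the SCIM PatchOp
needed to push a later change (the account being disabled) to a cloud
identity service.

Added illustration, not Federated Directory Server code. The sample records,
the HR column names and the correlation rule are constructed assumptions."""
import json

ACCOUNTDISABLE = 0x2        # userAccountControl flag bit in Active Directory
SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed sample: one entry as an AD export would present it.
AD_RECORD = {
    "sAMAccountName": "anne_p",
    "givenName": "Anne",
    "sn": "Parks",
    "mail": "Anne.Parks@Example.com",
    "employeeNumber": "100482",
    "userAccountControl": 512,   # NORMAL_ACCOUNT, enabled
    "distinguishedName": "CN=Anne Parks,OU=Marketing,DC=example,DC=com",
}

# Constructed sample: rows from a hypothetical HR database table.
HR_ROWS = [
    {"emp_no": "100482", "department": "Marketing", "cost_center": "CC-4411",
     "office_phone": "+1 555 0100"},
    {"emp_no": "100517", "department": "Sales", "cost_center": "CC-2200",
     "office_phone": "+1 555 0101"},
]


def join_profile(ad, hr_rows):
    """Correlate the AD entry with the HR row that shares its employee number.

    Email is normalised to lower case so it can serve as the common login
    attribute across sources. Returns None when no HR row matches, so the
    caller can flag a data-quality problem instead of provisioning a
    half-filled profile."""
    hr = next((r for r in hr_rows if r["emp_no"] == ad["employeeNumber"]), None)
    if hr is None:
        return None
    return {
        "uid": ad["employeeNumber"],
        "login": ad["mail"].strip().lower(),
        "given_name": ad["givenName"],
        "family_name": ad["sn"],
        "enabled": not (ad["userAccountControl"] & ACCOUNTDISABLE),
        "department": hr["department"],
        "cost_center": hr["cost_center"],
        "phone": hr["office_phone"],
        "source_dn": ad["distinguishedName"],
    }


def to_scim_user(profile):
    """Render the joined profile as a SCIM 2.0 User with the enterprise extension."""
    return {
        "schemas": [SCIM_USER, SCIM_ENTERPRISE],
        "externalId": profile["uid"],
        "userName": profile["login"],
        "name": {"givenName": profile["given_name"],
                 "familyName": profile["family_name"]},
        "emails": [{"value": profile["login"], "type": "work", "primary": True}],
        "phoneNumbers": [{"value": profile["phone"], "type": "work"}],
        "active": profile["enabled"],
        SCIM_ENTERPRISE: {
            "employeeNumber": profile["uid"],
            "department": profile["department"],
            "costCenter": profile["cost_center"],
        },
    }


def scim_patch(previous, current):
    """Build the PatchOp that brings the cloud copy from `previous` to `current`.

    Only top-level attributes are compared; each differing one becomes a single
    `replace` operation, which is what an incremental sync after an AD change
    needs. Returns None when nothing changed so no request is sent."""
    ops = [{"op": "replace", "path": key, "value": current[key]}
           for key in current
           if key != "schemas" and previous.get(key) != current[key]]
    if not ops:
        return None
    return {"schemas": [SCIM_PATCH], "Operations": ops}


if __name__ == "__main__":
    before = to_scim_user(join_profile(AD_RECORD, HR_ROWS))
    disabled = dict(AD_RECORD, userAccountControl=512 | ACCOUNTDISABLE)
    after = to_scim_user(join_profile(disabled, HR_ROWS))
    print(json.dumps(before, indent=2))
    print(json.dumps(scim_patch(before, after), indent=2))
```

Disabling the account in AD surfaces as a single `replace active=false` operation, which is the deprovisioning signal a cloud service needs to arrive quickly; the join returning None for an unmatched employee number is deliberate, because silently provisioning a record that the HR system does not know about is exactly the kind of inconsistency the paper describes.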
Selective write-back of changes to the original source

Changes in Security Directory Server (SDS) can be pushed back to the source systems. For example, users might be allowed to modify their home address and telephone number, which will be written back to Active Directory so that the Microsoft environment can benefit from changes created by the new systems. This provides an additional layer of security, mitigating the need for setting up advanced security models to restrict direct access to the existing directories. Part of the vision for FDS has been to insulate and extend the existing data environments, to reduce the risk of exposing them directly to new enterprise services that they were not designed to handle.
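The security value of selective write-back lies in the word "selective": only an allow-listed set of attributes ever flows back to the source, so the existing directory does not need its own fine-grained access model for the new services. The following added example (not product code) shows that policy as a diff-and-filter step. The allow-list, the two entries and their attribute names are constructed assumptions; userAccountControl and memberOf are real Active Directory attributes used here only to show what the policy refuses to propagate.

```python
"""Selective write-back: decide which changes made in the new directory may be
pushed back to the source directory and which must be rejected by policy.

Added illustration, not Federated Directory Server code. The allow-list, the
entries and the attribute values are constructed assumptions."""

# Per-source allow-list of attributes that may flow back. Everything else
# (group membership, account control flags, the login name, ...) is treated
# as read-only at the source, so a buggy or compromised new service cannot use
# the write-back channel to alter security-relevant data.
WRITEBACK_ALLOW = {
    "AD": {"telephoneNumber", "homePostalAddress", "mobile"},
}

# Constructed sample: the entry as it currently exists in the source directory.
SOURCE_ENTRY = {
    "sAMAccountName": "anne_p",
    "telephoneNumber": "+1 555 0100",
    "homePostalAddress": "1 Old Street, Springfield",
    "memberOf": ["CN=Marketing,OU=Groups,DC=example,DC=com"],
    "userAccountControl": 512,
}

# Constructed sample: the same entry after a user self-service update in the
# new directory, plus two changes that must not be propagated back.
NEW_ENTRY = {
    "sAMAccountName": "anne_p",
    "telephoneNumber": "+1 555 0199",               # user changed phone
    "homePostalAddress": "1 Old Street, Springfield",
    "mobile": "+1 555 0150",                        # user added mobile
    "memberOf": ["CN=Marketing,OU=Groups,DC=example,DC=com",
                 "CN=Finance-Approvers,OU=Groups,DC=example,DC=com"],
    "userAccountControl": 512 | 0x10000,            # extra flag bit set
}


def compute_modifications(source_entry, new_entry):
    """Return LDAP-style (op, attribute, value) triples for every attribute
    whose value differs between the source copy and the new directory."""
    mods = []
    for attr in sorted(set(source_entry) | set(new_entry)):
        old, new = source_entry.get(attr), new_entry.get(attr)
        if old == new:
            continue
        if new is None:
            mods.append(("delete", attr, None))
        elif old is None:
            mods.append(("add", attr, new))
        else:
            mods.append(("replace", attr, new))
    return mods


def filter_writeback(source, source_entry, new_entry):
    """Split the change set into modifications accepted for write-back to
    `source` and modifications rejected by policy. Rejected entries are
    returned rather than dropped so the caller can write them to an audit
    log; a rejected change to memberOf or userAccountControl is worth an alert."""
    allowed = WRITEBACK_ALLOW.get(source, set())
    mods = compute_modifications(source_entry, new_entry)
    accepted = [m for m in mods if m[1] in allowed]
    rejected = [m for m in mods if m[1] not in allowed]
    return accepted, rejected


if __name__ == "__main__":
    ok, denied = filter_writeback("AD", SOURCE_ENTRY, NEW_ENTRY)
    for op, attr, value in ok:
        print(f"write back: {op} {attr} -> {value}")
    for op, attr, value in denied:
        print(f"rejected by policy: {op} {attr}")
```

With these inputs the phone change and the new mobile number are accepted, while the group membership and account flag changes are rejected; a source with no allow-list entry gets nothing written back at all, which is the safe default for a directory that was never designed to take writes from new services.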

Federate authentication back to original source

Password synchronization is a thing of the past [5]. Users and passwords can continue to be managed the way they currently are, even in multiple systems. If desired, they can automatically be transferred to Security Directory Server (SDS) at the appropriate time if the existing directory server needs to be sunset for authentication purposes. It is even possible to let users log into SDS using a different login credential (such as their email address or employee number), and have SDS automatically translate that to the correct user name when checking the password in the existing directories.

Performance characteristics

The hybrid integration architecture of FDS results in significant performance characteristics.

First of all, IBM Security Directory Server (SDS) is the LDAP engine in FDS. SDS is a highly scalable, very reliable and high performance LDAP directory server. For large environments, SDS can replicate data to provide maximum speed in local infrastructures across the world. Therefore, existing data located in an identity silo can be integrated with richer data from other systems, and then propagated through SDS to make information available at high speed.

Although part of the same argument as above, it's worth pointing out that existing identity sources might not be designed or managed in a way that is suitable for real-time integration with new enterprise services. FDS represents an "insulate and extend" approach where changes are pulled only once from existing systems and after that are accessed only from SDS. It is therefore possible to deliver world-class performance independent of the speed and availability of existing systems.

[5] Passwords are usually one-way encrypted. This means that you can ask a server "is this the correct password for this user", but cannot ask "what is the password for this user". As a result passwords generally cannot be copied between systems unless they share the exact same encryption algorithm.
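The mechanism described in the Enterprise security, Mobile access and Federate authentication sections is the same in each case: accept one common login form (email address or employee number), look up the user's home directory and the native user name it expects (anne_p@marketing on one system, a Name/Org style on another), and let that directory answer the password question. Footnote 5 explains why the password itself is never copied: the home directory holds only a one-way hash, which can verify a candidate but cannot be exported. The following added example (not code from the paper, SDS or FDS) models this with two in-memory stand-in directories; the user table, the second user, the salted PBKDF2 storage scheme and the result codes are constructed assumptions, and a real deployment would perform an LDAP bind against each source instead of calling verify().

```python
"""Federated authentication: accept one login form (email or employee number),
translate it to the native user name of the user's home directory, and let
that directory verify the password.

Added illustration, not Federated Directory Server code. The directories,
their naming conventions and the hashing scheme are constructed assumptions."""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000


class SimulatedDirectory:
    """Stands in for an existing directory. It stores only a salted one-way
    hash per native user name, so it can answer "is this the right password?"
    but never reveals a password that could be copied elsewhere."""

    def __init__(self, name):
        self.name = name
        self._creds = {}

    def set_password(self, native_user, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._creds[native_user] = (salt, digest)

    def verify(self, native_user, password):
        rec = self._creds.get(native_user)
        if rec is None:
            return False
        salt, digest = rec
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(digest, candidate)


# Constructed federated profiles: common identifiers mapped to the home
# directory and the native login name used there (the two naming styles
# mentioned in the Mobile access section).
FEDERATED = [
    {"mail": "anne.parks@example.com", "employeeNumber": "100482",
     "home": "AD-Marketing", "native_user": "anne_p@marketing"},
    {"mail": "bo.lund@example.com", "employeeNumber": "100517",
     "home": "Domino", "native_user": "BoLund/Sales"},
]


def resolve(login):
    """Map a common-form login (email or employee number) to its profile."""
    login = login.strip()
    if login.isdigit():
        key, value = "employeeNumber", login
    else:
        key, value = "mail", login.lower()
    return next((p for p in FEDERATED if p[key] == value), None)


def authenticate(login, password, directories):
    """Return (success, detail). On success `detail` names the home directory
    that verified the password; on failure it is a reason for the audit log.
    Callers should show the user one uniform failure message regardless."""
    profile = resolve(login)
    if profile is None:
        return False, "unknown-user"
    home = directories.get(profile["home"])
    if home is None:
        return False, "home-directory-unavailable"
    if home.verify(profile["native_user"], password):
        return True, profile["home"]
    return False, "bad-password"


def build_demo_directories():
    """Two constructed home directories with their own native user names."""
    ad = SimulatedDirectory("AD-Marketing")
    ad.set_password("anne_p@marketing", "correct horse")
    domino = SimulatedDirectory("Domino")
    domino.set_password("BoLund/Sales", "battery staple")
    return {d.name: d for d in (ad, domino)}


if __name__ == "__main__":
    dirs = build_demo_directories()
    print(authenticate("Anne.Parks@example.com", "correct horse", dirs))
    print(authenticate("100517", "battery staple", dirs))
    print(authenticate("100482", "not the password", dirs))
```

The federation layer never sees a stored hash and never needs one: it resolves the name, forwards the check, and records which directory answered. Keeping the failure reason separate from the message shown to the user lets the audit trail distinguish an unknown login from an unavailable home directory without leaking that distinction to whoever typed the login.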

Compared to a traditional virtual directory approach, the FDS approach ensures that data is available for high speed access before it is requested by a user. And finally, all data can be aggregated, cleaned and harmonized to a common format before it is accessed. The more complex the data harmonization, the more costly it is to perform this in real-time and still maintain an acceptable level of performance.

Conclusion

Federated Directory Server provides a new range of options for identity infrastructures. Existing directories can be seamlessly integrated into new directory services that scale in a manner that previously was not possible. Existing user management processes can stay in place, and can even be applied to new directories when desired.

As FDS is based on the Directory Integrator technology, it can be customized to practically any scenario to handle the specific requirements of organizations that have unique technical challenges.

With FDS, distributed identity silos can be brought together so that the enterprise can expose a single, logical, rich, and structured interface to new and existing enterprise applications.