
White Pages Managed Service Solution Rapid Global Directory Implementation. White Paper


White Paper


Disclaimer ProofID Limited makes no representations or warranties with respect to the contents or use of this document and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose.

Copyright Copyright 2014 ProofID Limited. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of ProofID Limited.

Contact Questions related to the information contained in this document should be directed to Tom Eggleston at [email protected].

Tel: +44 (0) 161 906 1002

ProofID Limited
Lancastrian Office Centre
Talbot Road
Manchester M32 0FP

© ProofID Limited 2014 III 25/06/2015

TABLE OF CONTENTS

1 EXECUTIVE SUMMARY
1.1 ProofID White Pages Managed Service
1.2 White Pages Managed Service Highlights
1.3 About ProofID
2 THE CHALLENGE – RAPIDLY DELIVERING A GLOBAL DIRECTORY
2.1 Disparate Directory Services
2.2 Problems caused by lack of a central directory
2.3 Why is a Central Active Directory Not Easily Achievable?
3 THE SOLUTION – PROOFID WHITE PAGES MANAGED SERVICE
3.1 White Pages Application
3.2 White Pages API
3.3 Directory Synchronisation
3.4 Launchpad for Federated Single Sign On
3.5 Architecture
4 CASE STUDY – MAZARS LLP
5 CONCLUSION

TABLE OF FIGURES

Figure 1: White Pages Landing Page
Figure 2: Initial Search Results
Figure 3: Detailed Search Result
Figure 4: Edit profile details

1 EXECUTIVE SUMMARY

1.1 ProofID White Pages Managed Service

A common challenge faced by many corporations that operate across multiple territories, and have often grown through merger and acquisition, is the lack of a central directory of all user identities. In many cases, such organisations operate multiple directories, for example one in each territory, and therefore there is no holistic directory.

There are many consequences of this challenge, ranging from simple process issues, such as the difficulty of finding contact details for colleagues, to strategic ones, such as the inability to offer a centralised strategy for delivery of shared or cloud services.

A common solution to this challenge is to attempt to create a centralised Active Directory containing all user records. However, this tends to be a very difficult and time-consuming process, and in many organisations remains an aspiration that is never achieved. Ironically, whilst effort is diverted to creating a central Active Directory, the organisation is often unable to offer the centralised services which are driving that effort.

ProofID’s White Pages Managed Service is designed to address these challenges. Making use of a directory aggregation technology based upon LDAP and delivered as a fully managed service, the solution can be deployed rapidly, allowing organisations to reap the benefits of an aggregated central directory by offering enhanced and holistic services to their end users and customers.

1.2 White Pages Managed Service Highlights

The White Pages Managed Service delivers the following:

- White Pages application providing single point for looking up colleagues’ contact details, featuring an attractive and intuitive UI.

- Self-service functionality, enabling end users to maintain their own directory entries.

- Central repository of user identities, which serves as an Identity Provider (IDP) for federation with cloud services or other web applications.

- Integration with federation and Single Sign On services.

- Aggregation of unlimited existing directory services via LDAP or text file update.

- Daily synchronisation of directory information.

- Rapid deployment via standard directory connectors making use of standard interfaces e.g. LDAP.

- Fully managed service, covering deployment, monitoring, maintenance and support.

- Proven scalability, with current deployments including the aggregation of over 70

1.3 About ProofID

ProofID is a specialist provider of fully managed identity management (IDM) solutions, based in Manchester, United Kingdom. Trading since 2008, ProofID has unrivalled depth of experience of delivering identity management solutions across multiple industries and sectors, with major clients across the UK, Ireland and Asia.

ProofID's philosophy is to provide fully managed solutions of the highest quality, enabling our customers to focus on what they do best, while we get on with providing the identity management services they need to run their business in a flexible, secure and resilient manner. We believe that because of its inherent complexity, regardless of vendor, the best way to maximise return on investment in identity management technology is to ensure that it is managed and maintained by experts. Identity management can offer so much to the modern organisation in the digital age, as identity management moves out of the enterprise and onto the internet, yet at ProofID we have seen too many instances of incomplete or poorly configured identity management systems which do not deliver the benefits that were expected. Our raison d'etre is to help our customers get the most out of their investment in identity management, allowing them to offer a better service to employees and customers and ultimately to ensure their investment has a positive impact on the bottom line.

2 THE CHALLENGE – RAPIDLY DELIVERING A GLOBAL DIRECTORY

2.1 Disparate Directory Services

Many organisations, particularly large, global corporations, are highly disparate in terms of directory services. It is very common for such organisations to maintain separate directory services for each subsidiary, or geographical territory, or even for discrete business units within a territory.

The main reasons this situation arises include:

- Growth through acquisition and merger – In many cases, the complexities involved in merging directory services during a merger or acquisition are such that the path of least resistance is followed and directory services for both organisations are maintained. Over time, the complexities involved in unpicking such a situation become more embedded.

- Autonomy of territories/subsidiaries – Often, subsidiaries in overseas territories require a great deal of autonomy as to how IT services are delivered locally. In some cases this is for political reasons, but there are also many valid reasons, such as differences in local regulations, preferences of users or availability of IT services and support. In such circumstances, it can be very difficult, or even impossible, to impose a central directory service on a subsidiary and the differences in directory structure and processes can make it hard to integrate at a later date.

- Directory Design – Best practice for design of directory services has changed over time, based upon the capabilities of directory services technology, as well as supporting technology such as networking equipment. In some cases, decisions to implement separate directory services for different business functions may have been (and may still be) appropriate for the purposes of the applications leveraging the directory service.

2.2 Problems caused by lack of a central directory

Some of the challenges caused by the lack of a central directory service include:

- Locating colleagues – Without a central repository of all users, there is frequently no

- Delivering central services – Large corporations often offer central, or group IT services, such as VPN or Portal facilities. Ultimately the success of these services depends on the ability of users to authenticate to the service, which can become extremely complicated in the absence of a central directory. For example, if offering access to a central Portal, it could become highly complex to authenticate users against their home directory service – the portal application would need to have some way of knowing which directory to authenticate against and would also need network access to the relevant ports and servers in order to perform the authentication. This may be manageable for a small number of directories, but as the number of directories to integrate increases, this can become a significant and costly management overhead.

- Coherent cloud strategy and control of ‘Shadow IT’ – As cloud adoption gains pace, all organisations make use of cloud services to a greater or lesser extent, whether IaaS, PaaS or SaaS. Whilst this offers significant benefits to the organisation, the very availability and flexibility of cloud services can cause a significant problem if the organisation is not able to control and regulate its use. For example, a subsidiary may decide that it wishes to adopt a SaaS service, such as Salesforce, without consulting the wider organisation – indeed it is not uncommon for individual business units to unilaterally decide to adopt a cloud service, which can be paid for using a credit card. This ‘Shadow IT’ leads to significant issues ranging from licensing, compliance and cost to data protection and Intellectual Property protection concerns. It is essential for organisations to have a coherent, central strategy for cloud adoption, both to control these issues and to remove the barriers to cloud service adoption which can drive the growth of ‘shadow IT’. However, a pre-requisite to such a cloud strategy is a central repository of all users, so that services can easily be offered, and access controlled, across the organisation.

EFFICIENCY THROUGH CENTRALISATION

“Before we implemented White Pages, on one occasion I spent two full days tracking down contact details for the IT Managers in each territory to invite them to a conference – each territory had a local white pages facility, but they were not joined up or easily accessible from other countries. Now we have a fully aggregated directory of users from across the globe, and a very flexible search facility, I can complete the same process in less than an hour. Taken across the whole of our business, this represents a significant improvement in efficiency, and at the end of the day more time spent on fee earning work.”

Jayson Dudley, Group

2.3 Why is a Central Active Directory Not Easily Achievable?

Many large organisations attempt to resolve the directory aggregation problem by attempting to create a central Active Directory to contain all user records. Whilst this might seem to be the utopian solution it is extremely hard to achieve in practice. The main reasons for this are:

- Tightly integrated applications – Many business applications are designed to be tightly integrated with Active Directory, often for role based access control purposes or authentication. This significantly complicates migration to a new Active Directory, as not only the directory, but also the application, must be moved. For critical applications, this can prevent migration occurring at all, as the business risk involved with the move is deemed to outweigh the benefits.

- Desktop integration – Most organisations have a large estate of desktop PCs running Microsoft Windows. Typically, these workstations are domain-joined to the local Active Directory. While it is possible to move these workstations to a new Active Directory, this will require intervention at each workstation to leave the currently joined domain and join the new domain. There can be further complications involved in recreating the group policies which applied to the workstation in the old domain.

- Local politics – Local administrators can become heavily invested in their own directory service, which may not even be Active Directory. They may be resistant to change or fail to realise the benefits of centralisation and lack of local control. Lack of local involvement in the centralisation project has repeatedly proven to be one of the most significant barriers to timely completion.

These challenges taken together can mean that a central consolidated Active Directory remains no more than a distant aspiration for many large organisations, meaning that they cannot benefit from the opportunities offered by a central directory.

CONSOLIDATING ACTIVE DIRECTORY IS COMPLICATED

“We have a plan to provide a consolidated Active Directory, but given the complexities involved with this, it will take us a number of years to get there. ProofID were able to deploy White Pages and aggregate our directories in a matter of weeks, and we now have new countries coming on board every week.”

3 THE SOLUTION – PROOFID WHITE PAGES MANAGED SERVICE

ProofID’s White Pages Managed Service addresses all of the issues outlined above and presents a rapidly deployable, central managed directory solution.

White Pages Managed Service is unique in that it offers both the White Pages application, which provides an interface to enable users to search the central directory, and directory aggregation technology, which allows organisations to benefit from directory aggregation without needing to embark on a highly complex identity management project. This is offered as a fully managed service.

The core elements of the service are outlined below.

3.1 White Pages Application

White Pages is a web based application providing end users with a user friendly directory of contact details for colleagues from across the organisation.

The application presents an extensible selection of user attributes required for collaboration, such as telephone numbers, email addresses, social media accounts and physical location. White Pages allows for advanced and flexible search capabilities so that users can find colleagues quickly and easily, including searching across departments, territories and subsidiaries.

White Pages includes ‘Self-Service’ functionality that can allow users to update their own details (for example, telephone number) directly in the White Pages application.

The White Pages user interface is designed to be intuitive, enabling users to perform advanced searches easily with minimal training, and can be branded to align with corporate guidelines. The following screenshots show the user interface during various end user operations.

Figure 3: Detailed Search Result

Figure 4: Edit profile details

3.2 White Pages API

The API will be made available to organisations that wish to integrate the White Pages search capability with IT systems; for example, a local telephone system may query the White Pages application to retrieve up to date telephone numbers for local users.

3.3 Directory Synchronisation

The service includes directory synchronisation technology, which can be rapidly deployed in order to create an aggregated, LDAP compliant directory service.

The directory synchronisation service connects to the various directory services within the organisation securely via LDAP and performs daily synchronisation of user records and the required attributes to a central directory. The connectors are standardised, obviating the need for a consultancy-led identity management project. All that is required is for the necessary network ports to be opened to allow the service to communicate with each directory (typically port 636 for LDAPS) and for the required attributes to be available in the source directory. Any data that is subsequently modified in the source directory will be synchronised to the central directory and the changes accordingly reflected in the White Pages application. If users are deleted in the source directory, they will also be removed from the White Pages directory. If self-service is enabled, then write-back allows any attributes that have been updated centrally to be written back to the source directory.

Where territories do not operate an LDAP compliant directory service, there is a facility for upload of user records via CSV. This means that all parts of the organisation, including very small branch offices, can participate in the service.

Using this approach, directories can be aggregated in a matter of hours, regardless of geographical location. This allows very rapid realisation of benefits for end users and return on investment for the organisation.
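The reconciliation this section describes, sketched as an added example (not ProofID's code): each source's snapshot, whether read over LDAP or uploaded as CSV, is reduced to an allow-list of attributes and diffed against the central directory, and deletions are propagated only for records that source owns. The attribute list, the mail join key, the per-record source tag and the sample users are assumptions.

```python
import csv
import io

# Assumed allow-list: only attributes the white pages needs leave a source.
SYNC_ATTRS = ("cn", "mail", "telephoneNumber", "l")

def _index(records):
    """Key allow-listed records by lower-cased mail (assumed join key)."""
    users = {}
    for raw in records:
        rec = {a: raw[a].strip() for a in SYNC_ATTRS if (raw.get(a) or "").strip()}
        if "mail" in rec:
            users[rec["mail"].lower()] = rec
    return users

def from_ldap(entries):
    """entries: [(dn, {attr: [str, ...]})]; the first value of each is used."""
    return _index({a: v[0] for a, v in attrs.items() if v} for _dn, attrs in entries)

def from_csv(text):
    """CSV upload path for territories without an LDAP-compliant directory."""
    return _index(csv.DictReader(io.StringIO(text)))

def plan_sync(source, snapshot, central):
    """Diff one source's snapshot against central; touch only records it owns."""
    plan = {"add": [], "modify": [], "delete": [], "conflict": []}
    for key, rec in sorted(snapshot.items()):
        current = central.get(key)
        if current is None:
            plan["add"].append(key)
        elif current["source"] != source:
            plan["conflict"].append(key)   # another directory owns this user
        elif current["attrs"] != rec:
            plan["modify"].append(key)
    for key, current in sorted(central.items()):
        if current["source"] == source and key not in snapshot:
            plan["delete"].append(key)     # removed at source, so removed centrally
    return plan

def apply_plan(source, snapshot, central, plan):
    for key in plan["add"] + plan["modify"]:
        central[key] = {"source": source, "attrs": snapshot[key]}
    for key in plan["delete"]:
        del central[key]

# Constructed sample data, not taken from the white paper.
UK_LDAP = [
    ("cn=Ann Lee,ou=people,dc=uk,dc=example",
     {"cn": ["Ann Lee"], "mail": ["Ann.Lee@example.com"],
      "telephoneNumber": ["+44 161 555 0100"], "userPassword": ["placeholder"]}),
    ("cn=Dev Rao,ou=people,dc=uk,dc=example",
     {"cn": ["Dev Rao"], "mail": ["dev.rao@example.com"]}),
]
BRANCH_CSV = "cn,mail,l\nEva Roy,eva.roy@example.com,Leeds\nChen Wu,chen.wu@example.com,Leeds\n"

def demo():
    central = {
        "ann.lee@example.com": {"source": "uk", "attrs": {
            "cn": "Ann Lee", "mail": "Ann.Lee@example.com",
            "telephoneNumber": "+44 161 555 0199"}},
        "bob.ray@example.com": {"source": "uk", "attrs": {"cn": "Bob Ray"}},
        "chen.wu@example.com": {"source": "sg", "attrs": {"cn": "Chen Wu"}},
    }
    feeds = (("uk", from_ldap(UK_LDAP)), ("branch", from_csv(BRANCH_CSV)))
    plans = {}
    for source, snapshot in feeds:
        plans[source] = plan_sync(source, snapshot, central)
        apply_plan(source, snapshot, central, plans[source])
    return plans, central
```

Because deletions follow the source, an empty or truncated snapshot plans the removal of every user that source owns, so a failed read or a partial CSV upload should be rejected before `plan_sync` is applied.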

3.4 Launchpad for Federated Single Sign On

It is possible to synchronise passwords into the central directory from Active Directory. In this case, the directory can be used as a central point of authentication and acts as a launch pad for the introduction of next-generation identity management technologies such as federated authentication, which are essential if an organisation is to implement a coherent strategy for adoption of cloud services.

As a core element of the White Pages managed service, ProofID uses an industry leading enterprise federation and Single Sign On (SSO) solution. This acts as an ‘identity bridge’ between the aggregated directory and web based applications, either hosted, SaaS or on-premise.

- Seamless SSO from the desktop – no need to sign into web applications once a user has authenticated to the desktop.

- Integration kits to enable federation into commercial applications (such as SharePoint), or to enable federation into applications which do not natively support a federation protocol.

- Outbound provisioning into many commercial SaaS applications such as Office 365 or Google Apps.

- Login via social networks.

- Cloud Desktop service that provides a single landing page for users to access all of their corporate applications via SSO, whether on-premise, hosted or SaaS.

3.5 Architecture

The schematic below shows the architecture of the Directory Aggregation service.

4 CASE STUDY – MAZARS LLP

ProofID’s White Pages Managed Service solution is deployed at Mazars LLP, to provide global directory aggregation and people search capabilities.

Mazars is one of the top ten global accountancy firms and has offices in more than 70 countries worldwide. ProofID deployed White Pages at Mazars to enable staff in each territory to locate staff in other territories, a process that previously was very difficult and time consuming due to the lack of any central staff directory.

At Mazars, each of the countries is able to synchronise its local directory information either by a direct, near real time feed from its Active Directory, or via a text file upload in the case of territories which do not have an Active Directory, in order to create user records in the central directory. The White Pages application, fully branded with the Mazars look and feel, is then used by staff to search globally for colleagues from Mazars’ tens of thousands of staff.

Jayson Dudley, Group Infrastructure Manager for Mazars, recalls: ‘Before we implemented White Pages, on one occasion I spent two full days tracking down contact details for the IT Managers in each territory to invite them to a conference – each territory had a local white pages facility, but they were not joined up or easily accessible from other countries. Now we have a fully aggregated directory of users from across the globe and a very flexible search facility, I can complete the same process in less than an hour. Taken across the whole of our business, this represents a significant improvement in efficiency and at the end of the day more time spent on fee earning work.’

5 CONCLUSION

Organisations can achieve many significant benefits by centralising their directory services, but in most cases the complexities involved in achieving this mean that it remains a distant aspiration. If organisations continue with this approach, it may be many years before they can reap the benefits of a centralised directory, such as efficiency gains from an effective White Pages service, or having a central authentication service around which to base a coherent cloud authentication and access strategy.

ProofID’s White Pages Managed Service takes a different approach. By bundling the White Pages and Directory Synchronisation elements into a single product and by taking a standardised approach to directory aggregation, a fully centralised directory can be achieved in days and weeks rather than months and years.

ProofID’s approach does not need to replace efforts to move towards a consolidated central Active Directory, but can enable organisations to reap the benefits of a centralised directory years before the Active Directory consolidation is complete.

WHITE PAGES MANAGED SERVICE – BENEFITS

Improved Efficiency

- Time saved on searching by having all users in one directory
- Directory always current through daily synchronisation
- Single Sign On with only one set of credentials
- Self-service functionality for users to maintain their own directory entries
- Intuitive interface so no user training required
- Rapid Deployment so the service is up and running in days and weeks

Reduced Cost

- Fewer calls to IT Help Desk to update user directory entries
- No new systems to train IT staff on
- No staff required to maintain or run the White Pages as it is a fully Managed Service
- No lengthy consulting engagement or implementation required
- No separate single sign on product licence or service required
