Federated Directory Services
for the connected enterprise

Federated Directory Server helps overcome the challenge of distributed identity data, which is a significant hurdle to the deployment of new enterprise business solutions.
Table of Contents

Business challenges and solution scenarios
  Business scenarios
    Enterprise security
    Collaboration and social interaction
    Cloud – access & provisioning
    Mobile access
Federated Directory Server
  Migrate or co-exist
  Join multiple directories
  Enrich with data from other sources
  Selective write-back of changes to the original source
  Federate authentication back to original source
Performance characteristics
Conclusion

Business challenges and solution scenarios
The requirements are clear: “all users must be able to log in through one server” and “find information about everybody in one place”. Rip and replace is not an option. On the other hand, any significant change to the existing infrastructure is not acceptable either. Something needs to give.
Identity data is a critical component of the connected enterprise. This is information about employees, customers, contractors, and business partners. It is essential for focus areas such as enterprise security, collaboration and social interaction, cloud based solutions, and business compliance. Each of these realms introduces challenges and requirements of its own, and they are discussed further on in this paper.
Although not a surprise, it is still curious that this critical information is stored in several places, but not in the same format, and not even consistent in data content. Additionally, it is sometimes managed under different jurisdictions with unique processes and compliance requirements. Finally, the systems that store this information have varying degrees of technical availability, scalability, data reliability and security policy.

IBM Federated Directory Server bridges this set of challenges. It is built on a world leading, market proven, and massively scalable directory service. Yet it integrates right back into fragile environments that have important data, though they might not – for various reasons – be ready to directly support the new requirements of the planned enterprise solutions.
Business scenarios

The business areas shown below have high visibility in most enterprises. They provide the background for a discussion on how Federated Directory Server can rapidly help to deploy enterprise solutions in these contexts.

Enterprise security
Security is an ever more important component of the enterprise infrastructure. However, it is common that identity data is fragmented across multiple LDAP directories or other resources. This complicates deployment of services such as single sign-on[1] that use authentication servers to verify that user names and passwords are valid. For example:

a. For compliance or counter-threat reasons, an organization could mandate that all users authenticate using their email address or employee number. This is difficult to implement if there is no standard for login names across the enterprise directories.
b. Employees need to interact with customers when logging into externally facing IT systems such as enterprise content systems or social software like IBM Connections[2]. For security reasons the existing enterprise directories cannot be used to authenticate users in this situation.
There are other common problems, such as enterprise applications only being able to connect to a single corporate LDAP directory for authentication purposes. However, people can exist in several directories, and the naming structure for authentication credentials can vary across the systems. Also, certain directories might contain people and groups that are not to be surfaced to the enterprise level.
Collaboration and social interaction

The first item on the agenda when planning social software in an enterprise is to address any authentication challenges as described in the previous section. However, once security has been addressed, the next stage is to design a rich environment for users. Social software is about content and context, which means that information about people needs to be available and visible. For example, phone numbers, organizational and geographical location, and similar content that may exist in other systems in the enterprise.

[1] IBM Security Access Management:
    ISAM: http://www.ibm.com/software/products/en/access-mgr-web
    ESSO: http://www.ibm.com/software/products/en/access-mgr-esso
[2] http://www-01.ibm.com/software/lotus/

Such information richness is usually not available in existing directories, so the data must be brought in, merged, correlated and cleaned before this added content can be made available to the social software. A final point is that this information needs to be available fast, and sometimes globally, which means that dependence on the systems where the data originated should be avoided because they might not be designed for the higher performance and availability requirements.
Cloud – access & provisioning

Cloud is a broad topic. Therefore a few scenarios are used to illustrate where Federated Directory Server can simplify deployment and usage of new services. The core problem from an identity perspective is that the cloud-based systems do not have access to the existing authentication services. Depending on the situation, this can be addressed by
a. Synchronizing user information between the enterprise and the cloud environments. Federated Directory Server supports the SCIM protocol, which is a commonly supported protocol for user provisioning. For example, any changes in local Active Directories can be synchronized across to a cloud identity service.
b. Providing the cloud environment with access to the enterprise authentication services. This can work well in a private cloud scenario where the new cloud infrastructure is within existing enterprise infrastructure.
c. Use federation services like IBM Federated Identity Manager[3], which lets enterprise users access cloud services without synchronization.

Federated Directory Server is a solid foundation for private, hybrid, or public cloud projects when existing users need access to new services.
Mobile access

Access from mobile devices inside the enterprise is in many ways similar to that from workstations. However, once outside the enterprise perimeter, the mobile units must first access the infrastructure through a VPN service or other mobile access management service[4]. These services struggle with the same issues as described in the “Enterprise security” section above in that there might be multiple internal directories where users are managed. Furthermore, the actual structure of the user credentials is possibly different in the systems as well, making it challenging to consolidate for mobile access. For example, on one system logging in might require a username such as “anne_p@marketing”, while on another server it might be “Anne Parks/Marketing”.

Federated Directory Server can provide a single “name space” to the mobile gateways so that all users may use the same type of login, such as email address or employee number, yet still be authenticated against their home directory in line with the way that authentication is currently configured.

[3] http://www-03.ibm.com/software/products/us/en/federated-identity-mgr/
[4] IBM Security Access Manager for Cloud and Mobile: http://www-03.ibm.com/software/products/us/en/samcm/
Federated Directory Server

Federated Directory Server delivers a number of capabilities that allow an organization to address the above business scenarios. It is a foundation for enterprise security and identity visibility that combines performance, global scalability, and “government class” security with deep integration to legacy directory services. In this way an organization can keep what is already in place, yet extend the use of the information to support new requirements.

The deployment scenarios illustrated below are examples that will be used to discuss the capabilities in the product. These scenarios do not exclude each other, and are described this way to simplify each use case rather than list all individual capabilities.
Migrate or co-exist

When transitioning from one directory to another it is usually not enough to just migrate the data since business will be ongoing until the move is complete. Sometimes both directories need to stay in place for some time, which introduces a number of technical considerations.
a. Must changes in the original directory immediately be propagated to the new directory?
b. Can original data be used as is, or must it be checked and possibly cleaned or otherwise modified to conform to enterprise standards?
c. Should users get new passwords, or should login to the new directory result in authentication back to the original directory?
d. If attributes are modified in the new directory, should these changes be written back to the original directory?
e. Should the directory hierarchy be mirrored in the new directory or should the data structure be simplified?
f. Should groups also be synchronized?

Federated Directory Server supports all of these scenarios, providing an organization with a significant amount of flexibility when planning a directory migration or co-existence project.
Join multiple directories

Dealing with multiple directories is not very different from the previous scenario. With Federated Directory Server, any number of directories can be integrated at the same time. All of the capabilities mentioned above work as expected with multiple directories.

Federated Directory Server additionally helps consolidate the user names that are used to log in. The existing directories possibly have different naming structures, which can lead to confusion in the organization. FDS allows you to choose a common attribute to identify users, transparently converting login credentials to the values expected by the existing directories. The next section will describe how data from other sources can be pulled into the user profiles and then be used to identify users when they log in.
Enrich with data from other sources

Not only does identity data that is stored in multiple directories need to appear as if it is coming from the same place, but this data might need to be combined with information from other types of systems and data stores as well. In FDS this is called “joining” data from multiple sources. For example, there might be additional organization data in a Human Resources (HR) system, or other attributes in a database that need to be available in the new directory. FDS can join in data from any number of sources because the underlying technology is based on Directory Integrator. This includes accessing Web Services, REST-based systems, SQL databases, and many other out-of-the-box sources, as well as entirely custom sources by exploiting the power of Directory Integrator.
Selective write-back of changes to the original source

Changes in Security Directory Server (SDS) can be pushed back to the source systems. For example, users might be allowed to modify their home address and telephone number, which will be written back to Active Directory so that the Microsoft environment can benefit from changes created by the new systems. This provides an additional layer of security, mitigating the need for setting up advanced security models to restrict direct access to the existing directories. Part of the vision for FDS has been to “insulate and extend” the existing data environments, to reduce the risk of exposing them directly to new enterprise services that they were not designed to handle.
Federate authentication back to original source

Password synchronization is a thing of the past[5]. Users and passwords can continue to be managed the way they currently are, even in multiple systems. If desired, they can automatically be transferred to Security Directory Server (SDS) at the appropriate time if the existing directory server needs to be sunset for authentication purposes. It is even possible to let users log into SDS using a different login credential (such as their email address or employee number), and have SDS automatically translate that to the correct user name when checking the password in the existing directories.

Performance characteristics

The hybrid integration architecture of FDS results in significant performance characteristics.

First of all, IBM Security Directory Server (SDS) is the LDAP engine in FDS. SDS is a highly scalable, very reliable and high performance LDAP directory server. For large environments, SDS can replicate data to provide maximum speed in local infrastructures across the world. Therefore, existing data located in an identity silo can be integrated with richer data from other systems, and then propagated through SDS to make information available at high speed.

Although part of the same argument as above, it’s worth pointing out that existing identity sources might not be designed or managed in a way that is suitable for real-time integration with new enterprise services. FDS represents an “insulate and extend” approach where changes are pulled – only once – from existing systems and after that are accessed only from SDS. It is therefore possible to deliver world-class performance independent of the speed and availability of existing systems.
[5] Passwords are usually “one-way encrypted”. This means that you can ask a server “is this the correct password for this user”, but cannot ask “what is the password for this user”. As a result passwords generally cannot be copied between systems unless they share the exact same encryption algorithm.
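The following is an added illustration, not code from the paper or from IBM's product, of the credential translation and pass-through password check described under “Federate authentication back to original source” and of footnote 5. Two constructed stand-in directories each store passwords under a different one-way scheme, while the federated layer keeps only the common login attribute and the mapping to the user's home directory and delegates the password check; the directory names, login ids and hashing schemes are assumptions.

```python
import base64, hashlib, hmac, os
# Two one-way password schemes, one per existing directory (constructed stand-ins).
def ssha_hash(pw, salt):  # {SSHA}: base64(sha1(pw + salt) + salt), common in LDAP servers
    return "{SSHA}" + base64.b64encode(hashlib.sha1(pw.encode() + salt).digest() + salt).decode()
def ssha_verify(pw, stored):
    raw = base64.b64decode(stored[6:]) if stored.startswith("{SSHA}") else b""  # wrong format -> empty
    return bool(raw) and hmac.compare_digest(raw[:20], hashlib.sha1(pw.encode() + raw[20:]).digest())
def s256_hash(pw, salt):  # {S256}: hex(salt)$hex(sha256(salt + pw)), a different scheme
    return "{S256}" + salt.hex() + "$" + hashlib.sha256(salt + pw.encode()).hexdigest()
def s256_verify(pw, stored):
    salt_hex, _, digest = stored[6:].partition("$")
    return stored.startswith("{S256}") and hmac.compare_digest(
        digest, hashlib.sha256(bytes.fromhex(salt_hex) + pw.encode()).hexdigest())

class SourceDirectory:
    """An existing directory: native login name -> stored one-way hash."""
    def __init__(self, hash_fn, verify_fn):
        self.hash_fn, self.verify_fn, self.accounts = hash_fn, verify_fn, {}
    def add_user(self, login, password):
        self.accounts[login] = self.hash_fn(password, os.urandom(8))
    def verify(self, login, password):
        stored = self.accounts.get(login)
        return stored is not None and self.verify_fn(password, stored)

class FederatedDirectory:
    """Keeps only the common login id and the user's home directory; no password material."""
    def __init__(self):
        self.sources, self.profiles = {}, {}
    def join(self, name, directory, native_login, common_id):
        self.sources[name] = directory
        self.profiles[common_id] = (name, native_login)
    def authenticate(self, common_id, password):
        """Translate the common id to the native login, then delegate the password check."""
        name, native_login = self.profiles.get(common_id, (None, None))
        return name is not None and self.sources[name].verify(native_login, password)

def hash_is_portable(src, login, dst, password):
    """Footnote 5: a hash copied into a directory using another scheme cannot be verified there."""
    copied = SourceDirectory(dst.hash_fn, dst.verify_fn)  # same scheme as dst, without touching dst
    copied.accounts[login] = src.accounts[login]
    return copied.verify(login, password)

# Constructed sample data, using the two login formats quoted in the paper.
ad = SourceDirectory(s256_hash, s256_verify)
ad.add_user("anne_p@marketing", "correct horse")
legacy = SourceDirectory(ssha_hash, ssha_verify)
legacy.add_user("Bob Lee/Sales", "battery staple")
fds = FederatedDirectory()
fds.join("ad", ad, "anne_p@marketing", "anne.parks@example.com")  # log in by email address
fds.join("legacy", legacy, "Bob Lee/Sales", "E12345")             # log in by employee number
```

A real deployment would perform the delegated check as an LDAP bind against the home directory; the in-memory verify calls here stand in for that bind.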
Compared to a traditional “virtual directory approach”, the FDS approach ensures that data is available for high-speed access before it is requested by a user. And finally, all data can be aggregated, cleaned and harmonized to a common format before it is accessed. The more complex the data harmonization, the more costly it is to perform this in real-time and still maintain an acceptable level of performance.
Conclusion

Federated Directory Server provides a new range of options for identity infrastructures. Existing directories can be seamlessly integrated into new directory services that scale in a manner that previously was not possible. Existing user management processes can stay in place, and can even be applied to new directories when desired.

As FDS is based on the Directory Integrator technology, it can be customized to practically any scenario to handle the specific requirements of organizations that have unique technical challenges.

With FDS, distributed identity silos can be brought together so that the enterprise can expose a single, logical, rich, and structured interface to new and existing enterprise applications.