Tuesday
28Apr

Next Stop - EIC 2009

We're continuing our "push for performance" at the European Identity Conference (EIC 2009) which is being held at Forum am Deutschen Museum in Munich from the 5th through the 8th of May. We'll be demonstrating our new releases of Symlabs Virtual Directory Server and Symlabs LDAP Proxy in the conference exposition, as well as Symlabs Federated Identity Suite. Since we already showcased the speed and added features of our new 5.0 releases in Las Vegas last month, we'll call this their first live performance tour in Europe. And although it's not quite as new, the current version of Symlabs Federated Identity Suite continues to prove its credentials quite capably since we rolled it out late last summer, and it has certainly earned a place on the performance podium as well.

In addition, Sampo Kellomäki, our Chief Architect, will be speaking in two panels that I'd highly encourage you to attend if at all possible. EIC is known for having world-class speakers from the ranks of enterprise technologists, thought leaders, and experts in most significant technology topics such as Identity Management and Governance, Risk Management and Compliance (GRC). It's put on by Kuppinger Cole, a highly respected analyst firm, and this year brings a very impressive list including some of the best known names in the industry and some good friends of ours - Felix Gaehtgens and Dave Kearns, just to mention a couple. The first panel Sampo is speaking in is User Centric Identity In The Cloud: Trust And Privacy, Trust Metrics on Wednesday the 6th at 16:30 following the break, part of the "Innovation" track. The second is Directory Services & Virtual Directories: Virtual Directory Services on Thursday the 7th also at 16:30 following the break, part of the "Best Practices" track. I can promise you that if Sampo has his way, the discussion will be interesting enough to keep you from dozing off after your meal. In fact, the whole agenda is full of topics that should hold your interest, but since there are four parallel streams of presentations, panels, and workshops, plus opening and closing keynotes every day it would be impossible to list them all. The full agenda is on the European Identity Conference 2009 site, so you can see it there.

In addition to the panels, presentations, and workshops, while you're at the conference I really hope you'll take the time to stop by our booth in the expo and give our team a chance to explain how you can put the performance of our products to work for you. Given the pressure of the current economy, it's more important than ever to maximize the use of your resources, and we can offer valuable suggestions on how to do that in your identity infrastructure if you'll spend a few minutes with us. Whether you are interested in virtual directory infrastructures or federated identity applications, we'll be happy to run our products through their paces for you and answer any questions you might have. See you in Munich!

Jeff Zukowski

Friday
20Mar

Meet Us At The Experts Conference

The Experts Conference for Directory & Identity is coming up next week in Las Vegas, and this will give us our first chance to do trade show demonstrations of the new 5.0 release of Symlabs Virtual Directory Server and Symlabs LDAP Proxy. We announced 5.0 several weeks ago, and in case you missed it, you can read the press release: Symlabs Races Ahead of Rivals With Performance of New Products. It includes both new features and performance improvements, but we've been particularly focused on the performance of these products lately. While we've had a great deal of dialog with our client base and are extremely pleased with the results they've experienced, this is an opportunity to take the new release out "on the road" and show it off. These situations always produce interesting discussions, sometimes leading us to new ideas, and often letting us see a light bulb go on over someone's head when we can take the time to explain exactly why performance matters so much and demonstrate it live.

We've done benchmark testing that shows both Symlabs Virtual Directory Server and Symlabs LDAP Proxy to be significantly faster than competitive products, and we're currently doing some more. In the near future, we'll post the results here and provide a complete picture of how we tested and what it means in different types of implementations. That will also give us a chance to review the new features in 5.0 for Active Directory (domain routing and cross-domain authentication), LDAP (virtual tree), and all the new plug-ins plus enhancements to administration and configuration tools.

For most attendees, the biggest reason to be interested in The Experts Conference is the information that the experts will dish out there. There is a whole agenda of workshops and educational sessions, covering some of the hottest topics in the industry. Of course, there will be a number of BOFs (Birds of a Feather sessions) which usually turn into some of the most interesting discussions at technical shows. We'll be participating in both the Virtual Directories and the Federated Service BOFs, so if you would like to share your views on either subject, hear ours, and take part in the discussion that follows, please join in. The Experts Conference is running from Sunday, March 22 through Wednesday, March 25, and the official BOFs are being held Tuesday, March 24, starting at 4:30 PM. You can see the whole agenda and get more information on the show here, then check when you get there for specific locations or any informal sessions that are announced, and be sure to look us up.

Tuesday
17Feb

Virtual Directory Servers And Cache

A number of people have been expressing various opinions about the use (or, indeed, even the need) of caching in virtual directories. Most of the discussion has arisen in response to a blog posting by Ashraf Motiwal. In a recent post he asks Symlabs to come forward and provide our own impressions on the subject, and we're happy to join the discussion. In short, Symlabs believes that a cache is a tool that should be used within a virtual directory only when needed, and in general caching should be avoided where there is not a clear need for it.

The general discussion about the performance overhead that a VDS layer places on top of an existing data infrastructure has been adequately addressed by Mark Wilcox in his blog post. We typically see an increase in latency of around 2 milliseconds, although this may vary to between 1 and 4 milliseconds depending on your infrastructure and the amount of processing that you are handling within your virtual directory.

Keep in mind that cache has its uses, mainly to overcome limitations of your infrastructure, but also that it is usually not the only solution available. Some potential situations include:

  • The back-end server cannot provide the requested throughput. However, this is best overcome by setting up additional replicas.
  • Latency from the back-end server is too high. This one is usually best overcome with a replica that is local to the virtual directory server.
  • The back-end server suffers from unacceptably low availability. For instance, the server might have scheduled maintenance shutdowns that render the source unavailable to client applications. This, too, is overcome with a replica.
  • Calculating the result set takes too long in the back-end server. This usually occurs as the result of a very complex SQL query that requires too many external joins. In this case, it's better to redesign your provisioning workflows.
  • The client application is brain-dead and performs the same query many times in a row - this is the only case in which I've seen true benefits from using cache in a virtual directory server.

We realize that real world environments can't always (or even often) be filled only with ideal solutions, and we've tried to account for that in the design of our products. For any of the cases above, if the client has some limitations that do not allow the preferred strategies to be employed, we provide flexible caching options in Symlabs Virtual Directory Server and Symlabs LDAP Proxy v5.0.

I hope that in everything that I have said here, I have made it clear that I do not think that a cache is the proper solution to handling performance issues. In general it should be considered more as a band-aid that can be used in a desperate situation. In this vein, I fully agree with the comments that Clayton Donley made in his blog post back in April last year.

One final note, I have to correct the math in Tim Paul's blog post. If your server does 5000 queries per second, the latency of each query is NOT 0.2 milliseconds (1/5000) - in reality you have multiple client connections being served at the same time and even multiple asynchronous requests over those connections. Modern directories have search latencies between 1 and 20 milliseconds.

Antonio Navarro
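
The throughput-versus-latency correction at the end of the caching post above, worked through as an added example (not part of the original post or of any Symlabs product). It models a directory server as a closed loop in which a fixed number of requests is always in flight; the function names and the uniform latency distribution are assumptions made for illustration.

```python
import heapq
import random


def naive_latency_ms(qps):
    """The mistaken reading: latency taken as 1 / throughput."""
    return 1000.0 / qps


def in_flight_for(qps, latency_ms):
    """Little's law: average requests in flight = throughput x latency."""
    return qps * latency_ms / 1000.0


def simulate(concurrency, latency_ms_range, duration_s, seed=1):
    """Closed-loop model: `concurrency` requests are always outstanding.
    Each takes a service time drawn uniformly from latency_ms_range and is
    replaced by a new request the moment it completes.
    Returns (throughput in queries/s, mean latency in ms)."""
    rng = random.Random(seed)  # seeded so the constructed workload is repeatable
    lo, hi = latency_ms_range
    end_ms = duration_s * 1000.0
    in_flight = []  # min-heap of (completion_time_ms, latency_ms)
    for _ in range(concurrency):
        lat = rng.uniform(lo, hi)
        heapq.heappush(in_flight, (lat, lat))
    completed, total_latency = 0, 0.0
    while True:
        done_at, lat = heapq.heappop(in_flight)
        if done_at > end_ms:  # next completion falls outside the window
            break
        completed += 1
        total_latency += lat
        nxt = rng.uniform(lo, hi)
        heapq.heappush(in_flight, (done_at + nxt, nxt))
    return completed / duration_s, total_latency / completed


if __name__ == "__main__":
    qps, lat = simulate(concurrency=50, latency_ms_range=(10, 10), duration_s=2)
    print(f"measured: {qps:.0f} queries/s at {lat:.1f} ms per query")
    print(f"1/throughput would claim {naive_latency_ms(qps):.1f} ms")
    for ms in (1, 20):
        print(f"5000 q/s at {ms} ms needs {in_flight_for(5000, ms):.0f} in flight")
```

With 50 requests in flight and 10 ms per query the server sustains 5000 queries per second, so the same throughput figure is compatible with any latency in the 1 to 20 millisecond range given enough concurrent requests.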

Thursday
25Sep

Trust In New Mobile Applications - Part 3 (Conclusion)

Although we've had a bit of a gap in our thread on this topic, I'd like to get back to it at last and finish it up. Working from the architecture I described in the last section, let's assume this view continues to develop, and Telcos push ahead with implementing SAML 2.0 APIs as a general rule. For ASPs, then, adopting this open security model will be both straightforward and very beneficial. They'll have plenty of options for adding the technology to their application that will allow the widest variety of ASPs to participate, no matter what underlying hardware or software they built it on. When their application needs to validate itself to the Telco network, it can use standard SAML 2.0 authentication methods to do it. When it needs information from the user's profile to incorporate into the service, it can use standard ID-WSF application queries or something more advanced such as People Service, if it's available, to obtain it securely.

The fact that SAML 2.0 and ID-WSF are open standards not only means a level playing field for all the ASPs and Telcos in terms of functionality, it also means solid security for the information under their control. But, while SAML 2.0 and the various ID-WSF protocols are the main instruments for securing identity information in this environment, the "identity-related services" that are defined in the ID-WSF model will play an important role in the big picture for mobile users.

Going forward, the applications that will be most desirable for mobile users generally need some personal and profile information to create their value, but that should not necessarily mean releasing any sensitive information. After securely validating the identity of the participants (the user, the ASP, the Telco) and their authority to take part in a particular transaction at any place and time, the services in the ID-WSF model can be made available to all the participants for secure, controlled delivery of that personal information in a standardized format, while safeguarding sensitive information.

This gives ASPs and Telcos a safe, flexible, and easy way to utilize information in end-to-end services on behalf of a user. Because it's open and standardized, an ASP can develop to APIs that will work with a variety of Telco networks and Telcos can incorporate a wide range of ASPs and make their services available quickly - neither has to create special access, security, or formats to protect and exchange privileged information. In fact, using this model, the ID-WSF services that manage and deliver this information are themselves a potential market for ASPs.

While some types of information might naturally associate with a network, like user location or handset model, other types, like personal contacts and associations, are related to the user, and still others, like automobile registration, are related more to an outside authority. ID-WSF is a rich environment that defines services such as geolocation, contact book, personal profile, and ID-DAP to not only objectify the information in a standard way, but also create a layer of security with access that can be granted or controlled by the appropriate authority (i.e., user, network administrator).

The end result, when developed and done properly, is the ability to create applications like Wizi, offer them in a variety of networks from a single ASP platform, and allow them to become a unique service experience in each implementation by combining other participating ASPs or features particular to that Telco. This, of course, brings us back around to the front of the discussion, and why we are so energized to work on standards activities, proofs-of-concept, and demonstrations with ASPs, Telcos, and the assortment of other companies and organizations that have similar interests. We really think this will result in some important and powerful capabilities that can dramatically change how people go about a great many of their daily activities.

Everything we learn, plus anything useful we create in these activities, gets incorporated into Symlabs Federated Identity Suite. We tailor specific packages based on some of these activities; for example, our IdP Telco package has everything they need to utilize the protocols, operate an Identity Provider, and connect to ID-WSF services in their network. We also offer packages designed to build and manage various ID-WSF services such as Personal Profile, Geolocation, or People Service.

I hope I have given you enough of an overview of this exciting environment that we get to watch unfolding firsthand, and are fortunate to participate in creating. In the event that you have any questions, are interested in trying Symlabs Federated Identity Suite for yourself, or have some ideas you'd like to explore, please visit our website. You can download our products, obtain more information, or contact us with your suggestions.

Pablo Sánchez

Thursday
04Sep

DIDW Offers Information, Ideas, And Hands-On

It's often hard to keep the realm of Identity Management in perspective and grounded in reality, but Digital ID World 2008, which takes place next week from September 8th through 10th at the Hilton Anaheim in California, is one of those rare opportunities to grab several days of discussions, workshops, and educational sessions on a wide variety of topics that will help you do just that. This year there's a full agenda of talks that offer user, vendor, and standards perspectives on the industry, but one of the things I think is most valuable is the opportunity to get your hands on some of the products you'll need to actually make identity management a reality for your environment.

Whether you're building new infrastructure or updating an existing one, whether it's for internal use, commercial opportunities, or government services - there's no substitute for demonstrations & discussion with the product folks to help you see how a puzzle assembles into your particular picture, in my opinion. We place a lot of emphasis on this, so we'll be there in booth 311 (around the center of the exhibition area in the California Pavilion) with demonstrations of Symlabs Virtual Directory Server, Symlabs LDAP Proxy, and Symlabs Federated Identity Suite plus experts from our team to answer your questions, discuss your individual requirements, and generally offer suggestions that we hope will be useful in your planning.

As already mentioned here in earlier posts, we've added a lot of improvements to all three of these products in the past several months, and we'd love to show them off for you. Of course, we encourage you to take in the rest of the agenda, since there's a wealth of informative presentations and panels on tap, just don't forget to pay us a visit while you're in the area. We're looking forward to seeing you.

Jeff Zukowski