Identity Infrastructure Is Our Area Of Expertise

The subjects discussed here include technologies, standards, architecture, implementation, and applications ... a broad range, to be sure. Each area is evolving rapidly due to the dramatic increase in scope and importance of identity for services and applications. LDAP, virtual directories, federation, and SSO are now key ingredients in an IT infrastructure. The ability to get maximum performance from them is absolutely critical. We are fortunate to have a "behind-the-scenes" view, and hope the observations we share from that perspective prove useful to our readers who care about these topics.

Entries in Virtual Directory (21)

Wednesday, Aug 04, 2010

XML-based Additions To A Virtual Directory Infrastructure

Recent events and our desire to keep advancing the 'state of the industry' have converged to bring identity-related XML-based frameworks and web services back into our focus. This has prompted some very interesting internal discussions about the various ways they can be supported in a virtual directory environment. We've already explored one, SPML (Service Provisioning Markup Language), in some detail as a result of customer interest. In fact, we currently have an active deployment with a very large client in the energy industry that is using SPML 2.0 as a protocol within Symlabs Virtual Directory Server. While we're pleased with how quick and relatively painless that was to accomplish, and with how well it's operating, it's not something we've seen significant demand for so far.

In principle, adding support for any markup language - whether used to provision webservices, or to implement access control policy such as XACML, or to handle other identity-related tasks - is easy to achieve with Symlabs Virtual Directory Server. Even though this hasn't yet become a core requirement in the market, we've been examining the implications. It's clear that the "de facto" standard for exchanging XML-formatted information in modern infrastructures has settled on SOAP (or some less rigorous variation), with HTTP as the transport protocol. So, because Symlabs Virtual Directory Server has built-in HTTP support, we can already handle most, if not all, of these as webservices. The modular, staged nature of our products (their ability to add any needed functionality through plug-ins, extensions, or even manual stages) means that, starting with this generalized support as a base, we have a straightforward way to add XML encoding/decoding functions. When an XML-based protocol becomes popular enough, we could make standard extensions available, and for more unique requirements our clients have the flexibility to develop the ones they need either with our help or on their own.
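As an added example (not code from this page or from Symlabs' products), here is a minimal Python decode/encode stage of the kind the paragraph describes: it takes a SOAP 1.1-wrapped SPML 2.0 lookupRequest and turns it into an LDAP search, then wraps a directory entry back into a lookupResponse. The SOAP and SPML namespaces are the real ones; the mapping of a psoID to a uid search under ou=people,dc=example,dc=com, the sample message, and the flat <data> contents are assumptions for illustration (SPML profiles such as DSMLv2 define the real data encoding). The two checks a practitioner would want in such a stage are the ones it makes: it refuses any document carrying a DTD before parsing, and it escapes the identifier per RFC 4515 before it lands in a filter.

```python
"""Illustrative SOAP/SPML decode-encode stage in front of an LDAP backend."""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace
SPML_NS = "urn:oasis:names:tc:SPML:2:0"                 # SPML 2.0 core namespace

# Assumption for this example: a psoID carries the user's uid, and users live here.
USER_BASE = "ou=people,dc=example,dc=com"

# Constructed sample request; the psoID deliberately contains LDAP filter metacharacters.
SAMPLE_REQUEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <spml:lookupRequest xmlns:spml="urn:oasis:names:tc:SPML:2:0"
                        requestID="req-1" returnData="everything">
      <spml:psoID ID="bob)(objectClass=*"/>
    </spml:lookupRequest>
  </soap:Body>
</soap:Envelope>
"""


def soap_bytes_are_acceptable(data: bytes) -> bool:
    """Pre-parse gate: a provisioning message never needs a DTD, so any DOCTYPE
    (the vehicle for external entities and entity-expansion bombs) is rejected
    before the XML parser sees it."""
    return b"<!DOCTYPE" not in data


def ldap_filter_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).
    Without this, a psoID like 'bob)(objectClass=*' becomes filter syntax."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def decode_spml_lookup(soap_bytes: bytes) -> dict:
    """Turn a SOAP-wrapped SPML lookupRequest into an LDAP search description."""
    if not soap_bytes_are_acceptable(soap_bytes):
        raise ValueError("DTD in SOAP message rejected")
    root = ET.fromstring(soap_bytes)
    if root.tag != f"{{{SOAP_NS}}}Envelope":
        raise ValueError("not a SOAP 1.1 envelope")
    body = root.find(f"{{{SOAP_NS}}}Body")
    req = body.find(f"{{{SPML_NS}}}lookupRequest") if body is not None else None
    if req is None:
        raise ValueError("no SPML lookupRequest in Body")
    pso = req.find(f"{{{SPML_NS}}}psoID")
    pso_id = pso.get("ID") if pso is not None else None
    if not pso_id:
        raise ValueError("lookupRequest without psoID")
    return {
        "base": USER_BASE,
        "scope": "one",
        "filter": f"(uid={ldap_filter_escape(pso_id)})",
        "request_id": req.get("requestID"),
    }


def encode_spml_lookup_response(entry: dict, request_id=None) -> bytes:
    """Wrap an LDAP entry (attribute -> list of values) as an SPML lookupResponse
    in a SOAP envelope. ElementTree escapes text and attribute values, so '<' or
    '&' in directory data cannot break the document structure. The flat <data>
    layout is a simplification; SPML profiles define the real encoding."""
    ET.register_namespace("soap", SOAP_NS)
    ET.register_namespace("spml", SPML_NS)
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    resp = ET.SubElement(body, f"{{{SPML_NS}}}lookupResponse", status="success")
    if request_id:
        resp.set("requestID", request_id)
    pso = ET.SubElement(resp, f"{{{SPML_NS}}}pso")
    ET.SubElement(pso, f"{{{SPML_NS}}}psoID", ID=entry["uid"][0])
    data = ET.SubElement(pso, f"{{{SPML_NS}}}data")
    for attr, values in entry.items():
        for value in values:
            ET.SubElement(data, attr).text = value
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


if __name__ == "__main__":
    search = decode_spml_lookup(SAMPLE_REQUEST)
    print(search)  # filter: (uid=bob\29\28objectClass=\2a)
    entry = {"uid": ["bob"], "cn": ["Bob <Example>"], "mail": ["bob@example.com"]}
    print(encode_spml_lookup_response(entry, search["request_id"]).decode())
```

The DOCTYPE gate is deliberately placed before the parser rather than relying on parser options, so it holds regardless of which XML library a later extension swaps in. The escaping matters on the LDAP side: without it, filter metacharacters in a psoID would reach the backend as filter syntax, which is the directory analogue of SQL injection.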

As identity infrastructures continue to push forward and demand for these XML-based additions begins to take off, this will be a very interesting subject to follow. We'll keep you posted on what we're seeing and doing, and if you have any thoughts on it, be sure to let us know.

Saturday, May 15, 2010

Kuppinger-Cole Interview Now Available

While attending European Identity Conference 2010 in Munich our Virtual Directory Product Manager, Fernando Garcia, gave a very informative interview to Felix Gaehtgens, a Senior Analyst from Kuppinger-Cole, and it's now up on their website. Check out Fernando's interview to hear his interesting discussion with Felix about applications and directions for virtual directories. And, if you're interested in more thoughts from Felix, you can find him in our blogroll.

Wednesday, May 12, 2010

Impressions From EIC 2010

This year's Kuppinger-Cole European Identity Conference confirmed that many of the players in the identity market are now trying to work more closely to improve future technologies and increase their uptake. The conference centered around 'the Cloud', a rather nebulous term for services provided over the Internet. As expected, discussions focused on security issues and on ways in which identity data could be leveraged to improve business in an environment where data is becoming increasingly distributed. In summary, it was apparent that, while some areas of contention regarding security have been settled by agreeing that different protocols should be used to achieve different ends, there are still many issues which need to be resolved.

As for improving revenue and management in the identity sphere, things seemed a lot more vague, and mostly hinged on the hope that businesses would come to see the benefits of these technologies on their own. This was most evident in a talk about Identity Cards, where roll-out approaches vary widely. The German approach enforces compulsory enrollment but offers services to businesses that may help reduce infrastructure costs, while the Swiss approach pushes the business cases for uptake but allows for voluntary adoption. Although some interesting ideas about potential ways the technology could benefit businesses were presented, it will only become clear over time whether businesses actually see these benefits.

Perhaps the most positive aspect of the conference was the impression that many of the big players in the market are trying to work together toward a common goal. However, opinions are still fairly divided, and I was somewhat concerned to observe a few high-profile players in the industry suggest that identity federation through SAML (and, in particular, the work that Liberty Alliance has done, now continued by Kantara Initiative) looked like it would be dead in the water. This thinking is a little uninformed and, when chatting with other visitors to the conference, it was good to hear that SAML is ubiquitous in the Australian education sector and is widely used across Sweden as well as Denmark in various other governmental sectors.

This confidence in SAML was certainly reflected in a talk by Fulup Ar Foll, who accepted that while OpenID had won ground in the Web 2.0 space, SAML is the natural choice in the commercial and enterprise sphere, as is InfoCard for user interfacing and identity selection. This unofficial armistice between competing technologies has allowed the market to move forward, and everyone in the identity market seems to agree that authentication is a necessary evil, but not the end goal. Now that we have settled some differences over the roles that these technologies play and the arenas in which they belong, we can start looking toward ways that they can enable other identity services to provide real and tangible benefits for businesses and consumers.

Although touted as an 'experts conference', it is clear that the real goal was to educate potential customers and vendors about new identity technologies. Actually, many of these technologies are not really that new. As already mentioned, the Liberty Alliance federation technologies have been developed over the last 10 years or so, and InfoCard has been in development for almost as long. Instead of explaining the practical usage of many of these technologies and demonstrating them in action, the conference speakers still discuss them in a very theoretical way. In talking to many of the integrators and visitors attending the sessions, I sensed that there was a general frustration with this tendency to keep to the theory and to continue talking about the future. Integrators felt that there was little focus or guidance on how to handle the very real problems that they face today, and that all of this looking toward tomorrow (when things will be much better) was not genuinely helpful.

A few of the visitors seemed overwhelmed by the sheer mass of acronyms, protocols, and jargon that was being used. Perhaps it would be fair to say that this type of conference is simply not geared toward people who lack an understanding of the basic theory already out there - but if one needs to be grounded in theory to really understand all of the talks, then there should be little need for the talks to remain theoretical. As an industry, we really need to be careful of not simply 'blinding our consumers with science'.

There seems to be a genuine need to balance conferences like EIC with some advisory workshops where integrators, developers, and architects can learn how to begin working in a direction that will help resolve current issues in a way that won't paint them into a corner in the future. I attended the Authentication and Authorization track entitled 'How to make your software security architecture future-proof' which was presumably intended to have precisely this effect. The panelists pushed the work they were doing and suggested moving away from connection-based authentication and a 'pull-based' identity infrastructure. However, there was little guidance on how to actually achieve this, or how to work it into an existing architecture that more than likely would be built around these types of technologies. The obvious time limitations in a big conference make it difficult to move beyond a high-level schematic of what these technologies involve and into any deeper discussion, so it is hard to be very critical of this. However, it may help to garner support if we can show practical examples of how these technologies are solving problems right now. Indeed, this was highly evident in the talk on OpenID development being done at Microsoft, where we were able to see a prototype solution to many problems using OpenID, as it currently stands, in action. More kudos to you, Ariel Gordon.

To illuminate my perspective for these comments, I'll note that Symlabs has an interesting history. Our core product is designed to resolve many of the immediate issues associated with distributed identity data and connection-based authentication. Much of our software is built around the theme of dealing with problems that people face today. Over the years, particularly through our involvement with Liberty, we have also genuinely explored future technologies. We built Symlabs Federated Identity Suite around many of these concepts. In this way, we have attempted to maintain a presence in both arenas. But one thing is clear to us - while interest in federation is slowly picking up, the majority of our customers are looking to solve today's problems today.

EIC 2010 in Munich was a great opportunity to meet some new people and catch up with many other familiar faces. It was interesting to see how many of the issues that used to be so divisive are now playing out, and it was a genuinely positive experience. I just hope that, when the next one comes around, the experience is a little less ethereal and we see a bit more of an effort to address the problems in existing infrastructures so it can match up to the forces driving these technologies.

Rowan Puttergill

Tuesday, Apr 20, 2010

An Invitation - Join Symlabs At TEC 2010 To Discuss Virtual Directories And FIM

The Experts Conference 2010 will be held next week, and our CEO Antonio Navarro will be giving a presentation there entitled "Virtual Directories and FIM: A Match Made in Heaven?" on Tuesday, April 27th, at 2:45 PM. And, while you're at the conference, please stop by and visit with one of the Symlabs experts who will be on hand and more than happy to discuss virtual directories, or any other identity management subject, with you. We'll offer you a demo and show you how to apply Symlabs Virtual Directory Server, Symlabs LDAP Proxy, or Symlabs Federated Identity Suite to solve many of the problems that are now common in an identity infrastructure. We can also give you some good tips on how to put our new Symlabs Free LDAP Browser to work in a variety of creative ways.

Microsoft's Forefront Identity Manager is a very hot topic these days, so if you're one of the many looking for useful information to plan a deployment, this session should be quite helpful. Antonio has a keen understanding of the underlying technologies and standards for virtual directories and identity management in general, and he has a broad experience in the various products, architectures, and management techniques required to implement a successful infrastructure, so whether it's FIM, Active Directory, or some other identity or directory topic that has your interest, he can offer advice worth listening to.

The Experts Conference (TEC) 2010 will be held on April 25-28 in the JW Marriott Hotel Los Angeles at L.A. LIVE, Los Angeles, California, and the session that Antonio is addressing will be held in room FIM-2 on April 27th from 2:45 PM to 4:00 PM. This will be an important event for all of you who are interested in Microsoft identity technologies, and I hope to meet a lot of you there!

Jeff Zukowski

Friday, Apr 02, 2010

Use 'Virtual Schemas' To Make Complex Data Management Problems Disappear

It has been just over a month since we released Symlabs Free LDAP Browser, and already we're closing in on a thousand downloads of the software. The enthusiastic reception must indicate that we've done something right, and it also makes this seem like a good time to take a closer look at what the browser has to offer and why it's the perfect application to use in conjunction with Symlabs Virtual Directory Server and Symlabs LDAP Proxy, as well as a range of other LDAP directory products.

To quickly review, Symlabs LDAP Browser is a Java application that can run on practically any OS that supports a Java Runtime Environment. It has many great built-in features like full TLS/SSL support, stored searches and bookmarks, LDIF exports, RootDSE and schema viewing, and two simplified editing interfaces for managing directory entries. It can even open multiple connections at once and switch between them using an intuitive tabbed interface, which is extremely useful when working with virtual directories, since you'll most likely want to compare the view on your backend with the view you are generating through the proxy engine.

One of the most common integration problems that virtual directories are typically called upon to resolve involves distributed or fragmented identity data. And, one feature that's unique to Symlabs LDAP Browser is proving to be particularly handy for virtual directory administrators who deal with this. They frequently find user data stored across multiple backend repositories, and, if they're lucky, these are repositories of the same type. If they're not so lucky, the various different repositories at least support the same protocol. But, if they're downright jinxed, they'll find themselves trying to consolidate data stored in several types of LDAP directories along with records stored in various relational databases.

Virtual directories offer a wealth of useful facilities to help resolve these problems, but quite often they do so by violating the schema: the joined view carries attributes or objectClasses that the subschema published by the backend does not declare. That's not to say schema violations are always a problem. Some applications are schema-agnostic and will simply work with the attributes and LDAP objectClasses that they expect. Some virtual directory products also offer the flexibility to smooth over problems caused by schema violations, and there are ways to make an application believe that the schema actually conforms (at least, we know it's possible with Symlabs LDAP Proxy and Symlabs Virtual Directory Server). Still, not every solution is going to call for such drastic measures. However, if you choose not to resolve schema violations, you may struggle to find an LDAP browser that works properly in your environment.

Symlabs LDAP Browser has a very clever feature that addresses this issue. Imagine an ugly situation in which some data for your users is stored within a relational database and, at the same time, you have an LDAP directory that stores entries for the same users. You have an application that needs to access both sets of data as if it were stored in a single LDAP directory entry. The obvious solution is to implement a virtual directory that maps data from the tables in the database onto branches within the virtual directory tree. Using some join functionality, you merge the data from each record with the data for each entry based on a common field or attribute. Now you have a problem ... the directory will still report the schema that it supports, but you also have a bunch of 'virtual attributes' that represent data in the database, and these attributes are not reported by the schema.

While your target application may be okay with this, and your LDAP browser may get as far as displaying the values for these attributes, it's very unlikely that the browser will let you modify entries that do not conform to the schema. Unless, of course, you're using Symlabs LDAP Browser. It is just as schema-strict as the others; the difference is that it also supports the novel idea of a 'virtual schema'.

Symlabs LDAP Browser will download a copy of the schema into memory, then allow you to modify the schema entries that it has stored for the connection. You can add new objectClasses or attributes to the schema, remove conflicting classes or attributes, and modify existing schema entries. Although this has no effect on the backend server, it means that if the data presented by your virtual directory solution does not conform to an existing schema, you will still be able to work with that data within the browser. This is because the virtual schema approach allows you to trick Symlabs LDAP Browser into believing that the data actually does conform. Best of all, you can store the virtual schema modifications that you make for any connection so when you open the same connection again, the browser will download the schema as usual and then apply the modifications you previously made.

[Screenshot: You can easily perform virtual schema modifications that accommodate your virtual directory solution]

[Screenshot: And, when adding a new virtual attribute, you can fully define it as if it were a genuine schema entry]

Of course, this functionality will only work where a solution is designed to support it. In other words, this isn't a quick and easy way to modify the schema on your server so other applications will work with your data. It's only a convenient trick to get the browser itself to work with non-conforming data, but it's a trick that the virtual directory enthusiasts out there are very glad to see. We specialize in virtual directory solutions, and in our many years of experience we hadn't come across a browser that was effective at handling this type of problem. So, we put this little innovation into our Symlabs Free LDAP Browser and we're pleased that it's so popular.
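As an added example (not the browser's own code, and not Symlabs code), the Python below models what the virtual schema approach described above does: an entry joined from an LDAP backend and a relational table is checked against an abbreviated subset of the standard inetOrgPerson schema, the virtual attributes coming from the database are reported as violations, and a stored client-side overlay (here adding two attributes to the MAY list of inetOrgPerson) makes the same entry validate without the backend schema changing at all. The schema subset, the sample entry, the database rows and the attribute names costCenter and badgeId are constructed for illustration; attribute names are compared case-sensitively for brevity, which real LDAP does not do.

```python
"""Illustrative model of an LDAP schema check with a client-side 'virtual schema' overlay."""
import copy

# Abbreviated subset of the standard person/inetOrgPerson schema (RFC 4519, RFC 2798);
# the real MAY lists are much longer. 'sup' is the superior class, walked for inheritance.
BASE_SCHEMA = {
    "top": {"sup": None, "must": {"objectClass"}, "may": set()},
    "person": {"sup": "top", "must": {"sn", "cn"},
               "may": {"userPassword", "telephoneNumber", "seeAlso", "description"}},
    "organizationalPerson": {"sup": "person", "must": set(),
                             "may": {"title", "ou", "l", "st", "postalAddress"}},
    "inetOrgPerson": {"sup": "organizationalPerson", "must": set(),
                      "may": {"uid", "mail", "givenName", "displayName",
                              "employeeNumber", "departmentNumber"}},
}

# Constructed sample data: an entry from the LDAP backend and rows from a relational table.
LDAP_ENTRY = {
    "objectClass": ["inetOrgPerson", "organizationalPerson", "person", "top"],
    "uid": ["bob"], "cn": ["Bob Example"], "sn": ["Example"], "mail": ["bob@example.com"],
}
DB_ROWS = [
    {"username": "bob", "costCenter": "4711", "badgeId": "B-0042"},
    {"username": "alice", "costCenter": "4712", "badgeId": "B-0043"},
]

# The browser-side overlay: the backend is never modified, only an in-memory copy.
VIRTUAL_SCHEMA = {"add_may": {"inetOrgPerson": {"costCenter", "badgeId"}}}


def join_entry(ldap_entry, db_rows, key_attr, key_column):
    """Merge matching DB columns into the LDAP entry as virtual attributes,
    joined on a common value (the kind of join a virtual directory performs)."""
    merged = {attr: list(values) for attr, values in ldap_entry.items()}
    key = ldap_entry[key_attr][0]
    for row in db_rows:
        if row[key_column] != key:
            continue
        for column, value in row.items():
            if column != key_column and value is not None:
                merged.setdefault(column, []).append(str(value))
    return merged


def allowed_attributes(schema, object_classes):
    """Collect MUST and MAY attributes across the classes and their superiors."""
    must, may = set(), set()
    for oc in object_classes:
        current = oc
        while current is not None:
            if current not in schema:
                raise KeyError(f"unknown objectClass {current}")
            must |= schema[current]["must"]
            may |= schema[current]["may"]
            current = schema[current]["sup"]
    return must, may


def schema_violations(schema, entry):
    """Report what a schema-strict client would refuse to edit. Attribute names are
    compared case-sensitively here for brevity; LDAP itself is case-insensitive."""
    must, may = allowed_attributes(schema, entry["objectClass"])
    present = set(entry)
    problems = [f"missing MUST attribute {a}" for a in sorted(must - present)]
    problems += [f"attribute {a} not allowed by objectClasses"
                 for a in sorted(present - must - may)]
    return problems


def apply_virtual_schema(schema, overlay):
    """Return a copy of the downloaded schema with stored edits applied:
    extra MAY attributes on existing classes, new classes, removed classes."""
    s = copy.deepcopy(schema)
    for oc, attrs in overlay.get("add_may", {}).items():
        s[oc]["may"] |= set(attrs)
    for oc, definition in overlay.get("add_objectclass", {}).items():
        s[oc] = {"sup": definition.get("sup", "top"),
                 "must": set(definition.get("must", ())),
                 "may": set(definition.get("may", ()))}
    for oc in overlay.get("remove_objectclass", ()):
        s.pop(oc, None)
    return s


if __name__ == "__main__":
    joined = join_entry(LDAP_ENTRY, DB_ROWS, "uid", "username")
    print("against backend schema:", schema_violations(BASE_SCHEMA, joined))
    print("against virtual schema:",
          schema_violations(apply_virtual_schema(BASE_SCHEMA, VIRTUAL_SCHEMA), joined))
```

The point the model makes explicit is the one in the paragraph above: the overlay only changes what the client believes, so other applications bound to the backend still see the unmodified schema, and a write that the overlay permits can still be rejected by a backend that enforces its own.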

If you're looking for something that can handle your actual schema modification requirements without affecting your existing repository, then you should look to Symlabs Virtual Directory Server or Symlabs LDAP Proxy, particularly given many of the recent improvements that we've made. If, on the other hand, you just need a browser that can work with your virtual directory solution, regardless of how schema-compliant its data presentation is, then download Symlabs LDAP Browser for yourself and use it with our compliments; it's free.

Rowan Puttergill