Sponsor's Message - OctetString
 The OctetString Directory Federator Express (DFE)
product is designed to improve the scalability, reliability, and
security of new and existing directory services environments.
DFE and Your Internal Environment: Improving Fault Tolerance, Availability and Scalability
DFE's combination of load-balancing, federation, and transformation qualifies it to provide a directory "dial-tone" service that meets the needs of a wide array of LDAPv3-enabled applications. DFE differs from traditional LDAP proxies in several important ways:
- Read vs. Write Routing. Since LDAP replicas are read-only servers, DFE distinguishes read operations from write operations: reads are served by the replicas, while write traffic is sent directly to the LDAP master servers.
- Connection Pooling. Most high-performance directory servers have a limited ability to handle increasing numbers of connections. DFE improves the performance of the proxied directory replicas by limiting simultaneous connections to a tunable pool of reusable connections. DFE uses the pooled connections to perform queries for many clients in succession, enabling directory replicas to focus on LDAP operations and increasing overall performance.
- Operation-Level Load Balancing. When multiple directory server replicas are configured, DFE establishes a pool of connections across all servers and spreads the load across them. DFE can balance load on an operation-by-operation percentage-allocation basis rather than on a connection-by-connection basis, so it can collapse thousands of clients into a few optimized high-performance connections or, alternatively, split a single "noisy" client across multiple connections.
- Routing. DFE offers intelligent routing: the ability to route particular queries to particular LDAP servers, giving administrators control over which servers handle which queries.
- Federation. DFE can combine multiple enterprise directories or directory forests and present them as a single directory view. Identities from multiple organizations can be merged into a single LDAP directory.
- Heartbeat & Operation Timeout. DFE monitors all connections and operations for timeouts and sends a periodic heartbeat that assesses the availability of the directory replica servers. When a failure is detected, DFE transparently redirects the client request to another replica server, so the client is served by a surviving replica instead of receiving an error. When the heartbeat detects that the server is available again, service is automatically restored.
- Fault Tolerance. DFE servers can be flexibly deployed in virtually any fault-tolerant configuration. Configuration files can be shared, allowing rapid startup of new DFE servers when fault or load conditions demand it, or, combined with round-robin DNS, redirector, or cluster technology, to provide a complete fault-tolerant solution.
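The routing behaviour the list above describes (read/write splitting, per-operation percentage allocation across replicas, and heartbeat-driven failover) is shown below as an added illustration. It is not OctetString's code and sends no LDAP traffic: the server names, the 75/25 split, the treatment of bind as a replica-served operation, and the use of a smooth weighted round-robin as the allocation algorithm are all assumptions made for this example.

```python
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass

# LDAPv3 operations that change the DIT; a read-only replica cannot take them.
WRITE_OPS = frozenset({"add", "modify", "modifyDN", "delete"})
# Operations a replica can answer. Bind is included on the assumption (made
# for this example) that the replicas hold the credential attributes.
READ_OPS = frozenset({"search", "compare", "bind"})


@dataclass
class Backend:
    name: str
    weight: int          # share of read traffic in percent
    healthy: bool = True
    current: int = 0     # running score for smooth weighted round-robin


class LdapRouter:
    """Decide which directory server each LDAP operation should be sent to."""

    def __init__(self, master: str, replicas: dict[str, int]):
        if sum(replicas.values()) != 100:
            raise ValueError("replica percentages must add up to 100")
        self.master = Backend(master, 100)
        self.replicas = [Backend(n, w) for n, w in replicas.items()]

    def heartbeat(self, name: str, alive: bool) -> None:
        """Record the outcome of a heartbeat probe against one server."""
        for backend in (self.master, *self.replicas):
            if backend.name == name:
                backend.healthy = alive
                return
        raise KeyError(name)

    def route(self, op: str) -> str:
        """Return the name of the server that should handle operation `op`."""
        if op in WRITE_OPS:
            # Writes cannot be failed over to a replica: if the master is
            # unreachable the client has to get an error back.
            if not self.master.healthy:
                raise RuntimeError(f"master {self.master.name} is down; {op} refused")
            return self.master.name
        if op not in READ_OPS:
            raise ValueError(f"unknown LDAP operation {op!r}")
        live = [b for b in self.replicas if b.healthy]
        if not live:
            # Every replica failed its heartbeat: degrade reads onto the master.
            if self.master.healthy:
                return self.master.name
            raise RuntimeError("no directory server available")
        # Smooth weighted round-robin: each operation goes to the live replica
        # with the highest accumulated score, so the percentages hold per
        # operation rather than per connection.
        total = sum(b.weight for b in live)
        for b in live:
            b.current += b.weight
        chosen = max(live, key=lambda b: b.current)
        chosen.current -= total
        return chosen.name


def simulate(router: LdapRouter, ops: list[str]) -> dict[str, int]:
    """Route a sequence of operations and count how many each server received."""
    counts: Counter[str] = Counter()
    for op in ops:
        counts[router.route(op)] += 1
    return dict(counts)


if __name__ == "__main__":
    # Constructed scenario: one master, two replicas taking 75% and 25% of reads.
    router = LdapRouter("ldap-master", {"replica-a": 75, "replica-b": 25})
    print(simulate(router, ["search"] * 100))   # {'replica-a': 75, 'replica-b': 25}
    print(router.route("modify"))               # ldap-master
    router.heartbeat("replica-a", False)        # heartbeat marks replica-a down
    print(simulate(router, ["search"] * 10))    # {'replica-b': 10}
    router.heartbeat("replica-a", True)         # and later sees it again
    print(simulate(router, ["search"] * 4))     # {'replica-a': 3, 'replica-b': 1}
```

The write path is the caveat to take from the feature list: a proxy can redirect a read to a surviving replica, but a write that arrives while the master is unreachable has nowhere to go and must be failed back to the client, so transparent failover only covers reads unless the masters themselves are replicated. A second point for anyone deploying such a proxy: collapsing thousands of clients onto a few proxy-owned connections means the replica sees the proxy's bind identity rather than the client's, so per-client access control has to be enforced at the proxy or passed through with a proxied-authorization control.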
Learn more about OctetString, Inc. DFE and our Virtual Directory Engine (VDE) Suite-based software solutions at www.octetstring.com, where you can download free, fully functional evaluation copies of DFE and all other VDE products. Or call us at 847-358-9358 for more information.
Dear Colleague,
Welcome to this special issue of the DIM Report - bringing
you all the news from the Burton Group Catalyst Conference,
probably the most important conference for the world of
Directories and Identity Management.
I had hoped to
get this edition out yesterday, but I was waiting for reports
from my undercover, on-the-spot, investigative reporters.
Alas, the reports have failed to materialize, so instead I've put together an overview of the mass of announcements
from Catalyst, plus a roundup of other IdM (non-Catalyst)
news.
Hopefully, I'll be able to bring you some up-close and
personal reports from Catalyst in a later report. Speaking of
which, please note that I'm off on my summer holidays for the
next two weeks, so the next DIM Report won't be until 4
August. Make sure you keep the news coming and if you are off
on holiday/vacation too - have a great time!
Regards,
Dave Nesbitt
PS. There's some great new
MIIS info at the bottom of the report too.
Catalyst - Overview & WS-Federation
Catalyst opened with Burton Group CEO and Research Chair,
Jamie Lewis' keynote speech: Enterprise Identity Management:
It's about the Business. "The ability to use and manage digital
identity while balancing legal, regulatory, privacy, and security
concerns is a prerequisite for securing and managing the virtual
enterprise," said Lewis. "Identity management is also critical
to e-business relationships and enabling distributed applications
based on the Web services framework. But enterprises face
a variety of challenges in accomplishing these goals. During
Catalyst we will outline these challenges, define IdM in clear
terms, and describe how it will evolve, giving enterprises
the information they need to plan effectively."
Topics covered in the three day
event included security, provisioning, the service
provisioning markup language (SPML), identity-based
encryption, federated identity, Web access management, and Web
services. Speakers included Burton Group analysts and
consultants, customers and vendors covering topics such as
"Provisioning: Deployment Experience", "Using Web
Services to Limit Middleware Bloat", "Federated Identity in
Practice", "Identity Networks, Scalable Trust Models and the
Role of Open Source" and "Enterprise Privilege Management".
Burton Group Website
Perhaps one of the most significant events at the show
was the announcement, and demonstration, of the WS-Federation
specification by Microsoft and IBM. This specification defines
mechanisms to allow federation of identities, attributes,
and authentication between participating Web services and
was first proposed in the document, "Security in a web services
world - a proposed architecture and roadmap", published
in April 2002.
WS-Federation presents an alternative approach to the Liberty Alliance specification for federated identity (neither Microsoft nor IBM is a member of the Liberty Alliance), but it does share one thing with Liberty: support for the Security Assertion Markup Language (SAML). Although the specification does not yet come under the auspices of any standards body, industry commentators are hoping it may eventually find a home alongside other similar specs at the Organization for the Advancement of Structured Information Standards (OASIS).
WS-Federation Spec
Catalyst - Liberty Alliance
The Liberty Alliance used the platform of Catalyst to
announce the publication of two important new documents.
The first is entitled "Raising the Business
Requirements for Wide Scale Identity Federation" and attempts
to identify the general business considerations that must be
addressed by any organization looking to extend Identity
Management beyond the organization's boundaries. The main
business requirements are identified as:
- Mutual Confidence: the measures and tasks that
circle of trust members undertake to enforce and manage
rules and risks.
- Risk management: to minimize
risk, federations must ensure they disseminate best
practices and have adequate revocation and fraud protection
measures.
- Liability: federations should establish agreements on
allocation of liability and dispute resolution.
- Compliance: federated Id systems must comply with
applicable regulations.
The second document is an independent assessment of the
Liberty Alliance and SAML specifications by the Financial
Services Technology Consortium (FSTC). The FSTC is a consortium
of leading North American-based financial institutions,
technology vendors, independent research organizations,
and government agencies that sponsors investigations into
new technology that may be of benefit to its members. The
paper reviews some financial industry requirements against
both SAML V1.0 and Liberty V1.1 through three use cases:
Employee Single Sign-On to Enterprise Partners; Business-to-
Business; Account Aggregation. The report comes to three
conclusions about SAML and Liberty that, although targeted
at the financial services industry, undoubtedly have resonance
across many other industries. The conclusions are:
- There are real business opportunities that can exploit Liberty and SAML today.
- Standards bodies and technology vendors still need to make it easier.
- Financial institutions should proceed with careful use of Liberty and SAML.
The whole document is only available to FSTC members, but the executive summary can be found on the Liberty website.
The Liberty Alliance Website
Catalyst - Novell
Novell had some important news: a new architectural
guide for customers, the availability of a new SAML service,
and a new auditing and logging product extension.
Novell Releases Roadmap for Secure Identity Management Success:
Novell has released a new secure identity management
architectural guide designed to help customers understand the
essential building blocks of secure identity management, and
how to design and deploy those components. The document, "A
Superior Foundation for Secure Identity Management," also
introduces Novell's Identity Automation Framework - the
company's technical architecture underlying the future of all
of its Nsure solutions.
Novell Helps Business Partners Securely Share Identity Information on the Web: Novell announced the general availability of the
SAML extension for Novell® iChain®, a federated identity
management service that allows companies to reach across the
Internet to form relationships with business partners and
customers. The concept of federated identity - securely
sharing user information across organizational or geographic
boundaries - is an important part of Novell Nsure secure
identity management solutions, which not only address identity
management within an organization but also beyond the
firewall.
Novell Expands Nsure Solutions for Managing Compliance with Government Regulations and Organizational Policies: Novell
is releasing a major new addition to its Novell® Nsure secure
identity management solutions. The company announced the
availability of Novell Nsure Audit, secure logging and
auditing software that allows businesses to track and monitor
security-related activity in internal systems and
applications.
Novell's Website
Catalyst - Critical Path
Critical Path had plenty of news to share with everyone
at Catalyst, with a major new meta-directory customer, a
reminder that their meta-directory can be used instead of MIIS
for Active Directory migrations, and the release of a password
management product.
Louisiana Health Agency Selects Critical Path Software to Cut Costs of Active Directory Migration and Multi-Vendor Data Integration:
Critical Path announced that the State of Louisiana's
Department of Health and Hospitals has selected the Critical
Path Meta-Directory to address two major initiatives. The
Critical Path software will be used both to consolidate
disease tracking data from clinical databases across the state
in near-real time and to simplify migration of their internal
user authentication system from Novell NDS to Microsoft Active
Directory.
Critical Path Simplifies Implementation of Active Directory in Large and Small Enterprises: Critical Path announced its support for
simplifying the deployment of Microsoft Active Directory in a
wide range of enterprise environments. Critical Path Meta-Directory offers out-of-the-box connectivity to a breadth of
business systems and enables Active Directory to be integrated
with multi-vendor environments without the need for custom
development or disruptive platform upgrades.
New Password Management Software from Critical Path Cuts Helpdesk Costs and Boosts Enterprise Security: Critical Path announced the
Critical Path Password Management solution for centrally
administering passwords across systems and applications. The
software provides self-service resets of forgotten passwords,
centralized definition and enforcement of password policies,
dynamic password synchronization across systems for reduced
sign-on, and auditing of all password change activities.
Critical Path's Website
Catalyst - The Rest
OpenNetwork Delivers Industry's First Identity Management Solution that Supports Web Services Standards for Provisioning and Single Sign-On: OpenNetwork announced that its Universal
Connectivity Broker, one of the key components of the
Universal Identity Platform (IdP) 5.0, will be part of the
multi-vendor SPML Interoperability demonstration at Catalyst.
The Universal Connectivity Broker is a .NET Web Services-based
engine that supports federated single sign-on using the
Security Assertion Markup Language (SAML) and Microsoft
Passport, as well as federated provisioning and de-provisioning using the Service Provisioning Markup Language (SPML) and the Directory Services Markup Language (DSML).
Waveset Lighthouse Directory Master Enables Enterprise Portal Projects: As previewed in the last DIM Report, Waveset
introduced and demonstrated Waveset Lighthouse Directory
Master at Catalyst. This new solution enables organizations to
manage disparate identity data across directory environments.
Sun and Waveset to Offer Integrated Identity Management Solution for PeopleSoft: Sun and Waveset announced an expansion of the companies' strategic alliance to deliver an integrated, standards-based identity management solution for use with
PeopleSoft® applications. The first iteration of the solution
is designed to enable business process integration between
Human Capital Management and IT security/identity management.
Thor Technologies to Participate in First Public Demonstration of OASIS' Service Provisioning Markup Language (SPML) Standard at Burton Group's Catalyst Conference 2003: Thor announced
its participation in the first public demonstration of the
OASIS Service Provisioning Markup Language (SPML) v1.0
Standard at the Burton Group's Catalyst North America
conference. Thor demonstrated its ability to interoperate with
any SPML-compliant application or managed system at the
Catalyst interoperability event.
Thor Technologies Teams With Oracle To Deliver Adapters For Identity Management And User Provisioning: Thor also
announced the availability of new Xellerate adapters for
Oracle Internet Directory.
Non-Catalyst News
There has been plenty of other news from the industry,
some of it undoubtedly timed to coincide with Catalyst. But,
as the releases didn't explicitly state "from the Catalyst Conference", they get relegated to this catch-all section.
Oblix Identifies Measurable Gain by Microsoft Windows Server Active Directory: Oblix announced an acceleration in the number
of Oblix customers standardizing on Microsoft Active Directory
as well as a significant increase in associated revenue. Since entering Microsoft's .NET alliance, Oblix reports 100% growth in license revenue generated from Active Directory customers.
Oblix and Westbridge Announce Integrated Identity Management and XML Web Services Security Management Solution: Oblix and
Westbridge Technology announced the integration between Oblix
NetPoint® and Westbridge XMS. The Oblix / Westbridge combined
solution is an integrated XML security management solution
that leverages digital identity information to provide
authorization for Web Services.
BMC Software® Enhances Provisioning Solution: BMC announced
key enhancements to its user provisioning solution,
CONTROL-SA®. CONTROL-SA now offers Service Provisioning Markup
Language (SPML) based provisioning, integration with service
management software Remedy®, and a new LDAP interface.
M-Tech Announces Integration with Microsoft Identity Integration Server: M-Tech joined the other vendors announcing support for Microsoft Identity Integration Server (MIIS) and announced a certified integration between MIIS Server and P-Synch, M-Tech's password management solution.
ePresence to Provide Security and Identity Management Services Supporting IBM Tivoli Software: ePresence announced a
relationship with IBM to provide consulting and systems
integration services incorporating IBM Tivoli security and
identity management software.
More MIIS Info
Congratulations to my old friend Graham
Sayer of UK MIIS consultancy Metaconnections. Graham's first
deployment of MIIS in the UK went live this week at the Royal
Borough of Kensington and Chelsea. The case study of this
deployment, the first in the world by an MIIS partner, is
available from either the Metaconnections or Microsoft
website.
Metaconnections website
Also, a fantastic, comprehensive, and
very well written new white paper on MIIS is available from
the Oxford Computer Group website. Any similarity between the
writing styles of The DIM Report and this new paper, may, or
may not, be coincidental. Read it for yourself to judge.
The Oxford Computer Group MIIS Paper