USE CASE: RADIANTONE AND OPENAM
Deliver Scalable Federated Identity—At a Fraction of Time and Cost
www.radiantlogic.com | 877.727.6442
© Copyright 2012 Radiant Logic, Inc. All rights reserved.
Page 1
Providing a Single Source of Aggregated Identity Data
Extending single sign-on across your mobile, social or cloud applications is now a must for most IT departments—but there’s just one problem. Identity data, passwords, and attributes are scattered across many directories and data silos, using a mix of standards and security means. For most companies, such a complex identity infrastructure used to mean either sinking months of manpower and piles of cash into an unwieldy infrastructure overhaul, or bringing in an “Identity Management stack” from large vendors that only partially addresses the problem, yet eats a big chunk of the budget. Now there’s a better solution.
Market leaders Radiant Logic and ForgeRock work in tandem to deliver a complete web access management (WAM) and federation solution for heterogeneous and distributed identity systems—at the best value point on the market. By combining innovative commercial open source Web Access Management (WAM) with a federated identity service based on virtualization, you can unify your identity silos into one common LDAP identity store, radically simplifying a complex environment.
Radiant Logic and ForgeRock’s solution enables your users to securely connect to your mobile, social and cloud applications or portal, without disrupting the identity ecosystem that you’ve already built. Together, Radiant Logic and ForgeRock provide an agile, integrated solution that’s simple to implement and architected from the ground up for Internet scale.
▲▲ ForgeRock OpenAM is the only “All-in-One” Access Management solution that includes SSO, Authorization, Federation, Entitlements, Adaptive Authentication, Strong Authentication, and Web Services Security in a single, unified product. It is the only developer-friendly access control solution to use a single, common programming interface (REST) that’s easy to invoke.
▲▲ Radiant Logic’s Federated Identity Service links identity information and attributes stored across the enterprise, cloud, and federated environments. By abstracting identity out of disparate, heterogeneous sources and into a common, interoperable service, RadiantOne creates a virtual identity hub for many initiatives. It enables faster deployments, lower integration costs, and the flexibility you need to navigate changing business requirements.
Challenge
Achieving SSO with Distributed Identity Sources and a Heterogeneous Environment
Federation deployments are often focused on the security layer, and which protocols to use for which purpose. However, the layer behind the scenes—that heterogeneous and highly distributed tangle of existing identity sources—continues to be a significant hurdle to achieving true single sign-on. For example, when it comes to SAML, the job of the federation layer is to route all authentication requests from the federated applications to one (or more) identity provider (IdP)—and that’s where it stops. The implementation of the identity provider is your problem to solve. The IdP is supposed to receive the authentication request, try to authenticate the user, then either allow or deny access. But this becomes increasingly difficult when you have multiple sources of identity and authentication in the mix. Many of today’s complex enterprises face the following challenges when it comes to providing single sign-on:
▲▲ Multiple identity silos such as Active Directory domains and forests, LDAP directories, SQL databases, or even application repositories, such as Salesforce and Google Apps.
▲▲ A multitude of protocols and connections (including LDAP, JDBC, or web services).
▲▲ Attributes and passwords or other credentials stored locally in disparate sources.
Authentication
With many identity silos and proprietary identity stores belonging to each application, there are typically many password repositories. Even the protocols used to reach each source are different and may include LDAP, SQL, or web services. In order to provide single sign-on using OpenAM, you have to navigate all these distributed sources. If your system can’t find the correct user in the appropriate identity store and get the corresponding login credentials to the application, you can’t deliver single sign-on. And without SSO, your users have to keep track of multiple login names, and go through numerous password resets and calls to the helpdesk.
Authorization
Commonly used to protect URLs, page objects, or possibly the scope of a web page, authorization is based on policy. These policies are commonly enforced through user attributes. Enforcement can be done locally—inside the application—or centralized through your IAM solution. This is also a problem when attributes are scattered across disparate resources. Your IAM tool needs to know which attributes belong to which user, and policy enforcement may require user attributes stored in a variety of repositories. While OpenAM is equipped with an XACML authorization engine, without a way to unify user attributes, it’s limited in its ability to enforce policy at a granular level.
The ideal solution to the problem of scattered identities, passwords, and attributes would be a central identity store, with constantly updated information.
Solution
A Common Access Point Powered by a Federated Identity Service
In order to provide SSO, you need a centralized access solution for all applications and identities. By providing an access hub between a variety of applications and identity stores, Radiant Logic and ForgeRock combine two technologies to allow seamless authentication between all sources. So all your applications—web, cloud, mobile, and more—can connect to ForgeRock OpenAM, and ensure they’re relying on the right identity and login credentials thanks to the RadiantOne federated identity service.
This connection can be made using a variety of methods. These range from policy agents, to WS* and REST APIs, to proxy technology. Whatever the application requests, the combined solution can provide the identity information using the application’s preferred connection method.
VDS + OpenAM Reduces Complexity
VDS creates a single connection to OpenAM using LDAPv3, completely hiding the attribute distribution and password information. It’s a solution that’s fully supported without any customization at the OpenAM level, guaranteeing scalability and high availability.
The solution works in three steps:
1. Enable authentication and SSO across multiple sources by building a union list with no duplicates.
Federated identity service works by creating a hub that unites all of the identity information stored within individual data sources—LDAP directories, SQL databases, AD forests, or almost any other file format—into one virtualized directory. Then all these identity sources are inventoried to pull their data into the new virtual directory in a coherent way. The virtualization engine creates an authoritative global list of all users across the system, and unifies overlapping user representation. It tags each user with a unique identifier and correlates those identifiers across silos (regardless of format), creating a single global list of all users in the network, without collision. So there’s no need to build scripts directing authentication toward different data repositories. Now users from different identity stores, including multiple AD forests, are all accessible via the same common list.
2. Support attribute-driven authorization via joining to create global user profiles.
After creating a union list of users, a join is performed to extend each user profile with attributes stored in multiple identity sources. This enables custom user views based on any attribute in any identity source, or a complete view of a single user with all attributes across all sources. These joined attributes complete the user profile that RadiantOne hands to ForgeRock’s OpenAM, translating exactly the attributes the federation wants, in the credential format it demands, for each authentication or authorization request. Since these user profiles join all the attributes from each data source, you can easily perform much more fine-grained authorizations.
3. Provide one access point for ForgeRock OpenAM
Thanks to the union and join operations performed by the RadiantOne VDS, OpenAM can access a single connection to one virtual identity store. This enables OpenAM to receive the identifiers and credentials it needs in order to provide single sign-on to cloud, web, and legacy applications; reverse proxy services; or even mobile devices. A variety of authentication methods can be used, including WS* and REST APIs, policy agents, and password replay, depending on what the application is expecting.
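The three steps above, as an added Python illustration that is not Radiant Logic’s or ForgeRock’s code: constructed identity silos are unioned without duplicates, joined into global profiles, and then queried the way a single access point would be when OpenAM presents a login name. The correlation rule (lower-cased mail address), the silo names and every record are assumptions made for the example.

```python
# Added example (not Radiant Logic's or ForgeRock's code): the union-then-join
# virtualization described in steps 1-3, over constructed sample silos.
# Assumption: people are correlated across silos by lower-cased mail address.
SOURCES = {  # constructed identity silos; 'jsmith' collides across two AD forests
    "ad-forest-corp": [
        {"sAMAccountName": "jsmith", "mail": "John.Smith@Example.com", "dept": "Finance"},
        {"sAMAccountName": "alee", "mail": "ann.lee@example.com", "dept": "IT"},
    ],
    "ad-forest-acq": [
        {"sAMAccountName": "jsmith", "mail": "jane.smith@acquired.example", "dept": "Sales"},
    ],
    "ldap-partners": [
        {"uid": "ann.lee", "mail": "ann.lee@example.com", "memberOf": ["cn=vpn-users"]},
    ],
    "sql-hr": [  # attribute-only source: no login name, no password to bind against
        {"email": "john.smith@example.com", "employeeId": "E1001", "title": "Controller"},
        {"email": "ann.lee@example.com", "employeeId": "E1002", "title": "Sysadmin"},
    ],
}
LOGIN_ATTR = {"ad-forest-corp": "sAMAccountName", "ad-forest-acq": "sAMAccountName",
              "ldap-partners": "uid"}  # silos that can authenticate a password bind

def correlation_key(rec):
    """Step 1: the identifier used to recognise one person across silos."""
    return (rec.get("mail") or rec["email"]).lower()

def build_virtual_directory(sources=SOURCES):
    """Steps 1 and 2: union the silos without duplicates, then join attributes.
    Returns {global_id: profile}; a profile records its source silos, its login
    name per silo (where a bind can be delegated) and the joined attributes."""
    profiles = {}
    for src, records in sources.items():
        for rec in records:
            p = profiles.setdefault(correlation_key(rec),
                                    {"sources": [], "logins": {}, "attrs": {}})
            p["sources"].append(src)
            if src in LOGIN_ATTR:
                p["logins"][src] = rec[LOGIN_ATTR[src]]
            for attr, value in rec.items():  # join: first silo seen wins per attribute
                p["attrs"].setdefault(attr, value)
    return profiles

def resolve_login(login, vd=None):
    """Step 3: what the single access point must answer when OpenAM presents a
    login name.  Returns sorted (global_id, silo) pairs, so a login that maps to
    two different people is reported as ambiguous instead of silently matched."""
    if vd is None:
        vd = build_virtual_directory()
    return sorted((gid, src) for gid, p in vd.items()
                  for src, name in p["logins"].items() if name == login)
```

Two `jsmith` accounts in different forests resolve to two distinct global identities, which is the collision the union step has to avoid; the HR table contributes attributes for authorization but never appears as a place to delegate a password bind.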
Benefits of the RadiantOne and ForgeRock Solution
▲▲ Open source offers great value with exceptional service delivery and support.
▲▲ One single user store connection for ForgeRock OpenAM.
▲▲ A range of APIs enables the developer to choose the best option.
▲▲ Does not disrupt current deployments.
▲▲ Intuitive, wizard-driven work process.
▲▲ Fully supported, scalable, and highly available.
▲▲ Faster deployment times for new applications.
About RadiantOne
Radiant Logic, Inc. is the market-leading provider of identity virtualization solutions. Since pioneering the first virtual directory, Radiant Logic has evolved its groundbreaking technology into a complete federated identity service, enabling Fortune 1000 companies to solve their toughest identity management challenges.
Using model-driven virtualization technology, the RadiantOne federated identity service builds customizable views from disparate data silos, streamlining authentication and authorization for identity management, context-driven applications, and cloud-based infrastructures. Organizations in a wide range of sectors rely on RadiantOne to deliver quick ROI by reducing administrative effort, simplifying integration tasks, and enabling future identity and data management initiatives.
Contact Us
To find out more about Radiant Logic, please call us at 1.877.727.6442, email us at info@radiantlogic.com, or visit www.radiantlogic.com.