EmpowerID Products and Solutions
The lack of a single source for identity data, and the rapid proliferation of identity data silos within cloud applications, LDAP directories and databases, poses a significant problem in many organizations. With security data typically spread across multiple systems, including employee information housed in HR databases and/or Microsoft Active Directory (AD), and customer and partner data existing only in CRM databases and additional LDAP directories, an efficient and authoritative central source for identities is lacking. This presents a costly challenge, since Identity Management applications and most commercial off-the-shelf (COTS) applications require a standard mechanism (most commonly an LDAP directory) to access identity attributes. Thus many organizations are hobbled in their efforts to quickly roll out new applications or to support Single Sign-On (SSO) initiatives, because they lack access to a single, centralized identity source.
Virtual directories are an answer to this challenge because they allow information contained in heterogeneous sources to be presented to applications in a consolidated view, as though it originated from a single source. EmpowerID’s Virtual Directory Service (VDS) provides a robust identity virtualization service with unified, enterprise-wide security by acting as an abstraction layer between disparate data stores, including payroll systems, HR systems, Active Directory, custom applications and other sources. EmpowerID’s VDS allows applications to interact with these data sources without being directly connected to them.
A typical scenario for most organizations is the need to maintain separate directories for internal and external users. In larger organizations this becomes even more complex, as mergers and acquisitions lead to the accumulation of multiple directories of internal users, coupled with application directories that are stored in databases. Applications rely on this data for authenticating and authorizing users, but most do not support connecting to more than a single directory. The EmpowerID VDS solves this challenge by integrating multiple directory namespaces into a central virtual enterprise directory, without requiring application code changes or altering the data in those repositories.
A user’s multiple accounts spread across enterprise directories present a problem for the user, who must remember each username and password, or for the organization if it tries to keep them all in sync. The EmpowerID VDS’s ability to authenticate against the one system in which the user does maintain their password solves this problem. Applications pull a unified virtual view of the user from multiple directories, while authentication is routed to the one source directory where the user’s password is maintained. The VDS can use Active Directory for employees while leveraging an LDAP directory or the EmpowerID Metadirectory as the authentication data store for partners and customers. The EmpowerID VDS provides additional security by seamlessly integrating with the multi-factor authentication capabilities of the EmpowerID platform, extending strong authentication to all applications and platforms capable of performing LDAP authentication.
A complete picture of a user and their attributes is required for applications to enforce fine-grained authorization control. Unfortunately, a complete picture of user data cannot be obtained when the elements needed to construct it are scattered across different identity silos, including some that may only be accessible via SQL. The EmpowerID VDS can aggregate this information into a global user profile that joins data from multiple sources, with high-speed access provided by leveraging the EmpowerID Metadirectory as a persistent cache that is unaffected by source directory performance issues or downtime.
The EmpowerID VDS extends centralized authentication with user and group management to Unix, Linux, Mac OS X, and VPN devices. These platforms support leveraging a centralized LDAP directory for user login, group-based authorization and provisioning. Using the EmpowerID VDS to consolidate these platforms’ user stores can increase security through centralized multi-factor authentication and can eliminate the need to individually provision and deprovision identities in each system.
Legacy applications can require a fixed schema, which can force an organization to maintain costly legacy stores just to satisfy old requirements. The EmpowerID VDS engine allows complex transformations of data and the creation of virtual attributes from any directory source, so that the constraints of legacy applications continue to be met while the legacy directories that are costly to maintain can be decommissioned.
Group membership is as close to a common language for controlling application security as has ever existed. Enabling applications to leverage an employee’s Active Directory group memberships, while at the same time controlling access using groups for customers or partners who do not exist in Active Directory, has therefore become a key challenge for organizations exposing applications to the various groups who need access: internal employees, customers, members, and partners. The EmpowerID VDS creates a virtual view of existing groups, providing all applications with a single point for accessing group information from across multiple backend data sources. Group membership for a Person is the sum of all of the groups that any of the accounts they own belongs to, plus the roles that have been assigned to them in the EmpowerID Metadirectory. A user could transition from being an employee with an Active Directory account to a partner without an AD account, and applications would be unaware, seeing only a change in group memberships and associated privileges.
The EmpowerID VDS includes a unique capability for translating LDAP client actions, such as user and group creation and management, into EmpowerID Identity Management workflows. When any LDAP-compatible client attempts to create, update or delete a user or group in the EmpowerID VDS, a workflow is initiated to handle the task. These EmpowerID workflows can create, delete, and update user accounts and/or groups within the source LDAP directory, or even across all connected systems. For example, creating an LDAP user in the EmpowerID directory can trigger a provisioning workflow that evaluates role-based policies to provision the user across multiple enterprise systems, including the creation of home folders and Exchange mailboxes. Deprovisioning functions in the same manner: a single LDAP user delete action deprovisions a person and all of their associated accounts and access. All workflow requests leverage EmpowerID’s built-in Rights-Based Approval Routing (RBAR) authorization system to route requests to authorized approvers when required.
The EmpowerID VDS leverages the multi-factor authentication capabilities built into the core of the EmpowerID platform, eliminating the costs associated with third-party licenses. Flexible authentication options allow hardware tokens and smartcards to be used where desired, and no-cost options such as software tokens and one-time passwords sent to mobile devices where appropriate.
Highly Scalable Node.JS Architecture
Persistent Metadirectory Cache
High query volumes and advanced scenarios require a persistent cache with the ability to automatically refresh source data. EmpowerID differs from other virtual directories by being integrated into a mature Identity Management platform. As such, the EmpowerID VDS is able to leverage the platform’s native Metadirectory and synchronization services as a continuously up-to-date persistent cache, guaranteeing that applications have fast access to the data they need—even if the actual data sources are down or performing slowly.