Open am and_radiantone

www.radiantlogic.com | 877.727.6442

© Copyright 2012 Radiant Logic, Inc. All rights reserved.

Page 1

USE CASE: RADIANTONE AND OPENAM

Providing a Single Source of Aggregated Identity Data

Extending single sign-on across your mobile, social or cloud applications is now a must for most IT departments—but there’s just one problem. Identity data, passwords, and attributes are scattered across many directories and data silos, using a mix of standards and security means. For most companies, such a complex identity infrastructure used to mean either sinking months of manpower and piles of cash into an unwieldy infrastructure overhaul, or bringing in an “Identity Management stack” from large vendors that only partially addresses the problem, yet eats a big chunk of the budget. Now there’s a better solution.

Market leaders Radiant Logic and ForgeRock work in tandem to deliver a complete web access management (WAM) and Federation solution for heterogeneous and distributed identity systems—at the best value point on the market. By combining innovative commercial open source Web Access Management (WAM) with a federated identity service based on virtualization, you can unify your identity silos into one common LDAP identity store, radically simplifying a complex environment.

Radiant Logic and ForgeRock’s solution enables your users to securely connect to your mobile, social and cloud applications or portal, without disrupting the identity ecosystem that you’ve already built. Together, Radiant Logic and ForgeRock provide an agile, integrated solution that’s simple to implement and architected from the ground up for Internet Scale.

Deliver Scalable Federated Identity—At a Fraction of Time and Cost

▲▲ ForgeRock OpenAM is the only “All-in-One” Access Management solution that includes SSO, Authorization, Federation, Entitlements, Adaptive Authentication, Strong Authentication, and Web Services Security in a single, unified product.

It is the only developer-friendly access control solution to use a single, common programming interface (REST) that’s easy to invoke.

▲▲ Radiant Logic’s Federated Identity Service links identity information and attributes stored across the enterprise, cloud, and federated environments. By abstracting identity out of disparate, heterogeneous sources, and into a common, interoperable service, RadiantOne creates a virtual identity hub for many initiatives. It enables faster deployments, lower integration costs, and the flexibility you need to navigate changing business requirements.

Challenge: Achieving SSO with Distributed Identity Sources and a Heterogeneous Environment

Federation deployments are often focused on the security layer, and which protocols to use for which purpose. However, the layer behind the scenes—that heterogeneous and highly distributed tangle of existing identity sources—continues to be a significant hurdle to achieving true single sign-on. For example, when it comes to SAML, the job of the federation layer is to route all authentication requests from the federated applications to one (or more) identity provider (IdP)—and that’s where it stops. The implementation of the identity provider is your problem to solve. The IdP is supposed to receive the authentication request, try to authenticate the user, then either allow or deny access. But this becomes increasingly difficult when you have multiple sources of identity and authentication in the mix. Many of today’s complex enterprises face the following challenges when it comes to providing single sign-on:

▲▲ Multiple identity silos such as Active Directory domains and forests, LDAP directories, SQL databases, or even application repositories, such as Salesforce and Google Apps.

▲▲ A multitude of protocols and connections (including LDAP, JDBC, or web services).

▲▲ Attributes and passwords or other credentials stored locally in disparate sources.

Authentication

With many identity silos and proprietary identity stores belonging to each application, there are typically many password repositories. Even the protocols used to reach each source are different and may include LDAP, SQL, or web services. In order to provide single sign-on using OpenAM, you have to navigate all these distributed sources. If your system can’t find the correct user in the appropriate identity store and get the corresponding login credentials to the application, you can’t deliver single sign-on. And without SSO, your users have to keep track of multiple login names, and go through numerous password resets and calls to the helpdesk.

Authorization

Commonly used to protect URLs, page objects, or possibly the scope of a web page, authorization is based on policy. These policies are commonly enforced through user attributes. Enforcement can be done locally—inside the application—or centralized through your IAM solution. This is also a problem when attributes are scattered across disparate resources. Your IAM tool needs to know which attributes belong to which user, and policy enforcement may require user attributes stored in a variety of repositories. While OpenAM is equipped with an XACML authorization engine, without a way to unify user attributes, it’s limited in its ability to enforce policy at a granular level.

The ideal solution to the problem of scattered identities, passwords, and attributes would be a central identity store, with constantly updated information.

Solution: A Common Access Point Powered by a Federated Identity Service

In order to provide SSO, you need a centralized access solution for all applications and identities. By providing an access hub between a variety of applications and identity stores, Radiant Logic and ForgeRock combine two technologies to allow seamless authentication between all sources. So all your applications—web, cloud, mobile, and more—can connect to ForgeRock OpenAM, and ensure they’re relying on the right identity and login credentials thanks to the RadiantOne federated identity service.

This connection can be made using a variety of methods, ranging from policy agents, to WS-* and REST APIs, to proxy technology. Whatever the application requests, the combined solution can provide the identity information using the application’s preferred connection method.

VDS + OpenAM Reduces Complexity

VDS creates a single connection to OpenAM using LDAPv3, completely hiding the attribute distribution and password information. It’s a solution that’s fully supported without any customization at the OpenAM level, guaranteeing scalability and high availability.

The solution works in three steps:

1. Enable authentication and SSO across multiple sources by building a union list with no duplicates.

Federated identity service works by creating a hub that unites all of the identity information stored within individual data sources—LDAP directories, SQL databases, AD forests, or almost any other file format—into one virtualized directory. Then all these identity sources are inventoried to pull their data into the new virtual directory in a coherent way. The virtualization engine creates an authoritative global list of all users across the system, and unifies overlapping user representation. It tags each user with a unique identifier and correlates those identifiers across silos (regardless of format), creating a single global list of all users in the network, without collision. So there’s no need to build scripts directing authentication toward different data repositories. Now users from different identity stores, including multiple AD forests, are all accessible via the same common list.

2. Support attribute-driven authorization via joining to create global user profiles.

After creating a union list of users, a join is performed to extend each user profile with attributes stored in multiple identity sources. This enables custom user views based on any attribute in any identity source, or a complete view of a single user with all attributes across all sources. These joined attributes complete the user profile that RadiantOne hands to ForgeRock’s OpenAM, translating exactly the attributes the federation wants, in the credential format it demands, for each authentication or authorization request. Since these user profiles join all the attributes from each data source, you can easily perform much more fine-grained authorizations.

3. Provide one access point for ForgeRock OpenAM

Thanks to the union and join operations performed by the RadiantOne VDS, OpenAM can access a single connection to one virtual identity store. This enables OpenAM to receive the identifiers and credentials it needs in order to provide single sign-on to cloud, web, and legacy applications; reverse proxy services; or even mobile devices. A variety of authentication methods can be used, including WS-* and REST APIs, policy agents, and password replay, depending on what the application is expecting.
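To make the three steps above concrete, here is an added Python sketch that is not RadiantOne or OpenAM code. Three constructed identity silos (an AD forest, a partner LDAP directory and an HR SQL table, all embedded inline as plain records) are correlated on a normalized e-mail address to form one duplicate-free user list with a hub-assigned identifier (step 1); their attributes are joined under a source-precedence rule so a lower-precedence silo cannot silently overwrite an authoritative value (step 2); and the result is rendered as the single LDAP-style view an access manager would bind to (step 3). The resolve_bind_target function shows the authentication side of step 1: a login name is mapped to the silo that owns the credential so the bind can be proxied there and the password never leaves its store. is_authorized applies an attribute rule over the joined profile, in the spirit of the XACML policy discussed under Authorization. The source names, attribute names, DN suffix and the vdsId/vdsLogin attributes are assumptions made for this example.

```python
"""Toy identity virtualization: union with correlation, attribute join, and a
single LDAP-style view. Added illustration with constructed data; not
RadiantOne or OpenAM code. All source names, attributes and the DN suffix
are assumptions made for this example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
import uuid

# Constructed sample silos. The same people appear under different keys and
# with different attributes in each one; the HR row for Jane deliberately
# disagrees with AD about her department to exercise the precedence rule.
AD_CORP = [
    {"sAMAccountName": "jdoe", "mail": "Jane.Doe@example.com", "department": "Finance"},
    {"sAMAccountName": "bsmith", "mail": "bob.smith@example.com", "department": "IT"},
]
LDAP_PARTNERS = [
    {"uid": "jane.doe", "mail": "jane.doe@example.com", "title": "Controller"},
    {"uid": "cchen", "mail": "carol.chen@example.org", "title": "Auditor"},
]
SQL_HR = [
    {"employee_id": 1001, "email": "jane.doe@EXAMPLE.com", "cost_center": "CC-42", "department": "Accounting"},
    {"employee_id": 1002, "email": "bob.smith@example.com", "cost_center": "CC-17"},
]

@dataclass
class Source:
    name: str
    records: List[dict]
    key_attr: str              # attribute used to correlate users across silos
    login_attr: Optional[str]  # login name users present to this silo; None if it never authenticates

# List order is precedence: on a conflicting attribute value the earlier source wins.
SOURCES = [
    Source("ad_corp", AD_CORP, "mail", "sAMAccountName"),
    Source("ldap_partners", LDAP_PARTNERS, "mail", "uid"),
    Source("sql_hr", SQL_HR, "email", None),
]

@dataclass
class GlobalUser:
    vds_id: str                                               # identifier assigned by the hub
    logins: Dict[str, str] = field(default_factory=dict)      # source name -> native login name
    attributes: Dict[str, str] = field(default_factory=dict)  # joined profile

def normalize(value) -> str:
    return str(value).strip().lower()

def build_virtual_directory(sources: List[Source]) -> Dict[str, GlobalUser]:
    """Steps 1 and 2: correlate records on the key attribute so each person gets
    exactly one entry (union without duplicates), then join every matching
    record's attributes onto that entry, highest-precedence source first."""
    users: Dict[str, GlobalUser] = {}
    for src in sources:
        for rec in src.records:
            key = normalize(rec[src.key_attr])
            # Deterministic id derived from the correlation key (a choice made for this demo).
            user = users.setdefault(key, GlobalUser(vds_id=str(uuid.uuid5(uuid.NAMESPACE_URL, key))))
            if src.login_attr:
                user.logins[src.name] = rec[src.login_attr]
            for attr, value in rec.items():
                # Credentials stay in their silo; the hub joins profile attributes only.
                if attr in (src.key_attr, src.login_attr, "userPassword", "password"):
                    continue
                user.attributes.setdefault(attr, str(value))  # earlier source wins on conflict
            user.attributes.setdefault("mail", key)
    return users

def resolve_bind_target(users: Dict[str, GlobalUser], login: str) -> Optional[Tuple[str, str, str]]:
    """Authentication side of step 1: which silo owns this login name, so the
    bind is proxied there instead of scripting per-repository lookups."""
    wanted = normalize(login)
    for user in users.values():
        for source_name, native in user.logins.items():
            if normalize(native) == wanted:
                return (user.vds_id, source_name, native)
    return None

def to_ldif(users: Dict[str, GlobalUser], suffix: str = "ou=people,dc=vds,dc=example") -> str:
    """Step 3: the one LDAPv3-style view an access manager connects to.
    vdsId and vdsLogin are made-up attribute names for this example."""
    entries = []
    for user in sorted(users.values(), key=lambda u: u.attributes["mail"]):
        lines = [f"dn: vdsId={user.vds_id},{suffix}", "objectClass: inetOrgPerson", f"vdsId: {user.vds_id}"]
        lines += [f"{name}: {value}" for name, value in sorted(user.attributes.items())]
        lines += [f"vdsLogin: {src}:{native}" for src, native in sorted(user.logins.items())]
        entries.append("\n".join(lines))
    return "\n\n".join(entries) + "\n"

def is_authorized(user: GlobalUser, required: Dict[str, str]) -> bool:
    """Attribute-based policy over the joined profile: every required attribute must match."""
    return all(user.attributes.get(attr) == value for attr, value in required.items())

if __name__ == "__main__":
    directory = build_virtual_directory(SOURCES)
    print(to_ldif(directory))
    print(resolve_bind_target(directory, "JDOE"))
```

Running the script prints three entries, one per person, even though Jane appears in all three silos under three different keys. Her department resolves to the AD value because AD precedes the HR table in SOURCES; a real deployment would make that precedence an explicit, reviewed decision per attribute, since it determines which silo is authoritative for the values that policies later enforce.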

About RadiantOne

Radiant Logic, Inc. is the market-leading provider of identity virtualization solutions. Since pioneering the first virtual directory, Radiant Logic has evolved its groundbreaking technology into a complete federated identity service, enabling Fortune 1000 companies to solve their toughest identity management challenges.

Using model-driven virtualization technology, the RadiantOne federated identity service builds customizable views from disparate data silos, streamlining authentication and authorization for identity management, context-driven applications, and cloud-based infrastructures.

Organizations in a wide range of sectors rely on RadiantOne to deliver quick ROI by reducing administrative effort, simplifying integration tasks, and enabling future identity and data management initiatives.

Contact Us

To find out more about Radiant Logic, please call us at 1.877.727.6442, email us at [email protected], or visit www.radiantlogic.com.

Benefits of the RadiantOne and ForgeRock Solution

▲▲ Open source offers great value with exceptional service delivery and support.

▲▲ One single user store connection for ForgeRock OpenAM.

▲▲ A range of APIs enables the developer to choose the best option.

▲▲ Does not disrupt current deployments.

▲▲ Intuitive, wizard-driven work process.

▲▲ Fully supported, scalable, and highly available.

▲▲ Faster deployment times for new applications.