Hitachi ID Systems, Inc.


Integrating the Hitachi ID Management Suite with Meta Directories

Abstract
Meta directories are becoming a widely deployed tool for managing user identity information, such as login ID, full name, e-mail address and other personal attributes, in a consistent manner across multiple directories.

Meta directories, password management and account provisioning tools are sometimes seen as redundant. In reality, they are complementary tools, with almost no overlapping functionality. Integrating meta directories with password management and provisioning tools provides increased value to organizations with heterogeneous systems.

The strength of meta directories is to synchronize attributes of user objects between directories, H.R. systems and mail systems. Password management tools extend this capability to include the password attribute, which meta directories cannot manage directly, due to inconsistent hashes. Account provisioning tools extend directory management further by adding a workflow for change request entry / routing / authorization, and by supporting creation of password-protected user objects.

Integrating meta directory, password management and account provisioning products yields maximum value for identity management.

This paper discusses how P-Synch® and ID-Synch® can be deployed in conjunction with meta directory products, how the technologies interact, and how they complement one another.

Introduction

Meta directories are becoming a widely deployed tool for managing user identity information, such as login ID, full name, e-mail address and other personal attributes, in a consistent manner across multiple directories.

Meta directories, password management and account provisioning tools are sometimes seen as redundant. In reality, they are complementary tools, with almost no overlapping functionality. Integrating meta directories with password management and provisioning tools provides increased value to organizations with heterogeneous systems.

The strength of meta directories is to synchronize attributes of user objects between directories, H.R. systems and mail systems. Password management tools extend this capability to include the password attribute, which meta directories cannot manage directly, due to inconsistent hashes. Account provisioning tools extend directory management further by adding a workflow for change request entry / routing / authorization, and by supporting creation of password-protected user objects.

Integrating meta directory, password management and account provisioning products yields maximum value for identity management.

This paper discusses how P-Synch and ID-Synch can be deployed in conjunction with meta directory products, how the technologies interact, and how they complement one another.

The remainder of this paper is organized as follows:

Meta directories defined

Meta directories are software tools that synchronize the contents of multiple user directories. They typically read a list of user and user-attribute data from multiple directories, build a master directory of users and their attributes, and push new or changed data from the master directory back to some or all of the managed directories.

This directory synchronization process is normally run in a batch, in several steps:

  1. Read data from existing systems.
  2. Join data into a master directory, where all users and all user attributes are represented in the form of one entry with many attributes per user.
  3. Write a subset of the data, using some attributes and applying to just some users, from the master directory to some of the managed directories.
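The three batch steps above, worked through as an added example (this is not code from the paper or from any meta directory product). Three constructed record sets stand in for an H.R. system, Active Directory and a mail system; the join rule, the attribute scope and every record are assumptions made for illustration. The join treats the H.R. record as authoritative, correlates accounts only where login IDs are identical, and sets aside accounts it cannot correlate instead of writing to them, since a wrong join would propagate one person's data into another person's account.

```python
"""Toy batch meta directory synchronization (added example, not Hitachi ID code).

Models the three steps above over constructed sample data: read each managed
system, join the records into one master entry per user, and compute the
subset of attributes to write back. System names, attributes and records are
all invented for illustration.
"""

# --- Constructed sample data: one record list per managed system. ---
# The H.R. system is treated as authoritative for personal attributes.
HR_RECORDS = [
    {"login": "jsmith", "full_name": "Jane Smith", "home_phone": "555-0100", "dept": "Finance"},
    {"login": "rlee", "full_name": "Ray Lee", "home_phone": "555-0155", "dept": "IT"},
]
AD_RECORDS = [
    {"login": "jsmith", "full_name": "Jane Smith", "home_phone": "555-0199"},  # stale phone
    {"login": "rlee", "full_name": "Ray Lee", "home_phone": "555-0155"},
    {"login": "svc_backup", "full_name": "Backup Service"},  # no H.R. record
]
MAIL_RECORDS = [
    {"login": "jane.smith", "full_name": "Jane Smith", "email": "jane.smith@example.com"},  # different ID
    {"login": "rlee", "full_name": "Ray Lee", "email": "rlee@example.com"},
]
SOURCES = {"hr": HR_RECORDS, "ad": AD_RECORDS, "mail": MAIL_RECORDS}

# Step 3 scope: which master attributes each managed directory receives.
PUSH_SCOPE = {"ad": ["full_name", "home_phone"], "mail": ["full_name"]}


def read_systems(sources):
    """Step 1: read every record from every managed system as (system, record)."""
    return [(system, rec) for system, recs in sources.items() for rec in recs]


def join_master(rows, authority="hr"):
    """Step 2: join records into master entries keyed by login ID.

    The join rule is the simplest one: an identical login ID on two systems
    means the same person. Accounts whose login ID has no authoritative record
    are returned separately instead of being guessed at; they need another
    correlation method (a shared attribute, or the user's own confirmation)
    before the meta directory writes anything to them.
    """
    authoritative = {rec["login"] for system, rec in rows if system == authority}
    master, unmatched = {}, []
    for system, rec in rows:
        login = rec["login"]
        if login not in authoritative:
            unmatched.append((system, login))
            continue
        entry = master.setdefault(login, {"accounts": {}, "attributes": {}})
        entry["accounts"][system] = login
        for attr, value in rec.items():
            if attr == "login":
                continue
            # The authoritative system's value always wins; others only fill gaps.
            if system == authority or attr not in entry["attributes"]:
                entry["attributes"][attr] = value
    return master, unmatched


def plan_writes(master, rows, scope):
    """Step 3: list the (system, login, attribute, old, new) changes needed so
    each managed directory agrees with the master, limited to its scope."""
    current = {(system, rec["login"]): rec for system, rec in rows}
    changes = []
    for login, entry in master.items():
        for system, attrs in scope.items():
            if system not in entry["accounts"]:
                continue
            rec = current[(system, login)]
            for attr in attrs:
                desired = entry["attributes"].get(attr)
                if desired is not None and rec.get(attr) != desired:
                    changes.append((system, login, attr, rec.get(attr), desired))
    return changes


def run_sync(sources=SOURCES, scope=PUSH_SCOPE):
    """One batch run: returns the master directory, the accounts that could not
    be correlated, and the writes that would be pushed to managed systems."""
    rows = read_systems(sources)
    master, unmatched = join_master(rows)
    return master, unmatched, plan_writes(master, rows, scope)


if __name__ == "__main__":
    master, unmatched, changes = run_sync()
    for login, entry in master.items():
        print(login, entry["accounts"], entry["attributes"])
    print("needs manual correlation:", unmatched)
    print("writes:", changes)
```

The `unmatched` list is the output worth watching: `svc_backup` has no H.R. owner and `jane.smith` follows a different naming convention on the mail system. Automatic correlation should stop there and hand those accounts to a person or to a user-driven tool, rather than creating or overwriting data on a guess. The single planned write (the stale home phone on AD) is the propagation described in the paragraph that follows.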

The net effect of meta directories is that information entered about users on one system is automatically propagated to other systems. For example, if a user's home phone number is changed in a company's human resources database, the new phone number might be automatically applied to his profile on the corporate e-mail system and network operating system.

This propagation of user information means that data about users can be made consistent amongst diverse systems. In some cases, it is also possible to cease manual administration of some systems entirely, and rely on the meta directory to forward changes (add, modify, delete) to the user directory from one system to another.

In addition to propagating changes from one directory to another, some meta directories provide an organization with a view into the master directory, either as it is stored internally or by dynamically binding to the various existing directories. This view is called a virtual directory.

Many organizations are migrating their network operating system from Windows NT or Novell NDS to Microsoft Active Directory, using Windows 2000 servers.

Active Directory (AD) can simplify the process of managing user identity data by centralizing it in one place. User records for the network login, for e-mail (using MS-Exchange) and for Intranet applications are all resolved in a single, LDAP-compliant directory.

Applications running on Windows, Unix and even OS/390 mainframes can validate user IDs and passwords against the same system and, using Kerberos, can even implement single sign-on so that users don't have to sign in separately to each system.

In effect, AD allows organizations to consolidate user identity management into a single, enterprise-wide directory. This consolidation reduces the need for meta directories, since their job is to integrate information from multiple, diverse systems. It also reduces the frequency of password problems that users experience, as they have fewer login IDs and passwords, and consequently the need for password management is reduced.

Despite the clear benefits of AD, most organizations find that they continue to have multiple user directories. For example, they may integrate the NOS login, e-mail system and some Intranet content with AD, but they might still have mainframes, legacy applications and non-Microsoft DBMS servers.

Non-IT-related user information will still be managed in multiple places, including an H.R. system, a payroll system, a contracts management system, a phone directory, etc.

Many organizations also choose to consolidate to multiple directories, rather than just one directory. For example, some companies deploy a Sun or IBM directory service to support web applications, and Active Directory to support network login and other Microsoft server products.

Other organizations may deploy multiple AD directories, and some users will log into more than one.

The net result is that while AD reduces the problems that arise from too many user directories, organizations are almost never able to reduce the number of directories to just one. Meta directories and password management continue to serve a valuable function to resolve the directory management issues that remain.

Password management and provisioning systems defined

Another class of tools, targeted at medium to large organizations, streamlines heterogeneous management of passwords, provisioning of login access, and termination of that access:

Password management systems defined

Password management systems are designed to reduce the cost of ownership of password-based authentication, and to improve the security of password authentication.

P-Synch is a password management system that supports:

P-Synch yields cost savings by:

P-Synch improves authentication security by:

Access provisioning systems defined

Access provisioning systems are designed to streamline change management to login systems. They reduce the delay between organizational change and matching changes in user access to I.T. infrastructure, and ensure that user access is terminated once it is no longer required.

ID-Synch is an access provisioning system that supports:

ID-Synch yields cost savings by:

ID-Synch improves access security by:

Common components in meta directories, P-Synch and ID-Synch

Meta directory products and P-Synch / ID-Synch share some common components:

Meta directory products and P-Synch / ID-Synch also share at least one key process, which is to correlate possibly different user IDs on different systems to one another, and to users. This "join" process is frequently the most complex part of the deployment of any identity management system.

Meta directories and P-Synch / ID-Synch have almost no overlapping functionality, but do share some infrastructure, as described above.

Integration between these systems yields value by minimizing the total deployment effort of the products. For example, once infrastructure has been set up to collect login IDs and correlate them with one of the systems, the resulting data set should be shared with the other two systems, rather than regenerated.

Similarly, once agents have been configured on one system to manage users, passwords or other attributes on one directory, it makes sense to leverage the same infrastructure for the other systems, rather than deploying a new set of agents in each case.

Integrated deployment strategies

The following sections describe two alternate strategies to deploy both a meta directory product and P-Synch / ID-Synch in a way that maximizes the investment in infrastructure, and minimizes the setup effort.

Meta directory first

For organizations that have already deployed a meta directory prior to installing P-Synch or ID-Synch, it makes sense to leverage the data set in the meta directory which correlates user IDs between systems.

P-Synch and ID-Synch both include a plugin point which allows them to access user and account profiles on an external directory rather than internally. This is accomplished using the PARSE ACCOUNT EXT plugin point. When this plugin is used, the P-Synch user and account databases become a temporary cache for user and login ID information.

Alternately, P-Synch or ID-Synch can be configured with either a one-time or periodic batch load of data from the meta directory.

When P-Synch is deployed before a meta directory, or where the join data set in the meta directory is limited in scope or incomplete at the time of P-Synch deployment, it may make sense to leverage P-Synch's built-in capability to correlate login IDs across systems, and to push this data out to the meta directory.

Where systems have consistent login IDs, P-Synch correlates them automatically, using data from a nightly auto-discovery process.

Where systems have different login IDs, and there are no convenient attributes to correlate them to one another, P-Synch provides an alias profile builder. This tool allows users to identify their own accounts on the network, using the process illustrated in Figure 1.

Figure 1: Alias profile builder process

This process leverages the users' own knowledge of their login ID profiles to quickly assemble a comprehensive and validated set of user ID correlation data.

This data can be fed into a meta directory either in real time (using an exit trap such as UALS UPDATE SUCCESS) or in nightly batch updates.

Extending meta directory functionality

Background

Most of the current meta directories evolved from products designed to synchronize data among e-mail systems, and between e-mail systems and network operating systems.

As a consequence, they generally support e-mail systems, LDAP directories and network login IDs well, but frequently have little or no support for other systems that users log into, such as ERP applications, mainframe systems, DBMS servers, etc.

Initializing passwords

Meta directories normally operate in batch mode, and can only read password hashes stored on managed directories. Since every kind of managed system uses a different password hashing algorithm, it is impossible to copy a usable password from one directory to another.

This limitation means that while meta directories can discover new login IDs on one system, and create matching login IDs for the same users on other systems, they cannot set an initial password for newly-created login IDs.

This limitation is resolved with P-Synch. The meta directory can set initial passwords on new login IDs to a random number, which the user does not know. Users are then prompted to use P-Synch's password synchronization system to change all of their passwords -- including the password on the new login ID -- to a single new value.

This solution makes it possible to use a meta directory to create new login IDs on password-protected systems, without using default passwords or sending initial passwords to users in an insecure e-mail.

This is best illustrated by an example:

  1. An administrator adds user X to Active Directory (AD).
  2. User X logs into AD.
  3. At night, the meta directory detects the new login ID (User X on AD), and creates a new login ID for the same user on a Sun ONE directory (User X on SONE). The new login ID has a random password.
  4. The meta directory sends user X an e-mail, asking him to change his passwords in order to activate his Sun ONE login account.
  5. User X logs into AD, and changes his password.
  6. P-Synch synchronizes the password from AD to SONE.
  7. User X logs into SONE, with the same password he just set on AD.
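The hashing problem and the seven-step flow above, as an added example rather than anything from the paper or from P-Synch itself. `SystemA` and `SystemB` are toy password stores with deliberately different hashing schemes that stand in for the AD and Sun ONE roles; the login name, the passwords and the schemes are constructed for illustration. The example shows why copying a stored hash record between the two stores yields nothing usable, and that setting the same cleartext on both stores, as the synchronization step does, gives each system a valid hash in its own format without any default or e-mailed password.

```python
"""Why a meta directory cannot copy passwords between systems, and how the
random-initial-password plus synchronization flow above works around it.

Added example, not Hitachi ID or P-Synch code. SystemA and SystemB are toy
password stores with deliberately different hashing schemes; they stand in for
the AD and Sun ONE roles in the seven-step example. Login names and
passwords are constructed.
"""
import hashlib
import hmac
import secrets


class SystemA:
    """Toy store: salted SHA-256, 32-byte digest (stands in for AD)."""

    def __init__(self):
        self.store = {}  # login -> (salt, digest)

    def set_password(self, login, password):
        salt = secrets.token_bytes(16)
        self.store[login] = (salt, hashlib.sha256(salt + password.encode()).digest())

    def verify(self, login, password):
        salt, digest = self.store[login]
        return hmac.compare_digest(hashlib.sha256(salt + password.encode()).digest(), digest)


class SystemB:
    """Toy store: PBKDF2-HMAC-SHA1, 20-byte digest (stands in for Sun ONE)."""
    ITERATIONS = 10_000

    def __init__(self):
        self.store = {}  # login -> (salt, digest)

    def _hash(self, salt, password):
        return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, self.ITERATIONS)

    def set_password(self, login, password):
        salt = secrets.token_bytes(16)
        self.store[login] = (salt, self._hash(salt, password))

    def verify(self, login, password):
        salt, digest = self.store[login]
        return hmac.compare_digest(self._hash(salt, password), digest)


def hash_copy_gives_usable_password(src, dst, login, password):
    """What a batch tool that can only read hashes could do: copy the stored
    record as an opaque attribute. Returns whether the user's real password then
    verifies on the destination. It does not, because the schemes differ."""
    dst.store[login] = src.store[login]
    return dst.verify(login, password)


def provision_with_sync(new_password):
    """Walk the seven steps above with the toy stores and report what verifies."""
    ad, sone = SystemA(), SystemB()

    # Steps 1-2: an administrator creates X on AD; X sets an AD password.
    ad.set_password("x", "first-ad-password")

    # Step 3: the meta directory detects X on AD and creates X on SONE with a
    # random password that no person knows (no default, nothing to e-mail).
    initial = secrets.token_urlsafe(24)
    sone.set_password("x", initial)

    # For comparison: copying AD's hash record to SONE would not have helped.
    copy_works = hash_copy_gives_usable_password(ad, SystemB(), "x", "first-ad-password")

    # Steps 4-6: X is told to change passwords; the new cleartext is applied to
    # every account X owns, so each system computes its own valid hash.
    for system in (ad, sone):
        system.set_password("x", new_password)

    # Step 7: X logs into SONE with the password just set on AD.
    return {
        "hash_copy_works": copy_works,
        "ad_login": ad.verify("x", new_password),
        "sone_login": sone.verify("x", new_password),
        "random_initial_still_valid": sone.verify("x", initial),
    }


if __name__ == "__main__":
    print(provision_with_sync("Correct-Horse-Battery-7"))
```

The last field of the result is the detail a reviewer should check in a real deployment: once the user has synchronized, the random initial password must no longer work on the newly created account, so the only credential that unlocks it is the one the user chose.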

Future work

Hitachi ID is working on additional integration between ID-Synch and meta directories:

The scarcity of "agents" or "connectors" suggests that a valuable direction for integrating ID-Synch with meta directories is to expose the functionality of the ID-Synch agents, which cover a very wide range of system types, to meta directories. This will allow meta directories to apply their core competency, namely coherent and consistent management of user attributes in an enterprise, to a broader range of systems in any given organization.

Another characteristic of meta directory products is that they run in batch mode, and do not detect administrative changes made to individual systems in real time. P-Synch already has this capability, at least in some degree, with the transparent password synchronization service. Accordingly, Hitachi ID is investigating a real-time connection from a change in a user's group memberships on one system, through P-Synch, to a meta directory, to trigger automatic changes to the user's access on other systems.

Summary

There is significant shared infrastructure, but no functional overlap, between password management, access provisioning and meta directory products. All three form valuable components of an identity management infrastructure.

Deployment of the three products (meta directory, P-Synch, ID-Synch) should be considered together, as installation of components of one system can be leveraged to accelerate deployment of the others.

References

Meta directory vendors today include:

  Vendor          Product                     Web site
  Critical Path   CP Meta Directory Server    http://cp.net
  Maxware         DSE                         http://www.maxware.com
  Microsoft       MMS                         http://microsoft.com/mms
  Siemens         DirX                        http://siemens.com

Notes:
  1. IBM acquired MetaMerge and intends to package it as a part of an IBM Identity Management suite.

To find out more about P-Synch, visit http://P-Synch.com/.

To find out more about ID-Synch, visit http://ID-Synch.com/.

To find out more about Hitachi ID, visit http://Hitachi-ID.com/.