Identity Management and Isode's Directory Vision
Isode's Products and Directory Solutions
Isode's M-Vault family of directory products can be used as building blocks for many types of directory solution. While they can be used in many ways, most directory solutions built on Isode products are essentially solving the same problem, even though superficially they may look quite different. This page sets out our overall approach to directory solutions, covering the topics described in the sections below.
Identity Management is a phrase popular with many analysts and consultants, and is being used to describe a wide range of solutions with many companies publishing long and confusing white papers on the subject. While the term, and the many different solutions it may represent, can cause confusion, there are some important common themes of Identity Management solutions that reflect real requirements. This page covers Isode's approach to Identity Management, which we describe in terms of a broad directory based solution.
Isode Products: Existing and Future
In 2003, Isode's directory vision was to provide an excellent large scale directory server (M-Vault). While this remains a key component of our directory vision, Isode is looking to provide a directory based solution, which includes server, management and integration components to provide account and application management, authentication and authorization. This page summarizes this broader solution, shows how Isode products are currently used within the directory solutions area, and shows how products from some of our partners can be used as part of an Isode-based directory solution.
One Directory Entry - One Person - One Account
Directory solutions can be used by a Service Provider or Enterprise to manage data on a set of users and their accounts (typically either customers or employees). The core of Isode's model for managing this is:
- Data will be stored and managed in a directory.
- Each user and associated account is held in a single directory entry.
The single directory entry is important, as it gives users and administrators an unambiguous location to locate all information associated with each user. Users of the system can come to a single place to find out necessary information on an account.
An LDAP directory is ideal for providing this because it offers:
- Core standard schema, extensible to new applications and information.
- General purpose, high performance client access over a standard protocol.
- Replication to improve performance and robustness.
- LDAP servers such as Isode's M-Vault can offer secure data storage with authenticated and confidential client access.
Accounts and Applications
The directory entry represents a single account for the user. This framework can be used to support the same user utilizing multiple applications from the same single account. The key to this is the extensible directory schema, which allows each application to hold application specific information in the directory, in a manner which does not conflict with other applications. User specific information for each supported application can be held in a single location.
Authentication and Trust
A major benefit of this directory-centric model is that applications can use the directory for authentication, using the "proxy authentication" approach, illustrated above. In this approach, the user provides authentication credentials to the application. The application uses these credentials to authenticate against the directory, and thereby authenticate the user.
Authentication Mechanisms and SASL
It is important to support a choice of authentication mechanisms, which may include:
- A range of password based authentication mechanisms, with different operational and security characteristics. This includes technologies such as DIGEST-MD5, SRP and Kerberos.
- Digital Signature based security, using X.509 PKI (Public Key Infrastructure).
- Biometric techniques.
The core LDAP protocol only supports a few built in authentication mechanisms. For this reason, Isode sees SASL (Simple Authentication and Security Layer) as a key technology, because it gives an extensible framework for using different authentication mechanisms with LDAP.
Passwords and Password Management
While password based authentication seems old fashioned, it is the only mechanism that will be available for many organizations, service providers and applications. For many deployments, password based authentication will be the dominant approach used. Isode offers a range of capabilities to support password authentication and management.
PKI and Biometric solutions will generally need special purpose management capabilities, which in practice will mean having specialized software for managing these authentication mechanisms (e.g., Certification Authority products to support PKI). Isode's strategy for passwords is that the directory and associated management tools should provide everything that is needed for use and management of password based authentication, such as control of password choice, password resets, and password expiry. Isode's solution will enable multiple applications to support a user with the same password (single sign on).
Authentication is validating the identity of a user. Authorization is determining whether the authenticated user has the right to use an application or perform a function. Many systems using LDAP for authentication handle authorization in one of two ways:
- Implicit authorization. Because the user has been authenticated, the user is authorized.
- Use of a separate authorization server, which applications use to make authorization decisions.
While both of these can be good approaches, there are many situations where an intermediate approach is desirable. For example, an ISP allows an application to be used by users that have paid for the service, and registers this information in the user's directory entry. This authorization requires very simple business logic, based on information that is stored in the directory. Isode's approach is to provide a directory based authorization system that supports this kind of application. Authorization is decoupled from the application, so that changes to the authorization rules do not require changing the application.
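As an added example (not Isode's code), the following Python sketches the directory-based authorization just described, with the rules held outside the application and evaluated over constructed LDIF records of the one-entry-per-user form described under "Accounts and Applications". The attribute names serviceEntitlement and accountStatus, and the example DNs, are assumptions rather than Isode schema.

```python
# Added example (not Isode code): directory-based authorization over one
# entry per user. Assumes hypothetical attributes 'serviceEntitlement'
# (paid-for services) and 'accountStatus'; the LDIF below is constructed.
import base64

SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
mail: alice@example.com
serviceEntitlement: mail
serviceEntitlement: webhosting
accountStatus: active

dn: uid=bob,ou=people,dc=example,dc=com
mail:: Ym9iQGV4YW1wbGUuY29t
serviceEntitlement: mail
accountStatus: suspended
"""

def parse_ldif(text):
    """Parse LDIF content records into {dn: {attr: [values]}}."""
    entries = {}
    for record in text.replace("\n ", "").split("\n\n"):   # unfold, then split
        attrs, dn = {}, None
        for line in record.splitlines():
            if not line or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):                      # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode()
            value = value.strip()
            if attr == "dn":
                dn = value
            else:
                attrs.setdefault(attr, []).append(value)
        if dn:
            entries[dn] = attrs
    return entries

# Rules live outside the application: service -> predicate over the user's entry.
RULES = {
    "mail": lambda a: "mail" in a.get("serviceEntitlement", []),
    "webhosting": lambda a: "webhosting" in a.get("serviceEntitlement", []),
}

def authorize(entries, uid, service):
    """Decide from directory data only; unknown users/services and suspended accounts are denied."""
    attrs = entries.get(f"uid={uid},ou=people,dc=example,dc=com")
    if attrs is None or attrs.get("accountStatus") != ["active"]:
        return False
    rule = RULES.get(service)
    return bool(rule and rule(attrs))
```

Changing who may use a service means editing RULES or the directory data, not the application.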
Supporting the Application for Authentication and Authorization
The key problem to be solved for a system using LDAP for Authentication and Authorization is integrating the applications. Many modern applications have direct support for LDAP, and so the only requirement is correct configuration. Isode's strategy is to provide two additional integration options:
- Program APIs (in 'C' and Java). These are particularly useful for custom applications, including Web applications.
- PAM (Pluggable Authentication Module) gives a simple API that can be used directly by many applications.
As well as holding data for authentication and authorization, it will often be useful for additional application data to be held in the directory to support applications. In general, where simple applications have per user parameters, the directory is a good place to hold these. For example:
- A mailbox service can hold maximum mailbox size information.
- A message switching service can hold information necessary to support email routing and delivery.
- A RADIUS service can hold configuration information.
White Pages and Information Services
A key goal of most directory deployments is to provide support to other applications, such as messaging. These applications will often use the directory as transparent infrastructure. Because the directory will hold useful information on users, it is often desirable to use this to provide a general information service or "white pages" service, to provide lookup of information such as email address, telephone number and location.
In some directory deployments, data is managed externally (see "Data Feeds" below) and in others it is managed in the directory. In the latter case, management of the data, including user data, passwords, and authorization related data is critical. Isode's approach to providing this critical functionality is based on a set of data management libraries with a published API. These management libraries are used by Isode's Web and Desktop data management applications, and may also be used directly by custom management applications.
When data is not mastered in the directory, it needs to be loaded from an external source. Isode supports bulk loading of data using LDIF (LDAP Data Interchange Format) to achieve this. Where data is stored in multiple external sources, a data synchronization product may be needed.
Many authentication and authorization systems model LDAP as being provided by a single local server. This is very unfortunate, as one of the key benefits of an LDAP approach is that it allows data to be distributed in order to allow data to be managed in a natural location, and it allows data to be highly replicated to improve performance and reliability of the total system. Isode's core directory model includes distribution and replication.
M-Vault supports X.500 DISP (Directory Information Shadowing Protocol), which is the only open standard for directory replication. This can enable multi-vendor replicated deployments. Isode offers a directory connector solution to help build a coherent distributed directory using multiple directory servers. Isode's distribution model assumes that directories are configured using common naming and schema. Where this is not the case, Isode's partner solution from Symlabs can be used.