Symplified Offers Single Sign-On for the Cloud

By P. J. Connolly  |  Posted 2010-08-05
Directory services may be old news, but they still represent an important part of the IT infrastructure. The question for many organizations is how to take an existing directory that grew up around locally served applications and services such as file and print, and use it with cloud-based services such as Google and Salesforce.com.

Too often, the answer is to avoid integration between local identities and the cloud. That choice, convenient as it may be in the short run, is likely to blow up in one's face someday. As cloud-based services proliferate, the potential only increases for trouble through a compromised user identity, or a dropped ball on the part of an administrator provisioning services for users.

Enter Symplified and its SinglePoint cloud-based single sign-on services, which were refreshed in summer 2010 with an array of new features designed to keep local user stores and cloud-based services on the same page. Symplified's approach to SSO makes heavy use of open standards such as SAML (Security Assertion Markup Language) and XACML (eXtensible Access Control Markup Language) to perform its chores.

Although the nature of cloud-based services makes it possible to slipstream new features into the mix, Symplified chose instead to build an entirely new provisioning fabric for SinglePoint in July. It adds augmented synchronization and directory capabilities, along with a service that allows companies to use Google and Salesforce.com as cloud-based directory services that can authenticate users in other applications.

The new Symplified Identity Vault can substitute for an on-premises directory service, and manage user identities as a cloud-based function, independent of any local infrastructure. For example, in a traditional portal environment, the IT group would maintain users within an LDAP directory; when the Identity Vault is implemented, the portal instead turns to Google or Salesforce.com for authentication, and uses the information supplied by the chosen service to deny or grant access.

For shops looking to migrate from the traditional locally served user authentication and authorization, or simply to offer a hybrid of local directory services and cloud-based services, Symplified Sync steps into the picture. Symplified Sync offers a way to bridge the gap between Microsoft Active Directory and the cloud, mapping user attributes defined in AD to cloud services as desired. In this first pass, Sync bridges between Active Directory and Google or Salesforce.com, but Symplified expects to include other cloud applications as demand requires.

Bridging and Management


Symplified Sync makes use of so-called identity routers (operated by Symplified, or by the local IT group) that provide the exchange between a directory store and a targeted application. What makes this particularly useful for administrators who are supporting both Active Directory and one or more cloud applications is that it doesn't require user provisioning to be done through unfamiliar tools. Adds, changes and deletes are still performed through the existing tools for Active Directory, but are pushed up to the cloud without the need for administrator intervention.

Symplified Virtual Directory goes beyond this bridging function to provide an impressive array of services that accommodate organizations with multiple identity stores, offering attribute mapping, data transformation, normalization and related functions for numerous LDAP and RDBMS (relational DBMS) systems on the one hand, and cloud-based services on the other. By offering these capabilities in a one-to-many model, Symplified claims that the Virtual Directory removes the need to fiddle with schemas or write custom code in order to exchange data between repositories.
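To make concrete what "attribute mapping, normalization and pushing adds, changes and deletes" amounts to in a sync pass like the one described in the two paragraphs above, here is an added illustration written for this page; it is not Symplified's code and not a real Google or Salesforce API. It assumes a hypothetical flat cloud user schema (username, email, names, groups, active), reads constructed Active Directory entries, normalizes them (trimmed and lower-cased identifiers, group names extracted from memberOf DNs, the real ADS_UF_ACCOUNTDISABLE bit of userAccountControl), and diffs the result against a constructed snapshot of the cloud side to produce the provisioning operations. The point a defender cares about is in plan_sync: an account disabled in AD is never provisioned and is suspended in the cloud, and an account that has vanished from AD is deleted, so the "dropped ball" of a forgotten cloud identity cannot survive a sync.

```python
"""Toy identity-sync pass (added example): map AD entries onto a hypothetical
cloud user schema and emit the adds/updates/suspends/deletes needed to keep
the cloud side consistent with the directory."""

ADS_UF_ACCOUNTDISABLE = 0x0002  # real bit in AD's userAccountControl attribute

# Constructed sample of what an AD search might return (not real data).
AD_ENTRIES = [
    {"sAMAccountName": "JSmith", "mail": " Jane.Smith@Example.com ",
     "givenName": "Jane", "sn": "Smith", "userAccountControl": 512,
     "memberOf": ["CN=Sales,OU=Groups,DC=example,DC=com",
                  "CN=Operations,OU=Groups,DC=example,DC=com"]},
    {"sAMAccountName": "bjones", "mail": "bob.jones@example.com",
     "givenName": "Bob", "sn": "Jones", "userAccountControl": 514,  # 512 | disabled
     "memberOf": ["CN=Warehousing,OU=Groups,DC=example,DC=com"]},
]

# Constructed snapshot of the cloud side, keyed by username (hypothetical schema).
CLOUD_USERS = {
    "jsmith": {"username": "jsmith", "email": "jane.smith@example.com",
               "first_name": "Jane", "last_name": "Smith",
               "groups": ["Sales"], "active": True},
    "bjones": {"username": "bjones", "email": "bob.jones@example.com",
               "first_name": "Bob", "last_name": "Jones",
               "groups": ["Warehousing"], "active": True},
    # Left over in the cloud with no matching AD account: must be removed.
    "contractor7": {"username": "contractor7", "email": "c7@example.com",
                    "first_name": "", "last_name": "", "groups": [], "active": True},
}


def cn_from_dn(dn):
    """Return the leading CN value of an LDAP DN: 'CN=Sales,OU=...' -> 'Sales'."""
    first_rdn = dn.split(",", 1)[0]
    attr, _, value = first_rdn.partition("=")
    if attr.strip().upper() != "CN":
        raise ValueError(f"expected CN as first RDN, got {first_rdn!r}")
    return value.strip()


def normalize(entry):
    """Map one AD entry onto the hypothetical cloud schema, normalizing as we go."""
    uac = int(entry.get("userAccountControl", 0))
    return {
        "username": entry["sAMAccountName"].strip().lower(),
        "email": entry["mail"].strip().lower(),
        "first_name": entry.get("givenName", "").strip(),
        "last_name": entry.get("sn", "").strip(),
        # sorted so that two syncs of the same membership compare equal
        "groups": sorted(cn_from_dn(dn) for dn in entry.get("memberOf", [])),
        "active": not (uac & ADS_UF_ACCOUNTDISABLE),
    }


def plan_sync(ad_entries, cloud_users):
    """Diff normalized AD state against the cloud snapshot.

    Returns a list of (action, username, record) tuples where action is one of
    add, update, suspend, delete. Record is None for delete."""
    desired = {rec["username"]: rec for rec in map(normalize, ad_entries)}
    ops = []
    for name, rec in desired.items():
        existing = cloud_users.get(name)
        if not rec["active"]:
            # Disabled in AD: never provision; suspend if still live in the cloud.
            if existing is not None and existing.get("active", True):
                ops.append(("suspend", name, rec))
            continue
        if existing is None:
            ops.append(("add", name, rec))
        elif existing != rec:
            ops.append(("update", name, rec))
    # Anything in the cloud with no AD counterpart is deprovisioned.
    for name in sorted(cloud_users):
        if name not in desired:
            ops.append(("delete", name, None))
    return ops


if __name__ == "__main__":
    for action, name, rec in plan_sync(AD_ENTRIES, CLOUD_USERS):
        print(f"{action:8} {name:12} {rec['groups'] if rec else ''}")
```

Running the block against the constructed data yields an update for jsmith (her group list grew), a suspend for bjones (disabled in AD) and a delete for contractor7 (no longer in AD); running plan_sync again on the resulting state yields no operations, which is the idempotence a scheduled sync needs.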

All of this is managed through the SinglePoint Studio, a Web-based application that from all appearances is truly a browser-neutral tool. I was even able to use Safari on Mac OS X to access its functions, although most of my tinkering was done through an installation of Firefox 3.6 on Windows XP.

For my testing, I used a cloud-based setup of the Symplified applications. It's relatively easy to become comfortable with the processes of configuring and applying policies to various groups. Even higher-level functions, such as configuring user identity stores, are readily accessed and managed.

SinglePoint Studio defines applications with one or more "relative paths." These don't correspond to any portion of a file system, but are better thought of as reflections of an organizational chart. One might have an application defined for sales, another for operations and so on. Within each application, relative paths can be defined to separate manufacturing from warehousing, if those groups have different rules for accessing a supply chain function that's common to the operations group.

The studio's dashboard page shows at a glance how a SinglePoint system is configured: applications, identity routers, user stores and pending configuration changes are all displayed for easy reference.

SinglePoint Studio's management functions are rather well thought out, offering a "Super Administrator" role that backstops the standard administrator role. "Supers" have the ability to add, delete and edit administrators and super administrators, and both groups have the power to define and manage the various aspects of the access control and authentication policies. "Supers" also have the power to reboot the all-important identity routing service.

It's relatively easy for SinglePoint customers to incorporate new public cloud services into their application mix. Once Symplified's engineers digest a service's authentication scheme, it becomes available to Symplified's entire customer base. That's as forward-looking as one could hope for.
