This document is an overview of the identity management requirements that arise in an Extranet portal, where a corporation provides services to a large number of external users -- typically consumers and in some cases partners.
The remainder of this document covers:
- A comparison of Enterprise IDM with Extranet IDM requirements.
- An overview of business process and technical requirements that arise in Extranet IDM, and suggestions for best practices.
- An overview of business process and technical requirements.
- Proposed solutions, using a combination of Hitachi ID products, third party software and custom software development, as appropriate.
24. Extranet Identity Management: Process and Architecture
C Microsoft ADAM
Hitachi ID Systems has no financial incentive to recommend any particular directory product, so we consider
ourselves to be impartial in this regard. Moreover, Hitachi ID Systems tends to favour Unix and Linux hosted
solutions, so our natural bias would be against AD/ADAM, which are hosted strictly on Windows/Intel. That
said, we think that AD and ADAM are significantly better than alternative LDAP directories:
1. AD and ADAM scale to about 2,000,000,000,000 objects (this has been empirically tested) and fail
gracefully with reasonable error messages beyond this scale.
2. ADAM is relatively inexpensive, costing nothing beyond a Windows Server operating system license:
(a) Windows Server runs on inexpensive x86 servers.
(b) There is no per-object license fee.
3. OpenLDAP is clean and robust, but does not support multiple master directory servers, so has limited
scalability.
4. The Sun/iPlanet/Netscape and IBM directory products share a source code heritage and unfortunately
that old source code is quite buggy. We have seen serious stability problems with Sun, iPlanet and
IBM directory servers at many of our customer deployments, especially to do with multi-master de-
ployments, insertion of attribute pre- and post-filters, etc. Basically, the Sun, iPlanet and IBM directory
servers are not as reliable as they should be.
5. Only two vendors have large production experience with massively multi-master directories: Microsoft
(AD/ADAM) and Novell (eDirectory). They each have customers with more than 1000 concurrently
active and replicated directory servers – far more scalable and robust, especially in the event of
network outages – than other vendors.
6. Only two vendors have a working group membership infrastructure in their directories – again, Mi-
crosoft and Novell.
Groups in Sun and IBM LDAP directories, in particular, are almost useless. The unidirectional schema
(group objects contain a multi-valued attribute listing users, but user objects do not enumerate group
memberships) mean that it’s too expensive to evaluate queries like “what groups is this user a member
of?” or to cope with environments that have thousands of groups or that have groups containing
thousands of users.
Strong group infrastructure is present in AD and eDirectory because of their vendors’ respective net-
work OS heritage. Conversely, weak group infrastructure mean that Sun and IBM directory products
are useless as a back end to a NOS and support only fairly simplistic access control models.
7. Openness and standards-compliance are important in a directory product. Oddly (despite buying
SuSe), Novell has the most closed directory product on the market. Hitachi ID Systems cannot, in
good conscience, recommend eDirectory for this reason.
8. Support for nested groups is often a useful strategy for constructing a complex authorization infras-
tructure. Only Active Directory and ADAM support nested groups.
www.Hitachi-ID.com
500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: sales@Hitachi-ID.com
File: /pub/wp/documents/extranet-arch/extranet-idm-arch-2.tex
Date: 2008-05-12