Many organizations use Microsoft Active Directory to manage their internal users. These organizations frequently use other Microsoft applications such as Exchange and Office and find that Active Directory integrates well with these environments. However, organizations that serve numerous customers and partners often do not wish to use Active Directory for external users. Reasons include:
- Requirements to support thousands to millions of external users
- Concerns about CAL and External Connector license requirements
- Difficulty of establishing AD federation through firewalls
- The desire not to “pollute” Active Directory with application-specific information
- Requirements for separate password management methods for external vs. internal users
- Multiple Active Directory domains that cannot easily be federated due to corporate restrictions
AssureBridge Identity Management 360™ provides an ideal solution for supporting external users and custom applications while maintaining compatibility with Active Directory.
IDM 360™ integration with Active Directory
IDM 360™ provides a highly available, scalable directory server capable of serving millions of users. In an Active Directory integration scenario, this server front-ends Active Directory and stores both internal and external users. External users are stored in the directory server along with their passwords. Internal users (employees) are synchronized between the existing Active Directory and the directory server. This synchronization allows the central directory to hold as much or as little employee information as required. External users log in with the password held in the directory server. IDM 360™ passes internal users' login requests through to Active Directory, so employees keep and use their AD password. The AD server (and its passwords) remains in the internal network, while the directory server may reside in the DMZ to be available to external users.
IDM 360™ consolidation of multiple Active Directory Domains
When your organization has multiple AD domains, IDM 360™ can consolidate them even if they do not share trust relationships. IDM 360™ can synchronize multiple back-end AD servers into a single, central directory server. Applications may then point to this central server and receive a consistent identity for every user in the organization. Again, passwords can remain with the local AD server; IDM 360™ will pass each login request to the appropriate AD domain server.
IDM 360™ support for single sign-on
IDM 360™ provides extensive single sign-on capability for both internal and external users. If any user accesses an external service such as SalesForce, ServiceNow, Concur, Workday, etc., IDM 360™ provides SSO using SAML, WS-Federation, OAuth or OpenID. IDM 360™ determines whether to authenticate the user against the central directory or via AD pass-through, and then generates the correct Assertion/Claim.
IDM 360™ extends Active Directory to support applications
Often, organizations do not wish to extend Active Directory into a full-blown application management store. They wish to preserve its vital functions of user and group management and are reluctant to dilute AD by adding numerous fields to support application settings, roles and profile data. By using IDM 360™ as a front end, AD is preserved as an efficient store while additional information, such as application preferences and extended user profiles, is stored in the IDM 360™ directory server. The advanced synchronization merges the Active Directory fields, such as account name, group membership, phone numbers and emails, with application-specific information such as application roles, permissions, and preferences. Continuous sync ensures that any changes made in AD are reflected in real time in the directory server. This gives applications a complete view of user information, including information specific to the application's own domain.
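The following is an added, constructed illustration of the pass-through and merge model described above; it is not AssureBridge code and makes no claim about how IDM 360™ is implemented internally. A front-end directory keeps a salted password hash only for external users, routes an internal user's login to the AD domain that user was synchronized from (the AD binders here are dictionary stubs standing in for an LDAP bind), and builds a merged profile in which AD-owned fields take precedence over application-supplied ones. All user names, domains and passwords are constructed sample data.

```python
# Added illustration (not AssureBridge code): a front-end directory that stores
# external users locally and passes internal users' logins through to the AD
# domain they were synchronized from. Domains, users and passwords are constructed.
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Hypothetical stand-in for an LDAP bind against one AD domain: (uid, password) -> ok
AdBinder = Callable[[str, str], bool]


@dataclass
class Entry:
    uid: str
    ad_domain: Optional[str]                                 # source AD domain; None for external users
    ad_attrs: Dict[str, str] = field(default_factory=dict)   # fields owned by the AD sync
    app_attrs: Dict[str, str] = field(default_factory=dict)  # fields owned by applications
    pw_salt: Optional[bytes] = None                          # only external users carry a local password
    pw_hash: Optional[bytes] = None


class FrontEndDirectory:
    def __init__(self, ad_binders: Dict[str, AdBinder]):
        self.ad_binders = ad_binders      # AD domain -> bind function for that domain
        self.entries: Dict[str, Entry] = {}

    def add_external_user(self, uid: str, password: str, **app_attrs: str) -> None:
        """External users authenticate locally, so a salted PBKDF2 hash is stored."""
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        self.entries[uid] = Entry(uid, None, {}, dict(app_attrs), salt, digest)

    def sync_from_ad(self, domain: str, uid: str, attrs: Dict[str, str]) -> None:
        """Create or refresh an internal user from AD. The password is never copied."""
        entry = self.entries.get(uid)
        if entry is None:
            entry = Entry(uid, domain)
            self.entries[uid] = entry
        entry.ad_domain = domain
        entry.ad_attrs = dict(attrs)      # AD is authoritative for these fields

    def set_app_attrs(self, uid: str, **app_attrs: str) -> None:
        self.entries[uid].app_attrs.update(app_attrs)

    def authenticate(self, uid: str, password: str) -> bool:
        entry = self.entries.get(uid)
        if entry is None:
            return False
        if entry.ad_domain is not None:
            # Internal user: the password lives only in AD, so pass the bind through
            # to that user's own domain. A domain with no binder is denied, never
            # silently checked against the local store.
            binder = self.ad_binders.get(entry.ad_domain)
            return binder is not None and binder(uid, password)
        if entry.pw_hash is None or entry.pw_salt is None:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), entry.pw_salt, 200_000)
        return hmac.compare_digest(candidate, entry.pw_hash)

    def profile(self, uid: str) -> Optional[Dict[str, str]]:
        """Merged view: application fields are overlaid, AD-owned fields win on collision."""
        entry = self.entries.get(uid)
        if entry is None:
            return None
        merged = dict(entry.app_attrs)
        merged.update(entry.ad_attrs)
        return merged


def build_demo() -> FrontEndDirectory:
    # Constructed AD stubs: a credential dict per domain stands in for a real bind.
    corp = {"alice": "Corp-Pass-1"}
    labs = {"bob": "Labs-Pass-2"}
    d = FrontEndDirectory({
        "corp.example": lambda u, p: corp.get(u) == p,
        "labs.example": lambda u, p: labs.get(u) == p,
    })
    d.sync_from_ad("corp.example", "alice", {"mail": "alice@corp.example", "groups": "staff"})
    d.sync_from_ad("labs.example", "bob", {"mail": "bob@labs.example", "groups": "research"})
    d.add_external_user("partner1", "Partner-Pass-3", app_role="viewer")
    # An application may add roles, but cannot override the AD-owned mail field.
    d.set_app_attrs("alice", app_role="admin", mail="overridden@app.example")
    return d


if __name__ == "__main__":
    d = build_demo()
    for uid, pw in [("alice", "Corp-Pass-1"), ("bob", "wrong"), ("partner1", "Partner-Pass-3")]:
        print(uid, d.authenticate(uid, pw))
    print(d.profile("alice"))
```

The two points worth checking in such a deployment are the ones the block makes explicit: an AD-sourced entry must have no local credential at all, so that a mis-routed or unreachable domain fails closed rather than falling back to a stale local password, and the merge order must keep AD authoritative for identity fields (mail, group membership) that applications are allowed to read but not to write.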
IDM 360™ allows organizations to keep using their Active Directory for what it does best while also taking advantage of all the enabling features of a full-function directory and identity system.