Implementing effective identity aggregation and synchronization requires a detailed analysis of the key business and technology drivers. This chapter records these factors for the fictitious Contoso Pharmaceuticals environment, and lists the solution requirements along with the security vulnerabilities that must be addressed by the following closely related solution scenarios.
For more information about the Contoso Pharmaceuticals example organization, see the “Platform and Infrastructure” paper in this series.
Background
Organizations running multiple identity stores in heterogeneous environments often face the challenge of synchronizing digital identities across different stores in order to meet their business requirements.
Contoso experienced difficulties trying to integrate the digital identities from a recently acquired company, Fabrikam, with their existing information systems. Isolated directories and identity stores complicate the problem of overlapping identity information, because much of the information is missing, out of date, or incorrect.
Business Issues
Contoso identified the following business issues to address through identity aggregation and synchronization:
• E-mail communication problems. Contoso e-mail address information is incorrect for many users in the growing company, due to the use of two different messaging systems (Lotus Notes and Microsoft® Exchange Server). Mission-critical e-mail communications are occasionally delayed because users need to find out new e-mail addresses and send messages again.
• No authoritative source of identity information. Users are unsure what identity information they can trust within Contoso, and it takes too long to get their user information updated in the various places it is held.
• The expense of managing redundant data stores. The IT organization spends significant time and resources attempting to manage identical information in multiple locations.
• The cost of training new IT staff to manage redundant data stores. New IT staff require significant training simply to ensure they can effectively manage the same identity information across many identity stores.
Technical Issues
Contoso has identified several technical issues related to identity synchronization:
• Account information is inconsistent or incorrect. Digital identity attribute information in different identity stores is outdated or incorrect.
• Certificate mapping. Digital certificates held by external users must be mapped to accounts so that those users can gain access to internal corporate resources.
• Future acquisitions will be challenging and time consuming. This issue is an assumption based on the past experience of manually integrating Fabrikam employees. Contoso cannot predict the systems it will need to integrate, and therefore needs maximum flexibility.
• Data validity. For an identity synchronization solution to perform correctly, the data being synchronized must be valid. Previously used manual processes introduced large amounts of invalid data that will need to be fixed.
Security Issues
Contoso currently has to keep multiple identity stores synchronized manually, which results in critical security issues such as incorrect entitlement information. Applications use entitlement information held in different identity stores to authorize user access. This entitlement information is often entered incorrectly, outdated, or inconsistent with the authoritative identity stores.
Although identity aggregation and synchronization by itself raises few security issues, this solution provides a solid foundation for other solutions, such as provisioning and password management, which are a source of significant security risk for many organizations.
Solution Requirements
From these issues, Contoso produced the following set of requirements for aggregating and synchronizing its digital identity information:
• Central, comprehensive, aggregated identity store. The solution must provide a comprehensive, aggregated view of all identities within the Contoso organization.
• Flexible attribute flow and synchronization. Synchronization must propagate authoritative identity information between multiple directories and be fully customizable with respect to generating and publishing attributes in each identity store.
• Custom attribute generation. The ability to create new custom attributes based on other available attributes is required to support capabilities Contoso requires, such as certificate mapping.
• Mail-enabled user synchronization. Users of both Lotus Notes and Microsoft Exchange should be able to see the e-mail addresses of users of the other system so that messages can be sent between systems. Therefore, Lotus Notes contacts must exist in Active Directory, and Exchange users must exist in the Lotus Notes address book as users with Internet addresses.
• Rapid integration with new identity stores. Because Contoso plans more acquisitions, the company needs to be able to integrate additional identity stores easily into the solution.
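The following is an added example, not code from the paper or from any Microsoft product, showing in miniature what the aggregated-store, attribute-flow and custom-attribute requirements above amount to, and how the entitlement inconsistency described under Security Issues can be detected once an aggregated view exists. The three stores (HR, AD, NOTES), the per-attribute precedence table and every record are constructed for the example; in a real deployment the join attribute, precedence rules and stores would be those of the organization.

```python
"""Toy identity aggregation: join records from several identity stores into
one aggregated view, apply per-attribute authoritative-source precedence,
derive a custom attribute, and report drift and stale entitlements.

Added example; all store names, attribute names and records are constructed.
"""
from dataclasses import dataclass

# Constructed sample stores, keyed by employee ID (the join attribute).
HR = {  # assumed authoritative for name, department and employment status
    "1001": {"givenName": "Ana", "sn": "Ruiz", "department": "Research", "status": "active"},
    "1002": {"givenName": "Ben", "sn": "Okafor", "department": "Sales", "status": "terminated"},
    "1003": {"givenName": "Chen", "sn": "Wu", "department": "IT", "status": "active"},
}
AD = {  # assumed authoritative for group entitlements and Exchange addresses
    "1001": {"mail": "ana.ruiz@contoso.example", "groups": ["Research-Share"]},
    "1002": {"mail": "ben.okafor@contoso.example", "groups": ["Sales-Share", "Finance-RO"]},
    "1003": {"mail": "chen.wu@contoso.example", "groups": ["Helpdesk"]},
}
NOTES = {  # the acquired company's Notes directory; authoritative for Notes addresses only
    "1001": {"internetAddress": "aruiz@fabrikam.example", "department": "R&D"},
    "1003": {"internetAddress": "chen.wu@contoso.example", "department": "IT"},
}
STORES = {"HR": HR, "AD": AD, "NOTES": NOTES}

# Attribute flow rules: the single store whose value wins for each attribute.
PRECEDENCE = {
    "givenName": "HR", "sn": "HR", "department": "HR", "status": "HR",
    "groups": "AD", "mail": "AD", "internetAddress": "NOTES",
}


@dataclass(frozen=True)
class Finding:
    employee_id: str
    kind: str        # "attribute_drift" or "stale_entitlement"
    attribute: str
    store: str       # store holding the problematic value
    detail: str


def aggregate(stores=STORES, precedence=PRECEDENCE):
    """Build the aggregated view: one record per employee ID, each attribute
    taken only from its authoritative store, plus a derived displayName."""
    ids = set()
    for store in stores.values():
        ids.update(store.keys())
    metaverse = {}
    for emp in sorted(ids):
        record = {}
        for attr, source in precedence.items():
            value = stores[source].get(emp, {}).get(attr)
            if value is not None:
                record[attr] = value
        # Custom attribute generation from other aggregated attributes.
        if "givenName" in record and "sn" in record:
            record["displayName"] = f"{record['givenName']} {record['sn']}"
        metaverse[emp] = record
    return metaverse


def find_inconsistencies(metaverse, stores=STORES, precedence=PRECEDENCE):
    """Report non-authoritative stores that disagree with the aggregated value,
    and entitlements still held by users the authoritative store says have left."""
    findings = []
    for emp, rec in metaverse.items():
        for store_name, store in stores.items():
            for attr, value in store.get(emp, {}).items():
                if precedence.get(attr) != store_name and rec.get(attr) != value:
                    findings.append(Finding(
                        emp, "attribute_drift", attr, store_name,
                        f"{value!r} differs from authoritative {rec.get(attr)!r}"))
        if rec.get("status") == "terminated" and rec.get("groups"):
            findings.append(Finding(
                emp, "stale_entitlement", "groups", precedence["groups"],
                f"terminated user still holds {rec['groups']}"))
    return findings


if __name__ == "__main__":
    view = aggregate()
    for emp, rec in view.items():
        print(emp, rec)
    for f in find_inconsistencies(view):
        print(f"{f.kind}: employee {f.employee_id}, {f.attribute} in {f.store}: {f.detail}")
```

With the constructed data the run reports two findings: the Notes directory carries a department value ("R&D") for employee 1001 that disagrees with HR, and employee 1002, terminated in HR, still holds two groups in AD. The second finding is exactly the entitlement problem the Security Issues section describes; it only becomes visible once the status attribute from HR and the group membership from AD sit in the same aggregated record.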