Identity Aggregation and Synchronization

Chapter 1: Introduction to the Identity Aggregation and Synchronization Paper

Published: May 11, 2004 | Updated: June 26, 2006

Executive Summary

An essential element of managing computer networks is organizing information about people, applications, and network devices. Managing identity information is challenging because the essential data that describes people in an environment changes so frequently. For example, in a given month a large percentage of an organization's employees may change jobs, assume different roles, become associated with different projects, move to a new office, or even change their names. All these changes, while seemingly minor, can pose a significant challenge in complex networks with multiple identity stores.

This paper discusses how to aggregate and synchronize user identity information across multiple directories and identity stores in a heterogeneous environment. The goal is to enable centralized administration of user identities across an organization's identity stores. The paper also provides detailed configuration tasks you can perform to achieve this by using Microsoft® Identity Integration Server 2003, Enterprise Edition with Service Pack 1 (MIIS 2003 with SP1).

This paper is part of the Microsoft Identity and Access Management Series.

The Business Challenge

Organizations store identity information as data objects in numerous data repositories. When identity information becomes inconsistent between identity stores, it can become difficult to use appropriately. Synchronizing information between multiple data repositories is challenging, time consuming, and expensive.

The business challenges that relate to identity synchronization include:

Reducing the costs associated with managing large numbers of identity stores.

Providing the ability to expand the organization's people and IT resources without a corresponding increase in IT staff.

Increasing employee productivity by being able to find the right information about other users.

Meeting regulatory requirements associated with privacy and access controls.

In large organizations, you can often find over one hundred discrete identity stores, all of which contain overlapping and usually conflicting personal data. Managing this identity data across many systems that use manual processes or custom scripts is simply not cost effective or accurate enough to meet the business needs of most organizations.

Management needs to know that the costs of managing user identities are as low as reasonably possible. Identity life-cycle management should also scale efficiently across various applications and network resources, and not require additional staff for every application brought online or every group of users hired.

The Business Benefits

Efficient administrative processes based on capable technologies for identity aggregation and synchronization can provide the following business benefits:

Reduced total cost of ownership (TCO) of networked systems through reducing the costs for managing digital identity data in multiple identity stores.

Increased IT administrator productivity.

Increased knowledge worker productivity.

Improved security and privacy controls across the organization.

Who Should Read This Paper

The audience for this paper includes architects, IT professionals, IT decision makers, and consultants working in organizations with multiple identity stores.

Reader Prerequisites

This paper assumes the reader has a moderate knowledge of identity and access management concepts and technologies as described in the “Fundamental Concepts” paper in this series.

To implement the solutions in this paper, readers should have an understanding of the infrastructure described and implemented in the “Platform and Infrastructure” paper in this series. For a greater understanding of MIIS 2003, review the Microsoft Identity Integration Server 2003 Technical Reference.

Paper Overview

This paper consists of seven chapters. Each chapter builds on the previous one to demonstrate how a typical company plans, builds, tests, and operates an identity aggregation and synchronization solution by using MIIS 2003 with SP1 and the Microsoft Active Directory® directory service. The chapters cover the following topics:

Chapter 1: Introduction

The introduction provides an executive summary, the recommended audience for the paper, and an overview of each chapter in the paper.

Chapter 2: Approaches to Identity Aggregation and Synchronization

This chapter covers various approaches for identity aggregation and synchronization, including the recommended approach of using an identity integration product.

Chapter 3: Issues and Requirements

This chapter introduces the identity aggregation and synchronization challenges that Contoso Pharmaceuticals (a fictitious company with typical problems) faces, as well as their technical issues and requirements.

Chapter 4: Designing the Solution

This chapter describes the logical design of a solution for Contoso and how it works. It addresses Contoso's issues and requirements with an identity aggregation and synchronization solution based on Microsoft technologies.

Chapter 5: Implementing the Solution

This chapter takes the design from the previous chapter and further refines it by providing step-by-step prescriptive guidance to implement the solution. It shows how you can set up identity aggregation and synchronization in a secure and functional way. This chapter also introduces the Tools and Templates provided for this paper.

Chapter 6: Testing the Solution

This chapter describes how to validate the implemented solution scenarios from Chapter 5. It also provides some troubleshooting steps to help with common implementation challenges.

Chapter 7: Operational Considerations

This chapter concludes the paper with details on operational procedures for running an identity aggregation and synchronization solution on a day-to-day basis.

Solution Scenario

In addition to a general discussion of identity synchronization approaches, this paper also provides detailed prescriptive guidance for implementing an identity aggregation and synchronization solution that builds on the Contoso Pharmaceuticals scenario introduced in the “Platform and Infrastructure” paper in this series. In this scenario, Contoso has two Active Directory forests, a Sun ONE Directory, and a Lotus Notes database to integrate.

This scenario has been compiled by Microsoft to illustrate the typical challenges organizations face in providing identity aggregation and synchronization, and includes guidance on how Microsoft technologies can address them. Chapters 3 through 7 focus entirely on this solution scenario.

Implementing an identity aggregation and synchronization solution provides a recommended foundation for building other identity life-cycle management solutions such as provisioning (fully automated or using workflow), entitlement management (groups in particular) and credential management (passwords in particular).

Note: The “Password Management” paper in this series builds on the solution scenario in this paper to provide password change, reset, and propagation services.
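To make concrete what "aggregation" means in the Contoso scenario above (four identity stores holding overlapping and sometimes conflicting personal data), the following Python sketch is an added illustration; it is not code from this paper or from MIIS 2003. It joins records from the four stores on an employee ID, reports every attribute on which the stores disagree, and builds one merged view using a per-attribute precedence order. The store names, sample records, the choice of employee ID as the join anchor, and the precedence rules are all constructed assumptions for the example.

```python
"""Illustrative identity aggregation across several constructed identity stores.

Added example, not MIIS code: it models the general idea of joining records
from multiple stores, detecting conflicting attribute values, and producing a
single authoritative view via a precedence order."""

# Constructed sample records for the four stores named in the Contoso scenario.
# employeeID is the assumed join anchor; every value below is invented.
STORES = {
    "AD-Corp": [
        {"employeeID": "1001", "displayName": "Alice Liddell",
         "mail": "alice@contoso.example", "department": "Research"},
        {"employeeID": "1002", "displayName": "Bob Stone",
         "mail": "bob@contoso.example", "department": "Sales"},
    ],
    "AD-Resource": [
        {"employeeID": "1001", "displayName": "Alice Liddell", "department": "Research"},
    ],
    "SunONE": [
        {"employeeID": "1001", "displayName": "Alice Hargreaves", "telephoneNumber": "+1 555 0100"},
        {"employeeID": "1002", "displayName": "Bob Stone", "telephoneNumber": "+1 555 0101"},
    ],
    "Notes": [
        {"employeeID": "1002", "mail": "bstone@contoso.example", "department": "Marketing"},
        {"employeeID": "1003", "displayName": "Carol Danvers"},
    ],
}

# Assumed per-attribute precedence: the first listed store that has a value wins
# when stores disagree. A real deployment would decide this per attribute.
PRECEDENCE = {
    "displayName": ["AD-Corp", "SunONE", "Notes", "AD-Resource"],
    "mail": ["AD-Corp", "Notes"],
    "department": ["AD-Corp", "Notes", "AD-Resource"],
    "telephoneNumber": ["SunONE"],
}


def aggregate(stores=STORES, precedence=PRECEDENCE):
    """Join records on employeeID and merge them.

    Returns (merged, conflicts):
      merged    -> {employeeID: {attribute: winning value, "sources": [stores]}}
      conflicts -> [(employeeID, attribute, {store: value}), ...] for every
                   attribute where at least two stores hold different values.
    """
    joined = {}  # employeeID -> attribute -> {store: value}
    for store, records in stores.items():
        for rec in records:
            anchor = rec.get("employeeID")
            if not anchor:
                continue  # a record without an anchor cannot be joined
            entry = joined.setdefault(anchor, {})
            for attr, value in rec.items():
                if attr != "employeeID":
                    entry.setdefault(attr, {})[store] = value

    merged, conflicts = {}, []
    for anchor, attrs in joined.items():
        out = {"sources": sorted({s for by_store in attrs.values() for s in by_store})}
        for attr, by_store in attrs.items():
            if len(set(by_store.values())) > 1:
                conflicts.append((anchor, attr, dict(by_store)))
            # Pick the winner by precedence; if no rule exists for this
            # attribute, fall back to a deterministic (sorted) choice.
            order = precedence.get(attr, [])
            winner = next((by_store[s] for s in order if s in by_store), None)
            if winner is None:
                winner = sorted(by_store.values())[0]
            out[attr] = winner
        merged[anchor] = out
    return merged, conflicts


if __name__ == "__main__":
    merged, conflicts = aggregate()
    for emp, view in merged.items():
        print(emp, view)
    for emp, attr, values in conflicts:
        print("CONFLICT", emp, attr, values)
```

The conflict list is the part a practitioner would watch: each entry is an attribute that some store reports differently from the others, which is exactly the inconsistency the paper says makes identity data hard to use. Reviewing that list before letting a precedence rule silently overwrite values is how such a merge stays auditable.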

Feedback

Please direct questions and comments about this guide to secwish@microsoft.com.
