- 4chan hell raisers finding fame brings heat?
- The 10 dumbest mistakes network managers make
- NetApp quits bidding war in face of EMC opposition
- CompuServe closes after 30 years
- Google to launch open-source Chrome OS this year
Dave Kearns provides the information you need to evaluate, install and maintain your corporate identity management system.
An anonymous reader posted to the Network World forum asking about the Identity Bus: "Using LDAP as the name or protocol for the Identity Bus makes it sound like a virtual directory to me. What would be the difference? How would an Identity Bus be different than a virtual directory?" A perfectly good question, which shows the interest in the concept, but also the need to explain it all just a bit better.
Back in March when I first mentioned the “Identity Bus” as introduced by Microsoft’s Stuart Kwan I also mentioned that the concept I preferred could be called an “Identity hub” - a system to transform protocols and data from one format to another. In some ways, that’s what a virtual directory does.
Boiled down to essentials, a virtual directory is a database of pointers to various data repositories. Many of those repositories are identity datastores (LDAP directories, x.500 directories, Active Directory, username/password stores, etc.) while others (financial databases, e-mail address books, inventory lists, etc.) are data items that can be associated with an identity while not actually being identifiers. The virtual directory presents a single view of all of the data while at the same time relating the various bits of information to a particular identity. It does this by translating a request (via LDAP, SQL, ?ML, etc.) into the native protocol of the datastore from which the request is ultimately being made. It then takes the result and packages it in a format the calling application will understand. (Compare Identity Management products)
The Identity hub would also take requests from applications and services, translate them to the native protocol of the datastore and send them to their destination. The reply would undergo a reverse operation to send the result back to the requesting application or service. That sounds very similar, doesn’t it?
The most important difference, though, is the knowledge inherent in the service (the virtual directory or the Identity hub). A virtual directory, at it’s heart, is what’s called a “join engine.” Before it can successfully operate it needs to know all of the identities throughout the system and know which identifiers refer to the same entity. In other words, it needs to know that dkearns, davek, and DAK all refer to the same entity: me. Thus, it can serve up data from all the authoritative sources about me, when requested to by someone or something with sufficient rights to view the data.
Dave Kearns is a consultant and editor of IdM, the Journal of Identity Management.
The Leader in Network Knowledge
Comments (5)
Identity Hub - Subset of Virtual directoryBy Anonymous on May 29, 2008, 11:32 amFirst of all I dont agree with the Virtual Directory definition given. I don't agree that virtual directory needs to know all the information about identities,...
Reply | Read entire comment
Re:not sure I get itBy Anonymous on May 29, 2008, 11:28 amIssue you are facing is related to global and consolidated identities and their unique identification. It's combination of data cleaning as well as virtualization. Identity...
Reply | Read entire comment
not sure I get itBy James on May 14, 2008, 2:02 pmI'm in a large global enterprise. One of the biggest problems we have is identifying users across systems as there's (to date) little conformity in how accounts...
Reply | Read entire comment
the ID bus/hubBy David Kearns on May 14, 2008, 12:16 pmAs I see it, the bus/hub isn't aware of the nature of the data (request, response, etc.) it reads the source protocol/schema and the target protocol/schema and performs...
Reply | Read entire comment
could you give some more detail?By Anonymous on May 14, 2008, 11:48 am"But when the reply to that request comes through it doesn’t recognize it as such, just as another request to re-package data and tokens within the right protocol." does...
Reply | Read entire comment
View all comments