12.17.2015 - LDAP Migrations Made Easy – Part 2

LDAP iconIn LDAP Migrations Made Easy – Part 1, we discussed several common migration challenges dealing with schema,  paging and Directory System Agents (DSA’s) that can easily be avoided by using a Virtual Identity Server. In this post we will cover several other challenges involving Directory Information Trees (DIT’s), Access Control Lists (ACL’s) and password migration and how to overcome them with the end result being an efficient, seamless and secure migration. ...

12.10.2015 - That Synching Feeling I Get From Cloud SSO

Single Sign-On is all the rage these days.  Organizations are looking to ease the hassles and expenses related to user passwords.  Single sign-on (SSO) is a user authentication process that permits a user to enter one name and password in order to access multiple applications.  This can help reduce the number of calls to a help desk for access issues, thereby reduce the operating cost for the organization.  The latest market trend is to take this a step further and leverage external companies for SSO.  By using products that offer SSO as software as a service (SaaS), an organization can greatly reduce the expense related to the management of these integrations. However, when an organization moves their SSO infrastructure into “the cloud” there are new risks to be considered. sinking feeling definiton ...

12.2.2015 - Bridging the OAuth2/SAML2 Divide, Part 2

In Bridging the OAuth2/SAML2 Divide, Part 1, we talked about how an identity broker can be used to bring OAuth2 and OpenID Connect into a SAML2 federated environment. We talked about how Optimal Federation and Identity Services (OFIS) can be used as a federation proxy to bridge OAuth2 and OpenID Connect to a SAML2 identity provider without requiring user identity information to be synced to the cloud. Let’s dive deeper into this and look at some of the important details. SAML-OAuth Divide First, unless you only have one identity provider you will need to have a means of determining where the user needs to go to for authentication. For the passive side of OAuth2 and Open ID Connect that is pretty straightforward. When the user is first redirected to the identity broker for authentication he is prompted to select the identity provider to be proxied to. Once the user enter selects the identity provider he is forwarded to that identity provider for authentication. This is referred to as Home Realm Discovery (HRD). ...


  • The database in which all of your organization’s sensitive identity data is stored.
  • A digital ledger in which digital transactions are recorded chronologically and publicly.
  • Securely managing customer identity and profile data, and controlling customer access to applications and services.
  • The means of linking a person's electronic identity and attributes, stored across multiple distinct identity management systems.
  • A legal framework that sets guidelines for the collection and processing of personal information of individuals within the EU.
  • The policy-based centralized orchestration of user identity management and access control.
  • An authentication infrastructure that is built, hosted and managed by a third-party service provider.
  • A security system that requires more than one method of authentication from independent categories of credentials to verify the user's identity for a login or other transaction.
  • A global provider of innovative and affordable identity access management solutions. 
  • Managing and auditing account and data access by privileged users.
  • Tools and technologies for controlling user access to critical information within an organization.
  • An authentication process that allows a user to access multiple applications with one set of login credentials.