New Brunswick conquers identity management with virtual directory

What started as a single provincial department's effort to roll out a virtual directory now helps government employees and citizens access about 150 applications. Find out how New Brunswick solved what could otherwise have been a big federated identity management problem.


The Province of New Brunswick has made federated identity services a key component of its interagency identity management service, which provides the gateway to dozens of applications.

Service New Brunswick (SNB), a provincially owned corporation, serves as the primary identity provider for government services in the province. SNB provides more than 200 services to the public on behalf of multiple government departments. The organization provides over-the-counter services at office locations, operates a call center and offers online services.

SNB uses Radiant Logic's RadiantOne, a federated identity technology, to pull together disparate directories into a single location for application authentication and authorization. Radiant Logic includes a meta, local and virtual directory within its federated identity offering. The company refers to the virtual directory component as VDS.

The federated identity service operates within a CA Technologies identity management environment, which includes SiteMinder, for single sign-on and identity access management, and CA Directory.

Today, VDS facilitates access to about 150 applications, including 25 to 30 major line-of-business applications and gBIZ, a framework that lets citizens conduct a range of government transactions online.

"It definitely became a much bigger piece of our identity management platform than we anticipated," says Nick Bishop, technical strategist with SNB.

Identity Management Effort Starts Small, Gains Steam

Initially, SNB deployed VDS to support the New Brunswick Department of Health. The department purchased an off-the-shelf application as the foundation for its Patient Access to Quality Care system. The system lets doctors and external service providers working with patients in rehabilitation centers view patient profiles and share case notes. Patients can access the system as well.

The application involved many different user communities and different directories, but it would only accept a single Lightweight Directory Access Protocol (LDAP) source and a single authorization group. The Department of Health came to SNB for advice – and that's when the agency began looking for a virtual directory.


Bishop says SNB evaluated four or five products and selected RadiantOne. The software stood out as a purpose-built federated identity service that included a virtual directory. Other products required configuring different options in order to serve as just a virtual directory; the virtual directory function "was a secondary use of the other products," he notes.

RadiantOne federated identity service integrated the identity information from the various directories, so the Patient Access to Quality Care application could leverage a single source of identity data. Other Department of Health applications have since signed on for use of RadiantOne.

From its foothold in the Department of Health, the federated identity service eventually took on an extended role within SNB and the province. While SNB was evaluating virtual directory technology, the province was in the midst of an identity management system overhaul. The new system brought with it a new way of authenticating apps.

However, Bishop says, the updated method introduced backward compatibility problems with many applications. So SNB asked Radiant Logic for assistance. The vendor came back with code, which Radiant Logic calls an interception script, to rectify the problem.

The interception script executes when VDS receives an identity data request from an application. The code makes sure the identity data is translated from the original format, schema and protocol into the specific format, schema and protocol the application can understand. This process allows normally incompatible identity sources and applications to communicate without the need to create, provision, maintain, and audit another identity store just for the application, according to Radiant Logic.


The fix helped SNB avoid hours of work modifying applications to deal with the new identity management system, Bishop says. "It saved us a lot of time and effort. We didn't have to go back and rework the applications."

Even if the changes had turned out to be minimal, SNB would still have faced the task of changing and testing 150 applications to work with the new authentication model. Bishop says SNB didn't estimate the resulting cost avoidance, but notes that the rework job would have taken four to six months at a labor rate of between $80 and $100 an hour (Canadian) and easily run between $54,000 and $100,000 to complete.

Federated Identity Management Grows With Infrastructure Layer

Dieter Schuller, vice president of sales and business development at Radiant Logic, says identity management systems that aren't able to present user information to the applications with the right schema, structure and protocols face a huge problem. In New Brunswick, Radiant Logic's technology provided an infrastructure layer that could connect SNB's various directories.

"They needed a layer that took what they had and made it usable by all the applications that needed to access user information," he says.

Schuller says SNB is fairly typical of the federated identity technology customers he sees in the market. "A lot of our government customers ... are experiencing the same set of issues," Schuller says, adding that commercial businesses face similar identity integration problems, too.


Against that backdrop, the federated identity service has evolved into an intermediary software layer in SNB's identity management system. When an app requests identity data, SiteMinder points to RadiantOne and the VDS pulls together all of the directory sources. Those include Microsoft's Active Directory, CA Directory and a SQL Server database. SNB's Active Directory deployment, for internal users, consists of one forest and 10 domains. CA Directory is for external users, while the SQL Server database contains metadata regarding user roles.

Virtual directories, in general, aim to mask the complexities of identity management. Nick Nikols, a research director at Gartner, says identity data may be stored in a format that isn't particularly user friendly. A virtual directory, he says, "can abstract away from that and generate a view that makes it easier to consume."

The role of the virtual directory is to aggregate the data stored in different identity repositories, Nikols adds. That way, an application doesn't have to go to each source to obtain the information.
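To make the aggregation and the interception-style rewrite concrete, here is an added Python model of the two ideas the article describes: joining an Active Directory-style source, a CA Directory-style source and a SQL role table on a common key, then presenting the result in the flat schema an application like the Patient Access to Quality Care system expects (one base DN, one authorization group). This is illustrative code written for this page, not Radiant Logic's or SNB's; every record, DN, attribute choice and function name is constructed for the example. It also shows two checks a practitioner would want in such a layer: a disabled account in one backend must not end up in the authorization group, and a login name that exists in two backends is a join collision that should fail loudly rather than let one source silently shadow the other.

```python
"""Toy virtual directory: join three constructed backends into one LDAP-style
view and derive a single authorization group per application.

Added illustration for this article; not Radiant Logic or SNB code. All
backend records, DNs and attribute names below are constructed."""

ACCOUNTDISABLE = 0x2  # bit in Active Directory's userAccountControl

# Constructed Active Directory style entries (internal users, several domains).
AD_USERS = [
    {"dn": "CN=jsmith,OU=Users,DC=health,DC=example,DC=ca",
     "sAMAccountName": "jsmith", "mail": "jsmith@example.ca",
     "userAccountControl": 512},
    {"dn": "CN=bdoe,OU=Users,DC=snb,DC=example,DC=ca",
     "sAMAccountName": "bdoe", "mail": "bdoe@example.ca",
     "userAccountControl": 512 | ACCOUNTDISABLE},  # disabled in AD
]

# Constructed CA Directory style entries (external users, inetOrgPerson schema).
EXTERNAL_USERS = [
    {"dn": "uid=provider01,ou=external,o=example",
     "uid": "provider01", "mail": "provider01@clinic.example"},
]

# Constructed SQL role rows: (subject, application, role).
ROLE_ROWS = [
    ("jsmith", "paqc", "physician"),
    ("bdoe", "paqc", "physician"),
    ("provider01", "paqc", "external_provider"),
    ("jsmith", "payroll", "employee"),
]


def collect_subjects(ad_users=AD_USERS, external_users=EXTERNAL_USERS):
    """Join the two directories on the login name and normalise the
    'enabled' state. A key present in both backends is ambiguous, so the
    view refuses to build instead of letting one source win silently."""
    subjects = {}
    for e in ad_users:
        subjects[e["sAMAccountName"]] = {
            "source": "ad", "mail": e["mail"],
            "enabled": not (e["userAccountControl"] & ACCOUNTDISABLE)}
    for e in external_users:
        if e["uid"] in subjects:
            raise ValueError(f"join key collision across backends: {e['uid']}")
        subjects[e["uid"]] = {"source": "ca", "mail": e["mail"], "enabled": True}
    return subjects


def app_group_dn(app):
    """The single group an application is configured to authorise against."""
    return f"cn={app}-users,ou=apps,o=vds"


def build_virtual_view(app, ad_users=AD_USERS, external_users=EXTERNAL_USERS,
                       role_rows=ROLE_ROWS):
    """Rewrite the joined data into the flat schema a legacy app expects:
    one base DN, uid, mail, and one memberOf value derived from the role
    table. Disabled accounts keep their entry but never get the group."""
    roles = {subj: role for subj, a, role in role_rows if a == app}
    view = {}
    for uid, s in collect_subjects(ad_users, external_users).items():
        entry = {"dn": f"uid={uid},ou=people,o=vds", "uid": uid,
                 "mail": s["mail"], "memberOf": []}
        if s["enabled"] and uid in roles:
            entry["memberOf"].append(app_group_dn(app))
            entry["appRole"] = roles[uid]
        view[uid] = entry
    return view


def search(view, attr, value):
    """Minimal LDAP equality search over the view, e.g. the (memberOf=...)
    lookup an application performs after a successful bind."""
    hits = []
    for entry in view.values():
        v = entry.get(attr)
        if v == value or (isinstance(v, list) and value in v):
            hits.append(entry)
    return hits


def is_authorized(app, uid):
    """What the application itself checks: is uid in the app's one group?"""
    view = build_virtual_view(app)
    return any(e["uid"] == uid
               for e in search(view, "memberOf", app_group_dn(app)))


if __name__ == "__main__":
    for uid in ("jsmith", "bdoe", "provider01", "nobody"):
        print(f"paqc {uid}: {is_authorized('paqc', uid)}")
```

The application only ever sees `ou=people,o=vds` and `cn=paqc-users,ou=apps,o=vds`, which is the "single LDAP source and single authorization group" constraint from earlier in the article; where the data originated, and which backend holds the account status, is hidden behind the view. The price of that convenience is that the join logic becomes the authorization authority, which is why the disabled-account and key-collision checks belong in the layer itself rather than in each application.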

SNB's RadiantOne deployment focuses on the virtual directory, joins and interception scripts, but it may move into Web services as well. SNB has been using its own Web services to provide information to applications. Bishop says SNB conducted a side-by-side comparison of its Web services with Radiant Logic's and found the out-of-the-box services handled about 95 percent of what its custom services could accomplish.

This story, "New Brunswick conquers identity management with virtual directory," was originally published by CIO.
