External directory synchronization in identity management

September 12, 2011 by Igor Lozhkin
One of the main roles of an identity management system is to maintain and deliver user profile data. In contemporary web applications, user profile data is responsible not only for storing basic user information but also for managing user preferences, application-specific user configuration, user operational data, and data acquired from various directories, which are considered the primary source of user data for a specific set of users. As a real-time identity management system, Arnica UnifiedLogon supports scheduled synchronization of multiple sets of users derived from various directories such as Microsoft Active Directory, standalone databases, flat files, etc. This blog article reviews how Arnica UnifiedLogon provisions connections to multiple external directories and manages both intrinsic user profile properties and user properties obtained from the external directories.

Arnica UnifiedLogon stores user records in a Microsoft SQL Server database and provides both web service REST APIs and database APIs (views and stored procedures) to read and modify various user profile properties. UnifiedLogon maintains both its own user base and users derived from and synchronized with other directories, which are considered "external" in relation to UnifiedLogon but in many cases remain the primary data reference point. UnifiedLogon exposes the entire user base, so consuming applications do not have to take into account from which directory the properties of a particular user originated. For data synchronization, however, this distinction is important, and UnifiedLogon has the following four user properties for this purpose:
  1. EDProviderCode - reference to the external directory (ED) provider with which the user account is associated
  2. EDProviderUserName - identifier of the user in the external directory (for example, SAMAccountName in Microsoft Active Directory)
  3. IsEDSynchronizationEnabled - specifies whether the scheduled synchronization process updates the user account's properties
  4. IsEDAuthenticationEnabled - specifies whether the authentication process (user validation at the time of logon) uses the external directory's logon credentials and validation rules, or those of UnifiedLogon

Multiple external directories may be registered with UnifiedLogon, so different users may be associated with different external directories:


In the properties page of a specific external directory, Arnica UnifiedLogon provides tools to define bi-directional scheduled synchronization scripts (UnifiedLogon to external directory, or external directory to UnifiedLogon), as well as a logon request script, which is executed for user accounts configured to use external directory authentication:


Data synchronization scripts are usually executed on a scheduled basis, while the logon request script is executed only at the time of user logon.

In addition to the scheduled synchronization, which is executed for all users associated with a given external directory, administrators may choose to use near-real-time synchronization, executed per user at the time the user logs in by running logon scripts. The logon scripts are configurable through the logon page design environment.

By specifying whether a user account was originally created in UnifiedLogon or imported from a particular external directory and, for imported accounts, whether the account stays in sync with its original directory and whether UnifiedLogon delegates authentication requests to that directory, administrators may design various user integration solutions.


When a user is created in UnifiedLogon, the profile data architecture may take full advantage of UnifiedLogon's rich data options, regardless of whether the user is associated with an external directory. These data options are: standard and global custom fields, application user custom fields, the user configuration directory, and user-bound data stores. Even if a user is associated with an external directory, the synchronization process affects only a selected set of user properties from that directory; the rest of the user profile data stored in UnifiedLogon may far exceed what is maintained in the external directory from which the user account originated.
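The following toy model, added here and not Arnica's code, shows how the four ED properties drive the two decisions the article describes: whether the scheduled sync touches an account, and whether logon is delegated to the external directory. The directory contents, the `SYNCED_PROPERTIES` list and the plaintext credential check are constructed stand-ins for the real directory's data and validation rules.

```python
"""Toy model (added example, not Arnica code) of UnifiedLogon's four ED properties."""
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed external directory: EDProviderCode -> {EDProviderUserName: attributes}.
EXTERNAL_DIRECTORIES = {
    "CORP_AD": {
        "jdoe": {"DisplayName": "Jane Doe", "Email": "jdoe@corp.example", "Password": "ad-secret"},
    },
}
# Only these properties may be overwritten by the ED -> UnifiedLogon sync (assumed set);
# every other profile property remains owned by UnifiedLogon.
SYNCED_PROPERTIES = ("DisplayName", "Email")

@dataclass
class User:
    UserName: str
    EDProviderCode: Optional[str] = None
    EDProviderUserName: Optional[str] = None
    IsEDSynchronizationEnabled: bool = False
    IsEDAuthenticationEnabled: bool = False
    Profile: Dict[str, str] = field(default_factory=dict)
    LocalPassword: Optional[str] = None

def sync_user(user: User) -> str:
    """One scheduled ED -> UnifiedLogon pass for a single user; returns the outcome."""
    if not user.EDProviderCode or not user.IsEDSynchronizationEnabled:
        return "skipped"                       # local-only account or sync switched off
    directory = EXTERNAL_DIRECTORIES.get(user.EDProviderCode)
    if directory is None:
        return "unknown-provider"              # EDProviderCode not registered with UnifiedLogon
    record = directory.get(user.EDProviderUserName)
    if record is None:
        return "missing-in-ed"                 # keep the profile intact rather than blanking it
    for prop in SYNCED_PROPERTIES:             # copy only the selected properties
        if prop in record:
            user.Profile[prop] = record[prop]
    return "updated"

def authenticate(user: User, password: str) -> bool:
    """Logon request: delegate to the ED only when IsEDAuthenticationEnabled is set."""
    if user.EDProviderCode and user.IsEDAuthenticationEnabled:
        record = EXTERNAL_DIRECTORIES.get(user.EDProviderCode, {}).get(user.EDProviderUserName)
        # Stand-in for the directory's own validation; an absent ED record denies logon.
        return record is not None and hmac.compare_digest(record["Password"], password)
    return user.LocalPassword is not None and hmac.compare_digest(user.LocalPassword, password)
```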