Please stop by the Optimal IdM booth at this year’s The Experts Conference in Los Angeles.  We will be showing our new Virtual Identity Server integration with SharePoint 2010 and as always happy to answer your questions on virtual directory technology or any other identity management topic.  In addition, don’t miss Monday’s lunch session “Virtual Directory Q&A Session – Best Business Use Cases for a Virtual Directory“, and Mike Brengs session “Rapidly Deploying SharePoint Case Study“, which is slotted for 1:30 PM on Tuesday.

See you at the show and hope you don’t get delayed by the Volcano in Iceland!

So I am getting back on to the blogging bandwagon... Why?

A primary reason is that in any given day I seem to get asked similar questions by partners, prospects and partners. Of course getting asked the same question isn't necessarily a bad thing, but it does indicate that these folks (and I am sure others) don't know the answer. I am sure there are a whole other group of people who have the same question but never ask the question.

So I hope to cover from time to time some of the "FAQ's" on not only our product the Virtual Identity Server http://www.optimalidm.com/vis/, but also virtual directory questions and how they relate to other areas of identity management.

Along those lines today, I am posting this blog entry to highlight a new white paper available on our website today. The title is "When to Synchronize, Virtualize and Federate data in the Enterprise" and can be on our website here:

http://www.optimalidm.com/products/VIS/Downloads.aspx

It is basically a summary of a session I did a few years ago at The Directory Experts Conference (now The Experts Conference http://www.theexpertsconference.com/). Optimal IdM is a Gold Sponsor this year, so please do stop by and see us at the show April 25th to the 28th in Los Angeles.

Comparing these technologies and figuring out when to use which is still one of the most frequently asked questions that I see. This white paper doesn't dive into all of the details, but does give you the highlights. If you are interested in diving into this in more detail, then you will want to attend one of our upcoming Webinars that we are doing on this topic. Check out our website http://www.optimalidm.com/ or drop me a note if you are interested.

BTW - I should point out that any decent sized enterprise likely needs to leverage ALL of these technologies. I am not the only one saying this, but more on that later.

Optimal IdM recently released a video showing just how easy it is to install and configure the Virtual Identity Server. The video takes just 5 minutes, mainly because, well, that’s all the time you need. So, I was beginning to think about things that you can’t do in 5 minutes. Here’s just a snippet of my list:

• Smoke a cigarette
• Wash your car
• Take a shower
• Make Breakfast (toast doesn’t count)
• Drink a cup of coffee
• Commute to work (well, this one wouldn’t apply to telecommuters) – Heck, I’ve seen red-lights that last 5 minutes!!

My point here is that it’s incredible to think of how easy we made the installation and configuration of VIS. This allow our clients the ability to spend more time on planning and thinking of just how to benefit from this technology, and less time thinking/worrying about how to get the darn thing to work (out-of-the-box). Be sure to check out some of the other videos in our growing collection.

As more and more people are learning about Virtual Directories, they are asking better questions, so I decided to address them in my “Top 10 Laws of a Virtual Directory”. This blog is Part I (Laws 1-5). Stay tuned for Part II (Laws 6-10).

Law I: A Virtual Directory MUST REDUCE complexity: If you find your Virtual Directory deployment seeming to be somewhat complicated, then you either:

• Selected the Wrong Virtual Directory vendor
• Did not implement the solution correctly
• Both of the above

Law II: A Virtual Directory MUST NOT create more issues than it solves: Yes, there are Virtual Directories on the market that set out to solve problem “x”, but in turn while doing so, create problems “y” (and sometimes “z”).

Law III: A Virtual Directory SHOULD NOT be asked to solve ALL identity related issues: For some odd reason, people feel the need to “compare” Virtual Directories with synchronization or federation, then saying which is better. Each has its own pros and cons and should be used in the right situation. There is no “silver bullet”, especially in the Identity Management space.

Law IV: A Virtual Directory SHOULD NOT take long to deploy: When selecting the right Virtual Directory for you, be careful if you are using a System Integrator (SI). VIS can be deployed in as little as a few hours and normally no more than a few days (depending on the span of the project). SI’s are only after deploying (and therefore recommending) products that increase their billable time. They are often times NOT interested (i.e. incentives), on necessarily recommending the “best” solution for a given client. Sad, but true.

Law V: A Virtual Directory SHOULD NOT increase administration costs: A Virtual Directory that requires you to hire more people just to manage/maintain it…is a bad choice. In actuality, a “good” Virtual Directory (like VIS of course), should effectively “decrease” administration costs. VIS does this through compliance and automation elements that are built into the product. Another example is the tight integration that VIS has with SharePoint. Don’t be afraid to ask your vendor (and their references) how much administration is needed.

Please watch for Part II in this series for Laws 6-10…

Bob Bobel from Quest posted an interesting blog today, posing the question “Why are Multiple Directories Deployed and Virtual Directories Ignored?“. Basically stating that based on the concept of what a Virtual Directory provides, that everyone should have one (or want one). In his quest to find out why clients don’t have or don’t use a Virtual Directory, his general feedback was that “it just doesn’t fit our needs”.

Hmmm, that’s interesting that this would be the hightlighted response. In our experience, when talking with organizations (with multiple LDAP’s), most people really don’t know what a Virtual Directory is and exactly what one can do for them (although, they don’t want to seem behind on new technology, so they say things like “it just doesn’t fit our needs”).

It really all boils down to the lack of education on this emerging technology and the fact that there really isn’t much information on how they work or where to truely discover the benefits. When Microsoft comes in to help a client solve technical challenges around LDAP (AD, AD-LDS, Multiple-Domains/Forest, etc.), they mostly won’t recommend technology that they don’t have to sell. So clients miss out on opportunities to get educated on newer technologies that can help in certain situations. For example, Microsoft will almost always recommend to synchronize instead of virutalize, because that’s all they know and sell. Makes sense to me, but the client loses here by not always using the right tool for the job. Take a look at this for a quick guide to using a Virtual Directory.

Anyway, I look forward to part II of Bob’s blog on this topic.

Well it is time to dive right in to this blogging thing with a topic that always seems to come up with virtual directories and that is the subject of caching. It always seems to be a lively debate/discussion, so here are a few of my thoughts on two of the most common questions.

Question 1: Do you need to cache data with a virtual directory?

Being a consultant for many years, I have to give it my stock answer (and the right one IMHO) and that is "it depends". As with any application or system you are designing, the requirements and the environment should dictate the design. For example, some of our clients use the Virtual Identity Server for SharePoint edition of our virtual directory to quickly and easily stand up a SharePoint instance that can authenticate people from an External Active Directory forest and an Internal Active Directory Forest. For this type of cross-forest authentication deployment, there is probably not a need to cache this persistently or in memory.

Question 2: If needed, does this cache NEED to be persisted?

I know of one virtual directory vendor that is adamant that cache MUST be persisted. Yes there are times when a cache should be persisted, but saying that the cache always needs to be persisted just doesn't make sense to me. Perhaps they need to persist cache to overcome performance problems in their core engine and can't run sufficiently without it.

Yes, I believe a virtual directory should support both memory and persistent caching, but more importantly it should be architected correctly within the product and not be a hack add-on just to have a check mark on the features list. Keeping track of what each vendor supports can get confusing and sometimes it is misstated.

Mark Wilcox for example, posted in his blog that "OVD does provide a Cache plug-in that is granular - you can apply it globally or per adapter. It also doesn't require any other data-store (or software license, neither of which our competition can currently claim)."

While our Virtual Identity Server (VIS) virtual directory is focused on the more Microsoft centric shops, we are a virtual directory and therefore I suppose a competitor to OVD. With that said, the statement is not true. VIS does not require a separate data-store or software license to use caching. In fact, VIS doesn't require the installation of a custom plug-in to support caching. It is built right into the core engine and is a simple point and click configuration change in the GUI. VIS supports caching not only globally and per connection, but optionally down to which object classes you want to cache.

I think Matt Flynn sums it up well when he closes his post on the subject with, "My opinion is that it's a nice feature to have in the tool bag when needed, but it's not always needed."

Greetings everyone. My name is Mike Brengs and I am a Managing Partner at Optimal IdM, a software and consulting company based in the greater Tampa Bay Florida area that specializes in identity management. We are also the developers of the Virtual Identity Server, which is a Microsoft .NET LDAP Virtual Directory.

This is the first of what hopefully will be many blogs that I post. Why am I blogging? Good question and I am glad that your reading. The old tree falling in a forest quandary comes to mind... One of the reasons I am writing is because I am the "resident IdM evangelist" at Optimal IdM and along with that job I spend part of my time doing workshops, speaking engagements, etc. This extra role suits me well because for those of you who know me, know that I do tend to speak my mind.

Of course speaking publicly on a subject matter where I have some expertise is one thing. Going on the record and posting your thoughts and beliefs for everyone to read is quite another. This must be how politicians feel, where words can be taken out of context and scrutinized. Hopefully I won't make to many goofs and if I do can find some syrup for my waffling. Almost daily I will see a blog posting, read a newspaper article, or talk to a customer or analyst and think to myself; "If I had a blog, that sure would be a good post..." So in the end, I believe I have some thoughts and comments that a few of you out on the Internet might want to hear and find valuable.

One of the main areas that I will focus on is LDAP Virtual Directories (our Virtual Identity Server product is an LDAP Virtual Directory). As I talk to people, I find that many people are either not familiar with or have the wrong understanding of what an LDAP Virtual Directory is or how this can be applied to solving real problems for organizations. I am always amazed when I talk to our customers at the unique ways they are using the technology and in the end I hope you will too.

So I hope you will enjoy reading my blog and find it useful and informative. If you don't like my blog, then please send me your name, Social Security number, date of birth, Mother's Maiden Name and your Bank Routing Information. I will issue a refund of your monies paid immediately.