www.novell.com

DirXML™ Competitive ComparisonsDirXML™ Competitive Comparisons

Ed AndersonDirector, Product ManagementNovell, Inc.eander@novell.com

Joe SkehanProduct ManagementDirectory Services and ProvisioningNovell, Inc.jskehan@novell.com

Vision…one NetA world where networks of all types—corporate and public, intranets, extranets, and the Internet—work together as one Net and securely connect employees, customers, suppliers, and partners across organizational boundaries

MissionTo solve complex business and technical challenges with Net business solutions that enable people, processes, and systems to work together and our customers to profit from the opportunities of a networked world

Agenda

• Market Segmentation

• Technology Components

• Market Competitors

• Novell DirXML

ag

end

a

MarketSegmentation

EnterpriseApplicationIntegration

Meta-directory

Provisioning

DirXML

Market Segmentation

Enterprise Application Integration (EAI)

• Data oriented• Been around for a while• Very expensive (lots of consulting required)• Characterized by XML and other standards

• Square peg in a round hole…

Players Middleware Application Server Platform Custom Consulting

Meta-directory

• Consolidation of directory data (identity) to a central repository

• Most directory products have an associated meta-directory component

• Typically based on rote synchronization

Players Microsoft iPlanet Critical Path Siemens Maxware Metamerge

Provisioning

• Automatic account creation, deletion, and modification based on business policies

• Usually includes workflow• Auditing and reporting• Digital access rights and permissions are also

provisioned• Most support batch imports from HR systems

Players Access360 Business Layers

Novell DirXML

• Plays in all three segments EAI

• Integration of identities across applications• Complimentary with general-purpose EAI solutions

Meta-directory• Consolidation and reconciliation of common data into a

central repository Provisioning

• Use of workflow rules to define the behavior of integrated systems

• An extension to eDirectory Uses the event system and data replication engine

• Can connect to any system Connects without requiring a change to the existing

application or deployment topology

• 100% Standards-based

TechnologyComponents

Key Components

• Workflow• Reporting and Auditing• Management• Persistent Join• Real-time• Standards• Bi-directional synchronization• Connector suite• Extensibility co

mponents

Workflow

• Workflow pertains to five activities Design

• The tools that visually map out the provisioning process• This is where the business processes are represented

Initiation• From where an add, modify, or delete event is initiated

Escalation• Suspending the data operation to acquire approval before

proceeding with the operation Tracking

• The status of any operation can be extracted from the workflow process

Enforcement

Reporting and Auditing

• Status Current status on connector state Current status on provisioning process

• Auditing Data collection Logging Alerts Reporting Data analysis Policy enforcement

Reconciliation This function points out the differences between connected

systems

Management UI

• Web-based Accessible anywhere Administrators can’t be tied to an

office

• Real-time Up-to-date views

• Design interfaces Lay it out Model it Export it Configure it

Persistent Join

• Join engines combine data elements from different data sources

A ‘join’ is the same concept as that used in the database world

• The ‘joined’ data constitutes the ‘meta-data’• Meta-data stored in a directory constitutes the meta-

directory• Persistent join

Joined data committed to disk Exposed through an intermediate method (meta-directory)

• Non-persistent join Synchronize common attributes within the data elements but

don’t expose the joined data anywhere

Real-time (Event Driven)

• Push Events are generated by one location and then

pushed to all applications

• Pull Events are detected in the applications and

then pulled to a central meta-directory

• Bi-directional Events are detected at all points pulled to a

central join engine, and then redistributed out to all other applications

Good

Bad

Bad

Standards

• Application interfaces Some are standard, some are not…all moving to XML

• Protocols Important for remote connectivity LDAP is critical, LDIF can be useful HTTP/SSL and IP generally

• XML Many flavors (vocabularies) DSML—watch for an increased role for DSML SAML—security federation between systems will rely on

SAML in the future SOAP—Web Service enablement of integration will also

be important

Bi-directional Data Synchronization

Novell DirXML

Connectors

• Database• Platform• Application• Directory• Messaging• Security• Device

Extensibility

• Developer tools SDK

• Tools• Documentation• Validation

Scripting, default configuration, exception handling

• XML The Universal Connector

• LDAP• File-based synchronization

Market Competitors

Provisioning Landscape

NovellAccess360Business Layers

• DirXML, Identity Provisioning• eRole• eProvision, Day1

Access360enRole

Things they did right…• Workflow integrated• Web-based access and management• Sets security attributes in applications• Accommodates user self-serviceThings to watch out for…• Forces all passwords to be set to the same value• Available only on Solaris• Changes are synchronized uni-directionally• No security offering for authentication or SSO• Access360 must develop all connectors…the system is

only extensible by Access360

Business LayerseProvision Day1

Things they did right…• Good point solution for managing employees• Graphical workflow• All management web-based• Works well in a Microsoft environmentThings to watch out for…• Tied to Windows, won’t work with other platforms

Completely dependent on COM

• Changes must originate from the BL console Except for PeopleSoft, the exception

• Changes are synchronized uni-directionally• Limited connectors, no developer tools

Meta-Directory Landscape

NovellMicrosoftiPlanetCritical PathSiemensMetamergeMaxware

• DirXML• Microsoft Meta-directory Services• Directory Server, Integration

Edition• Meta-directory Server• DirXmetahub• Integrator• DSE

MicrosoftMeta-directory Services (MMS)

Things they did right…• Good management interfaces• Free (product only)Things to watch out for…• Works only on Windows• Uses a proprietary scripting language for coding

connectors• Requires an expensive consulting engagement• Not really integrated with Active Directory

Uses an intermediate data store (meta-views)

• Requires a common key for the join• Limited connectors, only mainstream applications

iPlanetDirectory Server Integration Edition

Things they did right…• Strong use of LDAP, directory integration• Licensed code from ISOCORThings to watch out for…• Hasn’t seen development until recently• Limited connectors, connector development is very

difficult• Limited platform support• Requires a common key between applications• Weak supporting programs

Consulting, technical support, developer support

Critical PathCP Meta Directory

Things they did right…• Acquired product from ISOCOR• Good management and configuration tools• Works with any LDAP serverThings to watch out for…• Forces all data to a directory view, not a good fit for

provisioning• Limited use of XML• Limited platform support• No way to implement business logic (outside of

consulting)• Custom translators must be built for all connectors

SiemensDirXmetahub

Things they did right…• Strong use of LDAP, directory integration• Good platform support• Pretty good management utilities• Good granularity of controlThings to watch out for…• Limited presence in North America• Data synchronization uses intermediate files to move

data• Based on IBM MQ-Series• Confusing product line• Uses Tcl as the scripting language

MetamergeIntegrator

Things they did right…• Event-driven• Integration with other message bus technologies• Good platform support• Good support for rules and transformationsThings to watch out for…• More like an EAI solution• No consolidated, persistent view of joined data• Separate connectors are required for bi-directional

synchronization• Focused on directories, databases, and HR applications

MaXwareData Synchronization Engine (DSE)

Things they did right…• Good integration of business logic during

synchronization• Directory agnostic• Provides a persistent, joined view of the dataThings to watch out for…• Uses an intermediate state for a two-stage

synchronization• Computes the “join” during each event (no indexing)• Limited connectors, connector development is very

difficult Limited to directories and databases only

Novell DirXML

The One Net FoundationNovell eDirectory

Novell eDirectoryNovell eDirectoryNovell eDirectoryNovell eDirectory

Identity Repository• Enforces policy through complex data relationships• Defines identity data through schema• Stores identity data in a scalable database and manages

the stored data• Organizes identity data in a hierarchical namespace• Distributes data through advanced replication• Provides access to data through standard protocols and

APIs• Controls access to data using authentication and

authorization• Secures identity data in storage and during transactions

eDirectoryeDirectoryeDirectoryeDirectory

Identity Integration(Integrated policy)

Micro

soft

Applic

atio

ns

Mes

sagi

ng

Applic

atio

ns

ERP

Applic

atio

ns…

DirXMLDirXMLDirXMLDirXML

Identity Repository(Policy)

Identity Identity ProvisioningProvisioning

Identity Identity ProvisioningProvisioning

Business Policies and PracticesBusiness Policies and PracticesBusiness Policies and PracticesBusiness Policies and Practices

Identity Management

Identity Management

DelegatedDelegatedAdministrationAdministration

DelegatedDelegatedAdministrationAdministration

User Self-User Self-ServiceService

User Self-User Self-ServiceService

Novell DirXML

• Workflow Graphical workflow will be available this fall

(Provisioning) Implements policy-based workflow in the

DirXML engine

• Reporting and Auditing DirXML now includes advanced logging (data

collection) DirXML events can be collected and audited

through a standard auditing facility (NAAS)

• Management DirXML includes a graphics management and

configuration utility available through iManager

Novell DirXML

• Persistent Join All data is represented in eDirectory in its “joined”

state

• Real-time Change events are detected real-time in

eDirectory and in the connected application

• Standards DirXML uses XML, DSML, LDAP, IP/SSL DirXML interfaces and data formats were

submitted to the W3C as DSML 2.0

• Bi-directional synchronization Authoritative data source(s) are enforced All communication is bi-directional Individual attributes can be managed separately

Novell DirXML

• Connectors

• Active Directory• eDirectory• NT Domain• LDAP• iPlanet• Critical Path• SecureWay• Exchange• Notes• GroupWise

•Delimited Text•PeopleSoft•SAP HR•Oracle•DB/2•SQL Server•Informix•x.500

Plus many others…

Novell DirXML

• Extensibility Training / Education Sample Code Developer Kit Driver emulation Developer support

http://developer.novell.com/dirxml

Conclusions

• Novell DirXML is the best choice for identity integration• DirXML has more features than any other product• No modifications are required to work in the existing

environment• DirXML integrates with everything• DirXML provides immediate return-on-investment• All the tools are available to make DirXML extend to

support any environment• Novell provides all the back-end programs and

services to ensure that DirXML will successfully solve any problem