Success Story: Media Company
Media Company Secures New Employee Portal
A large media company was planning to deploy a new employee portal for full-time and contingent staff. The portal's user identities resided in multiple disparate Active Directory (AD) domains, and the portal required additional information from the HR systems as well as application-specific attributes in order to provide a highly personalized experience. Because the portal aggregated resources from both internal and cloud-based systems, it was imperative to provide a secure site experience without compromising performance.
Additional Technical Challenges Included:
- A single user might have an account in more than one legacy domain
- Searching each legacy domain in turn for the correct user ID risked returning duplicate records and produced long response times
- The attribute values needed to join the user stores were in inconsistent formats
- Only a subset of the user base would be allowed to use Integrated Windows Authentication (IWA), and none of the directories contained an indicator flag for this permission
Our Solution
SDG solved these challenges with a solution integrating Radiant Logic Virtual Directory Server (VDS) and CA Single Sign-On. VDS gave SDG an abstraction layer over the data stores in which the join and normalization logic could be built without any changes to the back-end systems. CA Single Sign-On was then able to pull in VDS attributes for reference at authentication time. This architecture allowed for:
- A union of identity data between AD and the HR database.
- The creation of VDS Computed Attributes to manipulate data into the proper formats for user unification, authorization and authentication.
- A custom flag in the CA Single Sign-On header to indicate which users are eligible for IWA.
- The use of Persistent Cache to speed up authentication.
- Federation for cloud-integrated sites, allowing SSO into the HR portal for users managed by external identity providers.
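The following is an added illustration, not code from SDG, Radiant Logic or CA, of the unification logic the virtual directory layer performs in this architecture: a computed join key normalizes inconsistently formatted employee IDs, AD accounts from several domains are unioned with the HR record into one identity, records that cannot be joined are reported rather than silently merged, and the IWA-eligibility flag that none of the directories held is derived as a computed attribute. The sample directory entries, the eligibility rule (IWA-Users group membership plus full-time status) and the header names are constructed assumptions for the example; the real deployment expressed this logic as VDS computed attributes and CA Single Sign-On header responses, not as Python.

```python
"""Model of virtual-directory identity unification (illustrative example only).

Not Radiant Logic VDS configuration or CA Single Sign-On code; the data,
eligibility rule and header names below are constructed for the example.
"""
import re
from collections import defaultdict

# Constructed sample data. The same employee ID appears in different formats
# across stores ("E-00123", "00123", "123", "emp789"), which is exactly what
# made a naive join unreliable.
AD_DOMAINS = {
    "corp.example": [
        {"sAMAccountName": "jdoe", "employeeID": "E-00123", "memberOf": ["IWA-Users"]},
        {"sAMAccountName": "asmith", "employeeID": "00456", "memberOf": []},
    ],
    "legacy.example": [
        {"sAMAccountName": "jdoe2", "employeeID": "123", "memberOf": []},  # same person as jdoe
        {"sAMAccountName": "bwong", "employeeID": "emp789", "memberOf": ["IWA-Users"]},
        {"sAMAccountName": "svc-backup", "employeeID": "", "memberOf": []},  # no HR identity
    ],
}

HR_RECORDS = [
    {"emp_id": "123", "display_name": "Jane Doe", "worker_type": "employee"},
    {"emp_id": "456", "display_name": "Al Smith", "worker_type": "contingent"},
    {"emp_id": "789", "display_name": "Bo Wong", "worker_type": "employee"},
]


def normalize_emp_id(raw):
    """Computed join key: keep only the digits and drop leading zeros.

    "E-00123", "00123" and "123" all normalize to "123"; a value with no
    digits normalizes to "" and is treated as unjoinable.
    """
    return re.sub(r"\D", "", raw or "").lstrip("0")


def iwa_eligible(ad_entries, hr):
    """Computed attribute standing in for the IWA flag no directory carried.

    Assumed rule for this example: the person is a member of IWA-Users in at
    least one domain AND is a full-time employee according to HR.
    """
    in_group = any("IWA-Users" in e["memberOf"] for e in ad_entries)
    return in_group and hr["worker_type"] == "employee"


def build_virtual_directory(ad_domains, hr_records):
    """Union AD accounts from all domains with HR data on the normalized key.

    Returns (unified, problems): one entry per universal identity, plus a list
    of (key, reason) tuples for records that could not be joined cleanly.
    """
    problems = []

    hr_by_key = {}
    for rec in hr_records:
        key = normalize_emp_id(rec["emp_id"])
        if key in hr_by_key:
            problems.append((key, "duplicate HR record"))
        hr_by_key[key] = rec

    ad_by_key = defaultdict(list)
    for domain, entries in ad_domains.items():
        for entry in entries:
            ad_by_key[normalize_emp_id(entry["employeeID"])].append({**entry, "domain": domain})

    unified = {}
    for key, ad_entries in ad_by_key.items():
        hr = hr_by_key.get(key) if key else None
        if hr is None:
            # Never fabricate an identity for an account HR does not know about.
            problems.append((key, "AD account(s) without HR record"))
            continue
        unified[key] = {
            "uid": key,  # the universal identity across all domains
            "displayName": hr["display_name"],
            "workerType": hr["worker_type"],
            "accounts": [f"{e['domain']}\\{e['sAMAccountName']}" for e in ad_entries],
            "iwaEligible": iwa_eligible(ad_entries, hr),
        }

    for key in hr_by_key:
        if key not in ad_by_key:
            problems.append((key, "HR record without AD account"))
    return unified, problems


def sso_headers(identity):
    """Attributes the SSO layer would read from the virtual directory at
    authentication time and pass to the portal. Header names are assumptions
    for this example, not CA Single Sign-On defaults."""
    return {
        "X-Portal-UID": identity["uid"],
        "X-Portal-Worker-Type": identity["workerType"],
        "X-Portal-IWA-Eligible": "true" if identity["iwaEligible"] else "false",
    }


if __name__ == "__main__":
    unified, problems = build_virtual_directory(AD_DOMAINS, HR_RECORDS)
    for uid, ident in unified.items():
        print(uid, ident["accounts"], sso_headers(ident))
    for key, reason in problems:
        print("PROBLEM:", repr(key), reason)
```

The point of the `problems` list is the caveat a practitioner should keep in mind with any identity join: a record whose key cannot be normalized or has no counterpart in the authoritative store must be surfaced for review, not silently merged or dropped, since a bad join here becomes a wrong authorization decision at every downstream application.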
The new directory and security infrastructure proved to be a winning combination for the media company. A universal user identity was established for all internal employees and contractors. Authentication times were kept to a minimum and, going forward, business solutions can be delivered faster and more cheaply thanks to the flexibility of the virtual directory.