Enterprise Proven Metadirectory Solution
In order to meet today's stringent security and regulatory compliance requirements, organizations must maintain accurate directory information and be able to link disparate application user identities with the actual people who use them. Dot Net Workflow solves the identity correlation and data synchronization challenge with a robust relational database-driven metadirectory and synchronization platform. Dot Net Workflow's metadirectory synchronizes common information between directories, systems, and applications, including AD, LDAP, HR, ERP, database applications, and custom applications.
Dot Net Workflow is a rich metadirectory platform that offers traditional information synchronization as well as virtual directory access, role-based entitlement management, and external authorization and authentication for applications. Metadirectory Services within the Dot Net Workflow platform provide the following functions and features:
Multi-Faceted Metadirectory
The Dot Net Workflow metadirectory serves three primary functions - it is a traditional metadirectory, an RBAC metadirectory, and a Federation Identity Provider directory:
- Traditional Metadirectory - as a traditional metadirectory, it maintains information gathered through an inventory process concerning people and the accounts they own in managed directories. The Dot Net Workflow identity correlation engine is used to determine ownership mappings, which are stored in the metadirectory for reporting purposes, and to determine the proper processing of attribute flow between a person's multiple user accounts when a change occurs to one of them.
- RBAC Metadirectory - as an RBAC metadirectory and entitlement management policy repository, the Dot Net Workflow metadirectory stores information gathered during the inventory of managed systems, including: the resources that exist, the rights assignments for these resources as assigned in the managed systems, and the definitions of these rights (or roles) used by that system. In addition to storing this managed system RBAC information, the metadirectory stores Dot Net Workflow RBAC information, such as the definition of Dot Net Workflow roles, role assignments for managed system resources, business location structures for delegation, dynamic RBAC policies for provisioning or de-provisioning resources, and all other RBAC policies and settings. Based on native system permissions and RBAC policies, the Dot Net Workflow always knows who has access to specific resources.
- Federation Identity Provider Directory - as an IDP directory, the Dot Net Workflow metadirectory maintains a Person object for each person who uses or is managed by the system and anchors any accounts that a person may own in foreign systems (including Cloud SaaS Apps) to that one Person object. This provides full reporting and management capabilities across all systems. The Person object is what authenticates a user into the Dot Net Workflow system, allowing them to perform any tasks authorized by their security assignments as well as permitting SSO to other trusted systems. A person may authenticate via many flexible methods, including authenticating with their managed accounts against the managed systems themselves, federated SAML single sign-on, federated WS-Fed single sign-on, Windows integrated authentication, X.509 certificate-based authentication, and OpenID authentication. The Dot Net Workflow Identity Provider directory can be used by any application that supports SAML or WS-Fed authentication, the .NET Membership and Role Provider model, or applications that can be customized to authenticate via web services.
The Dot Net Workflow metadirectory is extensible, allowing organizations to define their own types of protected resources, rights definitions, roles, and policies. All information stored in the metadirectory, including that gathered from managed systems like Active Directory, as well as the calculated information of who has access to what, is made accessible in the many out-of-the-box reports provided by Dot Net Workflow. In addition, the Workflow Studio report designer allows new reports to be created that capture and display metadirectory information in any way meaningful to an organization.
Metadirectory White Pages
Up-to-date and easily accessible directory information increases productivity by simplifying employee communications and collaboration. EmpowerID solves the challenge of providing accurate and current information by leveraging the detailed information contained in the metadirectory to provide friendly and interactive end user interfaces for viewing and managing this information. Existing pages can be customized or new ones can be created from scratch using the Workflow Studio page designer. Any information stored in the metadirectory is available for use in any custom pages created, and the resulting friendly interfaces are accessible as web pages, Silverlight applications, and rich Windows Presentation Foundation applications.
Scalable Multi-Instance Synchronization Engine
Data synchronization is an essential aspect of a comprehensive Identity Management platform. The Dot Net Workflow synchronization service is a distributable and scalable multi-instance 64-bit Windows Service capable of handling the largest and most demanding environments. The synchronization service leverages the Dot Net Workflow base agent platform, which adheres to a next-generation web services model. This allows any number of agents to run in parallel, to be distributed across firewall boundaries with secure, encrypted web services communication, and to perform automatic load balancing and failover. Sync agents can reside in any location to optimize deployment for on-premise or cloud-based environments.
Flexible Attribute Flow Rules and Change Tracking
Dot Net Workflow sync agents monitor the changes to attribute values that take place in managed directories during the inventory process. Changes to user accounts update the user account information stored in the metadirectory and are evaluated against any attribute flow rules to determine what course of action should be taken on a per-directory and per-attribute basis: updating the associated Person object in the metadirectory, ignoring the change, or rolling it back in the managed system. These changes to a user account are recorded as inbound changes, and a complete history is maintained in the Account Attribute Inbox, including all previous and new values. If the attribute flow rule is configured to update the Person object, then the metadirectory field is updated and the flow rules are evaluated for any other user accounts that are owned by that person. If any other user accounts exist and are set to receive updates for this attribute, an entry is made to the Account Attribute Outbox denoting both the new and previous values. Outbox entries are then processed to update the managed system.
Password changes are handled in much the same manner as attribute changes. Changes to a user account password will sync to the Dot Net Workflow Person object and to any user accounts owned by that person where the system is set to receive password updates. Password changes can be initiated via self-service workflows, helpdesk admin workflows, web service notifications from other systems, and as detected by the Password Manager Active Directory Password Change agent, which resides on Domain Controllers and listens for native password changes.
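The inbox/outbox attribute flow described above, as an added illustration in Python (not code from the original page or from the product itself): one detected change is recorded in the inbox with its previous and new value, the per-system, per-attribute rule decides whether to update the Person object, ignore the change, or roll it back, and outbox entries are produced for every other owned account set to receive that attribute. The system names, attribute names and rule tables are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Actions an inbound attribute flow rule can take on a change seen in a managed system
UPDATE_PERSON, IGNORE, ROLLBACK = "update_person", "ignore", "rollback"

@dataclass
class Person:
    person_id: str
    attrs: Dict[str, str]                                              # metadirectory Person fields
    accounts: Dict[str, Dict[str, str]] = field(default_factory=dict)  # system -> account attrs

@dataclass
class FlowRules:
    inbound: Dict[Tuple[str, str], str]     # (system, attribute) -> action on an inbound change
    outbound: Dict[Tuple[str, str], bool]   # (system, attribute) -> does this system receive Person updates?

def process_inbound_change(person: Person, rules: FlowRules, system: str, attribute: str, new_value: str):
    """Record one detected change; return (inbox_entry, outbox_entries)."""
    old_value = person.accounts[system].get(attribute)
    action = rules.inbound.get((system, attribute), IGNORE)
    # The inbox keeps the full history: previous value, new value and the decision taken
    inbox = {"system": system, "attribute": attribute, "old": old_value, "new": new_value, "action": action}
    outbox: List[dict] = []
    if action == ROLLBACK:
        # System is not authoritative for this attribute: schedule restoring the previous value there
        outbox.append({"system": system, "attribute": attribute, "old": new_value, "new": old_value})
        return inbox, outbox
    person.accounts[system][attribute] = new_value  # metadirectory copy of the account
    if action == IGNORE:
        return inbox, outbox
    person.attrs[attribute] = new_value             # Person object takes the new value
    for other, attrs in person.accounts.items():
        # Every other owned account set to receive this attribute gets an outbox entry
        if other != system and rules.outbound.get((other, attribute)) and attrs.get(attribute) != new_value:
            outbox.append({"system": other, "attribute": attribute, "old": attrs.get(attribute), "new": new_value})
    return inbox, outbox

def demo():
    """Constructed sample: HR is authoritative for department; AD and LDAP receive it."""
    person = Person("p-1001", {"department": "Sales"},
                    {"HR": {"department": "Sales"}, "AD": {"department": "Sales"}, "LDAP": {"department": "Sales"}})
    rules = FlowRules(inbound={("HR", "department"): UPDATE_PERSON, ("AD", "department"): ROLLBACK,
                               ("LDAP", "department"): IGNORE},
                      outbound={("AD", "department"): True, ("LDAP", "department"): True})
    hr = process_inbound_change(person, rules, "HR", "department", "Finance")  # flows out to AD and LDAP
    ad = process_inbound_change(person, rules, "AD", "department", "Rogue")    # rolled back, Person untouched
    return person, hr, ad

if __name__ == "__main__":
    print(demo())
```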
Policy Jobs and Services
In addition to synchronization services, Dot Net Workflow includes many policy evaluation and enforcement services, or jobs, which are used to enforce more dynamic policies that should be reevaluated on a continuing basis. Policies can be delivered via services or by using the flexible permanent workflow model where workflows can be set to continuously cycle, analyzing data and enforcing policies specified in the workflow design.
The key policies and jobs include:
- Account Inbox - The Account Inbox is the identity correlation engine that reconciles and validates the proper ownership of the disparate user accounts that reside on any managed systems throughout an organization and permanently links the ownership of those user accounts to particular individuals. As a part of this process, the Account Inbox identifies orphaned or defunct accounts that no longer belong to an active individual and therefore represent a security risk.
- Resource Entitlement Inbox - Resource Entitlements are an important feature of the platform for ensuring the proper enforcement of access and security. Resource Entitlements (RETs) are policies that govern the provisioning and de-provisioning of user accounts and other resources such as home folders and mailboxes. RETs are evaluated interactively during a workflow process when a new Person object is created and when the Person object's Business Role and Location changes. RETs are also evaluated by a background job known as the RET Inbox which continuously evaluates RET policies to determine if any Person object has an excess of entitlements that should be de-provisioned, is missing entitlements that should be provisioned, or has entitlements that should be in a different directory location due to a recent organizational transfer.
- Business Role and Location Reevaluation - The Business Role and Location Reevaluation job is used to automate the assignment and maintenance of Person objects to Business Roles and Locations in the metadirectory. In turn, Business Role and Location assignments determine many of the policies a person receives. The Business Role and Location Reevaluation job automates the maintenance of these assignments based on information gathered during the inventory of authoritative systems such as HR or ERP. Linking roles in the metadirectory to current information from these systems creates and automates a policy-driven environment where access reflects what a person does as specified in the systems of record.
- Default Attribute Policy Reevaluation - Policy-based attribute values are used to automate the maintenance of user attributes, which means that values can be assigned to a person by policy and will be updated for that person if their Business Role or Location changes. Based on your Attribute Flow Rules, changes to attribute values may or may not update the values in connected directories.
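The RET Inbox evaluation described in the list above, as an added illustration in Python (not code from the original page or the product itself): for one person, the entitlements granted by the RET policy for their current Business Role and Location are compared with the resources found in inventory, yielding what to provision, what to de-provision, and what to move to a different directory location after a transfer. The policy table, container names and the person's inventoried resources are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Entitlement:
    resource_type: str   # e.g. "account", "mailbox", "home_folder"
    system: str          # managed system that hosts the resource
    container: str       # directory location: OU, mailbox database, file share

# RET policies: (Business Role, Location) -> resources a person in that role and location should hold
RetPolicies = Dict[Tuple[str, str], List[Entitlement]]

def evaluate_ret(role: str, location: str, current: List[Entitlement], policies: RetPolicies):
    """One RET Inbox pass for a person: what to provision, de-provision, and move."""
    desired = {(e.resource_type, e.system): e for e in policies.get((role, location), [])}
    have = {(e.resource_type, e.system): e for e in current}
    provision = [e for k, e in desired.items() if k not in have]      # missing entitlements
    deprovision = [e for k, e in have.items() if k not in desired]    # excess entitlements
    # Same resource in the same system but in the wrong container: an organizational transfer
    move = [(have[k], desired[k]) for k in desired.keys() & have.keys()
            if have[k].container != desired[k].container]
    return {"provision": provision, "deprovision": deprovision, "move": move}

def demo():
    """Constructed sample: a Sales Rep transferred from London to Paris."""
    policies: RetPolicies = {
        ("Sales Rep", "London"): [Entitlement("account", "AD", "OU=London,OU=Sales,DC=example,DC=com"),
                                  Entitlement("mailbox", "Exchange", "DB-London")],
        ("Sales Rep", "Paris"): [Entitlement("account", "AD", "OU=Paris,OU=Sales,DC=example,DC=com"),
                                 Entitlement("mailbox", "Exchange", "DB-Paris"),
                                 Entitlement("home_folder", "FileServer", "\\\\fs-paris\\home")],
    }
    # Inventory still shows the London resources plus a stale account the Paris policy does not grant
    current = [Entitlement("account", "AD", "OU=London,OU=Sales,DC=example,DC=com"),
               Entitlement("mailbox", "Exchange", "DB-London"),
               Entitlement("account", "LegacyCRM", "default")]
    return evaluate_ret("Sales Rep", "Paris", current, policies)

if __name__ == "__main__":
    print(demo())
```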
Why Dot Net Workflow Metadirectory Services
Dot Net Workflow provides a new approach to metadirectory services, offering a breadth of functionality that distinguishes it from other Identity and Access Management solutions. Key features include:
- Employs a distributable and scalable multi-instance 64-bit Windows Service capable of handling the largest and most demanding environments
- Provides web service-based agents that can be distributed across firewall boundaries for on-premise or cloud-based environments
- Its RBAC metadirectory encompasses resources and their rights assignments in managed systems in addition to the common metadirectory function of managing user accounts
- Its Federated Identity Provider directory supports all standard SSO protocols (SAML, WS-Fed, and OpenID)
- Includes Domain Controller Agents that capture and synchronize user password changes
- Its dynamic policy enforcement platform automates many aspects of account management and policy-based provisioning and rights assignment across enterprise systems and directories
- Features cross-platform support for synchronizing password changes and unlocks between Active Directory, LDAP, and custom applications
- Its detailed reporting inventories all user account information, including password last set, password expires on, and account lockout status