"The LDAP Guys."


LDAPCon 2009 Session

GLUU Overview -- Schwartz

Submitted Materials

Abstract

Gluu is a San Antonio, TX based startup offering a cloud-based IDaaS that aims to make it easier for organizations to securely share identity information and to achieve SSO via SAML. Gluu aims to be an open, cloud-based federation infrastructure that will empower organizations to create small and large "Communities" on demand, as in social networking applications. After joining a Gluu Community, an organization can specify which people from their organization, and which attributes of those people, are shared within the Community.

While inter-domain SAML federation networks have been successful in specific vertical markets (for example, InCommon for educational institutions), the goal of Gluu is greater than user-centric SSO. The primary problem that Gluu seeks to address is extranet identity lifecycle management. While provisioning workflows for adding and deleting people within the organization have been well defined (if not easily solved), scalable flow of identity information across organizational boundaries has simply not been addressed by current products and services.

Gluu, acting as a trusted third party, performs the role of an identity clearinghouse and federation exchange. This can be especially useful for large enterprises with thousands of partners. The task of keeping extranet information up to date is critical, expensive, and logistically challenging.

An important design goal of Gluu is to accommodate organizations with varying degrees of technical sophistication: from a one person company to a large enterprise. Consequently, there are several methods for managing identities in Gluu. For very small organizations without internal IT departments, Gluu offers manual delegated administration. For large organizations, Gluu offers integration via SPML. For organizations in the middle, Gluu offers an appliance approach that uses a virtual directory server to map LDAP and RDBMS data on the Gluu member's internal network. The appliance also detects changes and updates Gluu.

Gluu has not followed the typical model of per user pricing. User-based pricing discourages organizations from adding identity information, which is contrary to the value of a ubiquitous global extranet identity management infrastructure. The business model of Gluu is to offer Gluu Community Membership for free, and to sell flat rate annual memberships for organizations that want supported Communities. Gluu will also fund the infrastructure through services, including technical support, identity assurance reviews, and Gluu customizations.

In order to build a globally ubiquitous identity infrastructure, a horizontally scalable, virtualized directory service was necessary. Gluu's directory service distinguishes between data that is mastered within Gluu (for example, data created by organizations through Gluu's delegated administration) and data that is simply shared through Gluu while owned and mastered in the organizations' internal systems. An RDBMS is used to model Groups and Communities, although Groups are also virtualized in LDAP, because they are needed for ACI enforcement. Another design challenge of Gluu was to enable organizations to dynamically extend the user and group schema. The ability of organizations to use Communities to solve their specific business needs requires the schema to be extensible. Schema also needs to be private: for example, an organization might not want the world to know the names of its private attributes.
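To make the design above concrete, here is an added illustration (not Gluu's own configuration, which the abstract does not show) in OpenDS-style LDIF: one member organization extends the user schema with a privately named attribute, and an ACI lets only members of a Community group, the group virtualized in LDAP, read that attribute. The OID arc, attribute and object class names, suffix and group DN are constructed placeholders.

```ldif
# Constructed example. The OID arc 1.3.6.1.4.1.99999, the names
# exampleOrgPartnerTier / exampleOrgPerson, the suffix and the group DN
# are placeholders, not Gluu's real schema or DIT.

# 1) Extend the user schema with an organization-private attribute.
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'exampleOrgPartnerTier'
  DESC 'Private attribute of one member organization'
  EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  SINGLE-VALUE X-ORIGIN 'constructed example' )
-
add: objectClasses
objectClasses: ( 1.3.6.1.4.1.99999.2.1 NAME 'exampleOrgPerson' SUP top
  AUXILIARY MAY ( exampleOrgPartnerTier ) X-ORIGIN 'constructed example' )

# 2) On the subtree holding that organization's people, grant read on the
# private attribute only to members of the Community group. ACIs are
# default-deny, so identities outside the group can neither read nor
# search on the attribute. Before relying on this, check that no broader
# ACI on a parent entry already grants (targetattr="*") read to anyone.
dn: o=exampleOrg,ou=members,dc=gluu,dc=example
changetype: modify
add: aci
aci: (targetattr="exampleOrgPartnerTier")
  (version 3.0; acl "Private attribute visible to Community members only";
  allow (read,search,compare)
  groupdn="ldap:///cn=Example Community,ou=groups,dc=gluu,dc=example";)
```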

Gluu is a cloud-based infrastructure with a secure communications policy: all communication between servers uses SSL. Gluu's public LDAP service, published as DSML, is only available via HTTPS. Gluu was built to be highly available: all components are redundant.

Without the work of great companies and the open source community, Gluu could not exist. The core identity stack includes: Radiant Logic VDS 5.1, Sun OpenSSO 8.0, OpenDS 1.2, OpenDS DSML Gateway 1.2, JBoss 5.0, JBoss Seam 2.1, and MySQL 5.1.

This talk will be a candid discussion of the technical design of Gluu, with diagrams and a live demo of the service to make it more accessible to the audience.

BIO

Michael Schwartz is the CEO and Founder of Gluu, Inc., a San Antonio based IDaaS offering inter-domain identity management and SAML-based federation. Both an entrepreneur and a technical expert, he has been a hands-on integrator and architect specializing in LDAP for over 10 years. He is also the author of an LDAP client API, LUGE, which simplifies LDAP programming by offering a mix of abstraction and best practices to increase productivity. Mr. Schwartz's first successful business venture was Spacelab.Net, a New York based ISP. Spacelab was sold to Verio (now NTT) in 1998, immediately after which Mr. Schwartz founded ID-Vault, a firm specializing in identity management services. Since that time, he has worked on LDAP and SSO projects for many large enterprises including AIG, UBS, ADP, Tiffany, Lehman Brothers, the American Association of Medical Colleges, the National Democratic Institute, the Greek Orthodox Archdiocese of America, TIAA-CREF, McGraw Hill, BMW, Cendant, Lucent and others. Mr. Schwartz was also the lead directory architect for British Telecom's MarketPulse Service, a VoIP service for the global financial services industry.


Copyright © 2001 - 2009, Symas Corporation. All rights reserved.