SECOND PRELIMINARY DRAFT
NIST SP 1800-35B: Implementing a Zero Trust Architecture 41
of the ZTA to quickly and easily request the exact data they need in the format, structure, schema, and
protocol each requires. In order to provide the flexibility and scalability that organizations need, the
platform is broken into six distinct modules: Federated Identity Engine; Universal Directory; Global
Synchronization; Directory Migration; Insights, Reports & Administration; and Single Sign-On.
3.4.18.1.1 RadiantOne Federated Identity Engine
The Federated Identity Engine abstracts and unifies identity data from all sources (on-premises or cloud-
based) to form an identity data fabric that is flexible, scalable, and turns identity data into a reusable
resource. The identity data fabric provides a central access point for authoritative identity data to all
applications, and encompasses all subjects, users, and objects (employees, contractors, partners,
customers, members, non-enterprise employees, devices, NPEs, service accounts, bots, IoT, risk scoring,
and data and other assets). RadiantOne gathers, maps, normalizes, and transforms identity data to build
a de-duplicated list of users, enriched with all identity attributes to create a single global profile for each
user. The Federated Identity Engine is schema-agnostic and standards-based, which allows it to build
unlimited and flexible views correlated from all sources of rich and granular identity data, updated in
near-real-time, and delivered at speed in the format required by all the consuming applications in the
ZTA. These views are stored in a highly scalable, modern big data store kept in near-real-time sync with
local identity sources of truth.
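The correlation step described above, as an added illustration that is not RadiantOne code: records from several sources are mapped onto one canonical schema, joined on a normalized correlation key into a single global profile, attribute disagreements are recorded and settled by a per-attribute authoritative source, and the profile is then projected into the shape a consuming application expects. The source names, attribute maps, authority policy, and sample records are all constructed for this example.

```python
from collections import defaultdict

# Per-source mapping of native attribute names onto one canonical schema (the schema-agnostic layer).
SOURCE_MAPS = {  # constructed
    "ad":   {"sAMAccountName": "login", "mail": "email", "memberOf": "groups", "title": "title"},
    "hr":   {"employee_id": "employee_id", "work_email": "email", "dept": "department", "status": "status", "title": "title"},
    "saas": {"userName": "login", "primaryEmail": "email", "role": "title"},
}
# Source of truth per canonical attribute when sources disagree (constructed policy).
AUTHORITY = {"employee_id": "hr", "department": "hr", "status": "hr", "title": "hr", "login": "ad", "groups": "ad"}
CORRELATION_KEY = "email"  # attribute used to join records that describe the same person

def normalize(source, record):
    """Rename a native record into the canonical schema and canonicalise the join key."""
    out = {canon: record[native] for native, canon in SOURCE_MAPS[source].items() if native in record}
    if CORRELATION_KEY in out:
        out[CORRELATION_KEY] = out[CORRELATION_KEY].strip().lower()
    return out

def build_global_profiles(records):
    """records: iterable of (source, native_record). Returns (profiles, uncorrelated, conflicts)."""
    profiles, uncorrelated, conflicts = {}, [], defaultdict(list)
    for source, raw in records:
        rec = normalize(source, raw)
        key = rec.get(CORRELATION_KEY)
        if not key:                       # no join key: report it, never guess a merge
            uncorrelated.append((source, raw))
            continue
        prof = profiles.setdefault(key, {"sources": []})
        prof["sources"].append(source)
        for attr, value in rec.items():
            if attr not in prof:
                prof[attr] = value
            elif prof[attr] != value:     # disagreement: log it, let the authoritative source win
                conflicts[key].append((attr, prof[attr], source, value))
                if AUTHORITY.get(attr) == source:
                    prof[attr] = value
    return profiles, uncorrelated, dict(conflicts)

def scim_view(profile):
    """Project a global profile into a (subset of the) SCIM-style shape a consuming app expects."""
    return {"userName": profile.get("login"), "active": profile.get("status") == "active",
            "emails": [{"value": profile["email"], "primary": True}], "groups": profile.get("groups", [])}

SAMPLE_RECORDS = [  # constructed sample input from three sources
    ("ad",   {"sAMAccountName": "jdoe", "mail": " JDoe@Example.com ", "memberOf": ["cn=vpn-users"], "title": "Engineer"}),
    ("hr",   {"employee_id": "E1001", "work_email": "jdoe@example.com", "dept": "Platform", "status": "active", "title": "Senior Engineer"}),
    ("saas", {"userName": "john.doe", "primaryEmail": "jdoe@example.com", "role": "Admin"}),
    ("saas", {"userName": "orphan", "role": "Viewer"}),  # no correlation key: must not be merged
]
```

The uncorrelated and conflicts outputs are the part worth monitoring: an identity that cannot be correlated, or whose attributes disagree across sources, is exactly the record a policy engine should not trust silently.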
3.4.18.1.2 RadiantOne Universal Directory
The RadiantOne Universal Directory provides a modern way of storing and accessing identity
information in a highly scalable, fault-tolerant, containerized solution for distributed identity storage. Its
highly performant cluster architecture scales easily to hundreds of millions of objects and delivers
automation, high availability, and multi-cluster deployments that easily accommodate distributed data
centers. Universal Directory is FIPS 140-2 certified for securing data-in-transit and data-at-rest, and it
provides detailed audit logs and reports [10]. Universal Directory is accessible by all LDAP-, SQL-, SCIM-,
and REST-enabled applications.
3.4.18.1.3 RadiantOne Single Sign On (SSO)
Single Sign On is the gateway between identity stores and applications that support federation
standards—SAML, OIDC, WS-Federation—for connecting users with seamless, secure, and uniform
access to federated applications. SSO enables a secure federated infrastructure, creating one access
point to connect all internal identity and authentication sources for strong authentication. It also
provides a self-service portal for managing passwords and user profiles.
3.4.18.1.4 RadiantOne Global Synchronization
Global Synchronization leverages bi-directional connectors to propagate identity data and keep it
coherent across enterprise systems in near-real-time, regardless of the location of the underlying
identity source data (on-premises, cloud-based, or hybrid). It builds a reliable and highly scalable
infrastructure with a transport layer based on message queuing for guaranteed delivery of changes.
Global Synchronization reduces complexity and administrative burden, simplifies provisioning and