Courion, IBM, Microsoft, Novell, Sun, and Thor Technologies put their user provisioning and access management solutions through our wringer
See correction at end of review
The benefits of identity management are an easy sell. Of course IT organizations want to automate user provisioning, put an end to "I forgot my password" help desk calls, and bring sanity to access management across the enterprise. Connect these dots to Sarbanes-Oxley, and even CEOs and CFOs are on board.
The question now is, What are the true costs -- in terms of blood, sweat, tears, consultants, and unmet expectations -- of implementing a solution that, one way or another, touches every system in the enterprise? And which solutions are ready for prime time?
These were the questions we set out to answer in InfoWorld's first identity management shootout at the Advanced Network Computing Lab at the University of Hawaii, Manoa. We invited nine vendors: Computer Associates, Courion, Hewlett-Packard, IBM, Microsoft, Novell, Oracle, Sun Microsystems, and Thor Technologies. Six accepted, with CA, HP, and Oracle being the three holdouts that resisted our charms.
The lucky participants sent their solutions and engineers to paradise to do battle, which required each solution we tested -- Courion Enterprise Provisioning Suite 7.20, IBM Tivoli Identity Manager 4.6, Microsoft Identity Integration Server 2003 Enterprise Edition, Novell Identity Manager 2, Sun Java System Identity Manager 5.5, and Thor XellerateIM 8.0 -- to step through a series of identity management tasks based on a common business plot and simulated employee lifecycle.
We built a test network for TCPIP Corp., a fictitious company. The network was based on AD (Active Directory) and was stocked with a Microsoft Exchange 2000 server, a Linux-based HR application called e-HRMS, a Linux-based accounting application called webERP, and a few other systems for good measure. Our vendors needed to integrate their solutions with all of these systems and then tackle certain identity management challenges, including the hiring, firing, and criminal breach of a junior accountant named Harry, as well as TCPIP's acquisition of rival Fergenschmeir Inc. and the resulting directory migration.
To accomplish our required tasks, each identity management solution had to integrate with the e-HRMS system, AD, the webERP system, the Exchange server, and, in some cases, a Windows file server. Each of our six solutions took a slightly different path to achieve this, but the basic procedure was for each vendor to create custom connectors to the MySQL back end of e-HRMS and map various data fields present in the database to the same fields in AD. Various policies had to be created for user-name format, password strength, and so on.
When all this was functional, an initial reconciliation task had to be run to synchronize the data between the identity management server, the e-HRMS database, and AD. Following this, a subsequent reconciliation task would detect changes in the e-HRMS system that then triggered actions within the identity management solution.
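The reconciliation step just described, as an added example that is not code from any product in the review: a pass that compares the authoritative HR records with a directory snapshot, proposes new accounts under a user-name policy, disables terminated users, reports orphaned accounts, and flags privileged accounts that were not created by the provisioning system (the policy violation that the Harry scenario later in the review exercises). The record layouts, the `provisioned_by` attribute, the admin group names and the user-name policy are assumptions; the sample data is constructed.

```python
"""Reconciliation between an authoritative HR source and a directory snapshot.

Added illustration, not code from Courion, IBM, Microsoft, Novell, Sun or Thor.
Record layouts, the 'provisioned_by' attribute and the policies are assumptions.
"""
from dataclasses import dataclass, field, replace
from typing import List, Optional, Tuple

PROVISIONER = "idm"  # value the provisioning system stamps on accounts it creates (assumed)
ADMIN_GROUPS = frozenset({"Domain Admins", "Enterprise Admins"})  # assumed privileged groups


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    first: str
    last: str
    status: str  # "active" or "terminated"


@dataclass(frozen=True)
class DirAccount:
    sam: str
    employee_id: Optional[str]      # link back to HR; None if the account has no owner
    enabled: bool
    groups: frozenset
    provisioned_by: Optional[str]   # None when the account was created outside the IdM system


@dataclass
class ReconcileResult:
    create: List[Tuple[str, str]] = field(default_factory=list)  # (employee_id, proposed name)
    disable: List[str] = field(default_factory=list)            # terminated but still enabled
    orphaned: List[str] = field(default_factory=list)           # no matching HR record
    violations: List[str] = field(default_factory=list)         # privileged, not provisioned by us


def username_policy(rec: HrRecord) -> str:
    """Assumed user-name format: first initial + last name, lower-case, alphanumeric only."""
    raw = (rec.first[0] + rec.last).lower()
    return "".join(ch for ch in raw if ch.isalnum())


def reconcile(hr: List[HrRecord], directory: List[DirAccount]) -> ReconcileResult:
    """Compare HR (authoritative) with the directory and list the actions a pass would trigger."""
    result = ReconcileResult()
    by_employee = {a.employee_id: a for a in directory if a.employee_id}
    hr_ids = {r.employee_id for r in hr}
    for rec in hr:
        acct = by_employee.get(rec.employee_id)
        if rec.status == "active" and acct is None:
            result.create.append((rec.employee_id, username_policy(rec)))  # new hire
        elif rec.status == "terminated" and acct is not None and acct.enabled:
            result.disable.append(acct.sam)  # leaver still has a live account
    for acct in directory:
        if acct.employee_id not in hr_ids:
            result.orphaned.append(acct.sam)  # reported, not acted on automatically
        if acct.groups & ADMIN_GROUPS and acct.provisioned_by != PROVISIONER:
            result.violations.append(acct.sam)  # admin account created outside the IdM system
    return result


def enforce(result: ReconcileResult, directory: List[DirAccount]) -> List[DirAccount]:
    """Apply the actions: disable leavers and violators, strip admin groups from violators."""
    to_disable = set(result.disable) | set(result.violations)
    updated = []
    for acct in directory:
        if acct.sam in to_disable:
            groups = acct.groups - ADMIN_GROUPS if acct.sam in result.violations else acct.groups
            acct = replace(acct, enabled=False, groups=groups)
        updated.append(acct)
    return updated


# Constructed sample data: Harry is a junior accountant; "hadmin" is an admin
# account created in the directory by hand, with no HR owner and no IdM stamp.
HR = [
    HrRecord("E100", "Harry", "Hacker", "active"),
    HrRecord("E101", "Jane", "Doe", "active"),        # new hire, no account yet
    HrRecord("E102", "Bob", "Gone", "terminated"),    # leaver, account still enabled
]
DIRECTORY = [
    DirAccount("hhacker", "E100", True, frozenset({"Domain Users"}), PROVISIONER),
    DirAccount("bgone", "E102", True, frozenset({"Domain Users"}), PROVISIONER),
    DirAccount("svcbackup", None, True, frozenset({"Backup Operators"}), PROVISIONER),
    DirAccount("hadmin", None, True, frozenset({"Domain Admins"}), None),
]


def run_demo() -> ReconcileResult:
    return reconcile(HR, DIRECTORY)


if __name__ == "__main__":
    res = run_demo()
    print("create:", res.create, "disable:", res.disable)
    print("orphaned:", res.orphaned, "violations:", res.violations)
    for a in enforce(res, DIRECTORY):
        print(a.sam, "enabled" if a.enabled else "DISABLED", sorted(a.groups))
```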
We watched each vendor struggle in the lab to some degree, and we played devil's advocate with them all. In the end, only one vendor couldn't complete all of our tests, and this was due more to a lack of additional test time and product complexity than not having the required features.
All of the solutions we tested met our essential requirements, but important differences emerged. Some products worked well on the back end but lacked a unified management and reporting interface. Others presented the slick front end but a problematic foundation. Moreover, some vendors did a better job than others of tying together the multiple tools for identity management into a single, unified solution.
Courion Enterprise Provisioning Suite 7.20
Courion Enterprise Provisioning Suite 7.20 includes ProfileCourier, a user-profile store; PasswordCourier, a metapassword repository; and ComplianceCourier, a policy-control module aimed at tying the other modules together for managed security.
Courion was the only vendor to bring a full partner to the test, namely Citrix and its Citrix Password Manager. This partnership allowed Courion to be the only vendor to demonstrate true SSO (single sign-on), in which global passwords were used to automate log-ins across all systems.
Installation of the Courion suite on our test network began with AccountCourier and Citrix Password Manager. Citrix created a complete log-in credential store across all installed applications and linked up with AccountCourier, which allows administrators to apply policies and rules on the whole.
In practice, users see none of this. What we saw instead was the most handsome intranet template in the whole review: Courion simply slapped a fake TCPIP Corp. logo on its pages and rolled on.
Courion also demonstrated a wizard-based user startup process -- which is lengthy but editable -- that records all required user information and creates or modifies that user's account. As soon as Harry answered all of these questions and defined his new password, the combination of Citrix and the Courion suite enabled that password for SSO across all of Harry's assigned resources -- desktop, e-mail, and webERP.
SSO happens quickly because Citrix's app is running as a Web service on a dedicated system in the domain. It receives an SPML (Service Provisioning Markup Language) request from the Courion suite -- regarding Harry's log-in credentials -- and responds to that request with the appropriate password. Citrix can be keyed to a directory for this purpose, to a database, or any combination. Some of the other solutions offer this basic functionality, but they're much more rigid about the resources their systems require to complete these tasks, such as directory servers or databases that must be used as credential repositories.
Many of the solutions managed the provisioning workflow process via a Web interface, using e-mail simply as notifiers -- "You've got an approval task waiting; please log in and take care of it." Courion's suite managed everything inside of e-mail with no need to log in to an underlying Web application. This type of integration isn't trivial, however, so expect some programming to take place in real life in order to achieve it.
Courion Enterprise Provisioning Server hit a snag when merging the Fergenschmeir and TCPIP directory information. The product certainly had the necessary tools, but Courion's engineers weren't able to solve a programming problem quickly enough to complete the migration in the time allotted. This served to illustrate one drawback of Courion's ultraflexible solution: complexity.
The suite also stumbled when Harry went bad. In this test, Harry creates an account in AD using a stolen admin password. Other solutions detected and disabled the unauthorized account immediately. Courion Enterprise Provisioning Suite took a more circuitous route to finding the problem: by running a reconciliation process against its directory store and listing policy violations in a report. Sure, you could run reconciliations fairly frequently, but there are system performance issues to consider. Finding Harry's rogue account in real life might take longer than you'd like using Courion's solution.
Overall, Courion Enterprise Provisioning Suite offers impressive flexibility and tight integration with existing infrastructure. Credential stores can be separate databases, existing directories, or combinations. Workflows can integrate with your applications directly using existing APIs.
The Courion/Citrix combination will weave nicely into any enterprise, but the price tag is significant. The amount of programming necessary may also add implementation time and cost.
IBM Tivoli Identity Manager 4.6
To reach into the various moving parts of our enterprise, ITIM (IBM Tivoli Identity Manager) 4.6 used custom agents that we installed on every managed resource, including our AD domain controllers, database servers, and so forth. The agents hold a reasonably small footprint and require minimal configuration. IBM says that many of its agents don't need to be installed on managed resources, but can manage multiple resources remotely from a single server.
Before any identity management can occur, existing HR applications and the directory must be integrated. For this task, IBM used TDI (Tivoli Directory Integrator), a Java application that functions as an intersection of identity data, both for initial integration and as a permanent connector when needed. TDI runs on Linux and Windows and offers a clear view of any managed resource. In the test, this tool was primarily used to map data from the HR database to AD -- and vice versa -- providing the IBM engineers with a fluid way to manipulate the data.
By pulling in MySQL Java connectors to the TDI tool and working with AD via LDAP, an IBM engineer was able to quickly map database fields to LDAP fields and create a custom connector to move data between them in whole or in part based on triggers, schedules, or manual intervention. TDI handled all integration tasks with aplomb, providing simple methods to reformat disparate data, such as consistently formatting phone numbers, Social Security numbers, and birth dates. We were quite taken with this tool.
The test scenarios caused IBM some fits and starts. At times their own interface seemed to stymie the IBM engineers, but those moments were brief. Overall, every aspect of the test was completed satisfactorily, including the extra-credit portions of integrating the z/OS and Lotus Notes servers. Then again, those are IBM products.
The relative immaturity of the ITIM Web GUI was notable throughout the test. This interface allows admins to create and modify end-user pages, drawing on a wide array of page layout and functionality choices. For instance, it's relatively simple to declare the database fields a user sees when viewing company directory information or modifying his or her personal data, and whether certain fields may be modified at all.
The workflow functions of ITIM are top-notch. A GUI representation of a workflow is presented in a Java applet, allowing users to drag elements around to create approval steps, assign tasks, and so forth.
The reporting engine of ITIM is vast and complex. It's possible to generate reports containing nearly any data present in the system, but again, it's a little challenging to assemble the data in a logical form. Crystal Reports integration is present, however, and Crystal would be our reporting tool of choice in an actual implementation.
ITIM took the same approach the Courion suite did when discovering Harry's breach, but ITIM went a step further. After detecting the rogue admin account during a reconciliation run, ITIM simply deleted the account and set a flag to define the action taken. Automatic deletes may seem a bit draconian to many admins, but if you rely on the identity manager as your central, official record of identity data, then you should trust it -- it could be a lifesaver.
All told, IBM Tivoli Identity Manager is a reasonably priced package that can handle the more esoteric aspects of any enterprise. It provides a solid, fast back end and great integration tools, but integrating ITIM into a production network takes skill. You'll likely need outside help to get the implementation off the ground.
Microsoft Identity Integration Server 2003 Enterprise Edition
Of all the contenders here, MIIS (Microsoft Identity Integration Server) 2003 stands out in two ways. First, it's by far the cheapest, at least at first glance (more on that later). Second, it's unique in leveraging several features of Windows, as well as other Microsoft tools, to accomplish tasks other identity management servers handle alone.
For example, publishing our corporate white pages took only a few minutes using Windows SharePoint Services and AD. One of our requirements was that only HR personnel be able to see birth dates and Social Security numbers through the intranet directory. As it turned out, Microsoft didn't even need to set up special permissions within the white pages because SharePoint can respect AD permissions.
MIIS was needed here only to provide the self-service password change function. MIIS includes an ASP application that integrates with SharePoint for this, allowing users to change their SSO passwords and have the change pushed out to all of the applications they use. Even cooler, you can link this app not only to the SharePoint white pages but also to Windows desktop-based password changing tools, so users can change the password for all their network resources from Ctrl-Alt-Del or User Accounts in the Control Panel.
The only potential stumbling blocks for Microsoft in our Windows-centric test network were the Linux-based e-HRMS and webERP applications. Microsoft managed SSO the same way for both apps, using neither Windows nor MIIS but a $600 third-party MIIS add-on called Centrify DirectControl.
DirectControl agents turned each Linux system into AD clients that used the Kerberos ticket associated with Harry's AD authentication to manage log-ins to e-HRMS and webERP. The upside is that it worked. The downside is that -- as opposed to Windows apps, which can receive authorizations from MIIS -- the Linux-based applications still needed to be configured with a Harry log-in.
Ironically, Microsoft stumbled a bit during our Fergenschmeir AD migration. Company engineers managed the initial cross-domain trusts easily enough (again using AD tools, not MIIS), but the directory migration itself, which they tackled using ADMT (Active Directory Migration Tools), required several attempts before they figured out the right syntax. This served to illustrate how many different skill sets Microsoft requires versus some of the other vendors in this roundup. Both Novell and Sun, for example, required only experts in their identity management solutions to step through all our scenarios. Microsoft required knowledge of MIIS, AD, Exchange, and a couple of third-party tools as well. And here's where additional costs may arise when implementing Microsoft's solution.
Microsoft used the second third-party tool, NetPro MissionControl for MIIS, in the security portion of our test. Because MIIS continuously monitors all accounts on the network, it had no problems detecting Harry's violation. Microsoft merely configured an MIIS rule to forbid all admin accounts created outside of MIIS. As soon as Harry created his illegal account, MIIS spotted and disabled it. Fast.
But MIIS couldn't easily tell anyone about Harry's faux pas. Using MIIS alone, finding the violation requires sifting through reports. NetPro MissionControl provides the alerts administrators need to take swift action.
Microsoft's solution proved quite functional, though noticeably disjointed from an administrative perspective. Nevertheless, MIIS -- plus Windows Server 2003 and AD -- completed all of our tests, including the directory store repopulation and the extra-credit Lotus Notes integration. The cherry on top is a price tag that's a mere fraction of the cost of competing solutions.
For Microsoft-centric enterprises, MIIS may be a bit scattered, and it may require filling in the holes with third-party tools, but it can be a powerful and cost-effective solution.
Novell Identity Manager 2
Novell's identity management solution relies heavily on the company's directory server, eDirectory, which does a fine job as an identity vault. Building on eDirectory to incorporate directory information from across the enterprise, Identity Manager takes care of the rest.
You'll find all the bells and whistles in Identity Manager 2, including password management, role-based provisioning, cross-application user management, user deprovisioning, and corporate white pages functionality. Furthermore, Novell has probably the most intuitive and polished user interface of the bunch.
Running through Harry's ups and downs revealed some clear benefits of the Identity Manager suite. The eDirectory and Identity Manager combo tied all of our disparate data sources together, allowing for as much flexibility and granularity as most enterprises require.
Identity Manager handles these tasks largely with administrator-defined identity policies, which allow admins to manage complex application relationships and workflow. All this information is pumped through a two-lane highway between the Identity Vault and the subordinate applications on the network. All this, of course, depends on Identity Manager Drivers, which are the agents needed to manage all applications. Communication among Vault, Drivers, and Identity Manager is based entirely on XML.
With the exception of Novell's fairly granular workflow capabilities, this is all standard stuff. And though the Identity Manager implementation went smoothly, there wasn't much to differentiate it from the others save Novell's carefully designed, glitzy user interfaces. Defining things such as the corporate white pages or the HR-to-IT workflow that our tests required was done in a slick Web-based administration tool that offered speed and customizability.
We'd seen this before, but Novell had a definite edge in the UI department. In fact, we were already sufficiently impressed, and then they pulled out Designer.
Designer gives the Novell solution a definite ooh-aah factor not found in any of the other products here, but it's important to note that this is an optional add-on. Fortunately, right now it's a free, optional add-on, and if you're using either eDirectory or Identity Manager, we highly recommend you download it ASAP.
Based on the Eclipse framework, Designer allows administrators to lay out almost the entire identity implementation visually and then drill down for configuration. Designer configures the entire Identity Manager front end using portlets, allowing administrators not only to modify the look and feel of each portlet (for easy integration into an existing intranet design) but also to modify each portlet at the field level -- in effect deciding exactly what users do and don't see one field at a time. Even better, Designer allows much of the configuration to be done in a simulated sandbox mode. That means you could design an identity implementation blueprint and play what-if games by altering underlying systems or configuration settings. Novell even added version control to make those games easier.
In the end, Novell conquered our lab scenario with few hiccups and went on to finish all the extra-credit tests, including Lotus Notes and z/OS integration, Web GUI- and e-mail-based workflow provisioning, and populating our e-HRMS database from AD, all handled centrally from the smooth iManager console.
When Harry turned naughty, Identity Manager found his illegal administration account so fast we didn't even have time to fully provision the account. Harry was immediately dumped into the Illegals group, which not only disabled his admin access but also kept a handy record of the attempt. It did not send us an alert, however.
The only area of the test where Novell would have relied on outside tools was our Fergenschmeir-to-TCPIP AD joining. As did a number of the other competitors, Novell would have used Microsoft AD tools for the initial migration and then used Identity Manager to manage the Fergenschmeir data through Identity Vault after it was part of the TCPIP AD forest. (Because third-party tools were necessary, we didn't bother to make this part of Novell's test.)
From administration to reporting, Novell Identity Manager proved to be one of the easiest-to-use solutions in the roundup. The addition of Designer adds even more intuitive functionality on top of this suite. Nevertheless, Novell has work to do: Although the glitzy front end was used for initial configuration, all subsequent validation was done largely looking at raw XML data.
Sun Java System Identity Manager 5.5
We didn't see much whizbang innovation in Sun Java System Identity Manager 5.5, but we did find a level of reliability and maturity that's rare for this segment. Sun's entire identity management suite consists of Access Manager, Directory Server Enterprise Edition, Federation Manager, Identity Auditor, Identity Manager, and Identity Manager Service Provider Edition. Our test required only Identity Manager, Identity Auditor, a MySQL database used as the VIM (Virtual ID Manager) repository, and pieces of Access Manager for SSO.
As opposed to the solutions we've discussed thus far, Sun's is completely agentless. Its technology takes full responsibility for monitoring and interacting with existing directory servers and applications without the need to deploy agents. For certain technologies, such as AD or Novell's directory, Sun deploys a black-box style software gateway for data translation, but this is not an agent, nor does it require changes to target systems in order to function.
In practice, this looked very slick. To configure all our test resources, rules, users, and everything else, Sun dumped its Smart Forms technology into a Web-based, wizard-driven configuration tool that maintained the look and feel of our TCPIP intranet. You still need to know what you're doing; several times during our test things didn't work properly because the Sun marketing engineer missed a few system settings, requiring a local Sun engineer to intervene. But if you know what to feed the system, Smart Forms really speed things along.
The first step in a Sun Identity Manager implementation is to populate the VIM that drives the rest of the system. The TCPIP AD migration to the VIM took some configuration time on Sun's part, but it ran properly the first time. After this had been completed, publishing white pages was easy.
Subsequent testing ran smoothly for the most part, beginning with hiring Harry. Sun Identity Manager enabled an ActiveSync feature -- running on a separate Tomcat server -- that acts as a listener on any target app. As soon as Harry was entered in e-HRMS, ActiveSync saw the changes and propagated them to the VIM and all appropriate systems. Keying specific e-HRMS data fields -- home phone number, Social Security number, date of birth -- to specific data values back in the metadirectory, Sun's solution allowed for easy matching through the Smart Forms interface to the same fields in other systems such as AD. Here is also where we saw some pieces of Access Manager, as this product was required to manage Harry's SSO features.
Sun Identity Manager also handled the optional workflow approval process -- PC request, phone extension request, and so on -- based on Harry's hiring, prompting our Exchange server to generate an e-mail notification to the relevant approvers. After the approvers have received their e-mails, they log in to Identity Manager and manage the approval process from there.
Closed systems, such as Courion's and Thor's, also worked their approvals within a Web application interface, relying on e-mails only as alerts. Novell's and Sun's solutions can work either way.
After TCPIP purchased Fergenschmeir, Sun Identity Manager was capable of managing the AD migration without requiring any use of Microsoft's AD tools. Instead, Sun configured an Identity Manager user ID and then kicked off the Fergenschmeir system discovery. This proceeded with a couple of hiccups because Fergenschmeir's tree was protecting administration and similar accounts from being migrated.
When it had been tweaked, all the Fergenschmeir information was translated into the VIM and then dropped into TCPIP's AD tree. The sexy thing is that, after discovery, the whole migration process worked like a big wizard. All told, Sun Identity Manager had little trouble connecting to our disparate systems, and our extra-credit Notes and z/OS integrations posed no trouble at all.
For Sun, identity management is the cure for compliance ills, and the company has a few features to back that up. A Risk Analyzer report, for example, can be run for specific applications -- such as AD -- to discover and report on problems such as orphaned accounts. When Harry turned hacker, Sun easily found and disabled the rogue account, but like some other solutions in the roundup, it couldn't generate an alert to immediately notify us of the problem.
Sun wants to make its identity management suite easy enough for general IT administrators to deploy it themselves. Given what we saw in testing, that goal is still a ways off. For IT shops that are used to enterprise software installations, we found Sun's Identity Manager to be pleasantly unremarkable.
Thor XellerateIM 8.0
During the months we spent planning for this test, we had two five-minute phone calls with Thor Technologies. The first was to invite them to the test, and the second was to discuss the test scenarios. Their response after reading the test plan was simply, "OK." This worried us quite a bit, given the numerous lengthy conference calls and level of detail that all the other players demanded. Our concern only grew the first morning of the test, when Thor's lone engineer opened her laptop, downloaded the MySQL Java connector, and began writing all the custom connectors on the fly.
We needn't have worried. Although Thor clearly had done the least preparation, it simply nailed the test, running quickly and confidently through every test scenario without a hitch, and even completing all the extra-credit portions with ease. XellerateIM is simply very well done.
Thor's approach is largely agentless. The company prefers to use external connectors to tie in various systems rather than require agents to be installed on every server, which is quite slick but also requires legwork. The Thor engineer toiled for more than two days to bring together the AD and MySQL-based HR system -- and to create all the necessary connectors to all the managed resources.
The Thor integration tool for creating connectors and managing databases and directories isn't quite as straightforward as IBM Tivoli Directory Integrator, but it offers a similar toolset. As with IBM's tool, Thor's can be used to create one-time or recurring connectors. After all the various data sets had been mapped and the database integration completed, this same tool performed the reconciliation tasks that brought changes from the HR system into play.
The Web GUI is as efficient and intuitive as any identity management interface we've seen -- which isn't saying all that much -- providing a nice portal to corporate directory information as well as administrative and user self-service functions. The JBoss and Oracle back end proved very responsive, even when running on the Dell Inspiron 700m laptop that doubled as the primary workstation for Thor's engineer.
The auditing and reporting functions of Xellerate are also well-designed and well-implemented, and they include the ability to notify admins of aberrations on reconciliation runs. After Xellerate discovered Harry's unauthorized admin account, it not only removed the account but alerted us to the violation. Although Xellerate includes a relatively thorough reporting engine, integration with Crystal Reports is also possible.
Throughout the test, it was obvious that Thor has identity management down pat. The downside is the cost: $250,000 for the solution we tested in the lab for 2,700 users. It's a steep price to pay, but Thor can back it up.
Meet the challenge
Every so often, when we're lucky, widespread necessity and solution maturity collide head-on. This is exactly what's happening today in the sphere of identity management. Although the underlying concepts of identity management aren't new, it's becoming clear that the execution of these concepts by solutions vendors is ready for the mainstream.
Between mandates from on high, such as Sarbanes-Oxley, and needs from below, such as the need to address management headaches associated with the constant march of new applications into the core infrastructure, the time of managing disparate systems and applications in silos is necessarily drawing to a close.
Bringing disparate systems together for centralized user provisioning and access management is a significant challenge, as our testing showed, but it's more than possible -- it's inevitable. Automating your infrastructure by implementing an identity management solution is likely to be the largest IT project you'll undertake for years to come, but it also has the potential to be the most rewarding. The potential calm after the storm is not to be overstated.
Even within our limited testing scenario, it was clear that these products are still evolving.
Sun Identity Manager seemed the most mature overall, with strong integration and management capabilities, but still lacks the reporting and front-end polish we were expecting. IBM and Courion have similar work to do on the manageability front. Indeed, Courion needs to keep working on making the flexibility of its solution more accessible. Novell has paid much attention to its front-end tools, producing the easiest solution to configure and manage by far, but it still needs work on the back end to match the depth of Courion or Thor. Finally, Thor was strong from stem to stern, although their implementation process required a good share of custom coding as well.
Brian Chee, InfoWorld senior contributing editor and manager of the Advanced Network Computing Laboratory at the University of Hawaii, contributed to the design and management of this test.
In this review, we misstated Novell's platform support and pricing and Sun's suite components and pricing. The management console of Novell's Identity Manager runs on NetWare, Windows, SUSE, Red Hat, Solaris, AIX, and VMware ESX Server. Web-based management is also available. The product can use a SQL Server, MySQL, DB2, Informix, Oracle, or Sybase database. The price of the Novell solution as tested is $105,300 for 2,700 users, including the base product and the additional drivers used for the testing scenario. The Sun Java System Identity Manager 5.5 bundle includes Identity Manager, Access Manager, and Directory Server Enterprise Edition. Including software, support, and maintenance, it costs $50 per employee per year, or $135,000 per year for our 2,700-user test scenario. The text has been corrected.
Overall Score (100%)
|Courion Enterprise Provisioning Suite 7.20||7.0||8.0||7.0||6.0||9.0|
|IBM Tivoli Identity Manager 4.6||8.0||7.0||7.0||8.0||9.0|
|Microsoft Identity Integration Server 2003, Enterprise Edition||6.0||7.0||7.0||9.0||7.0|
|Novell Identity Manager 2||8.0||8.0||9.0||8.0||8.0|
|Sun Java System Identity Manager 5.5||8.0||8.0||8.0||6.0||9.0|
|Thor XellerateIM 8.0||8.0||8.0||7.0||7.0||9.0|