The identity management challenge

See correction at end of review

The benefits of identity management are an easy sell. Of course IT organizations want to automate user provisioning, put an end to "I forgot my password" help desk calls, and bring sanity to access management across the enterprise. Connect these dots to Sarbanes-Oxley, and even CEOs and CFOs are on board.

The question now is, What are the true costs -- in terms of blood, sweat, tears, consultants, and unmet expectations -- of implementing a solution that, one way or another, touches every system in the enterprise? And which solutions are ready for prime time?

These were the questions we set out to answer in InfoWorld's first identity management shootout at the Advanced Network Computing Lab at the University of Hawaii, Manoa. We invited nine vendors: Computer Associates, Courion, Hewlett-Packard, IBM, Microsoft, Novell, Oracle, Sun Microsystems, and Thor Technologies. Six accepted, with CA, HP, and Oracle being the three holdouts that resisted our charms.

The lucky participants sent their solutions and engineers to paradise to do battle, which required each solution we tested -- Courion Enterprise Provisioning Suite 7.20, IBM Tivoli Identity Manager 4.6, Microsoft Identity Integration Server 2003 Enterprise Edition, Novell Identity Manager 2, Sun Java System Identity Manager 5.5, and Thor XellerateIM 8.0 -- to step through a series of identity management tasks based on a common business plot and simulated employee lifecycle.

We built a test network for TCPIP Corp., a fictitious company. The network was based on AD (Active Directory) and was stocked with a Microsoft Exchange 2000 server, a Linux-based HR application called e-HRMS, a Linux-based accounting application called webERP, and a few other systems for good measure. Our vendors needed to integrate their solutions with all of these systems and then tackle certain identity management challenges, including the hiring, firing, and criminal breach of a junior accountant named Harry, as well as TCPIP's acquisition of rival Fergenshmeir Inc. and the resulting directory migration.

To accomplish our required tasks, each identity management solution had to integrate with the e-HRMS system, AD, the webERP system, the Exchange server, and, in some cases, a Windows file server. Each of our six solutions took a slightly different path to achieve this, but the basic procedure was for each vendor to create custom connectors to the MySQL back end of e-HRMS and map various data fields present in the database to the same fields in AD. Various policies had to be created for user-name format, password strength, and so on.

When all this was functional, an initial reconciliation task had to be run to synchronize the data between the identity management server, the e-HRMS database, and AD. Following this, a subsequent reconciliation task would detect changes in the e-HRMS system that then triggered actions within the identity management solution.

We watched each vendor struggle in the lab to some degree, and we played devil's advocate with them all. In the end, only one vendor couldn't complete all of our tests, and this was due more to a lack of additional test time and product complexity than not having the required features.

All of the solutions we tested met our essential requirements, but important differences emerged. Some products worked well on the back end but lacked a unified management and reporting interface. Others presented the slick front end but a problematic foundation. Moreover, some vendors did a better job than others of tying together the multiple tools for identity management into a single, unified solution.

Courion Enterprise Provisioning Suite 7.20

Courion Enterprise Provisioning Suite 7.20 includes ProfileCourier, a user-profile store; PasswordCourier, a metapassword repository; and ComplianceCourier, a policy-control module aimed at tying the other modules together for managed security.

Courion was the only vendor to bring a full partner to the test, namely Citrix and its Citrix Password Manager. On the other hand, this allowed Courion to be the only vendor to demonstrate true SSO (single sign-on), in which global passwords were used to automate log-ins across all systems.

Installation of the Courion suite on our test network began with AccountCourier and Citrix Password Manager. Citrix created a complete log-in credential store across all installed applications and linked up with AccountCourier, which allows administrators to apply policies and rules on the whole.

In practice, users see none of this. We merely saw what turned out to be the most handsome intranet template in the whole review. Courion merely slapped a fake TCPIP Corp. logo on its pages and rolled on.

Courion also demonstrated a wizard-based user startup process -- which is lengthy but editable -- that records all required user information and creates or modifies that user's account. As soon as Harry answered all of these questions and defined his new password, the combination of Citrix and the Courion suite enabled that password for SSO across all of Harry's assigned resources -- desktop, e-mail, and webERP.

SSO happens quickly because Citrix's app is running as a Web service on a dedicated system in the domain. It receives an SPML (Service Provisioning Markup Language) request from the Courion suite -- regarding Harry's log-in credentials -- and responds to that request with the appropriate password. Citrix can be keyed to a directory for this purpose, to a database, or any combination. Some of the other solutions offer this basic functionality, but they're much more rigid about the resources their systems require to complete these tasks, such as directory servers or databases that must be used as credential repositories.

Many of the solutions managed the provisioning workflow process via a Web interface, using e-mail simply as notifiers -- "You've got an approval task waiting; please log in and take care of it." Courion's suite managed everything inside of e-mail with no need to log in to an underlying Web application. This type of integration isn't trivial, however, so expect some programming to take place in real life in order to achieve it.

Courion Enterprise Provisioning Server hit a snag when merging the Fergenschmeir and TCPIP directory information. The product certainly had the necessary tools, but Courion's engineers weren't able to solve a programming problem quickly enough to complete the migration in the time allotted. This served to illustrate one Click for larger view. drawback of Courion's ultraflexible solution: complexity.

The suite also stumbled when Harry went bad. In this test, Harry creates an account in AD using a stolen admin password. Other solutions detected and disabled the unauthorized account immediately. Courion Enterprise Provisioning Suite took a more circuitous route to finding the problem: by running a reconciliation process against its directory store and listing policy violations in a report. Sure, you could run reconciliations fairly frequently, but there are system performance issues to consider. Finding Harry's rogue account in real life might take longer than you'd like using Courion's solution.

Overall, Courion Enterprise Provisioning Suite offers impressive flexibility and tight integration with existing infrastructure. Credential stores can be separate databases, existing directories, or combinations. Workflows can integrate with your applications directly using existing APIs.

The Courion/Citrix combination will weave nicely into any enterprise, but the price tag is significant. The amount of programming necessary may also add implementation time and cost.

IBM Tivoli Identity Manager 4.6

To reach into the various moving parts of our enterprise, ITIM (IBM Tivoli Identity Manager) 4.6 used custom agents that we installed on every managed resource, including our AD domain controllers, database servers, and so forth. The agents hold a reasonably small footprint and require minimal configuration. IBM says that many of its agents don't need to be installed on managed resources, but can manage multiple resources remotely from a single server.

Before any identity management can occur, existing HR applications and the directory must be integrated. For this task, IBM used TDI (Tivoli Directory Integrator), a Java application that functions as an intersection of identity data, both for initial integration and as a permanent connector when needed. TDI runs on Linux and Windows and offers a clear view of any managed resource. In the test, this tool was primarily used to map data from the HR database to AD -- and vice versa -- providing the IBM engineers with a fluid way to manipulate the data.

By pulling in MySQL Java connectors to the TDI tool and working with AD via LDAP, an IBM engineer was able to quickly map database fields to LDAP fields and create a custom connector to move data between them in whole or in part based on triggers, schedules, or manual intervention. TDI handled all integration tasks with aplomb, providing simple methods to reformat disparate data, such as consistently formatting phone numbers, Social Security numbers, and birth dates. We were quite taken with this tool.

The test scenarios caused IBM some fits and starts. At times their own interface seemed to stymie the IBM engineers, but those moments were brief. Overall, every aspect of the test was completed satisfactorily, including the extra-credit portions of integrating the z/OS and Lotus Notes servers. Then again, those are IBM products.

The relative immaturity of the ITIM Web GUI was notable throughout the test. This interface allows admins to create and modify end-user pages, drawing on a wide array of page layout and functionality choices. For instance, it's relatively simple to declare the database fields a user sees when viewing company directory information or modifying his or her personal data, and whether certain fields may be modified at all.

The overall navigation of the UI, however, isn't so clear. In many places, the only way to construct certain actions is to plug JavaScript code snippets into small text fields in the UI. This provides some power, but it's also significantly more complex and substantially less elegant than we expected. At times it seemed like trying to open a window with a brick. Also, the solution is bereft of any undo capabilities. After you've configured and begun running an action -- say, to reconcile AD data with an HR database -- you can't easily step back to a previous state; you can try to revert only by constructing another action. On the plus side, a simulation feature allows you to try policies before enabling them.

The workflow functions of ITIM are top-notch. A GUI representation of a workflow is presented in a Java applet, allowing users to drag elements around to create approval steps, assign tasks, and so forth.

The reporting engine of ITIM is vast and complex. It's possible to generate reports containing nearly any data present in the system, but again, it's a little challenging to assemble the data in a logical form. Crystal Reports integration is present, however, and Crystal would be our reporting tool of choice in an actual implementation.

ITIM took the same approach the Courion suite did when discovering Harry's breach, but ITIM went a step further. After detecting the rogue admin account during a reconciliation run, ITIM simply deleted the account and set a flag to define the action taken. Automatic deletes may seem a bit draconian to many admins, but if you rely on the identity manager as your central, official record of identity data, then you should trust it -- it could be a lifesaver.

All told, IBM Tivoli Identity Manager is a reasonably priced package that can handle the more esoteric aspects of any enterprise. It provides a solid, fast back end and great integration tools, but integrating ITIM into a production network takes skill. You'll likely need outside help to get the implementation off the ground.

Microsoft Identity Integration Server 2003 Enterprise Edition

Of all the contenders here, MIIS (Microsoft Identity Integration Server) 2003 stands out in two ways. First, it's by far the cheapest, at least at first glance (more on that later). Second, it's unique in leveraging several features of Windows, as well as other Microsoft tools, to accomplish tasks other identity management servers handle alone.

For example, publishing our corporate white pages took only a few minutes using Windows SharePoint Services and AD. One of our requirements was that only HR personnel be able to see birth dates and Social Security numbers through the intranet directory. As it turned out, Microsoft didn't even need to set up special permissions within the white pages because SharePoint can respect AD permissions.