This is somewhat more of a survey question than a specific question. (I assume that is still OK.)
I work as a consultant doing Identity Management projects. We focus mostly on Novell's Identity Manager product, which we find to be quite good.
I am curious to know what IDM products you have used, and what strengths and weaknesses you have seen in them.
I can start off with Novell's product.
Lots of connectors, that are truly bidirectional, password sync included, not just pushing passwords. (We have deployed the AD, eDir, Notes, AS400, NIS/NIS+, LDAP, JDBC, HTML Screen scraper, TN3270 Screen scraper, SAP HR, SAP UM, Remedy drivers, and there are still many more we have not touched yet like the SAP GRC, Netweaver, RACF/TopSecret/ACF2 drivers)
Event driven, which can be very powerful.
Good workflow engine.
Scalable. (We have a client with 150 eDir and AD drivers in production, 500K users).
Excellent design tools. (Novell Designer for Identity Manager).
Straightforward design language for manipulating events. (DirXML Script).
There are lots of other products out there:
IBM's Tivoli Identity Manager (TIM)
Sun's Identity Manager
Oracle Identity Manager
Courion
Hitachi's (formerly Mtech out of Calgary) ID-Synch and P-Synch
MS ILM
Which have you used, and what has your experience been like? What strengths and weaknesses have you seen?
I've spent some time prototyping Microsoft's Identity Lifecycle Manager a year ago. They've moved things around since then, so this may not be accurate of the current state of the product. At the same time I did spend time working with Novell IDM.
ILM had some marked differences from IDM.
Novell IDM really is the top tier of identity management solutions. It has been on the market for the longest and has had a chance to really solidify its feature set and mind-share. Even though it cost w-a-y more than ILM, you really do get what you pay for. In the end, in our environment the cost of ILM versus IDM would have been a wash due to the additional man-hours required to get an ILM-based environment up and running.
In the end we decided that the cheapest way was to continue rolling our own. We already had a home-built system in place, and the cost projections were not that much different than an IDM/ILM implementation project would have been. Inertia won.
I'm only involved on the periphery of a Sun IdM project, and the only consistent comments I've heard so far are about the rather odd XPRESS scripting language involved. It's XML-based, and like no other scripting language.
Strangely, even though the Sun IdM is almost completely built with Java, you can't use Java or any other common language to write the data transforms, workflow, import/exports, etc.
The only part I can vouch for, the Active Directory connector, appears to work quite nicely and is highly customisable, allowing virtually unlimited attribute and class management (not out of the box, mind you) as well as some AD security management.
I'd like to expand on Froosh's comments regarding SUN IDM...
The XPRESS language is a bit odd, but is the result of SUN purchasing the IDM solution from Waveset. While he is correct that you can't write a workflow from Java exclusively, you can "invoke" Java classes from inside XPRESS and pass in arguments.
The solution as a whole isn't horrible, but you write everything in XPRESS, which is then converted / interpreted into Java classes, so there is a lot of overhead.
While you look into IDM solutions, keep in mind that with Oracle's acquisition of SUN, it is likely that SUN IDM will be transitioned/migrated somehow to Oracle's solution.
I've studied several solutions and I'd rank them as follows (keep in mind each has their niche)
I haven't had a chance to study Microsoft's solution, but if you're a Microsoft shop it integrates very well (from what I've heard) with AD and SharePoint.
--John
We are in the stage of looking for a good IDM solution among Oracle, Sun, Microsoft and Novell. By any chance do you have a comparison chart which can tell us the strengths and weaknesses?
Your help is highly appreciated.
-Srini