THE COMPLETE BUYER’S GUIDE for IDENTITY MANAGEMENT
October 2008
Abstract
If you are currently evaluating identity management solutions, this guide provides the information and tools to help you make the right decision. The first section of the guide is a business primer that examines the role of identity management in addressing today’s business opportunities and challenges and discusses the characteristics of an effective solution. The second section offers decision-making tools you can use to ensure that your selection is best suited to your business needs and technology environment.
Sun Microsystems, Inc.
Table of Contents
Executive Overview ... 3
  What’s Included ... 4
Business Primer: Identity Management Trends, Opportunities and Solutions ... 5
  Increasing Business Value While Reducing Costs and Risks ... 5
    Improve Access and Service ... 5
    Become More Secure and Compliant ... 6
    Reduce Costs and Complexity ... 6
  Building Value on a Secure, Sustainable Identity Infrastructure ... 7
  Assessing Sun Identity Management ... 8
  Exploring Sun’s Identity Management Offerings ... 9
    Key Business Benefits of Sun Identity Management ... 11
    Improving Real-World Results with Sun Identity Management ... 12
Key Considerations for Evaluating Identity Management Solutions ... 13
  Buyer’s Checklist for Identity Management ... 13
    Identity Lifecycle Management and Auditing ... 13
    Role Management ... 26
    Access Management ... 27
    Federation Services ... 28
    Directory Services ... 29
    Sun’s Commitment to Industry Standards ... 38
    Sun’s Commitment to Open Source Communities ... 40
  End-to-End Identity Management from Sun ... 42
Take the Next Step ... 42
  Glossary of Terms ... 43
Chapter 1
Executive Overview
A New Business Paradigm
The network is ushering in a new era of business growth and opportunity. All around us—in the enterprise, in the developer community, between businesses and consumers, and in the public sector—people are using network communications to interact and collaborate in ways that were impossible just a few years ago. These new capabilities have quickly created new expectations for today’s enterprise.
For more and more users, the network is the nexus of engagement. As the hunger for
online services grows, a new set of requirements emerges for users and businesses
alike:
• Users’ expectations for more choices, along with better content and services, will only continue to increase
• Businesses are eager to meet those expectations by extending their reach and making more new applications and services available—while still controlling business risk
• Competitive pressures are pushing enterprises to generate new lines of revenue and new customers through rapid delivery of new services
• Meanwhile, businesses must also focus on keeping the current customer base happy and loyal by enhancing existing service offerings and delivering an outstanding customer experience
http://www.sun.com/identity/
All together, this presents a new paradigm for the way people deploy, access, and use networked information, applications, and resources. Barriers to access are falling away, freeing users and businesses to take the online experience to the known limits and beyond.
This shift brings about a tremendous opportunity for businesses, yet it also requires ubiquitous access in which user identity is an essential enabler. Extending the enterprise’s reach to more users than ever, after all, requires trust. And trust requires identity. Today, there is an undeniable, urgent need for businesses and individuals to know who’s on the other end of their transactions, to trust that entity, and to be confident that the information they share is safe with them. Identity management holds the answers to these needs.
By providing everything required to effectively manage identities across traditional business boundaries, identity management makes it possible to securely deliver the right resources to the right people at the right time and in the right context. In this way, it can enable businesses to dramatically accelerate growth while leaving competitors far behind—and to do so safely and securely.
What’s Included in this Guide
• Business Primer—A look at identity management trends, opportunities and solutions.
• Buyer’s Checklist—What to look for when evaluating solutions.
• Industry Standards Fact Sheet—Reference information for key initiatives.
• Open Source Projects—Reference information for key projects.
• Glossary—Definitions of industry terms.
Chapter 2
Business Primer: Identity Management Trends, Opportunities and Solutions
Increasing Business Value While Reducing Costs and Risks
Today’s identity management solutions must address multiple business goals and serve competing, changing requirements. Consider the priorities of today’s executives:
• How do we improve the customer experience by providing secure access to information and services while also expanding our selling opportunities?
• How do we enforce company security policies and comply with legal mandates, yet still provide open access to information, applications, and systems for growing numbers of customers, partners, and employees?
• How do we reduce IT costs and complexity while at the same time have all the resources we need to get to market quickly?
These are just a few of the conflicting demands that companies must meet today.
Effective identity management can help meet them.
Improve Access and Service
Doing business electronically is a requirement for competing in today’s business
environment. The result is dramatic expansion in the number and variety of users
who require access to critical information resources, and in the ways in which they
gain access.
Figure 2. IT must address multiple, conflicting business goals
Access takes many forms. It can mean providing customers with readily available, Web-based access to self-help, information, and online services to improve the experience and to create new revenue opportunities for the enterprise. It can mean creating secure online environments where employees and partners work together across traditional business boundaries to get new products and services to market faster. Whatever the circumstances, the challenge is to open up the enterprise to new ways of conducting business while at the same time ensuring that information assets remain secure and privacy is protected.
Become More Secure and Compliant
One of the most powerful drivers for identity management is to ensure that corporate information assets and privacy remain well protected as access expands for both internal and extranet-based users. The key is to balance the level of acceptable risk to the enterprise with its reach into new and expanded markets.
Part of managing risk is complying with numerous laws and regulations stemming from the growing worldwide concern about the security and privacy of information. Businesses are challenged to comply with the requirements of these regulations while staying competitive by speeding time to market, improving quality of service, and increasing profit. To meet all of these demands, businesses need a unified identity management infrastructure that:
• Supports effective governance, risk, and compliance (GRC) initiatives in the enterprise
• Handles the everyday identity management tasks that enable effective GRC on an ongoing basis
Reduce Costs and Complexity
Cost reduction has become a fact of life for business, but it cannot be achieved at the expense of business results. Enterprises are looking for technology solutions that bring a higher degree of efficiency, leading to faster time-to-market, while also helping to reduce ever-increasing demands on help desks and IT staffs.
The online business requires a flexible identity infrastructure that meets the growing and changing needs of employees, partners, and customers, on a day-to-day basis over time—without requiring costly investment and complex reinvention to accommodate growth and change. This infrastructure must support “anytime, anywhere” access with security, dynamic assembly and disassembly of teams, single sign-on, and easy integration with existing enterprise applications. And most importantly, it must be easily adaptable and scalable so the business can quickly take advantage of new opportunities.
Building Value on a Secure, Sustainable Identity Infrastructure
A secure, sustainable identity infrastructure can help your business to:
• Create new revenue opportunities by securely sharing resources beyond boundaries in collaborative business networks, and by using those networks to efficiently and securely deliver services online
• Ensure regulatory compliance through a sustainable approach that makes security and compliance a simple part of everyday business, rather than a resource-intensive, audit-driven event
• Reduce time and costs associated with everyday identity-related tasks by automating relevant activities and processes and making them easily repeatable as enterprise requirements grow
A comprehensive identity management solution provides everything required to create a secure, sustainable identity infrastructure by addressing the 4 A’s of identity management:
Authentication—Quickly verify user identities
• Authenticate and authorize all user requests for secure applications and services with one integrated solution, regardless of where the requests come from or where the applications and services reside
Authorization—Control user access
• Ensure that only authorized users may access protected resources based on specific conditions, and that they are granted access only after proper authentication
• Provide role- and rule-based authorization for centralized policy enforcement
Administration—Manage users and assets
• Provide a highly scalable deployment option for incorporating secure identity administration (e.g., registration, self-service, delegated administration) and federated provisioning capabilities into extranet-facing applications and portals
• Accelerate the introduction of new, revenue-generating applications and services without having to compromise on security or compliance controls
Auditing—Automatically document what happened
• Audit identities across enterprise applications and systems
• Eliminate manual effort and enable continuous compliance by automatically scanning for, identifying, and fixing policy violations
• Provide a clear trail of access requests so auditors can identify and correct potential regulatory violations
• Include packaged policies as a starting point to help achieve compliance faster
Assessing Sun Identity Management
Sun identity management solutions are designed to meet the complex, demanding requirements of today’s enterprise with capabilities for provisioning and auditing, role management, access management, and directory services—both within and beyond the enterprise.
Recognition from Analysts and Identity Community Leaders
Forrester ranked Sun as a Strong Performer in the Forrester Wave for Identity and Access Management.
Forrester Wave for Identity Access Management, Q1 2008, Andras Cser, 14 March 2008
Gartner positioned Sun in the Leaders Quadrant of its “Magic Quadrant for Web Access Management.” Gartner places companies in the “Leaders quadrant” based on strong products and strong year over year growth.
Magic Quadrant for Web Access Management, 2H07—Ray Wagner, Earl Perkins, 29 October 2007
Gartner positioned Sun in the Leaders Quadrant of its “Magic Quadrant for User Provisioning.” Those in the Leaders Quadrant demonstrate balanced progress and effort in all execution and vision categories. “Sun’s actions raise the competitive bar for all products in the market, and they change the course of the industry.”
Magic Quadrant for User Provisioning, 1H06—Roberta Witty, Ant Allan, Ray Wagner, 25 April 2006; 2H07—Earl Perkins, Roberta Witty, 23 August 2007
Forrester ranked Sun as #1 in both current offering and market presence. “Sun stands out as functionally superior and sets the gold standard for user account provisioning...Sun Microsystems is a market leader for a reason—its product delivers superior provisioning functionality with the highest ease of use.”
Forrester Wave: User Account Provisioning, Q1 2006
SC Magazine gave Sun Identity Manager five out of five stars for its large-scale performance and emphasis on compliance and auditing, and praised its ease of use. Sun’s solution was said to focus on “creating and managing provisioning workflows quickly and easily, as well as auditing and compliance.”
SC Magazine, 01 January 2008
Information Security Magazine product reviews named Sun a HotPick. “Sun Java System Identity Manager excels with agentless connectors, scalability, and amazing auditing.”
Information Security Magazine, March 2007
Specific Advantages of Working with Sun
Industry leadership
Sun manages billions of user identities worldwide for more than 5000 organizations.
Freedom of choice
Sun’s partnerships with leading system integrators mean that organizations can work with the deployment specialists of their choice to roll out Sun identity management solutions. Sun’s commitment to open-source software means that software integrators and their customers have complete access to Sun software for development. In addition, Sun offers product and suite pricing models to optimally match license pricing with specific needs.
Freedom to grow
As business relationships and customers proliferate, Sun identity management products are designed to provide a high level of scalability that can enable organizations to accommodate more users and resources without requiring an entirely new investment in identity management capabilities.
Technology innovations
Sun identity management solutions are based on open standards, making them easy to integrate with existing technology infrastructures, and demonstrating Sun’s leadership in developing and promoting technology standards. Sun was the first to introduce an integrated provisioning and identity auditing solution and a complete and comprehensive solution for identity-based compliance.
Return on investment (ROI)
The open architecture that characterizes Sun identity management makes the process of applying identity management to numerous networked resources faster and simpler. With deployment time reduced from months to weeks, ROI payback can be measured in months instead of years. Sun identity management solutions also deliver continuing financial improvement by reducing ongoing administration costs up to 30%.
Exploring Sun’s Identity Management Offerings
Sun’s comprehensive set of identity management solutions enables organizations to securely manage, protect, store, verify, and share data both internally and across extranets. For organizations seeking to improve access, become more secure and compliant, and reduce costs and complexity, Sun offers the only complete identity management portfolio that provides the open access, open source, and open standards to support business growth—without sacrificing the security and integrity of sensitive data and resources.
Sun Java™ System Identity Manager: Identity lifecycle management and identity auditing
Sun Identity Manager provides the comprehensive functions to apply and enforce security policy and meet compliance and audit requirements. The solution’s non-invasive architecture enables easy, fast implementation, with simplified connections that use agentless adapters to speed deployment across platforms, applications, databases, and directories. Key features include:
• Streamlined, integrated provisioning and auditing capabilities, including industry-leading user provisioning and synchronization
• Auditing that goes beyond simple reporting to provide automated reviews, proactive scanning, and consistent enforcement
• Preventative and detective compliance, including policy violation tracking and expiration capabilities to handle exceptions
Sun Role Manager: Role generation and role management
Sun Role Manager dramatically simplifies exception control by applying enterprise access policies based on user roles rather than on individual access privileges. It is the most complete solution for companies to address role management and identity-based compliance challenges by simplifying existing manual processes and bringing greater alignment between business and IT.
• Robust role management including role engineering and ongoing role maintenance as well as role certification by business unit managers or role owners
• Enterprise-level monitoring of access at the role level to detect and address policy conflicts for enhanced audit effectiveness
• Dashboard view of certification status and policy exceptions to simplify administration
Sun Identity Compliance Manager: Access control compliance
Sun Identity Compliance Manager reduces the risk associated with access control and facilitates successful identity audits by continually monitoring actual access against defined security policies and by automating existing manual access certification processes.
• Most deployed identity compliance solution in the market
• Delivers proven, repeatable deployment execution and promised ROI
• Provides seamless integration with the Sun Identity Management Suite, other IAM products, and leading SIEM and IT GRC vendors
Sun OpenSSO Enterprise: Web access management, federation, and secure Web services
Sun OpenSSO Enterprise was designed to help today’s enterprise address every aspect of the SSO challenge—both internal and external, both immediately and as the organization’s needs evolve. Based on technologies developed in the open-source OpenSSO community, it is the only solution that provides Web access management, federated single sign-on and Web services security in a single, self-contained Java application.
• Optimized for both internal Web access management and extranet authentication
• Fast, lightweight federation capability that allows identity providers and service providers to be connected in minutes
• The only standards-based solution to provide an end-to-end secure Web services solution with no plug-ins or special tooling required
• Designed with repeatable, scalable tasks for rapid deployment of multiple instances
Sun Directory Server Enterprise Edition: Enterprise-class directory services
Sun Directory Server Enterprise Edition is the only high-performance directory server with essential data services—including proxy, virtual directory, and data distribution—to provide highly available directory services all in one solution.
• High performance, highly scalable directory for enterprise and carrier-grade
environments
• Robust security controls, including complete visibility into access requests
• Flexible replication capabilities for availability in distributed environments
• Integrated data services, including virtualization and distribution
Sun OpenDS Standard Edition: Open source-based commercial directory offering
Sun OpenDS Standard Edition is the world’s first commercially available pure Java-
based directory server that is based on the technologies developed in the open
source OpenDS community. Sun OpenDS Standard Edition brings to market in one
product a standalone and embeddable LDAP v3 compliant directory that is easy to
install, use, manage, and extend.
• Simple installation with intuitive administration
• Advanced security and password policies to protect sensitive identity data
• Advanced backup and restore capabilities to help ensure data availability and
reliability
• Small footprint for easy installation and embedding into other applications and
solutions
Key Business Benefits of Sun Identity Management
Sun identity management enables businesses to extend reach while reducing risk by:
• Empowering them to deliver open, secure access to customers, suppliers, and partners, through broad support for secure, sustainable identity processes
• Protecting sensitive information and resources from internal and external threats in the online global economy
• Making it easier to tackle today’s tremendous compliance challenges with robust auditing and reporting capabilities and strong support for GRC initiatives
Improving Real-World Results with Sun Identity Management
Sun identity management has delivered measurable results in key areas to a broad range of organizations in both the private and public sectors. Here are just a few examples:
Improve Access and Service
• Athens International Airport: Immediate access to secure applications
• GM: Simplified information access for 321,000 employees worldwide
• RouteOne: Acceleration of loan process for 40 million transactions annually
• T-Mobile: Rapid access to new services for 20 million subscribers
• Lake Superior State University: Instant access to campus systems
• Swisscom Mobile AG: Significantly improved the efficiency of their customer service at their points of sale
Become More Secure and Compliant
• ADP: Integration of processes to streamline regulatory compliance efforts
• DaimlerChrysler: Centralized directory to help meet requirements of privacy laws
• Mobile TeleSystems (MTS) Ukraine: Cut the time required for compliance audits from one week to 8 hours
Reduce Cost and Complexity
• Caremark: 80% reduction in administrative staff
• GE: Automation of accounts to make over 300,000 employees and contractors more productive
• Western Michigan University: Accelerated provisioning of new students
• Henkel: New technology implementation in months instead of years
Chapter 3
Key Considerations for Evaluating Identity Management Solutions
Buyer’s Checklist Contents
Identity Lifecycle Management and Auditing
• Automated Provisioning
• Password Management
• Identity Synchronization Services
• Enterprise Architecture Considerations
• Extranet Architecture Considerations
• Identity Audit
Role Management
• Role Management
Access Management
• Access Management
Federation Services
• Federation Services
Directory Services
• Directory Services
• LDAP Directory Services
• Directory Proxy Services
• Active Directory Synchronization
• Web-based Viewer/Editor
• Directory Server Resource Kit
• Open Directory Services
Buyer’s Checklist for Identity Management
As you evaluate various identity management solutions, use this checklist to compare key architecture components and designs as well as features and functions.
Identity Lifecycle Management and Auditing
AUTOMATED PROVISIONING (YES / NO)
• Does the solution create, update, and delete user accounts across the enterprise environment, including Web-based and legacy systems and apps?
• Is the solution Web-based and available to administrators from any Web browser?
• Is the solution designed to support users both inside (employees) and outside (partners, suppliers, contractors) the enterprise?
• Can you easily and quickly find a user (or a group of users) and view their access privileges?
• Does the solution allow you to instantly revoke all of a user’s access privileges?
• Does the solution leverage existing infrastructure (e-mail, browsers) to facilitate automated approvals for account creation?
• Does the solution offer an automated approval mechanism with zero-client footprint?
• Does the solution provide the flexibility to map to your existing business processes?
If you answered yes to the previous question:
• Are serial approval processes supported?
• Are parallel approval processes supported?
• Does the solution provide automatic approval routing to persons appropriate to the system access requested (e.g., system owners) and organizational structure (e.g., managers)?
• Can the solution dynamically determine routing of approvals based on defined organizational information (for example, Microsoft Active Directory—to determine who the user’s manager is and route approval to that manager)?
• Does the solution allow delegation of approval authority to another approver (or multiple approvers)?
• Can the solution automatically escalate a request to an alternative approver if allotted time elapses?
• Can the solution request information from applications or data stores during the approval process?
• Can the solution support rule-based routing of approvals?
• Can the solution require automated approvals for deleting or disabling accounts?
• Can the solution require automated approvals for changing account values?
• Does the solution provide the ability to request information from approval participants to define account-specific information during the process?
• Does the solution support creating custom approval screens and keeping them compatible in the upgrade process?
• Can the solution fully automate the routine identity management processes in your environment?
15. 15 Key Considerations for Evaluating Identity Management Solutions Sun Microsystems, Inc.
Can added accounts for new users in an authoritative source (e.g., HR database, directory) drive automated approvals and account creation?
Can changes in user status (e.g., job promotion captured in HR system) automatically drive changes in user access privileges?
Can information in an HR database on employees departing the organization be used to completely and automatically delete all access privileges on the day of departure?
Can the above processes be fully automated for large groups of users in addition to individuals (e.g., when an acquisition closes or a layoff occurs and a large group of users require automated action)?
Will the solution detect manual changes made in managed systems and automatically respond?
When changes are detected, can the solution alert/notify designated personnel of access rights changes made outside the provisioning system to verify if changes are legitimate?
Once detected changes are approved, will the solution automatically update itself to include those changes?
Can the solution filter manual changes made on target systems so that only relevant identity changes trigger alerts?
If a detected account is not legitimate, can the solution automatically suspend the account?
Can the solution be used to enforce privacy policy?
Does the solution support role-based access control?
Does the solution support assignment of users to multiple roles?
Does the solution support the assignment of users to hierarchical or inherited roles?
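The detect-and-respond questions above describe a reconciliation loop. As an added example (not code from the guide or from any Sun product), the sketch below compares a managed system's current accounts with the state the provisioning system last wrote, ignores attribute changes that do not affect access, records an alert for every out-of-band change, suspends accounts that no known identity owns, and adopts a change once an approver confirms it. The account records and the list of access-relevant attributes are constructed sample data.

```python
from dataclasses import dataclass, field

# Out-of-band changes to these attributes affect access and must be surfaced;
# changes to anything else (e.g. a free-text description) are filtered out.
RELEVANT_ATTRS = {"groups", "enabled", "shell"}


@dataclass
class Account:
    uid: str
    attrs: dict


@dataclass
class Finding:
    kind: str                 # "changed", "orphan" or "missing"
    uid: str
    detail: dict = field(default_factory=dict)   # attr -> (expected, actual)


@dataclass
class Reconciler:
    # What the provisioning system last wrote to the resource, keyed by uid.
    expected: dict
    alerts: list = field(default_factory=list)   # findings sent to designated personnel
    suspended: set = field(default_factory=set)

    def reconcile(self, actual: dict) -> list:
        """Compare the resource's current accounts with the expected state."""
        findings = []
        for uid, acct in actual.items():
            exp = self.expected.get(uid)
            if exp is None:
                # No identity owns this account: treat it as illegitimate and suspend it.
                acct.attrs["enabled"] = False
                self.suspended.add(uid)
                findings.append(Finding("orphan", uid))
                continue
            keys = (set(exp.attrs) | set(acct.attrs)) & RELEVANT_ATTRS
            diff = {k: (exp.attrs.get(k), acct.attrs.get(k))
                    for k in sorted(keys) if exp.attrs.get(k) != acct.attrs.get(k)}
            if diff:
                findings.append(Finding("changed", uid, diff))
        for uid in sorted(self.expected.keys() - actual.keys()):
            findings.append(Finding("missing", uid))
        self.alerts.extend(findings)
        return findings

    def approve(self, finding: Finding) -> None:
        """An approver confirmed the change is legitimate: adopt it as expected state."""
        for attr, (_expected, observed) in finding.detail.items():
            self.expected[finding.uid].attrs[attr] = observed


def run_demo() -> dict:
    """Constructed sample run: one relevant drift, one noise-only edit, one orphan, one deletion."""
    rec = Reconciler(expected={
        "alice": Account("alice", {"groups": ["dev"], "enabled": True, "description": "Dev"}),
        "bob":   Account("bob",   {"groups": ["ops"], "enabled": True, "description": "Ops"}),
        "carol": Account("carol", {"groups": ["finance"], "enabled": True}),
    })
    actual = {
        "alice": Account("alice", {"groups": ["dev", "wheel"], "enabled": True, "description": "Developer"}),
        "bob":   Account("bob",   {"groups": ["ops"], "enabled": True, "description": "Ops team"}),
        "svc_backup2": Account("svc_backup2", {"groups": ["backup"], "enabled": True}),
    }
    first = rec.reconcile(actual)
    # The designated approver confirms alice's new group is legitimate ...
    rec.approve(next(f for f in first if f.uid == "alice"))
    # ... so the next pass reports only what is still unresolved.
    second = rec.reconcile(actual)
    return {"first": first, "second": second, "suspended": rec.suspended, "actual": actual}


if __name__ == "__main__":
    for f in run_demo()["first"]:
        print(f.kind, f.uid, f.detail)
```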
Does the solution provide the ability to specify exclusionary roles that prevent certain roles from being assigned a conflicting role?
Can the solution assign resource account attribute values with the role?
Does the solution allow roles to be defined at any time, or not at all, rather than requiring role definitions prior to implementation?
Does the solution enable you to leverage key information systems in your environment as a source of authority on identity information to drive automated provisioning (e.g., detect new employees added to PeopleSoft and automate provisioning based on that change)?
Can the solution assign users to more than one role?
Can the solution assign users’ individual access rights in addition to a role?
Does the solution dynamically and automatically change access rights based on changes in user roles?
Can the solution generate unique user IDs consistent with corporate policies?
Does the solution support rule-based access control that allows provisioning rules to be set and enforced on roles, users, organizations, and resources as needed in order to align with business needs?
Is the solution easy to use for both end-users and administrators?
Is the solution highly scalable to adapt to growth in users, applications, and access methods?
Does the solution work securely over WANs and across firewalls?
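The role questions above (inherited roles, multiple roles per user, exclusionary roles, attribute values carried by a role, individual rights alongside roles, and access that changes with the role set) describe one role model. As an added example, not code from the guide or any Sun product, the block below implements that model and computes the grant/revoke delta when a user's roles change. The role catalogue, resources and attribute values are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    name: str
    # (resource, attribute, value) triples the role provisions on target systems
    entitlements: frozenset = frozenset()
    parents: tuple = ()                 # roles this role inherits from
    excludes: frozenset = frozenset()   # roles that may not be held together with this one


class RoleModel:
    def __init__(self, roles):
        self.roles = {r.name: r for r in roles}

    def effective_roles(self, assigned) -> set:
        """Close the assigned roles over inheritance: a role implies all its ancestors."""
        seen, stack = set(), list(assigned)
        while stack:
            name = stack.pop()
            if name not in seen:
                seen.add(name)
                stack.extend(self.roles[name].parents)
        return seen

    def conflicts(self, assigned) -> list:
        """Exclusionary-role violations, checked on the effective set so that an
        inherited role conflicts just like a directly assigned one."""
        eff = self.effective_roles(assigned)
        pairs = {tuple(sorted((a, b))) for a in eff for b in self.roles[a].excludes if b in eff}
        return sorted(pairs)

    def entitlements(self, assigned, direct=frozenset()) -> set:
        """Everything provisioned by the effective roles plus individually granted rights."""
        ents = set(direct)
        for name in self.effective_roles(assigned):
            ents |= self.roles[name].entitlements
        return ents

    def change_roles(self, old_roles, new_roles, direct=frozenset()) -> dict:
        """Provisioning delta when a user's roles change: what to grant and what to revoke.
        Direct grants are untouched; a conflicting target assignment is refused."""
        bad = self.conflicts(new_roles)
        if bad:
            raise ValueError(f"exclusionary roles violated: {bad}")
        before = self.entitlements(old_roles, direct)
        after = self.entitlements(new_roles, direct)
        return {"grant": sorted(after - before), "revoke": sorted(before - after)}


def build_sample_model() -> RoleModel:
    """Constructed role catalogue: a base role, an engineering branch, and a finance
    branch whose clerk and approver roles are mutually exclusive."""
    return RoleModel([
        Role("employee", frozenset({("mail", "mailbox", "standard"),
                                    ("ldap", "memberOf", "cn=staff")})),
        Role("engineer", frozenset({("gitlab", "access_level", "developer"),
                                    ("ldap", "memberOf", "cn=dev")}), parents=("employee",)),
        Role("finance-clerk", frozenset({("erp", "role", "AP_CLERK")}),
             parents=("employee",), excludes=frozenset({"finance-approver"})),
        Role("finance-approver", frozenset({("erp", "role", "AP_APPROVER")}),
             parents=("employee",), excludes=frozenset({"finance-clerk"})),
        Role("treasury-lead", frozenset({("erp", "role", "TREASURY")}),
             parents=("finance-approver",)),
    ])


if __name__ == "__main__":
    model = build_sample_model()
    # An engineer moves into the finance clerk role; employee-level access is kept.
    print(model.change_roles({"engineer"}, {"finance-clerk"}, direct={("vpn", "profile", "remote")}))
    # The treasury lead inherits finance-approver, so holding finance-clerk too is a conflict.
    print(model.conflicts({"finance-clerk", "treasury-lead"}))
```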
Does the solution provide an interface to third-party workflow management applications?
Does the solution allow resource groups (such as an NT group) to be created from the interface?
Does the solution provide directory management capabilities, specifically the ability to create, update, and delete organizational units and directory groups?
Does the solution support pass-through authentication where a user can be validated by a managed user account?
Does the solution support all of the leading database servers and application servers?
Does the solution support provisioning to mainframe security managers such as Top Secret, RACF, and ACF2?
Does the solution support provisioning to heterogeneous ERP environments including SAP and Oracle Applications?
Does the solution support provisioning to non-digital assets (e.g., mobile phones, badges, etc.)?
PASSWORD MANAGEMENT YES NO
Does the solution provide password strength enforcement?
If you answered yes to the previous question:
Does the solution provide a password exclusion dictionary?
Does the solution provide a password history store to prevent re-use of old passwords?
Does the solution allow users to manage their own passwords, including resetting passwords?
If you provide an automated process for users managing passwords, does the solution include a challenge/response?
Can policy be set on challenge authentication questions (e.g., how many responses are required based on a user’s organization)?
Does the solution support customers providing their own self-service challenge authentication questions?
Does the solution allow end users to synchronize their passwords across multiple accounts?
When users change or synchronize passwords, does the solution enforce password strength policy?
Does the solution include a success/failure notification for password reset and synchronization?
Does the solution allow end users to access new accounts or access new services or applications?
If you answered yes to the previous question:
Are required approvals enforced when users request new accounts or access to new resources?
Can users update personal attribute information (address, cell phone number, etc.) and have that information automatically propagated to the appropriate resources?
Can the solution support accessing the Web-based user self-service functions without requiring network log-in?
Does the solution integrate with interactive voice response (IVR) for password reset functions?
Can the user view the status of the request from a Web interface?
Does the solution support a kiosk mode to be configured for users to change passwords from any terminal?
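The password management questions (strength enforcement, an exclusion dictionary, a history store that blocks re-use, and a challenge/response count that depends on the user's organization) combine into one policy engine. As an added example, not taken from the guide or from any Sun product, the block below implements those checks; the history store keeps only salted PBKDF2 digests, never the passwords themselves. The policy values, organization names and candidate passwords are constructed.

```python
import hashlib
import hmac
import os
import string
from collections import deque
from dataclasses import dataclass, field


@dataclass
class PasswordPolicy:
    min_length: int = 12
    min_classes: int = 3                 # of: lower, upper, digit, symbol
    exclusion_dictionary: frozenset = frozenset()   # lower-case words banned anywhere in a password
    history_depth: int = 5               # previous passwords that may not be reused
    challenge_answers_by_org: dict = field(default_factory=dict)
    default_challenge_answers: int = 2

    def strength_violations(self, password: str) -> list:
        """Return the policy rules the candidate password breaks (empty list = acceptable)."""
        violations = []
        if len(password) < self.min_length:
            violations.append("length")
        classes = sum(any(c in cls for c in password) for cls in
                      (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation))
        if classes < self.min_classes:
            violations.append("complexity")
        lowered = password.lower()
        if any(word in lowered for word in self.exclusion_dictionary):
            violations.append("dictionary")
        return violations

    def challenge_answers_required(self, org: str) -> int:
        """Number of challenge/response answers a user must supply, set per organization."""
        return self.challenge_answers_by_org.get(org, self.default_challenge_answers)


class PasswordService:
    """Self-service password changes with strength enforcement and a salted-hash history store."""

    def __init__(self, policy: PasswordPolicy):
        self.policy = policy
        self.history = {}   # user -> deque of (salt, digest), newest last

    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def used_before(self, user: str, password: str) -> bool:
        # The history holds only salted digests, so each entry is re-derived and compared.
        return any(hmac.compare_digest(self._digest(password, salt), digest)
                   for salt, digest in self.history.get(user, ()))

    def change_password(self, user: str, new_password: str) -> list:
        """Apply the policy; on success record the new password in the history and return []."""
        violations = self.policy.strength_violations(new_password)
        if self.used_before(user, new_password):
            violations.append("reused")
        if violations:
            return violations
        salt = os.urandom(16)
        store = self.history.setdefault(user, deque(maxlen=self.policy.history_depth))
        store.append((salt, self._digest(new_password, salt)))
        return []


def build_sample_service() -> PasswordService:
    """Constructed policy: 12+ characters, 3 character classes, a small exclusion list,
    a two-deep history, and finance users answer three challenge questions."""
    return PasswordService(PasswordPolicy(
        exclusion_dictionary=frozenset({"password", "welcome", "sunmicro"}),
        history_depth=2,
        challenge_answers_by_org={"finance": 3},
    ))


if __name__ == "__main__":
    svc = build_sample_service()
    for candidate in ("Welcome2008!", "short1A!", "Tr0ub4dor&Horse-Battery", "Tr0ub4dor&Horse-Battery"):
        print(candidate, svc.change_password("alice", candidate) or "accepted")
```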
IDENTITY SYNCHRONIZATION SERVICES YES NO
Does the solution provide a Web-based interface for individuals to view and edit their personal profile information (such as legal name, mailing address, cell phone, and emergency contact)?
Does the solution provide integration with authoritative systems to detect profile changes and synchronize them where needed (for example, detect title and salary change in the payroll system and update those attributes in the CRM system and LDAP directory)?
Does the solution provide enterprise-wide identity data synchronization, ensuring that profiles are accurate and consistent?
Does the solution provide one interface to view all identity profile data?
If you answered yes to the previous question:
Does the ability to view all identity profile data in one interface require the building of another identity repository?
Does the solution provide a fast scheduling capability to execute time-sensitive actions?
Is the solution agentless, or does it require installing software on each managed resource?
Does the solution provide an incremental synch capability to increase performance?
Does the solution provide data transformation and validation rules during synchronization?
Does the solution support business rules by automatically completing access privilege or profile data changes according to corporate policies?
Does the solution support a large number of connectors to synch between many systems?
Does the solution have an attribute mapping interface?
Can the solution accommodate bi-directional synchronization via any method as determined by target resource capabilities (e.g., event-driven, polling, and reconciliation)?
Can you completely configure data flow into and out of the provisioning system (including attribute mapping, transformations, etc.) via a Web-based interface (for example, the ability to configure detection of a telephone attribute change on Directory A, transformation of the telephone attribute, and propagation of the telephone attribute to Directory B and Directory C without having to resort to coding or scripting)?
ENTERPRISE ARCHITECTURE CONSIDERATIONS YES NO
Is the solution specifically architected for rapid deployment?
Does the solution have a proven track record of rapid deployments?
Does the solution offer agentless connections to managed resources in order to reduce deployment time and simplify operations and maintenance?
Does the solution leverage an intelligent indexing system to manage user identities and access privileges, leaving account information with the information owner and thus avoiding the time-consuming effort of building and maintaining another user repository?
Does the solution provide an automated way to discover and correlate all accounts associated with an individual to speed the account mapping process?
If you answered yes to the previous question:
Does the solution provide a way to engage end-users in the discovery process for their own accounts?
Does the solution support managing accounts for a user who has multiple accounts on the same resource (for example, a user who has an administrative account and a development account both on “Resource A”)?
Does the vendor offer a wizard-style toolkit to extend coverage of managed platforms to custom and proprietary applications?
Does the solution include the ability to connect to resources using existing custom UNIX or Windows scripts? Can customers create new resource adapters by only using operating system scripts?
Does the solution include an Integrated Development Environment (IDE) and debugger built on an industry-accepted standard such as NetBeans?
Does the solution support SPML 2.0?
Does the solution support deploying on all the major database products, including Oracle, UDB DB2, Microsoft SQL Server, and MySQL?
Can the solution be deployed in heterogeneous Web application servers, including BEA Weblogic, IBM Websphere, Apache Tomcat, and Sun Java System Application Server?
Does the solution run on all the major operating systems, including Solaris, AIX, Microsoft Windows, and Linux?
EXTRANET ARCHITECTURE CONSIDERATIONS YES NO
Can the solution scale to meet the needs of the extranet, including peak load registration and self-service (e.g., thousands of updates per minute)?
Does the solution provide built-in transactional integrity for extranet use cases that require guaranteed delivery of high volumes of provisioning transactions?
Does the solution enable non-invasive integration with extranet infrastructure components (e.g., no requirement for directory schema or tree changes; provides agentless connectivity to back-end systems)?
Does the solution deliver service-level visibility into the performance and throughput characteristics of the extranet identity administration system?
Can the solution facilitate automated account linking and correlation across multiple back-end repositories to provide a single view of an external customer?
Does the solution include pluggable auditing for integrating with different auditing data formats, storage locations, and reporting facilities that may already exist in the extranet environment (e.g., merging with existing access logs and reporting systems)?
IDENTITY AUDIT YES NO
Does the solution provide object-level security and auditing to track system change configuration?
Does the solution provide a comprehensive set of predefined reports?
Can the solution be configured to audit and report any and every provisioning action that occurs (e.g., new accounts created, provisioning requests by approver, account changes, failed administrator access attempts, failed user access attempts, password changes, password resets, accounts disabled, accounts deleted, rejected provisioning requests, etc.)?
Does the solution provide a comprehensive view into who has access to which resources?
Does the solution report on who had access to what on a given date?
Does the solution provide the ability to quickly find and report on a user’s (or a user group’s) access privileges?
Can reports be run on demand?
Can reports be scheduled to run on a regular basis?
Does the solution report by administrator (accounts created, accounts modified, accounts deleted, password changes, complete audit history per administrator, administrative capabilities per administrator)?
Does the solution report by platform or application (users per platform, provisioning history per platform, who performed the provisioning actions on target platform)?
Does the solution report on workflow (requests made by user, requests approved by approver, requests denied by approver, requests escalated, delegation of approvals including to whom and for what period of time)?
Does the solution report on roles (users per role, resources per role, approvers per role, changes to roles)?
Does the solution report on delegated administration (delegated administrators, what their administrative privileges are, and over what user groups and what managed platforms)?
Does the solution provide a comprehensive audit log of all actions/modifications carried out through the system?
Does the solution easily integrate with corporate reporting tools (e.g., Crystal Reports, Actuate)?
Can the reports be easily exported into Microsoft Excel, Microsoft Word, or databases directly from the user interface?
Does the solution report by user (audit history per user, accounts/privileges by user, self-service activity by user, role membership)?
Can the solution proactively detect risks such as dormant accounts across all managed platforms?
If you answered yes to the previous question:
Can automated action be taken when certain results are found (e.g., automatically disable dormant accounts, send alert to administrator)?
Can the solution easily report on account-related security risks in the environment?
Can the solution check for these risks on demand?
Can the solution check for account risks on a regularly scheduled basis?
Does the solution provide performance tracking and performance tools like provisioning-time metrics and tracing?
Does the solution provide a graphical interface for creating and managing provisioning workflows, rules, and interface screens?
Does the solution provide the ability for a user to certify that a given set of users has the correct entitlements?
Can the approval process be done through a custom workflow with multiple approvers?
Are the approvals logged in an audit log that satisfies the requirements of external auditors?
Does the solution support the creation and enforcement of policies?
Does the solution support scanning for policy violations?
Does the solution provide a compliance dashboard listing policy violations?
Does the solution reconcile logical and actual access across applications?
Does the solution allow multiple approvers and dynamic approvers?
Does the solution allow multiple levels of remediators?
Does the solution allow remediations with escalation and configurable timeout?
Does the solution provide for flexibility to mature the access review process?
Does the solution scan, detect, and fix violations on a regular schedule?
Does the solution allow access review based on exception?
Does the solution allow access review to be done by multiple indices, orgs, managers, and applications?
Does the solution allow creation of audit rules that are cross-platform?
Can the solution allow entitlements to be changed during the review process?
Does the solution provide for manager attestation?
Does the solution provide for policy-based periodic access review?
Does the solution address erroneous aggregation of privileges?
Does the solution provide for automated remediation or “Actionable Audits”?
Does the solution reconcile logical and physical access?
Does the solution allow preventive compliance whenever a user is changed?
Does the solution allow you to capture separation-of-duties conflicts?
Does the solution capture policy exceptions and revoke them on expiration?
Does the solution allow audit policies to be imported from a spreadsheet or file formats?
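Several Identity Audit questions fit together: dormant-account detection across managed platforms, audit rules that are cross-platform, policies imported from a spreadsheet, exceptions that are revoked on expiration, and automated remediation ("Actionable Audits"). As an added example, not from the guide or from any Sun product, the block below loads dormancy rules and approved exceptions from CSV text, scans an account inventory as of a given date, suppresses findings covered by an unexpired exception, and emits the remediation action each rule prescribes. The rules, exceptions, platforms and accounts are constructed sample data.

```python
import csv
import io
from datetime import date

# Constructed audit policies in the shape a spreadsheet export would have. Scope
# "privileged" limits a rule to admin accounts; "any" applies it to every account.
POLICY_CSV = """rule_id,kind,scope,max_idle_days,action
DORM-STD,dormant,any,90,alert
DORM-PRIV,dormant,privileged,30,disable
"""

# Constructed approved exceptions: each suppresses one rule for one account until it
# expires, after which it is revoked and the finding surfaces again.
EXCEPTIONS_CSV = """account,platform,rule_id,expires
svc_batch,unix,DORM-STD,2009-12-31
jdoe_adm,ad,DORM-PRIV,2008-09-30
"""

# Constructed account inventory aggregated from two managed platforms.
ACCOUNTS = [
    {"account": "alice",       "platform": "ad",   "privileged": False, "last_login": "2008-09-20"},
    {"account": "bob",         "platform": "unix", "privileged": False, "last_login": "2008-05-01"},
    {"account": "svc_batch",   "platform": "unix", "privileged": False, "last_login": "2008-01-01"},
    {"account": "jdoe_adm",    "platform": "ad",   "privileged": True,  "last_login": "2008-08-15"},
    {"account": "root_backup", "platform": "unix", "privileged": True,  "last_login": "2008-06-01"},
]


def load_policies(text: str) -> list:
    return [{**row, "max_idle_days": int(row["max_idle_days"])}
            for row in csv.DictReader(io.StringIO(text))]


def load_exceptions(text: str) -> dict:
    """Map (account, platform, rule_id) -> expiry date."""
    return {(r["account"], r["platform"], r["rule_id"]): date.fromisoformat(r["expires"])
            for r in csv.DictReader(io.StringIO(text))}


def in_scope(rule: dict, acct: dict) -> bool:
    return rule["scope"] == "any" or (rule["scope"] == "privileged" and acct["privileged"])


def run_audit(as_of: date, accounts: list, policies: list, exceptions: dict) -> dict:
    """Evaluate every rule against every account; return the remediation actions and
    the exceptions found expired during this run."""
    revoked = sorted(key for key, exp in exceptions.items() if exp < as_of)
    active = {key for key, exp in exceptions.items() if exp >= as_of}
    actions = []
    for acct in accounts:
        idle_days = (as_of - date.fromisoformat(acct["last_login"])).days
        for rule in policies:
            if rule["kind"] != "dormant" or not in_scope(rule, acct):
                continue
            if idle_days <= rule["max_idle_days"]:
                continue
            key = (acct["account"], acct["platform"], rule["rule_id"])
            if key in active:
                continue        # documented, unexpired exception: no action taken
            actions.append(key + (rule["action"],))
    return {"actions": sorted(actions), "revoked_exceptions": revoked}


def run_demo() -> dict:
    return run_audit(date(2008, 10, 1), ACCOUNTS, load_policies(POLICY_CSV),
                     load_exceptions(EXCEPTIONS_CSV))


if __name__ == "__main__":
    result = run_demo()
    for account, platform, rule_id, action in result["actions"]:
        print(f"{action:8} {platform}/{account} ({rule_id})")
    print("revoked exceptions:", result["revoked_exceptions"])
```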
ROLE MANAGEMENT YES NO
Does the solution allow access to be assigned based on a user’s business roles?
Does the solution allow approving managers to attest to access described in terms of a user’s business roles?
Does the solution provide role mining and role definition capabilities?
Can the solution derive business roles from users’ existing entitlements?
Can end users request optional entitlements or access based on their business roles?
Can users be deprovisioned from systems and applications by removing the appropriate business roles?
Can rules be defined that allow automatic role assignments based on the assignment of another role?
Does the solution provide the ability to easily see who has access to what, described in terms that a business user can understand?
Does the solution provide a glossary that defines which entitlements and access are associated with a particular business role?
Does the solution provide the ability to manage the entire lifecycle of a role?
Does the solution allow run-time enforcement of identity-based controls that are easily understood by the average business user?
Does the solution provide seamless integration between the processes for provisioning, auditing, and role management?
ACCESS MANAGEMENT YES NO
Does the solution include federation and support for open standards?
Does the solution provide off-the-shelf agents for Web servers/app servers, Web apps, and portals at no additional cost?
Is the solution based on the J2EE architecture for high levels of scalability, integration, and customization?
Does the solution provide centralized security policy enforcement of user entitlements by leveraging role- and rule-based access control?
Does the solution provide high availability and failover capabilities to eliminate any single point of failure?
Does the solution use multiple load-balanced policy servers, policy agents, and directory instances to do so?
Does the solution provide up-to-the-minute auditing of all authentication attempts, authorizations, and changes made to access activity and privileges?
Is the solution able to offer true single sign-on (SSO) in Microsoft Windows environments beginning with the sign-on event at a Windows user’s desktop?
Does the solution allow enterprise applications and platforms to integrate into the centralized authentication/authorization framework seamlessly?
Does the solution integrate easily with other SSO products?
Does the solution require a specific directory be used as the repository? Is that directory ubiquitous?
Can the solution integrate with applications without requiring products to speak the same protocol?
Does the solution include at no additional cost a Security Token Service to monitor and enable Web services security?
Does the solution include access management, federation, and Web services security?
Does the solution embed a directory to manage policy and configuration, or do you have to purchase a separate directory?
Does the solution provide access to critical identity services via a Web services interface?
Does the solution provide unlimited partner connections?
Does the solution require that partners have a federation solution to establish a federated relationship?
Does the solution provide a way to test the connection to federated partners to reduce the cost of support calls with partners?
FEDERATION SERVICES YES NO
Has the solution been proven to be interoperable with other products based on SAML?
Has the solution been certified as “Liberty Interoperable”?
Does the solution support the latest specifications (ID-FF 1.2, ID-WSF)?
Does the solution enable you to deploy standards-based Liberty Web services?
Does the solution allow partners to enable federation and manage their own user information?
Do you need to limit sharing of identity and attributes to partners on a need-to-know basis?
DIRECTORY SERVICES YES NO
Is the solution a complete directory service solution (e.g., also includes directory proxy, distribution and virtualization capabilities, synchronization with Microsoft Active Directory, and Web-based access to directory data)?
Does the solution provide proxy services for high availability, load balancing, enhanced security, and client interoperability?
Does the solution provide Microsoft Active Directory synchronization?
Does the solution provide a Web-based viewer/editor for the directory data?
Does the solution provide a set of tools to tune and optimize directory service deployments?
Does the solution provide a comprehensive Web-based administration framework for the service?
Does the solution provide a white pages-like application?
LDAP DIRECTORY SERVICES YES NO
Does the solution install easily?
Does the solution allow bulk loading?
If you answered yes to the previous question:
Can the solution load more than 1,000 entries per second?
Does the solution’s bulk load ensure data conformance and schema compliance?