Educause Security Discussion mailing list archives
Re: Which IAM solution do you recommend?
From: "Brautigam, Keith Adam" <kab65 () PSU EDU>
Date: Mon, 20 May 2019 14:44:27 +0000
When looking at Gartner, be sure to distinguish between “Access Management” and “Identity Governance and Administration (IGA)” solutions. The former are geared towards Web SSO, which includes just-in-time provisioning and real-time access management decisions (geographic location, etc.). The latter are systems intended to manage the identity lifecycle. That includes data synchronization between systems and admin-time access management (i.e. role assignment based on R/ABAC policies and then provisioning accounts and roles to target systems independent of the person accessing those services). Gartner has a separate evaluation for each category, so there are two different Magic Quadrants. That’s why you see some companies like SailPoint touting a partnership with Okta in order to provide a complete solution.

At Penn State we are moving from a home-grown "identity management system" to SailPoint for IGA. For “Access Management” / Web SSO we are using Shibboleth with OpenLDAP groups for authorization to various services. We’re very interested in Azure AD’s capabilities in that space, but, like Okta, Azure AD doesn’t support multilateral federations like InCommon. Instead, they pre-built bilateral federations with each vendor and then make it easy for you to enable them.

Keith

On May 10, 2019, at 4:52 PM, Bill Thompson <thompsow () LAFAYETTE EDU> wrote:

> Jared,
>
> Lafayette is a small liberal arts college with about 2700 students. Our IAM infrastructure is based on the Internet2 Trusted Access Platform (was TIER). It looks something like this:
>
> * WebSSO, Federation, MFA - CAS, Shibboleth, Duo
> * Enterprise Access Policy/Group Management - Grouper
> * Sponsored Accounts Management - COmanage
> * Enterprise Directory - OpenLDAP
> * Password Management, Lafayette Account Lifecycle - custom
> * Application Account/Authorization Provisioning - custom, driven by Grouper policy
> * InCommon Certificate Service
> * eduroam
>
> We have support contracts with Unicon, Spherical Cow, and the Shib Consortium. They have helped us with installations, upgrades, support, etc.
>
> We're planning on moving all of this to AWS in the next 8-12 months. I suspect that over time we'll have templates for running most of this in AWS, and that it will start to feel more like a SaaS type of deployment. Unicon will already host many of these components for you in AWS.
>
> Best,
> Bill
>
> On Fri, May 10, 2019 at 12:34 PM AIS <ais () reinhardt edu> wrote:
>
>> I agree with Brad. In my recent review of Okta, I came to the same conclusion. I don’t see Internet2 on the Gartner MQ ;) Companies pay a lot of money to Gartner to win their favor. This doesn’t make them the best option for higher ed identity and access management use cases or affordable enough to meet the need of our budget.
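The split Keith draws between IGA (admin-time role assignment and provisioning to target systems) and Access Management (real-time, per-request decisions such as location checks) is easy to blur in practice. The following is an added illustration, not code from any of the posters or from SailPoint, Okta, Shibboleth or Grouper. The attribute names, roles, target systems and identity records are all constructed for the example; the point it shows is that the IGA side computes a desired entitlement state from attributes and reconciles target systems against it (including revocations), while the access-management side only decides whether this request, with this context, may proceed.

```python
"""Added illustration of the IGA vs. access-management split.

IGA side: identity attributes -> roles (R/ABAC rules) -> desired entitlements
on target systems, reconciled against what those systems currently hold.
Access-management side: a separate per-request decision that combines the
provisioned entitlement with runtime context (MFA, request location).
All rule names, roles, systems and sample records are constructed.
"""

# Hypothetical admin-time ABAC rules: predicate over identity attributes -> role.
# These run when the identity record changes (hire, enrolment, separation),
# not at login time.
ROLE_RULES = {
    "student": lambda p: "student" in p["affiliations"] and p["status"] == "active",
    "faculty": lambda p: "faculty" in p["affiliations"] and p["status"] == "active",
    "hr-staff": lambda p: p["department"] == "HR" and p["status"] == "active",
}

# Hypothetical role -> {(target system, entitlement)} mapping.
ROLE_ENTITLEMENTS = {
    "student": {("lms", "learner"), ("email", "mailbox")},
    "faculty": {("lms", "instructor"), ("email", "mailbox"), ("vpn", "user")},
    "hr-staff": {("hris", "editor"), ("email", "mailbox"), ("vpn", "user")},
}


def assign_roles(person):
    """IGA: admin-time role assignment from attributes."""
    return {role for role, rule in ROLE_RULES.items() if rule(person)}


def desired_entitlements(person):
    """IGA: the full set of (system, entitlement) pairs the person should hold."""
    ents = set()
    for role in assign_roles(person):
        ents |= ROLE_ENTITLEMENTS[role]
    return ents


def reconcile(person, current):
    """IGA: diff desired state against what target systems currently hold.

    Returns (grant, revoke). The revoke set is what a lifecycle process must
    act on when someone changes department or leaves; a login-time system
    never sees an account that simply stops being used.
    """
    desired = desired_entitlements(person)
    return desired - current, current - desired


# Hypothetical runtime policy for the access-management side.
ALLOWED_COUNTRIES = {"US"}


def access_decision(entitlements, system, required, context):
    """Access management: per-request decision using provisioned state
    plus runtime context. Returns (allowed, reason)."""
    if (system, required) not in entitlements:
        return False, "not provisioned"
    if not context.get("mfa"):
        return False, "mfa required"
    if context.get("country") not in ALLOWED_COUNTRIES:
        return False, "location blocked"
    return True, "ok"


# Constructed sample identity records.
ALICE = {"affiliations": ["faculty"], "department": "Physics", "status": "active"}
BOB = {"affiliations": ["student"], "department": "", "status": "inactive"}

if __name__ == "__main__":
    # Alice still holds a stale HRIS entitlement from a previous department.
    alice_current = {("lms", "instructor"), ("email", "mailbox"),
                     ("vpn", "user"), ("hris", "editor")}
    print("alice grant/revoke:", reconcile(ALICE, alice_current))
    print("bob grant/revoke:", reconcile(BOB, {("email", "mailbox")}))
    ents = desired_entitlements(ALICE)
    print(access_decision(ents, "vpn", "user", {"mfa": True, "country": "US"}))
    print(access_decision(ents, "vpn", "user", {"mfa": True, "country": "RU"}))
    print(access_decision(ents, "hris", "editor", {"mfa": True, "country": "US"}))
```

Running it shows the two kinds of decision side by side: reconciliation flags Alice's stale HRIS entitlement for revocation and strips Bob's mailbox once he is inactive, while the runtime check allows Alice's VPN request from an allowed country, blocks the same request from elsewhere, and refuses HRIS access that was never provisioned regardless of context.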
Current thread:
- Re: Which IAM solution do you recommend?, (continued)
- Re: Which IAM solution do you recommend? Thomas Dugas (May 08)
- Re: Which IAM solution do you recommend? Mahmud Rahman (May 08)
- Re: Which IAM solution do you recommend? Miguel Angel Gonzalez de la Torre (May 08)
- Re: Which IAM solution do you recommend? AIS (May 08)
- Re: Which IAM solution do you recommend? Mahmud Rahman (May 08)
- Re: Which IAM solution do you recommend? Francisco Chavez (May 09)
- Re: Which IAM solution do you recommend? Leah Lang (May 09)
- Re: Which IAM solution do you recommend? David Eilken (May 09)
- Re: Which IAM solution do you recommend? Brad Judy (May 10)
- Re: Which IAM solution do you recommend? AIS (May 10)
- Re: Which IAM solution do you recommend? Bill Thompson (May 10)
- Re: Which IAM solution do you recommend? Brautigam, Keith Adam (May 20)
- Re: Which IAM solution do you recommend? David Eilken (May 09)
- Re: Which IAM solution do you recommend? Thomas Dugas (May 08)