Educause Security Discussion mailing list archives

Re: Which IAM solution do you recommend?


From: "Brautigam, Keith Adam" <kab65 () PSU EDU>
Date: Mon, 20 May 2019 14:44:27 +0000

When looking at Gartner be sure to distinguish between “Access Management” and “Identity Governance Administration 
(IGA)” solutions.  The former are geared towards Web SSO, which includes just-in-time provisioning and real-time access 
management decisions (geographic location, etc.).  The latter are systems intended to manage the identity lifecycle.  
That includes data synchronization between systems and admin-time access management (i.e. role assignment based on 
R/ABAC policies and then provisioning accounts and roles to target systems independent of the person accessing those 
services).

Gartner has a separate evaluation for each category, so there are two different magic quadrants.  That’s why you see 
some companies like SailPoint touting a partnership with Okta in order to provide a complete solution.

At Penn State we are moving from a home-grown "identity management system" to SailPoint for IGA.  For “Access 
management” / Web SSO we are using Shibboleth with OpenLDAP groups for authorization to various services.  We’re very 
interested in Azure AD’s capabilities in that space, but like Okta, Azure AD doesn’t support multi-lateral 
federations like InCommon.  Instead, they pre-built bilateral federations with each vendor and then make it easy for 
you to enable them.

Keith

On May 10, 2019, at 4:52 PM, Bill Thompson <thompsow () LAFAYETTE EDU> wrote:

Jared,

Lafayette is a small liberal arts college with about 2700 students. Our IAM infrastructure is based on the Internet2 
Trusted Access Platform (was TIER). It looks something like this:
* WebSSO, Federation, MFA - CAS, Shibboleth, Duo
* Enterprise Access Policy/Group Management - Grouper
* Sponsored Accounts Management - CoManage
* Enterprise Directory - OpenLDAP
* Password Management, Lafayette Account Lifecycle - custom
* Application Account/Authorization Provisioning - custom, driven by Grouper policy
* InCommon Certificate Service
* eduroam

We have support contracts with Unicon, Spherical Cow, and the Shib Consortium. They have helped us with installations, 
upgrades, support, etc. We're planning on moving all of this to AWS in the next 8-12 months.  I suspect that over time 
we'll have templates for running most of this in AWS, and that it will start to feel more like a SaaS type of 
deployment. Unicon will already host many of these components for you in AWS.

Best,
Bill


On Fri, May 10, 2019 at 12:34 PM AIS <ais () reinhardt edu> wrote:
I agree with Brad. In my recent review of Okta, I came to the same conclusion.

I don’t see Internet2 on the GartnerMQ ;)
Companies pay a lot of money to Gartner to win their favor.

This doesn’t make them the best option for higher ed identity and access management use cases or to be affordable to 
meet the need of our budget.
