Identity Management

Subject: Identity Management
Security Management Discussions
posted by RobBell on Friday, August 21st 2009 @ 11:25 AM

With all of the different SaaS applications that Kinaxis is deploying, the importance of an 'easy to use' and easy to administer Identity Management/SSO tool has increased recently. Does anyone have advice on the best approach to getting the right tool(s) to solve this problem?


CorbinLinks
Professional

Subject: RE: Identity Management
Security Management Discussions
posted by CorbinLinks on Saturday, August 22nd 2009 @ 12:07 PM

Hi RobBell,

A great question! Having been through this exercise with a number of clients, here is the advice I can share. (This is not an exhaustive list, only a compilation of basic steps.)

Identity Management Tool / Vendor Selection Process:

1) Ensure you have strong business requirements and use them as your guide. (Not technology, political, vendor viability analysis, etc.) Think business, not tools/technologies/vendors.

2) What applications, platforms, and technologies do you have in place today? Make a grid (spreadsheet or similar), and list out your existing applications, their hosting platforms, their architectural types (64-bit / 32-bit, .NET, PHP, etc.) If you like, private message me and I can send you a sample template.

--NOTE: Identity and Access Management applications are *very* particular in the Operating System, Application Server, and architecture versions they support.

3) Factor in any new applications you are evaluating. What do they require in the way of ports, protocols, and services?

4) Factor in your directory service(s) and user databases. Are your internal and external identities modeled correctly? If not, what will it take to get them there? Determine this *before* interviewing vendors and selecting tools.

5) What Identity Tools are interoperable? Which tools comply with the latest standards?

--More standards support = much easier to rip out and replace in the future if your organizational direction or business needs change.

6) Select tools that are fully "open" or at least "partially" open. For a custom SaaS portfolio, you will be doing a lot of customizations to match the requirements of your software, network infrastructure, OS platform, and user community.

Regarding "easy to use", there are two ways to look at that: "easy to integrate" on the back end, and "easy to use" on the front end (support/administrator user-facing). The best approach is to find the tools and platforms that most closely match #2 above. In general, the "easiest to use" will be the tool(s) that support the largest number of applications in your current and to-be portfolio.

In other words, the easiest thing to implement will be the tool(s) that support the broadest range of tools in your own SaaS portfolio. In my experience, organizations get way too caught up in the user interface. *Any* of the modern SSO and Identity Management tools can be customized endlessly on the front end. They all use some standard HTML-generating platform (JSP, ASP, PHP, etc.) which can be highly customized to suit end-user and administrator needs.

Hope this helps. I would be interested to see what you ultimately select as your vendor/tool/platform. Have a great weekend!

Best regards,
Corbin Links
Links Business Group LLC

________________________________

Corbin H. Links
Links Business Group LLC

ScottWright
Group Administrator

Subject: RE: Identity Management
Security Management Discussions
posted by ScottWright on Sunday, August 23rd 2009 @ 2:02 AM

Hi Rob and Corbin,

I'm really happy to see this kind of dialogue within the forums.

Just one thing I was wondering. From your question, Rob, are you referring to Identity Management solutions for your company's INTERNAL systems, or for your products/services to integrate with in the field?

I was originally thinking you might have been referring to solutions you are fielding that need to have SSO between them. But it could be that you are only dealing with internal systems.

Obviously, there will be a few other considerations in choosing a solution if it has to work in your customers' environments. I just wanted to see what target environments you are deploying to.

- Scott

________________________________
Scott Wright
The Streetwise Security Coach

Would your organization be interested in obtaining the right to use my lessons or articles in your enterprise security awareness program? Please email me at the address below...

Email: scott@streetwise-security-zone.com
Twitter: http://www.twitter.com/streetsec
Phone: 613-693-0997
Podcast: http://www.streetwise-security-zone.com/podcast.html

CorbinLinks
Professional

Subject: RE: Identity Management
Security Management Discussions
posted by CorbinLinks on Sunday, August 23rd 2009 @ 11:27 AM

Hi Scott,

Great points.

Rob - the selection criteria would be similar in these three scenarios:

  1. Integrating your own internal portfolio
  2. Integrating for other clients
  3. Integrating for a SaaS solution that you are reselling or otherwise offering for clients

For #1 and #2 above, the selection process will be identical (plus other factors as Scott mentions.)

For scenario #3, above, flexibility and openness (and of course license integration issues - BSD / GPL, CDDL, etc.) will be of interest. Then you can consider packaging a directory service with your SaaS offering (such as OpenLDAP or Microsoft's ADAM), and integrating an Open Source SSO solution such as:

  • CAS (http://www.jasig.org/cas)
  • JOSSO (http://www.josso.org)
  • OpenSSO (https://opensso.dev.java.net/)

Though I personally would not endorse one of the solutions above over the others without knowing your circumstances, I can say that many blue chip organizations have found OpenSSO a relatively easy-to-integrate solution, including in cloud SaaS deployments. I also personally know of several large financial services firms with very broad and complex portfolios that have extensive CAS deployments.

Hope this helps. Have a great weekend!

________________________________

Corbin H. Links
Links Business Group LLC

ScottWright
Group Administrator

Subject: RE: Identity Management
Security Management Discussions
posted by ScottWright on Sunday, August 23rd 2009 @ 9:43 PM

Thanks again Corbin.

I also did a study for a client a year or so ago on Identity Management and SSO in their own organization of several thousand users. While it was a short engagement, it did show some pretty attractive ROI potential in doing Digital Identity Access Management and Single Sign-on solutions, for productivity, in addition to enforcing consistent security policies.

________________________________
Scott Wright
The Streetwise Security Coach

Subject: RE: Identity Management
Security Management Discussions
posted by RobBell on Monday, August 24th 2009 @ 9:51 AM

Corbin and Scott,

Thanks for your very informative responses. I am responsible for both our corporate business systems and for providing the SaaS services to our own customers. I face this challenge on both fronts, but I'm digging into the corporate side first. Right now we are building a matrix of business systems and the SSO protocol(s) that they support. None of the provisioning exercises for these systems considered this capability, so I presume we'll be all over the map.

Once we have this side sorted out, we'll begin our research into what tools are available that meet our requirements on these fronts:

1. SSO protocols in use, and

2. A list of 'user stories' that describe the user-based requirements that we need to meet.

Fortunately, we have our Active Directory act together so I'm hopeful that this effort will generate beneficial results soon. I predict that the interesting decision we face will be around the simplicity/flexibility/maintainability continuum.

If others have experiences to share, I will eagerly read them.

bye, Rob
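Corbin's step 2 grid and the system/protocol matrix Rob is building can be turned into a simple scoring exercise: given each application's supported SSO protocols, rank candidate tools by how much of the portfolio they cover and flag systems no tool can federate with. This is an added example, not code from the thread; the application names, platforms, tool names and protocol lists are constructed sample values.

```python
"""Portfolio / SSO-protocol coverage matrix (added example, not from the thread).

Models the application grid from step 2 and the protocol matrix Rob describes,
then scores candidate SSO tools by the number of portfolio applications they can
federate with. All inventory data below is constructed, not a real environment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class App:
    name: str
    platform: str          # hosting platform / architecture column of the grid
    protocols: frozenset   # SSO protocols the app can speak (empty = none)


# Constructed sample inventory (hypothetical application names).
PORTFOLIO = [
    App("hr-portal", ".NET/IIS 64-bit", frozenset({"saml2"})),
    App("wiki", "PHP/Apache 32-bit", frozenset({"openid", "cas"})),
    App("crm-saas", "vendor-hosted", frozenset({"saml2", "ws-federation"})),
    App("legacy-timesheet", "classic ASP", frozenset()),  # no SSO support at all
]

# Constructed candidate tools and the protocols each supports (hypothetical).
TOOLS = {
    "tool-a": frozenset({"saml2", "ws-federation"}),
    "tool-b": frozenset({"saml2", "openid", "cas"}),
}


def coverage(tool_protocols, portfolio):
    """Return (covered app names, uncovered app names) for one tool, sorted."""
    covered = sorted(a.name for a in portfolio if a.protocols & tool_protocols)
    uncovered = sorted(a.name for a in portfolio if not (a.protocols & tool_protocols))
    return covered, uncovered


def rank_tools(tools, portfolio):
    """Rank by apps covered, then by standards breadth (step 5 tie-break), then name."""
    rows = []
    for name, protos in tools.items():
        covered, uncovered = coverage(protos, portfolio)
        rows.append((name, len(covered), len(protos), uncovered))
    return sorted(rows, key=lambda r: (-r[1], -r[2], r[0]))


def never_coverable(portfolio):
    """Apps with no SSO protocol: no tool covers them without app-side changes."""
    return sorted(a.name for a in portfolio if not a.protocols)


if __name__ == "__main__":
    for name, n, breadth, gaps in rank_tools(TOOLS, PORTFOLIO):
        print(f"{name}: covers {n}/{len(PORTFOLIO)} apps, {breadth} protocols, gaps={gaps}")
    print("needs app-side work:", never_coverable(PORTFOLIO))
```

The uncovered list per tool is the integration backlog Corbin warns about; the never_coverable list is what the grid surfaces before any vendor interview.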


RickLeir
Personal

Subject: RE: Identity Management
Security Management Discussions
posted by RickLeir on Saturday, January 2nd 2010 @ 5:41 AM

Hi Rob,

You will remember me from WebPlan days. I hope all is well with you!

A good resource is: http://en.wikipedia.org/wiki/OpenID

For your SaaS customers, I would recommend a system that does not rely on passwords, because client workstations are too easily compromised these days. Some smartcard solution might be justified.

For Microsoft's ADFS, here is a jumping-off point: http://technet.microsoft.com/en-us/library/cc262696.aspx

cheers -- Rick


Copyright 2012. Security Perspectives Inc. All Rights Reserved.