Choosing new software is never easy. Coming up with selection criteria means that you need to understand your company’s needs and strengths. What questions should you ask to determine which identity governance tool is right for you?
Today I’ll focus on on-premise identity governance software provided by our two partners, SailPoint (IdentityIQ, or IIQ) and Oracle (OIM). However, these questions can be asked of any identity governance software you’re reviewing.
At a whitepaper level of detail, both tools provide nearly identical capabilities. Each does a great job of automatically provisioning/deprovisioning access, implementing role-based access control, and allowing certification of that access. So how do you dive a little deeper to find the differences?
Consider your current business processes and how they might differ from the out-of-the-box (OOTB) capabilities of the tool. If you have a general feeling that your process may not quite fit, you’ll likely need to do some customization. Literally every company requires this to some extent, so don’t feel like your particular business processes inherently put you in a unique or difficult position. The questions become: how much customization do you need, does the tool allow you to do it, and how difficult is it to accomplish?
Naturally, these questions are difficult to answer until you thoroughly understand your needs. Zirous recommends performing an assessment before you even begin your software search. We provide the Catalyst program to help you accomplish this goal. It also helps refine what business processes need to stay as-is and which would make more sense to change. We recommend that you adapt business processes to OOTB workflows as much as possible in order to implement more quickly, reduce ongoing maintenance, and make future upgrades easier.
OIM is geared toward large enterprises that require complete flexibility to adapt to their business processes. Its ability to adapt to your needs is usually only limited by your imagination. One of our favorite sayings is, “We can make it order pizza for you, if you want.”
IdentityIQ also has extensive customization capabilities, but they tend to be a bit more structured. For example, there is a single entry point for a particular event. From there, starting multiple tasks requires you to programmatically kick off other code. In contrast, OIM allows an arbitrary number of custom tasks to dynamically kick off from a single event. It may also require some tedious boilerplate code to accomplish certain goals.
Generally speaking, anything you can do in one tool you can probably find a way to do in the other. But overall, Oracle has an edge in customization capabilities.
Configuration vs. Customization
This may seem similar to the last section, but there’s a distinction. Software can be highly customizable without being very configurable. Zirous generally defines “configuration” as changes you can make to how the software behaves without requiring code changes.
IdentityIQ tends to provide more configurable options. There are dozens of checkboxes on some jobs. IIQ also provides the Accelerator Pack, which is a combination of UI wizards and backend workflows that allows clients to implement common processes without developing it themselves. These processes were developed by SailPoint engineers who saw the same customizations being implemented time and again across clients.
While understanding all the SailPoint configuration options may seem daunting, it also means that with a little bit of research, you can likely get it to do what you need without having to develop it yourself.
In contrast, OIM tends to provide only the most basic out-of-the-box workflows, approval processes, etc., and leaves it to the implementor to customize the software to get it to work exactly as desired.
As with most software, OIM’s approach gives more control. IIQ’s approach lets you get more done quickly, but gives up a level of control over how it might be done.
Technology Learning Curve
Oracle has combined several “best of breed” technologies into the OIM stack to accomplish various goals. Cosmetic UI customizations are accomplished through simple configuration in sandboxes. ADF is used for complex UI customizations. SOA is used for approval, manual fulfillment, and certification workflows. Java and XML are used throughout the stack. And it all runs on a heavy enterprise application server, WebLogic.
OIM requires you to use JDeveloper for ADF and SOA development. If you prefer to use another tool such as Eclipse for Java development, you’ll need multiple IDEs. In addition, some customization requires Design Console, which is a Java-based desktop GUI that runs outside of the other OIM web-based user interfaces.
Understanding the entire OIM stack tends to be a steep learning curve. In the short term, it may not be possible to have a jack-of-all-trades on your team who understands how to do everything. Supporting OIM may be broken up into several specialized roles fulfilled by different people until enough cross-training occurs.
SailPoint’s technology footprint tends to be smaller. It runs on lighter-weight application servers such as Tomcat. It all runs as a single application rather than the separate deployments used for OIM + SOA. Some customizations are developed in Beanshell, which is very similar to Java. Workflow design takes place natively within the UI. The ability to edit the UI and various configuration options just requires a knowledge of how to view and edit XML.
Utilities for migrating customizations and configuration tend to be more consolidated, consistent, and scriptable with SailPoint.
Other Software Considerations
Sometimes the target systems you will connect to will influence your software choice.
Both OIM and IIQ have a variety of connectors. These connectors provide the ability to interact with target systems without requiring you to do all of the development. Check if there is a connector available for your system. If not, it may still be possible to interact with that system using a “generic” connector such as flat file transfers. Or you can choose to write your own custom connector from scratch.
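To make the “generic connector” idea concrete, here is an added example (not code from this post, SailPoint, or Oracle) of the work a flat-file reconciliation does: it parses a constructed CSV export from a target system, compares it against an authoritative identity list, and produces the provisioning and deprovisioning actions a governance tool would then carry out. The column names, the identity records, and the `reconcile` function are all assumptions made for illustration.

```python
import csv
import io
from dataclasses import dataclass, field

# Constructed sample export from a hypothetical target system, delivered as a flat file.
# One row per account; groups are semicolon-separated.
TARGET_EXPORT = """username,email,groups,status
jdoe,jdoe@example.com,finance;reporting,active
asmith,asmith@example.com,hr,active
ghost01,ghost01@example.com,admins,active
bwayne,bwayne@example.com,finance,active
"""

# Constructed authoritative identity list (what an HR feed would supply), keyed by
# username. "entitled_groups" is what the identity's role entitles it to on this target.
IDENTITIES = {
    "jdoe":   {"status": "active",     "entitled_groups": {"finance", "reporting"}},
    "asmith": {"status": "active",     "entitled_groups": {"hr", "payroll"}},
    "bwayne": {"status": "terminated", "entitled_groups": set()},
    "ckent":  {"status": "active",     "entitled_groups": {"reporting"}},
}


@dataclass
class ReconciliationResult:
    orphan_accounts: list = field(default_factory=list)  # account exists, no matching identity
    to_disable: list = field(default_factory=list)       # identity terminated, account still active
    to_create: dict = field(default_factory=dict)        # identity has no account yet -> groups to grant
    to_grant: dict = field(default_factory=dict)         # username -> entitled groups not yet held
    to_revoke: dict = field(default_factory=dict)        # username -> groups held but not entitled


def parse_export(text):
    """Parse the CSV export into {username: {"groups": set, "status": str}}."""
    accounts = {}
    for row in csv.DictReader(io.StringIO(text)):
        groups = {g.strip() for g in row["groups"].split(";") if g.strip()}
        accounts[row["username"]] = {"groups": groups, "status": row["status"]}
    return accounts


def reconcile(export_text, identities):
    """Compare target accounts with the identity store and list required actions.

    Orphans (accounts with no identity) and terminated-but-active accounts are the
    findings an access certification would flag; the grant/revoke lists are what
    automated provisioning would apply to bring the target in line with roles.
    """
    accounts = parse_export(export_text)
    result = ReconciliationResult()

    for username, acct in accounts.items():
        ident = identities.get(username)
        if ident is None:
            result.orphan_accounts.append(username)
            continue
        if ident["status"] != "active" and acct["status"] == "active":
            result.to_disable.append(username)
            continue
        missing = ident["entitled_groups"] - acct["groups"]
        extra = acct["groups"] - ident["entitled_groups"]
        if missing:
            result.to_grant[username] = sorted(missing)
        if extra:
            result.to_revoke[username] = sorted(extra)

    # Active identities with no account at all need a new account provisioned.
    for username, ident in identities.items():
        if username not in accounts and ident["status"] == "active":
            result.to_create[username] = sorted(ident["entitled_groups"])

    return result


if __name__ == "__main__":
    print(reconcile(TARGET_EXPORT, IDENTITIES))
```

Whether you buy a connector or write one, this diff between “what the target has” and “what the identity store says it should have” is the core of what a connector feeds back to the governance tool; the orphan and terminated-but-active lists are the ones worth watching most closely, since they are the accounts no current identity is accountable for.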
Another consideration is whether the target system itself has any particular technology requirements. For example, many of our clients use Oracle EBS. Single sign-on with EBS is only certified with Oracle Access Manager (OAM) using OID or OUD as the LDAP. This could influence an identity governance implementation, as you may desire an OIM-OAM-OID integrated environment. It may be possible to accomplish the same goal with IIQ, Okta (for example), and OID, but it’s not certified by Oracle. You have to decide how important that certification is to you, or whether you want to use OAM for one part of your environment and another SSO provider for the rest.
In the end, you have to decide which of your company’s needs are most important. Zirous can help you navigate those decisions. We specialize in understanding your current state and how to make the best choices for new business processes. Then we turn those process choices into technology decisions. Just because your current processes seem to be very custom doesn’t mean they have to stay that way. Let us help!