Courion Enterprise Provisioning Suite 7.20 - InfoWorld Test Report

Courion Enterprise Provisioning Suite 7.20 includes ProfileCourier, a user-profile store; PasswordCourier, a metapassword repository; and ComplianceCourier, a policy-control module aimed at tying the other modules together for managed security.

Courion was the only vendor to bring a full partner to the test, namely Citrix and its Citrix Password Manager. On the other hand, this allowed Courion to be the only vendor to demonstrate true SSO (single sign-on), in which global passwords were used to automate log-ins across all systems.

Installation of the Courion suite on our test network began with AccountCourier and Citrix Password Manager. Citrix created a complete log-in credential store across all installed applications and linked up with AccountCourier, which allows administrators to apply policies and rules to the whole.

In practice, users see none of this. We merely saw what turned out to be the most handsome intranet template in the whole review. Courion merely slapped a fake TCPIP Corp. logo on its pages and rolled on.

Courion also demonstrated a wizard-based user startup process -- which is lengthy but editable -- that records all required user information and creates or modifies that user's account. As soon as Harry answered all of these questions and defined his new password, the combination of Citrix and the Courion suite enabled that password for SSO across all of Harry's assigned resources -- desktop, e-mail, and webERP.

SSO happens quickly because Citrix's app is running as a Web service on a dedicated system in the domain. It receives an SPML (Service Provisioning Markup Language) request from the Courion suite -- regarding Harry's log-in credentials -- and responds to that request with the appropriate password. Citrix can be keyed to a directory for this purpose, to a database, or any combination. Some of the other solutions offer this basic functionality, but they're much more rigid about the resources their systems require to complete these tasks, such as directory servers or databases that must be used as credential repositories.

Many of the solutions managed the provisioning workflow process via a Web interface, using e-mail simply as a notifier -- "You've got an approval task waiting; please log in and take care of it." Courion's suite managed everything inside of e-mail with no need to log in to an underlying Web application. This type of integration isn't trivial, however, so expect some programming to take place in real life in order to achieve it.

Courion Enterprise Provisioning Server hit a snag when merging the Fergenschmeir and TCPIP directory information. The product certainly had the necessary tools, but Courion's engineers weren't able to solve a programming problem quickly enough to complete the migration in the time allotted. This served to illustrate one drawback of Courion's ultraflexible solution: complexity.

The suite also stumbled when Harry went bad. In this test, Harry creates an account in AD using a stolen admin password. Other solutions detected and disabled the unauthorized account immediately. Courion Enterprise Provisioning Suite took a more circuitous route to finding the problem: by running a reconciliation process against its directory store and listing policy violations in a report. Sure, you could run reconciliations fairly frequently, but there are system performance issues to consider. Finding Harry's rogue account in real life might take longer than you'd like using Courion's solution.

Overall, Courion Enterprise Provisioning Suite offers impressive flexibility and tight integration with existing infrastructure. Credential stores can be separate databases, existing directories, or combinations. Workflows can integrate with your applications directly using existing APIs.