Sun Java System Identity Manager 5.5 - InfoWorld Test Report

We didn't see much whizbang innovation in Sun Java System Identity Manager 5.5, but we did find a level of reliability and maturity that's rare for this segment. Sun's entire identity management suite consists of Access Manager, Directory Server Enterprise Edition, Federation Manager, Identity Auditor, Identity Manager, and Identity Manager Service Provider Edition. Our test required only Identity Manager, Identity Auditor, a MySQL database used as the VIM (Virtual ID Manager) repository, and pieces of Access Manager for SSO. 

Unlike the solutions we've discussed thus far, Sun's is completely agentless. Its technology takes full responsibility for monitoring and interacting with existing directory servers and applications without the need to deploy agents. For certain technologies, such as AD or Novell's directory, Sun deploys a black-box-style software gateway for data translation, but this is not an agent, nor does it require changes to target systems in order to function.

In practice, this looked very slick. To configure all our test resources, rules, users, and everything else, Sun dumped its Smart Forms technology into a Web-based, wizard-driven configuration tool that maintained the look and feel of our TCPIP intranet. You still need to know what you're doing; several times during our test things didn't work properly because the Sun marketing engineer missed a few system settings, requiring a local Sun engineer to intervene. But if you know what to feed the system, Smart Forms really speed things along.

The first step in a Sun Identity Manager implementation is to populate the VIM that drives the rest of the system. The TCPIP AD migration to the VIM took some configuration time on Sun's part, but it ran properly the first time. After this had been completed, publishing white pages was easy.

Subsequent testing ran smoothly for the most part, beginning with hiring Harry. Sun Identity Manager enabled an ActiveSync feature -- running on a separate Tomcat server -- that acts as a listener on any target app. As soon as Harry was entered in e-HRMS, ActiveSync saw the changes and propagated them to the VIM and all appropriate systems. By keying specific e-HRMS data fields -- home phone number, Social Security number, date of birth -- to specific data values back in the metadirectory, Sun's solution allowed for easy matching through the Smart Forms interface to the same fields in other systems such as AD. This is also where we saw some pieces of Access Manager, as this product was required to manage Harry's SSO features.

Sun Identity Manager also handled the optional workflow approval process -- PC request, phone extension request, and so on -- based on Harry's hiring, prompting our Exchange server to generate an e-mail notification to the relevant approvers. After the approvers have received their e-mails, they log in to Identity Manager and manage the approval process from there. 

Closed systems, such as Courion's and Thor's, also worked their approvals within a Web application interface, relying on e-mails only as alerts. Novell's and Sun's solutions can work either way.

After TCPIP purchased Fergenschmeir, Sun Identity Manager was capable of managing the AD migration without requiring any use of Microsoft's AD tools. Instead, Sun configured an Identity Manager user ID and then kicked off the Fergenschmeir system discovery. This proceeded with a couple of hiccups because Fergenschmeir's tree was protecting administration and similar accounts from being migrated.

Once that had been tweaked, all the Fergenschmeir information was translated into the VIM and then dropped into TCPIP's AD tree. The sexy thing is that, after discovery, the whole migration process worked like a big wizard. All told, Sun Identity Manager had little trouble connecting to our disparate systems, and our extra-credit Notes and z/OS integrations posed no trouble at all.