What tools exist for identity management w/ Active Directory?

Question

What products do you use to manage identity propagation in your environment?

For example, Joe gets hired at the company. HR inputs Joe's profile in the HR employee management application. A ticket is passed to IT to manually create Joe's Active Directory account, add a bunch of user groups for his job role. They will also manually create Joe's accounts in other disparate systems that don't authenticate with Active Directory. By the time Joe gets all his access, he's already wasted a week on company time twiddling his thumbs and surfing the webs.

Then one day, they found pr0n on Joe's PC, dated back to his first week on the job, and so they showed him the door. Now, all the same people have to repeat the work to undo Joe's access in all the systems he had access to.

The same process also repeats if someone changes job roles, such as to another department.

What I'm looking for is a tool designed for sysadmins to manage user accounts such that changes like these can be fully automated once they're changed in the master database (HR application, in this example).

I'm aware of Microsoft's ILM 2007, and its predecessor MIIS. I find these products poorly documented, entirely too difficult to manage, and I've found almost no support online.

What products might meet this criteria?

Answer 1

Wikipedia entry on Novell Identity Manager has several suggestions. http://en.wikipedia.org/wiki/Novell_Identity_Manager

Answer 2

I work as a consultant doing Identity Management implementations.

There are a number of products out there. Oracle, Sun, IBM, Courion, Novell all make Identity Management products.

It always looks like an easy idea at the time, and each vendor makes it seem easy, but the back end business processes make it much harder than it ought to be. I.e. There is no such thing as a default install. Every body requires some silly customizations.

As for MS ILM, they have delayed ILM 2 till some time in 2010 now, and the version I did training on back in December was pretty darn weak at the time.

I primarily use Novell Identity Manager for customers, and we find it very effective. Others who do Oracle or Sun products usually feel and say the same thing.

You should identify what connected systems you want to link. (I.e. What is your HR program? Active Directory, and anything else? Any other systems store Identity?) Then with a list of the systems you want to connect you can look at products to see how well they handle them.

Answer 3

I know there are many IM products out there, but I can only spare my experience. I've been implementing Oracle's IM solutions, including Oracle Internet Directory, Oracle Single Sign On and so forth. These products are well integrated with MS Active Directory and of course they work well with Oracle's products and other 3rd party products, via special interfaces and APIs. The HR application we used was Oracle HR (part of Oracle Apps suite), so propagation of information was rather simple. Also, using some custom built code, the IM was integrated to the SharePoint portal.

Answer 4

Another good one is Hitachi ID Identity Manager. Hitachi ID is not a "platform vendor" so the integrations span lots of systems, without risk of "of course, it works better with our directory/database/app server/etc."

Identity synchronization is one of the use cases that works particularly well (read: limited scripting required).

I do work for them.