Not Just Set and Forget
An IAM implementation involves more than buying the software and setting aside a few days to install it. It requires considerable planning and may demand consultants; we list some of the resource and identity-store information you'll need to gather in "Roll Out the Red Carpet,". All the products we tested scaled well for thousands of simultaneous users, and any will meet most enterprise needs. The major variables are the products' features and ease of use.
All the products are priced per user, and most require a minimum of 1,000 users. Per-user prices range from $20 to $50, but beware the hidden costs: All the vendors recommend consulting services. A global IAM consultant told us IAM implementation typically takes six months, and more than a year for large enterprises.
With the exception of Novell, which offers only a reverse-proxy mode, all the vendors provide both agent and proxy approaches. To implement agents, you typically install an ISAPI/NSAPI filter on each Web server that will be part of the IAM infrastructure. In the long run, an agent approach might require extra maintenance, but it will provide more granular control. On the other hand, a reverse proxy, which is placed between the client and the Web servers, requires no server modifications. It's a good choice for shops using a Web server for which the vendor doesn't offer a Web agent, such as older versions or unsupported platforms. In addition to required changes in the network configuration, performance could be a problem with a reverse proxy unless you use a redundant/load-balanced architecture, because all traffic must be routed through the proxy rather than distributed across many servers.
Our Impressions