Product Group Tests

Identity management (2008)

Group Summary

Novell Identity Manager 3.5 is our hands-down choice for large and growing mid-sized organisations. For functionality, ease of use and overall support we rate it our Best Buy.

Our Recommended product is Courion Enterprise Provisioning Suite, which stood out for its ease of use and excellent pricing.

Scroll To Full Group Summary Below

Click for a side by side comparison of products
Click for a side by side comparison of products

Full Group Summary

Personal identity verification systems may be gaining momentum, but it's not always easy to define what falls within this category, as Peter Stephenson discovers.

It can be a nightmare figuring out what identity management really means in the context of product selection. We looked at several products that presented themselves as candidates and found that they did not fit our concept of what identity management is.

The bottom line is that the immature level of the genre has spawned many products that address a piece of what may be loosely interpreted as identity management. One US standard (FIPS 201) defines a personal identity verification system as having three subsystems: the front-end; the card issuing and management; and the access control. The front-end includes those components that accept identity input. These could be a card system, a biometric system or any other way of providing unique individual identities.

The card issuing subsystem is just what it sounds like, but we may extend that to mean provisioning. This goes beyond cards to include any identity credential. We use the term "credential" here to mean any card, biometric, password or phrase, or PIN used to identify a subject. Finally, the access-control subsystem includes all of those things that authorised users can access and the means to control that access and authorisation.

If we stick to this definition, all the products we examined fit the description in some manner. However, we set a features benchmark to include at least one component from each of the standard's subsystems. That means we were looking for some manner of assigning unique identity credentials (the product did not need to supply the credentials), a method of provisioning and a method of binding identities to objects to which the identified subject might require access. In order to score more than three stars for features the product needed to meet our benchmark.

We also found that many of these systems are complicated to deploy, especially when they contain many modules and can address enterprises of different sizes. Once deployed, however, they tended to fulfill their promises of providing a greatly simplified method of managing personal identities and the objects to which they are bound. This begs the question of who needs identity management.

Most vendors believe that just about any size enterprise can benefit from their products. In that regard, at least for now, we beg to differ. Identity management must address a particular challenge. That may be size, special applications, high-security requirements, geographic disbursement of the organisation or some other particular needs. However, identity management for the sake of it does not fit our concept of when to apply the products.

That said, we are probably headed for a time when, in order to do away with static passwords, we will all want some form of identity management system. In that regard, we saw some products that are moving in that direction. These products are more than identity management products, they build that capacity into an overall workflow management system.

The real benefit of these systems is that they regularize the process of assigning, managing and auditing access. They are, in effect, full user management systems. They assign identities, provision users, bind users to objects, provide automated workflow for binding subjects and objects, audit user actions globally and, generally, simplify the management of user accounts without sacrificing security, auditability and compliance. Most important, perhaps, is that they are extensible. and can be deployed effectively in enterprises of almost any size.

How we evaluated
Because the products we saw covered a broad range of capabilities, we judged on two levels. First, we wanted to see if the product met our minimum benchmark of providing each of the subsystems called for by the standard mentioned earlier. Those that did could do better than three stars in the features category, but those that failed to were not limited in any other way.

Second, products that met only part of our benchmark were evaluated on those functions that they did provide. We evaluated them individually and, although they may have lacked features according to our benchmark, they may have been extremely competent in their own context. We did not, as is always the case in our review process, compare products. Each product was rated on its own merits.

- For details on how we test and score products, visit

All Products In This Group Test