The most valuable feature is that it takes a lot of the logic for authentication and authorization out of the hands of your application and moves it into a centralized framework. Once we have our authentication and authorization policies set, they are easy to duplicate across all our applications instead of trying to develop them into each application individually. That’s where we probably see the most benefit or the most cost savings for our organization.
Improvements to My Organization
It has reduced developer costs; we get some of that back. Before, when we used a tool that was engineered in-house, it still required a lot of developer resources. Every time we created a new application, it needed to integrate into our in-house solution.
As we are now moving away from that, this product gives us the ability to have single sign-on zones expand outside of even what was normally our in-house product, to now use things like federation and SAML to carry out single sign-on, to things that might not even use the single sign-on solution from CA.
Increased single sign-on zones and then saving on developer time/costs are the biggest benefits.
Room for Improvement
One thing that we found a little difficult was the default functionality to understand error messages coming back from a directory. You had to either use an add-on product or an advanced password service, or perhaps change components within your directory, just to understand a simple message about whether a password has expired or was incorrect.
Since then we have bought an additional SM Walker product, which is a third-party solution to resolve this issue. However, it would be nice if that aspect of the solution was a default functionality within this tool itself, and not something that you had to purchase as an add-on feature.
It has been good, after the initial first year or two that we purchased this product. When we first started out, we had some implementation issues; maybe it was not configured correctly and that caused us some problems.
Once we figured out those issues, it has been very stable since then.
Once we were familiar with the product, we haven't had any problems with its scaling. We had to figure out the factors that need to be increased so that we can scale up and also elements to look for as far as performance is concerned. We continue to use it more and more, along with an increasing number of applications being brought over.
Customer Service and Technical Support
We have used technical support quite a bit. Once we get connected to someone who understands the issue and can explain the necessary solution to us, it has been very good. For us, getting to that person or to the second level of support is time consuming. We have to jump through a lot of the same hoops in order to get to that person. The initial first level support is not as great, however once we get to that second level, we usually get back meaningful solutions that help us out.
Initially we didn't find the need to invest in building ourselves. We had an in-house product that we had developed and as time passed by, there were some security holes that can be found in any existing product. It wasn't cost effective for us to maintain it. Hence, the decision to purchase a third-party software like CA Single Sign-On/Shibboleth/CAS made a lot more sense as the expense incurred for purchasing any of these products was much less than for us to create or develop our own in-house solution.
Basically, it did not make a lot of sense to try and reinvent the wheel when nothing unique was needed for our organization. It was just more logical to buy another tool versus using an in-house product.
With the default set up, there is always a limitation on the number of connections that you can have under your policy servers. We didn't know this and it wasn't something that we were informed of, during implementation. As a result, as soon as we hit the maximum limit we started experiencing issues. It probably took us about a month to figure out the solution, which ended up being rather simple but that was a big bump in the road for us and hurt us in the initial stages itself.
During implementation, make sure to verify the tuning guide. We had a transition with our implementation person, who was changed in the middle of the process. In our case, factors such as maintenance and performance tuning were skipped over. We didn't really get to those aspects until we were live in production and then needed to work out some of these issues. Thus, don't underestimate such a situation, because when you experience such issues your customers are also going through them, and at that point it is public.
Mostly, our experience with this product has been good. There are areas that we think could be improved but mostly, we are happy with it.
The 2 other systems that were seriously considered were Shibboleth and CAS. One of the main reasons why we decided to purchase this product was the authorization functionality that exists in CA SSO. It was more suitable for a lot of our products, as we could save time in the development aspect. I am not sure if any such functionality existed at that level or complexity in either Shibboleth or CAS. Thus, for us this was a major selling point.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Dec 06 2016