How has it helped my organization?
Allows users to use a single password across a set of multi-tenant application suites. This would have otherwise required 50-100 unique passwords per application. This allows the user to inject a centralized password (a.k.a. authentication service credential) with little ease and increased reliability. In turn, this removes the user element of the logon process, which is often the root cause of the invalid password attempts.
What is most valuable?
Single Sign-On functionality is valuable because the core purpose of the product is to allow universal (or bespoke) SSO for application suites. These are heavily customizable and can fully integrate with in-house provisioning systems.
What needs improvement?
The profiling element is incredibly robust, but equally complex; it requires an off-site course to be able to understand the context or the plethora of options available.
The majority of the "IMS profiles" we use are too dangerous to touch without multiple engineers having oversight of a change and an incredibly thorough change management system.
For clarity, an IMS Profile is the process flow that the SSO component uses to recognize application screens, windows and logon fields to be able to decide when to intercept and inject credentials into SSO managed applications.
What do I think about the stability of the solution?
There were endless issues with stability in version 8.0.1. There were issues with stability, anything from the IMS Services stopping on any of the IMS servers (the infrastructure servers responsible for allowing user connectivity to the back end which provides the user with their "wallet" at logon). These issues were improved with several hotfixes and service packs, but the out-of-the-box version lacks any automatic SQL cleanup utilities, so to perform a cleanup of old users or wallets is dangerous SQL, which interrogates the database. To our knowledge, this has not changed in the latest version.
What do I think about the scalability of the solution?
There were scalability issues with 8.0.1. Whilst we could build a new VM with the underlying OS and prerequisites, IBM was always required to assist on-site as only they knew the complicated and fairly undocumented procedure to implement a new IMS server to the pool. In 8.2.1, this has been amplified tenfold as the solution moved from Apache on Windows to IBM WebSphere on Windows, which is incredibly complicated and requires multiple levels of specialist knowledge. This makes it nearly impossible for our company to expand the number of nodes in the WebSphere cluster without accidentally introducing new issues in the said cluster.
How are customer service and technical support?
Technical support is very good, incredibly thorough, and if you have the right support agreement in place, it can be infinite. That being said, when raising a ticket, due to the complex nature of SSO, you need to provide a ton of technical details in the form of logs from the endpoint to the back end.
These recycle at a very high rate, especially in larger estates, so acquiring the logs is not always easy. For this reason, we've had some larger issues outstanding for quite some time. For supported versions, if the level 1-3 teams can identify the cause, they will either provide you with a hotfix that has been previously developed, give you in-depth instructions on what needs to change, or refer it to the development team for a bug fix.
Which solution did I use previously and why did I switch?
We previously managed passwords without an SSO solution. The next step was an enterprise-grade SSO solution. At the time, the IBM SSO offering seemed to fit the bill.
How was the initial setup?
In v8.0.1 (several years ago), the out-of-the-box solution was very complex and required a huge amount of IBM's time (at cost to the client!) in order to implement the entire solution (test/uat/prod clusters).
Due to the nature of our business and the complications around some of the applications we deploy and wanted SSO to manage, the production implementation of SSO took in excess of one and a half years.
What's my experience with pricing, setup cost, and licensing?
The IBM prices are, as ever, extortionate, even with a business partnership and high levels of discounts. This is the same as with other IBM products.
Which other solutions did I evaluate?
Several options were put on the table during an initial paper-based PoC, but there were no other viable enterprise-grade solutions which offered all of the functionality we required.
What other advice do I have?
Read through the (openly available) profiling guides to get a good understanding of how complex the profiling process is going to be. If you have very complex applications, which aren't a simple "start > username/password window opens > end", then you will be opening yourself up to needing a permanent resource to manage the entire solution end-to-end. IMS in all versions can get very unhappy if it's not nursed from time to time.