Implementing an On-Premises Identity Management Solution? Forget It.

by Eric Genesky · Mar. 20, 12 · Interview

This article was originally published by Stephen Lee on the Okta Blog

Let’s start with a hypothetical situation: I’m going to hand you an on-premises identity management solution for free. Well, great, but there’s plenty left to do to turn your identity management dream into reality. First, let’s get the solution installed. Most of the on-premises IDM solutions are traditional three-tier applications. Starting with the database tier, you want to make sure that you have robust hardware to provide a scalable and highly available database infrastructure. Your company may already have solid database infrastructure in which case you will simply extend that to deploy some additional instances for the purpose of your identity management solution. The web- and application-tier deployment poses a similar problem. With identity management being a critical piece of your IT infrastructure, you will most likely have dedicated app-tier and web-tier deployment to support this mission-critical piece of software.

You now have the product in place. What are you going to do with it? Looking at the whiteboard detailing your identity management dream (and anyone with an identity management dream has that whiteboard somewhere), you want to integrate various systems with the IDM solution to solve all the headaches you are currently facing with single sign-on, access management, account provisioning, password management and risk management. These systems most likely include your Human Resource Management System (HRMS) and various other Enterprise Resource Management Systems (ERPs), on-premises or cloud based, and corporate LDAP directories.

Establishing single sign-on, to give seamless and secure access for end users to their applications, is usually the first item on the checklist. You probably have some sort of a corporate LDAP directory acting as the authoritative source for user authentication. Next thing is to integrate your application targets with your SSO solution. Applications use different mechanisms to support SSO. Some use SAML, some may support Integrated Windows Authentication and others may have no support at all. It’s up to you and your IT team to look at each application individually to determine the best way to integrate and implement the solution. Typically, this involves some configuration changes in the application and in your SSO solution — and sometimes coding is needed.

Account provisioning involves more integration with the target applications. To support provisioning, the identity management solution has the ability to trigger creation, modification and deactivation of accounts based on the user lifecycle. The basis of this integration is application connectors tying the IDM solution to all the applications. This may involve writing directly to the application database or calling application-provided APIs to trigger these actions. Like the SSO problem, these integrations are non-standard. Your IT team will have to investigate and implement these point integrations with each of your applications. Some on-premises solutions offer pre-packaged connectors, though usually without many choices.

As you are evaluating the deployment and rollout of your solution, you are also anticipating your organization’s growth, in terms of both users and the list of applications being used. You now have to prepare for the expansion and maintenance not only of the identity management solution itself, but also of the various applications that you have integrated with — not to mention the underlying infrastructure that supports the software.

How sweet is my free offer now?

An on-premises identity management solution simply does not step up to the task of supporting a modern IT infrastructure. The reality is that a comprehensive identity management solution is much more than software. The problem itself is inherently a fluid one in that there are many parties involved (your solution vendor, application vendors, your end users, etc.) and many moving pieces that change over time (integrations, new applications, new versions of applications, new security requirements, etc.).

In most cases, you have an IT infrastructure similar to many other organizations and are using many of the applications that other organizations use. In other words, you share a similar identity management dream with many others. Why redo the work when somebody else has already done it? Why reinvent the wheel when integrating applications with your identity infrastructure? Why go through the hassle of dealing with vendors and implementing unnecessary point integrations?

This problem lends itself to a cloud service provider approach because what you need is not an identity management solution, but an identity management service (like Okta). You need a service that has the experience and expertise in recommending and implementing the right way to integrate with your existing infrastructure such as your HRMS and LDAP directories. This service should provide pre-integrated solutions to your applications and handle the implementation details with your vendors, thus solving the age-old “connector problem” that troubles many on-premises identity management deployments.

Let your service provider handle the maintenance and upgrade cycle with the vendors. From a practical standpoint, a cloud provider can implement and roll out these changes much faster to more organizations with a properly implemented single-instance, multi-tenant architecture. Scalability and high availability of your identity management solution, and application expansions, become the responsibility of your service provider, not your IT department.

For audit and reporting, a good cloud solution like Okta can easily provide a platform to capture and store logs and audit information — all in the cloud, allowing for comprehensive reporting and analytics.

Much has been written and said about the advantages of cloud solutions. Last week, my colleague Michael highlighted the importance of security and the fact that “good SaaS products are designed in a way that makes security natural.” As I’ve pointed out, a good cloud identity management service is the perfect way to solve your organization’s complex identity management problem – and in doing so, removing the complexity to free your IT department.


Published at DZone with permission of Eric Genesky. See the original article here.
