What is our primary use case?
Initially, it started off with single sign-on and promoted single sign-on within multiple single sign-ons.
Over time, it morphed into also implementing what we call authorization policies. That includes limiting when people can access an application in terms of the time of day, or limiting which user populations can use a particular application.
It's mainly an access management tool.
Over the last four years or so, we've leveraged the integration between Access Manager and the advanced integration framework so that we can now also implement multi-factor authentication.
What is most valuable?
It's a very powerful product.
It's very easy to integrate with applications.
At the time when we deployed the product, the fact that you've got a lot of legacy applications that don't necessarily support federation protocols like OAuth and SAML, yet have Access Manager's ability to automatically populate in an HTML form and submit it has been very useful. That capability was one of the reasons we went with it. We stuck with it over and above Access Manager. Now, of course, as time has progressed, we're moving more towards the use of the federation protocols, specifically when it comes to cloud-based apps like ServiceNow.
What needs improvement?
Since we use it to access a number of mission-critical applications, it means that we have multiple sites. We have independent instances of Access Manager deployed. What's very important for us is to ensure that the configurations across the various sites are 100% aligned. If they had a mechanism to ensure that's the case, that would be great.
For example, the worst thing is if you run into an issue, and then you fail over to your disaster recovery environment, and then you find out that you've got a missing configuration there. It would be great if one could easily compare configurations across instances of NetIQ Access Manager to ensure consistency. It's just about ensuring consistent configuration across various instances.
Having the ability to easily extract and view and compare and version control configurations would be ideal. If you consider our scenario whereby, let's say, we've got an instance for our retail environment, and for that instance, we've got a disaster recovery environment. We need to ensure the amount of service at each of those sites. Now yes, they serve different purposes, however, for us, it's very important that site A and site B are 100% aligned. And so if there was a way to easily extract the configuration and to compare it across sites, to me, that would just make everything from an operational perspective significantly easier.
For how long have I used the solution?
I've been using the solution for probably ten years.
What do I think about the stability of the solution?
Over the years, stability has improved. Typically when there's a new major release, there are issues and then two or three service packs later you're in a better position. That's just the honest truth.
Right now, we're fairly stable. In the next month or so, we are going to be upgrading to the latest major release. At least now, on the third service pack, I don't expect there to be issues. That's my experience.
There is a major release going from version three to four or four to five. There seem to be issues up front, and then once you get to the third or fourth service pack to address those various issues, you're fine again. Having an experienced implementation partner is important due to the fact that if you don't get your parameters tuned correctly, you are also going to run into some issues.
What do I think about the scalability of the solution?
There's no issue with scalability. The sizing documentation is pretty good, and we haven't run into any issues as far as scalability is concerned. It's just as easy as adding another provider or access gateways, that's not a problem.
We're probably looking at about 30,000 users on internal stuff, however, if you're talking about concurrent connections, we are in the region of probably 100,000 users on the solution right now. It's extensively used in the organization.
How are customer service and support?
We've got a dedicated support engineer, so that does help in terms of logging and escalating any issues that we uncover.
The support team is quite knowledgeable when it comes to Access Manager. So when we do have issues, we get the necessary responses that we need.
Of course, just like any other product, if our requests or issues result in development changes, we'll have to fall into the queue as far as that's concerned. That said, if we're talking about high-priority vulnerabilities that need to be addressed or just your typical support issues, they are very responsive.
How would you rate customer service and support?
How was the initial setup?
Obviously, over the years, we've upgraded and installed different versions. We're literally running at the moment, four instances of NetIQ Access Manager, each serving a different purpose - whether it's for our retail population or for our internal stuff. For us to set up an instance is fairly straightforward. That said, we've done it so many times. We know what is required, and we know from a sizing perspective and from a configuration perspective what is required. Maybe we have an unfair advantage in terms of having done this so many times and being involved with the product for so many years. That's why it's difficult to comment on how easy or hard it is to set up. If you've never done it, I probably would recommend that you get some more professional services or at least better architecture, and maybe do some kind of health check after you've done your installation.
I'd rate the ease of setup a four out of five.
What about the implementation team?
The setup is done in-house. We have gained knowledge over a number of years. If you are a company and you newly acquired it, I would recommend that you involve the vendor or some kind of additional services.
There are a number of tuning parameters that can greatly help with the performance and stability of the product. And it's basically implemented when you're involving an implementation partner.
What's my experience with pricing, setup cost, and licensing?
I can't speak directly about pricing. However, we've got a bundle agreement with the organization since we use a lot of their products, so we probably get some form of preferential pricing.
Which other solutions did I evaluate?
At some stage, maybe six years ago, we considered performing an evaluation with Oracle Access Manager. This must have been about six or seven years ago. The feature set on Access Manager just exceeded what was available in Oracle.
We haven't done many comparisons between other products recently and since the last time we looked was six years ago, not many other products were on the table at that point. The ones that we had access to were Oracle Access Manager and NetIQ Access Manager.
From a pricing perspective, we looked at Okta not too long ago. However, the pricing was just too much, based on what we are paying for NetIQ Access Manager. For our situation, the agreements that we set up way back in the day are advantageous to us from a pricing perspective. If we had to do it right now, the pricing would've been a big, big factor.
What other advice do I have?
While this product can work for different sizes of companies, if you've only got simple requirements, maybe you need to go rather look into a cloud service that offers something similar, like Okta or Ping. However, if you're going to have to implement single sign-on and multi-factor authentication for a number of applications, I would go with something like NetIQ Access Manager.
I'd rate the solution eight out of ten.
There aren't any glaring issues with the product. As time has progressed, they've continued to modify it. It's a very mature product.
Which deployment model are you using for this solution?
Disclosure: I am a real user, and this review is based on my own experience and opinions.