Symantec Siteminder Reviews

Single Sign-On is the number one feature of SiteMinder that we're using. The ability to log in once and use those credentials for multiple web sites is very valuable for us.

Upgrades is the biggest area for improvement. It really struggles with the upgrade process. We tell CA this pretty often.

We've had no issues with deployment.

We've had no issues with stability.

We have challenges with scalability. We have a environment in which applications during peak enrollment periods can go from 80 users to 8,000 users in a weekend. Scalability is very difficult with SiteMinder. You basically have to roll out new policy servers and so the ability to provision capacity quickly is still a big challenge for us. They talk about it with every presentation. They're containerizing everything and they're doing all the right things, but they could roll them out faster.

We probably open two to three tickets a week. I manage that relationship so I supervise those tickets and escalate them appropriately. The problem is we need the support, but they don't know anything about the product.

One of the challenges is they kind of have a tiered support model where you get your case open to a Tier 1 support engineer, and often times we're using very specific portions of their products that aren't used to. For example, we use some kind of custom implementations of some of the older technologies for which it's difficult to get a resource who actually knows what we're using and how we're using it. The initial engagement with support can often take us two or three days to get the ticket assigned to the person who knows what they're talking about. Like DLWS, which is a distributed log on web service, which wasn't a core part of the product back in the day and it's just not used by a lot of people.

Some of the advanced password services stuff can be a little bit problematic, getting it assigned correctly, that kind of stuff.

It's complex. Because of the complexity of the application, you're going to need to involve professional services. You're going to need to bring in a lot of outside resources if you've never done it before. It's not an out-of-the-box, point-and-click, now-you-have-SiteMinder situation. It's going to take a lot longer than that and I think the complexity is often hidden. People are going to stumble upon these challenges in their enterprise after they start it.

Not really. We use Ping, so we have products that do similar kinds of stuff. We used to use Tivoli, so we have some experience with that. Identity Manager's been used in the enterprise before. SiteMinder works a lot better for us just because we have a base of administrators who know how it works, ease of installation, and configuration.

It loses points for the upgrade and for just the lack of ease of management. We've been using it for a long time, so we're comfortable with its weaknesses and we've adjusted our process around those. I think for a new implementation it would be very challenging to bring in SiteMinder.

Primary use case is for authentication in Single Sign-On, that's the biggest that we have. But we use it for our internal employees.

It has performed well. We had some hiccups, but that's all.

We had some challenges through modernizing everything over the last two years. Now we are pretty good. We don't see any production challenges. I don't think we have had an incident for a year now.

I think Single Sign-On helps a lot. If you look at our organization, and really all financial institutions, we have a lot of legacy apps. So it really helps to get Single Sign-On.

We use it on the agent model, and we have a lot of capabilities which we leverage to do it on the different apps, so critical apps are protected better. And we do step up using this, but we are looking at other products now to do the advanced track.

We use it mostly out of the box, standard, no customization.

Ease of use is very good, for administrating it. It's very well known. The ease of use is good for our deployment and our applications.

I would like to see a move towards the newer technologies, which is what we are doing right now. I think that's in the roadmap that's coming, in the 12.8 and 14 releases, but we would like to have it sooner than later.

I think now, for over a year, we have had any issues. It has been really very stable for us.

We don't have, and have never had, any scalability challenges.

We use it for challenges we have. If there are any issues that apps are reporting, we use tech support.

I think we have been good for over a year. We always get to the same contact that we have in the support. It's not dedicated support that we have bought, but most of the time it goes to the same person. So it's very easy to traverse.

We had a predecessor to it which was near end of life. I knew this product because I was part of CA previously.

We went with CA because it met most of our requirements. We had a requirement list of what we definitely wanted, what was nice to have, and I could see most of what we wanted.

We actually used CA Professional Services. There were some challenges on some aspects of it, but on the base product, not at all.

We looked at a lot of vendors around it. We had looked at RSA, Ping, and a multitude of others, just on paper, so to speak.

Most important criteria when selecting a vendor: We definitely look at our engagement. We look at the support. That's always the critical factor. Otherwise, I would say most of the products, if you go by the 80/20 principle, they will technically fare well.

I would say invest a lot of time in designing it. Don't just run in without reading the guides and start deploying.

We use it for authentication and authorization for our website. We have multiple external and internal websites that we host, so we are using SSO for authenticating and authorizing for all those websites.

It has performed quite well. We have been using it more than 10 years now.

• Authentication
• Authorization

for our websites. These features are important because all the sites need authentication for security purposes. That has been handled pretty well all these years with SSO.

It doesn't take time for us to configure, maybe because we have been using this product for so long. In terms of security rights, a lot are covered under SSO, so we don't actually have to go and do something on the back end.

We would like to the OAuth be more stable, more issues being fixed rather than not.

We're pretty happy, but there are some scenarios with the new stuff, like OAuth - where authentication happens from Google, Amazon - in which they're still lagging right now. They're developing it, but we have been using SSO for a long time and Oauth capability was not there, and it recently started this year. So we had a little bit of a question, "Should we still use this product or we should go to another product?" That was the one concern.

Stability? There have been some issues but over the years but it's pretty stable. The issue we encountered was a whole site going down. But we were able to bring it up.

Scalability is pretty good.

They're pretty good on some of the non-issues. There are some delays, however, and they keep on asking for logs or try to delay it, maybe it's stuff they don't know. But in most of the cases they respond pretty quickly.

I wasn't in on the initial setup, but I have been installing a lot of the newer versions. Compared to six, seven years ago, now it is very, very smooth.

I would still not rate it a 10 out of 10 because, like I said, we had some issues with the OAuth here and there. Once those are done right, I think it would be a nine out of 10.

Regarding advice to a colleague who is researching this or a similar solution, it depends on what they are trying to accomplish. Are they going legacy, where you authenticate, versus the newer federation?

But I would recommend SSO as a solution.

Security is the most valuable feature.

It enhances the user experience and the security posture for the company. It protects the company from vulnerabilities.

It has improved our user experience quite a bit because they can log in once and go to any application they want, as long as it is integrated with SiteMinder, which was the not the case before. So, in terms of productivity it does add a lot of value.

We would like to see more information on the analytical piece of it. There are certain other components which are integrating, advanced integration, that might add value to it. We would like to see the CA SiteMinder by itself provide threat analytics, depending on behavioral authentication and so on, without having to add an extra piece to it.

We've been using this product for about ten years.

This product is quite stable. We've been using this product for about ten years. We haven't experienced a situation where we had to take an outage because the product was unstable. The core policy server is pretty stable, but there are other add-ons that keep coming up with which we keep having problems. However, CA has been proactive in fixing these issues.

The scalability of this tool is very good.

I would give the technical support a rating of 2-3/10. Most of the time, from my experience, every time I have an issue, techncial support tries to buy time by asking me some unrelated questions or by trying to give me information that does not match my requirement. I need to push hard to get a subject matter expert who can help me with the product. This is an experience I have been having for the last 4 to 5 years; it is not new.

We were not using any other product before this one.

I was involved in the initial setup process. The initial setup was neither straightforward nor complex. It is medium, depending on the implementations. It was a bit complicated because of the number of components that we had to install, based on our setup.

Any advice I would give about this product would be an honest reflection of my experience with this product. From the technical perspective, as much as we can do, it has been pretty good. Don’t get me wrong, our account manager is great; there is no question about that. However, the quality of support and documentation are my primary concerns.

Some of the most important factors while selecting a vendor are the vendor’s technical experience, our approachability to them, their response back, licensing costs and so on.

The most valuable feature is that it takes a lot of the logic for authentication and authorization out of the hands of your application and moves it into a centralized framework. Once we have our authentication and authorization policies set, they are easy to duplicate across all our applications instead of trying to develop them into each application individually. That’s where we probably see the most benefit or the most cost savings for our organization.

It has reduced developer costs; we get some of that back. Before, when we used a tool that was engineered in-house, it still required a lot of developer resources. Every time we created a new application, it needed to integrate into our in-house solution.

As we are now moving away from that, this product gives us the ability to have single sign-on zones expand outside of even what was normally our in-house product, to now use things like federation and SAML to carry out single sign-on, to things that might not even use the single sign-on solution from CA.

Increased single sign-on zones and then saving on developer time/costs are the biggest benefits.

One thing that we found a little difficult, was the default functionality to understand error messages coming back from a directory. You had to either use an add-on product or an advanced password service or perhaps change components within your directory, just to understand a simple message whether if a password has been expired or if it was incorrect.

Since then we have bought an additional SM Walker product, which is a third-party solution to resolve this issue. However, it would be nice if that aspect of the solution was a default functionality, within this tool itself and not something that you had to purchase as an add-on feature.

It has been good, after the initial first year or two that we purchased this product. When we first started out, we had some implementation issues; maybe it was not configured correctly and that caused us some problems.

Once we figured out those issues, it has been very stable since then.

Once we were familiar with the product, we haven't had any problems with its scaling. We had to figure out the factors that need to be increased so that we can scale up and also elements to look for as far as performance is concerned. We continue to use it more and more, along with an increasing number of applications being brought over.

We have used technical support quite a bit. Once we get connected to someone who understands the issue and can explain the necessary solution to us, it has been very good. For us, getting to that person or to the second level of support is time consuming. We have to jump through a lot of the same hoops in order to get to that person. The initial first level support is not as great, however once we get to that second level, we usually get back meaningful solutions that help us out.

Initially we didn't find the need to invest in building ourselves. We had an in-house product that we had developed and as time passed by, there were some security holes that can be found in any existing product. It wasn't cost effective for us to maintain it. Hence, the decision to purchase a third-party software like CA Single Sign-On/Shibboleth/CAS made a lot more sense as the expense incurred for purchasing any of these products was much less than for us to create or develop our own in-house solution.

Basically, it did not make a lot of sense to try and reinvent the wheel when nothing unique was needed for our organization. It was just more logical to buy another tool versus using an in-house product.

With the default set up, there is always a limitation on the number of connections that you can have under your policy servers. We didn't know this and it wasn't something that we were informed of, during implementation. As a result, as soon as we hit the maximum limit we started experiencing issues. It probably took us about a month to figure out the solution, which ended up being rather simple but that was a big bump in the road for us and hurt us in the initial stages itself.

During implementation, make sure to verify the tuning guide. We had a transition with our implementation person, who was changed in the middle of the process. In our case, factors such as maintenance and performance tuning were skipped over. We didn't really get to those aspects until we were live-in production and then needed to work out some of these issues. Thus, don't underestimate such a situation because when you experience such issues your customers are also going through them and then at that point it is public.

Mostly, our experience with this product has been good. There are areas that we think could be improved but mostly, we are happy with it.

The 2 other systems that were seriously considered were Shibboleth and then CAS. One of the main reasons as to why we decided to purchase this product, was the authorization functionality that exists in CA SSO. It was more suitable for a lot of our products as we could save time in the development aspect. I am not sure if any such functionality did exist at that level or complexity in either Shibboleth or CAS. Thus, for us this was a major selling point.

We use it a lot for federation, authenticating in-house or on premises, and that gives us access to an outside SaaS provider.

Also, we like the reverse proxy tool so much that in some instances we’re using SSO just for that and not even single sign-on.

It's really increased the security of our applications, and in some cases, has provided much more security. It does this even while some applications don't require multiple usernames and passwords.

The documentation is not good enough, particularly the installation documentation could be improved. Some things are left open to interpretation and others are simply not documented at all. CA will take liberties and make assumptions that your system is a certain way, and so the documentation is based on that.

It’s very stable, but we found some bugs and got workarounds quickly. We stress out SSO, from what I understand CA's reasoning is, but they're quick to resolve the issues.

We've had no issues at all with scalability, as it covers everything we do even at thousands of logins per minute.

We use them a lot and they're quick to pick up cases. We have almost a dedicated team with them that escalates up issues.

It’s fairly complex as it has lots of pieces. We’re in the process of upgrading and we’re building a mirrored environment and then moving everything over to it.

CA is great to work with, but to use it, just learn the product suites and how they interact. Make sure you have a good layout and make sure you have everything you need.

We primarily want to use the solution to implement our SSO, Single Sign-On solution.

The single sign-on is the solution's most valuable feature.

Since we're in the early stages of examining the solution, it's hard to predict what might be lacking.

We're currently unable to find information about if the solution can do a full implementation with SQL. Some better and more accessible documentation for new users or those curious about the product would be helpful.

We want to implement a simple application. Currently, from what we're finding, we're not sure if it would work the way we need it to.

The solution is quite new to us and I only really started looking at it about two or three weeks ago. We're in the testing phase.

We've never contacted technical support.

For a long time, we used SiteMinder, We're currently looking into what might be a better solution for SSO. That's why we're currently evaluating CA SSO. We'd been using the previous solution for two or three years but it hasn't been able to provide us with what we needed. Currently, we're trying to implement CA on servers for IPMP.

The initial setup seems straightforward, but we're curious about the aspect of SSO for SQL servers. We're also investigating from the net side to see what requirements are needed. We haven't implemented or deployed it yet.

We have our own in-house team that will handle the implementation.

I'm an implementor, so I help clients implement the solution for their companies.

We're still in the process of testing the solution. We're currently not providing services on it as we are still in the testing phase.

So far, with a simple implementation of the SSO, I'd rate the solution eight out of ten.

It is our authentication system for access to online and mobile banking.

Its performance has been good. It works well for us.

It keeps our members safe, that's a benefit for us. It's important.

Federation, for sure, because we have a lot of third-party vendors that we need to integrate with, and this is a turnkey solution in some ways.

The Directory is secure. It's our user store, and it's important to keep our members safe. The product does well with that.

I think they need to integrate some of the newer types of authentication into the product. I'm not seeing the innovation when it comes to biometrics in the product.

Also, easier integration with third-party partners to OpenID Connect because username/passwords are a thing of the past. People are going to be using facial recognition. Apple has gone that way. There are other companies like Daon that are doing this. CA SSO will be left behind if they don't have it yet. There's some innovation being done, but it's not there.

Improvement is being made all the time. I just came out of a session here at the CA World conference where they showed how you set up Federation partners is being improved, through more APIs. Making life easier for the engineer is always important because we are lazy in general. So improvements are being made in that space. There's more to be done, like how to make configurations easier, and not have the engineer having to guess what will happen when he changes a particular setting.

If I had answered this question four years back I would have said "poor." But over the last four years they've done a lot of work to make it stable and it's reasonably stable right now.

It still goes down once in a while. But that's not the product's problem, it's probably how it's configured in our environment. So the product is pretty stable.

It is scalable. It depends on where it's running, and on where it's deployed, and how it's configured. In our case, it is scalable. 

Some parts are scalable, not all parts. We do have some customized pieces within the product itself that we paid CA to build for us. Some of those things are not scalable.

Technical support is good. We're a large scale customer for CA, so we do have Premium Support from them. We had a problem about three years back with the stability and we were going down all the time. We actually got somebody in-house from CA, to come to our office within a few hours, and the person stayed on until the problem was fixed.

We had no choice. We were growing too big. We had a homegrown solution in place six years back, and our CTO at that point made a conscious decision to go towards this approach. And it worked.

I think CA had a pre-existing relationship with our company. And our CTO had used a CA SSO product before, and the recommendation was made at that point. So I don't know whether it was a full evaluation that was done, or whether it was the fact that, "Hey, it is a product that had worked before in other places, and we're talking about a straightforward use case here. So let's just go for it."

In terms of advice to someone looking for a similar solution, this one has worked for us, so think of whether it fits into your space. It may be best-in-class for doing a particular type of function, but that doesn't mean it fits in your ecosystem. So think of that first before you pick something which is best-in-class.

Complex, painful. But that is to be expected of any new setup. When you're a big bank like us, any kind of migration to a new product is hard. I expect it to be painful, and it was painful. But it's not something that you can avoid.

One thing that recently surprised me about CA is how big it is. The product I'm talking about in that context is not a CA product, it's an acquisition that CA made a few years back. I was used to working with the other company. Once we knew that CA bought it, I was surprised to see how big CA is. Just the product suite itself is pretty large. So just that was surprising.

As for the most important criteria when selecting a vendor, technical support is clearly one of them. Vendors tend to sell us something and then walk away, and we're left holding the bag. So tech support is clearly important. Apart from that, in terms of products, we don't care much about best-in-class. We just need to make sure it fits within any kind of technology ecosystem that you have. You could come and sell me a product that is best-in-class for doing a particular thing. But if it doesn't fit into my current stack, than it's useless.