A lot of vendors are cashing in on the compliance mandate for an identity management solution to take the burden off of the CIO/CSO relating to compliance reporting for IT security. The way they do it is by putting the entire stack in one BIG Bill of Materials with the assurance of taking away the pain of identity management and compliance reporting.
In theory that might work, but in reality, when the implementation starts it all starts to fall apart.
Here are a few tips for how to approach an identity management solution.
1. Find out what is in the environment and try to clean up what's not required. A way to do that could be by deploying a virtual directory that gives a read-only view to all user repositories and helps you analyze what's there.
That would help in clean up without having to change or deploy anything in the network. Also, you wouldn't have to deal with the application owners' reluctance to share data, as they would not be required to give write access to their applications.
2. After the clean-up phase, use the same virtual directory approach to expose the underlying user repositories to be exposed as an LDAP V 3 directory and then can be used as a single LDAP-enabled directory that would fetch the user information from wherever it lies and present it to the application. This would ease up the approach to a single sign-on solution. A single sign-on solution would be better managed with one LDAP than multiple LDAP directories.
3. After single sign-on has been deployed using one LDAP directory, the approach could be to go in for a user provisioning system that would have basic workflow capabilities and provisioning functionalities. The solution would help in provisioning the users in the underlying repositories acting as a feed to the virtual directory.
The key would be deciding if the identity management solution is connected to all your repositories. This is important to a successful and rapid implementation. Moreover, never rely on presentations and demonstrations. Always insist on proof of concept, as your environment would certainly be different from others. Reference calls would give you an idea for how other people in the industry are using the same solution and would help you in implementation, but your decision should not be based on that alone.
4. After all the pieces are in place, then you may look for federation -- not before that.
Don't forget to align your business processes with workflows of identity management, without which you would never be able to justify ROI. Always get into the details of the solution architecture, as you might never know if your key business system is supported out of the box or if you have to customize it.
Hope it helps.