Over last several months, in meetings with many Red Hat customers, I have been asked about best practices related to migration from an existing third-party identity management solution to Red Hat’s Identity Management (IdM) solution. In today's post I will share some of my thoughts on this matter…
I've found that there are several reasons why customers might not be satisfied with what they already have.
It's not uncommon to hear about how an existing third-party identity management solution is not working well. Poor stability is a great reason to start shopping around. Of course, people ask whether (or not) what Red Hat offers is stable. My response: it is reasonably stable for a solution that adds so many new features with each and every release. If you expect our solution to be flawless, this may not be the solution for you as, inevitably, bugs happen. As no two deployments are equivalent in terms of size, complexity, and load - identity management systems need to be both stable and flexible (i.e. capable of addressing a variety of scenarios and use cases) - a challenge, to be sure.
After sharing my response, the following questions are usually: “How serious are the bugs? How will the Red Hat Identity Management team handle them? How will Red Hat respond to my concerns?”. My response to this second round of questions: we, at Red Hat, are professionals and we care. The identity management space is very complex and issues pop up. In addition to robust customer support services - Red Hat professional services has a number of offerings in this area. If you need help we are happy to provide it. Also, it is always wise to set up a proof of concept to ensure that Identity Management can meet your requirements before committing to running IdM in a production environment.
Many identity management offerings provide support for a broad set of platforms that can be hooked into a central identity solution. This usually includes hooking HP, Solaris, AIX, Linux and various mobile platforms to Active Directory. The Identity Management solution from Red Hat has advanced support for Linux platforms primarily Red Hat Enterprise Linux, Fedora, and CentOS but other Linux distributions like Debian, FreeBSD, Arch Linux, Scientific Linux and Ubuntu have recently included some client bits to play well in the Red Hat IdM ecosystem. There is also basic support for older UNIX distributions (for both authentication and identity lookup). While there are no special features for mobile authentication, such clients can usually be supported via standard LDAP and Kerberos protocols.
That said, to date, there has not been much demand in this area. If you have a use case, please share it with us; alternatively, open a support case (preferable) or file a request for enhancement in our bug tracking system. If and when you do file a bug, please select “Red Hat Enterprise Linux 7” as the target product and “ipa” as the component.
If you want to move to Red Hat Identity Management and completely eliminate a third-party solution you will need to assess what might happen to your legacy systems. If you are planning to eliminate them over time, starting with the Red Hat IdM solution for the Linux systems while keeping the third-party vendor solution for legacy systems is a good choice. As you replace older systems with the new ones, you can gradually phase out the legacy solution over time.
A typical question here is: “Does Red Hat provide the tools to do such conversion / migration?” As mentioned above, every deployment is unique. The best approach would be to connect to the Red Hat support organization and run a joint evaluation. It might render some basic recommendations and guidelines that you would be able to follow yourself or might lead to a recommendation to engage with Red Hat professional services.
Existing available solutions either connect everything directly to Active Directory or require a completely stand-alone server and call for data synchronization between different silos. In some cases this is an adequate solution. In many (other) cases, this really limits the ability of the Linux part of the enterprise to do its job. The Red Hat Identity Management solution, as I mentioned in my original series of blogs, comes with direct and indirect integration options regarding Active Directory as well as a completely stand alone solution. The choice is yours and you should pick whatever fits your business needs and enterprise model best.
Red Hat Identity Management is quite robust and competitive and in some areas much better integrated and advanced than other third-party offerings. The identity management solution that Red Hat provides, has been built with the modern enterprise in mind. It is suited for the use cases that require a high level of flexibility and automation without setting aside the needs of the traditional datacenter.
For the full Identity Management feature set, please consult Red Hat Enterprise Linux Identity Management related documentation (scroll to the bottom of the page) in the Red Hat Customer Portal. Note that there are some gaps in the offering. To date, Red Hat does not have a formal offer related to centralized aggregation and processing of the identity management logs. There are, however, some efforts in this area. Since the client and server components provide rich information feeds, we were able to prototype some of the potential solutions presented here. A session recording project is also underway. It is called Tlog and will be covered in more detail in a future blog. Be aware that if you rely on the logging and session recording solution provided by same vendor as your (current) identity management solution, switching to the Red Hat Identity Management offering might not be possible for some time. We, however, are very interested in working closely with customers to try early versions of our solutions so that we can deliver something that will meet your needs and expectations. Contacting Red Hat support would be the best way to get engaged.
Red Hat's Identity Management solution is included with Red Hat Enterprise Linux subscriptions (i.e. it's provided at no additional charge). Most other identity management solutions have additional costs, and often times the more systems you have the higher the costs are. So before you (once again) write a check to a vendor to solve your identity management challenges, think about whether you are getting value for your money. Maybe it is time to consider a move.
If you feel the need for a change, Red Hat Identity Management is well worth consideration, and if something is missing – engage!
Red Hat is unique in that as an open source company anyone with enough interest / motivation can get to the code, see what we are doing, and take advantage of the ability to influence the project / work itself. How many other vendors can offer you this kind of access?