IBM Tivoli Access Manager [EOL] Reviews

It provides robust security.

The SSO, URL-based access control, OAuth 2 and OIDC are the most valuable features.

The URL-based access control has become more important due to the paradigm shift towards RESTful APIs, i.e., where URLs uniquely represent the resources to be protected. IBM TAM has a rich authorization model which simulates the system/environment to be protected by its protected object space. This makes it easy to visualize the hierarchical model of the end system and to attach ACLs/policies and customized rules, to the objects to be protected.

OAuth 2 is now the de facto standard for API protection and scoped authorized delegation. IBM TAM now supports OAuth 2 and can act as fully compliant OAuth 2 authorization server.

OIDC is fast becoming equally or more popular than SAML and is certainly the modern developers choice for SSO, i.e., for both the cloud/on-prem apps. The newer version of the IBM TAM supports OIDC, which can act as the OIDC provider.

The user interface for LMI needs improvement.

The Local Management Interface (LMI), especially for the older IBM Tivoli Appliance Manager (TAM) version, can be improved in terms of overall UI/UX and also, in terms of the performance of the monitoring dashboard.
The LMI for version 9 is much better in that respect.

An Amazon Machine Image (AMI) for the newer appliance versions for hosting the virtual appliances on AWS will help.

There were no stability issues.

There were no scalability issues.

I would rate the technical support a 6/10.

The initial setup was of medium level complexity. The subsequent configuration was complex.

Go for the latest version.

The automation of provisioning has reduced the time it takes for creating a user or an employee in our organization.

Flexibility to connect with different environments and product stability are the best features.

• Connection: There are a number of players in the market and most of them have challenges with being able to connect seamlessly without customization to various data providers, such as queues or databases. Since IBM's Identity and Access management has been in the market for a long time, the connectivity has improved over time.
• Stability: An application that is not stable enough will never succeed in the market. I have seen less down time.

Microsoft has active file handling where you can access different types of documents from the browser itself. This is not supported anywhere other than with Microsoft products. This is desirable, but not a show-stopper.

AngularJS is not yet supported. This could be a cause of worry, since we are seeing the emergence of many AngularJS scripts in webpages. I am sure IBM is working towards enabling it.

There is Java process that hangs in WebSphere almost every month.

We have had no problems with scalability.

I would give technical support a rating of 4/5.

I have always worked with IBM products. This solution was from Tivoli before IBM acquired it.

Compared to the Oracle setup, the initial setup was straightforward.

Pricing is competitive and is lower than other players in the market.

We evaluated Oracle, SailPoint, and ForgeRock.

Go for it. It will be good for your business.

I like the primary function of this product allowing the administration of user/network accounts with a fair amount of ease.

Tracks and assists us with Roles associated to each user.

Need better documentation on usage and admin tasks.

It has been used for at least five years but I have only been working with it since August 2014.

We have had stability issues lately with the hardware and SAN that the product runs on.

We implemented this through a vendor.

Allows users to use a single password across a set of multi-tenant application suites. This would have otherwise required 50-100 unique passwords per application. This allows the user to inject a centralized password (a.k.a. authentication service credential) with little ease and increased reliability. In turn, this removes the user element of the logon process, which is often the root cause of the invalid password attempts.

Single Sign-On functionality is valuable because the core purpose of the product is to allow universal (or bespoke) SSO for application suites. These are heavily customizable and can fully integrate with in-house provisioning systems.

The profiling element is incredibly robust, but also equally as complex, it requires an off-site course to be able to understand the context or the plethora of options available.

The majority of the "IMS profiles" we use are too dangerous to touch without multiple engineers having oversight of a change and an incredibly thorough change management system.

For clarity, an IMS Profile is the process flow in which the SSO component uses to recognize application screens, Windows and logon fields to be able to decide when to intercept and inject credentials into SSO managed applications.

There were endless issues with stability in version 8.0.1. There were issues with stability, anything from the IMS Services stopping on any of the IMS servers (the infrastructure servers responsible for allowing user connectivity to the back end which provides the user with their "wallet" at logon. These issues were improved with several hotfixes and service packs but the out-of-the-box version lacks any automatic SQL cleanup utilities, so to perform a cleanup of old users or wallets is dangerous SQL, which interrogates the database - to our knowledge this has not changed in the latest version.

There were scalability issues with 8.0.1. Whilst we could build a new VM with the underlying OS and prerequisites, IBM was always required to assist on-site as only they knew the complicated and fairly undocumented procedure to implement a new IMS server to the pool. In 8.2.1, this has been amplified tenfold as the solution moved from Apache on Windows to IBM WebSphere on Windows, which is incredibly complicated and requires multiple levels of specialist knowledge. This makes it nearly impossible for our company to expand the number of nodes in the WebSphere cluster without accidentally introducing new issues in the said cluster.

Technical support is very good, incredibly thorough, and if you have the right support agreement in place, it can be infinite. That being said, when raising a ticket, due to the complex nature of SSO, you need to provide a ton of technical details in the form of logs from the end point to the back end.

These recycle at a very high rate, especially in larger estates so acquiring the logs is not always easy. For this reason, we've had some larger issues outstanding for quite some time. For supported versions, if the level 1-3 teams can identify the cause, they will either provide you with a hotfix that has been previously developed, give you in depth instructions on what needs to change, or refer the development team for a bug fix.

We previously managed passwords without an SSO solution. The next step was an enterprise grade SSO solution. At the time, the IBM SSO offering seemed to fit the bill.

In v8.0.1 (several years ago), the out-of-the-box solution was very complex and required a huge amount of IBM's time (at cost to the client!) in order to implement the entire solution (test/uat/prod clusters).

Due to the nature of our business and the complication around some of the applications we deploy and wanted SSO to manage, this made the production implementation of SSO take in excess of one and a half years.

The IBM prices are, as ever, extortionate, even with a business partnership, and high levels of discounts. This is the same as with other IBM products.

Several options were put on the table during an initial paper based PoC, but there were no other viable enterprise grade solutions which offered all of the functionality we required.

Read through the (openly available) profiling guides to get a good understanding of how complex the profiling process is going to be. If you have very complex applications, which aren't a simple "start > username/password window opens > end", then you will be opening yourself up to needing a permanent resource to manage the entire solution end-to-end. IMs in all versions can get very unhappy if it's not nursed from time to time.

From my experience, most of the product features are meant for specific purpose(s) of its own demand and need. Implementing the feature depends on case to case, considering the organization's enterprise/middleware infrastructure design.

TAM component integration and their SSO capabilities and transparency are the most valuable features I have found.

It applies access controls on an organization's web space while running on its components independently, while being highly available. We can isolate our organization infrastructure from security considerations, as we have our entire organization security policy centralized, organised & administered from its API.

Older TAM versions are not compatible for connecting to a DB. I'm not sure if it is available in iSAM 8/9.

However, since iSAM 9 was released as an appliance model, I don't think having a DB as a TAM database directly makes any difference for the users.

I have used it for five years.

We have not encountered any deployment issues. There were a few challenges while implementing ETAI, and ETAI++ integration with the existing infrastructure.

Kerberos setup/run time & virtual hosting concepts have some limitations.

We have not encountered many stability issues.

We have not encountered many scalability issues.

Customer service is 8/10.

Technical support is 8/10.

I have used CA SiteMinder, as well.

I don't see any technical reason for switching a strategic product from IBM TAM. However, considering the iSAM way of making an appliance model, which creates dependency on the cloud for infrastructure, we may think of other options.

Initial setup is straightforward, but we might have to consider the solution architecture to make full use of its components' capacity.

Implementations were in-house projects.

Before choosing this product, we evaluated CA SiteMinder and Oracle Access Manager.

It is a very good security product to integrate with any middleware infrastructure.

Centralized policy management and reverse proxy-based architecture make it very flexible in terms of deployment, adoption, and implementation. SSO capabilities over various technologies is another strength of this product.

This product enhanced the overall security at perimeter and improved user experience via SSO. A central place for policy and credentials simplifies the authentication over application landscape.

The product has not been updated with emerging technologies over the years specifically around AJAX, REST and Mobile app integration. Also the federation capabilites are very limited.

I have deployed this product at various clients over the last 10 years.

Initial deployment of the product is always critical and issues do come up but not due to limitation in the product. Most of the issues were around bad planning or incorrect deployment.

No, there were bugs identified many times but mostly they were fixed via patch release or a workaround was offered.

No, if deployed correctly it is highly scalable product.

Fantastic customer service from IBM.

Technical support is good as you can raise issue any time and based on criticality of the issue IBM can provide support immediately. In some cases even on-premise support is also available.

A home grown solution was replaced by ISAM to change and configure SSO quickly for applications and at the same time using a scalable product was other major consideration.

The initial setup is always complex due to number of applications and user base involved. As the product is a front door for all applications this is very critical and complex setup. Also due to internal and external users and multiple authentication mechanisms involved for different type of users it gets complicated.

IBM team was used for the initial deployment and support and the support provided by them was fantastic. They offer quality consultants all across the globe with short notice.

Yes, it was compared with Siteminde.

This is a great product with proven history. A little better planning is required before deploying it. Given the change in web technologies and SSO protocols it might be better to check other products in market too.

Some valuable features in this product are: webSEAL policy, proxy servers, LDAP server (IBM TDS).

The modularity with which each component may run on a different host is valuable. In addition, multiple instances per component might be installed with load balancers. It provides good scalability and reliability, not to mention the overall availability of the service.

The entire security of the intranet and internet web applications has been covered by the TAM environment.

It happened from time to time, that is, after a long period without restart, the TDS/LDAP instances crashed and remained in a hanging state. A restart did solve the issue but the support was not able to find the cause, despite the fact that the latest fix pack was installed for TDS v6.3.

A similar issue came up when LDAP requests did cause performance issues on TDS or caused the TDS to crash.

As information on fixes and issues related to ITDS are publicly available, let me point you to the respective site:

You may notice, there are several issues listed, which lead to a crash.

Not sure, which one is/was ours, but please notice that TAM/SAM requires multiple software bundles to be installed (like GSKit, Java SDK, WAS, DB2) – each of them having issues.

I have used this solution for five years.

We experienced crashing of LDAP with some specific queries and it affected performance of the TDS proxy.

It is scalable via load balancers but there are some issues with sync while using several LDAP trees.

I would give the technical support a 8/10 rating. Sometimes, there are long running support tickets (for 6-8 months) and that is unacceptable from the customer's point of view.

We were not using any other solution before. We were partially using Apache reverse proxy along with LDAP.

The setup is complex. Without training and prior knowledge, it is hard to get a working environment.

As far as I know, the later versions of TAM (renamed to SAM), are working as appliances and with that, no experience is needed. My advice is to be careful and think twice.

Identity management

We have managed to automate the creation of all employees, and the company's clients and then assign the accounts/accesses according to business need.

TIM logging

Three and a half years.

Little issues that were quick to resolve. I don't understand why they have to separate the deployment, as I have used other products that make the deployment as easy as possible.

Never.

Never.

Good.

I have only ever used this product.

The initial set-up is a bit complex for a novice as the Linux version of it needs you to be somewhat good with Linux. There are certain OS requirements which if you are not familiar with Linux, you going to struggle a bit.

Through a vendor team, and their level of expertise was very high.

No other options were evaluated.

It is a very good product to implement.