it_user432489 - PeerSpot reviewer
Senior IAM/Security Consultant at a tech services company with 11-50 employees
Consultant
The SSO, URL-based access control, OAuth 2 and OIDC are the most valuable features.
Pros and Cons
  • "OAuth 2 is now the de facto standard for API protection and scoped authorized delegation. IBM TAM now supports OAuth 2 and can act as fully compliant OAuth 2 authorization server."
  • "An Amazon Machine Image (AMI) for the newer appliance versions for hosting the virtual appliances on AWS will help."

How has it helped my organization?

It provides robust security.

What is most valuable?

The SSO, URL-based access control, OAuth 2 and OIDC are the most valuable features.

The URL-based access control has become more important due to the paradigm shift towards RESTful APIs, i.e., where URLs uniquely represent the resources to be protected. IBM TAM has a rich authorization model which simulates the system/environment to be protected by its protected object space. This makes it easy to visualize the hierarchical model of the end system and to attach ACLs/policies and customized rules, to the objects to be protected.

OAuth 2 is now the de facto standard for API protection and scoped authorized delegation. IBM TAM now supports OAuth 2 and can act as fully compliant OAuth 2 authorization server.

OIDC is fast becoming equally or more popular than SAML and is certainly the modern developer's choice for SSO, i.e., for both the cloud/on-prem apps. The newer version of the IBM TAM supports OIDC, which can act as the OIDC provider.

What needs improvement?

The user interface for LMI needs improvement.

The Local Management Interface (LMI), especially for the older IBM Tivoli Appliance Manager (TAM) version, can be improved in terms of overall UI/UX and also, in terms of the performance of the monitoring dashboard.
The LMI for version 9 is much better in that respect.

An Amazon Machine Image (AMI) for the newer appliance versions for hosting the virtual appliances on AWS will help.

What do I think about the stability of the solution?

There were no stability issues.

Buyer's Guide
IBM Tivoli Access Manager [EOL]
December 2024
Learn what your peers think about IBM Tivoli Access Manager [EOL]. Get advice and tips from experienced pros sharing their opinions. Updated: December 2024.
824,067 professionals have used our research since 2012.

What do I think about the scalability of the solution?

There were no scalability issues.

How are customer service and support?

I would rate the technical support a 6/10.

What about the implementation team?

The initial setup was of medium level complexity. The subsequent configuration was complex.

What other advice do I have?

Go for the latest version.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Technical Lead at a tech services company with 10,001+ employees
Real User
Uses automated provisioning to create users. I would like to see AngularJS support.

How has it helped my organization?

The automation of provisioning has reduced the time it takes for creating a user or an employee in our organization.

What is most valuable?

Flexibility to connect with different environments and product stability are the best features.

  • Connection: There are a number of players in the market and most of them have challenges with being able to connect seamlessly without customization to various data providers, such as queues or databases. Since IBM's Identity and Access management has been in the market for a long time, the connectivity has improved over time.
  • Stability: An application that is not stable enough will never succeed in the market. I have seen less down time.

What needs improvement?

Microsoft has active file handling where you can access different types of documents from the browser itself. This is not supported anywhere other than with Microsoft products. This is desirable, but not a show-stopper.

AngularJS is not yet supported. This could be a cause of worry, since we are seeing the emergence of many AngularJS scripts in webpages. I am sure IBM is working towards enabling it.

What do I think about the stability of the solution?

There is a Java process that hangs in WebSphere almost every month.

What do I think about the scalability of the solution?

We have had no problems with scalability.

How are customer service and technical support?

I would give technical support a rating of 4/5.

Which solution did I use previously and why did I switch?

I have always worked with IBM products. This solution was from Tivoli before IBM acquired it.

How was the initial setup?

Compared to the Oracle setup, the initial setup was straightforward.

What's my experience with pricing, setup cost, and licensing?

Pricing is competitive and is lower than other players in the market.

Which other solutions did I evaluate?

We evaluated Oracle, SailPoint, and ForgeRock.

What other advice do I have?

Go for it. It will be good for your business.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Systems Admin Analyst 3 at CPS Energy
Real User
We can track the roles associated to each user. Needs better documentation on usage and admin tasks

Valuable Features:

I like the primary function of this product allowing the administration of user/network accounts with a fair amount of ease.

Improvements to My Organization:

Tracks and assists us with Roles associated to each user.

Room for Improvement:

Need better documentation on usage and admin tasks.

Use of Solution:

It has been used for at least five years but I have only been working with it since August 2014.

Stability Issues:

We have had stability issues lately with the hardware and SAN that the product runs on.

Implementation Team:

We implemented this through a vendor.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user704022 - PeerSpot reviewer
Infrastructure Specialist at a financial services firm with 5,001-10,000 employees
Real User
I can integrate with in-house provisioning systems. The profiling element is complex.
Pros and Cons
  • "Single Sign-On functionality is valuable because the core purpose of the product is to allow universal (or bespoke) SSO for application suites."
  • "The profiling element is incredibly robust, but also equally as complex; it requires an off-site course to be able to understand the context or the plethora of options available."

How has it helped my organization?

Allows users to use a single password across a set of multi-tenant application suites. This would have otherwise required 50-100 unique passwords per application. This allows the user to inject a centralized password (a.k.a. authentication service credential) with little ease and increased reliability. In turn, this removes the user element of the logon process, which is often the root cause of the invalid password attempts.

What is most valuable?

Single Sign-On functionality is valuable because the core purpose of the product is to allow universal (or bespoke) SSO for application suites. These are heavily customizable and can fully integrate with in-house provisioning systems.

What needs improvement?

The profiling element is incredibly robust, but also equally as complex; it requires an off-site course to be able to understand the context or the plethora of options available.

The majority of the "IMS profiles" we use are too dangerous to touch without multiple engineers having oversight of a change and an incredibly thorough change management system.

For clarity, an IMS Profile is the process flow that the SSO component uses to recognize application screens, Windows and logon fields to be able to decide when to intercept and inject credentials into SSO managed applications.

What do I think about the stability of the solution?

There were endless issues with stability in version 8.0.1. There were issues with stability, anything from the IMS Services stopping on any of the IMS servers (the infrastructure servers responsible for allowing user connectivity to the back end which provides the user with their "wallet" at logon). These issues were improved with several hotfixes and service packs but the out-of-the-box version lacks any automatic SQL cleanup utilities, so to perform a cleanup of old users or wallets is dangerous SQL, which interrogates the database - to our knowledge this has not changed in the latest version.

What do I think about the scalability of the solution?

There were scalability issues with 8.0.1. Whilst we could build a new VM with the underlying OS and prerequisites, IBM was always required to assist on-site as only they knew the complicated and fairly undocumented procedure to implement a new IMS server to the pool. In 8.2.1, this has been amplified tenfold as the solution moved from Apache on Windows to IBM WebSphere on Windows, which is incredibly complicated and requires multiple levels of specialist knowledge. This makes it nearly impossible for our company to expand the number of nodes in the WebSphere cluster without accidentally introducing new issues in the said cluster.

How are customer service and technical support?

Technical support is very good, incredibly thorough, and if you have the right support agreement in place, it can be infinite. That being said, when raising a ticket, due to the complex nature of SSO, you need to provide a ton of technical details in the form of logs from the end point to the back end.

These recycle at a very high rate, especially in larger estates so acquiring the logs is not always easy. For this reason, we've had some larger issues outstanding for quite some time. For supported versions, if the level 1-3 teams can identify the cause, they will either provide you with a hotfix that has been previously developed, give you in depth instructions on what needs to change, or refer the development team for a bug fix.

Which solution did I use previously and why did I switch?

We previously managed passwords without an SSO solution. The next step was an enterprise grade SSO solution. At the time, the IBM SSO offering seemed to fit the bill.

How was the initial setup?

In v8.0.1 (several years ago), the out-of-the-box solution was very complex and required a huge amount of IBM's time (at cost to the client!) in order to implement the entire solution (test/uat/prod clusters).

Due to the nature of our business and the complication around some of the applications we deploy and wanted SSO to manage, this made the production implementation of SSO take in excess of one and a half years.

What's my experience with pricing, setup cost, and licensing?

The IBM prices are, as ever, extortionate, even with a business partnership, and high levels of discounts. This is the same as with other IBM products.

Which other solutions did I evaluate?

Several options were put on the table during an initial paper based PoC, but there were no other viable enterprise grade solutions which offered all of the functionality we required.

What other advice do I have?

Read through the (openly available) profiling guides to get a good understanding of how complex the profiling process is going to be. If you have very complex applications, which aren't a simple "start > username/password window opens > end", then you will be opening yourself up to needing a permanent resource to manage the entire solution end-to-end. IMS in all versions can get very unhappy if it's not nursed from time to time.

Disclosure: My company has a business relationship with this vendor other than being a customer: Our business has a close working relationship with IBM across several business areas and product sets. When using the legacy version of IMS 8.0.1, we only went for a basic support agreement which was fine, generally, but when choosing to upgrade to 8.2.1, we added an AVP support agreement to get better engagement and to help push us along with better management of our cluster.
PeerSpot user
Middleware Specialist at a tech vendor with 10,001+ employees
Vendor
Component integration, SSO capabilities and transparency are the most valuable features I have found.

What is most valuable?

From my experience, most of the product features are meant for specific purpose(s) of its own demand and need. Implementing the feature depends on case to case, considering the organization's enterprise/middleware infrastructure design.

TAM component integration and their SSO capabilities and transparency are the most valuable features I have found.

How has it helped my organization?

It applies access controls on an organization's web space while running on its components independently, while being highly available. We can isolate our organization infrastructure from security considerations, as we have our entire organization security policy centralized, organised & administered from its API.

What needs improvement?

Older TAM versions are not compatible for connecting to a DB. I'm not sure if it is available in iSAM 8/9.

However, since iSAM 9 was released as an appliance model, I don't think having a DB as a TAM database directly makes any difference for the users.

For how long have I used the solution?

I have used it for five years.

What was my experience with deployment of the solution?

We have not encountered any deployment issues. There were a few challenges while implementing ETAI, and ETAI++ integration with the existing infrastructure.

Kerberos setup/run time & virtual hosting concepts have some limitations.

What do I think about the stability of the solution?

We have not encountered many stability issues.

What do I think about the scalability of the solution?

We have not encountered many scalability issues.

How are customer service and technical support?

Customer Service:

Customer service is 8/10.

Technical Support:

Technical support is 8/10.

Which solution did I use previously and why did I switch?

I have used CA SiteMinder, as well.

I don't see any technical reason for switching a strategic product from IBM TAM. However, considering the iSAM way of making an appliance model, which creates dependency on the cloud for infrastructure, we may think of other options.

How was the initial setup?

Initial setup is straightforward, but we might have to consider the solution architecture to make full use of its components' capacity.

What about the implementation team?

Implementations were in-house projects.

Which other solutions did I evaluate?

Before choosing this product, we evaluated CA SiteMinder and Oracle Access Manager.

What other advice do I have?

It is a very good security product to integrate with any middleware infrastructure.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user181038 - PeerSpot reviewer
Enterprise Security Architect at a tech services company with 51-200 employees
Consultant
SSO capabilities over various technologies is a strength of this product but the federation capabilities are very limited

What is most valuable?

Centralized policy management and reverse proxy-based architecture make it very flexible in terms of deployment, adoption, and implementation. SSO capabilities over various technologies is another strength of this product.

How has it helped my organization?

This product enhanced the overall security at perimeter and improved user experience via SSO. A central place for policy and credentials simplifies the authentication over application landscape.

What needs improvement?

The product has not been updated with emerging technologies over the years, specifically around AJAX, REST and Mobile app integration. Also the federation capabilities are very limited.

For how long have I used the solution?

I have deployed this product at various clients over the last 10 years.

What was my experience with deployment of the solution?

Initial deployment of the product is always critical and issues do come up but not due to limitation in the product. Most of the issues were around bad planning or incorrect deployment.

What do I think about the stability of the solution?

No, there were bugs identified many times but mostly they were fixed via patch release or a workaround was offered.

What do I think about the scalability of the solution?

No, if deployed correctly it is a highly scalable product.

How are customer service and technical support?

Customer Service:

Fantastic customer service from IBM.

Technical Support:

Technical support is good as you can raise an issue any time and based on the criticality of the issue IBM can provide support immediately. In some cases even on-premise support is also available.

Which solution did I use previously and why did I switch?

A home grown solution was replaced by ISAM to change and configure SSO quickly for applications and at the same time using a scalable product was the other major consideration.

How was the initial setup?

The initial setup is always complex due to the number of applications and user base involved. As the product is a front door for all applications this is a very critical and complex setup. Also due to internal and external users and multiple authentication mechanisms involved for different types of users it gets complicated.

What about the implementation team?

IBM team was used for the initial deployment and support and the support provided by them was fantastic. They offer quality consultants all across the globe with short notice.

Which other solutions did I evaluate?

Yes, it was compared with SiteMinder.

What other advice do I have?

This is a great product with proven history. A little better planning is required before deploying it. Given the change in web technologies and SSO protocols it might be better to check other products in market too.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user177240 - PeerSpot reviewer
Tivoli Access Manager SME at a government with 1,001-5,000 employees
Real User

CA SiteMinder used to be the major competitor. With ISAM 9 IBM products still lead the market.

Products that support newer technologies, mainly OAuth2, SAML2, are likely to be popular in future.

If you do not need reverse proxy it is also possible to configure Apache HTTP server (free) with some LDAP (may be freely available) and configure J2EE authorization from application server.

Reverse proxies add a lot of features and flexibility and come with a huge price tag.

it_user595737 - PeerSpot reviewer
Service Now Consultant at a tech services company with 51-200 employees
Consultant
Multiple instances per component can be installed with load balancers.

What is most valuable?

Some valuable features in this product are: WebSEAL policy, proxy servers, LDAP server (IBM TDS).

The modularity with which each component may run on a different host is valuable. In addition, multiple instances per component might be installed with load balancers. It provides good scalability and reliability, not to mention the overall availability of the service.

How has it helped my organization?

The entire security of the intranet and internet web applications has been covered by the TAM environment.

What needs improvement?

It happened from time to time, that is, after a long period without restart, the TDS/LDAP instances crashed and remained in a hanging state. A restart did solve the issue but the support was not able to find the cause, despite the fact that the latest fix pack was installed for TDS v6.3.

A similar issue came up when LDAP requests did cause performance issues on TDS or caused the TDS to crash.

As information on fixes and issues related to ITDS are publicly available, let me point you to the respective site:

You may notice, there are several issues listed, which lead to a crash.

Not sure, which one is/was ours, but please notice that TAM/SAM requires multiple software bundles to be installed (like GSKit, Java SDK, WAS, DB2) – each of them having issues.

For how long have I used the solution?

I have used this solution for five years.

What do I think about the stability of the solution?

We experienced crashing of LDAP with some specific queries and it affected performance of the TDS proxy.

What do I think about the scalability of the solution?

It is scalable via load balancers but there are some issues with sync while using several LDAP trees.

How are customer service and technical support?

I would give the technical support an 8/10 rating. Sometimes, there are long running support tickets (for 6-8 months) and that is unacceptable from the customer's point of view.

Which solution did I use previously and why did I switch?

We were not using any other solution before. We were partially using Apache reverse proxy along with LDAP.

What about the implementation team?

The setup is complex. Without training and prior knowledge, it is hard to get a working environment.

What other advice do I have?

As far as I know, the later versions of TAM (renamed to SAM), are working as appliances and with that, no experience is needed. My advice is to be careful and think twice.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user185811 - PeerSpot reviewer
Information Security Engineer with 1,001-5,000 employees
Vendor
Logging needs improvement.

What is most valuable?

Identity management

How has it helped my organization?

We have managed to automate the creation of all employees, and the company's clients and then assign the accounts/accesses according to business need.

What needs improvement?

TIM logging

For how long have I used the solution?

Three and a half years.

What was my experience with deployment of the solution?

Little issues that were quick to resolve. I don't understand why they have to separate the deployment, as I have used other products that make the deployment as easy as possible.

What do I think about the stability of the solution?

Never.

What do I think about the scalability of the solution?

Never.

How are customer service and technical support?

Good.

Which solution did I use previously and why did I switch?

I have only ever used this product.

How was the initial setup?

The initial set-up is a bit complex for a novice as the Linux version of it needs you to be somewhat good with Linux. There are certain OS requirements which, if you are not familiar with Linux, you are going to struggle with a bit.

What about the implementation team?

Through a vendor team, and their level of expertise was very high.

Which other solutions did I evaluate?

No other options were evaluated.

What other advice do I have?

It is a very good product to implement.

Disclosure: I am a real user, and this review is based on my own experience and opinions.