IBM Tivoli Access Manager [EOL] Reviews

Allows users to use a single password across a set of multi-tenant application suites. This would have otherwise required 50-100 unique passwords per application. This allows the user to inject a centralized password (a.k.a. authentication service credential) with little ease and increased reliability. In turn, this removes the user element of the logon process, which is often the root cause of the invalid password attempts.

Single Sign-On functionality is valuable because the core purpose of the product is to allow universal (or bespoke) SSO for application suites. These are heavily customizable and can fully integrate with in-house provisioning systems.

• Password management
• Single sign on
• Provisioning and de-provisioning of account
• Unified Directory Server

Before solution implemented it took around 2-3 weeks to get all the necessary account information for a new employee in my organization. Since implementation, this now only takes a few minutes. As soon as HR submit all their data the user account is generated and the user gets their username and password.

Also, we have many applications and before SSO the users had to remember all the different passwords. We have many legacy applications and they had different password policies that were not always as strong as they should be. Now, however, we have one password for all the applications, and one password policy.

It provides robust security.

The SSO, URL-based access control, OAuth 2 and OIDC are the most valuable features.

The URL-based access control has become more important due to the paradigm shift towards RESTful APIs, i.e., where URLs uniquely represent the resources to be protected. IBM TAM has a rich authorization model which simulates the system/environment to be protected by its protected object space. This makes it easy to visualize the hierarchical model of the end system and to attach ACLs/policies and customized rules, to the objects to be protected.

OAuth 2 is now the de facto standard for API protection and scoped authorized delegation. IBM TAM now supports OAuth 2 and can act as fully compliant OAuth 2 authorization server.

OIDC is fast becoming equally or more popular than SAML and is certainly the modern developers choice for SSO, i.e., for both the cloud/on-prem apps. The newer version of the IBM TAM supports OIDC, which can act as the OIDC provider.

Some of the valuable features are:

• Reverse proxy
• Protected object space
• Ease of integration
• Multiple and robust AuthN and AuthZ mechanisms built-in
• No single point of failure (SPOF)

It has improved the working of our organization by having:

• Multiple endpoints integrated
• One integration point with reverse proxy for multiple portals

WebSEAL is a reverse proxy web server that performs authentication and authorizations. It is similar to CA SiteMinder Secure Proxy Server. The advantage of WebSEAL is that WebSEAL supports SPNEGO protocol and Kerberos authentication to support Windows desktop single sign-on. Actually, Apache HTTP server supports SPNEGO protocol, as well. However, TAM can map a user account in a domain controller to a web application's user account that has a different ID, in collaboration with IBM Tivoli Identity Manager (TIM).

The combination of TAM with IDM in IBM Tivoli Identity Manager helped us to realize robust and secure authentication infrastructure in accordance with industry regulations and laws.

1. Providing centralized authentication authority and enforce consistent authorization policies to users.
2. Realizing ease of user accesses using enterprise level single sign-on.
3. Improving traceability of application uses.

On the other hand, Tivoli Identity Manager known as TIM provides centralized ID lifecycle management as an IDM solution.

By using TIM together with TAM, the following benefits are served:

Many actual accounts in several LDAPs including TAM LDAP are managed by TIM LDAP. (LDAP directory tree supports a nest structure known as “Person has many accounts” model). In addition, person can have many attributes like; department code, Job grade, hiring date, resignation date in the future, etc.

By using these attributes, all accounts which belong to the person automatically are able to be activate/or inactivate. Specifically, account creation/deletion/update can execute automatically by using HR information. If someone reaches his/her retirement date, the account is inactivated by automate workflow process, without raising the account deletion request.

In addition, a process called “Reconciliation” checks several LDAPs (e.g. Active Directory), and can harmonize account information and its attributes between TIM and the LDAP. For example, if an improper account is directly created into Active Directory, scheduled Reconciliation process detects the account, and revoke the account based on pre-setting rules.

This is the reason I recommend to use TAM together with TIM.

• Authentication
• Authorization
• Risk Profile
• MFA
• Federation
• Oath
• SAML 2.0

We implemented MFA in way that helps us to reduce a lot work load in terms of reducing help desk call to reset password.

Web security.

It keeps our web applications secure.

• Several SSO methods are supported out of box.
• Federation based SSO (SAML / Oauth / OpenID etc) setup is easy.
• Very good performance and scalability.
• The internal STS token service can be used for custom SSO tokens.
• It is highly scalable and can meet high loads and performances.
• Reverse proxy sits in front of the application and applications need only minimal changes to support SSO with ISAM.

Our customer had SSO requirements, as well as web-firewall and federation requirements that we fulfilled through this product.