Symantec Siteminder Reviews

The three security products perform different functions, but they are all part of the suite. SiteMinder is an industry leading solution as everyone is using it. The new offerings are simplified, which is good.

Besides that, other things are pretty much on par for the industry products out there. All the products have valuable features, but they’re similar with what’s out there.

We are using it for multi-factor authentication, and we are using it also for our identity management processes. Some of the tasks we have been doing for boarding, it's helped us meet requirements by having dual-factor authentication.

With CA Identity Manager, the integration support with other technologies is still not mature enough. CA IDM still has a lot of moving components. Oracle and SailPoint solutions are much simpler and robust, although we are using CA because we have licenses despite it needing to be simplified.

We're using this alongside IdentityMinder and RiskMinder.

I would rate the suite 4-5/10. SiteMinder is the most stable and is 7-8/10 rating. with the other ones, we’ve had problems, and they doesn’t really match our business needs. The other parts of the suite are lower.

I think for SiteMinder, we have a business need and we think it is scalable. For 2016, we'll increase our infrastructure. For the others, we are running them on a minimum hardware set.

We often use tech support when we get stuck in situations. We have less of a relationship with them because we escalate with partners and they provide us with support. If you just open a ticket directly with CA, the guy doesn’t have a solution. With the partners, there's always a good solution.

I started using it six years ago when it was very complex. Now they have given a lot of UI features and simplified it as well.

They are good from a cost standpoint. The price model offering is very comparative to other solutions. That is a positive.

We also looked at Oracle and SailPoint solutions. We looked for a solution that had good integration with other technologies in an enterprise organization. We also considered the simplicity of the product.

CA has a lot of servers, but it needs to be simplified to only two to three components. The SiteMinder solution is something that if my colleagues would like, I’d suggest that.

Other products I would say, go look out in the market. There are better solutions, and CA should look at Gartner’s Magic Quadrant and IDG. Look at the capabilities to see how they can bring those capabilities into their products, etc. It gives me the single sign-on between applications. On-boarding isn’t effort intensive. Those are good things.

Primary use case is for authentication in Single Sign-On, that's the biggest that we have. But we use it for our internal employees.

It has performed well. We had some hiccups, but that's all.

We had some challenges through modernizing everything over the last two years. Now we are pretty good. We don't see any production challenges. I don't think we have had an incident for a year now.

I think Single Sign-On helps a lot. If you look at our organization, and really all financial institutions, we have a lot of legacy apps. So it really helps to get Single Sign-On.

We use it on the agent model, and we have a lot of capabilities which we leverage to do it on the different apps, so critical apps are protected better. And we do step up using this, but we are looking at other products now to do the advanced track.

We use it mostly out of the box, standard, no customization.

Ease of use is very good, for administrating it. It's very well known. The ease of use is good for our deployment and our applications.

I would like to see a move towards the newer technologies, which is what we are doing right now. I think that's in the roadmap that's coming, in the 12.8 and 14 releases, but we would like to have it sooner than later.

I think now, for over a year, we have had any issues. It has been really very stable for us.

We don't have, and have never had, any scalability challenges.

We use it for challenges we have. If there are any issues that apps are reporting, we use tech support.

I think we have been good for over a year. We always get to the same contact that we have in the support. It's not dedicated support that we have bought, but most of the time it goes to the same person. So it's very easy to traverse.

We had a predecessor to it which was near end of life. I knew this product because I was part of CA previously.

We went with CA because it met most of our requirements. We had a requirement list of what we definitely wanted, what was nice to have, and I could see most of what we wanted.

We actually used CA Professional Services. There were some challenges on some aspects of it, but on the base product, not at all.

We looked at a lot of vendors around it. We had looked at RSA, Ping, and a multitude of others, just on paper, so to speak.

Most important criteria when selecting a vendor: We definitely look at our engagement. We look at the support. That's always the critical factor. Otherwise, I would say most of the products, if you go by the 80/20 principle, they will technically fare well.

I would say invest a lot of time in designing it. Don't just run in without reading the guides and start deploying.

We use Single Sign On to provide, of course, single sign-on to a variety of web applications. We use it to federate identity for remote web applications as well.

It's performed well. We're on an older version, so there's the occasional stability issue, but overall, that's what you're going to see in any enterprise environment.

As our identity model continues to mature, probably the Federation is most valueable. 

In IT, you're seeing a large shift to the cloud, and to using software as a service applications and, because of that, you still need to be able to securely assert identity. The Federation components of CA Single Sign On allow us to do that effectively and with minimal resource investment, to realize functionality.

It allows us to get, again, both externally hosted and internally hosted web applications up and running using centralized credentials in short order. It makes it easy.

I've talked to them about this: I'd like to see a rework of the user directory configuration. In Single Sign On, whenever you set up a new user directory, there is a pretty specific number of hoops that you have to jump through in order to maximize throughput between Single Sign On and a user directory. A lot of those aren't documented, so the only way you typically get that information is by engaging CA support, which, if you don't think you need to do that beforehand, you're going to have an unpleasant surprise when you cut over. 

So, either reworking the user directory configuration would be great, to make some of those hoops that you have to jump through unnecessary, or redundant. Or, failing that, reworking the documentation for setting up the user directory, explaining the rationale behind why you have to do the things you do. Because, if it were documented, at least then you'd be able to set it up effectively without incurring downtime, as you find out how to do it the right way.

In terms of the stability issues, what we do see is frequent Policy Server service restarts. What will happen is SM Policy Server will die and be restarted by the SM executive. That happens relatively frequently. But again, we're on an older version, and we've been told by CA that that's the reason why, and that it has been patched in later releases of the product. 

But the executive restarts the service as fast as we can log in and look to see, is there any service impact? The environment is once again processing authentication and authorizations. Not only that, but, we do have a relatively large environment as well, so we have policy servers running and multiple datacenters. It's not just one in each datacenter, it's several in each datacenter. So we don't see any large, sweeping impacts to our enterprise authentication traffic; when one goes down, it gets restarted. Although, it is a pain because you do have to allocate resources to go and verify that yes, indeed, it did come up.

The scalability? I think it does well. We've been able to scale horizontally at various times throughout the lifecycle of the product, within our environment, with minimal fuss. It's been good.

It's good, actually. Very good. The product knowledge that they have on hand with that staff is more than adequate. They've sent people on site on several occasions. We've engaged them not only through the phone, but through the web submission portal, and in person. At every opportunity, CA staff has been professional, knowledgeable, easy to work with.

We were using something previously but I don't recall what it was. In terms of switching, it's a similar decision chain to what you think about when you need to invest in an upgrade. Is there a problem with stability? Is there a problem with scalability? Does the solution meet the evolving needs of your enterprise? 

From what I've heard, the solution that was in place in the past was very unstable. In terms of comparison, Single Sign On is much more stable from what we've seen, than the previous candidate. That's why we decided to make a change. We evaluated the options at hand, and selected Single Sign On to move forward.

I wasn't involved in the initial setup for our current environment, but I'm involved with a project that is setting up the upgrade environment. It's pretty straightforward.

When we are looking for a new vendor, what's important to us is the relationship between us as a customer and the vendor. That has to be strong. They need to be available and supportive of our vision. 

Also, we're looking for somebody who also can help us define that vision in places where we might not have it all the way fleshed out. You could go through the list of things that you're looking for in a vendor, and build out a wish list, but, realistically, somebody that supports us when we need it, helps us to figure out where we're going when we don't quite know, and, provides technological solutions that support our long term vision. CA does that, and that's why we're with them.

I gave it an eight out of 10 because it's a really good solution. No solution is perfect, so that's why I picked eight.

I would say to give CA Single Sign On a good hard look. There are a lot of other competitors out there folks like, Okta, PingFederate, I think IBM has a product that does something similar.

I would tell them that CA Single Sign On is a worthwhile option. If they're doing their research, take a look at it, and see whether or not it meets their use case. It does for us, and it does it well, so I would certainly recommend it.

SSO provides out-of-the-box authentication for the majority of the apps; and it provides a holistic solution for the company. Right now, we are using an on-premise solution. If we want to move to the Cloud, CA has that solution as well. So we’re positioned quite well to move into the Cloud as well.

They take the authentication and the core screen authorization out of application code. They also integrate with other security products very well.

SSO has impacted security on the whole. It has provided a very good user experience. We have recently moved from an experience in which users had to log in multiple times. Now they love it because they don't even have to have a log in because we integrated certain functionality from the CA side, like integrated Windows authentication. Users love it for certain applications where they had to log in a number of times during the day.

CA has come up with and has talked about Cloud-based solutions. I would like to see more mature ideas than what they're providing. I'm sure they have that on their roadmap. There are certain integration points that can be leveraged and made more easy to deploy, like the REST APIs and things like that. That is an opportunity to make deployment easier for any employer or for any company. They are talking about it. It’s going in the right direction. That’s for certain.

The stability of the solution depends on how you implement it. It's stable. There are no known issues. If there are patches required, CA provides patches regularly. Overall, it is pretty good.

There's really no limit to scalability if you have the right hardware and right architecture. I wouldn't put it on the product. It's how you deploy the product. Thousands and millions of authentications are done in seconds and milliseconds, so scalability is not an issue at all.

The company has used technical support. It's usually used if they need upgrades. If they need some help, they have it. The technical support is on par with the current level of support in the industry.

This happened before my time, so they actually had either a home-grown product, or they had some legacy systems for provisioning or for authentication. They had a different product which wasn't doing exactly the same thing, but this a very mature product. This has been there for a long, long time, for the past 20 years now.

They evaluated other options before choosing this one way before I was there. However, for example, there are other security and security engineering products that they're currently evaluating. Some of them are from CA, and some of the others are in-house. For example, privileged access is an important one and the company's talking to CA about Privileged Access. They have a product which is not really meeting their requirements today. Hopefully, the Privilege Access one will take care of that.

In choosing a vendor, the relationship is one of the most important factors. In today's world, everybody has the same features, so it’s the relationship that matters. It's not a vendor. It's a partnership. You develop that, and you're pretty much covered.

It depends on what requirement is the most important to them. Is the Cloud the most important thing to them; or is in-house important to them? The main consideration is what issue are they trying to address? If they're trying to address the user experience, everything holistically: CA, Oracle, RSA, they're all, again – it all depends on the relationship and what CA provides.

The most valuable feature is that it takes a lot of the logic for authentication and authorization out of the hands of your application and moves it into a centralized framework. Once we have our authentication and authorization policies set, they are easy to duplicate across all our applications instead of trying to develop them into each application individually. That’s where we probably see the most benefit or the most cost savings for our organization.

It has reduced developer costs; we get some of that back. Before, when we used a tool that was engineered in-house, it still required a lot of developer resources. Every time we created a new application, it needed to integrate into our in-house solution.

As we are now moving away from that, this product gives us the ability to have single sign-on zones expand outside of even what was normally our in-house product, to now use things like federation and SAML to carry out single sign-on, to things that might not even use the single sign-on solution from CA.

Increased single sign-on zones and then saving on developer time/costs are the biggest benefits.

One thing that we found a little difficult, was the default functionality to understand error messages coming back from a directory. You had to either use an add-on product or an advanced password service or perhaps change components within your directory, just to understand a simple message whether if a password has been expired or if it was incorrect.

Since then we have bought an additional SM Walker product, which is a third-party solution to resolve this issue. However, it would be nice if that aspect of the solution was a default functionality, within this tool itself and not something that you had to purchase as an add-on feature.

It has been good, after the initial first year or two that we purchased this product. When we first started out, we had some implementation issues; maybe it was not configured correctly and that caused us some problems.

Once we figured out those issues, it has been very stable since then.

Once we were familiar with the product, we haven't had any problems with its scaling. We had to figure out the factors that need to be increased so that we can scale up and also elements to look for as far as performance is concerned. We continue to use it more and more, along with an increasing number of applications being brought over.

We have used technical support quite a bit. Once we get connected to someone who understands the issue and can explain the necessary solution to us, it has been very good. For us, getting to that person or to the second level of support is time consuming. We have to jump through a lot of the same hoops in order to get to that person. The initial first level support is not as great, however once we get to that second level, we usually get back meaningful solutions that help us out.

Initially we didn't find the need to invest in building ourselves. We had an in-house product that we had developed and as time passed by, there were some security holes that can be found in any existing product. It wasn't cost effective for us to maintain it. Hence, the decision to purchase a third-party software like CA Single Sign-On/Shibboleth/CAS made a lot more sense as the expense incurred for purchasing any of these products was much less than for us to create or develop our own in-house solution.

Basically, it did not make a lot of sense to try and reinvent the wheel when nothing unique was needed for our organization. It was just more logical to buy another tool versus using an in-house product.

With the default set up, there is always a limitation on the number of connections that you can have under your policy servers. We didn't know this and it wasn't something that we were informed of, during implementation. As a result, as soon as we hit the maximum limit we started experiencing issues. It probably took us about a month to figure out the solution, which ended up being rather simple but that was a big bump in the road for us and hurt us in the initial stages itself.

During implementation, make sure to verify the tuning guide. We had a transition with our implementation person, who was changed in the middle of the process. In our case, factors such as maintenance and performance tuning were skipped over. We didn't really get to those aspects until we were live-in production and then needed to work out some of these issues. Thus, don't underestimate such a situation because when you experience such issues your customers are also going through them and then at that point it is public.

Mostly, our experience with this product has been good. There are areas that we think could be improved but mostly, we are happy with it.

The 2 other systems that were seriously considered were Shibboleth and then CAS. One of the main reasons as to why we decided to purchase this product, was the authorization functionality that exists in CA SSO. It was more suitable for a lot of our products as we could save time in the development aspect. I am not sure if any such functionality did exist at that level or complexity in either Shibboleth or CAS. Thus, for us this was a major selling point.

We are talking about the authentication products in general. What was previously SiteMinder, AuthMinder, some of the risk based authentication products that they have. I think the mainstream use that we have for the products are probably around web single sign-on. Being able to sign on to applications, the users not having to authenticate again. One of the good features we get out of the product as well is to be able to include different authentication methods. We use username and password but we also use smart card authentication, which is very key to our company.

Two factor authentication based on hard token effectively. Yeah the main thing I guess is, well two things. One is end user experience, so single sign-on. Before the product was introduced, we had multiple sign-ons to different applications. End users have to enter their username password multiple times. Now of course with single sign-on they enter it once and then during that session, they no longer need to authenticate again. The second thing I think that is important also security. It’s a secure product. We can make use of two factor authentication with the product and so from a security perspective, it gives us strong authentication. Our solution has to be basically 99.9% available, which means we have to have the highest availability out of the product that you can rarely from an IT system

We have deployed it in a very highly resilient and with a very strong PCM component. Ability to fail over within a datacenter and the possibility of failing over between countries and datacenters. It scales well, we have 200,000 users that's not simultaneous or you are all using it at once but certainly it scales events. There are advanced features that would mean that we need to look at scalability so it does authentication, does also authorization. If there is heavy authorization traffic then we really need to also look at how we scale that up. It can’t scale. It’s just a question of putting in more servers, putting in more infrastructure to allow it to scale.

To be honest, I don’t get involved with the operations side too much. I am an IT architect so I look at the overall architecture of the system and then how to introduce new requirements and how they can get fulfilled but my impression certainly is that the support is good. It has to be very good because we have a 99.99% availability, so if it wasn’t good we would’ve moved off it by now. I would say it is a relatively complex setup. We have a relatively complex environment so with all of the availability requirements we have, it is quite complex but having said that, it is no more complex than any other enterprise systems that has to be highly available.

I wouldn’t say it was overly complex but there's complexity in it. One of the reasons we are here today is also to understand what features there are in the future. I think for me as an architect, I look at what the emerging trends are. We have a lot of new requirements; mobility is a big one for us. Bring your own device, being able to authenticate on mobile devices securely, being able to make use of multiple applications right on that mobile device. Being able to integrate with containers for example Citrix, also with the changing old pricing models we have, a lot of outsourcing, a lot of software as a service, we need to be able to improve how we have authentication to the cloud, federation capabilities and that sort of thing. There is a lot that we can do to go forward.

At this point I'd rate it about 8/10. One of the biggest things is availability. Availability, scalability, you really have to make sure you understand the scale of the deployment and what your requirements are around availability. Certainly in our company it has to be the highest scale, highest availability. Don’t underestimate the amount of testing you have to do, the amount of stress testing, load testing, because this is critical infrastructure. This really is the front door to all the applications in the bank and if this goes down, the bank has stopped working. Quite simply you have to make sure that you do all of the testing required to make sure that product is absolutely rock solid.

I think it is very important to do your due diligence. You need to do your research into what is out there and what is best to meet your requirements. That said, I think there is nothing really that can replace doing a proof of concept. You have to do a proof of concept, because no matter what the vendor says, no matter what other people say other blogs or other reviews, your involvement is always going to be unique. There is always going to be something that you need that maybe other people haven’t done before. Be that some authentication method, some authorization method, the number of people you have, your topology of your network.

There is always to be something. Take all of the other information in but you must verify yourself. I think you have to really understand supportability. Quality of the product, so you have to trust the quality of the development methods, the testing that it scales to how you wanted to scale that you’ve got examples of the product being deployed in similar types of organization, similar sizes, and similar industry is important. Yeah I think they are the main things really.

I use it for authentication and authorization.

SiteMinder simplified user access for our organization.

It's agent-based. It's convenient to deploy and integrate.

From the developer's point of view, it offers quite an easy-to-use interface.

I like being able to integrate with different systems and it is agent-based. 

Inside the same web server, it automatically has the framework to do the authentication and authorization. So it's quite easy to set up, especially for a lot of applications.

It doesn't have a feature for... or maybe it has, but for modern authentication, like OAuth or OIDC. We haven't utilized that portion; we haven't really looked at it because our priority is LDAP integration.

Modern authentication, like SAML-based or OAuth. But in our case with SiteMinder, we haven't utilized that portion of the feature.

In future releases, I would like to see maybe some more modern authentication, OAuth, OIDC, some of these plus identity mapping… It probably already has some of this, but we would want to ask for more identity mapping. 

Also, development of support and compatibility to configure these, like with container-based deployments like Docker.

It's already existing in my environment. We've been using it for quite some years.

So, I have been using it for at least 20 years. 

The pricing is reasonable. 

Overall, I would rate the product an eight out of ten. 

We use single sign-on to provide a single login page for all of our client apps across the organization and it performs wonderfully. We almost never have outages nor see slowdowns, not from our stuff anyway. 

People do not have to remember 35 to 40 usernames and passwords. They have a link to go to their page that they need to work on, and it is there. It knows it is them. If we lose an employee, they no longer can sign in from anywhere in the world, they are immediately gone. 

Simplifying the user experience. We use a lot of integrated Windows authentication with it. All of our applications get a point, click, and you are in, while we increase security at the same time.

I would prefer to see their SAML integration be a more streamlined and easier interface, more like PingFederate's interface. Their product works just as well for that use case, but we do not use it, because it is a much larger learning curve to get it running.

It is one of the most stable products in the banking organization that I am in. It never goes down and if it does, it is usually because my partner or me did something to it. 

I have been using it for a year. The company has been using it for probably 20 years. It has always been a very stable product.

It is immensely scalable. We have 18,000 employees running on six servers right now. They are not even at 10% usage, but to spin up more just to add a server and plug it in, it is ready to go.

Technical support is fantastic. They provide quick answers. It is very rare that it takes more than two or three days to actually resolve a non-production problem. With a production problem, they are right there with you the whole time until it is fixed.

We have had large-scale issues, but it never really took them a long time to fix. Usually within a few hours, we would have a fix.

They also take use of their community.

I was not involved in the initial setup, but I am involved in building a parallel platform right now for an upgrade. 

The upgrade is a very straightforward setup, easy to install and run. A little bit complex to set up rules, but that is why you want engineers around.

We have a resource that we are paying for from CA, but we really do not need to use them, except for on the Identity Management side. 

I would absolutely recommend they go with SiteMinder SSO. I have worked a little bit with some of the other products out there and they are not as easy to use, and they are definitely not as stable. Shibboleth is a competing free product. It is horrible. A lot of companies use it, but it is not fun.

Because I am new to this area, the thing that surprised me about CA is how quick they are to respond to changing needs. If we tell them we need something or do not know how to do something, they make it happen for us. It seems crazy for such a large organization to make that kind of move. 

The tool is easy to integrate with old, archaic, existing infrastructures that may not have been built with security in mind in the first place. With very little modification, we can usually secure a platform that never really had it before.

Most important criteria when selecting a vendor: responsiveness. When everything is good, the vendors are always around. It is how they respond when you have a problem.