It is our authentication system for access to online and mobile banking.
Its performance has been good. It works well for us.
It is our authentication system for access to online and mobile banking.
Its performance has been good. It works well for us.
It keeps our members safe, that's a benefit for us. It's important.
Federation, for sure, because we have a lot of third-party vendors that we need to integrate with, and this is a turnkey solution in some ways.
The Directory is secure. It's our user store, and it's important to keep our members safe. The product does well with that.
I think they need to integrate some of the newer types of authentication into the product. I'm not seeing the innovation when it comes to biometrics in the product.
Also, easier integration with third-party partners to OpenID Connect because username/passwords are a thing of the past. People are going to be using facial recognition. Apple has gone that way. There are other companies like Daon that are doing this. CA SSO will be left behind if they don't have it yet. There's some innovation being done, but it's not there.
Improvement is being made all the time. I just came out of a session here at the CA World conference where they showed how you set up Federation partners is being improved, through more APIs. Making life easier for the engineer is always important because we are lazy in general. So improvements are being made in that space. There's more to be done, like how to make configurations easier, and not have the engineer having to guess what will happen when he changes a particular setting.
If I had answered this question four years back I would have said "poor." But over the last four years they've done a lot of work to make it stable and it's reasonably stable right now.
It still goes down once in a while. But that's not the product's problem, it's probably how it's configured in our environment. So the product is pretty stable.
It is scalable. It depends on where it's running, and on where it's deployed, and how it's configured. In our case, it is scalable.
Some parts are scalable, not all parts. We do have some customized pieces within the product itself that we paid CA to build for us. Some of those things are not scalable.
Technical support is good. We're a large scale customer for CA, so we do have Premium Support from them. We had a problem about three years back with the stability and we were going down all the time. We actually got somebody in-house from CA, to come to our office within a few hours, and the person stayed on until the problem was fixed.
We had no choice. We were growing too big. We had a homegrown solution in place six years back, and our CTO at that point made a conscious decision to go towards this approach. And it worked.
I think CA had a pre-existing relationship with our company. And our CTO had used a CA SSO product before, and the recommendation was made at that point. So I don't know whether it was a full evaluation that was done, or whether it was the fact that, "Hey, it is a product that had worked before in other places, and we're talking about a straightforward use case here. So let's just go for it."
In terms of advice to someone looking for a similar solution, this one has worked for us, so think of whether it fits into your space. It may be best-in-class for doing a particular type of function, but that doesn't mean it fits in your ecosystem. So think of that first before you pick something which is best-in-class.
Complex, painful. But that is to be expected of any new setup. When you're a big bank like us, any kind of migration to a new product is hard. I expect it to be painful, and it was painful. But it's not something that you can avoid.
One thing that recently surprised me about CA is how big it is. The product I'm talking about in that context is not a CA product, it's an acquisition that CA made a few years back. I was used to working with the other company. Once we knew that CA bought it, I was surprised to see how big CA is. Just the product suite itself is pretty large. So just that was surprising.
As for the most important criteria when selecting a vendor, technical support is clearly one of them. Vendors tend to sell us something and then walk away, and we're left holding the bag. So tech support is clearly important. Apart from that, in terms of products, we don't care much about best-in-class. We just need to make sure it fits within any kind of technology ecosystem that you have. You could come and sell me a product that is best-in-class for doing a particular thing. But if it doesn't fit into my current stack, than it's useless.
It is basically for authenticating the users, whether it be privileged users or employees. Thus, we use that single sign-on (SSO) as an authentication mechanism.
It is a simple solution to implement, and it provides additional flexibility.
Right now, federation that comes out-of-the-box with single sign-on is the most valuable feature that we have, and also scalability.
Better documentation. I went through some sessions on single sign-on for version 12.7. Whatever features we are looking for from a REST API perspective, they will be there. So far, it is good. We have to implement it, and figure out what is good or bad about it.
There are a few other competitors which are taking up advantage over the segment being more agentless. SiteMinder is more driven with agent-based authentication, but the others are going with being more agentless. So, we have to go into the more next gen technology, where other vendors are going into, and that is where SiteMinder is lagging behind. The speed at which they are bringing up these features, it is very slow.
It is stable, but certain features which are out in the market are not available to make it more robust.
We are able to scale well with the amount of users that we have and the users that we are supporting. So, it is quite scalable. However, it does not scale vertically. It is only scalable horizontally. Therefore, it increases the footprint.
Right now, we have hundreds of policy servers between two datacenters. If it was vertically scaling, the footprint would have been reduced, and we have been looking towards a solution. However, the SiteMinder platform as such, even the 64 bit, is built on a horizontal scaling architecture. I do not think it is built on vertical scaling. Even if it is, for most of the companies like us, where we invest in a lot of infrastructure, vertical scaling would not really help.
We had a legacy implementation, and their technical support has been acclimatized to the new partnership federation, so they could not help much in terms of the solution. Therefore, I had to do trial and error to figure out what to do with it, and get it working.
Over the past years, CA support has been only focused on problem areas. When there is a specific problem, they will focus on resolving that problem. They are more focused on closing tickets. They are more focused on getting the tickets closed than resolving them. If the solution is not resolved, and if I requesting, "Hey, I want a couple of weeks for that to be open." Sometimes, they do it. Sometimes, they say, "Hey, we will close the ticket, then you can reopen a new one."
Other instances, if it is a feature that we need answers on, support sometimes says you need to get professional services to get engaged. I do not know whether it is the right direction that CA wants to go, because support is something that support professionals are supposed to know about the product. I would go and open up a ticket to get answers based on the feature that is available or what we are planning to do. We cannot just go hire professional services for everything that we do.
All of the feedback within our team for CA Support is not good. It really is on a very low level, but then it is very specific for CA SSO. The CA support for other products, like CA Spectrum, has been good. However, for CA SSO, it is absolutely poor.
The initial setup was straightforward. Also, we have been doing upgrades, in place upgrades, as well as cloning infrastructure, which has been pretty straightforward.
However, the documentation is very unclear. It is painful to go through the actual documentation and get the information which we need.
I opened up a ticket a couple of weeks ago. It was on strong authentication where we wanted to upgrade from an older version to a newer version. I had to go through three documents and open up a ticket to understand how the upgrade process should happen. It was so confusing. In one document, they say something, and in another document, they say another thing. I actually had to open up a ticket for this. I wanted to delegate the work to somebody else, and when they asked me the question, I did not have the answer, because it was distributed across three documents.
Even during my initial deployment of strong authentication, this was the older six stack two version, if I would have gone through the document to build it, I would not have done it. We had professional services sitting with me, because I was doing a PoC. At that time, we went through the installation, and I was able to receive some help.
But for everything, I cannot go to professional services. If the documentation was straightforward, then I do not have to refer to professional services. That is one thing that I have noticed, the documentation is really unclear.
Ping and ForgeRock. In our company, because they are competitive and have an edge over SiteMinder, they are even considering going for ForgeRock or Ping. These companies are more flexible and are open source products, whereas SiteMinder is propriety.
So unless we get into something, then we can't even go to open source and get the information. It is basically, we have to reach out to CA to get answers.
That is what management is looking for. They want versatility, and when senior management looks for a product, they are looking at:
That is the thing that they're looking at, and they are finding Ping Identity, or Ping products, and ForgeRock products more appealing than SiteMinder.
I have been working with Site Minder for the past 10 years, maybe more. However, I know the product, therefore I am able to manage it. The people in my team, they are not really happy with it, mostly from the support perspective.
Security is the most valuable feature.
It enhances the user experience and the security posture for the company. It protects the company from vulnerabilities.
It has improved our user experience quite a bit because they can log in once and go to any application they want, as long as it is integrated with SiteMinder, which was the not the case before. So, in terms of productivity it does add a lot of value.
We would like to see more information on the analytical piece of it. There are certain other components which are integrating, advanced integration, that might add value to it. We would like to see the CA SiteMinder by itself provide threat analytics, depending on behavioral authentication and so on, without having to add an extra piece to it.
We've been using this product for about ten years.
This product is quite stable. We've been using this product for about ten years. We haven't experienced a situation where we had to take an outage because the product was unstable. The core policy server is pretty stable, but there are other add-ons that keep coming up with which we keep having problems. However, CA has been proactive in fixing these issues.
The scalability of this tool is very good.
I would give the technical support a rating of 2-3/10. Most of the time, from my experience, every time I have an issue, techncial support tries to buy time by asking me some unrelated questions or by trying to give me information that does not match my requirement. I need to push hard to get a subject matter expert who can help me with the product. This is an experience I have been having for the last 4 to 5 years; it is not new.
We were not using any other product before this one.
I was involved in the initial setup process. The initial setup was neither straightforward nor complex. It is medium, depending on the implementations. It was a bit complicated because of the number of components that we had to install, based on our setup.
Any advice I would give about this product would be an honest reflection of my experience with this product. From the technical perspective, as much as we can do, it has been pretty good. Don’t get me wrong, our account manager is great; there is no question about that. However, the quality of support and documentation are my primary concerns.
Some of the most important factors while selecting a vendor are the vendor’s technical experience, our approachability to them, their response back, licensing costs and so on.
Single Sign-On is the number one feature of SiteMinder that we're using. The ability to log in once and use those credentials for multiple web sites is very valuable for us.
Upgrades is the biggest area for improvement. It really struggles with the upgrade process. We tell CA this pretty often.
We've had no issues with deployment.
We've had no issues with stability.
We have challenges with scalability. We have a environment in which applications during peak enrollment periods can go from 80 users to 8,000 users in a weekend. Scalability is very difficult with SiteMinder. You basically have to roll out new policy servers and so the ability to provision capacity quickly is still a big challenge for us. They talk about it with every presentation. They're containerizing everything and they're doing all the right things, but they could roll them out faster.
We probably open two to three tickets a week. I manage that relationship so I supervise those tickets and escalate them appropriately. The problem is we need the support, but they don't know anything about the product.
One of the challenges is they kind of have a tiered support model where you get your case open to a Tier 1 support engineer, and often times we're using very specific portions of their products that aren't used to. For example, we use some kind of custom implementations of some of the older technologies for which it's difficult to get a resource who actually knows what we're using and how we're using it. The initial engagement with support can often take us two or three days to get the ticket assigned to the person who knows what they're talking about. Like DLWS, which is a distributed log on web service, which wasn't a core part of the product back in the day and it's just not used by a lot of people.
Some of the advanced password services stuff can be a little bit problematic, getting it assigned correctly, that kind of stuff.
It's complex. Because of the complexity of the application, you're going to need to involve professional services. You're going to need to bring in a lot of outside resources if you've never done it before. It's not an out-of-the-box, point-and-click, now-you-have-SiteMinder situation. It's going to take a lot longer than that and I think the complexity is often hidden. People are going to stumble upon these challenges in their enterprise after they start it.
Not really. We use Ping, so we have products that do similar kinds of stuff. We used to use Tivoli, so we have some experience with that. Identity Manager's been used in the enterprise before. SiteMinder works a lot better for us just because we have a base of administrators who know how it works, ease of installation, and configuration.
It loses points for the upgrade and for just the lack of ease of management. We've been using it for a long time, so we're comfortable with its weaknesses and we've adjusted our process around those. I think for a new implementation it would be very challenging to bring in SiteMinder.
Customer was looking for initially an automated self user registration through a secure channel. Apparently it looks like a very easy going requirements but if you look in the detail they want to authenticate before registration process. A user came to create an Identity and customer wants to authenticate and securly takes the same data.
Another issue was localization and reporting
If I describe what actually happened, a little bit of the business case, that will help you to understand what it was like. The customer is the kind of customer that really doesn't want to share anything. When a person joins that organization, he has to pass through a couple of security levels, the scrutiny, before the ID is given to him. They used to use a manual process. Whenever a person joined the organization, they used to take his details; they used to write on a piece of paper; then this paper used to go to one of the departments; then it goes to another department; and so on. It wasn’t just a matter of going from one building to another; it was going from region to region.
Finally, this paper goes through a couple of scrutiny procedures. Then, it used to come back to the IT department, and finally, they do their security check and they create the ID and give it to them in an envelope. That was a kind of long procedure that sometimes took 2-4 months to create the ID; just an ID for a person. It was a challenge for the customer for the last 20 years.
We were doing that project and during that project, we found that the project owner wasn’t trusted. The project sponsor wasn’t trusted to just change this overall but they had this security constraint. What they actually wanted was that when they create the ID, they want this person to be authenticated. Generally, this is not the case in any organization, that somebody joins an office and he doesn't have any ID. So, how are you going to authenticate it?
What happened was that what we've been told, “Will you guys do this? Authenticate through a national database? We want, when a person is going to join us and he will request an ID, he should be authenticated through a biometric and that fingerprint will take him to the national database, where he will check in and it will come back to their IDP, their identity provider. They have it internally, and then, we will pass it through our system.”
Now, this was a challenge because in CA Identity Management, when you have a self-user registration page, this page was open so anybody could go and open it. We needed to protect that page, and on top of that, this information had to be protected to a third party. What we did is, we brought a couple of products in the middle of it: CA Federation, CA Single Sign-On, and CA Identity Management.
What happened when the user got authenticated with his fingerprint, it comes to the IDP, we have federation through CA Federation and then, once it passes through it, we have CA SSO, which is protecting the identity management page. Once it gets past this information, it comes to the self-user registration page, but here's another challenge: You've been authenticated but now you have a page which is open. I can authenticate myself and put someone else through the system. That could be a possibility, so we had a problem.
What we did is, we just pulled the data out from the third-party, national database and brought them to the CA identity page, to the self-user registration page, and all his names, IDs, and phone numbers, come in automatically. Then, it goes through several approval processes. Finally, the ID is transmitted over his mobile number that is in the national database.
That kind of work we have done. There are other challenges, as well.
The most valuable feature is that it meets the requirements of the customer. You have a lot of features in the product. Every product has them, but the question is, are these products going to meet the requirement of the customer? Because, if you meet the requirements of the customer, then it's way too easy to get inside the customer. We met the requirements of the customer and that's why I believe that this product has value.
I think the future release is, if you ask me, I think they have done a lot in the new release, especially the front end. The front end was not as good. CA did a good job in doing it, especially when I look at the new identity suite. They have done a good job in changing the overall look and feel. This is actually what the customer was looking for. The look and feel was not good in the earlier product. It's a journey, so we just completed one of the requirements for the customer.
CA has reporting at the moment. With the reporting, every particular segmented product has a reporting engine. I would like to see centralized reporting for all of them together. If an enterprise customer has all of these three or four modules for security, he will get consolidated reporting.
A problem we had with the customer was, at the moment, we were asked, “Are you able to integrate these products together?” Were we able to get the requirement done for the customer, as a business requirement? The reporting side we were unable to do it out-of-the-box. If CA consolidates the reporting for all three together, it may be easier. I'm not sure, but it may be easier.
No at all.
We are changing the architecture to scale it.
Customer Service:
An eight out of 10.
Technical Support:
A seven out of 10
No.
It's one of most complex requirements as explained earlier.
CA Partner implemented it
Time value and money.
CA solutions.. Are generally expensive but for the customer the ROI is big.
Yes
When you are looking for a security solution, products are there in the market, but you really don't want to go for a product that looks very beautiful from the front but has very bad stuff in the back end. One good thing is that CA has, I believe, that is has an edge. It allows me do a lot of what the customer is looking for, beyond the customer; beyond the product boundaries. They are certain things that we would not be able to do if this CA solution didn’t have this flexibility, and it's highly secure. It is a highly reliable solution to work with.
We implemented the solution almost a year and a half ago and up until now, there has been no downtime. It is reliable; it is good; it is open for customization; it is open for integration.
From my experience working with CA for almost 13 years, it’s a company. I'm not saying it’s specific to a solution. I'm talking about CA in general. It's a company with a solution and the company with the right solutions.
I have explained the journey of how these solutions (not specifically CA SSO only, but their entire security suite, including Federated Identity Management) met the requirements:
There are critics and these critics help CA to build their good solutions.
Extraordinary product; extraordinary flexibility to explore and meet the requirements of the customer.
Our primary use is for client demo on authentication/authorization, federation, and ease of use.
The product was just for client demo purposes. There was no deployment onsite.
No stability issues.
No scalability issues.
Technical support by CA Technologies is wonderful. I used to post my queries and get quick responses. The CA forum is something I would recommend to follow if you are dealing with any CA product. I appreciate their timely and effective responses.
Although it is straightforward, for someone new to access management, it is always a challenge to understand what is done and why. That is where I struggled initially, since I was very new to the domain. Domain knowledge is more important when you are new to a product.
I recommend conducting a PoC on every available product before choose one.
Not applicable.
Be sure to get your doubts clear on any product features, integration with other CA products, and other security products.
I recently came across Okta, which also has cool features.
Before implementing, ask a CA manager to provide you a list of use cases, which can help you in building/offering what you have in mind.
We use it for authentication and authorization for our website. We have multiple external and internal websites that we host, so we are using SSO for authenticating and authorizing for all those websites.
It has performed quite well. We have been using it more than 10 years now.
for our websites. These features are important because all the sites need authentication for security purposes. That has been handled pretty well all these years with SSO.
It doesn't take time for us to configure, maybe because we have been using this product for so long. In terms of security rights, a lot are covered under SSO, so we don't actually have to go and do something on the back end.
We would like to the OAuth be more stable, more issues being fixed rather than not.
We're pretty happy, but there are some scenarios with the new stuff, like OAuth - where authentication happens from Google, Amazon - in which they're still lagging right now. They're developing it, but we have been using SSO for a long time and Oauth capability was not there, and it recently started this year. So we had a little bit of a question, "Should we still use this product or we should go to another product?" That was the one concern.
Stability? There have been some issues but over the years but it's pretty stable. The issue we encountered was a whole site going down. But we were able to bring it up.
Scalability is pretty good.
They're pretty good on some of the non-issues. There are some delays, however, and they keep on asking for logs or try to delay it, maybe it's stuff they don't know. But in most of the cases they respond pretty quickly.
I wasn't in on the initial setup, but I have been installing a lot of the newer versions. Compared to six, seven years ago, now it is very, very smooth.
I would still not rate it a 10 out of 10 because, like I said, we had some issues with the OAuth here and there. Once those are done right, I think it would be a nine out of 10.
Regarding advice to a colleague who is researching this or a similar solution, it depends on what they are trying to accomplish. Are they going legacy, where you authenticate, versus the newer federation?
But I would recommend SSO as a solution.
There are a few valuable features in this product, such as single sign-on and web access management.
Centralized control to enforce security for the entire enterprise and complete visibility of the policies which we implement for most of the web applications make it more valuable for any enterprise. The ease of implementation is standardized and the availability of documentation on the CA Portal is very informative for any engineer to go ahead and implement it on his own.
From time to time, there are various upgrades available on the CA Portal that make it more compatible for all the different web servers or app servers to get it implemented.
It improves the working of our organization in the way that it secures most of the web applications or mobile applications. In addition, we don't have to depend on any other application teams to do any custom coding, as such.
Some of the features need to be improved. For example, the Federation feature. CA SSO is getting into that space and can definitely do better than the other products that are available.
It doesn't have a lot of features. I think there is some customization that's required on the CA Federation side if it has to get attributes from a different source. If an authentication has to happen in one source and then get attributes from some other source, then there's a requirement to do some custom coding work.
It's very much stable. As long as it works, everyone will be fine, but the minute it breaks, our enterprise will scream.
It's very robust and easy to scale. We were able to scale it within 2 weeks.
In regards to the technical support, the response time is good and they can give more hands-on information to engineers. Most of the time, they point to the available documentation on the CA Portal. But once we engage our point of contact, i.e., the partner contact on ASI, we get more attention from CA experts.
We were not using any other solution. We have been using this product for at least nine years.
I was not involved in the initial setup but we were involved in most of the migrations after the initial setup. The migrations are not very complex; it is moderate and not simple, either.
Engineers need to go through the documentation to fix some of those issues. One of the struggles was to create some of the indexes on their pre-server that we didn't know how to do. At that time, maybe, we were a few of the first customers who were doing this. So, we ran into some issues which were not even known to the CA support team.
It's definitely a good product and you won't go wrong if you choose this product. It's proven and is working fine. We can scale it. The support is also good. It's very stable and I don't think there is any other product which provides this kind of functionality.
The important criteria whilst choosing a vendor were scalability and the enterprise-level features that are compatible to all different versions of app servers and web servers.