Symantec Siteminder Reviews

Customer was looking for initially an automated self user registration through a secure channel. Apparently it looks like a very easy going requirements but if you look in the detail they want to authenticate before registration process. A user came to create an Identity and customer wants to authenticate and securly takes the same data. 

Another issue was localization and reporting 

If I describe what actually happened, a little bit of the business case, that will help you to understand what it was like. The customer is the kind of customer that really doesn't want to share anything. When a person joins that organization, he has to pass through a couple of security levels, the scrutiny, before the ID is given to him. They used to use a manual process. Whenever a person joined the organization, they used to take his details; they used to write on a piece of paper; then this paper used to go to one of the departments; then it goes to another department; and so on. It wasn’t just a matter of going from one building to another; it was going from region to region.

Finally, this paper goes through a couple of scrutiny procedures. Then, it used to come back to the IT department, and finally, they do their security check and they create the ID and give it to them in an envelope. That was a kind of long procedure that sometimes took 2-4 months to create the ID; just an ID for a person. It was a challenge for the customer for the last 20 years.

We were doing that project and during that project, we found that the project owner wasn’t trusted. The project sponsor wasn’t trusted to just change this overall but they had this security constraint. What they actually wanted was that when they create the ID, they want this person to be authenticated. Generally, this is not the case in any organization, that somebody joins an office and he doesn't have any ID. So, how are you going to authenticate it?

What happened was that what we've been told, “Will you guys do this? Authenticate through a national database? We want, when a person is going to join us and he will request an ID, he should be authenticated through a biometric and that fingerprint will take him to the national database, where he will check in and it will come back to their IDP, their identity provider. They have it internally, and then, we will pass it through our system.”

Now, this was a challenge because in CA Identity Management, when you have a self-user registration page, this page was open so anybody could go and open it. We needed to protect that page, and on top of that, this information had to be protected to a third party. What we did is, we brought a couple of products in the middle of it: CA Federation, CA Single Sign-On, and CA Identity Management.

What happened when the user got authenticated with his fingerprint, it comes to the IDP, we have federation through CA Federation and then, once it passes through it, we have CA SSO, which is protecting the identity management page. Once it gets past this information, it comes to the self-user registration page, but here's another challenge: You've been authenticated but now you have a page which is open. I can authenticate myself and put someone else through the system. That could be a possibility, so we had a problem.

What we did is, we just pulled the data out from the third-party, national database and brought them to the CA identity page, to the self-user registration page, and all his names, IDs, and phone numbers, come in automatically. Then, it goes through several approval processes. Finally, the ID is transmitted over his mobile number that is in the national database.

That kind of work we have done. There are other challenges, as well.

The most valuable feature is that it meets the requirements of the customer. You have a lot of features in the product. Every product has them, but the question is, are these products going to meet the requirement of the customer? Because, if you meet the requirements of the customer, then it's way too easy to get inside the customer. We met the requirements of the customer and that's why I believe that this product has value.

I think the future release is, if you ask me, I think they have done a lot in the new release, especially the front end. The front end was not as good. CA did a good job in doing it, especially when I look at the new identity suite. They have done a good job in changing the overall look and feel. This is actually what the customer was looking for. The look and feel was not good in the earlier product. It's a journey, so we just completed one of the requirements for the customer.

CA has reporting at the moment. With the reporting, every particular segmented product has a reporting engine. I would like to see centralized reporting for all of them together. If an enterprise customer has all of these three or four modules for security, he will get consolidated reporting.

A problem we had with the customer was, at the moment, we were asked, “Are you able to integrate these products together?” Were we able to get the requirement done for the customer, as a business requirement? The reporting side we were unable to do it out-of-the-box. If CA consolidates the reporting for all three together, it may be easier. I'm not sure, but it may be easier.

No at all.

We are changing the architecture to scale it.

Customer Service:

An eight out of 10.

Technical Support:

A seven out of 10

No.

It's one of most complex requirements as explained earlier.

CA Partner implemented it

Time value and money.

CA solutions.. Are generally expensive but for the customer the ROI is big.

Yes

When you are looking for a security solution, products are there in the market, but you really don't want to go for a product that looks very beautiful from the front but has very bad stuff in the back end. One good thing is that CA has, I believe, that is has an edge. It allows me do a lot of what the customer is looking for, beyond the customer; beyond the product boundaries. They are certain things that we would not be able to do if this CA solution didn’t have this flexibility, and it's highly secure. It is a highly reliable solution to work with.

We implemented the solution almost a year and a half ago and up until now, there has been no downtime. It is reliable; it is good; it is open for customization; it is open for integration.

From my experience working with CA for almost 13 years, it’s a company. I'm not saying it’s specific to a solution. I'm talking about CA in general. It's a company with a solution and the company with the right solutions.

I have explained the journey of how these solutions (not specifically CA SSO only, but their entire security suite, including Federated Identity Management) met the requirements:

• The customer was looking to have a self registration and password reset portal for their organization but they don't want to leave this portal open and accessible to everyone without been authenticated. This was only challenge, which I have mentioned it.
• Second solution, open for customization for security from different datasources.
• Thirdly, localization of this solution. Eventually, if these solutions have only listed features and it works only what they present. For sure, we wouldn't be able to achieve it.

There are critics and these critics help CA to build their good solutions.

Extraordinary product; extraordinary flexibility to explore and meet the requirements of the customer.

We primarily want to use the solution to implement our SSO, Single Sign-On solution.

The single sign-on is the solution's most valuable feature.

Since we're in the early stages of examining the solution, it's hard to predict what might be lacking.

We're currently unable to find information about if the solution can do a full implementation with SQL. Some better and more accessible documentation for new users or those curious about the product would be helpful.

We want to implement a simple application. Currently, from what we're finding, we're not sure if it would work the way we need it to.

The solution is quite new to us and I only really started looking at it about two or three weeks ago. We're in the testing phase.

We've never contacted technical support.

For a long time, we used SiteMinder, We're currently looking into what might be a better solution for SSO. That's why we're currently evaluating CA SSO. We'd been using the previous solution for two or three years but it hasn't been able to provide us with what we needed. Currently, we're trying to implement CA on servers for IPMP.

The initial setup seems straightforward, but we're curious about the aspect of SSO for SQL servers. We're also investigating from the net side to see what requirements are needed. We haven't implemented or deployed it yet.

We have our own in-house team that will handle the implementation.

I'm an implementor, so I help clients implement the solution for their companies.

We're still in the process of testing the solution. We're currently not providing services on it as we are still in the testing phase.

So far, with a simple implementation of the SSO, I'd rate the solution eight out of ten.

The best feature would be single sign-on across multiple applications for our customer-facing sites. We don't want our customers to have to enter their user ID and password multiple times. We have a suite of a dozen or so sites as well as about 200 external sites that we federate with. Single sign-on is important, and federation is important.

We have a standardized way of integrating with applications so the application owners don't have to handle authentication or security. We handle that for them, so we use the burden from other application owners.

It puts the expertise around authentication and security on our organization where it belongs. The company doesn't have to depend on each individual application to maintain their own security. This allows us to really maintain control over the security aspect of it.

It's also enabled a quicker time-to-market for new applications that have to handle user ID and password security.

A more modern management interface would be nice. The existing interface feels like it's about 10 years old.

It's been probably about 10 years since we integrated with it.

We've had no issues deploying it.

It's been stable for the last 4-5 years, though we had some significant issues early on. We had some performance-related issues that caused some outages. Outages actually happened pretty frequently back then. If one centralized authentication mechanism went down, all the applications that depend on it were also unavailable. We've gotten past that, so we're much more of a reliable, robust platform now.

We serve about 10 million users all over the country in the US. Scaling it is not a problem as we just add more servers at that point. The one good thing about SiteMinder is that to scale you basically just add more servers. You can piggyback, use the same basic architecture, and just add more.

We have support contracts with CA, but it's hit or miss. We have to have an escalation path with a direct red phone to senior management support because of the nature of our contracts. We had to utilize that frequently, rather than go through the lower-tier support. Our infrastructure is different enough than CA's reference infrastructure that we take a lot of time to bring somebody new up to speed. We have a direct line to people who really know our implementation pretty well, and have been working with us for a number of years, so it helps.

Some years ago we had some other vendors early on. But we've got a pretty well-established build out with CA right now, so if we have some significant new functionality in the future, we'll certainly look at other vendors too.

There's a lot of manual work that has to go through transferring a configuration from a lower environment to an upper environment production, so be prepared for that.

I think the most valuable features are handling user authentication and integration with the other applications within the suite, like Single Sign-On.

Multiple users with multiple applications can be authenticated in a single location.

I really can't answer this right now. We have so many other products that serve our needs. There are other vendors that satisfy some of our requirements, so I'm not exactly sure what CA would be able to provide us with.

For the most part, SSO is very stable. Since deployment, it's been very stable for us. We do very regular metrics on availability and we're in the high, high 90s, 99% I think, so it's a very stable, durable product.

I think there are some drawbacks to the scalability. At a recent conference, we heard that it's going to be a lot easier to scale for larger companies. That's going to be good in the future.

Sometimes technical support is slow to respond, and that’s typical. Normally, the first response is, "send us your logs", so they can review our environment. There are specific people assigned to our account, so they know what our environment is like, but they still want to have the log so they can look at it. Sometimes that slows the process of problem resolution.

This decision was made before my time. I came in when the decision was made to go with CA for identity management. Our company was going through a transition of ownership and all the decisions were made at the time. That was about 7 or 8 years ago.

I came 2 or 3 months after the initial setup, so I wasn't part of that. We had a third-party company help us with our development and deployment, so they pretty much took the ball and ran with it. I don't know how complex it was for them. When they presented it to us at deployment time, we were ready to go.

We were looking for anything that would have satisfied our requirements.

Make sure you know who your support staff is, who your vendor representatives are for your account and really get to know them. Give them the requirements that you need and make sure that they're following through. Build good rapport with them. That way they can help you determine what you need to do and feel free in giving different types of suggestions.

When selecting a vendor, we look for:

• responsiveness
• technical support of the product
• accessibility of the technical support teams
• product knowledge
• ability to train their customers on their product

With Single Sign-On, we don't have to do anything in our system.

After they deploy the application, everything works seamlessly. That's the main benefit that we get out of this product. For authentication purposes, we can keep security out of our applications, which is productive for us.

We can rapidly onboard different partners. We don't have to wait for months to do that. For this, we use the Federation feature from CA Single Sign-On, which helps us a lot.

There is a need to introduce more templates in the UI side and this would help design this aspect better. As of now, there are only a few samples available.

There is scope for improvement in this product.

It works fine. We did not find any stability issues. It is very rare to see something go wrong, so the application is quite stable.

However, we have noticed that when you update to the latest version, it can be unstable. Right now, we are in a stable environment.

You can scale it very easily. It works exactly the way the product has been documented. We can scale it well and we did not find any issues with it.

The technical support level is moderate. I would give it a 5/10 rating.

It depends both ways - we need immediate solutions however from their end, it takes time to get answers.

We required such a product, as we were using an old solution. That’s how we started using CA Single Sign-On with the CA SiteMinder.

The setup was not straightforward. I would give it a 7/10 rating - 1 being simple and 10 being complex. So, it was quite complex.

I would advise others to use this tool as it is robust and mostly it solves all the problems that arise in our industry.

We did consider other vendors. However, after we saw the demo for this product, we decided to purchase this product.

The factors we looked into before purchasing this product are the benefits of this product, how CA functions with other tools, costs, the level of support provided, upgrades and so on.

It is a flexible platform.

Using this product makes it easier for enterprises to integrate a majority or even all their apps into one single solution for access. Its easy-to-use functionality is the most valuable part.

The primary benefit of this product is security. It improves the overall security posture of the organization.

Secondly, establishing such a platform helps in saving costs as different applications are not trying to build their own security solutions and spend more money there.

A simple feature that still does not exist but it should be implemented as soon as possible, is that if a user is accessing an internet app from the internet, then it should perform a desktop single sign-on. But, if the same application is accessed outside of the network, the users should be given a page login. I don't want customization to implement this behavior, since this should be a simple configuration within SSO functionality. This should detect whether you are accessing from inside/outside of the network and accordingly present the authentication. This feature does not exist today and it is something, that almost all our clients ask for.

This is a mature and stable product. It has been a leader in the market for around 10-15 years. I can't imagine another competing product out there.

This product is both stable and scalable. I've seen up to 5-6 million users.

One advice for all would be to build relationships with the CA technical support team.

It is important to utilize your account manager if you're a customer or your partner contact if you're a partner, as this is the best way to get more information from them. In my opinion, building these relationships makes the entire the experience better.

Some of our clients, at times, have thought of using different solutions. The main reason for that is sometimes they do not have skill to harness the capability of this product along with the features that it offers.

When the client approaches CA, it provides an answer that is more product-oriented, rather than solution-oriented, so there is a communication gap. When we are at the client's side, we bridge this gap and that's why our customers are more successful working with us and CA together, rather than working directly with CA.

I was involved in the initial setup process for some of our clients.

For SSO and its setup, the process was straightforward.

It is very important to educate yourself in regards to the capabilities of this product by interacting with CA or attending conferences like CA World as they give you an insight about all that the product has to offer.

Single Sign-On is a mature product and hence I would be confident in recommending it to our clients.

Single sign-on allows you to log into multiple areas and sessions with just one user login. SiteMinder uses a cookie to pass the credentials along to different applications, and it’s encrypted. You can determine how long the session will last before users have to log in again. And if you have NTFS capability, it just automatically logs in again for them, using a firewall to protect LDAP.

We use it for our tier-1 applications through GLBA and SOX. It helps with compliance because we can make sure who a user is, log-in information, etc.

It’s never been an out-of-box solution except for IIS, which installs web servers for you. Basically, you do a bit of configuration, and the client on the other end is heavier use. That’s the beauty of SiteMinder -- you can do anything with it.

It’s really difficult to initially configure, but once you know where the traps are, it’s not a big deal. It’s done everything we’ve needed it to do.

It could use better air handling -- if your policy doesn’t work, you just get some dots instead of real information without looking at the logs. It would be nice to find the info without hunting in the logs.

Once every one to two years, the service will freeze, but if you have redundancy, all you have to do is restart. If you have redundancy, it’s not a big deal. The way it works, is that it does a round robin so that if one server goes down the other three handle the traffic.

Very scalable. You just have to have a central database where all servers hook up to the policy store, and all servers can use the database without a problem. You can then add as many servers as you want.

We’ve been using it since they were Netegrity, who had amazing an KB. But unless you’re standing up a new application, you don’t need it. We only get tech support involved when we have a new application.

I’ve been running SiteMinder since v4, the first time I had to learn everything. It’s easy to export the policy to the policy store, which is your most valuable thing. It’s on v12 now, and I haven’t had to update for two years. We’re no longer handling the server admin, that’s another team, but we’re handling all the policy configurations. We can take that and go from version to version with no problem.

As far as software goes, it’s as close to the energizer bunny as it gets. Every now and again, service will freeze, but other than that it just goes.

It depends on whether you can log in directly to your LDAP and manage it, because that would be easier. If you need the ability for just logging without buying an application and want good security, it’s an awesome solution.

Most people use it as an external firewall, but all our firewalls are internal, so this is a good back stop.

We use it a lot for federation, authenticating in-house or on premises, and that gives us access to an outside SaaS provider.

Also, we like the reverse proxy tool so much that in some instances we’re using SSO just for that and not even single sign-on.

It's really increased the security of our applications, and in some cases, has provided much more security. It does this even while some applications don't require multiple usernames and passwords.

The documentation is not good enough, particularly the installation documentation could be improved. Some things are left open to interpretation and others are simply not documented at all. CA will take liberties and make assumptions that your system is a certain way, and so the documentation is based on that.

It’s very stable, but we found some bugs and got workarounds quickly. We stress out SSO, from what I understand CA's reasoning is, but they're quick to resolve the issues.

We've had no issues at all with scalability, as it covers everything we do even at thousands of logins per minute.

We use them a lot and they're quick to pick up cases. We have almost a dedicated team with them that escalates up issues.

It’s fairly complex as it has lots of pieces. We’re in the process of upgrading and we’re building a mirrored environment and then moving everything over to it.

CA is great to work with, but to use it, just learn the product suites and how they interact. Make sure you have a good layout and make sure you have everything you need.