When to Migrate: Red Hat Identity Management vs. Third-Party Solutions

Over the last several months, in meetings with many Red Hat customers, I have been asked about best practices for migrating from an existing third-party identity management solution to Red Hat’s Identity Management (IdM) solution. In today’s post I will share some of my thoughts on this matter.

I’ve found that there are several reasons why customers might not be satisfied with what they already have.

Stability

It’s not uncommon to hear that an existing third-party identity management solution is not working well. Poor stability is a great reason to start shopping around. Of course, people ask whether what Red Hat offers is stable. My response: it is reasonably stable for a solution that adds so many new features with each and every release. If you expect our solution to be flawless, this may not be the solution for you, as bugs inevitably happen. Since no two deployments are equivalent in terms of size, complexity, and load, identity management systems need to be both stable and flexible (i.e. capable of addressing a variety of scenarios and use cases), which is a real challenge.

After sharing my response, the next questions are usually: “How serious are the bugs? How will the Red Hat Identity Management team handle them? How will Red Hat respond to my concerns?” My response to this second round of questions: we, at Red Hat, are professionals and we care. The identity management space is very complex and issues pop up. In addition to robust customer support services, Red Hat professional services has a number of offerings in this area. If you need help we are happy to provide it. Also, it is always wise to set up a proof of concept to ensure that Identity Management can meet your requirements before committing to running IdM in a production environment.

Platform Coverage

Many identity management offerings provide support for a broad set of platforms that can be hooked into a central identity solution. This usually includes hooking HP, Solaris, AIX, Linux and various mobile platforms to Active Directory. The Identity Management solution from Red Hat has advanced support for Linux platforms, primarily Red Hat Enterprise Linux, Fedora, and CentOS, but other Linux distributions like Debian, FreeBSD, Arch Linux, Scientific Linux and Ubuntu have recently included client bits that play well in the Red Hat IdM ecosystem. There is also basic support for older UNIX distributions (for both authentication and identity lookup). While there are no special features for mobile authentication, such clients can usually be supported via the standard LDAP and Kerberos protocols.

That said, to date there has not been much demand in this area. If you have a use case, please share it with us: open a support case (preferable) or file a request for enhancement in our bug tracking system. If and when you do file a bug, please select “Red Hat Enterprise Linux 7” as the target product and “ipa” as the component.

If you want to move to Red Hat Identity Management and completely eliminate a third-party solution, you will need to assess what will happen to your legacy systems. If you are planning to retire them over time, a good choice is to start with the Red Hat IdM solution for the Linux systems while keeping the third-party vendor solution for the legacy systems. As you replace the older systems with new ones, you can gradually phase out the legacy solution.

A typical question here is: “Does Red Hat provide the tools to do such a conversion / migration?” As mentioned above, every deployment is unique. The best approach is to contact the Red Hat support organization and run a joint evaluation. It might produce some basic recommendations and guidelines that you can follow yourself, or it might lead to a recommendation to engage Red Hat professional services.

Manageability

Existing solutions either connect everything directly to Active Directory or require a completely stand-alone server and call for data synchronization between different silos. In some cases this is adequate. In many other cases, it really limits the ability of the Linux part of the enterprise to do its job. The Red Hat Identity Management solution, as I mentioned in my original series of blogs, offers both direct and indirect integration options with Active Directory as well as a completely stand-alone deployment. The choice is yours, and you should pick whatever fits your business needs and enterprise model best.

Feature Completeness

Red Hat Identity Management is quite robust and competitive, and in some areas it is much better integrated and more advanced than other third-party offerings. The identity management solution that Red Hat provides has been built with the modern enterprise in mind. It is suited to use cases that require a high level of flexibility and automation, without setting aside the needs of the traditional datacenter.

For the full Identity Management feature set, please consult the Red Hat Enterprise Linux Identity Management documentation (scroll to the bottom of the page) in the Red Hat Customer Portal. Note that there are some gaps in the offering. To date, Red Hat does not have a formal offering for centralized aggregation and processing of identity management logs. There are, however, some efforts in this area. Since the client and server components provide rich information feeds, we were able to prototype some of the potential solutions presented here. A session recording project is also underway. It is called Tlog and will be covered in more detail in a future blog. Be aware that if you rely on the logging and session recording solution provided by the same vendor as your current identity management solution, switching to the Red Hat Identity Management offering might not be possible for some time. We, however, are very interested in working closely with customers to try early versions of our solutions so that we can deliver something that will meet your needs and expectations. Contacting Red Hat support is the best way to get engaged.

Cost

Red Hat’s Identity Management solution is included with Red Hat Enterprise Linux subscriptions (i.e. it’s provided at no additional charge). Most other identity management solutions have additional costs, and oftentimes the more systems you have, the higher the costs are. So before you (once again) write a check to a vendor to solve your identity management challenges, think about whether you are getting value for your money. Maybe it is time to consider a move.

Summary

If you feel the need for a change, Red Hat Identity Management is well worth considering, and if something is missing, engage!

Red Hat is unique in that, as an open source company, anyone with enough interest and motivation can get to the code, see what we are doing, and take advantage of the ability to influence the project and the work itself. How many other vendors can offer you this kind of access?

  1. Hello Dmitri Pal,

    I have a use case for IdM (IPA Server) at Scotiabank for a LATAM solution.

    They have around 300 guest servers with RHEL 6 and 7 for x86_64 and RHEL for IBM Power.
    They also have 15 RHEV hypervisors, and for resellers they have Red Hat Satellite.

    As you can see, we have consolidated Red Hat solutions.

    With the most recent Red Hat Identity Manager (IPA Server), however, the bank wants to hook Solaris 10, 11 and AIX 7 to IdM.

    IBM, Oracle, BMC and other companies offer third-party identity management solutions, hooked up with Red Hat Linux at Scotiabank.

    I am RHCSA, RHCE and OpenStack certified, but the guides for linking Solaris and AIX to IdM are different from each other.

    AIX 7.x and Solaris 10 and 11 are the existing versions. Do you have a consolidated guide that I can follow, or can I open a support case so you can help me?

    Thanks

    1. Hello,

      Thank you for reaching out.
      There is a way to hook Solaris and AIX systems to IdM, but the level of capabilities and support varies with the server configuration.
      Do you plan to use AD trust?
      If you do not plan to use AD trusts and your users will be in IdM, you can use Kerberos for authentication and LDAP for identity lookups, leveraging the native authentication and identity modules available in Solaris and AIX.
      If you do, and want to expose AD users to AIX and Solaris, then you need to connect those systems to the IdM compat tree for authentication and identity lookup. There will be no Kerberos in the picture.
      Please look at the chapter about support of legacy clients in the Windows Integration Guide (Identity Management Documentation). I am not pasting the link to the exact chapter since sections change from version to version. The content is applicable not only to old Linux versions but to Solaris and AIX too.
      In both cases the question is about access control.
      IdM provides host-based access control capabilities for Linux clients. For Solaris there is a community version of pam_hbac that can be used to apply HBAC from IdM. The situation with AIX (at the moment of writing, Jul 2017) is worse. pam_hbac was not completed there since there are not enough customers who were actually interested in pushing forward and investing in a pam_hbac solution. Most customers consider AIX a slowly dying breed and do not want to make a large investment in this area.
      Anyway, pam_hbac is here and contributions and collaboration are welcome: https://github.com/jhrozek/pam_hbac
      A lot of material about AIX and Solaris clients can be found on the FreeIPA wiki: http://www.freeipa.org/page/ConfiguringUnixClients
      The pages are old but still apply.
      Now about Red Hat support. It is well described in the following article: https://access.redhat.com/articles/261973

      Thank you,
      Dmitri
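The reply above explains that, once a Solaris or AIX client authenticates against IdM, access control comes down to IdM's host-based access control (HBAC) rules, which a client such as pam_hbac evaluates locally. The following is an added example, not code from FreeIPA or pam_hbac: it models how an HBAC decision is reached. Rules are allow-only; a rule matches when its user, host and service sides each match (either the category "all" or an explicit member list); access is granted if any enabled rule matches. All rule names, groups and hostnames below are constructed.

```python
from typing import List, Optional, Set


class HbacRule:
    """One IdM HBAC rule (constructed model, not the LDAP schema itself)."""

    def __init__(self, name: str, enabled: bool = True,
                 user_category: Optional[str] = None, users: Set[str] = frozenset(),
                 groups: Set[str] = frozenset(),
                 host_category: Optional[str] = None, hosts: Set[str] = frozenset(),
                 hostgroups: Set[str] = frozenset(),
                 service_category: Optional[str] = None,
                 services: Set[str] = frozenset()):
        # Each side matches via the category "all" or via explicit membership.
        self.name, self.enabled = name, enabled
        self.user_category, self.users, self.groups = user_category, set(users), set(groups)
        self.host_category, self.hosts, self.hostgroups = host_category, set(hosts), set(hostgroups)
        self.service_category, self.services = service_category, set(services)


def rule_matches(rule: HbacRule, user: str, user_groups: Set[str],
                 host: str, host_groups: Set[str], service: str) -> bool:
    """A disabled rule never matches; otherwise all three sides must match."""
    if not rule.enabled:
        return False
    user_ok = rule.user_category == "all" or user in rule.users or bool(rule.groups & user_groups)
    host_ok = rule.host_category == "all" or host in rule.hosts or bool(rule.hostgroups & host_groups)
    svc_ok = rule.service_category == "all" or service in rule.services
    return user_ok and host_ok and svc_ok


def hbac_decision(rules: List[HbacRule], user: str, user_groups: Set[str],
                  host: str, host_groups: Set[str], service: str) -> List[str]:
    """Names of the rules granting access; an empty list means access is denied."""
    return [r.name for r in rules
            if rule_matches(r, user, user_groups, host, host_groups, service)]


# Constructed rule set. allow_all is disabled, as it would be in a deployment
# that has replaced a permissive catch-all rule with targeted ones.
RULES = [
    HbacRule("allow_all", enabled=False, user_category="all",
             host_category="all", service_category="all"),
    HbacRule("admins_ssh_solaris", groups={"unix_admins"},
             hostgroups={"solaris_hosts"}, services={"sshd"}),
    HbacRule("dba_aix01", users={"dba1"}, hosts={"aix01.example.test"},
             services={"sshd", "login"}),
]

if __name__ == "__main__":
    print(hbac_decision(RULES, "alice", {"unix_admins"},
                        "sol11.example.test", {"solaris_hosts"}, "sshd"))
```

The same admin request against an AIX host yields an empty list, which shows why the reply treats the missing AIX pam_hbac as an access-control gap rather than an authentication one.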
