Was using Sun Identity Manager worth it?

With Oracle's announcement of the demise of Sun IDM I have been wondering whether the transition from an in-house identity management solution to a third-party solution was worth the investment in time and effort.  Did we gain anything with Sun IDM that wasn't already there with our legacy applications?

To answer that question I have to look at what we had in the past.  Prior to implementing SIM our identity management strategy consisted of a lot of custom software.  Everything worked well but was very rigid.  Unless you were the developer familiar with the source code, adding new features or changing business policies was not a trivial thing to do.  But it worked, and it was reasonably quick.

Sun Identity Manager was supposed to allow us to keep that tight integration with our business policies and practices while remaining flexible to change.  After all, it had a workflow engine, a rules engine, resource adapters and a customizable web interface.  It sounded like a perfect solution.  So, several years and many hundreds of thousands of dollars later, did Sun Identity Manager amount to any cost savings?  Was there any gain in flexibility?

Implementing our legacy software business rules and policies in the IDM workflows was relatively easy.  Kudos to whatever design team made them.  The IDM workflow engine is pretty robust.  The rules engine is relatively weak, but it does the job.  (It's hardly more than a standard Java method call, but at least you can update it on the fly.)

As easy as customizing the workflows was, using the IDM forms proved to be a huge pain in the ass.  At first it looks relatively simple.  Forms allow you to do two main things: data manipulation and HTML generation.  But as soon as you try to do anything complex the forms simply become convoluted, contorted messes of code.  Variables within IDM forms don't seem to know the word "scope".  And then there's defining HTML within the same IDM form.  Sure, you can customize the look and feel.  But be prepared for some serious pain when doing so.  I hate forms in Sun IDM.  I spent so much time just making plain old HTML look "normal" that it pains me to think of the total number of hours wasted when I could have accomplished the same task using a regular JSP/Freemarker/Velocity template in a tenth of the time.

The interaction between forms and workflows was never fully documented.  For example, why is it that the Enable User form isn't part of a workflow until the user is already enabled?  What if I wanted to do something before the form is displayed?  The workflow is initiated after the form is submitted, and there's no changing that.  There are just some things that you can't do in Sun IDM, so in some respects it's not nearly as flexible as advertised.

However, adding new resources was a breeze.  We made huge gains in simple attribute synchronization.  Need another LDAP server?  Sure, no problem: a few code tweaks there, some attribute definitions here, and done.  ActiveSync was nice too.  When used with an ActiveSync workflow it just worked.  New data was simply passed to the ActiveSync workflow.  The rest was up to me.  Simple.

Given those points I'd say that using Sun Identity Manager was worth it, but just barely.  That's partially because we were never able to fully complete our transition away from the legacy system.  We were stuck in a half-completed state.  If we'd been able to fully transition our legacy system into Sun IDM I might feel differently.  It's also related to the product itself.  The IDM forms bought us no gains.  In fact, they were a step back from our legacy system.  However, those steps back were countered by gains made in the ability to encode our business policies as workflows and rules, as well as the ability to on-board new resources easily.  So, again, it breaks even.

With the experience I've gained with Sun IDM over the last three and a half years, I certainly know what I'm looking for in a replacement.


Oracle Formally Announces Plans for Sun Identity Manager

Oracle has completed its acquisition of Sun.  During a live webcast on the 27th of January Oracle announced its intentions for the major Sun product lines, including Sun Identity Manager.  You can find archives of many of the webcasts at Oracle's Sun Product Strategy site.

The first thing I noted was that Oracle does not intend to continue developing the current Sun Identity Manager product line.  In their words: "Oracle Identity Manager is the strategic product for identity administration."  They pledged long-term support for Sun Identity Manager 8.1 through December 2014, extended support through December 2017 and "indefinite" sustaining support.  Oracle mentioned that they plan on providing tools to upgrade from Sun Identity Manager to Oracle Identity Manager.  The only Sun Identity Manager technology specifically mentioned as being integrated into Oracle Identity Manager was the encrypted, non-repudiable audit logging and the integrated IDE.  There was no mention of the other technologies within Sun Identity Manager, such as Xpress or the forms.

Sun Role Manager is Oracle's strategic product for Identity Governance.  So it will be interesting to see how what is now Sun Role Manager is integrated into the new Oracle Identity Manager, along with whatever bits of Sun Identity Manager are left.

Oracle is re-branding all the current Sun identity products:

  • Sun Directory Server Enterprise Edition becomes Oracle Directory Server Enterprise Edition.
  • Sun Role Manager becomes Oracle Identity Analytics.
  • Sun Identity Manager becomes Oracle Waveset.  (This is likely to keep it very far away, in marketing terms, from the current Oracle Identity Manager.)
  • Sun OpenSSO Enterprise becomes Oracle OpenSSO Enterprise.

The last Sun webinar archive I viewed, only a week ago, covered the integration between Sun IDM 8.1 Patch 7 and Sun Role Manager and had a Q&A chat log with some of the product managers.  They indicated that the intention was to release Sun IDM 9.0 in Q2 of this year.  What that means for the newly branded Oracle Waveset product is anyone's guess.

Finally, the webcast indicated that anyone with a perpetual license will receive credit towards Oracle Fusion.  How much credit?  Who knows…

What does this mean going forward?  Well, that's up to your organization.  Years ago, my organization initially went with Sun Identity Manager 6 because the feature set appeared strong.  The other reason had to do with cost: Oracle's product was simply too expensive at the time.  Are we going to migrate to Oracle's Identity Manager?  I don't know.  We've been in maintenance-only mode with Sun Identity Manager ever since Oracle's announcement that they were going to purchase Sun.  So while we have new development work just waiting to be completed, we are definitely going to be looking at alternatives to Oracle.  It's been a bumpy road…


The Good, The Bad & The Ugly

I received an email asking why I keep using Sun Identity Manager if I dislike the product as much as I do.  The truth is that I don't dislike it, but I sure don't love it either.  Sun Identity Manager solves a provisioning problem for me, but at a much higher time investment than I'd like.

For the most part, I like the behind-the-scenes systems that Sun IDM has.  The provisioning engine is relatively good.  The ActiveSync scanner and deferred tasks have proved invaluable in my organization.  And, of course, the resource connectors themselves are the entire reason the whole system works.  The workflows, forms (for data manipulation) and Xpress language are all pretty good.  (Though, to be honest, I'd rather see Xpress dropped in favor of BeanShell or some other more robust language.)

What I don't like is the web interface.  It's clunky, slow and difficult to use.  It's nearly impossible to customize it into something that makes sense or even supports somewhat modern web standards.  (Go ahead and try to customize the end-user interface to support the accessibility requirements of users with vision impairments.  It's not a trivial task.)  I don't have an issue with the way the IDM forms manipulate data, only with the HTML generation.  Since JSPs aren't used to customize the look and feel, one is forced to use a rather complex and convoluted language just to do what JSP and HTML themselves were designed to do.

I'm also not a huge fan of the documentation.  Both the training materials Sun has and the standard product documentation feel out of date and haphazardly put together.  (For the record, I've taken all the expensive Sun IDM courses.  I also hate the word ExampleChoc.  :) )  There is also a significant lack of consistency in terminology across the product.  A workflow is a process is a task is an activity.  It's tough for a new developer to figure out what is what when the terminology keeps changing.

The javadocs are often of little help.  They are a huge wasteland of undocumented or incorrect information.  However, the documentation in the 8.1 release is a huge improvement over the documentation in IDM 7.1.  I look forward to seeing the improvements coming with 9.0.  A product this complex warrants good documentation, especially given that it's not open source.

So it does the job.  Some parts it does well.  Other parts are done incredibly poorly.  The parts it does well are often not mentioned enough, because it's only when one has problems tweaking something to fit specific business needs that any note is taken.  It's easy to forget that the back-end of my IDM deployment processes several thousand account updates per day in real time when I'm trying to get a form to just display properly.
