
Connecting IdM services to SURFconext

Project: SURFworks
Project year: 2013
Release date: 17-01-2014
Version: 1.0
Summary
This research compares the currently available IdMaaS services and assesses the market
opportunities for IdMaaS for the Dutch R&E community. We conclude that Dutch Research & Higher
Education institutes are generally not ready for a complete cloud offering of IAM services. By and
large they lack a clear policy for adopting cloud services and have a reserved position towards
IdMaaS due to the sensitive nature of the data involved and their awareness to comply to privacy
regulations. Therefore, IdMaaS will not be an alternative for the on-premise IAM services in the
Dutch R&E sector in the short term (1-3 years). Nevertheless, IdMaaS is seen as an attractive
option for realising additional IAM functions.
This publication is released under the Creative Commons licence Attribution 3.0 Netherlands.
More information on the licence is available at http://creativecommons.org/licenses/by/3.0/nl/
Colophon
Programme line: SURFworks
Part: SI-SDT
Activity: Connecting Services
Deliverable: 2013-521g – Connecting IdMaaS Services
Access rights: Public
External party: m7, Ludo Gorzeman, Peter Jurg, Ton Verschuren
This project was made possible by the support of SURF, the collaborative organisation for higher
education institutes and research institutes aimed at breakthrough innovations in ICT. More
information on SURF is available on the website www.surf.nl.
Matters one should know about Connecting IdM services to SURFconext.
Scenario
What is it?
With the rise of cloud computing we also see IAM-as-a-Service, i.e. IAM in the cloud, being offered by more and more suppliers. This research compares different IdMaaS vendors and assesses the readiness of the community for adopting this new service model for IAM.
In short: a comparative research on IdMaaS suppliers and the readiness of the community for adopting this new service model for IAM.
Whom is it for?
The target audience for this report consists of CIOs, ICT managers, IAM functional application managers, and the members of the SURF Special Interest Group for Identity Management in general.
How does it work?
A shortlist of IdMaaS suppliers was compared based on a number of criteria (both functional and non-functional). The findings are presented in this report.
What can one do with it?
Get an overview of the IdMaaS supplier landscape.
More information
Eefje van der Harst ([email protected])
Contents
1. Background 4
2. Purpose and target audience 5
3. Approach for this report 6
4. Disclaimer 6
5. Identity and Access Management-as-a-Service 6
6. Customer perspective 10
7. Results 11
8. Conclusions 15
Annex: Longlist and shortlist of IdMaaS suppliers 16
Annex: CA Technologies 17
Annex: Clavid 19
Annex: CloudID 21
Annex: Covisint 23
Annex: iWelcome 26
Annex: Microsoft 28
Annex: Okta 30
Annex: PingOne 32
Annex: Sailpoint 34
Annex: Traxion 36
1. Background
Federated Identity & Access Management is in everyday use for the majority of the
research and higher education (R&E) community in the Netherlands. Over one hundred
institutes with almost one million users can use over one hundred services through the
SURFconext federation, resulting in more than 100.000 federated logins per day.
SURFconext is a collaboration infrastructure that connects a number of basic building
blocks for online collaboration:
• federated authentication and authorisation, so that users can securely access all
kinds of available services via the same account that they use at their own
institution;
• group management enabling access to content and functionalities, for example for
a project team, to be managed centrally. These may be internal groups of the
institution or groups from the SURFconext group management application;
• a standard data interface for exchanging activities, reports, and group information
(OpenSocial) with cloud applications;
• cloud applications of various providers (for example Google Apps, Edugroepen,
Sharespace, Liferay Social Office).
SURFconext allows institutions to integrate internal and external online services, thus
enabling them to offer users a collaboration environment within which they can access
the online services that they require.
Currently, an on-premise Identity & Access Management (IAM) facility, connected to
SURFconext, is a common asset in the Dutch R&E community.
With the rise of cloud computing we also see IAM-as-a-Service, i.e. IAM in the cloud,
being offered by more and more suppliers. Hence the question arose if this new form of
IAM is of interest to the Dutch R&E community and how it relates to SURFconext.
Although IAMaaS would be the appropriate abbreviation for IAM-as-a-Service, in this
report we will use the term IdMaaS (Identity Management-as-a-Service) since this is the
common term used these days.
2. Purpose and target audience
Commissioned by SURFnet and in close collaboration with SURFmarket, m7 conducted
research into IdMaaS and the readiness of the community for adopting this new service
model for IAM. The goal of the research is threefold:
• describe and compare the currently available IdMaaS services;
• assess the market opportunities for IdMaaS for the Dutch R&E community;
• select the most promising top 3 among the IdMaaS vendors and assist
SURFmarket to include these vendors in its dynamic procurement system.
The first goal concerns this report. The result of the latter goal is to lower the threshold
for both the vendor and the customer to reach a favourable agreement to procure an
IdMaaS service.
As a result of this research SURFnet wants to assess the suitability of IdMaaS for the
smaller institutions with little know-how about IAM, that are not yet connected to
SURFconext. Is IdMaaS for this type of organisation a suitable solution to connect to
SURFconext as an Identity Provider?
The target audience for this report consists of CIO’s, ICT managers, IAM functional
application managers, and the members of the SURF Special Interest Group for Identity
Management in general.
3. Approach for this report
A small number of organisations connected to SURFconext was visited to learn their
interest in and expectations of IdMaaS. Suggested by SURFnet and SURFmarket, we
interviewed the responsible persons for either ICT or IAM of the following organisations,
two academic hospitals and three universities:
• Leids Universitair Medisch Centrum (LUMC);
• VUmc;
• Hogeschool Utrecht;
• Universiteit Maastricht;
• Technische Universiteit Delft.
We discussed their view on cloud computing in general, their current IAM service and
features lacking, and assessed their willingness to move (part of) their on-premise IAM
service to the cloud.
In a seminar at the end of November we presented the results of our study and provoked
discussion about the usefulness of IdMaaS for the SURF community.
Based upon desk research1 we compiled a longlist of some twenty IdMaaS vendors (refer
to Annex: Longlist and shortlist of IdMaas suppliers). We studied their websites to find
out what IAM functions they provide (refer also to the next chapter for a description of
the IdMaaS services) and posed a number of questions about non-functional features by
e-mail. Based upon a number of criteria we compiled a shortlist of ten vendors. Next a
questionnaire was sent to these vendors, followed by—if we got any response—a meeting
or teleconference to discuss their answers. Finally we filled out a template per vendor
(refer to the annexes) and submitted it to them for review. A compilation of our findings
is included in the chapter on results.
4. Disclaimer
IdMaaS is a young industry, consisting of well-known players with fully developed IAM
suites for on-premise use moving to the cloud and newcomers deploying in-house
developed solutions or combinations of existing solutions (open source and commercial).
Hence this report is a snapshot of a rapidly changing vendor landscape, where a first
wave of takeovers and mergers is not unlikely.
5. Identity and Access Management-as-a-Service
In the last few years many vendors of IAM suites have decomposed their offer into
several smaller modules that offer particular IAM services. This trend obviously follows
the trend of the last 5-10 years of performing IAM projects step by step.
In the last 2 years the decomposition of IAM into several services has led to cloud offers
for some demarcated IAM services. For example federation, single sign-on and
provisioning to public cloud applications are services that are offered from the cloud.
However, in the last year we see that more sophisticated services, especially self-service,
access governance, and risk-based access, are also offered from the cloud.
In this document we use a decomposition model for IAM that is depicted in Figure 1.
1 The Forrester Wave report on Enterprise Cloud Identity And Access Management, Q3 2012, proved an inspiring document for our research.
Figure 1 Decomposition of IAM functions
At the bottom of this picture we start with the underlying processes for registration,
change and exit for identities that are already in place in the majority of organisations,
Dutch higher education and research included. Therefore, we exclude the registration
functionality for staff and students in our comparison assuming this is already in place as
an on-premise process. For smaller organisations looking for a solution to connect as
identity provider to SURFconext however, this functionality would be required as part of
the IdMaaS offering. Usually though, their registration needs will be met by the guest
registration functionality of the IdMaaS supplier. In larger organisations guest
registration is sometimes a more diffuse process, where different parts of the
organisation have their own process for it. So guest registration often can be improved
by a central software solution that enforces one way of doing this.
Below we discuss the other services in the picture and their role in IAM. We distinguish
services that have a 10 year or more history, which we call classical IAM services, and
IAM services that became popular in the last 2-3 years, which we call modern IAM
services.
5.1. Classical IAM services
5.1.1. Identity Vault / life cycle management
An identity vault is a central user repository that contains the information necessary for
account and role provisioning. So from here users get their account and basic access
rights in different systems. On top of the identity vault the processes for life cycle
management can be implemented. This defines existence of accounts and access rights
for users depending on the state of their identity. Whether or not to implement a central
Identity Vault mostly depends on the number of users and expected changes. Generally
it is cost effective to implement a central Identity Vault for a couple of thousand
identities.
5.1.2. User provisioning
This service provides the provisioning of account information to all applications and
authentication databases (see below) that need a user account in order to provide access
to a user.
5.1.3. Role and group assignment
Which systems are appropriate for a user is defined by the roles a person has or to which
groups a person belongs. Roles can be job description, department, location or other
information, often provided by HR. Groups often have a more ad hoc character, like a
project group. Life cycle management also handles changes in roles and groups and
translates them into changes in access (if needed).
Other approaches for access management like access request management and identity
and access governance are described below.
5.1.4. Delegated admin
Delegated admin can be used for distributed user account management within an
organisation. Admin users can for example create and remove users, change access
rights or perform self-service tasks on behalf of users.
5.1.5. Single sign-on (SSO)
Single sign-on is a mechanism that allows the user to log in only once to have access to
several services without logging in again. This service is mainly a technical
implementation. The biggest challenge is to integrate desktop and web-SSO.
5.1.6. Strong authentication
This provides a central service for 2-factor authentication or otherwise stronger
authentication methods than username and password that can be applied to several
applications.
5.1.7. Self-service
This is a central service by which end users can change or reset their password and
maybe also change some personal information (this might be viewed as part of
delegated admin, with delegation to the users themselves).
5.1.8. Access request management
Besides the information in HR (job description, department, location, etc.) users within
an organisation will have specific tasks for which they need specific access. This can be
established by so-called access request workflows. Line managers and application owners
will have to approve requests by employees. It is utopian to think that such workflows
can be used to manage all access rights in all applications. A lot of rights will still be
entered in the applications without any workflow. In that case, Identity & Access
Governance (see below) can help.
5.1.9. Reporting and auditing
Reporting and auditing is useful for obtaining insight into access rights, delegated admin
activity, self-service activity, provisioning, etc.
5.2. Modern IAM services
5.2.1. Federation
Federation can be used to enable web-SSO, i.e. SSO for web-based services. It may also
serve to let people from another organisation login to your services with the account
from their own organisation and vice versa.
5.2.2. Identity and Access Governance (IAG)
This is a service that will retrieve access rights from several applications, gather them
and present the consolidated rights for review. Access rights can be labelled as low,
medium or high risk and a manager can get an overview of what type of access their
employees have (risk, license costs, etc.). The manager can then approve, change or withdraw
access rights. With this approach access rights can still be entered in the applications
themselves, but managers are alerted when new employees come in or access rights are
changed. IAG can also help to detect violation of segregation of duty.
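To make the IAG pass described above concrete, here is an added example (written for this edit, not code from the report or from any supplier). It gathers rights from three constructed application exports that arrive in different shapes, consolidates them per account, labels each right with an assumed risk catalogue, checks an assumed segregation-of-duty rule and flags accounts that no longer match an active identity in the HR feed.

```python
# Added example (not the report's or any vendor's code): a toy Identity & Access
# Governance pass over constructed application exports. Catalogue, rules,
# identities and exports are all assumptions made for the demonstration.
from collections import defaultdict

RISK_ORDER = ["low", "medium", "high"]

# Constructed HR feed: identity id -> account name of people currently employed.
ACTIVE_IDENTITIES = {"u100": "alice", "u101": "bob", "u102": "carol"}

# Constructed exports, each in the shape its application happens to produce.
FINANCE_EXPORT = [("alice", "invoice_create"), ("alice", "invoice_approve"),
                  ("bob", "invoice_create")]                    # list of pairs
LMS_EXPORT = {"bob": ["course_edit"], "carol": ["course_view"],
              "dave": ["course_edit"]}                         # dave has left
SIS_EXPORT = "alice:grade_edit;carol:grade_view"               # flat string

# Assumed risk catalogue; anything not listed counts as low risk.
RISK_CATALOGUE = {"invoice_approve": "high", "grade_edit": "high",
                  "invoice_create": "medium", "course_edit": "medium"}
# Assumed toxic combinations (segregation of duty).
SOD_RULES = [("invoice_create", "invoice_approve")]


def collect_rights():
    """Normalise the three exports into account -> {(application, right)}."""
    rights = defaultdict(set)
    for account, right in FINANCE_EXPORT:
        rights[account].add(("finance", right))
    for account, roles in LMS_EXPORT.items():
        for right in roles:
            rights[account].add(("lms", right))
    for item in SIS_EXPORT.split(";"):
        account, right = item.split(":", 1)
        rights[account].add(("sis", right))
    return dict(rights)


def risk_of(right):
    return RISK_CATALOGUE.get(right, "low")


def review(rights, active_identities):
    """Build the per-account view a manager would be asked to certify."""
    active_accounts = set(active_identities.values())
    report = {}
    for account, entries in sorted(rights.items()):
        held = {right for _, right in entries}
        violations = [rule for rule in SOD_RULES if held.issuperset(rule)]
        max_risk = max((risk_of(r) for r in held), key=RISK_ORDER.index)
        orphan = account not in active_accounts  # account without a live identity
        report[account] = {
            "rights": sorted((app, right, risk_of(right)) for app, right in entries),
            "max_risk": max_risk,
            "sod_violations": violations,
            "orphan": orphan,
            # Anything high-risk, toxic or ownerless goes to the manager's queue.
            "needs_review": orphan or bool(violations) or max_risk == "high",
        }
    return report


def review_queue(report):
    """Accounts (alphabetical) that a manager must approve, change or withdraw."""
    return [account for account, view in report.items() if view["needs_review"]]


if __name__ == "__main__":
    consolidated = review(collect_rights(), ACTIVE_IDENTITIES)
    for account in review_queue(consolidated):
        print(account, consolidated[account])
```

In this run alice lands in the queue for holding both halves of the invoice rule plus a high-risk right, and dave for being an orphaned account; bob and carol hold only rights the catalogue rates medium or low and are not queued.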
5.2.3. Cloud provisioning
Cloud provisioning is not much different from account and role provisioning, but uses
APIs of cloud providers and open standards to provision and deprovision accounts and
roles.
5.2.4. Identity-based device management
Linking device management to identity management ensures that life cycle management
is effective for personal devices and enables an organisation to define personal access
rights for devices. It may also be used for risk-based access.
5.2.5. Risk-based access
Risk-based access enables organisations to make access decisions based on the behaviour
of users. For example, a user's location should not suddenly change while the user is
accessing services, and a user should not access systems at unusual hours.
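The two behavioural signals just named, as an added example that is not code from the report or from any supplier: a small evaluator over constructed login events turns a sudden country change and a login at an unusual hour into an allow / step-up / deny decision, where step-up would mean asking for the stronger authentication of 5.1.6. The hours treated as normal, the six-hour window and the events themselves are assumptions.

```python
# Added example (not the report's or any vendor's code): a minimal risk-based
# access evaluator over a constructed login log. Policy values are assumptions.
from datetime import datetime, timedelta

# Constructed sample events: (user, ISO timestamp, country of the client address).
SAMPLE_EVENTS = [
    ("alice", "2013-11-04T09:02:00", "NL"),
    ("alice", "2013-11-04T13:45:00", "NL"),
    ("alice", "2013-11-05T08:58:00", "NL"),
    ("alice", "2013-11-05T10:12:00", "BR"),  # different country 74 minutes later
    ("bob",   "2013-11-04T08:30:00", "NL"),
    ("bob",   "2013-11-04T17:10:00", "NL"),
    ("bob",   "2013-11-06T03:15:00", "NL"),  # same country, but at 03:15
    ("carol", "2013-11-05T22:30:00", "NL"),  # late evening
    ("carol", "2013-11-06T01:40:00", "US"),  # late night and a new country
]

# Assumed policy: 07:00-19:59 is a normal login hour; a country change inside
# this window is treated as suspicious (deliberately no travel-speed model).
NORMAL_HOURS = range(7, 20)
LOCATION_CHANGE_WINDOW = timedelta(hours=6)


def signals_for(user, when, country, last_seen):
    """Return the risk signals raised by one login attempt."""
    found = []
    if user in last_seen:
        prev_when, prev_country = last_seen[user]
        if country != prev_country and when - prev_when < LOCATION_CHANGE_WINDOW:
            found.append("location-change")
    if when.hour not in NORMAL_HOURS:
        found.append("unusual-hour")
    return found


def decide(signals):
    """A clean login passes, one signal asks for step-up authentication,
    two or more signals are refused."""
    if not signals:
        return "allow"
    return "step-up" if len(signals) == 1 else "deny"


def assess(events):
    """Evaluate events in time order and return one decision record each."""
    parsed = sorted(((u, datetime.fromisoformat(t), c) for u, t, c in events),
                    key=lambda e: e[1])
    last_seen = {}   # user -> (time, country) of the last accepted login
    records = []
    for user, when, country in parsed:
        signals = signals_for(user, when, country, last_seen)
        decision = decide(signals)
        records.append({"user": user, "time": when.isoformat(), "country": country,
                        "signals": signals, "decision": decision})
        if decision != "deny":          # a refused attempt does not move the baseline
            last_seen[user] = (when, country)
    return records


if __name__ == "__main__":
    for r in assess(SAMPLE_EVENTS):
        print(f'{r["time"]} {r["user"]:6} {r["country"]} {r["decision"]:8} {r["signals"]}')
```

Alice's Brazilian login an hour after a Dutch one and Bob's 03:15 login each trip one signal and get a step-up; Carol's night-time login from a new country trips both and is refused, and because a refused attempt does not update the baseline it cannot be used to "teach" the evaluator a new location.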
5.2.6. Social logon
Social logon helps organisations to diminish user account management for individual
users. They can log in with a social media account. Since trust and security are not at a
high level here, this mechanism is mostly used for providing customers access to (semi-)
public information. For example for marketing purposes: an organisation wants to
provide information to potential customers and at the same time wants to keep track of
the activity and profile of those customers.
Most IdMaaS cloud providers currently have a main focus on the modern IAM services,
forming the biggest opportunity as most organisations have the classical IAM services
already in place. Most of them are able to offer the classical IAM services from the cloud
as well, though.
Device management turned out to be an exception. Though device management is
offered as a cloud service by many service providers, these services are quite often not
part of the IdMaaS offering, but available as a separate service from the same supplier or
from specialised suppliers.
We will use the picture above in the annexes to this document to indicate what services
are offered by the different IdMaaS providers. Furthermore, we will describe how the
IdMaaS offering relates to the SURFconext service.
Apart from a functional comparison of the IdMaaS suppliers, we looked at a number of
non-functional aspects2:
● What privacy (data protection) regulations apply to the IdMaaS service? The EU Directive, the Safe Harbor Principles, or otherwise?
● Will the supplier comply with the International Standard for Assurance Engagements (ISAE) 3402 or Statement on Standards for Attestation Engagements (SSAE) 16 for their service auditor's statements3?
● ISO 27001 certificate4? This will ensure that the service is secure and will be audited regularly.
● What SLA is offered? For a service that enables users to log on, a good uptime of the service, short response times when a disruption occurs and a globally acceptable performance are important SLA parameters.
● Is data escrow supported? If so, an exit or migration to another supplier will be easier, because such a service can make sure that the customer’s data will be available, even if the supplier is bankrupt or suffers from a large calamity.
2 For more information (in Dutch) refer to the checklist for contracts with cloud providers (http://www.surfsites.nl/cloud/download/ChecklistContractueleAfspraken.pdf) and the best practices on privacy for cloud providers (http://www.surfsites.nl/cloud/download/cloudBPG.pdf). The latter explains the standards for the certifications mentioned.
3 ISAE 3402 provides an international assurance standard for allowing public accountants (an independent third party) to issue a report for use by user organizations and their auditors (user auditors) on the controls at a service organization that are likely to impact or be a part of the user organization’s system of internal control over financial reporting. Hence ISAE 3402 provides assurance over outsourced business processes. ISAE 3402 includes the IT environment of the service organization and its security. SSAE 16 resembles ISAE 3402 and differs only for the specific case of US customers of service organizations. Hence it is not relevant for Dutch higher education institutes. Note that ISAE 3402 reports can be of type I or type II, the first being a snapshot, the latter reporting over a longer period with a minimum of 6 months.
We did not include the costs of the IdMaaS offerings in our research. But we did ask the
vendors for their cost models. On what parameters are their tariffs based? Apart from a
one-time set-up fee, the license costs can be based upon the following parameters:
● number and type (internal or external) of users;
● number of authentications per period of time;
● number of connected cloud applications;
● number of administrators in the cloud platform;
● the two-factor authentication methods used;
● support level.
6. Customer perspective
None of the organisations interviewed has defined a policy for the cloud yet, although
some are in the process of defining one. And some collaborate in the SURF Cloud
Taskforce, hence the topic has their interest. Main reasons for adopting cloud services in
general are an improvement of the quality of the services offered, increased agility, and
a change from a capital expenditures to an operational expenditures cost model including
reduced manpower for application management and support. But due to the sensitive
nature of IAM (accounts, personal data, access to licensed content and services) the
migration to a completely cloud-based IAM service is unlikely in the short term. All
organisations claim to hold on to a local registration process for employees and students,
a local identity store including lifecycle management, and—due to the sometimes very
extensive on-premise application landscape—to a mainly local provisioning process. The
academic hospitals interviewed even claimed that they cannot move their identity store
to the cloud because of the data protection regulations in force. But the authors of this
report do not think this is true, because IdMaaS can be considered to be a technical
solution for IAM that has to adhere to the same legislation as on-premise IAM.
To summarise the viewpoint of the organisations interviewed, IdMaaS is not considered to be an alternative for the basic, classical IAM functions. At the seminar, however, the majority of the institutions indicated an interest in IdMaaS because their current on-premise IAM solution is bound for replacement in the near future.
Nevertheless, IdMaaS is seen as an attractive option for realising additional IAM functions, such as strong authentication, improved self-service, guest registration (especially in the context of virtual organisations or collaboration teams), provisioning to cloud applications, and possibly in the longer term social logon and identity-based (mobile) device management. This was confirmed during the seminar, where two thirds of the attendees showed their interest in IdMaaS within a three-year term. On the other hand, a quarter of the audience thinks that IdMaaS may not be a solution for them, because their business processes are not generic enough and they are unwilling or unable to adjust to more generic processes.
4 Though ISAE 3402 covers IT security, it is not very specific about the security measures and its relevance for IT security depends on the third party who issues the report and the auditor of the customer who verifies it. ISO 27001 is a pragmatic certification that ensures that certain measures are taken and therefore may offer additional assurance.
A remarkable finding was the fact that the modern Identity & Access Governance
approach does not have the attention of Dutch Research & Higher Education at the
moment, so a cloud offer for this functionality is currently not on their wish list.
7. Results
This chapter contains the results of our research of the IdMaaS vendors on the shortlist.
We describe the current state of affairs in the IdMaaS landscape in the context of the
Dutch situation. Not all suppliers responded to our questionnaire or to our request to
review our findings. If so, it will be mentioned in the annex concerned.
The IdMaaS market is young, but rapidly developing. During our research we came
across several suppliers that were not on our initial longlist. Some suppliers build their
offering based upon their own intellectual property; some use products from the well-known classical IAM vendors. Some suppliers have offered their service for a number of years,
but the majority introduced their IdMaaS offering in the last two years.
Not surprisingly, the set of IAM functions offered and their maturity strongly varies per
supplier. A number of suppliers mainly focus on offering as many out-of-the-box
connections to cloud applications as possible, usually presented through a user or admin
dashboard. Choose your cloud application, click and go is the adage here.
Others try to cover as many IAM functions as possible, trying to compete with on-premise IAM suites. Still others offer a wide variety of two-factor authentication options.
Whereas the IAM functions offered are easy to find on the suppliers’ websites, the non-functionals are harder to obtain. But where an SLA is important for any cloud application
(“*-as-a-service”), for IAM a number of specific non-functional requirements are critical,
due to the nature of the data concerned. Here information security standards, like ISO
27001, and third-party audit formats like ISAE 3402 and SSAE 16 come in. Together they
provide an indication of how safe your users’ data and privacy are in the supplier’s cloud
platform. Of course, the suppliers are aware of these issues and some are in the process
of regionalising their cloud (data centres) in order to adhere better to the Dutch and EU
data protection regulations.
When it comes to the positioning of the IdMaaS offering with respect to SURFconext
there is a varying degree in overlap of functions offered. Actually the majority of IdMaaS
suppliers offer technical services that can be used to build a federation like SURFconext.
They offer authentication using SAML (and OpenID Connect), web SSO for cloud
applications and social logon, just like SURFconext offers. However, they only provide
technical solutions, whereas SURFconext offers a complete federation with central
facilities that make connecting to a large number of services a breeze and a trust
framework that helps to diminish the burden of arranging agreements with many service
providers. Using an IdMaaS supplier, institutions will have the technical possibilities of a
federation, but will not have the federation itself. In general this makes the IdMaaS
services less attractive because the added value is limited.
However, there are still some areas where SURFconext does not offer functionality and
IdMaaS providers do. Some examples:
• Two-factor authentication;
• SSO to cloud applications not included in SURFconext;
• Guest registration;
• Device management;
• Provisioning to cloud applications;
• On-premise provisioning, identity vault and SSO.
A general observation across all suppliers is that support for the group API of SURFconext
is lacking. The consequence is that group information used in the SURFconext connected
cloud applications will not be available in the cloud applications connected to the IdMaaS
supplier’s platform. SSO, however, between the supplier’s and SURFconext domains
won’t be a problem.
One of the non-functional aspects that will be of interest to a prospective customer of an
IdMaaS service is the supplier’s ability to execute: how many comparable organisations
are among the supplier’s customers; how easy is it to set up the service and how long
does it take for the service to be operational; how well is support organised; is the
supplier already active or not on the Dutch market, etc. And with respect to the latter
aspect: is the supplier inclined to connect to SURFconext? Note however, that the ability
to execute is beyond the scope of our research, partly due to the lack of response on the
subject from a number of vendors.
In the annexes a short description of the supplier and its offering is given. The table
below summarises our findings for the functional and non-functional aspects.
The table shows that—not surprisingly—federation techniques and SSO are supported by
all suppliers. Identity & Access Governance, device management and to a lesser extent
access request management are still rather rare. Auditing and reporting are generally
implemented in a basic form. Those suppliers rated “mature” (blue) for this function
usually provide an interface for a Security Information and Event Management system.
A remark about provisioning needs to be made. Although the table shows that user and
cloud provisioning is generally well supported, suppliers indicated that in practice
provisioning is far from trivial. Some suppliers claim to provide provisioning to cloud
applications only if they support standards like SPML and SCIM, for which support in
applications is not very common at the moment. And some interpret provisioning as just-in-time provisioning5, while generally ahead-of-time provisioning6 is required. For the
latter usually custom interfaces need to be implemented.
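The difference between just-in-time and ahead-of-time provisioning, together with the deprovisioning side of life cycle management from 5.1.1, 5.1.2 and 5.2.3, as an added example that is not code from the report or from any supplier. It models a target application with a SCIM-style create/deactivate interface next to a federated login that creates the account on first use; only the SCIM 2.0 core User schema URN is real, the class, its methods and the sample identities are assumptions.

```python
# Added example (not the report's or any supplier's code): a toy target
# application provisioned ahead of time (SCIM-style push before first login)
# and just in time (account created from the login assertion). Interfaces and
# data are assumptions; only the SCIM core User schema URN is a real identifier.
import json

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"


class TargetApplication:
    """A cloud application seen from the provisioning and login side."""

    def __init__(self):
        self.accounts = {}   # userName -> {"active", "email", "groups", "source"}

    # --- provisioning interface, used ahead of time by the identity vault ---
    def scim_create(self, resource_json):
        resource = json.loads(resource_json)
        if SCIM_USER_SCHEMA not in resource.get("schemas", []):
            raise ValueError("unsupported resource")
        name = resource["userName"]
        self.accounts[name] = {"active": resource.get("active", True),
                               "email": resource.get("emails", [{}])[0].get("value"),
                               "groups": set(), "source": "aot"}
        return name

    def scim_deactivate(self, name):
        """Exit step of life cycle management: keep the record, refuse logins."""
        self.accounts[name]["active"] = False

    def assign_group(self, name, group):
        """Pre-login access assignment; only possible if the account exists."""
        if name not in self.accounts:
            raise KeyError(f"no account for {name}: provision ahead of time first")
        self.accounts[name]["groups"].add(group)

    # --- login interface, where just-in-time provisioning happens ---
    def federated_login(self, assertion_attrs):
        """Accept a login from the IdP; create the account on first login."""
        name = assertion_attrs["uid"]
        if name not in self.accounts:
            self.accounts[name] = {"active": True, "email": assertion_attrs.get("mail"),
                                   "groups": set(), "source": "jit"}
        return "ok" if self.accounts[name]["active"] else "denied"

    def has_account(self, name):
        return name in self.accounts


def demo():
    app = TargetApplication()
    # Ahead-of-time: the identity vault pushes alice before she ever logs in,
    # so her group membership is waiting for her at first login.
    alice = json.dumps({"schemas": [SCIM_USER_SCHEMA], "userName": "alice",
                        "emails": [{"value": "alice@example.org"}], "active": True})
    app.scim_create(alice)
    app.assign_group("alice", "editors")
    # Just-in-time: bob exists only once his first assertion arrives.
    bob_existed_before_login = app.has_account("bob")
    app.federated_login({"uid": "bob", "mail": "bob@example.org"})
    # Exit: life cycle management deactivates alice; her next login is refused.
    app.scim_deactivate("alice")
    return {
        "alice_groups": sorted(app.accounts["alice"]["groups"]),
        "bob_existed_before_login": bob_existed_before_login,
        "bob_source": app.accounts["bob"]["source"],
        "alice_login_after_exit": app.federated_login({"uid": "alice"}),
        "bob_login": app.federated_login({"uid": "bob"}),
        # With JIT alone nothing here ever deactivates bob when he leaves:
        # the application only hears from the IdP when a login happens.
        "bob_still_active": app.accounts["bob"]["active"],
    }


if __name__ == "__main__":
    print(demo())
```

The point to take from the run is the asymmetry: with ahead-of-time provisioning the application can carry access rights and an exit state for a user who has not logged in yet, whereas with just-in-time provisioning the application learns about a user only at login and needs a separate deprovisioning channel to retire the account, which is why the text notes that ahead-of-time provisioning is generally required.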
Overall, the classical IAM functions show better support than the modern ones.
Discussions with suppliers showed that many of them are still developing their solutions
and have support for many of the modern IAM functions on their roadmap.
On the non-functional side, the fact that not all suppliers indicate that they adhere to the
EU privacy regulations shows their sometimes limited interest in the Dutch (European)
market.
Support for data escrow is provided by the majority of the suppliers, which should ease a
(periodic) change of IdMaaS supplier, e.g. after a tender.
The approach taken and the sometimes meagre response from the vendors prevent us
from appointing a top 3 of best suppliers. Moreover, the choice for a suitable IdMaaS
solution strongly depends on the specific IAM functions required by an organisation.
5 Just-in-time (JIT) provisioning creates a profile for the user in the application at the time of first login.
6 Ahead-of-time (AOT) provisioning creates a profile for the user in the application before the first login.
Table 1 Comparison of IdMaaS suppliers
[The colour-coded table and its legend are not reproduced here; only its layout is recoverable.]
Suppliers (columns): CA, Clavid, CloudID, Covisint, iWelcome, Microsoft, Okta, Ping, Sailpoint, Traxion.
Modern IAM (rows): device mgmt, risk-based xs, social logon, federation, IAG, cloud provisioning.
Classical IAM (rows): SSO, 2FA, self-service, access req mgmt, reporting & auditing, LCM, user provisioning, roles & groups, DA, guest registration.
Non-functionals (rows): adhere to privacy regulations, third-party audit conformity, ISO 27001, SLA (values listed: 99.5, 99.5, 99.9, 99.9), escrow support.
Some more background information:
• All providers offer good functionality for cloud provisioning, federated login and SSO for cloud applications. Additionally they all offer good functionality for on-premise SSO. Clavid is an exception: they only provide authentication, not provisioning.
• Covisint is the most experienced IdMaaS provider, as they were an IdMaaS provider avant la lettre in the automotive industry. Their offer is highly standardized though, so customizations may be expensive. In terms of overall functionality they have the best score.
• Okta and CA seem not very interested in the Dutch educational market; we deduce this from the fact that they were not very responsive. Traxion indicated that their focus is not on education anymore.
• For specific types of functionality we would recommend the following suppliers:
  o Two-factor authentication: Clavid and iWelcome.
  o SSO to cloud applications not included in SURFconext: all.
  o Guest registration: Covisint and iWelcome.
  o Device management: Covisint.
  o Provisioning to cloud applications: all but Clavid.
• On-premise provisioning and identity vault are functions that most suppliers do not offer (yet) in a way that can meet the rather complex business rules of the Dutch higher education community, but that appears to be a matter of time. At the moment most suppliers instead provide simple provisioning tools. If an institution plans to simplify its provisioning, most suppliers are able to help out.
8. Conclusions
Dutch Research & Higher Education institutes are generally not ready for a complete
cloud offering of IAM services. By and large they lack a clear policy for adopting cloud
services and have a reserved position towards IdMaaS due to the sensitive nature of the
data involved and their awareness of the need to comply with privacy regulations. Therefore,
IdMaaS will not be an alternative for the on-premise IAM services in the Dutch R&E sector
in the short term (1-3 years).
For federation and SSO the institutes mainly use SURFconext. SURFconext might also
offer strong and step-up authentication in the near future. Thus the overlap between the
IAM functions offered by SURFconext and IdMaaS suppliers will likely grow. On the other
hand some IdMaaS vendors try to connect as many cloud applications to their platform
as possible, whereas SURFconext generally connects (niche) applications for the R&E
community. Depending on the need for cloud applications, the SSO domain of the
IdMaaS solution may be of interest.
On the other hand several cloud IAM providers support the modern IAM functionalities
the institutes are looking for. However, the core business of the providers lies mostly in
functionality that is offered by SURFconext. Furthermore Dutch cloud IAM providers are
inclined to provide additional features outside of the regular cloud spectrum, like guest
registration and improved self-service.
One of the modern IAM functions, identity-based device management, is rarely part of
the IdMaaS offering today. This function is mainly the domain of specialised suppliers.
That may change in the near future, though, since this feature is on some IdMaaS
suppliers’ roadmap.
Support for the group functions offered by SURFconext seems entirely lacking among
the current IdMaaS suppliers. Moreover, within SURFconext itself not many applications
support this yet. On the SURFconext side it would be worth investigating the future of
this function.
The approach taken and the sometimes meagre response from the vendors prevent us
from appointing a top 3 of best suppliers. Moreover, the choice for a suitable IdMaaS
solution strongly depends on the specific IAM functions required by an organisation.
The factors mentioned above make the Dutch R&E market less attractive for the IdMaaS
vendors. They could try to target the smaller institutions and sell them the whole IdMaaS
package (including the connection to SURFconext as an identity provider), but the
volumes will be low.
Dutch R&E institutes adopting IdMaaS must be aware that cost effectiveness will only be
achieved if they are willing to adjust—actually simplify—their business processes so that
technical implementation becomes less complex. Institutes will probably only do this in
the context of a cloud-based strategy, where increasingly on-premise applications are
replaced by cloud-based or SaaS solutions. Such a strategy will eventually take away the
necessity for on-premise IAM anyway.
Because IdMaaS is a young and rapidly developing industry, a reiteration of this research
in one or two years is recommended. Then the current mismatch between the demand
and supply side of IdMaaS for Dutch R&E may be reassessed.
Annex: Longlist and shortlist of IdMaaS suppliers
The following suppliers were included on the longlist and shortlist for this project, based
on the criteria below:

Supplier              Shortlist (y/n)   Explanation (if not on shortlist)
Capitar               n                 Not ready in time for this report
CA Technologies       y
Clavid                y
CloudID               y
Covisint              y
Gluu                  n                 Did not satisfy shortlist criteria
iWelcome              y
Lighthousegateway     n                 Did not satisfy shortlist criteria
Microsoft             y
Okta                  y
Ping                  y
Sailpoint             y
Salford Software      n                 Not a general-purpose IdMaaS solution
Simeio                n                 Did not satisfy shortlist criteria
Symantec              n                 Did not satisfy shortlist criteria
Symplified            n                 Did not satisfy shortlist criteria
Traxion               y
Vasco Data Security   n                 Not a general-purpose IdMaaS solution
Verizon               n                 Did not satisfy shortlist criteria

Criteria for the shortlist (see note 7):
Functional criteria:
● Is provisioning supported?
● Is SSO supported, both for on-premise and cloud applications?
● Is strong (two-factor) authentication supported?
● Is guest registration supported?
● Is self-service and access request management supported?
● Is access governance provided?
Non-functional criteria:
● Does the vendor adhere to the EU privacy or Safe Harbor principles?
● Did the vendor respond to our questions?
Applying these criteria resulted in omitting vendors with a single or very few IAM
functions. Hence organisations seeking only a very limited set of IAM functions in the
cloud should evaluate the IdMaaS landscape based on their own criteria.
7 Note: because there is a federation in place (SURFconext), the list of criteria is not a generally applicable list for IdMaaS, but tailored to the situation in the Netherlands.
Annex: CA Technologies
Supplier
CA Technologies, USA, is a well-known company with a wide range of software and SaaS
solutions. Their SiteMinder product was one of the first IAM products.
Review of this annex received: no.
Product: CloudMinder
URL: http://www.ca.com/us/cloudminder-identity-management.aspx
CloudMinder is—as the name suggests—the SaaS version of CA’s existing IAM products
like IdentityMinder and SiteMinder. In fact it is a suite of products just like the on-premise
versions. It provides an interface to an on-premise AD or LDAP user store and
does provisioning to both on-premise and cloud applications (using SCIM). An overview is
given in the picture below.
Figure 2 Overview of CloudMinder
Guest registration is part of the offering as is role management. A complete set of self
service and delegated administration functions is available, including access request
management.
SSO includes on-premise and cloud applications. Various two-factor authentication
options are offered as part of CloudMinder Advanced Authentication. Social login is
supported.
No information about our non-functional requirements could be obtained.
The picture below summarises the main features of CloudMinder:
Figure 3 CA's IdMaaS functional decomposition
Legend (colour coding in the figure): not known or absent; yes or basic functionality; mature or advanced functionality.
How does it compare to SURFconext?
With its track record in IAM CA offers a robust and mature cloud-based service that could
add value for an organisation in addition to SURFconext.
Annex: Clavid
Supplier
Clavid AG is a privately-owned Swiss company with IAM services based on in-house
developed software as its core product. Since 2007 Clavid runs an OpenID identity
provider with users from over 50 countries. The company’s main focus is on two-factor
authentication and SSO.
Review of this annex received: yes.
Product: Clavid
URL: http://www.clavid.com/
Clavid has been running its IdMaaS service since 2012. Three operational models are offered: pure
cloud, on-premise maintained by Clavid, or on-premise maintained by the customer. For this
report we only take the cloud mode into consideration. Their architecture is depicted in
the following figure:
Figure 4 Overview of Clavid
Clavid features two main elements: the Internet Identity Provider and Authentication as
a Service. The Internet Identity Provider connects to an on-premise user store (AD,
LDAP, HR system). It offers provisioning to on-premise but not to cloud applications.
Guests can be registered in the Internet Identity Provider. Roles are not supported. Self-service
for selection of two-factor methods, login settings, password reset and usage history
is supported. Delegated administration is not supported.
SSO is one of the main distinctive services of Clavid, covering both on-premise and cloud
applications, even with the possibility of protocol translations between e.g. SAML and
OAuth.
Two-factor authentication is Clavid’s main focus, so an extensive set of protocols, tokens,
and methods is supported. Even SURFnet’s tiqr! The required authentication strength
(using NIST levels, see note 8) and corresponding method can be configured per application.
On the non-functional side the following applies to Clavid:
● Clavid runs in a Swiss data center and adheres to the Swiss privacy regulations,
which impose fewer restrictions upon data processing than the EU Directive.
● Clavid is certified for ISAE 3402.
● No SLA details are available.
● Third-party data escrow is supported.
The picture below summarises the main features of Clavid:
Figure 5 Clavid's IdMaaS functional decomposition
Legend (colour coding in the figure): not known or absent; yes or basic functionality; mature or advanced functionality.
How does it compare to SURFconext?
Clavid’s main strength lies in its support for strong authentication, and it is rather unique
in the extent of its features. The number of out-of-the-box interfaces with cloud
applications is rather limited, but any standards-based application can be coupled
rapidly.
Clavid has already realised a (test) connection to SURFconext. A demo showed a
federated login with username and password through SURFconext for a test application
connected to Clavid’s SSO platform, followed by a second-factor authentication
through Clavid to gain access to the test application: a nice example of step-up
authentication.
8 U.S. National Institute of Standards and Technology. The levels are specified in their standard SP 800-63-1.
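The step-up flow demonstrated above, as an added example that is not part of this report or of Clavid's software: a minimal SAML assertion from the federation (constructed here) carries a password authentication context, the application's configured NIST SP 800-63-1 level is compared with it, and a second factor is demanded where the level falls short. The class-to-level mapping, the application policies and the issuer URL are assumptions.

```python
"""Per-application step-up authentication: compare the assurance level of a
federated login (SAML AuthnContext) with the level an application requires
and demand a second factor when it falls short.

Added illustration; the mapping of SAML context classes to NIST SP 800-63-1
levels, the application policies and the issuer are assumptions, not any
vendor's actual configuration.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# Assumed mapping of SAML authentication context classes to NIST 800-63-1
# levels (1 = lowest, 4 = highest). Any unknown class is treated as level 0.
CONTEXT_LEVEL = {
    AC + "Password": 1,
    AC + "PasswordProtectedTransport": 2,
    AC + "MobileTwoFactorContract": 3,  # e.g. an app-based second factor
    AC + "TimeSyncToken": 3,            # e.g. an OATH TOTP token
    AC + "SmartcardPKI": 4,
}

# Placeholder for the federation IdP whose assertions we accept.
TRUSTED_ISSUER = "https://idp.example-federation.test"

# Assumed per-application policy: required level and the second-factor
# classes users of that application may step up with.
APP_POLICY = {
    "wiki":   {"required": 1, "step_up": []},
    "grades": {"required": 3, "step_up": [AC + "MobileTwoFactorContract",
                                          AC + "TimeSyncToken"]},
    "hr":     {"required": 4, "step_up": [AC + "SmartcardPKI"]},
}


def assertion_context(xml_text):
    """Return (issuer, subject, level) read from a SAML 2.0 assertion.

    Only the fields the policy needs are read; a real service provider
    validates the XML signature, audience and validity window first.
    """
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS)
    subject = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    ref = root.findtext(
        "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
        default="", namespaces=NS)
    return issuer.strip(), subject.strip(), CONTEXT_LEVEL.get(ref.strip(), 0)


def decide(app, xml_text, second_factor=None):
    """Return a dict whose 'action' is 'allow', 'step_up' or 'deny'.

    `second_factor` is the context class of a second factor the user has
    already completed at the step-up service, or None if not yet done.
    """
    policy = APP_POLICY.get(app)
    if policy is None:
        return {"action": "deny", "reason": "unknown application"}
    try:
        issuer, subject, level = assertion_context(xml_text)
    except ET.ParseError:
        return {"action": "deny", "reason": "malformed assertion"}
    if issuer != TRUSTED_ISSUER or not subject:
        return {"action": "deny", "reason": "untrusted issuer or missing subject"}
    if second_factor is not None:
        if second_factor not in policy["step_up"]:
            return {"action": "deny", "reason": "second factor not allowed here"}
        # The step-up raises the session to the second factor's level.
        level = max(level, CONTEXT_LEVEL.get(second_factor, 0))
    if level >= policy["required"]:
        return {"action": "allow", "subject": subject, "level": level}
    return {"action": "step_up", "subject": subject, "level": level,
            "required": policy["required"], "methods": policy["step_up"]}


# Constructed sample: a password login through the federation IdP.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2014-01-17T10:00:00Z">
  <saml:Issuer>https://idp.example-federation.test</saml:Issuer>
  <saml:Subject><saml:NameID>student42@example.edu</saml:NameID></saml:Subject>
  <saml:AuthnStatement AuthnInstant="2014-01-17T10:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(decide("wiki", SAMPLE_ASSERTION))                         # allow
    print(decide("grades", SAMPLE_ASSERTION))                       # step_up
    print(decide("grades", SAMPLE_ASSERTION, AC + "TimeSyncToken")) # allow
    print(decide("hr", SAMPLE_ASSERTION, AC + "TimeSyncToken"))     # deny
```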
Annex: CloudID
Supplier
CloudID is a privately-owned Dutch company that offers services built around their
service called LionGate. CloudID operates in different markets and focuses on larger
organizations.
Review of this annex received: yes.
Product: LionGate
URL: http://www.cloudid.nl/en/liongate/what-is-liongate/
LionGate has existed since 2010 and started as a solution that uses an identity store (for
example Active Directory) of an organisation to perform authentication for cloud
applications; it also offers some access rights management for cloud applications.
LionGate was originally built on the open source version of A-Select, but now uses
Asimba, an A-Select fork, and in-house developed software.
Figure 6 Overview of LionGate
LionGate connects well to popular cloud applications like Google Docs, Salesforce.com,
Exact Online, Microsoft Office 365, Zoho and SAP Business ByDesign. It offers
provisioning and federated authentication and single sign-on. CloudID positions LionGate
as a solution that has a great ease of use.
LionGate also makes it possible to make use of several authentication methods for
different applications.
For one of their customers they also developed tight integration of LionGate with Citrix
XenApp.
On the non-functional side the following applies to LionGate:
● CloudID ensures that LionGate is run from Dutch data centres.
● No SLA details are available.
● Third-party data escrow is supported with a preferred, independent, provider.
● CloudID does not comply with ISAE 3402 and is not yet certified for ISO 27001.
The picture below summarises the main features of CloudID:
Figure 7 CloudID's IdMaaS functional decomposition
Legend (colour coding in the figure): not known or absent; yes or basic functionality; mature or advanced functionality.
How does it compare to SURFconext?
An interface from CloudID to SURFconext is possible as SURFconext may serve as an IdP
from LionGate’s perspective.
Annex: Covisint
Supplier
Covisint, USA
Covisint is a subsidiary of Compuware Corporation (USA) and had its initial public offering
at the end of September 2013. It is the oldest IdMaaS supplier, with over ten years of
operation. Having started out in the automotive industry, Covisint is today present in other
sectors like healthcare, energy, travel, manufacturing, financial services, life sciences,
and the public sector.
Review of this annex received: yes.
Product: Covisint Cloud Identity Service (CIS)
URL: http://www.covisint.com/idm
CIS is based on Covisint’s own software. Covisint claims CIS is being used by 80,000
organizations, managing over 18 million identities.
The architecture of CIS is displayed in the next figure:
Figure 8 Overview of CIS
The central element is the IDBridge, which performs the synchronisation of identities
(accounts) between a local identity store, e.g. an Active Directory or LDAP server, and
CIS. Furthermore the IDBridge takes care of the provisioning to local and cloud
applications, both just-in-time (JIT) and ahead-of-time (AOT), using SPML or custom bulk
uploads.
Registration of guests is available in the cloud IdP. CIS supports roles and groups. A
number of default roles, mainly administrator roles, are available, e.g. Application
Configuration Administrator, Individual Service Admin, Organization Service
Administrator, Security Administrator, User Account Administrator. Additional roles can
be configured.
Self service is offered, e.g. self-service registration, password reset, and access requests.
Delegated administration allows administrative users to delegate authorisation to
manage organisations, departments, applications, service packages (a set of applications
or services) and users. A number of default workflows is offered.
CIS provides for SSO across on-premise and cloud applications, optionally extended with
desktop SSO (for Windows computers).
CIS offers two-factor authentication as an optional add-on that can be enabled for all
applications, not for individual applications.
CIS offers a number of default reports: federation reports (use of federated applications),
administrative reports (about usage or security), and audit reports. In addition, CIS is
able to provide access and location information to an enterprise’s Security Information
and Event Management (SIEM) system.
CIS offers the ability to deliver secure access to data to a user’s mobile device. All key
system functions are available via APIs for (mobile) apps and applications.
Delegated authentication to social media IdPs (social logon) is supported.
On the non-functional side the following applies to CIS:
● Covisint adheres to the EU Safe Harbor Principles. It also has a data center
located in Frankfurt.
● Covisint is SSAE 16 certified.
● The minimum SLA is 99.5% and up to 99.999% SLA is available.
● Third-party data escrow is supported.
The picture below summarises the main features of CIS:
Figure 9 Covisint's IdMaaS functional decomposition
Legend (colour coding in the figure): not known or absent; yes or basic functionality; mature or advanced functionality.
How does it compare to SURFconext?
As with all IdMaaS suppliers, CIS will have to be connected to SURFconext in order to be
able to add value for the Dutch R&E community. CIS being a very feature-rich and
mature offering, it can form an interesting complementary service next to SURFconext.
And since Covisint is, according to Gartner, a leader in the IdMaaS industry, rapid adoption
of new standards and trends and response to customer demand by Covisint is very likely.
Annex: iWelcome
Supplier
iWelcome, Netherlands
iWelcome is a relatively young Dutch company, which has its roots in the IAM
consultancy and implementation company Everett.
Review of this annex received: yes.
Product: iWelcome
URL: http://www.iwelcome.com
iWelcome is a single-tenant cloud-based IAM solution, launched in 2011, combining
several open source products with custom solutions.
Figure 10 Overview of iWelcome
iWelcome provides a broad spectrum of functionality, both for authentication and
provisioning. For authentication most industry standards (SAML, OpenID, OAuth2, etc.)
are supported and a connection to the SURFconext Federation already exists. Strong
authentication can be realised through the iWelcome Authenticator App (iOS, Android,
Blackberry and Windows Mobile), Yubikey or generic OATH based solutions. Risk-based
access can be configured based on IP-range, location, device, etc. Access governance is
currently very limited in functionality and restricted to accounts in iWelcome’s own
Identity vault.
In terms of provisioning, iWelcome supports SCIM, SPML and custom connections
through SOAP and/or REST APIs. It maintains both its own identity vault and connections
to external LDAP/AD directories. Guest accounts can be added to the cloud identity vault
and provisioned back into the local directories. Groups can only be managed through the
local directories. iWelcome supports both self-service for the end user and delegated
administration.
As for reporting and auditing, all activity is stored in log files, which are parsed into
reports on the web-based dashboard and accessible for third-party applications through
an API.
On the non-functional side the following applies to iWelcome:
● iWelcome is ISO 27001 certified.
● The SLA guarantees 99.5% availability, upgradable to 99.9%.
● iWelcome is solely hosted in European data centres.
● Third-party SaaS and data escrow is not yet available.
The picture below summarises the main features of iWelcome:
Figure 11 iWelcome's IdMaaS functional decomposition
Legend (colour coding in the figure): not known or absent; yes or basic functionality; mature or advanced functionality.
How does it compare to SURFconext?
iWelcome is currently already connected to SURFconext and provides additional
functionality in terms of provisioning, access control and strong authentication. It boasts
guest account functionality tailored for higher education.
Annex: Microsoft
Supplier
Microsoft, USA
Their on-premise IAM product is called Forefront Identity Manager (FIM) and was
released in 2010. It is the successor of Identity Lifecycle Manager (2007). For many
organisations Microsoft’s Active Directory is their main (and only) IAM product.
Review of this annex received: no.
Product: Windows Azure Active Directory (WAAD)
URL: http://www.windowsazure.com/nl-nl/solutions/identity/
Windows Azure is Microsoft's cloud application platform, launched in 2010. In 2012
WAAD was introduced as Microsoft’s IdMaaS offering.
WAAD is currently a free service for which an SLA is not available. A paid-for version is in
the pipeline, however. WAAD supports a pure cloud scenario (accounts are registered
and stored in the cloud AD) as well as a hybrid scenario, where an on-premise AD is
connected to WAAD. The latter scenario is most likely for our constituency and provides
for SSO across on-premise and cloud applications, optionally extended with desktop SSO
(for Windows computers).
WAAD is relatively new and still undergoing major development, closely related to
improvements to Microsoft’s Active Directory Federation Services module as part of the
Windows Server platform. Improvements include risk and context-based access control.
Some IAM functions will be realised in the future with third parties’ products, e.g. for
access governance and self-service and management capabilities. The current set of
multi-factor authentication (MFA) solutions supported is rather limited: X.509 certificates
and phone-based (voice, text message, app), called Active Authentication. MFA can be
configured per user, not per application. Support for third-party solutions is on the
roadmap as is configuring MFA on a per-application basis.
Microsoft is rapidly connecting more and more cloud services to WAAD, from over 200 at
this moment to a planned 1000 by mid-2014. Hence WAAD will act as a broker for
access to cloud applications (like SURFconext) and includes identity synchronisation in
order to perform provisioning into the cloud or on-premise applications. Guests can be
registered in WAAD. Support for groups is still limited. Existing groups in the on-premise
AD can be provisioned to cloud applications if they support the new Graph API (not to be
mixed-up with the Facebook Graph API!). The same API can be used to define groups in
WAAD.
Simple reporting is currently available, but the feature set will be extended in the near
future.
Social logon is only supported in Azure for Microsoft Live.
Microsoft has a separate cloud service for mobile device management, called Windows
InTune.
On the non-functional side the following applies to WAAD:
● Microsoft adheres to the Safe Harbor Principles when it comes to privacy
regulations. Regional localisation (e.g. Western Europe) of WAAD is planned
due to customer demand.
● WAAD is SSAE 16 certified.
● Data escrow is possible through the API provided. Service escrow is not an
option.
The picture below summarises the main features of WAAD:
Figure 12 Microsoft's IdMaaS functional decomposition
Legend (colour coding in the figure): not known or absent; yes or basic functionality; mature or advanced functionality.
How does it compare to SURFconext?
In order to benefit from the cloud services connected to WAAD, a connection between
WAAD and SURFconext has to be made. This seems quite feasible.
At this moment WAAD does not offer much added value beyond the existing services of
SURFconext. But due to the many improvements in the pipeline or on the roadmap this
may change in the near future.
Annex: Okta
Supplier
Okta is a privately-owned company based in the US. Okta was founded in 2009. Okta is
one of the first providers of IAM from the cloud.
Review of this annex received: no.
Product: Okta
URL: http://www.okta.com
Okta integrates with existing directories and identity systems, as well as thousands of
on-premise, cloud-based and mobile applications, to enable IT to securely manage access
anywhere, anytime and from any device.
A number of very big IT companies use Okta as their identity solution.
Figure 13 Overview of Okta
On the non-functional side the following applies to Okta:
● Okta is SSAE-16 certified.
● Okta uses Amazon Web Services as its hosting provider; Amazon is ISO 27001
certified.
The picture below summarises the main features of Okta:
Figure 14 Okta's IdMaaS functional decomposition
Legend (colour coding in the figure): not known or absent; yes or basic functionality; mature or advanced functionality.
How does it compare to SURFconext?
An interface from Okta to SURFconext is possible as SURFconext may serve as an IdP
from Okta’s perspective.
Annex: PingOne
Supplier
Ping Identity, USA
Ping Identity is an international company, primarily based in the USA with offices in
Canada, Australia, Japan and the UK. It was founded in 2002 and has a strong focus on
single sign-on solutions.
Review of this annex received: no.
Product: PingOne
URL: https://www.pingone.com
PingOne was launched in 2012 as a cloud based SSO platform.
PingOne provides authentication to both cloud-based and on-premise applications based
on either SAML or a lightweight REST API. It supports strong authentication through one-time
passwords in text messages. PingOne provides no functionality for risk-based access
control, access governance or access request management.
PingOne does not have its own identity vault, but does support user and group
provisioning from on-premise directories to applications through SCIM and a number of
SaaS-specific non-standard protocols (e.g. Salesforce, Google, Workday, etc.).
Groups can be created and managed inside PingOne, but only for access control
purposes, not for further provisioning. Guest registration support was added just
recently.
PingOne provides basic reporting through the web-based management portal, but has no
support for auditing.
On the non-functional side the following applies to PingOne:
● PingOne is SAS70 type II certified, the predecessor of SSAE 16.
● PingOne does not advertise an ISO 27001 certification.
● The SLA guarantees 99.9% availability; reporting includes availability and
response-time statistics as well as incident history.
● PingOne is hosted in the USA and does not adhere to the Safe Harbor Principles.
Note that PingOne does not collect or store privacy-related user data; it is merely
a transport channel.
● Third-party escrow is not available.
The picture below summarises the main features of PingOne:
Figure 15 Ping's IdMaaS functional decomposition
Legend (colour coding in the figure): not known or absent; yes or basic functionality; mature or advanced functionality.
How does it compare to SURFconext?
From a technical point of view, PingOne can easily be connected to SURFconext.
PingOne’s main focus is on single sign-on and federation, which overlaps with
SURFconext. Its rather basic support for user provisioning—lacking an internal identity
vault—and strong authentication do not offer much added value over the functionality
already provided by SURFconext.
Annex: Sailpoint
Supplier
Sailpoint is a privately owned company based in the US. Sailpoint is one of the pioneers
in Identity and Access Governance software and already has a rich customer base with
their on-premise solution.
Review of this annex received: yes.
Product: IdentityNow
URL: http://www.sailpoint.com/solutions/sailpoint_products/identitynow
IdentityNow has existed since 2013 and is Sailpoint’s first cloud offering.
Figure 16 Overview of Sailpoint
IdentityNow provides an integrated set of governance, provisioning and access
management services for the business applications. Rich application connectivity options
allow IdentityNow to securely manage cloud and on-premise applications.
Furthermore IdentityNow provides SSO for cloud and on-premise applications, accessed
by PCs, tablets, and smartphones. It offers an app store or portal to achieve this and uses
SAML and OAuth as technology standards.
IdentityNow integrates with on-premise ‘Integrated Windows Authentication (IWA)’ to
enable single sign-on after a Windows login (desktop SSO).
On the non-functional side the following applies to IdentityNow:
● SailPoint completed a SSAE 16 audit.
● Sailpoint has all its data in the Amazon cloud and Amazon is ISO 27001 certified.
● Customer data remains primarily within the EU, as EU Amazon AWS locations are
utilized for hosting within the EU. Additionally, SailPoint adheres to Safe Harbor
Principles and is Safe Harbor certified.
● Sailpoint can offer 99.9% availability.
● Third-party data escrow is supported.
The picture below summarises the main features of IdentityNow:
Figure 17 Sailpoint's IdMaaS functional decomposition
Legend (colour coding in the figure): not known or absent; yes or basic functionality; mature or advanced functionality.
How does it compare to SURFconext?
An interface from Sailpoint to SURFconext is possible as SURFconext may serve as an IdP
from Sailpoint’s perspective.
Annex: Traxion
Supplier
Traxion is a privately-owned Dutch company that claims to be market leader in the
Benelux for IAM. Traxion provides consultancy, implementation and operational services
based upon third-party IAM software. Although Traxion is a well-known player in the
educational market, their focus has shifted towards the manufacturing and transport
industries.
Review of this annex received: no.
Product: IAM4Cloud
URL: http://iam4cloud.com
Note: Traxion brands IAM4Cloud for educational institutes as IAM4Education. In this
document we will use IAM4Cloud.
IAM4Cloud has been operational since 2011. It consists of various third-party products like FIM
(Microsoft), OpenAM, Symplified, and CloudMinder (CA).
IAM4Cloud supports various usage scenarios, ranging from on-premise hosted services
via hybrid to pure cloud services. For this study, the hybrid scenario with the user store
on premise is most relevant and depicted in the figure below.
Figure 18 Overview of IAM4cloud
IAM4cloud features a broad range of interfaces to connect with the on-premise user
store: AD, LDAP, web services, or a local Access Manager. Provisioning to both on-premise
and cloud applications is supported, but according to Traxion’s experience
provisioning proves to be a custom solution for most applications. The two provisioning
modes, just-in-time (JIT) and ahead-of-time (AOT), are supported. Within IAM4Cloud the
provisioning rules for applications are generally related to group memberships. When a
user is added to a group the applications will automatically be assigned to the user.
Other authorisation models are optionally supported.
Guest registration is supported in two ways: in the on-premise identity store or in the
cloud (Virtual Organisation scenario).
Groups are essentially used to exercise control over the packages of applications users
are allowed access to.
Self-service, by way of a user portal, is provided for password reset and access request
management combined with delegated administration.
SSO is supported both for on-premise and cloud applications. Legacy (on-premise)
applications can be added to the SSO domain thanks to the Symplified (proxy) product.
Thanks to the Microsoft technology used, desktop-SSO can be supported as well.
Support for two-factor (2FA) authentication is implemented in step-up mode, i.e. after
validating the username and password a second factor authentication method can be
configured per user, not per application. A number of third-party 2FA methods are
supported, like Entrust, RSA, the Belgian eID, biometrics, et cetera.
For reporting the default (basic) FIM reports are used. Custom reports are available on
request. The platform supports all standards-based integrations with third-party
monitoring and security information and event management (SIEM) tools.
While the products under the hood support identity & access governance (IAG) to varying
degrees, IAM4Cloud does not offer IAG as a standard option. Nor does it offer identity-based
device management or social logon.
On the non-functional side the following applies to IAM4Cloud:
● Traxion gives no guarantees as to where in the cloud the IAM4Cloud service is
running. On request a single-tenancy version of IAM4Cloud can be realised in one
of the UK or NL data centers, thus adhering to the EU privacy rules.
● Traxion is not certified for SSAE 16 or ISAE 3402.
● No SLA details are available.
● Third-party data escrow is supported with a preferred, independent, provider.
The picture below summarises the main features of IAM4Cloud:
Figure 19 Traxion's IdMaaS functional decomposition
Legend (colour coding in the figure): not known or absent; yes or basic functionality; mature or advanced functionality.
How does it compare to SURFconext?
An interface from IAM4Cloud to SURFconext is quite feasible due to the modular
character of IAM4Cloud. Depending on the organisation’s demand for IAM functions,
IAM4Cloud may well be in a position to deliver. The non-functional requirements need
some more attention in that case, though.