CyberRes NetIQ Identity Management

Identity management for on-premises deployment

2.5 Fair

Bottom Line

Micro Focus' NetIQ Access Manager checks many of the boxes for authentication policies and managing access to cloud apps, but falls short of its SaaS rivals in several ways.
Pros

  • Robust policy engine with support for dynamic evaluation of risk
  • Cloud-curated app catalog provides instant access to catalog updates
  • Flexibility for customizing deployment for hosting on-premises or in a private cloud

Cons

  • Self-hosted architecture requires more management and support overhead
  • UI isn't as intuitive as cloud-based competitors'
  • Weak integration support

CyberRes NetIQ Identity Management Specs

Authentication to On-Premises Apps
Directory Connector
Multiple Directory Integration
Multiple SSO Policies
Password Sync
Report Library
SaaS Provisioning
User Self-Service
User-Customizable SSO Portal

Micro Focus' CyberRes NetIQ Access Manager (we'll just call it "Access Manager") has competed in the identity management (IDM) space for years, even spending some time under the old Novell banner. This kind of history comes with high expectations and no small amount of curiosity about the maturity and innovation of the current solution. Access Manager is geared toward businesses looking to self-manage their IDM toolset, with options for running on-premises using individual software components or as a virtual appliance either on-prem or in a private cloud. Access Manager's identity component is part of a larger family of tools focused on identity and access governance for your enterprise. Although it caters to those who need on-premises deployment, Access Manager necessarily lacks the convenience and pricing advantages of SaaS-based IDM offerings such as our Editors' Choice award winners Okta and VMware Workspace One Access.

NetIQ Access Manager Installation and Components

Access Manager is a more traditional enterprise application than most of the others we reviewed this time around, although solutions like Ping Identity's PingFederate still cater to enterprise IT shops looking to tune individual components for performance, reliability, and security. The appliance-based installation offers flexibility of a different sort because it lets you set up Access Manager in a more controlled private cloud environment. Either option does require more in terms of installation, configuration, and maintenance than Identity as a Service (IDaaS) solutions, so unless your IT department is ready to absorb the additional workload (or pay for additional staffing), you may want to look elsewhere.

NetIQ Access Manager main dashboard

The four components of Access Manager are the administration console, identity server, access gateway, and analytics server. The roles of the admin console and analytics server are self-explanatory, with the administration console being the focal point for all configuration and policy changes and the analytics server handling the business intelligence and reporting end of things.

The identity server role handles authentication traffic, whether that be single sign-on (SSO) using protocols like SAML (Security Assertion Markup Language), authentication against Active Directory or LDAP, or even certificate-based authentication. Finally, the access gateway serves as a reverse proxy, allowing internet-based clients to securely access legacy web applications hosted internally.

The company offers a set of installation documents that highlight prerequisites, network and firewall requirements, and even the order in which components should be installed. Additional post-installation steps are required to configure local identity stores, including Active Directory or LDAP.

Managing Applications

One obvious concern with committing to an IDM solution hosted on-premises rather than buying a service is the update process. That's particularly true of any areas you really need to keep up-to-date, like your application catalog. CyberRes gets around this by curating the app catalog online and serving up the catalog data seamlessly through the admin console, which keeps the app catalog updated and flexible while also allowing your enterprise to maintain control over the platform as a whole.

NetIQ Access Manager app catalog

Applications in the app catalog can be installed in Access Manager through a set of steps very similar to the platform's IDaaS cousins. Once an app is selected from the catalog, there are some basics to configure such as identifiers for your instance in the web application, as well as which attributes from your directory should be utilized in the cloud app. Access for specific users can be defined using roles, with more advanced requirements such as specific authentication methods set using contracts (which we'll cover a bit more in a minute).

For apps not available in the app catalog, Access Manager offers a connector studio, which allows you to configure custom apps using forms-based authentication or SAML. Although most IDM suites provide a method to add custom applications, Access Manager does a stellar job of offering a wide variety of options while keeping things relatively intuitive. It also provides a template for defining federation instructions for sharing the connector with other parties (such as other IT shops within your enterprise).

NetIQ Access Manager Policy Management

Access Manager uses policies to manage authorization to applications and other corporate resources, assign roles, and manage attribute flow using logic-based rules. Authorization policies are configured using conditions. If the conditions are met, actions are triggered to allow or deny an access attempt or even enforce a specific contract (potentially requiring elevated authentication factors).

NetIQ Access Manager policy manager

Risk-based authentication policies provide a way to dynamically evaluate authentication attempts to determine how risky an attempt may be using factors such as geolocation, device fingerprint, or user history. The benefit of risk-based policies is the ability to leverage more intrusive authentication factors when an attempt is deemed to have increased risk.

There's a potential for false positives, which is certainly a concern, since users who are inconvenienced with additional authentication requirements or outright denied access to corporate resources ultimately cost your business time and money. But the alternative is either never requiring additional factors or requiring them all the time. Access Manager gives you a high degree of control over each of the factors associated with authentication risk.

NetIQ Access Manager smartphone client contract

Authentication contracts, though not technically considered policies within Access Manager, are used to configure how authentication to a particular identity store occurs. Contracts are defined in a specific identity server and determine which authentication methods should be invoked. If a user has already accomplished the authentication required by a contract, they are authenticated silently.
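The policy flow described above (risk conditions scored per attempt, an action of allow, deny, or enforce a contract, and silent authentication when the session already satisfies the contract) can be sketched as follows. This is an added illustration, not Access Manager's configuration format or API; the factor names, weights, thresholds, and contract names are all assumptions.

```python
from dataclasses import dataclass, field

# Constructed weights and thresholds (assumptions, tuned per deployment in practice).
WEIGHTS = {"new_country": 40, "unknown_device": 30, "odd_hour": 15, "recent_failures": 15}
STEP_UP_AT, DENY_AT = 30, 80
# Hypothetical contracts ranked by strength; a stronger one covers a weaker one.
LEVEL = {"password": 1, "password+otp": 2}

@dataclass
class Attempt:
    user: str
    country: str
    device_id: str
    hour: int                      # local hour of the attempt, 0-23
    failed_logins_24h: int = 0

@dataclass
class History:
    countries: set = field(default_factory=set)
    devices: set = field(default_factory=set)
    usual_hours: range = range(7, 20)

def risk_score(a: Attempt, h: History) -> int:
    """Sum the weights of every risk condition the attempt trips."""
    tripped = {
        "new_country": a.country not in h.countries,        # geolocation
        "unknown_device": a.device_id not in h.devices,     # device fingerprint
        "odd_hour": a.hour not in h.usual_hours,            # user history
        "recent_failures": a.failed_logins_24h >= 3,
    }
    return sum(WEIGHTS[name] for name, hit in tripped.items() if hit)

def decide(a: Attempt, h: History, satisfied: set) -> str:
    """Map the score to an action: allow, deny, or enforce a stronger contract."""
    score = risk_score(a, h)
    if score >= DENY_AT:
        return "deny"
    required = "password+otp" if score >= STEP_UP_AT else "password"
    held = max((LEVEL[c] for c in satisfied), default=0)
    if held >= LEVEL[required]:
        return "allow (silent)"    # contract already met in this session
    return f"enforce contract: {required}"

if __name__ == "__main__":
    hist = History(countries={"AU"}, devices={"laptop-1"})   # constructed sample
    print(decide(Attempt("alice", "AU", "phone-9", 10), hist, {"password"}))
```

The false-positive trade-off the review mentions lives in `WEIGHTS` and the two thresholds: lowering `STEP_UP_AT` prompts more users for a second factor, raising it lets more unfamiliar-device logins through on a password alone.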

Access Manager Pricing

Micro Focus offers perpetual licenses for Access Manager for $20 per user, or $8.40 per user on an annual subscription basis. Software maintenance costs run an additional $4.50 per managed identity per year. Overall, NetIQ Access Manager doesn't have the benefits of an IDaaS platform or a clean, intuitive UI like the other solutions we've reviewed. However, if your priorities run more toward the need for control over the infrastructure and configuration behind your IDM platform, Access Manager may be worth a look.

About Tim Ferrill