See our complete list of Top SSO Solutions
IBM Security Access Manager (ISAM) is feature-rich but on-premises only. IBM is playing catchup through another SSO product for the cloud known as Cloud Identity. Current IBM customers and enterprises looking for a feature-rich, on-premises deployment with high throughput should consider ISAM. Those looking for a cloud deployment, though, should test Cloud Identity carefully.
IBM has two SSO solutions. Its on-premises product, IBM ISAM, is an access management and authentication platform that includes a reverse proxy enforcement point, a policy decision point and policy information points. ISAM provides several authentication mechanisms out of the box, as well as an extensible interface and prebuilt integrations with several third-party authentication vendors.
The identification as a service (IDaaS) solution, Cloud Identity, provides federation (OIDC and SAML 2.0) and API-based multifactor authentication and SSO for applications. It is integrated with IBM’s Mobile Device Management Solution for mobile device SSO and risk analysis and connectors.
IBM has recently enhanced its access management products to include the following:
- A ‘single click’ button to establish a connection from on-premises ISAM to IBM’s Cloud Identity IDaaS platform. This allows adoption of cloud-delivered IAM for resources in the cloud without needing to immediately relocate user repositories or disrupt existing application connections in the enterprise.
- A Docker version of its on-premises SSO platform, ISAM, so that access security can be deployed along with applications and microservices.
- Authentication partners for IBM Security App Exchange, which hosts code to integrate a variety of authentication solutions with IBM Access Management solutions.
- Support for user presence, one-time password (OTP) and fingerprint biometrics via the IBM Verify app, available for both iOS and Android.
Markets and Use Cases
IBM’s authentication solutions are deployed in finance, government, communications, insurance and manufacturing verticals. Common use cases include the following:
- Mobile access and SaaS application protection
- Consumer or citizen-facing authentication
- Integration with fraud detection for deep profiling of users’ geo-location or devices (DeviceID), including spoofing attempts of these elements, and holistic Identity Risk evaluation to facilitate highly granular two-factor authentication decisions for optimized balance of security and user experience.
Certifications in ISO27001 and FIPS 140-2 Compliance. IBM is also pursuing FIPS Certification and Common Criteria Certification.
ISAM has a policy engine to define complex risk-based authentication (RBA) policies using a rules-based interface to enforce a variety of authentication mechanisms based on decisions made using risk scores calculated from a range of attributes. IBM Trusteer Pinpoint Detect transparently builds user profiles based on a multitude of data points and risk parameters to authenticate users continuously and seamlessly differentiate between legitimate and fraudulent accesses. Trusteer Pinpoint Detect incorporates cognitive behavioral biometrics capabilities, using patented analytics and machine learning for real-time cognitive identity and fraud detection. ISAM also has pre-built integration with IBM’s Security Intelligence platform, QRadar, for insider threat protection based on user behavioral analytics.
IBM Verify sends a push notification a user’s registered device requesting approval or denial of the transaction or login attempt with an accompanying device capable of fingerprint or facial recognition. IBM also supports partner biometric solutions via the IBM Security App Exchange including biometric solutions from partners such as BioConnect, Crossmatch and ImageWare.
ISAM has enterprise customers with hundreds of thousands of users that manage millions of requests daily. Performance stats for ISAM include the following:
- Throughput: Up to 1.3 Gpbs or 42,000 requests per second
- Latency: Down to O.8 ms
- Large-packet throughput: Up to 1.2 Gpbs
- Small-packet throughput: Up to 42,000 requests per second
- Authentication throughput: Up to 42,000 requests per second
For the IBM Cloud Identity Connect and IBM Security Access Manager hybrid models, agents are not traditionally required as they utilize standard federated single sign-on flows. For on-prem enterprise single sign-on solutions, IBM Security Access Manager may require an agent to be deployed on backend target enterprise applications.
ISAM: Physical hardware appliance, prices per appliance
Virtual appliance: Per processor value unit (PVU) or per user value unit (UVU)
Cloud Identity: Broken down by employee and eligible participant; eligible participant licenses are sold in packs of 100, starting at $2.50 per employee per month.