As the IT landscape becomes more complex and sysadmins must provision users to an increasing number and variety of resources, many admins search for user provisioning software to add to their stacks. However, not all user provisioning software works the same way or has the same capabilities, so we’ve developed this resource to help guide the search for the right tool.
Evaluation Checklist
As you evaluate your options, the following questions can help you identify specific needs:
Do you anticipate that your organization will add users or grow substantially (e.g. merger, acquisition, or scaling)?
If your organization plans to scale, you’ll want to ensure your user provisioning software can accommodate both your current environment and any future changes that come with growth. If your organization is a Windows®-only shop right now, will the user provisioning software accommodate the acquisition of a Mac® shop?
What resources do you need to provision users to (think: systems, networks, file servers, apps)? Do you anticipate growing adoption of SaaS apps?
As with the above question, the user provisioning software you use needs to accommodate a wide breadth of resources, including SaaS apps and productivity suites like G Suite™ or Office 365™. If you anticipate that your organization’s portfolio of SaaS apps will grow, you’ll want to select a solution that enables single sign-on (SSO) as well.
What protocols are vital to your provisioning functions?
Do you need RADIUS functionality to authenticate users to networks? Do you need LDAP functionality to authenticate users to legacy apps, Samba file servers, and NAS appliances? Do you need SAML functionality for SaaS apps? Certain user provisioning software can provide these capabilities without additional servers or difficult networking requirements.
Do you need to achieve regulatory compliance?
Depending on your industry, you’re likely subject to a number of compliance regulations about your identity and access management (IAM) strategy. The right user provisioning software can help you achieve compliance.
Do you want to automate your user provisioning workflow?
The right user provisioning software can enable user provisioning automation with tools like group-based provisioning, PowerShell, and REST-based APIs. For example, these tools may use industry-standard protocols such as SAML JIT and SCIM to support a wide array of web applications.
What directory service, if any, do you use currently?
If you use Active Directory® (AD) as your central IAM solution, it’s worth taking stock of which resources it’s actually managing on its own. Are you using additional solutions for Mac machines and for SSO? It’s also worth considering whether AD is still the most effective directory or if you meet common use cases for migrating to a modern directory service.
If you don’t have a directory service in place already or are looking for an alternative, can you find a modern directory service with comprehensive user provisioning capabilities?
We’ll now apply these questions to a couple of scenarios: one in which you have Active Directory and want to extend it with additional user provisioning software, and one in which you leverage a cloud directory service with included user provisioning capabilities in place of AD.
Extend Active Directory
If you already have Active Directory in place as your directory service, the above questions can help you choose user provisioning software that will federate AD identities to resources it struggles to manage natively.
Ideally, you’ll find an all-in-one identity bridge so you only need to manage one additional tool, rather than one tool to manage Mac systems, another to enable web application SSO, and other tools as needed. Maintaining a collection of point solutions is more costly and complex, and consolidation should be the goal.
Implement Cloud Directory Service
Maybe you’re facing a Windows Server 2008 end-of-life or have decided not to replace aging domain controllers, or maybe you’re seeking a directory service for the first time. Either way, a cloud directory service with broader user provisioning capabilities is an avenue to consider.
Rather than selecting user provisioning software to layer on top of an AD instance, you can implement a cloud directory service that acts as a central identity and access management platform by itself.