In SWITCHaai, identity management is entirely the responsibility of the organisations participating as identity providers in the federation. With its successor, the Swiss edu-ID, elements of identity management tasks will be performed by SWITCH. SWITCH has conducted a market analysis (RFI) with the aim of identifying existing identity management products that fit the Swiss edu-ID requirements, evaluating these products, and making a recommendation on the next steps in the project.
The RFI was conducted between April and June 2016 in two phases. First, a questionnaire of ca. 70 questions and 30 use case descriptions was sent to 25 vendors and/or integrators in the field of identity management products and services. In a second step, representatives of the four top-rated products were invited to present and discuss their solution concept at individual workshops.
The questionnaire analysis yielded the following main findings:
- Most products primarily address a corporate environment. The business-to-customer scenario of the Swiss edu-ID is supported to a lesser extent. It is therefore unsurprising that off-the-shelf products provide only partial coverage of our requirements.
- The evaluated products follow different integration approaches. Some products provide a flexible customisation architecture which effectively reduces the required development effort. Other products are less customisable and need to be extended through programming. Extensions require APIs; these are available and mostly well documented.
- Regardless of how a product is integrated, the know-how and experience required are considerable, and hence the customer has to make a big investment.
- Vendors provide different perspectives in terms of a sustainable cooperation model. Some are going through consolidation phases, others tend to bind the customer to the integrator, and some are better prepared for more independent customers with appropriately skilled staff.
- The license models of all closed source products are based on a per-user scheme, regardless of each user's activity level. As the Swiss edu-ID project expects significant numbers of inactive accounts, either a flat rate or a licensing model clearly distinguishing between active and inactive accounts is required.
- Commercial products dominate the market. Only a few open-source products are available.
The outcome of the product evaluation workshops was that no clear single winning product was identified. The evaluation team has agreed to further investigate the product Apache Syncope together with the integrator and main contributor Tirasa. Apache Syncope provides a well-developed and configurable workflow engine as well as a documented API for extensions. It allows starting in a small configuration that can be gradually extended over time. The cooperation model is promising, and with appropriate commitment by SWITCH, the product roadmap could be influenced, which would also help secure investments. However, the fact that the community and the company for professional services are relatively small poses a risk.
The evaluation team recommends building a clearly scoped prototype based on Apache Syncope that implements the functions of the currently operational Swiss edu-ID infrastructure and a number of additional use cases. If the product is not suitable for the future Swiss edu-ID service, the competing short-list products or an alternative open-source product will have to be reconsidered.
The full public report is available on the Swiss edu-ID project website. A confidential version of the report with more details is available for members of the SWITCH community on request from the Swiss edu-ID project members.