Ashraf Motiwala has some interesting thoughts about why IdM POCs are “difficult”. Mike Trachta follows up with why the successful POCs cause headaches for the SIs that have to produce the wonderful scenarios shown in the POCs. Both of these posts are worth reading.
I would like to throw my two cents in as the developer backstopping both the sales engineer doing the POC and the SI putting together the production system.
IdM POCs and the rollout that follows are very difficult for two main reasons. First, the customer is often already in a bad way and is looking for a magic bullet. The IdM salesman has sold him on the IdM product as a most magical bullet that will make their problems go away. Solve all your identity problems! Out of the box! Easy as pie! The winner of the POC is often the sales engineer who makes their demo as close to this fantasy as possible. Then the brunt of making that fantasy a reality falls on the SI and, depending on the size and motivation of the vendor, the product development team.
This is a very bad way for an enterprise to solve its identity problems. Lost is the trade-off analysis that should be happening. For example, when the POC focuses on provisioning Unix accounts, there is never any discussion about externalizing the identity (via PAM or a similar framework) rather than synchronizing it. This kind of logic leads to deployments that are difficult to maintain, don’t scale, and need major follow-on investments as the IT infrastructure changes. Instead of running a POC to see who has “The Most Magical Bullet”, enterprises would be better served by crafting a long-term IdM strategy and choosing the vendor whose product best aligns with it.
The second reason IdM POCs are so difficult is that so few IT systems support externalized identity. This is an old hobby-horse of mine, but everyone who has done IdM POCs knows the pain I am talking about. And of course there is little in the way of identity standards deployed in most enterprise systems, with the exception of LDAP (or at least the AD flavor of it).
Until those two things change, IdM POCs will continue to be difficult. And the vendor with the Most Magical Bullet will continue to win, often to the long-term detriment of the customer.