Terminology Comparison: MIM vs SailPoint IDN

So I’ve been learning SailPoint IdentityNow (IDN) and I am rattling my brains trying to match what I know about MIM and make sense in my brain and relate to the terms and how they are the same/similar but have different names in each product.

I have done up a little comparison table showing the most common things I have understood till date and tried to put it in words the way they are termed differently in MIM and IDN.

I am not an expert in either and not saying they are essentially correct or which product is better than other (btw there is no right answer to that – each have clear pros and cons depending on what you want in a product) but just trying to bridge the gap on understanding what they are in each.

 MIMSailPoint IDN
Data TypeHas various like integer, string etc.Everything is defined as string essentially.
ConnectionDirect via MA which has config parameters.Done via a VA (Virtual Appliance) which is a lightweight custom Linux VM deployed at customer side (think of it as a secure tunnel from cloud IDN to your network).
Management Agents (MA)Individual connectors connected to sources.Called a Source - Downstream or upstream.
Connector Space (CS)Staging area for data in a connector.Shows up in the Accounts tab in the Source.
DisconnectorsObjects which had not connected to MV.Called "Uncorrelated Accounts" under the import data tab of the source.
Metaverse (MV)Where all the identities are connected to each MA and the fullest form of it in essence.Identity List which has links to all the sources.
Projection & ProvisioningEach MA has the rules and mappings to project a CS into MV and to the external source as well.Each Identity Profile has a mapping against a source and also provisioning rules. Sources which have an Identity Profile are also called Authoritative Source and ones which't don't are called Non-Authoritative.
Join RulesRules which join CS objects to MV based on defined criteria.Called "Correlation" in the Source where we define those criteria.
GroupsAD or MIM GroupsCalled Entitlements. It doesn't show groups as MIM does i.e. Group Management is not a thing. You do User Management with entitlements i.e. group membership.
ImportImporting objects from a connector to CS.Called "Account Aggregation" or "Entitlement Aggregation" which brings in the data.
AD Password Sync from DCDone via PCNSDone via PWI (Password Interceptor)
AD WriteDirect via ADMANeeds a domain joined computer with IQService installed.
Automation of logicSets / MPR and Workflows in MIM Portal.Does it via Access Profiles , Roles and Identity Profiles in IDN Portal.
Advance RulesDone via Workflows and other advanced methods like MIMWAL etc.Called Rules written in JAVA/BeanShell wrapped with XML.
Under the hood configLot of config is exported and modified in XML.Extensive API access mainly giving JSON outputs with few XML as well.

Feel free to correct me where I am wrong and / or if you want me to add something else or explain something more in details, do reach out.

Hopefully it made sense to someone!!!

Changing Gears: BBye FIM/MIM – Welcome SailPoint

Been working on FIM/MIM for over 6 years now I think and finally time has come to change to something new. FIM/MIM is good for basic syncs etc but when it comes to reporting and PAM solutions among other things, it lacks teeth. But it is good to know all competitors from marketing and implementation point of view. You know the pros and cons of each!!!

Extremely happy to join the SailPoint Crew and represent them Down Under. They are the market leaders in Identity Governance & Administration. The Gartner report speaks of itself and the difference between the competitors.

Going from one extreme end of the graph to the other. It’s certainly going to be challenging and fun. Looking forward to it!!!

So hopefully I should blog more about SailPoint in the coming weeks from now on.

#ChallengeAccepted

Comparison: Microsoft Azure B2C vs Okta Identity Cloud

Just something one of my colleagues had written up and thought was interesting to share. I don’t take credit for it nor full responsibility of accuracy of it. Feel free to rebuttal.

FeaturesMicrosoft Azure B2COkta Identity Cloud
Ability to protect other application's API using OpenID Connect and OUATH protocol/frameworkYesYes
API based enrolmentYes but can't register a phone number that will be used as a MFA factor. The reason being not able to do this is because of OpenID Connect restriction over impersonation principle. This feature might come in 2019.Yes. But Okta user management is not yet OAUTH/OpenID Connect compliant
Federated SSO based on SAML and OpenID ConnectYesYes
Force Password ChangeNo (not out of the box but can be done through customisation)Yes
Identity Lifecycle Approvals (both for self-enrolment, API triggerred enrolment)NoYes (very suitable for Okta to act as external identity onboarding tool)
MFA FactorsOTP over SMS and Voice Call (Officially). Microsoft App (Separate commercials, professional service engagement and not out of the box at the moment. Official support is expected in 2019)OTP over SMS & Voice Call, Octa Verify Mobile App TOTP and Push Notification, Security Questions, Fido U2F, RSA SecurID, FIDO2 Microsoft Hello (very good range of MFA options - a major strength)
Non federated SSONo (It's designed as not to be)Yes (a major strength)
Notification templates customisations (SMS and Email)only EmailBoth Email and SMS
Password RecoveryYes (only SMS/Voice Call/Email OTP as Identity Proofing methods)Yes (all MFA factors can be identity proofing methods)
Programming support for customisationC#. (Java Script support is expected in 2019)C#, Java, Java Script (a major strength)
Risk Scoring and Step-up MFA (Adaptive/Contextual)NoNo. Okta Threat Insight product is in beta phase now. They would be integrating with Okta Identity Platform in 2019. Currently Okta Identity Cloud support a tightly coupled MFA policy when it comes to IP/network zones, black listed countries, region/location, devices etc.
Self-activation of credential such as setting a password post enrolled through an APINo (a major drawback)Yes
Syncing from on-premise ADYesYes
User Interface Customisation and support of CORS (cross origin resource sharing)Yes (But require Custom Sign On policies for flexibility) and a separate Azure Blob storage subscription.Yes. Very flexible to host custom pages in Okta Identity Cloud tenant and also for pages hosted in remote servers.
User management API compliant with OpenID Connect and OAUTHYes (major strength on security here)No (Proprietary protocol at the moment. Quite surprising)
User to Application access mappingNoYes (pretty good on security here)
Web based self-enrolment and activationYesYes

MIMWAL Boolean Comparison: Did I do it wrong?

So I had to do some complex workflows for a client. And you know MIMWAL is best for that.

Now I was going to use the Eq() built in function to do a comparison to see if the attribute is coming back is true. The attribute I was comparing to was a boolean. So in the workflow I used an update resource type and had an activity execution condition that if the attribute is true then run the update. 

Naturally I tried this to being with

Umm, didn’t work. Should have matched and executed the WF. Tried various other ways

On doing some debugging I saw that WAL was doing a string comparison to a Int64 type and coming back as a False match even on a (‘True’,’True’) condition.

Then tried something different

Voila!! That worked. Well I don’t know if I did something or if this is the only way to do a boolean comparison in the Eq() function but hey it worked for me.. 

Mental note!!!

Edit: So as per comment below did some more testing and the following execution condition code worked 🙂 even with false value it looked for true. 

See.. I told you I did something wrong 🙂