The initial setup of IdentityGuard was about as complicated as we expected, given the feature set of the product. That said, it wasn't an especially difficult process, and the installation guide was written in such a way that we were never left wondering what the next step was. Since we were testing with Active Directory as our user repository, we needed to extend our schema with an LDIF file provided by Entrust. We then ran the IdentityGuard installer file, choosing to use the integrated Tomcat application server. After completing that process, a configuration panel appeared that guided us through setting up the link to Active Directory, product licensing and the first IdentityGuard administrator.
Supported on Linux, Solaris, Oracle and Windows servers, IdentityGuard is a highly flexible solution. Providing authentication for workstations, applications and VPNs, it supports a number of different authenticators, including software and physical OATH tokens, grids, smartcards, machine identity and geolocation based on IP. The product is SAML 2.0 compliant, and comes with built-in support for Salesforce.com, Google Apps and Office 365.
A very interesting innovation, however, comes by way of Entrust's mobile smart credential application. Available for iOS, Android and BlackBerry, mobile smart credential uses either a mobile phone's near field communication chip or the Bluetooth stack to emulate a smartcard, allowing users to log into their workstations and applications just by having their mobile phone present, with the workstation seeing the phone as a standard smartcard. Considering the fact that IdentityGuard can be integrated with physical access control systems, the possibilities for its mobile technology become clear.
We also liked the fact that IdentityGuard offers very granular lockout policies, allowing administrators to set authentication failure thresholds on a per-method level. So for example, say a system requires a standard password and either a one-time password or a grid authentication. The end-user just can't seem to figure out how the grid works, and consistently inputs the wrong information. Rather than locking the user's entire account, the system simply locks out that user's ability to use the grid, and forces the one-time password method. Couple that with the product's self-service modules, and users are empowered to manage their own credentials without making numerous trips to the help desk.
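A minimal model of the per-method lockout behaviour described above, as an added example that is not Entrust's code or API. The class, method names and thresholds are hypothetical and chosen only to mirror the password plus one-time-password-or-grid scenario.

```python
from dataclasses import dataclass

@dataclass
class Method:
    threshold: int      # consecutive failures tolerated before this method locks
    failures: int = 0

    @property
    def locked(self) -> bool:
        return self.failures >= self.threshold


class PerMethodLockout:
    """Policy modelled: password AND (otp OR grid), one counter per method."""

    SECOND_FACTORS = ("otp", "grid")

    def __init__(self, thresholds: dict[str, int]):
        self.methods = {name: Method(limit) for name, limit in thresholds.items()}

    def record(self, method: str, success: bool) -> str:
        """Record one attempt and return 'ok', 'failed' or 'locked'."""
        state = self.methods[method]
        if state.locked:
            return "locked"          # a locked method is refused even with correct input
        if success:
            state.failures = 0       # a success clears only this method's counter
            return "ok"
        state.failures += 1
        return "locked" if state.locked else "failed"

    def usable_second_factors(self) -> list[str]:
        return [m for m in self.SECOND_FACTORS if not self.methods[m].locked]

    def account_usable(self) -> bool:
        # Sign-in stays possible while the password and one second factor are unlocked.
        return not self.methods["password"].locked and bool(self.usable_second_factors())


def grid_failure_scenario() -> PerMethodLockout:
    """Constructed scenario from the review: the user keeps getting the grid wrong."""
    policy = PerMethodLockout({"password": 5, "otp": 5, "grid": 3})  # constructed thresholds
    policy.record("password", True)
    for _ in range(3):
        policy.record("grid", False)
    return policy


if __name__ == "__main__":
    p = grid_failure_scenario()
    print(p.usable_second_factors(), p.account_usable())
```

When reviewing a real policy, the case to check is the last one in the model: once every permitted second factor is locked, per-method lockout becomes an account lockout in effect.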
The one thing we didn't like was that there is no built-in support for biometric readers. While biometric data can be captured through the smartcard enrolment process and stored on a smartcard, there's no way to simply scan a finger and log in to a workstation or application without third-party utilities.
Entrust did a fantastic job with its product documentation. It has made available planning, installation and deployment guides for each module, along with user guides for the client pieces. It's all clearly organised and indexed, bookmarked and hyperlinked, with clear screenshots where appropriate.
Entrust has three levels of support: silver provides 12/5 phone and email support; gold expands those hours to 24/5; and platinum expands them even further to 24/7. Entrust also offers 24/7 emergency support for non-platinum subscribers, and it hosts a FAQs section and a knowledgebase on its website.
At a cost of approximately £5* per user, IdentityGuard is surprisingly affordable, given the impressive feature set. Its support plans are billed annually, with silver costing 18 per cent of the total solution cost, gold costing 20 per cent and platinum at 22 per cent.
(*Converted from US dollars.)
A good choice at the right price with a decent feature set