Of all the contenders here, MIIS (Microsoft Identity Integration Server) 2003 stands out in two ways. First, it’s by far the cheapest, at least at first glance (more on that later). Second, it’s unique in leveraging several features of Windows, as well as other Microsoft tools, to accomplish tasks other identity management servers handle alone.
For example, publishing our corporate white pages took only a few minutes using Windows SharePoint Services and AD. One of our requirements was that only HR personnel be able to see birth dates and Social Security numbers through the intranet directory. As it turned out, Microsoft didn’t even need to set up special permissions within the white pages because SharePoint can respect AD permissions.
MIIS was needed here only to provide the self-service password change function. MIIS includes an ASP application that integrates with SharePoint for this, allowing users to change their SSO passwords and have the change pushed out to all of the applications they use. Even cooler, you can link this app not only to the SharePoint white pages but also to Windows desktop-based password changing tools, so users can change the password for all their network resources from Ctrl-Alt-Del or User Accounts in the Control Panel.
The only potential stumbling blocks for Microsoft in our Windows-centric test network were the Linux-based e-HRMS and webERP applications. Microsoft managed SSO the same way for both apps, using neither Windows nor MIIS but a $600 third-party MIIS add-on called Centrify DirectControl.
DirectControl agents turned each Linux system into AD clients that used the Kerberos ticket associated with Harry’s AD authentication to manage log-ins to e-HRMS and webERP. The upside is that it worked. The downside is that — as opposed to Windows apps, which can receive authorizations from MIIS — the Linux-based applications still needed to be configured with a Harry log-in.
Ironically, Microsoft stumbled a bit during our Fergenschmeir AD migration. Company engineers managed the initial cross-domain trusts easily enough (again using AD tools, not MIIS), but the directory migration itself, which they tackled using ADMT (Active Directory Migration Tools), required several attempts before they figured out the right syntax. This served to illustrate how many different skill sets Microsoft requires versus some of the other vendors in this roundup. Both Novell and Sun, for example, required only experts in their identity management solutions to step through all our scenarios. Microsoft required knowledge of MIIS, AD, Exchange, and a couple of third-party tools as well. And here’s where additional costs may arise when implementing Microsoft’s solution.
Microsoft used the second third-party tool, NetPro MissionControl for MIIS, in the security portion of our test. Because MIIS continuously monitors all accounts on the network, it had no problems detecting Harry’s violation. Microsoft merely configured an MIIS rule to forbid all admin accounts created outside of MIIS. As soon as Harry created his illegal account, MIIS spotted and disabled it. Fast.
But MIIS couldn’t easily tell anyone about Harry’s faux pas. Using MIIS alone, finding the violation requires sifting through reports. NetPro MissionControl provides the alerts administrators need to take swift action.
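The rule described above, reduced to its essentials as an added example that is not MIIS or NetPro code: it assumes a snapshot of directory accounts and the set of logon names the identity system itself provisioned, both constructed here, and shows the disable step plus the alert record that MIIS alone did not surface.

```python
"""Reconcile privileged accounts against the identity system's provisioning ledger.

Constructed example: a directory snapshot (what exists) is compared with the set
of accounts the identity-management server provisioned. Any admin account outside
that set breaks the "no admin accounts created outside the IdM" rule: it is
disabled and an alert record is produced for the operations team.
"""
from dataclasses import dataclass


@dataclass
class Account:
    name: str              # logon name (constructed sample data)
    is_admin: bool         # member of a privileged group
    enabled: bool = True


@dataclass
class Alert:
    account: str
    reason: str


# Built-in accounts that predate the IdM and are exempt from the rule (assumption).
BUILT_IN_EXEMPT = {"Administrator"}


def find_rogue_admins(snapshot, provisioned):
    """Return enabled admin accounts that the IdM did not create and that are not exempt."""
    return [a for a in snapshot
            if a.is_admin and a.enabled
            and a.name not in provisioned
            and a.name not in BUILT_IN_EXEMPT]


def enforce_admin_rule(snapshot, provisioned):
    """Disable each rogue admin account and emit an alert; return (disabled names, alerts)."""
    alerts = []
    for acct in find_rogue_admins(snapshot, provisioned):
        acct.enabled = False   # the corrective action taken in the test
        alerts.append(Alert(acct.name, "admin account created outside the identity system"))
    return [al.account for al in alerts], alerts


# Constructed sample data standing in for the AD snapshot and the IdM ledger.
PROVISIONED = {"jdoe", "jdoe-adm", "harry"}
SNAPSHOT = [
    Account("Administrator", is_admin=True),
    Account("jdoe", is_admin=False),
    Account("jdoe-adm", is_admin=True),
    Account("harry", is_admin=False),
    Account("harry2-adm", is_admin=True),   # created by hand, not via the IdM
]

if __name__ == "__main__":
    for al in enforce_admin_rule(SNAPSHOT, PROVISIONED)[1]:
        print(f"ALERT: {al.account}: {al.reason}")
```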