
Identity Management Product Feature Details


28 July 2017
Legend
Advantage. The product is significantly better than competing products.
Average. The product has an average quality.
Disadvantage. The product is slightly worse than competing products.
Warning. The product has a serious disadvantage that can be critical for deployments.
The points are awarded in accord with the evaluation methodology.
Products compared: Commercial average | CzechIDM | midPoint | OpenIAM IDM | OpenIDM | Apache Syncope
Project information
Commercial average | CzechIDM | midPoint | OpenIAM IDM | OpenIDM | Apache Syncope
License
Commercial average: Proprietary
CzechIDM: LGPL
midPoint: Apache 2.0
OpenIAM IDM: not clear. We could not find proper licensing information either on the website or in the source code. Most source code files do not have any licensing header. A few source code files have an LGPL header; however, the pom.xml file refers to the Apache license. Project information on openhub.net shows GPL3 as the license.
OpenIDM: CDDL
Apache Syncope: Apache 2.0
Evaluated version
Commercial average: N/A
CzechIDM: 2014q1.2
midPoint: 3.1
OpenIAM IDM: 3.2.2
OpenIDM: 3.1
Apache Syncope: 1.2.2
Date of evaluation
Feb 2015 for all six columns.
Primary supporters
Commercial average: N/A
CzechIDM: BCV solutions s.r.o.
midPoint: Evolveum and partners
OpenIAM IDM: OpenIAM
OpenIDM: ForgeRock
Apache Syncope: Tirasa, Apache Foundation
Suitability
Commercial average | CzechIDM | midPoint | OpenIAM IDM | OpenIDM | Apache Syncope
Enterprise: Employees
What is this? Management of enterprise employees. Requires good RBAC, support for complex organizational structures and entitlements, excellent provisioning capabilities, reasonable reporting and governance.
Commercial average: Good RBAC, some support for organizational structure, usually no or very weak support for synchronization of organizational units and entitlements, delegated administration, workflow. Governance.
CzechIDM: Basic RBAC. Basic support for organizational structure (single tree) is likely to prove very limiting for a modern enterprise. Limited to synchronization of accounts. Only very basic delegated administration. It is likely to work only for very simple deployments. Non-standard workflows. No governance.
midPoint: Excellent RBAC, excellent support for organizational structure (both functional and project-based), synchronization of organizational units and entitlements, delegated administration, workflow - all present out of the box. Only governance is mostly missing.
OpenIAM IDM: Based on SOA. Reasonable RBAC, basic organizational structure support, very simple delegated administration, workflow. Some governance features.
OpenIDM: Poor RBAC, almost no support for organizational structure out of the box, no direct support for entitlements, delegated administration needs to be developed using custom code. Governance is mostly missing.
Apache Syncope: Reasonably good RBAC, group synchronization, privilege delegation, workflow. Governance is mostly missing. But no organizational structure support and no delegated administration.
Enterprise: Customers
What is this? Management of enterprise customer identities. Requires scalability and good provisioning capabilities. Organizational structure and RBAC are much less important. Governance is usually only an obstacle here.
Commercial average: Heavyweight and non-scalable architectures. Heavyweight parts cannot normally be turned off (e.g. workflows). Any modifications to make the products lighter are likely to void the warranty and support.
CzechIDM: Heavyweight parts cannot be turned off (e.g. workflows) and are likely to be an obstacle to scalability. Locked to a relational database. NoSQL support almost impossible.
midPoint: Lightweight and scalable architecture. Heavyweight parts can be turned off (e.g. workflows).
OpenIAM IDM: Heavyweight architecture. Limited throughput and scalability. Heavyweight components cannot be disabled as the architecture is based on them. Practically bound to a relational database. NoSQL support is almost impossible.
OpenIDM: Lightweight and scalable architecture. Heavyweight parts are not present, therefore there is no need to turn them off. However, a lot of functionality needs to be developed using custom code, which can make the deployment very costly.
Apache Syncope: Lightweight architecture. Heavyweight parts can be turned off (e.g. workflows). Architecturally locked to a relational database. Support for NoSQL not practically possible.
Cloud
What is this? Use of IDM inside cloud service deployments, e.g. integrating applications in SaaS clouds or directly exposing functionality as IDaaS. Requires scalability. At least basic support for RBAC and organizational structure is also required. Multi-tenancy is critical.
Commercial average: Heavyweight and non-scalable architectures. Heavyweight parts cannot normally be turned off (e.g. workflows). Any modifications to make the products lighter are likely to void the warranty and support. Usually no multi-tenancy support and no practical way to achieve it.
CzechIDM: Heavyweight parts cannot be turned off (e.g. workflows) and are likely to be an obstacle to scalability. Locked to a relational database. NoSQL support almost impossible. No multi-tenancy support.
midPoint: Lightweight and scalable architecture. Partially multi-tenant.
OpenIAM IDM: Heavyweight architecture. Very complex. Very resource-hungry. Limited throughput and scalability. Heavyweight components cannot be disabled as the architecture is based on them. No multi-tenancy support. Practically bound to a relational database. NoSQL support is almost impossible.
OpenIDM: Lightweight and scalable architecture. No built-in multi-tenancy support. Proper multi-tenancy implementation is likely to be very difficult.
Apache Syncope: Lightweight architecture. Heavyweight parts can be turned off (e.g. workflows). Architecturally locked to a relational database. Support for NoSQL not practically possible. No multi-tenancy support.
Telco
What is this? Management of customer identities in telecommunication environments. Requires scalability, the ability to support usually complex service offerings and excellent integration capabilities to a broad range of technologies. At least partial support for service provisioning is a plus.
Commercial average: Heavyweight and non-scalable architectures. Heavyweight parts cannot normally be turned off (e.g. workflows). Any modifications to make the products lighter are likely to void the warranty and support.
CzechIDM: Heavyweight parts cannot be turned off (e.g. workflows) and are likely to be an obstacle to scalability. Locked to a relational database. NoSQL support almost impossible. No service provisioning support.
midPoint: Lightweight and scalable architecture. Only very basic support for service provisioning.
OpenIAM IDM: Heavyweight architecture. Limited throughput and scalability. No support for service provisioning. Practically bound to a relational database. NoSQL support is almost impossible.
OpenIDM: Lightweight and scalable architecture. Service provisioning can be partially developed using custom code. Suitable but can be very costly.
Apache Syncope: Lightweight architecture. Heavyweight parts can be turned off (e.g. workflows). Architecturally locked to a relational database. Support for NoSQL not practically possible. No service provisioning support.
Public Sector
What is this? Management of identities in the public sector. Usually good support for organizational structures is required to model the organizational structure of public agencies, the hierarchy of regions/provinces for citizen identities, etc. Also reasonable support for RBAC, good authorizations and at least basic governance are required. The public sector seems to be shifting to an open source preference, therefore a clean open source strategy is also important.
Commercial average: Support for organizational hierarchies. Workflows. Governance. But the public sector seems to be moving towards open source.
CzechIDM: Basic support for organizational hierarchies may be just enough for the public sector. Non-standard workflows may be an obstacle. Open source strategy is not yet clean (short public history).
midPoint: Excellent support for organizational hierarchies. BPMN workflows. Clean open source strategy.
OpenIAM IDM: Basic organizational hierarchies that can support simple use cases. Workflows. Open source strategy is not clear.
OpenIDM: No support for organizational hierarchies. BPMN workflows. Problematic open source strategy.
Apache Syncope: BPMN workflows. Very clean open source strategy. But no support for organizational hierarchies is an obstacle. However, it can work very well in some cases, e.g. non-integrated municipality systems.
Academia
What is this? Management of all types of academic identities: teachers, students, employees, visitors. Usually support for very complex (and parallel) organizational structures is required. The ability for a (parametrized) membership in many organizational units is critical, as is support for temporal conditions (to limit student and visitor access during a year). A clean open source strategy is also crucial.
Commercial average: RBAC and organizational structure too weak for academia. Usually no or very weak support for temporal conditions. Academia seems to strongly prefer open source.
CzechIDM: No parametric roles. No temporal conditions. Limiting organizational structure. Non-standard workflows may be an obstacle. Open source strategy is not yet clean (short public history). It is likely to work only for very simple deployments.
midPoint: Parametric roles, organizational structure, temporal conditions. Clean open source strategy.
OpenIAM IDM: Only a simple organizational structure, roles almost useless for academia. Open source strategy is not clear. Connectors are not open source.
OpenIDM: Poor RBAC, no organizational structure. Temporal conditions can be developed but this is likely to be costly and unreliable. Problematic open source strategy.
Apache Syncope: Simple temporal conditions and a very clean open source strategy. No organizational structure support is a major obstacle.
Architecture
Commercial average | CzechIDM | midPoint | OpenIAM IDM | OpenIDM | Apache Syncope
Overall System Architecture
What is this? How good is the software architecture from the software engineering point of view. Is the system well divided into subsystems and components? Are there proper abstractions in place (such as interfaces)? Is the structure of the system appropriate and understandable?
Commercial average: Usually an architecture from the early 2000s. It is so deeply entangled in the product that it cannot be changed or significantly improved.
CzechIDM: Three-layered system. Very simple.
midPoint: System cleanly divided into subsystems and components, described by a UML model, clean interfaces between components.
OpenIAM IDM: Completely SOA-based, which is both an advantage and a disadvantage.
OpenIDM: OSGi-based architecture. Component boundaries are mostly visible. Component responsibilities seem to be reasonable. However, the architecture is not well documented and it is difficult to understand and use correctly. This is important especially because the heavy customizations that are common in OpenIDM are likely to ruin the architecture if it is not understood correctly.
Apache Syncope: Architectural components are almost not recognizable. A good component structure is missing.
Platform
What is this? Platform on which the system runs, e.g. a specific operating system or a hardware-independent platform.
Commercial average: Ancient platforms such as Java 5 are still not entirely uncommon.
CzechIDM: Java 6. It may seem that CzechIDM actually runs on Java 7. However, the JBoss 5.1 used in CzechIDM only supports Java 6. Java 6 is an obsolete platform. Security updates are no longer available.
midPoint: Java 7. Java 7 is fully supported and Java 7 language features are used in the code. OpenJDK is supported. Java 8 supported for runtime.
OpenIAM IDM: Java 6. It may look like OpenIAM runs on Java 7, but the source code is set to Java 6 syntax, which means that Java 7 language features are not used at all. Java 6 is an obsolete platform. Security updates are no longer available. Also OpenJDK is not supported.
OpenIDM: Java 6. It may look like OpenIDM is built using Java 7, but the source code is set to Java 6 syntax, which means that Java 7 language features are not used at all. Java 6 is an obsolete platform. Security updates are no longer available. Also OpenJDK is not supported for production use.
Apache Syncope: Java 6. It may look like Syncope runs on Java 7, but the source code is set to Java 6 syntax, which means that Java 7 language features are not used at all. Java 6 is an obsolete platform. Security updates are no longer available.
Structural Framework
What is this? Framework (or other method) which is used to 'wire' the system together: the framework that binds the components together and forms the basic structure of the system.
Commercial average: Custom. Commercial products too often fall for the NIH syndrome and use a custom framework. Such an approach is an almost certain failure.
CzechIDM: Java EE. Java Enterprise Edition is considered to be a heavyweight framework. Expect a more demanding deployment, and also a more expensive one, as a fully-featured Java EE application server is required.
midPoint: Spring.
OpenIAM IDM: SOA. This product actually includes an Enterprise Service Bus. It is internally heavily based on Service-Oriented Architecture. This can be an advantage but also a critical drawback. Also OpenIAM is using the obsolete and flawed SPML protocol for connector integration.
OpenIDM: OSGi/Spring. OSGi has its benefits but it also has a steep learning curve. This needs to be considered.
Apache Syncope: Spring.

User Interface
Commercial average | CzechIDM | midPoint | OpenIAM IDM | OpenIDM | Apache Syncope
Framework
What is this? Programming framework that was used to build the GUI. This is crucial, as the framework is very difficult to change; changing it usually means re-writing the entire GUI.
Commercial average: (various frameworks). The systems typically use bloated and outdated GUI frameworks.
CzechIDM: JBoss Seam. JBoss Seam is a discontinued framework. This is a development dead end.
midPoint: Apache Wicket. Very modern framework. Incredibly efficient GUI development.
OpenIAM IDM: Spring MVC. Architecturally very clean framework. Good choice.
OpenIDM: JQuery. JQuery is a client-side framework. In OpenIDM it obviously relies on server-side REST services to work. This can work well for very simple user interfaces (as OpenIDM has now). But it is a dead end for complex GUI development.
Apache Syncope: Apache Wicket. Very modern framework. Incredibly efficient GUI development.
Usability
What is this? How easy it is to use the system and how easy it is to understand. Is the system flooding the user with information? Does it spread the information across thousands of confusing tabs? Ergonomics, etc.
Commercial average: There are a few notorious products that require a PhD degree to operate. But the GUI has usually somehow evolved over the years and the usability is reasonably good on average.
CzechIDM: Look and feel of the 1990s. Lots of bugs. Some parts of the user interface are in Czech even if English is selected.
midPoint: Difficult at places but overall appropriate for the purpose. Good ergonomics.
OpenIAM IDM: Quite cumbersome at places. Especially when dealing with organizational structure.
OpenIDM: Extremely limited GUI, mostly usable only as a prototype. It is definitely not usable for the level of administration and customization that OpenIDM deployments usually require. The administrator has no option but to use the JSON-based configuration.
Apache Syncope: Cumbersome at places. The graphical design is not the most attractive one. But still quite appropriate for the purpose.
Completeness
What is this? Does the user interface provide access to all functionality available in the system?
Commercial average: Almost all products present the vast majority of functions in their GUI.
CzechIDM: It seems that most functions of the product are accessible through the GUI.
midPoint: While most functions of the product are accessible through the GUI, there are still many that are not. However, this is continually improving in each version. It also needs to be noted that midPoint has many more features than the other products.
OpenIAM IDM: It seems that most functions of the product are accessible using the GUI. OpenIAM seems to have a slightly more complete user interface than the other products.
OpenIDM: Extremely limited GUI, mostly usable only as a prototype. It is definitely not usable for the level of administration and customization that OpenIDM deployments usually require. The administrator has no option but to use the JSON-based configuration.
Apache Syncope: It seems that most functions of the product are accessible through the GUI.
Speed
What is this? How quickly the GUI reacts to user actions.
Commercial average: The GUI is almost never fast. But the speed is usually acceptable.
CzechIDM: The GUI is slow! Very slow. A few seconds of delay is normal. All other IDM systems perform significantly better on the same hardware.
midPoint: Perfectly acceptable.
OpenIAM IDM: Faster than average. But the cost is high resource consumption.
OpenIDM: Neither fast nor slow. But due to the nature of the GUI it heavily depends on client performance. This may be a limitation for mobile devices.
Apache Syncope: Perfectly acceptable.
Customization
What is this? How easily the GUI functionality can be customized.
Commercial average: There is usually some way to customize the GUI. But it is usually limited to selecting the fields to display and changing the logo and colors.
CzechIDM: Almost not customizable at all.
midPoint: Templating based on LESS. The GUI automatically adapts to schema changes, therefore heavy customization is usually not needed.
OpenIAM IDM: Form templates.
OpenIDM: Need to modify the GUI source code even for trivial customizations (such as a schema change).
Apache Syncope: Need to modify the source code to really customize it.
Role-Based Access Control (RBAC)
Commercial average | CzechIDM | midPoint | OpenIAM IDM | OpenIDM | Apache Syncope
Provisioning Roles
What is this? Ability to specify which accounts to create when a role is assigned to a user. Ability to define attribute values.
Commercial average: Support for account types, attributes, use of scripting and other expressions. The scripting language is often proprietary. Usually no temporal constraints (e.g. valid from a specific date) or any other advanced features.
CzechIDM: Attributes as constants or determined by a rule.
midPoint: Define account types, attributes, use of scripting and other expressions, conditional expressions, temporal constraints (e.g. valid from a specific date), several enforcement modes, ...
OpenIAM IDM: A role can only enforce a static attribute value.
OpenIDM: The support is very simplistic and very fresh. This is very basic, critical functionality of an IDM system and OpenIDM got it only very recently. Problems are to be expected during deployment.
Apache Syncope: Good flexibility can be achieved by using derived and virtual attributes.
Hierarchical Roles
What is this? Ability to include one role in another role.
Commercial average: Support for role hierarchy is common and usually reasonably comprehensive.
CzechIDM: Yes, it has it. That's all. Nothing extra.
midPoint: Support for conditional role hierarchy.
OpenIAM IDM: (no explanation given)
OpenIDM: Not supported.
Apache Syncope: (no explanation given)
Assignment parameters
What is this? Ability to customize each role assignment with parameters (e.g. specify a tenant for which the assigned role applies). The assignment parameters are not part of the role definition, nor are they part of the user data. The parameters must be part of the user-role relation (assignment).
Commercial average: Support for this feature is extremely rare.
CzechIDM: Not supported. This is a critical design limitation.
midPoint: Support for arbitrary assignment parameters. Support for tenant ID out of the box.
OpenIAM IDM: Not supported. This is a critical design limitation.
OpenIDM: Not supported. This is a severe design limitation.
Apache Syncope: (no explanation given)
Parametric Roles
What is this? Use parameters from the user assignment or from a super role in the role expressions. E.g. parametrize the assignment of the role "assistant" with an organizational unit or locality to which it applies.
Commercial average: Support for this feature is extremely rare, if present at all.
CzechIDM: Not supported.
midPoint: Role expressions can use parameters from assignments and the role extension.
OpenIAM IDM: Not supported.
OpenIDM: Not supported.
Apache Syncope: Not supported.
Conditional Roles
What is this? Ability to "switch on and off" each role based on an arbitrary condition. Ability to assign temporal validity constraints (role valid from or to a specific date).
Commercial average: Usually only very weak support.
CzechIDM: Not supported.
midPoint: Conditional expressions using scripting, temporal conditions.
OpenIAM IDM: (no explanation given)
OpenIDM: A role may be conditionally effective if the user already has the resource assigned by another role. However, there is no support for arbitrary (scripting) conditions or temporal constraints.
Apache Syncope: Not supported.
Meta-roles
What is this? Roles that can be applied to roles themselves. E.g. the ability to sort roles into groups or types (functional, business, IT, ...) and specify the synchronization properties for each group using a unified policy (meta-role).
Commercial average: If it is present at all, it is usually not generic and hardcoded only to support some use cases.
CzechIDM: Not supported.
midPoint: All features of the RBAC system can be applied to the RBAC system itself. Excellent flexibility.
OpenIAM IDM: Not supported.
OpenIDM: Not supported.
Apache Syncope: Not supported.
Role ownership
What is this? Assign a role owner who has more privileges over the role, e.g. the ability to modify the role definition.
Commercial average: This seems to be a common feature, especially for systems that support role lifecycle management.
CzechIDM: Not present out-of-the-box. It is not clear whether it is feasible to develop it at all.
midPoint: Indirect, by using organizational structure, delegated administration and fine-grained authorizations. Also allows group ownership of roles.
OpenIAM IDM: Not present out-of-the-box.
OpenIDM: Not present out-of-the-box. But OpenIDM has a flexible schema and this can be developed as custom scripting code. Yet it is likely to be a quite complex customization.
Apache Syncope: Present out-of-the-box. But it does not allow group ownership of the role.
Role lifecycle
What is this? Ability to guide the creation, modification and disposal of a role, e.g. using proper authorizations, workflow, approvals, etc.
Commercial average: Average support. Maybe half of the systems have somewhat reasonable support for role lifecycle.
CzechIDM: Not present out-of-the-box. Can be developed as custom workflow code.
midPoint: Not present out-of-the-box. Can be developed as custom workflow code.
OpenIAM IDM: Not present out-of-the-box. Can be developed as custom workflow code.
OpenIDM: Not present out-of-the-box. Can be developed as custom workflow code.
Apache Syncope: Not present out-of-the-box. Can be developed as custom workflow code.
Role synchronization
What is this? Ability to create groups (or other objects) in the target systems as a reflection of a role. Also the ability to create roles as a reflection of arbitrary resource objects.
Commercial average: This is still not very common. Some systems are designed to synchronize anything with anything, but the vast majority of systems seem to be built only to synchronize users and accounts.
CzechIDM: Not present out-of-the-box. The product does not seem to support this feature at all.
midPoint: Can synchronize roles to any kind of resource objects, bi-directionally. Also able to centralize policies using meta-roles. Easy way to reflect the user-role relationship, e.g. to an LDAP group membership.
OpenIAM IDM: There is a kind of role-group synchronization present out-of-the-box. But its capabilities are limited.
OpenIDM: Can synchronize roles to any kind of resource objects. However, custom code is required to properly bind the objects that are copies of the roles to the users that have the role.
Apache Syncope: Present out-of-the-box. But it is not a very generic solution. It is hardcoded to synchronize only to groups.
Organizational structure
Commercial average | CzechIDM | midPoint | OpenIAM IDM | OpenIDM | Apache Syncope
Organizational units
What is this? Ability to support objects that model organizational units such as companies, divisions, departments, projects, workgroups, teams, ...
Commercial average: Organizational structure support is quite common, although it tends to be simplistic (a single tree).
CzechIDM: Organizational units are present out-of-the-box. Extensibility and typing flexibility are uncertain.
midPoint: Organizational units are pre-configured first-class objects.
OpenIAM IDM: Organizational units are present out-of-the-box. Pre-configured support for many organizational unit types.
OpenIDM: Organizational units are not present out-of-the-box, nor are they among the default objects. As OpenIDM supports a flexible schema, organizational units can be configured. But they are not special in any way.
Apache Syncope: Organizational structure is not supported.
Organizational tree
What is this? Ability to organize organizational units into tree-like structures, ability to display them and efficiently browse them.
Commercial average: Organizational structure support is quite common, although it tends to be simplistic (a single tree).
CzechIDM: All units must belong to a single organizational tree. This is displayed in tree form. But the user interface has some issues.
midPoint: Organizational units can form any kind of acyclic oriented graph. It is properly indexed, displayed, paged, etc.
OpenIAM IDM: Organizational trees can be formed. But they are not displayed in tree form and have a very relational look and feel. No ability for a subtree search. It raises questions whether the tree structures are properly indexed.
OpenIDM: Support for object tree structures is not present. It can be somehow simulated but it will not scale, as there is no support for proper tree indexes (closure tables).
Apache Syncope: Organizational structure is not supported.
Parallel organizational structures
What is this? Ability to maintain several independent organizational structures, e.g. maintain a functional organizational tree and a parallel flat project-oriented structure. Ability to assign the same user to each of them independently.
Commercial average: Not very common.
CzechIDM: Parallel organizational structures not supported.
midPoint: There may be an arbitrary number of parallel organizational graphs. A user may be a member of any number of them.
OpenIAM IDM: Parallel organizational structures seem to be supported. However, the presentation of the structures is very confusing.
OpenIDM: Can be partially implemented using custom code. But given the limited support for organizational structure, its utility is more than limited.
Apache Syncope: Organizational structure is not supported.
Organizational structure synchronization
What is this? Ability to create organizational units (or other objects) in the target systems as a reflection of the organizational structure, and also the other way around. Ability to transform flat structures to tree structures, ability to reconstruct a tree structure from flat string attributes, etc.
Commercial average: Synchronization of the organization tree is mostly supported. But it is very limited, e.g. uni-directional, limited to a single resource, etc.
CzechIDM: Not supported.
midPoint: Organizational structure can be synchronized to any kind of target object in any reasonable kind of structure. However, some limitations may apply.
OpenIAM IDM: Not present out-of-the-box. Possible using very non-systemic custom code.
OpenIDM: Organizational units can be synchronized as any other objects. But synchronization into tree-like structures is extremely difficult to implement.
Apache Syncope: Organizational structure is not supported.
Provisioning and Synchronization
Commercial average | CzechIDM | midPoint | OpenIAM IDM | OpenIDM | Apache Syncope
Propagation
What is this? Ability to propagate data from the IDM system to the managed systems (resources).
(no explanation given for any product)
Real-time synchronization
What is this? Ability to synchronize data from managed systems to the IDM on an almost-real-time basis (delay in seconds).
Commercial average: Most systems have reasonably good live sync. But there still seem to be some that rely only on reconciliation.
CzechIDM: Real-time synchronization and reconciliation have different configurations. This increases the configuration and maintenance burden.
midPoint: Real-time synchronization and reconciliation share the same policy setting (exceptions are possible if needed). This simplifies configuration and improves configuration consistency.
OpenIAM IDM: Real-time synchronization and reconciliation have different configurations. This increases the configuration and maintenance burden.
OpenIDM: Real-time synchronization and reconciliation share the same policy setting. This simplifies configuration and improves configuration consistency.
Apache Syncope: Real-time synchronization and reconciliation have different configurations. This increases the configuration and maintenance burden.
Reconciliation
What is this? Ability to compare data records in IDM and in the managed systems.
Commercial average: Usually good support. But limitations apply, e.g. some systems cannot reconcile attribute values, others are not very flexible, etc.
CzechIDM: Real-time synchronization and reconciliation have different configurations. This increases the configuration and maintenance burden.
midPoint: Reconciliation is not only about account/user existence. Attribute values are also automatically reconciled by using policies and mappings. No extra configuration is necessary.
OpenIAM IDM: Real-time synchronization and reconciliation have different configurations. This increases the configuration and maintenance burden.
OpenIDM: (no explanation given)
Apache Syncope: Real-time synchronization and reconciliation have different configurations. This increases the configuration and maintenance burden.
Opportunistic synchronization
What is this? Ability of the IDM system to automatically trigger synchronization when needed, e.g. when an account is missing when IDM attempts to modify it, when an existing account is present when a new account is being created, etc.
Commercial average: This is very rare. It is either not present at all or it is very limited.
CzechIDM: Not supported.
midPoint: MidPoint reacts to a variety of provisioning failures, e.g. errors that an account was not found or that it already exists. It triggers a 'self-healing' mechanism that automatically uses synchronization policies to remedy the situation without the need for manual intervention.
OpenIAM IDM: (no explanation given)
OpenIDM: (no explanation given)
Apache Syncope: Not supported.
Attribute mapping
What is this? Ability to map attribute values between resource objects (objects on managed systems) and the objects in the IDM system.
Commercial average: There is usually reasonably good support. But the actual mechanisms tend to be proprietary and cumbersome.
CzechIDM: Strictly speaking, mappings are always only one-to-one without any transformation. But some flexibility can be achieved by using roles. The mapping-like structures in roles can define a static (constant) value or use BeanShell code.
midPoint: MidPoint supports a broad range of mappings: simple one-to-one mappings without transformation, constant values, script expressions, generated values, opportunistic searches over the IDM database or the resource, etc. As midPoint uses a relative change model, the mappings are only executed when needed (when source attributes change), which contributes to scalability.
OpenIAM IDM: Execution of custom code is NOT possible from a mapping. Only one-to-one mapping and static (constant) values are supported.
OpenIDM: Execution of custom code is possible from a mapping. A lot of tricks can be done by invoking scripting libraries. But the mapping itself has quite limited implicit logic.
Apache Syncope: Strictly speaking, mappings are always only one-to-one without any transformation. Flexibility can be achieved by using derived and virtual attributes, which allow JEXL expressions. But generally the mapping possibilities are quite limited. Custom Java or workflow code can be used in more complex cases.
Uniqueness, iteration
What is this? Ability to enforce uniqueness of attribute values (on managed systems) and to iteratively find a unique value, e.g. by trying identifiers in the form of jack001, jack002, ...

explain Usually not supported out-of-the-box, but in almost all cases it can be implemented using custom code.

explain Not supported out-of-the-box. It can theoretically be implemented by writing custom workflow code, but that is likely to be considerably complex.

explain The mechanism to iterate and find a unique value is part of the system out-of-the-box; only configuration is needed. This natively works for identifiers. It can also be adapted for other, non-identifier values using a small piece of scripting code (1-2 lines).

explain Not supported out-of-the-box. It can theoretically be implemented by writing custom workflow code, but that is likely to be considerably complex.

explain Not supported out-of-the-box. It can be implemented by writing custom code.

explain Not supported out-of-the-box. It can theoretically be implemented by writing custom workflow code, but that is likely to be considerably complex.
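The following is an added illustration written for this page, not code from any of the products compared here. It models the iteration described above (base value first, then base001, base002, ...) for both an identifier and a non-identifier value, with a hard iteration limit. The in-memory directory is a constructed stand-in; its claim() plays the role of the managed system's own atomic create, which is what must decide uniqueness. A read-then-write check performed only inside the IDM is a race between two concurrent provisioning runs, so the loop iterates on a rejected create rather than on a prior lookup.

```python
"""Illustrative uniqueness iteration (added example, not product code).

Tries base, base001, base002, ... until the managed system accepts the value.
The directory is a constructed in-memory stand-in for a resource.
"""
from typing import Callable


def iteration_token(iteration: int, width: int = 3) -> str:
    """'' for the first attempt, then '001', '002', ... (zero-padded)."""
    return "" if iteration == 0 else f"{iteration:0{width}d}"


def find_unique(make_value: Callable[[str], str],
                claim: Callable[[str], bool],
                max_iterations: int = 100) -> str:
    """Return the first value claim() accepts; give up after max_iterations.

    claim must be the resource's own atomic create (or a uniqueness check the
    resource enforces); a check done only on the IDM side is a race.
    """
    for i in range(max_iterations):
        value = make_value(iteration_token(i))
        if claim(value):
            return value
    raise RuntimeError(f"no unique value found in {max_iterations} iterations")


class FakeDirectory:
    """Constructed stand-in for a managed system with unique attributes."""

    def __init__(self, taken: dict):
        # AD and most LDAP servers match identifiers case-insensitively,
        # so compare lower-cased values.
        self.taken = {attr: {v.lower() for v in values} for attr, values in taken.items()}

    def claim(self, attr: str, value: str) -> bool:
        """Atomically reserve value for attr; False if already taken."""
        values = self.taken.setdefault(attr, set())
        key = value.lower()
        if key in values:
            return False
        values.add(key)
        return True


def provision_uid(directory: FakeDirectory, base: str) -> str:
    """Identifier case: jack, jack001, jack002, ..."""
    return find_unique(lambda tok: f"{base}{tok}",
                       lambda v: directory.claim("uid", v))


def provision_mail(directory: FakeDirectory, given: str, family: str,
                   domain: str = "example.com") -> str:
    """Non-identifier case: only the value template differs."""
    return find_unique(lambda tok: f"{given}.{family}{tok}@{domain}".lower(),
                       lambda v: directory.claim("mail", v))


if __name__ == "__main__":
    d = FakeDirectory({"uid": {"jack", "jack001", "Jack002"},
                       "mail": {"jack.sparrow@example.com"}})
    print(provision_uid(d, "jack"))               # jack003
    print(provision_mail(d, "Jack", "Sparrow"))   # jack.sparrow001@example.com
```

The identifier and the mail address share one loop; adapting it to a new attribute is the "1-2 lines" of template code mentioned above. The iteration limit matters in practice: a namespace that is genuinely full should fail the provisioning request loudly rather than spin.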
Provisioning ordering and dependencies
What is this? Ability to enforce proper ordering of provisioning operations. E.g. if an application account depends on existence of operating system account. Also ability to properly pass attribute values between systems. E.g. create e-mail account first, pass the e-mail address value to user attribute, then create an AD account and properly set the e-mail address.

explain The systems usually have some way of ordering provisioning operations, but the support tends to be non-systemic.

explain Seems not to be supported out-of-the-box. Feasibility of support for this feature is questionable.

explain MidPoint allows a dependency to be configured between resources, or even between object types on a single resource. MidPoint then automatically computes the required ordering of operations, interleaving the operations with execution of attribute mappings as necessary.

explain Seems not to be supported out-of-the-box. Feasibility of support for this feature is questionable.

explain Not supported out-of-the-box. It can be implemented by writing custom code.

explain Seems not to be supported out-of-the-box. It could be supported using custom workflow code, but the complexity is uncertain.
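The following is an added illustration written for this page, not code from any of the products compared here. It models both needs described above: computing a creation order from declared dependencies (an application account after the OS account it needs) and passing a value produced by one system back into the user record before a dependent system's mappings run (the address assigned by a mail server becoming the mail attribute of an AD account). The resource names, attributes and the simulated create() are assumptions.

```python
"""Illustrative dependency-ordered provisioning (added example, not product code).

Orders account creation by declared dependencies and feeds values produced by
one resource back into the user record before dependants' mappings run.
Resource names, attributes and the simulated create() are assumptions.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

Attrs = Dict[str, Any]


@dataclass
class Resource:
    name: str
    depends_on: List[str]
    outbound: Callable[[Attrs], Attrs]                        # user record -> account attributes
    inbound: Callable[[Attrs], Attrs] = lambda account: {}    # account -> updates to the user record


def provisioning_order(resources: Dict[str, Resource]) -> List[str]:
    """Topological order of resource names (Kahn's algorithm).

    Rejects dependencies on unknown resources and dependency cycles instead of
    silently provisioning in declaration order.
    """
    indegree = {name: 0 for name in resources}
    for r in resources.values():
        for dep in r.depends_on:
            if dep not in resources:
                raise ValueError(f"{r.name} depends on unknown resource {dep}")
            indegree[r.name] += 1
    ready = sorted(name for name, n in indegree.items() if n == 0)
    order: List[str] = []
    while ready:
        current = ready.pop(0)
        order.append(current)
        for r in resources.values():
            if current in r.depends_on:
                indegree[r.name] -= 1
                if indegree[r.name] == 0:
                    ready.append(r.name)
                    ready.sort()    # deterministic order among independent resources
    if len(order) != len(resources):
        raise ValueError("dependency cycle among: " + ", ".join(sorted(set(resources) - set(order))))
    return order


def provision(user: Attrs, resources: Dict[str, Resource],
              create: Callable[[str, Attrs], Attrs]) -> Dict[str, Attrs]:
    """Create all accounts for user, interleaving inbound value passing."""
    user = dict(user)                       # work on a copy of the user record
    accounts: Dict[str, Attrs] = {}
    for name in provisioning_order(resources):
        r = resources[name]
        accounts[name] = create(name, r.outbound(user))
        user.update(r.inbound(accounts[name]))    # e.g. the mail address is now visible to dependants
    return accounts


def fake_create(resource: str, attrs: Attrs) -> Attrs:
    """Constructed stand-in for the connectors: the mail server assigns the address."""
    account = dict(attrs)
    if resource == "mail":
        account["address"] = f"{attrs['uid']}@mail.example.com"
    return account


def ad_outbound(u: Attrs) -> Attrs:
    if "mail" not in u:
        raise RuntimeError("AD mapping needs user.mail, which only the mail account provides")
    return {"sAMAccountName": u["uid"], "mail": u["mail"]}


RESOURCES = {
    "mail": Resource("mail", [], lambda u: {"uid": u["uid"]}, lambda a: {"mail": a["address"]}),
    "ad": Resource("ad", ["mail"], ad_outbound),
    "os": Resource("os", [], lambda u: {"login": u["uid"]}),
    "app": Resource("app", ["os"], lambda u: {"login": u["uid"], "role": "user"}),
}

if __name__ == "__main__":
    print(provisioning_order(RESOURCES))                       # ['mail', 'ad', 'os', 'app']
    print(provision({"uid": "jsparrow"}, RESOURCES, fake_create))
```

Running the AD mapping before the mail account exists raises immediately, which is the failure a non-systemic ordering produces at runtime; the topological order guarantees the mail account, and the value it yields, come first. A cycle in the declared dependencies is reported rather than resolved arbitrarily.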
Provisioning notifications
What is this? Notifications that announce success or failure of provisioning operations. Used mostly to deliver initial credentials and to notify system administrators about problems. Support for various channels (e-mail, SMS, ...)

explain Almost all systems have reasonably good support for notifications.

explain Notifications need to be sent explicitly from custom workflow code.

explain Notifications can simply be configured for every provisioning operation. There is no need to modify the workflow or write custom code. The notifications are processed by a templating engine (Velocity).

explain Notifications need to be sent explicitly by invoking a notification service (which is provided). The mail has to be composed in custom Groovy code.

explain Notifications need to be sent explicitly from custom scripting or workflow code, but this is relatively easy to implement. Samples are available.

explain Notifications need to be sent explicitly from custom workflow code.
Resilience
What is this? Ability of an IDM system to recover from provisioning failures such as timeouts and retries, compensation mechanisms, transactional guarantees, etc.

explain This is one of the worst aspects of commercial IDM systems. There seem to be some notable exceptions, but the vast majority of systems seem to behave in a very fragile fashion when failures and misconfiguration occur.

explain It looks like only a very simple timeout/retry mechanism is implemented.

explain MidPoint provides full resilience for write operations. As midPoint uses the relative change model, it can simply remember the operation delta and replay it later. No locking is necessary and the system remains fully operational. Opportunistic synchronization will automatically handle any errors in these delayed operations. Attribute caching for read operations is not yet implemented; however, as attribute values are normally mapped into midPoint data, this does not usually affect normal system operation.

explain No reliable information about this feature. It looks like only a very simple timeout/retry mechanism is implemented.

explain Very simple compensation code is provided with the product. The goal is to roll back failed operations. However, due to the change handling mode of OpenIDM, this code is likely to be unreliable or even dangerous. Development of more complex compensation code is possible, but it is likely that the basic architecture of OpenIDM will make any compensation attempt very unreliable in practice.

explain It looks like only a very simple timeout/retry mechanism is implemented.
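The following is an added illustration written for this page, not code from any of the products compared here. It models the resilience property claimed above for a relative change model: an outbound operation is expressed as values to add or delete, so a failed operation can be stored and replayed later without locking the account, and a change made directly on the resource in the meantime survives the replay. The same events are then run as an absolute "write the whole attribute" operation to show why replaying a snapshot is unsafe. The resource, its groups attribute and the timeout simulation are assumptions made for the example.

```python
"""Illustrative relative-change (delta) model with deferred replay
(added example, not product code).

A failed delta is remembered and replayed; a concurrent change on the resource
survives. An absolute snapshot replay of the same events overwrites it.
"""
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class Delta:
    """Relative change to multi-valued account attributes."""
    add: Dict[str, Set[str]] = field(default_factory=dict)
    delete: Dict[str, Set[str]] = field(default_factory=dict)

    def merge(self, later: "Delta") -> "Delta":
        """Combine with a later delta; the later change to a value wins."""
        merged = Delta()
        for attr in set(self.add) | set(self.delete) | set(later.add) | set(later.delete):
            adds = (self.add.get(attr, set()) - later.delete.get(attr, set())) | later.add.get(attr, set())
            dels = (self.delete.get(attr, set()) - later.add.get(attr, set())) | later.delete.get(attr, set())
            if adds:
                merged.add[attr] = adds
            if dels:
                merged.delete[attr] = dels
        return merged

    def is_empty(self) -> bool:
        return not self.add and not self.delete


class FakeResource:
    """Constructed stand-in for a managed system; fail_next simulates a timeout."""

    def __init__(self, state: Dict[str, Set[str]]):
        self.state = {k: set(v) for k, v in state.items()}
        self.fail_next = False

    def apply_delta(self, delta: Delta) -> None:
        self._maybe_fail()
        for attr, values in delta.add.items():
            self.state.setdefault(attr, set()).update(values)
        for attr, values in delta.delete.items():
            self.state.get(attr, set()).difference_update(values)  # deleting an absent value is a no-op

    def apply_absolute(self, attrs: Dict[str, Set[str]]) -> None:
        self._maybe_fail()
        for attr, values in attrs.items():
            self.state[attr] = set(values)       # overwrites whatever is there

    def _maybe_fail(self) -> None:
        if self.fail_next:
            self.fail_next = False
            raise TimeoutError("resource unavailable")


class Provisioner:
    """Keeps one pending delta per resource and replays it on retry."""

    def __init__(self) -> None:
        self.pending: Dict[str, Delta] = {}

    def modify(self, name: str, resource: FakeResource, delta: Delta) -> bool:
        if name in self.pending:                  # fold into what is still owed
            delta = self.pending[name].merge(delta)
        try:
            if not delta.is_empty():
                resource.apply_delta(delta)
            self.pending.pop(name, None)
            return True
        except TimeoutError:
            self.pending[name] = delta            # remember it; no lock, retry later
            return False

    def retry(self, name: str, resource: FakeResource) -> bool:
        return self.modify(name, resource, Delta())


def relative_scenario() -> Set[str]:
    """IDM adds vpn-users; resource times out; admin adds wiki-editors directly; replay."""
    res = FakeResource({"groups": {"staff"}})
    idm = Provisioner()
    res.fail_next = True
    idm.modify("ldap", res, Delta(add={"groups": {"vpn-users"}}))   # fails, delta is kept
    res.state["groups"].add("wiki-editors")       # concurrent change on the resource
    idm.retry("ldap", res)                        # replays only the owed delta
    return res.state["groups"]


def absolute_scenario() -> Set[str]:
    """Same events, but the IDM replays a snapshot of the whole attribute."""
    res = FakeResource({"groups": {"staff"}})
    snapshot = {"groups": {"staff", "vpn-users"}}  # desired state computed before the timeout
    res.fail_next = True
    try:
        res.apply_absolute(snapshot)
    except TimeoutError:
        pass
    res.state["groups"].add("wiki-editors")
    res.apply_absolute(snapshot)                   # replay silently removes wiki-editors
    return res.state["groups"]


if __name__ == "__main__":
    print("relative:", sorted(relative_scenario()))   # ['staff', 'vpn-users', 'wiki-editors']
    print("absolute:", sorted(absolute_scenario()))   # ['staff', 'vpn-users']
```

The relative replay is idempotent (applying the same delta twice leaves the same state) and merges naturally with later changes, which is why no lock is needed while an operation is deferred. The absolute replay is the hazard behind the compensation remark made for OpenIDM above: a stale snapshot written after the fact removes a membership the IDM never knew about, which in the case of group membership is a silent privilege change.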
Entitlements
What is this? Support for management of entitlements on the resource side (in managed systems) such as LDAP groups, AD groups, privileges, ACLs, etc. Ability to display and synchronize them. Also ability to manage membership or association of accounts and entitlements.

explain Almost no support at all. 'Privileged Identity Management' is a separate field, therefore IDM products usually do not support entitlements, to avoid cannibalizing the PIM products.

explain No systemic entitlement support out-of-the-box. Some support can be implemented using custom code and hacks in the LDAP and AD connectors.

explain MidPoint natively supports resource entitlements. No explicit support in a connector is needed. MidPoint fully supports entitlement synchronization. MidPoint also supports entitlement membership and associations, e.g. role assignment inside midPoint and group membership on the resource can easily be bound together using just a couple of simple mappings.

explain OpenIAM supports group membership management. However, the support is limited to only some object types; e.g. it cannot be bound to role membership.

explain There is no generic support for entitlement provisioning out-of-the-box. It can be partially developed using custom code. Group membership for LDAP and AD can be supported using a hack in the connectors and custom code (samples are available).

explain Some group membership support is obviously present, but it does not seem to be a very systemic solution and the exact mechanism is not clear.
Connectors
Commercial averageCzechIDMmidPointOpenIAM IDMOpenIDMApache Syncope
Framework
What is this? Framework of mechanism used to manage and access provisioning connectors.
Proprietary

explain The use of proprietary connector framework seems to be an unwritten law. Or it is maybe the NIH syndrome in practice.
Sun ICF

explain Sun Identity Connector Framework is a discontinued project. Other IDM systems already migrated to ConnId. But not CzechIDM.
ConnId

explain MidPoint is based on common ConnId 1.4 framework. Although Evolveum no longer participates in OpenICF, midPoint still supports both ConnId connectors and OpenICF connectors.
SPML over ESB

explain SPML is an outdated, discontinued and flawed protocol. Yet we award some points here because ESB integration allows the use of multiple languages to develop a connector.
OpenICF

explain The OpenICF framework is based on ConnId 1.4. It theoretically supports both ConnId connectors and OpenICF connectors. However, ForgeRock seems to be reluctant to support ConnId connectors. Also, not all OpenICF connectors are supported for production use.
ConnId

explain Syncope is based on ConnId framework. The syncope team also maintains the ConnId project.
LDAP
What is this? Support for LDAP servers.

explain LDAP is perhaps the most widely supported protocol. It is usually supported well.

explain Outdated generic LDAP connector. The version of this connector used by CzechIDM has some limitations.

explain Mature and well tested generic LDAP connector that supports VLV, paging controls, SSL, TLS, kerberos, etc. Tested with many LDAP servers (OpenLDAP, OpenDJ, ApacheDS, Sun/Oracle DSEE, 389 Directory Server, etc.)

explain The documentation describes an LDAP connector, but we were not able to locate the source code. Therefore we assume that this connector is not open source, which means that an open source LDAP connector for OpenIAM probably does not exist.

explain Mature and well tested generic LDAP connector that supports simple paging controls, SSL, Kerberos, etc. However, this connector has some limitations, e.g. no support for STARTTLS and no support for VLV.

explain Mature and well tested generic LDAP connector that supports VLV, paging controls, etc. However, it looks like the ConnId version of the LDAP connector has slightly more limited capabilities than the OpenICF version.
Active Directory
What is this? Support for Microsoft Active Directory.

explain AD is supported by almost all systems. But the quality varies.

explain A native AD connector seems to be missing. Only the LDAP connector is available. However, the LDAP connector used by CzechIDM has some serious limitations when used with AD.

explain Both native (ADSI) and LDAP-based connection to AD is supported. Script execution is supported by the native connector. However, the native connector is slightly limited in capabilities. It is being extended by the Evolveum team.

explain The documentation describes use of the LDAP connector for AD connection, but we were not able to locate the source code. Therefore we assume that this connector is not open source, which means that an open source LDAP connector for OpenIAM probably does not exist.

explain Both native (ADSI) and LDAP-based connection to AD is supported. Script execution is supported by the native connector. However, the native connector is slightly limited in capabilities.

explain Only LDAP-based connection to AD seems to be supported.
Databases
What is this? Support for relational databases.

explain Database connectors are usually present and well supported.

explain An outdated DatabaseTable connector for simple single-table integration from Sun ICF. Also a universal JDBC connector which is native to CzechIDM.

explain DatabaseTable connector for simple single-table integration, ScriptedSQL connector, specialized connectors for various databases that manage administrative database users.

explain The documentation describes a connector for the Oracle database and generic database table connectors, but we were not able to locate the source code. Therefore we assume that these connectors are not open source, which means that an open source database connector for OpenIAM probably does not exist.

explain DatabaseTable connector for simple single-table integration, ScriptedSQL connector, specialized connectors for various databases that manage administrative database users. NOTE: The ForgeRock support for some connectors may be limited.

explain DatabaseTable connector for simple single-table integration, ScriptedSQL connector.
Generic connectors
What is this? Connectors that can apply to many types of systems. Flat files, CSV, XML, scripting connectors, etc.

explain Support for generic connectors is usually slightly weaker. But still good enough.

explain Outdated XML connector, outdated flatfile connector, SPML connector.

explain Smart CSV connector, XML connector, scripted groovy connector, SPML connector. SOAP connector from ConnId.

explain The documentation describes several connectors, but we were not able to locate the source code. Therefore we assume that these connectors are not open source, which means that such open source connectors for OpenIAM probably do not exist.

explain Smart CSV connector, XML connector, scripted groovy connector, SPML connector. NOTE: The ForgeRock support for some connectors may be limited.

explain CSV directory connector, flat file connector, SOAP connector from ConnId. XML file connector seems to be missing.
UNIX connectors
What is this? Connectors for UNIX-like systems such as Linux, Solaris, BSD, AIX, ...

explain Commercial UNIX flavors are sometimes supported. But not always. Support for Linux flavors is usually quite weak.

explain A universal SSH connector. An outdated Solaris connector.

explain Specialized SSH-based connector that currently supports Solaris, Linux and AIX. Also the generic UNIX connector from ConnId and a FreeIPA connector from ConnId.

explain The documentation describes a Linux connector, but we were not able to locate the source code. Therefore we assume that this connector is not open source, which means that such open source connectors for OpenIAM probably do not exist.

explain Specialized SSH-based connector that currently supports only Solaris. NOTE: The ForgeRock support for this connector may be limited.

explain Generic UNIX connector (but the range of supported UNIX flavors is unknown). FreeIPA connector.
HR connectors
What is this? Connectors for HR systems such as SAP HR modules, PeopleSoft HRMS, ...

explain This varies a lot, but the support is usually slightly better than in open source systems.

explain Missing. Even a CSV connector is not there.

explain Some code for a generic SAP connector exists. Code for SAP integration over SOAP is available. But usual HR integration is implemented using CSV.

explain The documentation describes an SAP connector, but we were not able to locate the source code. Therefore we assume that this connector is not open source, which means that such open source connectors for OpenIAM probably do not exist.

explain Some code for a generic SAP connector exists. But usual HR integration is implemented using CSV. NOTE: We are not sure how much this connector is really supported.

explain Specialized HR connectors seem not to be available. But usual HR integration is implemented using CSV or SOAP.
ERP and business applications connectors
What is this? Connectors for ERP systems and various 'business' systems such as SAP ERP (R/3), Oracle applications, ...

explain This varies a lot, but the support is usually slightly better than in open source systems.

explain Oracle ERP

explain Some code for a generic SAP connector. Oracle ERP connector.

explain The documentation describes several connectors, but we were not able to locate the source code. Therefore we assume that these connectors are not open source, which means that such open source connectors for OpenIAM probably do not exist.

explain Some code for generic SAP connector. Oracle ERP connector. NOTE: The ForgeRock support for these connectors may be limited.

explain Specialized ERP connectors seem not to be available.
Cloud connectors
What is this? Connectors for cloud-based services such as SalesForce, Google apps, Office 365, ...

explain Usually quite weak support.

explain None

explain Office 365, GoogleApps, WebTimeSheet, SalesForce

explain The documentation describes several connectors, but we were not able to locate the source code. Therefore we assume that these connectors are not open source, which means that such open source connectors for OpenIAM probably do not exist.

explain GoogleApps, WebTimeSheet, SalesForce. NOTE: The ForgeRock support for these connectors is not clear.

explain GoogleApps
Mainframe and mini connectors
What is this? Connectors for mainframe systems and 'minicomputers' such as z/OS, OS400, RACF, ...

explain This varies a lot, but the support is usually slightly better than in open source systems.

explain An outdated RACF connector.

explain RACF, OS/400

explain The documentation describes several connectors, but we were not able to locate the source code. Therefore we assume that these connectors are not open source, which means that such open source connectors for OpenIAM probably do not exist.

explain RACF, OS/400. NOTE: The ForgeRock support for these connectors may be limited.

explain Specialized connectors seem not to be available.
Other connectors
explain This varies a lot, but the support is usually slightly better than in open source systems.

explain VMS, Alfresco

explain VMS

explain The documentation describes several connectors, but we were not able to locate the source code. Therefore we assume that these connectors are not open source, which means that such open source connectors for OpenIAM probably do not exist.

explain VMS. NOTE: The ForgeRock support for this connector may be limited.

explain CMD, OpenAM
Connector compatibility
What is this? Can the connectors be used in other systems? Is there a support for legacy connector frameworks?

explain No compatibility at all.

explain Compatible with legacy Sun connectors.

explain Compatible with ConnId 1.4 and OpenICF without any change. Legacy Sun connectors may also be used (small changes may be necessary).

explain OpenIAM connectors seem not to be compatible with any other connectors.

explain Technically compatible with ConnId 1.4 without any change. However the ForgeRock team seems to be reluctant to support such connectors. Legacy Sun connectors may also be theoretically used (small changes may be necessary).

explain Theoretically compatible with OpenICF without any change. However the extent of Syncope support for such connectors is not known. Legacy Sun connectors may also be used (small changes may be necessary).
Connector development
What is this? How easy it is to develop a new connector.

explain The development environments are usually reasonably good, but they often depend on proprietary tools and expensive IDEs.

explain Simple development in Java. Poor documentation. No maven archetype or any other development infrastructure.

explain Simple development in Java. Framework has reasonable documentation. Maven archetype available.

explain Connector development is not documented. The interface is not documented. There are no publicly available samples. We only award a point here because the SPML protocol itself is documented.

explain Simple development in Java. Framework has reasonable documentation. Maven archetype available.

explain Simple development in Java. Framework has reasonable documentation. Maven archetype available.
Customization
Commercial averageCzechIDMmidPointOpenIAM IDMOpenIDMApache Syncope
Flexibility
What is this? Overall flexibility of the product: ability to change its behavior to satisfy the requirements.

explain Many products are as flexible as granite. But there are also products that are reasonably flexible. The flexibility is average - on average.

explain Somewhat flexible, but most concepts are fixed.

explain MidPoint is fairly customizable, but important concepts are formalized and therefore somewhat fixed.

explain Somewhat flexible, but many concepts are fixed.

explain Extreme flexibility. Almost everything can be changed or customized.

explain Somewhat flexible, but most concepts are fixed.
Popular scripting languages
What is this? Support for Groovy, JavaScript/ECMAscript or other popular scripting languages.

explain Very, very bad. Popular scripting languages are usually not supported throughout the products; proprietary languages and mechanisms are used instead.

explain Neither Groovy nor JavaScript seems to be supported.

explain Groovy is fully supported. It is the default scripting language. JavaScript/ECMAscript is fully supported.

explain Groovy is supported in some places (connector scripts). JavaScript seems not to be supported.

explain Groovy and JavaScript are fully supported.

explain Neither Groovy nor JavaScript seems to be supported.
Other scripting
What is this? Support for other scripting languages.

explain Proprietary mechanisms. But they are usually quite good.

explain Only BeanShell is supported, and BeanShell is a discontinued language.

explain XPath v2. Support for any JSR-223 language is feasible.

explain No other scripting language seems to be supported, but some flexibility can be achieved by leveraging the built-in ESB.

explain No other scripting language is supported.

explain Good support for the JEXL language in appropriate places.
Extensible objects
What is this? Ability to extend existing object types with custom attributes. Ability to use the custom attribute in the same way as built-in attributes. Also ability of the attribute to be properly stored, indexed, displayed in forms, etc.

explain Almost all products support object extensibility. But there may be limitations with respect to extension visualization, indexing, etc.

explain There seems to be a way to extend the objects, but this requires custom code, a rebuild and most likely also an extension of the database schema. It is not present out-of-the-box.

explain Every object type can be extended with custom attributes. These attributes are automatically displayed in forms using the appropriate field type. The attributes are stored efficiently and can easily be indexed without changing the database schema.

explain Objects can be extended with 'metadata'.

explain Complete schema can be changed or extended.

explain Schema for existing object types can be extended with custom attributes.
Generic objects
What is this? Ability to define new object types beyond those that are provided by default. Also ability for these new object types to behave as a first-class citizens.

explain There are usually some mechanisms, but the extension objects are usually not first-class citizens.

explain This seems not to be supported. Only built-in object types are available.

explain New types of objects can be stored using the 'GenericObject' type, but these are not first-class citizens. However, midPoint built-in object types are very generic, therefore 99% of all object types found in IDM deployments can be represented by the built-in types present in midPoint.

explain This seems not to be supported.

explain Complete schema can be changed or extended.

explain This seems not to be supported. Only built-in object types are available.
Generic synchronization
What is this? Ability to synchronize any object with any other object.

explain There are a few products that are very good at this, but the vast majority of products do not support it.

explain It looks like there are only a few built-in synchronization paths and these cannot be extended.

explain Built-in object types can be synchronized to any type of resource object, and also the other way around. Some limitations apply to generic objects.

explain It looks like there are only a few built-in synchronization paths.

explain Anything can be synchronized with anything else.

explain It looks like there are only a few built-in synchronization paths and these cannot be extended.
Hooks/triggers
What is this? Ability to place custom code to be executed at important points in request processing.

explain There is usually a way to plug in custom code, but the quality and documentation are usually quite poor. This can also cause warranty and support problems.

explain Ability to put BeanShell code in 'rules' that are executed at appropriate places. Also the ability to customize behavior using a workflow.

explain Ability to put hooks inside the 'clockwork' algorithm that processes all requests. The hooks can modify the requests. A similar ability exists for workflows.

explain Ability to put custom code in some places, mostly by using the workflow or the ESB.

explain Ability to put custom code almost everywhere.

explain Ability to put custom code in some places. However, this needs to be either compiled Java code or workflow code.
External interfaces (APIs)
Commercial averageCzechIDMmidPointOpenIAM IDMOpenIDMApache Syncope
Local native API
What is this? Local interface available in a primary language (e.g. Java). The goal is low overhead (local calls) and efficient development (e.g. use of callbacks, asynchronous invocation, etc.)

explain Native APIs are usually available, but they are typically NOT public, not supported and not guaranteed to be upgradeable. It is also almost impossible to use them legally, as the product itself cannot be changed.

explain As CzechIDM is a Java EE application, the EJB interface can be considered to be a native API. It is not well componentized, but this is perhaps a consequence of the outdated Java EE framework. However, the most severe issue is that the documentation is only available in Czech, so anyone who does not speak that language is out of luck here.

explain Java interface publicly available and well documented (javadoc); complete product functionality is available through this interface. It is properly isolated in its own component. It uses all the conveniences that Java provides (type safety, generics, callbacks, etc.). All data types are available in the form of compiled Java classes (generated from the primary schema).

explain There is a component that could be considered to be a local API. However, it is too big to be a useful abstraction, and it has a very low abstraction level (e.g. mostly using classes, not interfaces, even exposing JPA entity classes). There is also almost no developer documentation.

explain The architecture claims that there is a 'RESTful Java API'. However, we could not find any trace of this interface in the documentation or wiki, and we were not able to identify the component in the source code, nor in the component dependencies. Therefore we have to conclude that this part of OpenIDM either does not exist or is not publicly available.

explain We have identified some traces of classes that could possibly form a Java interface. However, these are not properly componentized and not documented.
SOAP web service
What is this? Web service exposed by SOAP endpoint, WSDL definition, XSD schema, WS-Security support, etc.

explain SOAP interfaces are usually present and tend to be mostly function-complete.

explain There is a very simple SOAP interface. However, it also has no functionality to speak of, and the documentation is all in Czech, of course.

explain The SOAP interface is publicly available. Proper WSDL, XSD and namespacing is used. It is secured by WS-Security. Complete midPoint functionality that can be exposed through a web service is exposed (e.g. no callbacks). It is based on the primary XSD schema. Schema HTML documentation is automatically generated.

explain The SOAP interface is available and seems to be mostly complete. The WSDL definitions are also available, but only in the source code. However, XSD schemas seem to be completely missing.

explain A SOAP interface is obviously not available, and given the OpenIDM philosophy we seriously doubt that it will ever be available.

explain A SOAP interface seems not to be available.
REST
What is this? RESTful resource-oriented interface with proper structure according to REST architectural style (Fielding) and WWW architecture.

explain Almost no support at all, and if it is supported then the API is very weak.

explain Sorry, no REST. CzechIDM seems to be too outdated. It looks like the last major update of CzechIDM happened long before REST was fashionable.

explain The REST interface is publicly available. It is reasonably documented and it is mostly function-complete. It follows a proper REST architectural style. However, some limitations may apply, mostly due to the inherent limitations of REST.

explain There is a very minimal REST interface. It is NOT function-complete; in fact it is miles away from that.

explain The REST interface is publicly available. It is reasonably documented and it is mostly function-complete. However, it does NOT follow a proper REST architectural style. We can only guess that these deviations were made to overcome the inherent limitations of REST.

explain There is a function-complete REST interface which is used as the primary system interface. It has some limitations, which are mostly given by REST itself.
Client library
What is this? A stand-alone component that can be linked to an application code and can be used to conveniently access the IDM system over the network.

explain This varies greatly, but many products seem to have some kind of client library.

explain There are some JAXB classes that could be considered to be a client library, but they are mostly useless. And of course, it is all in Czech.

explain A Java client library is available as a stand-alone component. It contains Java code automatically generated from the primary system schema, therefore the data objects can be conveniently accessed using getters and setters (no need to use maps and constants).

explain We have not identified any client library code. However, we are awarding some points because the functionality is obviously accessible through the ESB, which can be used as a partial substitute.

explain A client library seems not to be available. The 'curl' tool seems to be the universal client.

explain There is a separate component that defines the client interface, but it is not stand-alone: the user of this interface also has to link a substantial part of Syncope code into their application. The client library is also very poorly documented.
Data Storage
Commercial averageCzechIDMmidPointOpenIAM IDMOpenIDMApache Syncope
Commercial relational databases
What is this? Ability to store data in commercial relational databases such as Oracle, Microsoft SQL Server, etc.

explain Almost all products support almost all commercial databases.

explain CzechIDM does not list supported databases. The CzechIDM documentation claims that any database is theoretically supported, but we know that there are subtle issues (such as locking and concurrency). Therefore we tend to disagree with the CzechIDM team and give an average score for this aspect.

explain Oracle and MS SQL are supported. Also MySQL.

explain Oracle and MS SQL Server are supported. Also MySQL.

explain Not very reliable data. Some documentation says that MS SQL, MySQL and Oracle are supported. Other documentation says MySQL and DB2.

explain Syncope does not list supported databases. The Syncope documentation claims that any database is theoretically supported, but we know that there are subtle issues (such as locking and concurrency). Therefore we tend to disagree with the Syncope team and give an average score for this aspect.
Opensource relational databases
What is this? Ability to store data in open source relational databases such as PostgreSQL, MariaDB, etc.

explain Quite weak. Usually only MySQL is supported.

explain CzechIDM does not list supported databases. The CzechIDM documentation claims that any database is theoretically supported, but we know that there are subtle issues (such as locking and concurrency). Therefore we tend to disagree with the CzechIDM team and give an average score for this aspect.

explain PostgreSQL and MariaDB are supported. Also MySQL.

explain PostgreSQL and MariaDB seem not to be supported. Only MySQL.

explain PostgreSQL seems to be supported in the latest version, as is MySQL. MariaDB seems not to be supported.

explain Syncope does not list supported databases. The Syncope documentation claims that any database is theoretically supported, but we know that there are subtle issues (such as locking and concurrency). Therefore we tend to disagree with the Syncope team and give an average score for this aspect.
NoSQL
What is this? Ability to store data in NoSQL databases.

explain The support is extremely rare, and we are not sure it is actually supported for production use anyway.

explain No support for NoSQL. Architecture NOT ready for NoSQL.

explain Architecture ready for NoSQL. Prototype code exists. But support is not productized yet.

explain No support for NoSQL. Architecture NOT ready for NoSQL.

explain Architecture ready for NoSQL. Experimental code for OrientDB exists and is part of the product.

explain No support for NoSQL. Architecture NOT ready for NoSQL.
Self-service
Commercial averageCzechIDMmidPointOpenIAM IDMOpenIDMApache Syncope
Self registration
What is this? Ability for anonymous user to fill out a registration form which creates a user record. Also ability to control which fields are required, field validation, CAPTCHA, etc.

explain Usually well supported.

explain It looks like the self-service functionality is completely missing. We cannot find any trace of it in the GUI, source code or documentation.

explain Not supported out-of-the-box. It can be implemented using custom code in the GUI or by using an external user interface.

explain A registration form is available out-of-the-box. It is quite comprehensive and seems to be configurable. However, the ease of use is not really the best.

explain A registration form is part of the default user interface. However, it is hardcoded to match only some configurations of OpenIDM and has to be modified for almost every OpenIDM deployment.

explain A registration form is available out-of-the-box. However, it is obviously NOT designed for an end user; e.g. it shows fields such as 'derived attributes' that will surely confuse the user.
Edit profile
What is this? A dialog that allows user to change some of their own user profile details. Also ability to control which fields are displayed, which fields are editable, etc.

explain Usually supported. But the pages are often ugly, inflexible and not really fun to use.

explain It looks like the self-service functionality is completely missing. We cannot find any trace of this GUI, source code or documentation.

explain 'Edit user' page in the administration interface can be used for this purpose. It automatically adapts to user authorizations. However integration with other self-service components is not perfect yet. An alternative implementation is possible using custom code.

explain 'Edit profile' page is available out-of-the-box. Like much of the OpenIAM GUI this is not the most attractive page in the world. But it works.

explain 'Edit profile' page is part of the default user interface. However it is hardcoded to match only some configurations of OpenIDM and it has to be modified for almost every OpenIDM deployment.

explain We are not sure about this one. There is no special page for this in the user interface. Several facts suggest that this could be set up using authorizations. But we have not managed to configure it.
Password change
What is this? Ability for a user to change his own password (when the user still knows the old password). Also ability to select/filter resources, apply policies, etc.

explain Usually reasonably well supported.

explain It looks like the self-service functionality is completely missing. We cannot find any trace of this GUI, source code or documentation.

explain 'Password change' page is part of the product out-of-the-box. It allows the user to select the affected resources. However integration with other self-service components is not perfect yet.

explain 'Password change' page is available out-of-the-box. Although it is quite simplistic it does the job.

explain 'Password change' page is part of the default user interface. As password is quite standardized attribute this is likely to work without modification. However the page is very simplistic.

explain We are not sure about this one. There is no special page for this in the user interface. Several facts suggest that this could be set up using authorizations. But we have not managed to configure it.
Password reset
What is this? Ability for a user to reset his own password when the old password is lost. Support for verification mail, security questions, etc.

explain Usually reasonably well supported. Although many products are limited only to security questions.

explain It looks like the self-service functionality is completely missing. We cannot find any trace of this GUI, source code or documentation.

explain Not available out-of-the-box. This feature is being developed. In the meantime support is possible using custom code.

explain Password can be reset by answering a set of user-defined security questions.

explain Looks like it is not available out-of-the-box. It can be implemented using custom code.

explain Password reset functionality is available out-of-the-box. It is very simple: a single security question and answer.
Account summary
What is this? Simple page that provides easily understandable information about user's accounts, entitlements, group membership, etc.

explain Some kind of information is usually presented. But it is almost always very ugly and it almost never contains entitlements.

explain It looks like the self-service functionality is completely missing. We cannot find any trace of this GUI, source code or documentation.

explain Account summary is part of the user dashboard. It shows accounts and assignments, but entitlement information is missing.

explain 'Manage identities' page is available out-of-the-box. It displays most of the information - except for entitlements (groups).

explain Looks like it is not available out-of-the-box. It can be implemented using custom code.

explain We are not sure about this one. There is no special page for this in the user interface. The account details are only shown on the 'edit user' page. Therefore it is questionable whether a read-only version can be easily displayed. However this can obviously be implemented using custom code.
Password agents
What is this? Agents that capture cleartext passwords and send them to IDM for distribution. E.g. agents for Active Directory, LDAP servers, etc.

explain Varies. But most products seem to have at least an agent for AD.

explain It looks like the self-service functionality is completely missing. We cannot find any trace of this GUI, source code or documentation.

explain Password agent for Active Directory is available as a separate project.

explain Password agents for OpenDJ and Active Directory are mentioned in the documentation. Binaries of the OpenDJ agent can even be downloaded. But the source code cannot be found. Therefore we have to assume that these are not open source parts of OpenIDM and we have to exclude them from this evaluation.

explain Password agents for OpenDJ and Active Directory are mentioned in the documentation. Binaries of the OpenDJ agent can even be downloaded. But the source code cannot be found. Therefore we have to assume that these are not open source parts of OpenIDM and we have to exclude them from this evaluation.

explain Password synchronization agents seem to NOT be available. There is no mention in the documentation, in the source code or among the Github repositories.
Other self-service functionality
explain Varies.

explain It looks like the self-service functionality is completely missing. We cannot find any trace of this GUI, source code or documentation.

explain Actually midPoint does not have a dedicated self-service interface. The administration and the self-service are provided by the same application. Therefore all the delegated administration functions are fully accessible. It only depends on the authorization policies.

explain Self-service GUI allows executing some tasks that would normally be classified as delegated administration. The functionality is quite rich.

explain There is nothing else. Especially the ability to execute delegated administration is missing.

explain Obviously parts of the functionality can be exposed to the end user by using privilege delegation.
Security
Commercial averageCzechIDMmidPointOpenIAM IDMOpenIDMApache Syncope
Authentication
What is this? Flexibility of authentication mechanisms, integration with SSO systems, etc.

explain Some systems have quite fixed authentication. Others have some ability to configure it. Yet others integrate with an AM system. This greatly varies.

explain The authentication mechanism seems to be hardcoded. However it looks like CzechIDM allows delegation of authentication to a resource.

explain Only authentication based on local database is supported out-of-the-box. Other options are available by changing Spring-security configuration (requires rebuild).

explain OpenIAM suite also contains access management part. The IDM part naturally integrates with that. It looks like authentication flexibility is achieved by configuring the AM part.

explain Authentication is somewhat flexible. OpenIDM supports several options (e.g. integration with OpenAM). But custom code is usually required.

explain This is a bit of a mystery. It looks like the authentication is currently hardcoded. Spring security seems not to be used. It cannot be configured in the GUI. It looks like some improvements are planned for the next version.
Authorization
What is this? Ability to control who can do what. Overall authorization flexibility and architecture.

explain Usually not great. And too often the actual mechanism is very confusing. Authorization in depth is very rare.

explain Authorization seems to be implemented both at the user interface level (GUI) and inside the business logic. Which means there is some kind of authorization in depth.

explain Authorization is an integral part of the system. It is implemented on three layers: GUI, interface and data. The request must satisfy all the policies on all levels to be allowed. This means that midPoint implements 'authorization in depth' concept.

explain Authorization seems to be implemented only at the user interface (GUI) level. This is very weak. It looks like there is no authorization on the interface level and absolutely no authorization in depth.

explain Authorization seems to be implemented only at the interface (REST) level. It looks like there is no authorization in depth. The authorization code is in fact scripting code. This is a flexible solution but it either does not scale or it tends to be insecure (or both).

explain Authorization seems to be implemented at the interface (REST) level. This makes sense for Syncope architecture but it is still quite weak. It looks like there is no authorization in depth.
Fine-grained authorization
What is this? Ability to specify authorization policies on a fine granularity (e.g. on the attribute level)

explain Seems to be present in most systems in one way or another.

explain The authorizations seem to be very coarse-grained. Attribute-level authorization seems not to be supported.

explain Authorization policies are very fine-grained. Authorizations can be specified down to the individual attributes of any object. The system automatically uses the authorization statements to rewrite database queries, which keeps the system scalable. The system also automatically filters and reduces search results.

explain This seems not to be supported by the authorization subsystem. The control over attributes can be partially achieved by customizing the GUI (which is obviously inspired by Sun IDM). However this is very weak and it is generally a bad security practice.

explain Not implemented out-of-the-box. Can be partially implemented using custom code. But it cannot be done efficiently as there seems to be no support for query rewriting. And even if there is such support this approach tends to be very inconsistent and insecure. It also cannot be analyzed using formal tools and therefore it is a major obstacle for security audits. From a security point of view this is a bad practice.

explain This seems not to be supported by the authorization subsystem. Honestly, we have no idea how access to individual attributes can be controlled.
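The 'authorization in depth' and query-rewriting points made above are easier to see in code. What follows is an added example written for this page, not midPoint's code nor that of any other evaluated product: the tuple filter encoding, the Authorization record, the 'Project X' administrator policy and the sample objects are all assumptions. The same policy is enforced three times: the query is rewritten before it reaches the data store, the returned objects are redacted again at the interface layer, and modifications are checked attribute by attribute in the business logic.

```python
# Added illustration of attribute-level authorization with query rewriting and
# result redaction. Not code from midPoint or any other evaluated product; the
# filter encoding, the Authorization model and the sample data are assumptions.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Filters are nested tuples: ("all",), ("none",), ("eq", attr, value),
# ("and", f, g) and ("or", f, g). A real product would use its own query AST.
Filter = Tuple


@dataclass(frozen=True)
class Authorization:
    action: str  # "read" or "modify"
    object_type: str  # object type the rule covers
    org: Optional[str] = None  # only objects in this org; None = any org
    attributes: Optional[FrozenSet[str]] = None  # None = every attribute


def matches(flt: Filter, obj: Dict) -> bool:
    """Evaluate a filter against one stored object (stands in for the database)."""
    kind = flt[0]
    if kind == "all":
        return True
    if kind == "none":
        return False
    if kind == "eq":
        return obj.get(flt[1]) == flt[2]
    if kind == "and":
        return matches(flt[1], obj) and matches(flt[2], obj)
    if kind == "or":
        return matches(flt[1], obj) or matches(flt[2], obj)
    raise ValueError("unknown filter kind: %r" % (kind,))


def rewrite_query(authz: List[Authorization], action: str,
                  object_type: str, user_filter: Filter) -> Filter:
    """Data layer: AND the caller's filter with the scope the subject may see.
    With no matching authorization the scope is ("none",), so the query itself
    returns nothing instead of relying on a later check to discard results."""
    scope: Filter = ("none",)
    for a in authz:
        if a.action != action or a.object_type != object_type:
            continue
        clause: Filter = ("all",) if a.org is None else ("eq", "org", a.org)
        scope = clause if scope == ("none",) else ("or", scope, clause)
    return ("and", user_filter, scope)


def allowed_attributes(authz: List[Authorization], action: str,
                       obj: Dict) -> Optional[FrozenSet[str]]:
    """Attributes the subject may touch on this object: None = unrestricted,
    empty set = no access at all."""
    allowed, unrestricted = set(), False
    for a in authz:
        if a.action != action or a.object_type != obj["type"]:
            continue
        if a.org is not None and obj.get("org") != a.org:
            continue
        if a.attributes is None:
            unrestricted = True
        else:
            allowed |= a.attributes
    return None if unrestricted else frozenset(allowed)


def search(store: List[Dict], authz: List[Authorization],
           object_type: str, user_filter: Filter) -> List[Dict]:
    """Interface layer: run the rewritten query, then redact every result again.
    The second pass is the 'in depth' part: a caller that somehow reaches this
    layer with an unrewritten filter still never sees unauthorized attributes."""
    rewritten = rewrite_query(authz, "read", object_type, user_filter)
    out = []
    for obj in store:
        if obj["type"] != object_type or not matches(rewritten, obj):
            continue
        vis = allowed_attributes(authz, "read", obj)
        if vis is None:
            out.append(dict(obj))
        elif vis:  # 'type' is always kept; every other attribute needs a rule
            out.append({k: v for k, v in obj.items() if k == "type" or k in vis})
    return out


def authorize_modify(authz: List[Authorization], obj: Dict, delta: Dict) -> bool:
    """Business-logic layer: every changed attribute must be covered by a
    'modify' authorization that applies to this particular object."""
    vis = allowed_attributes(authz, "modify", obj)
    return vis is None or set(delta) <= vis


# Constructed sample data (not taken from any product).
STORE: List[Dict] = [
    {"type": "user", "name": "alice", "org": "Project X", "email": "alice@example.com", "salary": 5200},
    {"type": "user", "name": "bob", "org": "Project X", "email": "bob@example.com", "salary": 4800},
    {"type": "user", "name": "carol", "org": "Finance", "email": "carol@example.com", "salary": 6100},
    {"type": "role", "name": "Public Role A", "org": "Public Roles"},
]

# Delegated administrator for 'Project X': reads a few user attributes there,
# may change e-mail addresses there, and may see any role in 'Public Roles'.
PROJECT_X_ADMIN: List[Authorization] = [
    Authorization("read", "user", org="Project X", attributes=frozenset({"name", "org", "email"})),
    Authorization("modify", "user", org="Project X", attributes=frozenset({"email"})),
    Authorization("read", "role", org="Public Roles"),
]
```

Searching for 'carol' with the PROJECT_X_ADMIN policy yields the rewritten filter `("and", ("eq", "name", "carol"), ("eq", "org", "Project X"))`, which returns nothing; a search over all users returns alice and bob without their salary attribute; changing bob's e-mail is allowed, changing his salary is not. The point of rewriting the query rather than post-filtering is that a subject with a narrow scope does not force the store to materialize every object only to throw most of them away, and the point of redacting again afterwards is that the data-layer check is not the only thing standing between the caller and the data.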
Delegated administration
What is this? Ability to delegate administrative tasks to specific user groups. E.g. ability to specify administrators for individual divisions, ability to delegate some functions to the call center, etc.

explain Usually present. But often very simplistic.

explain Authorizations can obviously be bound to an organizational unit. However this is quite limited. Especially because the authorizations are very coarse-grained and the organizational structure of CzechIDM is too simplistic to provide real flexibility.

explain Authorizations can be scoped to individual organizational units (divisions, projects, teams) with respect to both object of the authorization and target. E.g. an authorization can allow to assign any role that belongs to 'Public Roles' group to any user that belongs to organization 'Project X'.

explain Control over organizations can be delegated and executed in the self-service interface.

explain Not implemented out-of-the-box. Can be partially implemented using custom code. However the utility is very limited as OpenIDM does not support organizational structure.

explain Syncope has no support for organizational structure therefore also delegated administration is most likely unsupported.
Privilege delegation
What is this? Ability to delegate privileges of one user to another user. E.g. allow one user to take all the responsibilities of another user during a vacation.

explain Not very common as out-of-the-box feature. But it almost always can be implemented.

explain There seems to be support for approval delegation. But nothing more. As CzechIDM does not support temporary role assignment any better support is unlikely to be feasible.

explain Not supported out-of-the-box. However midPoint supports temporary role assignments. Custom workflow code can be used to temporarily assign all roles of one user to another user.

explain This seems to be only partially supported in the scope of the workflow. Custom workflow code is very likely required.

explain Not supported out-of-the-box. Can be partially implemented using custom code. But as OpenIDM does not support temporary role assignment the implementation is likely to be very complex and fragile.

explain Syncope has a way to use authorization to delegate role access to another user. This is a bit cumbersome but it obviously works.
Audit
What is this? Ability to record all the operations of the users and the system down to a very fine details.

explain Present in all systems. The level of detail is usually reasonably fine-grained. But not always.

explain It looks like only very coarse-grained data are recorded in the audit log. There is a special audit log that records changed attributes of users. But it does not record the attributes of organizations or roles.

explain MidPoint records all operations in the audit log regardless of the source (user-initiated, scheduled, synchronization-initiated). The information is recorded at a very fine level, e.g. a complete record of every changed attribute (delta) is stored. Auditing to files and to a database table is supported.

explain OpenIAM seems to record all operations in the audit log at a reasonable level of detail.

explain OpenIDM seems to record all operations in the audit log at a very fine level, e.g. complete objects are recorded. However there seem to be several audit logs with different formats.

explain Syncope obviously records something in the audit log. But we are not entirely sure what. The documentation is missing and we have not managed to figure out how to run audit log report from the GUI.
Workflow
Commercial averageCzechIDMmidPointOpenIAM IDMOpenIDMApache Syncope
Workflow engine
What is this? Whether the product contains built-in or default workflow engine and how good the engine is.
Proprietary

explain NIH syndrome in practice. Almost all the commercial systems have proprietary workflow engines.
jBPM

explain CzechIDM is using a quite old version of the jBPM engine.
Activiti

explain Activiti is unquestionably the state-of-the-art opensource workflow engine.
Activiti

explain Activiti is unquestionably the state-of-the-art opensource workflow engine.
Activiti

explain Activiti is unquestionably the state-of-the-art opensource workflow engine.
Activiti

explain Activiti is unquestionably the state-of-the-art open source workflow engine.
Workflow engine integration
What is this? How well is the workflow engine integrated into the system. Is it natural part of the system or was it added just as an afterthought? Are the workflow action items (such as approvals) reasonably integrated into the user interface?

explain Greatly varies.

explain The workflow is well integrated. It looks like most (if not all) actions are routed through workflow by default. But it looks like this cannot be turned off.

explain Workflow engine is well integrated into the system. It is automatically invoked at appropriate stages of request execution. But it can be turned off if needed.

explain The workflow is well integrated. It looks like most actions are routed through workflow by default.

explain The workflow is not well integrated. It looks like the workflow can only be invoked from reconciliation and by using custom code.

explain The workflow is well integrated. It looks like most (if not all) actions are routed through workflow by default. However the workflow can be turned off by using the provided 'NoOp' engine.
Built-in approval workflow
What is this? Whether the product contains built-in or default approval workflow and what are the capabilities. Approval process is a usual part of IDM solutions and it is not entirely trivial to implement.

explain Approval capability seems to be the must-have. But it is very limited in some systems.

explain Approval process is available out-of-the-box. It is obviously designed for a simple role approval process. Custom workflow code is needed for more complex situations.

explain Approval process is available out-of-the-box. It is well integrated into the system. E.g. the system computes the approvals needed to process the request. The workflow just executes them, which makes the workflow simpler. Simple approval schemes, multi-level approval or completely custom schemes are supported. The only drawback is a slightly confusing user interface.

explain Approval process is available out-of-the-box. Approvers can be set for most OpenIAM objects. The approval process seems to be quite comprehensive.

explain Approval process is not available out-of-the-box. However some samples exist. The approvers need to be computed inside the workflow using custom workflow code. It also looks to be integrated into the default user interface. But as the user interface is mostly a useless prototype this is a very small benefit.

explain Approval process is available out-of-the-box. Approvers cannot be explicitly set but it looks like the concept of role owner is used instead.
Generic workflows
What is this? Can the workflow be customized? Can any type of custom workflow be plugged into the IDM processes?

explain The systems are usually capable of executing any workflow. Also support in the GUI is quite common.

explain There is obviously some support for custom workflow execution in the web service interface. But it is not very powerful.

explain Any kind of workflow can be used to process any kind of request over any kind of business object (even role and organizational units). The workflow can be executed at two stages: before the roles are applied and after the roles are applied. This allows implementing workflows for different purposes (e.g. business-oriented workflows and sysadmin-oriented workflows).

explain We are not certain about this. The workflow engine seems to be a generic ESB service therefore it should be theoretically possible to use it for any kind of workflow. But we were not able to locate any explicit support for this in the OpenIAM user interface or documentation.

explain Any kind of workflow can be used to process any kind of request over any kind of object - provided that it is invoked using custom code.

explain We are not certain about this. Execution of custom workflow should be possible but there seems to be no support for it in the GUI and no documentation.
Workflow standards
What is this? Does the workflow support workflow standards (such as BPMN)?

explain As the workflow engines are usually proprietary the BPMN2 adoption is very slow.

explain BPMN2 seems not to be supported. Proprietary jBPM language is used.

explain BPMN2 is fully supported.

explain BPMN2 is fully supported.

explain BPMN2 is fully supported.

explain BPMN2 is fully supported.
Pluggable workflow engine
What is this? How easily can the default workflow engine be replaced? Can the product use a different engine? Or can it invoke remote workflow system instead?

explain Almost no system allows replacing the workflow engine. And even if it theoretically allows it this is almost certain to void the warranty and support.

explain It looks like the workflow engine is very tightly bound with the system and that it cannot be replaced and even cannot be turned off.

explain Replacement of the workflow engine or integration with an external workflow engine is possible. But it requires custom Java code and a rebuild.

explain It looks like architecturally and theoretically it should be replaceable as it is an ESB service. However the practice may not always match the theory. And we have found no indication that this was actually tried or that it is supported.

explain It looks like the built-in Activiti engine is not easy to replace. However it is obviously possible to integrate another engine (as long as it works in OSGi) or invoke an external workflow. However custom code is needed for that.

explain Syncope workflow engine is definitely pluggable. There is a working support for it and there is also a documentation (which is quite surprising in this project).
Governance, risk assessment, compliance and forensic
Commercial averageCzechIDMmidPointOpenIAM IDMOpenIDMApache Syncope
Segregation of duties
What is this? Ability to exclude privileges or groups of privileges that cannot be assigned to the same identity at the same time.

explain Role exclusion mechanism seems to be common out-of-the-box. More advanced policies can usually be implemented using custom code (e.g. workflow).

explain Not supported out-of-the-box. Can be implemented using custom code.

explain Role exclusion mechanism is available out-of-the-box. More advanced policies can be implemented using custom code (e.g. workflow).

explain Not supported out-of-the-box. Can be implemented using custom code.

explain Not supported out-of-the-box. Can be implemented using custom code.

explain Not supported out-of-the-box. Can be implemented using custom code.
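A role exclusion mechanism of the kind described above is only useful if it looks at the roles a new assignment brings in through the role hierarchy, not just at the role being assigned. The following is an added example for this page, not code from any of the evaluated products; the catalogue format ('induces' and 'excludes' lists) and the payment roles are constructed for illustration. It resolves the transitive closure of induced roles first, treats exclusion as symmetric, and reports only the conflicts a new assignment introduces.

```python
# Added illustration of a segregation-of-duties check based on role exclusion.
# Not code from any evaluated product; the catalogue format and the sample roles
# are assumptions. Roles induced through the hierarchy are resolved first, so a
# conflict hidden behind a parent role is still caught.
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample catalogue: role -> roles it induces and roles it excludes.
ROLES: Dict[str, Dict[str, List[str]]] = {
    "Payments App User": {"induces": [], "excludes": []},
    "Payments Clerk": {"induces": ["Payments App User"], "excludes": ["Payments Approver"]},
    "Payments Approver": {"induces": ["Payments App User"], "excludes": ["Payments Clerk"]},
    "Finance Manager": {"induces": ["Payments Approver"], "excludes": []},
    "Auditor": {"induces": [], "excludes": ["Finance Manager", "Payments Clerk"]},
}


def effective_roles(assigned: Iterable[str], catalogue: Dict) -> Set[str]:
    """Transitive closure over 'induces' (cycle-safe); unknown roles induce nothing."""
    seen: Set[str] = set()
    stack = list(assigned)
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        stack.extend(catalogue.get(role, {}).get("induces", []))
    return seen


def find_conflicts(assigned: Iterable[str], catalogue: Dict) -> List[Tuple[str, str]]:
    """Every pair of effective roles where one excludes the other.
    Exclusion is treated as symmetric: declaring it on one side is enough."""
    effective = effective_roles(assigned, catalogue)
    conflicts: Set[Tuple[str, str]] = set()
    for role in effective:
        for excluded in catalogue.get(role, {}).get("excludes", []):
            if excluded in effective:
                conflicts.add(tuple(sorted((role, excluded))))
    return sorted(conflicts)


def check_assignment(current: Iterable[str], requested: str,
                     catalogue: Dict) -> Tuple[bool, List[Tuple[str, str]]]:
    """Decide whether adding 'requested' to 'current' is allowed.
    Only conflicts introduced by the new assignment are reported, so a user who
    already violates a policy is not blocked from unrelated changes; the existing
    violation is something for a recertification campaign to clean up."""
    before = set(find_conflicts(current, catalogue))
    after = set(find_conflicts(list(current) + [requested], catalogue))
    introduced = sorted(after - before)
    return (not introduced, introduced)


if __name__ == "__main__":
    # 'Finance Manager' looks harmless but induces 'Payments Approver',
    # which is excluded for anyone holding 'Payments Clerk'.
    print(check_assignment(["Payments Clerk"], "Finance Manager", ROLES))
```

With the sample catalogue, assigning 'Finance Manager' to a 'Payments Clerk' is refused with the conflict pair ('Payments Approver', 'Payments Clerk') even though neither role names the other directly, while assigning 'Payments App User' is allowed. The same function can be called from an approval workflow to decide whether a request needs an extra approver, or from a bulk task over all users to produce the list of existing violations.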
Recertification (attestation)
What is this? Support for regular reviews and re-approvals of assigned privileges.

explain Usually supported. May not be very convenient, but the functionality is usually there.

explain Not available out-of-the-box. It can be partially implemented as a custom workflow.

explain Not available out-of-the-box. It can be partially implemented as a custom workflow.

explain Basic re-certification task is available as a sample. More complex cases can obviously be implemented as a custom workflow.

explain Not available out-of-the-box. It can be partially implemented as a custom workflow.

explain Not available out-of-the-box. It can be partially implemented as a custom workflow.
Role analysis
What is this? Support for automated analysis of privileges aiming at assisted design of RBAC structures. E.g. Role mining, role suggestions, etc.

explain Still not common, but some functionality is present. However some vendors have specialized analytic products therefore the functionality in IDM products is understandably not present.

explain Not supported. Can be implemented by (complex) custom code or an external system. But it is going to be very tough.

explain Not supported. Can be implemented by (complex) custom code or an external system. But it is going to be very tough.

explain Not supported. Can be implemented by (complex) custom code or an external system. But it is going to be very tough.

explain Not supported. Can be implemented by (complex) custom code or an external system. But it is going to be very tough.

explain Not supported. Can be implemented by (complex) custom code or an external system. But it is going to be very tough.
Reporting
What is this? Support for producing well-formatted human-readable reports (e.g. in HTML or PDF) that contain information from the IDM system and/or the resources. Also ability to easily configure custom reports, modify the report design, etc. (Simple data export from a database is NOT considered to be reporting)

explain The support for reporting seems to be generally quite good.

explain It looks like only an audit log report is available.

explain The reporting is implemented by integrating with the popular JasperReports library. The reporting is fully integrated with the product code and task management. However the GUI support is mostly missing. Custom reports can be created but the XML report definition needs to be created using JasperReports tools and then imported into MidPoint.

explain The reporting is implemented by integrating with the BIRT project. GUI provides only very minimal features. The reports can be extended but some custom code is needed for that.

explain OpenIDM does not include any reporting component out-of-the-box. It cannot generate readable reports. The reporting has to be done by an external component or by using complex custom code.

explain The reporting in Syncope seems to be implemented using Apache Cocoon. Cocoon is not exactly a full-blown reporting framework and its capabilities can be limited. The upside is that there is an integrated GUI configuration for reports.
History reports
What is this? Support for storage of historical data and ability to analyze them. E.g. ability to report who had a particular role 6 months ago.

explain Usually only audit log information is available. Advanced support is usually missing.

explain Only audit log information is available. Advanced support is missing. This feature is NOT present on the product roadmap.

explain Only audit log information is available. Advanced support is missing. However this feature is on the product roadmap.

explain Only audit log information is available. Advanced support is missing.

explain Only audit log information is available. Advanced support is missing. This feature is NOT present on the product roadmap.

explain Only audit log information is available. Advanced support is missing. This feature is NOT present on the product roadmap.
Operation
Commercial averageCzechIDMmidPointOpenIAM IDMOpenIDMApache Syncope
Hardware resource efficiency
What is this? Systems that consume a lot of CPU, RAM or overload disks will have a low score here.

explain ElephantWare at its best. The heavyweight architecture takes its toll.



explain OpenIAM is the most resource-hungry of all the evaluated systems. In fact it consumes several times more resources than other systems.

explain OpenIDM has the smallest footprint of all the evaluated systems. However do not forget that it is also the smallest project and that it shifts the GUI overhead to the client.

Reliability
What is this? Whether the system actually works, all the time, reliably, without strange bugs.

explain The systems usually work quite well once the deployment battle is won. But once they fail there is usually nothing that an engineer can do except for filing a problem report.

explain The system failed several times during the tests. It just won't start correctly. Voodoo methods such as several restarts and clearing browser cookies solve the problem. This indicates that the system is not very stable. There are also numerous bugs in the GUI. Our guess is that the outdated infrastructure and libraries are causing the problems.

explain Worked perfectly during the tests.

explain Worked perfectly during the tests.

explain Worked perfectly during the tests.

explain Worked very well during the tests. We have experienced some issues while working with reports.
High availability
What is this? Ability to work in clusters, geoclusters or other distributed configurations.

explain Must-have. Looks like every single product supports it. However the support may require heavyweight cluster, extra software or licensing. It may be very expensive.

explain HA configuration seems not to be supported!

explain Supported operation in lightweight cluster: web load balancer, shared (clustered) database, support for task failover

explain HA support based on Java EE container. While this will work well it can significantly increase the deployment cost. HA-capable containers are usually quite expensive.

explain Supported operation in lightweight cluster: web load balancer, shared (clustered) database, support for task failover

explain Supported operation in lightweight cluster: web load balancer, shared (clustered) database, support for task failover
Export/import
What is this? Ability to export all system data and import it to a different system. This is useful for configuration management, migrations (dev->test->prod), backup and restore, upgrades and variety of other reasons.

explain Most products seem to support it. But it looks like there are exceptions.

explain Export/import of configuration seems not to be supported. Maybe database export/import can be used instead.

explain Complete configuration and data can be exported and imported in XML.

explain Export/import of configuration in a document form seems not to be possible. Database export/import could perhaps be used instead.

explain Export/import possible. Indirectly. But it is complicated by the fact that many 'configuration' aspects are in fact custom code which is not that easy to export/import.

explain XML Export/import of configuration is supported.
Bulk actions
What is this? Ability to efficiently execute operations on a selected objects in a batch mode.

explain Most products seem to support it. But it looks like there are exceptions.

explain We have not found any support for bulk actions.

explain Batch tasks are fully supported. It is combination of search query (that selects objects) and a script to be executed with each object.

explain Bulk operations are supported although the implementation is not very generic and the capabilities are limited.

explain Seems not to be supported.

explain Only very limited bulk actions are supported.
Logging
What is this? Ability to control what information is logged, ability to log debug and tracing information, whether the log messages are easy to understand, etc.

explain Generally the situation is a disaster. The use of obsolete logging mechanisms seems to be the unwritten law. It is common that a single product has two or three logging systems and configurations. The log records are not very useful for a deployer. They are usually used just as incomprehensible data that the deployer copies and pastes into the trouble ticket system.

explain It looks like CzechIDM logs almost nothing at all. The logfiles are flooded with logging noise from JBoss and libraries. Troubleshooting CzechIDM is likely to be very tough.

explain Logging can be controlled at a very fine grain. Logging messages are appropriate and understandable. The team has clear guidelines for logging message levels and formats.

explain Log levels are poorly chosen. The logs are flooded by useless messages. At least there are not too many useless warnings and exceptions.

explain The logging levels are all wrong. Unimportant information is logged at INFO level and floods the logs. Warnings seem to be normal. The information is often very cryptic. Developer documentation almost does not exist therefore it is not clear whether there are proper guidelines.

explain Logging is all wrong! Lots of noise at the INFO level. Warnings are normal. There are even exception traces in the logfiles during normal operation. The guidelines for logging are obviously not defined and this is a major drawback.
Documentation
Commercial averageCzechIDMmidPointOpenIAM IDMOpenIDMApache Syncope
Architectural documentation
What is this? Documentation of architecture, subsystems, components, dependencies, modules, UML diagrams, ...

explain Terrible. Usually only information suitable for marketing slides is available. Deep technical information is almost always impossible to get. Do the vendors consider it to be trade secret?

explain Leaves much to be desired.

explain Complete architecture documented, all the subsystems and components, complete schema (automatically generated), UML diagrams. Some documentation slightly outdated.

explain Almost no architectural documentation.

explain Very little architectural documentation.

explain Almost no documentation at all!
Administration documentation
What is this? Documentation describing system configuration, administration and customization

explain Almost all the products have excellent documentation.

explain Good documentation, relative to CzechIDM's very limited features.

explain Complete documentation is 'live' in the wiki, continually maintained. Very good quality.

explain Good administrator documentation. Slightly less good when it comes to customization.

explain Excellent professional style, sufficiently complete, but the 'live' information in the wiki is quite sparse and outdated.

explain Only the very minimum. It is vastly insufficient.
Developer documentation
What is this? Documentation describing how the system is implemented, how to create plug-ins and other programming extensions, how to contribute to the project, etc.

explain Usually very weak. Almost always limited to development of simple product extensions. It looks like the common practice is to 'route' all the complex tasks to the vendor's professional services division.

explain Some topics are documented but many are not.


explain Absolutely insufficient.

explain Good documentation for JavaScript extensions. But poor documentation about OpenIDM implementation.

explain Just a couple of pages. Definitely insufficient.
Community
Commercial average | CzechIDM | midPoint | OpenIAM IDM | OpenIDM | Apache Syncope
Version control system
What is this? Where is the source code maintained? Is the history public? What are the technical obstacles to contribution?
Not public

explain Source code not available. By definition.
Git (self-hosted)

explain Distributed version control. But the team does not use GitHub or a similar community site, and also does not publish any information about the contribution process.
Git (github)

explain Distributed version control. Very low entry barrier for contributions. No a priori permission is required.
Git (github)

explain Distributed version control. Very low entry barrier for contributions. No a priori permission is required.
Subversion

explain Centralized version control. Very high entry barrier for contributions. A priori permission is required and the contribution must pass mandatory code review.
Git (github,apache)

explain Distributed version control. Very low entry barrier for contributions. No a priori permission is required.
Community support
What is this? Publicly shared information, e.g. in mailing lists, wiki, bug tracking, knowledge base, etc. Information that is only accessible to subscribers or behind a paywall is NOT considered to be community support.

explain Public support forums are usually not very useful. Commercial support is required.

explain It looks like community support does not exist. There is no wiki, no bug tracking, no mailing lists, ...

explain Wiki is publicly available and very rich. Bug tracking system is also publicly available. Mailing lists are moderately active. Questions are answered quickly and openly.

explain Wiki is publicly available with good information. But the bug tracking system is NOT publicly available. Mailing lists exist but are almost entirely empty.

explain Wiki is publicly available. But it is not very rich and it is outdated. Bug tracking system is publicly available. Mailing lists are moderately active. Questions are answered quickly. But many questions remain unanswered or are 'redirected' to the sales department.

explain Wiki is publicly available. Although the amount of information is limited, the team obviously shares everything they have publicly. Bug tracking system is publicly available. Mailing lists exist and are quite active. Questions are properly answered.
Roadmap
What is this? Is the project roadmap publicly available? Is product development planning transparent and predictable? Can the roadmap be influenced by the community?

explain Some kind of roadmap is usually publicly available. But there is no practical way to influence it unless the customer is a huge multi-national company or something similar.

explain We could not find any roadmap information at all.

explain Roadmap is publicly available. It can be influenced by the community, but it is usually not discussed in public. The roadmap is set up by Evolveum and discussed with the partners.

explain Roadmap is NOT publicly available. We have found no information about next releases.

explain Roadmap is publicly available but it only describes one release. The roadmap is not discussed in public. It looks like the roadmap cannot be significantly influenced by the community.

explain Roadmap is publicly available. It covers many future releases and seems to be connected to the bug tracking system. The plans are publicly discussed.
Contributions
What is this? Is the code a product of a closed team in a single company or is it a group effort? How many independent groups or developers contribute to the project? This is a crucial aspect because the companies behind open source projects tend to be small and there is always a risk of failure. However, if the project has a broad community, it is very likely that product development will continue even if the project founder fails.

explain Usually none at all. It looks like the common practice is also to turn down contributions from the partner networks.

explain According to the source code history there are no contributions.

explain There are few contributions from outside the Evolveum team. The community mostly contributes ideas but not yet actual code. Yet the contributions exist and the team is open to more contributions.

explain According to the source code history, OpenIAM seems to be a cooperation of at least two companies. However, it is questionable whether this can be considered a proper contribution, as the communication is obviously not public.

explain As OpenIDM uses a centralized version control system, it is almost impossible to judge the amount of contributions. By looking at the source code history we guess that there are almost no contributions at all. This opinion is also supported by the very high entry barrier for contributors.

explain The team is composed of many companies and individuals. There are many contributions. Communication seems to be mostly public.
Openness
What is this? How much is the project open to the public? Are the product design and architecture discussed in public? Is the planning done in public? Is everything done in a clean and transparent open source way?

explain These are CLOSED source products. And they mostly stick to it.

explain Perhaps the only thing that makes this project classify as open source is the license.

explain System architecture is completely public. Important issues are publicly announced on mailing lists. Development is reasonably transparent.

explain Very obscured. There are conflicting statements about which license actually applies to the source code. The project used an open core model in the past, but now no information about this is available. It looks like almost the entire project history was purged at least once.

explain System architecture details are not public. Development is somewhat obscured. Parts of the system are obviously developed out of public sight. Release binaries are not publicly downloadable. ForgeRock is obviously using private branches in some of their development projects. While we have not observed this behavior in OpenIDM, it is possible that ForgeRock will use private branches in this project as well.

explain A proper open source strategy is implemented and is obviously overseen by the Apache Foundation. Everything about Syncope seems to be public. This is by far the most open of all the evaluated projects.