Identity Management Then and Now: The SAP MaXware story

Today I find myself on a short consultancy visit at the King Abdullah University of Science and Technology (KAUST) in Saudi Arabia for leading local SAP partner RFID Saudi est.  The University is busy integrating different business systems like SAP HR (HCM) and the Student administration system (SCLM) to its portal, email system and Active Directory.


King Abdullah University of Science and Technology (KAUST) in Saudi Arabia

Many people in the Identity and Access Management Industry best know me as Managing Director of MaXware UK until the 2007 SAP acquisition. In fact I was part of the five person core management buy-out team, that acquired the company from EDB Business partners in Norway five years earlier. Today wind forward another five years and I was pleased to get the opportunity to get my hands dirty again in a slightly more technical role than usual. This enabled me to see for myself how much has changed in the look and feel of the old IdentityCenter and Virtual Directory products relabelled SAP NetWeaver IDM.

This slideshow requires JavaScript.

A bit of IDM history

First of all I should explain that when we started Maxware, I believe the term Identity Management hadn’t been invented yet. We called our product a ‘Meta Directory’, a term first introduced by Canadian company Zoomit Corporation. At least I assume this as their managing director Kim Cameron was known in those days as the ‘daddy’ of all Meta Directories. When Microsoft acquired Zoomit in 1999 Kim became Microsoft’s chief architect for identity and privacy. How much remains of the original Zoomit product in Microsoft’s Forefront Identity Manager (FIM) I am not sure.

The second major acquisition that shaped the Identity Management market took place on June 25th, 2002 and concerned IBM’s acquisition of one of MaXware’s main competitors, also hailing from Norway, called Meta Merge. The product is now known as Tivoli Identity Management (TIM). Then on 03 September 2002, IBM acquired all assets of Access360 and thus Tivoli Access Management (TAM) was added to complete the IAM portfolio.

Finally when Oracle created its OIM offering, they gobbled up a succession of companies in this space including  OctetString (OVD), Thor (OIM) and Oblix (OAM).
Dave Kearns observed in Network world :

The major driver for SAP, of course, is the competition from Oracle. When Larry Ellison annexed PeopleSoft, after PeopleSoft acquired J. D. Edwards, the battle line was drawn. Oracle’s successful integration of its identity management acquisitions – Phaos Technology, Thor Technology, OctetString and others – meant that SAP would have to acquire or develop similar technology or forever be on the defensive, or subject to the mercies of technology partners, when competing with Oracle for customers.”

 So here we have set the scene. David Kearns mentions BMC Software, Computer Associates, HP and Sun as other big-name companies companies that have at least in part bought their way into this field.

Before that time large organisations, that needed this technology, had to buy it from small innovative independent software vendors like MaXware. Novell was the only one among them that thought they were big enough to make it on their own.  Now I rarely read about them. I read in WikiPedia that thousands of layoffs were announced by current owner Attachmate for the Novell workforce, including hundreds of employees from their ProvoUtahValley center. Maybe they should have been a bit less conceited and a bit more co-operative when it mattered in those early years?

There have also been notable exits out of the IDM market like HP, proving to corporate IT purchase managers, that size isn’t always what it is cracked up to be.

SAP IDM the first 5 years

I know its getting on to six years since the MaXware acquisition, but most of the first year tends to be spent changing PowerPoint presentation templates and letter heads, organisational reshuffling and usually not much more. It was funny to see all the SAP identity store fields still begin with the trusted MX- prefix. Some of the original developers are still there from the original 1995 team. Plus ça change……

In the IDM market place SOX compliant provisioning became more of a business driver than data synchronisation between directories and data bases. The extension of the identity store with a provisioning framework and a role model complete with privileges is undoubtedly the major enhancement in this period. Also the .php web based user interface was replaced by SAPS own Web Dynpro programming tool, giving clear separation of business logic and display logic that big MaXware customers like T-OnLine had been demanding for years. Existing SAP users will probably stick with access through the SAP portal for user self service and role approvals . Some screen shots can be seen in the gallery below.


Provisioning now and provisioning then

When the term provisioning became ‘en vogue’ and customers started asking me if we did provisioning I said: “Sure we provision, we do ldapAdd and ldapDelete as well as ldapModify to keep corporate data in sync. What we didn’t tell them that our method always tried to do an ldapModify first and if the object wasn’t found we just created it in a second pass. The effect was the same.

If customers asked us if we had SAP connectors out of the box we were economical with the truth. We simply used iDocs reports and parsed them as simple delimited text files, applying our MD5 based delta mechanism to detect any changes.

Today’s provisioning connectors are much more sophisticated.  No longer do we overwrite the entire record if our delta hash suggests something has changed. Our changes in target systems are much more atomic and at attribute level.

MaXware’s Virtual Directory provided SAP with the ideal common provisioning middleware for passing identity data to and from target systems like Microsoft’s Active Directory. A light weight event agent simply monitors the directory’s unique sequence numbers (USN) to see if anything of identity interest has changed there.

The integration with HR (SAP HCM) and SAP GRC works on the same principles.

However on some other more obscure ABAB systems like SLCM, SAP clearly has more work to do! For instance they haven’t implemented methods, whereby an APAB system can send alerts to an external systems like IDM, when attribute changes occur, records are added or deleted.

They also don’t have a unique change number like AD which IDM can monitor using event-agents. Therefore, currently the only way we seem to build a connector of sorts, is to use the  generic ‘Business-Suite-Connector’ and generate reports of changes from such systems and enable the aforementioned trusted MaXware delta mechanism, either on the from pass or the to-pass.  You can imagine this may cause some performance issues, when large data sets need to be handled.

In conclusion, much has been achieved during the last five years since SAP took over the reigns at MaXware, but the school report also says: “Could do better in some areas!”

Furthermore being part of a huge organisation like SAP the level of documentation training and support is second to none, which is why I find it strange why this solution hasn’t moved an inch up in the Gartner ‘Magic Quadrant’ for provisioning. This is the subject of a previous blog post which WordPress statistics tell me is my most widely read to date!

Below some screen captures of the user interface of SAP NetWeaver IDM

This slideshow requires JavaScript.

About lasancmt

Passionate about Identity Management Disgusted at #ukip and #brexit
This entry was posted in IAM history, IAM Software vendors and tagged , , , . Bookmark the permalink.

2 Responses to Identity Management Then and Now: The SAP MaXware story

  1. Ian Yip says:

    Marcus, just a correction on the details around IBM’s acquisitions. Metamerge became Tivoli Directory Integrator (essentially the adapter toolkit for Identity Manager’s provisioning connectors). Access360 EnRole became Tivoli Identity Manager. IBM already had Tivoli Access Manager before either of these companies were acquired through their acquisition of Dascom.

    FYI, Novell’s Identity & Access products are very much alive. You rarely read about Novell because the IAM products are now key, strategic pieces of the NetIQ portfolio and marketed under the NetIQ banner. Novell’s more focused on the endpoint nowadays.

    • Ashok says:

      Excellent brief on the MaXware to SAP-IDM history. Way back in 2007 I recommended SAP-IDM, which came out under NetWeaver portfolio, over other better products available in the market at the time, to leverage in-house skills and support capabilities being primarily an SAP based business. Version 7.2 has come a long way integrating with NW Java AS and eliminating VB scripts. Certainly improvements are needed but I think as an alternative to CUA the investments and development efforts to reach where we are now required a great deal of integration efforts. SAP might have done better simply improving CUA to integrate with AD or improving connectors to CUA for other IDM players. Furthermore, GRC is another product with access capabilities, which treads on IDM toes. Having integrated IDM 7.2 and GRC AC10 I suspect IDM and GRC will have to come together pretty soon. Has there been any indication from SAP of such an integration? Allow the identity portions free of charge (like CUA features), but charge for the Risk Analysis capabilities for GRC. Besides, if the ABAP systems can link to AD for authentication as I believe is the plan, then IDM per se becomes overhead, except for central provisioning capabilities.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s