Gluu Blog


17 Recommended Requirements for an Identity and Access Management POC

Michael Schwartz July 30, 2014

Identity and Access Management POC Checklist

We get requests for POCs quite often. To provide tactical guidance to organizations developing an identity and access management POC, the following are our top recommended criteria for evaluation.

By adding some or all of these requirements to your POC, your organization can limit vendor lock-in and ensure that the solutions considered will satisfy both current and future identity and access management challenges.

  1. Published results for OpenID Connect Provider (OP) and Relying Party (RP) software in InterOp 5 that indicate the vendor has at least 80% coverage of both the RP and OP defined inter-op use cases. For example, here are Gluu’s InterOp results.
  2. Support for UMA 0.9 Authorization Server endpoints, Resource Server endpoints, and supported client code. Include details on how the policy mapping is made to UMA scopes.
  3. Support for adaptive authentication, i.e. the ability to change the business logic of authentication at run time, or to use a one- or two-step authentication workflow depending on the person (e.g. the IT group has to use two-factor authentication, while normal users can use passwords…)
  4. Support for the publication of SAML Multi-party federation management, including a workflow tool for vetting SAML IDPs and SPs to join the federation, and other federation administrator operational tools.
  5. Support for public user registration.
  6. Support for invitation code based user registration.
  7. IDP must be able to specify authentication type on a per SP basis. For example, use passwords for Google, but tokens for Salesforce.
  8. Support for SAML persistent non-correlatable identifiers.
  9. Support for per SP attribute release policies in SAML.
  10. Native mobile client application for strong authentication, along with mobile device enrollment and management features.
  11. Support for the SCIM user management APIs to enable your organization to interface with the IDM system to send updates about users.
  12. Supported SAML client API for Java.
  13. Supported OpenID Connect client API for Java.
  14. Supported UMA client API for Java.
  15. Supported SCIM Client code.
  16. Support for open standards based API access control using headless APIs and a mobile client (i.e. no browser).
  17. Free open source license for binaries for major Linux operating systems so your organization can easily take over operation and provide a reasonable free open source option to partners who do not want to purchase expensive enterprise software.


Have questions about these requirements? Feel free to schedule a meeting with us or comment on the blog to discuss the rationale behind our recommendations.


Mike Schwartz

Mike has been an entrepreneur and identity specialist for more than two decades. He is the technical and business visionary behind Gluu. Mike is an application security expert and has been a featured speaker at RSA Conference, Gartner Catalyst, Cloud Identity Summit (now "Identiverse") and many other security conferences around the world.