You need an application to solve a problem for you. And you need to find the one that will be best for your organization. Let’s, for example, say you are looking for an identity and access management (IAM) solution. Just a random example off the top of my head.
So, you need a system that will help you centrally manage all your users’ identities and give them a single place from which they can log into their applications securely without having to remember a bunch of different passwords. You, as the administrator, are also looking forward to controlling the authentication process across the board and ensuring that their passwords are complex enough or haven’t been compromised. You do your research and find a few options exist. They all seem to fit your needs. How do you choose?
Well, I find my next step in this process depends on how familiar I am with whatever type of solution I am looking into. If I am familiar with IAM solutions I might go straight to getting trial accounts and testing the few that seem most interesting. If I am not familiar with what IAM solutions can do for me, I am more likely to reach out to a sales representative and ask for a demo. Then I would get a trial account.
Bottom line is, no matter what, I want to get my hands on the product before I buy it. I need to try it out to see how easy it is to do certain things. Many applications claim that they have certain features or can perform certain tasks, and they certainly might be able to do so. But sometimes configuring or setting up these features can be incredibly time-consuming and I want to know about that ahead of time. If I am looking at an IAM solution there are a few key features I might want to check out:
- How easy is it to create a user or sync users with other directories?
- How quickly can I add an app to the IAM and assign it to an end user?
- What is the end user experience like? Is the interface simple for them to use?
- How easy is it for me to set up particular MFA options as an administrator and as an end user?
- Can I easily find help in terms of documentation or videos to explain the features I can’t figure out on my own?
This tool is going to be a big part of my day-to-day life as an administrator and my users’ day-to-day lives for years to come. I need to make sure everyone is comfortable with it. So I need to make sure I check some basic features first.
- Create a user.
- Add an application.
- Assign the user to the application.
- Log in as the user to test that experience.
Then I might play around a bit more by testing out multi-factor authentication (MFA) functionality, and even try an adaptive MFA offering like OneLogin’s SmartFactor Authentication™. I would also see what else I can figure out, like viewing events or setting up notifications.
I also need to realize that my trial experience is not necessarily something I want to replicate when I decide to purchase. A trial experience gives you a chance to poke around and try things out, but it is important to understand that in a production environment there are probably best practices you want to make sure you follow from the beginning. There might even be a recommended order in which you want to implement your IAM, and it might be slightly different than how you went about playing with your trial account.
For example, in a trial account you might have only tested out applications that used forms authentication. Basically, you used the IAM to store a username and password for an application, and when you clicked on the application from within the IAM portal it passed that saved username and password on to the application automatically and you got logged into the application. This is a very easy thing to do and thus is a quick way to test out how to connect to applications. However, using an IAM to simply store usernames and passwords is like using a Ferrari to just go to the store and back. An IAM has so much more to give you.
In your production environment, it would be best if you set up connections to applications using protocols like SAML or OpenID Connect (OIDC). These don’t rely upon simply storing and passing credentials on to the application. Instead, they set up a trust relationship between the IAM and the application such that the application trusts the IAM to do all the authentication for it. These are much more secure methods and should be used as much as possible when setting up application connections within an IAM. But they are more complex to set up and are not something you would usually want to test out in a trial account. The only way you would want to configure these forms of authentication within trial accounts is if you had a test or trial account version of the application you are trying to connect to, because using a production instance could interfere with your regular access.
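The trust relationship described above, sketched as an added example (not code from the original post or from any IAM vendor): the identity provider signs a statement about the user, and the application checks that statement instead of ever receiving a password. It is narrowed to validating an OIDC-style ID token; the issuer URL, client ID, secret and function names are constructed, and HS256 with a shared client secret is used only so the sketch runs on the standard library, where production setups typically verify an asymmetric signature against the provider's published keys using a maintained library.

```python
import base64, hashlib, hmac, json, time

# Constructed values for illustration; none come from a real tenant.
ISSUER = "https://idp.example.test"
CLIENT_ID = "demo-app"
CLIENT_SECRET = b"constructed-shared-secret"

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str) -> bytes:
    return hmac.new(CLIENT_SECRET, signing_input.encode(), hashlib.sha256).digest()

def idp_issue_token(subject, audience=CLIENT_ID, lifetime=300, now=None):
    """IdP side: after authenticating the user (not shown), sign claims about them."""
    now = int(time.time()) if now is None else now
    claims = {"iss": ISSUER, "sub": subject, "aud": audience,
              "iat": now, "exp": now + lifetime}
    signing_input = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    signing_input += "." + b64url_encode(json.dumps(claims).encode())
    return signing_input + "." + b64url_encode(sign(signing_input))

def app_verify_token(token, now=None):
    """Application side: accept the login only if signature and claims check out."""
    now = int(time.time()) if now is None else now
    try:
        head_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        claims = json.loads(b64url_decode(claims_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:
        raise ValueError("malformed token") from None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    if header.get("alg") != "HS256":  # pin the algorithm, do not trust the header
        raise ValueError("unexpected algorithm")
    if not hmac.compare_digest(sig, sign(f"{head_b64}.{claims_b64}")):
        raise ValueError("bad signature")
    if claims.get("iss") != ISSUER:  # token must come from the trusted IdP
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:  # and must have been minted for this app
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired")
    return claims["sub"]
```

The application stores no user password at all: what it holds is the configuration that names the trusted issuer and the key material used to check that issuer's signatures.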
A trial experience can be invaluable during your evaluation period of different solutions. I recommend keeping a spreadsheet or table of sorts, so that you can track that you are testing each solution in a consistent manner and keep noting your thoughts and reactions. Make sure you are comfortable with a solution’s basic functionality before you proceed to purchase it. Once you do purchase it, don’t assume you know the best way to implement it just because you spent time testing things out. Make sure they give you some sort of implementation guide or best practices before you jump into implementing your new IAM solution for your organization. So look around, take your favorite options for a test drive, and once you have purchased, don’t forget to read that friendly manual.