Has anyone used OpenAM / OpenDJ / OpenIDM without using ForgeRock support plans?

We are committed to implementing an open source identity management system and have identified the ForgeRock stack as the best technology to implement.

However, the high cost of supporting ForgeRock and the per-user pricing model is a potential barrier. Our current user base is ~ 45K, but we expect to reach 1M in the next 2 years.

So, we are exploring scenarios in which we work without FR support. The lack of FR Maintenance releases seems to create a damper, so we're wondering if others have gone that route.

  • What was your experience?
  • What projects have you done for this? Size, etc.
  • With no FR Maintenance releases, could you easily create your own patches?
  • What are the potential problems?

If there are blogs or other communities that tackle this topic, please point me in their general direction.

Thanks.

+3




1 answer


As a community user I have been using OpenAM (/ OpenSSO) and OpenDJ for the last 6 years or so, but it was a very small deployment (10,000 users, only 1 server instance of each product).

1) In the early stages, we had stability issues with OpenAM, which we mainly solved by restarting the server instances - clearly not preferred, but we really didn't spend too much development effort trying to solve it (plus we lacked the necessary knowledge to research). After doing some actual research on the product, it turned out that most of our problems were either our own doing (poorly written settings or misconfigurations) or were actually something that had recently been resolved in the OpenAM project and was relatively easy to backport to our version.

2) Of course, the experience itself depends a lot on how often you want to make configuration changes in your deployment; although we haven't changed much over the years, OpenAM just worked well for long intervals without requiring any maintenance.

3) Since we didn't actually encounter new issues (the configuration barely changed), there were no surprises after a while. The security patches were mostly easy to backport and didn't cause too many problems (it helped that after 1.5 years I became an FR employee and was actively working on OpenAM issues though :))



4) I think that running without a subscription has its own risks, but they mainly involve:

  • Do you plan to roll out new features based on OpenAM features during these two years (i.e. do you plan to continually make changes to the deployment)?
  • Do you have good developers to work on these features? For example, working with OpenAM may require you to look at the source code to figure out how everything works, although the quality of the documentation has improved significantly over the years. Regardless, backporting fixes will get more and more complex over time as the releases will differ much more (as the development team gets bigger and bigger for each project), and even then you can't just assume that all the problems you come across are by definition already fixed in trunk. Having to solve some problems on your own is a cost / risk to consider.
  • What SLA do you want to use for the deployment? Will your business go bankrupt after 1 minute of outage? Is it okay to just restart the service (in case of some weird problem)?
  • Do you really need support for all 3 products? For example, my background would allow me to easily work without OpenAM support, but I would be out of my depth if something went wrong with my provisioning system ...

And a general note:

For a user base, 20x growth over two years sounds a little unrealistic, or at least very optimistic. Perhaps you should look for a 1 year subscription with a more realistic target number and then renew once you have a better understanding of customer growth in your business?

+5

