Remotely-hosted, secure identity services  
Case Studies
Demos / Rich Media
Product Info
White Papers

White Paper:
Introducing Fischer Identity™


Identity management (IdM) enables organizations to automate many of the outcomes required by regulations such as Sarbanes-Oxley, Gramm-Leach-Bliley, J-Sox, PIPEDA, and the European Privacy Directives. Best practices dictate the use of preventative, detective and corrective controls. Without IdM, compliance effort and costs are higher and are likely not sustainable, but comprehensive compliance requires the capabilities and stability available only with advanced, well-architected IdM suites. Interoperability technology must be at the solution’s core to enable rapid, simple, and widespread deployment across firewalls, domains, locations, and even across enterprises as partnerships can increase the risk of noncompliance. In addition to improved compliance, IdM solutions provide many trickle-down benefits, including cost savings, reducing the efforts of auditors, making workflows self-documenting and easy to understand, and so on. These solutions are the key to long-term sustainability of identity-related compliance and at the lowest possible cost.

1. Introduction

Identity Management (IdM) is vital to managing compliance and security and is one of the keys to preventing identity theft and fraud. It is essential for business efficiency and responsiveness to business changes. However, leading analyst organizations report customer dissatisfaction with traditionally architected provisioning initiatives:

“There is a consistent message from UP [user provisioning] customers that UP products are still too complex to implement and maintain on an ongoing basis and, therefore, require too much technical support from the vendor and / or systems integrator."

“C&SI [consulting and system integration] costs remain high due to the unbalanced state of customization required by the enterprise versus product and practice maturation rates.” (Gartner)
Technology must facilitate the business requirements of organizations rather than dictate which business choices are available: In addition to providing the features required for business, it is important for the solution to have a robust architecture and support any procurement model. Fischer Identity is the only solution meeting these requirements. This paper highlights the capabilities of Fischer Identity. Details are provided in the Fischer Identity Suite™ Architecture Overview white paper.

2. Fischer Identity Capabilities

2.1 Compliance & Audit

Fischer Identity helps organizations of all sizes comply with a wide array of regulations such as Sarbanes- Oxley, HIPAA, FERPA, etc. Automated preventive, detective and corrective controls discover and remediate compliance violations as well as simplifying reporting, recertification, audits and audit preparation. Organizations can easily recertify access to resources, reduce audit preparation, and quickly provide reports to answer audit questions such as "who had access to what, and when."

2.2 Provisioning

Provisioning ensures security and enterprise workforce effectiveness by providing appropriate access to IT resources such as accounts and privileges as well as controlling non-IT resources like credit cards and badges. The provisioning (and deprovisioning) processes can optionally require approvals and are initiated 1) through user-friendly self-service pages, 2) via requests from managers, or 3) automatically as events occur on connected systems.

2.2.1 Request-Based Provisioning

End-users and managers can easily initiate the provisioning process by selecting enterprise business roles and resources for themselves or for their employees / business partners and their requests can be automatically routed for approval. Request-based provisioning typically requires a shorter implementation time and can be used as a complete solution, as the first phase to automating role-based provisioning, or in combination with role-based provisioning.

2.2.2 Role-Based Provisioning

Business events such as hiring a new employee can automatically initiate the provisioning process; for example, when Human Resources enters a personnel action in an HR or contractor management system, the organization’s rules determine which resources are provided based on factors such as a person’s location or membership in a specific department. Role-based provisioning can also be combined with request-based provisioning, especially when some resources are required by very small groups of users.

2.3 Self-Service Portal

The Self-Service Portal enables a variety of actions such as requests for resources, approvals, password resets, user profile management, recertification processes, etc. It was designed for clarity and ease of use, which is vital since users typically use it only occasionally. Organizations can also specify the features available to each user, which simplifies usability.

2.4 Password Reset and Synchronization

Users can securely reset their forgotten passwords without calling the Help Desk, which improves the user experience and reduces costs. Fischer Identity enforces the organization’s password policies and can automatically synchronize a user’s passwords for accounts on multiple systems. Help Desk representatives can also manage a user’s passwords for all systems and applications, which avoids the need to learn a proprietary interface for each system. It also eliminates the risk of catastrophic errors since Help Desk representatives no longer have more privileges than required.

2.5 Privileged Access Management (PAM)

Organizations can control their “keys to the kingdom” by managing administrative and shared accounts that are often highly privileged, but cannot be traced to an individual user. These accounts are frequently the targets of identity thieves and others (insiders and hackers) because they can bypass controls to access or destroy sensitive information without being traced. PAM also eliminates the need to store passwords in an organization’s scripts that must login to various systems and applications. Scripts are very commonly used and cause a significant security vulnerability, since anyone who gains access to a script is able to see an administrative password and breach the system, likely without being traced.

2.6 Federated and Web Single Sign-On

Users can be permitted to securely single sign-on to Web and SaaS applications as well as to resources in partner organizations, which improves the user experience and reduces calls to the help desk for forgotten passwords. This enhances privacy since user information does not need to leave the enterprise. Users are also appropriately deprovisioned from using federated applications. Federation also provides a fast method for secure access control for large populations of users without the labor and delay to create individual accounts for each user. Federation complements Fischer’s other offerings such as provisioning: Rules and processes are enforced so that users receive the correct privileges for Web and federated resources.

2.7 Enterprise Business Roles and Role Engineering

Enterprise business roles represent groups of persons who perform similar functions and need similar resources to complete their duties. Fischer’s “top-down” hierarchical role engineering enables organizations to manage access, audit, and periodically recertify their populations for accounts, entitlements, and roles.

2.8 Interoperability / Connectivity

Fischer Identity includes a wide array of connectors and a unique architecture designed to quickly connect disparate systems, even across enterprises. All configuration can be performed centrally without the need for additional technologies such as VPNs, which speeds implementation and reduces costs.

2.9 SAP User Administration

Authorized users can use the Self-Service Portal to administer SAP user accounts. Organizations can safely transfer mundane tasks from SAP administrators so they can focus on tasks with higher value to the organization. This also eliminates the need to create and manage additional SAP administrative accounts and permissions for user administration.

2.10 Mobile Identity Management

The Fischer iFly mobile interface enables authorized users to approve provisioning requests and reset passwords from their mobile devices. This enables organizations to choose the best individuals to approve provisioning requests without regard to whether the person will always have timely access to a PC. Business processes do not need to be delayed when approvers travel.

2.11 Implementing, Maintaining and Extending IdM Solutions

The challenges associated with implementing and maintaining traditional IdM solutions are well known: IdM projects typically take much longer and cost much more than originally planned. Organizations also complain that they must schedule a project team to make even a small change, and they don’t dare make significant changes: Many organizations have developed manual workarounds for new business requirements since changing a traditional IdM solution can present unreasonable business risks.

In contrast, organizations can quickly and cost-effectively implement Fischer IdM solutions. The flexibility of Fischer Identity also enables organizations with IdM solutions from other vendors to preserve their investments while expanding their IdM capabilities to support additional business processes and additional connected systems.

3. Identity Management Procurement Models

Organizations can choose the procurement models that best fit their current needs and have their investments protected if they need to change to another model in the future. Fischer supports the full spectrum of business procurement strategies. Regardless of the procurement model or the complexity of the requirements, Fischer Identity is rapidly implemented and supports unforeseen business changes.

3.1 On-Premise Software Model

This is the traditional software-as-a-product approach where the organization owns and manages the solution. The organization has full control of all aspects of the solution including the timing of upgrades, customizations, etc.

3.2 Outsourced On-Premise Model

This is an outsourced model where a service provider furnishes the implementation services required to run the solution on the client’s premises. The complexity and software requirements for this model are consistent with those of the traditional on-premise software-as-a-product model.

3.3 Software as a Service / Cloud Model: Identity as a Service® (IaaS®) Model

In the SaaS / Cloud model, a service provider owns the infrastructure, hosts the software in its own facility, and makes it available to clients on a subscription basis. Such solutions typically employ a multitenant (one-to-many) approach where at least some of the assets are shared among multiple client organizations. Since connected systems typically reside at the client’s locations, Fischer’s cross-domain capabilities enable rapid and cost-effective connections to each client organization.

3.4 Shared Services / Private Cloud Model

The shared services model is similar to a SaaS model except that the “service provider” is the organization itself or is closely related to the client organizations. For example, one university in a statewide system could act as the service provider for other colleges and universities within the state.

3.5 Hosted Model

In the hosted model, the solution is operated by the service provider and is physically located at the service provider’s data center. The solution and infrastructure are typically dedicated to a single client organization and can be owned by the client organization or can be procured as a subscription service.


Fischer Identity provides a rich set of features in a robust architecture. It is the only IdM solution that can be implemented using any procurement model: SaaS, hosted, outsourced on-premise, and software-asa- product. The same solution cost-effectively supports a wide range of business sizes from the small to medium businesses to the largest multinational corporations.


Gartner. Witty, R. J. & Allan, A. & Wagner, R. Gartner Magic Quadrant for User Provisioning.
Gartner. Perkins, Earl. IAM Consulting and System Integration, Part 1: Market, Trends and Impacts
Gartner. Desisto, R.P. & Paquet, R. How to Evaluate SaaS Architecture Model Choices.
Forrester. Cser, A. Identity-Management-As-A-Service.


Document MCB-08-401F February, 2014

Copyright © 2007-2014 Fischer International Identity, LLC. All rights reserved.
Fischer International, Fischer International Identity, Managed Identity Services, Managed Identity Services Technology, Identity as a Service, IaaS, the Fischer International Logo, Global Identity Architecture, Built for Business…Yours, and all other Fischer product or service names are the trademarks and/or registered trademarks of Fischer International Identity.


 PDF Version