Self service password reset

dphantom

Diamond Member
Jan 14, 2005
My company is looking at automating users password reset. What experiences does anyone here have with such software. We are an AD environment with over 11,000 users.

Specifically:
What was your adoption rate?
Did vendor claims of ROI prove accurate?
Did help desk calls decrease?
What training issues did you experience if any?
What is your overall satisfaction with such software?

I am checking vendor references but usually get only the vendors best customers so am hoping for a more open discussion of the pro/con of such software.

Thanks for your help.

Tech22

Junior Member
Jul 28, 2011
Hey I was browsing the forum and saw your post. Went through this recently. There are a lot of choices / products to look through, but I will tell you that most of them either (a) suck or (b) suck even more. Well let me clarify... If you are ONLY looking for a "LAN" solution, e.g. you will not be publishing it externally and you don't care at all about single point of failure or reliability, then just about any solution you find will do.

BUT- If you intend to make this accessible to external users, are concerned with perimeter security and failover / redundancy, and / or are under any current regulatory compliance like PCI / SOX etc, almost all the products you look at will FAIL in one or all of these areas. And let's not mention that some of them are just ridiculous to set up, are built on open source "tomcat" crud and mysql databases. Horrid. They are mostly all built for SMB use inside the LAN, use outdated "question / answer" enrollments that do not work (users always forget the q/a's), and there is zero attention to security design. Plus for most of them you'll have to call India for support. No thanks.

To make it short- I found only three good contenders that met our needs for PCI penetration tests, had good support avail in the USA, and are actually designed for external (public) deployment:

1. Microsoft FIM (Forefront Identity Manager)
2. SysOp Tools (www.sysoptools.com/password-reset-pro.aspx in case you've not heard of them)
3. Hitachi-ID (www.hitachi-id.com - who would have thought Hitachi makes software?? ;p)

What did we go with? Password Reset PRO. For us it was the best fit, and the price was less than half of FIM / Hitachi, and (IMO) it is a more usable / customizable / easier to deploy product. This is a 100% AD-integrated solution, does not use databases, is totally modern on the enrollment options, uses native IIS for the self service portal site, and it is 'impossible' to lose enrollments since they are stored in AD as a hashed attribute (awesome!). Can be easily load balanced, etc. Plus their support is tops, and most of their customers are Gov / Mil / Edu so that says something. Be sure to ask for their new version 3 if you are going to eval because it is not on their website yet. Version 3 adds support for mobile device access and a lot of other cool stuff. Really stupid easy to set up, and had the best perimeter security methods I've ever seen.

Second choice would have been FIM, it is a great solution. But we did not need all of the extra features so the cost made it not worthwhile. It also passed our external pen tests. It is really time consuming to set up though.

Hitachi was really nice, I would say middle of the road on installation effort. Downside is that a separate database is required. Upside is good security and a ton of SSO connectors for typing in multiple platform logons so the self service function. Enrollment method not that modern. But, it is designed for external use. Expensive. We did not need any SSO so the cost here did not seem in line for our needs.

Any of the above three would be a good place to start and a "benchmark" of the best products out there right now. IMHO, Reset PRO has by far the sharpest design and functionality, best cost, and it is the only product that will let a user enroll if their password is already expired or if they have a temp password. Did not find that avail from anyone else, which to me would seem to be an important feature.

GL-
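The post above makes two points that matter for the security design of any Q/A-style enrollment: the enrollment answers should be stored only as a hash (Password Reset PRO keeps them as a hashed AD attribute, per the post), and the reset should require more than a single answer. The following is an added example, not code from the original post or from any of the products named in it, showing how such an enrollment store can be built so that a dump of the directory attribute does not expose the answers. The directory is stood in for by a plain Python dict (an assumption; a real deployment would write the string to a user attribute via LDAP), the attribute format `pbkdf2-sha256$iterations$salt$hash` is invented for illustration, and the iteration count is a placeholder to be tuned for your hardware.

```python
import base64
import hashlib
import hmac
import os
import unicodedata

# Assumption: 200k PBKDF2 iterations; tune to your portal's latency budget.
ITERATIONS = 200_000


def normalize(answer: str) -> str:
    # Users rarely type the answer exactly as enrolled: fold case, normalize
    # Unicode, and collapse whitespace so "Fluffy " and "fluffy" both verify.
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str, salt: bytes = None) -> str:
    # Per-answer random salt; the derived key, not the answer, is stored.
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"),
                             salt, ITERATIONS)
    # Self-describing string suitable for a single-valued directory attribute
    # (hypothetical format: algo$iterations$b64salt$b64hash).
    return "pbkdf2-sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_answer(answer: str, stored: str) -> bool:
    try:
        algo, iters, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2-sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    actual = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"),
                                 salt, int(iters))
    # Constant-time compare so timing does not leak how many bytes matched.
    return hmac.compare_digest(actual, expected)


def enroll(directory: dict, sam_account: str, qa: dict) -> None:
    # `directory` is a dict standing in for the AD user object (assumption).
    directory[sam_account] = {
        "enrollment": {q: hash_answer(a) for q, a in qa.items()}
    }


def check_reset(directory: dict, sam_account: str, answers: dict,
                required: int = 2) -> bool:
    # Unenrolled users must not be resettable through the portal at all.
    enrollment = directory.get(sam_account, {}).get("enrollment")
    if not enrollment:
        return False
    # Only questions the user actually enrolled count; require k of n.
    correct = sum(
        1 for q, a in answers.items()
        if q in enrollment and verify_answer(a, enrollment[q])
    )
    return correct >= required


if __name__ == "__main__":
    store = {}  # constructed in-memory "directory" for the demo
    enroll(store, "jdoe", {
        "pet": "Fluffy",
        "city": "Springfield",
        "teacher": "Mrs. Krabappel",
    })
    # Two of three correct answers, with sloppy casing/whitespace, still pass.
    print(check_reset(store, "jdoe", {"pet": " fluffy", "city": "springfield",
                                      "teacher": "wrong"}))
```

The stored attribute never contains the plaintext answer, so an attacker who reads the directory (or a backup of it) still has to brute-force each answer through PBKDF2. The practitioner's caveat stands regardless of implementation: answers to common questions have little entropy, so hashing limits damage from a store compromise but does not make the portal resistant to an attacker who can guess or look up the answers; rate limiting and a second factor belong in front of it.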

Tech22

Junior Member
Jul 28, 2011
Oh and yes I signed up (finally) just to post this... I am no longer a "spectator" here.. LOL

Lifted

Diamond Member
Nov 30, 2004
That was one unbelievably helpful first post.

I sure hope it wasn't spam. :D

Welcome to the forums!

dphantom

Diamond Member
Jan 14, 2005
Hey I was browsing the forum and saw your post. Went through this recently. There are a lot of choices / products to look through, but I will tell you that most of them either (a) suck or (b) suck even more. Well let me clarify... If you are ONLY looking for a "LAN" solution, e.g. you will not be publishing it externally and you don't care at all about single point of failure or reliability, then just about any solution you find will do.

GL-

Have you looked at or evaluated products from Quest, Ensim or NetIQ?

Chiefcrowe

Diamond Member
Sep 15, 2008
I didn't select it but we use a Quest tool here and it seems to work pretty decently.