- Access management (AM) delivered as identity access management as a service (IDaaS) is outpacing traditional software-based AM products for new purchases.
- Most midsize or large enterprises have some form of AM product or service. However, there are still “greenfield” purchases, replacements or augmentations of legacy software solutions.
- The desire to deploy AM tools is a symptom of an underlying disease. There are applications that have been designed and deployed with different application and identity architectures over time and without recognition that a common AM abstraction layer can provide risk reduction, user convenience and operational efficiency benefits.
Security and risk management leaders responsible for identity and access management should:
- Conduct an inventory of applications that are in scope for AM, by identifying the use cases and user constituencies these applications support. Determine each application’s architecture with attention to the current and optional authentication and SSO protocols these applications may support.
- If applications do not support standards-based SSO specifications, determine the level of effort and cost to convert the application to support standards. These determinations will influence product selection and help with decisions to potentially leave some legacy applications out of scope for an AM project.
- Use the results of the application inventory as input to AM product selection, and ensure that vendors are queried regarding their abilities to support proprietary application SSO needs. Conduct proofs of concept that include these applications.
Strategic Planning Assumption
By 2022, IDaaS will be the chosen delivery model for more than 80% of new access management purchases globally, up from 50% today.
What You Need to Know
AM products are used by organizations of almost all sizes and for workforce, B2B and B2C use cases. Each application that can be successfully managed by AM products can reduce the password management burden on users and help desk staff. AM tools also provide adaptive access and authentication capabilities to elevate trust commensurate with risks and help prevent malicious access. AM tools help enable business by supporting federated access and enabling bring your own identity. IAM leaders should use this research as a companion to the “Magic Quadrant for Access Management, Worldwide” to understand AM product offerings and gain insight into how products can meet needs.
Critical Capabilities Use-Case Graphics
Figure 1. Vendors’ Product Scores for the Workforce Users Accessing SaaS Use Case
Source: Gartner (September 2018)
Figure 2. Vendors’ Product Scores for the Business-to-Consumer (B2C) Use Case
Source: Gartner (September 2018)
Figure 3. Vendors’ Product Scores for the Business-to-Business (B2B) Use Case
Source: Gartner (September 2018)
Evidian provides its Web Access Manager (WAM) primarily as software, but also through managed service provider (MSP) partners. It uses a proxy architecture for the policy decision points and enforcement points. These functions can be hosted together and logically separated from application servers, or enforcement point agents can be installed on application servers for performance improvements (for example, in high-volume transactional environments). The product comes bundled with an OpenLDAP directory service implementation that customers can use, or they can use other Lightweight Directory Access Protocol (LDAP) directories.
Administer Users and Partners: As with other AM tools, Evidian WAM leverages users’ data held in underpinning directories. There is no built-in functionality for administrators to manage users’ identities. Evidian Identity Manager can be added on for administrative purposes. Evidian WAM has extensive user self-service capabilities to allow users to manage their accounts, and the product provides self-service password reset with a good set of authentication methods that can be invoked during the reset process.
Evidian WAM allows for delegated administration, which can support internal distribution of administrative rights or B2B use cases. There is no packaged invitation process for delegated administrators.
Authorization and Adaptive Access: Evidian WAM provides the fundamentals of access policy enforcement based on repository-held attributes and contextual data, which includes the use of an IP address as a proxy for geolocation, browser characteristics and time settings.
User Authentication Methods: Evidian WAM supports X.509; “QR Entry,” in which the user’s device generates a one-time password (OTP) from a displayed QR code; Evidian’s own software-based OTP; and RSA SecurID soft tokens. Biometric methods are provided through third parties. Evidian’s mobile push solution was not generally available during the analysis cut-off period, but is now in beta.
Session Management: Evidian WAM provides global session timeout capability, and access to specific applications can be suspended, for example, to support target application maintenance. Federated target applications are also supported.
Social Identity Support: Evidian WAM supports social registration and login from multiple social ID providers. Sign-up, sign-in and linking functions are supported. Evidian WAM also supports the ability for users to provide consent for attribute retrieval usage in the self-service functionality.
SaaS Application Enablement: Evidian WAM supports a standard setup process for creating connections to SaaS. Standard federation protocols and password vaulting and forwarding are supported. However, there are no application-specific templates, automated or one-click setups, or established connections to SaaS apps. Setups are manual.
Nonstandard Application Enablement: Evidian WAM can support the standard federated SSO protocols and provides a reverse proxy that does proprietary HTTP header manipulation. Evidian WAM can also support the Remote Desktop Protocol (RDP), and Evidian ESSO can be added on to support password vault and forward-style SSO for thick client apps.
API Target Enablement: Evidian WAM supports OAuth 2 and OpenID Connect (OIDC) interactions to APIs. It also supports mixed SAML and OAuth/OIDC use cases, in which the user is authenticated by a SAML-based federated identity provider or a social identity provider and is then given access to the target API.
Event Logging and Reporting: Evidian WAM does not have canned or customized reporting features. It provides standard logging of access and administrative event data. Evidian’s IGA tool has reporting capability and can be added on. Customers can also export or stream log data to other tools.
Auth0 provides an identity platform, Auth0 Enterprise, which it delivers as multitenant SaaS or as a managed offering that can be hosted in customers' data centers or in public clouds. Auth0 provides a mix of packaged and extensible functionality to support a variety of use-case needs. The company’s unique emphasis is on developers to support requirements for rapid incorporation of access management standards-based functionality into applications. For this reason, Gartner clients may find the platform lacking needed out-of-the-box functionality for application connectivity, administration and reporting. Much of Auth0’s AM functionality is added to applications through templates and rules. There is no “developer-centric” use case in this Critical Capabilities, but Auth0 is increasingly on Gartner clients’ shortlists for developers wanting a standardized platform for integrating identity into applications.
Administer Users and Partners: Auth0 provides the ability for administrators to perform the fundamental identity CRUD functions. The company provides a developer widget and hosted login pages for sign-up, forgotten password functions and other functions. Password management functions are solid. The company provides an extension that must be installed to support delegated administration functionality.
User Authentication Methods: Supported authentication methods include X.509, out-of-band SMS, mobile push for iOS and Android, and Apple Touch ID and Face ID. Rules can be extended to support third-party authentication methods.
Session Management: There is only a global SSO session timeout per tenant. Each application manages its own SSO security tokens. However, the global session parameter can be checked at application runtime, and the app’s session can be terminated.
Social Identity Support: Auth0 supports an extensive list of North American social providers and Badoo as well as other identity providers. All the major functions of sign-up, consent, customized attribute requests and sign-in are supported. Trust can be elevated based on the use of a social identity provider.
SaaS Application Enablement: Auth0 provides excellent standards support and protocol and token translation. The platform provides coarse-grained access enforcement to SaaS. However, Auth0 has very few canned SaaS application connectors, and it does not support password vault and forward-style SSO.
Nonstandard Application Enablement: Auth0 supports standards-based access to applications wherever they may be hosted. It lacks its own reverse proxy or agent technology to support legacy targets needing proprietary authentication techniques. However, there are reverse proxy agents available on GitHub that can leverage Auth0’s platform for authentication.
API Target Enablement: Auth0 provides authentication and authorization to protect APIs using OAuth 2 and OIDC. Auth0 does not have an API gateway product or component in its service.
Event Logging and Reporting: The Auth0 platform logs all events and provides an interface to export data to major SIEM systems. However, the platform lacks packaged or customizable reporting functions and analytics.
CA Technologies offers core access management functionality through its software product, CA SSO (formerly Siteminder), and its cloud offering, CA Identity Service. CA Technologies augments its foundational access management offerings with CA Advanced Authentication, which provides contextual/adaptive access. CA API Management is a full life cycle API management product that includes an API gateway. CA Technologies’ AM software product and IDaaS are evaluated together in this research, and the capability ratings are a composite for these offerings. During the analysis phase, CA Technologies was in the process of being acquired by Broadcom.
Administer Users and Partners: CA SSO and CA Identity Service are administered from separate management interfaces. CA SSO does not provide a packaged administrative function to perform user CRUD functions, nor does it provide user self-service registration. However, the CA Identity Manager software product can be used for these functions, and there is an API that can be used programmatically. CA Identity Service also provides these functions. CA SSO and CA Identity Service both provide capabilities for delegated administrators to manage application access for a subset of users.
Authorization and Adaptive Access: CA SSO and CA Identity Service have different authorization architectures, but both provide the fundamentals of policy setting and rendering access decisions. CA SSO provides some contextual access using endpoint device characteristics, but most contextual data usage requires CA Advanced Authentication to augment CA SSO. CA Identity Service does not have inherent contextual data support and requires integration with CA SSO and CA Advanced Authentication to leverage their capabilities for contextual access.
User Authentication Methods: The combination of CA SSO and CA Advanced Authentication provides a good variety of authentication method choices. Supported methods include public key tokens, OTP software, mobile push and biometric authentication methods. OTP hardware tokens are provided by partners.
CA Identity Service supports out-of-band SMS and mobile push natively. All other authentication methods require integration with CA SSO or Advanced Authentication.
Session Management: CA SSO has solid session management capabilities. Nonfederated application sessions can be controlled for duration and idle timeout, and applications can be grouped to manage sessions. CA Identity Service does the standard management for federated connections, but must be integrated with CA SSO for more fine-grained session management.
Social Identity Support: CA SSO supports social sign-on with multiple common identity providers. However, it does not provide packaged self-service functionality to create new user IDs as found in a sign-up flow, nor does it provide self-service functionality for the linking of a social identity to an established ID. CA Identity Service relies upon CA SSO for the same social identity capabilities and inherits the same limitations.
SaaS Application Enablement: CA SSO provides the setup functionality and guides for federated SaaS apps, and it has a REST interface to programmatically set up connections, but there are no templated pre-established federation connections for SaaS. However, CA Identity Service does have a library of preconnected SaaS apps, and several of those connectors also provide rich provisioning capabilities.
CA SSO provides support for all major SSO standards, with OIDC support provided recently. CA SSO does not have password vaulting and forwarding in the base product, but there is an add-on component that can be implemented by CA to support this function. CA Identity Service provides password vaulting and forwarding SSO in addition to standards-based SSO.
Nonstandard Application Enablement: This is one of CA SSO’s core strengths. It can support applications that require a proxy, agents or a combined architecture, and it can integrate with VPNs through the RADIUS protocol. CA has agents for traditionally hard-to-integrate apps, such as SAP, SharePoint, PeopleSoft, Siebel and older versions of Oracle E-Business Suite. CA Identity Service does not provide these capabilities directly; rather, it relies on CA SSO to do so. When CA SSO and CA Identity Service are used together, the user gets a single dashboard to access all connected apps.
API Target Enablement: CA SSO and Identity Service do not natively support API target enablement. However, CA Technologies has a separate CA API Gateway product that can be integrated with CA SSO and CA Identity Service. It is a more feature-rich alternative to products from other vendors that provide only authentication and authorization functionality for APIs (see “Critical Capabilities for Full Life Cycle API Management”).
Event Logging and Reporting: CA SSO provides a solid variety of canned reports. CA Identity Service also provides canned reporting through application and activity dashboarding. Neither CA SSO nor CA Identity Service provides native custom reporting capabilities.
Centrify’s Application Service is an IDaaS offering. Its base access management functionality provides web application SSO using federation standards or password vaulting and forwarding, and there are application proxy and application plug-ins for common app servers to support customers’ on-premises apps. Lightweight identity administration features to support some of customers’ apps are also part of the service, as are provisioning connectors to a number of popular SaaS applications. The service comes with integrated EMM features — notably security configuration and enforcement, device X.509 credential issuance and renewal, remote device location and wiping, and application containerization. Centrify also sells PAM functionality that can be integrated with Application Service. Centrify’s standard offering runs on Azure, and there is an alternative pay-as-you-go offering that runs on AWS. During the analysis phase of this research, Thoma Bravo, a private equity firm, acquired a majority interest in Centrify.
Administer Users and Partners: Application Service provides very good capabilities for administrators to configure policies and manage applications and users. It also has all the expected user self-service features and API support for organizations to customize the users’ self-service experiences. B2B delegated administration is also included.
Authorization and Adaptive Access: Application Service provides the baseline coarse-grained externalized authorization model that gates access to target system URLs or APIs. However, the service can use extensive contextual data sources for access control, and it has an analytics engine with machine learning capabilities to support risk-based access scenarios. Its inclusion of MDM functionality helps Application Service deliver needed endpoint device data to the analytics engine.
User Authentication Methods: The Application Service supports X.509 authentication including smartcards and derived credentials, software and hardware OTP (for tokens based on the OATH standard), out-of-band SMS and voice, mobile push, and all major phone and tablet finger biometric sensors. FIDO support was added this year.
Session Management: As with most IDaaS offerings, Centrify Application Service can support a configurable global session timeout for all users and separate session timeouts for roles or groups of users. As with other products, the ability to support federated session management is limited to applications that have a logout URL.
Social Identity Support: Application Service provides the basics for social sign-on using IDs from a few of the major social media identity providers. The service can do linking if the email addresses used are the same on the social IdP as they are for Centrify’s customers’ identities. There are no built-in consent flows for pulling additional attributes from social media sites.
SaaS Application Enablement: Centrify has been in the SaaS enablement business for several years, and it is one of the vendors that has thousands of apps preconfigured for SSO using all standard protocols as well as password vaulting and forwarding. OAuth 2 client and server support was added this year. The base service includes user provisioning to approximately two dozen popular SaaS apps and System for Cross-domain Identity Management (SCIM) support.
Nonstandard Application Enablement: Application Service provides plug-ins for common application servers that enable those servers for standard authentication protocols and let them use Application Service as the AM. Centrify also provides an App Gateway that gives access to legacy applications and can perform HTTP header manipulation.
API Target Enablement: Application Service can support OAuth 2 flows for API application targets, but the vendor does not have other API protection features.
Event Logging and Reporting: Centrify has very good canned and customizable reporting capabilities, and the service’s analytics capabilities can be used to automatically alert administrators to threshold-crossing risks. Centrify provides reports that can support access certifications, which show the trail of access requests and approvals.
ForgeRock delivers an identity platform model that is sold by function. Access management functions include authentication, authorization, federation, adaptive risk, user-managed access (UMA), social identity, self-service and identity gateway, which is its reverse proxy. ForgeRock also has user provisioning and directory products that share common components with its access management products. It also sells an edge gateway designed to incorporate the Internet of Things (IoT) and support resource-limited devices. The platform uses the software delivery model. There is no IDaaS, but one is roadmapped for 2018, and ForgeRock partners deliver the functionality as managed and hosted services.
Administer Users and Partners: ForgeRock’s AM product components provide an administrator and user self-service dashboard. The AM product includes the baseline standard password reset functionality, and partner federation setup is solid. There are no B2B administrator invitation features and no user provisioning connectors in the AM product components, but ForgeRock sells administration components that do user CRUD and fulfillment functions.
Authorization and Adaptive Access: ForgeRock’s AM components provide very good coarse- and fine-grained authorization capabilities. A good set of contextual data elements can be used to render access decisions. However, the policy decisions are made based on rules and extended with scripts, and there is no analytics engine to enhance this capability. ForgeRock added an “Intelligent Authentication” feature set that supports visual assembly of multiple logical access events into a cohesive runtime workflow to support appropriate continuous risk evaluation and trust elevation.
User Authentication Methods: ForgeRock supports X.509, software OTP, out-of-band SMS, mobile push and Apple Touch ID. RSA SecurID is also supported out of the box, and there is a sizable partner community with authentication product integrations.
Session Management: ForgeRock AM products provide very good session management. Global and individual timeouts are supported, sessions can be terminated by administrators, and users can terminate their own sessions. Users can have multiple sessions, and administrators can choose to limit this capability.
Social Identity Support: ForgeRock AM components support several social media sites for social login, including the well-known U.S. providers, as well as WeChat and VKontakte. The AM products support registration and account linking of multiple social identity providers to an account. Attribute retrieval from social identity providers requires a matching data element between ForgeRock’s customer database or directory and the social media account. Complex workflows for social ID require ForgeRock’s identity administration components.
SaaS Application Enablement: ForgeRock’s AM products come with out-of-the-box connectors for Salesforce and Google. Otherwise, administrators use a traditional wizard for establishing federated or password-vault-and-forward style SSO to SaaS.
Nonstandard Application Enablement: ForgeRock provides a reverse proxy called the Identity Gateway. The company also provides policy agents that run on common web application services to support session management, perform policy enforcement and help avoid target application modification to support a standard. There are no proprietary application-specific agents. ForgeRock has an edge gateway to support IoT use cases, which is unique among the vendors covered in this research.
API Target Enablement: ForgeRock AM products, like most other AM vendors, support OAuth 2 to target APIs, and APIs can call back to ForgeRock’s APIs to authenticate users and validate tokens. However, the company also has the Identity Gateway, which provides authentication, authorization and traffic throttling features found in API gateway products.
Event Logging and Reporting: ForgeRock’s AM components provide very granular event logging capability, and the company provides log handlers that export log data in a variety of formats to work with external reporting and analysis tools. The AM product also has a monitoring interface that can be used to pull event data into other systems. However, the company provides no canned or customizable reporting functionality.
IBM delivers access management functionality in appliance and IDaaS forms. IBM Security Access Manager (ISAM) is the hardware- or software-based appliance that comes with all functionality built in, but enabled as customers license the different modules. ISAM also includes web application firewall (WAF) functionality. IBM Cloud Identity is based on a SaaS architecture, runs on IBM Cloud, and is designed to compete more directly with other vendors delivering IDaaS. ISAM and Cloud Identity are evaluated together in this research, and the capability ratings are a composite for these offerings.
Administer Users and Partners: ISAM and Cloud Identity have very similar feature sets and provide user self-service profile management and password management capability.
Cloud Identity provides delegated administration through the portal application. ISAM provides the ability to federate with business partners, and partner admins can be enabled to manage policies for a subset of users, but there is no out-of-the-box workflow for setting up delegated administration.
IBM also sells its IGA product, IBM Identity Governance and Intelligence.
Authorization and Adaptive Access: ISAM provides a granular authorization enforcement model. The policy decision engine is based on configured rules and risk scoring. ISAM has an extensive list of contextual data elements that can be used for input to access decisions. IBM can also leverage integrations with its own MaaS360 mobility management, with Trusteer for fraud prevention, and can use threat data from X-Force and QRadar.
Cloud Identity provides coarse-grained authorization enforcement to applications. The contextual data it can consume is almost completely the same as ISAM’s. Cloud Identity is also preintegrated with MaaS360.
User Authentication Methods: ISAM supports X.509 methods, knowledge-based authentication (KBA), soft OTP, out-of-band SMS, mobile push and fingerprint biometrics with equipped iOS and Android devices.
Cloud Identity supports X.509 methods, soft OTP, out-of-band SMS, mobile push and fingerprint biometrics with equipped iOS and Android devices. The other methods supported by ISAM are also supported when the two products are integrated in a hybrid model.
Session Management: ISAM and Cloud Identity provide very good session management for global and inactivity timeouts, end-user logout, administrative session termination, and configuration of sign-out URLs for connected applications.
Social Identity Support: Cloud Identity has established registration and login integrations with major U.S. social identity providers, as well as RenRen, QQ, Weibo and WeChat, and it provides consent flow capabilities. Account linking is supported.
SaaS Application Enablement: ISAM provides SSO using standards and password vaulting and forwarding, and it provides coarse-grained access control to SaaS applications. ISAM has a large list of “quick-connectors” to SaaS apps. There are no provisioning connectors included with ISAM other than a SCIM interface.
Cloud Identity has the same functional capabilities of ISAM with regard to SaaS access. Its library of connected apps is also extensive. Cloud Identity can provision users to a relatively small but growing set of SaaS applications.
Nonstandard Application Enablement: ISAM uses a reverse proxy architecture to provide AM to applications using different techniques and token formats. It can perform password vaulting and forwarding, and it can manipulate HTTP headers for proprietary applications. The product also has plug-ins for hard-to-integrate apps, like older versions of Oracle E-Business Suite and SAP.
Cloud Identity does not have ISAM’s ability to support proprietary HTTP header-based authentication. Cloud Identity alone can use password vaulting for these apps, but it also integrates with ISAM components to leverage its capabilities as described above.
API Target Enablement: ISAM and Cloud Identity can provide authentication, authorization and token translation features to protect APIs using the OAuth 2 standard and also the reverse proxy for specialized needs. IBM can augment these capabilities with its DataPower product for other traditional API gateway functionality.
Event Logging and Reporting: ISAM logs all event data, and the ISAM license includes entitlements to use IBM Security QRadar Log Manager for reporting and analysis.
Cloud Identity has good reporting functionality as part of the administrator console, and it provides some canned reporting and the capability for custom reporting.
i-Sprint Innovations delivers its AccessMatrix Universal Access Management (UAM) as software. UAM was initially developed to meet the needs of i-Sprint Innovations’ banking customers. The company also offers a stand-alone or integrated user authentication product, as well as an enterprise SSO product to support legacy applications with password vaulting and forwarding.
Administer Users and Partners: UAM provides administrators with the abilities to perform the common user entitlement administration and policy management functions. Administrators can also perform basic CRUD functions with UAM, and the company sells a separate IGA tool for more advanced needs. The ability to assign delegated administrators and their privileges is particularly strong, and this feature set can be used for internal and B2B use cases. User self-service password reset is provided. Users are able to change a limited set of their own attributes.
Authorization and Adaptive Access: UAM supports coarse- and fine-grained authorization enforcement using a rule-based policy decision engine. It supports a baseline set of contextual data for access enforcement, including the use of endpoint device ID and software data, geolocation, interaction metrics and history.
User Authentication Methods: UAM supports KBA, out-of-band SMS and voice, X.509, soft OTP, Vasco Digipass, other third-party OATH-based OTP hardware tokens, mobile push, and Apple- and Android-based fingerprint sensors and facial authentication. The UAM server is also FIDO UAF compliant and supports its own and third-party FIDO-compliant authenticators. The company also sells an HSM-based password vault.
Session Management: UAM supports global session lifetime and idle times, and can allow or disallow concurrent sessions. It does not provide granular session management by user or groups of users.
Social Identity Support: i-Sprint Innovations added social identity registration during the last year and now supports Facebook, Google, WeChat and LINE. UAM can link a social identity to an established identity upon sign-on.
SaaS Application Enablement: UAM supports federation protocols, password vaulting and coarse-grained access control to SaaS. However, all connections are administered manually via the GUI. There are no SaaS templates or preconfigured connectors.
Nonstandard Application Enablement: UAM uses a combined reverse proxy and agent architecture in addition to password vaulting and forwarding to support applications that are not standards-enabled. Agents are required when password vaulting is not desired.
API Target Enablement: UAM supports OAuth 2 token issuance and can therefore be used to pass authentication state and authorization attributes and scopes to target systems. Otherwise, it does not support other API gateway functionality.
Event Logging and Reporting: UAM logs all event data and provides some basic canned reports. Event data can be exported to external systems for customized reporting.
Micro Focus delivers its Access Manager as software and as a service. The IDaaS functionality (Micro Focus Access) is almost completely identical to the packaged software. Access Manager comes with some contextual access features, and the company sells a separately licensed Advanced Authentication Framework product. Micro Focus’ AM software product and IDaaS are evaluated together in this research, and the capability ratings are a composite for these offerings.
Administer Users and Partners: Access Manager provides excellent user and self-service administration capabilities. It provides the standard capabilities to manage users’ group memberships, roles and access policies, and it also provides a GUI and APIs to perform user CRUD functions. User self-service is provided for password management, profile and privacy settings, choice of secondary authentication methods, and device registration. Delegated administration functionality is provided to support the partner use case.
Micro Focus Access has all the same administration functionality as its packaged software.
Authorization and Adaptive Access: Access Manager provides coarse- and relatively fine-grained authorization enforcement using attributes, roles and contextual data as input to access decisions that can be enforced on URLs and objects, webpages, and for providing scopes to target applications. A very good variety of contextual data can be used as input to a rule-based and risk-score-based policy engine, and policies can be deeply nested for complex access requirements.
User Authentication Methods: The combination of Access Manager and Advanced Authentication provides X.509, out-of-band SMS, RF-proximity card, out-of-band voice and mobile push, and soft OTP for iOS and Android devices.
Session Management: Access Manager provides global and application-specific session policies, and supports device-based timeouts for iOS devices. The tool also provides an interface to list all active sessions and terminate specific sessions. Multiple application sessions can be allowed or disallowed.
Social Identity Support: Access Manager provides support for several U.S.-based social media sites and provides all the core functionality to register, sign in, link and unlink a social identity from an established identity.
SaaS Application Enablement: Access Manager supports standards-based federation and password vaulting and forwarding, and provides coarse-grained access enforcement to SaaS. The product comes with over 200 pre-established SaaS connectors. Access Manager provides user provisioning connectors for approximately two dozen popular SaaS applications.
Nonstandard Application Enablement: Access Manager has a reverse proxy architecture and can inject credentials into HTTP headers for apps with proprietary requirements. However, it lacks agent technologies needed for some legacy applications, such as ERPs.
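The header-injection pattern these reverse proxies rely on, as an added example (not Micro Focus code): the proxy drops any identity headers the client supplied before setting its own from the authenticated session, and the legacy application only trusts those headers when the request actually came from the proxy. Header names, the session record and the proxy network range are assumptions.

```python
"""Added example: passing an authenticated identity to a legacy application through
HTTP headers without letting the client spoof them. Header names, the session
record and the proxy network are assumptions, not any vendor's format."""
import ipaddress
from typing import Dict, Optional

# Headers the proxy owns. Anything the client sends under these names is dropped.
IDENTITY_HEADERS = ("X-Remote-User", "X-Remote-Groups", "X-Remote-Email")

# Constructed: the only source addresses the legacy app accepts identity headers from.
PROXY_NETWORKS = [ipaddress.ip_network("10.0.0.0/24")]


def build_upstream_headers(inbound: Dict[str, str],
                           session: Optional[Dict[str, object]]) -> Dict[str, str]:
    """Proxy side: return the header set forwarded to the legacy app.

    - Client-supplied copies of the identity headers are removed (case-insensitive),
      so a request arriving with 'x-remote-user: admin' cannot impersonate anyone.
    - Identity headers are set only from the proxy's own session record.
    """
    owned = {h.lower() for h in IDENTITY_HEADERS}
    forwarded = {k: v for k, v in inbound.items() if k.lower() not in owned}
    if session is None:
        return forwarded  # unauthenticated request: the app sees no identity at all
    forwarded["X-Remote-User"] = str(session["user"])
    forwarded["X-Remote-Groups"] = ",".join(sorted(session.get("groups", [])))
    forwarded["X-Remote-Email"] = str(session.get("email", ""))
    return forwarded


def app_accepts_identity(remote_addr: str, headers: Dict[str, str]) -> Optional[str]:
    """Legacy app side: trust X-Remote-User only when the request came from the proxy.

    Without this check, anyone who can reach the app directly (bypassing the proxy)
    could send the header themselves.
    """
    src = ipaddress.ip_address(remote_addr)
    if not any(src in net for net in PROXY_NETWORKS):
        return None
    return headers.get("X-Remote-User")
```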
API Target Enablement: Access Manager supports OAuth 2 and therefore can forward a token containing attributes and scopes to target APIs. However, it does not provide API gateway functionality.
Event Logging and Reporting: Access Manager comes with built-in analytics capability for canned and customized reporting, and reporting workflow can be set up to schedule report generation. The analytics functionality is an add-on product for the Micro Focus Access IDaaS offering.
Microsoft’s access management offerings are Azure Active Directory (Azure AD), Basic and Premium, and Azure AD B2C. B2B use cases are supported with Basic or Premium, and there is a licensing metric that allows for a set number of B2B users for every licensed Basic or Premium user. Premium and B2C are the products covered in this research and are evaluated together. The capability ratings are a composite for these offerings.
Microsoft uses an IDaaS delivery model. Azure AD Premium includes reporting, security analytics and MFA, and some user-provisioning functionality for SaaS apps. It also includes a license to use Microsoft Identity Manager, its software tool, which provides identity synchronization with workflow support for on-premises systems. Azure AD B2C is a separate service from Azure AD Premium. B2C has some limitations relative to Azure AD Premium, which are highlighted below. Microsoft has a broad portfolio of infrastructure, platforms, applications and services, many of which are underpinned by Azure AD.
Administer Users and Partners: Azure AD Premium includes strong capabilities to administer users and partners. User self-service administration and password reset are also solid, and the service enables delegated administration for B2B scenarios and has an invitation workflow for this. The product includes the license to use Microsoft Identity Manager (MIM) software, which includes approval workflow and synchronization capabilities for on-premises applications (see “Critical Capabilities for Identity Governance and Administration”).
Azure B2C uses Microsoft Graph API for CRUD functions, and target systems are mostly OAuth 2 accessible APIs. Developers use Microsoft’s APIs and can use Microsoft-provided sample code to build identity administration functions into their application systems. There are built-in policies for simple implementation, or there is the “Identity Experience Framework” to support more complex policies, usage scenarios and integrations with other systems.
Authorization and Adaptive Access: Azure AD Premium’s authorization model uses analytics and a broad set of contextual data to render access decisions. Microsoft calls this feature set conditional access. The company uses endpoint device and software characteristics, geolocation, user authentication behavior, threat analytics and a number of third-party data sources.
Azure B2C enables developers to leverage directory-based attributes to format security token attributes and scopes for downstream applications. B2C does not have the conditional access features and analytics that Premium has.
User Authentication Methods: Premium supports out-of-band voice call and SMS text, mobile push, software-based OTP, third-party OATH-based tokens, and static Q&A methods. The service also supports FIDO U2F-compliant hardware tokens and fingerprint biometrics when Windows Hello is used.
Azure AD B2C supports voice calls and SMS text. Other methods are only supported with custom configurations using the Identity Experience Framework, which is in preview.
Session Management: Neither Azure AD Premium nor B2C supports global or user group-based session management. There are security token revocation functions that individual app developers can use.
Social Identity Support: Azure B2C supports common U.S.-based social media providers, as well as Weibo and QQ. Sign-up, sign-in and multiple social identity linking are supported, but the latter requires use of the Identity Experience Framework, which is currently in preview and is geared toward developers.
SaaS Application Enablement: Microsoft Azure AD Premium has a large library of preconfigured cloud apps for which the service can deliver authentication, SSO and coarse-grained authorization enforcement. All major standards are supported, as is password vaulting and forwarding. Premium also includes a set of provisioning connectors for popular SaaS applications.
Azure B2C has OpenID Connect capabilities, but not SAML support (although SAML is in preview), nor a set of preconfigured apps to connect with.
Nonstandard Application Enablement: Microsoft’s approach to supporting nonstandard applications is a bit of a patchwork with multiple components potentially required. Microsoft AD FS can be used with claims-aware applications. The Web Application Proxy included with the Premium license provides reverse proxy-style integration, but does not do proprietary HTTP header manipulation. For this need, Microsoft partners with Ping Identity, and Premium includes a limited-use license (up to 20 applications) to Ping Access. While this partnering strategy helps Microsoft customers with a relatively small number of nonstandard application needs, it does not support large organizations with many of these types of applications well. Additional Ping Access licenses must be purchased to support more than 20 applications, and administrators will find themselves potentially managing three or four different components and consoles.
Azure B2C does not support legacy and proprietary target system architectures.
API Target Enablement: Azure AD can issue tokens to be used downstream for authentication and authorization to APIs, and the service supports OAuth 2 and OIDC. The Azure Application Proxy can be used as an API service endpoint to intercept API calls and authenticate against internal ADs. Azure AD does not perform other traditional API gateway functions. However, Microsoft offers Azure API Management for more full-featured API management and gateway capabilities.
Event Logging and Reporting: Microsoft Azure AD has auditing logging, and canned reporting features for access activities include risky sign-ins and users that are flagged for risks. There is also a REST-based API for retrieving log data to be used with other tools, such as BI or SIEMs.
Azure AD B2C provides only the reporting API. Developers or admins must create their own reports.
Okta delivers AM functionality via IDaaS. The vendor also delivers reporting and identity administration functionality. Okta sells its functionality in two editions — IT Products, intended for the workforce, and API Products, intended for developers and external use cases. Okta sells its AM functionality in separate products.
Administer Users and Partners: Okta provides an administrative interface for managing users’ CRUD operations, as well as APIs, bulk load functionality and bridge functionality to synchronize data from customers’ directories. User self-registration, profile management and password management are provided. Okta also provides add-on products to support identity life cycle management for automated user provisioning and deprovisioning. Delegated partner administration for B2B use cases is supported as well, as is inbound federation from any SAML provider.
Authorization and Adaptive Access: Okta provides coarse-grained authorization enforcement on target applications and APIs. Its adaptive access functionality leverages basic location, network and device context, and risk signals, such as access from high-risk IP addresses. The context and risk input can be used to elevate trust.
User Authentication Methods: Okta supports email OTP, voice call, security questions, smart card (X.509), image-based KBA, soft OTP, out-of-band SMS and mobile push authentication methods. Apple Touch ID is supported for use with its mobile push as is facial recognition through Windows Hello. It also supports third-party OATH-based tokens, FIDO U2F tokens, Symantec VIP, YubiKey, Google Authenticator, RSA and Duo.
Session Management: Okta supports global session maximum and idle timeouts and forced logout.
Social Identity Support: Okta supports the major U.S. social media sites and supports registration and sign-in. Out-of-the-box social ID linking is supported when there is a match between attributes, such as email address, on the social media site and the established customer identity. Scripting is required for more advanced use cases.
SaaS Application Enablement: Okta has an extensive library of preconfigured cloud apps for which the service can deliver authentication, SSO and coarse-grained authorization enforcement. All major standards are supported, as is password vaulting and forwarding. Okta’s life cycle management product provides user provisioning to a library of approximately 150 SaaS applications. Okta also supports inbound provisioning from non-HR applications like Box, Office 365, Salesforce and G Suite.
Nonstandard Application Enablement: Okta does not have a reverse proxy or a native capability that can support applications that use proprietary HTTP headers. Okta leverages partners for these functions. As with other vendors, Okta can integrate with customers’ existing access managers through federation protocols or use password vaulting and forwarding to reach nonstandard applications. In July 2018, Okta acquired ScaleFT, a company that has a reverse proxy component, but it does not currently support proprietary HTTP authentication.
API Target Enablement: Okta’s API Access Management add-on can issue tokens to be used downstream for authentication and authorization to APIs, and the service supports OAuth 2 and OIDC. It can do protocol translation, for example, take claims and attributes from an inbound SAML, and convert to OAuth and OIDC. However, Okta does not have API gateway functionality.
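The protocol translation described above (inbound SAML claims converted into an OAuth 2/OIDC token for a downstream API), as an added example that is not Okta's code: a constructed assertion is parsed, its attributes are mapped to scopes, and an HS256-signed access token is minted and then checked on the resource side. The assertion, the group-to-scope mapping, the issuer URLs and the signing key are assumptions; validation of the SAML assertion's own signature is assumed to have happened before this step.

```python
"""Added example: SAML assertion -> OAuth 2 / OIDC access token (protocol translation).
All values are constructed; the HS256 key is a placeholder. The inbound assertion's
XML signature is assumed to have been validated already."""
import base64
import hashlib
import hmac
import json
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion (signature omitted; treat as already validated).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>finance</saml:AttributeValue>
      <saml:AttributeValue>staff</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="displayName">
      <saml:AttributeValue>Alice Example</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Assumed mapping from directory groups to the scopes handed to the API.
GROUP_TO_SCOPE = {"finance": "ledger:read", "staff": "profile:read"}


def parse_assertion(xml_text: str) -> Dict[str, object]:
    """Pull issuer, NameID and attribute values out of the assertion."""
    root = ET.fromstring(xml_text)
    attrs: Dict[str, List[str]] = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "attributes": attrs,
    }


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def mint_access_token(assertion: Dict, key: bytes, audience: str, now: int, ttl: int = 300) -> str:
    """Translate the assertion into a short-lived HS256 JWT carrying scopes."""
    groups = assertion["attributes"].get("groups", [])
    scopes = sorted({GROUP_TO_SCOPE[g] for g in groups if g in GROUP_TO_SCOPE})
    claims = {
        "iss": "https://am.example.test",
        "sub": assertion["subject"],
        "aud": audience,
        "iat": now,
        "exp": now + ttl,
        "scope": " ".join(scopes),
        "groups": groups,
        "name": assertion["attributes"].get("displayName", [""])[0],
        "upstream_issuer": assertion["issuer"],
    }
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_access_token(token: str, key: bytes, audience: str, now: int) -> Optional[Dict]:
    """Resource side: check signature, audience and expiry. Returns claims or None.

    The header's alg field is deliberately not consulted: the verifier always uses
    HS256 with its own key, so an attacker cannot downgrade the algorithm.
    """
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), s):
        return None
    claims = json.loads(base64.urlsafe_b64decode(p + "=" * (-len(p) % 4)))
    if claims.get("aud") != audience or claims.get("exp", 0) <= now:
        return None
    return claims
```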
Event Logging and Reporting: Okta collects extensive log data, and the service provides a wide array of out-of-the-box reports along with a tool that can be used for customized reporting. As with other vendors, the logs can be exposed via API, which can be used for exporting data to other reporting and analysis tools.
OneLogin delivers AM through a service and a customer-hosted software-based access manager, OneLogin Access, for support of customers’ traditional web applications. The vendor delivers basic identity administration and provisioning capabilities for cloud apps and reporting functions as well. The company provides the same platform features for internally and externally facing use cases.
Administer Users and Partners: OneLogin has good administrative user CRUD support and directory synchronization capabilities. Self-service password reset is provided, but self-service profile management is not. Users cannot change their own account data. Delegated administration provides the ability for B2B partners to manage their users.
Authorization and Adaptive Access: OneLogin provides coarse-grained access to applications and APIs. Its policy engine uses a risk-scoring model with policy decisions triggered when events reach established risk thresholds. IP address, browser characteristics, known good and bad IP ranges, anonymous network egress, and new or known device state are leveraged to render context-based access decisions. Machine learning is used to recognize when users and their contextual access patterns become familiar, and the risk score is reduced accordingly.
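A small rule- and risk-score-based policy engine of the kind the adaptive access descriptions on this page refer to (contextual signals scored against thresholds that allow, step up or deny, with a familiarity discount that stands in for learned behaviour), as an added example that is not OneLogin's or any other vendor's model. The signals, weights, thresholds, network ranges and user history are constructed assumptions.

```python
"""Added example: risk-scored adaptive access. Signals, weights, thresholds and the
network lists are constructed; a real deployment feeds them from threat intelligence
and observed user behaviour."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Constructed network lists (documentation ranges).
KNOWN_BAD_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
ANONYMIZER_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
CORPORATE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

ALLOW_MAX = 30     # score <= 30: allow
STEP_UP_MAX = 70   # 31..70: require a second factor; above 70: deny


@dataclass
class UserHistory:
    known_devices: Set[str] = field(default_factory=set)
    known_countries: Set[str] = field(default_factory=set)
    successful_logins: int = 0  # more history -> more confidence -> lower baseline


@dataclass
class Request:
    ip: str
    device_id: str
    country: str
    browser: str


def score_request(req: Request, hist: UserHistory) -> Tuple[int, List[str]]:
    """Add up weighted signals; return the score and the reasons that produced it."""
    src = ipaddress.ip_address(req.ip)
    score, reasons = 0, []
    if any(src in n for n in KNOWN_BAD_NETWORKS):
        score += 80; reasons.append("known-bad ip range")
    if any(src in n for n in ANONYMIZER_NETWORKS):
        score += 40; reasons.append("anonymous network egress")
    if any(src in n for n in CORPORATE_NETWORKS):
        score -= 20; reasons.append("corporate network")
    if req.device_id not in hist.known_devices:
        score += 40; reasons.append("new device")
    if req.country not in hist.known_countries:
        score += 25; reasons.append("new country")
    if "headless" in req.browser.lower():
        score += 30; reasons.append("automation browser")
    # Familiarity discount: a long record of normal logins lowers the score
    # (capped so that history alone can never mask a known-bad source).
    score -= min(hist.successful_logins // 20, 15)
    return max(score, 0), reasons


def decide(req: Request, hist: UserHistory) -> Tuple[str, int, List[str]]:
    """Map the score onto the policy thresholds."""
    score, reasons = score_request(req, hist)
    if score > STEP_UP_MAX:
        return "deny", score, reasons
    if score > ALLOW_MAX:
        return "step_up", score, reasons
    return "allow", score, reasons


def record_success(req: Request, hist: UserHistory) -> None:
    """After a successful (possibly stepped-up) login the device and country become known."""
    hist.known_devices.add(req.device_id)
    hist.known_countries.add(req.country)
    hist.successful_logins += 1
```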
User Authentication Methods: OneLogin provides security questions, soft OTP, mobile push, out-of-band SMS, X.509 certificates, and Apple Touch ID support for unlocking OneLogin’s mobile authenticator app (OneLogin Protect and OneLogin Mobile). The company also has OneLogin desktop for Windows and Mac that provides X.509 authentication to the service. OneLogin also integrates with third parties that offer other authentication methods, such as Duo with voice and RSA with SecurID, Yubico Yubikeys, Google/Microsoft Authenticators, and Symantec VIP Access.
Session Management: OneLogin provides global or user session default timeout or idle timeout, and applications can be assigned their own timeouts. Their access management software can also transmit timeouts to applications that must be able to process those messages. There is also forced session termination for administrators and help desk staff.
Social Identity Support: OneLogin supports sign-in from the major U.S. social media providers, and it supports linking a social identity to an established customer identity. However, the platform does not provide registration for new users with a social ID, nor can it use social login as input for trust elevation decisions.
SaaS Application Enablement: OneLogin provides a very large library of established SaaS connections for SSO and authorization enforcement. All standard protocols are supported, and its password vault and forward function includes the ability for users to easily vault passwords for apps that have not been preapproved by administrators. The vendor has a user provisioning add-on and can provision to many SaaS applications, and it has inbound provisioning from popular SaaS-based HR applications. SCIM 1.1 and 2.0 are supported.
Nonstandard Application Enablement: OneLogin Access reverse proxies and agents (aka OneLogin Access enforcement points) receive their configuration and access policy from OneLogin IDaaS, and they use OneLogin IDaaS for authentication and policy enforcement.
API Target Enablement: OneLogin offers API protection through the use of its OpenID Connect provider. During the analysis phase for this research, OneLogin released support for machine-to-machine authentication via Client Credentials Grant and support for native applications via Auth Code plus PKCE Grant.
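The Authorization Code plus PKCE exchange mentioned above, shown from both sides as an added example that is not OneLogin's implementation: the client derives a code_challenge from a random code_verifier (RFC 7636, S256), the authorization server binds the challenge to a single-use code, and the token endpoint only releases a token when the presented verifier hashes to the stored challenge. Client ids, codes, the placeholder token and the in-memory store are constructed.

```python
"""Added example: Authorization Code + PKCE (RFC 7636, S256) from the client's and
the authorization server's point of view. Codes, client ids, the in-memory store
and the returned token string are constructed placeholders."""
import base64
import hashlib
import secrets
from typing import Dict, Optional


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# ---- client (native app) side ------------------------------------------------
def make_verifier() -> str:
    # 32 random bytes -> 43 unreserved characters, within RFC 7636's 43..128 range.
    return b64url(secrets.token_bytes(32))


def challenge_for(verifier: str) -> str:
    # S256: BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


# ---- authorization server side -----------------------------------------------
class AuthorizationServer:
    def __init__(self) -> None:
        self._codes: Dict[str, Dict[str, str]] = {}  # constructed in-memory code store

    def authorize(self, client_id: str, code_challenge: str, method: str) -> str:
        """Front channel: bind the challenge to a freshly issued, single-use code."""
        if method != "S256":
            # 'plain' gives no protection if the challenge is observed in the redirect.
            raise ValueError("only S256 is accepted")
        code = secrets.token_urlsafe(24)
        self._codes[code] = {"client_id": client_id, "challenge": code_challenge}
        return code

    def token(self, client_id: str, code: str, code_verifier: str) -> Optional[str]:
        """Back channel: release a token only if the verifier matches the bound challenge."""
        entry = self._codes.pop(code, None)  # pop: a code can be redeemed once
        if entry is None or entry["client_id"] != client_id:
            return None
        if not 43 <= len(code_verifier) <= 128:
            return None
        if not secrets.compare_digest(challenge_for(code_verifier), entry["challenge"]):
            return None  # intercepted code without the verifier is useless
        return "access-token-" + secrets.token_hex(8)  # placeholder token


def run_flow(server: AuthorizationServer, client_id: str,
             verifier: Optional[str] = None,
             present_verifier: Optional[str] = None) -> Optional[str]:
    """Complete one exchange; tests can inject a mismatching verifier to see it fail."""
    verifier = verifier or make_verifier()
    code = server.authorize(client_id, challenge_for(verifier), "S256")
    return server.token(client_id, code, present_verifier or verifier)
```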
Event Logging and Reporting: The OneLogin Platform provides event logging and canned and custom reports on users, events and applications. Integrations with SIEM and other analytics tools are provided through the OneLogin API. OneLogin partners with Sumo Logic to provide reporting dashboards for OneLogin covering adaptive authentication, app monitoring and security metrics. This is a separately licensed product.
Optimal IdM delivers access management as software and as IDaaS. Its Optimal Federation and Identity Services (OFIS) is its on-premises software offering, and OptimalCloud is a single-tenant IDaaS offering. The OptimalCloud product includes the core offering, and there are separate offerings for authentication and reporting. OFIS and OptimalCloud are evaluated together in this research, and the capability ratings are a composite for these offerings.
Administer Users and Partners: OFIS and OptimalCloud support administrator and user self-service administration and password management. OptimalCloud provides delegated administration features for the workforce and partners. OptimalCloud provides user provisioning for Office365 and SCIM target systems. OFIS does not have provisioning connectors.
Authorization and Adaptive Access: OFIS and OptimalCloud provide a rule-based authorization engine. The product can use a basic set of contextual data as input to access decisions. Contextual data includes geolocation, IP range, browser characteristics and time. There are other data attributes provided by calling applications or inbound identity providers that can also be used in access decisions.
User Authentication Methods: OFIS and OptimalCloud support X.509, out-of-band email and SMS text. There is an add-on authentication service that supports TOTP standard tokens and authenticators based on FIDO U2F as well as an app that provides soft OTP and push mode and Q&A methods. Optimal IdM also partners with TypingDNA for its typing behavioral biometric product.
Session Management: OFIS and OptimalCloud can do federated application timeout and work with applications that have logout URLs.
Social Identity Support: OFIS has no packaged social identity support. OptimalCloud provides registration, sign-in and identity linking capabilities for the major U.S. social media providers. Social login can be used as input for trust elevation.
SaaS Application Enablement: OFIS and OptimalCloud support the standard federation protocols and provide coarse-grained authorization enforcement to SaaS application targets. Preintegrated or templated apps are limited to Office365. However, the OptimalCloud service is “concierge-based,” and Optimal IdM’s staff create SaaS connections for their users as part of the base service offering.
Nonstandard Application Enablement: OFIS and OptimalCloud provide a Microsoft IIS-based proxy that supports inbound standard federation protocols and can then set HTTP headers for proprietary application connections.
API Target Enablement: OFIS and OptimalCloud can create OAuth 2 and OIDC security tokens to be used by downstream APIs. There are no other API gateway-like functionalities.
Event Logging and Reporting: OFIS and OptimalCloud provide a solid set of canned reports based on logged data, and can natively support Splunk for more advanced analysis. Data can be exported to other analytical tools.
Oracle delivers AM through its long-standing Oracle Access Management (OAM) suite as software and through Oracle Identity Cloud Service (IDCS). The AM Suite Plus brings together functionality provided by formerly distinct products for proxy- and agent-style web access management, federated identity management and adaptive access. IDCS is delivered as part of Oracle’s IaaS and PaaS. These two offering sets enable Oracle to service hybrid IAM needs for cloud and on-premises application sets. OAM suite and IDCS AM features are evaluated together in this research, and the capability ratings are a composite for these offerings.
Administer Users and Partners: Oracle Access Management software has password reset capabilities, but all other user administration functions require Oracle’s IGA software products or the addition of IDCS.
IDCS Standard Edition provides password management, user self-service profile management, and very good user and partner invitation and setup capabilities.
Authorization and Adaptive Access: OAM Suite has a capable authorization engine, and its adaptive access can use device fingerprinting, network data and users’ access behavioral profile for trust elevation. However, development has been discontinued for the module that provided most adaptive access features.
IDCS can leverage a rich set of device, network and behavioral contextual data used for coarse-grained access to target systems.
User Authentication Methods: OAM supports X.509, software OTP, mobile push, out-of-band SMS text and fingerprint biometrics for equipped iOS, Android and Windows 10 devices, and facial recognition on iPhone X. Knowledge-based methods are supported with the Oracle Adaptive Access Manager (OAAM) module.
IDCS supports software-based OTP, out-of-band SMS, mobile push and third-party tokens.
Session Management: OAM has very good session management capabilities expected from a traditional web access management software provider. The product can manage global and individual sessions by individuals and groups of users, and can do logout of federated application sessions when the target supports SAML logout.
IDCS provides global user session management and can manage the lifetimes and revocation of OAuth token-based access.
Social Identity Support: OAM’s Mobile and Social component provides login functionality for the most common U.S. social IdPs. Social registration is provided through sample code, and consent flow capabilities are absent. Account linking to an established ID is provided.
IDCS provides global user session management and supports SAML single logout for apps that support this function, and it can manage the lifetimes and revocation of OAuth token-based access.
SaaS Application Enablement: OAM provides SAML 2.0 and OAuth 2 support. OIDC support is roadmapped. It provides password vaulting and forwarding, and it can provide coarse-grained access control to SaaS apps. However, OAM has no preintegrated connections to SaaS apps.
IDCS supports all modern federated SSO protocols and password vaulting, and has integrations with Oracle’s apps and a growing library of preconnected third-party SaaS applications. IDCS provides provisioning connectors to Oracle cloud-based applications and some third-party SaaS, and the service has SCIM support.
Nonstandard Application Enablement: OAM is a capable traditional access manager with a long history of supporting proxy and agent-based connections to legacy web applications.
IDCS supports legacy applications by the use of an NGINX-based application gateway, and IDCS also integrates with OAM web gates. It is possible for the combination of OAM and IDCS to support an organization’s mix of new standards-based and legacy-architected apps and provide access to users through a single dashboard.
API Target Enablement: OAM and IDCS support authentication and authorization functions to protect APIs, and OAuth2 and OIDC flows are supported, as are protocol and security token translation. Oracle sells a separate API gateway service for functionality such as traffic throttling and threat protection.
Event Logging and Reporting: OAM provides access event logging. Oracle BI is needed for report creation of canned or custom reports based on the log data.
IDCS logs all event data, which can be retrieved through a summary dashboard, out-of-the-box reports and a reporting API. The IDCS administration console provides typical “who accessed what and when” reports along with application role and privilege grant and revoke actions.
Ping Identity provides access management functionality using software and IDaaS delivery models. PingFederate and PingAccess are software that runs on-premises or in the cloud. PingOne is Ping Identity’s multitenant IDaaS offering, which provides SSO, coarse-grained authorization enforcement and a cloud directory. PingID is the vendor’s IDaaS-based MFA offering. PingOne can be used with Ping software in hybrid deployments where PingFederate and PingAccess provide bridge connectivity for on-premises or private cloud-based applications.
Ping Identity’s access management products are complemented by their PingDirectory and PingDataGovernance software products. Ping Identity also has migration tools, including PingDataSync to migrate and consolidate directories and PingAccess Policy Migration to help migrate from legacy WAM products.
Administer Users and Partners: For a Ping Identity software implementation, multiple components are required to fulfill the requirements. PingDirectory has a delegated user admin web application that enables delegated administrators to update user profiles, disable/enable and unlock accounts, and reset passwords. PingFederate also supplies HTML templates to provide self-service account management capabilities to end users.
A PingOne IDaaS implementation provides the required capabilities for administrative user CRUD and for user self-service. Ping Identity also provides different options for federating and providing delegated administration to partners within a customer’s tenant, or by using multiple tenants.
Authorization and Adaptive Access: Both PingOne and Ping Identity’s software AM solutions provide predominantly rule-based access control using mostly data held in repositories or transmitted from applications or identity providers. Contextual data elements that can be used as input to access decisions include IP-based geolocation and time-based data. When PingID is added, known device characteristics can be used as well. Ping Identity acquired Elastic Beam during the analysis phase for this research. Once this new PingIntelligence for APIs product is integrated with Ping’s platform, it should improve the platform’s adaptive access and threat blocking capabilities for APIs through machine learning and artificial intelligence.
User Authentication Methods: Ping Identity’s software AM products combined with the PingID service support X.509, out-of-band SMS and voice, soft OTP, mobile push, and fingerprint and facial recognition biometrics based on Apple and Android device-based sensors. There are third-party integrations for Yubikey, RSA SecurID, Duo and Symantec VIP.
PingID by itself supports software OTP, out-of-band SMS and voice, and fingerprint and facial biometrics based on Apple and Android device-based sensors. When PingOne is used with Ping Identity’s software products, the additional methods listed above are available as well.
Session Management: For software implementations, PingAccess supports idle and maximum session timeouts. Session tokens can be scoped to single applications or groups of applications. Administrators can terminate sessions.
PingOne alone supports only federated single logout for SaaS applications that support it. It does not support session management for nonfederated applications.
Social Identity Support: For software implementations, PingFederate supports the major U.S. social providers and provides registration, sign-on, and social ID linking.
PingOne supports Google as an identity provider out of the box, as well as any other social IdP that leverages the OpenID Connect protocol.
SaaS Application Enablement: For software implementations, PingFederate provides SSO and coarse-grained authorization and supports all federation standards, but does not support password vaulting and forwarding. It has connectors for approximately 20 popular SaaS applications.
PingOne provides SSO and coarse-grained authorization using SAML, WS-Federation, WS-Trust and password vaulting and forwarding. As with most other IDaaS offerings, there is a large library of preconnected SaaS applications. The same set of user provisioning connectors is available when PingOne is integrated with on-premises Ping software components.
Nonstandard Application Enablement: The combination of PingAccess and PingFederate provides solid capability to integrate with apps that don’t support federation standards and require HTTP header manipulation. PingOne can also leverage PingAccess and PingFederate in combined implementations.
API Target Enablement: The combination of PingAccess and PingFederate can provide authentication and authorization enforcement, token and protocol translation, key management, and traffic throttling to protect APIs. They do not provide a full-featured API gateway.
Event Logging and Reporting: Ping Identity’s software products log all access data, but do not have canned reporting capabilities. PingOne adds a set of canned reports.
SecureAuth + Core Security
SecureAuth + Core Security offers the SecureAuth IdP AM product through a hybrid delivery model with a software appliance in addition to adaptive access determined in the cloud. The vendor sells IdP in different tiers, with the middle and higher tiers providing adaptive access and protections against fraud perpetrated by fraudsters porting phone numbers to other carriers. SecureAuth’s merger with Core Security in 2017 provides the combined company with adjacent products in IGA, access management and threat detection.
Administer Users and Partners: SecureAuth IdP provides administrative user CRUD support, self-service CRUD and password management, and it supports delegated administration for workforce and partner use cases with email notifications for registration. The product can perform user provisioning for approximately five common SaaS apps.
Authorization and Adaptive Access: SecureAuth IdP has a rule- and risk-based adaptive access model. The product has the widest range of contextual data that it can leverage of any of the AM products covered in this research.
User Authentication Methods: SecureAuth IdP supports every authentication method covered in the survey and more.
Session Management: SecureAuth IdP supports total time and inactivity time session management. As with other AM vendors, federated applications with sign-out URLs can be used to initiate a global session timeout.
Social Identity Support: SecureAuth IdP supports the major U.S. social providers and provides registration, sign-on and social ID linking. Social ID can be used as input for trust elevation.
SaaS Application Enablement: SecureAuth IdP supports all major federation protocols and password vaulting and forwarding, and it can provide SSO and coarse-grained authorization to SaaS apps. It has templated configurations for approximately 100 SaaS apps.
Nonstandard Application Enablement: SecureAuth IdP has a reverse proxy and can do header manipulation, and the password vault and forward functionality can be used for web applications that won’t work with the proxy.
API Target Enablement: The company added OAuth 2 and OIDC support during the last year, and this gives them the basic capability to support authentication and authorization to APIs from client applications that support those specifications. However, the product does not support token translation or other API gateway features.
Event Logging and Reporting: SecureAuth IdP collects extensive log data, and the service provides a good selection of out-of-the-box reports along with integrations to several security analytics tools.
The access management market has shifted during the last decade from providing only software-based solutions to one in which IDaaS delivery is now the majority preference for new purchases. Vendors that entered the market with IDaaS as the only or predominant delivery model have excelled in supporting the use case of workforce users accessing SaaS. This is due to their ease of app enablement, fast time to value for customers, and a light on-premises infrastructure footprint for bridging organizations and directories to the IDaaS.
However, most of these vendors did not have solutions to support legacy applications with proprietary authentication interfaces, other than by password vaulting and forwarding. Session management capabilities were also limited, as were finer-grained authorization capabilities. These vendors have been improving their legacy application support through development, partnership or acquisition. Vendors with IDaaS as the primary or only delivery model have also slowly improved their offerings for B2B and B2C use cases. Delegated administration support for B2B use cases has become common, and self-service and profile management functionality to support B2C use cases are improving.
Traditional AM software vendors have long supported the legacy application requirements, session management and authorization enforcement for customers’ applications. These vendors have also supported all the major use cases. However, these vendors’ products mostly lacked the large library of preconnected SaaS applications that IDaaS vendors have. Traditional AM software also takes more infrastructure and people to manage than today’s IDaaS solutions.
These realities have led traditional AM software vendors to develop IDaaS offerings and to tout hybrid solutions that can support legacy and new application architectural needs.
Therefore, there is bidirectional movement to deliver comprehensive functionality for different use cases. Born-in-the-cloud vendors continue to outshine traditional vendors for SaaS enablement, but as traditional product vendors enhance their IDaaS, or create more templated access for their software-based AM tools, the functional gaps between old and new vendors are shrinking. Buyers with a large number of in-scope legacy applications that don’t support standards may need to own and manage two products, potentially in a hybrid model.
Product/Service Class Definition
Access management applies to technologies that use access control engines to provide centralized authentication, single sign-on (SSO), session management and authorization enforcement for target applications in multiple use cases (such as B2E, B2B and B2C). Target applications may have traditional web application architectures, native mobile architectures or hybrid architectures. Increasingly, target systems include APIs. Smart or constrained devices with or without human operators may be incorporated as well. Applications may run on the customers’ premises or in the cloud.
Critical Capabilities Definition
Administer Users and Partners
AM tools provide capabilities to perform administrative functions for the purposes of granting and revoking access to target systems, delegating administration, setting runtime policies, and providing self-service functions. Almost all AM tools provide password reset functions — a base capability.
Most AM implementations are complementary to administrative tool implementations like IGA products and directory management tools. AMs leverage the data created by these other tools, such as user attributes and group memberships, to execute runtime policies, which allow or disallow access. Tools with IDaaS delivery models usually must synchronize data from enterprise repositories to use that data for access decisions. Syncing can be complex in organizations with multiple directories or databases that hold identity data. Products that support these complexities by making it easier to get data into the cloud service are noted as providing added value in scoring.
Thus, additional identity administration functions provided by AM tools are not core AM functions but are for added value in the absence of IGA functionality. Some AM tools provide the ability for administrators to do user create-read-update-delete (CRUD) functions. Some AM tools also provide functionality for users to perform their own CRUD on their user profile data. This feature set can be more important when AM tools are implemented stand-alone without the benefit of IGA or other administrative tools. A profile update is particularly beneficial for consumer IAM (CIAM) use cases. Provision of these functions in the base AM product is reflected in ratings. Consent management is also important in CIAM use cases, but is usually not found within AM products, other than a basic box-checking capability within profiles and support for consent flows in social login use cases.
A few AM tools provide the ability for administrators to invite individuals within and outside the organization to be delegated administrators by sending them an email with a link to click to participate. This added value is reflected in Critical Capability ratings and, particularly, in the B2B use case.
In short, even though user administration functions are not AM functions, AM tools that provide functionality and added value in the base AM product, and that are above and beyond administrative policy setting and self-service password reset, are scored higher than those products that don’t.
Authorization and Adaptive Access
These capabilities provide access policy management and enforcement to target application components and to potentially elevate trust before allowing access. The policy engines of AM tools make access decisions based on rules, risk scoring, analytics or some combination of these capabilities.
AM tools have traditionally leveraged users’ attribute and group membership data as input to static access policies, and target systems included websites or anything that could be referenced by a URL. This is coarse-grained front door access to an application or API.
AM tools leverage an ever-increasing variety of runtime contextual data as input to access decisions. IP address range restrictions and use of an IP address as a proxy for geolocation are table stakes now and alone are not very effective. Vendors’ products and services can often leverage contextual data (such as endpoint device known/unknown state and security posture), data sources (such as known good and bad IP addresses), session egress from anonymization services, the use of credentials that have been compromised, or repeated failed attempts to use credentials as input to access decisions.
Manual policy management with static rules and risk scoring based on static rules have become more difficult to manage and error-prone with the increases and sophistication of attacks on users’ credentials. Therefore, vendors have been investing in analytics engines and machine learning that flag risky access and aim to reduce the burden and brittleness of manual policy management.
Thus, the breadth of contextual data that can be used along with the intelligence brought to bear by analytics engines are both weighed heavily on scoring for this Critical Capability. Coarse-grained “front-door” authorization enforcement to target application URLs is a baseline capability. The ability to easily manage authorization to finer-grained objects, such as application subfunctions or specific objects on a webpage, is noted and can affect scoring.
User Authentication Methods
User authentication methods are the technologies that support the real-time corroboration (with an implied or notional confidence or level of trust) of a person’s claim to an identity previously established to enable their access to an electronic or digital asset.
User authentication technologies have been sold as independent products for decades by vendors that generally do not sell general-purpose access managers. Conversely, AM vendors have partnered for user authentication methods and have also developed and acquired authentication methods to be sold as part of their AM offering or independently.
Different authentication methods are more or less appropriate for different use cases. For example, hardware-based methods, such as one-time password tokens and smart cards, may be appropriate for workforce use cases in regulated industries, but are not optimal for consumer use cases.
This critical capability emphasizes the breadth and choice of authentication methods that are available from the vendor to support different use cases (see the Use Cases section).
Workforce/Partner Access to SaaS Applications
Prevalent methods: OTP hardware tokens, phone-as-a-token methods, and analytics and adaptive techniques.
Prevalent methods: OTP hardware tokens, phone-as-a-token methods, analytics and adaptive techniques, and public-key hardware tokens.
General B2C Access
Prevalent methods: Phone-as-a-token methods, analytics and adaptive techniques, and biometric methods.
Session Management
Session management is the capability and granularity to which AMs can control session state for user-present interactions with applications. Session management includes global and application session tracking and termination.
This includes settings that allow for session termination for one or more applications that a user is signed on to and based on different parameters (for example, global or individual application session timeout, or user logout from one or more applications).
Traditional software-based access managers that route all session traffic through proxies or use application server agents are generally superior for managing sessions because the AM tool has control and awareness of session state and the flow of operations to and from the target applications.
Managing session state for federated applications is often more challenging because once a user is authenticated to a target system, the session control is owned by the target system itself — not the AM. Some application vendors have created a sign-out URL, and in these instances an AM tool can intervene, perhaps when a global AM session timeout value is reached, and invoke the sign-out function of the target app. All AM vendors’ capabilities are somewhat inhibited by this need for the SaaS vendor to support sign-out.
Thus, products were evaluated based on the scope of supported target system types they can manage sessions for and the granularity of session management for global and individual application sessions.
Social Identity Support
Social identity support includes the abilities to sign up and sign in to the AM and to link the social identity with an established identity (if one exists), thereby allowing users to use either identity for accessing target systems.
Social identity support also includes the ability for the AM product to leverage the use of a social identity as a distinct event to trigger a trust elevation policy. Social identity integration is most important for CIAM use cases.
Social identity integration is a set of functionality that straddles AM and a small bit of the administrative aspects of IGA capabilities. Signing in with a social identity is clearly an AM function, and is a baseline capability of AM products. Signing up is, logically, a registration or IGA function. However, the two functions are often joined together in workflows that involve a first-time user’s access to a site. Sign-up and sign-in are also used for a returning user when that user wishes to register and use a social identity after initial ID creation.
Products were evaluated based on:
- The number and global representation of social identity providers that are supported out of the box
- The extent that sign-up, sign-in and linking are all supported in the base AM product rather than requiring an additional product (such as IGA)
The ability to use social login as a discrete event for trust elevation is a baseline capability provided by all AM vendors covered in this research, unless otherwise noted.
SaaS Application Enablement
This is the ability and ease with which an AM product can help establish connections to SaaS applications and make them ready to use for authentication and SSO.
AM vendors use standard federation protocols, such as SAML and OpenID Connect, as well as password vaulting and forwarding to provide users with SSO when applications don’t support standards-based federation. In the early days of SaaS federation, AM administrators had a number of manual configuration steps to complete to create the federation and make it ready to use. Some AM software products come with templates for popular SaaS applications, and vendors that predominantly or only deliver AM as an IDaaS provide large libraries of preconnected applications and generic templates to allow customers to more easily set up new connections when an established connector is not available.
Differentiation among vendors is found in the extensiveness of the preconnected app library and the relative ease with which an administrator can set up new connections for authentication and SSO.
User provisioning to SaaS targets is an IGA function. Almost all vendors covered in this research have some IGA features, but they are most often sold as separate (but related) products. However, vendors that provide user provisioning to SaaS applications as part of the same product that includes all the AM functionality are noted and score higher in this SaaS enablement criterion.
Nonstandard Application Enablement
This is the ability for AM products to directly support application targets that do not use standard federated SSO protocols and need some combination of reverse proxy or agent, or that make proprietary connections using HTTP header manipulation.
Proprietary application connections have been the domain of the traditional software-based access managers that have reverse proxies and agents. Organizations often have the option to do the work to convert a proprietary app to one that supports federation standards, or to use the password vault and forward style of SSO for these applications. However, if conversion is viewed as too arduous, perhaps because there are too many apps, or the app was developed by a vendor who will not or cannot make the change, then proprietary methods or password vaulting and forwarding must still be used by the AM product to provide SSO.
Products were evaluated based on their abilities to use different techniques to successfully integrate target applications with proprietary interfaces. AM vendors that don’t have these proprietary integration capabilities will use standard federation protocols to communicate with separate and existing access management products that can, in turn, continue to perform the proprietary connection. In this case, existing products must remain in place to protect the target apps.
API Target Enablement
This is the capability to provide AM functionality to protect APIs with authentication and authorization functionalities.
The AM market has evolved to support the fundamentals of authentication and authorization functions to protect APIs. This feature set has grown in importance as organizations have evolved their application architectures toward API clients and back-end services. Major PaaS and SaaS vendors have also moved their application integration architectures to be API-based.
API protection has traditionally been the domain of the API gateway, which is the runtime component of a full life cycle API management offering (see “Magic Quadrant for Full Life Cycle API Management”). API gateways provide authentication and authorization functions, but also several threat protection and other features (such as data privacy protection) and service call routing and orchestration. API gateways can support user-present and “headless” interactions — the latter being the model when no user interaction is part of the API call. However, API gateways usually lack the session management capabilities and advanced adaptive access features of AM tools. Thus, when a mix of user-present access to URLs and API targets is needed, it is best practice to use AM products as the identity provider along with API gateways for their complementary features.
At minimum, an AM vendor should be able to support user-present interactions in which a client (browser or native app) needs access to an API target. The AM should be able to authenticate and authorize the user or the user’s client app for API access and to create the necessary security tokens to enable that access. This implies the support for OAuth 2 and OpenID Connect.
The ability to support mixed SAML and OAuth/OIDC use cases is a slightly more advanced capability provided by only some of the vendors covered in this research. This capability involves the user being authenticated by a SAML-based federated identity provider and then being given access to the target API. AM vendors can also differentiate their products by adding in more features found in API gateways (such as traffic throttling to mitigate denial of service attacks). Vendors that have API gateway functionality to augment the base AM scored higher.
Event Logging and Reporting
All AM products log event data, such as successful and failed authentication attempts, password resets, and administrative policy changes. This data can be exported to SIEM systems or other analytics tools.
AM products that include canned reporting, and especially customizable reporting tools, are scored higher in this criterion.
Workforce Users Accessing SaaS
This use case involves the setup of connections from the AM to SaaS, and the protection of that access with authentication, SSO and authorization functions.
As organizations adopt more and more SaaS, they are faced with users having to manage more IDs and passwords. Rapid increases in SaaS adoption were the force that made identity federation take off due to the need to facilitate access to these apps and avoid creating new identity islands with more passwords to manage. When federated SSO can be enabled, there is usually no need to have separate SaaS passwords, and users get the convenience of SSO. However, federation standards have only been adopted by a minority of SaaS providers, albeit the most commonly used providers. The long tail of SaaS applications still only supports password-based authentication. To overcome this issue, many vendors have created password vaulting and forwarding capabilities to give users SSO to password-based apps. Thus, AM products must support SAML and OIDC federation standards and password vaulting and forwarding to meet the range of needs for this use case.
Federation also requires some setup by administrators, and certificates used to establish trust between the federation IdP and the SaaS provider have to be purchased, implemented and monitored for expiration and refresh (see “Technology Insight for X.509 Certificate Management”). IAM leaders must be aware that each new app creates a bit more administrative burden, and while not usually a problem initially, the burden grows along with the number of SaaS. AM vendors, especially those delivering via IDaaS, have provided libraries of preconnected apps to reduce the setup burden. Thus, weighting and associated scoring for this use case improves for vendors that have created libraries of preconnected apps and have made it easy for customers to select and use these connections with minimal configuration. Connections to non-SaaS applications (such as legacy apps run in customers’ data centers) are deprecated for this criterion, and therefore weighted lower than in other use cases.
For session management, we score higher for vendors that are able to support applications that need SaaS-provided single logout links and can align these SaaS logout requests as needed by customers with global session parameters.
This use case features consumers accessing a wide range of applications that do or do not support standards-based SSO, wherever they are hosted.
Self-service features present within the AM product itself affect scoring.
API access and nonstandard application enablement are weighted somewhat heavily for this use case, and SaaS less so. Social identity integration is weighted heavily.
The availability of consumer-friendly authentication methods, as described in the authentication methods section, and self-service features are also weighted more heavily.
This use case involves business partner users accessing a potentially wide range of applications that do or do not support federated SSO standards and are hosted anywhere.
The ability to easily set up partners through federation is emphasized for this use case, as is the setup and enablement of delegated administration. This is to support the ability for partner designees to manage access for their own users, which tends to happen with larger partners.
SaaS, API access and nonstandard application enablement are weighted evenly for this use case.
We note that a particular customer-facing use case — one that involves organizations as customers rather than individual consumers — has a similar topology and set of needs when compared with business partner access. Thus, the criteria and weightings for B2B apply to this organizational customer access as well.
Social identity integration is weighted moderately higher than for the workforce to SaaS use case, but not as high as the direct-consumer use case.
Availability of external user-friendly authentication methods is also weighted more heavily.
Vendors Added and Dropped
This is the first Critical Capabilities for access management.
Vendors evaluated in this Critical Capabilities for access management must have had 400 discrete access management customers, each with their own contracts, at the end of 2017. Access management products that cannot support, or are not marketed to support, all major use cases (workforce B2E, B2C and B2B) were excluded. For example, solutions that are primarily focused on supporting only B2C use cases were excluded.
The following functionalities are required for a vendor’s access management product or service to be included in this analysis. In this research, the word product is used to mean product or service. These functions may be offered through multiple products, but they must be the vendors’ products and not those of third parties, unless stipulated below:
- User authentication — The product must provide inherent support for password authentication to the access management tool. Support for additional authentication methods from the access management vendor and its partners, and contextual and adaptive authentication methods, are considered for scoring purposes, but are not inclusion criteria.
- Trust elevation — The product must, at minimum, be able to let administrators set policies that require trust elevation for access to specific applications. The ability to require step-up user authentication and/or reauthentication is the baseline requirement.
- Analytics and contextual information to perform trust elevation and the ability to initiate other types of required actions (such as requiring an alternative authentication method be used or denying the transaction) are considered in the scoring, but are not inclusion criteria.
- SSO — The products must provide SSO to web applications using SAML. The product must support the specific use case of users authenticating to Windows/Active Directory and subsequently being provided with SSO to protected applications not integrated with Windows/Active Directory. Products must also support sign-on to the access management tool using one or more social media identities. This implies support for OAuth 2 and potentially OpenID Connect.
The following SSO methods were analyzed as part of critical capabilities scoring:
- Standards-based SSO using SAML and OpenID Connect
- Use of a reverse proxy (with credentials transported in HTTP headers)
- Use of a server agent to interact with the access management tool
- Use of password vaulting and forwarding techniques
- Functionality to support the transmittal of authentication and authorization information to APIs as part of application flows for previously authenticated users
- Session management — The product must provide some functionality that maintains session state when users are authenticated to one or more applications. Session management enables single sign-on because the product is “aware” of an established session. Session management functionality can also provide individual (or multiple) application session termination based on administrator-configured settings (such as using timeout parameters, or based on users logging out of one or more sessions).
- Security token services — Once a user authenticates to the product or to an identity provider federated with the product, the product must provide protocol and security token translation. This enables SSO and attribute transmittal to target applications that use different security token formats and syntaxes and SSO protocols.
- Authorization enforcement — At a minimum, the product must allow/disallow users’ access to the primary access point — the “front door” (usually referenced by a URL) — of applications based on attribute data available in identity repositories (for example, directories and databases). The products must allow administrators to create, manage and put into production access policies used by the product to render access decisions and enforce those decisions.
The following functionalities were considered in scoring, but are not inclusion criteria:
- Ability to support authorization enforcement to APIs
- Ability to use contextual information, such as geolocation, device characteristics and date, or time of day as input to an access decision
- Ability to perform fine-grained authorization enforcement on subobjects within applications
- Ability to use complex combinations of rules and attributes to render access decision
- The use of analytics engines that can augment or replace rule-based policy engines
- Developer interfaces to access management functionality — Vendors must provide a set of APIs or an SDK to allow developers to make calls to the access management tool from applications to support externalization of authentication and authorization functions from these applications.
This Critical Capabilities does not cover the following types of related offerings:
- Access management offerings that lack an access policy decision and enforcement engine. This includes pure user authentication products and services. In addition, products that began as pure user authentication products and then were functionally expanded to support SSO via SAML or OpenID Connect, but can’t manage sessions or render authorization decisions (see “Market Guide for User Authentication”).
- Access management offerings that are only or predominantly designed to support OSs and/or PAM (see “Market Guide for Privileged Access Management”).
- Remote or on-premises “managed” access management. Services designed to take over management of customer-owned or -hosted access management products, rather than being provided by delivery of the vendor’s own intellectual property (see “Market Guide for IAM Professional Services, North America”).
- Access management functions provided only as part of a broader infrastructure or business process outsourcing agreement. Access management must be provided as an independently available and priced product or service offering.
Critical Capabilities Methodology
This methodology requires analysts to identify the critical capabilities for a class of products or services. Each capability is then weighted in terms of its relative importance for specific product or service use cases. Next, products/services are rated in terms of how well they achieve each of the critical capabilities. A score that summarizes how well they meet the critical capabilities for each use case is then calculated for each product/service.
"Critical capabilities" are attributes that differentiate products/services in a class in terms of their quality and performance. Gartner recommends that users consider the set of critical capabilities as some of the most important criteria for acquisition decisions.
In defining the product/service category for evaluation, the analyst first identifies the leading uses for the products/services in this market. What needs are end-users looking to fulfill, when considering products/services in this market? Use cases should match common client deployment scenarios. These distinct client scenarios define the Use Cases.
The analyst then identifies the critical capabilities. These capabilities are generalized groups of features commonly required by this class of products/services. Each capability is assigned a level of importance in fulfilling that particular need; some sets of features are more important than others, depending on the use case being evaluated.
Each vendor’s product or service is evaluated in terms of how well it delivers each capability, on a five-point scale. These ratings are displayed side-by-side for all vendors, allowing easy comparisons between the different sets of features.
Ratings and summary scores range from 1.0 to 5.0:
1 = Poor or Absent: most or all defined requirements for a capability are not achieved
2 = Fair: some requirements are not achieved
3 = Good: meets requirements
4 = Excellent: meets or exceeds some requirements
5 = Outstanding: significantly exceeds requirements
To determine an overall score for each product in the use cases, the product ratings are multiplied by the weightings to come up with the product score in use cases.
The critical capabilities Gartner has selected do not represent all capabilities for any product; therefore, they may not represent those most important for a specific use situation or business objective. Clients should use a critical capabilities analysis as one of several sources of input about a product before making a product/service decision.
Analyst: Gregg Kreizman, Managing Vice President
© 2018 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior written permission. It consists of the opinions of Gartner's research organization, which should not be construed as statements of fact. While the information contained in this publication has been obtained from sources believed to be reliable, Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner research may address legal and financial issues, Gartner does not provide legal or investment advice and its research should not be construed or used as such. Your access and use of this publication are governed by Gartner’s Usage Policy. Gartner prides itself on its reputation for independence and objectivity. Its research is produced independently by its research organization without input or influence from any third party. For further information, see "Guiding Principles on Independence and Objectivity."