Magic Quadrant for Identity June 2015


  • 8/19/2019 Magic Quadrant for Identity June 2015

    1/37

    G00265376

Magic Quadrant for Identity and Access Management as a Service, Worldwide

Published: 4 June 2015

Analyst(s): Gregg Kreizman, Neil Wynne

Large vendor entrants in 2014 began to make their presence felt. Web-centric but shallow-function services are in high demand. Vendors that can deliver deeper functionality for IGA and legacy application support, including niche vendors, may be the best for your needs.

Strategic Planning Assumption

By 2019, 25% of IAM purchases will use the IDaaS delivery model — up from less than 10% in 2014.

Market Definition/Description

A vendor in the identity and access management as a service (IDaaS) market delivers a predominantly cloud-based service in a multitenant or dedicated and hosted delivery model that brokers core identity governance and administration (IGA), access and intelligence functions to target systems on customers' premises and in the cloud.

This Magic Quadrant rates vendors on their ability to be global, general-purpose identity and access management (IAM) service providers for multiple use cases. The vendors in this Magic Quadrant must provide some level of functionality in all of the following IAM functional areas:

■ IGA: At a minimum, the vendor's service is able to automate synchronization (adds, changes and deletions) of identities held by the service or obtained from customers' identity repositories to target applications and other repositories. The vendor also must provide a way for customers' administrators to manage identities directly through an IDaaS administrative interface, and allow users to reset their passwords. In addition, vendors may offer deeper functionality, such as supporting identity life cycle processes, automated provisioning of accounts among heterogeneous systems, access requests (including self-service), and governance over user access to critical systems via workflows for policy enforcement, as well as for access certification processes. Additional capabilities may include role management and access certification.


■ Access: Access includes user authentication, single sign-on (SSO) and authorization enforcement. At a minimum, the vendor provides authentication and SSO to target applications using Web proxies and federation standards. Vendors also may offer ways to vault and replay passwords to get to SSO when federation standards are not supported by the applications. Most vendors offer additional authentication methods.

■ Identity log monitoring and reporting: At a minimum, the vendor logs IGA and access events, makes the log data available to customers for their own analysis, and provides customers with a reporting capability to answer the questions, "Who has been granted access to which target systems and when?" and "Who has accessed those target systems and when?"
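The two baseline reporting questions above are easy to state, but in practice they are answered by joining the IGA event stream (grants and revocations) to the access event stream (logins) on user and target. What follows is an added example, not code from the report or from any vendor it rates: a minimal Python join over constructed sample events in a hypothetical four-field log format (timestamp, event, user, target). Beyond producing the two reports, it flags logins that occurred with no active grant at that moment, which is the first check a practitioner runs on such data because it surfaces orphaned accounts, revocations that never reached the target, and missed events.

```python
"""Added example (not from the Gartner report or any rated vendor).

Joins an IGA event stream (GRANT/REVOKE) to an access event stream (LOGIN)
to answer the two baseline reporting questions:
  1. Who has been granted access to which target systems, and when?
  2. Who has accessed those target systems, and when?
and to flag logins that had no active grant at the time (a control gap).
The four-field log format and the events below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample logs: "<ISO-8601 UTC time> <EVENT> <user> <target>"
IGA_LOG = """\
2015-06-01T09:00:00Z GRANT alice salesforce
2015-06-01T09:05:00Z GRANT bob salesforce
2015-06-02T10:00:00Z REVOKE bob salesforce
2015-06-03T08:30:00Z GRANT carol workday
"""

ACCESS_LOG = """\
2015-06-01T12:00:00Z LOGIN alice salesforce
2015-06-02T11:00:00Z LOGIN bob salesforce
2015-06-03T09:00:00Z LOGIN carol workday
2015-06-03T09:15:00Z LOGIN dave workday
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str
    user: str
    target: str


# (user, target, granted_at, revoked_at or None if still active)
Grant = Tuple[str, str, datetime, Optional[datetime]]


def parse_log(text: str) -> List[Event]:
    """Parse the four-field lines into Events, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, user, target = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            kind, user, target))
    return sorted(events, key=lambda e: e.ts)


def grants_report(iga: List[Event]) -> List[Grant]:
    """Question 1: who was granted what, when, and when it was revoked (if ever)."""
    active: Dict[Tuple[str, str], datetime] = {}
    closed: List[Grant] = []
    for e in iga:
        key = (e.user, e.target)
        if e.kind == "GRANT":
            active[key] = e.ts
        elif e.kind == "REVOKE" and key in active:
            closed.append((e.user, e.target, active.pop(key), e.ts))
    still_open = [(u, t, ts, None) for (u, t), ts in active.items()]
    return sorted(closed + still_open, key=lambda g: g[2])


def was_entitled(grants: List[Grant], user: str, target: str, at: datetime) -> bool:
    """True if some grant for (user, target) was active at time `at`."""
    return any(u == user and t == target and start <= at and (end is None or at < end)
               for (u, t, start, end) in grants)


def access_report(iga: List[Event], access: List[Event]) -> List[Tuple[str, str, datetime, bool]]:
    """Question 2: who accessed which target when, with an 'entitled' flag."""
    grants = grants_report(iga)
    return [(e.user, e.target, e.ts, was_entitled(grants, e.user, e.target, e.ts))
            for e in access if e.kind == "LOGIN"]


def unentitled_accesses(iga: List[Event], access: List[Event]) -> List[Tuple[str, str, datetime]]:
    """Logins with no active grant: orphaned accounts, stale revokes, or a missed event."""
    return [(u, t, ts) for (u, t, ts, ok) in access_report(iga, access) if not ok]


if __name__ == "__main__":
    iga, acc = parse_log(IGA_LOG), parse_log(ACCESS_LOG)
    for g in grants_report(iga):
        print("GRANTED", g)
    for row in access_report(iga, acc):
        print("ACCESS ", row)
    print("UNENTITLED", unentitled_accesses(iga, acc))
```

On the sample data, bob's login is flagged because it follows his revocation, and dave's because no grant exists for him at all. In a real deployment the join key is rarely this clean: the access log usually carries the target system's account name rather than the IdP username, so an account-to-identity mapping (the same correlation the IGA connectors maintain) has to be applied first, and timestamps from the IdP and the target need to be on a common clock before the "active at that moment" test is meaningful.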

    Page 2 of 37 Gartner, Inc. | G00265376


    Magic Quadrant

    Figure 1. Magic Quadrant for Identity and Access Management as a Service, Worldwide

    Source: Gartner (June 2015)

Vendor Strengths and Cautions

CA Technologies

CA Technologies delivers IDaaS under its CA Secure Cloud brand. CA Secure Cloud includes Web application SSO, adaptive authentication and identity administration. The service supports user provisioning to cloud and on-premises systems, including legacy applications. Self-service requests, approval workflows and delegated administration are all supported. The service can be delivered completely from the cloud or in a hybrid model. CA has global regional partners that deliver their own branded versions of IDaaS, underpinned by CA Secure Cloud.

Strengths

■ CA Secure Cloud provides greater functional depth for user administration than Web-centric providers. Solid delegated administration and provisioning workflows are provided.

■ The Advanced Authentication SaaS provides adaptive authentication options.

■ CA has a history of successfully leveraging global partners to deliver its solutions and services worldwide.

■ CA's extensive product and service portfolio, as well as its sales and support channels, favors the company in the Overall Viability criterion.

■ CA's portfolio of IAM software and IDaaS can be combined for complex functionality and use-case support, and CA has a broad set of user provisioning connectors to leverage for cloud and legacy application support.

Cautions

■ CA has not gained traction in the market and is resetting its strategy. Customers have demanded customized implementations, which is not a design goal for CA Secure Cloud.

■ CA's pricing was above average for Web-centric pricing scenarios.

■ CA Secure Cloud does not yet support password vaulting and forwarding for SSO for target systems that do not support federation standards. This feature is roadmapped.

■ CA Secure Cloud lacks language internationalization, and the interfaces are provided in English only.

Centrify

Centrify's Identity Service includes Web-centric IDaaS and enterprise mobility management (EMM). The IDaaS portion of the offering provides Web application SSO using federation standards or password vaulting and forwarding, user provisioning, and reporting. The integrated mobility capabilities provide many of the features of stand-alone EMM vendors. Notable features include security configuration and enforcement, device X.509 certificate issuance and renewal, remote device location and wiping, and application containerization.

Strengths

■ The EMM features are the strongest in the IDaaS market, and Centrify has a strong relationship with Samsung. Centrify hosts Samsung's own IDaaS offering, and Centrify leverages the Samsung Knox containerization capability. Centrify added fingerprint biometric support for Apple and Samsung devices in 2015.

■ Centrify added privileged account management as an IDaaS offering, and strengthened its support for on-premises applications.

■ Centrify significantly expanded the set of applications for which it can provide user provisioning and license management.

■ The service and on-premises proxy component can be configured to keep some or all identity data on-premises in Active Directory and not replicate it to the cloud. Cloud identity storage is optional.

■ Reporting and analysis features for all events handled by the service are wide-ranging and customizable.

Cautions

■ Centrify does not provide business-to-consumer (B2C) or B2B IDaaS offerings.

■ As with other Web-centric IDaaS providers, Centrify does not provide user provisioning workflow or identity governance features.

■ The user provisioning and identity synchronization components are in the early stages of maturity. Bugs have been reported, and Centrify is addressing them with fixes.

■ Marketing programs have been significantly bolstered in 2015; however, brand awareness in IDaaS continues to lag primary competitors.

■ Centrify is facing increased competition from larger vendors.

Covisint

Covisint is the longest-standing IDaaS vendor in the market. The company may not be well-known among prospects in some industries, geographies and small businesses due to its early focus on larger enterprises. Moreover, Covisint's functionality is often "white-labeled" by its customers. Covisint got its start in the automotive industry and provided integration broker, portal and identity services to support supply chain connectivity. The company has grown those lines of business into other industries. Its work in the automotive industry and in supporting vehicle identities also has helped it build foundation services that can be used in other Internet of Things (IoT) applications. In addition, the company has a history of working through tough integration issues with demanding customers.

Strengths

■ Covisint provides strong identity assurance features, with several ID proofing vendor integrations and support for several authentication methods — its own and those from third parties.

■ Covisint IDM includes user administration workflow abilities and capable administrative delegation, along with access certification features.

■ The vendor provides deep identity federation and provisioning integration functions using standards and proprietary techniques.

■ Covisint has shown leadership in support of IoT initiatives, particularly in the automotive industry, and IoT is stated as a strong focus going forward.

■ Covisint added a data center in Germany to support customers there, and to grow its presence in the region.

■ Covisint made its service granularly accessible through APIs; it has rearchitected the service to make it more easily implemented in public or private cloud, and to support white labeling.

Cautions

■ Although it can support employee-to-SaaS scenarios, Covisint's focus on large customers with enterprise B2B use cases will make it a less likely choice for small or midsize businesses (SMBs) that are seeking only employee-to-SaaS use-case support.

■ The scenario pricing that Covisint provided for this research was high for most scenarios, compared with competitors.

■ Covisint is not profitable and has had negative net income since completely separating from Compuware in 2014.

■ Although still selling through a direct sales team, Covisint's channel partner strategy to supply its platform as a service (PaaS) to other service providers as a white-labeled service — although it could be profitable for the vendor — is risky because it could disintermediate Covisint from customers.

Exostar

Exostar entered the IDaaS market when it was formed by a community of aerospace and defense companies to support their IAM needs related to supply chain. Exostar also created a secure collaboration platform based on top of Microsoft SharePoint, and now it delivers secure email, file transfer and WebEx services. The company augments its core services with identity proofing through third parties, but also provides a video "in person" identity proofing service using subjects' webcams for interviews. In addition, Exostar delivers public-key infrastructure (PKI) and one-time password (OTP) token credential management services. Exostar provides IAM that is fully cloud-based, or it can join community participants to the hub via a gateway. Exostar's target market is large companies with cross-organizational collaboration requirements. Exostar views IDaaS as a critical component of its offering, but primarily in the context of helping it to deliver its overall business collaboration capabilities.

Strengths

■ Exostar is a long-standing IDaaS vendor, and is one of the few small vendors that is profitable.

■ Because of its legacy in highly secure markets, Exostar has strict audit requirements to ensure that conditions for security and industry compliance issues are met. The identity proofing capabilities also are unique in this market, and Exostar's identity services are certified by the U.S. government and the SAFE-BioPharma Association.

■ In 2014 and early 2015, Exostar expanded its vertical industry support to the healthcare and airline industries, and within life sciences. Exostar is delivering similar sets of IAM and collaboration functionality to them, with an emphasis on these communities' needs for intellectual property protection.

■ The company has strong customer relationships, and reference customers report that Exostar is a solid partner for implementation, as well as for incorporating customer requirements into its roadmap.

■ Exostar has strong B2B federation and administration capabilities, and it can handle data exchanges in support of complex business agreements for its established communities. In 2014, Exostar added an entitlements management framework to enable user provisioning and the provisioning of application-specific features using customizable workflow components.

Cautions

■ The company and its offerings are not geared toward the broader general-purpose IAM market, which would focus on enterprise users' access to SaaS applications, or on consumers' inbound access to enterprises' applications as primary use cases. Rather, Exostar's target market is large companies with cross-organizational collaboration requirements.

■ Authentication and SSO integration features are limited compared with vendors that support general-purpose SSO use cases. Password vaulting and forwarding, as well as social registration and login, are not supported.

■ Exostar provides IDaaS functions to users in multiple geographies, but these users and their companies are predominantly using the services at the behest of Exostar's anchor tenants in aerospace and defense and in life sciences. Exostar picked up a customer in Japan, but otherwise, there is not a strong international presence for Exostar customers and data centers, nor is there broad internationalization support.

Fischer International

Fischer International, a pure-play IAM provider, was one of the first vendors to deliver IDaaS. Fischer's capabilities are available in IDaaS, dedicated hosted, managed or on-premises software delivery models. Fischer provides functionally deep user administration and fulfillment capabilities, some governance functionality, privileged account management, and federated SSO.

Strengths

■ Reference customers rate the product and support highly.

■ Fischer's experience and technical capabilities enable it to support IAM functions for legacy on-premises applications in addition to SaaS applications.

■ User administration functionality is deep, with strong connector support to a variety of directories, databases and applications, and access certification features are included. Fischer International emphasizes configuration of out-of-the-box features rather than scripting and custom development. This results in rapid deployment times relative to other deep functionality vendors. However, prospects must ensure that this type of implementation can meet their business process requirements.

■ Fischer's scenario pricing is among the lowest, and references find that this provides solid value for the money.

Cautions

■ Despite Fischer's long tenure in the IDaaS market, its brand recognition, market penetration and overall growth have been low compared with its competitors.

■ The focus of Fischer's marketing and sales on the U.S. geographic market and higher education vertical industry has limited the company's growth in other geographies and vertical industries.

■ Access management is limited to SSO, without the authorization enforcement capabilities found in other IDaaS access services.

■ Native mobile application support is not included in the product.

IBM

This is IBM's first year on the IDaaS Magic Quadrant. In 2014, IBM purchased Lighthouse Security Group, a vendor that delivered its IDaaS underpinned by IBM software. Lighthouse Security Group was evaluated in the 2014 "Magic Quadrant for Identity and Access Management as a Service." IBM has rebranded the offering as Cloud Identity Service, which is provided in a multitenant model. However, components of the service can be delivered in a dedicated model. With the acquisition, IBM can bring its significant resources and relationships to bear in order to advance Cloud Identity Service along with its other offerings.

Strengths

■ IBM's functional offering is deep and aligns with the functionality provided by IBM's software deployed on-premises.

■ IBM's offering will be made deeper with the planned incorporation of the functionality obtained through the acquisition of CrossIdeas' IGA capabilities, as well as the integration of Fiberlink's MaaS360 mobile device management (MDM) capabilities.

■ IBM's acquisition of Lighthouse Security Group and its breadth of resources should appeal to customers that are risk-averse and have concerns with smaller vendors. IBM has geographically expanded its data center locations, and IBM's support and professional services organizations are supporting Cloud Identity Service.

■ The company has some very large customers and can demonstrate high scalability.

Cautions

■ Customers report that Cloud Identity Service can take significant effort to go live. This is partly due to the complex nature of projects that IBM takes on for larger customers. IBM will need to deliver a service offering that is more configurable and easy to implement, without requiring significant professional services, in order to compete down-market.

■ While indicators point to the growth of IBM's offering, new clients have not yet translated into references.

■ Despite pricing reductions in 2015, IBM's pricing for several use-case scenarios was among the highest.

Ilantus

Ilantus provides IDaaS in a dedicated hosted tenant model. The company began as an IAM system integrator, and has experience with traditional large-vendor IAM stacks. It offers four functional services: Identity Express for identity administration, Compliance Express for access governance, Sign On Express for SSO and Password Express for password management. This is Ilantus' first year on the IDaaS Magic Quadrant.

Strengths

■ Ilantus' customer references gave the vendor high marks for implementation, support and rapid deployments.

■ Its solutions have been deployed by companies in most vertical industries, and its IGA functionality helps Ilantus support regulated industries.

■ Ilantus' feature set and pricing are strong for the midmarket, which is its current "sweet spot" for customer acquisition.

■ Ilantus' Sign On Express for SSO provides SSO to thick-client applications, in addition to the Web-architected applications that other vendors support.

Cautions

■ The company has low penetration in the global IDaaS market. Ilantus has been in the U.S. market as a system integrator since 2000, but has not advanced its IDaaS offerings there or in Europe. However, Ilantus has good penetration in India, and has a foothold in other Asia/Pacific countries in which English is widely spoken.

■ Similar to other small vendors, Ilantus lacks brand recognition, so it will need to step up marketing efforts and sales channel development in order to expand more rapidly.

■ Ilantus demonstrates an understanding of market trends, but its roadmap plans are incremental and mostly designed to keep the service on par with current competitors' capabilities.

■ Building IGA connectors for custom applications is time-consuming and prolongs projects, according to reference customers.

■ Ilantus' federated access to Microsoft Office 365 SSO features lacks Microsoft's rich client support that other IDaaS vendors have. However, Sign On Express for SSO can provide this functionality for Windows clients.

iWelcome

Netherlands-based iWelcome provides its IDaaS in a dedicated single-tenant delivery model to allow for customization and customer branding. Its offering is heavily based on open-source software and includes authentication, SSO, federation, self-service registration, and user provisioning support for on-premises and SaaS applications. iWelcome has a specific focus on larger enterprise customers with complex requirements.

Strengths

■ iWelcome is the only established IDaaS vendor rated in this Magic Quadrant with headquarters located in continental Europe. As a result, it has an early-mover advantage in that region.

■ iWelcome has strong capabilities in access management — particularly in authentication method, federation protocol and identity repository support.

■ iWelcome has grown a significant portion of its business by supporting B2C use cases, and owes this success to consumer-oriented features such as supporting multiple authentication methods, social registration and login, configurability of the user experience, and customer portal integration.

■ iWelcome expanded its API support for more functions and added attribute provisioning and validation. Customers can enable or disable these capabilities through the administrative interface.

■ During 2014 and early 2015, the company made advancements in authentication method support, and added identity intelligence features, role administration and provisioning, and System for Cross-Domain Identity Management (SCIM) support.

Cautions

■ iWelcome lacks delegated administration. It also lacks core identity governance features (such as access certification and recertification), and its provisioning approval workflow capabilities are minimal. iWelcome relies on integration with customers' established IGA toolsets.

■ The company's overall customer base is small compared with most competitors, although the company grew the business proportionately well for its size during 2014.

■ In 2014, although iWelcome began to enhance its sales resources and marketing efforts internally and through partnerships in other European countries, these efforts will need to expand rapidly in order for the vendor to stay ahead.

■ Support resources and customer engagement will need to expand as well. Existing customers report that the platform is reliable and performs well, but that technical support could be more responsive.

Microsoft

This is Microsoft's first year on the IDaaS Magic Quadrant. Microsoft entered the IDaaS market in May 2014 with its business-to-employee (B2E)-focused Azure Active Directory services. There are three service levels; the Premium offering provides features that are in line with other Web-centric IDaaS providers, and includes licenses for Microsoft Identity Manager (MIM) that are to be used with customers' on-premises systems. Microsoft also offers Azure Active Directory Premium as part of its Enterprise Mobility Suite, along with Microsoft Intune and Azure Rights Management.

Strengths

■ Microsoft joined an established IDaaS market, and was able to leverage its current and substantial customer base — particularly Office 365 customers — to add Azure Active Directory to contracts. The company has broad and deep marketing, sales and support capabilities.

■ Microsoft already has demonstrated high scalability with Azure Active Directory. The service underpins other Microsoft Azure services.

■ Microsoft has a strong international presence for its service offerings, and continues to expand its infrastructure as a service (IaaS) presence worldwide.

■ The company is able to leverage data sources and machine learning to support intelligence functions, such as identifying known bad IP addresses and devices to help prevent fraudulent activity.

■ Microsoft's strategy demonstrates a strong understanding of technology, socioeconomic, security and jurisdictional trends that will shape its offerings going forward.

Cautions

■ Microsoft does not yet provide a B2C IDaaS offering. It is planned for 2015.

■ Microsoft's on-premises "bridge" components are Active Directory Federation Services and Azure Active Directory Sync. Customers must implement and manage these two components on their own. Microsoft's Azure AD Connect (similar to other IDaaS vendors' approaches), which will combine these functions, is now in preview.

■ While Azure Active Directory Premium includes access licenses for MIM, customers are responsible for managing that implementation themselves, or with the help of third parties.

■ Microsoft can provide user provisioning to some cloud apps; however, Web-centric competitors have a lead in terms of the number of apps they can provision to, as well as the depth of SaaS fulfillment that supports the provisioning of roles, groups and other attributes.

■ Microsoft can provide provisioning and SSO for enterprise users to social media sites, and has APIs and software development kits (SDKs) for social media support; however, the service does not yet provide packaged social registration and sign-on to Azure Active Directory or target systems.

Okta

Okta's IDaaS offering is delivered multitenant, with lightweight on-premises components for repository and target system connectors. IDaaS is Okta's core business. Okta delivers basic identity administration and provisioning capabilities, access management for Web-architected applications using federation or password vaulting and forwarding, and reporting. Okta also provides phone-as-a-token authentication capabilities. Okta added Mobility Management in 2014.

Strengths

■ The company's marketing and sales strategies have been effective, as demonstrated by brand recognition and an increased volume of customers. Okta's customer base grew significantly in 2014 and early 2015.

■ Okta's continued investment in its API set has led to the delivery of Okta Identity Platform for developers to support integrations with customers' applications and workflows.

■ Gartner again received numerous references, and has confirmed predominantly positive experiences. Okta's investments in mobility management have begun to bear fruit; customers are beginning to use the fundamental MDM functionality integrated with IDaaS to support functions such as mobile SSO, device access policies and device PIN reset.

■ Okta has maintained high, if not perfect, availability.

Cautions

■ Okta can synchronize identities from enterprise directories, and has added delegated administration functionality; however, the vendor does not have user provisioning approval workflow beyond one level, nor does it have identity governance features.

■ Okta's canned and custom reporting capabilities are limited.

■ Okta does not yet support the use of social identities for registration and logon. These capabilities were in beta test at the time of publication.

■ Okta's current customer base is predominantly located in the U.S., as are its data centers, but Okta has invested in European and Asia/Pacific expansion in terms of sales and data center location strategies.

■ Okta is facing increased competition from larger vendors.

OneLogin

OneLogin's service architecture is multitenant, and lightweight integration components are used for on-premises connections. IDaaS is OneLogin's core business. OneLogin also markets a federated search capability that allows customers to search for content across connected applications, and for these users to be authenticated automatically when search results are returned and selected.

Strengths

■ OneLogin significantly expanded its customer base in 2014 and early 2015, and has some large customers.

■ OneLogin has taken a standards-based approach to native mobile application integration, and is one of the vendors that champions the OpenID Native Applications Working Group (NAPPS) specifications.

■ OneLogin has started improving its global sales by expanding its sales organization and developing its channel partnerships. OneLogin secured a third round of venture funding that will help it expand.

■ References were mostly solid, and appreciated the support they received from OneLogin.

Cautions

■ OneLogin faces increased competition from larger competitors.

■ OneLogin lacks its own deep user administration and provisioning and identity governance functionalities.

■ OneLogin had some issues with service availability in 2015. However, it handled those issues well with customers and is improving the resilience of its service.

■ OneLogin maintains a singular focus on IDaaS, but has not developed a strategy for other product offerings. This could make it difficult to compete against vendors with broader offerings.

Ping Identity

The PingOne service is a multitenant Web-centric offering. Ping Identity provides a lightweight self-service bridge component to integrate a customer's Active Directory to the service, and also uses the well-established PingFederate product as the on-premises bridge component for customers when broad protocol and directory support are needed. In addition, PingAccess can be deployed to support proxy access to internal Web applications and APIs. PingID is offered to provide phone-as-a-token authentication methods.

Strengths

■ By leveraging the PingFederate technology for the bridge component, Ping can provide SSO by integrating with a variety of identity repositories, existing customer access management systems and target application systems.

■ Ping Identity has demonstrated support for multiple workforce and external identity use cases, as well as strong service provider support, via its many service provider customers.

■ Ping Identity has shown strong leadership in identity standards development, as well as openness in working with customers and competitors to evolve the standards.

■ Ping Identity has broad vertical and geographic market penetration through its value-added reseller (VAR) and system integrator partner networks; also, it has made inroads with managed service providers that can offer PingOne functionality.

Cautions

■ PingOne is one of the services with strong access features, but very lightweight IGA capabilities. User self-service access request, provisioning workflow and most identity governance features are missing.

■ PingOne has lagged its primary competitors in brand recognition and customer adoption.

■ Ping Identity's reporting capabilities are weak compared with its competitors.

■ Language internationalization features for the administrative and user interfaces are lacking relative to competitors; however, they are improving, with versions becoming available for Ping Identity's target markets later in 2015.

    SailPoint

    SailPoint IdentityNow was developed predominantly in-house, and features access request and provisioning, access certification, password management, and SSO service elements. The architecture is multitenant and can deliver services completely in the cloud, or it can be bridged to enterprise environments to support on-premises applications.

    Strengths

    ■ SailPoint's legacy of providing strong on-premises IGA has helped it deliver a subset of the functionality from the IdentityIQ product in IdentityNow. The more full-featured IdentityIQ can be delivered as a hosted managed service through partners as an alternative. This helps SailPoint strongly support employee-facing use cases.

    ■ SailPoint's full complement of provisioning connectors provides fulfillment capabilities to a wide variety of identity repositories and target systems, and significant product updates have been made to the password management functionality.

    ■ SailPoint provides SSO options that include federated SSO and password vaulting and forwarding.


    ■ SailPoint has a broad geographic presence for sales and support as a foundation for selling its IDaaS, and it has added data centers in Europe and Sydney, with other Asia/Pacific data centers roadmapped for 2015.

    ■ The company is profitable, and Thoma Bravo became a majority owner in SailPoint, thereby bringing additional resources to the vendor.

    Cautions

    ■ SailPoint's IDaaS market share is growing, but still small.

    ■ IdentityNow does not support social identity use cases.

    ■ IdentityNow is limited in its ability to support delegated administration for B2B use cases, but this feature is roadmapped for 2015.

    ■ SailPoint has strong VAR and system integration partner sets, but it is just beginning to leverage them for IDaaS market penetration.

    Salesforce

    Salesforce provides Salesforce Identity as part of its Salesforce PaaS. It sells Identity as an independent service offering, but also includes Identity for established Salesforce customers. Identity Connect is Salesforce's on-premises bridge component, which is sold separately. The service includes the baseline functionality required for inclusion, as well as social registration and login, federation gateway functionality, and deep access request and user provisioning workflow functionality.

    Strengths

    ■ Salesforce is able to place commoditization pressure on the market by including IDaaS functionality in its core offering, thereby providing incentives to keep its substantial customer base from being drawn to alternatives.

    ■ Salesforce Identity takes advantage of the deep access request and approval workflow functionality inherent in the Salesforce platform.

    ■ Salesforce's strategy demonstrates a strong understanding of the technology, socioeconomic, security and jurisdictional trends that will shape its offerings going forward.

    ■ Salesforce Identity has strong social media and identity standards support.

    Cautions

    ■ Salesforce does not support password vaulting and forwarding capabilities for SSO.

    ■ Salesforce Identity does not provide proxy-based access to on-premises Web applications.


    ■ The bridge component of Salesforce Identity does not provide the ability to synchronize cloud directory changes to enterprise directories. Professional services are needed to deliver this functionality.

    ■ Despite Salesforce's considerable PaaS market presence and recent awareness campaigns, Salesforce Identity's brand is not yet well-known in the market. The service is in its second year of availability.

    Simeio Solutions

    Simeio Solutions provides a mixture of dedicated hosted and on-premises managed service offerings. Its services are underpinned by products from other well-established IAM software vendors, which allows Simeio to provide Web access management (WAM), identity administration, access request, role and compliance, privileged account management, data loss prevention, risk intelligence, IT governance, risk and compliance services, and directory services.

    Strengths

    ■ Simeio's use of major IAM stack vendors' technologies provides it with an arsenal of products that delivers deep functional support for Web and legacy applications. The same vendor partnerships provide referrals to Simeio for customer acquisitions. Simeio also became Dell's exclusive as-a-service provider for Dell's IAM offerings.

    ■ Simeio's Identity Intelligence Center provides actionable insight into patterns of usage among users that may exist across multiple vendor identity sources and other security systems.

    ■ Simeio's history as an integrator has given it the experience to help customers plan, design and integrate their IDaaS offerings. A significant portion of Simeio's staff serves in professional services roles. Simeio continues to enhance its administration and user interfaces as abstraction layers over the multiple underpinning vendors' technologies, to help with consistency and time to value in implementations.

    ■ Simeio's service-based roots have enabled it to have a positive cash flow since its inception. A recently announced private equity investment should allow Simeio to further accelerate its growth.

    ■ Simeio has a good spread in its vertical industry and geographic representation; references highlighted Simeio as a good partner and rated it highly overall.

    Cautions

    ■ Simeio's organization and its overall customer base grew in 2014 and early 2015, but not as rapidly as we would have expected, given its relationship with Dell.

    ■ Simeio's use of OEM software requires the incorporation of these third-party vendors' software licensing costs in its offerings. This tends to make Simeio's pricing high, even for pure Web application use cases.


    ■ Simeio is still relatively unknown in the IDaaS marketplace, but is slowly building its customer base and brand awareness, thanks to vendor partners, some of which are also competitors.

    Vendors Added and Dropped

    We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor's appearance in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. It may be a reflection of a change in the market and, therefore, changed evaluation criteria, or of a change of focus by that vendor.

    Added

    Microsoft, Ilantus and Salesforce were added to the Magic Quadrant this year. Also, IBM was added because it acquired Lighthouse Security Group.

    Dropped

    Symplified's intellectual property and some of its people were acquired by RSA, The Security Division of EMC; therefore, Symplified was dropped from the Magic Quadrant. RSA has just announced its Via offering, which leverages Symplified's technology, but RSA did not meet the customer and revenue inclusion criteria for this Magic Quadrant.

    In addition, Lighthouse Security Group was dropped because it was acquired by IBM.

    Other Vendors of Note

    There has been some Gartner client interest in two vendors that specialize in social identity integration: Gigya and Janrain. However, neither one met the IAM functional inclusion criteria for this Magic Quadrant, notably in the IGA functional areas.

    Pirean and Wipro did not meet the financial or market penetration criteria for this Magic Quadrant. However, these vendors have functionally deep IAM offerings, and also have international headquarters, which may help them to be considered as alternatives to U.S.-based companies.

    Bitium offers a Web-centric IDaaS, but it did not meet the revenue criteria for inclusion in this Magic Quadrant.

    Intermedia offers AppID, but it did not meet the customer and revenue criteria for inclusion in this Magic Quadrant.


    Inclusion and Exclusion Criteria

    The vendor must provide a minimum level of functionality in all the IAM functional areas outlined in the Market Definition/Description section.

    Vendors that deliver only one or two of these core IAM functions as a service, such as authentication only, were not covered as part of this research. The following additional inclusion criteria were used.

    ■ Longevity of offering: Each IDaaS offering has been generally available since at least 31 December 2014 and is in use in multiple customer production environments.

    ■ Origination of offering: The offering is manufactured and operated by the vendor, or is a significantly modified version obtained through an OEM relationship. (We discount any service offering that has merely been obtained without significant functional modification through a licensing agreement from another vendor — for example, as part of a reseller/partner or service-provider agreement.)

    ■ Number of customers and end users (including customers of third-party service providers and their end users): As of 31 December 2014, the vendor had:

        ■ More than 20 different active customer organizations using its IDaaS offerings in a production environment.

        ■ Revenue attributed to fees for IDaaS service usage that was greater than $4 million for the year ending 31 December 2014.

    ■ Verifiability: Customer references must be available.

    Evaluation Criteria

    Ability to Execute

    Product or Service

    ■ The service's overall architecture, with emphasis on the service's global availability and resiliency features, and its flexibility to support on-premises identity repositories and cloud-only implementations. The level of support and expertise required by customers to help maintain the components. The extent to which a service's functions are exposed via APIs for customers' system integration.

    ■ Security and privacy: The physical and logical controls implemented by the vendor and any underpinning IaaS provider; security for on-premises bridge components and connections between the bridge and the IDaaS; controls for data security, particularly regarding personal information; and vendors' third-party certifications received for the services.


    ■ The variety of on-premises identity repositories that can be supported, and the quality of integration with same.

    ■ The depth and breadth of IGA functionality:

        ■ Access request.

        ■ Access approval workflow depth and functionality.

        ■ Access certification.

        ■ Attribute discovery and administration.

        ■ Administrative access enforcement — for example, to identify, alert and prevent inappropriate access.

        ■ Provisioning (create, read, update and delete, or CRUD) of user identities and entitlements to target systems.

        ■ Configuring target system connectors.

    ■ The depth and breadth of access functionality:

        ■ User authentication methods supported.

        ■ Breadth of SSO support for target systems.

        ■ Federation standards.

        ■ Support for mobile endpoints and native mobile application integration.

        ■ Authorization enforcement.

    ■ The depth and breadth of identity monitoring and reporting:

        ■ Canned reporting.

        ■ Customized reporting.

        ■ Data export to on-premises systems.

        ■ Analytics.

    ■ Integration with Microsoft Office 365, Microsoft SharePoint, customers' on-premises VPNs and WAM systems.

    ■ Deployment requirements, such as speed of proof of concept and deployment, customer staffing requirements, and factors that add complexity and may affect speed to deployment and staffing.

    Overall Viability

    ■ Overall financial health.


    ■ Success in the IDaaS market in terms of the number and size of customer implementations. This aspect is heavily weighted.

    ■ The vendor's likely continued presence in the IDaaS market.

    Sales Execution/Pricing

    ■ The vendor's capabilities in such areas as deal management and presales support, and the overall effectiveness of the sales channel, including VARs and integrators.

    ■ The vendor's track record in competitive wins and business retention.

    ■ Pricing over a number of different scenarios. This aspect is heavily weighted.

    Market Responsiveness/Record

    ■ The vendor's demonstrated ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act and market dynamics change.

    ■ How the vendor can meet customers' evolving IDaaS needs over a variety of use cases.

    ■ How the vendor has embraced standards initiatives in the IDaaS and adjacent market segments, and responded to relevant regulation and legislation.

    Marketing Execution

    ■ The clarity, quality, creativity and efficacy of programs designed to deliver the vendor's message in order to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This mind share can be driven by a combination of publicity, promotional initiatives, thought leadership, word of mouth and sales activities. For example:

        ■ Marketing activities and messaging.

        ■ Visibility in the press, social media and other outlets.

        ■ Vendor's appearance in vendor selection exercises, based on Gartner-client interactions.

        ■ Brand depth and equity.

    Customer Experience

    ■ Customer relationship and services.

    ■ Customer satisfaction program.

    ■ Customer references: This evaluation subcriterion was weighted heavily and included input from vendor-supplied references, as well as unsolicited feedback from Gartner-client interactions.


    Operations

    ■ People — that is, the size of the organization and the track record of key staff members.

    ■ Quality and security processes.

    Table 1. Ability to Execute Evaluation Criteria

    Evaluation Criteria             Weighting
    Product or Service              High
    Overall Viability               Medium
    Sales Execution/Pricing         High
    Market Responsiveness/Record    Medium
    Marketing Execution             Medium
    Customer Experience             High
    Operations                      Low

    Source: Gartner (June 2015)

    Completeness of Vision

    Market Understanding

    ■ Understanding customer needs: Methods, the effects of the Nexus of Forces (cloud, mobile, social and information) and the IoT.

    ■ The future of IDaaS and the vendor's place in the market. Also, the vendor's views on top technological, nontechnological and regulatory changes in the market.

    Marketing Strategy

    ■ Communication and brand awareness: The clarity, differentiation and performance management of the vendor's marketing messages and campaigns.

    ■ The appropriateness of the vendor's use of events, social media, other online media and traditional media as part of its marketing efforts.

    Sales Strategy

    ■ The vendor's strategy for selling its IDaaS offerings, using the appropriate network of direct and indirect sales, marketing, service and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.


    Offering (Product) Strategy

    ■ The vendor's approach to developing and delivering its IDaaS offerings to meet customers' and prospects' needs with respect to their key selection criteria, the needs created by the Nexus of Forces and other market dynamics. Also, the vendor's ability to exploit the Nexus of Forces to improve its IDaaS products and services.

    ■ The strength of the vendor's roadmap, and how the vendor will increase the competitive differentiation of its IDaaS and ancillary services.

    Business Model

    ■ The soundness and logic of the vendor's underlying business proposition:

        ■ The vendor's views of key strengths and weaknesses relative to competitors.

        ■ Recent company milestones.

        ■ Path chosen for future growth.

    Vertical/Industry Strategy

    ■ Customer breadth and penetration into various industries and sizes of customer organizations.

    ■ Views of industry trends and special needs.

    ■ Strategy for expanding IDaaS adoption in different industries.

    Innovation

    ■ Foundational technological and nontechnological innovations.

    ■ Recent and planned innovations.

    ■ Organizational culture and how it affects innovation.

    Geographic Strategy

    ■ Global geographic reach of customer base and trends.

    ■ Strategy for expanded geographic customer acquisition.

    ■ Global nature of technical support and professional services, and language internationalization for administrative and user interfaces.


    Table 2. Completeness of Vision Evaluation Criteria

    Evaluation Criteria           Weighting
    Market Understanding          Medium
    Marketing Strategy            Medium
    Sales Strategy                Medium
    Offering (Product) Strategy   High
    Business Model                Medium
    Vertical/Industry Strategy    Low
    Innovation                    High
    Geographic Strategy           Low

    Source: Gartner (June 2015)

    Quadrant Descriptions

    Leaders

    Leaders in the IDaaS market generally have made strong customer gains. They provide feature sets that are appropriate for current customer use-case needs. Leaders also show evidence of strong vision and execution for anticipated requirements related to technology, methodology or means of delivery. Leaders typically demonstrate solid customer satisfaction with overall IDaaS capabilities and/or related service and support.

    Challengers

    Challengers also show strong execution, and have significant sales and brand presence. However, they have not shown the Completeness of Vision for IDaaS that Leaders have. Rather, their vision and execution for technology, methodology and/or means of delivery tend to be more focused on or restricted to specific functions, platforms, geographies or services. Challengers' clients are relatively satisfied, but ask for additional functionality, more timely support and higher service levels than are currently delivered. There are no Challengers in this Magic Quadrant.

    Visionaries

    Vendors in the Visionaries quadrant provide products that meet many IDaaS client requirements, but they may not have the market penetration to execute as Leaders do. Visionaries are noted for their innovative approach to IDaaS technology, methodology and/or means of delivery. They may see IDaaS as a key part of a much broader service portfolio. They often may have unique features, and may be focused on a specific industry or specific set of use cases. In addition, they have a strong vision for the future of the market and their place in it.

    Niche Players

    Niche Players provide IDaaS technology that is a good match for specific use cases. They may focus on specific industries or have a geographically limited footprint, but they can actually outperform many competitors. Vendors in this quadrant often have relatively fewer customers than competitors, but they may have large customers as well as a strong IDaaS feature set. Pricing might be considered too high for the value provided by some niche vendors. Inclusion in this quadrant, however, does not reflect negatively on the vendor's value in the more narrowly focused service spectrum. Niche solutions can be very effective in their areas of focus.

    Context

    Vendors rated in this Magic Quadrant come from distinctly different backgrounds. Their pedigrees vary greatly, as do their abilities to provide IAM functional depth and support for different use cases. Their aspirations for servicing customers by geography, industry and customer-size segmentation also vary.

    Clients are strongly cautioned not to use vendors' positions in the Magic Quadrant graphic (see Figure 1) as the sole source for determining a shortlist of vendors. Vendors were evaluated with regard to their ability to provide a general set of IAM functionalities across multiple use cases, and in multiple geographies and industries, and to do so by providing solid value for money as perceived by their customers. All vendors covered in this Magic Quadrant have succeeded in providing customers with services that meet their needs. However, client requirements — particularly those for IAM functional depth, speed to implementation, geographic coverage and price — are most likely to strongly affect their choices for a shortlist:

    1. Clients focused on Web-architected application targets, employee-to-SaaS and consumer-facing needs should strongly consider Centrify, Microsoft, Okta, OneLogin, Ping Identity and Salesforce. These vendors also have experience with SMBs, even as they aspire to move upmarket to serve larger clients and have begun to do so. Currently, however, these vendors have limited IGA abilities. They tend to lack multilevel provisioning approval workflows, as well as identity governance features such as access certification, segregation of duties violation detection, or role engineering and certification. These vendors' provisioning connectors for legacy application targets also are lacking.

    2. Clients that need more functional depth in IGA and legacy on-premises application targets should strongly consider CA Technologies, Covisint, Fischer International, IBM, Ilantus, Simeio Solutions and SailPoint. European clients especially may be interested in iWelcome. More of these vendors also provide dedicated hosted instances of their offerings as options.

    3. Clients that need IAM served as part of a community of interest or an industry consortium should strongly consider Covisint and Exostar. These vendors have a history of providing IAM in a hub configuration that is designed to support collaboration among participants, or to serve the community's common business partners for access to a set of community-owned applications. Exostar also is recommended for clients that need secure collaboration services on top of IDaaS.

    Clients generally should expect more complex, time-consuming and costly implementations when they have requirements for IGA functional depth, and when they have legacy (non-Web-architected) on-premises application targets. These requirements generally indicate a stronger need for IAM process and data modeling and target system integration functions, such as connector development and configuration. System integrators have been needed when clients implemented traditional IAM software suites with these types of requirements. Several of the vendors listed above in No. 2 come from system integration backgrounds. IDaaS customers should expect best practices and operational excellence from these vendors due to their familiarity with the software components that underlie the solutions. There should be some deployment and integration efficiency gains relative to do-it-yourself approaches. However, customers should not expect to easily "forklift" an existing, complex IAM implementation with multiple IGA workflows and many legacy system connectors to the cloud without significant integration work and quality assurance testing. Dedicated per-client IAM infrastructure also drives up the cost of the offering relative to multitenant offerings. The cost of underlying IAM third-party software licenses also may drive up the overall costs of the implementation.

    Security

    Gartner clients rightly express concerns with regard to data security and protection of enterprise users' passwords when IDaaS is being considered. The following are generally true for IDaaS security practices, with some exceptions:

    ■ Some user identity data will be held in the cloud. Most commonly, this data includes first and last names and email addresses. Some vendors, such as Centrify and Ping Identity, require no user attributes to be held in the cloud, with the assumption that all data needed for provisioning users to SaaS application targets is held in the on-premises directory and can be accessed by the vendors' bridge components. Centrify offers on-premises-only or hybrid cloud implementation, and the hybrid implementation requires some identity data to reside in the cloud. Ping Identity's solution works similarly. Generally, as the number of attributes needed to provision users' accounts grows, that data must at least pass through vendors' IDaaS services in order to be provisioned to SaaS targets. A cloud-only implementation of IDaaS must hold all these attributes.

    ■ Data is encrypted in transit over networks. The one notable exception is password vaulting and forwarding: when a target does not support federation, the IDaaS replays the stored password into the target's login form, and if that form is submitted without TLS (still commonly called SSL) between the browser and the target system, the password crosses the network in the clear. This is essentially the same exposure as when a user's browser interacts directly with the application without IDaaS controlling the access. SaaS sign-on flows usually use TLS whether or not an IDaaS is brokering the access; the risk lies with targets whose login forms are still served or submitted over plain HTTP.

    ■ Identity data in the vendor's cloud is encrypted at rest. Vendors have different strategies for managing encryption keys. Most vendors generate separate encryption keys for each customer's instance of the service, and there is variance in how those keys are managed. Technically, the keys may be under the customer's strict control, or the vendors' operations staff may control the keys. In the latter case, the vendors claim that their personnel will have other controls in place to ensure that there is no inappropriate use of the keys.

    ■ On-premises bridge components will use SSL/Transport Layer Security (TLS) to communicate with the service, and many of the vendors will require no inbound firewall port to be opened to support this. Communications are initiated outbound from the bridge.

    ■ With few exceptions, providers use IaaS providers, rather than their own operations centers, to host their offerings. All vendors maintain some type of third-party security certification, as do the IaaS providers that host the IDaaS. SOC 2 is common. ISO/IEC 27001 is becoming more common.
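    The password-forwarding exception is worth checking before a target is enrolled for vaulting, because the page that serves a login form can itself be HTTPS while the form's action posts the credentials to plain HTTP. The following Python is an added illustration, not part of this research or of any vendor's product: it parses a constructed login page with the standard library, resolves each password form's action against the page URL, and reports the actions that would carry the forwarded password in the clear. The host names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _LoginFormParser(HTMLParser):
    """Collect every <form>, noting whether it contains an <input type="password">."""

    def __init__(self):
        super().__init__()
        self.forms = []        # list of [action, has_password_field]
        self._current = None   # index into self.forms while inside a <form>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)    # attribute values may be None for bare attributes
        if tag == "form":
            self.forms.append([attrs.get("action") or "", False])
            self._current = len(self.forms) - 1
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "text").lower() == "password":
                self.forms[self._current][1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def cleartext_password_actions(page_url, html):
    """Return the resolved action URLs of password forms on page_url that would
    submit a forwarded password over plain HTTP.

    The page URL being HTTPS is not enough: the form action decides where the
    browser (or the IDaaS forwarding script) sends the password. A missing or
    relative action resolves against the page URL, so it inherits its scheme.
    """
    parser = _LoginFormParser()
    parser.feed(html)
    findings = []
    for action, has_password in parser.forms:
        if not has_password:
            continue
        target = urljoin(page_url, action)
        if urlparse(target).scheme.lower() != "https":
            findings.append(target)
    return findings


# Constructed sample (hypothetical host, not from the original research): an
# HTTPS login page whose password form posts to plain HTTP.
SAMPLE_PAGE_URL = "https://legacyapp.example.com/login"
SAMPLE_HTML = """
<html><body>
  <form action="http://legacyapp.example.com/auth" method="post">
    <input name="user" type="text">
    <input name="pass" type="password">
    <input type="submit" value="Sign in">
  </form>
  <form action="/search" method="get"><input name="q"></form>
</body></html>
"""


def audit_sample():
    """Run the check against the constructed sample page."""
    return cleartext_password_actions(SAMPLE_PAGE_URL, SAMPLE_HTML)


if __name__ == "__main__":
    for url in audit_sample():
        print("password would be forwarded in the clear to", url)
```

    Run the same check against the real login page of each non-federated target before vaulting; a target that fails it should be federated, moved behind a TLS-terminating proxy, or kept out of the vault.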

    No security is perfect. Ultimately, prospective customers must decide whether vendors' stated control sets are sufficient for their needs. IDaaS vendors give significant attention to ensuring the security of their platforms. Based on the number of enterprise security breaches that have been made public, and the lack of any such breaches for IDaaS providers, Gartner believes that IDaaS vendors are more likely to provide better security for IAM services than their customers could for themselves.

    Availability

    The use of IDaaS may introduce a single point of failure. IDaaS vendors generally have taken care to architect their services with network and system redundancy features, and to host their services on an IaaS that has been provisioned with sufficient redundancy to guarantee adherence to IDaaS vendors' service-level agreements. Also, IDaaS vendors have generally architected their on-premises bridge components to be implemented redundantly, if the customers choose to do so.

    Nevertheless, a major system failure with the IDaaS has the potential to temporarily leave customers without access to the applications that IDaaS serves. Some vendors had outages during 2014 and 2015 that lasted a day or less. These events were isolated and rare. Organizations face similar risks when they manage their own IAM services, and when components such as federation servers fail.

    Clients that choose to accept the risks of using IDaaS should have an emergency business continuity process in place that includes these steps:

    ■ Bring up any available in-house federation technology and federate to key target systems, if possible.

    ■ If federation services are not available, then temporarily turn off federation at target systems and fall back to password-based authentication.

    ■ Issue temporary passwords for all target application accounts that can support password-based authentication.

    ■ Fall back to manual user provisioning processes.
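    The four steps above can be worked out per target application in advance. The Python below is an added example, not from this research or from any IDaaS vendor: it takes a constructed inventory of targets, decides for each whether to repoint federation to an in-house IdP, switch it to local passwords, or accept that it is unavailable, and mints a temporary password from the OS CSPRNG for every account that falls back to password login. The target names, accounts and the in_house_idp_available flag are assumptions for illustration; provisioning is marked manual for every target, as the last step requires.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Target:
    name: str
    sso: str                 # "federated" (SAML via the IDaaS) or "vaulted" (password forwarding)
    password_auth: bool      # target can authenticate users with its own local passwords
    accounts: list = field(default_factory=list)


def temporary_password(nbytes=18):
    """Random URL-safe temporary password from the OS CSPRNG (24 characters for 18 bytes)."""
    return secrets.token_urlsafe(nbytes)


def fallback_plan(targets, in_house_idp_available):
    """Break-glass plan for an IDaaS outage.

    Returns (actions, temp_credentials):
      actions          {target name: what to do while the IDaaS is down}
      temp_credentials {(target name, account): temporary password} for every
                       account that must fall back to password-based login
    Provisioning is manual for every target until the IDaaS recovers.
    """
    actions, creds = {}, {}
    for t in targets:
        if t.sso == "federated" and in_house_idp_available:
            # Step 1: keep SSO by federating the target to the in-house IdP instead.
            actions[t.name] = "repoint federation to in-house IdP; manual provisioning"
        elif t.password_auth:
            # Steps 2 and 3: drop federation where it exists and hand out temporary passwords.
            how = "disable federation and " if t.sso == "federated" else ""
            actions[t.name] = how + "issue temporary passwords; manual provisioning"
            for account in t.accounts:
                creds[(t.name, account)] = temporary_password()
        else:
            # Federation-only target with no IdP to fall back to: nothing restores access.
            actions[t.name] = "no fallback; unavailable until IDaaS recovers"
    return actions, creds


def sample_inventory():
    """Constructed inventory (hypothetical targets and accounts)."""
    return [
        Target("crm", "federated", True, ["alice", "bob"]),
        Target("hr", "federated", False, ["alice"]),
        Target("legacy-wiki", "vaulted", True, ["alice"]),
    ]


if __name__ == "__main__":
    actions, creds = fallback_plan(sample_inventory(), in_house_idp_available=False)
    for name, action in actions.items():
        print(f"{name}: {action}")
    for (name, account), pwd in creds.items():
        print(f"  temporary password for {account}@{name}: {pwd}")
```

    Temporary passwords generated this way still have to reach users out of band and be rotated once the IDaaS is back; the plan only tells you which accounts need them.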


    Data Residency

    Most of the vendors covered in this research are U.S.-based. Gartner clients from other countries may have concerns about employees', business partners' and customers' personal data that could be held in the cloud. Despite the use of local or regional data centers to host services and data, international clients still may be concerned about the U.S. government's ability to get access to the data. This is currently a risk that clients must evaluate, and then determine whether it is acceptable. We recommend the following for clients that intend to use IDaaS, but have concerns about U.S. providers:

    ■ Have the vendor prove Safe Harbor certification, or, preferably, require the vendor to sign the EU's model contracts on privacy.

    ■ Require your sole ownership of encryption keys, if possible, and evaluate the controls associated with the development and operations staff, and their access to the keys.

    If these recommendations do not provide enough comfort, then Gartner recommends that clients evaluate IDaaS providers in suitable jurisdictions.

    Pricing

    Gartner asked vendors to provide "street" price quotes for several use-case and volume usage scenarios. Vendors were cautioned against providing list prices. However, several vendors chose to respond with list prices. Vendors were asked to provide all costs, including startup costs, over a three-year subscription period. Three of the most commonly required scenarios are included below, with a range of costs and averages. Gartner clients should use the figures below for budgeting purposes. However, clients should expect to pay significantly less (on average) than these figures would indicate, due to the inflated prices that some vendors chose to deliver for our surveys. Gartner's observations of the price quotes submitted by our clients have corroborated this finding.

Scenarios 1 and 2: 1,000-Employee and 10,000-Employee Workforces, Web-Architected Applications

■ Number of users: 1,000 in the workforce ("any" staff) who use the service several times daily.

■ Endpoints: Company-owned PCs; approximately 60% Windows Active Directory and 10% Mac OS X, 30% mix of Apple and Android tablets and smartphones.

■ User location: Could be anywhere — a mix of on-premises corporate LAN and external use cases.

■ All identities and attribute data are held in Active Directory.

■ Support to: Five externally hosted (SaaS) applications and five internal Web application targets.

■ Allow the company's administrator to directly manage users' identities, and provision these to Active Directory. Subsequently and automatically provision accounts to the five SaaS applications, with the assumption that there is an available provisioning API for all five, and that the vendor already has created provisioning connectors for three of the five applications. Two of the applications need connectors created for the customer.

■ User self-service application access request, administrator approval, subsequent provisioning as described above, and user self-service password reset.

■ User authentication to the service and SSO to all target applications, three using SAML federation and two using password vaulting and forwarding; support for identity-provider-initiated federated SSO to your service, based on an Active Directory authentication; and service-provider-initiated redirect authentication for an externally located user who connects to SaaS first, and to support authentication against your service and corporate Active Directory.

■ Reporting for all administrative and access events.

We requested pricing for two variants. Scenario 1 included support of the above requirements for 1,000 internal users. Scenario 2 included support of the above requirements for 10,000 users, and with the added requirement that 5,000 of those users be provided with SMS or voice-based OTP authentication. Here are the results:

■ The average three-year cost of the 1,000-user scenario was $144,216.

■ The average three-year cost of the 10,000-user scenario was $611,269.

In both scenarios, vendors that had significant gaps in the required functionality were removed from the average calculation, as were the high pricing and low pricing that were significantly out of line with the other vendors' pricing.

Scenario 3: 100,000-User Consumer-Facing and Business-Facing Implementation

■ 100,000 external consumers (50,000 individual consumer users and 50,000 business partners' users from 100 companies).

■ Average usage: Once per month per user.

■ Endpoints: Any endpoint with a Web browser from any location.

■ Access to three internal on-premises Web applications, and two SaaS applications.

■ Identity data for the on-premises applications to consume will be held in an on-premises LDAP-exposed directory.

■ Self-service user administration and password reset.

■ Delegated user administration for business partner administrators to serve their own users. Administrators can grant or deny user access to any of the five applications.

■ Automated user provisioning to any approved application, with the assumption that all targets have a provisioning API available, and that the vendor has not yet created a connector for any of these applications.

■ User authentication and SSO for all users to all applications.

■ Acceptance of Facebook and LinkedIn identities for initial consumer registration, account linking, and subsequent login to the service, and also subsequent SSO to a customer's applications.

■ Five of the largest business partners must have support for federated authentication to your applications using SAML, and be based on user authentication at the business partner's internal identity provider.

■ Reporting for all administration and access events.

There was wide variance in the pricing for this scenario. However, there also was wide disparity between two groups of vendors. There was one group of seven vendors that could deliver the functionality for an average price of $307,423. The other higher-priced group of seven vendors averaged a price of $1,610,575. Pricing for consumer-facing implementations is in its early days, and vendors are at various stages of maturity in responding realistically to these requests from customers.

In all cases, clients are strongly encouraged to understand their own total costs of ownership for managing the same IAM functions in-house, so that these costs can be compared with IDaaS pricing. Gartner also collected pricing data for other scenarios, including those requiring more in-depth IGA functionality and legacy on-premises application support. Pricing was highly variable for these implementations. Clients interested in these scenarios should contact Gartner for more information.

Trends

What key trends are shaping the IDaaS market, and how will the market evolve?

Acquisitions and IaaS and PaaS Vendor Momentum Are Changing the Competitive Forces in the Market

Microsoft made Azure Active Directory Premium generally available in May 2014. Since that time, Microsoft's sales organization has been very active in its customer base, and has been offering Azure Active Directory Premium during renewals and as augmentations to existing contracts. Microsoft also has the extensive and rapidly growing Office 365 customer base to sell to. To paraphrase multiple Gartner clients, Microsoft is selling on the idea that, "You already have your organization's identities in Azure Active Directory for Office 365 or other Azure services. Why not take advantage of the broader feature set of Premium?" Other Web-centric IDaaS vendors are now repeatedly identifying Microsoft as the vendor that is "showing up" most often in competitive situations.

Salesforce became more active in the IDaaS market in 2014 and early 2015. It also makes the case to its extensive customer base that IDaaS is built into the Salesforce platform, and therefore, is easy to take advantage of. The vendor currently offers Salesforce Identity free to licensed users of Salesforce products; this has helped it to build continued loyalty to the platform, and opened up opportunities to sell Salesforce Identity to nonlicensed users.


In 2014, IBM acquired Lighthouse Security Group, which provided a relatively full-featured IDaaS that was underpinned by IBM's software, and IBM was Lighthouse's key partner. Therefore, the acquisition was highly synergistic, and it was the latest of three IAM acquisitions by IBM; the others were Trusteer (Web fraud detection) and CrossIdeas (IGA). IBM already has an extensive service arm and the SoftLayer IaaS. IBM is now poised to deliver deep IDaaS functionality to the broader market.

RSA acquired the intellectual property of Symplified and hired some of its employees. In April 2015, RSA announced Via, its rebranded IDaaS offering that features access management as well as user administration and identity governance functionality, which was originally obtained from the Aveksa acquisition.

Intermedia, a provider of hosted Microsoft products and unified communications services, acquired IDaaS vendor SaaSID in 2013. Intermedia has incorporated the acquired functionality into AppID, a service that can be purchased stand-alone or with other Intermedia services.

In "Microsoft and Salesforce.com Make Waves in the IDaaS Pool," we predicted that, "By 2019, 40% of IDaaS revenue will accrue to PaaS vendors, up from less than 5% in 2014." The acquisitions and competitive strategies highlighted above continue to support this prediction. Furthermore, the incorporation of IDaaS into PaaS offerings exerts a considerable commoditization force on the Web-centric IDaaS markets. While there is plenty of business to go around, and stand-alone IDaaS players aren't in immediate danger of extinction, these vendors will need to continue finding ways to differentiate themselves in this highly competitive market.

Web-Centric IDaaS Leads the Market in Terms of Customer Acquisition

Web-centric IDaaS vendors continue to make solid gains in the market. Gartner estimates that 85% of client interactions on the topic of IDaaS indicate a need for Web-centric solutions to support B2E SaaS target system integration and consumer-facing use cases. Ten percent of interactions indicate a need for more full-featured B2E IDaaS with legacy on-premises application support and IGA needs. Five percent of interactions indicate specialized needs for B2B Web-centric requirements, such as those needed by SaaS providers to serve their customers, or hub-and-spoke configurations to support collaboration and supply chain requirements.

As Web-centric vendors have moved upmarket, they find that larger organizations tend to have existing IAM software solutions in place. These prospects, which may wish to extend their current implementations with IDaaS, or which are hoping to replace their on-premises solutions, tend to have needs for deeper IGA functionality than the Web-centric vendors typically provide. These prospects also tend to require customization and integration with legacy architected systems as well as a variety of directories and databases. This is forcing shallow-function, Web-centric IDaaS vendors to add deeper functionality and integration capabilities to their roadmaps. Web-centric vendors have begun to develop these features, such as multilevel access approval workflow and access certification, but, mostly, they have not been delivered to the market yet.

Conversely, the IDaaS vendors with deeper IAM functionality and integration capabilities tend toward implementations that are larger and more complex, and they do not have their offerings price-tuned for rapid handling of the down-market Web-centric use cases. These vendors will need to provide a streamlined, rapidly deployable offering for these use cases if they wish to gain a piece of the SMB market.

Mobile Support Continues to Improve

IDaaS vendors' native mobile application support remains a frontier capability, particularly for authentication and SSO. Most IDaaS vendors support a portal-like interface on mobile devices for Web applications that are under IDaaS management. IDaaS vendors' support for customers' and third-party native apps is nascent. IDaaS vendors began supporting customers' mobile apps by offering SDKs. Customers can develop their apps using the IDaaS vendor's SDK, which will provide authentication to the IDaaS vendor's service. However, this is generally a proprietary approach that would require some rework, should the customer switch IDaaS vendors.

Centrify provides this approach, but it also supports a containerization approach, and provides MDM features as part of its offering. Okta released Okta Mobility Management in 2014, and it includes MDM features. The product also includes Mobile Connect, which provides SSO for native mobile apps using SAML.

Some vendors are choosing to support OpenID Connect NAPPS. The OpenID Foundation NAPPS continues to develop a standards-based approach to supporting authentication and SSO for multiple native apps. Ping Identity and OneLogin have been heavily involved in the evolution of the NAPPS specifications. The work is moving along slowly; however, if this working group is successful, then customers should have a standardized approach for getting authentication and SSO functions for native mobile apps; also, they should have easier portability for these apps in terms of switching IDaaS vendors, or even moving to on-premises access managers that support the standards. Containerization approaches will remain proprietary, but will offer customers security protections beyond authentication and SSO, such as data security, jailbreak detection and security policy enforcement.

IDaaS vendors are in various stages of maturity in providing API-based access to their services. We are also noting that several IDaaS vendors tout their services' directory integration with other sources of identity, such as Salesforce, Google, Microsoft and Workday.

Thus, IDaaS has a future of supporting traditional enterprise needs as well as service-to-service needs — for example, use cases wherein enterprise CRM systems call an IDaaS to create an identity, and then provision that identity to several systems within the enterprise and on SaaS applications (see "Provisioning User Accounts to Cloud Applications").

Several IAM functions will commoditize. SSO to Web applications is a commodity, and IGA and intelligence functions will take a bumpy and winding road to commoditization. User self-service access request and profile management, password reset, access approvals and account provisioning to Web-centric targets, and canned and customized reporting are on the way to commoditization. More advanced IGA and analytics features will take longer, or will remain as differentiators for some vendors. Clients should expect overall downward pricing pressure in the market for the next three years.


On-Premises Replacement

Wholesale replacement of traditional on-premises IAM software stacks, which are serving multiple use cases for large enterprises, has been relatively rare. These on-premises implementations are long-standing, tend to be well-staffed and have been deployed to support legacy architected systems — not just Web-architected and SaaS apps. Nevertheless, there are vendors that can support multiple use cases, have software with deep functionality that can be cloud-delivered, and are capable of replacing legacy on-premises IAM tools. These vendors have been conservatively building businesses to do these things, and more customers are starting to use these vendors. However, these kinds of deals are an order of magnitude less in number than the more popular and easy-to-deliver Web-centric IDaaS deals. Full-featured IDaaS implementations that support legacy applications can be deployed more rapidly, and can remove some of the complexity of traditional software deployments. Integration with legacy systems, multistep approval workflows, access certification, and other IGA functions that are prevalent in mature IAM implementations still take time to plan, design and implement, and they add costs to implementations. Decisions to outsource complex IAM implementations aren't made easily.

Therefore, enterprises that are considering a "build" or "extend" versus "outsource" decision should focus on two key areas.

1. Inhibitors to successful on-premises IAM adoption, or issues with the current implementation that would potentially be alleviated or circumvented by the move to IDaaS, such as:

■ Inappropriate staffing levels or skills

■ Organizational battles over duplicative IAM implementations obtained through mergers, acquisitions or independent organizational buying decisions

■ Insufficient planning prior to tool selection and implementation

■ Project scope creep

■ Poor operational efficiency by IAM, resulting in too much time taken for IAM functions

■ Poor operational effectiveness by IAM, resulting in audit findings for access violations

With the exception of inappropriate staffing levels or skills, these inhibitors will not be automatically removed by switching to IDaaS. There often are root causes for these inhibitors that have nothing to do with the delivery model for IAM, and these issues must be addressed with solid IAM program management and governance. IDaaS simply may help to go around the problems, or alleviate some of them.

2. Total cost of ownership. There is no free lunch. Clients that judge IDaaS to be too expensive may not have done their homework in terms of understanding the full costs of managing on-premises IAM. These costs include:

■ Fully burdened staff costs for implementers, operations staff members and a portion of the help desk personnel

■ Software investment costs and ongoing maintenance

■ Estimated patch and upgrade costs

■ Infrastructure and operations for resilient implementations and business continuity

See "Use Business Drivers and Cost Analysis to Make IDaaS Versus On-Premises Software Delivery Model Choices."

Market Overview

This Magic Quadrant underscores a market that is still in its early days and is largely driven by Web application use cases.

Competitive forces have increased due to PaaS vendors entering the market, and because of acquisitions by IBM and RSA. Salesforce and especially Microsoft are beginning to have profound effects on the market in terms of competition and downward price pressure. These also are the reasons why this Magic Quadrant features fewer Leaders and Challengers compared with the 2014 version.

The IDaaS market originally was fueled by SMBs that made SaaS the predominant application delivery model. Most of their applications already were in the cloud, and they preferred to buy rather than build infrastructure. In turn, SaaS applications became new identity silos, each with their own administration, authentication and event-logging capabilities.

IDaaS vendors can create connections one time to SaaS vendors for the purposes of authentication, SSO and account management (when SaaS vendors provide APIs to enable this). These connections can then be reused for new clients. This relieves the IDaaS customers of having to create these connections themselves. IDaaS vendors also can bridge to customers' on-premises identity and authentication services, and use data held or removed from there (such as directory group or organizational unit membership) to provision and deprovision accounts on SaaS targets. This automation saves customers the effort of manually provisioning and deprovisioning accounts, and also can help with avoiding orphaned and active accounts on SaaS that can leave enterprises vulnerable and paying for unused accounts.
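The brokered provisioning described above, as an added Python illustration that is not from the Gartner report or from any vendor's product: it reconciles one directory group's membership against the accounts held on a single SaaS target and produces the three outcomes the paragraph names, accounts to provision, accounts to deprovision, and orphaned accounts that no directory user owns any more. The group name, the users, the account list and the rule that membership in one group grants an account are all constructed assumptions.

```python
"""Added illustration (not from the Gartner report or any vendor): reconcile a
directory group's membership against the accounts held on a SaaS target, the way
an IDaaS broker decides what to provision and deprovision and which accounts are
orphaned. All users, groups and accounts below are constructed sample data."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class DirectoryUser:
    """A user as read from the customer's directory (e.g. Active Directory)."""
    upn: str
    enabled: bool
    groups: frozenset


@dataclass
class ReconciliationPlan:
    provision: list = field(default_factory=list)    # entitled, but no SaaS account yet
    deprovision: list = field(default_factory=list)  # known user, no longer entitled, account still active
    orphaned: list = field(default_factory=list)     # SaaS account with no matching directory user at all


# Assumed entitlement policy: membership in this one (constructed) group grants an account on the target.
ENTITLING_GROUP = "CN=App-CRM-Users,OU=Groups,DC=example,DC=com"


def is_entitled(user: DirectoryUser) -> bool:
    """A disabled directory account never entitles its owner to a SaaS account."""
    return user.enabled and ENTITLING_GROUP in user.groups


def reconcile(directory_users, saas_accounts):
    """directory_users: iterable of DirectoryUser; saas_accounts: {login: is_active}.
    Logins on the SaaS side are assumed to equal the directory UPN (a constructed convention)."""
    known = {u.upn for u in directory_users}
    wanted = {u.upn for u in directory_users if is_entitled(u)}
    plan = ReconciliationPlan()
    plan.provision = sorted(wanted - set(saas_accounts))
    for login, active in sorted(saas_accounts.items()):
        if login in wanted:
            continue                         # entitled and present: nothing to do
        if login not in known:
            plan.orphaned.append(login)      # flagged whether active or not: nobody in the directory owns it
        elif active:
            plan.deprovision.append(login)   # left the group or was disabled: revoke the SaaS account
    return plan


# Constructed sample directory: alice and dave are entitled; bob is not in the group; carol is disabled.
SAMPLE_DIRECTORY = [
    DirectoryUser("alice@example.com", True, frozenset({ENTITLING_GROUP})),
    DirectoryUser("bob@example.com", True, frozenset()),
    DirectoryUser("carol@example.com", False, frozenset({ENTITLING_GROUP})),
    DirectoryUser("dave@example.com", True, frozenset({ENTITLING_GROUP})),
]

# Constructed sample SaaS account list (login -> active). erin and frank no longer exist in the directory.
SAMPLE_SAAS_ACCOUNTS = {
    "alice@example.com": True,
    "bob@example.com": True,
    "carol@example.com": True,
    "erin@example.com": True,
    "frank@example.com": False,
}


if __name__ == "__main__":
    plan = reconcile(SAMPLE_DIRECTORY, SAMPLE_SAAS_ACCOUNTS)
    print("provision:  ", plan.provision)
    print("deprovision:", plan.deprovision)
    print("orphaned:   ", plan.orphaned)
```

The orphaned list is the one to review first: those accounts have no directory owner, so a disabled directory user or a departed employee cannot be the explanation, and each one is either a leftover to remove or a mapping error between directory identities and SaaS logins. A real broker would also carry the directory attributes needed for the target's provisioning API, but the decision logic is the same three-way split shown here.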

In the past few years, vendors with the ability to broker all the functions between enterprise users and SaaS have become appealing to organizations of all sizes. Cloud security and data residency concerns, however, often are key factors in evaluating IDaaS vendors. The growth of the IDaaS market has been driven by the following factors:

■ The need to instill IAM disciplines for managing identities for SaaS applications

■ The need to gain faster time to value over traditional on-premises software

■ The desire to avoid IAM implementation failures

■ The desire to reduce IAM talent costs in design, implementation and support


Gartner estimates that the market size for multifunction IDaaS at year-end 2014 was $283 million. We estimate that 2015 revenue will be approximately $400 million. The 2014 estimate does not include revenue from vendors that provide single-function IDaaS offerings — for example, authentication-as-a-service vendors. However, revenue from authentication-as-a-service vendors was believed to be approximately $480 million in 2014 — that is, 20% of a $2.4 billion user authentication market. Authentication as a service is a simple function to deliver, compared with multifunction IDaaS. Over the past few years, Web-centric IDaaS vendors have made solid gains at the lower ends of the market, supporting the employee-to-cloud use case. As these vendors have moved upmarket, they find that larger organizations tend to have IAM solutions in place, and have deeper IGA functionality needs than Web-centric vendors can provide. These prospects also require integration with legacy architected systems. This is forcing shallow-function, Web-centric IDaaS vendors to add deeper functionality and integration capabilities to their roadmaps. Conversely, IDaaS vendors with deeper IAM functionality and integration capabilities tend toward larger, complex implementations, and do not have price-tuned offerings for rapid handling of Web-centric use cases. These vendors will need to provide a streamlined, rapidly deployable offering for these use cases if they wish to gain a piece of the SMB market.

The employee-to-cloud use case drove growth in the early IDaaS market, and it still predominates. B2C use cases have grown in importance as organizations look to replace a mixture of custom-developed IAM products and traditional on-premises IAM products. Some larger organizations also are "peeling off" the part of their IAM needs that are served by IDaaS, even when they may own IGA and access tools that could be extended to the cloud. For this use case, IDaaS is being viewed as a quick win, and sometimes as a way to standardize a solution for one part of the enterprise IAM problem space.

(See the Context section above for a deeper analysis of market trends, a closer look at security and data residency concerns, and information on pricing.)

Gartner Recommended Reading

Some documents may not be available as part of your current Gartner subscription.

"How Markets and Vendors Are Evaluated in Gartner Magic Quadrants"

"Microsoft and Salesforce.com Make Waves in the IDaaS Pool"

"Use Business Drivers and Cost Analysis to Make IDaaS Versus On-Premises Software Delivery Model Choices"

"Magic Quadrant for Us