Magic Quadrant For Access Management: Strategic Planning Assumptions

16/09/2019 Gartner Reprint
Licensed for Distribution
Magic Quadrant for Access Management

Published 12 August 2019 - ID G00433910 - 67 min read
By Analysts Michael Kelley, Abhyuday Data, Henrique Teixeira
SaaS-delivered access management has become the norm, as has advanced user
authentication including MFA. AM vendors are maturing their approaches to session
management, contextual and adaptive access, and API protection, which will begin to
enable CARTA-aligned access management approaches.
Strategic Planning Assumptions

By 2022, 60% of access management (AM) implementations will leverage user and entity
behavior analytics (UEBA) capabilities and other controls to provide continuous authentication,
authorization and online fraud detection, up from less than 10% today.
By 2022, 60% of all single sign-on (SSO) transactions will leverage modern identity protocols like
SAML, OAuth2 and OIDC over proprietary approaches, up from 30% today.
By 2024, the use of multifactor authentication (MFA) for application access through AM
solutions will be leveraged for over 70% of all application access, up from 10% today.
Market Definition/Description
This document was revised on 14 August 2019. The document you are viewing is the corrected
version. For more information, see the Corrections
(http://www.gartner.com/technology/about/policies/current_corrections.jsp) page on
gartner.com.
Gartner defines the AM market as vendors providing solutions that use access control engines
to provide centralized authentication, SSO, session management and authorization enforcement
for target applications in multiple use cases (B2E, B2B and B2C). Adaptive and contextual
authentication are core elements, as is support for modern identity protocols such as SAML,
OAuth2 and OIDC.
AM vendors also include API and software development kit (SDK) capabilities for integrating
authentication and authorization into applications and services. Target applications may have
traditional web application architectures using web browsers and web application servers, or
they could be native or hybrid mobile applications, or these applications may run on things with
or without human operators. Protected target systems may include web application services or
APIs, and may run on customer’s premises or in the cloud.
https://www.gartner.com/doc/reprints?id=1-1OE2UNB6&ct=190814&st=sb 1/40
AM may also include the following functionality that are not core functions, but are maturing in
AM vendors offerings:
■ Basic user self-service identity administration, such as self-service registration and profile
management
■ Authentication and authorization of APIs (using OAuth/OIDC)
■ Password management
■ Basic identity synchronization to a set of target systems
■ Identity repository services
■ Social ID integration
Vendors often provide SSO using some combination of proxy and agent architectures, and using
standards-based identity federation. AM products and services may also support password
vaulting and forwarding for target nonstandard applications that are not well supported by proxy
or agent, or by federation standards. Gartner strongly recommends against using password
vaulting and forwarding due to the associated risks of potential password compromise; instead,
use standards-based federation when possible.
AM tools support a mix of built-in or bundled user authentication capabilities and allow for third
parties to integrate other authentication capabilities. AM vendors support session management
and, depending on the protocols used to allow for the initiation and termination of user
sessions, they also support reauthentication — step-up authentication — if policy and user,
device context and risk scores require it.
Built-in or bundled contextual and adaptive access capabilities have matured, as have the
inclusion of analytics capabilities that use repository-held data and contextual data to trigger
adaptive access policy decisions that can require trust elevation. These include requiring
additional user authentication methods or requiring a process to be completed such as
contacting a help center. AM vendors should also support bring your own identity (BYOI) — for
example, social identity integration for purposes of registration, profile establishment, account
linking (to established accounts) and user authentication,(see “Innovation Insight for
Decentralized and Blockchain Identity Services”).
AM Methods
ESSO
Enterprise SSO (ESSO), web access management (WAM) and federated identity management
(FIM) are all somewhat different approaches to AM, and have different strengths and
weaknesses. Enterprise SSO is a legacy approach used in a few verticals such as healthcare
and manufacturing with many legacy “thick” client applications. ESSO tools consist of agents
installed on Windows devices that intercept requests for logins and password change requests
from applications.
ESSO tools can be thought of as agent-based, password store-and-forward mechanisms, where

the authentication interaction remains between the user and the applications being accessed,
and actual credentials including passwords are being sent to the application.
The benefit of this approach is a basic SSO capability; the weakness of this approach is that
credentials are being exposed to all applications through store and forward mechanisms.
Compromise of those credentials exposes everything, and synchronization of credentials across
all applications is challenging. This approach also makes it difficult to impossible to centrally
control a session termination or to maintain ongoing visibility of a user session when things
change.
FIM
AM platforms that use modern identity protocols (SAML, OAuth2, OIDC, etc.) approach
application access from a different perspective. Federation using SAML, for example, provides
every application with a unique ticket, an assertion or a piece of signed data that does not
expose a user ID or password. One central authentication, using MFA when possible, can be
reused across applications without sharing or synchronizing credentials.
Interaction, from an authentication perspective, is only between the user and the identity
provider (IdP), meaning that, while the applications require authentication, they no longer
actively participate in authentication challenges. Rather, they accept the IdP’s assertion that the
user has been authenticated to an acceptable degree of confidence. Central control of logout
functionality remains a challenge for federation.
The weakness of this approach has been in SAM only scenarios, which have traditionally been
confined to web-based applications. These scenarios have struggled to provide federation to
web applications not structured to communicate via modern identity protocols, or thick clients,
which do not have a web or HTML interface. AM vendors supporting federation have been
addressing this scenario by expanding functionality using newer, API-driven mechanisms like
OIDC, and OAuth2. They have also adopted WAM-centric approaches with agents and identity-
aware proxies, which translate modern identity protocols into an interaction understood by the
target application.
WAM
Finally, WAM is a more traditional approach for SSO. Instead of using a distributed identity
infrastructure, which means that various components for federation can be located anywhere
and are securely bound by modern identity protocols and transactions, WAM approaches use an
integrated infrastructure method, including agents, proxies and proprietary approaches. WAM
implementations are typically offered as a suite of software installed in a data center, or within
infrastructure as a service (IaaS), with significant and complex support efforts required.
The trade-off between choosing a WAM solution as opposed to federation approaches is that
federation typically requires less infrastructure support efforts, and is ideal for companies with
a vision for a universal access platform. WAM approaches traditionally have provided more
control in terms of visibility of how applications are interacting with users.
But federated SSO vendors are adding new capabilities geared toward achieving a continuous
adaptive risk and trust assessment (CARTA)-aligned approach. UEBA; integration with cloud
access security brokers (CASBs), unified endpoint management (UEM), and web application
firewall (WAF) platforms; more granular session management capabilities; and controls to drive
session terminations and reauthentications are becoming available for responses to changing
dynamics of an authenticated session.
Pricing
To help illustrate a high-level perspective for vendor pricing, in the description for each vendor in
this Magic Quadrant, we comment on the pricing of individual products, using terms such as
“well above average,” “above average,” “average,” “below average” and “well below average.” The
average for a particular component refers to the average score for all vendors evaluated in this
research for a variety of different AM pricing scenarios.
Magic Quadrant
Figure 1. Magic Quadrant for Access Management
Source: Gartner (August 2019)
Vendor Strengths and Cautions

Atos (Evidian)
Evidian provides a traditional WAM product, Evidian WAM, and an enterprise SSO product
(Evidian Enterprise Access Management) for enterprise SSO, desktops and thick clients,
password management, and MFA. Both products are delivered as software and through
managed service provider (MSP) partners. Evidian has yet to introduce a SaaS-delivered AM
offering. The WAM product supports modern identity protocols through SAML and OIDC, and
provides basic capabilities for API protection with authentication and authorization functions
through OAuth 2.0. Session management functionality is also basic, providing global control
settings, but not supporting granular application-level controls, and Evidian also offers some
limited contextual and adaptive authentication methods. Evidian has partnered with Siemens to
develop Internet of Things (IoT) capabilities with its AM platform.
Product pricing tends to be uneven, depending on the complexity of AM scenarios, but its
average pricing for different AM scenarios is just around the market average.
Strengths
■ Evidian received one of the higher scores in the customer survey for customer experience due
to having a good customer service strategy and positive customer reviews.
■ Evidian can act as a reverse proxy for enabling nonstandard applications through credential
injection into HTTP headers.
■ The vendor has good sales and support coverage in Europe.
■ Evidian is working to solve “things” management, partnering with ENACT, a European

consortium, to apply IAM to IoT.
Cautions
■ Evidian lacks vision regarding several popular market trends, especially in relation to
microservices and DevOps.
■ Evidian lacks a SaaS-delivered AM product, and while this has been on its roadmap, no SaaS
offering is yet available today.
■ The vendor’s marketing strategy is centered around event participation only. Evidian is one of
the few vendors without a specific marketing campaign focusing on developers.
■ Geographically, Evidian has a limited presence in North America and the Asia/Pacific region.
Auth0
Auth0 offers an AM solution with a strong developer community heritage. There are four
versions of its IAM platform: Auth0 Free, Developer, Developer Pro and Enterprise. Auth0 is
delivered via a multitenant SaaS, or as a managed offering hosted in customer data centers or
on IaaS. Auth0 offers mature adaptive and contextual authentication as well as mature session
management functionality, including additional configurations for session timeouts for long-
lived sessions for supporting social media applications. Auth0 has a partnership with Amazon
Web Services (AWS), enabling it to be only one of two offerings that can be natively selected for
IAM services in AWS, alongside the AWS IAM platform, Amazon Cognito.
Auth0 pricing is below the market average value for almost all of the different AM scenarios.
Strengths
■ Auth0 takes a developer-focused approach to AM, and it is a very successful strategy for it
among developer communities. It has two developer-focused offerings to facilitate rapid
integration of applications.
■ Device authentication flow capabilities for input-constrained devices were recently launched
for use cases like media, consumer electronics, industrial and medical devices.
■ An extensive list of BYOI integrations — including the major social IdPs, enterprise and legal
identity providers, such as Swedish and Norwegian bank IDs, and the Dutch NetID — is
supported in the base product, which is helpful for CIAM use cases.
■ Auth0 offers features called Rules and Hooks to extend functionality and create chained rules
for more-complex scenarios for authentication.
Cautions
■ Very basic device-based contextual authentication signals exist in the Auth0 product; a UEM
integration will be required for companies that wish to leverage device-specific information.
■ The platform logs access event data, but reporting and analytics functionality are minimal.
The vendor provides methods for getting log data to third-party analytics platforms.
■ Due to its focus on the developer community, non-developer-focused IAM teams will find
workforce AM (B2E) implementations more complex, particularly for SaaS application
enablement, compared to competitors that take more of a configuration-based approach.
■ Auth0 does not fully support the Second Payment Services Directive (PSD2), and its list of
preintegrated SaaS applications for customers is extremely limited, with only a dozen or so
available.
Broadcom (CA Technologies)

CA Technologies (which was acquired last year by Broadcom), offers a WAM-based AM
platform called Layer7 SiteMinder (formerly CA SSO). Layer7 SiteMinder is a software-delivered
platform; Broadcom has no SaaS-delivered capability for AM. Layer7 SiteMinder supports the
use of API interfaces for basic authentication and authorization, and supports modern identity
protocols for modern authentication. Broadcom can combine DeviceDNA, which supports
continuous validation of the endpoint involved with the session, with session management
controls to achieve a basic continuous authorization model. Broadcom has rolled out a portfolio
license product (PLA) that, for one price, gives clients unlimited access to all IAM products,
including AM, privileged access management (PAM), and identity governance and
administration (IGA).
Pricing is very competitive, with quotes for pricing scenarios below the average for the market
as a whole.
Strengths
■ Broadcom/CA has redirected its marketing strategy to only its existing 1,000 largest clients,
creating custom landing pages for each. This could help existing customers in that segment
to successfully adopt the Layer7 SiteMinder product.
■ Broadcom/CA still has a significant customer base with its software-delivered AM products,
giving it opportunities to expand its market from a strong base.
■ Broadcom/CA has IAM and security capabilities that can be leveraged through additional
integrations with the AM product.
■ Broadcom/CA rated high for geographic strategy, and it has good support coverage for all
markets, including North America, Europe and Asia/Pacific region, with strong language
support for global customers.
Cautions
■ Broadcom/CA received the lowest score for the customer experience category among all the
vendors evaluated in this research. Its customer reference scores were also the lowest of all
vendors.
■ The branding strategy for reflecting Broadcom’s acquisition of CA to the market has been
inadequate. This ambiguity in messaging creates confusion regarding how Broadcom can
help new customers solve AM problems. Also, Broadcom/CA was one of the few vendors
without a specific marketing campaign focusing on developers.
■ Broadcom/CA has dropped its SaaS-delivered AM solution, and its product remained
architecturally unchanged since last year’s evaluation. This impacted scoring in market
responsiveness, resulting in one of the lowest scores among all vendors.
■ Broadcom/CA divested CA’s professional services team to HCL Technologies.
ForgeRock
ForgeRock delivers the ForgeRock Identity Platform; this platform consists of multiple modules,
including ForgeRock Access Management, ForgeRock Directory, ForgeRock Customer
Experience and others, which can be combined or purchased separately. ForgeRock delivers its
AM service through software; there is not currently a SaaS alternative for its workforce AM
solution, although there are two ForgeRock components, ForgeRock Identity Cloud (CIAM) and
Open Banking, that are available through SaaS. ForgeRock has good session management
capabilities and extensive adaptive and contextual authentication capabilities. The vendor has a
unique capability in support of the open banking movement, providing a SaaS-based solution
called the Open Banking Sandbox where, in support of banks in the EU and U.K. meeting
regulatory requirements, secure APIs are exposed for banking transactions.
The vendor’s pricing falls in line with the market average for different AM scenarios.
Strengths
■ This year, ForgeRock introduced a SaaS-delivered offering for a DIY “kit” (code, configurations
and reference architectures) for helping customers to comply with open banking regulations
like Open Banking in the U.K., and BerlinGroup and PSD2 in Europe.
■ ForgeRock has one of the strongest IoT offerings in the market, and has expanded its
extensive capabilities for supporting AM solutions in IoT use cases.
■ Combined with session management, ForgeRock’s graphical configuration feature,

“authentication trees,” can facilitate some elements of continuous authentication and
authorization functionality.
■ ForgeRock is active in defining authentication and authorization standards and, as such,

supports all open federation standards, SAML, OIDC and even user-managed access (UMA).
Cautions
■ ForgeRock lacks a SaaS-delivered offering for workforce (B2E) AM.
■ While ForgeRock has extensive experience with IoT use cases, those scenarios are only
supported by the software-delivered version of ForgeRock Identity Platform.
■ ForgeRock’s SaaS offering is limited in approach compared to the market. Currently, only two
offerings are available as SaaS — Express Edition and Open Banking — which are CIAM-
focused.
■ ForgeRock lacks extensive global and regional BYOI (social ID) network options; this is a key
capability for CIAM use cases.
IBM
IBM offers two options for AM services: a mature software-delivered AM product called IBM
Security Access Manager (ISAM) and a SaaS-delivered AM product called Cloud Identity. Both
provide core AM capabilities. ISAM is a traditional WAM product, providing proprietary SSO for
internal and nonstandard applications, while the Cloud Identity platform provides a modern-
identity-protocol-based approach to AM for SaaS and internal applications. IBM has an
extensive library of IAM and security capabilities that can be leveraged through additional
integrations with the AM products. The ISAM platform offers granular controls for session
management, while Cloud Identity only offers basic functionality. IBM has driven innovation with
its commitment to public blockchain infrastructure, leading to its work with decentralized
identity standards, and the IBM Blockchain Trusted Identity product for identity proofing.
The pricing for IBM products falls just above average for all AM scenarios.
Strengths
■ IBM has experience in providing B2E, B2B and B2C AM implementations with anti-fraud
integration.
■ Besides integrations with third parties, IBM offers integrations for adjacent technologies
within its own portfolio, including IBM Trusteer for online fraud detection and prevention, and
API Connect and DataPower for full API life cycle management. Endpoint contextual data can
be provided through the UEM product, MaaS360 with Watson.
■ IBM has extensive global sales, support and service capabilities, as well as solid regional
language support, making it a good option for global customers.
■ Clients have highlighted the products’ stability and flexibility.
Cautions
■ IBM’s approach to B2C compliance with regulations such as the General Data Protection
Regulation (GDPR) is largely addressed only via APIs that require significant amounts of
custom coding development.
■ The ISAM platform has the most extensive AM capabilities when compared to the SaaS
offering. IBM will need to continue investment in and commitment to SaaS-delivered AM.
■ Complex use cases will require additional capabilities in the software-delivered ISAM product
that are not supported by the SaaS version (for example, extensible authentication and
identity proofing frameworks).
■ Clients and customers have consistently cited complexity as a key concern for the AM
product.
Idaptive
Idaptive is a new company created through a divestiture from Centrify (see the Vendors Added
and Dropped section). Idaptive offers Idaptive Application Services as a SaaS-delivered AM
solution that delivers core AM features, but also includes a basic enterprise endpoint
management (EMM) solution, and additional factors for authentication and authorization,
through the endpoint. The Idaptive AM platform offers a good set of adaptive and contextual
authentication controls, and a competitive set of session management capabilities compared to
other vendors. Idaptive session management can support periodic checks of contextual factors
to force a reauthentication if factors have changed. The vendor has partnered with Palo Alto
Networks for threat intelligence based on network-based attacks.
The acquisition of Centrify by Thoma Bravo and the subsequent spinoff of Idaptive have been
disruptive, with uneven pricing scenarios reported mostly above industry averages. Clients are
advised to ask for clarity on product roadmaps for the next two years.
Strengths
■ Idaptive offers a capability called Brokered Authentication, which abstracts authentication

across multiple directories in support of remote and cloud users that don’t log in
conventionally to Active Directory (AD).
■ The vendor provides a software-delivered reverse proxy called the App Gateway service to
integrate applications that don’t support modern identity protocols.
■ The Idaptive EMM provides a series of controls that allow Idaptive to use contextual factors
related to endpoint devices.
■ Idaptive MFA offers a basic UEBA capability that applies machine learning to create risk
scoring based on user behavior.
Cautions
■ Idaptive’s API protection capabilities are basic, lacking advanced functionality like support for
malicious content detection and validation, content encryption, and proprietary token
translation found in other AM product offerings
■ It is unclear how the divestiture from Centrify will affect Idaptive’s AM services; customers
should be clear in communicating their requirements and in gaining an understanding of how
the vendor can meet them.
■ Idaptive does not natively offer a capability for fine-grained authorization in the AM platform.
■ Idaptive Application Services provides only very basic EMM services; for fully capable EMM
controls, customers will need to add the Idaptive Endpoint Services package.
Micro Focus
Micro Focus offers NetIQ Access Manager as software and as a service (IaaS). Micro Focus
provides access to an extensive portfolio of IAM platforms for extending the capabilities of
NetIQ Access Manager, from IGA to PAM. Micro Focus has strong adaptive and contextual
authentication features and leverages a reverse proxy for integrating nonstandard applications.
Micro Focus offers granular session management controls, even offering a rudimentary
continuous authentication capability. In 2019, Micro Focus acquired Interset, whose software
applies machine learning and UEBA for threat detection. Micro Focus has announced its
intention to integrate Interset UEBA capabilities into its IAM products, including NetIQ Access
Manager.
The vendor’s pricing falls in line with the market average for different AM scenarios.
Strengths
■ NetIQ Access Manager offers a good API management capability within its own portfolio.
■ Micro Focus has a decentralized identities approach via integrations with Micro Focus Global
Product Authentication Service (GPAS), a cloud-based identity and authentication service that
leverages decentralized identity infrastructure.
■ Micro Focus includes an LDAP-based directory, eDirectory, for identity data with NetIQ Access
Manager.
■ The vendor bundles a basic CASB solution with its product, but also supports integration with
other leading CASB products to add monitoring and control of intended, or unintended,
misuse of SaaS applications beyond just providing authentication to the services.
Cautions
■ Micro Focus lacks a SaaS-delivered AM product, while some components follow a SaaS
delivery model (the product Micro Focus calls SaaS). NetIQ Access Manager is more
accurately defined as an IaaS-hosted model, meaning it hosts servers running AM software
for customers to manage.
■ Micro Focus provides a very limited catalog for preintegrated applications, containing only a
few hundred compared to thousands for other vendors.
■ The software-delivered NetIQ Access Manager can offer role- and attribute-based
authorization mechanisms for access to applications through integration with NetIQ IGA, but
this integration is not available for NetIQ Access Manager.
■ While a wide range of user authentication mechanisms are available, many are not included in
NetIQ Access Manager and require the purchase of additional licensing for the Advanced
Authentication package.
Microsoft
Microsoft offers AM through Azure Active Directory (Azure AD) Premium and Azure AD B2C. All
AM solutions from Microsoft through Azure are offered as a multitenant SaaS platform.
Microsoft still supports ADFS, the Active Directory-based IdP, but newer functionality is being
offered through the Azure IdP, including a catalog with preintegrated SaaS applications.
Although Azure AD is a SaaS application, many companies continue to leverage software-
delivered components like ADFS and Azure AD Connect for core AM functionality. Azure AD
offers very strong adaptive and contextual authentication through conditional access rules, and
offers an extensive assortment of user authentication mechanisms. Session management is the
least mature of any offering reviewed, with only a global session lifetime available to Azure
users. Microsoft’s Intelligent Security Graph is a promising risk-scoring mechanism that
generates risk scores for users accessing any Microsoft platform, which can then be leveraged
to make authentication and authorization decisions by Azure.
Microsoft products’ list prices are priced above average, sometimes well above average, for a
series of pricing scenarios.
Strengths
■ Microsoft has achieved one of the highest scores for market understanding and customer
experience.
■ Microsoft has led innovation in the market in several areas, including the push to eliminate
passwords and the drive to decentralize identity for CIAM use cases.
■ Microsoft includes core AM functionality as well as conditional access and MFA features for
all Office 365 customers with Azure AD.
■ Many organizations have struggled with the impact of mergers, acquisitions and divestitures
on management of identities in the Microsoft tenant. Microsoft is leveraging a “merger and
acquisitions as a service” offering using Azure AD Sync solutions for a growing segment of
the enterprise customer base. This service includes everything required to address merger
and acquisition scenarios, with no migration costs or costly long-term contracts.
Cautions
■ While many competitors have added proxies and other capabilities for nonstandard
application enablement, Microsoft still requires partnerships with third parties like Ping
Identity for HTTP headers-based authentication and other nonstandard application scenarios.
■ Microsoft is continuing to quickly add market share for Azure AD Premium due to it being a
requirement for Office 365. However, many customers are opting to purchase a separate AM
platform due to the gaps in functionality for support of nonstandard applications.
Nonstandard applications supported by the Microsoft Application proxy are limited to
integrated Windows Authentication and Kerberos Constrained Delegation.
■ Microsoft licensing is extremely complex, and because features are bundled in layers,
customers that may desire one or two features in the higher license level are forced to buy
licenses that they may not fully use.
■ Microsoft B2B and B2C use cases are still relatively immature.
Okta
Okta provides a SaaS-delivered AM solution, including two base products: Okta Single Sign-On
and Okta Adaptive Single Sign-On. Add-ons include Universal Directory, Adaptive Multi-Factor
Authentication and API Access Management. Okta has grown substantially in the past year,
taking a larger share of the CIAM market, a quickly growing segment of AM. Okta addressed a
gap from last year by adding a reverse proxy capability to help integrate nonstandard
applications. Okta has extensive adaptive and contextual authentication, and its session
management capability, while not extensive enough to support a continuous authentication
approach, is adequate for most use cases. In the past year, Okta has developed a capability
called ThreatInsight, which correlates data from all Okta logins across the Okta environment for
an extensive collection of threat intelligence for the AM platform.
Although Okta is one of the most frequently discussed solutions in the AM market, per Gartner
client inquiry statistics, the pricing for different AM scenarios is well above the market average.
Strengths
■ Okta received the highest score for the customer experience category. Customer comments
widely complement the product’s ease of deployment and use.
■ In Gartner analysis, Okta ranked very high for its market responsiveness and track record.
This past year saw several key acquisitions and announcements of improvements in the
vendor’s portfolio, like Okta Access Gateway for protecting legacy on-premises applications,
addressing an important requirement for hybrid cloud and on-premises protection scenarios.
■ Okta developed a capability called Okta Hooks that allows it to provide extensibility in
authentication and authorization flows, to accommodate new requests and use cases.
■ Okta’s approach to using contextual and adaptive authentication, along with a basic UEBA
capability, is being used to achieve passwordless authentication.
Cautions
■ IoT support is very basic, and social identity integration is limited to Microsoft, LinkedIn,
Google and Facebook out-of-the-box.
■ The Okta Access Gateway reverse proxy announcement is still very recent, and is not yet
available to all customers. In addition, its capabilities and scalability have yet to be proven on
a global scale.
■ Okta is typically the highest-priced alternative in customers’ analysis; customers complain

about the price of licensing, and the quality of postsales support.
■ While OAuth 2.0 protects API interactions for authentication and authorization, the API
protection capabilities of Okta are less mature than expected, lacking support for malicious
content detection, content encryption, proprietary token translation and API denial-of-service
protection, among others.
OneLogin
OneLogin provides the Unified Access Management platform that bundles directory services,
authentication, MFA, authorization and life cycle management. The OneLogin product is SaaS-
delivered, with some software-delivered components that extend functionality. For example, a
OneLogin endpoint agent, OneLogin Desktop, can provide passwordless logins through an
endpoint certificate. OneLogin provides adaptive and contextual authentication, but user
authentication methods and endpoint context factors are less extensive than others in the
market. Session management provides granular controls, but nothing exists yet for continuous
authentication controls. OneLogin provides a good capability for nonstandard application
enablement through agents and/or a reverse proxy capability.
As analyzed, the pricing of OneLogin products for different AM scenarios is above the industry
averages.
Strengths
■ Customers consistently praise OneLogin for its ease of implementation, integration and
usage.
■ OneLogin achieved an impressive increase in its global partner portfolio, which will lead to
more customers resulting from partner relationships, if managed well.
■ Larger clients may benefit from OneLogin’s increased focus on enterprise accounts versus
midsize enterprises, which were the focus in the past.
■ OneLogin bundles its product offering, which provides customers an extensive selection of
AM features and functionality natively supported in the product.
Cautions
■ No API protection capabilities are included in the product, not even basic ones. There are
roadmap plans for an API authorization product (in 2Q19).
■ The MFA platform does not support key features like fingerprint and other active and passive
biometrics.
■ Although an endpoint agent exists, many key endpoint data points, which would be helpful in
contextual authentication, are missing.
■ OneLogin has communicated no clear plans for integration with third-party identity proofing
solutions.
Optimal IdM
Optimal IdM has a unique approach to AM — it offers a product that is a full-service offering for
customers requiring high levels of customization and/or a desire to outsource AM operations.
The Optimal IDM product used by the great majority of its customers, Optimal Cloud, is a single-
tenant SaaS solution. Customers can have Optimal IdM create highly customized IAM
implementations that include directory services, authentication and authorization for
applications. Optimal IdM offers adaptive and contextual authentication, but does not have
UEBA capabilities or established partners for providing these types of capabilities. Optimal IdM
offers basic API protection capabilities and session management is granular, with global and
application-level controls. Optimal has added partnerships for added behavioral biometric
authentication with vendors like TypingDNA, which uses typing patterns to authenticate and
identify users.
Optimal IDM AM pricing is above the industry averages; however, the vendor primarily uses a flat
fee pricing model for its services that is tenant-based — not user- or transaction-based — which
may be beneficial for larger customers.
Strengths
■ Optimal IdM provides a virtual directory for clients, which does not synchronize identity data,
but instead references identity data in source directories in real time.
■ Given Optimal IdM’s business model of providing more comprehensive services to a smaller
number of customers, it can provide clients with direct access to its engineers and a more
individualized experience for each organization.
■ The single-tenant cloud model allows for a higher level of privacy, customizability and
flexibility.
■ Organizations that want to outsource core IAM support and have a heavy need for
customization are also a good fit for the Optimal IdM model.
Cautions
■ Optimal IdM received one of the lowest scores for the customer experience category among
all vendors evaluated. There are very few published success references and reference stories
for the vendor.
■ Support for nonstandard applications is limited to an IIS-based agent, with no proxy server
available for credential injection.
■ Optimal IdM promotes a single-tenant option for its SaaS delivery model. Where Gartner sees
a clear trend of vendors and clients adopting more services from multitenant vendors,
Optimal IdM has chosen to focus on a shrinking target market, which will eventually affect its
growth and stability.
■ Optimal IdM’s understanding of the IAM market continues to lack in areas such as potential
use cases for IAM protection of multicloud environments, anti-fraud and API protection.
Oracle
Oracle provides several solutions for AM services. Its software delivered AM offering, Oracle
Access Manager (OAM), provides proprietary WAM-based SSO with core AM functionality.
Oracle Identity Cloud Services (IDCS) is a SaaS-based AM platform that offers standards-based
SSO and core AM functionality, including good OIDC and OAuth functionality, and it has not yet
achieved feature parity with OAM. Both platforms offer mature adaptive and contextual
authentication, with OAM generally having a more extensive capability compared to IDCS. OAM
session management capabilities are mature, with application-level controls, while IDCS is
limited to global session controls. Yet IDCS offers UEBA capabilities not found in OAM through
integration with the Oracle CASB Cloud Service and other partners.
Pricing is below the industry average — in some cases, well below — for a series of pricing
scenarios evaluated by Gartner.
Strengths
■ Oracle plans to add a WAF at no additional cost for its IDCS customers to provide additional
security features and the ability to extend WAF protection for multicloud environments.
■ IDCS offers above-average API protection capabilities, and also can be extended with full API
life cycle management integration through Oracle’s own portfolio or third-party providers.
■ Oracle’s strategy of including IDCS with other Oracle Cloud product offerings will benefit
Oracle customers that are also in the market for an AM solution. For example, Oracle Human
Capital Management (HCM) clients can leverage synergies of out-of-the-box capabilities
enabled by the two products when used together.
■ Oracle has a bring your own license (BYOL) program that allows existing customers to
convert support fees paid for software-delivered AM products into reduced subscription
costs for IDCS, easing the migration path for customers upgrading from OAM to IDCS.
Cautions
■ Gartner Peer Insight reviews about Oracle were less favorable than the provided customer
reference scores. In fact, Peer Insight scores for Oracle were the lowest among all vendors in
this research, with the most common complaint being the complexity to implement OAM.
■ Oracle has adopted poor identity proofing/anti-fraud strategies for its legacy Oracle AM
product, which still relies on knowledge-based authentication (KBA). External anti-fraud
integrations are possible, but are not available out of the box and require customization.
■ While IDCS indicates a commitment from Oracle to SaaS-delivered AM capabilities, existing

Oracle OAM customers participating in inquiries with Gartner are looking to upgrade to
competing platforms, with very rare mentions of IDCS.
■ Only basic API protection capabilities exist in OAM; advanced capabilities require the addition
of the Oracle API Platform Cloud.
Ping Identity
Ping Identity offers several AM platforms: PingFederate and PingAccess are components of a
software-delivered AM platform, and PingOne for Enterprise, along with PingID and the new
PingOne for Customers, provides AM capabilities in a SaaS-delivered package. As with other
vendors with a mature software-delivered capability, the SaaS offering has not completely
achieved feature parity with that capability. PingFederate has granular session management
capabilities, and PingOne for Enterprise only supports a global timeout. Coupled with
PingAccess, visibility of user activity is maintained throughout the session. Both platforms
support mature adaptive and contextual authentication, and Ping continued to build on its API
protection capabilities with the introduction of PingIntelligence for APIs, a machine learning
capability for API protection designed to prevent many kinds of attacks. When coupled with
PingAccess, and PingDataGovernance, Ping supplies advanced capabilities in context-aware
authorization, and API and data security.
Product pricing can be uneven depending on the complexity of AM scenarios, ranging from low
to very high, but the vendor’s average pricing for different AM scenarios is just below the market
average.
Strengths
■ Ping has presented several updates to its AM functionality, including an extended partnership
with Microsoft by offering its own products within Azure AD Premium. Ping also offers
standard methods for authentication with Azure AD Connect and ADFS, receiving one of the
highest scores in terms of market responsiveness and track record.
■ A new release of a dedicated CIAM product (PingOne for Customers) provides a developer-
friendly, API-oriented platform that was missing in Ping’s portfolio. Also, acquisition of Elastic
Beam, now PingIntelligence for APIs, will provide new options for API protection to Ping’s
clients’ multicloud and serverless environments.
■ Customers comment positively about the product’s flexibility, ease of deployment and
integration.
■ Ping is heavily involved in standards development for modern authentication and works with
key partners to lead several industrywide initiatives for progressing modern identity protocols
in AM.
Cautions
■ Some customers complain about the GUI not being very easy to use.
■ PingOne for Customers is a relatively new offering (GA in 4Q18) and does not include support
for regulation compliance or consent management, and provides only limited support for
BYOI (requires integration with on-premises bridge).
■ While API protection capabilities are mature, neither PingOne for Enterprise nor PingFederate
offer anything beyond basic functionality for full API protection; customers will also need
PingAccess or PingIntelligence for full API protection.
■ SaaS offerings continue to lag behind the software platform in feature parity.
SecureAuth
SecureAuth provides a software-delivered AM product called SecureAuth Identity Platform. This
capability is built around a hardened virtual appliance that can be hosted in a customer data
center or in AWS, with additional functionality like MFA provided from the SecureAuth cloud. The
SecureAuth Identity Platform has a very strong adaptive and contextual authentication
capability, as well as an extensive set of user authentication capabilities. Session management
settings are defined globally, per realm. SecureAuth has a native UEBA capability. While this
capability can detect many kinds of attacker activity, it is currently unable to be leveraged with
session management controls for visibility of changes within user sessions to drive additional
authentication or authorization actions when required. This year, SecureAuth divested Core
Security, an IGA and security tool company it acquired just 18 months ago.
The vendor’s pricing is competitive; pricing for different scenarios is generally around the
market average.
Strengths
■ As noted above, the adaptive and contextual authentication capabilities of the SecureAuth
platform are the strongest and most mature for all AM vendors reviewed. In addition,
SecureAuth Identity Platform offers an extensive list of authentication methods for MFA.
■ SecureAuth offers basic UEBA capabilities in the SecureAuth Identity Platform.
■ Customers like the product’s flexibility and broad integration options.
■ SecureAuth has added the SecureAuth Access Gateway for integration of nonstandard
applications.
Cautions
■ SecureAuth has incomplete API protection capabilities. Standard API protection requirements
such as authentication, authorization and token translation functionality to protect APIs
require integration with an external API gateway (provided by a third party).
■ SecureAuth does not provide a true SaaS-delivered AM product. Its product is more
accurately described as an IaaS-hosted model.
■ Some customers comment about product complexity, especially when configuring and
managing “realms,” a collection of policies assigned to a single application or group of
applications.
■ SecureAuth’s strategy for addressing emerging AM use cases like IoT and BYOI lags behind
its competitors.
Vendors Added and Dropped

We review and adjust our inclusion criteria for Magic Quadrants as markets change. As a result
of these adjustments, the mix of vendors in any Magic Quadrant may change over time. A
vendor’s appearance in a Magic Quadrant one year and not the next does not necessarily
indicate that we have changed our opinion of that vendor. It may be a reflection of a change in
the market and, therefore, changed evaluation criteria, or of a change of focus by that vendor.
Added
Although there are more vendors now providing AM services, none were able to meet our
inclusion criteria, and so none were added. We have included some vendors in our Honorable
Mentions section, both for traditional AM and those that provide only CIAM, products. There
was a change for one vendor: Centrify, previously a provider of both AM and PAM software, and
included in the 2018 Access Management Magic Quadrant, has split into two organizations. The
name “Centrify” has become the brand for the PAM products, and the previous AM products
have been migrated to a new company, Idaptive.
Dropped
As noted above, Centrify will no longer be a part of the Magic Quadrant, due to its exclusive
focus on PAM. In addition, i-Sprint Innovations AM services have been dropped, i-Sprint
Innovations continues to provide software providing AM capabilities, but did not meet our
inclusion criteria this year for global marketing and support capabilities.
Inclusion and Exclusion Criteria

The following inclusion criteria applies to this Magic Quadrant:
■ Vendors must have had 600 or more current AM customers as of 31 December 2018. Those
customers must be discrete AM customer organizations — not customers for other products
— that had their own contracts with the vendor. Free or “freemium,” nonpaying customers
could not be included in customer totals.
■ Vendors must have substantial customer numbers and adequate delivery and support
capabilities in these major markets: North and South America; Europe, the Middle East and
Africa (EMEA); and the Asia/Pacific (APAC) region.
■ Vendors must have marketed and sold products and services in 2018 to support all major use
cases (B2E, B2C and B2B). Substantial customer numbers for each use case were required.
For example, CIAM solutions that are only or mostly marketed to support only B2C use cases
were excluded.
■ Vendors must own the intellectual property for the AM products and services they sell. Those
that resell other vendors’ products, or that have merely augmented other vendors’ AM
products and services for resale or for managed or hosted service offerings, were excluded.
The following functionalities are required for a vendor’s AM product or service to be included in
this analysis (Note: The word “product” is used to mean a product or service. These functions
may be offered through multiple products, but they must be the vendors’ products and not those
of third parties, unless stipulated below.):
■ User authentication — The product must provide inherent support for password
authentication to the AM tool. The product must provide support for additional authentication
methods from the AM vendor and its partners, and use of contextual data and adaptive
access for authentication methods were considered.
■ Trust elevation — The product must at a minimum be able to enable adaptive access by
letting administrators set policies that require trust elevation for access to specific
applications. Ability to require step-up user authentication, or reauthentication, was the
baseline requirement.
■ Use of analytics and contextual information to calculate risk scores for trust elevation and
ability to initiate other types of required actions were considered in the evaluation criteria.
■ SSO — Products must provide SSO to web applications using SAML and OIDC. The product
must also support the specific use case of users authenticating to Windows/AD and being
provided with SSO to protect applications not integrated with Windows/AD. Products must
also support sign-on to the AM using identities from one or more social media networks to
enable BYOI. This implies support for OAuth and OpenID Connect.
The following SSO methods were analyzed as part of the evaluation criteria:
■ Standards-based SSO using modern authentication protocols like SAML, OIDC and OAuth
■ Inclusion and use of a reverse proxy (with credentials transported in HTTP headers)
■ Inclusion and use of an application server agent to interact with the AM tool
■ Use of password vaulting and forwarding techniques
■ Transmission of authentication and authorization information (i.e., access tokens) to APIs,

as part of application flows for previously authenticated applications and users.
■ Session management — Products must provide functionality that maintains session state
when users are authenticated to one or more applications. Session management enables
SSO because the product is “aware” of an established session. Session management
functionality should also provide individual or multiple application session termination based
on configured policies, and administrator-configured settings (such as using timeout
parameters or those based on users logging out of one or more sessions).
■ Security token services (STS) — Products must provide protocol and security token
translation to enable SSO based on an initial client authentication to the product and
subsequent attempts by a user to access a target application that uses a different security
token format and syntax, and a different authentication or SSO protocol.
■ Once a user authenticates to the product or an identity provider federated with the product,
the product must provide protocol and security token translation. This enables SSO and
attribute transmittal to target applications that use different security token formats and
syntaxes and SSO protocols.
■ STS used to protect APIs and services involved in authentication and authorization as
targets are considered in the evaluation criteria. STS types include:
■ WS-Trust
■ Proxy-based STS
■ REST-based STS to exchange credentials (proprietary)
■ REST-based STS to exchange credentials (standards-based using the IETF draft-ietf-

OAuth-token-exchange)
■ Authorization enforcement — Products must, at minimum, allow or disallow users’ access to

the primary access point (the “front door,” usually referenced by a URL) of applications based
on attribute data available in identity repositories such as directories and databases, and just-
in-time attributes sent in JSON Web Tokens (JWTs) or X.509 authentication. The products
must also allow for administrators to create, manage and put into production access policies
used by the product to render access decisions and enforce those decisions.
The following functionalities are considered in the evaluation criteria:
■ Ability to support authorization enforcement to APIs
■ Ability to use contextual information from endpoint devices and software, such as
geolocation, interaction metrics, history, device characteristics, and date or time of day as
input to an access decision, and other third-party sources.
■ Ability to perform fine-grained authorization enforcement on subobjects within applications
■ Ability to use complex combinations of rules and attributes to render access decisions
■ Ability to use analytics engines that can augment or replace rule-based policy engines
■ Ability to use external authorization server integrations, extensible access control markup
language (XACML servers) and programmable triggers
■ Developer access to AM functionality — Vendors must provide a set of APIs or development

libraries to allow developers to make calls to the AM tool from applications to support
externalization of authentication and authorization functions from these applications.
■ Password reset — This function is often included in products from adjacent markets,
particularly IGA. However, the need for password reset is common as part of AM flows.
Inclusion of password reset functionality with the AM product is considered in the evaluation
criteria.
■ UEM signals for authentication and authorization — Some vendors integrate UEM with IAM,
and UEM functionality is used to support the rendering of access decisions. Vendors’
inclusion of endpoint information and signals with their core AM products, provided through
either internal capabilities or strategic partners, are considered in the evaluation criteria.
This Magic Quadrant does not cover the following:
■ AM offerings that lack an authorization and authentication policy decision and enforcement
engine. This includes pure user authentication products and services, or products that began
as pure user authentication products and were then functionally expanded to support SSO via
SAML or OIDC, but cannot manage sessions or render authorization decisions.
■ AM offerings that were only or predominantly designed to support operating systems and/or
PAM (see “Magic Quadrant for Privileged Access Management”).
■ AM products that cannot support or are not marketed to support all major use cases
(workforce, B2C and B2B). For example, CIAM solutions that are only or mostly marketed to
support only B2C use cases will be excluded.
■ AM products that are not marketed and supported globally; there must be significant
representation of customers, sales and support in all major markets, namely North and South
America, EMEA and the Asia/Pacific region.
■ Remote or on-premises “managed” AM — services designed to take over management of

customers’ owned or hosted AM products, rather than being provided by delivery of the
vendor’s own intellectual property.
■ AM functions provided only as part of broader infrastructure or business process outsourcing

agreements. AM must be provided as an independently available and priced product or
service offering.
■ IGA functionality. This is a separate, but related market covered by other Gartner research
(see “Magic Quadrant for Identity Governance and Administration”).
■ Full life cycle API management. Although API functionality is growing in AM products, this
capability is typically focused on API protection capabilities, as opposed to full life cycle
management of APIs. This is a separate, but adjacent market covered by other Gartner
research (see “Magic Quadrant for Full Life Cycle API Management”).
■ UEM. Although some AM products offer elements of UEM functionality, UEM is a separate,
but related market covered by other Gartner research.
■ CASBs. Although some AM products offer some CASB functionality, CASB is a separate, but
related market covered by other Gartner research (see “Magic Quadrant for Cloud Access
Security Brokers”).
Honorable Mentions
Commercial Vendors
These vendors provide B2E, B2B, and B2C AM services, but failed to meet the inclusion criteria
for this Magic Quadrant (whether number of discrete customers or global presence):
■ Cisco-Duo Security
■ eMudhra
■ Exostar-Pirean
■ Identity Automation
■ i-Sprint Innovations
■ iWelcome
■ OpenText-Covisint
■ Symantec
■ Thales (Gemalto)
■ Transmit Security
Open-Source Vendors
These vendors also provide AM functionality; this Magic Quadrant did not include open-source
AM vendors for analysis:
■ Gluu
■ Keycloak (Red Hat Single Sign-On)
■ OpenIAM
■ Soffid
■ Shibboleth Consortium
■ WSO2
CIAM-Only Vendors
These are vendors that provide only B2C and B2B AM services:
■ Akamai
■ LoginRadius
■ Salesforce
■ SAP
■ TrustBuilder
Evaluation Criteria
Ability to Execute
Gartner analysts evaluate vendors on quality and efficacy of the processes, systems, methods
or procedures that enable IT provider performance to be competitive, efficient and effective, and
to positively impact revenue, retention and reputation within Gartner’s view of the market.
Product or Service: The architecture, security and capabilities, quality and feature sets of AM
that can be integrated with any of a variety of enterprise and cloud-based systems. We evaluate
offerings that were generally available and documented as of 30 March 2019.
The range and quality of AM features, richness of support for mobile endpoints, incorporation of
third-party identities, and controls demonstrated to help ensure the continuity, security and
privacy of customers and their data were also assessed.
The applicability and suitability of these offerings to a wide range of use cases and different
application architectures, across different communities of users and different enterprise and
cloud-based systems, were evaluated.
Elements of evaluation criteria include:
■ General product architecture
■ Security, reliability, scalability and availability
■ User authentication and adaptive access
■ Authorization enforcement
■ SSO and session management
■ Standards support
■ BYOI (social media identity integration)
■ User administration functions
■ Logging and reporting
■ Cloud application enablement
■ On-premises application enablement
■ API target enablement
Overall Viability: The vendor’s overall financial health, its financial and practical success in the
AM market. The likelihood that the vendor will continue investing in its AM portfolio and sustain
its presence in the AM market was also evaluated, as was its success in the AM market, as
demonstrated by its customer acquisition, competitiveness, retention and customer
significance in terms of implementation scale.
Sales Execution/Pricing: The vendor’s capabilities in such areas as deal management, presales
support and the overall effectiveness of the sales channel, including value-added resellers and
third-party managed service providers. The vendor’s track record in competitive wins and
business retention was also assessed, as was its pricing over a number of different scenarios.
Criteria include:
■ Sales execution
■ Revenue breakdown by channel
■ Revenue breakdown by use case (B2E, B2B, B2C)
■ Competitors’ mentions
■ Pricing under several scenarios — This subcriterion was weighted heavily. Vendors were
strongly encouraged to identify actual expected deal pricing with appropriate discounts for
the different scenarios. Lower costs for the same functionality among vendors were scored
higher.
Market Responsiveness/Record: The vendor’s ability to respond, change direction, be flexible

and achieve competitive success as opportunities develop, competitors act, customer needs
evolve and market dynamics change. This criterion also considered the vendor’s history of
responsiveness to changing market demands. How the vendor can meet customers’ evolving
AM needs over a variety of use cases was also assessed, as was how the vendor has embraced
standards initiatives in the AM and adjacent market segments, and responded to relevant
regulation and legislation.
Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver
the vendor’s message in order to influence the market, promote the brand, increase awareness
of products and establish a positive identification in the minds of customers. This mind share
can be driven by a combination of publicity, promotional, thought leadership, social media,
referrals and sales activities.
Customer Experience: Products and services and/or programs that enable customers to
achieve anticipated results with the products evaluated. Specifically, this includes quality
supplier/buyer interactions, technical support and account support. This may also include
ancillary tools, customer support programs, availability of user groups, service-level agreements,
etc.
Criteria include:
■ Customer relationship and services
■ Customer satisfaction
■ References and other Gartner client feedback
Operations: The ability of the vendor to meet goals and commitments. Factors include quality of
the organizational structure, skills, experiences, programs, systems and other vehicles that
enable the vendor to operate effectively and efficiently.
Table 1: Ability to Execute Evaluation Criteria
Evaluation Criteria Weighting
Product or Service High
Overall Viability High
Sales Execution/Pricing Medium
Market Responsiveness/Record Medium
Marketing Execution Low
Customer Experience High
Operations Medium
Completeness of Vision
Gartner analysts evaluate vendors on their understanding of buyer wants and needs, and how
well the vendor anticipates, understands, and responds with innovation in their product offering
to meet those needs. Vendors who demonstrate a high degree of completeness of vision,
demonstrate a capacity to understand challenges that buyers in the market are facing, and for
shaping their product offerings to help buyers meet those challenges.
Market Understanding: Ability to understand customer needs and translate them into products
and services. Vendors who show a clear vision of their market demonstrated a high capacity to
listen, understand customer demands, and shape or enhance market changes with their added
vision
Criteria include:
■ Understanding and meeting customer needs
■ Vendor awareness of the future of the AM market, and its strategy for responding
Marketing Strategy: Clear, differentiated messaging consistently communicated internally, and

externalized through social media, advertising, customer programs and positioning statements.
Criteria include:
■ Deal close rate
■ Lead development breakdown

Sales Strategy: A sound strategy for selling the vendor’s AM offerings that uses the appropriate
networks, including direct and indirect sales, marketing, service, and communication. Whether
the vendor has partners that extend the scope and depth of its market reach, expertise,
technologies, services and customer base was also assessed.
Criteria include:
■ Sales organization and partnerships
■ Revenue breakdown by channel
■ Program for internal sales enablement
Offering (Product) Strategy: The vendor’s approach to product development and delivery that
emphasizes market differentiation, functionality, methodology and features as they map to
current and future requirements. How the vendor will increase the competitive differentiation of
its-AM products and services was assessed, as was the vendor’s participation in AM and
adjacent standards development. How the vendor’s AM offerings and strategy fit into current
and planned adjacent offerings in IAM as well as other markets was evaluated.
Criteria include:
■ Meeting customers’ selection criteria and the needs created by architectural and operational
changes to endpoint, identity provider and target resources
■ Specific development plans
■ Miscellaneous strategy elements
Business Model: The design, logic and execution of the vendor’s business proposition to
achieve continued success, including:
■ Purpose in the AM market
■ Distinction in the AM market
■ Milestones reached
■ Future growth plans
Vertical/Industry Strategy: The strategy to direct resources (sales, product, development), skills
and products to meet the specific needs of individual market segments, including verticals.
Criteria include:
■ Customer breakdown by industry
■ Trends in customer industry breakdown
■ Strategy for verticals and other segmentation
Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or

capital for investment, consolidation, defensive or preemptive purposes. The vendor’s
continuing track record in market-leading innovation, and the provision of distinctive products,
functions, capabilities, pricing models and so on, were assessed. We focused on technical and
nontechnical innovations introduced since January 2018, as well as the vendor’s roadmap over
the next few years.
Criteria include:
■ Foundational innovations
■ Recent innovations (during the past year)
■ Planned innovations
Geographic Strategy: The vendor’s strategy to direct resources, skills and offerings to meet the
specific needs of geographies outside the “home” or native geography, either directly or through
partners, channels and subsidiaries, as appropriate for that geography and market.
Criteria include:
■ Customer breakdown by geography, with representation in all major markets
■ Trends or changes in customer geographic breakdown
■ Strategy for changes in geographic coverage
■ Global support capabilities
Table 2: Completeness of Vision Evaluation Criteria
Market Understanding High
Marketing Strategy Low
Sales Strategy Medium
Offering (Product) Strategy High
Business Model Medium
Vertical/Industry Strategy Low
Innovation High
Geographic Strategy Medium
Quadrant Descriptions
Leaders
Leaders in the AM market generally have significant customer bases, and a global presence for
sales and support. They provide feature sets that are appropriate for current customer use-case
needs and develop capabilities to solve new problems in the market. Leaders also show
evidence of strong vision and execution for anticipated requirements related to technology,
methodology or means of delivery; and they show evidence of how AM plays a role in a
collection of related or adjacent product offerings. Leaders typically demonstrate solid
customer satisfaction with overall AM capabilities, the sales process, and/or related service and
support.
Challengers
Challengers show strong execution and have significant customer bases. However, they have
not shown the Completeness of Vision for AM that Leaders have. Rather, their vision and
execution for marketing, technology, methodology and/or means of delivery tend to be more
focused on or restricted to specific functions, platforms, geographies or services. Challengers
have relatively low brand awareness. Challengers’ clients are relatively satisfied.
Visionaries
Vendors in the Visionaries quadrant provide products that meet many AM client requirements,
but they may not have the market penetration to execute as Leaders do. Visionaries are noted
for their innovative approach to AM technology, methodology and/or means of delivery. They
may see AM as a key part of a broader service portfolio, or they may provide functionality,
marketing and sales to successfully target specific buying segments, such as developers. They
often may have unique features and may be focused on a specific industry or specific set of use
cases. In addition, they have a strong vision for the future of the market and their place in it.
Niche Players
Niche Players provide AM technology that is a good match for specific use cases. They may
focus on specific industries or have a geographically limited footprint; however, they can
outperform many competitors. Vendors in this quadrant often have relatively fewer customers
than competitors in other quadrants, but they may have large customers, as well as a strong AM
feature set. Brand awareness is usually low relative to vendors in other quadrants. Vision and
strategy may not extend much beyond feature improvements in current offerings. Pricing might
be considered too high for the value provided by some niche vendors. However, inclusion in this
quadrant does not reflect negatively on the vendor’s value in the more narrowly focused
spectrum. Niche solutions can be very effective in their areas of focus.
Context
Vendors evaluated in this Magic Quadrant come from distinctly different backgrounds. Their
pedigrees vary greatly, as do their abilities to provide AM that can support all target systems
that buyers have. The vendors’ aspirations for servicing customers by geography, industry and
customer-size segmentation also vary.
Clients are strongly cautioned not to use vendors’ positions in the Magic Quadrant figure as the
sole source for determining a shortlist of vendors. Vendors’ ability to provide a general set of
AM functionalities across multiple use cases, and in multiple geographies and industries, as
well as to provide solid value for the price, as perceived by their customers, was evaluated. All
vendors covered in this Magic Quadrant have succeeded in providing customers with products
and services that meet their needs.
Important Decision Factors for Vendor Selection

SaaS-Delivered or Software-Delivered AM
In line with other Gartner research (see “How to Choose Between Software and SaaS Delivery
Models for Identity and Access Management”), the description of IDaaS has been changed.
Gartner has determined that a less ambiguous term for these services is SaaS-delivered IAM,
and it has been expanded to include not only AM, but also IGA and PAM, to reflect the broader
scope of product offerings.
Software-delivered IAM has been defined traditionally as “on-premises IAM.” However, with IaaS
and platform as a service (PaaS), cloud computing is becoming an extension of the traditional
data center and the term “on-premises” is becoming less meaningful. Software-delivered IAM is
defined as all single-tenant solutions delivered as traditional software installations or virtual
appliances installed locally, on a server in the data center, or remotely hosted in IaaS or offered
as a native part of PaaS.
SaaS-delivered IAM (formerly IAM as a service [IDaaS]) is increasingly being widely adopted
and, in fact, SaaS has become the preferred delivery method for the vast majority of brand new
AM deployments. Buyers that choose SaaS-delivered AM have established that ease of
deployment and use, time to value, and frequent, easy-to-consume functional upgrades are
benefits that outweigh the concerns of having a third party manage their authentication and
authorization services and hold personal information; especially when there is a lack of skills to
manage traditional software solutions.
On the other hand, IAM leaders that still purchase software-delivered IAM are more likely to have
legacy applications that don’t support standards-based SSO. They may be difficult to convert to
standards-based SSO, and products from traditional software-based access managers can
provide some additional flexibility to support proprietary application integration techniques.
There are also situations where jurisdictional regulations and political concerns may limit
adoption of services that cannot host data exclusively within a jurisdiction, or that are operated
by foreign companies.
Setting aside vendors’ variable abilities to meet different functional requirements, IAM leaders
that choose to manage AM solutions themselves tend to have the requisite staff expertise to
manage the products and believe that they will retain these staff. There is still a significant
installed base of software-delivered AM products; however, existing clients are evaluating
alternatives to either expand or migrate their workloads to the cloud. For those situations, SaaS-
delivered and software-delivered AM solutions can be bridged together to deliver hybrid use
cases (see “How to Choose Between On-Premises and IDaaS Delivery Models for Identity and
Access Management”).
IAM leaders must decide whether operational management of AM solutions is core to their
business, or whether the functionality can be outsourced. Gartner’s evaluation of products and
services in this Magic Quadrant included new considerations about the vendor’s primary ability
to provide a full SaaS-delivered AM solution, and its flexibility to be extended with software-
delivered AM components for a hybrid delivery model approach.
Use Cases
Our evaluation of vendors’ products and services in this Magic Quadrant included consideration
of how well vendors can meet the need to support all three common use cases: B2E, B2B and
B2C.
The primary driver for new AM purchases continues to be the need for workforce users to
access SaaS applications, but CIAM scenarios (B2C) have increased significantly. Topologies
for B2B and workforce users accessing internal systems (i.e., B2B) is the third driver. All vendors
covered in this Magic Quadrant can support these use cases. However, SaaS-delivered AM
solutions tend to be superior for SaaS enablement use cases. Vendors create and maintain
connections to SaaS vendors, so buyers don’t have to. Gartner clients are more often interested
in a SaaS-delivered AM model for B2C needs. We have observed an inquiry pattern in which
clients are replacing homegrown IAM capabilities with consumer-facing applications and are
looking for rapid time to value. They often do not feel as strongly that consumer identities must
be held on-premises.
Gartner is seeing increased interest among clients in adopting a CIAM capability, as customers
are looking for vendors that can help them with several key elements. First, it is widely
recognized that the power of a good user experience online creates competitive leverage in
crowded markets. Many homegrown solutions have ceased to be effective in the age of digital
business, and have likely even lost business due to new channels, increased cybersecurity
threats and higher expectations for ease of use.
In addition, the growth in privacy regulations is driving growth in CIAM adoption. There are
several key pieces of privacy regulation driving CIAM adoption — from the GDPR in the EU to the
General Data Privacy Law (GDPL) in Brazil and the California Consumer Privacy Act (CCPA) for
California consumers. At this writing, just in the U.S., there are at least 11 state-level bills and six
federal-level bills under consideration. In addition, many countries around the world — from
Canada to Great Britain and others — are developing privacy regulation to address the need to
provide consumer protections.
While all the vendors covered by this Magic Quadrant provide B2C (CIAM), there are vendors
that specialize only in CIAM (B2C and B2B; see the Honorable Mentions section). These CIAM
vendors are adding tools to assist customers in complying with privacy regulations. However,
Gartner also recommends that customers with advanced needs in privacy compliance should
integrate their CIAM tool with a mature consent and privacy management tool (see “Market
Guide for Consent and Preference Management”).
Target System Support

Target system enablement is an area of vendor differentiation. Traditional AM software vendors
had to develop federation, proxy and agent architectures into their products to support web
applications with diverse authentication architectures. All AM vendors, regardless of their
delivery models, support standards-based federated authentication and SSO, with ubiquitous
SAML support and maturing OIDC support. Differentiation is most often found in vendors’
abilities to directly support applications that require reverse proxy and HTTP header-style
authentication. There are also commercial applications that can’t easily support externalized
AM, and they are integrated into AM tools with “agents” or “integration kits.”
Traditional AM software vendors, such as Broadcom (CA Technologies), IBM, Micro Focus, Ping
Identity and Oracle, tend to support these tricky scenarios; however, support from pure SaaS-
delivered AM has matured since last year. For example, Okta announced its own Access
Gateway technology for on-premises integrations, and continues to support existing
partnerships with other gateway vendors. OneLogin provides Access EP in its Unified Access
Management Access product for legacy app integrations. Microsoft can also provide AM for
customers’ applications using federation or reverse proxy. However, it still relies on Ping
Identity’s PingAccess product for applications that are architected to transmit proprietary
information in HTTP headers for authentication and authorization.
Clients that need support for legacy web applications should focus their vendor evaluations and
proofs of concept on ensuring that AM tool vendors can support all kinds of target applications.
Gartner recommends that organizations, particularly those with numerous applications and
diverse application architectures, take a systematic approach to taking inventory of those
applications, their use cases and architectures. The result of this exercise should put IAM
leaders in a better position to evaluate alternative offerings to meet their needs (see “How to
Make the Right Choices for Access Management and Single Sign-On”).
IoT and AM
AM tools must increasingly support a variety of devices as source and target endpoints, and this
support is beginning to extend into support of IoT devices. The proliferation of devices,
especially smart devices, has provided challenges to AM vendors, as well as opportunities. One
of the first challenges was to support new application architectures, including native mobile
applications, single-page apps and hybrid apps. AM vendors have done that by supporting
OAuth2 and OIDC, as well as providing programming libraries and APIs in their AM services. The
opportunity that comes with the device proliferation challenge is that vendors have begun to use
a variety of device posture data points or context as inputs to render access decisions. This
presents an additional capability that makes it more difficult for bad actors to compromise a
user.
Most AM tools can now deal with basic use cases that require managing access to support the
relationships among people, their smart devices and the target resources that must be
accessed. However, the incorporation of constrained devices and interactions with device
intermediaries, such as gateways and controllers, remains a niche pursuit:
■ ForgeRock has an edge gateway designed to integrate downstream devices and controllers
with its platform.
■ Evidian has partnered with Siemens to develop IoT capabilities.
■ Broadcom has several production IoT applications.
■ Ping Identity, Microsoft and Oracle are actively exploring this application.
We expect more AM vendors to enable products and services with the protocols and policy
decision capabilities to support IoT more broadly during the next three years.
CARTA
The tremendous growth in cloud computing — from SaaS application adoption to data center
migrations to IaaS to digital transformation focused on changing the way people work — has
changed the dynamic of security. Those drivers have shifted security from perimeter-based
approaches to identity context-based approaches. However, the AM market has been slow to
respond to developments that would mature that continuous assessment approach. Modern
identity protocols will continue to improve in providing full support of the CARTA approach, so
AM tools will need to add additional controls like integrations with WAFs, CASBs and other
complementary platforms. This is to gain enough information and signals to establish
continuous risk scoring, in order to support comprehensive adaptive access, leading to
continuous authentication and continuous authorization.
Many authentication vendors claiming “adaptive” approaches provide only simple rule-based
conditional authentication or evaluate only contextual data that provides “familiarity signals,”
ignoring “negative” signals that would indicate specific attacks or elevated identity risk.
It is fundamental to differentiate conditional access controls from adaptive and continuous

access controls. Gartner recommends the implementation of identity corroboration
contiguously with AM or fraud prevention tools that provide user/customer session
management to enable CARTA for all interactions/transactions (see “Transform User
Authentication With a CARTA Approach to Identity Corroboration”).
Gartner’s evaluation of vendors’ products and services in this Magic Quadrant included new
considerations about the vendors’ primary ability to provide AM solutions that either offer
embedded or integrated identity corroboration capabilities for CARTA.
All AM tools have the coarse-grained basic capabilities to require step-up authentication when
users have a specific set of static attribute values associated with them and when accessing
specific target systems. For example, if the user is a finance group member in the underpinning
directory used by the access manager, then the AM system can allow only those users access
to the application and force users to reauthenticate. Otherwise, it can authenticate with
something stronger than a password when accessing the finance system. These were, and
remain, important capabilities.
However, by themselves, they’re not enough in today’s climate of increased online fraud and
malicious access. Most AM vendors can use contextual information, such as date and time;
endpoint information, such as browser and software characteristics; and IP address or real
geolocation as input to access decisions. This is now being more accurately described by
vendors as “conditional” access.
To embrace a truly adaptive approach, Gartner evaluated AM vendors’ capabilities to address at

least these three needs:
■ Context-based “conditional” access control, as described above.
■ Integration between applications and other sources of risk context information. This can be
provided via an externalized authorization architecture (OFA, CASB); an application wrapper
and protocol interpretation; a WAF; zero-trust network access (ZTNA; formerly a software-
defined perimeter); or an API gateway.
■ Continuousness. Risk and trust automatically assessed for every interaction throughout every
session — and this can come only through integration with applications.
AM tools should support open integration of or data interchange with third-party tools. They
should also favor flexible workflows that can map complex paths for consuming inputs and
making adaptive responses. For example, Auth0 and now Okta use “hooks,” programming
extensions and rules, and ForgeRock uses authentication trees — both examples of enabling the
ability to accommodate complex approaches to consuming inputs and enabling adaptive
responses.
API Protection and Life Cycle Management
There is an increasing demand for digital transformation and application rearchitecture that is
impacting AM buying patterns within organizations. IAM decisions are now starting to be
shared or are shifting between IAM leadership teams and software engineering teams.
Developers are leading the process of building internal apps, services and meshes, and they
need AM tools that can keep up with all of that.
Enterprise architects have an important job to standardize and deploy security best practices
while adopting more agile DevOps processes associated with AM tools (this is where
ForgeRock, Auth0, Keycloak, IdentityServer4 and Curity come in). For that, AM vendors must
provide, at a minimum, a set of APIs or development libraries to allow developers to make calls
to the AM tool from applications to support externalization of authentication and authorization
functions from these applications. And ideally, AM vendors in this Magic Quadrant should be
providing a clear strategy for API protection, either embedded or through integrated
partnerships with full API gateways.
As organizations expose more services through APIs, the need to protect the APIs and services
behind them grows. API protection has long been the domain of the API gateway — a
component of full life cycle API management products and services (see “Magic Quadrant for
Full Life Cycle API Management”). API gateways are placed between calling services or
applications and the target API. These tools provide a number of functions, including token and
protocol translation, authentication, authorization, threat detection, data privacy, traffic and
quality of service management, and service routing.
In most customer environments, where the AM tool doesn’t provide embedded API protection
capabilities, API gateways may be integrated to provide advanced security. AM tools handle
users’ sessions and API gateways generally do not. This combination of tools allows a web
application to offload user authentication, SSO and session management to the AM tool. If the
application needs to call an API (e.g., to complete a transaction), the request — along with user
attributes and security tokens — is sent to the API gateway to be parsed and evaluated to
allow/disallow API access.
The AM market is evolving to handle some API protection functions within the AM product. For
example, Ping Identity and ForgeRock have functionality in their toolsets to perform some basic
API authentication, authorization and traffic throttling, and Ping Identity added expanded
security capabilities in this area with PingIntelligence for APIs. Okta has also introduced an API
AM service component. However, most buying organizations will continue to use a mixture of
AM and full-featured API gateways, because of the additional value and functionality that the
gateways provide.
Security Concerns With SaaS-Delivered and IaaS-Hosted AM Protecting Target

Systems That Support Only Password Authentication
Password vaulting and forwarding, also referred to as forms-based authentication using static
usernames and passwords, is a feature set that AM vendors offer to their customers to support
target applications that do not support federated SSO standards. It is common for AM buyers to
want to leverage password vaulting and forwarding to give their users the convenience of SSO
for most or all of their apps. Common, widely used SaaS applications support federation, which
transmits security tokens (not passwords) to target systems. Federated architectures also imply
that an AM tool or service is between the user and the application, and, therefore, can leverage
MFA and adaptive access control as part of the sign-on sequence. Unfortunately, the long tail of
smaller SaaS application vendors does not support federation..
AM vendors encrypt password data at rest; it would be difficult, but not impossible for attackers
to obtain access to encrypted data. Gartner recommends against the use of password vault and
forward functionality provided by AM vendors — especially vendors of SaaS-delivered AM
products — due to this potential loss of the “keys to the kingdom.” Standards-based federation
should be used instead, whenever possible.
However, for the remaining password-based apps, many organizations will find the pressure to
provide users convenience through password vaulting and forwarding unbearable. The use of
additional authentication methods and adaptive access mitigates some types of attacks that
leverage endpoint device and network vulnerabilities, but they do not help if the centrally held
password data is compromised. Unfortunately, passwords are a weak form of authentication.
Organizations choosing to allow SSO using password authentication are accepting the risks of
potential password compromise.
Gartner strongly recommends that organizations push their application vendors to support
standards-based federation as an alternative to password authentication only. These
organizations should also maintain and test procedures for resetting users’ accounts and
passwords, should a breach occur (see “IDaaS Security Will Never Be Perfect — Buyers Must
Mitigate Risk”).
Market Overview
This Magic Quadrant was produced in response to market conditions for AM, including the
following trends:
■ The AM market has evolved to better support more diversity in user authentication methods,
managing basic access to IOT devices, contextual and more intelligent adaptive access,
mobile computing, and API target services. These feature sets continue to mature in 2019.
■ Vendors that have developed AM as a service have risen in popularity. Gartner estimates that
90% or more of clients based in North America and approximately 65% in Europe and the
Asia/Pacific region countries are also seeking SaaS-delivered models for new AM purchases.
This demonstrates a preference for agility, quicker time to new features, elimination of
continual software upgrades, reduction of supported infrastructure and other SaaS versus
software benefits demonstrated in the market (see “How to Choose Between Software and
SaaS Delivery Models for Identity and Access Management”).
■ Large, established vendors and others that provided only traditional software- and appliance-
based AM solutions have moved to offer SaaS delivery models as options for their AM tools.
Ten of the 14 vendors covered in this Magic Quadrant deliver AM as SaaS as their only delivery
model, or as an option:
■ Only as a service: Idaptive, Microsoft, Okta, OneLogin and Auth0 (also delivers a managed
offering)
■ Software- or SaaS-delivered AM: ForgeRock (only CIAM for SaaS), IBM, Oracle, Ping Identity
and Optimal IdM.
■ Only as software: Broadcom (CA Technologies), Micro Focus, Evidian and SecureAuth. These
vendors have partners that can deliver these products as managed or hosted services.
Gartner estimates that the AM market revenue for the vendors covered in this Magic Quadrant
was $1.4 billion at the end of 2018. Readers, particularly investment clients, are cautioned not to
interpret this revenue estimate as accounting for all AM products and services available in the
market. Numerous vendors that could not be included in this Magic Quadrant can meet at least
partial requirements — for example, by providing user authentication and SSO when
authorization enforcement is not needed by the customer.
Evidence
■ Vendor surveys
■ Reference interviews
■ Peer insights
■ Secondary resource services
■ Gartner inquiries
Evaluation Criteria Definitions

Ability to Execute
Product/Service: Core goods and services offered by the vendor for the defined market. This
includes current product/service capabilities, quality, feature sets, skills and so on, whether
offered natively or through OEM agreements/partnerships as defined in the market definition
and detailed in the subcriteria.
Overall Viability: Viability includes an assessment of the overall organization's financial health,
the financial and practical success of the business unit, and the likelihood that the individual
business unit will continue investing in the product, will continue offering the product and will
advance the state of the art within the organization's portfolio of products.
Sales Execution/Pricing: The vendor's capabilities in all presales activities and the structure
that supports them. This includes deal management, pricing and negotiation, presales support,
and the overall effectiveness of the sales channel.
Market Responsiveness/Record: Ability to respond, change direction, be flexible and achieve

competitive success as opportunities develop, competitors act, customer needs evolve and
market dynamics change. This criterion also considers the vendor's history of responsiveness.
Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver
the organization's message to influence the market, promote the brand and business, increase
awareness of the products, and establish a positive identification with the product/brand and
organization in the minds of buyers. This "mind share" can be driven by a combination of
publicity, promotional initiatives, thought leadership, word of mouth and sales activities.
Customer Experience: Relationships, products and services/programs that enable clients to be

successful with the products evaluated. Specifically, this includes the ways customers receive
technical support or account support. This can also include ancillary tools, customer support
programs (and the quality thereof), availability of user groups, service-level agreements and so
on.
Operations: The ability of the organization to meet its goals and commitments. Factors include
the quality of the organizational structure, including skills, experiences, programs, systems and
other vehicles that enable the organization to operate effectively and efficiently on an ongoing
basis.
Completeness of Vision
Market Understanding: Ability of the vendor to understand buyers' wants and needs and to
translate those into products and services. Vendors that show the highest degree of vision
listen to and understand buyers' wants and needs, and can shape or enhance those with their
added vision.
Marketing Strategy: A clear, differentiated set of messages consistently communicated

throughout the organization and externalized through the website, advertising, customer
programs and positioning statements.
Sales Strategy: The strategy for selling products that uses the appropriate network of direct and
indirect sales, marketing, service, and communication affiliates that extend the scope and depth
of market reach, skills, expertise, technologies, services and the customer base.
Offering (Product) Strategy: The vendor's approach to product development and delivery that
emphasizes differentiation, functionality, methodology and feature sets as they map to current
and future requirements.
Business Model: The soundness and logic of the vendor's underlying business proposition.
Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and offerings to
meet the specific needs of individual market segments, including vertical markets.
Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or

capital for investment, consolidation, defensive or pre-emptive purposes.
Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to meet the
specific needs of geographies outside the "home" or native geography, either directly or through
partners, channels and subsidiaries as appropriate for that geography and market.
© 2019 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc.
and its affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior
written permission. It consists of the opinions of Gartner's research organization, which should not be
construed as statements of fact. While the information contained in this publication has been obtained from
sources believed to be reliable, Gartner disclaims all warranties as to the accuracy, completeness or
adequacy of such information. Although Gartner research may address legal and financial issues, Gartner
does not provide legal or investment advice and its research should not be construed or used as such. Your
access and use of this publication are governed by Gartner’s Usage Policy. Gartner prides itself on its
reputation for independence and objectivity. Its research is produced independently by its research
organization without input or influence from any third party. For further information, see "Guiding Principles
on Independence and Objectivity."
About Careers Newsroom Policies Site Index IT Glossary Gartner Blog Network Contact Send
Feedback
© 2018 Gartner, Inc. and/or its Affiliates. All Rights Reserved.

Magic Quadrant For Access Management: Strategic Planning Assumptions

Uploaded by

Copyright:

Available Formats

Magic Quadrant For Access Management: Strategic Planning Assumptions

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Magic Quadrant For Access Management: Strategic Planning Assumptions

Uploaded by

Copyright:

Available Formats

16/09/2019 Gartner Reprint

Licensed for Distribution

Magic Quadrant for Access Management

Strategic Planning Assumptions

■ Authentication and authorization of APIs (using OAuth/OIDC)

■ Basic identity synchronization to a set of target systems

■ Identity repository services

ESSO tools can be thought of as agent-based, password store-and-forward mechanisms, where

Source: Gartner (August 2019)

Vendor Strengths and Cautions

■ The vendor has good sales and support coverage in Europe.

■ Evidian is working to solve “things” management, partnering with ENACT, a European

Broadcom (CA Technologies)

to successfully adopt the Layer7 SiteMinder product.

■ Broadcom/CA divested CA’s professional services team to HCL Technologies.

■ Combined with session management, ForgeRock’s graphical configuration feature,

■ ForgeRock is active in defining authentication and authorization standards and, as such,

■ ForgeRock lacks a SaaS-delivered offering for workforce (B2E) AM.

■ Clients have highlighted the products’ stability and flexibility.

■ Idaptive offers a capability called Brokered Authentication, which abstracts authentication

misuse of SaaS applications beyond just providing authentication to the services.

■ Okta is typically the highest-priced alternative in customers’ analysis; customers complain

individualized experience for each organization.

■ While IDCS indicates a commitment from Oracle to SaaS-delivered AM capabilities, existing

■ SecureAuth offers basic UEBA capabilities in the SecureAuth Identity Platform.

■ Customers like the product’s flexibility and broad integration options.

Vendors Added and Dropped

Inclusion and Exclusion Criteria

■ Use of password vaulting and forwarding techniques

■ Transmission of authentication and authorization information (i.e., access tokens) to APIs,

■ REST-based STS to exchange credentials (proprietary)

■ REST-based STS to exchange credentials (standards-based using the IETF draft-ietf-

■ Authorization enforcement — Products must, at minimum, allow or disallow users’ access to

The following functionalities are considered in the evaluation criteria:

■ Ability to support authorization enforcement to APIs

■ Ability to perform fine-grained authorization enforcement on subobjects within applications

■ Developer access to AM functionality — Vendors must provide a set of APIs or development

This Magic Quadrant does not cover the following:

■ Remote or on-premises “managed” AM — services designed to take over management of

■ AM functions provided only as part of broader infrastructure or business process outsourcing

■ Keycloak (Red Hat Single Sign-On)

Elements of evaluation criteria include:

■ General product architecture

■ Security, reliability, scalability and availability

■ User authentication and adaptive access

■ SSO and session management

■ BYOI (social media identity integration)

■ User administration functions

■ Logging and reporting

■ Cloud application enablement

■ On-premises application enablement

■ API target enablement

■ Revenue breakdown by channel

■ Revenue breakdown by use case (B2E, B2B, B2C)

Market Responsiveness/Record: The vendor’s ability to respond, change direction, be flexible

■ Customer relationship and services

■ References and other Gartner client feedback

Table 1: Ability to Execute Evaluation Criteria

Evaluation Criteria Weighting