Joining forces to compete against Microsoft and Okta

A couple of months ago, the series of acquisitions of SailPoint, ForgeRock, and Ping Identity by Thoma Bravo triggered discussions and rumors about the impact on the broader Identity & Access Management (IAM) market. Recently, Thoma Bravo announced that ForgeRock would be combined into Ping Identity. Such merger & acquisition (M&A) developments prompt the spate of usual questions:

  • What does this mean to customers of the two companies?
  • What to expect strategically from the combined companies?
  • Where are the risks of such a combination?
  • How could this potentially impact the market?

As always, responding to these questions is a mixture of known facts, experience from other mergers and acquisitions, knowledge of the companies and markets as well as the competitive landscape, and last but not least, some educated guessing.

The impact on customers

As with every transaction of this type, this raises questions about the impact on the mutual product roadmaps. Will the combined companies increase or slow down product development? Will products be discontinued? Will there arise a need for major migration projects?

For understanding the potential impact, there are a couple of aspects to look at, such as:

  • The functional and technological differences and similarities
  • The target customers
  • The impact on corporate strategies

The functional differences and similarities can be well-analyzed by utilizing reference architectures such as the KuppingerCole Analysts IAM Reference Architecture. Both companies offer Access Management solutions, including Adaptive Authentication / Passwordless Authentication, Web Access Management, and Identity Federation. Also, both companies provide their Directory Services and a certain level of API Management.

On the other hand, there are unique product areas. In particular, ForgeRock supports Identity Governance & Administration (IGA) capabilities, while Ping Identity supports identity verification and acquired a specialist in the decentralized identity space a while ago. Additionally, some services, such as multi-factor authentication, have different deployment options across the two vendors.

When examining the types of identities served by the respective platforms Ping Identity is concentrated primarily on business identities (such as workforce, customer, and partner identities), while ForgeRock, in addition to consumer and customer use cases and support for partner and workforce use cases, adds specific support for IoT and Edge computing use cases, supporting both consumer IoT devices and industrial IoT (IIoT) scenarios. Ping Identity also has limited support for consumer IoT device management, CIAM-related user self service capabilities, and also provides Data Governance features.

From a technology perspective, there are significant differences between the Ping and the ForgeRock product portfolio. ForgeRock, rooted in open source, provides a solution that is very flexible for customization. However, such customization comes at the expense of complexity. Ping, on the other hand, provides more a commercial-off-the-shelf (COTS) solution. Ping has also already developed a robust multi-tenant cloud solution.

Feature-wise, the DaVinci orchestration capabilities of Ping Identity are also a relevant differentiator. There is no doubt that convergence of the product portfolios will be a daunting task, even though modern architectures with microservices and API-based integration allow for easier integration of different technology stacks than it had been the case in the past. The DaVinci orchestration capabilities can become an important factor for such integration, though.

We expect, due to the structure of the transaction and with Andre Durand, CEO of Ping Identity, becoming the CEO of the combined entity, Ping Identity being in the lead, but with joint teams from both companies. Thus, Ping Identity will have more influence on the joint strategy. From a strategic perspective, with both companies being (in different stages) on their journey to the cloud, there is no strategy disruption to be expected.

If you are a customer of Ping Identity or ForgeRock or in the procurement process, feel free to reach out to the KuppingerCole Analysts team for further insights and advice.

The strategic potential

With the mutual portfolios, and the individual strengths of both vendors, there is a potential of Ping and ForgeRock building a powerful platform for Digital Identity Management that covers all types of identities, from humans (consumers, customers, partners, and workforce) to silicon identities, including the IoT and IIoT space.

The previous investments of Ping Identity into orchestration technology, identity verification and support for decentralized identity provide a foundation for a fundamental modernization of approaches in this area, beyond today’s established IAM solutions.

Potentially, Ping/ForgeRock can provide a modern, integrated, feature-rich cloud-based Identity Fabric as a strategic solution approach to their customers, beyond serving isolated use cases. Moving towards this target will take some time and is best done by evolving a modern, cloud-based solution stack with a high degree of integration that allows smooth migration at least for customers that already are relying on cloud-based solutions.

The risks

Other than the common risks of mergers and acquisitions such as building a joint organization, there are several challenges to face.

One is that many ForgeRock customers are still using legacy on-premises solutions, and many also have customized the solution significantly, baking it, for instance, into their digital services. Evolving from there will become more challenging than it is for other COTS solutions. This requires offerings involving well-thought-out migration paths with both technical and consulting support.

As always, communicating a strong strategy, a well-thought-out roadmap, and a migration path that simplifies migration for existing customers and allows them to migrate at their own pace (within boundaries) is key to success.

Another specific risk is the pace of the competition. In each market Ping Identity and ForgeRock are playing, there is fierce competition. Thus, the combined entity will need to move fast with strategy and roadmap and execute on these plans, to not give room to their competitors.

The market impacts

While Ping Identity and ForgeRock are well-known players in the broader IAM space, they are facing strong competition.  In addition to established vendors such as Broadcom (which acquired identity products from CA Technologies), Oracle, IBM, SAP, RSA, and others that are strong in large enterprises, there are many specialist vendors across all market segments Ping Identity and ForgeRock play in.

Specific competitors to watch are Okta and Microsoft, with Microsoft 365 present in a majority of organizations, involving also Entra ID. Both have strong offerings competing directly with the Ping Identity and ForgeRock portfolios, and both are significantly larger than the new, combined entity.  In addition, privileged access management leader CyberArk has recently expanded into access management, and the space is also seeing a major influx of new entries, including a fast-growing customer identity company Transmit Security.

Thus, it will be essential for Ping Identity to demonstrate innovativeness beyond merging portfolios but also delivering some breakthrough innovation. Ping Identity has built the foundation with their previous acquisitions. Even then, the combined entity will face fierce competition.

Conclusion & recommendations

The combination of Ping Identity and ForgeRock shows potential. Ping Identity is well-advised to focus on breakthrough innovation and thinking beyond the established state of IAM, also to differentiate from their competitors.

End users, as common at such stages, are best advised to keep calm until further information about strategy, roadmaps, and the future product portfolio are released.