The IDaaS market has evolved over the past few years and is still growing, both in size and in the number of vendors. However, under the umbrella term of IDaaS, we find a variety of offerings. IDaaS in general provides Identity & Access Management and Access Governance capabilities as a service, ranging from Single Sign-On to full Identity Provisioning and Access Governance for both on-premise and cloud solutions. These solutions also vary in their support for different groups of users - such as employees, business partners, and customers - their support for mobile users, and their integration capabilities back to on-premise environments.
For that purpose, we have distinguished the IDaaS market into three distinct market segments. Some vendors serve two or all three segments with their IDaaS services, while others focus on a single segment. The three IDaaS market segments in the KuppingerCole definition are
- IDaaS SSO: IDaaS focused on providing a Single Sign-On experience to users. While the primary focus is on providing access for employees to cloud services, we also look for support of other groups of users such as business partners and customers, for mobile users, and for downstream SSO back to on-premise applications. Formerly, we referred to this market segment as “Cloud User and Access Management”.
- IDaaS B2E: IDaaS focused on providing Identity Provisioning and Access Governance for on-premise environments, commonly complemented by Identity Federation capabilities and, based on these, at least baseline support for Single Sign-On to cloud services. These services provide a significantly stronger level of integration back to on-premise environments and should deliver Access Governance capabilities, in contrast to IDaaS SSO solutions. A significant portion of these offerings is delivered in Managed Service deployment models, in contrast to full SaaS models. B2E stands for Business-to-Employee, providing functionality focused on employee-centric IAM, but delivered from the cloud. Formerly, we referred to this market segment as “Cloud IAM & IAG”.
- IDaaS Digital: This is a rather new segment, with “Digital” standing for solutions that support the emerging requirements organizations are facing in the Digital Transformation. Such solutions must provide strong support for both customers and business partners and should support more complex interaction and functionality, which can include IoT (Internet of Things) support, secure information sharing capabilities, and others.
- Mid-term, we expect to see some convergence. However, there will remain vendors focusing only on certain of these markets, e.g. delivering Cloud SSO capabilities for SMBs or at a departmental level, in contrast to the enterprise-level solutions required for both IDaaS B2E and IDaaS Digital.
Several vendors provide offerings that can be better described as Managed Services than as Software as a Service (SaaS) offerings. Pure-play SaaS solutions are multi-tenant by design. Customers can easily onboard, usually as simple as booking online and paying with a credit card. On the other side, Managed Service offerings are run independently per tenant. The criteria for considering solutions for this Leadership Compass are based on the customer perspective: From that perspective, two aspects are of highest relevance: Elasticity of the service and a pay-per-use license model. If these criteria are met, we include offerings in our evaluation.
For the segment of IDaaS SSO, at a high level we expect support for the following feature sets:
- Support for hybrid infrastructures; in contrast to IDaaS SSO solutions, which are targeted at cloud services, IDaaS B2E must serve the hybrid environments that are the norm for organizations. Features supporting the management of on-premise applications, from SSO to provisioning, or tight integration with on-premise tools, are thus, expected.
- Identity Provisioning capabilities are rated at a higher level than IDaaS SSO. We expect good support for both cloud services and on-premise environments.
- Access Governance features are expected at least at a baseline level. This includes advanced auditing capabilities, but also might cover access review, SoD (Segregation of Duties) controls, and other more advanced features.
- Outbound Federation and Single Sign-On, providing access to Cloud services and web applications. This also includes Cloud Provisioning, i.e. the ability to provision users to Cloud services.
- Directory Services for managing the users: These services must provide massive scalability, enabling organizations to deal efficiently not only with their employees, but potentially with millions of customers. They also must provide a highly flexible schema (data structure) that allows managing different types of users and their respective attributes, but also managing relationships between various objects within the directory. Relying just on existing on-premise directory services limits the flexibility and scalability of these services.
- Authentication support, allowing configuration of the authentication requirements, step-up authentication based on risk and context, etc. We also expect to see significant support for upcoming standards that allow flexible relying on existing strong authentication methods, such as the FIDO Alliance standard.
- Access Management capabilities that allow configuring flexible policies for controlling access to Cloud service and web applications. Beyond just granting access, the ability for at least coarse-grained authorization management is a key capability for IDaaS B2E.
- Inbound Federation and Self-Registration: While inbound federation support focuses on the rapid on-boarding of users from business partners that already have an Identity Federation infrastructure in place, self-registration capabilities are mandatory for other business partners and customers. Identity Federation will also gain momentum in the customer space, when relying on external Identity Providers.
IDaaS B2E also must provide integration with on-premise directories such as the Microsoft Active Directory, allowing employees to access the Cloud services and web applications managed by that service.