The KuppingerCole Leadership Compass provides an overview of vendors and their product or service offerings in a certain market segment. This Leadership compass focuses on the market segment of Identity Provisioning. While there are many vendors that have integrated offerings, combining Access Governance and Identity Provisioning into what today frequently is named IGA (Identity Governance and Administration), others continue offering separate products for the two areas of IGA or cover only one of the two.
More important, still many customers are looking either for an Identity Provisioning solution with only baseline Access Governance capabilities or they focus on Access Governance. The latter can be the case if they already have Identity Provisioning in place or when their starting point is Access Governance. Some of the scenarios we observe in the market are based on service infrastructures, where Access Governance is run by the organization itself, while fulfillment through Identity Provisioning is a managed service. Reality is that there are various scenarios and many customers that either only need Identity Provisioning or Access Governance, but not a combined solution.
Therefore, we decided to create three distinct Leadership Compass documents in that area:
- LC Identity Provisioning: This Leadership Compass focuses on solutions with strong support for Identity Provisioning. We expect some baseline Access Governance capabilities. However, we also look at complete IGA offerings if they have strong Identity Provisioning support.
- LC Access Governance: Here, the focus is on Access Governance capabilities, with only the required integration into Identity Provisioning tools. Again, we also look at complete IGA offerings if they have strong Access Governance capabilities.
- LC Identity Governance and Administration: In the third Leadership Compass, our focus is only on offerings that are strong in both their Identity Provisioning and their Access Governance capabilities. This includes single product offerings, but also offerings that are combinations of separate offerings from the same vendor and, in combination, deliver strong IGA capabilities.
These three LCs are complemented by two other Leadership Compass documents. One focuses on comprehensive IAM suites, which add further capabilities such as Privilege Management, Enterprise SSO, Identity Federation and Web Access Management to IGA in integrated offerings. The other focuses on IGA for SMBs (small and medium businesses), which have different requirements on IGA solutions than large organizations commonly have.
With the various LCs, we provide customers the information they need to select vendors based on their specific use cases, whether these are IGA-driven, provisioning-driven, or e.g. focused on one comprehensive, integrated IAM suite.
1.1 Market Segment
Identity Provisioning is, despite the rise of integrated IGA offerings, one of the core segments of the overall IAM market – and it is an essential part of IGA anyway. Identity Provisioning is about provisioning identities and access entitlements to target systems. This includes creating and managing accounts in such connected target systems and associating the accounts with groups, roles, and other types of administrative entities to enable entitlements and authorizations in the target systems. Identity Provisioning is about automating these tasks, based on defined processes for creating, updating, and deleting identity-related information in the target systems. Despite the emergence of Access Governance solutions that focus on Access Request Management, Access Recertification, or SoD (Segregation of Duties) management and enforcement, Identity Provisioning remains a core capability of IAM infrastructures.
Identity Provisioning products are commonly organized around some key components:
- Workflow engine for supporting request and approval processes and automation of the management of identities and access
- Connectors that allow interfacing with a variety of target systems
- Connector toolkits for rapidly adding custom connectors
- Identity repository, managing the links between the identities managed by the provisioning system and the accounts in the connected systems
- Reconciliation engine for identifying unauthorized changes in target systems
- User self-services for e.g. password resets and managing their own identities
- Delegated administration capabilities
Most solutions also provide some level of Access Governance capabilities. However, for this Leadership Compass, we only looked at very baseline capabilities in that area, not expecting sophisticated features.
It is impossible to understand Identity Provisioning complexity without having a quick look backward. Most historical Identity Provisioning products in the market date back to the late 1990’s and early 2000’s. They were designed back then and have evolved over time. That was the time of central authentication repositories and meta-directories, and the area of three-tier web architectures. In fact, those years fit with the explosion of distributed systems which IT departments had to handle. On the one hand the number of systems (servers, desktops, applications, network hardware, etc.) to control was growing exponentially, while the number of skilled system administrators wasn’t growing at the same rate.
On the other hand, the number of requests from business units to add new users, grant privileges, enforces policies etc. was exploding. Finally, everything had to be executed faster and faster and served at a lower cost.
As a result, early Identity Provisioning systems were designed to help automate systems administration of IT. Before Identity Provisioning, it was common to wait days or even weeks for a user to get an account on a mainframe or network resource or application. With Identity Provisioning, business owners became able to serve end-user requests almost in real time from a small web interface, this without asking the permission of any mainframe or network administrator.
For those reasons, the first Identity Provisioning systems started to focus on connectivity with targeted systems: how to populate a user on an IBM-3270, how to enable someone on Cisco's VPN. Obviously as soon as the system administration bottleneck was handled, the problem moved to the next level. As it was now simple to grant access to any resource, users had accounts on multiple systems, and the issue moved from “how do I grant access to John on this or that system?” to “how do I control what John has access to?”. To verify that grants were given on purpose, Identity Provisioning introduced the concept of workflow to verify authorizations before accepting a request. Then, to keep track of allocated resources, a central repository was built, coupled with a reconciliation engine.
Finally, as requests were now handled directly by business owners or end-users, traditional command lines became a “no go” option and a friendly graphical UI became one of the most important components of any Identity Provisioning implementation.
Identity Provisioning has changed over the years. But Identity Provisioning still is an essential capability for organizations, not only for managing user accounts and their access in on premises systems, but also in cloud services. Whether such solutions are implemented isolated, as pure-play Identity Provisioning, or in combined offerings, depends on the current IT infrastructure, the IT service and delivery model, and the specific requirements of the customer. But some form of Identity Provisioning is inevitable for any mid-sized and large IT infrastructure.