Leadership Compass

Identity Provisioning

Leaders in innovation, product features, and market reach for Identity Provisioning. Delivering the capabilities for managing accounts and entitlements across heterogeneous IT environments on premises and in the cloud. Your compass for finding the right path in the market.

Martin Kuppinger

mk@kuppingercole.com

1 Introduction

The KuppingerCole Leadership Compass provides an overview of vendors and their product or service offerings in a certain market segment. This Leadership Compass focuses on the market segment of Identity Provisioning. While many vendors have integrated offerings that combine Access Governance and Identity Provisioning into what is today frequently called IGA (Identity Governance and Administration), others continue to offer separate products for the two areas of IGA, or cover only one of the two.

More importantly, many customers are still looking either for an Identity Provisioning solution with only baseline Access Governance capabilities, or they focus on Access Governance. The latter can be the case if they already have Identity Provisioning in place or when their starting point is Access Governance. Some of the scenarios we observe in the market are based on service infrastructures, where Access Governance is run by the organization itself, while fulfillment through Identity Provisioning is a managed service. The reality is that there are various scenarios and many customers that need either only Identity Provisioning or only Access Governance, but not a combined solution.

Therefore, we decided to create three distinct Leadership Compass documents in that area:

  • LC Identity Provisioning: This Leadership Compass focuses on solutions with strong support for Identity Provisioning. We expect some baseline Access Governance capabilities. However, we also look at complete IGA offerings if they have strong Identity Provisioning support.
  • LC Access Governance: Here, the focus is on Access Governance capabilities, with only the required integration into Identity Provisioning tools. Again, we also look at complete IGA offerings if they have strong Access Governance capabilities.
  • LC Identity Governance and Administration: In the third Leadership Compass, our focus is only on offerings that are strong in both their Identity Provisioning and their Access Governance capabilities. This includes single product offerings, but also offerings that are combinations of separate offerings from the same vendor and, in combination, deliver strong IGA capabilities.

These three LCs are complemented by two other Leadership Compass documents. One focuses on comprehensive IAM suites, which add further capabilities such as Privilege Management, Enterprise SSO, Identity Federation and Web Access Management to IGA in integrated offerings. The other focuses on IGA for SMBs (small and medium businesses), which have different requirements on IGA solutions than large organizations commonly have.

With the various LCs, we provide customers the information they need to select vendors based on their specific use cases, whether these are IGA-driven, provisioning-driven, or e.g. focused on one comprehensive, integrated IAM suite.

1.1 Market Segment

Identity Provisioning is, despite the rise of integrated IGA offerings, one of the core segments of the overall IAM market – and it is an essential part of IGA anyway. Identity Provisioning is about provisioning identities and access entitlements to target systems. This includes creating and managing accounts in such connected target systems and associating the accounts with groups, roles, and other types of administrative entities to enable entitlements and authorizations in the target systems. Identity Provisioning is about automating these tasks, based on defined processes for creating, updating, and deleting identity-related information in the target systems. Despite the emergence of Access Governance solutions that focus on Access Request Management, Access Recertification, or SoD (Segregation of Duties) management and enforcement, Identity Provisioning remains a core capability of IAM infrastructures.

Identity Provisioning products are commonly organized around some key components:

  • Workflow engine for supporting request and approval processes and automation of the management of identities and access
  • Connectors that allow interfacing with a variety of target systems
  • Connector toolkits for rapidly adding custom connectors
  • Identity repository, managing the links between the identities managed by the provisioning system and the accounts in the connected systems
  • Reconciliation engine for identifying unauthorized changes in target systems
  • User self-services for e.g. password resets and managing their own identities
  • Delegated administration capabilities

Most solutions also provide some level of Access Governance capabilities. However, for this Leadership Compass, we only looked at very baseline capabilities in that area, not expecting sophisticated features.

It is impossible to understand the complexity of Identity Provisioning without a quick look backward. Most historical Identity Provisioning products in the market date back to the late 1990s and early 2000s. They were designed back then and have evolved over time. That was the time of central authentication repositories and meta-directories, and the era of three-tier web architectures. In fact, those years coincided with the explosion of distributed systems which IT departments had to handle. On the one hand, the number of systems (servers, desktops, applications, network hardware, etc.) to control was growing exponentially, while the number of skilled system administrators wasn’t growing at the same rate.

On the other hand, the number of requests from business units to add new users, grant privileges, enforce policies etc. was exploding. Finally, everything had to be executed faster and faster and served at a lower cost.

As a result, early Identity Provisioning systems were designed to help automate IT systems administration. Before Identity Provisioning, it was common to wait days or even weeks for a user to get an account on a mainframe, network resource, or application. With Identity Provisioning, business owners became able to serve end-user requests almost in real time from a small web interface, without having to ask the permission of any mainframe or network administrator.

For those reasons, the first Identity Provisioning systems focused on connectivity with target systems: how to populate a user on an IBM-3270, how to enable someone on Cisco's VPN. Obviously, as soon as the system administration bottleneck was handled, the problem moved to the next level. As it was now simple to grant access to any resource, users had accounts on multiple systems, and the issue moved from “how do I grant access to John on this or that system?” to “how do I control what John has access to?”. To verify that grants were given on purpose, Identity Provisioning introduced the concept of workflow to verify authorizations before accepting a request. Then, to keep track of allocated resources, a central repository was built, coupled with a reconciliation engine.

Finally, as requests were now handled directly by business owners or end-users, traditional command lines became a “no go” option and a friendly graphical UI became one of the most important components of any Identity Provisioning implementation.

Identity Provisioning has changed over the years. But Identity Provisioning is still an essential capability for organizations, not only for managing user accounts and their access in on-premises systems, but also in cloud services. Whether such solutions are implemented in isolation, as pure-play Identity Provisioning, or in combined offerings, depends on the current IT infrastructure, the IT service and delivery model, and the specific requirements of the customer. But some form of Identity Provisioning is inevitable for any mid-sized or large IT infrastructure.

1.2 Delivery models

This Leadership Compass is focused on offerings that run on premises, either at the customer or at a Managed Service Provider (MSP). We do not look at IDaaS (Identity as a Service) offerings in this Leadership Compass.

KuppingerCole has published Leadership Compass documents on IDaaS, including IDaaS B2E, which is focused on IDaaS solutions supporting IGA for hybrid environments, delivered as a service.

1.3 Required Capabilities

When evaluating the products, we look, generally speaking, at the aspects of

  • overall functionality
  • size of the company
  • number of customers
  • number of developers
  • partner ecosystem
  • licensing models
  • traditional core features of Identity Provisioning

Within the area of functionality, the required capabilities are centered around the key components listed above:

  • Workflow support for request and approval processes
  • Workflow/process support for automating the management of identities and access, i.e. the flow of data back and forth from and to target systems
  • Tools that graphically support creating and customizing workflow
  • Breadth and depth of connectors that allow interfacing with a variety of target systems
  • Cloud connectors, adding provisioning support for common cloud services
  • Connector toolkits for rapidly adding custom connectors
  • Identity repository, managing the links between the identities managed by the provisioning system and the accounts in the connected systems
  • Customization of mapping rules between central identities and the accounts per target system
  • Reconciliation engine for identifying unauthorized changes in target systems
  • User self-services for e.g. password resets and managing their own identities
  • Delegated administration capabilities
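Two of the components listed above, the identity repository with its per-target mapping rules and the reconciliation engine, are illustrated by the following added example. It is constructed for this document and is not code from any vendor's product; the identities, the mapping rule, and the target-system snapshot are sample data, and the attribute names follow a generic Active Directory-style target purely for illustration.

```python
# Central identities as held in the provisioning system's identity repository
# (constructed sample data, not from any real deployment).
IDENTITIES = {
    "u1001": {"given": "Jane", "family": "Doe", "dept": "Finance", "roles": {"ap-clerk"}},
    "u1002": {"given": "Raj", "family": "Patel", "dept": "IT", "roles": {"helpdesk"}},
}

def map_to_ad_account(uid, ident):
    """Mapping rule: derive the account a central identity *should* have in one
    target system. Rules like this are what per-target customization refers to."""
    sam = (ident["given"][0] + ident["family"]).lower()[:20]
    groups = {"G-" + r.upper() for r in ident["roles"]} | {"G-" + ident["dept"].upper()}
    return {"sAMAccountName": sam, "employeeID": uid, "groups": groups}

# Snapshot read from the target by a connector (constructed): u1002 received an
# extra group outside the provisioning process, and "svc_old" is linked to no identity.
AD_SNAPSHOT = {
    "jdoe": {"sAMAccountName": "jdoe", "employeeID": "u1001", "groups": {"G-AP-CLERK", "G-FINANCE"}},
    "rpatel": {"sAMAccountName": "rpatel", "employeeID": "u1002",
               "groups": {"G-HELPDESK", "G-IT", "G-SERVER-ADMINS"}},
    "svc_old": {"sAMAccountName": "svc_old", "employeeID": None, "groups": {"G-IT"}},
}

def reconcile(identities, snapshot, mapper):
    """Compare expected accounts (repository + mapping rule) with the target snapshot.
    Returns (finding_type, subject, detail) tuples for the workflow engine to act on."""
    findings = []
    by_employee = {a["employeeID"]: a for a in snapshot.values() if a["employeeID"]}
    for uid, ident in identities.items():
        expected = mapper(uid, ident)
        actual = by_employee.get(uid)
        if actual is None:
            findings.append(("missing_account", uid, expected["sAMAccountName"]))
            continue
        extra = actual["groups"] - expected["groups"]
        if extra:  # entitlement granted in the target, not through provisioning
            findings.append(("unauthorized_entitlement", uid, tuple(sorted(extra))))
        lacking = expected["groups"] - actual["groups"]
        if lacking:  # provisioning did not land, or was reverted in the target
            findings.append(("missing_entitlement", uid, tuple(sorted(lacking))))
    for name, acct in snapshot.items():
        if acct["employeeID"] not in identities:  # orphan: no owner in the repository
            findings.append(("orphan_account", name, None))
    return findings

if __name__ == "__main__":
    for finding in reconcile(IDENTITIES, AD_SNAPSHOT, map_to_ad_account):
        print(finding)
```

Whether a finding is corrected automatically (re-applying the expected state) or routed through an approval workflow is a policy decision each product exposes differently.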

Beyond that, we also considered some specific features. These include, amongst others:

  • Heritage of connectors
    Having connectors as OEM components or provided by partners is considered a risk for ongoing support and available know-how at the vendor.
  • ESB interfaces
    Having interfaces to ESBs (Enterprise Service Bus) adds architectural options for integrating Identity Provisioning with existing systems and for connecting to target systems.
  • SRM interfaces
    We expect that systems provide out-of-the-box integration to leading SRM (Service Request Management) systems for manual fulfilment of provisioning requests.
  • SPML/SCIM support
    Support for these two standards (Service Provisioning Markup Language/ System for Cross-domain Identity Management) and in particular SCIM is recommended.
  • Deployment models
    Supporting different deployment models like hard/soft appliances and optional MSP services gives customers a broader choice.
  • Customization
    Systems that require little or no coding and that support scripting or, if programming is required, a range of programming languages, are preferred. Here we also look for transport mechanisms between development, test, and production environments, and the ability to keep customizations unchanged after upgrades.
  • Mobile interfaces
    Secure apps providing access to certain key capabilities of the product.
  • Authentication mechanisms
    We expect Identity Provisioning systems to support different types of authentication to the system, including strong authentication options, to limit the risk of fraud using these systems.
  • Internal security model
    All systems are required to have a sufficiently strong and fine-grained internal security model.
  • Multi-tenancy
    Given the increasing number of cloud deployments, but also specific requirements in multi-national and large organizations, support for multi-tenancy is highly recommended.
  • Baseline Access Governance
    Provisioning should be feasible based on role concepts and with support for the definition of SoD rules (Segregation of Duties), despite the fact that Access Governance tools are increasingly used on top of Identity Provisioning.
  • Shopping cart paradigm
    This approach is popular for simplifying the access request management process by presenting requests in a shopping-cart style that is familiar to users.

The support for these functions is added to our evaluation of the products. We’ve also looked at specific USPs (Unique Selling Propositions) and innovative features of products which distinguish them from other offerings available in the market.
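The baseline Access Governance item above, role-based provisioning with SoD rules, is illustrated by the following added example. It is constructed for this document, not taken from any product: the role catalogue, the entitlement names and the two SoD rules are sample data. The rules are expressed at the entitlement level rather than as pairs of role names, so a conflict is still caught when roles are restructured.

```python
# Constructed role catalogue: role -> entitlements it provisions in target systems.
ROLE_ENTITLEMENTS = {
    "ap-clerk":    {"erp:create-vendor", "erp:enter-invoice"},
    "ap-approver": {"erp:approve-payment"},
    "helpdesk":    {"ad:reset-password"},
}

# Constructed SoD rules: a rule is violated when one person holds every
# entitlement in its toxic combination, regardless of which roles grant them.
SOD_RULES = [
    ("SOD-01", frozenset({"erp:enter-invoice", "erp:approve-payment"})),
    ("SOD-02", frozenset({"erp:create-vendor", "erp:approve-payment"})),
]

def effective_entitlements(roles):
    """Flatten a set of roles into the entitlements that would be provisioned."""
    ents = set()
    for role in roles:
        ents |= ROLE_ENTITLEMENTS[role]
    return ents

def evaluate_request(current_roles, requested_roles, rules=SOD_RULES):
    """Evaluate an access request before fulfilment. Requests that create an SoD
    conflict are routed to an explicit approval step instead of being auto-fulfilled."""
    combined = set(current_roles) | set(requested_roles)
    ents = effective_entitlements(combined)
    hits = [rule_id for rule_id, toxic in rules if toxic <= ents]
    return ("route_to_approver" if hits else "auto_fulfil"), hits

if __name__ == "__main__":
    print(evaluate_request({"ap-clerk"}, {"helpdesk"}))
    print(evaluate_request({"ap-clerk"}, {"ap-approver"}))
```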
