Identity as a Service: Single Sign-On to the Cloud (IDaaS SSO)
Leaders in innovation, product features, and market reach for Identity as a Service offerings targeting Single Sign-On to the Cloud for all types of users, with primary focus on cloud services but some support for on-premise web applications. Your compass for finding the right path in the market.
The KuppingerCole Leadership Compass provides an overview of vendors and their product or service offerings in a certain market segment. This Leadership compass focuses on the market segment of Identity as a Service which delivers a Single Sign-On experience to users, with a focus on Single Sign-On to cloud services, but not limited to these. In short, we named this segment IDaaS SSO.
1.1 Market Segment
The IDaaS market has evolved over the past few years and is still growing, both in size and in the number of vendors. However, under the umbrella term of IDaaS, we find a variety of offerings. IDaaS in general provides Identity & Access Management and Access Governance capabilities as a service, ranging from Single Sign-On to full Identity Provisioning and Access Governance for both on-premise and cloud solutions. Solutions also vary in their support for different groups of users such as employees, business partners, and customers, their support for mobile users, and their integration capabilities back to on-premise environments.
For that purpose, we have split the IDaaS market into three distinct market segments. Some vendors serve two or all three segments with their IDaaS services, while others focus on a single segment. The three IDaaS market segments in the KuppingerCole definition are:
- IDaaS SSO: IDaaS focused on providing a Single Sign-On experience to users. While the primary focus is on providing access for employees to cloud services, we also look for support for other groups of users such as business partners and customers, for mobile users, and for downstream SSO back to on-premise applications. Formerly, we referred to this market segment as “Cloud User and Access Management”.
- IDaaS B2E: IDaaS focused on providing Identity Provisioning and Access Governance for on-premise environments, commonly complemented by Identity Federation capabilities and, based on these, at least baseline support for Single Sign-On to cloud services. These services provide a significantly stronger level of integration back to on-premise environments and should deliver Access Governance capabilities, in contrast to IDaaS SSO solutions. A significant portion of these offerings is delivered in Managed Service deployment models, in contrast to full SaaS models. B2E stands for Business-to-Employee, providing functionality focused on employee-centric IAM, but delivered from the cloud. Formerly, we referred to this market segment as “Cloud IAM & IAG”.
- IDaaS Digital: This is a rather new segment, with “Digital” standing for solutions that support the emerging requirements organizations are facing in the Digital Transformation. Such solutions must provide strong support for both customers and business partners and should support more complex interaction and functionality, which can include IoT (Internet of Things) support, secure information sharing capabilities, and others.
All three market segments are covered in separate Leadership Compass documents. Mid-term, we expect to see some convergence. However, there will remain vendors focusing only on certain of these markets, e.g. delivering Cloud SSO capabilities for SMBs or at a departmental level, in contrast to the enterprise-level solutions required for both IDaaS B2E and IDaaS Digital.
1.2 Delivery models
Several vendors provide offerings that can be better described as Managed Services than as Software as a Service (SaaS) offerings. Pure-play SaaS solutions are multi-tenant by design. Customers can easily onboard, usually as simply as booking online and paying with a credit card. On the other side, Managed Service offerings are run independently per tenant. The criteria for considering solutions for this Leadership Compass are based on the customer perspective: from that perspective, two aspects are of highest relevance – elasticity of the service and a pay-per-use license model. If these criteria are met, we include the offerings in our evaluation.
1.3 Required Capabilities
For the segment of IDaaS SSO, at a high level we expect support for the following feature sets:
- Outbound Federation and Single Sign-On, providing access to Cloud services and web applications. This also includes Cloud Provisioning, i.e. the ability to provision users to Cloud services.
- Directory Services for managing the users: These services must provide massive scalability, enabling organizations to deal efficiently not only with their employees, but potentially with millions of customers. They also must provide a highly flexible schema (data structure) that allows managing different types of users and their respective attributes, but also managing relationships between various objects within the directory. Relying just on existing on-premise directory services limits the flexibility and scalability of these services.
- Authentication support, allowing configuration of the authentication requirements, step-up authentication based on risk and context, etc. We also expect to see significant support for upcoming standards that allow flexibly relying on existing strong authentication methods, such as the FIDO Alliance standard.
- Access Management capabilities that allow configuring flexible policies for controlling access to Cloud service and web applications. Beyond just granting access, the ability for at least coarse-grained authorization management is a key capability for IDaaS SSO.
- Inbound Federation and Self-Registration: While inbound federation support focuses on the rapid on-boarding of users from business partners that already have an Identity Federation infrastructure in place, self-registration capabilities are mandatory for other business partners and customers. Identity Federation will also gain momentum in the customer space as organizations rely on external Identity Providers.
Beyond these capabilities, we see a couple of other feature sets that can add to these services. This includes Access Request portals, allowing users to request access to additional services. It includes the capability for providing access to on-premise applications, which remain in use in most organizations, thus delivering a comprehensive SSO experience beyond just cloud services.
IDaaS SSO also must provide integration with on-premise directories such as Microsoft Active Directory, allowing employees to access the Cloud services and web applications managed by the service.
When evaluating the services, besides looking at the aspects of
- overall functionality
- size of the company
- number of customers
- number of developers
- partner ecosystem
- licensing models
- core features of IDaaS SSO
we considered a series of specific features. These include:
- Approach to integrating back to on-premise IAM environments, for instance Microsoft Active Directory.
- Onboarding of externals: Approach and flexibility in onboarding of external users, including configurable workflows and flexible authentication schemes.
- Location of datacentres: Location and operation of datacentres, including regional datacentres, e.g. in Europe, and the question of whether the company owns datacentres or relies on partners.
- Breadth and depth of APIs for managing, configuring and customizing the services.
- Built-in reporting capabilities and integration with on-premise Access Governance solutions or SIEM (Security Information and Event Management) solutions.
- Number of preconfigured cloud services for rapid provisioning.
- Depth of pre-configuration: Approach to pre-configuration of cloud services, i.e. level of detail (e.g. only authentication or advanced control of entitlements in these services).
- Granularity of access controls: Granularity of access control policies for cloud services that can be configured in these applications.
- Support for strong authentication mechanisms and adaptive authentication, including features such as step-up authentication.
- Support for established and upcoming industry standards and engagement in standards initiatives.
- Baseline cloud capabilities: These include elasticity, flexibility in upgrades, etc., but also service levels and support.
- Other features, e.g. business continuity assurance, auditability, and overall security features.
The support for these functions is added to our evaluation of the products. We’ve also looked at specific USPs (Unique Selling Propositions) and innovative features of products which distinguish them from other offerings available in the market. Among the innovative features in scope are:
- Support for new standards such as UMA (User Managed Access) and FIDO Alliance standards.
- Flexible, graphical workflow engines for adaptation, e.g. of self-registration processes.
- Advanced cloud provisioning capabilities including, but not limited to, SCIM standard support.
- A comprehensive and consistent set of REST-based APIs.
- Self-service interfaces including access request for all common customer requirements.
- Flexible support for authentication mechanisms.
- Mobile management capabilities.
Please note that we have only listed major features here, but looked at a variety of other capabilities as well when evaluating and rating the various IDaaS SSO services.