Leadership Compass

Access Management and Federation

This Leadership Compass provides insights to the leaders in innovation, product features, and market reach for Web Access Management and Identity Federation on-premises platforms. Your compass for finding the right path in the market.

Martin Kuppinger

mk@kuppingercole.com

Richard Hill

rh@kuppingercole.com

1 Introduction

With the growing demand of business for tighter communication and collaboration with external parties such as business partners and customers, IT has to provide the technical foundation for such integration. Web Access Management and Identity Federation are critical technologies for that evolution. They enable organizations to manage access both from and to external systems, including cloud services, in a consistent way. Organizations have to move forward towards strategic approaches to enabling that integration, in support of the Connected and Intelligent Enterprise.

While Web Access Management technologies are well established, and Identity Federation has also been around for years, we have observed tremendous growth in interest and adoption of these technologies over the past years. Customers – and specifically their business departments – are requesting solutions for emerging business requirements such as the onboarding of business partners, customer access to services, access to cloud services, and many more. IT has to react and create a standard infrastructure for dealing with all the different requirements of communication and collaboration in the Extended and Connected Enterprise. As a consequence, Access Management and Federation are moving from tactical IT challenges towards strategic infrastructure elements that enable business agility.

There are many vendors in that market segment. Most of them provide solutions for both Web Access Management and Identity Federation. The major players in that market segment are covered within this KuppingerCole Leadership Compass.

This Leadership Compass provides an overview and analysis of the Web Access Management and Identity Federation market segment, sometimes referred to as Access Management/Federation. The sole focus is on solutions that are available on premises, even while we consider the fact that several of these solutions also are offered as cloud services. This can be valuable to customers if they want to start on-premises and gradually move to the cloud.

Technologies typically support both Web Access Management as a gateway approach, sitting in front of standard applications and doing authentication and authorization for backend applications, and Identity Federation. Identity Federation is strategically the more important concept; however, support of existing applications frequently favors the use of traditional Web Access Management. In addition, some Access Management solutions add features such as self-registration of users. Others also add Reverse Proxy capabilities and, based on this, Web Application Firewall functionality, which we consider as an important and valuable add-on to the core features in-scope of this document.

Overall, the breadth of functionality is increasing. Support for social logins such as Facebook or Google+, standard support for established Cloud Service Providers, and the support for new federation and related standards such as OAuth 2.0, OpenID Connect or UMA are just some of the examples for features increasingly common for this type of product.

The entire market segment is relatively mature but still evolving, and we expect to see more changes within the next few years. However, given the surging demand of businesses, organizations now have to start with implementing a standard infrastructure for (Web) Access Management and Federation. This KuppingerCole Leadership Compass provides an overview of the leading vendors in that market segment.

Besides the established vendors providing complete IAM (Identity and Access Management) product portfolios, there are some smaller vendors with interesting offerings and also specialists that purely focus on that part of the overall IAM (Identity and Access Management) market.

Picking solutions always requires a thorough analysis of customer requirements and a comparison with product features. Leadership does not always mean that a product is the best fit for a particular customer and their requirements. However, this Leadership Compass will help with identifying those vendors that customers should look at more closely.

1.1 Market Segment

Access Management and Identity Federation are frequently still seen as separate segments in the IT market. However, when looking at the business problems to be solved, these technologies are inseparable. The business challenge to solve is how to support the growing “Connected and Intelligent Enterprise”. Business demands support for business processes incorporating external partners and customers. They demand access to external systems and rapid onboarding of externals for controlled and compliant access to internal systems. They request access to external services such as Cloud services, as well as capabilities to use their acquired access data to drive intelligence within their systems. Mobile devices add further pressure, as a changing workforce expects to work from anywhere on any device. IT has to provide an infrastructure for this increasingly connected and intelligent enterprise, both for incoming and outgoing access; both for customers and other externals such as business partners; as well as for existing and new on-premise applications, cloud services, and mobile devices.

Figure 12: The Computing Troika pushes organizations to create an IT Infrastructure that goes beyond the perimeter of the organization.

Various drivers have led to this situation. At the core is the need for agility in a complex competitive landscape. Business models have to adapt more rapidly than ever before. Supply chains include more suppliers and become increasingly more complex, with reduced vertical integration in manufacturing. Organizations also need to react more rapidly to new attack vectors that are continually changing. Customers today expect vendors’ systems to provide the intelligent access capabilities needed to combat these new threats. The changing workforce is also changing the idea that access to an organization’s resources can only be performed on-premises, breaking down the traditional perimeter model. While organizations have always faced challenges with changing IT environments, the density and pace of change has increased, as has the need for IT support of a more Connected and Intelligent Enterprise.

All of these trends affect today’s IT. The Computing Troika of Cloud, Mobile, Social, and Intelligent Computing stands for a shift towards an open, integrated enterprise that extends beyond the perimeter of the organization itself. Whether you tend to name this the Connected Enterprise or opt for Intelligent Enterprise does not matter. It is about the need for connecting and intelligently adapting today’s on-premise IT with the outer world in various ways.

Figure 13: Supporting the Connected and Intelligent Enterprise helps organizations address major business challenges.

Various technologies support all the different requirements customers are facing today. The requirements are:

  • Use Cloud Services: Enabling an organization to flexibly use cloud services, with maximum control of the internal and external identities using this service and the access rights they have.
  • Device Form Factors: Support for the increasing number of different device form factors used in the enterprise, including desktops, tablets, mobile phones, and IoT devices.
  • Access Business Partner Systems: Enable your employees to have controlled access to business partner systems with flexible onboarding and full compliance; ensure that you meet the liability agreements etc. that you have with your business partners.
  • Collaborate in Industry Networks: Participate in industry networks such as healthcare professional networks, allowing the re-use of identities on such networks and the controlled access by your employees to the network as well as by network members to your systems.
  • Support new Working Models: Support new working models with freelancers, mobile workers, and other forms of collaboration that allow them to work from anywhere using any device.
  • Changing Attack Vectors: Provide IT security solutions that can quickly adapt and react to new forms of attacks using intelligent access controls.
  • Onboarding of Business Partners: Allow your business partners to flexibly access your systems in a controlled, compliant way.
  • Customer Interaction: Integrate your customers, support different types of identities such as social logins and self-registered identities, and extend your business processes to the customer.

Enabling this shift in IT from the traditional, internal-facing approach towards an open IT infrastructure supporting the Connected and Intelligent Enterprise requires various new technologies. Amongst these technologies are new types of cloud-based directory services, various other types of Cloud services including Cloud Identity Services, and improved technologies for authentication and authorization, such as risk- and context-based Access Management, also sometimes called “adaptive” authentication and authorization. However, the foundation is Access Management and Identity Federation which allows managing access to applications.

(Web) Access Management is a rather traditional approach that puts a layer in front of web applications that takes over authentication and – usually coarse-grained – authorization management. That type of application also can provide services such as HTTP header injection to add authorization information to the HTTP header that is then used by the backend application. Tools are increasingly supporting APIs for authorization calls to the system.
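The gateway model described above, as an added example that is not code from the report or from any vendor covered in it: a minimal Web Access Management layer modelled as pure functions so it runs offline. The session store, the prefix-based policy, and the `X-Remote-User`/`X-Remote-Roles` header names are all constructed for this example. The security-relevant detail it shows is that the gateway must strip any identity headers the client sent before injecting its own; otherwise a caller could claim an identity the backend would trust.

```python
"""Added example: a minimal Web Access Management gateway that authenticates
a request, applies coarse-grained path-based authorization, and injects
identity headers for the backend. Everything here is constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed session store: cookie value -> (user, roles)
SESSIONS: Dict[str, Tuple[str, Set[str]]] = {
    "sess-alice": ("alice", {"employee", "finance"}),
    "sess-bob": ("bob", {"partner"}),
}

# Coarse-grained policy, first matching prefix wins:
# URL prefix -> role required (None means any authenticated user)
POLICY = [
    ("/finance/", "finance"),
    ("/partner/", "partner"),
    ("/", None),
]

# Headers the gateway injects. The backend must accept them only from the
# gateway, and the gateway must never forward client-supplied copies.
IDENTITY_HEADERS = ("X-Remote-User", "X-Remote-Roles")
_IDENTITY_HEADERS_LOWER = {h.lower() for h in IDENTITY_HEADERS}


@dataclass
class Request:
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)


def authenticate(req: Request) -> Optional[Tuple[str, Set[str]]]:
    """Resolve the session cookie to an identity, or None if not logged in."""
    return SESSIONS.get(req.cookies.get("WAMSESSION", ""))


def authorize(path: str, roles: Set[str]) -> bool:
    """Coarse-grained check: does the first matching policy entry permit these roles?"""
    for prefix, required in POLICY:
        if path.startswith(prefix):
            return required is None or required in roles
    return False  # no policy entry matched: deny by default


def gateway(req: Request) -> Tuple[int, Optional[Request]]:
    """Return (status, request_to_forward). 401/403 carry no forwarded request."""
    identity = authenticate(req)
    if identity is None:
        return 401, None
    user, roles = identity
    if not authorize(req.path, roles):
        return 403, None
    # Strip client-supplied identity headers (HTTP header names are
    # case-insensitive, so compare lower-cased), then inject the gateway's own.
    forwarded = {k: v for k, v in req.headers.items()
                 if k.lower() not in _IDENTITY_HEADERS_LOWER}
    forwarded["X-Remote-User"] = user
    forwarded["X-Remote-Roles"] = ",".join(sorted(roles))
    return 200, Request(req.path, forwarded, {})


if __name__ == "__main__":
    spoof = Request("/finance/q1", {"x-remote-user": "admin", "Accept": "text/html"},
                    {"WAMSESSION": "sess-alice"})
    print(gateway(spoof))
```

The deny-by-default return in `authorize` matters less here because the `/` entry matches everything, but keeping it means removing that catch-all entry fails closed rather than open.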

Identity Federation, on the other hand, allows splitting authentication and authorization between an IdP (Identity Provider) and a Service Provider (SP) or Relying Party (RP). The communication is based on protocols. Backends need to be enabled for Identity Federation in one way or another, sometimes by using the Web Access Management tool as the interface. Identity Federation can be used in various configurations, including federating from internal directories and authentication services to Cloud Service Providers or between different organizations.
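The IdP/RP split described above, as an added example that is not from the report or any vendor's product: an Identity Provider issues a signed token and a Relying Party validates it before trusting the identity. The token is JWT-shaped and signed with HS256 using a shared secret, which is constructed here; real federations use signed SAML assertions or asymmetrically signed OpenID Connect ID tokens, but the checks the RP performs (signature, issuer, audience, expiry, nonce) are the same. Issuer and audience URLs are placeholders.

```python
"""Added example: IdP issues a signed token, RP validates every claim that
binds the token to this RP and this login attempt. Secret and URLs are
constructed placeholders, not values from any real deployment."""
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional, Tuple, Union

SHARED_SECRET = b"constructed-demo-secret-not-for-production"
IDP_ISSUER = "https://idp.example.test"      # placeholder IdP identifier
SP_AUDIENCE = "https://sp.example.test"      # placeholder RP identifier


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _sign(signing_input: str) -> bytes:
    return hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()


def idp_issue_token(subject: str, nonce: str, now: Optional[int] = None, ttl: int = 300) -> str:
    """IdP side: authenticate the user (assumed done) and issue a signed token."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": IDP_ISSUER, "aud": SP_AUDIENCE, "sub": subject,
              "iat": now, "exp": now + ttl, "nonce": nonce}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    return signing_input + "." + _b64url(_sign(signing_input))


def sp_validate_token(token: str, expected_nonce: str,
                      now: Optional[int] = None) -> Tuple[bool, Union[str, Dict[str, Any]]]:
    """RP side: return (True, claims) or (False, reason). Signature is checked
    before any claim is parsed, so untrusted content is never acted on."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    h, c, s = parts
    if not hmac.compare_digest(_sign(f"{h}.{c}"), _b64url_decode(s)):
        return False, "bad signature"
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        return False, "unexpected alg"           # never let the token pick the algorithm
    claims = json.loads(_b64url_decode(c))
    if claims.get("iss") != IDP_ISSUER:
        return False, "untrusted issuer"
    if claims.get("aud") != SP_AUDIENCE:
        return False, "wrong audience"           # token issued for a different RP
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return False, "expired"
    if claims.get("nonce") != expected_nonce:
        return False, "nonce mismatch"           # replay or mixed-up login flow
    return True, claims


if __name__ == "__main__":
    tok = idp_issue_token("alice", nonce="n-123", now=1000)
    print(sp_validate_token(tok, "n-123", now=1100))
```

The audience check is the one most often skipped in home-grown RPs; without it, a token a user legitimately obtained for one service can be presented to another service that trusts the same IdP.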

Thus, these services are the foundation for enabling the various customer requirements mentioned above – enabling the Connected and Intelligent Enterprise without support for Access Management/Federation will not work.

In other words: These technologies are enabling technologies for business requirements such as agility, compliance, innovation (for instance by allowing new forms of collaboration in industry networks or by adding more flexibility in the R&D supply chain), and the underlying collaboration & communication.

Figure 14: Dealing with all types of user populations will require adaptive authentication and federation/SSO.

The Connected Enterprise means that organizations have to deal with more and larger user populations than ever before. Beyond the employees and some externals that have been so far managed in internal systems, more business partners, customers, and even potential customers are being added. They require access to systems, either on-premise or in the cloud. While some of the digital identities representing these persons are managed in the organization’s internal directories, others will be federated in from external Identity Providers or managed by employing Cloud Directories.

Identity Federation in particular is thus essential for any organization. It allows the enterprise to deal with external identities and all the different user populations.

Figure 15: Federation and Web Access Management are essential technologies to connect all types of users to all types of applications.

Web Access Management, on the other hand, comes into play when managing access to on-premise applications that do not support Identity Federation. While some vendors support lightweight integration to Identity Federation for such applications, in many cases customers will still rely on an upstream layer for authentication and authorization provided by a Web Access Management solution.

Based on our view on the market and the current demand, we opted for looking at both traditional Web Access Management and Identity Federation features in this Leadership Compass document. This view is underpinned by the fact that a number of vendors already have integrated their formerly separate offerings into a single product or at least a tightly integrated suite. A few vendors either only support Identity Federation or still deliver two separate products. In the latter case, we have combined the separate products in our rating.

1.2 Delivery models

The focus of this Leadership Compass is on on-premise solutions. We also see a growing number of cloud services providing, in particular, Identity Federation capabilities, but also traditional Web Access Management features. However, many customers still focus on on-premise products for this area. Notably, most of the providers covered in this Leadership Compass also have cloud-based offerings, either based on the product covered in the Leadership Compass or as a separate product. This Leadership Compass only rates available cloud/SaaS (Software as a Service) versions as a positive feature, enabling customers to gradually switch to a SaaS approach.

Purely cloud-based offerings are covered in other KuppingerCole Leadership Compass documents, in particular, the Leadership Compass on Cloud User and Access Management, which includes companies such as Okta, OneLogin, Microsoft with their Azure Active Directory, and many more.

1.3 Required Capabilities

When evaluating the products, besides looking at the aspects of

  • overall functionality
  • size of the company
  • number of customers
  • number of developers
  • partner ecosystem
  • licensing models
  • platform support

we also considered several specific features. These include:

  • Federation Inbound: Inbound federation that allows organizations to accept credentials from third-party services like partner organizations or social networking services. Clearly one of the most important criteria is the support for federation standards and related protocols such as SAML 2.0 and OAuth 2.0.
  • Federation Outbound: Outbound federation that allows organizations to access external services such as SaaS applications, cloud providers, and partner services. Support for single sign-on as well as federation standards and their related protocols such as SAML 2.0 and OAuth 2.0 is also needed.
  • Backend integration: Besides supporting federation-enabled backends, there is a need for supporting existing applications. Integration with such applications, be it through APIs, HTTP header injection, or other technologies, is an important criterion for this analysis.
  • Adaptive Authentication: Adaptive authentication is increasingly becoming an expected capability. Support for WAM integration and interoperability via SSO is important, as well as support for multiple authenticators, the ability to perform real-time risk analysis of behavioral and environmental factors, and the degree to which it integrates with security intelligence and forensic systems.
  • Registration: Registration has become more important than before; this includes user self-registration, self-maintenance of attributes, and bulk provisioning.
  • User Stores/Directories: Here we are looking at the breadth and flexibility of support for user stores such as directory services that can be used by the Web Access Management and IdP capabilities of the products. We also look for support of virtual directory services, allowing for flexibly combining various user stores. It also includes capabilities for supporting strong and flexible (versatile) authentication of users.
  • Security models: Both the internal security model of the tools and the ability for fine-grain, secure management of access policies of users are important features for products in this category.
  • Deployment models: In today’s IT environments, flexibility in deployment models is of high importance. We looked at support for soft appliance, hard appliance, and Cloud/MSP deployment models.
  • Customization: The less you need to code and the more you can configure, the better – that’s the simple equation we took into account around customization. However, we also looked for features like a transport system to segregate development, test, and production environments. Notably, copying configuration files does not count for a transport system.
  • Multi-tenancy: Given the increasing number of SaaS deployments, but also specific requirements in multi-national and large organizations, support for multi-tenancy is highly recommended.

The support for these functions is added to our evaluation of the products. We’ve also looked at specific USPs (Unique Selling Propositions) and innovative features of products which distinguish them from other offerings available in the market.
