Identity API Platforms
Identity API Platforms expose APIs to capabilities ranging from IAM to Federation and more while supporting both the agile and DevOps paradigms that address the more complex IT environments seen today. This Leadership Compass will give you an overview of and insights into the Identity API Platform market, providing you with a compass to help you find the product that you need.
Many different factors are driving Digital Transformation in the market today. One factor is the change in how businesses interact with their consumers, which requires changes in the services they provide to their customers. Another factor is more on the technical side: the implementation of new Digital Services has become more complex due to the different environments and the many integration points to consider. This is driving the rapidly growing demand for exposing and consuming APIs. APIs are enabling organizations to create new business models and connect with partners and customers while providing a seamless experience by linking systems and services together.
These changes in how services expose and consume APIs are also enabling agile paradigms and DevOps by providing a well-defined set of APIs to security services, instead of creating identity and security (and other) services in each and every application again and again. One of the most common use cases we currently see is around Digital Services for customers that are created against “identity backends”. Although the concept and use of Application Programming Interfaces (APIs) have been around for quite some time, the availability of IAM and its associated APIs has grown into a new market segment that KuppingerCole calls Identity API Platforms in this Leadership Compass. To understand how or why this new Identity API Platforms market segment has developed, it may be helpful to look at how IAM has changed over time.
Traditionally, the IT environment has run within the walls of the organization's perimeter. IAM solutions were more monolithic and centralized, and identities were managed and stored on-premises. Local access control systems were used to ensure employees had access to just the resources they needed through authentication and authorization, with the ability to audit user access.
And then we started to see federation hubs, or bridges, that extended the reach of where identity and access controls reside. Federation allowed for the secure exchange of user information between divisions within organizations or between organizations in the same sector. Single sign-on (SSO) systems gave users the ability to authenticate once, not only across multiple IT systems but across organizations too.
Cloud services gave organizations new options for IT, motivated by the business need to increase IT flexibility and scalability while reducing cost. The IDaaS umbrella covers many capabilities: not only traditional IAM but also capabilities ranging from SSO to full Identity Provisioning.
As organizations began reaching out to customers and gathering information about the consumers who are using their products and services, they found that they needed to provide a better digital experience. This improved user experience manifested through the use of consumers' mobile devices or social networks and through an easier onboarding experience for consumers. But they also needed to be concerned about privacy compliance such as GDPR or PSD2.
Now we are beginning to see Identity API Platforms becoming available. This market is driven by the need to meet emerging IT requirements such as hybrid environments that span on-premises, cloud, and even multi-cloud environments, supporting the different functional requirements of IAM, Federation, IDaaS and CIAM, as well as the ability to select these market segment capabilities a la carte as needed. Exposing key functionality via APIs allows for workflow and orchestration capabilities across environments as well as better DevOps support through automation. Another critical characteristic of Identity API Platforms is their focus on being developer-centric. In a nutshell, IAM is continuing to evolve to meet the growing list of IAM requirements.
1.1 Market Segment
Identity API Platforms share many of the same capabilities seen in the IAM, CIAM, IDaaS, and Adaptive Authentication/Consumer Authentication market segments. In fact, many offerings in the market today serve multiple segments. Although there are crossover capabilities between these segments, Identity API Platforms must support the basic functionality of identity and user management, authentication, authorization, and support for auditing. Other capabilities can be added to Identity API Platforms based on the solution's target market use cases, such as capabilities found in CIAM to support consumers like user consent management workflows, federation in IDaaS, or more intelligent authentication as seen with Adaptive Authentication, as well as support for compliance and access governance offered by IGA solutions. Beyond these capabilities, evolving requirements such as IoT, workflows and orchestration, DevOps, and API security functionality are also taken into account.
Where Identity API Platforms diverge from the COTS solutions offered in the past is defined by the use cases of Identity API Platforms. Identity API Platform use cases focus on vendors that allow their customers to build their identity backend for defined services through APIs, whether on-premises, in the cloud or in hybrid environments. Other Identity API Platform use cases are targeted at organizations that, due to the complexity of internal processes and other operational reasons, are looking to build their own C/IAM platform or to automate or enhance existing IAM capabilities. Also, where traditional turn-key COTS solutions are primarily UI driven, Identity API Platform use cases require that the solution is developer ready and can provide anything in the range from COTS API Toolkits, such as widgets and SDKs that facilitate rapid development, to a pure API platform.
Since Identity API Platforms are developer-centric, useful online developer portals with proper API documentation and code examples are all needed to build a good developer ecosystem.
This Leadership Compass focuses on those Identity API Platforms that provide a higher percentage of their IAM, CIAM, and IDaaS capabilities via API. All use cases (IAM, CIAM, IDaaS) should support APIs for core functionality at a minimum. Support for more advanced and modern technologies such as risk/context-based authentication and authorization, biometrics, mobile support, and graph-based APIs, to name a few, is evaluated in the ratings as well.
Picking solutions always requires a thorough analysis of customer requirements and a comparison with product features. Leadership does not always mean that a product is the best fit for a particular customer and their needs. However, this Leadership Compass will help to identify those vendors that customers should look at more closely.
1.2 Delivery models
Since most of the solutions covered in our rating are designed to offer comprehensive Identity API Platform capabilities regardless of the location of the IT environment, we considered all delivery models in this Leadership Compass, which includes on-premises, private cloud, public cloud, multi-cloud, and hybrid deployment environments.
Although all delivery models are looked at, it is worth considering the pros and cons of each delivery model against the use case for Identity API Platforms. For instance, an ideal Identity API Platform that can serve smaller use cases while also integrating, e.g., identities of a company across all the digital services should be delivered in such a way that allows setting up instances of the service immediately. Also, it is good to be aware that in most cases public cloud solutions are multi-tenant, while some cloud services are actually single-tenant. Other approaches use container-based deployments to provide consistent delivery of a vendor’s solution, whether cloud-hosted or on-premises. Ultimately, selecting the right Identity API Platform delivery model will depend on the customer requirements and their use cases.
1.3 Required Capabilities
When evaluating the products, besides looking at the aspects of
- overall functionality
- size of the company
- number of customers
- number of developers
- partner ecosystem
- licensing models
- platform support
we also considered several specific features. These functional areas, which are reflected in the spider charts for each company in Chapter 5.1, include:
- Identity & User Mgmt APIs
APIs that allow for the management of identities and user account management, including associated directory services and databases.
- Authentication APIs
Authentication method support via APIs within the range of username/password to biometrics and anything in between. Also, consideration of SSO and session management availability.
- Authorization APIs
APIs that control user or administrator permission/access rights to resources such as policy management, RBAC, or dynamic authorization.
- Audit & Compliance APIs
APIs that support monitoring of a user’s access to resources, or administrators' changes to the system, as well as APIs that provide auditing and forensic capabilities to aid in, for example, industry compliance use cases and security incident analysis.
- Workflow & Orchestration APIs
APIs that allow for the automation of workflows such as access requests, user self-registration or user consent, or the orchestration of more than one workflow or activity.
- API security
A solution’s ability to secure APIs against hacker attacks and other threats using methods such as encryption, rate limiting, content filtering, and schema validation.
- DevOps APIs
APIs that provide IT environment support options for both developers and the operations team with their tools, automation, and continuous integrations.
- API Developer Support
The vendor's ability to support the developers using the solution's APIs through documentation, tutorials, and tools as well as a knowledge base and a community support platform for developers.
In our effort to cover most aspects of Identity API Platforms in this Leadership Compass, we are not covering the following products or elements of product functionality:
- Products that strictly require UI interaction to use, control or configure their Identity product services
- APIs used only internally by the vendor company or product
- APIs used for managing specific partners only and their accounts (e.g. billing)
- Products that have a limited set of APIs that fail to meet the minimum required IAM functionality