Leadership Compass

Access Management 2022

This Leadership Compass provides up-to-date insights into the leaders in innovation, product features, and market reach for Access Management on-premises, cloud, and hybrid platforms. Your compass for finding the right path in the market.

Richard Hill


1 Introduction / Executive Summary

Access Management refers to the group of capabilities targeted at supporting an organization's access management requirements traditionally found within Web Access Management & Identity Federation solutions, such as Authentication, Authorization, Single Sign-On, and Identity Federation.
These access management capabilities are well-established areas in the broader scope of IAM (Identity and Access Management). They are continuing to gain traction due to emerging requirements for integrating business partners and customers.

Web Access Management (WAM) & Identity Federation started as distinct offerings. (Web) Access Management is a traditional approach that puts a layer in front of web applications that takes over authentication and – usually coarse-grained – authorization management. Also, tools increasingly support APIs for authorization calls to the system. Identity Federation, on the other hand, allows splitting authentication and authorization between an IdP (Identity Provider) and a Service Provider (SP) or Relying Party (RP). Although Identity Federation can be used in various configurations, most vendors today provide integrated solutions that support centralized access management based on federation protocols such as SAML v2, OAuth, and OIDC.

Over the years, vendors have made significant changes to their product architecture to make them cloud-ready while extending to on-premises applications. These methods include delivering a single sign-on (SSO) experience to users across multiple websites and allowing for centralized user management, authentication, and access control.

These technologies are enabling technologies for business requirements such as agility, compliance, innovation (for instance, by allowing new forms of collaboration in industry networks or by adding more flexibility in the R&D supply chain), and the underlying partnership & communication.

Figure 10: The enterprise requires access to systems, either on-premise or in the cloud, for all types of user populations

Although traditional on-premises Access Management solutions have focused on WAM & Identity Federation solutions in the past, KuppingerCole sees a convergence of this market with Access Management-focused IDaaS solutions. Therefore, this Leadership Compass considers Access Management solutions deployed on-premises, in the cloud, or as a hybrid model. Solutions offered as a managed service are also considered when the technology is owned by the MSP (Managed Service Provider).

1.1 Market Segment

Access Management and Identity Federation should not be seen as separate segments in the IT market; rather, these technologies are inseparable. The business challenge is to support the increasingly growing "Connected and Intelligent Enterprise." Businesses require support for both external partners and customers. They need access to external systems, rapid onboarding, and the ability to request access to external services such as cloud services. Mobile devices are needed for organizations to support their workforce's desires to work anywhere from any device. These are only a few of the challenges organizations must face today.

Figure 11: The increasingly connected enterprise ecosystem

The Access Management market provides a number of options to organizations. The IDaaS market, with its ease of adoption and cloud-native integrations, is slowly overtaking the on-premises IAM market. At the same time, the IDaaS market continues to evolve. As an alternative to organizations managing the Access Management solutions themselves, some vendors provide offerings described as Managed Services, whether on-premises or Software as a Service (SaaS) offerings. There’s a varying level of support available from Access Management vendors to manage CIAM functions that support requirements for managing and complying with data sharing and privacy regulations, such as consumer notification and consent management.

The support for open identity standards continues to shape the direction of Access Management implementations. Some of the most popular authentication and identity federation standards include support for LDAP, Kerberos, OpenID, OAuth, SAML, and RADIUS. Organizations with a need for dynamic authorization management might require support for XACML or UMA. User provisioning services commonly require support for SCIM. And having access to the Access Management solution's functionality via APIs or other programmable interfaces will go a long way in keeping your IAM flexible and sustainable. API-based platforms typically require a developer-ready solution, providing API toolkits such as widgets or SDKs that facilitate rapid development.

Access Management continues to evolve beyond the traditional capabilities seen in the past. Increasingly, we see Access Management solutions that provide security for APIs becoming more readily available, driven by the need to meet emerging IT requirements that include hybrid environments spanning on-premises, the cloud, and even multi-cloud environments. And although Fraud Detection solutions, also referred to as Fraud Reduction Intelligence Platforms (FRIP), are often considered a different market with separate offerings, there has been a noticeable uptick in Access Management solutions providing some level of Fraud Detection capabilities. Examples range from the detection of identity fraud through Identity Proofing to the detection of unauthorized account takeover, response mechanisms, or support for user and device profiling. More recently, there has been some indication of, and interest in, Access Management support for Verifiable Credentials. This Leadership Compass evaluates and reports on the level of Fraud Detection and Verifiable Credentials support for each vendor, giving the reader an indication of the extent of this trend in the Access Management market.

Besides these technical capabilities, we also evaluate participating Access Management vendors on the breadth of supported capabilities, operational requirements such as support for high availability and disaster recovery, strategic focus, partner ecosystem, quality of technical support, and the strength of market understanding and product roadmap. Another area of emphasis is providing Access Management capabilities out-of-the-box, rather than delivering functionality partially through 3rd party products or services. Finally, we also assess their ability to deliver a reliable and scalable Access Management service with desired security, UX, and TCO benefits.

1.2 Delivery Models

Increasingly there is a clear trend in the market to move Access Management solutions from an on-premises delivery model to a cloud delivery model. And even though vendors are helping customers to make this transition easier, there will still be valid reasons that organizations will need to maintain an on-premise presence, such as the continued use of legacy and sometimes in-house developed custom systems, among other reasons. Because of this, it is safe to assume that a hybrid delivery model will be a viable option for the foreseeable future. Therefore, this Leadership Compass will consider all delivery models.

Although all delivery models are looked at in this Leadership Compass, it is worth considering each delivery model's pros and cons against the use cases for Access Management solutions. For instance, some customers still focus on on-premise products due to specific internal organizational reasons such as security policy requirements. It is also good to be aware that public cloud solutions are generally multi-tenant, while some cloud services are single-tenant. Other approaches use container-based microservice deployments to provide consistent delivery of a vendor's solution, whether cloud-hosted or on-premises. An alternative approach is a managed service, in which the responsibility for maintaining an organization's Access Management is outsourced to a Managed Service Provider. Ultimately, selecting the right Access Management solution delivery model will depend on the customer requirements and their use cases.

1.3 Required Capabilities

When evaluating the products, we start by looking at standard criteria such as:

  • overall functionality
  • size of the company
  • number of customers
  • number of developers
  • partner ecosystem
  • licensing models
  • platform support

Each of the features and criteria listed above will be considered in the product evaluations below. We’ve also looked at specific USPs (Unique Selling Propositions) and innovative product features that distinguish them from other market offerings.

When looking at this market segment, we evaluate solutions that support a broad range of features that span the Access Management capabilities within the portfolios of a wide range of vendors in the market. Aside from the baseline Access Management characteristics such as federation, authentication, authorization, reporting, etc., we expect to see at least some of the capabilities listed in the required qualifications below as necessary features. Furthermore, Access Management solutions must support centralized management of user access to various types of applications and services and the overall configuration of the solution itself.

Features such as mobile support, governance, integration with ITSM solutions, or analytics, and intelligent capabilities are also considered but are not mandatory for this category of products. However, delivering a very comprehensive set of capabilities will influence our ratings. In the case of fraud detection, the level of ability will be measured and reported but weighted to a lesser extent.

Expected features include, amongst others:

  • Authentication, including:
    • Flexible support for different types of authenticators
    • Strong authentication (e.g., 2FA, MFA)
    • Risk- and context-based authentication
    • Adaptive, step-up, and continuous authentication
    • Passwordless Authentication
    • Device Authentication (e.g., IoT)
    • Toolkits for adding additional authenticators
  • Authorization and Policy Management
  • Password Management
  • Session Management (e.g., Single Sign-On, Secure Token Translation, etc.)
  • Identity Federation
    • Support for inbound and outbound federation
    • Including broad support for federation standards and related standards
    • Support for non-federation-enabled applications
  • Support for a broad range of deployment models, including on-premise deployments
  • Integration to existing directory services
  • Support for access protocols (OAuth, OIDC, etc.) and open identity standards such as FIDO
  • Support for user self-service
  • User onboarding and registration
  • Centralized management of users, authorization policies, dashboards, reporting, etc.
  • Some level of access to the solution's capabilities via APIs
  • API Security
  • Security Orchestration
  • Support for audit, forensics, compliance, and reporting
  • Solution architecture (e.g., how modern the architecture and the technologies used are)
  • Support for Administrators and DevOps

We expect solutions to cover a majority of these capabilities at least at a good baseline level.

Other capabilities are highly valued and considered but not quite mandatory for this category of products. However, delivering a very comprehensive set of capabilities will influence our ratings:

  • Mobile support
  • API Security
  • Access management automation
  • Analytics and access intelligence
  • Fraud detection
  • Security orchestration
  • Managing access to Container repository/registry
  • Integration with ITSM solutions
  • Integrations with threat intelligence solutions
  • Access Governance
  • Verifiable Credential support

Inclusion criteria:

  • A baseline level of support for the capabilities listed above
  • On-premises, cloud, or hybrid solutions
  • Support for both Access Management & Identity Federation capabilities
  • IAM suites providing a comprehensive feature set for Access Management and Identity Federation

Exclusion criteria:

  • Point solutions that support only isolated capabilities, such as 2FA or Enterprise SSO-centric solutions, but offer little support for the other expected features
  • MSP solutions that are based on technology of other vendors, with the MSP not owning the IP on the technology
  • Vendors without active deployments at customers (e.g., start-ups in stealth mode) will not be considered.
  • Solutions that lack a comprehensive set of APIs will not be considered.

We’ve reached out to a large number of vendors to provide a comprehensive overview of the current state of the market. In the end, picking the right vendor will always depend on your specific requirements and the current and future IT landscape that will be managed.
