Leadership Compass

Identity as a Service: Cloud-based Provisioning, Access Governance and Federation (IDaaS B2E)

Leaders in innovation, product features, and market reach for Identity as a Service offerings targeting full Identity and Access Management and Governance capabilities for employees in hybrid environments, but also delivering Single Sign-On to the Cloud and providing support for other groups of users. Your compass for finding the right path in the market.

Martin Kuppinger


1 Introduction

The KuppingerCole Leadership Compass provides an overview of vendors and their product or service offerings in a certain market segment. This Leadership compass focuses on the market segment of Identity as a Service offerings targeting full Identity and Access Management and Governance capabilities for employees in hybrid environments, but also delivering Single Sign-On to the Cloud and providing support for other groups of users. In short, we named this segment IDaaS B2E for the solutions focusing on employees and the enterprise.

1.1 Market Segment

The IDaaS market has evolved over the past few years and is still growing, both in size and in the number of vendors. However, under the umbrella term of IDaaS, we find a variety of offerings. IDaaS in general provides Identity & Access Management and Access Governance capabilities as a service, ranging from Single Sign-On to full Identity Provisioning and Access Governance for both on-premise and cloud solutions. Solutions also vary in their support for different groups of users – such as employees, business partners, and customers – their support for mobile users, and their integration capabilities back to on-premise environments.

For that purpose, we have split the IDaaS market into three distinct market segments. Some vendors serve two or all three segments with their IDaaS services, while others focus on a single segment. The three IDaaS market segment in the KuppingerCole definition are

  • IDaaS SSO: IDaaS focused on providing a Single Sign-On experience to users. While the primary focus is on providing access for employees to cloud services, we also look for support of other groups of users such as business partners and customers, for mobile users, and for downstream SSO back to on-premise applications. Formerly, we referred to this market segment as “Cloud User and Access Management”.
  • IDaaS B2E: IDaaS focused on providing Identity Provisioning and Access Governance for on-premise environments, commonly complemented by Identity Federation capabilities and, based on these, at least baseline support for Single Sign-On to cloud services. These services provide a significantly stronger level of integration back to on-premise environments and should deliver Access Governance capabilities, in contrast to IDaaS SSO solutions. A significant portion of these offerings is delivered in Managed Service deployment models, in contrast to full SaaS models. B2E stands for Business-to-Employee, providing functionality focused on employee-centric IAM, but delivered from the cloud. Formerly, we referred to this market segment as “Cloud IAM & IAG”.
  • IDaaS Digital: This is a rather new segment, with “Digital” standing for solutions that support the emerging requirements organizations are facing in the Digital Transformation. Such solutions must provide strong support for both customers and business partners and should support more complex interaction and functionality, which can include IoT (Internet of Things) support, secure information sharing capabilities, and others.

All three market segments are covered in separate Leadership Compass documents. Mid-term, we expect to see some convergence. However, there will remain vendors focusing only on certain of these markets, e.g. delivering Cloud SSO capabilities for SMBs or at a departmental level, in contrast to the enterprise-level solutions required for both IDaaS B2E and IDaaS Digital.

1.2 Delivery models

Several vendors provide offerings that can be better described as Managed Services than as Software as a Service (SaaS) offerings. Pure-play SaaS solutions are multi-tenant by design. Customers can easily onboard, usually as simple as booking online and paying with a credit card. On the other side, Managed Service offerings are run independently per tenant. The criteria for considering solutions for this Leadership Compass are based on the customer perspective: From that perspective, two aspects are of highest relevance: Elasticity of the service and a pay-per-use license model. If these criteria are met, we include offerings in our evaluation.

Notably, many of the solutions we have covered in this Leadership Compass are based on traditional on-premise offerings, but delivered in SaaS style models. On the other hand, a couple of vendors in this market segment have created pure-play SaaS offerings from scratch. This might become a decision criterion for some customers.

1.3 Required Capabilities

For the segment of IDaaS SSO, at a high level we expect support for the following feature sets:

  • Support for hybrid infrastructures; in contrast to IDaaS SSO solutions, which are targeted at cloud services, IDaaS B2E must serve the hybrid environments that are the norm for organizations. Features supporting the management of on-premise applications, from SSO to provisioning, or tight integration with on-premise tools, are. Thus, expected.
  • Identity Provisioning capabilities are rated at a higher level than for IDaaS SSO. We expect good support for both cloud services and on-premise environments.
  • Access Governance features, at least at a baseline level, are expected as well. This includes advanced auditing capabilities, but also might cover access review, SoD (Segregation of Duties) controls, and other more advanced features.
  • Outbound Federation and Single Sign-On, providing access to Cloud services and web applications. This also includes Cloud Provisioning, i.e. the ability to provision users to Cloud services.
  • Directory Services for managing the users: These services must provide massive scalability, enabling organizations to deal efficiently not only with their employees, but potentially with millions of customers. They also must provide a highly flexible schema (data structure) that allows managing different types of users and their respective attributes, but also managing relationships between various objects within the directory. Relying just on existing on-premise directory services limits the flexibility and scalability of these services.
  • Authentication support, allowing configuration of the authentication requirements, step-up authentication based on risk and context, etc. We also expect to see significant support for upcoming standards that allow flexibly relying on existing strong authentication methods, such as the FIDO Alliance standard.
  • Access Management capabilities that allow configuring flexible policies for controlling access to Cloud service and web applications. Beyond just granting access, the ability for at least coarse-grained authorization management is a key capability for IDaaS B2E.
  • Inbound Federation and Self-Registration: while inbound federation support focuses on the rapid on-boarding of users from business partners that already have an Identity Federation infrastructure in place, self-registration capabilities are mandatory for other business partners and customers. Identity Federation will also gain momentum in the customer space, when relying on external Identity Providers.

IDaaS B2E also must provide integration with on-premise directories such as the Microsoft Active Directory, allowing employees to access the Cloud services and web applications managed by that service.

When evaluating the services, besides looking at the aspects of

  • overall functionality
  • size of the company
  • number of customers
  • number of developers
  • partner ecosystem
  • licensing models
  • core features of IDaaS SSO

We also considered a series of specific features. These include:

  • On-premise integration: Approach to integrating back to on-premise IAM environments, for instance Microsoft Active Directory.
  • Onboarding of externals: Approach and flexibility in onboarding of external users, including configurable workflows and flexible authentication schemes.
  • Location of datacentres: Location and operation of the datacentre, including regional datacentres, e.g. in Europe, and the question of whether the company owns datacentres or relies on partners.
  • APIs: Breadth and depth of APIs for managing, configuring and customizing the services.
  • Reporting capabilities: Built-in reporting capabilities and integration with on-premise Access Governance solutions or SIEM (Security Information and Event Management) solutions.
  • Preconfigured services: Number of preconfigured cloud services for rapid provisioning.
  • Depth of pre-configuration: Approach to pre-configuration of cloud services, i.e. level of detail (e.g. only authentication or advanced control about entitlements in these services).
  • Granularity of access controls: Granularity of access control policies for cloud services that can be configured in these applications.
  • Strong authentication: Support for strong authentication mechanisms and adaptive authentication, including features such as step-up authentication.
  • Standards support: Support for established and upcoming industry standards and engagement in standards initiatives.
  • Baseline cloud capabilities: These includes elasticity, flexibility in upgrades, etc., but also service levels and support.
  • Cloud security: These features include, for example, business continuity assurance, auditability, and overall security features.

The support for these functions is added to our evaluation of the products. We’ve also looked at specific USPs (Unique Selling Propositions) and innovative features of products which distinguish them from other offerings available in the market. Among the innovative features in scope, there are

  • Support for new standards such as UMA (User Managed Access) and FIDO Alliance standards.
  • Flexible, graphical workflow engines for adaptation, e.g. of self-registration processes.
  • Advanced cloud provisioning capabilities, including but not limited to SCIM standard support.
  • A comprehensive and consistent set of REST-based APIs.
  • Self-service interfaces including access request for all common customer requirements.
  • Flexible support for authentication mechanisms.
  • Mobile management capabilities.

Please note, that while we only listed major features, we looked at a variety of other capabilities as well when evaluating and rating the various IDaaS B2E services.

Continue reading...
Read the full report and get access to KuppingerCole Research for 4 weeks.
Start Your Free Trial
Already a subscriber? Click here to login.