Forrester Research, Inc., 60 Acorn Park Drive, Cambridge, MA 02140 USA
Tel: +1 617.613.6000 | Fax: +1 617.613.5000 | www.forrester.com
The Forrester Wave™: B2E Cloud IAM, Q2 2015
by Andras Cser and Merritt Maxim, June 29, 2015
For: Security & Risk Professionals
Key Takeaways
OneLogin And Okta Lead The Pack
Forrester’s research uncovered a market in which OneLogin and Okta lead the pack.
Centrify, Microsoft, SailPoint, Salesforce, Ping Identity, and IBM offer competitive
options. Bitium lags behind.
The B2E Cloud IAM Market Is Growing As S&R Pros Look For Simplicity, SSO, And Directory Integration
The B2E cloud IAM market is growing because more S&R professionals see IDaaS as a
way to address their top IAM challenges without the long deployment times of legacy
IAM products. It’s also growing because S&R pros increasingly trust B2E cloud IAM
providers to act as a backbone for employee IAM to SaaS and on-premises apps.
API Security, Mobile Support, And Installed Base Are Key Differentiators In The B2E Cloud IAM Market
Vendors that can provide API security and API-based integration for the Internet of
Things and mobile single sign-on, and that can grow their installed base faster, position
themselves to successfully deliver faster IAM time to value to their customers.
Access The Forrester Wave Model For Deeper Insight
Use the detailed Forrester Wave model to view every piece of data used to score
participating vendors and create a custom vendor shortlist. Access the report online and
download the Excel tool using the link in the right-hand column under “Tools & Templates.”
Alter Forrester’s weightings to tailor the Forrester Wave model to your specifications.
© 2015, Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available
resources. Opinions reflect judgment at the time and are subject to change. Forrester®, Technographics®, Forrester Wave, RoleView, TechRadar,
and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. To
purchase reprints of this document, please email clientsupport@forrester.com. For additional information, go to www.forrester.com.
Why Read This Report
In Forrester’s 17-criteria evaluation of B2E cloud identity and access management (IAM) vendors, we
identified the nine most significant SaaS providers in the category — Bitium, Centrify, IBM, Microsoft,
Okta, OneLogin, Ping Identity, SailPoint, and Salesforce — and researched, analyzed, and scored them.
This report details our findings about how well each vendor fulfills our criteria and where they stand in
relation to each other to help security and risk (S&R) professionals select the right partner for their B2E
cloud IAM, also known as identity-as-a-service (IDaaS), needs.
Table Of Contents
Cloud IAM Reduces Complexity And Cost, Removes Barriers To Adoption
Two Types Of Vendor Offerings Compete For Your Attention
An SSO Portal, SAML Support, And Mobile Access Support Are Table Stakes Features
Vendors’ Future Plans Include Provisioning And Access Governance
B2E Cloud IAM Evaluation Overview
Evaluation Criteria: Current Offering, Strategy, And Market Presence
Included Vendors Offer Cloud IAM As A True SaaS Service And AD Authentication
OneLogin And Okta Lead The Pack
Vendor Profiles
Leaders
Strong Performers
Contenders
Supplemental Material
Notes & Resources
Forrester conducted product evaluations in March 2015 and interviewed 36 vendor and user companies, including Bitium, Centrify, IBM, Microsoft, Okta, OneLogin, Ping Identity, SailPoint, and Salesforce.
Related Research Documents
Brief: Top 10 IAM Trends From The RSA Conference 2015
The Forrester Wave™: Identity And Access Management Suites, Q3 2013
The Forrester Wave™: Risk-Based Authentication, Q1 2012
The Forrester Wave™: B2E Cloud IAM, Q2 2015
The Nine Providers That Matter Most And How They Stack Up
by Andras Cser and Merritt Maxim
with Stephanie Balaouras, Josh Blackborow, and Peggy Dostie
Cloud IAM Reduces Complexity And Cost, Removes Barriers To Adoption
In our Forrester Wave evaluation and conversations with S&R pros and vendors, Forrester found
that B2E cloud IAM has completely transformed the IAM market landscape. Why? It’s because
cloud IAM:
■	Allows S&R pros to manage employee identities across cloud environments. As both
business and technology leaders have eagerly adopted software-as-a-service (SaaS) such as
Salesforce, ServiceNow, and Workday, the task of managing identities and controlling access
to some of the firm’s most sensitive data fell to the security team.1 Luckily, cloud IAM came to
the rescue: Not only did it provide a unified view of user access to SaaS applications but it also
provided a single portal for employees to access these SaaS applications.
■	Limits complexity of IAM solutions. Historically, when S&R pros sought to deploy an
on-premises IAM solution, they insisted on solutions that could support 100% of their
brick-and-mortar legacy requirements.2 This resulted in implementations with a high
degree of customization and, of course, cost; stories of IAM projects turning into mini ERP
projects deterred firms from building out IAM solutions in earnest. Cloud IAM challenged
this mentality and ultimately succeeded in changing the deployment approach. From the
beginning, cloud IAM vendors started out with a simple set of capabilities: those focused on
offering employee single sign-on (SSO) into SaaS applications. As the only real viable option
for managing access across these cloud apps, S&R pros had to accept a simpler approach that
focused on essential requirements.
■	Reduces license and ongoing maintenance costs. Many vendors offer pay-as-you-go and
metered pricing models, which means that S&R pros are not hit by large, upfront per-user
perpetual license costs. It also offers flexibility; S&R pros can scale the number of users and
applications up or down as needed during their contract with the vendor. In addition, because
security teams need only manage IAM policies and are no longer encumbered with the
operational responsibilities of maintaining the solution itself, they need far fewer employees for
maintenance.3 For many small and medium businesses that can’t afford four to five employees
to support an on-premises IAM solution, cloud IAM is the answer. Even large enterprises are
evaluating cloud IAM solutions in the hopes of converting spend from capex to opex.
■	Offers support for legacy apps on-premises as well as for SaaS applications. Provisioning
and controlling access to cloud applications is but one challenge. S&R pros must still manage
IAM for a plethora of legacy on-premises apps. Vendors have listened: Now they offer an on-
premises component as part of their cloud IAM solution so that S&R pros can enable employees
to authenticate against Active Directory (AD) on-premises and access on-premises applications
without having to use the VPN. However, in customer interviews, Forrester found that today
20% of organizations use IDaaS for IAM to on-premises applications, while 80% of organizations
use IDaaS to manage access to SaaS applications.
■	Supports SSO from and on mobile devices cost-effectively. S&R pros have to provide a
repeatable security framework for their developers so that they can focus on achieving the
business goals of their custom mobile applications and not have to worry about details of mobile
application SSO and even management. Cloud IAM vendors recognized this need and now
provide basic enterprise mobility management solutions (similar to mobile device management
and mobile application management), as well as simple SSO for mobile applications, built on the
emerging OpenID-based Native Applications Working Group (NAPPS) standard.4
Two Types Of Vendor Offerings Compete For Your Attention
This Forrester Wave focuses on business-to-enterprise (B2E) cloud IAM solutions. These solutions
provide access to SaaS applications and on-premises legacy web applications for the enterprise
workforce (e.g., employees and contractors). When evaluating the B2E cloud IAM vendor landscape,
Forrester found that solutions bifurcate into two types of offerings:
■	Vendors with an on-premises IAM pedigree offer capable B2E cloud IAM solutions. IBM,
Microsoft, and Ping Identity built cloud front ends to their existing, robust, and capable on-
premises IAM solutions. Although these solutions provide very extensive policy authoring
features, especially for access management, they require a somewhat larger effort to initially
implement and maintain.
■	Born-in-the-cloud B2E cloud IAM vendors offer simple and faster-to-implement solutions.
Bitium, Centrify, Okta, OneLogin, and Salesforce solutions were born in the cloud and don’t
have any background in on-premises solutions. As a result, solutions of this type may not offer
the same depth of policy management capabilities that the on-premises pedigree vendors do.
There are, of course, exceptions in every category: SailPoint developed its solution for the cloud,
but it also contains intellectual property from the company’s on-premises IdentityIQ access
governance product.
Forrester evaluated both of these types of vendors in this Forrester Wave because our clients
frequently ask us about and evaluate both types of vendors.
An SSO Portal, SAML Support, And Mobile Access Support Are Table Stakes Features
During the Forrester Wave evaluation, Forrester identified several nondifferentiating solution
features. All evaluated vendors:
■	Provide a cloud-based portal for employees to access SaaS applications. With VPN use
decreasing, all B2E cloud IAM solutions offer a portal that employees can access with their AD
credentials. In the portal, they see icons for every SaaS application they are authorized to access
as part of their job. Group information from the user store can drive which applications users
have access to.
■	Allow S&R pros to install an optional on-premises agent for the user store. All solutions we
evaluated have either: 1) a Windows service component that S&R pros need to install on AD
domain controllers or 2) an identity router that they need to put into the demilitarized zone
(DMZ). These components allow for: 1) reading user passwords from AD and 2) the cloud IAM
solution writing changed passwords to AD when users reset or change their passwords.
■	Offer bidirectional SAML SSO and single logout support. All evaluated vendors offer
inbound and outbound SAML (consumer and producer) with support for custom attribute
value injection into the SAML assertion from the identity provider (IdP). All solutions support
the concept of a URL for single logout to terminate the user’s session.
■	Provide native iOS and Android mobile applications for login and 2FA. B2E cloud IAM
solutions offer optional mobile applications for: 1) storing AD credentials that enable the user to
establish a PIN code and allow users to log into their SaaS applications from the mobile device
and 2) two-factor authentication (2FA) for step-up or greater strength authentication into
sensitive, high-risk applications. Many of the vendors’ mobile applications provide support for
forgotten password recovery and limited device management as well.
Vendors’ Future Plans Include Provisioning And Access Governance
While examining the solutions and vendor road maps for this Forrester Wave, Forrester found that
vendors have plans for the following common enhancements:
■	Extended provisioning for both cloud and on-premises apps. Today’s cloud IAM solution
support for SaaS and on-premises business application provisioning is simplistic. It usually
involves the System for Cross-domain Identity Management (SCIM, also known as “Simple
Cloud Identity Management”) or Security Assertion Markup Language (SAML) Just-in-Time
(JIT) standards-based provisioning of users. However, the IDaaS solutions today do not offer
fine-grained entitlement support provisioning in a separate user authorization store and usually
do not automatically deprovision users. Similarly, these processes are not as robust when it
comes to removing or deprovisioning access as it often has to be done manually.
■	Built-in support for attestation campaigns. With the exception of SailPoint, today’s cloud IAM
solutions have only zero-to-minimal attestation campaign management and true enterprise
business role-mining for access governance. Forrester expects that future solutions will
increasingly incorporate these requirements.
■	Access request management workflow. Today’s fine-grained application access request
management workflow capabilities in cloud IAM solutions are limited and are not on par with
on-premises identity management platforms.5 Forrester expects that vendors will greatly expand
graphical workflow design (similar to what is already available in IBM Cloud Identity Service)
and selection of approvers and approval types (quorum, sequential optional, etc.).
■	User store support for IaaS workloads. Today’s user stores in cloud IAM solutions are only for
managing access to the cloud IAM portal itself; they provide no capabilities to manage access to
workloads in IaaS applications. In this case, cloud IAM vendors need to provide robust AD-like
directory services. While Amazon Web Services (AWS) and JumpCloud offer this capability today,
Forrester expects that leading cloud IAM vendors will support this requirement in the future.
■	Extensive mobile app access management with risk-based authentication. While Centrify,
IBM, and Microsoft offer bundled enterprise mobility management solutions with their cloud
IAM, Forrester expects that vendors will implement risk-based authentication capabilities
complete with risk scoring that support desktops and mobile devices. Vendors are also working
on creating a cross-mobile application SSO using the OpenID Connect NAPPS standard, and
increasingly looking at the FIDO UAF specification to separate the business process from the
registration and authentication logic in an application.6
B2E Cloud IAM Evaluation Overview
To assess the state of the B2E cloud IAM market and see how the vendors stack up against each
other, Forrester evaluated the strengths and weaknesses of B2E cloud IAM vendors.
Evaluation Criteria: Current Offering, Strategy, And Market Presence
After examining past research, user need assessments, and vendor and expert interviews, Forrester
developed a comprehensive set of evaluation criteria which we grouped into three high-level buckets:
■	Current offering. We evaluated how well solutions provide: 1) user directory support; 2) access
management policy administration; 3) user account provisioning policy administration; 4) end
user self-services from the solution’s web portal; 5) end user self-services from the solution’s
mobile application; 6) API security and solution APIs; and 7) reporting and scalability. We also
evaluated the overall complexity of solutions.
■	Strategy. We reviewed each vendor’s strategy to determine vendor differentiation in: 1) future
product development and market plans; 2) customer satisfaction with the solution; 3) security
implementation services and OEM partnerships; 4) development, sales, and technical support
staffing; 5) pricing flexibility and transparency; and 6) customer reference scale and coverage.
■	Market presence. To determine market presence, we considered the vendors’: 1) revenue; 2)
installed base; and 3) vertical and geographic presence of the evaluated vendor’s cloud IAM solution.
Included Vendors Offer Cloud IAM As A True SaaS Service And AD Authentication
In a very crowded market of IDaaS vendors, Forrester included nine vendors in the assessment:
Bitium, Centrify, IBM, Microsoft, Okta, OneLogin, Ping Identity, SailPoint, and Salesforce. Each of
these vendors had on or before December 16, 2014 (see Figure 1):
■	A productized and publicly announced, true multitenant SaaS B2E cloud IAM offering.
The vendor should have an announced, true multitenant SaaS (not hosted service) B2E cloud
IAM offering. In Forrester’s and its clients’ assessment, the cloud IAM solution should have a
primary focus on IAM for enterprise (internal employee) types of users. The vendor should
have a strategy focus on the B2E cloud IAM solution, which should not be a “me too” checkbox
solution in the vendor’s solution portfolio.
■	A B2E cloud IAM offering capable of authenticating users against on-premises AD. The
solution should be able to manage and authenticate users against an on-premises AD user store.
■	At least $1 million in B2E cloud IAM subscription revenues in 2014. The vendor should have
at least $1 million in true, B2E cloud IAM subscription revenues. Hosted IAM solutions do not
count against this number.
■	At least 40 paying customer organizations in production. The B2E cloud IAM offering should
have at least 40 paying customer organizations in production at the cutoff date.
■	A mindshare with Forrester’s customers on inquiries. Customers should mention the vendor’s
name in an unaided context (“We looked at the following vendors for B2E cloud IAM”) on
Forrester’s inquiries and other interactions.
■	A mindshare with other B2E cloud IAM competitive vendors. When Forrester asks other
vendors about their competition on briefings, inquiries, and other interactions, other vendors
should mention the vendor as a real competitor in the B2E cloud IAM market space.
Forrester invited CA Technologies, Dell, ForgeRock, Gemalto, JumpCloud, Microfocus/NetIQ,
Oracle, RadiantLogic, RSA, SecureAuth, and SwivelSecure to this Forrester Wave, but these vendors
opted out.
Figure 1 Evaluated Vendors: Product Information And Selection Criteria
Source: Forrester Research, Inc. Unauthorized reproduction, citation, or distribution prohibited.

| Vendor | Product evaluated |
|---|---|
| Bitium | Bitium Enterprise |
| Centrify | Centrify User Suite |
| IBM | IBM Cloud Identity Service |
| Microsoft | Microsoft Enterprise Mobility Suite |
| Okta | Okta Identity Management and Mobility Management Service |
| OneLogin | OneLogin |
| Ping Identity | PingOne |
| SailPoint | SailPoint IdentityNow |
| Salesforce | Salesforce Identity |

Vendor selection criteria
Has a productized and publicly announced, true multitenant SaaS B2E cloud IAM offering.
Has a B2E cloud IAM offering capable of authenticating users against on-premises AD.
Had at least $1 million in B2E cloud IAM subscription revenues in 2014.
Has at least 40 paying customer organizations in production.
Has mindshare with Forrester’s customers on inquiries.
Has mindshare with other B2E cloud IAM competitive vendors.
OneLogin And Okta Lead The Pack
The evaluation uncovered a market in which (see Figure 2):
■	OneLogin and Okta lead the pack. These vendors demonstrated broad capabilities for
user directory support, access policy administration, and a large catalog for supported SaaS
applications. They have also shown relative simplicity among the evaluated offerings and have a
large installed base.
■	Centrify, Microsoft, SailPoint, Salesforce, Ping Identity, and IBM offer competitive options.
These vendors offer credible and robust offerings and outstanding future road maps for the
solution. Their solution complexity, customer satisfaction, customer reference scale, and
coverage of implementation (in different combinations for different vendors) may be behind
those of the Leaders.
■	Bitium lacks broad installed base but has potential. While showing a lot of promise for the
future for a small company with only a handful of developers and sales people, offering a very
simple and easy-to-use solution, Bitium today lacks a notable installed base, broad coverage of
verticals, support for APIs, and end user self-service from the portal.
This evaluation of the B2E cloud IAM market is intended to be a starting point only. We encourage
clients to view detailed product evaluations and adapt criteria weightings to fit their individual
needs through the Forrester Wave Excel-based vendor comparison tool.
Figure 2 Forrester Wave™: B2E Cloud IAM, Q2 ‘15
Source: Forrester Research, Inc. Unauthorized reproduction, citation, or distribution prohibited.
[Wave chart. Horizontal axis: Strategy (weak to strong). Vertical axis: Current offering (weak to strong). Bands: Risky Bets, Contenders, Strong Performers, Leaders. Legend: Market presence. Vendors plotted: Bitium, Centrify, IBM, Microsoft, Okta, OneLogin, Ping Identity, SailPoint, Salesforce.]
Go to Forrester.com to download the Forrester Wave tool for more detailed product evaluations, feature comparisons, and customizable rankings.
Figure 2 Forrester Wave™: B2E Cloud IAM, Q2 ‘15 (Cont.)
Source: Forrester Research, Inc. Unauthorized reproduction, citation, or distribution prohibited.

| Criterion | Forrester’s Weighting | Bitium | Centrify | IBM | Microsoft | Okta | OneLogin | Ping Identity | SailPoint | Salesforce |
|---|---|---|---|---|---|---|---|---|---|---|
| CURRENT OFFERING | 50% | 1.88 | 2.86 | 2.18 | 3.02 | 3.52 | 3.80 | 2.62 | 2.76 | 3.26 |
| User directory support | 14% | 3.00 | 2.00 | 3.00 | 3.00 | 5.00 | 5.00 | 3.00 | 3.00 | 3.00 |
| Access management policy administration | 14% | 1.00 | 3.00 | 4.00 | 4.00 | 3.00 | 5.00 | 2.00 | 3.00 | 4.00 |
| User account provisioning policy administration | 12% | 1.00 | 0.00 | 2.00 | 1.00 | 2.00 | 2.00 | 1.00 | 3.00 | 3.00 |
| End user self-service from the solution’s web portal | 12% | 3.00 | 4.00 | 3.00 | 2.00 | 3.00 | 4.00 | 4.00 | 4.00 | 1.00 |
| End user self-service from the solution’s purpose-built, vendor-supplied mobile application | 12% | 1.00 | 5.00 | 1.00 | 4.00 | 5.00 | 3.00 | 3.00 | 3.00 | 4.00 |
| API security and solution APIs | 12% | 0.00 | 1.00 | 0.00 | 3.00 | 3.00 | 3.00 | 3.00 | 0.00 | 5.00 |
| Reporting and scalability | 12% | 1.00 | 4.00 | 2.00 | 3.00 | 2.00 | 3.00 | 3.00 | 2.00 | 4.00 |
| Overall solution complexity | 12% | 5.00 | 4.00 | 2.00 | 4.00 | 5.00 | 5.00 | 2.00 | 4.00 | 2.00 |
| STRATEGY | 50% | 1.75 | 4.10 | 3.60 | 3.40 | 3.85 | 3.50 | 3.20 | 3.35 | 2.70 |
| Future development and market plans for cloud IAM and technology | 35% | 1.00 | 4.00 | 5.00 | 2.00 | 3.00 | 4.00 | 3.00 | 4.00 | 3.00 |
| Customer satisfaction | 25% | 4.00 | 4.00 | 3.00 | 4.00 | 4.00 | 4.00 | 3.00 | 3.00 | 3.00 |
| Security services and OEM partners | 10% | 0.00 | 5.00 | 3.00 | 4.00 | 5.00 | 3.00 | 4.00 | 1.00 | 2.00 |
| Development, sales, and technical support staffing | 10% | 1.00 | 5.00 | 2.00 | 5.00 | 4.00 | 2.00 | 4.00 | 4.00 | 3.00 |
| Pricing flexibility and transparency | 10% | 2.00 | 3.00 | 3.00 | 3.00 | 4.00 | 3.00 | 3.00 | 3.00 | 3.00 |
| Customer reference scale and coverage | 10% | 1.00 | 4.00 | 3.00 | 5.00 | 5.00 | 3.00 | 3.00 | 4.00 | 1.00 |
| MARKET PRESENCE | 0% | 1.33 | 2.67 | 3.33 | 4.00 | 3.33 | 4.00 | 2.67 | 2.33 | 2.67 |
| Revenue | 33% | 1.00 | 1.00 | 4.00 | 4.00 | 3.00 | 4.00 | 2.00 | 3.00 | 2.00 |
| Installed base | 33% | 1.00 | 4.00 | 3.00 | 5.00 | 5.00 | 5.00 | 3.00 | 1.00 | 2.00 |
| Verticals and geographies | 33% | 2.00 | 3.00 | 3.00 | 3.00 | 2.00 | 3.00 | 3.00 | 3.00 | 4.00 |

All scores are based on a scale of 0 (weak) to 5 (strong).
Vendor Profiles
Leaders
Leaders provide an overall great solution with broad installed bases and credible solution features:
■	OneLogin is a thought leader in authentication with plans to extend mobility support. The
solution is much less complex than other solutions evaluated in this Forrester Wave. It has
outstanding support for user directory configuration and integration, access management
policy administration, and end user self-service from the portal. The solution today lacks in
user provisioning policy administration, and the vendor does not have its own MDM solution.
Future plans of the vendor include: 1) developing mobile native SSO (NAPPS) and NAPPS
toolkits; 2) desktop and device authentication support; 3) enterprise mobile management
support; 4) third-party biometrics support; and 5) risk-based application access controls.
■	Okta has a large installed base, extensive mobility support, with plans for identity
intelligence. The solution is much less complex than other solutions evaluated in this Forrester
Wave. It has great capabilities for managing and integrating user directories, and end user self-
service from the solution mobile interface (Okta offers its own MDM capabilities). The vendor
has a large and powerful partner ecosystem for implementation and a large installed base of
1,250 direct customers. The solution lacks in the areas of reporting and scalability and user
account provisioning policy management. Forrester expects that the future plans of the vendor
include adaptive authentication, identity intelligence, ability to deploy in isolated instances,
enhanced mobility management, and passwordless authentication.
Strong Performers
These vendors offer robust and credible solutions but are behind Leaders in the areas of mobility
support, installed base, and partner ecosystems:
■	Centrify is strong in MDM, dashboards, and reporting. Centrify’s solution excels in the areas
of end user self-service from the mobile application (Centrify provides its own MDM solution,
bundled) and reporting: The solution has nice dashboards and 49 built-in reports. It lacks
features in user directory support: Centrify does provide a standalone cloud directory, but does
not support synchronization of attributes with the user’s on-premises user store to the cloud
directory. (Instead it maintains access to user attributes only in the on-premises user store. This
is by design.) While it does provide provisioning for cloud applications, it lacks user account
provisioning for on-premises applications as well as attestation and workflow. Centrify’s plans
include privileged IAM as a SaaS offering, managed security provider features, automated
password management, private (single tenant) pods and podscapes, and FedRAMP certification.
■	Microsoft has finally ventured into IAM in earnest with Azure AD Premium. The solution
has great capabilities in access policy administration, provides bundled MDM capabilities
(Intune), and a nice end user interface in the mobile application. The solution has a large SI
ecosystem and a large population estimated at 300 employees working on the development
of the solution. It requires the bundled Forefront Identity Manager to provision identities to
on-premises applications. It has no access recertification, and its end user self-service portal is
somewhat behind others: End users cannot add their own applications and cannot manage the
look and feel of the interface. Administrators cannot define new ad hoc reports. The vendor’s
future plans call for device identity-based, risk-based authentication, and expansion into the
B2B and partner collaboration IAM ecosystem.
■	SailPoint makes access governance available in its B2E cloud IAM solution. The solution
provides nice end user customization capabilities for its SSO web portal, allows a system
administrator to manage provisioning policies and periodic attestation campaigns (beyond
dashboards) to SaaS and on-premises applications. System administrators currently cannot create
ad hoc reports (this is planned), and there is no way to limit who can see which report.
Customers said that the solution meets their expectations. The SI partner ecosystem is fairly weak
for the solution, and the solution has a small installed base of 47 customer organizations today.
SailPoint plans to enhance its encryption and incorporate threat feeds and real-time code
analysis and introspection for zero-day threats and a full SSAE16 Type II and SOC 1 certification.
■	Salesforce provides well-rounded capabilities with a powerful admin user interface.
Salesforce offers its Salesforce Identity solution for free or at a discount for its CRM and
non-CRM clients. It has good capabilities for access policy and detailed provisioning policy
management (has a built-in graphical workflow) and end user interface in the mobile
application. The solution’s user interface — while capable — is somewhat more complex than
other solutions evaluated. Forrester estimates that a surprisingly small team of 15 developers
work on the solution, and customer references interviewed by Forrester have not deployed
it in production to more than 1,000 users and five applications. Salesforce plans to enhance
encryption, expand AppExchange with IAM vendors, and improve risk-based authentication,
security analytics, and malware detection.7
■	Ping Identity offers PingOne bundled with Ping Federate and Ping Access. The solution has
a strong partner SI ecosystem and a large developer base of 108. The vendor’s penetration is
great in the communications and media, high-tech, and financial services verticals. Clients have
deployed the solution into environments with more than 1,000 users and 20 applications, while
the largest deployment is 850,000 users and 30 applications. While the PingOne B2E cloud
IAM solution’s price includes the bundled Ping Federate and Ping Access products, customers
have to install, configure, and maintain these environments to be able to satisfy most of the use
cases’ requirements in this evaluation. Ping Identity plans to introduce adaptive authentication,
access control, a meta-registry for high scale connection management of federation, identity
orchestration, and identity analytics.
■	IBM’s acquisition of Lighthouse Gateway offers a powerful policy management front end.
IBM’s Cloud Identity Service solution has versatile access policy management capabilities (it is
based on the IBM Security Access Manager, or ISAM) for not only SaaS but also on-premises web
applications — a great benefit to those customers already familiar with IBM’s ISAM and IBM
Security Identity Manager products. The solution lacks a graphical workflow, and the mobile
application falls behind other vendors. IBM plans to support wizards for setting up federation
profiles and setting up a federation marketplace, introduce QuickLaunch (canned modules
of repeatable use cases to reduce professional services), integrate with CrossIdeas access
governance platform, and offer enhanced mobile support.
Contenders
Forrester found the following vendor’s solution to lack many of the capabilities of other evaluated
solutions, a convincing installed base, and some key functionality other vendors offer:
■	Bitium’s simple solution is tightly architected and exceeds customer expectations. In
Forrester’s assessment, this solution has a lot of potential: The vendor is agile, and with
only 14 developers created a viable solution. Users can customize the portal with their own
application URLs. However, it lacks access management and user account provisioning policy
administration capabilities, has no MDM solution of its own, and has no 2FA application
of its own or exposed API for integration and policy management. Reporting lags behind
other vendors with no custom, ad hoc reports, and only three different types of canned
reports. The largest publicly referenceable deployment has only 632 users. The vendor’s plans
include: password analysis, credential verification against external systems, support for Docker
environments, logging and API enhancements, and hardware security module (HSM) support.
Supplemental Material
Online Resource
The online version of Figure 2 is an Excel-based vendor comparison tool that provides detailed
product evaluations and customizable rankings.
Data Sources Used In This Forrester Wave
Forrester used a combination of four data sources to assess the strengths and weaknesses of each
solution:
■	Vendor surveys. Forrester surveyed vendors on their capabilities as they relate to the evaluation
criteria. Once we analyzed the completed vendor surveys, we conducted vendor calls where
necessary to gather details of vendor qualifications.
■	Product demos. We asked vendors to conduct demonstrations of their product’s functionality. We
used findings from these product demos to validate details of each vendor’s product capabilities.
■	Demonstration environment. Every vendor provided us with independent and unfettered
access to the solution in the vendor’s online demonstration environment. We conducted
independent tests and reviews of solutions in this environment.
■	Customer reference calls. To validate product and vendor qualifications, Forrester also
conducted reference calls with 3 of each vendor’s current customers.
The Forrester Wave Methodology
We conduct primary research to develop a list of vendors that meet our criteria to be evaluated
in this market. From that initial pool of vendors, we then narrow our final list. We choose these
vendors based on: 1) product fit; 2) customer success; and 3) Forrester client demand. We eliminate
vendors that have limited customer references and products that don’t fit the scope of our evaluation.
After examining past research, user need assessments, and vendor and expert interviews, we develop
the initial evaluation criteria. To evaluate the vendors and their products against our set of criteria, we
gather details of product qualifications through a combination of lab evaluations, questionnaires,
demos, and/or discussions with client references. We send evaluations to the vendors for their review,
and we adjust the evaluations to provide the most accurate view of vendor offerings and strategies.
We set default weightings to reflect our analysis of the needs of large user companies — and/or
other scenarios as outlined in the Forrester Wave document — and then score the vendors based
on a clearly defined scale. These default weightings are intended only as a starting point, and we
encourage readers to adapt the weightings to fit their individual needs through the Excel-based
tool. The final scores generate the graphical depiction of the market based on current offering,
strategy, and market presence. Forrester intends to update vendor evaluations regularly as product
capabilities and vendor strategies evolve. For more information on the methodology that every
Forrester Wave follows, go to
http://www.forrester.com/marketing/policies/forrester-wave-methodology.html.
Integrity Policy
All of Forrester’s research, including Waves, is conducted according to our Integrity Policy. For more
information, go to http://www.forrester.com/marketing/policies/integrity-policy.html.
Endnotes
1 For more details on cloud security taxonomy, please see the “An S&R Pro’s Guide To Security To, In, And
From The Cloud” Forrester report.
2 For more information, see the “The Forrester Wave™: Identity And Access Management Suites, Q3 2013”
Forrester report and see the “The Forrester Wave™: Role Management And Access Recertification, Q3 2011”
Forrester report.
For problems with on-premises IAM solutions, see the “Wake-Up Call: Poorly Managed Access Rights Are
A Breach Waiting To Happen” Forrester report and see the “User Account Provisioning For The Midmarket”
Forrester report.
3 For more information, see the “Use Commercial IAM Solutions To Achieve More Than 100% ROI Over
Manual Processes” Forrester report.
4 Source: “Native Applications Working Group,” OpenID (http://openid.net/wg/napps/).
5 Also known as work item approval and rejection.
6 For more information, see the “The Forrester Wave™: Risk-Based Authentication, Q1 2012” Forrester report
and see the “What You Need To Know About The FIDO Alliance And Its Impact On User Authentication”
Forrester report.
7 Encryption has been in general availability since the cutoff date.
Forrester Research (Nasdaq: FORR) is a global research and advisory firm serving professionals in 13 key roles across three distinct client
segments. Our clients face progressively complex business and technology decisions every day. To help them understand, strategize, and act
upon opportunities brought by change, Forrester provides proprietary research, consumer and business data, custom consulting, events and
online communities, and peer-to-peer executive programs. We guide leaders in business technology, marketing and strategy, and the technology
industry through independent fact-based insight, ensuring their business success today and tomorrow.	 113063
Forrester Focuses On
Security & Risk Professionals
To help your firm capitalize on new business opportunities safely,
you must ensure proper governance oversight to manage risk while
optimizing security processes and technologies for future flexibility.
Forrester’s subject-matter expertise and deep understanding of your
role will help you create forward-thinking strategies; weigh opportunity
against risk; justify decisions; and optimize your individual, team, and
corporate performance.
About Forrester
A global research and advisory firm, Forrester inspires leaders,
informs better decisions, and helps the world’s top companies turn
the complexity of change into business advantage. Our research-
based insight and objective advice enable IT professionals to
lead more successfully within IT and extend their impact beyond
the traditional IT organization. Tailored to your individual role, our
resources allow you to focus on important business issues —
margin, speed, growth — first, technology second.
For More Information
To find out how Forrester Research can help you be successful every day, please
contact the office nearest you, or visit us at www.forrester.com. For a complete list
of worldwide locations, visit www.forrester.com/about.
Client Support
For information on hard-copy or electronic reprints, please contact Client Support
at +1 866.367.7378, +1 617.613.5730, or clientsupport@forrester.com. We offer
quantity discounts and special pricing for academic and nonprofit institutions.

Forrester Report

  • 1.
    Forrester Research, Inc.,60 Acorn Park Drive, Cambridge, MA 02140 USA Tel: +1 617.613.6000 | Fax: +1 617.613.5000 | www.forrester.com The Forrester Wave™: B2E Cloud IAM, Q2 2015 by Andras Cser and Merritt Maxim, June 29, 2015 For: Security & Risk Professionals Key Takeaways OneLogin And Okta Lead The Pack Forrester’s research uncovered a market in which OneLogin and Okta lead the pack. Centrify, Microsoft, SailPoint, Salesforce, Ping Identity, and IBM offer competitive options. Bitium lags behind. The B2E Cloud IAM Market Is Growing As S&R Pros Look For Simplicity, SSO, And Directory Integration The B2E cloud IAM market is growing because more S&R professionals see IDaaS as a way to address their top IAM challenges without the long deployment times of legacy IAM products. It’s also growing because S&R pros increasingly trust B2E cloud IAM providers to act as a backbone for employee IAM to SaaS and on-premises apps. API Security, Mobile Support, And Installed Base Are Key Differentiators In The B2E Cloud IAM Market Vendors that can provide API security and API-based integration for the Internet of Things and mobile single sign-on and who can grow their installed base faster position themselves to successfully deliver faster IAM to value to their customers. Access The Forrester Wave Model For Deeper Insight Use the detailed Forrester Wave model to view every piece of data used to score participating vendors and create a custom vendor shortlist. Access the report online and download the Excel tool using the link in the right-hand column under “Tools & Templates.” Alter Forrester’s weightings to tailor the Forrester Wave model to your specifications.
  • 2.
    © 2015, ForresterResearch, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. Forrester® , Technographics® , Forrester Wave, RoleView, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. To purchase reprints of this document, please email clientsupport@forrester.com. For additional information, go to www.forrester.com. For Security & Risk Professionals Why Read This Report In Forrester’s 17-criteria evaluation of B2E cloud identity and access management (IAM) vendors, we identified the nine most significant SaaS providers in the category — Bitium, Centrify, IBM, Microsoft, Okta, OneLogin, Ping Identity, SailPoint, and Salesforce — and researched, analyzed, and scored them. This report details our findings about how well each vendor fulfills our criteria and where they stand in relation to each other to help security and risk (S&R) professionals select the right partner for their B2E cloud IAM, also known as identity-as-a-service (IDaaS), needs. Table Of Contents Cloud IAM Reduces Complexity And Cost, Removes Barriers To Adoption Two Types Of Vendor Offerings Compete For Your Attention An SSO Portal, SAML Support, And Mobile Access Support Are Table Stakes Features Vendors’ Future Plans Include Provisioning And Access Governance B2E Cloud IAM Evaluation Overview Evaluation Criteria: Current Offering, Strategy, And Market Presence Included Vendors Offer Cloud IAM As A True SaaS Service And AD Authentication OneLogin And Okta Lead The Pack Vendor Profiles Leaders Strong Performers Contenders Supplemental Material Notes & Resources Forrester conducted product evaluations in March 2015 and interviewed 36 vendor and user companies, including Bitium, Centrify, IBM, Microsoft, Okta, OneLogin, Ping Identity, SailPoint, and Salesforce. 
Related Research Documents Brief: Top 10 IAM Trends From The RSA Conference 2015 The Forrester Wave™: Identity And Access Management Suites, Q3 2013 The Forrester Wave™: Risk-Based Authentication, Q1 2012 The Forrester Wave™: B2E Cloud IAM, Q2 2015 The Nine Providers That Matter Most And How They Stack Up by Andras Cser and Merritt Maxim with Stephanie Balaouras, Josh Blackborow, and Peggy Dostie 2 3 7 5 10 12 June 29, 2015
  • 3.
    For Security &Risk Professionals The Forrester Wave™: B2E Cloud IAM, Q2 2015 2 © 2015, Forrester Research, Inc. Reproduction Prohibited June 29, 2015 Cloud IAM Reduces Complexity And Cost, Removes Barriers To Adoption In our Forrester Wave evaluation and conversations with S&R pros and vendors, Forrester found that B2E cloud IAM has completely transformed the IAM market landscape. Why? It’s because cloud IAM: ■ Allows S&R pros to manage employee identities across cloud environments. As both business and technology leaders have eagerly adopted software-as-a-service (SaaS) such as Salesforce, ServiceNow, and Workday, the task of managing identities and controlling access to some of the firm’s most sensitive data fell to the security team.1 Luckily, cloud IAM came to the rescue: Not only did it provide a unified view of user access to SaaS applications but it also provided a single portal for employees to access these SaaS applications. ■ Limits complexity of IAM solutions. Historically, when S&R pros sought to deploy an on-premises IAM solution, they insisted on solutions that could support 100% of their brick-and-mortar legacy requirements.2 This resulted in implementations with a high degree of customization and, of course, cost; stories of IAM projects turning into mini ERP projects deterred firms from building out IAM solutions in earnest. Cloud IAM challenged this mentality and ultimately succeeded in changing the deployment approach. From the beginning, cloud IAM vendors started out with a simple set of capabilities: those focused on offering employee single sign-on (SSO) into SaaS applications. As the only real viable option for managing access across these cloud apps, S&R pros had to accept a simpler approach that focused on essential requirements. ■ Reduces license and ongoing maintenance costs. Many vendors offer pay-as-you-go and metered pricing models, which means that S&R pros are not hit by large, upfront per-user perpetual license costs. 
It also offers flexibility; S&R pros can scale the number of users and applications up or down as needed during their contract with the vendor. In addition, because security teams need only manage IAM policies and are no longer encumbered with the operational responsibilities of maintaining the solution itself, they need far fewer employees for maintenance.3 For many small and medium businesses that can’t afford four to five employees to support an on-premises IAM solution, cloud IAM is the answer. Even large enterprises are evaluating cloud IAM solutions in the hopes of converting spend from capex to opex. ■ Offers support for legacy apps on-premises as well as for SaaS applications. Provisioning and controlling access to cloud applications is but one challenge. S&R pros must still manage IAM for a plethora of legacy on-premises apps. Vendors have listened: Now they offer an on- premises component as part of their cloud IAM solution so that S&R pros can enable employees to authenticate against Active Directory (AD) on-premises and access on-premises applications without having to use the VPN. However, in customer interviews, Forrester found that today 20% of organizations use IDaaS for IAM to on-premises applications, while 80% organizations use IDaaS to manage access to SaaS applications.
  • 4.
    For Security &Risk Professionals The Forrester Wave™: B2E Cloud IAM, Q2 2015 3 © 2015, Forrester Research, Inc. Reproduction Prohibited June 29, 2015 ■ Supports SSO from and on mobile devices cost-effectively. S&R pros have to provide a repeatable security framework for their developers so that they can focus on achieving the business goals of their custom mobile applications and not have to worry about details of mobile application SSO and even management. Cloud IAM vendors recognized this need and now provide basic enterprise mobility management solutions (similar to mobile device management and mobile application management), as well as simple SSO for mobile applications, built on the emerging OpenID-based Native Applications Working Group (NAPPS) standard.4 Two Types Of Vendor Offerings Compete For Your Attention This Forrester Wave focuses on business-to-enterprise (B2E) cloud IAM solutions. These solutions provide access to SaaS applications and on-premises legacy web applications for the enterprise workforce (e.g., employees and contractors). When evaluating the B2E cloud IAM vendor landscape, Forrester found that solutions bifurcate into two types of offerings: ■ Vendors with an on-premises IAM pedigree offer capable B2E cloud IAM solutions. IBM, Microsoft, and Ping Identity built cloud front ends to their existing, robust, and capable on- premises IAM solutions. Although these solutions provide very extensive policy authoring features, especially for access management, they require a somewhat larger effort to initially implement and maintain. ■ Born-in-the-cloud B2E cloud IAM vendors offer simple and faster-to-implement solutions. Bitium, Centrify, Okta, OneLogin, and Salesforce solutions were born in the cloud and don’t have any background in on-premises solutions. As a result, solutions of this type may not offer the same depth of policy management capabilities that the on-premises pedigree vendors do. 
There are, of course, exceptions in every category: SailPoint developed its solution for the cloud, but it also contains intellectual property from the company’s on-premises IdentityIQ access governance product. Forrester evaluated both of these types of vendors in this Forrester Wave because our clients frequently ask us about and evaluate both types of vendors. An Sso Portal, Saml Support, And Mobile Access Support Are Table Stakes Features During the Forrester Wave evaluation, Forrester identified several nondifferentiating solution features. All evaluated vendors: ■ Provide a cloud-based portal for employees to access SaaS applications. With VPN use decreasing, all B2E cloud IAM solutions offer a portal that employees can access with their AD credentials. In the portal, they see icons for every SaaS application they are authorized to access as part of their job. Group information from the user store can drive which applications users have access to.
  • 5.
    For Security &Risk Professionals The Forrester Wave™: B2E Cloud IAM, Q2 2015 4 © 2015, Forrester Research, Inc. Reproduction Prohibited June 29, 2015 ■ Allow S&R pros to install an optional on-premises agent for the user store. All solutions we evaluated have either: 1) a Windows service component that S&R pros need to install AD in domain controllers or 2) an identity router that they need to put into the demilitarized zone (DMZ). These components allow for: 1) reading user passwords from AD and 2) the cloud IAM solution writing changed passwords to AD when users reset or change their passwords. ■ Offer bidirectional SAML SSO and single logout support. All evaluated vendors offer inbound and outbound SAML (consumer and producer) with support for custom attribute value injection into the SAML assertion from the identity provider (IdP). All solutions support the concept of a URL for single logout to terminate the user’s session. ■ Provide native iOS and Android mobile applications for login and 2FA. B2E cloud IAM solutions offer optional mobile applications for: 1) storing AD credentials that enable the user to establish a PIN code and allow users to log into their SaaS applications from the mobile device and 2) two-factor authentication (2FA) for step-up or greater strength authentication into sensitive, high-risk applications. Many of the vendors’ mobile applications provide support for forgotten password recovery and limited device management as well. Vendors’ Future Plans Include Provisioning And Access Governance While examining the solutions and vendor road maps for this Forrester Wave, Forrester found that vendors have plans for the following common enhancements: ■ Extended provisioning for both cloud and on-premises apps. Today’s cloud IAM solution support for SaaS and on-premises business application provisioning is simplistic. 
It usually involves the System for Cross-domain Identity Management (SCIM, also known as “Simple Cloud Identity Management”) or Security Assertion Markup Language (SAML) Just-in-Time (JIT) standards-based provisioning of users. However, the IDaaS solutions today do not offer fine-grained entitlement support provisioning in a separate user authorization store and usually do not automatically deprovision users. Similarly, these processes are not as robust when it comes to removing or deprovisioning access as it often has to be done manually. ■ Built-in support for attestation campaigns. With the exception of SailPoint, today’s cloud IAM solutions have only zero-to-minimal attestation campaign management and true enterprise business role-mining for access governance. Forrester expects that future solutions will increasingly incorporate these requirements. ■ Access request management workflow. Today’s fine-grained application access request management workflow capabilities in cloud IAM solutions are limited and are not on par with on-premises identity management platforms.5 Forrester expects that vendors will greatly expand graphical workflow design (similar to what is already available in IBM Cloud Identity Service) and selection of approvers and approval types (quorum, sequential optional, etc.).
  • 6.
    For Security &Risk Professionals The Forrester Wave™: B2E Cloud IAM, Q2 2015 5 © 2015, Forrester Research, Inc. Reproduction Prohibited June 29, 2015 ■ User store support for IaaS workloads. Today’s user stores in cloud IAM solutions are only for managing access to the cloud IAM portal itself; they provide no capabilities to manage access to workloads in IaaS applications. In this case, cloud IAM vendors need to provide robust AD-like directory services. While Amazon Web Services (AWS) and JumpCloud offer this capability today, Forrester expects that leading cloud IAM vendors will support this requirement in the future. ■ Extensive mobile app access management with risk-based authentication. While Centrify, IBM, and Microsoft offer bundled enterprise mobility management solutions with their cloud IAM, Forrester expects that vendors will implement risk-based authentication capabilities complete with risk scoring that support desktops and mobile devices. Vendors are also working on creating a cross-mobile application SSO using the OpenID Connect NAPPS standard, and increasingly looking at the FIDO UAF specification to separate the business process from the registration and authentication logic in an application.6 B2E Cloud IAM Evaluation Overview To assess the state of the B2E cloud IAM market and see how the vendors stack up against each other, Forrester evaluated the strengths and weaknesses of B2E cloud IAM vendors. Evaluation Criteria: Current Offering, Strategy, And Market Presence After examining past research, user need assessments, and vendor and expert interviews, Forrester developed a comprehensive set of evaluation criteria which we grouped into three high-level buckets: ■ Current offering. 
We evaluated how well solutions provide: 1) user directory support; 2) access management policy administration; 3) user account provisioning policy administration; 4) end user self-services from the solution’s web portal; 5) end user self-services from the solution’s mobile application; 6) API security and solution APIs; and 7) reporting and scalability. We also evaluated the overall complexity of solutions. ■ Strategy. We reviewed each vendor’s strategy to determine vendor differentiation in: 1) future product development and market plans; 2) customer satisfaction with the solution; 3) security implementation services and OEM partnerships; 4) development, sales, and technical support staffing; 5) pricing flexibility and transparency; and 6) customer reference scale and coverage. ■ Market presence. To determine market presence, we considered the vendors’: 1) revenue; 2) installed base; and 3) vertical and geographic presence of the evaluated vendor’s cloud IAM solution.
  • 7.
    For Security &Risk Professionals The Forrester Wave™: B2E Cloud IAM, Q2 2015 6 © 2015, Forrester Research, Inc. Reproduction Prohibited June 29, 2015 Included Vendors Offer Cloud Iam As A True Saas Service And Ad Authentication In a very crowded market of IDaaS vendors, Forrester included nine vendors in the assessment: Bitium, Centrify, IBM, Microsoft, Okta, OneLogin, Ping Identity, SailPoint, and Salesforce. Each of these vendors had on or before December 16, 2014 (see Figure 1): ■ A productized and publicly announced, true multitenant SaaS B2E cloud IAM offering. The vendor should have an announced, true multitenant SaaS (not hosted service) B2E cloud IAM offering. In Forrester’s and its clients’ assessment, the cloud IAM solution should have a primary focus on IAM for enterprise (internal employee) types of users. The vendor should have a strategy focus on the B2E cloud IAM solution, which should not be a “me too” checkbox solution in the vendor’s solution portfolio. ■ A B2E cloud IAM offering capable of authenticating users against on-premises AD. The solution should be able to manage and authenticate users against an on-premises AD user store. ■ At least $1 million in B2E cloud IAM subscription revenues in 2014. The vendor should have at least $1 million in true, B2E cloud IAM subscription revenues. Hosted IAM solutions do not count against this number. ■ At least 40 paying customer organizations in production. The B2E cloud IAM offering should have at least 40 paying customer organizations in production at the cutoff date. ■ A mindshare with Forrester’s customers on inquiries. Customers should mention the vendor’s name in an unaided context (“We looked at the following vendors for B2E cloud IAM”) on Forrester’s inquiries and other interactions. ■ A mindshare with other B2E cloud IAM competitive vendors. 
When Forrester asks other vendors about their competition on briefings, inquiries, and other interactions, other vendors should mention the vendor as a real competitor in the B2E cloud IAM market space. Forrester invited CA Technologies, Dell, ForgeRock, Gemalto, JumpCloud, Microfocus/NetIQ, Oracle, RadiantLogic, RSA, SecureAuth, and SwivelSecure to this Forrester Wave, but these vendors opted out.
  • 8.
    For Security &Risk Professionals The Forrester Wave™: B2E Cloud IAM, Q2 2015 7 © 2015, Forrester Research, Inc. Reproduction Prohibited June 29, 2015 Figure 1 Evaluated Vendors: Product Information And Selection Criteria Source: Forrester Research, Inc. Unauthorized reproduction, citation, or distribution prohibited. Vendor Bitium Centrify IBM Microsoft Okta OneLogin Ping Identity SailPoint Salesforce Product evaluated Bitium Enterprise Centrify User Suite IBM Cloud Identity Service Microsoft Enterprise Mobility Suite Okta Identity Management and Mobility Management Service OneLogin PingOne SailPoint IdentityNow Salesforce Identity Vendor selection criteria Has a productized and publicly announced, true multitenant SaaS B2E cloud IAM offering. Has a B2E cloud IAM offering capable of authenticating users against on-premises AD. Had at least $1 million in B2E cloud IAM subscription revenues in 2014. Has at least 40 paying customer organizations in production. Has mindshare with Forrester’s customers on inquiries. Has mindshare with other B2E cloud IAM competitive vendors. OneLogin And Okta Lead The Pack The evaluation uncovered a market in which (see Figure 2): ■ OneLogin and Okta lead the pack. These vendors demonstrated broad capabilities for user directory support, access policy administration, and a large catalog for supported SaaS applications. They have also shown relative simplicity among the evaluated offerings and have a large installed base. ■ Centrify, Microsoft, SailPoint, Salesforce, Ping Identity, and IBM offer competitive options. These vendors offer credible and robust offerings and outstanding future road maps for the
  • 9.
    For Security &Risk Professionals The Forrester Wave™: B2E Cloud IAM, Q2 2015 8 © 2015, Forrester Research, Inc. Reproduction Prohibited June 29, 2015 solution. Their solution complexity, customer satisfaction, customer reference scale, and coverage of implementation (in different combinations for different vendors) may be behind those of the Leaders. ■ Bitium lacks broad installed base but has potential. While showing a lot of promise for the future for a small company with only a handful of developers and sales people, offering a very simple and easy-to-use solution, Bitium today lacks a notable installed base, broad coverage of verticals, support for APIs, and end user self-service from the portal. This evaluation of the B2E cloud IAM market is intended to be a starting point only. We encourage clients to view detailed product evaluations and adapt criteria weightings to fit their individual needs through the Forrester Wave Excel-based vendor comparison tool. Figure 2 Forrester Wave™: B2E Cloud IAM, Q2 ‘15 Source: Forrester Research, Inc. Unauthorized reproduction, citation, or distribution prohibited. Risky Bets Contenders Leaders Strong Performers StrategyWeak Strong Current offering Weak Strong Go to Forrester.com to download the Forrester Wave tool for more detailed product evaluations, feature comparisons, and customizable rankings. Market presence Bitium Centrify IBM Microsoft Okta OneLogin Ping Identity SailPoint Salesforce
  • 10.
    For Security &Risk Professionals The Forrester Wave™: B2E Cloud IAM, Q2 2015 9 © 2015, Forrester Research, Inc. Reproduction Prohibited June 29, 2015 Figure 2 Forrester Wave™: B2E Cloud IAM, Q2 ‘15 (Cont.) Source: Forrester Research, Inc. Unauthorized reproduction, citation, or distribution prohibited. CURRENT OFFERING User directory support Access management policy administration User account provisioning policy administration End user self-service from the solution’s web portal End user self-service from the solution’s purpose-built, vendor-supplied mobile application API security and solution APIs Reporting and scalability Overall solution complexity STRATEGY Future development and market plans for cloud IAM and technology Customer satisfaction Security services and OEM partners Development, sales, and technical support staffing Pricing flexibility and transparency Customer reference scale and coverage MARKET PRESENCE Revenue Installed base Verticals and geographies Forrester’s Weighting 50% 14% 14% 12% 12% 12% 12% 12% 12% 50% 35% 25% 10% 10% 10% 10% 0% 33% 33% 33% 1.88 3.00 1.00 1.00 3.00 1.00 0.00 1.00 5.00 1.75 1.00 4.00 0.00 1.00 2.00 1.00 1.33 1.00 1.00 2.00 2.86 2.00 3.00 0.00 4.00 5.00 1.00 4.00 4.00 4.10 4.00 4.00 5.00 5.00 3.00 4.00 2.67 1.00 4.00 3.00 2.18 3.00 4.00 2.00 3.00 1.00 0.00 2.00 2.00 3.60 5.00 3.00 3.00 2.00 3.00 3.00 3.33 4.00 3.00 3.00 3.02 3.00 4.00 1.00 2.00 4.00 3.00 3.00 4.00 3.40 2.00 4.00 4.00 5.00 3.00 5.00 4.00 4.00 5.00 3.00 3.52 5.00 3.00 2.00 3.00 5.00 3.00 2.00 5.00 3.85 3.00 4.00 5.00 4.00 4.00 5.00 3.33 3.00 5.00 2.00 3.80 5.00 5.00 2.00 4.00 3.00 3.00 3.00 5.00 3.50 4.00 4.00 3.00 2.00 3.00 3.00 4.00 4.00 5.00 3.00 2.62 3.00 2.00 1.00 4.00 3.00 3.00 3.00 2.00 3.20 3.00 3.00 4.00 4.00 3.00 3.00 2.67 2.00 3.00 3.00 2.76 3.00 3.00 3.00 4.00 3.00 0.00 2.00 4.00 3.35 4.00 3.00 1.00 4.00 3.00 4.00 2.33 3.00 1.00 3.00 3.26 3.00 4.00 3.00 1.00 4.00 5.00 4.00 2.00 2.70 3.00 3.00 2.00 3.00 3.00 1.00 2.67 2.00 2.00 4.00 All scores 
are based on a scale of 0 (weak) to 5 (strong). Bitium Centrify IBM Microsoft Okta OneLogin PingIdentity SailPoint Salesforce
  • 11.
Vendor Profiles

Leaders

Leaders provide an overall great solution with broad installed bases and credible solution features:

■ OneLogin is a thought leader in authentication with plans to extend mobility support. The solution is much less complex than other solutions evaluated in this Forrester Wave. It has outstanding support for user directory configuration and integration, access management policy administration, and end user self-service from the portal. The solution today lacks in user provisioning policy administration, and the vendor does not have its own MDM solution. Future plans of the vendor include: 1) developing mobile native SSO (NAPPS) and NAPPS toolkits; 2) desktop and device authentication support; 3) enterprise mobile management support; 4) third-party biometrics support; and 5) risk-based application access controls.

■ Okta has a large installed base, extensive mobility support, with plans for identity intelligence. The solution is much less complex than other solutions evaluated in this Forrester Wave. It has great capabilities for managing and integrating user directories, and end user self-service from the solution mobile interface (Okta offers its own MDM capabilities). The vendor has a large and powerful partner ecosystem for implementation and a large installed base of 1,250 direct customers. The solution lacks in the areas of reporting and scalability and user account provisioning policy management. Forrester expects that the future plans of the vendor include adaptive authentication, identity intelligence, ability to deploy in isolated instances, enhanced mobility management, and passwordless authentication.

Strong Performers

These vendors offer robust and credible solutions but are behind Leaders in the areas of mobility support, installed base, and partner ecosystems:

■ Centrify is strong in MDM, dashboards, and reporting. Centrify’s solution excels in the areas of end user self-service from the mobile application (Centrify provides its own MDM solution, bundled) and reporting: The solution has nice dashboards and 49 built-in reports. It lacks features in user directory support: Centrify does provide a standalone cloud directory, but does not support synchronization of attributes with the user’s on-premises user store to the cloud directory. (Instead it maintains access to user attributes only in the on-premises user store. This is by design.) While it does provide provisioning for cloud applications, it lacks user account provisioning for on-premises applications as well as attestation and workflow. Centrify’s plans include privileged IAM as a SaaS offering, managed security provider features, automated password management, private (single tenant) pods and podscapes, and FedRAMP certification.
■ Microsoft has finally ventured into IAM in earnest with Azure AD Premium. The solution has great capabilities in access policy administration, provides bundled MDM capabilities (Intune), and a nice end user interface in the mobile application. The solution has a large SI ecosystem and a large population estimated at 300 employees working on the development of the solution. It requires the bundled Forefront Identity Manager to provision identities to on-premises applications. It has no access recertification, and its end user self-service portal is somewhat behind others: End users cannot add their own applications and cannot manage the look and feel of the interface. Administrators cannot define new ad hoc reports. The vendor’s future plans call for device identity-based, risk-based authentication, and expansion into the B2B and partner collaboration IAM ecosystem.

■ SailPoint makes access governance available in its B2E cloud IAM solution. The solution provides nice end user customization capabilities for its SSO web portal, allows a system administrator to manage provisioning policies and periodic attestation campaigns (beyond dashboards) to SaaS and on-premises applications. System administrators currently cannot create ad hoc reports (this is planned), and there is no way to limit who can see which report. Customers said that the solution meets their expectations. The SI partner ecosystem is fairly weak for the solution, and the solution has a small installed base of 47 customer organizations today. SailPoint plans to enhance its encryption and incorporate threat feeds and real-time code analysis and introspection for zero-day threats and a full SSAE16 Type II and SOC 1 certification.

■ Salesforce provides well-rounded capabilities with a powerful admin user interface. Salesforce offers its Salesforce Identity solution for free or at a discount for its CRM and non-CRM clients. It has good capabilities for access policy and detailed provisioning policy management (has a built-in graphical workflow) and end user interface in the mobile application. The solution’s user interface — while capable — is somewhat more complex than other solutions evaluated. Forrester estimates that a surprisingly small team of 15 developers work on the solution, and customer references interviewed by Forrester have not deployed it in production to more than 1,000 users and five applications. Salesforce plans to enhance encryption, expand AppExchange with IAM vendors, and improve risk-based authentication, security analytics, and malware detection.7

■ Ping Identity offers PingOne bundled with Ping Federate and Ping Access. The solution has a strong partner SI ecosystem and a large developer base of 108. The vendor’s penetration is great in the communications and media, high-tech, and financial services verticals. Clients have deployed the solution into environments with more than 1,000 users and 20 applications, while the largest deployment is 850,000 users and 30 applications. While the PingOne B2E cloud IAM solution’s price includes the bundled Ping Federate and Ping Access products, customers have to install, configure, and maintain these environments to be able to satisfy most of the use cases’ requirements in this evaluation. Ping Identity plans to introduce adaptive authentication, access control, a meta-registry for high scale connection management of federation, identity orchestration, and identity analytics.

■ IBM’s acquisition of Lighthouse Gateway offers a powerful policy management front end. IBM’s Cloud Identity Service solution has versatile access policy management capabilities (it is based on the IBM Security Access Manager ISAM) for not only SaaS but also on-premises web applications — a great benefit to those customers already familiar with IBM’s ISAM and IBM Security Identity Manager products. The solution lacks a graphical workflow, and the mobile application falls behind other vendors. IBM plans to support wizards for setting up federation profiles and setting up a federation marketplace, introduce QuickLaunch (canned modules of repeatable use cases to reduce professional services), integrate with CrossIdeas access governance platform, and offer enhanced mobile support.

Contenders

Forrester found the following vendor’s solution to lack many of the capabilities of other evaluated solutions, a convincing installed base, and some key functionality other vendors offer:

■ Bitium’s simple solution is tightly architected and exceeds customer expectations. In Forrester’s assessment, this solution has a lot of potential: The vendor is agile, and with only 14 developers created a viable solution. Users can customize the portal with their own application URLs. However, it lacks access management and user account provisioning policy administration capabilities, has no MDM solution of its own, and has no 2FA application of its own or exposed API for integration and policy management. Reporting lags behind other vendors with no custom, ad hoc reports, and only three different types of canned reports. The largest publicly referenceable deployment has only 632 users. The vendor’s plans include: password analysis, credential verification against external systems, support for Docker environments, logging and API enhancements, and hardware security module (HSM) support.

Supplemental Material

Online Resource

The online version of Figure 2 is an Excel-based vendor comparison tool that provides detailed product evaluations and customizable rankings.

Data Sources Used In This Forrester Wave

Forrester used a combination of four data sources to assess the strengths and weaknesses of each solution:
■ Vendor surveys. Forrester surveyed vendors on their capabilities as they relate to the evaluation criteria. Once we analyzed the completed vendor surveys, we conducted vendor calls where necessary to gather details of vendor qualifications.

■ Product demos. We asked vendors to conduct demonstrations of their product’s functionality. We used findings from these product demos to validate details of each vendor’s product capabilities.

■ Demonstration environment. Every vendor provided us with independent and unfettered access to the solution in the vendor’s online demonstration environment. We conducted independent tests and reviews of solutions in this environment.

■ Customer reference calls. To validate product and vendor qualifications, Forrester also conducted reference calls with 3 of each vendor’s current customers.

The Forrester Wave Methodology

We conduct primary research to develop a list of vendors that meet our criteria to be evaluated in this market. From that initial pool of vendors, we then narrow our final list. We choose these vendors based on: 1) product fit; 2) customer success; and 3) Forrester client demand. We eliminate vendors that have limited customer references and products that don’t fit the scope of our evaluation.

After examining past research, user need assessments, and vendor and expert interviews, we develop the initial evaluation criteria. To evaluate the vendors and their products against our set of criteria, we gather details of product qualifications through a combination of lab evaluations, questionnaires, demos, and/or discussions with client references. We send evaluations to the vendors for their review, and we adjust the evaluations to provide the most accurate view of vendor offerings and strategies.

We set default weightings to reflect our analysis of the needs of large user companies — and/or other scenarios as outlined in the Forrester Wave document — and then score the vendors based on a clearly defined scale. These default weightings are intended only as a starting point, and we encourage readers to adapt the weightings to fit their individual needs through the Excel-based tool. The final scores generate the graphical depiction of the market based on current offering, strategy, and market presence. Forrester intends to update vendor evaluations regularly as product capabilities and vendor strategies evolve. For more information on the methodology that every Forrester Wave follows, go to http://www.forrester.com/marketing/policies/forrester-wave-methodology.html.

Integrity Policy

All of Forrester’s research, including Waves, is conducted according to our Integrity Policy. For more information, go to http://www.forrester.com/marketing/policies/integrity-policy.html.
Endnotes

1 For more details on cloud security taxonomy, please see the “An S&R Pro’s Guide To Security To, In, And From The Cloud” Forrester report.

2 For more information, see the “The Forrester Wave™: Identity And Access Management Suites, Q3 2013” Forrester report and see the “The Forrester Wave™: Role Management And Access Recertification, Q3 2011” Forrester report. For problems with on-premises IAM solutions, see the “Wake-Up Call: Poorly Managed Access Rights Are A Breach Waiting To Happen” Forrester report and see the “User Account Provisioning For The Midmarket” Forrester report.

3 For more information, see the “Use Commercial IAM Solutions To Achieve More Than 100% ROI Over Manual Processes” Forrester report.

4 Source: “Native Applications Working Group,” OpenID (http://openid.net/wg/napps/).

5 Also known as work item approval and rejection.

6 For more information, see the “The Forrester Wave™: Risk-Based Authentication, Q1 2012” Forrester report and see the “What You Need To Know About The FIDO Alliance And Its Impact On User Authentication” Forrester report.

7 Encryption is in general availability since the cutoff date.
Forrester Research (Nasdaq:FORR) is a global research and advisory firm serving professionals in 13 key roles across three distinct client segments. Our clients face progressively complex business and technology decisions every day. To help them understand, strategize, and act upon opportunities brought by change, Forrester provides proprietary research, consumer and business data, custom consulting, events and online communities, and peer-to-peer executive programs. We guide leaders in business technology, marketing and strategy, and the technology industry through independent fact-based insight, ensuring their business success today and tomorrow.

113063

Forrester Focuses On Security & Risk Professionals

To help your firm capitalize on new business opportunities safely, you must ensure proper governance oversight to manage risk while optimizing security processes and technologies for future flexibility. Forrester’s subject-matter expertise and deep understanding of your role will help you create forward-thinking strategies; weigh opportunity against risk; justify decisions; and optimize your individual, team, and corporate performance.

About Forrester

A global research and advisory firm, Forrester inspires leaders, informs better decisions, and helps the world’s top companies turn the complexity of change into business advantage. Our research-based insight and objective advice enable IT professionals to lead more successfully within IT and extend their impact beyond the traditional IT organization. Tailored to your individual role, our resources allow you to focus on important business issues — margin, speed, growth — first, technology second.

For More Information

To find out how Forrester Research can help you be successful every day, please contact the office nearest you, or visit us at www.forrester.com. For a complete list of worldwide locations, visit www.forrester.com/about.

Client Support

For information on hard-copy or electronic reprints, please contact Client Support at +1 866.367.7378, +1 617.613.5730, or clientsupport@forrester.com. We offer quantity discounts and special pricing for academic and nonprofit institutions.