MarketScope for Web Access Management

This document was revised on 13 December 2012. The document you are viewing is the corrected version. For more information, see the Corrections page on gartner.com.

In 2011, we noted that Web access management (WAM; that is, Web-enabled single sign-on [SSO], authentication, basic authorization and administration for Web application access) had matured. There was little differentiation among vendors' offerings, and there was little customer pressure to change this. However, several technological and delivery model changes have combined to add some dynamism to this aging market, with leading vendors addressing market needs:

• Mobility — WAM tools have been able to support mobile devices that use browsers as the application user interface. However, lenient "bring your own device" (BYOD) policies have led to mobile device, operating system and browser diversity. WAM tools are also challenged by the update in mobile resident applications that don't use the devices' browsers. WAM vendors are just beginning to innovate to better support these challenges.
• Cloud — Continued software as a service (SaaS) application adoption accentuates requirements for federation, but the need is being met by vendors selling products in adjacent markets. WAM is not the only answer. This is putting more pressure on WAM vendors to be competitive (see "Choosing Among Federated Identity Management Options").
• Social — The desire for social media ID integration to support consumer "sign up and login with your Facebook ID"-style use cases has pushed vendors to provide federation support using newer representational state transfer (REST)-based protocols.
• IDaaS — Identity and access management as a service (IDaaS) vendors are putting pressure on vendors who only offer WAM software.
• Addition of Adaptive Access Features — WAM solutions have always been a tool to abstract and support multiple authentication methods. However, the ease with which individual authentication methods can be bypassed has highlighted the need to augment WAM with Web fraud detection as part of an overall adaptive authentication strategy. Vendors have been adding adaptive authentication features to WAM or providing separate or bundled product offerings.
• Open Source — Open-source options for WAM and federation have taken a small share of the overall market from traditional commercial solutions.
• SharePoint Support — The need for granular SharePoint object support beyond "front door" access to a SharePoint site or subsite is becoming a more acute need for Gartner clients. This is leading some WAM vendors to develop specialized agents for SharePoint.

All vendors continue to incrementally fine-tune their offerings for performance, scale and operating environment support, and they are bundling WAM with other products such as enterprise single sign-on (ESSO), identity federation, external authorization management and Web services security to support new or more complete sets of use cases.

Many prospective customers will continue to buy point solutions, such as basic WAM, ESSO, externalized authorization managers and federation technologies, to address niche requirements and fill out a capability set. However, vendors with broad access product portfolios will increasingly provide access product suite bundles and real integration among components — particularly for administration, policy, and attribute storage and consolidated intelligence data. As WAM converges with adaptive access management, it will be augmented by technologies such as data loss prevention (DLP) to provide greater granularity and more context for authorization events.

Identity federation will also continue to play a key role in WAM implementations. Support for multiple protocols will be important, with Security Assertion Markup Language (SAML) preferred for the next three years, and OpenID Connect, underpinned by Open Authorization (OAuth), still emerging (see "Technology Overview for Federated Identity Management"). Externalized authorization management tools will supplement the "new and improved" WAM, or will be incorporated into WAM products to provide finer-grained authorization resolution. Fine-grained authorization will be slowly adopted by enterprises due to the established authorization logic embedded in legacy applications and the challenges with changing application development techniques to externalize authorization decisions from applications.

Larger players made the greatest gains again this year. Oracle, IBM, CA Technologies and NetIQ gained or held on to the most significant market shares. However, ForgeRock gained a solid foothold this year. Business has also continued to pick up for RSA Security, Ping Identity and SecureAuth.

Small and midsize businesses (SMBs) offer some growth opportunities, and have been the mainstay of the cloud-delivered WAM and federation as a service, although we have begun to see some larger deals being made for IDaaS (see "A Guide to Making the Right Choices in the Expanding IDaaS Market"). This trend will accelerate and drive the increasing use of service-based WAM and federation delivery.

WAM pricing models and prices remain at 2011 levels. Traditional user-based pricing models are still prevalent. Prices for external users who access protected applications are generally priced at 20% to 25% of the price for internal users. Average list price for basic WAM functionality delivered to a single internal user is in the range is $15 to $20. This price generally begins to drop at the 1,000-user level and above, and continues to drop with volume purchases. Vendors will also create enterprise deals, or sell by the CPU.

WAM delivers an access control "engine" to provide centralized authentication, generally coarse-grained authorization capabilities, and an administration component to manage access policies. WAM solutions have delivered these functions to thousands of customers. WAM has provided enterprises with SSO to Web applications, both for internal applications and to applications that service enterprises' customers, partners and other stakeholders. Some core WAM vendors are repositioning WAM as part of a larger access management bundle that includes these other functional components:

• Externalized authorization managers (EAMs) that provide centralized fine-grained entitlement enforcement policy repositories and policy decision and enforcement points for new enterprise applications (Web and non-Web). Oracle and IBM have EAM products in their portfolios, and Oracle's now underpins access and administration software bundles.
• ESSO. (See "Market Overview for Enterprise Single Sign-On Tools.")
• Virtual directories or metadirectories. (See "Virtual Directories: Where Do They Fit In?")
• Federation. (See "Choosing Among Federated Identity Management Options.")
• Adaptive (risk)-based authentication, alone or as part of Web fraud detection offerings. (See "Magic Quadrant for Web Fraud Detection.")

Emphasis is increasingly being placed on the use of WAM as a first-stage cloud computing solution for SSO. Federation technology, included with or sold as an adjunct to WAM, provides the extension to SaaS applications.

Approximately half of the vendors rated in this report include federation as part of the base WAM product. The availability of open-source federation software and the 2011 introduction of SAML support in Microsoft Active Directory Federation Services have increasingly put pressure on WAM vendors that sell stand-alone federation software to reduce their pricing or bundle federation with WAM.

WAM products also provide proprietary integration points for some non-Web applications — in addition to their core function of brokering authentication to Web applications — although the use of WAM for non-Web application access control remains limited. WAM products may also include basic identity administration. However, vendors that also sell user provisioning products will either provide the most basic identity administration as part of WAM, or will completely remove user administration functionality in favor of pushing a bundled purchase of WAM and user provisioning. The vendor may offer integration with other identity and access management (IAM) tools — for example, ESSO (but this integration tends to be minimal), Secure Sockets Layer (SSL) virtual private networks (VPNs), various authentication methods, and enterprise fraud and misuse management systems.

Market/Market Segment Description

The term "WAM" applies to technologies that use access control engines to provide centralized authentication and authorization capabilities for Web applications. WAM products may also include basic identity administration, very basic role/rule administration, and audit and federation capabilities, as well as standardized or proprietary integration points for non-Web applications. They also provide a mix of native authentication method support, such as password and X.509 authentication, and third-party authentication method support, such as one-time password tokens, biometric authentication or adaptive authentication methods.

WAM Use Cases

The most common use cases for core WAM are:

• Extranet access, Web SSO: Core WAM functions are ideal for enterprises that wish to provide remote access and SSO functionality to Web applications in a consistent fashion for remote employees, partners, citizens or consumers.
• Intranet access, Web SSO: Core WAM functions can be used to implement a single method of access to internal Web applications within an enterprise network perimeter.
• Portal access: Core WAM functions (which may include Web SSO) are provided as an access management "front end" to a portal implementation. Often, the WAM solution will be integrated with portal authentication, authorization and administration functions.
• Multiple SaaS access: Core WAM functions or WAM plus federation can be used to provide Web SSO and access management functions for employees who wish to consume multiple SaaS applications running in a private or public cloud environment.
• Federation participant: Core WAM and its included or adjunct federation functionality can be used as the access point for a federated network of WAM connections to provide authentication across multiple companies, divisions or separate networks where necessary.

Inclusion and Exclusion Criteria

This market includes general-purpose authentication and authorization engines that mainly enable SSO for multiple Web applications on disparate Web application platforms without requiring client agents. A traditional WAM product consists of access policy administration and enforcement, and it is usually deployed in a proxy or agent architecture, or a combination of these architectures. ESSO products and SSL-based and other clientless remote-access products may offer basic authentication and coarse-grained authorization for Web-based applications. In some cases, they present strong alternatives to WAM. However, these tools differ from WAM tools:

• VPNs provide authentication and SSO to Web applications using a proxy architecture. However, they provide little or no authorization functions.
• ESSO products usually require a client, and therefore are not appropriate for external-facing applications. Moreover, ESSO does not provide authorization functions.
• VPNs and ESSO products generally have not been shown to scale to large extranet-type populations with users numbering in the hundreds of thousands or in the millions.

Therefore, products that are primarily considered ESSO or VPN products were excluded. We included WAM vendors that were referenced by Gartner clients and that were able to identity at least 10 production customers and year-over-year growth in customers or user counts.

Vendors Added

• ForgeRock
• SecureAuth

Vendors Dropped

None

Other Vendors Not in the MarketScope

The following vendors did not meet the functional inclusion criteria for WAM. However, these vendors' products are viewed as functionally sufficient or superior to WAM tools for some clients' needs.

Ping Identity — Ping Identity provides three offerings: a well-regarded multiprotocol federation product (PingFederate), as well as the PingOne and Ping Enterprise Identity Bridge for salesforce.com IDaaS services. PingFederate supports multiple authentication types, user repositories and devices. Once authenticated, PingFederate can deliver Web SSO to applications that leverage federation standards, including salesforce.com, Google Apps and Microsoft Office 365. Ping Identity provides integration kits for popular on-premises Web applications that do not support federation standards (for example, third-party WAM systems and applications that leverage Integrated Windows Authentication).

The 6.10 version of PingFederate released this year now supports "token authorization," which provides WAM-like basic authorization for SAML-aware applications. PingFederate gathers attribute data from one or more user repositories and makes an authorization decision based on the attribute values. If the user is not authorized, PingFederate will not issue a SAML assertion for the application.

In addition to its internal authorization engine, PingFederate can integrate with externalized authorization managers for fine-grained access control. Ping Identity has established a partnership with EAM vendor Axiomatics to provide this functionality. Ping Identity has a solid reputation in the market, and its standards-based approach, along with the addition of these authorization capabilities, is helping Ping Identity to grab a share of the WAM market.

Dell (Quest Software) — Quest Software has had a basic WAM tool for several years. However, it has not actively marketed this tool; thus, market penetration is minimal. The acquisition of Symlabs in 2011 gave Quest Software a federation tool, and the 2012 acquisition of BiTKOO has added externalized authorization management to its portfolio.

Other Alternatives to Commercial WAM Tools

Yale University's Central Authentication Service (CAS) has been implemented broadly within higher education, and is often augmented with Shibboleth for federation capability. The Internet2 Middleware Initiative's Shibboleth federation software has been implemented by hundreds of higher educational institutions, and some governments and private-sector organizations. These are open-source tools with community support.

Microsoft supports WAM-like functionality in Microsoft-only environments with Active Directory Domain Services and Active Directory Federation Services (AD FS), but has left WAM functionality for heterogeneous environments to third-party vendors. Active Directory and AD FS can technically be used as a WAM tool in use cases where Web application servers can leverage users' Active Directory/Kerberos authentication to enable SSO for those applications, and when these applications can use Active Directory group membership as input to authorization decisions. AD FS extends these environments to provide SSO to partner and SaaS applications using either WS-Federation or SAML 2.0 protocols. AD FS 2.0, with SAML 2.0 support, was released in April 2010.

In "A Guide to Making the Right Choices in the Expanding IDaaS Market," we cover vendors that provide WAM and federation functions from the cloud, and may also offer user provisioning and intelligence functions.

Rating for Overall Market/Market Segment

Overall Market Rating: Positive

Core WAM has been implemented by more than 10,000 customers over the past decade. It is frequently the starting project for enterprises that need to implement other IAM components. The movement by WAM vendors to enhance products to support changing technological demands, combined with the relative overall maturity of established implementations, earns core WAM a Positive rating.

Clients may be concerned that there are no vendors rated Strong Positive in this MarketScope. Larger vendors, particularly IBM, Oracle and CA Technologies, have gained many customers and have deployed large-scale, high-performance implementations. However, operational complexity, support complaints or high costs have marred customer perceptions of these vendors' products. Some smaller vendors are making solid inroads into the WAM market and are providing sufficient functionality, scalability and performance to meet needs and serve customers that don't want to invest in the large vendors' solutions.

Clients should not automatically dismiss vendors that receive a Caution rating. All vendors rated here have been delivering very capable products to the WAM marketplace. All vendors in this MarketScope have reference customers that rate them highly. Resource constraints, or lack of marketing and sales channels relative to large traditional IAM vendors, may have limited these vendors' abilities to achieve global market penetration or deliver some advanced product features. Nevertheless, these vendors may be completely appropriate for enterprise consideration.

Evaluation Criteria

Source: Gartner (December 2012)

Source: Gartner (December 2012)

Vendor Product/Service Analysis

Atos

Atos DirX Access is a relatively complete offering with proxy and agent support. It includes SAML federation, security token services and fine-grained authorization. The federation functionality, while built-in, is a separately priced component. Emphasis is on standards support, so authorization is XACML-based and LDAP v.3-compliant for directory integration. Supported authentication methods are extensive. The product also exhibits strong service-oriented architecture (SOA) support by exposing core functionality through its native Java foundations. There is import/export support for XACML-based policies as well. Basic user administration functionality is provided, along with delegated administration functionality. However, password management is part of Atos' identity administration product. Fault tolerance and high-availability configurations are supported. While Atos' customers are predominantly European, more than one-third are worldwide, and the company does have global reach from a sales and support perspective.

DirX Access itself does not have out-of-the-box reporting, and depends on the add-on product DirX Audit to provide basic intelligence functions. Atos has few WAM customers compared with most competitors in the market, and did not grow the access business appreciably in 2011 and early 2012. DirX Access is sold and deployed predominantly by Atos' integration teams as part of broader technology deployments. However, the product has been extended for customers to support specific plug-ins for auditing, authentication and interfaces for session management for legacy applications.

Rating: Caution

CA Technologies

CA Technologies held a significant share of the WAM market in 2012. The SiteMinder product continues to show a breadth of function and use across all WAM use cases in every customer segment. SiteMinder has market-demonstrated scalability and fault tolerance. It has broad platform support, advanced authentication options, and comprehensive SSO management and administration.

CA's major focus points for the SiteMinder family this year were rationalizing its product set for on-premises and cloud delivery models (under the CloudMinder brand), and enhancements to support SharePoint agent integration with its DataMinder product to support granular access control based on SharePoint document content, expanded management of SiteMinder agents, additional controls for dynamic Web applications, and enhancements to simplify SiteMinder Federation. CA customers can augment SiteMinder with RiskMinder or CloudMinder Advanced Authentication, which was obtained and enhanced after the 2010 Arcot acquisition. The 12.5 version also upgraded its forgotten password support to include the password reset function. The solution has a solid set of canned reports and can integrate with CA's User Activity Reporting Module. Other CA Technologies' products are required for full identity life cycle management. CA SiteMinder Web Services Security (previously CA SOA Security Manager) provides service-oriented application integration, and is a layered product that uses the CA SiteMinder architecture.

CA is one of the few vendors that sell their federation product separately, generally charging by the federation partner connection. SiteMinder Federation integrates well with the base SiteMinder product for common administration and user session management. However, CA will continue to be challenged by other vendors that include federation within their WAM product, and by vendors that provide federation as part of other product and service types. SiteMinder supports cookie and cookieless session management through its proxy service, thereby enabling access from mobile browsers with varying cookie session management capabilities.

Rating: Positive

Entrust

Entrust provides WAM, risk-appropriate authentication (IdentityGuard) and federation from a single vendor. The federation module of GetAccess is included free with WAM and has rich SAML and other access management standards support. Support for centralized authentication and authorization via Web services through Secure Transaction Platform (STP) is available at an additional one-time cost. The product comes with prepackaged reports and has core intelligence capabilities. As one of the oldest WAM products on the market, it has a rich feature set for administrators (with a flexible delegation model) and developers alike, and enjoys some name recognition in the access market. GetAccess is also one of the most cost-competitive WAM solutions, and established customers rate Entrust support as good.

Entrust GetAccess supports fewer platforms for the main WAM components than competitors (Windows, Solaris and Red Hat Enterprise Linux), although numerous Web target operating systems are supported. References confirm that the administrative experience is poor and dated when measured against the offerings of competitors. Software updates have been made to support Windows 2008, and there have been some updates to the SAML federation protocol and administration support. The company's ability to bid for new customers has been hindered by limited marketing and aggressive competitors, resulting in declining market share and few opportunities for growth. Going forward, Entrust's emphasis will be on leveraging and extending GetAccess functionality toward identity-as-a-service offerings.

Rating: Caution

Evidian

Evidian's Web Access Manager is recognized in Europe as a capable access management addition. Evidian stresses Web Access Manager and Enterprise SSO integration (each a separate product from the company) and professional services to ease integration and implementation. This integration results in Active Directory Kerberos support and the use of SAML in its cross-domain SSO support. High-availability options of the software are available at additional cost. An add-on authorization management product that supports the XACML standard can provide fine-grained authorization based on directory attributes and WAM rules, and an add-on auditor product can provide some basic intelligence. WAM functionality is well-priced relative to the competition.

Web Access Manager includes federation, and protocol support includes SAML 1.1 and 2.0, OpenID, and OAuth. There is no protocol translation between federation partners. Authentication options are solid, and Evidian has added quick response (QR) code authentication to its list of supported methods.

While Evidian's European presence is strong, it does not have broad name recognition outside the continent. As a result, Evidian improved its market penetration, but customer counts and gains in 2011 were low compared with larger competitors, and growth has been slow. Evidian provides identity administration and self-service functions as part of Web Access Manager. More-advanced provisioning functions — such as authoritative source integration, white and yellow pages, and workflow — are handled with Evidian's provisioning product, Identity & Access Manager. Password expiry notification and resolution were added this year, as was Windows 64-bit server support.

Rating: Caution

ForgeRock

ForgeRock provides WAM, directory, identity and administration/user provisioning products using an open-source model similar to Red Hat's. Prior to Sun Microsystems' acquisition by Oracle, Sun's IAM stack was widely deployed and well-regarded by its customers. ForgeRock has been able to attract former Sun developers, and has also created partnerships with established integrators that are experienced with Sun's products. ForgeRock's customer acquisition momentum has been steadily building during 2012, and the company received an infusion of venture capital that it is using to expand its reach.

With its pedigree as Sun OpenSSO, ForgeRock's WAM product, OpenAM, includes federation, both coarse- and fine-grained entitlements enforcement, Web services security, adaptive authentication, and password replay. The product supports all major federation protocols and use cases. OpenID and OAuth support are included. OAuth support and the product's REST API are being used by customers to develop resident mobile applications. OpenAM supports a wide choice of authentication methods. Canned reporting is extremely limited. However, event data is logged and can be retrieved and used by reporting tools and security information and event management (SIEM) systems.

References have been favorable, and ForgeRock continues to build its customer base. Its challenge will be to continue this momentum and achieve sufficient global recognition to compete with larger players.

Rating: Promising

IBM

IBM has made significant gains in its customer base for Federated Identity Manager. IBM subscribes to the concept of core WAM being part of a broader access management architecture in enterprises. The Federated Identity Manager bundle includes Access Manager for e-business (the reverse-proxy-based core access management engine) and federation components. IBM also sells the federation component, called Federated Identity Manager Business Gateway, independently. With an emphasis on federation and more-significant administrative capabilities, Federated Identity Manager seeks to differentiate itself. Gartner client and reference feedback continues to emphasize Federated Identity Manager's solid technical capabilities and scalability balanced against concerns with configuration and administration complexity, as well as costs. IBM tends to be favored by larger organizations with established relationships with IBM for other products.

The product set supports Active Directory Kerberos natively, and has .NET support and some SharePoint integration. Federated Identity Manager can expose its event logs to IBM's QRadar for reporting as well as SIEM products from other vendors. The product is offered through a Web access management IDaaS delivery model, and IBM has a partnership with provider Lighthouse Security Group. IBM has broad technical standards support in access management architecture, and the company has kept pace with newer identity standards by augmenting Federated Identity Manager with OAuth 1.0 and 2.0 support. Federated Identity Manager can join multiple repositories for authentication and authorization, leveraging the embedded IBM Directory Integrator to do so. Another add-on product, Security Policy Manager, is required for fine-grained authorization and Web services security policy management functionality.

Rating: Positive

Ilex

Ilex sells ESSO, WAM and federation as options within a single platform — Sign&go — one of only a few vendors to do so. These three access functions are managed through the same administrative interface, and share common security servers and underlying repositories.

Ilex supports a relatively diverse set of authentication methods and products, and in 2012, it added QR code and virtual keypad authentication. OpenID and OAuth relying party support were also added. There is simple canned reporting and an open-source reporting tool that is included to facilitate custom reports. Integration with user provisioning tools is currently limited to Ilex's Meibo product. Further, Meibo is required for user administration and self-service password reset. Authorization granularity is limited to resources that can be addressed by a URL. Most dynamic authorization decisions are directly configurable, but complex ones can also be addressed by scripting. However, Ilex added a connector to delegate authorization decisions to an XACML-based externalized authorization manager.

While Ilex's multifunction product has appealed to its customers, the company's greatest challenge to becoming a global player continues to be expanding its customer base, which is almost completely limited to France. Ilex has gained few customers relative to competitors, and its overall base remains small. However, one of its new customers has deployed Sign&go in a very large multimillion-consumer-facing implementation. This customer has challenged Sign&go's scalability. Improvements and demonstrated ability to scale should position Ilex well going forward.

Rating: Caution

i-Sprint Innovations

i-Sprint Innovations is a division of Automated Systems Holdings, a subsidiary of the Teamsun Group. With parent company backing, i-Sprint has been working to expand into the Chinese market and further on into other Asian markets. Some gains have been made, but i-Sprint's overall market progress has been slow relative to international competitors.

Because i-Sprint's background is in banking, its small customer base is concentrated there, with some customers in other industries. There are also significant government customers. The banking pedigree has led to a solid focus on strong authentication integration, segregation-of-duties controls and audit functionality. Several authentication methods are supported out of the box, and an add-on authentication service can support additional methods. A solid set of canned reports are included. i-Sprint's industry and geographic focus have helped it secure some deals over larger competitors.

Similar to Ilex, i-Sprint's ESSO, WAM, federation and versatile authentication servers run on a common platform. Authorization functions can support discrete application method invocation based on attribute/value pairs, as well as time and location restrictions. Federation support is basic, with only SAML 2.0 supported.

While the acquisition by Automated Systems Holdings bodes well for the future, i-Sprint Innovations currently has a regionally focused, small customer base. To compete globally, it must demonstrate an ability to grow significantly. However customers in Asia/Pacific should consider i-Sprint for its fundamental WAM capabilities, authentication support and audit capabilities.

Rating: Caution

NetIQ

NetIQ's Access Manager (NAM) made solid customer gains in 2012. Access Manager is part of a modular and well-integrated IAM offering that also includes user provisioning, ESSO and SIEM. It provides Web SSO in proxy mode with no modification to Web servers, and supports any HTTP-standards-based Web application. Agents are included for major Java containers. NAM includes a full federation service that supports all of the major federation protocols, and NetIQ is the only WAM vendor to include a VPN component that can be implemented with Access Manager or on its own service. NetIQ released NAM 3.2 in 2012. It introduced a full 64-bit hosting option to improve performance. NAM 3.2 includes a self-service password reset function.

NetIQ has begun to modularize soft appliances to meet specific use cases. For example, the Access Gateway for Cloud provides user provisioning, deprovisioning, federated SSO, proxy-based delegated authentication, and auditing and reporting. It is designed to support the enterprise employee-to-SaaS administration and access use cases. This appliance is also the only offering that currently provides OAuth2 relying party support.

NetIQ has also developed enhanced WS-Federation support to enable Microsoft Office 365 use cases. This provides an alternative to Microsoft AD FS.

Support for varied authentication methods is extensive, and NetIQ's Sentinel SIEM provides a rich foundation for intelligence and reporting. Integration with ESSO is also good. NetIQ has broad industry customer coverage, and a worldwide channel presence.

Compared to competitors, NetIQ has limited operating system support for the WAM components, and, out of the box, NAM can only support LDAP-enabled directories for identity data stores. Databases can be used with custom integration. There are fewer limitations for Web application platform support — all major Web application platforms are supported. Policy storage is handled by an embedded copy of eDirectory. Authorization granularity is coarse-grained, but NetIQ partners with Axiomatics for fine-grained authorization.

Rating: Positive

Oracle

In 2012, Oracle released Oracle Identity Management 11g R2. While its Oracle Access Manager (OAM) product can be purchased independently, Oracle is strongly focused on selling its comprehensive, modularized Access Management Suite (AM Suite). This suite now features fully converged WAM, federation, mobile security, social identity, and security token service (STS) products that are managed with the same administration console, server and back-end data infrastructure. OAM and AM Suite are also underpinned by Oracle Entitlements Server (OES), which provides fine-grained authorization policy management and enforcement. Oracle Identity Management 11g R2 represents a significant planning and upgrade exercise for established Oracle customers.

Oracle has also changed the thrust of its pricing strategy to a per-processor model. For example, AM Suite components are all sold by the processor quantity needed to run the configurations that meet the customer's performance and resiliency requirements. Although it's in its early days, this model will likely favor large deployments. Oracle also sells OAM by the traditional user-based pricing model, which should benefit customers with smaller implementations. Oracle's mobile and social identity modules provided as part of the OAM Suite enhance OAM's ability to serve as OpenID and OAuth relying parties, as well as support mobile device use cases.

The core OAM module has good delegation capability and supports multiple repositories with the use of add-on product Oracle Virtual Directory (OVD). All WAM deployment modes are supported (agent, proxy or combo), and the solution supports native failover between server engines and repositories. OAM provides password expiry and reset support through a limited use license of Oracle Identity Manager. SIEM integration is minimal, although, as with other access management products, Oracle's event log data can be exported to established SIEM systems. Oracle's IAM components underpin their public cloud application services; however, the company is not yet offering IDaaS.

Rating: Positive

RSA, The Security Division of EMC

In 2012, RSA released a service pack for Access Manager that extend support for out-of-the-box integration with RSA Adaptive Authentication — a separate offering that supports email and phone out-of-band authentication methods and dynamic knowledge-based Q&A. It also included other environmental enhancements to update application server and agent-supported platforms. EMC's acquisition of Silver Tail Systems, a Web fraud detection vendor, will likely bolster RSA's position in authentication and access management markets.

As a stand-alone WAM vendor, RSA has developed a product architecture with good OS support that allows for integration with multiple competitor IAM solutions, particularly user provisioning. EMC has a strategic IAM partnership with Courion for IAM suite opportunities. RSA Access Manager offers identity administration functionality, including a three-tiered delegated administration model and a Web-based user self-service console, both of which are relatively customizable compared with other WAM competitors. The company leverages its authentication heritage in use cases where risk-appropriate authentication is required with WAM. It has relatively good channels worldwide, as well as balanced global market penetration and name recognition. Fine-grained authorization is supported, with Java and Web services applications that can be invoked based on repository attributes. Federation capability is offered through Federated Identity Manager, which has its own user interface separate from Access Manager. RSA also introduced Adaptive Federation as a service offering this year.

Access Manager supports standard password, X.509, NT LAN Manager, Integrated Windows Authentication and RSA authentication, among other methods. Monitoring and reporting require separate products. RSA enVision is an option. RSA Adaptive Directory is a version of Radiant Logic's Virtual Directory Server. The product is integrated, sold and supported directly by RSA. Customer gains were significant in terms of RSA's growth, but were modest relative to larger competitors.

Rating: Promising

SecureAuth

SecureAuth provides the authentication functions of a WAM, and can support multiple forms of authentication, and supports federations using multiple protocols. SecureAuth can also function as a bridge to disparate protocols. SecureAuth's product provides authentication to Web applications without using a reverse proxy or target system agents, by having embedded logic to accept and assert secure identity tokens in accepted formats, such as SAML 1.1, SAML 2.0, OpenID, IWA, OAuth, LTPA, FBA and WS-Federation. For resources that cannot take an identity assertion, SecureAuth can expose a Web service for the purpose of identity transference. Session management is handled by the target Web applications. The product can read directory attributes and pass these to target applications to be used for authorization decisions.

The product also can conduct authorization for services that can call the SecureAuth server via a Web service. For this functionality, SecureAuth uses a service account to establish elevated rights to check the authorization on the behalf of users that do not have the rights to check such permissions.

SecureAuth may be a good choice for organizations that need basic Web application authentication using an agentless, zero-proxy approach and the ability to provide federated SSO to SaaS applications, and don't need fine-grained authorization support.

SecureAuth fortified its mobile device support in 2012, and has developed an integration toolkit for mobile Web and resident mobile applications; this software development kit operates across iOS, Android and Windows RT mobile operating systems. SecureAuth has been aggressive in meeting customers' needs for product enhancements, and has provided attractive pricing. These factors have helped SecureAuth grab a piece of the WAM market. SecureAuth is also covered in "Magic Quadrant for User Authentication."

Rating: Promising