MarketScope for Web Access Management

15 November 2013 ID:G00247867
Analyst(s): Gregg Kreizman


Federation requirements for SaaS access, mobile application single sign-on and social login continue to drive feature changes and new and expanded business in the Web access management market. Gartner clients are looking for lower complexity and costs for these features.

What You Need to Know

The Web access management (WAM) market has existed since 1999. Over time, most organizations that needed a WAM tool obtained one, and the market's growth began to decelerate. The nexus forces of cloud, mobile and social — along with other changes — have reinvigorated the market:

  • Mobility — WAM tools have been able to support mobile devices that use browsers as the application user interface. However, "bring your own device" (BYOD) policies have led to mobile device, operating system and browser diversity. WAM tools are challenged by the uptake of native mobile applications that don't use the devices' browsers. WAM vendors' solutions for native mobile apps emerged last year, and are beginning to mature.
  • Cloud — Continued SaaS application adoption accentuates requirements for federation, but the need is being met by vendors selling products in adjacent markets. WAM is not the only answer. This is putting more pressure on WAM vendors to be competitive (see "Choosing Among Federated Identity Management Options").
  • Social Identity and Other Third-Party Identity Integration — The desire for social identity integration to support consumer "sign-up and login with Facebook "-style use cases has pushed vendors to provide federation support using newer REST-based protocols — specifically, OpenID and OpenID Connect underpinned with OAuth. Gartner predicts that there will be an increased use of externally provided identity, from social media and other providers, to access an enterprise's applications.
  • IDaaS — Identity and access management as a service (IDaaS) vendors provide WAM and federation functions, and deliver these in a hybrid cloud/on-premises model. Vendors offering IDaaS are now providing a viable alternative delivery model to on-premises WAM software deployments.
  • Addition of Adaptive Access Features — WAM solutions have always been a tool to abstract and support multiple authentication methods. However, the ease with which individual authentication methods can be bypassed has highlighted the need to augment WAM to provide adaptive access, either by bundling a separate Web fraud detection or similar product or by adding native support for contextual authentication and adaptive capabilities.
  • Open Source — Open-source options for WAM and federation have taken a small share of the overall market from traditional commercial solutions, and some Gartner clients prefer to use open-source software.
  • SharePoint Support — The need for granular SharePoint object access control support beyond "front door" access to a SharePoint site or subsite is becoming more acute for Gartner clients. This is leading some WAM vendors to develop specialized agents for SharePoint.

All vendors continue to incrementally fine-tune their offerings for performance, scale and operating environment support, and they are bundling WAM with other products such as enterprise single sign-on (ESSO), identity federation, externalized authorization management (EAM; see "Technology Overview for Externalized Authorization Management") and Web services security to support new or more complete sets of use cases.

Many prospective customers will continue to buy point solutions, such as basic WAM, EAM and federation technologies, to address niche requirements and fill out a capability set. However, vendors with broad access product portfolios are providing access product suite bundles and real integration among components — particularly for administration, policy management and consolidated activity data. Identity federation will also continue to play a key role in WAM implementations. Support for multiple protocols will be important, with Security Assertion Markup Language (SAML) preferred for the next three years, and OpenID Connect, underpinned by OAuth. OpenID Connect is being implemented by some prominent SaaS providers (see "Technology Overview for Federated Identity Management").

EAM tools may supplement the "new and improved" WAM, or will be incorporated into WAM products to provide finer-grained authorization resolution. Fine-grained authorization will be slowly adopted by enterprises due to the established authorization logic embedded in legacy applications, and challenges such as lack of mature enterprise identity governance to feed EAM tools with quality attributes for access-control decisions. Large players made the greatest gains again this year. Oracle, IBM, CA Technologies and NetIQ gained or held on to the most significant market shares. However, ForgeRock; RSA, The Security Division of EMC; Ping Identity; and SecureAuth had strong sales increases.

Small and midsize businesses (SMBs) offer some growth opportunities, and have been the mainstay of cloud-delivered WAM and federation as a service, although we have begun to see some larger deals being made for IDaaS (see "Are You and the IDaaS Market Ready for Each Other?"). This trend will accelerate and drive the increasing use of service-based WAM and federation delivery.

WAM pricing models and prices remained consistent with 2012 levels. Traditional user-based pricing models are still prevalent. Prices for external users who access protected applications are generally priced at 20% to 25% of the price for internal users. The average list price for basic WAM functionality delivered to a single internal user is in the range of $15 to $20. This price generally begins to drop at the 1,000-user level and above, and continues to drop with volume purchases. Vendors will also create enterprise deals, or sell by the CPU.

We provided vendors with two pricing scenarios and asked for "street pricing" of full costs for software purchase or subscription, and maintenance and support, for a three-year period:

  1. A regional midsize hospital network with six locations, 11,000 total employees, uses predominantly Microsoft .NET-developed applications with some Linux systems for high-performance processing needs. There is a requirement to federate to 10 medical supply companies and an ambulance service. The average price for this scenario was $293,189.
  2. A consumer-facing implementation by a cable operator. One million consumers are registered. Consumers access a set of five WAM-protected applications, and two applications connected via federation. Login with Facebook, Twitter, and Google ID is allowed in addition to a cable-operator-provided consumer ID. Access by each consumer averages once per month. The average price for this scenario was $943,083.

Larger, well-established identity and access management (IAM) vendors were generally priced higher than smaller vendors.


WAM delivers an access control "engine" to provide centralized authentication, generally coarse-grained authorization capabilities (protection of resources that can be referenced by a URL), and an administration component to manage access policies. WAM solutions have delivered these functions to thousands of customers. WAM has provided enterprises with SSO to Web applications, both for internal applications and to applications that service enterprises' customers, partners and other stakeholders. Some core WAM vendors are repositioning WAM as part of a larger access management bundle that includes these other functional components:

  • EAM tools provide centralized fine-grained entitlement enforcement policy repositories and policy decision and enforcement points for new enterprise applications (Web and non-Web). Oracle and IBM have EAM products in their portfolios, and Oracle's now underpins access and administration software bundles. Axiomatics specializes in EAM and is a partner with some WAM vendors that do not have an EAM product (see "Technology Overview for Externalized Authorization Management").
  • ESSO. (See "Market Overview for Enterprise Single Sign-On Tools.")
  • Virtual directories or metadirectories. (See "Virtual Directories: Where Do They Fit In?")
  • Federated SSO. (See "Choosing Among Federated Identity Management Options.")
  • Adaptive access and contextual authentication, alone or as part of Web fraud detection offerings. (See "Magic Quadrant for Web Fraud Detection.")

Emphasis is increasingly being placed on the use of WAM as a first-stage cloud computing solution for SSO. Federation technology, included with or sold as an adjunct to WAM, provides the extension to SaaS applications.

Approximately half of the vendors rated in this report include federation as part of the base WAM product. The availability of open-source federation software and the 2011 introduction of SAML support in Microsoft Active Directory Federation Services have put pressure on WAM vendors that sell stand-alone federation software to reduce their pricing or bundle federation with WAM.

WAM products also provide proprietary integration points for some non-Web applications — in addition to their core function of brokering authentication to Web applications — although the use of WAM for non-Web application access control remains very limited. WAM products may also include basic identity administration. However, vendors that also sell identity governance and administration (IGA) products will either provide the most rudimentary identity administration as part of WAM, or will completely remove user administration functionality in favor of pushing a bundled purchase of WAM and IGA tools. The vendor may offer integration with other IAM tools, but such integration tends to be minimal.

Market/Market Segment Description

The term "WAM" applies to technologies that use access control engines to provide centralized authentication and authorization capabilities for Web applications. WAM products may also include basic identity administration, and audit and federation capabilities, as well as standardized or proprietary integration points for non-Web applications. They also provide a mix of native authentication method support and password, X.509, soft one-time password (OTP) and out-of-band SMS OTP. Third-party authentication methods such as hardware OTP token, biometric authentication or adaptive authentication methods are often integrated by third parties. Contextual access capabilities are becoming more common, such as the ability to use an IP address or inferred geolocation to render an access decision.

WAM Use Cases

The most common use cases for core WAM are:

  • Extranet access, Web SSO: Core WAM functions are ideal for enterprises that wish to provide SSO functionality to Web applications in a consistent fashion for remote employees, partners, citizens or consumers.
  • Intranet access, Web SSO: Core WAM functions can be used to implement a single method of access to internal Web applications within an enterprise network perimeter.
  • Portal access: Core WAM functions (which may include Web SSO) are provided as an access management "front end" to a portal implementation. Often, the WAM solution will be integrated with portal authentication, authorization and administration functions.
  • Multiple SaaS access: Core WAM functions or WAM plus federation can be used to provide Web SSO and access management functions for employees who wish to consume multiple SaaS applications running in a private or public cloud environment.
  • Federation participant: Core WAM and its included or adjunct federation functionality can be used as the access point for a federated network of WAM connections to provide authentication across multiple companies, divisions or separate networks where necessary.

Inclusion and Exclusion Criteria

This market includes general-purpose authentication and authorization engines that mainly enable SSO for multiple Web applications on disparate Web application platforms without requiring client agents. A traditional WAM product consists of access policy administration and enforcement, and it is usually deployed in a proxy or agent architecture, or a combination of these architectures.

WAM products include standards-based federated SSO, or the vendor is expected to sell federation functionality as a companion product, and that product can be sold stand-alone.

ESSO products and SSL-based and other clientless remote-access products may offer basic authentication and coarse-grained authorization for Web-based applications. In some cases, they present strong alternatives to WAM. However, these tools differ from WAM tools:

  • VPNs provide authentication and SSO to Web applications using a proxy architecture. However, they provide little or no authorization functions.
  • ESSO products usually require a client, and therefore are often not appropriate for external user-facing applications. Moreover, ESSO does not provide authorization functions.
  • VPNs and ESSO products generally have not been shown to scale to large, extranet-type populations, with users numbering in the hundreds of thousands or in the millions.

Therefore, products that are primarily considered ESSO or VPN products were excluded. We included WAM vendors that were referenced by Gartner clients and that were able to identity at least 50 production customers and year-over-year growth in customers or user counts.

Vendors Added

  • Ping Identity

Vendors Dropped

  • Atos, which has not demonstrated progress in the market in terms of number of customer implementations

Other Vendors Not in the MarketScope

The following vendors did not meet the market penetration inclusion criteria for WAM. However, these vendors' products may be viewed as functionally sufficient or superior to basic WAM tools for some clients' needs.

  • EmpowerID The EmpowerID WAM system is an extension of the base EmpowerID platform, which includes metadirectory, role-based access control (RBAC) engine, SSO connection framework and workflow automation services for IGA.
  • OpenIAM OpenIAM provides open-source IGA and WAM products in an integrated platform. The WAM product includes federated SSO. OpenIAM products are sold in an open-source subscription model.

Other Alternatives to Commercial WAM Tools

The Jasig Central Authentication Service (CAS) has been implemented broadly within higher education, and is often augmented with Shibboleth for federation capability. The Internet2 Middleware Initiative's Shibboleth federation software has been implemented by hundreds of higher educational institutions, and some governments and private-sector organizations. These are open-source tools with community support.

Microsoft supports WAM-like functionality in Microsoft-only environments with Active Directory Domain Services and Active Directory Federation Services (AD FS), but has left WAM functionality for heterogeneous environments to third-party vendors. Active Directory and AD FS can technically be used as a WAM tool in use cases where Web application servers can leverage users' Active Directory/Kerberos authentication to enable SSO for those applications, and when these applications can use Active Directory group membership as input to authorization decisions. AD FS extends these environments to provide SSO to partner and SaaS applications using either WS-Federation or SAML 2.0 protocols. Microsoft also provides IDaaS, including access control services, through Azure Active Directory. In "Are You and the IDaaS Market Ready for Each Other?" we cover vendors that provide WAM and federation functions from the cloud, and may also offer user provisioning and intelligence functions.

Some Gartner clients are leveraging the basic SSO proxy and federation capability provided by network equipment vendors such as F5 Networks and Juniper Networks. F5's Access Policy Manager is a very capable access manager that is predominantly favored for employee use cases and when other F5 products are already being used.

Rating for Overall Market/Market Segment

Overall Market Rating: Positive

Core WAM has been implemented by more than 10,000 customers over the past decade. It is frequently the starting project for enterprises that need to implement other IAM components. The movement by WAM vendors to enhance products to support changing technological demands, combined with the relative overall maturity of established implementations, earns WAM a Positive rating.

Clients may be concerned that there are no vendors rated Strong Positive in this MarketScope, and that there are many vendors rated Positive. Larger vendors, particularly IBM, Oracle and CA Technologies, have gained many customers and have deployed large-scale, high-performance implementations. However, operational complexity, support complaints or high costs have continued to mar customer perceptions of these vendors' products. Ping Identity, SecureAuth and RSA improved their lots this year. RSA made some solid business gains and some key acquisitions. SecureAuth and Ping Identity have made major gains in customer acquisition and have solid references. The MarketScope is a coarse-grained ratings tool. Therefore, clients are encouraged to give more credence to the vendor write-ups, and to call Gartner to discuss particular vendors to help understand vendors' nuances.

Clients should not automatically dismiss vendors that receive a Caution rating. All vendors rated here have been delivering very capable products to the WAM marketplace. All vendors in this MarketScope have reference customers that rate them highly. Resource constraints, or lack of marketing and sales channels relative to large traditional IAM vendors, may have limited these vendors' abilities to achieve global market penetration or deliver some advanced product features. Nevertheless, these vendors may be completely appropriate for enterprise consideration.

Evaluation Criteria

Table 1. Evaluation Criteria

Evaluation Criteria



Offering (Product) Strategy

A technology provider's approach to product development and delivery that emphasizes innovation, differentiation, functionality, methodology and feature set as they map to current and future requirements. Specific subcriteria are:

  • Product themes
  • Foundational or platform differentiation
  • Strategic focus on enterprisewide access management and service-based functionality
  • Bundled or associated support for REST-based identity specifications: e.g., OpenID and OAuth
  • Dynamic access control — time-or situation- or other dynamic-data-based rules
  • Integration with network access control (NAC) and VPN systems
  • Support for multiple security zones or multiple per-user roles
  • Bundled or associated support for federation to SaaS applications


Vertical/Industry Strategy

The technology provider's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including verticals. Subcriteria are:

  • Breadth of industries represented in the customer base
  • Industry-specific support


Geographic Strategy

The technology provider's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography, either directly or through partners, channels and subsidiaries, as appropriate for that geography and market. Specific subcriteria are:

  • Home market
  • International distribution



Core goods and services offered by the technology providers that compete in/serve the defined market. This includes current product/service capabilities, quality, feature sets, skills, etc. Specific subcriteria are:

  • Password self-service
  • Management of identities
  • Integration with other identity and access management components
  • User interfaces and their usefulness to clients
  • XACML support
  • Fine-grained access control capabilities for Web and non-Web applications
  • Access control policy administration features
  • Global session management
  • Reporting/audit capabilities
  • Multirepository support
  • Interfaces for IAM suites and ESSO products (see "Market Overview for Enterprise Single Sign-On Tools")
  • Bundled or associated identity federation support


Overall Viability (Business Unit, Financial, Strategy, Organization)

Viability includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood of the individual business unit to continue investing in the product, offering the product and advancing the state of the art within the organization's portfolio of products. Specific subcriteria are:

  • Customer acquisition
  • Contribution of WAM to revenue growth


Sales Execution/Pricing

The technology provider's capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel. Specific subcriteria are:

  • Pricing
  • Innovative pricing options
  • Market share

Additional purchases required (for example, relational database management system [RDBMS], application server, Web server and so on).


Customer Experience

Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), the availability of user groups, service-level agreements (SLAs), etc. Specific subcriteria are:

  • Customer support programs
  • SLAs
  • References


Source: Gartner (November 2013)

Figure 1. MarketScope for Web Access Management
Figure 1.MarketScope for Web Access Management

Source: Gartner (November 2013)

Vendor Product/Service Analysis

CA Technologies

CA Technologies continued to hold on to a significant share of the WAM market in 2013 and had reasonable customer gains for the year. CA SiteMinder has market-demonstrated scalability and fault tolerance. It has broad platform support, advanced authentication options, and comprehensive SSO management and administration.

CA continued to refine its CloudMinder offerings as IDaaS alternatives to on-premises deployments. CA customers can augment SiteMinder with AuthMinder, RiskMinder or CloudMinder Advanced Authentication for contextual authentication needs. The solution has a solid set of canned reports and can integrate with CA's User Activity Reporting Module. Other CA Technologies' products are required for full identity life cycle management.

Some limited Web services support was added into SiteMinder. SiteMinder Web Services Security (previously CA SOA Security Manager) is part of the base SiteMinder installation and provides service-oriented application integration. After the first five protected Web services, it is an add-on license that uses the SiteMinder architecture.

CA Technologies acquired Layer 7 Technologies in 2013, which brought extensive add-on support to SiteMinder for Web services security and API management. The Layer 7 Mobile Access Gateway adds significant RESTful standards to support developers creating native mobile applications.

CA now includes use of the SiteMinder Secure Proxy Server, which offers federation functionality for up to five federation partner connections and five protected Web services in the base SiteMinder product. This move should help stave off some competition for customers with minimal federation needs.

Rating: Positive


Entrust provides WAM, wide-focus authentication with IdentityGuard and federation functionality in the access product line. The federation module of GetAccess is included free with WAM and has rich SAML standards support. Support for centralized authentication and authorization via Web services through Secure Transaction Platform (STP) is available at an additional one-time cost. The product comes with prepackaged reports and has access reporting capabilities. As one of the oldest WAM products on the market, it has a rich feature set for administrators (with a flexible delegation model) and developers alike. GetAccess is also one of the most cost-competitive WAM solutions, and established customers rate Entrust support as good.

However, Entrust's product enhancements have resulted from current customer input, and less in response to market forces. The product lacks support for OpenID, OpenID Connect and OAuth, and there is no developer support for native mobile apps. Entrust added support for additional operating systems and databases to host its software and identity repositories, respectively. References confirm that the administrative user interface experience is poor and dated when measured against the offerings of competitors. The company's ability to bid for new customers has been hindered by limited marketing and aggressive competitors, resulting in declining market share and few opportunities for growth.

Rating: Caution


Evidian's Web Access Manager is recognized in Europe as a capable access management tool. Evidian stresses Web Access Manager and integration with its Enterprise SSO product integration, which has been improved in 2013. The vendor offers professional services to ease integration and implementation. This integration results in Active Directory Kerberos support and the use of SAML in its cross-domain SSO support. High-availability options of the software are available at additional cost. An add-on EAM product that supports the XACML standard can provide fine-grained authorization based on directory attributes and WAM rules, and an add-on auditor product can provide some basic intelligence. WAM functionality is well-priced relative to the competition.

Web Access Manager includes federation, and protocol support includes SAML 1.1 and 2.0, OpenID, and OAuth. Evidian's product has prebuilt integration for major social login providers. There is no protocol translation between federation partners. Authentication options are solid. While Evidian's European presence is strong, and some customers have been gained in the U.S. and the Asia/Pacific region, it does not have broad name recognition outside the continent. As a result, Evidian improved its market growth and adoption with its established customers, but customer counts and gains in 2012 remained low compared with larger competitors, and growth has been slow. Evidian provides identity administration and self-service functions as part of Web Access Manager. More-advanced provisioning functions — such as authoritative source integration, white and yellow pages, and workflow — are handled by Evidian's provisioning product, Identity & Access Manager. Password expiry notification and resolution were added this year, as was Windows 64-bit server support.

Rating: Promising


ForgeRock provides WAM, directory and identity administration products using an open-source model similar to Red Hat's. ForgeRock's OpenAM WAM product has Sun OpenSSO as its predecessor. Prior to Sun Microsystems' acquisition by Oracle, Sun's IAM stack was widely deployed and well-regarded by its customers. ForgeRock's customer acquisition momentum was very good in 2012 and the first half of 2013, and the company received a new infusion of venture capital during 2013.

OpenAM includes federation, both coarse- and fine-grained entitlements enforcement, Web services security, contextual authentication, and password replay. The product supports all major federation protocols and use cases. OpenID Connect and OAuth support are included. OAuth 2.0 support and the product's REST API are being used by customers to develop native mobile applications. OpenAM supports a wide choice of authentication methods. Canned reporting is extremely limited. However, event data is logged and can be retrieved and used by reporting tools and security information and event management (SIEM) systems.

References have been very favorable, and ForgeRock continues to build its customer base and work its way toward profitability.

Rating: Positive


IBM has made significant gains in its customer base for its base WAM product, IBM Security Access Manager for Web (ISAM for Web), and Federated Identity Manager (FIM). ISAM for Web includes a virtual appliance installation mode. ISAM for Web is also sold in a hard appliance model, and includes some Web application firewall capability and load balancing for a fixed price. Mobile application support is sold as an add-on to the ISAM for Web software and hardware appliances. Gartner client and reference feedback continues to emphasize IBM's solid technical capabilities and scalability, balanced against concerns with configuration and administration complexity, as well as costs. The appliance approach could lead to more favorable feedback regarding reduced complexity and costs. Currently, IBM tends to be favored by larger organizations with established relationships with IBM for other products.

The product set supports Active Directory Kerberos natively, and has .NET support and some SharePoint integration. ISAM for Web and Federated Identity Manager can expose its event logs to IBM's QRadar for reporting, as well as SIEM products from other vendors. The product is offered through a Web access management IDaaS delivery model, and IBM has a partnership with providers Lighthouse Security Group, Ilantus Technologies and Pirean for IDaaS. IBM has broad technical standards support in access management architecture, and the company has kept pace with newer identity standards by augmenting Federated Identity Manager with OAuth 1.0 and 2.0 support. Federated Identity Manager can join multiple repositories for authentication and authorization, leveraging the embedded IBM Directory Integrator to do so. Another add-on product, Security Policy Manager, is required for fine-grained authorization and Web services security policy management functionality.

Rating: Positive


Ilex sells ESSO, WAM and federation as separately priced options within a single platform — Sign&go — making it one of only a few vendors to do so. These three access functions are managed through the same administrative interface, and share common security servers and underlying repositories.

Ilex supports a relatively diverse set of authentication methods and products, and in 2013, it added out-of-band SMS one-time password authentication. The company supports OpenID and OAuth relying parties. Android and iOS native apps are now supported through a software development kit (SDK) and WebKit approach, and there is an iOS SSO client that is prebuilt with the SDK. There is also a remote thin-client option for mobile using a combination of Dell Wyse and Citrix technology.

There is simple canned reporting and an open-source reporting tool that is included to facilitate custom reports. Self-service password reset is included. Most dynamic authorization decisions are directly configurable, but complex ones can also be addressed by scripting. However, Ilex has added a connector to delegate authorization decisions to an XACML-based externalized authorization manager.

While Ilex's multifunction product has appealed to its customers, the company's greatest challenge to becoming a global player continues to be expanding its customer base, which is almost completely limited to France. Ilex has gained few customers compared with its competitors, and its overall base remains small. However, new customer references and its largest existing customer reference continue to be pleased with the solution.

Rating: Caution

i-Sprint Innovations

i-Sprint Innovations is a division of Automated Systems Holdings, which is a subsidiary of the Teamsun Group. With parent company backing, i-Sprint has been working to expand into the Chinese market and further on into other Asian markets. Solid gains have been made in Asia/Pacific, where i-Sprint chooses to focus, but i-Sprint's footprint has not expanded in other geographies.

Because i-Sprint's background is in banking, its relatively small customer base is concentrated there, with some customers in other industries. There are also government customers. Its banking pedigree has led to a solid focus on strong authentication integration, segregation-of-duties controls and audit functionality. Several authentication methods are supported out of the box, and an add-on authentication service can support additional methods, with voice and fingerprint biometric life cycle support added during the past year. A solid set of canned reports are included. i-Sprint's industry and geographic focus has helped it secure some deals over larger competitors.

The vendor's ESSO, WAM, federation and versatile authentication servers run on a common platform. Authorization functions can support discrete application method invocation based on attribute/value pairs, as well as time and location restrictions. Federation support is basic, with limited OAuth support added to its established SAML 2.0 support.

Automated Systems Holdings' ownership of i-Sprint has helped this year and continues to portend future growth. i-Sprint Innovations currently has a regionally focused, small customer base. Customers in Asia/Pacific should consider i-Sprint for its fundamental WAM capabilities, authentication support and audit capabilities.

Rating: Caution


NetIQ Access Manager (NAM) made solid customer gains in 2012 and 2013. Access Manager is part of a modular and well-integrated IAM offering that also includes user provisioning, ESSO and SIEM. It provides Web SSO in proxy mode with no modification to Web servers, and supports any HTTP-standards-based Web application. Agents are included for major Java containers. NAM includes a full federation service and a self-service password reset function. NetIQ includes a VPN in NAM; however, this feature will be supported but not enhanced in future versions of the product.

NetIQ has begun to modularize its access management offerings with multiple soft appliances to meet specific use cases. For example, CloudAccess provides user provisioning, deprovisioning, federated SSO, proxy-based delegated authentication, and auditing and reporting. It is designed to support the enterprise in employee-to-SaaS administration and access use cases. NetIQ also has SocialAccess, a stand-alone soft appliance for extending access management to social media sites. The appliances are the only offerings that provide OAuth relying party support. NetIQ has also developed enhanced WS-Federation support to enable Microsoft Office 365 use cases. This provides an alternative to Microsoft AD FS.

Support for varied authentication methods is extensive, with NetIQ Sentinel SIEM providing a rich foundation for intelligence and reporting. Integration with ESSO is also good. NetIQ has broad industry customer coverage and a worldwide channel presence.

Compared to its competitors, NetIQ has limited operating system support for its WAM components, and, out of the box, NAM can only support LDAP-enabled directories for identity data stores. Databases can be used with custom integration. There are fewer limitations for Web application platform support — all major Web application platforms are supported. Policy storage is handled by an embedded copy of eDirectory. Authorization granularity is coarse-grained, but NetIQ partners with EAM vendor Axiomatics for fine-grained authorization.

Rating: Positive


In 2013, Oracle continued to enhance and stabilize its 11gR2 Access Management Suite with good customer adoption momentum. While Oracle Access Manager (OAM) and Oracle Identity Federation (OIF) can be purchased independently, Oracle is strongly focused on selling its comprehensive, modularized Access Management Suite (AM Suite). This suite features fully converged WAM, federation, mobile security, social login and security token service (STS) products that are managed with the same administration console, server and back-end data infrastructure. Oracle continued to enhance its mobile and social platform, which uses an SDK or REST interface approach to let developers integrate native mobile apps with AM Suite for authentication and SSO. OAM and AM Suite are also underpinned by Oracle Entitlements Server (OES), which provides fine-grained authorization policy management and enforcement. A purchase of OAM apart from AM Suite includes only a limited-use license of OES, which can be used for fine-grained access decisions for OAM-protected apps only. Oracle continues to lead with its per-processor pricing model. For example, AM Suite components are all sold by the processor quantity needed to run the configurations that meet the customer's performance and resiliency requirements. Oracle also sells OAM by the traditional user-based pricing model, which should benefit customers with smaller implementations. Oracle's mobile and social identity modules provided as part of the AM Suite enhance OAM's ability to serve as OpenID and OAuth relying parties, as well as support mobile device use cases. Access Management Suite Plus includes Oracle Adaptive Access Manager (OAAM) and full use of OES.

The core OAM module has good delegation capability and supports attribute retrieval from multiple repositories in sequence, and simultaneous retrieval with the use of add-on product Oracle Virtual Directory (OVD). All WAM deployment modes are supported (agent, proxy or combo), and the solution supports native failover between server engines and repositories. OAM provides native forced password change functionality and password reset support through a limited-use license of Oracle Identity Manager. SIEM integration is minimal, although, as with other access management products, Oracle's event log data can be exported to established SIEM systems. Oracle's IAM components underpin their public cloud application services and a growing hosted IAM offering; however, the company is not yet offering multitenant IDaaS.

Gartner clients and Oracle's references report that the products scale and perform well, but concerns about implementation and upgrade complexity remain.

Rating: Positive

Ping Identity

Ping Identity provides three offerings: a well-regarded multiprotocol federation product (PingFederate), a reverse-proxy WAM product (PingAccess) and an IDaaS (PingOne). PingFederate supports multiple authentication types, user repositories and devices. Once authenticated, PingFederate can deliver Web SSO to external applications that leverage federation standards, as well as internal SSO for on-premises Web applications through a set of integration kits. Through the integration kits, PingFederate can connect with third-party WAM systems or leverage Integrated Windows Authentication. Overall, Ping Identity's support for OAuth and OpenID Connect is strong, and it is an influential player in standards bodies.

Ping Identity was not included in previous Gartner WAM Magic Quadrants and MarketScopes because PingFederate did not include a policy decision engine to make authorization decisions. The current version (v7.0) supports coarse-grained authorization. PingFederate gathers attribute data from one or more user repositories and makes an authorization decision based on the attribute values. If the user is not authorized, PingFederate will not issue a SAML assertion or OAuth token.

PingAccess, introduced in 2013, is a separately ordered, reverse-proxy-based product that delivers additional authorization via its WAM and API gateway capabilities. PingAccess leverages PingFederate for SSO, authentication and password management — and supports Web browser clients, native mobile applications, and API-based Web services.

PingFederate and PingAccess can integrate with externalized authorization managers for fine-grained access control. Ping Identity has established a partnership with EAM vendor Axiomatics to provide this functionality. Ping Identity has a solid reputation in the market, and its standards-based approach, along with the addition of these authorization capabilities, is helping Ping Identity to grab a significant share of the WAM market.

Rating: Positive

RSA, The Security Division of EMC

In 2013, RSA acquired Aveksa and Passban. The Passban acquisition will help strengthen the capabilities of RSA Adaptive Authentication — a separate offering that supports email, phone, and SMS out-of-band authentication methods and dynamic knowledge-based Q&A. Passban should help fortify Adaptive Authentication by adding device and location context and additional authentication. In 2013, RSA continued to better integrate Adaptive Authentication with Access Manager. It also included other environmental enhancements to update application server and agent-supported platforms.

As a stand-alone WAM vendor, RSA has developed a product architecture with good OS support that allows for integration with multiple competitor IAM solutions. RSA Access Manager offers identity administration functionality, including a three-tiered delegated administration model and a Web-based user self-service console, both of which are relatively customizable compared with other WAM competitors. The company leverages its authentication heritage in use cases where risk-appropriate authentication is required with WAM. It has relatively good channels worldwide, as well as balanced global market penetration and name recognition. Fine-grained authorization is supported. Java & Web services APIs can be used for extending product capabilities.

Federation capability is offered through RSA Federated Identity Manager, which has its own user interface separate from Access Manager. Aveksa's IGA IDaaS offering integrates with OneLogin for SSO and provisioning to SaaS applications, and gives RSA a potentially stronger play in the emerging IDaaS market. RSA will need to rationalize these offerings to provide a cohesive, price-competitive set of IDaaS functionality to the market. In addition, RSA Access Manager has not kept pace with the market regarding support for OAuth and OpenID Connect to support social login use cases and standards-based mobile application authentication and authorization.

Access Manager supports standard password, X.509, NT LAN Manager, Integrated Windows Authentication and RSA Authentication Manager (a separate product), among other methods. Monitoring and reporting require separate products. RSA enVision and RSA Security Analytics are both options. RSA Adaptive Directory is a version of Radiant Logic's Virtual Directory Server. The product is integrated, sold and supported directly by RSA. Customer gains in 2012 and 2013 were significant in terms of RSA's growth, but were modest relative to larger competitors.

Rating: Positive


SecureAuth continued to show solid customer gains in 2012 and 2013, and it added a cloud-hosted offering in 2013.

SecureAuth provides the authentication functions of a WAM, and supports multiple forms of authentication out of the box, as well as federations using multiple protocols. SecureAuth can also function as a bridge to disparate protocols. SecureAuth's product provides authentication to Web applications without using a reverse proxy or target system agents, by using an authentication-and-redirect architecture to accept and assert secure identity tokens in accepted formats, such as SAML 1.1, SAML 2.0, OpenID, IWA, OAuth, LTPA, FBA and WS-Federation. SecureAuth serves up device certificates from its cloud-based service, and these certificates can be used for device authentication to augment other supported authentication methods.

For resources that cannot take an identity assertion, SecureAuth can expose a Web service for the purpose of identity transference. Session management is handled by the target Web applications. The product can read directory attributes and pass these to target applications to be used for authorization decisions.

The product also can conduct authorization for services that can call the SecureAuth server via a Web service. For this functionality, SecureAuth uses a service account to establish elevated rights to check the authorization on the behalf of users that do not have the rights to check such permissions.

SecureAuth may be a good choice for organizations that need basic Web application authentication using an agentless, zero-proxy approach and the ability to provide federated SSO to SaaS applications, and don't need fine-grained authorization support.

SecureAuth fortified its mobile device support in 2012, and has developed an integration toolkit for mobile Web and resident mobile applications; this software development kit operates across iOS, Android and Windows RT mobile operating systems. SecureAuth has been aggressive in meeting customers' needs for product enhancements, and has provided attractive pricing. These factors have helped SecureAuth grab a piece of the WAM market. SecureAuth is also covered in "Magic Quadrant for User Authentication."

Rating: Positive

Strategic Planning Assumption

By 2016, the traditional Web access management market will become a full-fledged access management market as mobile application support, adaptive authentication and fine-grained authorization needs force WAM vendors to provide converged access management products.


The MarketScope for Web Access Management was developed by incorporating existing WAM customer feedback (both from vendor-recommended customers and from direct client contact) with Gartner research, as well as through analysis of feedback from detailed WAM vendor surveys. This was supplemented by vendor briefings.

Vendors Added or Dropped

We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor appearing in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. This may be a reflection of a change in the market and, therefore, changed evaluation criteria, or a change of focus by a vendor.

Gartner MarketScope Defined

Gartner's MarketScope provides specific guidance for users who are deploying, or have deployed, products or services. A Gartner MarketScope rating does not imply that the vendor meets all, few or none of the evaluation criteria. The Gartner MarketScope evaluation is based on a weighted evaluation of a vendor's products in comparison with the evaluation criteria. Consider Gartner's criteria as they apply to your specific requirements. Contact Gartner to discuss how this evaluation may affect your specific needs.

In the table below, the various ratings are defined:

MarketScope Rating Framework

Strong Positive
Is viewed as a provider of strategic products, services or solutions:

  • Customers: Continue with planned investments.
  • Potential customers: Consider this vendor a strong choice for strategic investments.

Demonstrates strength in specific areas, but execution in one or more areas may still be developing or inconsistent with other areas of performance:

  • Customers: Continue planned investments.
  • Potential customers: Consider this vendor a viable choice for strategic or tactical investments, while planning for known limitations.

Shows potential in specific areas; however, execution is inconsistent:

  • Customers: Consider the short- and long-term impact of possible changes in status.
  • Potential customers: Plan for and be aware of issues and opportunities related to the evolution and maturity of this vendor.

Faces challenges in one or more areas:

  • Customers: Understand challenges in relevant areas, and develop contingency plans based on risk tolerance and possible business impact.
  • Potential customers: Account for the vendor's challenges as part of due diligence.

Strong Negative
Has difficulty responding to problems in multiple areas:

  • Customers: Execute risk mitigation plans and contingency options.
  • Potential customers: Consider this vendor only for tactical investment with short-term, rapid payback.