Magic Quadrant for Access Management, Worldwide

Published: 07 June 2017 ID: G00315479



The access management market has evolved beyond supporting traditional web applications to support mobile applications and APIs, as well as adding contextual and adaptive access features. Vendors offering an IDaaS option outnumber those that don't, and now there are more choices than ever.

Strategic Planning Assumptions

By 2019, more than 80% of organizations will use access management software or services, up from 55% today.

By 2021, IDaaS will be the majority access management delivery model for new purchases, up from less than 20% today.

Market Definition/Description

Access management (AM) applies to technologies that use access control engines to provide centralized authentication, single sign-on (SSO), session management and authorization enforcement for target applications in multiple use cases. Access managers have evolved from early "web access managers." Target applications may have traditional web application architectures using web browsers and web application servers, and these applications may run on customers' premises or in the cloud. Capabilities have expanded to support native mobile or hybrid mobile applications. In addition, these applications may run on internet-connected things with or without human operators. Protected target resources may include on-premises or SaaS applications and web services APIs across business-to-employee (B2E), B2B and B2C use cases.

AM tools may also include the following noncore functionality:

  • Basic identity administration, such as self-service registration and user profile updates.

  • Password reset.

  • Enterprise mobility management (EMM).

  • Basic identity synchronization to a limited set of target systems.

  • Identity repository services to hold attributes used in access decisions.

SSO is provided using some combination of proxy and agent architectures, and standards-based identity federation. AMs may also support password vaulting and forwarding for target applications that are not easily interfaced with proxy or agent, or with federation standards. Gartner recommends against using password vaulting and forwarding unless the customer is willing to accept the associated risks of potential password compromise. AMs support a mix of built-in or bundled user authentication capabilities and can also be integrated with other third-party user authentication tools. AM tools support session management and allow for the initiation and termination of user sessions based on configured policies.

Built-in or bundled contextual and adaptive access control capabilities are becoming more common. These capabilities apply rules or analytics to stored and contextual data to trigger adaptive access policy decisions that can require trust elevation, such as requiring additional user authentication methods or requiring that a process be completed, such as contacting a help center. AMs may also support bring your own identity (BYOI), for example, through the use of social identity integration for purposes of registration, account linking (to established accounts) and user authentication.

This Magic Quadrant focuses on vendors that deliver AM functionality to support multiple common use cases, and that provide solutions in software or hardware appliance form factors, or as a service to meet customer requirements for access control to applications and services on-premises or in private and public clouds.

Magic Quadrant

Figure 1. Magic Quadrant for Access Management, Worldwide
Research image courtesy of Gartner, Inc.

Source: Gartner (June 2017)

Vendor Strengths and Cautions

Atos (Evidian)

Evidian provides its Web Access Manager as software. It uses a proxy architecture to house the policy decision points and enforcement points, and can work as an identity provider (IdP) for the SAML protocol simultaneously. Agents with the same architecture as the proxy can be installed on application servers for performance improvements, for example, in high-volume transactional environments. The product comes bundled with an OpenLDAP directory service implementation that customers can use, or they can use other LDAP-exposed directories.

  • References reported that features and performance are overall very good.

  • Web Access Manager provides good contextual and adaptive access.

  • Evidian has IGA and traditional enterprise single sign-on (ESSO) tools that help it synergistically support new and legacy apps.

  • Evidian's scenario pricing average was in the lowest one-third of vendors rated in this Magic Quadrant.

  • The current product supports OpenID Connect as a relying party only.

  • Evidian IGA or a third-party tool must be used for reporting logged access events.

  • Most of Evidian's business is in Europe, and marketing efforts outside of Europe have been inadequate and need to be improved for the company to grow in a crowded market.

  • Evidian lacks an IDaaS offering, which could be problematic as buying organizations are trending toward favoring IDaaS solutions.

CA Technologies

CA Technologies offers core AM functionality through its on-premises CA Single Sign-On (SSO; formerly Siteminder) software product and its cloud offering, CA Identity Service. The CA Identity Service made its market debut in late 2016. CA Technologies augments its foundational AM offerings with the CA Advanced Authentication product that provides contextual/adaptive access, and CA API Management that is a full-life-cycle API management product that includes an API gateway. CA Technologies also has identity governance and administration (IGA) and privileged access management (PAM) tools to round out its identity and access management (IAM) portfolio.

  • CA Technologies has significant sales channels and a sizable customer base for its IAM products.

  • CA Technologies can now offer its customers a choice of cloud, software and hybrid delivery models, and, thus, provides its existing AM customers an identity and access management as a service (IDaaS) that integrates with CA SSO and provides an alternative to other IDaaS-based providers.

  • CA Advanced Authentication used in combination with CA SSO provides synergy through a wide variety of choices in user authentication methods and contextual and adaptive access methods.

  • CA SSO has been proven over many years to support high-scale needs across multiple use cases, and its mixture of proxy and agent-based architectures allows CA Technologies to support a variety of new and legacy web and mobile applications.

  • CA Identity Service is in its early days. CA Technologies will need to expand the feature set and the scope of SaaS target system support to compete outside of its installed software customer base, particularly for the use case of workforce users with needs to access a large volume of SaaS applications.

  • Customers using CA Identity Service and CA SSO in a hybrid configuration must use different management interfaces to set up access control for apps under control of each offering.

  • At this time, the Identity Service supports only the out-of-band SMS authentication method. CA SSO or Advanced Authentication is required to obtain additional methods. CA SSO is required to support customers' applications hosted on-premises.

  • As of the analysis date, CA Technologies did not support OpenID Connect (OIDC) in CA SSO or the CA Identity Service. Since then, CA SSO 12.7 has been released with support for OIDC as an identity provider but not a relying party.


Centrify

Centrify's Identity Service is an IDaaS offering. Its base AM functionality provides web application SSO using federation standards or password vaulting and forwarding, and there are application plug-ins for common app servers to support customers' on-premises apps. Lightweight identity administration features to support some of customers' apps are also part of the service. The service comes with integrated EMM capabilities that provide many of the features of stand-alone EMM vendors. Notable EMM features include security configuration and enforcement, device X.509 credential issuance and renewal, remote device location and wiping, and application containerization. Centrify also sells PAM functionality.

  • Centrify has broad sales channels with many partners worldwide.

  • Centrify's base product includes an application proxy gateway to support customers' on-premises applications that use common web application servers. This functionality can obviate the need for a separate VPN if the apps protected by Identity Service are the only apps in scope for support.

  • Centrify's Identity Service provides a broad set of user authentication methods to choose from, including out-of-band (OOB) push mode and mobile endpoint biometric modes.

  • Centrify's integrated mobile device management (MDM) feature set provides the ability to provision X.509 credentials and applications to mobile device endpoints and to use deep device context to render access decisions for workforce use cases.

  • Centrify provides common platform components for adaptive multifactor authentication (MFA), SSO, federation, remote access and risk analytics to deliver consistent access management functionality that supports different use cases including those for both regular and privileged users.

  • Centrify Identity Service does not currently protect APIs, and OAuth support is limited to underpinning OpenID Connect for SSO flows.

  • Centrify has the technological capabilities to support B2B and B2C use cases; however, the company has yet to gain market traction for these use cases.

  • Customers for Centrify Identity Service are predominantly in the small business to midsize enterprise range, with global enterprise deals being more rare.

  • Integration of applications with password vaulting and forwarding functions is not as easy as with other solutions covered in this Magic Quadrant, and clients report that this functionality is in an early state of maturity.


Covisint

Covisint sells AM functionality through its Identity Platform, an IDaaS offering. User administration — including delegation — audit and reporting are part of the platform. The AM functionality is split between two tiers of service: the Core service level includes user authentication and adaptive access capabilities, and the Enterprise service level also includes SSO. Covisint sells in a direct model and through partners such as Cisco and Tech Mahindra that embed Covisint's platform in other offerings. Following the analysis for this Magic Quadrant, Covisint and OpenText announced an agreement for OpenText to acquire Covisint.

  • Covisint continues to show leadership in support of Internet of Things (IoT) initiatives, particularly in the automotive industry. The company has also gone to market with partners to support other IoT use cases. It continued to deepen its entity relationship management capabilities, specifically to support complex relationships among identities, entitlements and things.

  • Covisint made its service granularly accessible through microservices and APIs; it can be implemented in public or private cloud, and it can be delivered to support partners that white-label the offering.

  • Covisint excels in B2B use cases that require complex application integrations.

  • Covisint's access management capabilities have synergies with its IoT Platform and Connected Vehicle Platform.

  • Covisint does not provide traditional web access management (WAM) functionality that can support customers' applications that need reverse-proxy-style architectures, although the vendor has demonstrated integration with other common AM solutions to support this need.

  • While the Identity Service can provide federated access to SaaS, Covisint has not prioritized SaaS enablement and does not compete against vendors that have done so.

  • Although it can support workforce-to-SaaS scenarios, Covisint's focus on large customers with enterprise B2B use cases will make it a less likely choice for small and midsize enterprises.

  • Covisint has made investments in its technology and in sales and marketing, which have contributed to its continued lack of profitability since separating from Compuware in 2014.


ForgeRock

ForgeRock has moved from a product segmentation model that had four core IAM products, two of which provided AM functionality, to a platform model that is sold by function. The Access Management, Access Gateway, and User-Managed Access products comprise the AM part of the offering set. ForgeRock also has user provisioning and directory products that share common components with AM products. The platform uses the software delivery model and ForgeRock partners to deliver the functionality as managed and hosted services. The products are available in an open-source model, and maintenance and support are sold by ForgeRock.

  • Gartner clients and reference customers tell us that ForgeRock's products scale and perform well.

  • ForgeRock is one of the few vendors in the AM market that provides user-managed access (UMA) support and API target protection with authentication, authorization and traffic throttling functions.

  • ForgeRock's capabilities and strategy for supporting IoT are advanced relative to most vendors in this market.

  • ForgeRock has had particular success in selling to consumer IAM use cases.

  • ForgeRock's average scenario pricing provided for this Magic Quadrant was one of the lowest.

  • One of ForgeRock's product strengths is that customers have access to the source code and can customize it. However, feedback from the portion of Gartner clients and ForgeRock references who have chosen to customize indicates that significant in-house or third-party skills are needed for such customization, and the implementations can lead to problems with support.

  • While ForgeRock has made fairly rapid customer gains in its seven-year lifetime, the vendor is venture-funded and details of its profitability are not yet public.

  • ForgeRock will face increasing pressure from competition for IoT use cases. It will need to expand investment to stay ahead.

  • ForgeRock lacks its own IDaaS offering, which could be problematic as buying organizations are trending toward favoring IDaaS solutions.


IBM

IBM delivers AM functionality in appliance and IDaaS forms. IBM Security Access Manager (ISAM) is the hardware or software-based appliance that comes with all functionality available, but enabled as customers license the different modules. ISAM also includes web application firewall (WAF) functionality. IBM Cloud Identity Service (CIS) runs on IBM SoftLayer IaaS and a significant portion of the CIS is underpinned by the same technology in ISAM. However, the offerings vary in their support for different user authentication methods, SSO specifications, social identity integration, and the extent to which target applications are enabled out of the box versus manual configuration. IBM has a large portfolio of products to cross-sell with AM including an API gateway and other IAM and security products.

  • IBM is a profitable global company with a history of strong traction in the AM markets and a large installed base for ISAM.

  • IBM's product and service offerings provide broad support for multiple AM use cases.

  • IBM has built a WAF into ISAM, potentially alleviating the need for customers to have a separate WAF product.

  • References report good experiences with IBM's sales and support staff, and are overall satisfied with ISAM and CIS offerings.

  • Since IBM's offering targets enterprises with complex needs, the startup costs for the service are higher relative to most other vendors in this Magic Quadrant, partly due to the need for professional services.

  • While the availability of out-of-the-box SaaS application connections is improving, CIS does not rival other vendors that have built extensive SSO integrations. This makes IBM's CIS offering a less likely choice for support of the workforce-to-SaaS use case, particularly with midsize and smaller enterprises.

  • CIS does not yet support push mode and biometric authentication.

  • IBM tends to be overlooked by Gartner clients that are not already IBM customers.

i-Sprint Innovations

Singapore-based i-Sprint Innovations delivers its AccessMatrix Universal Access Management (UAM) as software. In 2011, the company was acquired by Teamsun Group in China, and this has provided i-Sprint entry to the Chinese market. UAM was initially developed to meet the needs of i-Sprint Innovations' banking customers. The company also offers a stand-alone or integrated user authentication product, an enterprise single sign-on product to support legacy applications with password vaulting and forwarding, and a PAM toolset.

  • The backing and locality of i-Sprint Innovations' parent company has enabled i-Sprint to move into China and Southeast Asian markets.

  • i-Sprint Innovations has grown its channel partner network, and while it is early days in these relationships, this network will likely help it with customer acquisition and revenue growth.

  • UAM has deep encryption functionality and delegated administration functionality to support segregation of duties (SOD) needs and granular policy setting for different user populations.

  • i-Sprint Innovations' average scenario pricing provided for this Magic Quadrant was one of the lowest.

  • UAM has global session management, but lacks granular session management for individual applications found in other software-based AM products and services.

  • While social sign-on is supported, registration of a social identity is not directly enabled in the product. Administrators must set up users' accounts to support subsequent sign-on, or developers must develop to UAM's user registration API to support social registration.

  • i-Sprint Innovations has implemented its products for banks to support some large consumer use cases. However, the vendor is relatively small and has mostly small and midsize enterprises as customers.

  • i-Sprint Innovations has few customers outside of the Asia/Pacific region, and its marketing execution is limited.

Micro Focus

Micro Focus delivers its Access Manager as software and, since late 2016, as a service. Access Manager comes with some contextual access features and the company sells a separately licensed Advanced Authentication Framework product. Micro Focus also sells directory, IGA, PAM and ESSO products, as well as other security and IT operations products. At the time of this writing, Micro Focus was in the process of merging with Hewlett Packard Enterprise's Software Business Segment.

  • Micro Focus Access Manager supports all major use cases, and it has features that make setting up a B2B federation hub configuration relatively straightforward.

  • Micro Focus has a wide sales channel for distribution.

  • Micro Focus Access Manager comes with an analytics component to support canned and custom reporting on AM events.

  • Micro Focus is a long-standing vendor with a mature AM product.

  • Micro Focus has a considerable customer base, which continues to grow; however, the company lags market leaders in new customer acquisition.

  • Micro Focus has not marketed its products well and lacks use of broad channels for marketing, which inhibits brand awareness of Micro Focus for AM.

  • The Micro Focus IDaaS offering is very new, and the vendor has not yet achieved proven and significant market penetration for customers with different use cases, especially for the use case of workforce users with needs to access a large volume of SaaS.

  • Access Manager does not currently protect API targets.


Microsoft

Microsoft's AM offering is Azure Active Directory (Azure AD) Premium. It uses an IDaaS delivery model, and therefore includes Azure AD Connect to support on-premises directory integration and synchronization. Additionally, it includes Active Directory Federation Services (AD FS) as an option to support SSO. AD FS has also been widely deployed on its own for many years. Azure AD Premium includes reporting, security analytics and multifactor authentication, and limited user provisioning functionality for SaaS apps. It also includes a license to use Microsoft Identity Manager, its software tool, which provides identity synchronization with some workflow support for on-premises systems. Microsoft has a broad portfolio of infrastructure, platforms, applications and services, many of which are underpinned by Azure AD.

  • Microsoft has had significant success selling Azure AD Premium usually bundled with other offerings such as Office 365, and the Enterprise Mobility + Security and Secure Productive Enterprise suites.

  • Microsoft has broad international presence for its service offerings, and continues to leverage its channels worldwide to grow its service adoption.

  • Microsoft's strategy continues to demonstrate a strong understanding of the market trends that will shape its offerings going forward, and this is underscored by the company's bundling of IAM, EMM, rights management and cloud access security broker (CASB) functionality.

  • Microsoft has a substantial set of services and a very large customer base. The company has been able to take data from myriad service interactions and its experiences protecting its online assets from threats and turn that data into functional service components that give customers threat analytics and contextual access controls.

  • Customers may need multiple product components to bring non-SaaS applications under common management and to give users a single dashboard view into their applications. Microsoft AD FS, the Microsoft Application Proxy component of Azure AD and products from Ping Identity may all be needed — the latter for apps that cannot easily support federation standards or reverse-proxy technology.

  • Microsoft's support is solid for workforce users accessing SaaS applications. Consumer and business-to-business components of Azure AD Premium offerings are relatively immature and not yet geared for strategic buyers looking for packaged functionality to enable their external constituencies.

  • Microsoft's average scenario pricing provided for this Magic Quadrant was one of the highest. Gartner clients have also articulated concerns about Microsoft's B2C pricing model, which includes components for named users and authentication transactions, thereby making it difficult to budget for the service unless organizations have reliable estimates for these metrics.

  • Registration and sign-on functionality to use social media identities is supported. Linking social identities to an established identity is not yet publicly available.


Okta

Okta delivers AM functionality using a multitenant IDaaS model, with lightweight on-premises components for repository and target system connectors. The vendor also delivers reporting and identity administration and provisioning capabilities. AM is provided for web-architected applications, and API protection was added in 2016. The vendor also has an integrated mobility management product.

  • Okta continued to invest heavily in sales, marketing and product development. The strategy paid off with a robust rise in customer acquisition, and the company went public in April 2017.

  • References and Gartner clients have continued to report predominantly positive experiences with rapid implementation, service functionality, reliability and support.

  • Okta added API access management as a service, thereby demonstrating an understanding of market dynamics and the increasing need to protect APIs.

  • Okta acquired Stormpath, a vendor that provided a developer-centric IDaaS offering. The acquired intellectual property and people should help Okta make the Okta Platform's APIs easier to use.

  • Okta's market expansion and its decision to go public incurred significant expenditures, and the company went into the IPO reporting a large net loss.

  • Okta raised its prices significantly during the past year, and Okta's average scenario pricing provided for this Magic Quadrant was one of the highest.

  • Okta does not have a reverse-proxy component to support applications that need HTTP header-based authentication, like those provided by traditional WAM tools. Okta partners for this functionality with F5 Networks, Palo Alto Networks, Citrix and ICSynergy.

  • While having EMM integrated with identity services is a positive, that integration is limited to administration and application provisioning. The EMM offering is not yet delivering device context information that can be used in access enforcement.


OneLogin

OneLogin delivers AM functionality in IDaaS, and lightweight integration components are used for on-premises connections. IAM is OneLogin's core business. AM functionality is delivered through a service and a customer-hosted access manager for support of customers' traditional web applications. The vendor also delivers basic identity administration and provisioning capabilities for cloud apps, as well as reporting functions.

  • OneLogin provides an AM that supports web applications that need reverse proxy and agent technology, thereby bringing all of customers' web applications under management of the IDaaS and making them accessible in users' application dashboards.

  • OneLogin Desktop allows Windows and Mac users to authenticate to OneLogin's cloud directory service using the desktop operating system login, and to gain access to the customer's web-based applications without using local directory services or a VPN.

  • OneLogin delivers a virtual LDAP service, which enables application servers, VPN and Wi-Fi networking components that need LDAP authentication and attribute retrieval to use OneLogin as an LDAP server.

  • The vendor acquired Portadi in 2016, which allowed OneLogin to give its users more flexible and capable onboarding of apps that require password-based authentication. OneLogin also acquired Sphere Secure Workspace to add a mobile app container capability to its offerings.

  • OneLogin's references and Gartner clients continue to report positive experiences with rapid implementation, service functionality, reliability and support.

  • OneLogin continues to face increased competition from larger vendors. It is venture-funded and details of its profitability are not yet public.

  • At the time of analysis, OneLogin did not yet support OIDC. OIDC identity provider support, but not relying party support, has since been added to the service.

  • Features for user self-service profile data update are limited, which may increase customers' development effort for B2C use cases.

  • OneLogin's vision and strategy are focused on IAM, which can make it a lower-priority choice for prospects looking for an AM vendor that has a broader offering set in security and adjacent markets.

Optimal IdM

Optimal IdM delivers AM as software and an IDaaS. Its Optimal Federation and Identity Services (OFIS) is its on-premises software offering and The OptimalCloud is the single-tenant IDaaS offering. The OptimalCloud product includes the core offering, and there are separate offerings for authentication and reporting. Optimal IdM's products and services evolved from the vendor's early days as a virtual directory provider with specialty offerings to support SharePoint integration. This is Optimal IdM's first appearance in a Gartner Magic Quadrant.

  • The OptimalCloud is delivered as a managed and hosted service configured by the vendor and run on private dedicated servers. This allows customers to have some flexibility in the functionality that is delivered, but the work is performed by the vendor.

  • Optimal uses a flat-fee pricing model for its services that is tenant-based — not user- or transaction-based. This provides consistent budgeting for customers.

  • Optimal IdM's pedigree in virtual directory products can help customers incorporate data from multiple disparate identity repositories in access decisions.

  • Optimal IdM is a small vendor focused on IAM; however, it has not demonstrated a broader vision and strategy. The company will need to expand its resources and its marketing, sales, and support programs to compete globally and beyond its core competencies.

  • The OptimalCloud supports social identity registration and sign-on functionality. OFIS does not.

  • OFIS does not have contextual access control features, and The OptimalCloud has only basic contextual endpoint identification using endpoint software profiles.


Oracle

Oracle delivers AM through its long-standing Oracle Access Management (OAM) suite as software and through Oracle Identity Cloud Service (IDCS). The OAM suite brings together functionality provided by formerly separated products for proxy- and agent-style web access management, federated identity management, adaptive access, and fine-grained access management. IDCS became generally available in late 2016. IDCS is delivered on top of Oracle's IaaS and PaaS. These two offering sets allow Oracle to service hybrid IAM needs for cloud and on-premises application sets. The company can leverage a large portfolio of other products and services for selling IAM as well.

  • Oracle is a large, profitable company with global direct and indirect sales channels.

  • Oracle has one of the largest installed bases in the market for AM products, and these products have been used in large enterprises for complex needs.

  • OAM suite has broad contextual and adaptive access support.

  • The combination of OAM suite and IDCS gives Oracle the ability to support the full set of target web application and cloud architectures and to manage the policies and access entitlements through one administrative interface.

  • Oracle's strategy and its developments and acquisitions demonstrate its understanding of IAM markets and a future in which IAM underpins applications and platforms.

  • Gartner clients and Oracle's references indicate that OAM is complex to implement and requires skills that are difficult to obtain in the market, and to retain.

  • IDCS is in its early days. Oracle will need to expand the feature set and the scope of SaaS target system support to compete outside of its installed software customer base, particularly for the use case of workforce users with needs to access a large volume of SaaS.

  • OAM does not have any user administration and password reset function services built in, which clients tend to require when buying AM stand-alone and when they don't own other password management tools. Oracle sells its Identity Governance product, which includes these features.

  • Oracle API Management is a new and separate service, and the integration between Oracle's access management products and this service was not generally available at the time of the assessment. The integration has been made available.

Ping Identity

Ping Identity (which was acquired by Vista Equity Partners in 2016) provides AM functionality using software and IDaaS delivery models. PingFederate together with PingAccess form the software delivery offerings. PingOne Cloud is Ping Identity's multitenant IDaaS. The company also sells the PingID authentication service that can be used with its software or IDaaS AM tools. PingFederate and PingAccess provide bridge connectivity for PingOne when customers need support for on-premises or private cloud-based applications.

  • Gartner clients and Ping Identity's references regularly report positive experiences with the vendor's sales support, its products and its technical support.

  • The acquisition of Ping Identity provided the company the capital it needed for development and its own acquisitions.

  • Ping Identity has broad vertical and geographic market penetration through its value-added reseller (VAR) and system integrator partner networks.

  • Ping Identity is one of the few AM vendors covered in this Magic Quadrant that can provide the authentication and authorization support for API targets.

  • Ping Identity's market emphasis is on large enterprise customers. The company's average scenario pricing provided for this Magic Quadrant was well above average. This is one of the factors that makes its AM offerings less attractive to midsize and small organizations.

  • Ping Identity's access event reporting is rudimentary for its software and IDaaS offerings.

  • Password vaulting and forwarding is supported by the PingOne IDaaS, but not by Ping Identity's software products.


SecureAuth

SecureAuth provides appliance and IDaaS delivery models for AM. SecureAuth's Cloud Access IDaaS offering was new in 2016. SecureAuth IdP was the company's original AM offering and represents the vast majority of what SecureAuth has sold into the market. The vendor sells IdP in different tiers, with the higher tiers providing adaptive access and phone fraud protection.

  • SecureAuth IdP has the broadest set of user authentication methods supported of all AM vendors covered in this Magic Quadrant.

  • SecureAuth IdP has a broad set of adaptive access features and is the only vendor covered in this Magic Quadrant that provides functionality to protect against fraudulent transference of users' phone numbers to new devices and to new carriers. This functionality can inhibit attackers' abilities to assume the device's identity and intercept authentication challenges rerouted from legitimate users to the attacker.

  • SecureAuth IdP has a solid set of user administration and self-service functionality. The product also performs user provisioning to a small set of SaaS applications.

  • While the SecureAuth Cloud Access service is new and is missing some features relative to the IdP product, the vendor is able to support hybrid on-premises and cloud use cases and is able to provide customers with alternative delivery models for core AM features.

  • The Cloud Access service is new and unproven in the broader market.

  • SecureAuth Cloud Access has no support for OAuth, and OpenID Connect support is limited to being an OpenID Connect relying party. Therefore, there is no API target support.

  • SecureAuth Cloud Access service must be used in combination with SecureAuth IdP to obtain social identity registration and to link to an established enterprise identity.

  • The vendor's strategy and its limited resources will likely inhibit its ability to sell to customers looking for broader IAM functionality from a single vendor.

  • SecureAuth's average scenario pricing provided for this Magic Quadrant was one of the highest.

Vendors Added and Dropped

We review and adjust our inclusion criteria for Magic Quadrants as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant may change over time. A vendor's appearance in a Magic Quadrant one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. It may be a reflection of a change in the market and, therefore, changed evaluation criteria, or of a change of focus by that vendor.

This is a new Magic Quadrant.

Inclusion and Exclusion Criteria

Vendors evaluated in this Magic Quadrant for access management must have had 400 discrete AM customers, each with their own contracts, at the end of 2016. AM products that cannot support, or are not marketed to support, all major use cases (workforce B2E, B2C and B2B) were excluded. For example, solutions that are mostly marketed to support only B2C uses were excluded.

The following functionalities are required for a vendor's AM product or service to be included in this analysis. In this research, the word product is used to mean product or service. These functions may be offered through multiple products, but they must be the vendors' products and not those of third parties unless stipulated below.

  • User authentication — The product must provide inherent support for password authentication to the AM. Support for additional authentication methods from the AM vendor and its partners, and contextual and adaptive authentication methods are considered in the evaluation criteria but not inclusion criteria.

  • Trust elevation — The product must, at minimum, be able to let administrators set policies that require trust elevation for access to specific applications. The ability to require step-up user authentication or reauthentication is the baseline requirement.

  • Use of analytics and contextual information to perform trust elevation and the ability to initiate other types of required actions (such as requiring an alternative authentication method be used or denying the transaction) are considered in the evaluation criteria, but not as inclusion criteria.

  • SSO — The products must provide single sign-on to web applications using SAML. The product must also support the specific use case of users authenticating to Windows/Active Directory and being provided with SSO to protected applications not integrated with Windows/Active Directory. Products must also support sign-on to the AM using one or more social media identities. This implies support for OAuth 2 and potentially OpenID Connect.

  • The following SSO methods were analyzed as part of evaluation criteria:

    • Standards-based SSO using SAML and OpenID Connect

    • Use of a reverse proxy (with credentials transported in HTTP headers)

    • Use of an application server agent to interact with the AM

    • Use of password vaulting and forwarding techniques

    • Functionality to support transmittal of authentication and authorization information to APIs as part of application flows for previously authenticated users.

  • Session management — The product must provide some functionality that maintains session state when users are authenticated to one or more applications. Session management enables single sign-on because the product is "aware" of an established session. Session management functionality can also provide individual (or multiple) application session termination based on administrator-configured settings (such as using timeout parameters, or based on users logging out of one or more sessions).

  • Security token services — Once a user authenticates to the product or an identity provider federated with the product, then the product must provide protocol and security token translation to enable SSO to target applications that use different security token formats and syntaxes and SSO protocols.

  • Security token services used to protect APIs as targets will be considered in the evaluation criteria but are not considered as inclusion criteria.

  • Authorization enforcement — The product must, at minimum, be able to allow or disallow users' access to the primary access point (the "front door" — usually referenced by a URL) of applications based on attribute data available in identity repositories such as directories and databases. The products must also allow for administrators to create, manage and put into production access policies used by the product to render access decisions and enforce those decisions.

  • The following functionalities were considered in evaluation criteria, but are not inclusion criteria:

    • Ability to support authorization enforcement to APIs

    • Ability to use contextual information such as geolocation, device characteristics and date or time of day as input to an access decision

    • Ability to perform fine-grained authorization enforcement on subobjects within applications

    • Ability to use complex combinations of rules and attributes to render access decisions

  • Developer access to AM functionality — Vendors must provide a set of APIs or an SDK to allow developers to make calls to the AM from applications to support externalization of authentication and authorization functions from these applications.

This Magic Quadrant does not cover the following types of related offerings:

  • AM offerings that lack an access policy decision and enforcement engine, for example, pure user authentication products and services, or products that began as pure user authentication products and then were functionally expanded to support SSO via SAML or OpenID Connect, but that cannot manage sessions or render authorization decisions (see "Market Guide for User Authentication").

  • AM offerings that are only or predominantly designed to support operating systems and/or privileged access management (see "Market Guide for Privileged Access Management").

  • Remote or on-premises "managed" AM, that is, services designed to take over management of customer-owned or -hosted AM products rather than being provided by delivery of the vendor's own intellectual property (see "Market Guide for IAM Professional Services, North America").

  • AM functions provided only as part of broader infrastructure or business process outsourcing agreement. AM must be provided as an independently available and priced product or service offering.

  • IGA functionality (see "Magic Quadrant for Identity Governance and Administration").

  • Full life cycle API management (see "Magic Quadrant for Full Life Cycle API Management").

  • Enterprise mobility management (see "Magic Quadrant for Enterprise Mobility Management Suites").

  • Password managers. Traditional password management tools provide self-service password reset and synchronization. Password reset was considered as a feature in the evaluation of product and service.

  • Cloud access security brokers (see "Market Guide for Cloud Access Security Brokers").

Evaluation Criteria

Ability to Execute

Product or Service

  • The architecture, security and capabilities, quality, and feature sets of AM that can be integrated with any of a variety of enterprise and cloud-based systems.

  • The range and quality of AM features, richness of support for mobile endpoints, incorporation of third-party identities, and controls demonstrated to help ensure the continuity, security and privacy of customers and their data.

  • The applicability and suitability of these offerings to a wide range of use cases and different application architectures across different communities of users and different enterprise and cloud-based systems.

  • Elements of evaluation include:

    • General product architecture and security

    • User authentication, contextual and adaptive access

    • Authorization enforcement

    • SSO and session management

    • Standards support

    • BYOI (especially social media integration)

    • User administration functions

    • Logging and reporting

    • SaaS application enablement

    • Enablement for customers' applications and APIs, and for IoT

Overall Viability

  • The vendor's overall financial health, its financial success in the AM market and the likelihood that the vendor will continue investing in its AM portfolio and sustain its presence in the AM market.

  • Success in the AM market as demonstrated by its customer acquisition, competitiveness, retention and customer significance in terms of implementation scale. This aspect of overall viability was weighted heavily.

Sales Execution/Pricing

  • The breadth and overall effectiveness of the sales channel, including value-added resellers and other third parties.

  • The vendor's track record in competitive wins and business retention.

  • Pricing over a number of different scenarios. This aspect of sales execution and pricing was weighted heavily.

Market Responsiveness and Track Record

  • The vendor's demonstrated ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, and market dynamics change.

  • How the vendor can meet customers' evolving AM needs over a variety of use cases. This criterion was weighted heavily.

Marketing Execution

  • This criterion refers to marketing activities and messaging. The clarity, quality, creativity and efficacy of programs designed to deliver the vendor's message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers.

  • It also includes visibility, that is, the mind share driven by a combination of publicity, promotional initiatives, and thought leadership, word-of-mouth, and sales activities.

Customer Experience

  • The vendor's relationships and services/programs — such as technical support and professional services — that facilitate customers' successful implementations and use of the vendor's AM offerings. This includes:

    • Customer relationship and services

    • Customer satisfaction processes

    • References and other Gartner client feedback — This aspect was weighted heavily


Operations

  • The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis — that is, people and processes.

Table 1.   Ability to Execute Evaluation Criteria

Evaluation Criteria

  • Product or Service

  • Overall Viability

  • Sales Execution/Pricing

  • Market Responsiveness/Record

  • Marketing Execution

  • Customer Experience

Source: Gartner (June 2017)

Completeness of Vision

Market Understanding

The vendor's understanding of buyers' needs and how it translates these needs into offerings. Vendors that show the highest degree of vision listen to and understand buyers' wants and needs, and can shape or enhance those wants with their added vision. This criterion includes:

  • Customer needs

  • The future of the AM market and the vendor's place in it

Marketing Strategy

The clarity, differentiation and performance management of the vendor's marketing messages and campaigns. In addition, the appropriateness of the vendor's use of social media, other online media and traditional media as part of its marketing efforts. The criterion includes:

  • Communication and brand awareness

  • Use of media

Sales Strategy

The vendor's strategy for selling its AM offerings that uses the appropriate network of direct and indirect sales, marketing, service and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base. Subcriteria include:

  • Structure and geographic distribution of sales organization

  • Effectiveness of channel and technology partner network

Offering (Product) Strategy

The vendor's approach to developing and delivering its AM offerings that meet customers' and prospects' needs with respect to their key selection criteria and other market dynamics. The criterion refers to:

  • How the vendor will increase the competitive differentiation of its AM products and services.

  • The vendor's participation in AM and adjacent standards development.

  • How the vendor's AM offerings and strategy fit into current and planned adjacent offerings in IAM as well as other markets. This aspect (including subcriteria) is weighted heavily. Subcriteria include:

    • Meeting customer's selection criteria and the needs created by architectural and operational changes to endpoint, identity provider and target resources

    • Specific development plans

    • Miscellaneous strategy elements

Business Model

The soundness and logic of the vendor's underlying business proposition, including:

  • Purpose in the AM market

  • Distinction in the AM market

  • Milestones reached

  • Future growth plans

Vertical/Industry Strategy

The vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including small or midsize businesses (SMBs) and vertical industries, and its demonstrated success in serving a breadth of industries. This includes:

  • Customer breakdown by industry

  • Trends in customer industry breakdown

  • Strategy for verticals and other segmentation


Innovation

The vendor's continuing track record in market-leading innovation, and the provision of distinctive products, functions, capabilities, pricing models and so on. We focus on technical and nontechnical innovations introduced since January 2016, as well as the vendor's roadmap over the next few years, including:

  • Foundational and recent innovations

  • Planned innovations

Geographic Strategy

How the vendor directs resources, skills and offerings to meet the specific needs of geographies outside its home geography — either directly or through partners, channels and subsidiaries — as appropriate for each geography and market. Subcriteria include:

  • Customer breakdown by geography

  • Trends or changes and strategy in customer geographic breakdown

  • Global support and technical or professional service capabilities

Table 2.   Completeness of Vision Evaluation Criteria

Evaluation Criteria

  • Market Understanding

  • Marketing Strategy

  • Sales Strategy

  • Offering (Product) Strategy

  • Business Model

  • Vertical/Industry Strategy

  • Geographic Strategy

Source: Gartner (June 2017)

Quadrant Descriptions


Leaders

Leaders in the AM market generally have significant customer bases. They provide feature sets that are appropriate for current customer use-case needs. Leaders also show evidence of strong vision and execution for anticipated requirements related to technology, methodology or means of delivery; and they show evidence of how AM plays a role in a collection of related or adjacent product offerings. Leaders typically demonstrate solid customer satisfaction with overall AM capabilities, the sales process and/or related service and support.


Challengers

Challengers also show strong execution, and have significant customer bases. However, they have not shown the Completeness of Vision for AM that Leaders have. Rather, their vision and execution for marketing, technology, methodology and/or means of delivery tend to be more focused on or restricted to specific functions, platforms, geographies or services. Challengers have relatively low brand awareness. Challengers' clients are relatively satisfied.


Visionaries

Vendors in the Visionaries quadrant provide products that meet many AM client requirements, but they may not have the market penetration to execute as Leaders do. Visionaries are noted for their innovative approach to AM technology, methodology and/or means of delivery. They may see AM as a key part of a much broader service portfolio. They often may have unique features, and may be focused on a specific industry or specific set of use cases. In addition, they have a strong vision for the future of the market and their place in it.

Niche Players

Niche Players provide AM technology that is a good match for specific use cases. They may focus on specific industries or have a geographically limited footprint, but they can actually outperform many competitors. Vendors in this quadrant often have relatively fewer customers than competitors in other quadrants, but they may have large customers as well as a strong AM feature set. Brand awareness is usually low relative to vendors in other quadrants. Vision and strategy may not extend much beyond feature improvements in current offerings. Pricing might be considered too high for the value provided by some niche vendors. Inclusion in this quadrant, however, does not reflect negatively on the vendor's value in the more narrowly focused product spectrum. Niche solutions can be very effective in their areas of focus.


Vendors evaluated in this Magic Quadrant come from distinctly different backgrounds. Their pedigrees vary greatly, as do their abilities to provide AM that can support all target systems that buyers have. The vendors' aspirations for servicing customers by geography, industry and customer-size segmentation also vary.

Clients are strongly cautioned not to use vendors' positions in the Magic Quadrant graphic as the sole source for determining a shortlist of vendors. Vendors were evaluated with regard to their ability to provide a general set of AM functionalities across multiple use cases, and in multiple geographies and industries, and to do so by providing solid value for money as perceived by their customers. All vendors covered in this Magic Quadrant have succeeded in providing customers with products and services that meet their needs.

Important Decision Factors for Vendor Selection

IDaaS or Software

Organizations must decide whether operational management of AM solutions is core to their business, or whether the functionality can be outsourced. Setting aside vendors' variable abilities to meet different functional requirements, organizations that choose to manage AM solutions themselves tend to have the requisite staff expertise to manage the products and believe that they will retain these staff. Software buyers also tend to be risk-averse with regard to having a third party manage their authentication and authorization services. Of course, IDaaS delivery was not widely available and able to meet broad use case needs until recently. The AM market also got its start around the turn of the millennium; thus, there is a tremendous installed base of software.

Buyers who choose IDaaS tend to be more focused on rapid time to value and do not view operational management of IAM functionality to be core to the business. Vendors in the IDaaS market began selling solutions to predominantly small and midsize enterprises that had less ability to manage IAM. However, the average size of organizations purchasing IDaaS has risen. IDaaS is often used by midsize and large enterprises as an augmentation of existing IAM software implementations. IDaaS and software can be bridged together to deliver hybrid use cases (see "How to Choose Between On-Premises and IDaaS Delivery Models for Identity and Access Management").

Use Cases and Target System Support

Our evaluation of vendors' products and services in this Magic Quadrant included consideration of how well vendors can meet needs to support common use cases and target system architectures.

The primary driver for new AM purchases has been the need for workforce users to access SaaS applications. B2C is second, and different topologies for B2B and workforce users accessing internal systems (i.e., B2E) is third. All vendors covered in this Magic Quadrant can support these use cases. However, IDaaS delivery models tend to be superior for their SaaS enablement. Vendors create and maintain connections to SaaS vendors so buyers don't have to. Gartner clients also are more often interested in an IDaaS model for B2C needs. Gartner has observed an inquiry pattern in which clients are replacing homegrown IAM capabilities for their consumer-facing applications and wish to gain rapid time to value. They often do not feel as strongly that consumer identities must be managed internally.

Target system enablement is an area of vendor differentiation. Traditional AM software vendors had to develop federation, proxy and agent architectures into their products to support web applications with diverse authentication architectures. All AM vendors, regardless of their delivery models, support standards-based federation, with SAML support ubiquitous and OpenID Connect support maturing. Differentiation is most often found in vendors' abilities to directly support applications that require reverse proxy and HTTP header-style authentication. There are also commercial applications that can't easily support externalized access management, and these get integrated to the AM with "agents" or "integration kits." Traditional AM software vendors tend to support these tricky scenarios, but support from pure IDaaS vendors is maturing. For example, Okta does not deliver the proxy or agent style of application enablement. Rather it chooses to integrate with organizations' existing AM tools from its cloud service, or it partners for this functionality. Microsoft also can provide AM for customers' applications using federation or reverse proxy, but it relies on Ping Identity for applications that can be supported by one of Ping Identity's integration kits. Clients needing support for legacy web applications should focus their vendor evaluations and proofs of concept to ensure that AM vendors can support all target applications.

As organizations expose services through APIs, the need to protect the APIs and services behind them grows. API protection has long been the domain of the API gateway — a component of "full life cycle API management" products and services (see "Magic Quadrant for Full Life Cycle API Management"). API gateways are placed between calling services or applications and the target API. These tools provide a number of functions including token and protocol translation, authentication, authorization, threat detection, data privacy, traffic and quality of service management, and service routing.

In some customer environments, API gateways are integrated with AMs because AMs manage users' sessions and API gateways generally do not. This combination of tools allows a web application to offload user authentication, SSO and session management to the AM. Then, if the application needs to call an API (to complete a transaction, for example), the request — along with user attributes and security tokens — is sent to the API gateway to be parsed and evaluated to allow or disallow access to the API. The AM market is evolving to handle some API gateway functions within the AM product. For example, Ping Identity and ForgeRock have functionality in their toolsets to perform API authentication, authorization and traffic throttling. Okta has introduced an API access management service component. However, most buying organizations will continue to use a mixture of AM and full-featured API gateways because of the additional value and functionality they provide.

IoT and AM

AM tools must increasingly support a variety of devices as source and target endpoints. The proliferation of devices, especially smart devices, has provided challenges to AM vendors, but also opportunities. One of the first challenges was to support new application architectures including native mobile applications, single-page apps and hybrid apps. AM vendors have done that by supporting OAuth and OpenID Connect as well as providing proprietary SDKs and APIs into their AM services. The opportunity that comes with the device proliferation challenge is that vendors have begun to use device context as input to render access decisions. This presents an additional capability to help deter bad actors (see the User Authentication, Contextual and Adaptive Access section).

Most AMs can now deal with basic use cases that require managing access to support the relationships between people, their smart devices and the target resources that must be accessed. However, the incorporation of constrained devices and interactions with device intermediaries, such as gateways and controllers, remains a niche pursuit. ForgeRock and Covisint are two vendors covered in this Magic Quadrant that have architectural capabilities to take on this multifaceted relationship management need, and they have production customers leveraging the capabilities. We expect that more AM vendors will enable products and services with the protocols and the policy decision capabilities to support IoT more broadly during the next three years.

However, complete IAM solutions for IoT require several capabilities. It is difficult, and likely a bad idea, for an IAM pure-play vendor to develop them all and provide the scalability demanded by large implementations. Many IoT security vendors are starting to deliver device access management capabilities including contextual device authentication and credential management. As IoT requirements vary significantly across industries, AM vendors will likely target specific industries, and partner with relevant device manufacturers and IoT security vendors to offer AM for IoT. AM vendors that are good at analyzing early opportunities and building partnerships will have a better chance to succeed.

User Authentication, Contextual and Adaptive Access

AM tools all have the coarse-grained foundational capabilities to require "step up" authentication when users have a specific set of attribute values associated with them and when accessing specific target systems. For example, if the user is a member of a finance group in the underpinning directory used by the access manager, then the AM can allow only those users access to the application and force the user to reauthenticate — or perhaps authenticate with something stronger than a password — when accessing the finance system. These were and remain important capabilities, but, alone, are not enough in today's climate of increased online fraud and other malicious access.

Capabilities that had their genesis in the financial services industry have seeped into vendors' AM products and services — first as stand-alone products and then becoming more common as features within base products. This began several years ago; for example, products from Oracle and CA Technologies have had "adaptive" and "advanced" authentication capabilities and were sold separately from the base AM tool. Now, most AM vendors can use contextual information, such as date and time, endpoint information, such as browser and software characteristics, and IP address or real geolocation as input to access decisions.

Buyers of AM products from vendors that also sell and integrate EMM products can expect more device context to be used in access decisions. For example, is the device registered, jailbroken or rooted? Does it contain a device certificate? Does it have the latest security patches? Centrify and Microsoft are examples of vendors covered in this Magic Quadrant that can leverage these types of context in access decisions.

SecureAuth has added features that can detect fraudulent porting of phone numbers to another carrier and device, thereby inhibiting impersonation and subsequent fraud. Microsoft has incorporated third-party data and its own data from myriad attack attempts on its services. It has been able to use this data to provide analytics and reporting to Azure administrators on security threats, as well as to be able to elevate trust or deny access to Azure services. Buyers of AM products should expect more contextual and adaptive access features to become commonly available in vendor offerings during the next three years and beyond.
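The access decisions described in this section, combining group-based authorization, step-up authentication and device and location context, can be sketched as a small policy evaluator. This is an added example, not code from Gartner or from any vendor covered here; the policy fields, signal names, authentication levels and sample users are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"      # reauthenticate, possibly with a stronger method
    DENY = "deny"


# Assumed ordering of authentication strength; a real AM defines its own.
AUTH_LEVEL = {"password": 1, "otp": 2, "hardware_key": 3}


@dataclass(frozen=True)
class AppPolicy:
    required_groups: frozenset                 # directory groups allowed in
    min_auth_level: int = 1                    # baseline for this application
    max_auth_age: timedelta = timedelta(hours=8)
    usual_countries: frozenset = frozenset()   # empty set means no geo rule
    require_registered_device: bool = False


@dataclass(frozen=True)
class Session:
    user: str
    groups: frozenset
    auth_method: str
    authenticated_at: datetime


@dataclass(frozen=True)
class Context:
    country: str
    device_registered: bool
    device_compromised: bool                   # jailbroken or rooted, per EMM


def evaluate(policy, session, ctx, now):
    """Return (Decision, reasons) for one access request."""
    # Coarse-grained authorization: no amount of authentication fixes this.
    if not policy.required_groups & session.groups:
        return Decision.DENY, ["user is not in a required group"]
    # Device posture failures are denied outright rather than stepped up,
    # because a stronger login does not make a compromised device trustworthy.
    if ctx.device_compromised:
        return Decision.DENY, ["device is jailbroken or rooted"]
    if policy.require_registered_device and not ctx.device_registered:
        return Decision.DENY, ["device is not registered"]

    reasons = []
    required = policy.min_auth_level
    # Adaptive part: risk signals raise the bar instead of blocking the user.
    if policy.usual_countries and ctx.country not in policy.usual_countries:
        required = max(required, AUTH_LEVEL["otp"])
        reasons.append("request from unusual country " + ctx.country)
    if not ctx.device_registered:
        required = max(required, AUTH_LEVEL["otp"])
        reasons.append("unregistered device")

    current = AUTH_LEVEL.get(session.auth_method, 0)   # unknown method = 0
    step_up = []
    if current < required:
        step_up.append(f"auth level {current} is below required {required}")
    if now - session.authenticated_at > policy.max_auth_age:
        step_up.append("authentication is older than the policy allows")
    if step_up:
        return Decision.STEP_UP, reasons + step_up
    return Decision.ALLOW, reasons


# Constructed sample data: a finance application and four requests.
NOW = datetime(2017, 6, 7, 12, 0, tzinfo=timezone.utc)
FINANCE = AppPolicy(
    required_groups=frozenset({"finance"}),
    min_auth_level=AUTH_LEVEL["otp"],
    max_auth_age=timedelta(minutes=30),
    usual_countries=frozenset({"US", "CA"}),
)


def demo():
    recent = NOW - timedelta(minutes=5)
    office = Context(country="US", device_registered=True, device_compromised=False)
    rooted = Context(country="US", device_registered=True, device_compromised=True)
    alice_pw = Session("alice", frozenset({"finance"}), "password", recent)
    alice_otp = Session("alice", frozenset({"finance"}), "otp", recent)
    bob_otp = Session("bob", frozenset({"sales"}), "otp", recent)
    return [
        evaluate(FINANCE, alice_pw, office, NOW)[0],
        evaluate(FINANCE, alice_otp, office, NOW)[0],
        evaluate(FINANCE, bob_otp, office, NOW)[0],
        evaluate(FINANCE, alice_otp, rooted, NOW)[0],
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision.value)
```

Group membership and device compromise produce a denial, while location, device registration and session age only raise the required authentication level, which is the distinction between coarse-grained authorization and adaptive trust elevation drawn above.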

Security Concerns With IDaaS Delivery and Target Systems That Support Only Password Authentication

Password vaulting and forwarding is a feature set that AM vendors offer to their customers to support target applications that do not support federated SSO standards. Common, widely used SaaS applications support federation, which transmits security tokens (not passwords) to target systems. Federated architectures also imply that an AM tool or service is between the user and the application, and can therefore implement multifactor authentication, an adaptive access control, as part of the sign-on sequence. However, the long tail of smaller SaaS application vendors does not support federation. It is common for AM buyers to want to leverage password vaulting and forwarding to give their users the convenience of SSO for most or all their apps.

AM vendors encrypt password data at rest; however, there remains potential for attackers to circumvent controls that protect encrypted data. Gartner recommends against the use of password vault and forward functionality provided by AM vendors — especially vendors delivering with IDaaS — due to this potential loss of the "keys to the kingdom." Standards-based federation should be used instead whenever possible.

However, for the remaining password-based apps, many organizations will find the pressure to provide users convenience through password vaulting and forwarding unbearable. Use of additional authentication methods and adaptive access help mitigate some types of attacks that leverage endpoint device and network vulnerabilities, but they do not help if the centrally held password data is compromised. Unfortunately, passwords are a weak form of authentication. Organizations choosing to allow SSO using password authentication are accepting the risks of potential password compromise. Gartner recommends that organizations push their application vendors to support standards-based federation as an alternative to password authentication only. These organizations should also maintain and test procedures for resetting users' accounts and passwords should a breach occur.


Gartner asked vendors to provide "street" price quotes for several use-case and volume usage scenarios. Vendors were cautioned against providing list prices. However, some vendors chose to respond with list prices or prices that were below list, but higher than we have observed in Gartner client contract reviews. Vendors were asked to provide all costs, including startup costs, over a three-year subscription period and including costs for customers' computing platforms and staffing full-time equivalents (FTEs) needed to support the solution. Gartner provided vendors with standardized unit costs for these computing and FTE elements. Vendors estimated the volume of compute resources and FTEs needed for their proposed solutions.

Average scenario prices are included below. Gartner clients should use the figures below for budgeting purposes. However, we recommend that clients treat the pricing below as budgetary, and they should expect to pay less (on average) than these figures would indicate due to the inflated prices that some vendors chose to deliver for our surveys. Real pricing can be affected by many factors such as term length and inclusion of other products and services in a deal.

Scenario 1: Workforce users accessing your AM products or services — variants for 1,000, 10,000 and 50,000 workforce users
  • All users are considered regularly active.

  • Users need access to the following resources protected by the AM:

    • Ten internally hosted web applications that are hosted on a mixture of Microsoft Internet Information Services (IIS), IBM WebSphere, Oracle WebLogic and Apache JBoss web servers using proxy, agent or both.

    • Oracle E-Business Suite: May not support standard proxy

    • SAP (web interface): May not support standard proxy

    • Ten SaaS applications: five of these 10 support SAML 2.0; three of the 10 support OpenID Connect; and two of the 10 do not support any standard federated SSO protocol, but SSO is still needed.

    • One native mobile application that runs on iOS and Android. Once the user is authenticated through the AM, the app makes calls to APIs that should be protected by your AM solution if possible.

  • All users must be challenged using multifactor authentication when the first session protected by the access manager is invoked.

  • The AM must enforce authorization policies that grant access to the "front door" of each web application and to each API.

Average three-year total costs for workforce use cases:

  • 1,000 users = $268,000

  • 10,000 users = $544,000

  • 50,000 users = $1,326,000

Scenario 2: Low- and high-security consumer IAM use cases — variants for 10,000, 100,000, 1,000,000 and 5,000,000 consumer users
Low security:
  • Users need access to 10 applications, five of which are deployed on-premises and run on web application servers like the ones in the workforce scenario.

  • Users also need access to one native mobile application that runs on iOS and Android. Once the user is authenticated through the AM, the app makes calls to APIs that should be protected by the AM solution if possible.

  • Users should be able to register with a Facebook ID, and if those users desire to do so, link that Facebook ID to the customer's established in-house identity for that user. Subsequently, they should be able to sign on using the Facebook ID or the established customer ID using password authentication.

  • Users must be able to reset their passwords and be provided a way to deal with forgotten IDs and passwords.

  • The assumption is that 20% of all users at the different user volume levels will be active at any given time.

Average three-year total costs for consumer IAM use cases:

  • 10,000 users = $321,000

  • 100,000 users = $611,000

  • 1,000,000 users = $1,280,000

  • 5,000,000 users = $2,437,000

High security:
  • In addition to the low-security requirements, add in authentication and adaptive access capabilities that are deemed best to elevate trust and inhibit fraudulent transactions from being conducted.

Average three-year total costs for consumer IAM use cases:

  • 10,000 users = $374,000

  • 100,000 users = $755,000

  • 1,000,000 users = $1,450,000

  • 5,000,000 users = $2,747,000

Scenario 3: B2B use case — variants for 50,000 and 100,000
  • Customer must provide access to 100 business partners and the partners' users.

  • The number of applications requiring support is 10, five of which are deployed on-premises and run on web application servers like the ones in the workforce scenario.

  • Users also need access to one native mobile application that runs on iOS and Android. Once the user is authenticated through the AM, the app makes calls to APIs that should be protected by the AM solution if possible.

  • Fifty of the partners will require federated access to the customer's applications using partner identity providers. Thus, 50 bilateral federations must be enabled.

  • Users from the other 50 partners will authenticate directly to the access manager on first application access.

  • Basic identity administration functions must be provided for all users (ability to register themselves, and add, update, and delete profile information). The customer also requires the ability to delegate user administration to partners' administrators for those who want to have one or more central administrators perform all user administration functions.

Average three-year total costs for business-to-business use cases:

  • 50,000 = $1,010,000

  • 100,000 = $1,484,000

Market Overview

This Magic Quadrant was produced in response to evolving market conditions for AM, such as:

  • What was once considered a mature market for web access management that served only web browser clients and web applications using static or semistatic data for access decisions, has evolved to one that better supports more diversity in user authentication methods, contextual and adaptive access, mobile computing, internet-connected things, and API target systems.

  • Vendors that have developed AM as a service have risen in popularity.

  • Large established vendors and others that provided only traditional software and appliance-based AM solutions have moved to offer IDaaS delivery models as options for their AMs (see "Identity and Access Management as a Service Takes Its Rightful Place as a Delivery Model Rather Than a Stand-Alone Market").

Twelve of the 15 vendors covered in this Magic Quadrant deliver AM as IDaaS as their only delivery model, or as an option:

  • Only as a service: Centrify, Covisint, Microsoft, Okta, OneLogin

  • Software or IDaaS: CA Technologies, IBM, Micro Focus, Oracle, Ping Identity, Optimal IdM, and SecureAuth.

  • Only as software: Evidian, ForgeRock and i-Sprint Innovations. (In some cases, there are partners that can deliver these products as managed or hosted services.)

Based on Gartner survey data,¹ IDaaS is still the minority delivery model in use today, but the trend is clearly moving toward adoption of IDaaS. IDaaS adoption for new purchases will outpace traditional delivery models by 2021. Any IAM function can be delivered as a service, but AM is particularly well-suited for the IDaaS delivery model.

Gartner estimates that the AM market revenue for the vendors covered in this Magic Quadrant was $1.2 billion at the end of 2016. Readers, particularly Invest clients, are cautioned not to interpret this revenue estimate as accounting for all access management products and services available in the market. There are numerous vendors that could not be included in this Magic Quadrant and that can meet at least partial requirements, for example, by providing user authentication and SSO when authorization enforcement is not needed by the customer.


¹ Gartner conducted a survey (n = 298) on IAM program management and technology adoption patterns in September of 2016.

Evaluation Criteria Definitions

Ability to Execute

Product/Service: Core goods and services offered by the vendor for the defined market. This includes current product/service capabilities, quality, feature sets, skills and so on, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.

Overall Viability: Viability includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood that the individual business unit will continue investing in the product, will continue offering the product and will advance the state of the art within the organization's portfolio of products.

Sales Execution/Pricing: The vendor's capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel.

Market Responsiveness/Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor's history of responsiveness.

Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization's message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This "mind share" can be driven by a combination of publicity, promotional initiatives, thought leadership, word of mouth and sales activities.

Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on.

Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.

Completeness of Vision

Market Understanding: Ability of the vendor to understand buyers' wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen to and understand buyers' wants and needs, and can shape or enhance those with their added vision.

Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements.

Sales Strategy: The strategy for selling products that uses the appropriate network of direct and indirect sales, marketing, service, and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.

Offering (Product) Strategy: The vendor's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements.

Business Model: The soundness and logic of the vendor's underlying business proposition.

Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets.

Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.

Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.