Gartner Report on WAM
Market Guide for Web Access Management Software
Published: 23 December 2015 ID: G00276092
Analyst(s): Gregg Kreizman
Depth of OAuth2 and OpenID Connect support, social identity integration, context-aware access control and inclusion of basic identity administration features in the base product differentiate providers in an otherwise mature WAM software market.
All Web access management software providers deliver multiple methods of authentication, coarse-grained authorization enforcement, SSO and session
management using proxy, agent or federation architectures.
Authentication and SSO functions can be obtained from other types of products and services in adjacent markets, such as user authentication and IDaaS.
Differentiation in the WAM market is provided by the abilities of products to support native mobile apps with RESTful standards, to link social media identities to an
enterprise-owned identity, context-aware access control feature breadth, and basic identity administration and self-service features.
For IAM leaders:
Use WAM tools when there are needs to support authentication, SSO, session management and coarse-grained authorization to multiple Web-architected
applications, especially when the solution must scale to high transaction volumes.
Strongly consider WAM tools to incorporate native mobile applications into the same access control service as browser-based applications.
Strongly consider alternatives to WAM when your organization already owns products or services that meet authentication, SSO and authorization requirements, or when a
cloud delivery model is preferred.
Strategic Planning Assumption
By 2019, 50% of would-be WAM software customers will instead use IDaaS for their access management needs, up from 10% today.
The term “Web access management (WAM)” applies to technologies that use access control engines to provide centralized authentication, single sign-on (SSO), session
management and coarse-grained authorization capabilities for Web applications. WAM products usually include basic identity administration, such as self-service registration,
and profile update and password reset. SSO is provided using some combination of proxy or agent architectures, and using standards-based identity federation. Session
management provides capabilities to control one or more Web application sessions to provide session-state awareness and support logout in response to some event — for
example, forcing logout from all applications when one session is ended. WAM tools rely on directories or databases to support authentication functions and to hold
attributes for authorization decisions. Lightweight Directory Access Protocol (LDAP)- exposed directories are most common.
WAM tools log administrative and access events, and some basic reporting functions may be included. WAM tools also support a mix of built-in authentication methods, such
as password, public-key tokens, one-time password (OTP) apps for mobile devices and SMS-based out-of-band (OOB) authentication. Other authentication methods, such as
OOB push, OTP hardware tokens or biometric modes, may be offered by WAM vendors or integrated by third parties. Built-in or bundled contextual access capabilities are
becoming more common, such as the ability to use an Internet Protocol (IP) address or inferred geolocation to render an adaptive access decision and elevate trust through the
use of alternative authentication methods.
This Market Guide focuses on vendors that deliver WAM functionality in software or hardware appliance form factors to meet customer requirements for on-premises
The WAM market has been in existence since before the turn of the millennium, and products have been broadly adopted. Consumer- and employee-facing use cases have
been the mainstays, but there has been significant adoption due to requirements for federated SSO to SaaS applications. These needs have pushed vendors to add features
and support for newer identity protocols.
Well-established vendors made market gains in 2015. However, the WAM software market continues to be encroached upon by a variety of vendors from adjacent markets
that provide a subset of WAM functionality that may be good enough for organizations’ needs. For example:
Microsoft has steadily added features to Active Directory Federation Services (AD FS),
which is included as part of Windows Server. Gone is the limitation of using only Active Directory as an underpinning identity provider repository; other LDAP-exposed
directories can be used. AD FS also has the ability to use directory attributes, IP address ranges and device information for “conditional access.” Alternative
authentication methods can be decided based on intranet or extranet access, and can be invoked per application. Microsoft also includes the Web Application Proxy
capability as part of Windows Server. This allows customers to publish internally hosted Web applications, as with other WAM tools. AD FS has been broadly deployed
in the market. With these recent enhancements and a software license price tag of “nearly free,” it is difficult to say “No” to a Microsoft solution for WAM, particularly for
organizations that have made no other investments in WAM or other third-party identity and access management (IAM) products. Infrastructure is still needed to host
AD FS and Web Application Proxy, as is internal or contracted support personnel.
Many Gartner client organizations who have found the prospect of managing resilient AD FS and Web Application Proxy deployments daunting have been seeking
alternatives to identity and access management as a service (IDaaS).
Federated SSO is offered as an extension to authentication vendors’ products. This appeals to organizations that only need federated SSO, don’t need session
management and can’t successfully integrate the authentication vendors’ products for the organization’s target systems. Outlying systems need another tool for SSO.
Virtual directory vendors, such as Radiant Logic and Optimal IdM, have extended their products with federated SSO support based on authentication to the virtual directory and its integrated directories.
VPN vendors have provided proxy-based SSO support, and other networking product providers — notably F5 Networks with its Access Policy Manager (APM) — have
added proxy, coarse-grained authorization and federation support. F5’s APM has been favored by organizations that already have F5 for other functions, such as application
delivery controllers, and for supporting mostly employee-facing use cases.
API gateways are designed to protect APIs, but they also have authentication and federation functions to support SSO. They may be suitable for organizations that do not require full session management or authorization enforcement for multiple applications.
Conversely, WAM vendors are able to manage access to APIs in varying degrees. However, WAM products lack the content protection features found in traditional API gateways.
IDaaS providers can be expected to continue placing the greatest pressure on the WAM software market. The IDaaS market continued to expand in 2015, with larger
organizations starting to adopt IDaaS (see “Magic Quadrant for Identity and Access Management as a Service, Worldwide” ).
WAM tools, however, are still common and appropriate choices for organizations that have all or most of the needs described in the Market Definition section, have a set of
Web applications that run on a variety of Web application servers, and want an onpremises software or hardware appliance-based solution.
Other trends continue to affect the WAM software market:
Native mobile app and RESTful identity standards support: WAM tools have been
able to support native mobile apps that use embedded browsers as the user authentication interface. Most WAM vendors provide a software development kit
(SDK) approach to integrating native apps with the access server back end. There is also a trend to support Open Authorization (OAuth) flows from native apps, and
OpenID Connect (OIDC) is being supported, all or in part, by most vendors (see “Standards Drive Single Sign-On for Native Mobile Apps” ).
Federated SSO: Federated SSO using SAML and OpenID Connect is provided as part of the base WAM product in most cases, or these standards are supported in an
adjacent product offering.
Social identity integration: The desire for social identity integration to support consumer use cases has pushed vendors to provide social login, and “register and login” support using social IDs. Most WAM vendors support this now; however, there is uneven market support for automated linking of a social ID to an internal identity.
Integration or customization is required in some cases. There is also uneven support for canned integrations with specific social media sites; different WAM vendors
support different social media platforms.
Adaptive access features: WAM solutions have always supported multiple authentication methods. However, the ease with which individual authentication
methods can be compromised by endpoint-resident malware has highlighted the need to augment WAM to provide adaptive access, either by bundling WAM with a separate
online fraud detection or similar product, or by adding native support for contextual and adaptive techniques. Use of IP address range restrictions to limit access is common.
Use of device-provided geolocation data is less common. Use of device characteristics, such as browser type and release level, screen attributes, and installed software,
are becoming more common.
WAM provides support for these common use cases:
Extranet access: WAM functions are ideal for enterprises that wish to provide SSO functionality to Web applications in a consistent fashion for remote employees and contractors, partners, citizens, or consumers. Consumer use cases have driven the need for high scale, and most WAM vendors have demonstrated the ability to support implementations with millions of total users and thousands of authentication events per day.
Intranet access: WAM functions can be used to implement a single method of access to internal Web applications within an enterprise network.
Portal access: WAM provides an access management layer to a portal implementation. WAM protects the applications accessed through links on portals.
Some portal products have basic SSO and even federation capability, and these features may be useful in lieu of a WAM tool if there is no need to consistently
manage access for a broader set of applications in addition to those protected by the portal implementation.
Multiple SaaS application access: WAM functions can be used to provide Web SSO (via federations) and access management functions for employees who wish to consume multiple SaaS applications running in private or public cloud environments.
Federation participant: WAM and its included or adjunct federation functionality can be used as the access point for a federated network of WAM connections to provide
authentication across multiple companies, divisions or separate networks where necessary.
Based on Gartner client inquiries, we have identified several buying patterns that lead buyers to a subset of vendors for selection:
Midsize and large enterprises that have established relationships (even for non-IAM software) with CA Technologies, IBM, Micro Focus (NetIQ) or Oracle will tend to adopt
these vendors’ IAM solutions, including WAM — often because the incremental costs to add IAM software to contracts for other products are attractive relative to other
offerings. These vendors also have proven large-scale implementations with high volumes of users and applications.
Organizations that have had suboptimal experiences with these larger vendors, or that expect a vendor to be more nimble, to provide rapid product updates and to work with
the customer through complex technical integration issues, will tend to be more interested in smaller vendors that have proven, more-consistent, positive customer
experiences. ForgeRock, Ping Identity and SecureAuth are examples.
Organizations that prefer open-source solutions, even when code is predominantly managed by one vendor, tend to favor ForgeRock and vendors with smaller market
share, such as OpenIAM, WSO2, Gluu and Soffid. Some organizations that prefer free open-source solutions use CAS and Shibboleth — these two tools are prevalent in
higher education (see “Open-Source Options for Identity and Access Management, 2015 Update” ).
There is a trend away from the use of agent-based architectures. Almost all WAM vendors have the ability to support pure proxy-based WAM architectures. However,
when an organization wishes to use the WAM tool to externalize authorization functions for its own applications, or when an application cannot accept credentials
from a proxy, then application server agents are often required. Large deployments of agents on tens or hundreds of application servers can increase the effort for product
patch and upgrade management. Gartner estimates that 15% to 20% of WAM customers use WAM tools to externalize authorization for subfunctions of their inhouse-developed
applications. The majority use WAM to support out-of-the-box authorization to the “front door” — that is, the initial access URL of the application —
and subsequent authorization enforcement functions are handled by the application. Therefore, a proxy architecture can often support these needs without the requirement to implement server agents.
The vendors listed in this Market Guide do not imply an exhaustive list. This section is intended to provide more understanding of the market and its offerings.
This section highlights vendors and products that provide the core WAM and federation functionality identified in the Market Definition section of this Market Guide. We also list functional capabilities and adjacent products that show progress or fulfillment of the WAM buying requirements identified in the Market Direction section:
Adjacent products: Identifies related, but separately licensed, products that are integrated with the base WAM product to support the advanced functional
requirements listed for each vendor.
OAuth2 and OIDC standards support: Identifies the capabilities and techniques for integrating native mobile apps with the products to support authentication, and potentially SSO.
Context-aware access: All base WAM products can use data held in databases, and directories and data passed from identity providers to render access decisions.
Context-based access control identifies the environmental, device or behavioral data that can be used to augment repository-held data, or data passed from an identity
provider for the purposes of rendering access decisions and to potentially force additional authentication steps. Here we specifically note the use of IP address range
restrictions and geolocation, as well as device identification. Many vendors use other contextual data too, such as date and time of access, and velocity of change in
geolocation between two access events.
Social ID integration: Identifies abilities to support social ID registration, login and social identity linking with established identities for common social networks (Facebook, Twitter, Google, VK, QQ, Weibo, LinkedIn and others).
Identity administration: Identifies basic built-in or adjacent product features that allow administrators and users to add, change, and delete users’ identities in underlying repositories and provide self-service password reset.
Representative Vendors of Web Access Management Software
Figure 1 provides a summary of product features that can differentiate vendors’ offerings.
Figure 1. Base WAM and Add-On Module Features
Further explanation is provided for each vendor below.
Product Name: CA Single Sign-On
Adjacent Products: CA API Management, CA Risk Authentication, CA Identity Suite
CA Single Sign-On includes Security Assertion Markup Language (SAML)-based federation and OAuth2-relying party support as part of the base product. CA API
Management (APIM) can provide OAuth2 identity provider support. OIDC support is not included. Social identities can be used for sign-on to the CA product, but registration
with social identity requires the CA Identity Suite.
CA Single Sign-On natively supports IP address restrictions, and can use rules to support call-outs to third-party applications for additional data to make an authorization
decision. Geolocation support requires CA Risk Authentication. CA Single Sign-On can verify whether a session cookie is being used from the same device it was issued to and
help prevent session hijacking. CA Risk Authentication provides behavioral profiling and other contextual support, such as device identification, velocity of authentication
attempts and rule sets that cover typical fraud patterns.
CA Single Sign-On provides self-service password reset, but CA Identity Suite is required for basic or advanced identity administration.
Entrust Datacard (Entrust)
Product Name: Entrust GetAccess
Adjacent Product: Entrust IdentityGuard
GetAccess was one of the earliest products to include SAML-based federation as part of the base product. Password reset and basic identity administration are included as
GetAccess does not include OAuth, OIDC and social identity support. Entrust IdentityGuard supports additional authentication methods from the default methods
supported by GetAccess, and it provides device identification and geolocation support.
Product Names: OpenAM, OpenIG
Adjacent Products: OpenIDM, OpenDJ
ForgeRock’s OpenAM is the base WAM component that provides agent-based SSO, authorization enforcement and federation support. OpenIG provides the proxy
functionality. ForgeRock OpenAM has solid support for OAuth2 and OIDC. Social ID sign-on is supported natively, as is the ability to create an account based on a social ID
registration. OpenIDM is required to automatically link social identities to an established organizational identity.
OpenAM supports contextual access using IP address history, known cookie, device cookie, time since last login and geolocation. Also, device profiling allows device
identification based on characteristics of the device used. Multiple device profiles can be stored per user.
OpenAM supports basic user administration, self-service user registration and password reset. OpenIDM supports more advanced user administration capabilities.
Product Names: GlobalSign SSO, GlobalSign Trust
Adjacent Product: GlobalSign CustomerID
The SSO product provides the foundational WAM proxy capabilities and federated SSO. The product supports OAuth2 and OIDC. Social ID login support is included. Social ID
registration is provided by GlobalSign CustomerID. Social IDs can be linked to enterprise accounts.
GlobalSign SSO supports IP address range restrictions for contextual access, but does not support geolocation. Use of Customer ID adds device registration and subsequent
device identification for access decisions.
GlobalSign Customer ID provides administrator and self-service identity administration functions. GlobalSign SSO provides native password reset functionality
Product Name: IBM Security Access Manager (ISAM)
Adjacent Products: Federation add-on module, Advanced Access Control add-on module, IBM Security Trusteer, IBM MobileFirst Protect
IBM delivers its ISAM WAM components in an appliance. The base proxy and authorization enforcement engine come “turned on,” and customers can license and
enable Federation and Advanced Access Control as add-on feature sets. The base ISAM product comes with a lightweight Web application firewall.
OAuth2 and OIDC support are provided with ISAM, and social identities can be registered and used for authentication. Linking a social ID to an existing enterprise ID
requires the programmatic use of an ISAM API.
ISAM can perform device identification using a customizable device “fingerprint” consisting of attributes determined from the server side. ISAM also integrates with IBM
MobileFirst Protect enterprise mobility management (EMM) platform to provide additional device attributes. User self-service administration and password reset require the use of the Federated Identity Manager module.
Product Name: Sign&go
Adjacent Products: Sign&go Mobility Center, inWebo Authentication, Meibo
Ilex International delivers an access manager that includes federation and enterprise single sign-on (ESSO) functionality to support non-Web-architected applications.
Sign&go supports OAuth2 and OIDC, and simple implementations can be configured with included tools. More complex implementations require scripting with Java server
pages. Social ID registration and login are supported.
Self-service password reset functionality is included. Identity administration capabilities are provided by the add-on Meibo modules.
Product Name: Access Matrix Universal Access Management (UAM)
UAM provides federation and base access management features in one product. UAM supports OAuth2 and OpenID Connect as an identity provider through the use of
an SDK. Protocol and token translation between SAML and OAuth/OpenID Connect is not provided, but is roadmapped. Social ID registration, sign-on and ID linking with
anenterprise ID are supported. The product supports IP address restrictions, geolocation, device identification and several contextual attributes for use in rendering access decisions. Administrator and self-service identity administration and password reset are included in the base product.
Micro Focus (NetIQ)
Product Name: NetIQ Access Manager (NAM)
Adjacent Product: NetIQ Self Service Password Reset
NAM delivers federation and RESTful standards support as part of the base product. NAM supports OAuth2 and OIDC through a RESTful API and an SDK. Social ID
registration and sign-on are supported, as is the ability to link a social ID with an established identity.
IP address range and geolocation are supported for contextual access control. Device identification is not directly supported in the product, but rather through integration with external sources.
NAM provides administrator and user self-service administration for standard additions, changes and deletions. Self-service password reset is provided by the NetIQ Self
Service Password Reset module, which is available as a free entitlement to all NAM customers.
Product Name: Oracle Access Management Suite
Adjacent Products: Oracle API Gateway, Oracle Adaptive Access Manager (OAAM), Oracle Identity Governance (OIG)
Oracle Access Management Suite is the convergence of formerly separate products and components that include base WAM, federation, mobile application integration, social
media integration, adaptive authentication and externalized authorization management with Oracle Entitlements Server (OES).
Oracle’s converged product set includes SAML-based federation and OAuth2 support. OIDC support is not provided yet, but is roadmapped. A REST interface and SDK are
provided to support OAuth. Social ID sign-in, registration and linking with established identities are all supported.
IP address restrictions can be used for access control and is part of the base product set. The Access Management Suite provides device identification, geolocation support
and other analytics style functionality to support adaptive access. User administration and self-service administration require the use of the Oracle Identity
Governance. Self-service password reset can leverage either Adaptive Access Manager (within the Access Management Suite) or Oracle Identity Governance.
Product Names: PingAccess, PingFederate
Adjacent Products: PingID, PingOne (IDaaS)
Ping Identity delivers base WAM proxy functionality through its PingAccess product and PingFederate products.
OAuth2 and OIDC support are provided, and SDKs are available to support integration. Social identity registration and login are supported by PingFederate, and there are
several prebuilt social provider integrations. The product has an interface to support social ID linking to established identities.
PingAccess and PingFederate can provide IP address range restrictions for acces decisions. Geolocation is not currently supported, but is roadmapped. Device
registration and identification can be added with PingID, its user authentication offering. Ping Identity offers the PingOne IDaaS, which supports identity administration, selfservice user administration and password reset features. PingAccess and PingFederate products do not support self-service password reset. However, this feature is roadmapped.
Product Name: SecureAuth IdP
Adjacent Products: Not applicable.
SecureAuth IdP includes federation in the base product. OAuth2 and OIDC support are included. Social ID registration and login are supported, as is linking a social ID to an
enterprise ID. However, attributes retrieved from a social profile cannot be passed along to the enterprise repositories.
SecureAuth provides a wide range of authentication methods. IP address restrictions are supported for contextual access, as are data points from the browser in use, plugins,
user data storage and time zone. Geovelocity events can be used to identify improbable travel events for access decisions as well.
Basic identity administration and password reset functions for users and administrators are included in the base product.
Other WAM products in the market for which Gartner gets less client feedback include:
Dell: Cloud Access Manager
Evidian: Evidian Web Access Manager
Soffid: Soffid IAM (open source; see “Open-Source Options for Identity and Access
Management, 2015 Update” )
Gluu: Gluu Server (open source; see “Open-Source Options for Identity and Access
Management, 2015 Update” )
Central Authentication Service (CAS; open source; see “Open-Source Options for
Identity and Access Management, 2015 Update” )
Shibboleth (open source; see “Open-Source Options for Identity and Access
Management, 2015 Update” )
RSA, The Security Division of EMC, was covered in previous versions of this document.
RSA has discontinued development for Access Manager and is focusing development on the Via cloud-based access offering.
WAM remains an excellent choice for organizations that need authentication, SSO, session management and coarse-grained authorization to multiple Web applications
that run on disparate Web application servers, and when an on-premises deployment is desired. WAM tools have been proven to scale to support high-usage volumes and a
variety of use cases.
Strongly consider alternatives to WAM and AD FS when a service-based option (IDaaS) would make up for staffing shortfalls, or when software ownership and support are
problematic for other reasons. Also avoid WAM when owned alternative products or services meet SSO and authorization requirements, and when all in-scope applications
can be supported.
When integrating mobile apps, balance the enhanced features and ease of integration provided by available SDK approaches against potential lock-in. Use SAML and
OAuth/OpenID Connect when possible. When using proprietary SDKs, switching to another WAM product will lead to rewriting authentication and SSO commands.
If social login is required, also evaluate a WAM vendor’s abilities to retrieve attributes from social profiles to be used for user registration and other purposes.
This research was based on vendor survey data and years of client inquiries on the topic of Web access management and related topics.
© 2015 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner’s prior written permission. If you are authorized to access this publication, your use of it is subject to the Usage Guidelines for Gartner Services (/technology/about/policies/usage_guidelines.jsp) posted on gartner.com. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner’s research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Gartner provides information technology research and advisory services to a wide range of technology consumers,
manufacturers and sellers, and may have client relationships with, and derive revenues from, companies discussed herein. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner’s Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For
further information on the independence and integrity of Gartner research, see “Guiding Principles on Independence and Objectivity. (/technology/about/ombudsman/omb_guide2.jsp)”
Site Index (http://www.gartner.com/technology/site-index.jsp)
IT Glossary (http://www.gartner.com/it-glossary/)
Contact Gartner (http://www.gartner.com/technology/contact/contact_gartner.jsp)