PCMag editors select and review products independently. If you buy through affiliate links, we may earn commissions, which help support our testing.

The Best Identity Management Solutions

Cloud services and hybrid workers are blurring your network perimeter more than ever, which can make secure authentication a nightmare for IT. We tested eight end-to-end identity management solutions that can help.

Related:

Managing user authentication has come a long way from the days when all IT had to consider was one local password for every user. The shift took off when cloud services became popular a decade ago. Now that the pandemic has created so many widely distributed workers while simultaneously forcing businesses to depend on a weave of third-party cloud services, securely managing identity and authentication isn't just more important than ever; it's also more complex.

With workers toiling from home, many small to midsized businesses (SMBs) and enterprises have begun to rely much more on third-party cloud services to fill their software needs. That's great for deployment because it gives users access to tools in a software-as-a-service (SaaS) model that's not only cheaper but has zero local management issues.

The problem is that those apps require individual per-user authentication. Combine that with pre-pandemic back-end services, which could be in the cloud or on-premises and also require user authentication, and you're looking at a complex, organically-growing identity scenario that'll be rife with security holes if it's left alone. That's where identity management (IDM) comes in.

You Can Trust Our Reviews

Since 1982, PCMag has tested and rated thousands of products to help you make better buying decisions. Read our editorial mission & see how we test.

Deeper Dive: Our Top Tested Picks

  • Okta Identity Management

    Okta Identity Management

    Best All Around
    4.5 Excellent

    Bottom Line:

    Okta has been a leader in the IDM space for a long time and has a mature, robust platform to show for it. No other identity management platform matches its flexibility in terms of policies and automation, and Okta does it while keeping prices competitive.
    • Pros

      • A host of options for managing application assignments
      • Configurable behavior detection factors
      • Easy integration with MDM platforms for evaluating device trust
      • Flexible automation through workflows
    • Cons

      • Contract minimums make Okta a tough sell for very small businesses
  • VMware Workspace One

    VMware Workspace One

    Best for Advanced IDM
    4.5 Excellent

    Bottom Line:

    Workspace One Access is just one example of why VMware is an industry heavyweight. This broadly capable IDM solution is aimed squarely at enterprises, however, so SMBs should beware its complexity.
    • Pros

      • Integrates tightly with both VMware MDM solutions and VMware Horizon resources
      • Relatively competitive pricing and bundle structure
    • Cons

      • No workflow-based approval for applications
    Get It Now
  • Auth0

    Auth0

    Best for DevOps
    4.0 Excellent

    Bottom Line:

    Auth0 is the DIY of IDM (identity management). You'll need a hefty skill set and a significant time investment to match what you can get out of the box from other vendors, but the result will ultimately meet your business needs better than anything pre-built.
    • Pros

      • Customizable DevOps-focused toolset
      • Easy integration with third-party identity extensions
    • Cons

      • Spartan interface for point-and-click admins
      • Requires developers to create full-featured IDM capability
      • Weak integrations
    Get It Now
    Learn MoreAuth0 Review
  • OneLogin

    OneLogin

    Best for Straightforward Authentication
    3.5 Good

    Bottom Line:

    OneLogin gets every feature right—except for adaptive MFA, which is one of the key reasons to utilize a modern IDM. Even so, it's a solid option if your business can tolerate MFA based on more static policies.
    • Pros

      • Mappings enable automation with minimal effort or tech knowledge required
      • Connectors for school information systems enable easy management of student accounts
    • Cons

      • Policy architecture leaves functionality gaps
      • MDM integration is possible, but support trails the competition
    Learn MoreOneLogin Review
  • Ping Identity PingOne

    Ping Identity PingOne

    Best for A-La-Carte IDM Builders
    3.5 Good

    Bottom Line:

    Ping One isn't a top-rank IDM solution on its own, but becomes much more competitive when teamed with other Ping products like PingFederate, PingID, and PingCentral.
    • Pros

      • Comparable to some of the best IDM solutions with the right components
      • Highly extensible when used with other products in Ping's catalog
    • Cons

      • Confusing product catalog with overlapping feature sets
      • Key features missing when not bundling products
  • SecureAuth

    SecureAuth

    Best for Enterprise IDM
    3.5 Good

    Bottom Line:

    SecureAuth is an enterprise IDM that has the usual tradeoffs between deep features and a complex interface, but for the most part ticks all the boxes businesses will need for identity security.
    • Pros

      • Authentication policies cover most of the key components and support third-party threat feeds
      • Offers a simplified interface until you need a deeper level of detail
      • Flexible deployment methods for enterprise customers
    • Cons

      • New, modern admin console needs some maturing
      • Logging for cloud-based deployments requires SIEM or other external logging endpoint
      • Workflow-based tools approving user access to resources require third-party solutions
    Get It Now
  • PortalGuard

    PortalGuard

    Best for Biometric IDM
    3.0 Good

    Bottom Line:

    BIO-key's acquisition of PortalGuard has led to some interesting strategic moves, especially the MobileAuth app with PalmPositive that provides biometric IDM via your smartphone camera.
    • Pros

      • Focus on biometrics via MobileAuth app with PalmPositive
      • Flexible on-premises installation option
    • Cons

      • No integration with MDM/UEM solutions
      • No dynamic risk scores
      • IDaaS offering lacks key administration features
  • CyberRes NetIQ Identity Management

    CyberRes NetIQ Identity Management

    Best for On-Premises Hosting
    2.5 Fair

    Bottom Line:

    Micro Focus' NetIQ Access Manager checks many of the boxes for authentication policies and managing access to cloud apps, but falls short of its SaaS rivals in several ways.
    • Pros

      • Robust policy engine with support for dynamic evaluation of risk
      • Cloud-curated app catalog provides instant access to catalog updates
      • Flexibility for customizing deployment for hosting on-premises or in a private cloud
    • Cons

      • Self-hosted architecture requires more management and support overhead
      • UI isn't as intuitive as cloud-based competitors'
      • Weak integration support

Buying Guide: The Best Identity Management Solutions

What is Identity Management (IDM)?

IDM exists because businesses need a way to easily create and manage users (aka, identities) across their entire software portfolio. IT administrators need to give users single sign-on (SSO) capability across the organization's entire app library, but that's only part of the problem.

Controlling the depth of access in SaaS apps is just as crucial for on-premises apps and even local network resources. So not just who gets access to the app, but precisely what they can access once they're using it. This can be critical in many business apps, which means it's also critical to manage those roles across different apps and combine basic authentication with more advanced technology, like multi-factor authentication (MFA).

MFA has become almost ubiquitous for those using cloud service software because it requires more than just a single step, like simply entering a user name and password. MFA also requires additional steps, such as a physical token of some kind (a smart card or USB stick, for example) or a biometric measure (a fingerprint scan, for instance).

The big hurdle that IDM systems address is managing these new cloud service identities along with existing authentication measures most companies already have in place. These are typically centered around Identity Providers (IDPs), such as Microsoft Active Directory (AD) or human resources (HR) software. IDMs need to incorporate data from all identity repositories and then combine those records to manage authentication across every software touchpoint.

In many cases, identity information may be sourced from multiple repositories. This requires a way to manage identities in different systems, synchronize information among these systems, and provide a single source of truth. The pandemic has undoubtedly made this a top-of-mind problem, but it was a problem even before COVID-19 since the Internet of Things (IoT) had such a sudden growth spurt.

An ever-broader array of IoT devices means more traffic and more requests for authorized access in both directions. That's a complex problem to solve in the background. It is also why identity and security are driving IoT growth, as shown in this chart from the market research firm, Statista.

Size of IoT Application Market, 2020 (Billions Euros)

(unknown)

To make all of this happen, admins need the ability to manage users in a fast-changing environment, preferably without having to manually perform actions to a user's group membership properties in Microsoft AD. Manually adjusting permissions, access, and control properties across dozens, hundreds, or even thousands of users every time a new SaaS service shows up is cumbersome. Automated scripting can help, but not enough.

Cloud IDM systems have become the standard solution for this headache, and it's made them a core component of many IT pro toolsets. As a baseline, a good IDM system clearly organizes your user data. It should also handle hybrid SSO and adapt to additional security layers, especially token or biometric MFA. Other criteria you should consider include: customization capabilities, the size and method of the system's third-party integration library, whether it'll meet your compliance needs, and several other factors we'll outline below.

Connecting Identities in the Cloud

Most IDaaS providers use a common method to handle authentication by using identities contained in your organization's existing network directory. The most prevalent option is to have a piece of software installed on your local network, known as an agent, which allows the IDaaS provider to communicate with your directory. That way, admins can keep using the same directory tools they always have, yet seamlessly access apps and resources outside the company network.

This communication is typically a combination of synchronization (where directory users and groups are pulled up to the service) and on-demand communication (known as "federation") to perform authentication requests back against the directory. Most IDaaS solutions offer the ability to customize the synchronization process, particularly which user attributes are allowed to be synchronized. A couple of reasons why you would customize attribute synchronization are either security- or privacy-related (e.g., in case you have attributes that may contain confidential data) or due to functionality (e.g., if you need to make custom attributes available to the IDaaS provider to use them within the service).

Another common way to connect your on-premises directory with an IDaaS solution is to expose a standard directory protocol or authentication provider to the IDaaS. Some examples of this are the Lightweight Directory Access Protocol (LDAP), an open standard, or Active Directory Federation Services (ADFS), a popular but proprietary technology available from Microsoft and popular due to its easy integration with Microsoft's very popular Active Directory.

LDAP is a standards-based method of communicating with a directory (either AD or one of several alternatives) while ADFS is a role in Windows Server that allows web apps to glean specific information from AD. Not all IDaaS providers support these capabilities, and, in most cases, they'll require a lot of configuration, including firewall rules, but they're often your best option. For example, organizations with increased security requirements or privacy regulations may need to limit the software installed on domain controllers or have increased control over what data is available to an external IDaaS solution that is essentially running on someone else's servers.

Connecting With Customers and Partners

A business isn't worth much without relationships with partners, and more importantly, customers. In this age of technology and instant gratification, the ability to collaborate with partners or provide customers access to their information while simultaneously respecting their privacy and security is critical. Many of the IDaaS solutions we've reviewed offer the ability to offer business partners SSO access to apps through a portal functionally identical to the one available to normal corporate users. This allows your business to foster business relationships without automatically providing partners direct access to your corporate network or even standing up a new app specifically for partner access.

Customer management is another area in which IDaaS solutions can offer value. Most customers already have one or more identities established on social media or other popular websites. Many of the solutions we've reviewed offer a consumer IDaaS aspect, typically licensed separately from the core IDaaS product due to the potential for a high volume of authentications. Normally, a consumer IDaaS will allow a user to register by using an account they already own, such as a Facebook or Google account, which will then provide them access to the resources you authorize. Depending on your corporate use case, this authentication process could allow users access to a custom web app designed to provide information specific to them, or users could be redirected to the customer area of a customer relationship management (CRM) solution. In most cases, the IDaaS platform gives you options over how the authentication request is processed, which allows you to use a standard protocol or provide an application programming interface (API) for developers to access through custom code.

Augmenting Existing Infrastructure

In many cases, an IDaaS solution can significantly benefit your existing infrastructure over and above the inherent benefits of using cloud apps. One significant benefit is an obvious one: managing identities. The larger a business, the more identities there are to manage, and often, these identities begin to reside in multiple places. Frequently, there are software apps that manage employees, their pay, and their organizational structure. Likewise, one or more corporate directories often contain similar information. Companies with multiple business interests or branches can usually require separate identity stores; similarly, businesses (such as hospitals or industrial complexes) can often require segregation of network resources for compliance or safety reasons.

An IDaaS solution can ease the management of these identities in multiple source locations, including providing self-service capabilities, delegation, approval workflows, and automation. These features can also give a logging element for reporting and compliance audit purposes. In many cases, the IDaaS app can also provide synchronization or translation capabilities with automation, which lets you manage an identity once and have those changes flow to other systems where appropriate.

Another way IDaaS solutions can help with your existing infrastructure is with apps hosted within the local network. In many cases, these apps are core to the company business. Providing access to off-site users requires exposing the app to the internet with a firewall rule or first requiring the user to connect to a virtual private network (VPN) tunnel. While either of these scenarios has their place and are perfectly suitable for many situations, some IDaaS tools offer another option. Using a software-based agent installed inside the corporate network, an app can be accessed through an IDaaS SSO portal in the same way you would a SaaS app hosted in the cloud. Most of the heavy lifting in this scenario is handled by an encrypted tunnel between the IDaaS provider and the software agent installed on your network.

IDM Security Considerations

There are several security concerns for IT shops looking into using SaaS apps and IDaaS solutions. In some situations, avoiding SaaS apps is next to impossible, so finding the best method to manage and secure the accounts needed to use these apps is imperative. Other organizations may not be considering SaaS apps out of necessity, so security concerns must be weighed against convenience and efficiencies.

Overall, there are four core areas of security to consider when evaluating IDaaS providers. The connection method used to integrate an existing corporate directory is the first area to consider. Software-based synchronization agents support a secure connection between your directory and the IDaaS provider but many IT shops will (rightly) have hesitations about installing an agent on their domain controllers. Considering an IDaaS solution that supports an authentication standard such as LDAP or ADFS might be a better option as they offer increased control over authentication and security.

The second area of concern for corporations looking into any cloud service is the data stored within the service, which will be corporate users and groups in the case of an IDaaS solution. In general, IDaaS solutions don't sync and store password hashes from your users; however, several IDaaS providers do offer this as an option to maintain the same passwords between multiple accounts (local directory, IDaaS, and even SaaS apps). These options should be carefully evaluated from security and legal points of view. Additionally, each of the IDaaS providers does have to store passwords related to SaaS apps in order to perform SSO functionality.

Third, consider the communication between your IDaaS provider and your entire portfolio of SaaS apps. Without exception, the IDaaS options tested here use a combination of Security Assertion Markup Language (SAML) and password vaulting. SAML is an extensible markup language (XML)-based authentication standard. The identity provider and SaaS app can handle authentication without requiring interaction from a user or the population of a web form. The ability of an IDaaS provider to authenticate your users to their SaaS apps is dependent upon the SaaS app to support the SAML standard for authentication. In cases in which a SaaS app doesn't support SAML, most IDaaS providers will revert to password vaulting, which essentially handles the process of completing and submitting a login form on a webpage.

In terms of security, SAML can offer increased security in the form of a mutually authenticated connection through SSL certificates tying the two services together. As with SAML itself, these additional security features depend on support from both the SaaS and IDaaS providers. For my part, I tag SAML as the preferred authentication method for SSO from an IDaaS provider; in fact, I'd say you probably shouldn't even consider a solution that doesn't leverage that standard.

The last critical aspect to the IDaaS security picture is locking down the sign-on process for users. One common feature among all of the IDaaS players is support for MFA, which helps prevent security breaches due to a compromised password by requiring a second form (multiple factors) of authentication such as a randomly generated password or a hardware key.

Another common scenario is requiring different security levels based on the user's network location (typically handled based on IP address), such as allowing a basic username or password login when connecting through the corporate network but requiring MFA when using another connection. In general, both MFA and IP address restrictions are handled by using security policies, which is another must-have feature for an IDaaS provider. In fact, you probably want to look for an option that lets you configure multiple policies as not all apps or users have the same security needs.

Single Sign-On

From a user's perspective, the primary purpose of having an IDaaS solution is to make signing into web apps easier. A user portal that provides quick SSO access to SaaS apps is a feature in most IDaaS options. Most solutions also offer plug-ins for the major web browsers and mobile apps that mirror the functionality of the SSO portal.

In most cases, the user portal is presented as a grid or list of icons indicating the apps available to a user. This list is populated based on the SaaS apps assigned to the user by the IDaaS admins, either manually or through automated means such as membership in an AD group. The ideal provisioning method for efficiency is based on the System for Cross-domain Identity Management (SCIM), a set of standards-based interfaces that allow user provisioning within SaaS apps. However, many IDaaS providers will use app-specific application programming interfaces (APIs) to handle provisioning. If supported by both the IDaaS and SaaS providers, users can be automatically provisioned in the SaaS app based on conditions you define in the IDaaS solution. Often, this condition is simply membership in an AD group or based on an attribute of your choosing.

Big Data, Compliance, and Reporting

Let's face it: most companies aren't investing in tools just because it makes life easier for users. If there's a security benefit or the solution satisfies compliance requirements, that's a different story.

Consider a scenario in which an IT admin team has to manage users in several SaaS apps and provide detailed reports containing usage information, user login history, security changes, and other potential audit factors. Trying to gather this sort of information from multiple different locations will be a significant task. The ideal solution to collect and provide these audit artifacts is to use IDM to track each factor across multiple apps automatically. Many of the offerings we've reviewed offer comprehensive reporting solutions that get into detail on authentication events, even down to the user's geographic location and what sort of device they used. Often, these reports can be exported to Microsoft Excel or some other reporting or business intelligence (BI) tool where you can perform further analysis or get the numbers properly organized for an audit.

Some of the solutions we reviewed will even proactively monitor your exposure to recent security breaches, such as credentials for sale on the internet, or monitor for things such as simultaneous logins from opposite ends of the globe. These solutions can use this sort of advanced analytics and machine learning to impact the security score for your identities. This gives you the power to require increased authentication security such as MFA or the use of a registered device.

Don't Let The Cloud Ex-SaaS-perate You

SaaS apps offer too many benefits in cost-savings and ease of use for any business to ignore the trend. But, without proper user and resource organizations, a SaaS portfolio can quickly sprawl and degenerate into a chaotic mess. Understanding IDaaS solutions and what they can offer is a big first step toward gaining the full benefits of moving key workloads to SaaS, rather than taking on the burden of managing separate identities for every user across the web. If SaaS is on your horizon (or already on your users' desktops in quickly growing numbers as it is in most organizations), then do yourself a favor and learn the pros and cons of cloud-based identities.

Compare SpecsThe Best Identity Management Solutions
Our Pick
Editor's Rating
Editors' Choice
4.5 Excellent
Review
Editors' Choice
4.5 Excellent
Review
4.0 Excellent
Review
3.5 Good
Review
3.5 Good
Review
3.5 Good
Review
3.0 Good
Review
2.5 Fair
Review
User-Customizable SSO Portal
User Self-Service
Multiple SSO Policies
Password Sync
SaaS Provisioning
Directory Connector
Multiple Directory Integration
Authentication to On-Premises Apps
Third-Party Multifactor Providers
Third-Party MDM Integration
Report Library

About Oliver Rist