Identity vendors extend roles in mobile and cloud

Profile picture for user pwainewright By Phil Wainewright March 20, 2014
SailPoint and OneLogin sit at opposite extremes of the identity and access management spectrum. Their CEOs discuss mobile, cloud and Europe

I met with a couple of vendors in London for the Gartner Identity and Access Management Summit this week. Their different perspectives illustrated how diverse and fragmented this aspect of technology infrastructure still remains — and how much this landscape is changing because of the advent of cloud and mobile working.

They come from opposite extremes of the IAM spectrum. OneLogin focuses on cloud identity management and is now making a push into mobile. It tends to work with agile, early adopters that already rely on many cloud applications. In contrast, SailPoint comes from a background of on-premise identity management and is now making a push into cloud. Its milieu is a more conservative enterprise market where cloud applications are sideshows to the core IT systems.

Going native with SSO

Thomas Pedersen
Thomas Pedersen, OneLogin

OneLogin CEO Thomas Pedersen briefed me on the company's backing for a proposed standard for single sign-on to native mobile applications.

"Mobile is a huge bet for us this year," he told me. "We're putting a lot of R&D into it.

"I think the need for mobile is accelerating cloud adoption. Whenever people are launching a mobile strategy it's usually cloud apps they're accessing."

The proposed standard, an offshoot of OpenID Connect called Napps (short for Native Applications), aims to automate and simplify the way users log on to an organization's mobile applications. In the web browser world, users only have to sign in once to an identity vendor's portal, which then uses the SAML protocol behind the scenes to spare them the hassle of having to sign into each individual cloud application.

Because SAML was designed to be used in a web environment, the process works less well with native mobile applications, which have to pop up some browser code to handle the SAML authentication. Napps will remove that clunky step from the process and reduce the risk of phishing attacks, said Pedersen.

OneLogin hopes this will attract some of the spending currently going into generic mobile device management (MDM). It will give enterprises an alternative means of keeping corporate apps secure in BYOD environments, where they coexist with an individual's personal applications and content. Pedersen argued this will be a better option than indiscriminate MDM solutions that remote-wipe everything on the device if there's a security breach.

"I think MDM is kind of a panic reaction to BYOD," he told me.

"I really think this is going to solve a huge problem for enterprises ... If you've solved the identity problem a lot of the other problems go away."

Currently OneLogin's mobile portal only works for mobile web apps, so the proposed standard is important for the vendor in enabling it to provide the same functionality for native apps. The Napps specification has backing from, AirWatch, Mobile Iron and Ping Identity as well as OneLogin. Pedersen said it is likely to be ratified in the second half of this year and he expects widespread adoption in 2015.

Enterprise adds SaaS

Kevin Cunningham, Sailpoint

OneLogin's singular focus on SAML is a world away from where SailPoint operates. Cloud identity management started with SAML because that was what the early SaaS vendors were using, and it is well supported by Microsoft Active Directory, popular with the type of mid-sized business that has been an early adopter of cloud applications.

SailPoint's customers have a lot more on their mind than single sign-on to cloud applications and Microsoft Exchange. They're more likely to be worrying about managing access to mainframe systems and SAP and Oracle application stacks.

"To do enterprise scale provisioning you have to do a lot more than just leveraging Active Directory," CEO Kevin Cunningham told me.

"In on-premise it was web applications that kicked off the SSO need. SaaS has come since and needs to be added in."

A recent customer win is a global high-tech manufacturer that has a SaaS first policy for procurement. It will deploy SailPoint initially for single sign-on but what sold the solution was the ability to quickly follow up with other functionality such as auditing user access and automating provisioning processes when staff join, move roles or leave the company.

Like most of SailPoint's customers, that implementation will begin on-premise because of the richer feature set available, but with an option to port the implementation to the vendor's multitenant cloud instance later on.

Larger enterprises, especially in conservative sectors such as financial services, are locked into very specific processes and aren't tempted by the lower cost of a more standardized cloud alternative, whereas midmarket manufacturers are showing interest in the cloud option, said Cunningham.

"Financial services will probably the last to migrate over. They're set in their processes.

"There's going to be a trade-off. Economic factors are going to come into it. For now they're willing to pay the price.

"A manufacturing firm is more likely to bend their processes to get the financial gain."

At this end of the market, the state-of-the-art in mobile is giving users an app that lets them reset their on-premise password without having to log a support call. Delivering a mobile portal for easy access to enterprise apps isn't yet on the radar.

Keeping it in Europe

The one thing these two vendors have in common is the inevitability of a European datacenter presence. SailPoint has built its cloud service on Amazon Web Services and will bring an instance into the AWS EU region in Dublin next quarter.

OneLogin is launching twin datacenters in London and Amsterdam, which will operate as a physically separated hot standby pair in the same way as its Chicago and Dallas datacenters in the US.

With cloud vendors like and Box bowing to European sensitivities with local datacenters, the vendors that manage access to those applications have no choice but to do the same. As Pedersen put it: "We hold the keys to the kingdom."

Disclosure: and Box are diginomica partners.

Image credits: Electronic padlocks © kreizihorse -; headshots courtesy of OneLogin and SailPoint respectively.