Top 8 Customer Identity and Access Management Tools

ForgeRockAuth0Omada IdentityWSO2 Identity ServerSalesforce IdentityOkta Customer IdentitySAP Customer Identity and Access ManagementPingOne
  1. leader badge
    Their access management solution, OpenAM, is most valuable because it meets the needs of a lot of users.I like the intelligent authentication feature.
  2. The valuable features are that it is extremely secure and that it's developer-friendly.The most valuable feature is that it is simple to integrate, irrespective of your codebase.
  3. Find out what your peers are saying about ForgeRock, Auth0, Omada and others in Customer Identity and Access Management. Updated: May 2021.
    501,818 professionals have used our research since 2012.
  4. It has a lot of out-of-the-box features. It is flexible, and there are a lot of possibilities to configure and extend it. It is user-friendly. It has an interface that is end-user or business-user friendly.
  5. It's very easy to implement everything.I would rate the solution's stability eight or nine out of ten.
  6. The user experience was great because it had all the features that the client needed. It was fully customized for the client, and it was very simple. It was the best solution at that time.
  7. There is no password hash saved on the cloud, which is the part that I like the most. The most valuable feature of this solution for most customers is access management.
  8. report
    Use our free recommendation engine to learn which Customer Identity and Access Management solutions are best for your needs.
    501,818 professionals have used our research since 2012.
  9. The most valuable aspect of the product is the provisioning of a lot of SAP systems. It offers automated provisioning.

Advice From The Community

Read answers to top Customer Identity and Access Management questions. 501,818 professionals have gotten help from our community of experts.
Evgeny Belenky
Dear IT Central Station community, What advice can you share with the community (especially with enterprise users) on Password Day 2021? Thanks, IT Central Station Community Team
author avatarSylvain Déjardin
Real User


As requested by Evgeny, my 2 cents.

Nowadays "Password" are still needed. They should be kept in a vault in order to copy/paste them with some kind of security feeling. Mandatory in IT with compliancies and good thing at home.

Tomorrow maybe endusers would have a "security device" to protect their access and share their controlled identity through unique Authentification service. (Because SMS and OTP are not so secure)

Today only few public website use security device.

But more and more company use them at least to secure each employee vault like Big 4 IT/Compagnies

Kind Regards

author avatarreviewer1324719 (PAM Architect at a tech services company with 11-50 employees)
Real User

The very question is endemic of the problem associated with passwords. A day devoted to password considerations. Tomorrow they will be long forgotten. As I see it, there are a few levels of considerations to be included in this question:

  1. Personally related

    1. Banks

    2. Brokerages

    3. Utilities

    4. Commercial credit cards

  2. Private Memberships

    1. Organization memberships

    2. Financial responsibilities

    3. Membership Roles & Access

  3. Professional

    1. Internal organizational

      1. Email

      2. SharePoint

      3. Workday

    2. Client based

      1. VPN

      2. Access oriented (Systems, applications, resources)

Most personal users use the same password for ALL their connections. Worse, many users cache and remember these connections in their browsers. This is the #1 area I would suggest addressing to have the greatest positive impact for Home User scenarios.

A good password with length and complexity is the start, followed by having a password vault, with Norton Password Safe being my favorite, but Pwsafe and KeePass are good candidates for storage of many complex passwords.

Apply these principles personally and professionally.

Insider data breaches can be a real problem in businesses. One way to address this issue is by implementing an identity and access management solution.  What tips do you have for ensuring that one's identity and access management solution is effective?
author avatarChris Bunn (IS Decisions)

The simplest and most common activity for every insider threat action is the logon. Nearly all threat actions require a logon using internal credentials. Endpoint access, lateral movement between endpoints, external access via VPN, remote desktop access, and more all share the common requirement of a logon.

Remember also that almost every external attack eventually looks like an insider. The use of compromised internal credentials is the most common threat action in data breaches.

To ensure the best out of any access management solution, think around five primary functions – all working in concert to maintain a secure environment. 

  • Two Factor Authentication – Regulating user access involves authentication to verify the identity of a user. But authentication using only a strong user name and password doesn’t cut it anymore. Two-factor authentication combines something you know (your password) with something you have (a token or authenticator application).

  • Access Restrictions – Policies can be added on who can logon when, from where, for how long, how often, and how frequent. It can also limit specific combinations of logon types (such as console- and RDP-based logons).

  • Access Monitoring – Awareness of every single logon as it occurs serves as the basis for the enforcing policy, alerting, reporting, and more.

  • Access Alerting – Notifying IT - and users themselves - of inappropriate logon activity and failed attempts helps alert on suspicious events involving credentials.

  • Access Response – Allows IT to interact with a suspect session, to lock the console, log off the user, or even block them from further logons.

The potential insider threat scenarios that are now thwarted include:

  • It protects exploited users (from phishing attacks or malicious colleagues) with controls that make genuine but compromised employee logins useless to attackers.

  • It out-rightly restricts certain careless user behavior such as password sharing, shared workstations left unlocked, or logging into multiple computers.

  • Access to any data/resource is now always identifiable and attributed to one individual user. This accountability discourages an insider from acting maliciously, ensures a quick response to suspicious activity, offers evidence to address violations that do occur, and makes all users more careful with their actions.

author avatarEnrique Leon, CISA
Real User

With experience in both IT and Audit, I can say the answer most often leads to a tried and true combination of preventative and detective mechanisms/controls. These two methods though very different help with achieving the goal of minimizing breaches and detecting them so the right action is triggered when a breach does occur. Since every business has to place on a scale cost vs risk, unless the business has endless monies, there will be some risks too expensive to prevent so you must have the means to detect and then react with the goal of minimizing the exposure and learning from it.

A ridiculous example but proves my point: Every employee has a second or third employee watching and validating every action carried out by the first employee to ensure no data breaches. So the risk is minimized and maybe even eliminated but the cost is more than most companies will ever contemplate. I will leave alone the topic of collusion since that is more than we can explain in this short answer. Now remove the 3rd watcher person and reduce the 2nd by 50% to save money but scope the first person's actions. If the first employee's actions are limited by the roles assigned (in a system or manual), the activity carried out by the employee is controlled and scoped which in turn limits risk. The remainder is added to detective mechanisms such as DLP in a system or even a human reviewing (maybe sampling) the first person's activities.

It is a roundabout way to say, you need a combination of both types of controls where access is scoped and monitored. Where the availability of the data is limited to the degree cost-effective and then the less costly but less reliable detective means are used.

author avatarJoeValero
Real User

The premise of any effective Identity and Access Management solution is that 100% "Trust" exists.  Unfortunately, trusting someone to the "keys of the kingdom" is best left to Hollywood, while ensuring the business stays afloat in the real world requires that a robust zero trust mechanism be implemented.  New employees, whether experienced or fresh out of school,  do not have the luxury of developing the level of trust that can be deemed "100%".  

author avatarEnrique Leon, CISA
Real User

There are easily a dozen low hanging fruit and I would start with the none tech vector: data owners and stewards. Then comes the education and policy dissemination of the company’s stand on data loss. After a move to the tech implementation to detect common signs such as DLP identifying when large and frequent data transfers via email, copy to external drives which include cloud and thumb. 

author avatarMark Adams
Real User

Once you've selected the right solution for your business, you need to make the implementation a formal project and involve all key stakeholders, including those from the business, not just IT folks. Identify all of your information assets, classify them based on sensitivity and criticality (e.g. Public, Internal Use Only, Confidential, and Restricted), then create rules for the granting, revocation and modification of access to those assets. Once that is done and everyone is aware of the policies and procedures governing access, you can implement the solution accordingly. Post-implementation you will want to have a process in place for periodic review of access based on applicable regulatory, audit and security requirements. You may have to create custom reports if the canned reports are not sufficient. Data owners should be involved in the review since they are usually in a better position to determine if individual's access is still legitimate. 

author avatarJoeValero
Real User

Bearing in mind that 100% trust is impossible, it is best to get to zero trust as soon as possible within the confines of your company's risk appetite and with the best tools your company can afford.  There are many Identity and Access Management products and services out there - choose wisely and carefully. 

See more Customer Identity and Access Management questions »
Find out what your peers are saying about ForgeRock, Auth0, Omada and others in Customer Identity and Access Management. Updated: May 2021.
501,818 professionals have used our research since 2012.