Why Enterprise Single Sign-On (E-SSO) is More Than Just a Tactical Add-on
Blogger: Phil Schacter
Today’s announcement of IBM’s acquisition of Encentuate, primarily positioned as a supplier of enterprise SSO technology, is a significant milestone in the maturing of the market for E-SSO. Two years ago E-SSO was viewed as a standalone product that was somewhat complementary to the deployment of stronger authentication and a convenient way to support legacy applications with internal logic that prompted for login credentials, typically a user id and a simple password.
Most identity and access management vendors were content to license or resell technology obtained from smaller specialist firms. IBM, Oracle and Sun partnered with Passlogix, while Novell works with ActivIdentity and Quest with Evidian. CA has its own E-SSO offering stemming from an earlier acquisition of Platinum/Memco.
However, the identity and access management vendors discovered that E-SSO was both a market accelerator and offered some important features of interest to customers with regulatory compliance requirements. E-SSO has a shorter sales cycle (typically six months or less) and is able to deploy more rapidly (one to three months depending on the complexity of the environment). Cost for E-SSO varies but many deals are less than $100K, which is easier on the IT budget than most user provisioning software and service projects. Customers could start with E-SSO and then over time add user provisioning, web SSO, federated SSO, and other components of the identity management suites. E-SSO technology also can provide an audit trail of user sessions and any interactions with applications accessed through the E-SSO system.
So who wins in the IBM deal to acquire Encentuate? First, it’s a big win for Encentuate’s 80 plus customers that can look forward to continued support and a more aggressive product roadmap funded by a premier vendor. Although no financial numbers were shared the deal provides an exit strategy for investors that poured about $24M into Encentuate over the years. The 160 plus customers of IBM’s TAM ESSO v6 will have support from IBM for three years from v6’s general availability date of February 2007. They also will have to choose between continuing to use ESSO v6, and transitioning to become a direct Passlogix customer, or migrating to IBM’s new v7 offering, based on the technology acquired from Encentuate. TAM ESSO v7 is expected to be available in Q3 2008 and will include planned enhancements to Encentuate’s product plus address IBM’s integration requirements.
IBM also plans to build on the engineering talent obtained as a part of this acquisition to build out a Security Software Lab in Singapore for more than just the E-SSO and former Encentuate product lines. This area offers high quality engineering talent and a more efficient operational infrastructure and cost than labs based in some other regions. Another key reason for IBM’s shift to a new technology provider is that Encentuate builds on a J2EE foundation, as do most other Tivoli product offerings.
Another interesting question is what is the impact of the IBM deal on their former partner, Passlogix? Clearly IBM will try hard to convince existing customers that they should migrate to TAM ESSO v7, but any migration is hard and it’s not clear who will fund the professional service cost of doing so. Passlogix expects to derive significant ongoing maintenance revenue from a portion of IBM’s 160 customers, and that this revenue stream will more than offset any lost OEM royalties. There is also the question of what happens to the healthy pipeline for ESSO v6 and whether Passlogix can convert any of these prospects into direct customers. Overall Passlogix is prospering in a strong market for E-SSO and related offerings, and indicates that no one source contributes more than a sixth of overall business revenue.
One final observation about the impact of this deal is that it’s likely to start one final wave of consolidation, with Oracle and Sun considering the business risk of the other acquiring Passlogix first. Another acquisition that should probably happen is for Novell to buy ActivIdentity. Novell already provides the channel for 80% of ActivIdentity’s business, so why not bring this important function inhouse?
Hi Phil,
Interesting words on IBM's latest acquisition and its relevance for the market as a whole. With regard to market consolidation and ActivIdentity specifically, is it really a done deal in terms of it ending up at Novell should we see a consolidation wave? I understand the OEM relationship with Novell is strong and obvious, but there's also a strong relationship between Sun and ActivIdentity (also at product integration level so I've understood).
I also always asssumed Passlogix and Oracle do more business than Sun and Passlogix do, making Oracle a more logical fit. Given Sun's cash position, I would say ActivIdentity could go very well Sun's way, rather than Novell?
Do you have any thoughts on this (I know you can't predict the future ;-))
Posted by: Thomas van Vooren | March 18, 2008 at 07:58 AM
My suggestion that Novell would be a better fit for ActivIdentity is based on their long relationship and Novell’s dominance as a revenue source and partner for ActivIdentity. I do agree that Oracle is a better fit for Passlogix. Since Sun tactically resells multiple products and hasn’t branded an OEM version of any partner offering, they have the flexibility to go either way or to look for a third option. Oracle isn’t likely to act until after their fiscal year end in May, but I doubt that we’ll have to wait long for the next consolidation event(s) and predict at least one more before the end of 2008.
-Phil
Posted by: phil schacter | March 18, 2008 at 06:59 PM