A comprehensive approach to CIAM vendor selection


If you are here then you are likely to be interested in a couple of topics:

  1. You are looking for guidance and help in selecting a CIAM Vendor and/or
  2. You are looking for specific detail on how you might implement key CIAM use cases

Let’s deal with 1.

Selecting a CIAM vendor

Once you have identified that a CIAM solution is the right place to start when delivering services, products and solutions to consumers and citizens then you will initially need to do some desktop research. Typically this falls into both looking at the requirements and looking at the market. In terms of the former, on top of your own specific needs, we have found that our enterprise customers have benefited from our “Ultimate CIAM Buyers Guide”, which helps identify the typical CIAM requirements and evaluation criteria for buyers.

In terms of looking at the market, the next place to research is via the Analysts. This article deals with the work we have done with Forrester, however other analysts are also available.

Typically, analyst reports begin in a similar fashion: the team conducts primary research on a given technology area to develop a list of vendors to consider for evaluation. From that initial list, the vendors are narrowed down based on various inclusion criteria until the final list is determined. While different firms take different approaches to reach their conclusions, this is the point at which Forrester will gather details on the product and strategy of each vendor through a detailed questionnaire, along with use-case demos, briefings, and customer reference interviews. Forrester takes those inputs, along with each of its analyst’s experience and expertise in the marketplace, to score vendors using a rating system that compares each vendor against others in the evaluation.

The approach taken by Forrester in their Wave for CIAM report is extensive, much like a full vendor selection, evaluation and proof process we would see from an Enterprise customer and in some cases more so.

This year, 15 vendors were asked to provide a thorough RFI response detailing their strategy and market presence. As the head of the Sales Engineering organization at ForgeRock, I’ve been involved in our response to numerous requests for proposal from prospective customers, including some of the world’s largest enterprises, and I’ve rarely seen any request as exhaustive as the one submitted by Forrester for this report. Their evaluation included 22 criteria, including detailed descriptions of our product vision, roadmap, market approach, partner ecosystems, delivery models, revenue, and number of live installations, including such details as the largest number of customer authentication attempts per hour at a single client organization. We were also asked to supply a list of customers so that Forrester could conduct reference interviews. Which they did.

Each vendor also had to document how it delivers a set of key use cases. The use cases for the latest Forrester Wave™ for CIAM included:

  • Data orchestration: configure intelligent workflow scenarios (aka low-code approaches to deployments). What kinds of visual workflows are available?
  • Users and roles: manage role-based access control (RBAC), including adding users to roles and roles to users, editing fine-grained permissions, and using role inheritance and/or embedded roles.
  • Customer IDV and registration: configure identity verification of a new user. What out-of-the-box integrations are available?
  • Consent management: configure privacy-by-design (data residency) for customer PII that the CIAM solution stores. Show configurations for multiple customer countries, geographical segmentation of users, etc.
  • Authentication methods: configure protection against credential stuffing, account takeover, and password spraying, and how to enable single sign-on (SSO), passwordless, biometrics, and tokens for multi-factor authentication.
  • Risk-based authentication: configure risk-based customer authentications and rule-based risk scores, and configure which authentication methods will be invoked based on the risk score.
  • Customer self-service: configure policies for customers to recover a forgotten user ID, manage their devices, update their profile, and more.
  • Business systems integration: configure the CIAM solution to integrate with CRM (e.g., Salesforce), MDM, web analytics, eCommerce portal, and others. What features are available beyond SCIM?
  • IDV and fraud management: configure the CIAM solution to integrate with third-party IDV solutions, such as Equifax, Experian, LexisNexis, TransUnion, etc., and with an Enterprise or Retail Fraud Management solution, among others.
  • Reporting, dashboarding, and scalability: set up, define, and run an ad-hoc report. Show filtering, changing the order of columns, hiding/showing columns in the output. And show how to set up customized dashboards for CIAM administrators.

And this is where it is a little different, for Forrester, written explanations were inadequate: they required vendors to demonstrate each use-case scenario in real time to the analyst, which typically took three hours. Under each of the use cases listed above were five or more specific use cases. Vendors had to document and demonstrate their effectiveness in all of them, for a total of 50 use case demos. Beyond just responding to and demonstrating the use cases documented, the analyst can “go off-script,” asking the team to demonstrate other capabilities or prove something out a little further — this is a real examination both of the platform and the team presenting.

In many ways, this part of the process is like a detailed PoC that we would run with a large enterprise but where we might typically prove out up to 20 use cases, here we had to demonstrate 50 and be ready to go off script and show others at a moment’s notice.

The use cases Forrester examined for its analysis represent a comprehensive set of requirements for any modern CIAM solution. We believe that any organization considering buying and implementing identity for their customer- or citizen-facing services should be looking at these capabilities and understanding why certain vendors outperformed others.

The team at Forrester has many years of experience in the IAM and CIAM segment and rigorously tests vendors. But we believe this rigor is exactly why ForgeRock obtained the highest score possible in many areas, including data orchestration, users and roles, customer IDV and registration, consent management, authentication methods, risk-based authentication, and customer self-service. And ForgeRock earned the highest overall score amongst all vendors for product offering and strategy.

When investing in an essential technology, like CIAM, it’s important to examine the capabilities that matter most to your organization’s success. Reading the Forrester Wave™: Customer Identity and Access Management, Q4 2022 is a great place to start.

Further reading

Identity Cloud use cases: