What You Need to Know

Improved user convenience and support cost reductions remain the top drivers for clients implementing enterprise single sign-on (ESSO). The "sweet spots" for ESSO implementations are in enterprises where password-related help desk costs are high, shared-workstation support is needed, and users must manage a sustained, politically unacceptable number of user IDs and passwords for at least the next two years, despite attempts to reduce this complexity with other reduced sign-on (RSO) tools and techniques.
In 2007, market competition created downward-pricing pressures. Larger vendors with broad sales and integrator resources had significant growth in customers, although several small vendors' sales stagnated. ESSO tools are still imperfect in their abilities to integrate easily with all possible target systems using "out of the box" administrative tools. However, integration capabilities are improving across the board, and some vendors are standing out. Potential customers still should require proofs of concept to demonstrate vendors' capabilities to integrate difficult applications.

Magic Quadrant

Figure 1. Magic Quadrant for Enterprise Single Sign-On, 2007
Source: Gartner (August 2007)

Enterprises should make a frank assessment of the current and anticipated states of their password management scenarios. We typically see several types of password reduction initiatives in progress within our clients' organizations that can help reduce password management burdens on users and support organizations. Self-service password reset (SSPR) or synchronization initiatives; harmonized and simplified password policies; integration of stronger authentication with targets; and application authentication using Active Directory or Lightweight Directory Access Protocol (LDAP), Kerberos, Web single sign-on (SSO) and federation initiatives can reduce the number of IDs and passwords to be managed (see "Consider Present and Future Access Requirements for RSO/SSO").
Conversely, in many organizations, some legacy applications cannot be retired within two to five years. IT organizations supporting business unit applications may not have the clout to require these business units to purchase new systems that fit the standard identity management architecture, and merger and acquisition activity may bring about the implementation of nonstandard systems. The compliance trend for stronger passwords on targets also can exacerbate support issues for passwords. Integrating stronger authentication directly with many disparate targets can be difficult, particularly with legacy mainframe applications. Most enterprises' initial implementation times range from three to six months; this is the time it takes to integrate a planned set of applications (from 10 to 20) and to deploy an initial set of users (hundreds to 2,000). It takes roughly two years to recoup the costs associated with the purchase and integration of ESSO tools, and these costs may be soft, that is, associated with help desk labor savings that cannot be monetized.
Enterprises must analyze the set of known and anticipated simplification initiatives, balance these against the competing complexity factors and subjectively determine whether the results will provide a politically acceptable solution within a two- to three-year time frame. For example, will it be enough to reduce six user IDs and passwords to three for the anticipated use of direct application authentication to Active Directory?
The overall indication is that the ESSO market is continuing to mature. Some vendors have solidified or enhanced their installed bases in the market since 2006, while some smaller and midsize companies' installed bases have stagnated or grown only sluggishly. Of the vendors that enhanced their positions, Passlogix saw its reseller agreements with IBM and Oracle become fruitful, enabling Passlogix to increase its seat count and to gain relatively large customers. RSA, the security division of EMC, announced a deal with Passlogix to turn over RSA's customers to Passlogix and to discontinue selling RSA Sign-On Manager, a modified version of Passlogix v-GO Single Sign-On. Citrix continued to rapidly gain new, albeit smaller, customers. Imprivata's ease with target system integration, value pricing and an expanding channel partnership set have helped it quickly gain relatively small but numerous customers. ActivIdentity and its OEM partners, notably Novell and IdentiPHI, continue to leverage their customer bases for sales and to gain some new accounts. Gartner recently concluded a 2006 worldwide security software market share study, from which ESSO revenue data was collected for the first time. Gartner estimates that total 2006 software revenue for the ESSO market was approximately $128 million, growing at a rate of more than 19% over the prior year.
Last year, we collected pricing from vendors for 2,500 users, and the average pricing was $45 per user. In 2007, there was downward-pricing pressure overall, and vendors' stated pricing averaged $40 per user for 5,000 users of the base ESSO product. This is across all products and geographies, except European vendors, which reported higher pricing. However, we have seen pricing of $30 to $35 in the U.S. for 5,000 users, and even lower pricing when ESSO was purchased as part of an identity and access management (IAM) suite, or when a vendor wanted to get a foothold in an enterprise. Adding SSPR, shared workstation and vendor-supplied modules to support stronger authentication integration will raise the price to approximately $52 per user for 5,000 users. Some vendors include these functions in their base pricing. The costs for stronger authentication devices are not included in these average figures and can add $15 to $100 per user to implementation costs.

Ease of target system integration remained a focal point in our 2007 research. Based on references and client interactions, we have a clear picture of vendors' integration capabilities. Across the board, these tools can be integrated out of the box (with approximately 90% of their target systems) using the chosen product's automated discovery tools. Most remaining applications can be integrated using provided utilities, scripting or some customization. All harder-to-integrate applications add time to implementations, and tools that require custom coding external to the ESSO tool's native automation or scripting environment can add significant implementation time and costs. Few applications cannot be integrated; the causes of these failures are occasionally technical and usually because of proprietary or archaic methods that legacy applications use for the sign-on process.
Some applications can't be integrated for legal or political reasons. For example, an application that interfaces directly with medical equipment used in critical care may not be allowed to be augmented, per the license agreement. Shared-workstation support and the addition of post-sign-on menu or transaction navigation also can be complex. Imprivata is a standout in the "ease of integration" category. Again, based on references and client interactions, it is rare that standard administrative tools cannot be used to easily establish sign-on automation. MetaPass also claims this capability and has a unique approach to integration, virtualizing the graphical interface, although its product remains unproven in large customer environments.
ESSO tools serve as a proxy between client devices and target systems. Target systems still maintain independent credential stores and will present their own unique sign-on prompts to users' client devices. ESSO tools provide various mechanisms to sense sign-on, password and password change prompts for different target systems. Automated sign-on logic can fail when sign-on or password update prompts change with new releases of target applications or operating systems (OSs). For example, an ESSO tool must rely on textual prompts for terminal emulator-based applications and will fail when this text changes. If the failure is mitigated only after the fact, administrators must retrain the ESSO tool to recognize the new prompt. Therefore, enterprises that adopt ESSO tools must incorporate ESSO testing into the enterprise change management process when updating target systems.

Architectural Differences
All ESSO tools provide similar core functionality (see "Enterprise Single Sign-On Provides Value for Complex Environments"). However, there are key architectural differentiators among products, as discussed in the following sections.

Creating Sign-On Automation
All products now provide a graphical wizard that helps administrators "train" the tool to recognize various sign-on, password change and sign-off events. The wizards write scripts or XML parameter files that are input to the sign-on agent to drive automation. Well-designed, wizard-based administrative interfaces and sensing capabilities generally do a good job of making the automation integration task easy for administrators. These wizards tend to be easier to use than approaches that require script editing. However, wizards can lack flexibility within the tool for hard-to-integrate applications, and may force the administrator or integrator to make external calls to command line scripts and other executable code. This may cause difficulties for the tool's primary internal support staff.
Combination wizard-and-script approaches provide a common way to deal with hard-to-integrate applications, requiring one method to learn, rather than knowledge of various integration methods. Before purchasing, potential customers conducting evaluations or proof-of-concept exercises should provide shortlisted vendors with a set of representative Windows, Web, Java and legacy/terminal-based applications, and should demand that these vendors demonstrate the methodologies and efforts required to integrate the diverse application types.
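The prompt-sensing failure mode described above and the wizard-generated profiles described in this section, as an added example that is not code from the report or from any vendor's product: a constructed XML application profile of the kind a wizard might write for a terminal-emulator application, a minimal agent that drives sign-on by matching prompt text on captured emulator screens, and the change-management regression check that reports which prompt a new target release no longer matches instead of letting the automation stall silently. The profile format, element names, screen text and function names are all assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed example of a wizard-generated application profile (hypothetical
# format, not any vendor's). Each <prompt> names the event the agent must sense
# and the exact screen text that identifies that event.
PROFILE_XML = """<?xml version="1.0"?>
<application name="legacy-ledger" type="terminal">
  <prompt event="logon"    match="Enter user ID:"/>
  <prompt event="password" match="Enter password:"/>
  <prompt event="pwchange" match="Password expired. New password:"/>
  <prompt event="home"     match="MAIN MENU"/>
  <prompt event="failure"  match="SIGNON FAILED"/>
</application>
"""

# Constructed emulator screens: the release the profile was trained on, and a
# new release in which the vendor reworded the user ID prompt.
SCREENS_V1 = [
    "  LEDGER SYSTEM 4.1\n  Enter user ID: ",
    "  Enter password: ",
    "  MAIN MENU  1. Accounts  2. Reports",
]
SCREENS_V2 = [
    "  LEDGER SYSTEM 4.2\n  Username: ",
    "  Enter password: ",
    "  MAIN MENU  1. Accounts  2. Reports",
]

@dataclass
class Prompt:
    event: str
    match: str

def load_profile(xml_text: str) -> dict:
    """Parse the profile into a name, a type and an event -> Prompt map."""
    root = ET.fromstring(xml_text)
    prompts = {p.get("event"): Prompt(p.get("event"), p.get("match"))
               for p in root.findall("prompt")}
    return {"name": root.get("name"), "type": root.get("type"), "prompts": prompts}

def sense(screen: str, prompts: Dict[str, Prompt]) -> Optional[str]:
    """Return the event whose match text appears on the screen, most specific first."""
    for event in ("failure", "pwchange", "home", "password", "logon"):
        p = prompts.get(event)
        if p and p.match in screen:
            return event
    return None

def automate_signon(profile: dict, screens: List[str], user: str) -> List[Tuple[str, str]]:
    """Walk the screens a session presents and return the actions the agent took.
    A real agent pulls the password from its encrypted store; it is never logged here."""
    actions: List[Tuple[str, str]] = []
    for screen in screens:
        event = sense(screen, profile["prompts"])
        if event == "logon":
            actions.append(("send", user))
        elif event == "password":
            actions.append(("send", "<password from encrypted store>"))
        elif event == "pwchange":
            actions.append(("send", "<new password>"))
        elif event == "home":
            actions.append(("done", profile["name"]))
            break
        elif event == "failure":
            actions.append(("abort", "target rejected credentials"))
            break
        else:
            # Unrecognized prompt: this is the silent stall users report as "SSO broke".
            actions.append(("stall", screen.strip().splitlines()[-1].strip()))
            break
    return actions

def regression_check(profile: dict, screens: List[str],
                     required=("logon", "password", "home")) -> List[str]:
    """Change-management check for a new target release: run prompt sensing over
    captured screens and report the required events that no screen matched."""
    seen = {sense(s, profile["prompts"]) for s in screens}
    return [e for e in required if e not in seen]

if __name__ == "__main__":
    profile = load_profile(PROFILE_XML)
    print("v1 actions:", automate_signon(profile, SCREENS_V1, "jdoe"))
    print("v2 actions:", automate_signon(profile, SCREENS_V2, "jdoe"))
    print("v2 prompts needing retraining:", regression_check(profile, SCREENS_V2))
```

Running the regression check against screens captured from a staging copy of the new release, before it reaches production, is the concrete form of the "ESSO testing in change management" the text calls for.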

The back-end repository used to hold objects such as identity attributes, encrypted credentials, application profiles, administrative options and security policies may be based on directories, databases and, less commonly, file systems. Most tools use directories and support Microsoft's Active Directory or LDAP implementations on various directories. Some tools use relational database management systems (RDBMSs) to hold all or some objects but may interface with directories to synchronize identity attributes. Potential customers should evaluate the vendors' repository architectural choices against internal architectural standards.

Two-Tiered vs. N-Tiered Architecture
In a two-tiered architecture, ESSO client agents and administrative clients interact directly with the directory infrastructure. With the n-tiered approach, ESSO products use a physical and logical midtier architecture to interact with client and administrative agents, and to broker interaction with an RDBMS or directory. Implementing a midtier architecture may provide ESSO vendors with a platform for the following additional features beyond those available in a two-tiered architecture:
- The ability to limit access by workstation address, and to force a sign-off from one workstation if a user walks away and signs onto another workstation (an issue with shared workstations in clinical care)
- Fine-grained administration and delegation
- Web interface for administration
- User-provisioning connectors
Lack of built-in fault tolerance for the midtier is a problem with some vendors' implementations. Customers that purchase ESSO tools with midtier architectural components must ensure that these components are implemented redundantly either with the chosen vendor's product or with separately purchased products. Two-tiered architectures inherit the fault-tolerance capability of the directory used to hold credentials and administrative information. Conversely, some two-tiered approaches require a directory schema extension to add administrative attributes or credential caches. Potential ESSO customers have expressed concerns about this, particularly in large organizations, because of potential directory failures or performance issues that can result from schema extensions. In most cases, two-tiered and n-tiered architectures enable users' encrypted credential stores to be held locally on the workstation or on a "smart" token. This can provide temporary SSO access to local resources and available network resources in case the directory or midtier repository is down.

Stronger Authentication Integration
Vendors offer many choices for integrating alternative authentication methods, such as fingerprint biometric technology, proximity badges, one-time password (OTP) tokens and smart cards. Vendors use varied integration methods, including ESSO-vendor-provided toolkits, toolkits provided by strong-authentication vendors, and standards-based integration that uses OS-provided utilities and interfaces, such as PC/smart card standards for smart cards. Customers should require ESSO vendors to articulate clearly the methods they use to integrate the selected authentication technology.
Vendors should be required to answer these key questions:
- Are integration software/drivers provided, or must they be purchased separately?
- How much expense will the solution add to deployment? A range of $15 to $100 per method is reasonable, depending on volume and device type.
- If needed, can the chosen authentication method be used in a second authentication event? Some customers require a second strong-authentication event for sensitive target applications.
- How is a second authentication event implemented? Is it handled simply by the administrator checking a box in an administrative tool, or does it require custom integration? Does the interface ask for the secondary authentication in line with accessing the target system (best), or does it force the user interface back to the main Windows authentication prompt before proceeding to the application?
- Does strong-authentication integration require that the Microsoft Graphical Identification and Authentication (GINA) dynamic link library be replaced? Doing so can be problematic for some organizations, because it may be incompatible with a new version of Windows. The ESSO product may have to replace the GINA only if strong-authentication methodology is used for the initial Windows logon, or if additional functionality, such as SSPR, is built into the augmented GINA. Most often, however, the ESSO's GINA enhancements are implemented by "chaining" to the Microsoft GINA, and no replacement is required.

All relevant vendors provide products that log key events for use in auditing. These log entries are coarse-grained in detail and provide information about who has access to which applications, and about who accessed which applications and when. Vendors differ in whether they provide canned reporting functionality as part of the offering, or whether they rely on exporting log data to third-party reporting or system management tools. Enterprises that have an overarching IAM strategy with a central audit and reporting repository likely will be less concerned with ESSO products that lack inherent reporting capabilities.

Market Definition/Description
ESSO tools enable users to authenticate once to the tool, and to be subsequently and automatically authenticated to other target systems when these are accessed, almost always without modification to the target systems. ESSO tools provide this functionality for systems that use Windows, network, Web and terminal client interfaces. ESSO tools also handle password change requests from target systems and may support post-sign-on automation for additional tasks. ESSO is only one segment of the authentication market within the broader IAM market.

Inclusion and Exclusion Criteria
Vendors were included in this Magic Quadrant if their products have capabilities and attributes that:
- Enable users to sign in once and to be signed into secondary applications automatically without requiring a second identification and authentication action.
- Support target applications that require Windows (thick client), terminal emulator and Web client interfaces.
- Are manufactured by the vendor, or are significantly modified versions of the products obtained through OEM relationships (the products are not obtained without functional modification as part of reseller/partner agreements).
- Are not password synchronization products without SSO.
- Do not provide Web SSO only.
- Do not require bundling only with the vendor's own strong-authentication technologies, and support various stronger authentication types (for example, OTP tokens, biometric methods and smart cards) from multiple third-party vendors.
In 2006, we published a MarketScope (see "MarketScope for Enterprise Single Sign-On Products, 2006") rather than a Magic Quadrant. It covered the vendors included in this Magic Quadrant, with the following exceptions:
- Sentillion: Multi-industry presence was an inclusion criterion in 2006. This year, we noted the significance of ESSO tools to the healthcare industry, and Sentillion's strong presence in this industry brought it to our attention.
- MetaPass: MetaPass was just getting started in 2006 and fell outside last year's inclusion criteria for number and size of customers. MetaPass has an interesting product because its architectural approach to automating sign-on appears to avoid the common pitfalls of other tools, and it supports Linux, Macintosh OS X, Unix and Windows clients.
- RSA Security: RSA is the security division of EMC. RSA resold the Passlogix v-GO product as Sign-On Manager under an OEM agreement. RSA struck a deal to transition its Sign-On Manager customers to Passlogix, allowing RSA to focus its attention on data security. We believe that Passlogix's reseller agreements with IBM and Oracle also drove the decision to transition out of the ESSO business.

- Product/Service: The ESSO product's functionality, architecture, ease of integration, scalability, resiliency, breadth and quality of stronger authentication support, and shared-workstation capability.
- Overall Viability (Business Unit, Financial, Strategy, Organization): The workforce directed to develop, sell and service the solution; installed base; and historical and forward-looking financial results for the product segment.
- Sales Execution/Pricing: Pricing for the base ESSO product and with options for different-size customer organizations, customer wins and seat sales.
- Market Responsiveness and Track Record: Ability to achieve competitive success, customer wins over competitors, changes in capabilities based on customer needs and significance in ESSO milestones.
- Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This also can include ancillary tools, customer support programs (and the quality thereof), availability of user groups and service-level agreements. Customer experiences with products and services, as obtained through references and Gartner's other client interaction channels, were very important. These interactions also helped in the evaluation of product/service capabilities (see Table 1).
Table 1. Ability to Execute Evaluation Criteria
Evaluation Criteria | Weighting
Product/Service | high
Overall Viability (Business Unit, Financial, Strategy, Organization) | standard
Sales Execution/Pricing | low
Market Responsiveness and Track Record | standard
Marketing Execution | no rating
Customer Experience | high
Operations | no rating
Source: Gartner

- Market Understanding: Ability of the technology provider to understand buyers' needs and to translate these into products and services. ESSO's differentiating factors and response to an increasingly crowded market.
- Sales Strategy: The strategy for selling products that uses the appropriate network of direct and indirect ESSO sales channels, the quality and reach of channel partners, and plans to tactically and strategically modify the channels moving forward.
- Offering (Product) Strategy: The ESSO product's top selling points, the vendor's future development plans, Vista support time frame, the vendor's professional services capability and the use of system integrators.
- Business Model: The soundness and logic of a technology provider's underlying business proposition. The focus for ESSO is the extent to which the vendor has alternative products or services to leverage toward ESSO sales, or to use ESSO to leverage the sales of other products, and the vendor's likelihood of surviving in a crowded market.
- Vertical/Industry Strategy: The technology provider's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including verticals. Weight given to a broad and deep client base in many industries, with healthcare, financial services, manufacturing and government being most important.
- Geographic Strategy: The technology provider's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography directly or through partners, channels and subsidiaries, as appropriate for the geography and market (see Table 2).
Table 2. Completeness of Vision Evaluation Criteria
Evaluation Criteria | Weighting
Market Understanding | standard
Marketing Strategy | no rating
Sales Strategy | standard
Offering (Product) Strategy | standard
Business Model | standard
Vertical/Industry Strategy | standard
Innovation | no rating
Geographic Strategy | standard
Source: Gartner

Leaders in the ESSO market show a consistent ability to gain new customers in broad industries and geographies, and at the higher end of the quadrant, have very good to excellent customer references, products that easily or very easily integrate with target systems, and a commitment to rapidly provide the product updates their customers want.

Challengers have good products, good references and some unique capabilities. They may face hurdles in significantly growing their client bases outside their niches, or in establishing effective channels to grow globally.

Visionaries show fairly solid growth, and have very good distribution channels and other product offerings through which they can grow. However, they may not be growing in this market at the sustained rate of leaders, nor do they have the leaders' high, positive customer experiences.

Niche players in this market generally are failing to realize strong growth, have few or no new reference accounts and may lack the product features of their competitors. However, they may be completely appropriate for customers in particular industries and geographies that have functional requirements that can be met by these vendors' products.

Vendor Strengths and Cautions
- ActivIdentity (formerly ActivCard) acquired Protocom Development Systems and its SecureLogin products in 2005. Protocom has been in the ESSO business since 1991, making it one of the longer-standing ESSO vendors.
- ActivIdentity has continued to garner sales from large and small customers. Its pricing model is favorable relative to the market average. It has solid global coverage in sales and support, and it has several SecureLogin resellers in Europe and the U.S., as well as OEM relationships with IdentiPHI and Novell. Novell has made some significant software modifications, and we estimate that Novell sells approximately twice as many SecureLogin products as ActivIdentity does.
- ActivIdentity's combined wizard-and-script integration capabilities provide a common language to deal with difficult integration problems, although not having to use scripting would be best.
- SecureLogin supports a solid variety of stronger authentication mechanisms with particular strengths in smart-token integration, which also is provided.
- ActivIdentity added shared-workstation support with fast user switching in 2007, although this is not a stand-out strength.

- SecureLogin supports various directories; however, it requires a directory schema extension, and this can be a perceived negative for organizations with large, complex and highly distributed directory infrastructures. A separate instance of Microsoft Active Directory Application Mode (ADAM) could be an alternative.
- Although sales of SecureLogin have been steady, ActivIdentity lost money overall in 2006 and 2005. We remain concerned about the company's long-term viability; however, it improved its cash position and increased revenue in 2006.
- References and Gartner clients have mixed reviews of SecureLogin's integration automation, indicating that a significant portion of applications must be scripted. This highlights the need for prospective customers to conduct proofs of concept with hard-to-integrate applications.

- Avencis has been offering its SSOX product since 2001. This small company has made inroads in the European market. It runs "lean and mean" from a cost perspective.
- Avencis has excellent breadth of directory support.
- SSOX supports a wide variety of vendors and types of stronger authentication methods.
- Avencis has made up lost ground in features and against other competitors by introducing shared-workstation support.

- Avencis has only one office location (Paris, France), and its stated target of building a European and predominantly French customer base makes it a poor choice for geographies outside Europe.

- Beta Systems acquired the Focal Point product from Canadian-based Okiok in 2005. The product has been renamed SAM eSSO to fit in with Beta's other identity management offerings. The acquisition gave Beta Systems a customer presence in North America and Europe.
- Beta Systems can use the ESSO offering to leverage the sales of other IAM technologies, such as user provisioning.
- SAM eSSO's architecture is on a par with most other offerings.

- Beta Systems' overall financial position improved in 2007. Although the company added ESSO seat count to its established customer base, it gained only one net new customer in 2006.
- Sign-on automation is wizard-based for Web and Windows applications, but terminal emulator integration requires scripting.
- Shared-workstation support is lacking in the production version.

- CA's Single Sign On is part of its broader IAM suite. As with other vendors that offer identity and security products beyond ESSO, CA can leverage sales bidirectionally to upsell. The number of CA Single Sign On customers rose approximately 10% in 2006. CA has some very large installations, with one confirmed at 65,000 users.
- CA has a broad geographic range for selling and servicing its product. The company relies predominantly on its direct channel but has large system integrators as partners.
- Single Sign On offers a wide variety and depth of stronger authentication devices.
- The shared-workstation functionality is very good and provides automated logoff, application closing and activation/deactivation based on the presence or absence of stronger authentication.

- In 2006, CA was the only vendor to require administrators to use and edit only scripts to create sign-on and password change automation. CA created a large library of scripts that customers can use, but these may require modifications to work with target systems. Also in 2006, CA developed a wizard; however, it supports only Windows and Web applications. Terminal emulator and Java applications still require scripting in Tool Command Language. Based on references and our client feedback, the tool is stable when implemented, but CA's Single Sign On takes longer, on average, to implement than other solutions.
- Customers must pay for a "lite" version of CA's provisioning product to get SSPR added to Single Sign On.

- Citrix gained the most ground in adding new customers for Password Manager, gaining almost 1,200 customers, a 50% customer increase over 2006.
- Citrix clearly is able to leverage its Presentation Server and other products, and to sell its ESSO tool, Password Manager.
- Shared-workstation support is excellent. The Hot Desktop feature provides fast and easy user switching. With a combination of Password Manager and Presentation Server, users can reestablish application environments as they roam among workstations.
- Citrix has one of the most extensive, value-added reseller (VAR) and system integration networks worldwide.
- Citrix has a unique federation feature that provides SSO to external customers that use Active Directory and have Citrix Presentation Server clients on users' devices. Citrix leverages Active Directory Federation Services to do this.

- Out-of-the-box directory support is limited to Microsoft Active Directory. A consulting engagement is required to implement other LDAP-based directories as the identity store. Network file systems may be used as the identity store, but this configuration will reduce functionality.
- Sign-on integration is not perfect. However, customers regularly report good success and have few applications that must be integrated using capabilities outside the standard wizard interface.
- Most of Citrix's new customers were small to midsize businesses, averaging fewer than 1,000 users.

- Encentuate was founded in 2001 and is currently an ESSO pure-play vendor. Overall, Encentuate has a very good product set that customers like and a high rate of out-of-the-box integration with target systems.
- Encentuate is the only vendor to provide access to all types of applications through a Web browser and without requiring the SSO client to be implemented on the workstation. The use of a virtual private network client is recommended for remote access from outside the network.
- The Encentuate product set integrates with a good set of stronger authentication options and includes a unique product called iTag. This is a passive proximity/radio frequency ID reader with a tag that can be affixed to anything the user carries (often a physical ID or physical access control badge) and can be used as a form of authentication for the ESSO tool.
- Encentuate's ESSO product set has excellent shared-workstation support and the ability to provide each user with a private desktop, not just the sharing of applications on a common desktop as other vendors do.
- Encentuate's price-for-value proposition is very good, providing shared-workstation support, SSPR and stronger authentication integration for a lower price than most competitors.

- Encentuate's main challenge is to gain market share more aggressively. Management changes in 2006 left Encentuate trailing similarly staffed competitors in sales growth.
- Encentuate must establish broader sales and integration partner channels to gain market share.

- Evidian has rationalized its product line, keeping the two-tiered WiseGuard product it acquired from Enatel as the primary choice for customers. Evidian's original product, SAM SE, is offered to clients still seeking a midtier product that can support the delegated administration of users and group policies.
- Evidian has the strongest presence and sales record in Europe, and the most customers outside Europe, as compared with its European competitors.
- WiseGuard offers a capability that enables users to delegate SSO capabilities to other users, for example, when going on leave.
- Evidian added 55 customers in 2007, and its installed base averages 7,000 seats per customer. The company has some large customers, one with more than 80,000 users.

- In addition to its traditional competitors, ActivIdentity and Novell, Evidian faces increased competition from Citrix, Passlogix and Imprivata, all of which are making significant headway in the European market.

- i-Sprint Innovations has been successful in selling its AccessMatrix Universal Sign-On (USO) to banks predominantly in the Asia/Pacific region. USO is part of a larger access management and authentication portfolio.
- USO has a midtier architecture that provides granular administrative control, and good audit and reporting features. It also supports various back-end directories.
- USO's midtier architecture can be hosted on various OS platforms, including IBM z/OS, Linux, Unix and Windows. USO also supports a variety of databases to hold identity attributes and security policy data.
- USO can segregate administrative duties and can optionally require two different users to perform an administrative function (dual control), or can require two users to log in to particular target systems (analogous to requiring two keys to a safety deposit box). This unique feature was developed for banking environments.
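The dual-control rule described above, as an added example written for this page rather than i-Sprint's own code: a request by one authorized user is held until a different authorized user approves it within a time window, and every decision (including refusals) is written to an audit trail. The same gate models both "two administrators to change policy" and "two operators to log on to a target system"; the user names, action names and 15-minute window are assumptions.

```python
import time
from dataclasses import dataclass, field


class DualControlError(Exception):
    """Raised when the two-person rule is not satisfied."""


@dataclass
class PendingRequest:
    action: str             # e.g. "grant_admin" or "logon:core-banking" (assumed names)
    requested_by: str
    requested_at: float
    params: dict = field(default_factory=dict)


class DualControlGate:
    """Two-person rule for privileged operations (hypothetical design).

    request() records what one authorized user wants to do; approve() by a
    *different* authorized user, within ttl_seconds, releases it for
    execution exactly once. Every outcome is appended to self.audit as
    (event, request id, user, action, reason).
    """

    def __init__(self, authorized, ttl_seconds=900):
        self.authorized = frozenset(authorized)
        self.ttl = ttl_seconds
        self.pending = {}
        self.audit = []
        self._next_id = 1

    def _refuse(self, req_id, user, action, reason):
        self.audit.append(("refused", req_id, user, action, reason))
        raise DualControlError(reason)

    def request(self, user, action, now=None, **params):
        if user not in self.authorized:
            self._refuse(None, user, action, "not authorized")
        now = time.time() if now is None else now
        req_id = self._next_id
        self._next_id += 1
        self.pending[req_id] = PendingRequest(action, user, now, params)
        self.audit.append(("requested", req_id, user, action, ""))
        return req_id

    def approve(self, user, req_id, now=None):
        now = time.time() if now is None else now
        req = self.pending.get(req_id)
        action = req.action if req else None
        if user not in self.authorized:
            self._refuse(req_id, user, action, "not authorized")
        if req is None:
            self._refuse(req_id, user, None, "unknown or already-consumed request")
        if user == req.requested_by:
            self._refuse(req_id, user, action, "requester cannot approve own request")
        if now - req.requested_at > self.ttl:
            del self.pending[req_id]
            self._refuse(req_id, user, action, "request expired")
        del self.pending[req_id]        # single use: a second approval cannot replay it
        self.audit.append(("approved", req_id, user, action, ""))
        return req                      # caller now executes req.action with req.params


if __name__ == "__main__":
    gate = DualControlGate(["alice", "bob"], ttl_seconds=900)
    rid = gate.request("alice", "grant_admin", account="teller42")
    released = gate.approve("bob", rid)
    print("released:", released.action, released.params)
    for entry in gate.audit:
        print(entry)
```

The checks are ordered so that the cheapest and most security-relevant refusals come first (unknown caller, unknown request, self-approval), the request is removed from `pending` before the approval is recorded, and an expired request is discarded rather than left approvable later.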

- i-Sprint Innovations' customer base is small, as are its seat counts at customer sites. i-Sprint's largest customer has fewer than 10,000 seats implemented, and the company added approximately 40,000 seats and only 13 customers in 2007.
- Although i-Sprint has a niche in financial services and some government customers, adoption of its USO product must accelerate and the product must be proved outside this niche and geography for i-Sprint to become globally competitive.

- Imprivata's appliance-based approach and ease of target system integration are making the OneSign product an easy choice for many small and midsize businesses, financial institutions, healthcare organizations and governments. OneSign repeatedly stands out for its ability to integrate easily with target systems and to provide the needed sign-on, password change and follow-on automation, while rarely requiring external command calls.
- Imprivata more than doubled its customer base from 2006 and is about to surpass the 400-customer mark. It is successfully leveraging its VAR channels and is expanding its presence in Europe.
- OneSign has very good stronger authentication integration and shared-workstation support.
- The product also includes a solid set of canned reports.
- Pricing is extremely competitive, and Imprivata's is one of the least expensive solutions to implement overall, particularly for smaller organizations.

- The lack of demonstrated scalability is still the chink in Imprivata's armor. Appliance pairs provide failover redundancy within a confined network structure and for the set of users whose attributes are contained within the appliance pairs. However, failover is not provided among multiple appliance pairs, and separate appliance pairs may need to be deployed and managed for thousands of users across multiple geographies or business units. Imprivata plans to address this issue in 2007, but it currently remains a concern for large clients considering such alternatives.
- Implementations are generally small, averaging approximately 1,700 users, and the largest implementation has 8,000 users.

- MetaPass is new to the crowded ESSO marketplace, and the company is attempting to build its reputation and client base through a novel approach to target system integration that also lets it provide SSO on Windows, Linux and Mac OS X clients; it is the only ESSO vendor to do so. Rather than use different integration approaches for Windows, Web and terminal emulator target interfaces, MetaPass inserts itself into the graphical device interface, creating a "virtual integration" layer and a common approach to sensing target system events that has been adapted to each of those client platforms.
- MetaPass provides one day of free, over-the-phone installation support and claims this is all that is needed to integrate a customer's target systems. The company also has confirmed rapid installation.
- MetaPass' novel integration approach and diverse client platform support are appealing, and the company has an eagerness to please.
- MetaPass has demonstrated a willingness to integrate new authentication products for free and usually within one week.
- Enterprises with SSO needs and heterogeneous client OS platforms that are not risk-averse should consider MetaPass.

- MetaPass has few paying customers, and client references are still scant. Its product is unproven in large, complex customer environments. Enterprises with heterogeneous client OS platforms that are not risk-averse can consider MetaPass, but should perform a thorough proof-of-concept test.
- MetaPass has basic shared-workstation support, with fast user switching and application shutdown after a timeout, or when the user's authentication device is removed. It does not yet support smooth roaming or Clinical Context Object Workgroup (CCOW) integration. It also lacks provisioning system linkages, although these are being developed.
- MetaPass established a reseller and integrator agreement with Siemens in 2006. This is a positive development, but Siemens is MetaPass' only major VAR or integrator.
- MetaPass' portfolio of supported stronger authentication technology is lean, as compared with those of other vendors.

- Novell delivers an OEM version of ActivIdentity SecureLogin but has added some key functionality for Novell customers. Novell sells roughly two-thirds of the overall SecureLogin seat licenses sold by ActivIdentity and all resellers.
- Novell inherits the technological capabilities of the ActivIdentity SecureLogin tool and integrates the Novell Modular Authentication Service (NMAS). Various third-party authentication providers have certified with NMAS, and NMAS provides a common authentication integration point for Novell eDirectory customers. Novell provides an iManager plug-in for SecureLogin that allows administrators to use a Web interface for portions of the administrative functionality, such as setting user and group policies to provide access to specific target systems. SecureLogin can use Microsoft Active Directory Application Mode (ADAM) as a repository, in which case no Novell infrastructure is required.
- Novell has a global reseller channel, "follow the sun support" and consulting services to support implementation.
- Novell has a full IAM suite, so sales of SecureLogin and of the rest of the suite can drive each other.

- Novell inherits the pros and cons of ActivIdentity's combined wizard-and-scripting approach. Gartner clients have mixed reviews of SecureLogin's integration automation, indicating that a significant portion of applications must be scripted. This highlights the need for prospective customers to conduct proofs of concept with hard-to-integrate applications.
- NMAS functionality is suitable only when Novell eDirectory is the directory used for authentication and as the ESSO identity repository.
- Users must replace Windows' GINA with Novell's GINA when full Novell client functionality is required. SSPR requires the Novell Identity Manager and user application portal.

- PassGo Technologies has developed its SSO capability on the back of its password synchronization engine. The company has a strong customer presence in Africa, Europe, the Middle East, North America and the U.K., with a smaller percentage of customers in Asia/Pacific.
- PassGo's original product, now called SSO Classic, has a midtier authentication server. The user must authenticate to the authentication server first; the server then acts as a proxy for the user to the agents on the target systems. Passwords are encrypted throughout the network.
- Another advantage of PassGo's architecture is that changes made to passwords directly on the target systems, perhaps by developers or users who don't have the client agent on their workstations at the time of change, can be synchronized automatically throughout, without user intervention. This benefit is unique to PassGo. Its new product, Enterprise SSO, is two-tiered and uses Active Directory for authentication and to hold identity attributes.
- PassGo's authentication server runs on various platforms, including several types of IBM z/OS, Unix and Windows platforms.

- PassGo is a small company whose challenge is to expand its presence in a crowded market. The company added 20,000 seats in 2006 but sold to no net new customers.
- Scripting still is required for terminal emulator applications and for some hard-to-integrate applications.
- Although the new ESSO tool does not require a midtier server, customers may prefer SSO Classic, or it may be required to accomplish some target system sign-on automation. The SSO Classic midtier authentication server is the only ESSO product that requires agents to be installed on target system platforms. Passwords on all target systems are synchronized so they are the same on all platforms. This can be considered a weakness: with one synchronized password, the password formation rules and password change frequency must be set to match the rules of the least-capable target system, whereas other ESSO tools provide for a different password for each target system.
- Shared-workstation support provides a minimal feature set, as compared with other vendors' capabilities, and relies on Windows' user switching.
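The "least-capable system" consequence of password synchronization, as an added example that is not PassGo's code or configuration: when one password must be valid on every target, the effective policy is the longest minimum length, the shortest maximum length, only the characters every target accepts, every character class any target requires, and the shortest change interval. The three sample target policies are constructed for illustration and are not any vendor's defaults; the helper shows that a password acceptable to the directory alone is rejected under the synchronized policy, that the usable keyspace shrinks to what the weakest target supports, and that some combinations of targets cannot be satisfied at all.

```python
import math
import string
from dataclasses import dataclass

# Character classes a policy may require; values are the characters in each class.
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_len: int
    max_len: int
    allowed: frozenset        # characters the target system accepts
    required: frozenset       # names from CLASSES that must each appear
    max_age_days: int         # longest permitted interval between changes
    case_sensitive: bool = True


def effective_policy(policies):
    """Policy a single synchronized password must satisfy on every target.

    Returns (policy, conflicts). A non-empty conflicts list means no
    password can satisfy all of the targets at once.
    """
    allowed = set(policies[0].allowed)
    required = set()
    for p in policies:
        allowed &= p.allowed            # only what every target accepts
        required |= p.required          # everything any target demands
    min_len = max(p.min_len for p in policies)
    max_len = min(p.max_len for p in policies)
    max_age = min(p.max_age_days for p in policies)
    case_sensitive = all(p.case_sensitive for p in policies)

    conflicts = []
    if min_len > max_len:
        conflicts.append(f"min_len {min_len} exceeds max_len {max_len}")
    for cls in sorted(required):
        if not CLASSES[cls] & allowed:
            conflicts.append(f"class {cls!r} is required but no such character is accepted everywhere")
    if len(required) > max_len:
        conflicts.append("more required classes than characters allowed")
    policy = PasswordPolicy("synchronized", min_len, max_len, frozenset(allowed),
                            frozenset(required), max_age, case_sensitive)
    return policy, conflicts


def complies(password, policy):
    """True if the password is acceptable under the policy (a format check, not a strength test)."""
    if not policy.min_len <= len(password) <= policy.max_len:
        return False
    if any(c not in policy.allowed for c in password):
        return False
    return all(any(c in CLASSES[cls] for c in password) for cls in policy.required)


def keyspace_bits(policy):
    """Upper bound on the entropy of a maximum-length password under the policy.
    A case-insensitive target folds upper and lower case into one alphabet."""
    alphabet = policy.allowed if policy.case_sensitive else {c.lower() for c in policy.allowed}
    return policy.max_len * math.log2(len(alphabet))


# Constructed sample targets (illustrative values only).
MAINFRAME = PasswordPolicy("legacy mainframe", 6, 8,
                           frozenset(string.ascii_letters + string.digits + "@#$"),
                           frozenset({"digit"}), 30, case_sensitive=False)
DIRECTORY = PasswordPolicy("directory", 8, 64,
                           frozenset(c for c in string.printable if not c.isspace()),
                           frozenset({"upper", "lower", "digit"}), 90)
WEB_APP = PasswordPolicy("web application", 8, 20,
                         frozenset(string.ascii_letters + string.digits + "!@#$%^&*"),
                         frozenset({"symbol"}), 180)
STRICT_APP = PasswordPolicy("hardened application", 12, 128, DIRECTORY.allowed, frozenset(), 90)


if __name__ == "__main__":
    synced, problems = effective_policy([MAINFRAME, DIRECTORY, WEB_APP])
    print(f"synchronized: {synced.min_len}-{synced.max_len} chars, {len(synced.allowed)} accepted chars, "
          f"change every {synced.max_age_days} days, ~{keyspace_bits(synced):.1f} bits max")
    print("Tr0ub4dor&3 on directory alone:", complies("Tr0ub4dor&3", DIRECTORY))
    print("Tr0ub4dor&3 when synchronized:", complies("Tr0ub4dor&3", synced))
    print("mainframe + hardened app:", effective_policy([MAINFRAME, STRICT_APP])[1])
```

The check that matters in a proof of concept is the one the example surfaces: add each hard-to-integrate target's real rules to the list and see whether `conflicts` is empty and whether `keyspace_bits` is still acceptable; per-target credentials in a vault avoid this ceiling because the ESSO tool, not the user, carries the differences.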

- Passlogix greatly leveraged its reseller relationships with IBM and Oracle this past year. It also made a deal with RSA to gain RSA Sign-On Manager customers. (Sign-On Manager was a modified OEM version of Passlogix v-GO.) Through this deal, Passlogix also obtained a tighter, more-streamlined integration of RSA SecurID to v-GO implementations.
- Passlogix has a number of very large implementations, some with more than 100,000 users, and this year it added HSBC, one of the world's largest banking and financial services organizations.
- v-GO's architecture is two-tiered, with credentials capable of being stored in a variety of back-end directories. Redundancy is predicated on the customer's directory implementation. Passlogix's sign-on automation is wizard- and parameter-based, so no scripts are used. Clients report that most applications can be integrated easily out of the box.
- Stronger authentication support is good and is implemented using Passlogix's add-on Authentication Manager product.
- Good shared-workstation support comes with the add-on Session Manager product. Passlogix supports integration with various provisioning products using its add-on Provisioning Manager. It also provides an SSPR tool focused on the network password used for primary authentication to ESSO.

- Passlogix's internal support staff is relatively small, as compared with other larger vendors and given its growing customer base. Passlogix must leverage its resellers to provide support while still providing responsive code patch/fix support as problems are uncovered.
- Reporting and auditing capabilities are provided through third-party tools.
- Passlogix's standard pricing is one of the highest in this arena, when adding SSPR, stronger authentication support, and shared-workstation and provisioning support to the base-product purchase.
- Some target systems can be difficult to integrate and will require additional time.

- Sentillion has its roots and strength in the demanding healthcare industry. The company has provisioning capabilities, strong context management and remote access tools for ESSO.
- Sentillion also has a very good, project-oriented implementation methodology and fixed-price engagement for helping clients implement the SignOn Manager tool.
- Shared-workstation support is excellent and provides all the required functionality demanded by clinical healthcare environments.
- Sentillion's base pricing is high but includes SSPR and shared-workstation support, features that are considered options by most other ESSO vendors. Role-based application launch and CCOW support also are included.
- The company is developing a solution, for release in fourth-quarter 2007, that will decouple its role-based application launch and CCOW support, reduce some advanced shared-workstation functionality, improve wizard-based target system integration and add Active-Directory-based SSPR. The price of this new product should be significantly less than Sentillion's current offering.

- Sentillion's solution is one of the most expensively priced in the market, and the new product will not be ready until fourth-quarter 2007.
- Sentillion's client base is limited exclusively to the healthcare industry and almost exclusively to North America. The company faces competition within healthcare from the combined forces of CA, Citrix, Encentuate, Imprivata, Novell and Passlogix.
- Early versions of SignOn Manager required administrators to do extensive customization to integrate with target systems. Although Sentillion has improved the process by providing a wizard, scripting still is required to integrate with some target systems and to provide follow-on automation after signing on. JavaScript is the standard scripting language and format that the wizard creates and that administrators can customize.
The Magic Quadrant is copyrighted 30 August 2007 by Gartner, Inc. and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
© 2007 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction and distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner's research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice.
We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor appearing in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. This may be a reflection of a change in the market and, therefore, changed evaluation criteria, or a change of focus by a vendor.
Product/Service: Core goods and services offered by the vendor that compete in/serve the defined market. This includes current product/service capabilities, quality, feature sets and skills, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.
Overall Viability (Business Unit, Financial, Strategy, Organization): Viability includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood that the individual business unit will continue investing in the product, will continue offering the product and will advance the state of the art within the organization's portfolio of products.
Sales Execution/Pricing: The vendor's capabilities in all pre-sales activities and the structure that supports them. This includes deal management, pricing and negotiation, pre-sales support and the overall effectiveness of the sales channel.
Market Responsiveness and Track Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor's history of responsiveness.
Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization's message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This "mind share" can be driven by a combination of publicity, promotional initiatives, thought leadership, word-of-mouth and sales activities.
Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on.
Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.
Market Understanding: Ability of the vendor to understand buyers' wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen to and understand buyers' wants and needs, and can shape or enhance those with their added vision.
Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the Web site, advertising, customer programs and positioning statements.
Sales Strategy: The strategy for selling products that uses the appropriate network of direct and indirect sales, marketing, service and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.
Offering (Product) Strategy: The vendor's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements.
Business Model: The soundness and logic of the vendor's underlying business proposition.
Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets.
Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.
Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.