There are many ways to design IAM architecture:
- Traditional organizations usually keep on-premises Active Directory as the source of truth and sync it (via a directory sync agent) to a nearly “all-in-one” cloud IAM solution like Okta or Entra ID.
- In fully remote workspaces, some opt to go all-in with a cloud provider like AWS, using AWS IAM Identity Center (on top of AWS IAM) for workforce access and Amazon Cognito for CIAM. Note that AWS IAM itself governs access to AWS resources; it is not a general-purpose workforce directory.
- In certain industries, such as higher education, institutions often rely on a mix of 10+ solutions (many of which are industry-specific, like those provided by InCommon), all centered around a directory service like Active Directory for centralized user management.
- Large enterprises (e.g. finance, defense) often deploy a layered IAM ecosystem: a general IAM solution (e.g. Okta), an IGA solution (e.g. SailPoint), and a PAM solution (e.g. CyberArk), all centered around Active Directory as the LDAP backbone, in order to meet strict compliance requirements.
How IAM architecture is designed depends largely on where a company's data and workloads live, how strict its compliance requirements are, and how complex its access needs are.
Note: The following list of IAM solutions is not exhaustive.
IAM solutions
Microsoft – Most large-enterprise IAM architectures are still centered on Microsoft Active Directory running on on-premises Windows Server.
Products: Active Directory, Entra ID (formerly Azure AD), Entra External ID (formerly Azure AD B2C)
Documentation: Active Directory | Entra ID | Entra External ID
Certification: Microsoft Certified: Identity and Access Administrator Associate
Okta – Closest thing to an “all-in-one” cloud IAM tool with an extensive integration network.
Products: Okta Workforce Identity, Okta Customer Identity Cloud
Documentation: Okta Docs
Certification: Okta Certified
CyberArk – One of the most widely deployed Privileged Access Management (PAM) solutions.
Products: CyberArk PAM, CyberArk Privilege Cloud
Documentation: CyberArk Docs
Certification: CyberArk Certified
AWS – Huge cloud platform with built-in IAM/CIAM tools.
Products: AWS IAM, AWS Cognito
Documentation: AWS Docs
Certification: AWS Certified Security Specialty (not IAM specific, but covers IAM)
Keycloak – Most popular open-source IAM solution.
Products: Keycloak (open source, Apache 2.0 licensed)
Documentation: Keycloak Documentation
Certification: N/A
SailPoint – Focused on customizability and complex identity governance needs.
Products: SailPoint IdentityIQ, SailPoint Identity Security Cloud (IdentityNow)
Documentation: SailPoint Product Documentation
Certification: SailPoint Certified
Ping Identity – Focused on federation capabilities and complex B2B scenarios.
Products: Ping Identity (PingFederate is the most popular solution within the suite)
Documentation: Ping Identity Documentation
Certification: Ping Certified
Saviynt – Cloud-first identity governance tool.
Products: Saviynt
Documentation: Saviynt Documentation
Certification: Saviynt Certified Professional
BeyondTrust – PAM solution known for smooth deployment in complex environments.
Products: BeyondTrust
Documentation: BeyondTrust Technical Documentation
Certification: BeyondTrust University
Oracle – Ideal for organizations requiring seamless integration with Oracle applications and databases.
Products: Oracle Identity Management
Documentation: Oracle Identity Management Documentation
Certification: N/A
Fischer Identity – Affordable “all-in-one” solution popular for higher education, non-profits, and employee-owned corporations.
Products: Fischer Identity
Documentation: N/A
Certification: Fischer University
InCommon (by Internet2) – Open-source tools packaged for higher education as the InCommon Trusted Access Platform. The components are developed by separate projects (e.g. Shibboleth by the Shibboleth Consortium, midPoint by Evolveum; Grouper and COmanage by Internet2) and integrated by InCommon.
Products: Shibboleth, Grouper, COmanage, midPoint
Documentation: InCommon Trusted Access Platform Library
Certification: N/A