Finally, the long “Will they or won’t they” wait is over for CIAM customers of Ping Identity and ForgeRock. More specifically, will Thoma Bravo (their private equity owner) keep Ping and ForgeRock as separate entities or will they be mashed together. Or perhaps be triple-mashed-up with SailPoint (another Thoma Bravo company).
The U.S. Department of Justice spent 12+ months investigating the merger, fearing it would be detrimental for customers, but ultimately approved the deal.
Verdict: mashup it is.
And now, customers have one fewer choice.
Keep or sunset?
Now begins the next big waiting game: which products might the Ping Identity and ForgeRock product teams keep and which ones could get killed? Or, put another way, will the Ping or ForgeRock CIAM customer base be force-migrated into a new product?
With a nearly duplicative product portfolio (and little customer overlap) between these two competitors, it seems like that's one of the next major decisions in the product teams' queue. And it’s a doozie.
I know because, in a previous role as the CTO of a leading workforce IAM vendor (also owned by a private equity firm), I lived it.
When a deal like this is announced everyone talks publicly about all the great new tech and capabilities that have come together. But the biggest challenge is often people. Post merger you’ve got two of everything: VPs of Product, VPs of Customer Success, Directors of Engineering? On each side you’ve got leaders that are emotionally invested in their products and customers. But someone has to make some hard calls because typically there are only so many R&D dollars to go around (remember, this is funded by private equity, not a growth-oriented VC firm).
I’ve had to deal with all this and it’s not pretty.
For the products that don’t make it, even harder decisions await. How do you do the right thing for the existing customer? Do you provide a migration or upgrade path? Offer a replacement? Or – worst case – put the product in maintenance mode and slap an end of life date on it?
For the customer, none of the choices are ideal.
Side note: For the teams managing products that could get sidelined or axed, we’re hiring!
5 key CIAM decisions to watch closely
As the Ping Identity and ForgeRock braintrust works their way through those – literally hundreds – of product decisions, we think their CIAM customers should watch out for a few key answers that are likely to have an outsized impact on the trajectory of both new and existing CIAM implementations:
- What’s the CIAM platform of choice?
The conventional wisdom seems to be that ForgeRock will be the go-forward customer IAM platform while Ping becomes the workforce IAM platform. Customers of the un-chosen platform will likely need to do some scrambling over the next couple of years, depending on when their current contract is up.
- Who’s conducting the orchestra: DaVinci or ForgeRock Intelligent Access Trees?
Both Ping and ForgeRock’s CIAM “solutions” are really a collection of multiple independent products. One of those many products is their “orchestration” product. So now there are two: PingOne DaVinci and ForgeRock Intelligent Access. DaVinci, which is based on yet another company (Singular Key) that Ping acquired back in September 2021, is generally considered the better product. But ForgeRock Trees is more widely deployed. If the product teams select ForgeRock as the go-forward CIAM “platform” and PingOne DaVinci as the orchestration tool, it may make things hard for all the ForgeRock products to play nicely.
- Which cloud architectures?
Both Ping and ForgeRock started as on-prem IAM providers. Over the years they have evolved and added new “cloud washed” deployment models. I say “cloud washed” because, in my view, they’ve both taken their on-prem products and moved them to the cloud – but without all of the cloud-native features (like auto-scaling, for example) that customers expect from a modern cloud architecture.
In addition, both vendors also have SaaS offerings. But from what I've seen, they don’t have all the same features as their “cloud washed” or on-prem offerings. Keep an eye on which cloud architectures Ping Identity keeps and sunsets as well as their timeline for getting their SaaS offerings to feature parity with their on-prem solutions.
- How easy will Ping Identity make it to migrate to the go-forward CIAM solution?
We’ve done our fair share of Ping replacements and in our experience Ping doesn’t make it easy. Then again, why would they? Better to keep customers locked in.
Take password migration, for example. In cases where we've replaced Ping, it has been nearly impossible for orgs to use the existing password hashes as part of a just-in-time migration (JIT) to another CIAM solution.
Protip: JIT migration avoids putting all of your customers through a password reset process.
If conventional wisdom is true and ForgeRock is the go-forward customer platform, keep an eye on how easy Ping makes it do migrate in a customer-friendly way.
- What about SailPoint?
During the DOJ investigation there was much speculation about whether Thoma Bravo would merge its other portfolio company, SailPoint, into the Ping and ForgeRock combo.
SailPoint provides identity governance capabilities that Ping Identity and ForgeRock have historically lacked – and they can be helpful for B2B CIAM use cases.
So far the tea leaves point to no triple mash-up. But who knows … maybe once the dust settles Thoma Bravo might take another look.
Recommendations for Ping Identity's and ForgeRock's CIAM customers
While many of the actions in the standard My-XYZ-Vendor-Was-Just-Acquired Playbook apply here, I think this merger is unique because of the product overlap and the likelihood that Ping Identity will choose to sunset a CIAM product that is used by half its customer base. That creates a lot of risk for existing customers.
If you're concerned about that, here are some proactive steps you can take to mitigate that risk.
- Ask for details and dates
As I write this on October 4, 2023, Ping’s website says they’ll be announcing product rationalization plans “in the coming weeks”. While the initial statements about future direction may come in weeks, I believe the devil is in the details and that could take months.
Push for the details. If the answer is “we don’t know yet” then ask when they will know. Write it down and ask them again. And get all product, feature, or support commitments in writing.
- Prepare for a challenging transition – to include a total reinstall
In my experience, neither company’s CIAM products were very easy to use, and both tried to lock customers in by making it hard to migrate. It’ll take work (and budget) to make the transition.
If you end up with the short straw and Ping Identity doesn’t choose to support your CIAM product indefinitely or choose it as its go-forward “platform” (and I expect that PingOne for Customers will be the name on that short straw) you'd be looking at a complete reinstall. Which leads us to recommendation #3.
- Create options by exploring other CIAM vendors
I know, this one is self-serving. But it’s also solid advice with no downsides. Your best leverage against uncertainty is to have options.
The Forrester Wave: Customer Identity and Access Management, Q4 2022 – which you can get here without filling out any form – named three leaders. Now there are two: Ping Identity and Strivacity.
Even if your contract renewal is a couple years out, get familiar with CIAM vendors like Strivacity and look for smaller projects to pilot them on.
- Lower your expectations for innovation and investment
I think it's fair to say that any roadmap you’ve seen in the last 12 months is likely to get a rewrite. Innovation always takes a back seat to integration.
Case in point: the current state of things nearly 18 months after Okta’s acquisition of Auth0, where they’ve still got two different brands, overlapping products and innovation is arguably lagging.
That feature request you’re waiting on? It may not materialize for a while (if ever). Confirm any enhancements your own customer satisfaction roadmap is relying on.
Better yet, repeat Step 3 and come up with Plan B.
Want to learn more?
We’ve seen a sharp uptick in interest since the announcement of the Ping Identity and ForgeRock merger. I’ll spare you the pitch but here are why customers tell us they’re seeking us out.
- We’re the only other CIAM vendor positioned as a Leader in the Forrester CIAM Wave.
- We have the most modern cloud-native architecture.
- We’re the most comprehensive CIAM alternative. Replacing Ping and ForgeRock with Strivacity can save you money.
- We’re 100% focused on CIAM and continuing to innovate.
Need a little bit more info, here's a quick guide: