
How to choose an IAM platform

A buyer-focused guide to evaluating workforce IAM platforms — what to look for, what to ask, and how to avoid common mistakes.

Quick answer


Pick the IAM platform that matches your identity surface, not the loudest brand. For most mid-market and enterprise teams that means an SSO + MFA + lifecycle + governance stack covering SaaS, infrastructure, and custom apps — with SCIM provisioning, strong session management, audit logging, and clean SIEM integration. Start by mapping your apps, users, and compliance scope, then shortlist 3 vendors and run a hands-on POC.


Who this guide is for

CIOs, CISOs, identity architects, IT directors, and security engineers in 200- to 50,000-person organizations evaluating a primary workforce IAM platform. Useful whether you are replacing AD/LDAP, consolidating point tools, or buying IAM for the first time.

When this matters

Choosing an IAM platform matters most when you are scaling past 200 employees, adopting SaaS aggressively, facing SOC 2 / ISO / SOX scope, integrating after an acquisition, or replacing AD/legacy SSO. The wrong pick locks you into 3-5 years of migration cost.

How to choose

Build a weighted scorecard across coverage, authentication strength, lifecycle, governance, developer surface, observability, compliance, and TCO. Shortlist 3 vendors that already serve customers your size and shape. Run a 4-week POC with real apps and real users — not a vendor-driven demo. Negotiate after the POC, not before.

Key buying criteria

  • User and app coverage

    How many SaaS apps, on-prem apps, and infrastructure systems will it federate? Look for a deep pre-built SAML/OIDC catalog (1,000+ integrations) and clean fallbacks (SCIM, header-based, password vaulting) for the long tail.

  • Authentication strength

    Phishing-resistant MFA (FIDO2/WebAuthn, passkeys, smartcards), risk/adaptive policies, device posture signals, and step-up auth. Avoid platforms still leaning on SMS as the recommended default.

  • Lifecycle and provisioning

    SCIM 2.0 push provisioning to your top apps, joiner/mover/leaver flows, HR-driven source of truth (Workday, BambooHR, SAP SuccessFactors), and clean deprovisioning. Manual offboarding is a real breach risk.

  • Governance hooks

    Access reviews, separation of duties, role mining, and exportable evidence for SOX/SOC 2/ISO. Either built in or via a tight integration with an IGA vendor.

  • Developer surface

    OIDC for first-party apps, OAuth 2.1 for APIs, SDKs in your languages, custom claims, hooks/actions for inline logic, and a sane test/staging story.

  • Observability and SIEM

    Real-time event streams, full audit log retention, and native connectors to Splunk, Sentinel, Datadog, Snowflake, or your SIEM of choice.

  • Compliance and data residency

    FedRAMP, HIPAA, ISO 27001, SOC 2 Type II, GDPR, and regional data residency (EU, AU, JP) where you need it.

  • Migration and exit

    How does data get in (LDAP, Azure AD/Entra, Okta, ForgeRock, AD)? How does it get out? Hashed password export, custom claim mapping, and bulk SCIM are make-or-break for replacing an incumbent.
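The weighted scorecard the guide recommends is easy to get wrong in two ways: weights that do not add up, and a vendor that wins on total points while failing a must-have (SMS as the default MFA factor, no SCIM). The following is an added example, not part of this guide or any vendor's tooling: it scores the eight criteria above with explicit weights and knockout floors. Vendor names, weights, thresholds and scores are constructed placeholders for illustration, not ratings of real products.

```python
"""Weighted IAM vendor scorecard with knockout criteria.

Added example (not from the original guide). Weights, knockout floors and the
three sample vendors are constructed placeholders; tune them to your own
priorities before using the scorecard in a real evaluation.
"""
from dataclasses import dataclass

# The eight buying criteria, weighted to sum to 1.0 (assumed weights).
WEIGHTS = {
    "coverage": 0.20,
    "authentication": 0.20,
    "lifecycle": 0.15,
    "governance": 0.10,
    "developer": 0.10,
    "observability": 0.10,
    "compliance": 0.05,
    "tco": 0.10,
}

# Knockout floors on a 1-5 scale: a vendor below the floor on any of these is
# disqualified no matter how high its weighted total is.
KNOCKOUTS = {"authentication": 3, "lifecycle": 3}


@dataclass
class Vendor:
    name: str
    scores: dict  # criterion -> score from 1 (poor) to 5 (excellent)


def validate_weights(weights=WEIGHTS):
    """Reject a scorecard whose weights do not sum to 1.0."""
    total = sum(weights.values())
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"weights sum to {total:.3f}, expected 1.0")
    return True


def weighted_score(vendor, weights=WEIGHTS):
    """Weighted total for one vendor; every weighted criterion must be scored 1-5."""
    missing = set(weights) - set(vendor.scores)
    if missing:
        raise KeyError(f"{vendor.name} has no score for {sorted(missing)}")
    for criterion, score in vendor.scores.items():
        if not 1 <= score <= 5:
            raise ValueError(f"{vendor.name}: {criterion} score {score} outside 1-5")
    return round(sum(weights[c] * vendor.scores[c] for c in weights), 3)


def knocked_out(vendor, knockouts=KNOCKOUTS):
    """List the knockout criteria this vendor fails (empty list means eligible)."""
    return [c for c, floor in knockouts.items() if vendor.scores.get(c, 0) < floor]


def rank_vendors(vendors, weights=WEIGHTS, knockouts=KNOCKOUTS):
    """Return (eligible ranked best-first, rejected with the criteria they failed)."""
    validate_weights(weights)
    eligible, rejected = [], []
    for v in vendors:
        failed = knocked_out(v, knockouts)
        if failed:
            rejected.append((v.name, failed))
        else:
            eligible.append((v.name, weighted_score(v, weights)))
    eligible.sort(key=lambda pair: pair[1], reverse=True)
    return eligible, rejected


# Constructed sample scores for three hypothetical vendors.
SAMPLE_VENDORS = [
    Vendor("Vendor A", {"coverage": 5, "authentication": 4, "lifecycle": 4, "governance": 4,
                        "developer": 3, "observability": 4, "compliance": 5, "tco": 2}),
    Vendor("Vendor B", {"coverage": 3, "authentication": 4, "lifecycle": 3, "governance": 2,
                        "developer": 5, "observability": 3, "compliance": 3, "tco": 5}),
    # Vendor C recommends SMS as its default factor, so authentication scores 2
    # and it is knocked out despite a competitive total.
    Vendor("Vendor C", {"coverage": 4, "authentication": 2, "lifecycle": 4, "governance": 3,
                        "developer": 3, "observability": 3, "compliance": 4, "tco": 4}),
]


if __name__ == "__main__":
    ranked, dropped = rank_vendors(SAMPLE_VENDORS)
    for name, score in ranked:
        print(f"{name}: {score}")
    for name, failed in dropped:
        print(f"{name}: knocked out on {', '.join(failed)}")
```

The knockout list is the important part: it encodes the non-negotiables from your regulator, cyber insurer or security team, so a vendor cannot buy its way past a weak MFA or lifecycle story with a low price.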

Evaluation checklist

  • Inventoried all federated apps (SaaS + on-prem + custom)
  • Counted internal vs external (contractor, partner) user populations
  • Documented MFA factors required by your regulator or cyber insurer
  • Mapped HR system as authoritative source
  • Confirmed SCIM provisioning for your top 20 apps
  • Validated SAML/OIDC + WS-Fed legacy app support
  • Tested phishing-resistant MFA (passkey/FIDO2) end-to-end
  • Reviewed audit log retention, export, and SIEM connector
  • Pressure-tested deprovisioning on a real user
  • Negotiated total cost across users, MFA, governance, and APIs
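Two checklist items above, mapping HR as the authoritative source and pressure-testing deprovisioning, can be checked with the same data you will have during a POC: an HR export and the IdP's SCIM /Users listing. The following is an added example, not part of this guide or any vendor's product. It reconciles the two, flags accounts that are still active after the HR end date, accounts with no HR record at all, and active employees the IdP has never seen, and builds the SCIM 2.0 PatchOp body (RFC 7644) a leaver flow sends to deactivate a user. The roster and SCIM records are constructed sample data.

```python
"""Reconcile an HR roster against IdP user state exposed over SCIM 2.0.

Added example, not from the original guide. HR_ROSTER and SCIM_USERS are
constructed sample data; the PatchOp body follows RFC 7644 section 3.5.2.
"""
from datetime import date

# Constructed HR export: the authoritative source. "terminated" with a past
# end_date means the person should no longer have an active account.
HR_ROSTER = [
    {"employee_id": "E100", "email": "ana@example.com", "status": "active", "end_date": None},
    {"employee_id": "E101", "email": "ben@example.com", "status": "terminated", "end_date": "2024-05-31"},
    {"employee_id": "E102", "email": "cy@example.com", "status": "active", "end_date": None},
]

# Constructed SCIM 2.0 ListResponse for GET /Users, trimmed to the attributes used here.
SCIM_USERS = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 3,
    "Resources": [
        {"id": "u-1", "userName": "ana@example.com", "active": True, "externalId": "E100"},
        {"id": "u-2", "userName": "ben@example.com", "active": True, "externalId": "E101"},
        {"id": "u-3", "userName": "old-contractor@example.com", "active": True},
    ],
}


def reconcile(hr_roster, scim_list, today):
    """Compare HR (authoritative) with IdP state.

    stale:    active in the IdP although HR says terminated and the end date has passed
    orphaned: active in the IdP with no HR record at all (contractors, test accounts)
    missing:  active in HR but absent from the IdP (the joiner flow is not working)
    A terminated employee whose end date is still in the future is not stale yet.
    """
    hr_by_email = {r["email"].lower(): r for r in hr_roster}
    idp_by_email = {u["userName"].lower(): u for u in scim_list["Resources"]}
    stale, orphaned = [], []
    for email, user in idp_by_email.items():
        if not user.get("active", False):
            continue
        rec = hr_by_email.get(email)
        if rec is None:
            orphaned.append(user["id"])
        elif rec["status"] == "terminated" and date.fromisoformat(rec["end_date"]) < today:
            stale.append(user["id"])
    missing = [e for e, r in hr_by_email.items()
               if r["status"] == "active" and e not in idp_by_email]
    return {"stale": sorted(stale), "orphaned": sorted(orphaned), "missing": sorted(missing)}


def deactivation_patch():
    """SCIM 2.0 PatchOp body that sets active=false; sent as PATCH /Users/{id}."""
    return {
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
        "Operations": [{"op": "replace", "path": "active", "value": False}],
    }


def deprovision_plan(findings):
    """One (user id, patch body) pair per stale account; orphans go to a human review."""
    return [(user_id, deactivation_patch()) for user_id in findings["stale"]]


def verify_deactivated(user_after_patch):
    """The POC check: after the PATCH, GET /Users/{id} must report active=false."""
    return user_after_patch.get("active") is False


def sample_report(today_iso="2024-07-01"):
    return reconcile(HR_ROSTER, SCIM_USERS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    findings = sample_report()
    print(findings)
    for user_id, patch in deprovision_plan(findings):
        print(f"PATCH /Users/{user_id}", patch)
```

In a real POC, run this against the vendor's SCIM endpoint for a genuinely terminated test user, then confirm not only that `active` flips to false but that the user's existing sessions and refresh tokens stop working; a SCIM deactivation that leaves live sessions untouched is the gap the "pressure-test deprovisioning" item is meant to catch.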

Common vendor categories

Workforce IAM suites

Okta, Microsoft Entra ID, Ping Identity, IBM Security Verify, ForgeRock, Oracle IAM. Broad coverage, deep catalogs, enterprise pricing.

SMB / IT-led platforms

JumpCloud, OneLogin. Faster to stand up, lighter governance footprint, friendlier pricing under 1,000 users.

Open source / open core

Keycloak, Zitadel, Ory. Strong fit when you have engineering capacity and want full control over runtime and data.

Implementation considerations

  • Plan a 3- to 6-month rollout: identity sync → SSO for top apps → MFA enforcement → lifecycle automation → governance.
  • Pick a clean HR source of truth before turning on provisioning — bad HR data poisons every downstream system.
  • Pilot with 1-2 friendly business units before global enforcement.
  • Document break-glass admin accounts stored offline.
  • Plan AD/LDAP coexistence; most enterprises run hybrid for 12+ months.

Pricing considerations

  • Expect per-user/per-month pricing with separate tiers for SSO, MFA, lifecycle, and governance.
  • Watch out for adaptive/risk MFA, API access management, and IGA being separate SKUs.
  • Contractor and external user pricing varies a lot; model it explicitly.
  • Enterprise deals often include implementation credits — ask.
  • Open source self-hosted is free in license but real in TCO (infra, on-call, upgrades).

Questions to ask vendors

  • What is your SLA for the authentication and management planes separately?
  • How do you handle a regional AWS/Azure outage in our primary geography?
  • Which phishing-resistant MFA factors do you support, and how is enrollment enforced?
  • Do you support SCIM 2.0 push to our top 20 apps, with which attributes?
  • How is audit data retained, exported, and streamed to a SIEM?
  • What is your data residency posture for the EU, UK, and (if applicable) FedRAMP?
  • Show me deprovisioning end-to-end on a real terminated user.
  • What is the realistic effort to migrate from our current IdP?
  • Which features are core vs add-on at our user count?
  • Show me your latest SOC 2 Type II and any recent security incident postmortems.

Common mistakes

  • Buying on brand instead of fit — enterprise suites are overkill for 300-person SaaS shops.
  • Treating MFA as a checkbox and shipping SMS as the recommended factor.
  • Not wiring HR as the authoritative source, leaving stale accounts everywhere.
  • Skipping the deprovisioning test in the POC.
  • Forgetting non-employee identities (contractors, partners, agencies).
  • Underestimating legacy app federation work.
  • No exit plan — assuming you will never switch IdPs.
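Two of the mistakes above, SMS as the de facto factor and a deprovisioning flow nobody tested, are visible in the audit stream the guide says every platform should deliver to your SIEM. The following is an added example, not part of this guide or any vendor's connector: it runs two detections over constructed IdP events (one JSON object per line, as a SIEM connector would deliver them). Field and event names are assumptions; every real IdP uses its own schema, so the parsing and the event-name constants are the part you adapt.

```python
"""Two detections over IdP audit events streamed to a SIEM.

Added example, not from the original guide. The event schema, event names and
sample lines are constructed; map them to your IdP's real fields.
"""
import json
from datetime import datetime

# Factor names treated as phishing-resistant (assumed naming).
PHISHING_RESISTANT = {"fido2", "webauthn", "passkey", "smartcard"}
LOGIN_OK = "user.login.success"
DEACTIVATE = "user.deactivate"

# Constructed sample events; IPs are from documentation ranges.
EVENTS = """\
{"ts":"2024-07-01T08:00:00Z","event":"user.login.success","user":"ana@example.com","factor":"passkey","ip":"198.51.100.10"}
{"ts":"2024-07-01T08:05:00Z","event":"user.login.success","user":"ben@example.com","factor":"sms","ip":"198.51.100.11"}
{"ts":"2024-07-01T09:00:00Z","event":"user.deactivate","user":"ben@example.com","actor":"scim-hr-connector"}
{"ts":"2024-07-01T09:30:00Z","event":"user.login.success","user":"ben@example.com","factor":"sms","ip":"203.0.113.5"}
{"ts":"2024-07-01T10:00:00Z","event":"user.login.success","user":"cy@example.com","factor":"password","ip":"198.51.100.12"}
{"ts":"2024-07-01T10:10:00Z","event":"mfa.factor.enroll","user":"cy@example.com","factor":"sms"}
"""


def parse_events(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _when(event):
    return datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))


def find_weak_factor_logins(events):
    """Successful logins without a phishing-resistant factor.

    A factor of "password" means no second factor was recorded at all, so it is
    reported alongside SMS rather than ignored.
    """
    return [(e["ts"], e["user"], e.get("factor", "none"))
            for e in events
            if e["event"] == LOGIN_OK and e.get("factor") not in PHISHING_RESISTANT]


def find_logins_after_deactivation(events):
    """Login success after a deactivate event for the same user.

    This is the signal that deprovisioning did not take effect: either the
    deactivation failed downstream or existing sessions were never revoked.
    """
    deactivated_at = {}
    findings = []
    for e in sorted(events, key=_when):
        if e["event"] == DEACTIVATE:
            deactivated_at[e["user"]] = e["ts"]
        elif e["event"] == LOGIN_OK and e["user"] in deactivated_at:
            findings.append((e["user"], deactivated_at[e["user"]], e["ts"]))
    return findings


def run(text=EVENTS):
    events = parse_events(text)
    return {
        "weak_factor_logins": find_weak_factor_logins(events),
        "logins_after_deactivation": find_logins_after_deactivation(events),
    }


if __name__ == "__main__":
    for name, hits in run().items():
        print(name)
        for hit in hits:
            print("  ", hit)
```

Both checks only work if the platform streams factor type and lifecycle events with enough retention to correlate them, which is why the observability criterion and the "how is audit data streamed to a SIEM" vendor question matter as much as the MFA feature list.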

Frequently asked questions

What is the difference between IAM, IGA, and PAM?

IAM authenticates and authorizes users into apps. IGA governs who should have what access over time (reviews, certifications, role mining). PAM specifically secures privileged accounts (admins, root, service) with vaults, session recording, and just-in-time access.

Is Microsoft Entra ID enough if we are an M365 shop?

For many M365-centric companies, Entra ID P1 or P2 covers SSO + MFA + Conditional Access at a competitive bundled cost. The trade-off is lifecycle/governance depth and non-Microsoft app coverage versus a dedicated suite like Okta or Ping.

How long does an IAM rollout take?

Realistically 3-6 months for a mid-market deployment and 9-18 months for a global enterprise replacing an incumbent. Plan in phases: directory sync, SSO, MFA, lifecycle, governance.

Open source IAM — viable or not?

Yes if you have engineering capacity to operate it. Keycloak, Zitadel, and Ory power large workloads. They cost less in license and more in operational ownership.

Should we buy IAM and IGA from the same vendor?

Single-vendor stacks reduce integration cost but can lock you in. Best-of-breed (IAM + dedicated IGA like SailPoint or Saviynt) gives deeper governance but more integration work.