The Decline of SiteMinder

Michael Schwartz September 27, 2013


Although nine vendors are listed in The Forrester Wave™: Identity And Access Management Suites, Q3 2013, the highest mark for strategy is given to Computer Associates. It's a safe choice, because SiteMinder is currently the clear leader in terms of market share. But is SiteMinder really all that great?

If you were an enterprise in the early 2000’s, you were smart to deploy SiteMinder. In the late 90’s, the Netegrity team’s pioneering work on SiteMinder offered an epic improvement on home-grown SSO approaches. However, by 2003, the product was not far from what is used today.

In a past life, I was a “buy side” equity analyst for a Wall Street firm. I followed a number of mergers involving Computer Associates. CA Management made their model clear to investors: buy mature products where customers are locked in, and no (or very little) innovation is required. Many of these deals contribute revenue long after their expected expiration date. From that perspective, the Netegrity acquisition was brilliant “strategy” (for CA…)

However, if you’re a customer of CA SiteMinder, think back to 2003… There were no iPhones, and Android would have to wait another five years to show up on the market. There were no cloud servers. Web Services meant SOAP. And the idea that Linux would replace Solaris in the enterprise seemed wildly over-optimistic. You’d think that an important enterprise security system would need an equally dramatic upgrade. Even when SiteMinder was owned by Netegrity, enhancements were slow to arrive. If there is a new SiteMinder feature you want, or a bug to be fixed, your only recourse is to wait for a patch. Expect to wait a long time. Maybe this is good — stability is good, right?

But as everyone knows, it’s hard to stand still in the tech market. Although commercial companies can get to market more quickly, these days it’s inevitable that open source software will follow. Usually it is better than the proprietary software. This is especially true for software that implements open standards and integrates with open source products like the Apache HTTPD server. As SiteMinder stood relatively still for the last decade, open source software has risen to the occasion. At this point, it’s SiteMinder that needs to do the catching up, as the model for authorization is no longer centralized… it’s federated. It’s not just one “Policy Server” for a domain that controls security for a website… websites need to check with many authorization servers. Here is a hypothetical example: a website for the Army might need to check policies for the Army, the Dept of Defense, and other autonomous organizations.

I predict SiteMinder’s market share has peaked. Of course, organizations don’t want to overpay to be locked into proprietary software once there are any other options. The market for access management has gotten more competitive. Not only are there other enterprise suites (some of which are mentioned in the Forrester report linked above), there are also SaaS identity services and open source alternatives.

More and more organizations are adopting central authentication and authorization systems. With greater demand, prices have fallen dramatically. Lower prices have brought the technology within grasp of exponentially more organizations, thus increasing the total size of the market. Soon enough, many of SiteMinder’s customers will look at the current market price for the technology, and realize they are paying far too much. It will be hard for SiteMinder to adjust without destroying their current business model.

If you have CA SiteMinder… don’t despair! You did the right thing. It’s not too hard to move off of SiteMinder. In the next blog… I will tell you how!

How to move away from CA SiteMinder to Open Source AuthN / AuthZ.

Mike Schwartz

Mike has been an entrepreneur and identity specialist for more than two decades. He is the technical and business visionary behind Gluu. Mike is an application security expert and has been a featured speaker at RSA Conference, Gartner Catalyst, Cloud Identity Summit (now "Identiverse") and many other security conferences around the world.

