One Identity

Identity/IAM, PAM
Best for: Mid-market to large enterprises wanting IGA and PAM from a single vendor with strong AD management
Pricing: Contact for pricing

What One Identity actually does

One Identity is a Quest Software division offering three main product lines. Identity Manager is an IGA platform handling access requests, certifications, role management, and provisioning. It connects to SAP, Active Directory, cloud apps, and custom systems to govern who gets access to what.

Safeguard is the PAM suite — Safeguard for Privileged Passwords (vault), Safeguard for Privileged Sessions (recording and monitoring), and Safeguard for Privileged Analytics (behavior analysis). It covers the core PAM use case without the complexity of CyberArk.

Active Roles is an AD management and migration tool that simplifies identity administration in complex AD environments. KACE Systems Management handles endpoint management. OneLogin (acquired in 2021) provides SSO and MFA, rounding out the identity platform from access management to governance.

Who it’s best for

  • Mid-market organizations looking for IGA and PAM without buying two separate platforms
  • Enterprises with complex Active Directory environments needing advanced AD management
  • SAP-heavy organizations needing deep SAP identity governance integration
  • Teams evaluating SailPoint or CyberArk but finding the cost or complexity prohibitive
  • Organizations in the Quest/Dell ecosystem already using other Quest products

Pricing reality check

One Identity typically comes in 30-50% below SailPoint for IGA and below CyberArk for PAM. Licensing varies by product — Identity Manager is per-managed-identity, Safeguard is per-privileged-user, Active Roles is per-managed-object. Bundled pricing is available when buying multiple products.

Implementation costs are lower than SailPoint but still significant for Identity Manager. Expect 4-12 months for a full IGA deployment depending on scope. Safeguard deployments are faster — 4-8 weeks for basic vault and session management. The integration between Identity Manager and Safeguard exists but isn’t as seamless as you’d hope from a single vendor.

Alternatives to consider

  • SailPoint — The IGA market leader. Deeper governance features, larger ecosystem, higher cost.
  • CyberArk — PAM market leader. Deeper vault and secrets management. Significantly more expensive.
  • Delinea — Simpler PAM. Faster deployment. No IGA offering.
  • Saviynt — Cloud-native IGA with PAM capabilities. Stronger in cloud environments.

The Charting Cyber take

One Identity makes sense when you need both IGA and PAM and don’t want to manage two separate vendor relationships. The individual products are competent — not market-leading, but capable and more affordable than the category leaders.

The honest limitation is that One Identity tries to be many things. Identity Manager competes with SailPoint but has a smaller integration catalog. Safeguard competes with CyberArk but has less depth. If IGA is your primary concern, evaluate SailPoint and Saviynt first. If PAM is the priority, look at CyberArk and Delinea. One Identity wins when “good enough at both, from one vendor, at a lower price” is the buying criterion — and that’s a perfectly valid strategy for many organizations.