Ping, ForgeRock, Thoma Bravo, the power of open source, and the madness of IAM
Be careful what you do lest you be asked to undo it. - anonymous
Ping, ForgeRock, Thoma Bravo, the power of open source, and the madness of IAM
Nineteen years ago this week, I nearly joined Ping Identity.
Instead, I joined Sun Microsystems.
It’s funny how things turn out.
But I’m getting ahead of myself.
Summer 2004
In the summer of 2004, CriticalPath was two companies: a failed email hosting service and a modestly successful identity management business. Years earlier, the company imploded after the SEC caught the criminals running the company cooking the books. A steady run of office closures and layoffs followed.
I survived eight rounds of cuts over three and a half years, presumably because I was the product manager in the identity management business that made money by selling actual products to real customers. But the handwriting was on the wall, and I was hunting for a new job.
Ping Identity was still in its infancy, having secured a Series A in April. CEO Andre Durand was growing the company and expanding the business. A chance encounter at the Burton Group’s annual Catalyst conference in July connected me to Andre. We discussed a product management role, and I was ready to move by the end of August.
Ping is headquartered in Denver, and taking the role meant relocating from the Bay Area. A few nights before heading from San Francisco to Denver to finalize the agreement and search for accommodations, I learned I was going to be a dad. After much deliberation and soul searching, we decided to stay in the Bay Area close to family and friends. Andre understandably wanted his PM for his young company at HQ in Denver, so the deal was off.
Within days, I received an email from a Sun Microsystems recruiter asking if I was interested in a product manager role. Sun’s identity business was on fire, led by the ex-Waveset executive team (Sun acquired Waveset in late 2003,) and I wanted to be a part of the ride.
Summer 2005
I joined Sun in January 2005.
From the get-go, I felt involved in some delicious subversion. Here was a company employing people with titles like “Director of Voodoo Sciences” and openly promoting open source as the future of software. Plans were underway to open source the Solaris operating system and the Glassfish J2EE application server. People worked hard on the CDDL license those projects (and others) would eventually use.
In that environment, the identity exec team handed me the opportunity to take the biggest risk of my career: transform a commercially successful enterprise product by open-sourcing it wholesale. Just give it away for free, forever. At Sun, this didn’t seem like a risky decision.
Sun released the OpenSolaris, Glassfish, and OpenDS projects in June, and it smelled like victory.
At the Burton Group’s Catalyst Conference in July, we released OpenSSO like a clap of rolling thunder.
Those six months felt like six years. My daughter was born in May, and decided sleeping through the night was a luxury our family could not afford. For the last two months of the project, I clocked maybe two consecutive hours of sleep a night. Twice, I fell asleep in my car in the parking lot of building 14 on Sun’s Santa Clara campus.
Meanwhile, Sun wasn’t in great shape. CEO Jonathan Schwartz held an infamous all-hands meeting where he recounted the story of a customer who left Dell servers sitting on his loading dock while desperately, and ultimately unsuccessfully, trying to buy Sun servers. The identity product team did sales training, where it became apparent the sales organization’s compensation model was at odds with our go-to-market model. A regional vice president implied the sales team would never sell our products: “I have a $120M bag this quarter, and you’ve got a product that will take me nine months to retire $500k of quota. No thanks.”
We talked deliberately about what open source meant: resilience against the vagaries of a cruel economy. Some openly admitted that should things at Sun not work out, they would just take the source code and start a company.
What happened next was not an accident.
Spring 2009 - Spring 2010
I left Sun for Oracle in late 2006 after it became evident that Sun’s software business, indeed all of Sun, was struggling. Sun was committed to hardware and the Solaris operating system; everything else–especially the enterprise software business–was an afterthought.
Oracle made a series of acquisitions to bolster its position in the identity management space. Joining the company presented a unique opportunity to build products, buy companies, and create a portfolio that could dominate a market. It was a different kind of rocket ship where you operated with almost no autonomy somewhere along the company’s tyrannical, top-down, unified chain of command. But it was a rocket ship nonetheless. We experienced hang-on-for-dear-life growth.
In April 2009, Oracle announced its intent to acquire Sun in an all-cash deal. Following a drama where regulators in the US and Europe were clearly pressured into approval (any fool could see the deal was objectively anti-competitive), the deal closed in January 2010.
Observers wouldn’t call the acquisition a success. Oracle paid $7.4B for a software business it didn’t want and a hardware business it didn’t know what to do with in exchange for control of Java and MySQL’s growing market share.
Instead, what the acquisition demonstrated was the power of open source.
Key people left as fast as possible, taking their software with them and giving King Larry the proverbial finger.
OpenSolaris survived as OpenIndiana, Hudson as Jenkins, and MySQL as MariaDB. J2EE and Glassfish survived via Jakarta EE.
OpenSSO survived as OpenAM, and OpenDS survived as OpenDJ, becoming the core products of the newly founded ForgeRock.
Because you can’t keep a good (open source) product down, OpenDS also survived as the core technology of UnboundID’s directory platform. (UnboundID was formed in 2007, before the Oracle acquisition, after Sun inexplicably laid off the US-based directory team.)
Had they not been open source, many of Sun’s software products would have landed in the dustbin.
There is no product school to teach you what to do when an acquisition lands two perfectly overlapped product portfolios in your lap. In the case of the two identity management businesses, we went through a “keep-kill” exercise. Each company sold a directory, single sign-on and federation, and identity administration products. Oracle already had three SSO products, two directories, a directory proxy, and a virtual directory by the time of the Sun acquisition.
The first, most obvious, and undeniably terrifying decision you have to make is which customer base to alienate. Oracle’s executive leadership assigned us the task of evaluating our options and proposing a product strategy and roadmap. Keep the Oracle products? Keep the Sun products? Devise some amazing combination of products that crushes all enemies and doubles your market share!
Yeah, right.
I knew I had to choose Oracle Access Manager and Oracle Identity Federation. When we met, I told the Sun team as gently as I could, “Your products are going away. But, hey, there’s OpenSSO and OpenDS.”
Our prize for choosing Oracle software to anchor our product strategy was a roadshow. Travel the world, meet interesting people, and tell them Oracle was retiring the products they’d spent millions on and built their identity processes around.
Oracle makes no room for acts of subversion.
Time passes…
Meanwhile, the ForgeRock team built an impressive company around open source products, raising hundreds of millions in financing and gathering thousands of customers on the way to a September 2021 IPO.
UnboundID also built an impressive company, quickly building a solid customer base and excellent product, prompting Ping to buy them in 2016.
The Waveset team had been reluctant to open source the identity admin and provisioning product, and Lighthouse didn’t survive Oracle’s absorption of Sun despite being the superior product. However, the Waveset team had another plan: founding Sailpoint and building an even better product version.
Private equity firm Thoma Bravo woke to the potential of big returns from IAM in 2022. They spent $12B to buy Sailpoint, Ping, and ForgeRock, a figure barely the total value of the 2023 identity market. Their investment thesis seems… shaky. The identity landscape is fragmented by emerging product categories and dotted with dozens of companies bruising one another for a slice of the pie.
Last week, Thoma Bravo completed its acquisition of ForgeRock and announced intentions to merge the company with Ping Identity.
Regulators full of bark and still lacking bite almost twenty years later approved the deal over obvious anti-competitive concerns. (I wonder if another WikiLeaks smoking gun is lurking out there?)
Thoma Bravo wasn’t a company in 2005, so they weren’t around for the Sun-Oracle drama. They have, perhaps unwittingly, created the same conditions we faced. Sun’s product legacy lies scattered across Thoma Bravo’s newly acquired companies. They’ve battled head-to-head in the market for years now. Ping’s and ForgeRock’s product portfolios overlap, and there is no place in a combined company for two identical sets of products.
I’ve sat in that chair and sympathize with the people making those difficult choices. Sadly, ForgeRock stepped away from its commitment to open source over the past few years. I fear the risk I took in 2005 won’t pay off a second time. Still, $2.3B ain’t bad.
While I have a soft spot for ForgeRock and its products, I am rooting for the same people I was the last time: the customers. Identity management is hard, and those customers invest heavily to make a solution work for their company. The product deployments are deep and hard to unwind.
Through no fault of their own, those customers face some tough choices.
What alternatives emerge this time?
Hi Eric, I just came across this article, and even though I've been involved with this story for a while, it's nice to gain some insider context. Thanks!
Since our IAM solutions relied on these open-source products, these turbulences caused us some headaches. However, because we strongly believe in the principles of open source, we founded the Wren Security initiative to preserve the legacy, see https://wrensecurity.org/. Hopefully, this could be one of the alternatives worth considering. Thanks again, Ondrej.
Fantastic story. Great insights. One thing though: “and those customers invest heavily to make a solution work for their company”. I don’t think anyone ever bought a solution. The customers bought a tool. A tool they invest in heavily to turn into solution. If there’s one thing my last 23 years in the IAM business have taught me, it’s that there are no of the shelf solutions. It’s how you use the tools you buy. Combined with a talented group of colleagues, best practices and common sense.
Other than that, fantastic insight in the world of takeovers. Thank you!