ForgeRock's IPO, Identity Crisis, and Path Forward

ForgeRock had a long and arduous journey toward its IPO: 11 years, $233.7 million in funding, and three CEOs. This is a deeper look at ForgeRock's path to IPO and post-IPO trajectory.
ForgeRock's IPO, Identity Crisis, and Path Forward

ForgeRock ($FORG), an identity and access management startup, IPO'd on Thursday, September 16, 2021. The IPO occurred quickly (ForgeRock's S-1 was filed on August 23, 2021) amid relatively low fanfare among public investors and within the cybersecurity industry. The stock did well in early trading, up 44% after its first day.

History will likely consider this a good, but not great, exit for the 11 year old company. ForgeRock IPO'd at a ~$2 billion valuation. It raised $233.7 million in venture capital funding across five rounds. The return for investors is roughly 8x.

The company's road to an IPO has been a long and arduous one. Living in the shadow of Okta, a decacorn and pioneer of pure SaaS businesses, is a difficult existence. Life won't get any easier for ForgeRock a public company in a competitive access management market.

The story of ForgeRock boils down to its growth prospects, late entry into the cloud identity market, and reliance on third party partnerships for growth.

Revenue, Growth, and Metrics

S-1 filings are usually interesting because they disclose details of a non-public company's financials for the first time. ForgeRock's S-1 filing was no exception — they had provided little financial transparency other than periodic disclosures of revenue in the past two years.

Coincidentally, the timing of ForgeRock's S-1 filing and Okta's Q2 earnings release, which I covered in detail last week, make for an interesting point-in-time comparison. Okta's disclosure of Auth0's financials for the first time adds an additional dimension to the mix.

The punch line is this: Okta has significantly outperformed ForgeRock financially in the decade since the companies were founded. Okta started in January 2009. ForgeRock was founded in February 2010. This 13 month difference inextricably links the companies and their financial performance, particularly since they are competing in the same market.

Auth0 has matched or outperformed ForgeRock on several financial metrics despite being founded in early 2013, roughly three years after ForgeRock. Its $6.5 billion valuation at the time of acquisition was a substantially greater exit than ForgeRock's ~$2 billion IPO. Current growth metrics also have Auth0 on a much higher trajectory than ForgeRock going forward.

A comparison of core financial metrics says a lot about the historical performance and growth trajectory of each company. It's difficult to do a direct comparison since many numbers are opaque or based on forecasts. However, a few interesting comparisons are:

  • Revenue: ForgeRock is slightly smaller than Auth0 in terms of revenue. Okta is a significantly larger company than both with nearly 6x greater revenue. [1]

  • Revenue Growth: ForgeRock's revenue growth is good but inconsistent. This is attributable to many nuanced factors that markets ultimately don't care about. Okta's 50% growth rate is staggering, especially because its revenue is already ~6x higher than ForgeRock. [2]

  • Customer Retention: ForgeRock's customer retention is good, but still 14% lower than Auth0 and 9% lower than Okta. This number factors in both customer retention and growth, so it's not necessarily surprising for Auth0 and Okta to have a higher NRR given their strong growth rates. [3]

  • Large Customers: Despite ForgeRock's reputation as an enterprise identity company, Okta has over 6x more large customers. Auth0 is typically regarded as a bottoms-up company with minimal enterprise sales effort. Their count of large customers is slightly more than ForgeRock. [4]

  • Net Losses: All three companies are losing a decent amount of money. However, ForgeRock is currently losing nearly as much money as Okta, a larger company with a larger growth rate. [5]

To be fair, Okta and Auth0 are anomalies in the broader SaaS market. Unfortunately for ForgeRock, sharing an industry with them is tough — metaphorically similar to growing up in a family with a sibling who is an Olympian and another who is an esteemed neuroscientist.

ForgeRock has done a commendable job building itself into a strong performer and carving out a place in the broader identity and access management market. An IPO is a major accomplishment no matter the circumstances. The addition of another standalone cybersecurity company in public markets is a major win for the industry. The comparisons between ForgeRock and Okta are inescapable, though — and have likely become too substantial to overcome barring a major stumble by Okta.

ForgeRock's Identity Crisis

Even with the achievement of an IPO, ForgeRock faces an identity crisis that has been lingering for years. In short, the company is in a position of being all things to all customers in the identity market. Cloud or on-premise? Sure. Workforce or customers? Yep, we do that. Open or closed source? Yeah, about that... ForgeRock's products are the metaphorical kitchen sink of the identity and access management industry — a tool for everything, but not a clear leader of anything yet.

To understand the nature of the problem, we need to rewind back to the origins of the company and its open source technology platform. ForgeRock's core product, Access Management, is based on OpenSSO, an open source project released by Sun Microsystems in late 2008. ForgeRock's origin as a company occurred because Oracle ended support for OpenSSO in February 2010 after acquiring Sun:

OpenSSO Express has been removed for download from Oracle's website, leaving users of the community version of what was Sun's single sign-on platform to either, build their own version from source code, or to go to a third party. Norwegian company ForgeRock has stepped in and released OpenAM, based on OpenSSO source code.

ForgeRock's Directory Services platform is also based on an open source project from Sun. The company's other core products were developed internally and not based on Sun products.

The confusion starts with ForgeRock's status as an open vs. closed source company. ForgeRock was firmly an open source company from the start, making the following declaration on their original website back in February 2010:

“We will work and contribute in the Open Source Community as 1st class citizen.” Lasse Andresen, CEO, ForgeRock

Six years later, ForgeRock silently separated open source and commercial development. The current model for open source is Community Editions, essentially end-of-life versions of prior open source projects maintained by ForgeRock. Community Editions include the four core products: Access Management, Identity Management, Directory Services, and Identity Gateway. Recently developed products like Identity Governance and Autonomous Identity are not currently available.

Beginning as a company built from open source and pivoting to essentially a closed source platform is a curious turn of events. It's also a move typically frowned upon by the open source community. A majority of ForgeRock's customers are large enterprises. These organizations aren't the type to run unsupported open source software — they're paying for licenses and support.

The most logical explanation I can think of is that ForgeRock's continued investment in product development and new product launches over more than a decade finally reached a tipping point. The company may have believed their contributions were more valuable than the original open source code and contributions made by the open source community. A viewpoint like this would make it easier to rationalize a change to proprietary development and an (essentially) closed source licensing model.

The next point of confusion is about ForgeRock's target market. The company has marketed itself as a leader in Customer Identity (CIAM) for most of its existence. Based on revenue, this CIAM is a market Okta now leads by a wide margin. I covered this last week when analyzing Okta's Q2 results:

Finally, McKinnon mentioned a state many people in the industry aren't aware of. Okta has the largest CIAM revenue of any company in the industry:

"We talked about 30 -- about 33% of our ACV, roughly about $1 billion of ACV, it's $330 million roughly. And that's the biggest CIAM vendor by far. It's not even close if you look at the other competitors. It's hard to tease apart some of the platform guys, but the point competitors is not even close."

By comparison, the total annual recurring revenue for Ping Identity and ForgeRock are $279.6 million and $155 million, respectively. Revenue for both companies includes a mix of workforce and customer identity. Okta's CIAM revenue alone is at least $50m larger than its close competitors. Okta is leading the CIAM market, but the competition in this emerging market is far from over.

The first CIAM-related marketing content appeared on its website in 2013, then known as "identity relationship management." Despite the marketing and sales focus on CIAM, future product development continued to reflect the needs of both the workforce and customer markets. ForgeRock's newest major products, Identity Governance and Autonomous Identity, are almost exclusively workforce-focused products.

This is exactly the problem: customer identity and workforce identity are distinctly different markets with different needs. It's challenging but possible to offer products for both markets (as Okta does). This strategy comes at the risk of diluting the products and features for both markets. In ForgeRock's case, the Identity Management and Identity Governance products are both examples of this limitation. Neither product is as mature as SailPoint, a company who focused specifically on workforce identity management. ForgeRock may resolve this problem over time as the products mature; however, they need to be the market leader in something if they're going to be successful as a public company.

The final point of confusion is around ForgeRock's identity as a SaaS company. Despite statements in the S-1 filing about being a "next-generation cloud identity company," ForgeRock is a new entrant into that specific market. The initial version of its Identity Cloud Platform was launched in November 2019, a decade after Okta's debut as a cloud identity product and two years after Okta's IPO. The "enterprise-grade" SaaS offering debuted in September 2020.

This confusion plays out from a technical perspective in ForgeRock's S-1 filing:

Our differentiated SaaS architecture facilitates strong customer data protection and high performance. Our proprietary tenant isolation approach is designed to enhance individual customers’ data security and sovereignty. We have improved upon a typical multi-tenant SaaS architecture by never commingling customer data with each other.

The S-1 mentions tenant isolation multiple times and highlights several benefits — all valid ones. It glosses over an important nuance, though: ForgeRock essentially had no other choice but to use this tenant isolation approach. ForgeRock's technology was built for on-premise deployments. Re-architecting the platform to function as a true multi-tenant SaaS application is a serious and expensive undertaking.

Put differently, ForgeRock's SaaS model is "we will deploy an instance of ForgeRock and host it for you instead of you hosting it yourself." The product you get from ForgeRock's Identity Cloud is exactly what you'd get if you hosted the product in your own data center or private cloud. There are advantages to isolating tenants, especially at enterprise scale. However, it's relevant to note this architectural decision wasn't intentional — it was a consequence of moving their on-premise applications to the cloud.

ForgeRock's S-1 filing did not disclose the breakdown in revenue between cloud vs. on-premise subscription revenue, so it's hard to get an accurate picture about the success of the cloud platform. The timing alone is telling: to launch a SaaS offering over a decade after a large competitor and one year before an IPO is conspicuously late in the game. ForgeRock didn't necessarily want to be in the cloud identity business, but the competitive landscape and shifting technology trends gave them no other choice.

Reliance on Third Parties

ForgeRock's business has a unique trait: the company is reliant on third parties (partners, alliances, distributors, etc.) to sell their product. The company does have a large sales and marketing team; however, many of its large enterprise deals get done with the help of partners.

Partnerships and alliances are so important to their business that it was highlighted as a key driver of growth in the S-1:

Partner and alliance leverage. Continue to capitalize on key strategic partnerships and alliances, such as our alliances with global system integrators, or GSIs, including Accenture, Deloitte, and PwC, to win new business.

CEO Fran Rosch shared additional details about the trend of revenue growth driven by third parties while debriefing on Thursday's IPO:

ForgeRock boosted its share of new annual recurring revenue (ARR) sourced through leads originating from channel partners from just 15 percent in 2018 to 31 percent in 2019 and 44 percent in 2020. The company has capitalized on the engagement SIs like Accenture, Deloitte and PwC have with large enterprises early in the procurement process as part of their digital transformation projects, he said.

Global System Integrator (GSI) partnerships are the unspoken driver of ForgeRock's success. Large GSIs have supported ForgeRock for years because the product is primarily deployed on-premise and requires consulting hours to implement. This isn't the case with other pure cloud identity platforms like Okta.

An upward trend in leads originating from channel partners isn't necessarily a good thing. Yes, it drives pipeline and revenue growth. However, it also creates reliance and reduces the company's ability to drive revenue growth on its own. In a perfect world, a majority of ForgeRock's growth would be driven by its own sales teams and marketing efforts. That's not the case here at all. Worse, the consequences of reversing the trend of partner reliance without a plan for independently driving sales is a bad situation.

The reliance is somewhat mutual — GSIs sell consulting services, and revenue is higher for complex, on-premise implementations. The mutual reliance is important enough that Accenture Ventures invested in ForgeRock's most recent Series E round and serves as a formal advisor to ForgeRock's board. ForgeRock needs GSIs to grow, and GSIs need ForgeRock to win large system implementation projects. However, GSIs are far more diversified and resilient in terms of projects and vendor relationships. ForgeRock needs GSIs more than GSIs need ForgeRock.

ForgeRock's own professional services business is immaterial: $4.26 million in annual revenue (just 3.3% of total revenue) at the end of the company's 2020 fiscal year. The company talked about expanding its services business in the S-1; however, the focus appears to be on customer success and not full-scale implementation projects.

Large consulting firms are massively influential in the enterprise software market. ForgeRock's success in partnering with them years ago as a startup was quite possibly one of the main reasons they reached an IPO. However, partner relationships are fickle. The tides can change quickly. Seemingly overnight, partners move on to the next big thing, and sales pipelines dry up.

ForgeRock understands this risk and clearly stated it in the S-1:

We also may not achieve anticipated revenue growth from our partners if we are unable to attract and retain additional motivated partners, if any existing or future partners fail to successfully market, resell, implement or support our platform or offerings for their customers, or if they represent multiple providers and devote greater resources to market, resell, implement and support the products and solutions of other providers. For example, some of our partners also sell or provide integration and administration services for our competitors’ products, and if such partners devote greater resources to marketing, reselling and supporting competing products, our business, financial condition, and results of operations could be adversely affected.

At this point, ForgeRock is essentially locked into its parter-driven distribution model. Put differently, much of their future growth is beholden to others. The company doesn't have many options other than to accept the risk and try to keep its partners happy and engaged. Top-down sales models work — they're just more complicated and tumultuous when powerful third parties are involved.

ForgeRock's Future as a Public Company

After the glory of an IPO wears off, reality as a public company sets in. ForgeRock has a place as a public company in the competitive identity and access management market. The question is whether its financial performance can meet the expectations of investors.

There will be a customer base of large enterprises for the foreseeable future. Some companies can't, or simply won't, move to cloud identity providers. Ironically, this might be ForgeRock's biggest competitive advantage: being the "anti-SaaS" platform. Despite its late push to enter the cloud identity market, maintaining the option of on-premise deployments gives ForgeRock an advantage over pure SaaS products like Okta and Auth0. This advantage only holds in scenarios where customers demand an on-premise implementation, but it's an advantage nonetheless.

Now on its third CEO, ForgeRock is competing against founder-led companies who are have the potential to become generationally great companies — some of the best SaaS companies of our time. Exponential growth is unforgiving, and the multipliers aren't on ForgeRock's side. Its growth numbers are still good, though, and they have a chance to be a reliable performer as a public company if they can maintain these growth rates for an extended run.

If ForgeRock stumbles as a public company, especially if growth lingers, I wouldn't be surprised to see the company taken private by a private equity fund. It's equally possible that the market is large enough to support the value ForgeRock brings. For now, an IPO is a meaningful milestone that's worth celebrating as an industry.

  1. ForgeRock's revenue for the most recent six months was $84.8 million, roughly $170 million if applied to a full year. Auth0's Q2 revenue was $38 million with a projection of $200 million for the current fiscal year. Okta's projected annual revenue is $1.05 billion, excluding the projected $200 million for Auth0. ↩︎

  2. ForgeRock's revenue grew by 53.2% in the most recent six months; however, growth for the last full fiscal year was 22.1%. Auth0's revenue growth wasn't reported, but Annual Contract Value (ACV) growth was 63% in Q2. Okta is projecting 50% revenue growth for its full fiscal year. ↩︎

  3. ForgeRock's Net Retention Rate (NRR) for the most recent six months was 113% and consistently in that range for the past two years. Auth0 and Okta had a NRR of 127% and 122% in Q2. ↩︎

  4. ForgeRock had 353 large customers (customers with greater than $100,000 annual revenue) as of June 30, 2021. Auth0 had 375 large customers as of Q2. Okta had 2,225 (excluding Auth0) as of Q2. ↩︎

  5. ForgeRock's net loss was $73.3 million for the most recent six months, a significant improvement over the prior period. Auth0's net loss was $150 million, which was abnormally high because it included several one-time expenses related to the acquisition. Okta is projecting losses of up to $119 million for their current fiscal year. ↩︎

Disclosure: While at PwC, I worked on a team that established a Joint Business Relationship (JBR) between ForgeRock and PwC. Aside from a general familiarity with ForgeRock's business, the information used for this article was researched from publicly available sources (primarily ForgeRock's S-1 filing).
You’ve successfully signed up.
Welcome back! You've successfully signed in.
You've successfully subscribed to Strategy of Security.
Your link has expired.
Success! Check your email for magic link to sign-in.
Success! Your billing info has been updated.
Your billing was not updated.