NetIQ federation depth
Two decades of regulated-IAM deployment. SAML 2.0, OAuth 2.0, OIDC, WS-Federation, and long-tail federation protocols. Cloud-native IAM often skips the long tail.
OpenText • Identity and access management
OpenText Access Manager
OpenText Access Manager carries the NetIQ Access Manager lineage with SSO, federation, web access management, and modern authentication for regulated and on-prem-heavy enterprises that have not migrated workforce identity to cloud-only options.
When Merito stands up Access Manager, the engagement covers federation policy across SAML, OAuth, OIDC, and the long-tail protocols regulated environments still use, with NetIQ Identity Manager pairing for provisioning and the rest of the OpenText IAM line wired in alongside.
- Best for
- Identity architects running federation across SAML, OAuth, and OIDC, IAM leaders modernizing legacy NetIQ Access Manager, Workforce identity architects in regulated and on-prem-heavy environments
- Hosting
- Hybrid
- Time to value
- First federation flow live in two to four weeks. Modern authentication and OpenText IAM integration in four to eight weeks. Enterprise rollout typically runs three to nine months.
- Security posture
- GDPR, HIPAA-aligned design, PCI DSS-aligned design
- Last reviewed
- 2026-04-26
What it is
OpenText Access Manager in the enterprise stack
OpenText Access Manager carries the NetIQ Access Manager lineage. NetIQ has been the regulated-industry IAM platform for two decades, with substantial deployment in financial services, government, defense, and healthcare. Access Manager covers SSO, federation (SAML, OAuth, OIDC), web access management, and modern authentication. The 2024-2025 rebrand from NetIQ to OpenText is cosmetic at the engine level.
Federation depth is the historical strength. Access Manager supports SAML 2.0, OAuth 2.0, OpenID Connect, WS-Federation, and a long tail of federation protocols regulated environments still use. Programs running heterogeneous SSO landscapes (legacy SAML providers alongside modern OIDC, SOAP-shaped web services alongside REST APIs) get one federation layer that handles all of them. Cloud-native IAM products often skip the long-tail protocols and force the program to migrate every consumer.
On-prem and hybrid operational shape is the second strength. Programs subject to data sovereignty, regulated workforce identity, or air-gap constraints run Access Manager on-premises while consuming cloud SSO as needed for SaaS apps. Cloud-only IAM (Okta, Microsoft Entra) is competitive on cloud-native programs but does not always fit regulated environments. Programs picking Access Manager are usually picking the regulated and on-prem operational shape, not generic SSO.
What derails Access Manager adoption is treating it as a generic SSO replacement. Access Manager is operationally substantial: federation policy, integration with NetIQ Identity Manager for provisioning, integration with Privileged Access Manager for elevated access, and on-prem operational discipline all require sustained investment. Programs that adopt Access Manager without operational discipline find the platform underused. Merito's engagement designs the operating model alongside the deployment, and Managed Services run it long-term for programs that want OpenText engineering without internal headcount.
Ideal use cases
- Workforce SSO and federation across heterogeneous protocols
- Regulated workforce identity in financial services, government, defense, healthcare
- On-prem and hybrid IAM where cloud-only is ruled out
- Modern authentication (FIDO2, passwordless) on regulated workforce
- NetIQ Access Manager modernization and version upgrades
What it is best at
Where OpenText Access Manager earns its seat
On-prem and hybrid operational shape
Programs subject to data sovereignty, regulated workforce identity, or air-gap constraints get an IAM that fits. Cloud-only IAM is not always an option.
Native pairing with NetIQ Identity Manager
Provisioning from Identity Manager flows into Access Manager federation policy. Programs running both get coordinated identity and access.
Modern authentication (FIDO2, passwordless)
Passwordless and FIDO2 support paired with Advanced Authentication for risk-based MFA across workforce, customer, and privileged users.
Regulated compliance posture
FedRAMP-aligned editions where applicable, FIPS 140-2/3 cryptographic modules, audit-ready evidence for regulated workforce identity mandates.
Core capabilities
OpenText Access Manager capabilities, grouped by outcome
Federation and SSO
Where Access Manager does the work across heterogeneous identity protocols.
SAML 2.0 federation
SAML 2.0 IdP and SP roles for workforce SSO across SaaS and internal applications.
OAuth 2.0 and OIDC
OAuth 2.0 authorization server and OpenID Connect provider for modern API and SaaS integration.
Long-tail federation protocols
WS-Federation, WS-Trust, Kerberos, and legacy federation protocols regulated programs still use.
Web access management
Web reverse-proxy and policy-driven web access management for legacy applications.
Modern authentication
Passwordless and risk-based authentication on regulated workforce.
FIDO2 and passwordless
FIDO2 webauthn and passwordless authentication for workforce SSO.
Advanced Authentication integration
Native pairing with OpenText Advanced Authentication for risk-based MFA and adaptive authentication.
Step-up authentication
Risk-based step-up authentication on sensitive operations.
Operations and integration
Access Manager inside the OpenText IAM line.
Identity Manager integration
NetIQ Identity Manager provisioning flows into Access Manager federation policy.
Privileged Access Manager pairing
Privileged identity flows through Access Manager for SSO into PAM-managed elevated sessions.
Identity Governance integration
Access reviews and SOD enforcement applied to Access Manager-managed entitlements.
Compliance reporting
Audit-ready evidence for SOX, HIPAA, PCI DSS, and regulated workforce identity mandates.
Where it fits in the stack
How OpenText Access Manager connects to the rest of your landscape
OpenText IAM line (native)
Native- OpenText Identity ManagerProvisioning into Access Manager federation policy.
- OpenText Privileged Access ManagerPrivileged identity SSO into PAM-managed sessions.
- OpenText Identity GovernanceAccess reviews and SOD enforcement on Access Manager entitlements.
- OpenText Advanced AuthenticationRisk-based MFA and adaptive authentication for SSO flows.
- OpenText Core Identity FoundationModernization path to SaaS IAM bundle.
Identity protocol ecosystems (certified)
Certified- Active Directory, Azure AD/Entra ID, NetIQ eDirectory, LDAPDirectory-source integration for identity store backing.
- SAML 2.0, OAuth 2.0, OIDC, WS-FederationFederation protocol coverage.
- Kerberos, WS-TrustLegacy federation protocols where regulated environments still use them.
- ServiceNow, Workday, Salesforce, M365Major SaaS application SSO integration.
Custom integrations
Custom- Internal applications and proprietary identity storesCustom integration for non-standard applications and identity stores.
- Legacy web applicationsWeb reverse-proxy and policy-driven access management for legacy applications.
- Federal and sovereign-cloud identityFedRAMP-aligned federation and sovereign-cloud workforce identity.
Deployment and implementation
How it rolls out
- Hosting
- Hybrid (North America, EMEA, APJ)
- Implementation complexity
- High
- Typical time to value
- First federation flow live in two to four weeks. Modern authentication and OpenText IAM integration in four to eight weeks. Enterprise rollout typically runs three to nine months.
- Prerequisites
- Existing identity store inventory (AD, LDAP, NetIQ eDirectory)
- Application landscape requiring SSO and federation
- Named identity architect and IAM owner
- Federation-protocol scope (SAML, OAuth, OIDC, legacy)
- Operating-model decision (in-house vs. partner-managed)
- What Merito usually handles
- OpenText Access Manager runs on-prem, hybrid, or BYOC. Merito handles infrastructure design, deployment, federation policy, OpenText IAM line integration, and operating-model design.
Licensing and packaging
How it is bought
- Model
- Subscription
- What to expect
- OpenText Access Manager is licensed by user count, deployment shape (on-prem, hybrid, BYOC), and edition. Pricing depends on coverage breadth and federation scope. License acquisition flows through Merito; the federation and SSO program scopes under a separate engagement.
- Editions and modules
Access Manager on-prem
On-prem deployment for regulated and sovereign workforce identity.
Best for: Regulated programs that cannot adopt cloud-only IAM.
Access Manager hybrid
On-prem with cloud federation extensions for SaaS apps.
Best for: Programs running mixed cloud and on-prem workforce identity.
Access Manager Government Cloud
FedRAMP-aligned editions for federal and government workforce identity.
Best for: Federal programs requiring FedRAMP-aligned IAM.
- Common expansion areas
- Add Identity Manager for identity lifecycle and provisioning
- Add Privileged Access Manager for privileged identity
- Add Identity Governance for access reviews and SOD
- Add Advanced Authentication for risk-based MFA
- Plan modernization path to Core Identity Foundation when constraints relax
Merito services
How Merito helps you win with OpenText Access Manager
Merito sells licenses and the delivery work around them. Pick the service that matches where you are in the lifecycle.
01
Access Manager Implementation
Infrastructure design, deployment, federation policy, OpenText IAM line integration, operating-model design.
Explore service02Upgrade and Migration
NetIQ Access Manager version upgrades and modernization path to Core Identity Foundation where applicable.
Explore service03MAPS Assessment
IAM program scoping for Access Manager alongside Okta, Microsoft Entra, PingFederate, and ForgeRock.
Explore service04DevOps Consulting
Application SSO integration, federation policy authoring, and identity-pipeline design.
Explore service05Premium Support
Named engineer, priority SLAs, and release-time coverage for Access Manager.
Explore service06Managed Services
Long-term partner-managed run for programs that want OpenText engineering without internal headcount.
Explore service07Training and Enablement
Role-based training for identity architects, IAM operators, and compliance leads.
Explore service08Staff Augmentation
Merito-placed identity engineers and OpenText specialists embedded on long-running programs.
Explore serviceOpenText Access Manager licensing
License Access Manager. Author the federation policy. Same engagement.
Access Manager pricing arrives with infrastructure design, federation policy, OpenText IAM line integration, and operating-model design that turn 20 years of NetIQ workforce-identity depth into a sustained capability rather than a static deployment.
Merito point of view
Okta is dominant in cloud-native enterprises. NetIQ Access Manager is the right answer when cloud-only does not fit.
Merito has scoped IAM modernizations where Okta or Microsoft Entra is exactly the right answer (cloud-native enterprises with modern application landscapes) and others where NetIQ Access Manager remains the right answer (regulated programs subject to data sovereignty, on-prem operational constraints, or air-gap requirements). Programs picking OpenText Access Manager are usually picking the regulated and on-prem operational shape, not generic SSO.
Merito recommends OpenText Access Manager specifically for programs already running NetIQ, modernizing legacy NetIQ Access Manager, or subject to regulatory constraints that rule out cloud-only IAM. For greenfield cloud-native programs, Okta is usually the stronger pick. For programs already running PingFederate or ForgeRock, the migration tradeoff goes the other way. Merito surfaces those alternatives honestly during scoping.
Cross-product OpenText IAM line integration is the platform claim that pays back when the program runs the full line. Identity Manager for provisioning, Access Manager for SSO and federation, Privileged Access Manager for elevated access, Identity Governance for access reviews, Advanced Authentication for MFA. Programs running standalone Access Manager get SSO; programs running it inside the line get coordinated identity operations.
What buyers usually underestimate
- Adopting Access Manager when cloud-native Okta or Microsoft Entra would fit better.
- Migrating off mature Okta or Entra deployments without an honest assessment of delta value.
- Running Access Manager standalone without integration with Identity Manager, Privileged Access Manager, and Identity Governance.
- Skipping operating-model design and finding the platform underused.
- Treating the NetIQ rename as cosmetic without modernization planning toward Core Identity Foundation where applicable.
Related from Merito
Continue exploring OpenText Access Manager on Merito
Related solutions
Related services
Related products
- OpenText Identity ManagerIdentity lifecycle and provisioning for Access Manager.
- OpenText Privileged Access ManagerPrivileged identity paired with Access Manager SSO.
- OpenText Identity GovernanceAccess reviews and SOD on Access Manager entitlements.
- OpenText Advanced AuthenticationRisk-based MFA paired with Access Manager SSO.
- OpenText Core Identity FoundationModernization path to SaaS IAM bundle.
- OpenText Cybersecurity (vendor portfolio)Full OpenText Cybersecurity catalog across AppSec, IAM, SecOps, Data Security, and DFIR.
Frequently Asked Questions
OpenText Access Manager FAQs
Consultation request
Talk to Merito about OpenText Access Manager
Share your federation landscape, regulated identity constraints, and OpenText IAM footprint. A Merito OpenText specialist follows up within one business day.
NetIQ federation depth
Long-tail protocol coverage
SAML, OAuth, OIDC, WS-Federation, Kerberos, WS-Trust. Cloud-native IAM often skips the long tail.
Regulated and on-prem
Where cloud-only is ruled out
On-prem and hybrid IAM for sovereign-cloud, air-gapped, and regulated workforce identity.
Next step
Run NetIQ where it fits. Modernize when constraints change.
A Merito Access Manager engagement scopes federation policy, IAM line integration, and operating model. Programs that treat the rename as cosmetic without modernization planning leave value on the table.