Skip to content
By CIAM

The CIAM Graveyard: Every Dead Identity Vendor and What Killed Them

Identity vendors rarely die of bankruptcy. They die of acquisition, then neglect, then a shutdown email. A complete history of every dead CIAM vendor, the pattern behind the deaths, and the questions that protect you from the next one.

The CIAM Graveyard: Every Dead Identity Vendor and What Killed Them, by Deepak Gupta on guptadeepak.com

Right now, in mid 2026, thousands of companies are running their customer logins on a product that has already been declared dead. Akamai Identity Cloud stopped accepting new customers in March 2024, froze feature development at the end of that year, and shuts down completely on December 31, 2027. Every company still on it is living inside a countdown.

That is not a rare event in identity. It is the normal life cycle.

I have spent 15 years in this market. I founded a CIAM platform and scaled it to more than a billion users, and for most of that time, my fastest-growing customer segment was refugees: teams fleeing a vendor that had just been acquired, absorbed, or shut down. When SAP bought Gigya, they called us. When Akamai bought Janrain, they called us. I wrote publicly back in 2019 that Janrain customers should expect the same disruption Gigya customers got. It took five years longer than I expected, but the prediction held.

So this is the article I wish someone had written a decade ago: a complete graveyard of the identity vendors that died, how each one actually went, how much notice customers got, and the pattern that connects nearly all of them. Because the pattern is the useful part. Identity vendors almost never die of bankruptcy. They die of acquisition, then neglect, then a politely worded email with a migration deadline in it.

If you are evaluating vendors right now, the CIAM Compass vendor index tracks who is alive, who is dying, and who to compare. This article is the history that explains why that tracking matters.

The graveyard

Stormpath (2011 to 2017): the five-month execution

Cause of death: acquired by Okta, shut down almost immediately.

Stormpath was the developer darling of its era: a clean REST API for authentication and user management, excellent SDKs, and documentation that developers genuinely praised. It was, in many ways, the blueprint that later developer-first auth companies followed.

Okta announced the acquisition on March 6, 2017. In the same announcement, Stormpath told customers the API and SDKs would shut down on August 17, 2017. That is five and a half months from "we have exciting news" to "your authentication provider no longer exists." The migration FAQ admitted that new Okta SDKs might not even be ready before the shutdown date. Okta's own SEC filings later showed the price: roughly $3.7 million in equity. The entire product, its customers, and their integration work were worth less to the acquirer than a mid-sized Series A.

Stormpath customers learned the most important lesson in this article the hard way: the announcement email and the shutdown email can be the same email.

Clef (2013 to 2017): death by no business model

Cause of death: ran out of road, shut down independently.

Clef is the rare entry that died the old-fashioned way. The two-factor authentication app had real traction, including more than a million active WordPress installs, but as the founder admitted plainly at shutdown: they could not find a business model that made the growth sustainable. The app went dark in June 2017, and the team joined Twilio.

Clef matters in this list precisely because it is the exception. Everyone assumes vendor risk means startup-runs-out-of-money risk. The rest of this graveyard shows that assumption is backwards. The companies most likely to strand you are not the ones that fail. They are the ones that succeed enough to get bought.

Gigya (2006 to 2017, absorbed): the marketing-stack burial

Cause of death: acquired by SAP for $350 million, dissolved into a product suite.

Gigya was a genuine CIAM pioneer. Social login, registration-as-a-service, consent management: much of what the industry now treats as table stakes, Gigya shipped first, and it had the enterprise B2C customer list to prove it.

SAP bought Gigya in November 2017 and folded it into its customer experience portfolio as SAP Customer Data Cloud. The product technically survives to this day, which makes this a burial rather than an execution. But survival and health are different things. The identity product became a feature of a commerce suite, sold primarily to existing SAP customers. Teams that chose Gigya as an independent best-of-breed identity platform woke up as customers of an ERP conglomerate, and many told my team directly that getting full SLAs and the service they were used to increasingly required moving deeper into the SAP stack.

I covered where the product stands today in the SAP Customer Data Cloud profile on CIAM Compass: still strong on consent and B2C depth, but enterprise-only, expensive, and mostly compelling if you are already an SAP shop. That is what absorption looks like eight years on.

Janrain (2002 to 2019 to 2027): the vendor that died twice

Cause of death: acquired by Akamai for $123.6 million, rebranded, neglected, and finally scheduled for shutdown.

Janrain has the strangest fate in the graveyard. It pioneered the CIAM category itself, built twenty years of B2C registration and social login expertise, and served Global 2000 brands. In January 2019, Akamai, a content delivery network, bought it for $123.6 million in cash, roughly half of what analysts had projected based on Janrain's revenue. Even the sale price was a warning sign.

The strategic logic was always about Akamai, not about identity customers: feed login and registration signals into Akamai's bot management and threat intelligence. Janrain became "Akamai Identity Cloud," and then, slowly, became nobody's priority. Akamai stopped selling it to new customers on March 7, 2024, announced end of life on October 31, 2024, froze features, and set the shutdown for December 31, 2027.

So Janrain died once in 2019, when it stopped being a company whose survival depended on its identity product winning, and it is dying again now, on a fixed calendar. Customers, mostly large B2C enterprises with deep consent-management integrations, get roughly three years from the EOL announcement to complete migrations of some of the most complex identity deployments in existence. I keep a current migration analysis in the Akamai Identity Cloud profile on CIAM Compass, including where B2C enterprises and cost-sensitive teams typically land.

Back in 2019, weeks after the acquisition closed, I wrote that Janrain customers should expect the same disruption Gigya customers experienced. I would rather have been wrong.

Idaptive (2018 to 2020): the two-year independence

Cause of death: acquired by CyberArk for $70 million, dissolved into a platform.

Idaptive barely got to exist. Spun out of Centrify in 2018 as an independent identity company, it was acquired by CyberArk in May 2020 and integrated into the CyberArk Identity Security Platform. The technology lives on, and to be fair, CyberArk had a coherent reason to buy it: pairing customer identity with its dominant privileged access management business. But as an independent vendor with its own roadmap and its own customer priorities, Idaptive lasted about two years. The CyberArk profile on CIAM Compass covers what became of it: a credible option mainly for existing CyberArk PAM customers, which is a much narrower promise than the one Idaptive made as a standalone company.

Stytch, the developer-API generation's first casualty of consolidation (2020 to 2025, acquired)

Cause of death: pending. Acquired by Twilio on October 30, 2025.

Stytch built one of the strongest developer-first auth APIs of the passwordless era and raised at a $1 billion valuation at its peak. Twilio acquired it in late 2025 (I wrote a full technical analysis when the deal broke: what the Twilio-Stytch acquisition means for developer CIAM). I am not writing Stytch's obituary, because the product is alive and Twilio has said the right things. But this entry belongs in the article for one uncomfortable reason: Twilio is the company that acquired Authy in 2015, and Authy's fate is worth reading closely.

Twilio shut down Authy's desktop apps in 2024, force-logging out every user, some of whom permanently lost 2FA tokens they had not synced to mobile. That same year, attackers exploited an unsecured Authy API endpoint to enumerate data tied to 33 million phone numbers. An acquired product's slow slide from flagship to liability rarely announces itself. Stytch customers should not panic, but they should watch the changelog cadence the way you watch a patient's heart monitor. History says the first 18 months post-acquisition tell you everything.

Azure AD B2C (2016 to 2026, in hospice): when the vendor is a hyperscaler

Cause of death: retired by its own parent in favor of a successor product.

This is the entry that should end any remaining belief that vendor size equals vendor safety. Azure AD B2C was Microsoft's CIAM, with a massive install base, including regulated and government workloads. Microsoft stopped selling it to new customers on May 1, 2025. The Premium P2 tier, including Identity Protection and the risk-based Conditional Access policies built on it, was retired for everyone on March 15, 2026. Tenants that depended on those risk signals lost the capability with no licensing path to restore it. The rest of the product runs in maintenance mode, supported until at least May 2030, with all investment flowing to its successor, Microsoft Entra External ID.

Microsoft's transition is more orderly than most in this graveyard, with years of runway and a genuinely better successor product. But make no mistake about what it is: every Azure AD B2C custom policy, every integration, every carefully tuned user flow is a migration project now, because custom policies do not auto-convert to the External ID model. I track the timeline and the migration decision in detail on the Entra External ID profile and the CIAM Compass changelog entry on the B2C retirement.

A company with a three trillion dollar market cap deprecated its own identity product. Nobody's login is too big to sunset.

The absorbed and the diminished: a shorter row of headstones

Not every death gets a long obituary. A few that deserve their markers:

Auth0's independence (2013 to 2021). Auth0 the product is alive and well, and I have written extensively about who should still buy it. But Auth0 the independent company, the one whose entire existence depended on developer love, died when Okta paid $6.5 billion for it in 2021. What followed was the pattern in slow motion: pricing power exercised against a locked-in base, renewal increases that customers document publicly, and a developer community that now hedges. Okta, to its credit, learned from Stormpath and kept the product alive. The customers still learned what it feels like when your vendor's incentives change ownership overnight.

ForgeRock the brand (2010 to 2023). A $2.3 billion acquisition by Thoma Bravo, immediately merged into Ping Identity, which Thoma Bravo had bought the year before for $2.8 billion. Two of the deepest enterprise identity platforms in the market became one company under private equity ownership, with overlapping product lines that could not both survive. Customers of both spent nearly a year in the dark during the DOJ review, legally unable to get roadmap answers. That silence, imposed or not, is its own kind of warning.

UnboundID (2007 to 2016) and the Sun Microsystems identity portfolio. For the students of history: Sun built some of the best directory and identity technology of its era, Oracle acquired Sun in 2010 and retired product lines that customers had built entire identity programs on, and ex-Sun engineers founded UnboundID, which Ping then acquired in 2016. The identity industry has been recycling this pattern, and these engineers, for twenty years.

The pattern: acquisition, then neglect, then the email

Line the headstones up and one fact stands out. Of everything in this graveyard, only Clef died of financial failure. Everything else died or diminished through acquisition. That inverts how most buyers think about vendor risk. Teams run financial due diligence on startups and skip it for incumbents, when the actual historical record says the dangerous moment is not your vendor running out of money. It is your vendor becoming a line item in someone else's strategy.

The mechanism is consistent enough to describe as a sequence:

Stage one: the strategic acquisition. The acquirer buys the vendor for a reason that is about the acquirer. Akamai wanted identity signals for bot defense. SAP wanted customer profiles for its commerce suite. CyberArk wanted a CIAM checkbox next to PAM. In every case, the identity product's original mission, winning the identity market on its own merits, quietly ends on closing day, whatever the press release says about acceleration and shared vision.

Stage two: the quiet years. The product keeps running. Renewals get processed. But the tells accumulate: the changelog slows from weekly to quarterly, the vendor's conference booth shrinks, the product's leaders leave for other companies, job postings for the product's engineering team dry up, and the roadmap deck starts featuring the acquirer's platform more than the product you bought. Janrain lived in this stage for five years. Gigya has arguably been in it for eight.

Stage three: the email. End of sale comes first, because stopping new revenue costs the acquirer nothing. Then the feature freeze. Then end of life with a migration window that reflects the acquirer's convenience, not your architecture: five months for Stormpath, three years for Akamai Identity Cloud, five for Azure AD B2C. You do not get to pick which precedent applies to you.

The 18-month warning signs, the ones visible in stage two, are the actionable part. If your identity vendor gets acquired, start a countdown and watch four things: changelog cadence, executive retention, whether the product keeps its own sales team, and whether new features serve you or serve integration with the acquirer's platform. Two or more of those degrading is your cue to start migration planning while it is still optional. Every migration in this article was cheapest for the customers who started before the email arrived. I wrote about what the forced version looks like in Auth Migration Hell, and the LogicBalls team's own vendor exit taught me that even a well-planned migration costs more than the invoice suggests.

The other death: the venture-backed vendor that stops growing

Acquisition is one road to the graveyard. There is a second, quieter one that never involves an acquirer at all, and it applies specifically to venture-funded vendors.

A CIAM company that raised a large round is now on a clock its investors control. Venture money is not patient capital. It expects a return through either a sale or continued hypergrowth toward one, and when neither is happening, the vendor enters a slow squeeze that is visible from the outside if you know the tells. The red flags, in rough order of severity:

They raised a big round and their customer base stopped growing. A vendor that took $10M+ and cannot show expanding logos is burning runway against a growth story it is no longer delivering. That gap closes one of two ways, a distressed acquisition or a wind-down, and neither is good for you.

Their team is shrinking, not hiring. Layoffs at an identity vendor, or a careers page that has gone quiet for a year, means the burn is being managed down. Companies manage burn down when the next round is uncertain. Watch engineering and support headcount specifically, since those are the teams whose absence you will feel first.

They have not raised in over five years and show no sign of profitability. In venture terms, a round is meant to last 18 to 24 months. A vendor four or five years past its last raise, with no acquisition and no public signal of profitability, has either quietly become sustainable (rare, and they usually say so) or is running on fumes (common, and they never say so). Silence on this question is itself the answer.

The founders and early leaders have left. Founders who believe in the outcome do not leave before it. A departed founding team, especially a departed founding CEO or CTO, at a still-private venture-backed vendor is often the earliest signal that the people with the most information have concluded the growth story is over.

Any two of these together is a reason to build your exit architecture now, before the distressed-sale email or the shutdown notice forces your timeline. The venture-backed vendor rarely dies of an acquisition you can see coming. It dies because the growth math stopped working, and by the time that is public, your window to migrate calmly has already narrowed.

The questions that protect you

Uptime SLAs are the most negotiated and least important clause in an identity contract. An SLA pays you service credits when the login page is slow. Nothing in it pays you when the vendor is acquired and your three-year roadmap becomes a migration deadline. Before signing with any identity vendor, I would want written answers to five questions:

1. What is the contractual data portability commitment? Not "can we export users." Specifically: do you get password hashes out, in what format, with what algorithm documentation, and on what timeline after a termination or EOL event? A vendor that will not export hashes is a vendor whose death forces every one of your users through a password reset. This single clause matters more than the entire SLA section.

2. What happens to this contract in a change of control? Does an acquisition let you exit early without penalty? Do pricing locks survive the new owner? Most standard contracts are silent here, which means the answer defaults to whatever the acquirer prefers.

3. How much of your integration is portable? Standard OIDC and SAML flows move between vendors. Proprietary extensibility does not: serverless hooks, custom policy languages, vendor-specific rule engines. Every hour invested in a proprietary layer is an hour you will spend again during an exit. Ask yourself honestly what percentage of your auth code would survive a vendor change, and treat that number as part of the price.

4. Is identity this vendor's business, or a feature of it? This is the question the whole graveyard teaches. Stormpath, Janrain, Gigya, and Idaptive were all healthy identity businesses that became features of bigger companies with other priorities. When you evaluate a vendor owned by a CDN, an ERP company, a communications platform, or a private equity portfolio, price in the fact that identity winning is no longer existential for anyone in the building.

5. What is the guaranteed minimum wind-down period? Get it in writing: if the product reaches end of life, you receive no less than N months of full operation and support. The historical range runs from five months to five years. Where your vendor would fall in that range should not be a surprise you discover in the announcement email.

The vendors that will outlive this article

Everything above is a warning, so let me balance it with the inverse, because the graveyard has a mirror image. If acquisition-then-neglect and venture-growth-collapse are the two ways identity vendors die, there is a profile that avoids both, and it is worth actively looking for.

The vendor most likely to still be standing when your contract renews five years from now looks like this: independent, growing, adding customers and shipping products, with developer-focused pricing and a genuinely good product. That combination is not a coincidence of good luck. It is structural.

An independent, profitable vendor has no investor holding a clock over its head, which means no pressure to force a fast sale or a bet-the-company pivot. It has no acquirer whose strategy could demote the product to a feature overnight. If it is growing its customer base on its own revenue, it does not need a rescue round, and if its pricing is developer-focused and fair rather than extraction-oriented, it is winning customers on product merit, which is the only durable moat in this market. A vendor like that is not going anywhere, precisely because nobody outside the building has the standing to make it go somewhere.

FusionAuth is the clearest live example. It bootstrapped to profitability with zero outside funding, made the Inc. 5000 as one of the fastest-growing private software companies in the US, doubled revenue year over year, and only then took a single growth round, from a position of strength rather than desperation, after five years of proven independent health. Its pricing is developer-friendly, its self-hosting option means you are not even dependent on the company's servers to keep running, and its whole market position is built on winning developers rather than locking in enterprises. That is close to the opposite of every profile in the graveyard above. I keep the current read in the FusionAuth profile on CIAM Compass.

The lesson is not "FusionAuth specifically." It is the pattern. When you evaluate a vendor, the boring financial and structural questions predict survival better than any feature comparison: Are they independent or owned? Profitable or burning? Growing logos or stalled? Winning on developer-friendly product and pricing, or on lock-in? A vendor that scores well on those is one you can build on without checking the changelog like a heart monitor. The self-hosted and open-source tier deserves a specific mention here too, because a product you can run yourself cannot be shut down out from under you at all. Even if the company behind Keycloak or FusionAuth's self-hosted edition changed direction tomorrow, the software you are already running keeps running. That is the strongest form of vendor-death insurance that exists.

Every dead vendor in this graveyard was, at some point, somebody's safe choice. Stormpath had the best developer experience of its day. Janrain invented the category. Gigya had the enterprise logos. Azure AD B2C had a three trillion dollar company behind it. None of that protected their customers, because the thing that kills identity vendors is not weakness. It is being valuable enough to buy and small enough, inside the acquirer, to neglect.

You cannot pick a vendor that will never die. You can pick vendors whose death you would survive: portable protocols over proprietary hooks, exportable credentials over convenient lock-in, contracts that anticipate a change of control instead of assuming permanence. And you can tilt the odds up front by choosing structurally durable vendors: independent, profitable, growing on their own revenue, priced on product rather than lock-in, and self-hostable where it matters. The CIAM Compass index exists partly for this reason, tracking not just capabilities but ownership, funding, and EOL events across the market, because in identity, the vendor's corporate health is a feature of the product.

The graveyard will grow. Consolidation in this market is accelerating, not slowing, and somewhere in the current vendor landscape is the next entry in this article. The only question that matters is whether its customers will have started their migration before the email, or because of it.

Which vendor do you think joins this list next? I have my guess, and I would genuinely like to hear yours.

Frequently asked questions

Why do identity vendors shut down so often?
Rarely from bankruptcy. Most identity vendor deaths follow acquisition: a larger company buys the vendor for strategic reasons (bot defense signals, commerce data, platform completeness), deprioritizes the standalone product, and eventually retires it. Of the major CIAM shutdowns since 2017, only Clef closed for financial reasons.

How much migration notice do customers usually get?
The historical range is wide. Stormpath customers got about five and a half months in 2017. Akamai Identity Cloud customers got roughly three years (EOL announced October 2024, shutdown December 31, 2027). Azure AD B2C customers got about five years to the earliest possible retirement. Nothing guarantees you land at the generous end unless your contract specifies a minimum wind-down period.

Is Akamai Identity Cloud really shutting down?
Yes. Akamai ended new sales on March 7, 2024, announced end of life on October 31, 2024, froze feature development, and set final shutdown for December 31, 2027. All remaining customers need an active migration plan.

Is Azure AD B2C dead?
It is retired for new customers (end of sale May 1, 2025) and its Premium P2 tier, including Identity Protection, was discontinued for all customers on March 15, 2026. The remaining product runs in maintenance mode with support committed until at least May 2030. Microsoft's successor product is Entra External ID, and custom B2C policies must be re-implemented rather than auto-migrated.

What are the warning signs that a vendor might be next?
It depends on the vendor's structure. For an acquired vendor, watch four signals over 18 months: slowing changelog and release cadence, departure of the product's original leaders, loss of a dedicated sales team for the product, and a roadmap that increasingly serves integration with the acquirer's platform rather than the product's own customers. For a still-independent venture-backed vendor, watch a different set: a large raise followed by stalled customer growth, shrinking team or a quiet careers page, no new funding in over five years with no sign of profitability, and departed founders. Two or more degrading in either set is a reason to begin optional migration planning.

Which identity vendors are the safe long-term bets?
The structurally safe profile is independent, profitable or self-sustaining, growing its customer base, and priced around developer-friendly product rather than lock-in. A vendor like that has no investor forcing a fast sale and no acquirer that can demote it to a feature. FusionAuth is a frequently cited example: bootstrapped to profitability before taking a single growth round from a position of strength. Self-hosted and open-source options (such as Keycloak or FusionAuth's self-hosted edition) add another layer of safety, since software you run yourself cannot be shut down out from under you.

What contract terms actually protect against vendor shutdown?
Four clauses matter more than the uptime SLA: exportable credentials including password hashes with documented formats, change-of-control provisions that allow early exit, a guaranteed minimum wind-down period after any EOL announcement, and data return timelines after termination. Portable protocol usage (standard OIDC and SAML rather than proprietary extensibility) is the architectural equivalent.

Deepak Gupta is a serial entrepreneur and cybersecurity expert who co-founded and scaled a CIAM platform to serve over 1 billion users globally. He now leads GrackerAI, a GEO platform for B2B SaaS and cybersecurity companies. He writes about AI, cybersecurity, and building companies at guptadeepak.com.

Get the newsletter

New writing on identity, AI security, and building software, delivered when it ships. No tracking pixels, no funnels, unsubscribe with one click.