Publication section: Compete | Format: Competitive Intelligence Assessment | Last-verified date for Thales/Ping product and roadmap claims: May 2026 (based on publicly available Thales and Ping Identity product pages, press releases, and EDUCAUSE community coverage). Claims marked [UNVERIFIED — CONFIDENCE: LOW] require field confirmation before use in live deal situations. Deal-motion section reflects pattern analysis; production version should be strengthened with Gong/Clozd win-loss data, which is structurally unavailable for this demo.
ForgeRock did not end up in Tier 1 research universities by accident. The institutions that deployed it — and there are meaningful numbers of them, concentrated in the R1 and large public flagship segment — made a deliberate choice. They needed an identity platform that could handle complex federation requirements, support deep customization for research computing workflows, and scale to the kind of identity surface that a major research university actually has: tens of thousands of human identities, hundreds of service accounts, multiple research computing environments, and a compliance posture that touches HIPAA, FISMA, and export control simultaneously. ForgeRock's policy engine, its scripting extensibility, and its track record in complex enterprise environments made it a credible answer to that problem.
Start there. A rep who skips that history will not have a credible conversation with a Tier 1 CISO who has lived with ForgeRock for a decade.
The Acquisition Stack, Briefly
The ownership lineage matters for understanding what Tier 1 institutions are navigating. Thales acquired Ping Identity in late 2022. Ping Identity acquired ForgeRock in early 2023. The resulting structure placed ForgeRock's Access Management, Identity Governance, and Directory products inside a Ping Identity portfolio that was itself inside Thales's cybersecurity division, which also includes hardware security modules, data protection products, and the OneWelcome customer identity platform that Thales had been building separately.
The integration roadmap that Thales/Ping announced in late 2024 — the one that positioned OneWelcome as the converged platform for both workforce and customer identity — is what "18 months in" refers to in this assessment. That roadmap is the source of both the genuine capability story and the uncertainty that Tier 1 buyers are navigating.
Integration Reality: What Has Shipped
What is verifiable as of May 2026: Ping Identity has shipped unified administrative tooling that allows organizations running ForgeRock Access Management to manage some policy configurations through a shared console with PingOne, Ping's cloud-native identity service. Single sign-on between ForgeRock AM and PingOne environments is documented and available. The ForgeRock Identity Governance product has been rebranded under the Ping portfolio and continues to receive maintenance releases.
Where roadmap clarity is thinner: The deeper integration between ForgeRock AM's on-premises/private cloud deployment model and the OneWelcome platform's cloud-native architecture remains, as of available public documentation, a work in progress. Thales has described OneWelcome as the destination platform for converged identity, but the migration path for institutions running ForgeRock AM in complex on-premises configurations — which describes most Tier 1 research university deployments — has not been documented in a form that gives those institutions a clear upgrade timeline. [CONFIDENCE: MEDIUM — based on public documentation; field confirmation from institutions in active migration conversations would strengthen this assessment.]
The ForgeRock Directory Services product, which several Tier 1 institutions use as their core LDAP infrastructure, has received less public roadmap attention than Access Management. Institutions that built their identity stack on ForgeRock DS as the authoritative directory have not seen clear guidance on its long-term positioning within the OneWelcome architecture. [CONFIDENCE: LOW — flag for field verification before use in deal conversations.]
What Tier 1 Institutions Are Experiencing
The pattern that emerges from EDUCAUSE community discussions and higher education press coverage is not a story of ForgeRock failing. The product continues to function. Institutions that deployed it are not experiencing outages or security failures attributable to the acquisition. What they are experiencing is a more corrosive problem: roadmap opacity at exactly the moment when they need to make consequential infrastructure decisions.
Research universities on three-to-five-year technology planning cycles are trying to decide right now whether to invest in extending their ForgeRock deployments — adding NHI governance capabilities, integrating with cloud research platforms, expanding their identity governance coverage — or whether to treat the current deployment as a maintenance-mode asset while they evaluate alternatives. That decision requires roadmap confidence that the current Thales/Ping communications have not consistently provided.
Support continuity is a secondary concern but a real one. ForgeRock's professional services organization was absorbed into Ping's services structure post-acquisition. The institutional knowledge that resided in ForgeRock's higher education-focused professional services team — knowledge about InCommon federation integration, research computing identity patterns, TIER program interoperability — has not been fully preserved in the combined organization. Tier 1 institutions that relied on ForgeRock PS for complex deployment work are reporting longer response times and less domain-specific expertise in support engagements. [CONFIDENCE: MEDIUM — composite from EDUCAUSE community forum discussions; production version should verify with named institutional contacts.]
The pricing environment has also shifted. Thales's enterprise licensing model differs from ForgeRock's pre-acquisition structure, and several Tier 1 institutions approaching renewal are encountering contract terms that reflect the combined portfolio's pricing logic rather than the standalone ForgeRock terms they negotiated originally. This is not unusual in post-acquisition environments, but it is creating friction at renewal that did not previously exist. [CONFIDENCE: LOW — flag for Gong/Clozd verification; this pattern is consistent with acquisition-era dynamics but requires deal-specific confirmation.]
The Competitive Signal Set
A Tier 1 buyer experiencing ForgeRock/Thales uncertainty tends to surface it in specific ways. The patterns below are not universal, but they recur often enough to be worth recognizing.
The roadmap question surfaces early. Buyers who are uncertain about ForgeRock's trajectory ask about roadmap in discovery calls in a particular way: not "what features are coming" but "how do you think about long-term platform commitment." That framing signals they are evaluating whether a vendor will still be a coherent entity in five years, not just whether the product will add a feature. It comes from watching an acquisition unfold in real time.
The support experience becomes a reference point. Buyers who have had degraded support experiences post-acquisition will bring it up when evaluating alternatives, often framed as a risk concern rather than a complaint. "We need to understand what your support model looks like for complex deployments" is frequently a proxy for "our current vendor's support has gotten worse and we don't want to repeat that."
The NHI gap creates a forcing function. Tier 1 institutions that are actively trying to extend their identity governance to cover research computing service accounts, agentic AI workflows, or cloud research platform credentials are discovering that their ForgeRock deployment doesn't have a clear path to those capabilities within the OneWelcome roadmap. This shows up when a VP for Research asks the IAM team how they're going to govern the credentials their new AI-assisted research platform is generating. That question creates urgency that the acquisition uncertainty amplifies.
Renewal timing concentrates the decision. The competitive opening is most pronounced in the 12-to-18-month window before a major ForgeRock contract renewal. Institutions in that window are doing the math on whether to re-commit to a platform whose roadmap they can't fully read, extend a deployment they're uncertain about, or use the renewal as a forcing function to evaluate alternatives. That window is identifiable from renewal cycle data, and it is where the conversation is most likely to be productive.
What the Opening Looks Like
The Tier 1 buyer who is experiencing ForgeRock/Thales uncertainty has already done the acquisition-risk analysis. Repeating it back to them is not useful. What they are looking for is evidence that an alternative can handle the complexity they built into their ForgeRock deployment — the custom policy logic, the research computing federation requirements, the TIER program integrations — without requiring them to rebuild from scratch.
The conversation that lands is about migration reality: here is how institutions with comparable complexity made this transition, here is what they preserved, here is what they rebuilt. The buyer's concern is not ending up with a worse product. It is spending three years in a migration and emerging with a deployment that doesn't handle their specific research computing identity requirements as well as what they had.
Institutions that moved successfully are the reference that closes this conversation. The deal-motion section of this assessment would be materially strengthened by Gong/Clozd win-loss data from Tier 1 accounts where ForgeRock displacement was the competitive scenario — that data is structurally unavailable for this demo and should be treated as a production gap.
ForgeRock remains a serious incumbent at Tier 1. The uncertainty created by the Thales/Ping/OneWelcome integration timeline is real, but it opens a conversation rather than winning one. A rep who conflates those two things will lose the trust of a CISO who spent a decade building on ForgeRock and knows exactly what it can do.