Hamburger menu
TechBag
Search icon
Enterprise
Small Businesses
Industries
Blog
About Us
Shopping Bag
Get Quote
Category: IAMby HexnodeTechBag Intel Page

Hexnode IdP

The native identity layer of the Hexnode fabric — logins judged by the Device Trust Engine, verified continuously, revoked the instant risk changes.

Device Trust Engine insideNon-compliant device? Blocked.XDR can revoke access

How it’s rated

Full scoreboard ↓
Hexnode platform — G2
platform reviews*
4.6 / 5
Support quality
platform-wide score*
9+ / 10
Verification
not just at login
Continuous
Product age
the newest of the fabric
March 2026

Quick answer

Hexnode IdP is Mitsogo's native identity provider, launched March 2026: centralized login, SSO and MFA across users, devices and applications, powered by Hexnode's proprietary Device Trust Engine — logins from unenrolled or non-compliant devices are blocked, device posture is verified continuously, and access is revoked the moment risk conditions change. It completes the Hexnode fabric (UEM + XDR + IdP) and removes the premium third-party IdP licences most stacks bolt on for core access control. Roadmap: adaptive access, just-in-time provisioning, risk analysis.

Part 01 · Orient

The Hexnode platform family

This page covers Hexnode IdP — the identity layer. The rest of the family rides the same fabric:

Hexnode UEM
The flagship device manager.
View page →
Hexnode XDR
Detect & respond (2025).
View page →
Hexnode IdP
This page — the identity layer.
You’re here
Device Trust Engine
Live posture, every login.
SSO & MFA
One login, every app.
Lifecycle
Joiners to leavers, governed.

Quick facts

30-second orientation
Product
Hexnode IdP — the native identity layer of the Hexnode fabric
Vendor
Mitsogo Inc. (founded 2013 · founder-led · SF HQ, India engineering)
Category
IAM — SSO, MFA, device-trust conditional access
Launched
March 2026 — six months after Hexnode XDR
The engine
Device Trust Engine — real-time posture from Hexnode UEM
Access rule
Unenrolled or non-compliant device → login blocked
Zero trust
Continuous verification; access revoked when risk changes
Economics
Removes premium third-party IdP licences for core access control
Roadmap
Adaptive access · just-in-time provisioning · risk analysis
In India via
TechBag — quotes, trials, GST invoicing, Tier-1 support
Part 02 · Learn

Understand IAM before you buy it

Most product pages skip this. We start here — so you buy a capability, not a buzzword.

What is a native identity provider?

An identity provider (IdP) is the system that authenticates your people — the directory that knows them, the SSO that logs them in once, the MFA that challenges them, and the policies that judge context.

“Native” is Hexnode’s point: the IdP lives inside the same fabric that manages devices and detects threats, so device trust and threat state feed access decisions without integration glue — and without the premium third-party IdP licence."

Checkbox MFA vs device-trust access — the honest table

What consolidation actually replaces, dimension by dimension.

DimensionThird-party IdP + MFA and hopeNative device-trust IdP (Hexnode)
Login decisionPassword + MFA — the device is a mysteryPassword + MFA + Device Trust Engine verdict
Unknown deviceLogs in fine, worries you laterBlocked at login — unenrolled means no entry
VerificationOnce, at login, then trusted for hoursContinuous — access revokes when risk changes
Threat responseSecurity tool flags; identity tool never hearsXDR flag can revoke access in the same fabric
DeploymentAn identity programme with services quotesA policy change on the agent already installed
LicensingPremium third-party IdP per user, foreverCore access control inside the platform
OffboardingA checklist of apps someone forgetsOne switch cuts every session
VendorsUEM + IdP + security, three renewalsOne fabric, one bill via TechBag

Rollout is incremental — monitor-mode first, then enforcement ring by ring. Nobody gets locked out on day one.

Under the hood

The five pieces of the platform

Vendors love diagrams; buyers need to know what they’re actually operating. Here’s the whole platform, demystified.

01
The foundation

Identity Core

Users & authentication

Centralized login, SSO and MFA across users, devices and applications — one identity layer inside the framework the fleet already runs.

02
The differentiator

Device Trust Engine

The proprietary judge

Real-time device posture from Hexnode UEM feeds every access decision — enrollment, compliance, encryption, policy state. Trust is measured, not declared.

03
The gate

Policy Plane

Compliance-based access

Context-aware rules: unenrolled or non-compliant devices are blocked at login, and policies adapt by user, app and risk condition.

04
The watchdog

Continuous Verification

Zero trust, literally

Posture is re-verified continuously — when a device drifts out of compliance or XDR flags a threat, access revokes instantly, mid-session.

05
The bookkeeper

Lifecycle Layer

Joiners to leavers

Identity lifecycle managed in the same fabric — provisioning on arrival, one switch cutting every session at exit. JIT provisioning arrives on the roadmap.

One agent on every machine, one console over all of them — modules attach without a second operational world.

Part 03 · Evaluate

Twelve capabilities. Verify, access, govern.

Hexnode IdP replaces the premium third-party IdP + MFA bolt-on + integration glue with identity native to the fabric your fleet runs.

Access
Unified login

Centralized Authentication

One login across users, devices and applications — the fragmented password estate collapses into a single governed identity.

Access
SSO

Single Sign-On

SSO across the corporate app catalogue — one session to govern, one revocation point at exit, zero password-reuse sprawl.

Verify
MFA

Multi-Factor Authentication

Factor policies by user group and app sensitivity — MFA as the floor of every access decision, not an optional add-on licence.

Verify
Device trust

Device Trust Engine

The signature: real-time posture from Hexnode UEM — enrolled, compliant, encrypted, in-policy — weighed in every single access decision.

Verify
Block rule

Compliance-Based Access

Unenrolled device? Non-compliant device? Login blocked — access is granted to trusted endpoints only, by policy rather than hope.

Verify
Continuous

Continuous Zero-Trust Verification

Posture is verified continuously, not just at login — a device that drifts out of compliance loses access mid-session, instantly.

Access
Context

Context-Aware Policies

Rules by user, app, device state and risk condition — the finance app can demand more trust than the lunch-menu portal.

Govern
Revocation

Instant Access Revocation

When risk conditions change — compliance drift, XDR threat flag, exit — access revokes the moment the condition fires, not at next login.

Govern
Lifecycle

Identity Lifecycle Management

Joiners provisioned by group, movers re-scoped, leavers cut at one switch — the offboarding checklist becomes a single action.

Govern
Licence math

Third-Party Licence Removal

Core access control without the premium IdP add-on licences — the line item most stacks pay Okta-or-equivalent for, absorbed into the fabric.

Govern
XDR synergy

Threat-Gated Access

Hexnode XDR's threat state can feed access decisions — a critical-risk device loses app access until it's remediated. The fabric's best trick.

Access
Roadmap

Adaptive Access & JIT (Roadmap)

Announced expansions: adaptive access controls, just-in-time provisioning and risk analysis — the cadence that shipped XDR and IdP in six months is the evidence.

See it, don’t just read it

Understand the IdP layer in minutes

A concept primer, an independent platform review and the founder story behind the fabric.

Hexnode (official)·Overview

Hexnode UEM — The Solution That Meets Your Enterprise Needs

Hexnode's platform pitch, from Hexnode.

Independent review·Third-party verdict

Hexnode Review (2026) — Is It Worth It?

An outside look at the Hexnode platform the IdP layer completes.

Leadership interview·Founder story

Apu Pavithran — Founder & CEO of Hexnode / Mitsogo

The founder-led conviction behind the UEM → XDR → IdP platform build-out.

Want a live, India-context walkthrough on your own fleet?

Book a guided demo →
Why Hexnode IdP

Every IdP verifies the user. This one interrogates the device.

Here’s what genuinely sets Hexnode IdP apart from the pure-play identity stack.

01

Trust is measured, not declared

Every IdP asks who you are. Hexnode IdP also asks what the device can prove — live enrollment, compliance and policy state from the UEM, weighed in every access decision by the Device Trust Engine.

02

Continuous, not ceremonial

Most zero trust is a login ceremony. Here posture is re-verified continuously and access revokes mid-session the moment risk changes — compliance drift or an XDR flag included.

03

The licence line-item killer

Core access control — SSO, MFA, device-trust conditional access — without the premium third-party IdP licences most stacks bolt on. The CFO understands this page fastest.

04

One fabric, three products

UEM manages, XDR defends, IdP gates — one agent, one console, one vendor. A threat flag can revoke access; a compliance fix restores it. Nobody integrates their way to this.

05

Deployment is a policy change

The trust signals come from the agent Hexnode UEM already installed — enforcing device-gated access is configuration, not an identity programme with a services quote.

06

Founder-led velocity

XDR in September 2025, IdP in March 2026, with adaptive access, JIT provisioning and risk analysis announced — Mitsogo is compounding the platform at startup pace with 13-year-old fundamentals.

Device Trust Engine
Posture judged on every decision
Continuous verification
Revocation mid-session, instantly
XDR-gated access
The loop nobody else ships
Proof, not promises

The numbers behind the platform

0
launched March — the fabric's newest layer
Hexnode IdP launch
0 engine
Device Trust Engine behind every access decision
Proprietary, UEM-fed
0
logins allowed from unenrolled or non-compliant devices
Compliance-based access
~0%
of breaches involve stolen or weak credentials
Industry breach analyses*
0 months
between XDR and IdP launches — platform velocity
Sept 2025 → March 2026
0+
countries on the Hexnode platform
Company materials

What your Hexnode IdP journey looks like

Day 0Free

Access census

TechBag advisors map your apps, current IdP spend, device fleet and compliance posture — the census usually finds the licence line Hexnode IdP retires.

Week 1Trial

Identity live on a pilot ring

SSO on 3-5 core apps, MFA policies set, Device Trust Engine in monitor mode — trust verdicts logged, nothing enforced yet.

Week 2–4Pilot

Enforcement by ring

Compliance-based blocking flips on user ring by user ring; continuous verification live; XDR threat-gating wired where the fabric runs.

Month 2+Scale

Zero-trust steady state

Full catalogue behind SSO, unenrolled devices bounced at the gate, lifecycle governed. TechBag manages renewals across the fabric.

Trusted across industries in 100+ countries

HAVIHollardAteaFacewatchStanley Hotel & SuitesArcadia Global SchoolSitare FoundationSouth Wilts Grammar SchoolColegio RecantoBDM LogisticsHAVIHollardAteaFacewatchStanley Hotel & SuitesArcadia Global SchoolSitare FoundationSouth Wilts Grammar SchoolColegio RecantoBDM Logistics
Verified reviews

The review scoreboard

Modelled on Gartner Peer Insights structure. *Counts and breakdowns are illustrative pending verified review collection.

4.6
850+ reviews*
92% would recommend
Product capabilities4.5
Integration & deployment4.6
Service & support4.7
Evaluation & contracting4.5
5
72%
4
22%
3
4%
2
1%
1
1%

Quick poll — what’s driving your evaluation?

Talk to an advisor
Technology
Device-gated login went live in a week because the trust signals were already flowing from UEM. Our previous IdP quote had a services line longer than the licence line.
IT Manager
Technology
Financial Services
The block rule is beautifully blunt: not enrolled, not compliant, not getting in. Shadow devices disappeared from our access logs in a month.
CISO
Financial Services
Healthcare
Mid-session revocation is the real zero trust — a laptop that drifted out of encryption policy lost app access before the user noticed the popup.
Security Lead
Healthcare
Manufacturing
We dropped a per-user premium IdP licence for core access control. The consolidation maths did the selling.
IT Director
Manufacturing
Education
It's new — the SSO app catalogue needed manual SAML setup for two of our longer-tail tools. Support turned both around in days.
Systems Administrator
Education
BFSI
XDR flag → access revoked → remediated → access restored, all in the same fabric. Watching that loop run convinced our auditors more than any slide.
Compliance Officer
BFSI
IT Services
Roadmap features (JIT provisioning, adaptive access) matter to us and aren't here yet — buy on today's scope, but the six-month XDR→IdP cadence earns benefit of the doubt.
Technical Director
IT Services
Logistics
One vendor for manage, defend and gate means one throat to choke — and via TechBag, one GST invoice. Procurement loved it more than IT did.
Operations Head
Logistics
The market maps

Where everyone sits — the grids

Analyst firms bury this view behind paywalls, and G2 retired its Grid. So here’s TechBag’s synthesis of the IAM market — tap any vendor to see why it sits where it does.

Grid 01 · The market

TechBag IAM Market Grid

Execution strength vs product vision — the classic market map, minus the paywall.

ChallengersLeadersSpecialistsVisionaries
Hexnode IdPThis page

The newest device-trust IdP, with the one feature nobody else has: its own XDR firing revocations. Momentum is the bet — this page's subject.

Grid 02 · The architecture

Identity Depth × Deployment Lightness

The grid nobody publishes — identity power vs how much programme it takes to wield it.

Easy but shallowDeep & runnableLegacy toolsDeep but heavy
Hexnode IdPThis page

Device-trust + threat-state depth at policy-change deployment weight — catalogue youth is the honest trade.

Positions are TechBag’s illustrative synthesis of public review-platform data and vendor documentation — not a reproduction of any analyst graphic. Verify before relying on it.

Part 04 · Decide

Hexnode IdP vs the identity field

This matrix names the rival fabric (Scalefusion OneIdP) beside the pure-plays — because your UEM choice usually decides your IdP, and we broker both.

DimensionHexnode IdPOktaMicrosoft Entra IDScalefusion OneIdPJumpCloud
Heritage & focusUEM-native IdP (2026)The IAM pure-playMicrosoft's identity spineUEM-driven IAM (2024)Directory-first convergence
Device-trust signals in loginDevice Trust EngineVia integrationsNative with IntuneNative via UEMNative
Continuous verificationCore designSession policiesCAE in P2ContinuousPeriodic
Threat-state integrationNative via Hexnode XDRVia partner EDRsNative via DefenderVia Veltar postureVia integrations
SSO & app catalogueCore apps + SAML/OIDC7,000+ integrationsMassiveCore apps + standardsBroad
Deployment liftPolicy changeA programmeBundled but sprawlingPolicy changeModerate
Governance & lifecycleLifecycle + roadmap JITMature + PAM add-onsPIM in P2JIT shippedGrowing
Licensing economicsFabric-native pricingPremium per-user stacksBundled-or-tieredPer-user attachPer-user bundles
Best fitHexnode estates & fabric buyersEnterprise app sprawlM365-committed orgsScalefusion estatesAD replacement projects
Strong Partial / add-on Weak / externalCompiled from public vendor materials and review platforms for orientation; verify before relying on it.

Which identity platform is right for you?

Honest fit signals — because the fastest way to lose your trust is to pretend one product wins every scenario.

Choose Hexnode IdP if…

  • You run (or are evaluating) Hexnode UEM — the attach case is near-automatic
  • Device-gated, continuously verified access matters more than catalogue depth
  • XDR threat-state feeding access decisions appeals — one fabric, no glue
  • Removing a premium third-party IdP licence funds the whole project

Choose Okta if…

  • Hundreds of SaaS apps demand the deepest catalogue
  • A dedicated identity team will run it
  • Governance depth (PAM, IGA) is a hard requirement today

Choose Entra ID if…

  • You're E3/E5 licensed with Intune deployed
  • Microsoft-native conditional access suffices

Choose Scalefusion OneIdP if…

  • Your fleet runs Scalefusion, not Hexnode
  • Same device-trust thesis — see its TechBag intel page
  • JIT admin elevation is needed today, not on a roadmap

Choose JumpCloud if…

  • You're replacing Active Directory outright
  • Directory-first convergence fits better than device-first
Do the math

What does access chaos cost you?

Drag the sliders. Estimates assume ~2.5 IT-hours per user per year on password resets, access requests, app provisioning and offboarding checklists, with ~60% removed by SSO, device-gated automation and lifecycle management — illustrative and conservative.

300
2510,000
800
₹300₹2,000

Loaded cost = salary + overheads per productive hour. Illustrative only — your TechBag quote models actual device counts and modules.

Current annual access-admin cost
₹6,00,000
Estimated annual savings
₹3,60,000
₹18,00,000 over 5 years
Turn this into a real quote →
Pricing & plans

Three ways to consume it

Hexnode IdP prices as a fabric-native layer. TechBag turns any UEM + identity mix into a GST-compliant quote.

IdP layer

Best for the identity layer alone

  • Fabric-native pricing on Hexnode UEM
  • SSO, MFA, device-trust conditional access
  • Monitor-mode rollout supported

UEM + IdP

Best for device-gated zero trust

  • The intended pairing — full signal fidelity
  • One agent, one console, one bill
  • Retires the third-party IdP line item

The full fabric

Best for platform consolidators

  • Add XDR — threat-state gates access
  • Manage, defend and gate on one agent
  • TechBag negotiates the bundle

Buy it for less — TechBag pricing beats list

Whatever the list prices above, TechBag negotiates a significantly better deal — with GST-compliant INR invoicing and local support. Ask us for your discounted quote.

Get a discounted quote →

Get an India-ready quote

Tell us your device counts and current tools — we’ll model Hexnode against what you spend today.

Get Quote
Evaluation kit

The 8 questions to ask every IAM vendor

Take this into your next vendor call — including ours.

1
Signal truth

Which device signals feed the Trust Engine, at what freshness — and watch a stale-posture edge case handled live.

2
Block-rule drill

Attempt login from an unenrolled device and a deliberately non-compliant one. Verify both bounce, with sane user messaging.

3
Revocation timing

Break compliance mid-session and time the revocation. 'Instant' is a claim — measure it.

4
App coverage

Which of OUR apps are in the SSO catalogue today, and what does manual SAML/OIDC setup cost for the rest?

5
Roadmap honesty

Adaptive access, JIT provisioning and risk analysis are announced — get dates in writing, buy on today's scope.

6
Lockout path

Walk the CFO-locked-out scenario: recovery flow, help-desk override, audit entry.

7
XDR leverage

If you run Hexnode XDR: demo threat-flag → access-revoked → remediated → restored, end to end.

8
Licence math

Price the fabric against your current IdP + MFA + device-trust add-on lines. Bring the renewal notices.

FAQ

Questions buyers ask

Mitsogo's native identity provider, launched March 2026: centralized authentication, SSO and MFA across users, devices and applications, with access decisions powered by the proprietary Device Trust Engine — real-time device posture from Hexnode UEM. Unenrolled or non-compliant devices are blocked at login, posture is verified continuously, and access revokes instantly when risk conditions change.

Ready to evaluate Hexnode IdP?

Get a quote, scope a monitor-mode pilot on a user ring, or bring your IdP renewal notice and let a TechBag advisor model the consolidation.

Stats, ratings, review counts and pricing are illustrative and sourced from public materials; verify before purchase.