The native identity layer of the Hexnode fabric — logins judged by the Device Trust Engine, verified continuously, revoked the instant risk changes.
How it’s rated
Full scoreboard ↓Quick answer
Hexnode IdP is Mitsogo's native identity provider, launched March 2026: centralized login, SSO and MFA across users, devices and applications, powered by Hexnode's proprietary Device Trust Engine — logins from unenrolled or non-compliant devices are blocked, device posture is verified continuously, and access is revoked the moment risk conditions change. It completes the Hexnode fabric (UEM + XDR + IdP) and removes the premium third-party IdP licences most stacks bolt on for core access control. Roadmap: adaptive access, just-in-time provisioning, risk analysis.
This page covers Hexnode IdP — the identity layer. The rest of the family rides the same fabric:
Most product pages skip this. We start here — so you buy a capability, not a buzzword.
An identity provider (IdP) is the system that authenticates your people — the directory that knows them, the SSO that logs them in once, the MFA that challenges them, and the policies that judge context.
“Native” is Hexnode’s point: the IdP lives inside the same fabric that manages devices and detects threats, so device trust and threat state feed access decisions without integration glue — and without the premium third-party IdP licence."
What consolidation actually replaces, dimension by dimension.
| Dimension | Third-party IdP + MFA and hope | Native device-trust IdP (Hexnode) |
|---|---|---|
| Login decision | Password + MFA — the device is a mystery | Password + MFA + Device Trust Engine verdict |
| Unknown device | Logs in fine, worries you later | Blocked at login — unenrolled means no entry |
| Verification | Once, at login, then trusted for hours | Continuous — access revokes when risk changes |
| Threat response | Security tool flags; identity tool never hears | XDR flag can revoke access in the same fabric |
| Deployment | An identity programme with services quotes | A policy change on the agent already installed |
| Licensing | Premium third-party IdP per user, forever | Core access control inside the platform |
| Offboarding | A checklist of apps someone forgets | One switch cuts every session |
| Vendors | UEM + IdP + security, three renewals | One fabric, one bill via TechBag |
Rollout is incremental — monitor-mode first, then enforcement ring by ring. Nobody gets locked out on day one.
Vendors love diagrams; buyers need to know what they’re actually operating. Here’s the whole platform, demystified.
Centralized login, SSO and MFA across users, devices and applications — one identity layer inside the framework the fleet already runs.
Real-time device posture from Hexnode UEM feeds every access decision — enrollment, compliance, encryption, policy state. Trust is measured, not declared.
Context-aware rules: unenrolled or non-compliant devices are blocked at login, and policies adapt by user, app and risk condition.
Posture is re-verified continuously — when a device drifts out of compliance or XDR flags a threat, access revokes instantly, mid-session.
Identity lifecycle managed in the same fabric — provisioning on arrival, one switch cutting every session at exit. JIT provisioning arrives on the roadmap.
One agent on every machine, one console over all of them — modules attach without a second operational world.
Hexnode IdP replaces the premium third-party IdP + MFA bolt-on + integration glue with identity native to the fabric your fleet runs.
One login across users, devices and applications — the fragmented password estate collapses into a single governed identity.
SSO across the corporate app catalogue — one session to govern, one revocation point at exit, zero password-reuse sprawl.
Factor policies by user group and app sensitivity — MFA as the floor of every access decision, not an optional add-on licence.
The signature: real-time posture from Hexnode UEM — enrolled, compliant, encrypted, in-policy — weighed in every single access decision.
Unenrolled device? Non-compliant device? Login blocked — access is granted to trusted endpoints only, by policy rather than hope.
Posture is verified continuously, not just at login — a device that drifts out of compliance loses access mid-session, instantly.
Rules by user, app, device state and risk condition — the finance app can demand more trust than the lunch-menu portal.
When risk conditions change — compliance drift, XDR threat flag, exit — access revokes the moment the condition fires, not at next login.
Joiners provisioned by group, movers re-scoped, leavers cut at one switch — the offboarding checklist becomes a single action.
Core access control without the premium IdP add-on licences — the line item most stacks pay Okta-or-equivalent for, absorbed into the fabric.
Hexnode XDR's threat state can feed access decisions — a critical-risk device loses app access until it's remediated. The fabric's best trick.
Announced expansions: adaptive access controls, just-in-time provisioning and risk analysis — the cadence that shipped XDR and IdP in six months is the evidence.
A concept primer, an independent platform review and the founder story behind the fabric.
Hexnode's platform pitch, from Hexnode.
An outside look at the Hexnode platform the IdP layer completes.
The founder-led conviction behind the UEM → XDR → IdP platform build-out.
Want a live, India-context walkthrough on your own fleet?
Book a guided demo →Here’s what genuinely sets Hexnode IdP apart from the pure-play identity stack.
Every IdP asks who you are. Hexnode IdP also asks what the device can prove — live enrollment, compliance and policy state from the UEM, weighed in every access decision by the Device Trust Engine.
Most zero trust is a login ceremony. Here posture is re-verified continuously and access revokes mid-session the moment risk changes — compliance drift or an XDR flag included.
Core access control — SSO, MFA, device-trust conditional access — without the premium third-party IdP licences most stacks bolt on. The CFO understands this page fastest.
UEM manages, XDR defends, IdP gates — one agent, one console, one vendor. A threat flag can revoke access; a compliance fix restores it. Nobody integrates their way to this.
The trust signals come from the agent Hexnode UEM already installed — enforcing device-gated access is configuration, not an identity programme with a services quote.
XDR in September 2025, IdP in March 2026, with adaptive access, JIT provisioning and risk analysis announced — Mitsogo is compounding the platform at startup pace with 13-year-old fundamentals.
TechBag advisors map your apps, current IdP spend, device fleet and compliance posture — the census usually finds the licence line Hexnode IdP retires.
SSO on 3-5 core apps, MFA policies set, Device Trust Engine in monitor mode — trust verdicts logged, nothing enforced yet.
Compliance-based blocking flips on user ring by user ring; continuous verification live; XDR threat-gating wired where the fabric runs.
Full catalogue behind SSO, unenrolled devices bounced at the gate, lifecycle governed. TechBag manages renewals across the fabric.
Trusted across industries in 100+ countries
Modelled on Gartner Peer Insights structure. *Counts and breakdowns are illustrative pending verified review collection.
“Device-gated login went live in a week because the trust signals were already flowing from UEM. Our previous IdP quote had a services line longer than the licence line.”
“The block rule is beautifully blunt: not enrolled, not compliant, not getting in. Shadow devices disappeared from our access logs in a month.”
“Mid-session revocation is the real zero trust — a laptop that drifted out of encryption policy lost app access before the user noticed the popup.”
“We dropped a per-user premium IdP licence for core access control. The consolidation maths did the selling.”
“It's new — the SSO app catalogue needed manual SAML setup for two of our longer-tail tools. Support turned both around in days.”
“XDR flag → access revoked → remediated → access restored, all in the same fabric. Watching that loop run convinced our auditors more than any slide.”
“Roadmap features (JIT provisioning, adaptive access) matter to us and aren't here yet — buy on today's scope, but the six-month XDR→IdP cadence earns benefit of the doubt.”
“One vendor for manage, defend and gate means one throat to choke — and via TechBag, one GST invoice. Procurement loved it more than IT did.”
Analyst firms bury this view behind paywalls, and G2 retired its Grid. So here’s TechBag’s synthesis of the IAM market — tap any vendor to see why it sits where it does.
Execution strength vs product vision — the classic market map, minus the paywall.
The newest device-trust IdP, with the one feature nobody else has: its own XDR firing revocations. Momentum is the bet — this page's subject.
The grid nobody publishes — identity power vs how much programme it takes to wield it.
Device-trust + threat-state depth at policy-change deployment weight — catalogue youth is the honest trade.
Positions are TechBag’s illustrative synthesis of public review-platform data and vendor documentation — not a reproduction of any analyst graphic. Verify before relying on it.
This matrix names the rival fabric (Scalefusion OneIdP) beside the pure-plays — because your UEM choice usually decides your IdP, and we broker both.
| Dimension | Hexnode IdP | Okta | Microsoft Entra ID | Scalefusion OneIdP | JumpCloud |
|---|---|---|---|---|---|
| Heritage & focus | UEM-native IdP (2026) | The IAM pure-play | Microsoft's identity spine | UEM-driven IAM (2024) | Directory-first convergence |
| Device-trust signals in login | Device Trust Engine | Via integrations | Native with Intune | Native via UEM | Native |
| Continuous verification | Core design | Session policies | CAE in P2 | Continuous | Periodic |
| Threat-state integration | Native via Hexnode XDR | Via partner EDRs | Native via Defender | Via Veltar posture | Via integrations |
| SSO & app catalogue | Core apps + SAML/OIDC | 7,000+ integrations | Massive | Core apps + standards | Broad |
| Deployment lift | Policy change | A programme | Bundled but sprawling | Policy change | Moderate |
| Governance & lifecycle | Lifecycle + roadmap JIT | Mature + PAM add-ons | PIM in P2 | JIT shipped | Growing |
| Licensing economics | Fabric-native pricing | Premium per-user stacks | Bundled-or-tiered | Per-user attach | Per-user bundles |
| Best fit | Hexnode estates & fabric buyers | Enterprise app sprawl | M365-committed orgs | Scalefusion estates | AD replacement projects |
Honest fit signals — because the fastest way to lose your trust is to pretend one product wins every scenario.
Drag the sliders. Estimates assume ~2.5 IT-hours per user per year on password resets, access requests, app provisioning and offboarding checklists, with ~60% removed by SSO, device-gated automation and lifecycle management — illustrative and conservative.
Loaded cost = salary + overheads per productive hour. Illustrative only — your TechBag quote models actual device counts and modules.
Hexnode IdP prices as a fabric-native layer. TechBag turns any UEM + identity mix into a GST-compliant quote.
Best for the identity layer alone
Best for device-gated zero trust
Best for platform consolidators
Whatever the list prices above, TechBag negotiates a significantly better deal — with GST-compliant INR invoicing and local support. Ask us for your discounted quote.
Tell us your device counts and current tools — we’ll model Hexnode against what you spend today.
Take this into your next vendor call — including ours.
Which device signals feed the Trust Engine, at what freshness — and watch a stale-posture edge case handled live.
Attempt login from an unenrolled device and a deliberately non-compliant one. Verify both bounce, with sane user messaging.
Break compliance mid-session and time the revocation. 'Instant' is a claim — measure it.
Which of OUR apps are in the SSO catalogue today, and what does manual SAML/OIDC setup cost for the rest?
Adaptive access, JIT provisioning and risk analysis are announced — get dates in writing, buy on today's scope.
Walk the CFO-locked-out scenario: recovery flow, help-desk override, audit entry.
If you run Hexnode XDR: demo threat-flag → access-revoked → remediated → restored, end to end.
Price the fabric against your current IdP + MFA + device-trust add-on lines. Bring the renewal notices.
Get a quote, scope a monitor-mode pilot on a user ring, or bring your IdP renewal notice and let a TechBag advisor model the consolidation.
Stats, ratings, review counts and pricing are illustrative and sourced from public materials; verify before purchase.