"Unfortunately, the default way to get identity information into a SaaS is to administer directly," said Kreizman. "A FTP or a might be involved." Dropbox is a service that has suffered several security failures, including one this week involving a password-management problem that left user information exposed.

Companies today wanting to extend their corporate identity management systems to the cloud can seek to extend corporate identity-management systems, such as those from CA (which acquired Arcot Systems) or IBM, to specific cloud providers, if it's supported, in a hybrid arrangement. In addition, Exostar and Covisint fall into a realm now called a "community federation hub" to serve specific types of groups, in this case mainly aerospace, defense, auto manufacturing and healthcare. "It's a collection of users willing to pay for identity services under established federations and SaaS providers," Kreizman said.

There's a stampede of new choices racing into the identity-management market to hook up to the cloud, creating a "volatile market" and even "kind of a Wild West here," said Kreizman.

Among the players are Okta, Clavid, Symplified, Onelogin, Ping Identity (which also offers stand-alone federation software) and Nordic Edge (acquired by Intel). Some traditional identity and access management vendors, including Fisher International, idEntropy, Novell and Lighthouse, are selling packages and services for the benefit of cloud providers and customers.

VMware last August acquired TriCipher with the expectation of giving customer easier controls for SaaS in the future. And RSA technologies are expected to be leveraged in the cloud-trust authentication system that's expected to go into beta soon.