Okta - Any thoughts?

rgerman
Contributor

Our user base is small compared to many of the users I see posting on this forum. I have about 60 users and could potentially have another 60 or more by next year. I am starting to feel some provisioning lifecycle pains with all of the cloud services, 365, Slack, Trello and numerous others. For the administrators using okta, is there a minimum company size or tipping point where okta makes sense? It looks like a significant project to set up but the benefits and automation look very attractive. I would love to hear any input from the community on how they are dealing with SSO and life cycle management.

5 REPLIES 5

mrben
New Contributor III

The sooner the better if it's within your budget. We use it to manage IAM for thousands of employees and millions of customers/advocates/developers/community. It replaced a hodgepodge of legacy apps LDAP sync scripts.

Madmax85
New Contributor III

We use Okta as our main idP. When I started at my current company, we had around ~80 employees and Okta was already in place. It took some getting used to but once I learned the ropes it was easy to manage. We are continually adding more apps to Okta if they support SSO. It's especially great if the apps support provisioning (which some do including Slack, Trello and 365). Of course, as you grow you may need to create rules and groups that fit your needs. As far as whether it makes sense with 60 users, that's a tough call. I'm nearly certain that we had it in place before we hit 60 people and as we've grown I've found it much easier to manage than some other solutions. Keep in mind that we also use some other automation tools for tasks (like new hire provisioning) that connect to Okta and a lot of other cloud apps.

tlarkin
Honored Contributor

So here are the pros/cons from my personal experience, so take with a grain of salt.

Tech like LDAP is pretty ancient, but still widely used. Also, LDAP does take some effort to setup and maintain, and while it is great for auth and attributes, it doesn't always really play nice with federation auth to a single point. With tech like SAML you now see lots of IdP solutions popping up, and for a newer Org, or a start up, these are more ideal than standing up LDAP. For one, LDAP in the cloud is still maturing. Azure AD is great, but it does not meet feature to feature of on prem AD.

Okta has some pretty solid features. SCIM provisioning probably being one of its best ones, but it also has a few lackluster things about it. However, and I think I shouldn't have to state this, all software and tech does. The Okta Verify App works pretty well with smart phones and even the Apple Watch. In fact, I think the Apple Watch is a much better UX than a Yubikey, but MFA is the important thing to note here. Nothing is perfect. The things that are pain points about Okta right now are:

  • doesn't support nested groups from AD/AAD
  • the AAD connector still doesn't quite work, so you can circumvent this with IaaS on prem AD in the cloud (not ideal) via an agent
  • There are no added security features like continual conditional access (and someone really needs to work on this, I think it is the future)
  • there is no way to natively cache credentials with out something like jamf connect for macOS, and caching credentials on Windows 10 does work but has caveats (PRT Token refresh issues) that are apparently being worked on in the current Okta Preview version. This is more of an Apple thing than an Okta thing overall, but it is annoying that Windows can mostly do this out of the box with little configuration and macOS cannot.
  • I do not know all the price points of every SSO/IdP out there, but I think Okta is one of the more expensive ones if that matters

That being said, if you are a new company and have nothing IdP can get you going pretty quickly, and typically doesn't have the tech debt that LDAP may have. Overall, I think Okta is a solid product, as it works most of the time for us, it is not too hard to reset passwords and reset MFA for employees (which is great, because the longer and more difficult that process is, the crappier the end user experience is) and users can setup their MFA devices right in the web view with the Okta Verify App.

I will say I wish the integration was better with Okta and that Okta would invest into things like continual conditional access, where we could automate allowing/disallowing auth based on the state of the systems.

Robert_Lavender
New Contributor II

Yeah Okta is pretty solid, we have been using it for quite a long time now and Okta have fixed most of the issues we had with their product over the years, but i must state they tend to be very slow with development and the senior management within the company cannot decided on what direction/market to follow. The only real issue is the price and i think you have to pay extra for the provisioning feature now on supported Apps. Okta can integrate well with a lot of different products like F5 and 3rd party MFA's but they do tend to setup their product in a way that will make it difficult to migrate to an alternative. I would look into what Microsoft now offer as the market is maturing and Microsoft are pouring money into this area to dominate the field.

rgerman
Contributor

I really appreciate everyone sharing their real world experience. The details provided are invaluable. My take away is Okta will do the job, is a bit pricier and like anything else is not perfect. I haven't looked into Microsoft's solutions yet... but since everything is going to revolve around our AD, it is probably worth a hard look to see what they have been up to... If I find anything interesting or compelling, I will update this post. Once again, thank you for providing so much detailed information, its a huge help!