SSO: Okta vs Centrify

junderwood
New Contributor III

My company is considering an SSO solution and they've been looking at Okta. I've been urging them to consider Centrify since it seems to offer similar SSO services but also has some support built into JSS for AD binding.

Anyone use either of these for SSO? Anyone used Centrify for AD binding? How about MDM features? Would love to hear thoughts from users who have used one or both.

Ideally, we'd love to find something that makes AD binding more reliable and also has some sort of easy, Kerberos-based autosetup of Outlook 2011 based on AD creds while still serving as a good SSO for our online services. Does Centrify do all this? Maybe a combo of Okta and Centrify?

PS - one thing that concerns me about Okta is the apparent spam reviews here on JAMFNation (as has been discussed elsewhere). Spammy looking Okta reviews will be taken with a huge grain of salt.

15 REPLIES

chriscollins
Valued Contributor

Well you can see who I work for in my profile so take that as what you will for spammy-ness.

We use Okta and it works well. It ties in to a TON of services. Since it's all standards-based, though, pretty much everything they support SHOULD be supported by Centrify. But I think Okta has more experience with this kind of service right now.

We have also used Centrify in the past for binding. To be honest we already have Casper so we didn't need the management features of their product (and yeah, you can manage MCX based policies from a central AD snap-in, but in our environment that is why we have Mac admins so one central place of management for that is pretty pointless for us) and as far as binding goes in a lot of situations it would work around AD issues in our environment better but then we'd find issues where it had more problems. Like in our environment users couldn't change their passwords over VPN. (An /etc/resolv.conf + built in Cisco VPN issue that the built in AD plugin doesn't have a problem with.)

Also it is funny that everyone always has issues with the built-in AD plugin when a new OS comes out, but we found the same thing happened when our users (who are given more liberty with things than in other companies, I am sure) would upgrade their machine to a new OS without updating their copy of Centrify and lock themselves out of the machine until it was updated. And sometimes we experienced issues on our file servers and client machines where Centrify would cause opendirectoryd to go crazy until the server or machine was restarted. So you can be trading in one issue with the built-in plugin for another from Centrify.

Centrify doesn't do anything like auto-setup of Outlook for Mac using Kerberos. Centrify will get you Kerberos tickets just like the built-in AD plugin does, but you still have to script or manually set your preferences to use Kerberos.

pikeje
New Contributor

Have you checked out OneLogin? We actually talked with them today and went through a demo. Is there a reason they aren't being considered I should be aware of?

adamcodega
Valued Contributor

I know many colleagues of mine who have had OneLogin stability problems. They are trying to up their game but there are others in the same field who are already performing rock solidly.

junderwood
New Contributor III

Okta was the service my manager gravitated towards. I suggested Centrify because I manage a lot of the Casper duties and I noticed there was some built-in support for Centrify in Directory Binding Management Settings in the JSS. OneLogin may be an option too. Really just wanted to hear opinions from people who are already using these services in a JSS environment.

s_thompson
New Contributor

Been doing a similar evaluation myself. There are a number of good alternatives out there, I guess it just depends what you really want to do. We are evaluating SSO solutions and need to ensure solid AD bind for our Macs, but also need to enforce a few security settings on our Macs. We are also evaluating a solution to force a passcode and encryption for our iPads and make sure we can find them if they wander off. I was evaluating Okta for our SSO needs and a few MDM vendors as well.

We gave Centrify a try and found out they do most of what we are looking for. We get the ability to AD bind our Macs and in addition define policies in AD group policy manager to manage the configuration of the Macs. Haven't used a lot of policies yet, but looks like there is a lot you can do. We use it to configure printers and a few other things. There is an SSO portal for users that has a devices tab which lets users manage their own devices. This is where we discovered that we can also enroll our mobile devices. We are using it for iPads, but looks like it supports other devices as well. We just simply deployed some policies to encrypt the iPads and force a strong passcode and configure our wifi and email. Been a pretty decent solution so far. No iPads have gone stolen yet, but we've located a few that have wandered off or been lost.

Good luck with your decision.

-- Stone

junderwood
New Contributor III

Thanks for the input, everyone. We'll be meeting with reps from Centrify next week. When we mentioned our interest in finding AD binding solutions for our Macs, the Okta rep suggested we look into Centrify. That surprised us, that he would suggest a competitor. He very confidently pointed out, however, that he made the suggestion knowing full well their SSO services couldn't compete with Okta's, so he wasn't concerned about them selling us on anything more than AD binding. Since I have no experience with either service, I must confess I don't see clearly the advantage Okta has over Centrify in SSO. Do any of you?

rderewianko
Valued Contributor II

Disclaimer: I work for an SSO Provider
Okta and Centrify both have their place in their ecosystems.

Centrify's primary market for years was AD binding, and while it's a great plugin, I really don't see it doing that much more/worth the extra cost if you've already got Casper in place (unless you really feel a need to add a bit more complexity and manage Macs with AD). If you're looking for binding *nix, that's a whole separate ballgame. Their SSO platform is a new addition to their product list, so I'm undetermined on how well it works.

Where I work we do a native bind to the Mac. It works; our goal of providing one username/one password for our users has been achieved.

My colleague @slapaglia and I did a talk at last year's JNUC about what we did. @slapaglia then did a great Q&A session, where we too went back with some new ideas. Talk Here

Okta, on the flip side, doesn't have anything on the client side as towards managing machines. They are strictly managing your cloud apps, which is a totally different beast than Centrify's bread and butter (AD binding).

s_thompson
New Contributor

Interesting response from Okta, I'm surprised as well. Seems that Centrify's solution provides the AD bridging for Mac as well as policy management for both Mac and mobile devices through AD group policy. They also provide SSO for cloud / SaaS apps. Their SSO solution has a pretty cool integration with their mobile management and delivers multi-factor authentication in the form of notifications to enrolled mobile devices. Centrify's solution provides automated provisioning as well. You can get all of this in one product with Centrify, whereas with Okta, best I can tell, you just get the SSO for SaaS bit. According to the pricing on Centrify's site, it looks like their combined Mac / mobile management and SSO is cheaper than just the SSO stuff from Okta.

junderwood
New Contributor III

@rderewianko, thanks for the heads up on the talk link, I'll check that out.

Okta has quoted us cheaper for SSO and their service is definitely slick. Centrify's quote is slightly more expensive, but not a whole lot more when you consider all the Mac AD GPO capabilities.

At this point, having now seen both Okta and Centrify in demo, we're considering whether Centrify's AD GPOs are advantageous for us on top of JAMF or just redundant. We have a pretty extensive AD setup (at the behest of our higher-ups, who insist on AD over OD or even golden triangle), so we already have the groups and subgroups set up for email and staffing; more robust policy mgmt with those existing groups might be nice for us. Not sure.

I personally find working in JAMF tedious a lot of the time. The interface and layout is, imo, all over the place and often counterintuitive. The learning curve is fairly steep, especially if you have to jump into a big setup like ours (about 7500+ devices, dozens and dozens of policies and profiles). If we could move our accounts mgmt, binding, and config profiles to AD/Centrify and use JAMF for package policies only, that would actually make me happy--but not sure my leadership will think it's worth the investment.

dpcmiller
New Contributor

I think one thing to keep in mind with your evaluation is Centrify has come a long way from being the best solution for AD binding and Group Policy on Mac. It now includes SSO for SaaS apps as well as a full MDM for iOS and Android. So really you get more than the Okta solution for SSO plus the benefit of the other integrated capabilities without needing additional point solutions. In looking at the packaging and pricing on both vendor’s websites, with Centrify you get the SaaS identity piece (SSO, MFA, provisioning, etc.) plus Mac management plus MDM at a lower price vs. what you pay to get Okta that really just does the SaaS piece (i.e. they have no Mac piece and their MDM appears quite new and quite light), but you should confirm that by getting a quote from each vendor.

junderwood
New Contributor III

Thanks @dpcmiller. At this point, Okta's offer is cheaper for us, but Centrify isn't much more expensive and does have more varied and extensive offerings. However, one thing Centrify doesn't have (at least right now) is the ability for users to reset their forgotten password via Self Service. This is huge for us and for whatever reason, Okta has figured this out and Centrify has no solution. We haven't made a decision, but I think I have a clear picture of what our options are--and the input from JAMFNation has been helpful!!!

dpcmiller
New Contributor

Actually the new Centrify Cloud User Portal which is included with the Centrify subscription has user self service capabilities such as password reset (via the login screen before the password is entered) as well as changing a password once you have logged in, doing remote wipe or lock, policy push and enforcement, app inventory etc. Hopefully that is along the lines of what you are looking for.

Chubs
Contributor

Sorry to chime in on an older thread, but I'd like to throw my $.02 in here. We're currently utilizing Centrify Express since it's free and everything that the Centrify DC Console can do can be done via scripts. Everything that we use Centrify for is automated via the JSS and has been working wonderfully. SSO works great with SMB and AFP.

The reason why we went with Centrify is because our Infrastructure Services department wouldn't install the AD schema extensions for Mac. We've had the Macs joined to the domain for quite some time with consistent issues of the "falling out" or dropping from the domain. With Centrify, we haven't had a lick of issues. We didn't go with any other vendors due to cost.

I recommend Centrify Express for those needing a freebie and for those not afraid of terminal (bash/shell) scripting.

As far as your Outlook Setup, get comfortable with shell scripting. It'll be more reliable in the long run to manually do this via Casper.

I find your lack of faith disturbing

Kallendal
New Contributor III

OKTA has been working well for us. But glad you brought up Centrify as an alternative. Never realized they were using SSO technology now.

mwoodruff
New Contributor III

Update: Casper Suite v9.93 was released today with full SAML support, including Okta and ADFS.

Casper Suite 9.93 Release Notes

Configure SAML support for Okta
Configure SAML support for ADFS