Rationale
Okta is the IAM platform we use for managing access to the hundreds of applications used across our company. It allows us to grant access to applications without disclosing credentials, while maintaining a least-privilege approach.
The main reasons why we chose it over other alternatives are:
- It is SaaS, allowing us to forget about maintaining the infrastructure it relies on.
- Being an SSO platform, talent only need to remember their Okta password. Everything else can be accessed once they are signed in.
- It provides a universal directory that allows us to have users, departments, applications and permissions in a single place.
- It supports multi-factor authentication using OTPs that regenerate every thirty seconds and push notifications through its Okta Verify app on both iOS and Android.
- As multi-factor authentication can be done on the user's phone, we do not need to manage independent hardware security tokens.
- Its multi-factor authentication uses OOBA (out-of-band authentication), a state-of-the-art authentication process that uses two different communication channels: one for the application itself and a separate one for the verification method. This reduces the chances of identity theft, as an attacker would need to compromise both channels.
- It enforces biometric MFA (face or fingerprint) if the device supports it.
- It supports serverless automatic provisioning, allowing us to keep other directories from services like Google Workspace and AWS IAM automatically synchronized without additional effort.
- It supports SAML and OAuth, allowing us to give users access to applications without having to manage credentials.
- It supports thousands of preconfigured integrations.
- It provides in-depth reports and logging regarding security and overall user usage.
- It provides a RADIUS agent for authenticating against external infrastructure such as VPNs.
- It allows strong password enforcement.
- It can be managed using Terraform.
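The last two points, strong password enforcement and management through Terraform, as an added example that is not part of this page and not Okta's own documentation. It uses the okta/okta Terraform provider's `okta_group` and `okta_policy_password` resources (attribute names as in that provider; check them against the provider version you pin); the org name and API token are placeholders passed as variables, the "Engineering" group is hypothetical, and the numeric policy values are constructed for illustration.

```hcl
# Added example: not from this page or from Okta. Assumes the okta/okta
# Terraform provider; org name and API token are placeholders supplied as
# variables, and the policy values are constructed for illustration.
terraform {
  required_providers {
    okta = {
      source = "okta/okta"
    }
  }
}

variable "okta_org_name" {
  type = string # placeholder, e.g. "example-org"
}

variable "okta_api_token" {
  type      = string
  sensitive = true # never commit; pass via TF_VAR_okta_api_token
}

provider "okta" {
  org_name  = var.okta_org_name
  base_url  = "okta.com"
  api_token = var.okta_api_token
}

# The built-in "Everyone" group, used to scope the policy to all users.
data "okta_group" "everyone" {
  name = "Everyone"
}

# A hypothetical group that applications are later assigned to, so access
# is granted per group rather than per user (least privilege).
resource "okta_group" "engineering" {
  name        = "Engineering"
  description = "Engineering department (managed by Terraform)"
}

# Strong password policy applied to everyone.
resource "okta_policy_password" "strong" {
  name        = "Strong passwords"
  status      = "ACTIVE"
  description = "Baseline password requirements for all users"

  password_min_length           = 14
  password_min_lowercase        = 1
  password_min_uppercase        = 1
  password_min_number           = 1
  password_min_symbol           = 1
  password_exclude_username     = true
  password_history_count        = 10
  password_max_lockout_attempts = 5
  password_auto_unlock_minutes  = 30

  groups_included = [data.okta_group.everyone.id]
}
```

Keeping the policy in Terraform means `terraform plan` reveals any change made by hand in the admin console (drift), and the review of a pull request becomes the approval step for relaxing a password rule. The API token should belong to a dedicated service account holding only the admin roles the managed resources require.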
Alternatives
- OneLogin: We used it for three years. It did not support as many integrations, and its automatic provisioning was not as flexible.
- Duo: It did not support as many integrations, and its automatic provisioning was not as flexible.
- Authentik: It did not support as many integrations. It did not support automatic user provisioning to Google Workspace, which would force us to keep its directory manually synced with Google. It is not part of the Cloudflare ZTNA IAM list, which would force us to use a generic approach to provisioning users.
Usage
We use Okta for:
- Managing apps, groups, users and permissions
- Managing AWS roles with SAML
We do not use Okta for:
- Managing users via the universal directory: we are currently migrating back from JumpCloud.
- Managing RADIUS: the Okta RADIUS Agent only supports PAP as the authentication protocol, which is why we decided to look for other RADIUS providers once the migration back from JumpCloud is finished.