Okta Identity Management, an excellent identity management service that begins at $2 per user per month, is one of the big names in the Identity-Management-as-a-Service (IDaaS) space, even earning top marks in a 2016 Gartner Magic Quadrant report. While kudos from an industry analyst firm can be an indicator of a strong product, most potential users are more concerned with features and pricing, areas in which Okta doesn't disappoint either. Pricing tiers range from $2 to $8 per user per month, although key features such as multifactor authentication (MFA) and automated Software-as-a-Service (SaaS) application user provisioning require more than the Basic tier. Okta Identity Management handles integration with an existing Active Directory (AD) as well as any competitor in the business. But it really sets itself apart when integrating with multiple identity providers such as AD, Google Apps, Workday, and more. For all these reasons and more, Okta Identity Management is awarded Editors' Choice in this roundup of identity management services.
Setup and Configuration
Like most of the players in this space, one of the first steps in getting Okta Identity Management set up for your organization involves connecting the service to an existing AD domain. Okta Identity Management offers an AD agent that synchronizes user and security group objects to Okta’s cloud-based Universal Directory.
Installation of the agent consists of downloading the installer and walking through a wizard that requires you to input or confirm basics about your AD such as the domain name, service account name, and service account password. At the conclusion of the installation wizard, you are required to input your Okta Identity Management log-on information in order to initiate the connection between the agent and the Okta service. Once installed, the Okta Agent Manager application allows for basic maintenance tasks such as stopping and starting the agent, adding other domains to the service, and configuring a proxy server.
Okta Identity Management supports numerous sources of user information, each of which can be synced with the Okta Universal Directory. One of the more powerful features Okta Identity Management brings to the table is the ability to configure which data source is the master for each particular attribute. In many cases, AD will contain the majority of the master-level attribute data, but Okta Identity Management has the flexibility to pull an attribute from another source, reshape its formatting with Okta's expression engine, and push it into another application or directory. For example, Okta Identity Management could be configured to pull employee information from a human resources (HR) SaaS application, portions of which could be designated as master attributes. Those attributes could then be fed back down to AD, so that HR changes are populated automatically. The potential for this functionality is significant, especially in a world where automation is money in the bank.
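To make the per-attribute mastering concrete, here is an added example (not Okta's code; the source names, attribute names and sample profiles are constructed for illustration). Each attribute names the source that owns it, a conflicting value from any other source is ignored, a transform stands in for an expression-engine rule, and the write-back step never pushes an attribute to the source that masters it, which is what keeps HR and AD from overwriting each other in a loop.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set

Profile = Dict[str, str]


@dataclass
class MasteringRule:
    """Which connected source owns an attribute, plus an optional transform
    (a stand-in for an expression-engine rule) applied once all raw values
    are known. The source name "okta" is used here for derived attributes
    that no connected source owns (an assumption of this example)."""
    source: str
    transform: Optional[Callable[[Profile], str]] = None


def resolve_profile(sources: Dict[str, Profile], rules: Dict[str, MasteringRule]) -> Profile:
    """Build the unified profile.

    Mastered attributes come only from their master source; a conflicting
    value in any other source is ignored. Attributes with no rule fall back
    to the first source that carries them."""
    unified: Profile = {}
    for attr, rule in rules.items():
        value = sources.get(rule.source, {}).get(attr)
        if value is not None:
            unified[attr] = value
    for profile in sources.values():
        for attr, value in profile.items():
            if attr not in rules:
                unified.setdefault(attr, value)
    # Transforms run last so an expression can reference several attributes.
    for attr, rule in rules.items():
        if rule.transform is not None:
            unified[attr] = rule.transform(unified)
    return unified


def changes_for_target(target: str, unified: Profile, sources: Dict[str, Profile],
                       rules: Dict[str, MasteringRule], pushed: Set[str]) -> Profile:
    """Attributes to write down to `target`: only those it does not master
    and whose unified value differs from what it currently holds."""
    current = sources.get(target, {})
    return {
        attr: unified[attr]
        for attr in sorted(pushed)
        if attr in unified
        and (attr not in rules or rules[attr].source != target)
        and current.get(attr) != unified[attr]
    }


# Constructed sample data: AD masters the login and mail attributes, the HR
# system masters job data, and displayName is derived from the unified profile.
SOURCES: Dict[str, Profile] = {
    "ad": {"login": "dexample", "firstName": "Dana", "lastName": "Example",
           "email": "Dana.Example@EXAMPLE.COM", "title": "Engineer", "department": "IT"},
    "hr": {"firstName": "Dana", "lastName": "Example-Smith", "title": "Staff Engineer",
           "department": "Platform", "employeeNumber": "10042"},
}
RULES: Dict[str, MasteringRule] = {
    "login": MasteringRule("ad"),
    "email": MasteringRule("ad", transform=lambda p: p["email"].lower()),
    "lastName": MasteringRule("hr"),
    "title": MasteringRule("hr"),
    "department": MasteringRule("hr"),
    "employeeNumber": MasteringRule("hr"),
    "displayName": MasteringRule("okta", transform=lambda p: f"{p['firstName']} {p['lastName']}"),
}

UNIFIED = resolve_profile(SOURCES, RULES)
# What the HR-mastered changes look like when pushed down into AD.
AD_CHANGES = changes_for_target("ad", UNIFIED, SOURCES, RULES,
                                pushed={"email", "lastName", "title", "department", "displayName"})
```

Note that `email` is in the push set but does not appear in `AD_CHANGES`: AD masters it, so the lower-cased transform flows outward to other targets and never back into AD.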
The AD agent facilitates the log-on process by maintaining an active session with the Okta Identity Management service. When a user attempts to log on to their single sign-on (SSO) portal, the agent relays their credentials to a corporate AD domain controller for validation, so the AD password is checked by the domain controller rather than by a copy held in Okta. Because the agent initiates that connection outbound from inside the corporate network, no inbound firewall rules are needed to let Okta reach the domain controllers, allowing you to maintain security without adding complexity to the configuration process.
Over and above the AD agent, Okta Identity Management offers an optional password synchronization tool that updates the password of the user's Okta Identity Management account, and potentially their SaaS application account passwords, when the AD password is changed. Because a password change can be written on any writable domain controller, the password sync tool must be installed on each of the domain controllers in your organization in order to fully capture password changes. Clearly, this functionality will give some security personnel nightmares, but it's not unusual among IDaaS providers. For instance, Windows Azure Active Directory (Azure AD) does password hash synchronization by default, though it doesn't require a software installation on all domain controllers.
Once the AD agent is installed and the directory integration settings are configured, you can begin importing users, a process that, by default, runs on a schedule. During the import, Okta Identity Management sorts each incoming user according to whether they match an existing Okta Identity Management account exactly, match one partially, or match none at all. Depending on your organizational needs, you can configure how each of these categories is handled, automating the import for specific scenarios or requiring an administrator to confirm the match so the account is properly provisioned.
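The exact / partial / no-match sorting described above, as an added example that is not Okta's code: the match criteria (login or e-mail for an exact match, first and last name for a partial one), the per-category actions and the sample accounts are all assumptions of this example. The security-relevant choice is the default for partial matches: auto-linking on a name alone would let a newly created directory account inherit an existing user's application access, so a name-only match is held for review, and an ambiguous match is held for review whatever the policy says.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, NamedTuple, Tuple


class Match(Enum):
    EXACT = "exact"      # same login or e-mail as an existing account
    PARTIAL = "partial"  # same first and last name only
    NONE = "none"


class Action(Enum):
    LINK = "link"      # attach the imported user to the existing account
    CREATE = "create"  # provision a new account
    REVIEW = "review"  # hold for an administrator to decide


@dataclass(frozen=True)
class User:
    login: str
    email: str
    first: str
    last: str


class Decision(NamedTuple):
    imported: User
    match: Match
    action: Action
    candidates: List[User]


# Default handling: only an exact match is linked automatically.
DEFAULT_POLICY: Dict[Match, Action] = {
    Match.EXACT: Action.LINK,
    Match.PARTIAL: Action.REVIEW,
    Match.NONE: Action.CREATE,
}


def classify(imported: User, existing: List[User]) -> Tuple[Match, List[User]]:
    """Compare case-insensitively on login and e-mail first, then on name."""
    login, email = imported.login.lower(), imported.email.lower()
    exact = [u for u in existing if u.login.lower() == login or u.email.lower() == email]
    if exact:
        return Match.EXACT, exact
    name = (imported.first.lower(), imported.last.lower())
    partial = [u for u in existing if (u.first.lower(), u.last.lower()) == name]
    if partial:
        return Match.PARTIAL, partial
    return Match.NONE, []


def plan_import(imported: List[User], existing: List[User],
                policy: Dict[Match, Action] = DEFAULT_POLICY) -> List[Decision]:
    """Apply the per-category policy, but never auto-link when more than one
    existing account is a candidate: that is always an administrator's call."""
    decisions = []
    for user in imported:
        match, candidates = classify(user, existing)
        action = policy[match]
        if action is Action.LINK and len(candidates) != 1:
            action = Action.REVIEW
        decisions.append(Decision(user, match, action, candidates))
    return decisions


EXISTING = [  # constructed sample accounts already in the identity store
    User("jdoe", "jdoe@example.com", "Jane", "Doe"),
    User("robin.lee", "robin.lee@example.com", "Robin", "Lee"),
    User("asmith", "asmith@example.com", "Alex", "Smith"),
    User("asmith2", "alex.smith@example.com", "Alex", "Smith"),
]
IMPORTED = [  # constructed sample users arriving from the directory import
    User("JDOE", "jane.doe@example.com", "Jane", "Doe"),             # exact: login matches
    User("rlee", "rlee@example.com", "Robin", "Lee"),                # partial: name only
    User("alex.smith", "alex.smith@corp.example", "Alex", "Smith"),  # partial and ambiguous
    User("nnew", "n.new@example.com", "Nia", "New"),                 # no match
]
# A looser policy that links on a name match; the ambiguity guard still applies.
PERMISSIVE_POLICY = {**DEFAULT_POLICY, Match.PARTIAL: Action.LINK}
```

Run `plan_import(IMPORTED, EXISTING)` for the default outcome and `plan_import(IMPORTED, EXISTING, PERMISSIVE_POLICY)` to see the name-only match linked while the two-candidate case is still held for review.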
Like most of its competition, Okta Identity Management supports the Security Assertion Markup Language (SAML) standard for SSO authentication to applications. Password vaulting is also supported for SaaS applications that don’t support SAML. Adding SaaS applications to the user portal requires that the application first be added and then configured. The SAML application provisioning process requires both Okta Identity Management and the application to be configured to communicate with each other. Okta Identity Management provides the necessary steps (complete with screenshots) to enable and configure SAML authentication within the SaaS application you’re configuring.
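The configuration steps above set up the IdP and the SaaS application to trust each other; what the application must then do with each assertion it receives is the part that goes wrong most often. The following is an added example, not code from Okta or from any SaaS vendor: the checks a SAML service provider (SP) performs on a bearer assertion after its XML signature has been verified. The assertion, issuer, entity ID and ACS URL are constructed sample values. Signature verification is left to an XML-DSig library (the standard library has none), and `xml.etree` should be replaced by `defusedxml` in production because of XXE.

```python
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree in production (XXE)
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text: str, *, expected_issuer: str, sp_entity_id: str,
                       acs_url: str, now: datetime, seen_ids: Set[str],
                       request_id: Optional[str] = None,
                       skew: timedelta = timedelta(seconds=0)) -> List[str]:
    """Return the failed checks (an empty list means the assertion is acceptable).

    Assumes the XML signature has already been verified against the IdP
    certificate taken from federation metadata, never against a certificate
    embedded in the assertion itself."""
    errors: List[str] = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML}}}Assertion":
        return ["root element is not a saml:Assertion"]

    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        errors.append("issuer mismatch")

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        errors.append("no Conditions element")
    else:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now + skew < _ts(not_before):
            errors.append("assertion not yet valid")
        if not_on_or_after is None:
            errors.append("Conditions has no NotOnOrAfter")  # fail closed: no open-ended assertions
        elif now - skew >= _ts(not_on_or_after):
            errors.append("assertion expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:
            errors.append("audience does not include this SP")

    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        errors.append("no SubjectConfirmationData")
    else:
        if scd.get("Recipient") != acs_url:
            errors.append("recipient is not our ACS URL")
        if scd.get("NotOnOrAfter") and now - skew >= _ts(scd.get("NotOnOrAfter")):
            errors.append("subject confirmation expired")
        if request_id is not None and scd.get("InResponseTo") != request_id:
            errors.append("InResponseTo does not match the outstanding request")

    assertion_id = root.get("ID", "")
    if assertion_id in seen_ids:
        errors.append("assertion ID already consumed (replay)")
    elif not errors:
        seen_ids.add(assertion_id)  # consume the ID only once the assertion is accepted
    return errors


# Constructed, unsigned sample assertion (signature removed for brevity).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee01" Version="2.0" IssueInstant="2016-06-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/issuer</saml:Issuer>
  <saml:Subject>
    <saml:NameID>dana.example@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://app.example.com/saml/acs"
          InResponseTo="_req42" NotOnOrAfter="2016-06-01T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2016-06-01T11:59:00Z" NotOnOrAfter="2016-06-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://app.example.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

SP = dict(expected_issuer="https://idp.example.test/issuer",
          sp_entity_id="https://app.example.com", acs_url="https://app.example.com/saml/acs")


def demo() -> Dict[str, List[str]]:
    """Run the sample assertion through the checks at several points in time."""
    seen: Set[str] = set()
    t0 = datetime(2016, 6, 1, 12, 1, tzinfo=timezone.utc)
    return {
        "fresh": validate_assertion(SAMPLE_ASSERTION, now=t0, seen_ids=seen, request_id="_req42", **SP),
        "replay": validate_assertion(SAMPLE_ASSERTION, now=t0, seen_ids=seen, request_id="_req42", **SP),
        "late": validate_assertion(SAMPLE_ASSERTION, now=t0 + timedelta(minutes=5), seen_ids=set(), **SP),
        "wrong_sp": validate_assertion(SAMPLE_ASSERTION, now=t0, seen_ids=set(),
                                       **{**SP, "sp_entity_id": "https://other.example.com"}),
    }
```

The `seen_ids` set is what defeats replay of a captured assertion within its validity window; in a real SP it lives in shared storage with entries expiring at the assertion's `NotOnOrAfter`.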
One nice feature of the Okta Identity Management application catalog is the ability to configure a service once and then link to multiple applications within the service (such as Google Apps with Mail, Drive, Calendar, Sites, and your Google Account) from the user portal. The final step in enabling SSO through the user portal involves assigning the application to users or groups within your directory. Okta Identity Management supports some advanced features for users of their mobile app such as the ability to authenticate against certain mobile applications from the SaaS provider rather than a mobile webpage. These mobile access policies must be individually enabled for each application and mobile platform.
The user-facing portal can be branded by the admin team to match the organization's color scheme and graphics. Even log-on field labels, URLs, and Help files can be fully customized to provide the interface that best fits your organization. Once a user logs on to their user portal, they can organize their SSO applications, including adding personal accounts, creating tabbed collections, and even configuring specific applications to launch automatically when the user first logs on to the portal. A browser plug-in enables certain functionality such as password vaulting, and also provides direct links into SaaS applications without forcing the user to return to their SSO portal. If desired, administrators can even allow certain self-service functionality, such as password resets, to flow back down to AD.
MFA can be enabled in multiple forms including Okta Identity Management's Verify mobile application, Google Authenticator, RSA SecurID, and a handful of other options. Individual applications can be configured with sign-on policies that define who, where, and when MFA must be used. Sign-on policies can be created based on individual users or groups and location (by IP address), and can be required at varying frequencies (e.g., every sign-on, once per session, once a week, only once, etc.) depending upon the need. While I'm a big fan of having multiple configurable security policies, I don't really like the fact that Okta Identity Management keeps them tied to the application. Ideally, you should be able to create individual policies and then apply them to users and applications, making the constraints of the policy reusable and reducing the admin workload.
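As an added example (not Okta's code or policy model), here is the reusable shape the paragraph asks for: a policy is an ordered list of rules keyed on group membership and network location, each carrying an MFA frequency, and one policy object is attached to as many applications as needed. The group names, the TEST-NET address ranges used as "office" networks, the application names and the sign-on contexts are constructed. An unmatched sign-on fails closed to an MFA prompt rather than silently passing.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, FrozenSet, Optional, Tuple


class Frequency(Enum):
    EVERY_SIGN_ON = "every sign-on"
    PER_SESSION = "once per session"
    WEEKLY = "once a week"
    ONCE = "only once"


@dataclass(frozen=True)
class Rule:
    name: str
    groups: Optional[FrozenSet[str]] = None     # None: applies to any user
    networks: Optional[Tuple[str, ...]] = None  # CIDRs; None: applies from any location
    frequency: Frequency = Frequency.EVERY_SIGN_ON

    def applies(self, groups: FrozenSet[str], ip: str) -> bool:
        if self.groups is not None and not (self.groups & groups):
            return False
        if self.networks is not None:
            addr = ipaddress.ip_address(ip)
            if not any(addr in ipaddress.ip_network(n) for n in self.networks):
                return False
        return True


@dataclass(frozen=True)
class Policy:
    """Ordered rules; the first matching rule decides. Defined once, attached
    to any number of applications."""
    name: str
    rules: Tuple[Rule, ...]


@dataclass(frozen=True)
class SignOn:
    user: str
    groups: FrozenSet[str]
    ip: str
    now: datetime
    mfa_done_this_session: bool = False
    last_mfa_at: Optional[datetime] = None


def mfa_required(policy: Policy, ctx: SignOn) -> Tuple[str, bool]:
    """Return (matched rule name, whether to prompt for MFA now)."""
    for rule in policy.rules:
        if not rule.applies(ctx.groups, ctx.ip):
            continue
        if rule.frequency is Frequency.EVERY_SIGN_ON:
            return rule.name, True
        if rule.frequency is Frequency.PER_SESSION:
            return rule.name, not ctx.mfa_done_this_session
        if rule.frequency is Frequency.WEEKLY:
            return rule.name, ctx.last_mfa_at is None or ctx.now - ctx.last_mfa_at > timedelta(days=7)
        return rule.name, ctx.last_mfa_at is None  # Frequency.ONCE
    return "<no rule>", True  # fail closed


OFFICE = ("203.0.113.0/24", "198.51.100.0/24")  # constructed "corporate" ranges

STANDARD = Policy("standard", (
    Rule("admins always", groups=frozenset({"okta-admins"})),
    Rule("on network", networks=OFFICE, frequency=Frequency.PER_SESSION),
    Rule("off network", frequency=Frequency.EVERY_SIGN_ON),
))
LOW_RISK = Policy("low-risk", (Rule("anyone weekly", frequency=Frequency.WEEKLY),))

# One policy serves several applications; nothing is re-entered per app.
APP_POLICY: Dict[str, Policy] = {"Workday": STANDARD, "Salesforce": STANDARD, "Cafeteria Menu": LOW_RISK}


def decide(app: str, ctx: SignOn) -> Tuple[str, bool]:
    return mfa_required(APP_POLICY[app], ctx)


def demo() -> Dict[str, Tuple[str, bool]]:
    """Constructed sign-on attempts evaluated against the shared policies."""
    t = datetime(2016, 6, 1, 9, 0, tzinfo=timezone.utc)
    eng, admin = frozenset({"engineering"}), frozenset({"engineering", "okta-admins"})
    return {
        "office, MFA done this session": decide("Workday", SignOn("dana", eng, "203.0.113.10", t, mfa_done_this_session=True)),
        "office, new session": decide("Workday", SignOn("dana", eng, "203.0.113.10", t)),
        "coffee shop": decide("Salesforce", SignOn("dana", eng, "192.0.2.5", t, mfa_done_this_session=True)),
        "admin in office": decide("Workday", SignOn("sam", admin, "203.0.113.10", t, mfa_done_this_session=True)),
        "low-risk, MFA 3 days ago": decide("Cafeteria Menu", SignOn("dana", eng, "192.0.2.5", t, last_mfa_at=t - timedelta(days=3))),
        "low-risk, MFA 8 days ago": decide("Cafeteria Menu", SignOn("dana", eng, "192.0.2.5", t, last_mfa_at=t - timedelta(days=8))),
        "no rule matches": mfa_required(Policy("empty", ()), SignOn("dana", eng, "192.0.2.5", t)),
    }
```

Rule order matters: the admin rule sits first so that an administrator in the office is still prompted on every sign-on rather than picking up the per-session exemption meant for everyone else.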
Reporting might be Okta Identity Management's only weak point. Okta Identity Management's reporting engine is more about raw data than it is about charts and graphs. Where other vendors tend to provide administrators with a dashboard to see key indicators, Okta Identity Management gives a handful of color-coded indicators but then provides you with a wealth of log data that is fully searchable, sortable, and (best of all) downloadable. While it doesn't necessarily qualify as a reporting engine, particularly given its lack of customization and scheduling, the ability to consume so many types of raw information is refreshing. Compared to the other IDaaS products reviewed, Okta Identity Management doesn't offer the depth of information available, say, in Windows Azure Active Directory (Azure AD), nor do you get custom reports like the ones OneLogin offers. However, the information you can retrieve with Okta Identity Management is head and shoulders above what you can get with Ping Identity PingOne, and certainly more than what you can get with LastPass Enterprise.
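Downloadable raw sign-on data is more useful to a security team than a dashboard if they run detections over it. The following is an added example, not Okta's code or export format: the column layout, the user names and the events are all constructed, and the two detections (a password spray, where one source tries a few guesses against many accounts, and a brute force against a single account) are the ones a team would run over any sign-on export after mapping its real field names onto these columns.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO
from typing import Callable, Dict, List, NamedTuple

# Constructed sample export. The columns are this example's own, not any
# vendor's log schema; map the fields of a real export onto them.
SAMPLE_CSV = """timestamp,user,source_ip,result
2016-06-01T08:00:05Z,jdoe,203.0.113.10,SUCCESS
2016-06-01T08:01:11Z,asmith,203.0.113.11,SUCCESS
2016-06-01T08:02:00Z,jdoe,198.51.100.9,FAILURE
2016-06-01T08:02:30Z,jdoe,198.51.100.9,FAILURE
2016-06-01T08:03:00Z,jdoe,198.51.100.9,FAILURE
2016-06-01T08:03:30Z,jdoe,198.51.100.9,FAILURE
2016-06-01T08:04:00Z,jdoe,198.51.100.9,FAILURE
2016-06-01T08:04:30Z,jdoe,198.51.100.9,FAILURE
2016-06-01T08:05:00Z,jdoe,198.51.100.9,FAILURE
2016-06-01T08:10:00Z,asmith,192.0.2.77,FAILURE
2016-06-01T08:10:20Z,bchen,192.0.2.77,FAILURE
2016-06-01T08:10:41Z,dlee,192.0.2.77,FAILURE
2016-06-01T08:11:02Z,epatel,192.0.2.77,FAILURE
2016-06-01T08:11:25Z,fgarcia,192.0.2.77,FAILURE
2016-06-01T08:11:50Z,gkim,192.0.2.77,FAILURE
2016-06-01T08:12:10Z,hnakamura,192.0.2.77,SUCCESS
2016-06-01T09:30:00Z,bchen,203.0.113.12,FAILURE
2016-06-01T09:30:30Z,bchen,203.0.113.12,SUCCESS
"""


class Event(NamedTuple):
    ts: datetime
    user: str
    ip: str
    ok: bool


def parse_events(text: str) -> List[Event]:
    rows = csv.DictReader(StringIO(text))
    events = [Event(datetime.strptime(r["timestamp"], "%Y-%m-%dT%H:%M:%SZ"),
                    r["user"], r["source_ip"], r["result"] == "SUCCESS") for r in rows]
    return sorted(events, key=lambda e: e.ts)


def _max_in_window(items: List[Event], window: timedelta,
                   measure: Callable[[List[Event]], int]) -> int:
    """Largest measure(sub-list) over any run of events spanning at most `window`.
    `items` must be sorted by time; two pointers keep this linear."""
    best, j = 0, 0
    for i in range(len(items)):
        while j < len(items) and items[j].ts - items[i].ts <= window:
            j += 1
        best = max(best, measure(items[i:j]))
    return best


def password_sprays(events: List[Event], window: timedelta = timedelta(minutes=10),
                    min_users: int = 5) -> Dict[str, int]:
    """Source IPs that failed against at least `min_users` distinct accounts
    inside one window. Per-account thresholds never see a spray, because
    each account gets only one or two guesses."""
    fails_by_ip: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        if not e.ok:
            fails_by_ip[e.ip].append(e)
    found = {}
    for ip, fails in fails_by_ip.items():
        n = _max_in_window(fails, window, lambda s: len({e.user for e in s}))
        if n >= min_users:
            found[ip] = n
    return found


def brute_forces(events: List[Event], window: timedelta = timedelta(minutes=10),
                 min_failures: int = 5) -> Dict[str, int]:
    """Accounts with at least `min_failures` failed sign-ons inside one window."""
    fails_by_user: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        if not e.ok:
            fails_by_user[e.user].append(e)
    found = {}
    for user, fails in fails_by_user.items():
        n = _max_in_window(fails, window, len)
        if n >= min_failures:
            found[user] = n
    return found


def successes_from_spray_sources(events: List[Event], sprays: Dict[str, int]) -> Dict[str, List[str]]:
    """Accounts that signed in successfully from a spraying IP: the ones to
    reset first, since the spray probably found their password."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for e in events:
        if e.ok and e.ip in sprays:
            hits[e.ip].append(e.user)
    return dict(hits)
```

Run `password_sprays(parse_events(SAMPLE_CSV))` and `brute_forces(parse_events(SAMPLE_CSV))` on the sample: the spray from 192.0.2.77 touches six accounts once each, so it only shows up in the per-IP view, while the seven failures against jdoe only show up in the per-account view.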
Okta Identity Management’s pricing structure starts at a cost of $2 per user per month for their service, which provides the absolute basics. To get features such as MFA, self-service password management, user profile management, customizable attribute transformations, and security policies, you’ll need to step up to the $4 per user per month midlevel tier. For $8 per user per month, you can get access to basic provisioning features as well as custom federation from multiple sources. The Enterprise Plus tier requires you to call Okta for a quote but provides complete control over user information, including data transformation and the ability to define the master source for individual attributes. Volume discounts are available for customers with a large user base.
Okta Identity Management has a solid reputation in the IDaaS space and their service backs it up. Their robust support for multiple identity providers, coupled with how well they do everything else expected from an IDaaS solution, pushes Okta Identity Management to the top of the list. In particular, its ability to fine-tune how attributes are moved between your directories and cloud services is impressive, and enough to push Okta Identity Management over the top for an Editors’ Choice.