- Pros
Support for mobile device management (MDM) and geographic zones makes this a solid offering. Reporting functionality is much improved, particularly geographic functionality. The ability to manage the flow of identity/attribute information between multiple identity providers is among the best in the category.
- Cons
Consumer Identity-Management-as-a-Service features are still in early access. Authentication to on-premises apps requires expensive hardware.
- Bottom Line
It's no surprise that Okta Identity Management is so well-respected in the Identity-Management-as-a-Service (IDaaS) arena. Having both a features list that includes security policies that support MDM and geolocation, the ability to integrate multiple sources of identity data, and all packaged in a solution that is relatively easy to use, makes Okta Identity Management one of the top IDaaS solutions on the market.
By Tim Ferrill
Okta Identity Management, an excellent Identity-Management-as-a-Service (IDaaS) solution, is one of the big names in the IDaaS space. Okta Identity Management's pricing structure has changed dramatically since the last time we took a look at the service, but the most basic features start at $3 per user per month, with key features such as multi-factor authentication (MFA) and automated Software-as-a-Service (SaaS) application user provisioning pushing the pricing up closer to $10 per month per user.
Okta Identity Management handles integration with an existing, on-premises Microsoft Active Directory (AD) store very well. But it really sets itself apart with its ability to integrate beyond AD to other identity services, including Google Apps, Workday, and more. For all of these reasons and more, Okta Identity Management is awarded Editors' Choice in this roundup of IDaaS solutions.
Setup and Configuration
Like most of the players in this space, one of the first steps in getting Okta Identity Management set up for your organization involves connecting the service to an existing AD domain. Okta Identity Management offers an AD agent that synchronizes user and security group objects to Okta's cloud-based Universal Directory.
Installing the agent consists of downloading the installer and walking through a wizard that requires you to input or confirm basic information about your on-premises AD store, such as the domain name, service account name, and service account password. When the installation wizard concludes, you are required to input your Okta Identity Management log-in information in order to initiate the connection between the agent and the Okta Identity Management service. Once installed, the Okta Agent Manager app allows for basic maintenance tasks such as stopping and starting the agent, adding other domains to the service, and configuring a proxy server.
Okta Identity Management supports numerous sources of user information, each of which can be synced with the Okta Universal Directory. One of the more powerful features Okta Identity Management brings to the table is the ability to configure which data source should be the master for a particular series of attributes. In many cases, AD will contain the majority of the master-level attribute data, but Okta Identity Management features the flexibility to pull this information from another source, massage the formatting by using their expression engine, and push it into another app or directory. For example, Okta Identity Management could be configured to pull employee information from a human resources (HR) SaaS app, portions of which could be configured as master attributes. These attributes could then be fed back down to AD, enabling HR-related changes to populate. The potential for this functionality is significant, especially in a world where automation can mean money in the bank. It's also on par with solutions like Optimal IdM, which place significant focus on integrating multiple directories and identity stores while retaining a pricing model attractive to small and midsized businesses (SMBs).
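To make the attribute-mastering idea concrete, here is an added example (not Okta's code or the product's data model) that resolves one person's profile from two constructed identity stores, an HR SaaS app and AD, using a per-attribute "master source" table, applies a transform step in place of the expression engine, and records every attribute on which the stores disagree. Store names, attribute names and the transform are assumptions.

```python
from dataclasses import dataclass, field

# Constructed snapshots of the same person in two identity stores.
SOURCES = {
    "hr_saas": {"employeeId": "E1042", "firstName": "dana", "lastName": "ruiz",
                "title": "Payroll Analyst", "department": "Finance", "status": "active"},
    "ad": {"employeeId": "E1042", "firstName": "Dana", "lastName": "Ruiz",
           "title": "Payroll Clerk", "department": "Finance", "sAMAccountName": "druiz"},
}

# Which store is authoritative ("master") for each attribute; anything not
# listed is mastered by AD by default.
MASTER = {"title": "hr_saas", "department": "hr_saas", "status": "hr_saas"}
DEFAULT_MASTER = "ad"

def transform(profile: dict) -> dict:
    """Formatting step applied after mastering, standing in for an expression engine."""
    out = dict(profile)
    out["firstName"] = out["firstName"].strip().title()
    out["lastName"] = out["lastName"].strip().title()
    out["login"] = f"{out['firstName'][0]}{out['lastName']}".lower() + "@example.com"
    return out

@dataclass
class Resolution:
    profile: dict
    conflicts: list = field(default_factory=list)  # (attr, master, {source: value})

def resolve(sources: dict, master: dict, default_master: str) -> Resolution:
    """Pick each attribute from its master store and record any disagreements."""
    attrs = {a for rec in sources.values() for a in rec}
    profile, conflicts = {}, []
    for attr in sorted(attrs):
        owner = master.get(attr, default_master)
        holders = {s: rec[attr] for s, rec in sources.items() if attr in rec}
        if owner not in holders:
            # The master store lacks this attribute: fall back to whoever has it.
            owner = next(iter(holders))
        profile[attr] = holders[owner]
        if len(set(holders.values())) > 1:
            conflicts.append((attr, owner, holders))
    return Resolution(transform(profile), conflicts)
```

The conflicts list is what an administrator would review before letting the resolved profile flow back down to AD.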
The AD agent facilitates the log-in process by maintaining an active session with the Okta Identity Management service. When a user attempts to log in to their single sign-on (SSO) portal, their credentials are validated against a corporate AD domain controller. By keeping a session open using the AD agent, Okta Identity Management circumvents the necessity for firewall rules to allow communication with the corporate network, allowing you to maintain security without adding complexity to the configuration process.
Beyond the AD agent, Okta Identity Management offers an optional password synchronization tool that lets you update the passwords for Okta Identity Management user accounts, and potentially SaaS app account passwords, when AD passwords are changed. To achieve this functionality, the password sync tool must be installed on each of the domain controllers in your organization to fully capture password changes. That requirement will give some security personnel nightmares but it's not unusual among IDaaS providers. For instance, Microsoft Azure Active Directory (Azure AD) does password synchronization, though it doesn't require a software installation on all domain controllers.
Okta Identity Management's consumer-facing identity management tools are known as "Social Identity Providers," which let users register by using existing credentials they have established with various social media accounts, such as Facebook, Google, LinkedIn, or Microsoft's Live service. Currently, the capabilities of Social Identity Providers are in an "Early Access" phase which, according to Okta, means the service is production-ready but has not been rolled out to all Okta Identity Management tenants. Social Identity Providers can be enabled by contacting the Okta support team.
Once the AD agent is installed and the directory integration settings configured, you can begin importing users. By default, this is accomplished on a scheduled basis. Okta Identity Management uses the import process to validate user account information based on whether the user matches an existing Okta Identity Management account (either an exact or partial match) or if they don't match any existing accounts. Depending on your organizational needs, you can configure how each of these categories is handled, automating the import process for specific scenarios or requiring hands-on review by an administrator to ensure the account is properly provisioned.
Like most of its competition, Okta Identity Management supports the Security Assertion Markup Language (SAML) standard for SSO authentication to apps. Password vaulting is also supported for SaaS apps that don't support SAML. Adding SaaS apps to the user portal requires that the app first be added and then configured. The SAML app provisioning process requires both Okta Identity Management and the app to be configured to communicate with each other. Okta Identity Management provides the necessary steps (complete with screenshots) to enable and configure SAML authentication within the SaaS app you're configuring.
One nice feature of the Okta Identity Management app catalog is the ability to configure a service once and then link to multiple applications within the service (such as Google G Suite with Calendar, Drive, Mail, Sites, and your Google account) from the user portal. The final step in enabling SSO through the user portal involves assigning the app to users or groups within your directory. Okta Identity Management supports some advanced features for users of their mobile app, such as the ability to authenticate against certain mobile apps from the SaaS provider rather than a mobile webpage. These mobile access policies must be individually enabled for each app and mobile platform.
The user-facing portal can be branded by the admin team to match the organization's color scheme and graphics. Even log-in field labels, URLs, and Help files can be fully customized to provide the user interface (UI) that best fits your organization. Once users log in to this portal, they can organize their SSO apps, including adding personal accounts, creating tabbed collections, and even configuring specific apps to launch automatically when they first log in to the portal. A browser plug-in enables certain functionality such as password vaulting and also provides direct links into SaaS apps without forcing the user to return to their SSO portal. If desired, admins can even allow certain self-service functionality, such as password resets, to flow back down to AD.
MFA can be enabled in multiple forms, including Okta Identity Management's Verify mobile app, Google Authenticator, RSA SecurID, and a handful of other options. Individual apps can be configured with sign-in policies that define who, where, and when MFA must be used. Sign-in policies can be created based on individual users or groups and location (by IP address), and can be required at varying frequencies (e.g., every sign-in, once per session, once a week, only once, etc.) depending upon the need. While I'm a big fan of having multiple configurable security policies, I don't really like the fact that Okta Identity Management keeps them tied to the app. Ideally, you should be able to create individual policies and then apply them to users and apps, making the constraints of the policy reusable and reducing the admin workload.
Okta Identity Management's security capabilities have expanded in a couple of key areas since our last look at the service. Authentication policies can include references to Mobile Device Management (MDM) registration status, ensuring mobile devices meet the required corporate security posture, including device lock requirements or device encryption. Okta Identity Management's Zones feature lets you configure fine-grained, location-based policy triggers: you can specify IP address ranges; geographic locations such as countries, states, or provinces; and even checks for anonymizers and proxy services such as Tor. For corporations still locally hosting apps supporting critical business processes, Okta has partnered with F5 Networks to offer authentication to apps hosted on-premises. This functionality is certainly tailored towards larger businesses, as F5 appliances are designed for load balancing large-scale apps and are priced accordingly.
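The two preceding paragraphs describe sign-in policies that combine who (users or groups), where (network zones built from IP ranges, countries, or anonymizer detection) and how often MFA is required. The following is an added example of such an evaluator, written for this review and not Okta's code; the zone definitions, rule format, group names and the assumption that country and anonymizer status have already been resolved from a geo-IP lookup are all constructed.

```python
import ipaddress
from datetime import timedelta

# Constructed zones: a zone matches on IP ranges, on country, or on an
# anonymizer flag that the caller has already resolved for the client IP.
ZONES = {
    "corp_net": {"cidrs": ["10.0.0.0/8", "203.0.113.0/24"]},
    "blocked": {"countries": {"KP"}, "anonymizer": True},
}

# Constructed sign-in policy for one app: rules are tried in order, first match wins.
POLICY = [
    {"zone": "blocked", "action": "deny"},
    {"zone": "corp_net", "groups": {"employees"}, "action": "allow", "mfa": "never"},
    {"groups": {"finance"}, "action": "allow", "mfa": "every_signin"},
    {"action": "allow", "mfa": "once_per_session"},
]

def in_zone(name, ctx):
    zone = ZONES[name]
    ip = ipaddress.ip_address(ctx["ip"])
    if any(ip in ipaddress.ip_network(c) for c in zone.get("cidrs", [])):
        return True
    if ctx.get("country") in zone.get("countries", set()):
        return True
    return bool(zone.get("anonymizer")) and ctx.get("anonymizer", False)

def mfa_required(freq, ctx):
    """Apply the rule's MFA frequency to what is known about this sign-in."""
    last = ctx.get("last_mfa")  # datetime of the last MFA prompt, or None
    if freq == "never":
        return False
    if freq == "every_signin":
        return True
    if freq == "once_per_session":
        return last is None or ctx.get("new_session", True)
    if freq == "once_per_week":
        return last is None or ctx["now"] - last > timedelta(days=7)
    raise ValueError(f"unknown MFA frequency {freq!r}")

def evaluate(ctx):
    """Return (decision, mfa_needed) for a sign-in context against POLICY."""
    for rule in POLICY:
        if "zone" in rule and not in_zone(rule["zone"], ctx):
            continue
        if "groups" in rule and not (rule["groups"] & ctx["groups"]):
            continue
        if rule["action"] == "deny":
            return ("deny", False)
        return ("allow", mfa_required(rule["mfa"], ctx))
    return ("deny", False)  # no rule matched: fail closed
```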
Last time we looked at Okta Identity Management, we dinged them somewhat for the lack of a comprehensive reporting solution. Okta has made some major strides in this particular arena, adding a suite of canned reports that covers categories such as app use, authentication requests, de-provisioning, MFA usage, and suspicious activity.
In addition to the canned reports, Okta Identity Management's system log is easy to parse. Pre-established views give you a solid starting point for most scenarios, filtering log events down to specific categories. Date/time filters, a text search, and a timeline view let you quickly achieve a further level of specificity. Once narrowed down to a manageable set of events, each line can be expanded to view details such as the individual involved in the event, the target and outcome of the event, information about the device and client software, and even geographic information down to a latitude and longitude. Speaking of location-based data, the event log offers a map view that breaks down where the events in your data set occurred, which potentially allows you to identify where bogus authentication requests are originating. This lets you take the appropriate measures to minimize the risk of a compromise.
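As an added illustration of the triage the map view supports, this example (written for this review, not Okta's code) runs over constructed sign-in events carrying the same kinds of fields the paragraph lists (actor, outcome, client IP, country, latitude/longitude) and pulls out repeated-failure sources, failures from countries the organization does not operate in, and accounts that succeed from one country while failing from another. The JSON field names are an assumption for this example, not Okta's system log schema.

```python
import json
from collections import Counter, defaultdict

# Constructed sign-in events in a simplified JSON-lines shape (field names are
# an assumption for this example, not Okta's system log schema).
RAW_EVENTS = """\
{"time":"2017-05-01T08:02:11Z","event":"user.session.start","actor":"dana@example.com","outcome":"SUCCESS","ip":"203.0.113.5","country":"US","lat":34.05,"lon":-118.24}
{"time":"2017-05-01T08:05:41Z","event":"user.session.start","actor":"dana@example.com","outcome":"FAILURE","ip":"198.51.100.9","country":"RO","lat":44.43,"lon":26.10}
{"time":"2017-05-01T08:05:52Z","event":"user.session.start","actor":"dana@example.com","outcome":"FAILURE","ip":"198.51.100.9","country":"RO","lat":44.43,"lon":26.10}
{"time":"2017-05-01T08:06:03Z","event":"user.session.start","actor":"dana@example.com","outcome":"FAILURE","ip":"198.51.100.9","country":"RO","lat":44.43,"lon":26.10}
{"time":"2017-05-01T08:10:00Z","event":"user.session.start","actor":"sam@example.com","outcome":"FAILURE","ip":"203.0.113.6","country":"US","lat":34.05,"lon":-118.24}
{"time":"2017-05-01T08:10:09Z","event":"user.session.start","actor":"sam@example.com","outcome":"SUCCESS","ip":"203.0.113.6","country":"US","lat":34.05,"lon":-118.24}
{"time":"2017-05-01T08:12:30Z","event":"user.account.update_password","actor":"sam@example.com","outcome":"SUCCESS","ip":"203.0.113.6","country":"US","lat":34.05,"lon":-118.24}
{"time":"2017-05-01T08:15:47Z","event":"user.session.start","actor":"admin@example.com","outcome":"FAILURE","ip":"192.0.2.77","country":"NL","lat":52.37,"lon":4.90}
"""

def parse_events(raw):
    return [json.loads(line) for line in raw.splitlines() if line.strip()]

def triage(events, expected_countries, fail_threshold=3):
    """Summarize where failed sign-ins come from and which accounts they touch."""
    fails_by_source = Counter()   # (ip, country) -> failed sign-ins
    fail_geo = defaultdict(set)   # actor -> countries with failures
    ok_geo = defaultdict(set)     # actor -> countries with successes
    for e in events:
        if e["event"] != "user.session.start":
            continue              # only sign-in attempts matter here
        if e["outcome"] == "FAILURE":
            fails_by_source[(e["ip"], e["country"])] += 1
            fail_geo[e["actor"]].add(e["country"])
        else:
            ok_geo[e["actor"]].add(e["country"])
    return {
        # Sources producing repeated failures, most active first.
        "noisy_sources": [(ip, c, n) for (ip, c), n in fails_by_source.most_common()
                          if n >= fail_threshold],
        # Failures from countries the organization does not operate in.
        "unexpected_geo": {a: sorted(cs - expected_countries)
                           for a, cs in fail_geo.items() if cs - expected_countries},
        # Accounts that succeed from one country but fail from another.
        "split_geo": sorted(a for a, cs in fail_geo.items()
                            if ok_geo.get(a) and cs - ok_geo[a]),
    }
```

The single mistyped password from sam's usual location stays out of every finding, which is the separation the map view is meant to make easy.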
Okta Identity Management's pricing structure is less about tiers and more about the features your organization needs. Okta Identity Management's Universal Directory, which provides the ability to manage identities sourced from multiple apps or directories, runs a very reasonable $1 per user per month. SSO, which is needed for handling authentication to apps and enforcement of password policies, costs an additional $2 per month. Access requests, group membership rules, provisioning features, and de-provisioning workflows are all part of the $4-per-month lifecycle management product. The MFA and mobility management products cost an additional $3 (for starters) and $4 per user, respectively. Some features, such as the basic user store, some reporting, and IP/app policies are included with all products at no additional cost. Okta Identity Management also supports SSO and provisioning to a single cloud app (including Microsoft Office 365 or Google's G Suite) for free by using Okta Cloud Connect.
Our two real points of hesitation at this point in time are the lack of a fully supported consumer IDaaS offering and the choice to partner with F5 Networks for authentication to on-premises apps. F5's core business is companies with large app deployments that need to load-balance between multiple servers and multiple sites. The use case, as well as the pricing, positions this solution well out of reach for many small or midsize businesses (SMBs). We feel less concerned about Okta Identity Management's consumer-facing features as all indications are that Okta will be a strong competitor in this arena once the Social Authentication product is launched.
Okta Identity Management has a solid reputation in the IDaaS space and their service backs it up. Their robust support for multiple identity providers, coupled with how well they do everything else expected from an IDaaS solution, pushes Okta Identity Management to the top of the list. In particular, Okta Identity Management's ability to fine-tune how attributes are moved between your directories and cloud services is impressive. It's enough to push Okta Identity Management over the top for an Editors' Choice in this IDaaS review roundup.
Tim Ferrill is an IT professional and writer living in Southern California. Follow him on Twitter @tferrill.