Okta Id Administration, a wonderful Identity-Management-as-a-Service (IDaaS) resolution, is without doubt one of the huge names within the IDaaS area. Okta Id Administration’s pricing construction has modified dramatically for the reason that final time we took a have a look at the service, however probably the most fundamental options begin at $three per person per thirty days, with key options reminiscent of multi-factor authentication (MFA) and automatic Software program-as-a-Service (SaaS) software person provisioning pushing the pricing up nearer to $10 per thirty days per person.
Okta Id Administration handles integration with an present, on-premises Microsoft Lively Listing (AD) retailer very nicely. However it actually units itself aside with its skill to combine past AD to different id providers, together with Google Apps, Workday, and extra. For all of those causes and extra, Okta Id Administration is awarded Editors’ Alternative on this roundup of IDaaS options.
Setup and Configuration
Like a lot of the gamers on this area, one of many first steps in getting Okta Id Administration arrange in your group entails connecting the service to an present AD area. Okta Id Administration presents an AD agent that synchronizes person and safety group objects to Okta’s cloud-based Common Listing.
Putting in the agent consists of downloading the installer and strolling by way of a wizard that requires you to enter or verify fundamental details about your on-premises AD retailer, such because the area title, service account title, and repair account password. When the set up wizard concludes, you’re required to enter your Okta Id Administration log-in data to be able to provoke the connection between the agent and the Okta Id Administration service. As soon as put in, the Okta Agent Supervisor app permits for fundamental upkeep duties reminiscent of stopping and beginning the agent, including different domains to the service, and configuring a proxy server.
Okta Id Administration helps quite a few sources of person data, every of which will be synced with the Okta Common Listing. One of many extra highly effective options Okta Id Administration brings to the desk is the flexibility to configure which information supply must be the grasp for a specific collection of attributes. In lots of instances, AD will comprise nearly all of the master-level attribute information, however Okta Id Administration options the flexibleness to tug this data from one other supply, therapeutic massage the formatting through the use of their expression engine, and push it into one other app or listing. For instance, Okta Id Administration could possibly be configured to tug worker data from a human resources (HR) SaaS app, parts of which could possibly be configured as grasp attributes. These attributes may then be fed again all the way down to AD, enabling HR-related modifications to populate. The potential for this performance is critical, particularly in a world the place automation can imply cash within the financial institution. It is also on par with options like Optimal IdM, which place vital concentrate on integrating a number of directories and id shops whereas retaining a pricing mannequin enticing to small and midsized companies (SMBs).
The AD agent facilitates the log-in course of by sustaining an lively session with the Okta Id Administration service. When a person makes an attempt to log in to their single sign-on (SSO) portal, their credentials are validated in opposition to a company AD area controller. By retaining a session open utilizing the AD agent, Okta Id Administration circumvents the need for firewall guidelines to permit communication with the company community, permitting you to take care of safety with out including complexity to the configuration course of.
Past the AD agent, Okta Id Administration presents an non-compulsory password synchronization instrument that permits you to replace the passwords for Okta Id Administration person accounts, and doubtlessly SaaS app account passwords, when AD passwords are modified. To attain this performance, the password sync instrument have to be put in on every of the area controllers in your group to totally seize password modifications. That requirement will give some safety personnel nightmares nevertheless it’s commonplace amongst IDaaS suppliers. For example, Microsoft Azure Active Directory (Azure AD) does password synchronization, although it would not require a software program set up on all area controllers.
Okta Id Administration’s consumer-facing id administration instruments are generally known as “Social Id Suppliers,” which let customers register through the use of present credentials they’ve established with numerous social media accounts, reminiscent of Fb, Google, LinkedIn, or Microsoft’s Stay service. Presently, the capabilities of Social Id Suppliers are in an “Early Entry” section which, in accordance with Okta, means the service is production-ready however has not been rolled out to all Okta Id Administration tenants. Social Id Suppliers will be enabled by contacting the Okta assist group.
As soon as the AD agent is put in and the listing integration settings configured, you’ll be able to start importing customers. By default, that is completed on a scheduled foundation. Okta Id Administration makes use of the import course of to validate person account data primarily based on whether or not the person matches an present Okta Id Administration account (both a precise or partial match) or if they do not match any present accounts. Relying in your organizational wants, you’ll be able to configure how every of those classes are dealt with, automating the import course of for particular situations or requiring hands-on by an administrator to make sure the account is correctly provisioned.
Like most of its competitors, Okta Id Administration helps the Safety Assertion Markup Language (SAML) customary for SSO authentication to apps. Password vaulting can be supported for SaaS apps that do not assist SAML. Including SaaS apps to the person portal requires that the app first be added after which configured. The SAML app provisioning course of requires each Okta Id Administration and the app to be configured to speak with one another. Okta Id Administration gives the mandatory steps (full with screenshots) to allow and configure SAML authentication throughout the SaaS app you are configuring.
One good function of the Okta Id Administration app catalog is the flexibility to configure a service as soon as after which hyperlink to a number of functions throughout the service (reminiscent of Google G Suite with Calendar, Drive, Mail, Websites, and your Google account) from the person portal. The ultimate step in enabling SSO by way of the person portal entails assigning the app to customers or teams inside your listing. Okta Id Administration helps some superior options for customers of their cell app, reminiscent of the flexibility to authenticate in opposition to sure cell apps from the SaaS supplier fairly than a cell webpage. These cell entry insurance policies have to be individually enabled for every app and cell platform.
The user-facing portal will be branded by the admin group to match the group’s colour scheme and graphics. Even log-in subject labels, URLs, and Assist information will be totally custom-made to supply the person interface (UI) that most closely fits your group. As soon as a person logs in to this person portal, she or he can set up his or her SSO apps, together with including private accounts, creating tabbed collections, and even configuring particular apps to robotically launch when she or he first logs in to the portal. A browser plug-in permits sure performance reminiscent of password vaulting and likewise gives direct hyperlinks into SaaS apps with out forcing the person to return to their SSO portal. If desired, admins may even permit for sure self-service performance reminiscent of password resets to stream again all the way down to AD.
MFA will be enabled in a number of kinds, together with in Okta Id Administration’s Confirm cell app, Google Authenticator, RSA SecureID, and a handful of different choices. Particular person apps will be configured with sign-in insurance policies that outline who, the place, and when MFA have to be used. Signal-in insurance policies will be created primarily based on particular person customers or teams and placement (by IP tackle), and will be required on various frequencies (e.g., each sign-in, as soon as per session, as soon as per week, solely as soon as, and so forth.) relying upon the necessity. Whereas I am an enormous fan of getting a number of configurable safety insurance policies, I do not actually like the truth that Okta Id Administration retains them tied to the app. Ideally, it is best to have the ability to create particular person insurance policies after which apply them to customers and apps, making the constraints of the coverage reusable and decreasing the admin workload.
Okta Id Administration’s safety capabilities have expanded in a few key areas since our final have a look at the service. Authentication insurance policies can embody references to Cell Machine Administration (MDM) registration standing, making certain cell gadgets meet the required company safety posture, together with gadget lock necessities or gadget encryption. Okta Id Administration’s Zones function allows you to configure fine-grained, location-based coverage triggers, which helps you to specify IP tackle ranges, geographic places reminiscent of nations, states, or provinces; and even test for anonymizers and proxy providers reminiscent of Tor. For firms nonetheless regionally internet hosting apps supporting crucial enterprise processes, Okta has partnered with F5 Networks to supply authentication to apps hosted on-premises. This performance is definitely tailor-made in the direction of bigger companies as F5 home equipment are designed for load balancing large-scale apps and are priced accordingly.
Final time we checked out Okta Id Administration, we dinged them considerably for the shortage of a complete reporting resolution. Okta has made some main strides on this explicit area, including a set of canned stories that covers classes reminiscent of app use, authentication requests, de-provisioning, MFA utilization, and suspicious exercise.
Along with the canned stories, Okta Id Administration’s system log is straightforward to parse. Pre-established views provide you with a stable start line for many situations, filtering log occasions all the way down to particular classes. Date/time filters, a textual content search, and a timeline view allow you to rapidly obtain an additional degree of specificity. As soon as narrowed all the way down to a manageable set of occasions, every line will be expanded to view particulars reminiscent of the person concerned within the occasion, the goal and consequence of the occasion, details about the gadget and consumer software program, and even geographic data all the way down to a latitude and longitude. Talking of location-based information: The occasion log presents a map view that breaks down the place the occasions in your information set occurred, which doubtlessly permits you to establish the place bogus authentication requests are originating. this allows you to take the suitable measures to reduce the chance of a compromise.
Okta Id Administration’s pricing construction is much less about tiers and extra in regards to the options your group wants. Okta Id Administration’s Common Listing, which gives the flexibility to handle identities sourced from a number of apps or directories, runs a really affordable $1 per person per thirty days. SSO, which is required for dealing with authentication to apps and enforcement of password insurance policies, prices a further $2 per thirty days. Entry requests, group membership guidelines, provisioning options, and de-provisioning workflows are all a part of the $Four-per-month lifecycle administration product. The MFA and mobility administration merchandise price a further $three (for starters) and $Four per person, respectively. Some options, reminiscent of the fundamental person retailer, some reporting, and IP/app insurance policies are included with all merchandise at no further price. Okta Id Administration additionally helps SSO and provisioning to a single cloud app (together with Microsoft Office 365 or Google’s G Suite) without cost through the use of Okta Cloud Join.
Our two actual factors of hesitation at this time limit are the shortage of a totally supported client IDaaS providing and the selection to associate with F5 Networks for authentication to on-premises apps. F5’s core enterprise is firms with massive app deployments that must load-balance between a number of servers and a number of websites. The use case, in addition to the pricing, positions this resolution nicely out of attain for a lot of small or midsize companies (SMBs). We really feel much less involved about Okta Id Administration’s consumer-facing options as all indications are that Okta might be a powerful competitor on this area as soon as the Social Authentication product is launched.
Okta Id Administration has a stable popularity within the IDaaS area and their service backs it up. Their strong assist for a number of id suppliers, coupled with how nicely they do all the pieces else anticipated from an IDaaS resolution, pushes Okta Id Administration to the highest of the listing. Particularly, Okta Id Administration’s skill to fine-tune how attributes are moved between your directories and cloud providers is spectacular. It is sufficient to push Okta Id Administration excessive for an Editors’ Alternative on this IDaaS evaluate roundup.