Okta

Rationale

Okta  is the IAM  platform we use for managing access to hundreds of applications used across our company. It allows us to give access to applications without disclosing credentials and maintaining a least privilege  approach.

The main reasons why we chose it over other alternatives are:

• It is SaaS , allowing us to forget about maintaining the infrastructure it relies on.
• Being a SSO  platform, talent only need to remember their Okta  password. Everything else can be accessed once they’re inside.
• It provides a universal directory  that allows us to have users, departments, applications and permissions in a single place.
• It supports Multi-factor authentication  by using OTP’s  that regenerate every thirty seconds and push notifications  through its Okta Verify app  on both IOS  and Android .
• As Multi-factor authentication  can be done on the user’s phone, we do not need to manage independent security tokens .
• Its multi-factor authentication  uses OOBA , a state-of-the-art authentication process that uses two different communication channels, one for the application itself and a separate one for the verification method. Such a process reduces the chances of identity theft, as both channels would need to be compromised by an attacker.
• It enforces Biometric MFA  for both face and fingerprint if the device supports it.
• It supports serverless automatic provisioning , allowing us to keep other directories from services like Google Workspace  and AWS IAM  automatically synchronized without additional effort.
• It supports SAML  and OAuth , allowing us to give users access to applications without having to manage credentials.
• It supports thousands  of preconfigured integrations.
• It provides in-depth reports and logging  regarding security and overall user usage.
• It provides a RADIUS agent  for authenticating on external infrastructure like VPN’s .
• It allows strong password  enforcement.
• It can be managed  using Terraform .

Alternatives

• OneLogin : We used it for three years. It did not support as many integrations. Its automatic provisioning was not as flexible.
• Duo : It did not support as many integrations. Its automatic provisioning was not as flexible.
• Authentik : It did not support as many integrations. It did not support automatic user provisioning to Google Workspace, which would force us to manually keep its directory synced with Google. It is not part of the Cloudflare ZTNA IAM list , which would force us to use a generic approach towards provisioning users.

Usage

We use Okta  for:

• Managing apps, groups, users and permissions 
• Managing AWS roles with SAML 

We do not use Okta  for:

• Managing users via universal directory : We are currently returning from JumpCloud .
• Managing RADIUS : The Okta RADIUS Agent  only supports PAP  as an authentication protocol, which is why we decided to look for other RADIUS  providers once returning from JumpCloud  is finished.