Okta and O365

  • 1.2K Views
  • Last Post 02 November 2015
AlexeiS posted this 19 October 2015

Hi all, wondering if anyone on this forum has used the Okta solution for SSO with O365? If so, what were the reasons for choosing that over DirSync plus ADFS? Also keen to hear about your experience with their MFA solution if you chose to use it.

Thanks,
Alexei

Ravi.Sabharanjak posted this 19 October 2015

I can tell you why not to choose it :)
- Paid, versus ADFS + dirsync: free
- More importantly, while they may do a password-less, SAML based authentication to O365 for signing on the user, your password will be sent to Okta - out of your network - for the initial user authentication to Okta. That IMO is a deal breaker..
-Ravi


ThomasVuylsteke posted this 20 October 2015

I’ve never seen Okta in the wild, but saying that ADFS+DirSync is free is a bit unfair…


You need (typically) 5 servers: 2x ADFS Proxy (WAP) + 2x ADFS + 1x Azure AD Connect (DirSync). Those are installed on Windows OS which you need to license, backup, monitor, protect (AV), patch… And it doesn’t stop there. You need load balancing capabilities in both “DMZ” (for the proxies) and the LAN (ADFS). So saying they are free is not correct… In larger environments they are just small pieces you add to the puzzle. And they’ll probably have hardware LB you can “reuse”. But not all customers are in this situation…

If I’m not mistaken Okta uses an agent and thus might be considered less heavy on the infrastructure requirements… it’s a trade off…


Regards,

Thomas


kebabfest posted this 20 October 2015

Hi Alexei,
I have never heard of Okta before and will be interested to hear about people's experience with it. However, as somebody who had never set up ADFS with SSO for Office 365 until about 2 weeks ago, I can tell you it is relatively straightforward to set up and inexpensive. Now I have only implemented this in a small organisation, so I haven't invested heavily in infrastructure. Is Okta designed for large organisations (1000 users +)?


danj posted this 20 October 2015

I evaluated Okta vs ADFS for a large banking client at the start of the year. If you want to do SSPI (integrated auth) sign-on from your corporate network, you need to install local Okta servers, which are effectively a webservice that does broadly the same thing as ADFS does, except it still relies on IIS. So not really much less footprint than the pure ADFS solution, for a 3rd party app that runs on IIS. In addition for ADFS you can reuse existing reverse proxy e.g. Netscaler or F5 APM instead of the WAP, depends on what you have currently.



The agent you refer to is for the domain controllers, to sync objects up to the cloud, in the same way as Azure AD Sync/dirsync does.


I liked their cloud offering in terms of automated provisioning and general integration with a ‘marketplace’ of apps, that did seem superior to what MSFT were doing with Azure, although you’d need to evaluate exactly which apps were in scope for your org as not all have the provisioning API linked with Okta (or Azure for that matter).

 

Dan


yawpee posted this 20 October 2015

So you think for the cost / investment the ADFS solution is better. What about security in terms of password sync?

Thanks.

gkirkpatrick posted this 20 October 2015

Okta makes the most sense when you either don’t have AD (or want to decommission your AD) and do all your IAM in the cloud; that’s what they are optimized for. If you’re taking the hybrid approach and want to do your IAM in AD, I think Azure+ADFS+DirSync is a better solution.

 

-g


Ravi.Sabharanjak posted this 21 October 2015

In my opinion, ADFS has better security. With ADFS, you authenticate to the ADFS server using Kerberos (ideally) and then get a token that your browser sends to the resource (O365). The token proves your identity. Your passwords never really leave your network.
From what I understand about Okta, you authenticate to Okta first before you are passed on to any other connected apps. To authenticate, you send your password to the Okta network from where it is sent back to your network over an SSL back channel that is held open for this purpose. This back channel is set up when you install the agent that synchronizes your user IDs with the cloud.
For me, it's highly important that my passwords don't go over to a third party network - even over SSL - as I have no control over the infrastructure that processes them. (Do they / will they for example log the passwords by mistake in a debug log file etc?)
Point taken that the ADFS + dirsync solution will need a few more servers, however the Okta solution will need the sync servers as well. On the flip side, once set up, the same ADFS servers can authenticate you to any number of services - without a per user cost. With VMs and unlimited licensing for VMs once you license Datacenter for your virtualization host, the OS cost is not much of a concern anyway...
Contrast that with the per user cost of the Okta solution. Yes - the first app you connect to is free, but you start paying quite a bit with app #2..
-Ravi
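The two sign-on patterns Ravi contrasts, modelled as a small Python simulation. This is an added illustration, not code from the thread, from ADFS or from Okta: the class names `OnPremIdP`, `RelyingParty` and `CloudBroker`, the user `alice` and her password are constructed for the example, and the HMAC over a JSON claims body stands in for the RSA-signed SAML/WS-Fed token a real ADFS farm issues. The point it makes visible is which parties ever handle the password: in the federated flow only the on-prem IdP sees it and the relying party checks a signed, audience-bound, expiring token; in the delegated flow the password transits the cloud broker before reaching the on-prem agent.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample directory: one user, salted SHA-256 (toy store, not AD).
_SALT = b"toy-salt"
USERS = {"alice": hashlib.sha256(_SALT + b"correct horse battery").hexdigest()}


def _check_password(user: str, password: str) -> bool:
    """Verify a password against the directory (stand-in for AD/Kerberos)."""
    digest = hashlib.sha256(_SALT + password.encode()).hexdigest()
    return hmac.compare_digest(USERS.get(user, ""), digest)


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text)


class OnPremIdP:
    """Stand-in for ADFS: checks the password, issues a signed token.
    Real ADFS signs SAML/WS-Fed tokens with an RSA key; HMAC with a key
    shared only with the relying party is a simplification for this demo."""

    def __init__(self, signing_key: bytes):
        self._signing_key = signing_key

    def login(self, user, password, audience, seen_by, now=None, ttl=300):
        seen_by.append("on-prem IdP")  # the only party that handles the password
        if not _check_password(user, password):
            return None
        claims = {"sub": user, "aud": audience,
                  "exp": int(now or time.time()) + ttl,
                  "jti": secrets.token_hex(8)}
        body = _b64e(json.dumps(claims, sort_keys=True).encode())
        sig = hmac.new(self._signing_key, body.encode(), hashlib.sha256).digest()
        return f"{body}.{_b64e(sig)}"


class RelyingParty:
    """Stand-in for O365: accepts a token only if signature, audience and
    expiry all check out. It never receives a password."""

    def __init__(self, name: str, verification_key: bytes):
        self.name = name
        self._key = verification_key

    def accept(self, token: str, now=None):
        try:
            body, sig = token.split(".")
            expected = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _b64d(sig)):
                return None
            claims = json.loads(_b64d(body))
        except ValueError:  # malformed token or bad base64
            return None
        if claims.get("aud") != self.name:
            return None
        if claims.get("exp", 0) <= (now or time.time()):
            return None
        return claims.get("sub")


class CloudBroker:
    """Stand-in for a cloud IdP that validates the password through an
    on-prem agent over a persistent back channel (the pattern Ravi describes)."""

    def __init__(self, agent):
        self._agent = agent

    def login(self, user, password, seen_by):
        seen_by.append("cloud broker")  # password is processed outside the network
        return self._agent(user, password, seen_by)


def onprem_agent(user, password, seen_by):
    seen_by.append("on-prem agent")
    return user if _check_password(user, password) else None


def federated_login(user, password, audience="o365", now=None):
    """Return (subject accepted by the RP, parties that saw the password)."""
    key = secrets.token_bytes(32)
    idp, rp = OnPremIdP(key), RelyingParty(audience, key)
    seen_by = []
    token = idp.login(user, password, audience, seen_by, now=now)
    subject = rp.accept(token, now=now) if token else None
    return subject, seen_by


def delegated_login(user, password):
    """Return (subject accepted by the broker, parties that saw the password)."""
    seen_by = []
    return CloudBroker(onprem_agent).login(user, password, seen_by), seen_by


def token_survives_tampering(now=1_700_000_000):
    """Flip one character of the claims body; a correct RP must reject it."""
    key = b"fixed-demo-key"
    idp, rp = OnPremIdP(key), RelyingParty("o365", key)
    token = idp.login("alice", "correct horse battery", "o365", [], now=now)
    body, sig = token.split(".")
    tampered = ("A" if body[0] != "A" else "B") + body[1:] + "." + sig
    return rp.accept(tampered, now=now) is not None
```

`federated_login` returns `["on-prem IdP"]` as the only observer of the password, while `delegated_login` returns `["cloud broker", "on-prem agent"]`; the audience check is what stops a token minted for one relying party being replayed against another.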


Parzival posted this 02 November 2015

Hi

I too was looking at Okta for a customer. They wanted it for the management of objects that they can delegate within the Okta suite and assign permissions to each region and IT admins group. Something that is still hard to get through AAD or O365 directly.

I also checked PingID as another customer was using that for authentication (PingFederate) to connect to multiple (non-trusting) AD forests.

Both products make sense if you have a large infrastructure with a lot of different Active Directories (or other identity sources) that are not fully connected or trusted. It removes the need to deploy multiple identity sync engines and ADFS farms and configure redirection on them if you have the same UPNs for all of the ADs. They would also allow for a single view on logins, audits and traces.

With regards to 2FA, the external applications for identity management have a small flaw. They do not fully support 2FA as AAD Premium / O365 does. As all O365 authentications are treated as a single authentication on the backend federation service (on premises or Okta or PingID) you cannot set 2FA on CRM Online while not requesting it for OWA, for example. There is simply no call made again to the backend federation service if you browse directly from one service to another (instead of using the 3rd party portals that can request the 2FA from within their console). If you want 2FA for (individual) O365 components you are stuck with AAD Premium. (Or a combination of 3rd party and native built-in O365. But that requires the users to use two ways of providing MFA.)

_R


mcasey posted this 02 November 2015

If you are looking for alternatives or additional flexibility, Optimal IdM's federation solutions are strong when dealing with the challenges of large and complex environments (e.g. numerous forests/domains, disparate 2FA/MFA solutions/requirements). They are priced very competitively when compared to Okta and the like. You can deploy their fed solution on-premises, cloud, hybrid, etc.; you can sync users, not sync users, sync some users; however you prefer and/or require.
https://optimalidm.com/products/on-premise/federation-identity-services/
https://optimalidm.com/products/hosted/optimalcloud/
