Okta Identity Management (IM), a superb Identity-Management-as-a-Service (IDaaS) solution, is one of the big names in the IDaaS space. Okta Identity Management's pricing structure has changed dramatically since the last time we looked at the service, but the most basic features start at $3 per user per month, with key features such as multi-factor authentication (MFA) and automated Software-as-a-Service (SaaS) application user provisioning pushing the price closer to $10 per user per month.
Okta Identity Management handles integration with an existing, on-premises Microsoft Active Directory (AD) store very well. But it really sets itself apart with its ability to integrate beyond AD with other identity services, including Google Apps, Workday, and more. For all of these reasons and more, Okta Identity Management is awarded Editors' Choice in this roundup of IDaaS solutions.
Setup and Configuration
Like most of the players in this field, one of the first steps in getting Okta IM set up for your organization involves connecting the service to an existing AD domain. Okta Identity Management offers an AD agent that synchronizes user and security group objects to Okta's cloud-based Universal Directory.
Installing the agent consists of downloading the installer and walking through a wizard that requires you to enter or confirm basic information about your on-premises AD store, such as the domain name, service account name, and service account password. Because that service account is what the agent uses to read the domain (and, if you later enable features such as self-service password reset, to write to it), it should be granted no more than the permissions those features need. Once the installation wizard concludes, you're required to enter your Okta Identity Management log-in information to initiate the connection between the agent and the Okta Identity Management service. Once installed, the Okta Agent Manager app allows for basic maintenance tasks such as stopping and starting the agent, adding other domains to the service, and configuring a proxy server.
Directory Integration
Okta Identity Management supports various sources of user information, each of which can be synced with the Okta Universal Directory. One of the more powerful options Okta Identity Management brings to the table is the ability to configure which data source should be the master for a particular set of attributes. In many cases, AD will hold most of the master-level attribute data, but Okta Identity Management has the flexibility to take this information from another source, massage the formatting using its expression engine, and push it into another application or directory. For instance, Okta IM could be configured to pull employee information from a human resources (HR) SaaS app, parts of which could be designated as master attributes. These attributes could then be fed back to AD, letting HR-driven changes propagate. The potential of this functionality is significant, particularly in a world where automation can mean cash in the bank. It is also on par with solutions like Optimal IdM, which puts significant focus on integrating multiple directories and identity stores while keeping a pricing model attractive to small and midsized businesses (SMBs).
The AD agent facilitates the log-in process by maintaining an active session with the Okta Identity Management service. When a user attempts to log in to their single sign-on (SSO) portal, their credentials are validated against a corporate AD domain controller. By keeping an outbound session open through the AD agent, Okta IM avoids the need for inbound firewall rules permitting communication into the corporate network, letting you maintain security without adding complexity to the configuration process.
Beyond the AD agent, Okta IM provides an optional password synchronization tool that lets you update the passwords for Okta IM user accounts, and potentially SaaS app account passwords, when AD passwords are changed. To get this functionality, the password sync tool must be installed on every domain controller in your organization in order to fully capture password changes. That requirement will give some security personnel nightmares, but it isn't uncommon among IDaaS providers. For example, Microsoft Azure Active Directory (Azure AD) also does password synchronization, though it does not require a software installation on all domain controllers.
Okta Identity Management's consumer-facing identity management tools are known as "Social Identity Providers," which let users register using existing credentials they have established with various social media accounts, such as Facebook, Google, LinkedIn, or Microsoft's Live service. Currently, the Social Identity Providers capabilities are in an "Early Access" phase which, according to Okta, means the service is production-ready but has not been rolled out to all Okta Identity Management tenants. Social Identity Providers can be enabled by contacting the Okta support team.
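To make the attribute-mastering idea concrete, here is an added example (not code from Okta or from this review) of merging one person's profile from an HR feed and from AD, where each attribute is taken only from the source designated as its master, transformed on the way in, and the HR-mastered values are then diffed against AD to produce the writeback set. The record shapes, the MASTERING and TRANSFORMS tables, the @example.com domain and the function names are all constructed assumptions for illustration:

```python
"""Per-attribute mastering between an HR feed and AD (added example, not Okta code).
The records, mapping tables and function names below are constructed for illustration."""
from __future__ import annotations

# Constructed sample records for one person, as a hypothetical HR SaaS app and AD might hold them.
HR_RECORD = {"employeeNumber": "00417", "givenName": "Dana ", "familyName": "Okafor",
             "title": "Staff Engineer", "department": "Platform", "manager": "00212"}
AD_RECORD = {"sAMAccountName": "DOkafor", "givenName": "Dana", "sn": "Okafor",
             "title": "Engineer II", "department": "Platform",
             "mail": "DOkafor@Example.com", "employeeID": "00417"}

# Which source masters each profile attribute (the "which source is master" decision).
MASTERING = {"firstName": "hr", "lastName": "hr", "title": "hr", "department": "hr",
             "managerId": "hr", "employeeNumber": "hr", "login": "ad", "email": "ad"}

# Expression-engine-style transforms: each takes the mastering source's record and returns the value.
TRANSFORMS = {
    "firstName": lambda r: r["givenName"].strip(),
    "lastName": lambda r: r["familyName"].strip(),
    "title": lambda r: r["title"],
    "department": lambda r: r["department"],
    "managerId": lambda r: r["manager"],
    "employeeNumber": lambda r: r["employeeNumber"],
    "login": lambda r: r["sAMAccountName"].lower() + "@example.com",  # assumed login format
    "email": lambda r: r["mail"].lower(),
}

# How HR-mastered profile attributes map back onto AD attributes for writeback.
AD_WRITEBACK_MAP = {"firstName": "givenName", "lastName": "sn",
                    "title": "title", "department": "department"}


def merge_profile(sources: dict[str, dict]) -> tuple[dict, list[str]]:
    """Build the directory-side profile, taking each attribute only from its mastering source.
    An attribute whose master is absent or lacks the data is reported, never guessed from elsewhere."""
    profile, problems = {}, []
    for attr, master in MASTERING.items():
        record = sources.get(master)
        if record is None:
            problems.append(f"{attr}: mastering source '{master}' not available")
            continue
        try:
            profile[attr] = TRANSFORMS[attr](record)
        except KeyError as missing:
            problems.append(f"{attr}: source '{master}' is missing {missing}")
    return profile, problems


def ad_writeback(profile: dict, ad_record: dict) -> dict:
    """Compute the AD attributes that must change so AD reflects HR-mastered values.
    Only HR-mastered attributes are ever written back; AD-mastered ones never flow in this direction."""
    changes = {}
    for attr, ad_attr in AD_WRITEBACK_MAP.items():
        if MASTERING[attr] != "hr" or attr not in profile:
            continue
        if ad_record.get(ad_attr) != profile[attr]:
            changes[ad_attr] = profile[attr]
    return changes


if __name__ == "__main__":
    profile, problems = merge_profile({"hr": HR_RECORD, "ad": AD_RECORD})
    print("profile:", profile)
    print("problems:", problems)
    print("AD writeback:", ad_writeback(profile, AD_RECORD))
```

Run as written, the HR title "Staff Engineer" wins over AD's stale "Engineer II" and is the only attribute queued for writeback, while login and email still come from AD. The design choice worth copying is that a missing master is an error rather than a silent fallback to another source: falling back would quietly let the non-authoritative directory overwrite the authoritative one.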
User Provisioning
Once the Active Directory agent is installed and the directory integration settings are configured, you can begin importing users. By default, this happens on a scheduled basis. Okta Identity Management uses the import process to validate user account information based on whether the user matches an existing Okta Identity Management account (either an exact or partial match) or does not match any existing account. Depending on your organizational needs, you can configure how each of these categories is handled, automating the import process for specific situations or requiring hands-on review by an administrator to make sure the account is correctly provisioned. Partial matches in particular deserve that manual confirmation step, since automatically linking an imported user to the wrong existing account hands that person the existing account's application access.
Like most of its competition, Okta Identity Management supports the Security Assertion Markup Language (SAML) standard for SSO authentication to apps. Password vaulting is also supported for SaaS apps that do not support SAML. Adding SaaS apps to the user portal requires that the app first be added and then configured. The SAML app provisioning process requires both Okta Identity Management and the app to be configured to trust one another. Okta Identity Management provides the necessary steps (complete with screenshots) to enable and configure SAML authentication within the SaaS app you are configuring.
Single Sign-On
One nice feature of the Okta IM app catalog is the ability to configure a service once and then link to multiple applications within that service (such as Google G Suite with Calendar, Drive, Mail, Sites, and your Google account) from the user's personal portal. The final step in enabling SSO through the user portal involves assigning the app to users or groups within your directory. Okta Identity Management supports some advanced options for users of its mobile app, such as the ability to authenticate to the SaaS provider's native mobile apps rather than a mobile webpage. These mobile access policies must be separately enabled for each app and mobile platform.
The user-facing portal can be branded by the administration team to match the company's color scheme and graphics. Even log-in field labels, URLs, and help files can be fully customized to provide the user interface (UI) that best fits your organization. Once a user logs in to the portal, he or she can organize his or her SSO apps, including adding personal accounts, creating tabbed collections, and even configuring specific apps to launch automatically when he or she first logs in to the portal. A browser plug-in enables certain functionality, such as password vaulting, and also provides direct links into SaaS apps without forcing the user to return to the SSO portal. If desired, admins can even allow certain self-service functionality, such as password resets, to flow back to AD.
MFA can be enabled in multiple forms, including Okta Identity Management's Verify mobile app, Google Authenticator, RSA SecurID, and several other options. Individual apps can be configured with sign-in policies that define who, where, and when MFA should be used. Sign-in policies can be created based on individual users or groups and on location (by Internet Protocol address), and MFA can be required at varying frequencies (e.g., every sign-in, once per session, once per week, only once, etc.) depending on the requirement. While we are enormous fans of having multiple configurable security policies, we do not like the fact that Okta Identity Management keeps them tied to the app. Ideally, you should be able to create individual policies and then apply them to users and apps, making the policy's constraints reusable and reducing administrative work.
Okta Identity Management's security capabilities have expanded in a couple of key areas since our last look at the service. Authentication policies can include references to Mobile Device Management (MDM) registration status, ensuring mobile devices meet the required corporate security posture, including device lock requirements or device encryption. Okta Identity Management's Zones feature allows you to configure fine-grained, location-based policy triggers: you can specify Internet Protocol address ranges; geographic locations such as countries, states, or provinces; and even check for anonymizers and proxy services such as Tor. For companies still hosting apps that support critical business processes locally, Okta has partnered with F5 Networks to offer authentication to apps hosted on-premises. This functionality is clearly tailored toward larger businesses, as F5 appliances are designed for load balancing large-scale apps and are priced accordingly.
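The sign-in policy and Zones features described in the two paragraphs above combine into a small rules engine: zones classify the request by IP range, country or anonymizer status, and ordered rules scoped to groups and zones decide between allow, MFA (at some frequency) and deny, with MDM registration as an extra gate. Here is an added example of that evaluation (not Okta's code, and not a statement of how Okta orders or defaults its own rules): the zone and rule definitions, the sample attempts, the fail-closed default when no rule matches and the function names are constructed assumptions.

```python
"""Sign-in policy evaluation against network zones (added example, not Okta code).
Zones, rules, the fail-closed default and the sample attempts are constructed for illustration."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Zone:
    """A network zone: matches by CIDR, by country, or by anonymizer/proxy flag."""
    name: str
    cidrs: list[str] = field(default_factory=list)
    countries: set[str] = field(default_factory=set)
    anonymizer: bool = False  # True: zone matches traffic flagged as Tor/proxy

    def matches(self, ip: str, country: str, is_anonymizer: bool) -> bool:
        addr = ipaddress.ip_address(ip)
        if any(addr in ipaddress.ip_network(c) for c in self.cidrs):
            return True
        if country in self.countries:
            return True
        return self.anonymizer and is_anonymizer


@dataclass
class Rule:
    """One ordered rule in an app's sign-in policy (first match wins)."""
    name: str
    groups: set[str] | None        # None: applies to everyone
    zones: set[str] | None         # None: any network
    action: str                    # "allow", "mfa" or "deny"
    mfa_every: timedelta | None = None  # with "mfa": None means prompt on every sign-in
    require_mdm: bool = False      # deny if the device is not MDM-registered


@dataclass
class Attempt:
    """What the policy engine knows about one sign-in attempt."""
    user_groups: set[str]
    ip: str
    country: str
    is_anonymizer: bool
    mdm_registered: bool
    last_mfa: datetime | None
    now: datetime


def evaluate(rules: list[Rule], zones: dict[str, Zone], a: Attempt) -> tuple[str, str]:
    """Return (decision, rule name). First matching rule decides; no match denies (fail closed)."""
    zone_hits = {z.name for z in zones.values() if z.matches(a.ip, a.country, a.is_anonymizer)}
    for r in rules:
        if r.groups is not None and not (r.groups & a.user_groups):
            continue
        if r.zones is not None and not (r.zones & zone_hits):
            continue
        if r.action == "deny":
            return "deny", r.name
        if r.require_mdm and not a.mdm_registered:
            return "deny", r.name
        if r.action == "mfa":
            fresh = (a.last_mfa is not None and r.mfa_every is not None
                     and a.now - a.last_mfa < r.mfa_every)
            return ("allow" if fresh else "mfa"), r.name
        return "allow", r.name
    return "deny", "implicit-deny"


# Constructed zones and policy for one hypothetical app. Deny rules are listed first on purpose:
# a request from the corporate range that is also flagged as an anonymizer must still be blocked.
ZONES = {
    "corp": Zone("corp", cidrs=["203.0.113.0/24"]),
    "blocked": Zone("blocked", countries={"KP"}, anonymizer=True),
}
RULES = [
    Rule("block-anonymizers-and-embargoed", None, {"blocked"}, "deny"),
    Rule("admins-always-mfa", {"Admins"}, None, "mfa"),
    Rule("corp-network-weekly-mfa", None, {"corp"}, "mfa", timedelta(days=7)),
    Rule("remote-mdm-mfa", None, None, "mfa", require_mdm=True),
]

# Constructed sample attempts.
NOW = datetime(2024, 5, 1, 9, 0)
CORP_USER = Attempt({"Engineering"}, "203.0.113.40", "US", False, False, NOW - timedelta(days=2), NOW)
CORP_USER_STALE = Attempt({"Engineering"}, "203.0.113.40", "US", False, False, NOW - timedelta(days=10), NOW)
ADMIN_ON_CORP = Attempt({"Admins"}, "203.0.113.41", "US", False, True, NOW - timedelta(minutes=5), NOW)
CORP_IP_VIA_TOR = Attempt({"Engineering"}, "203.0.113.42", "US", True, True, None, NOW)
REMOTE_NO_MDM = Attempt({"Engineering"}, "198.51.100.7", "NL", False, False, None, NOW)
REMOTE_WITH_MDM = Attempt({"Engineering"}, "198.51.100.7", "NL", False, True, NOW - timedelta(days=1), NOW)

if __name__ == "__main__":
    for label, attempt in [("corp user", CORP_USER), ("corp user, stale MFA", CORP_USER_STALE),
                           ("admin on corp", ADMIN_ON_CORP), ("corp IP via Tor", CORP_IP_VIA_TOR),
                           ("remote, no MDM", REMOTE_NO_MDM), ("remote, MDM", REMOTE_WITH_MDM)]:
        print(f"{label:22s} -> {evaluate(RULES, ZONES, attempt)}")
```

Two points the example makes that the feature description alone does not: rule order matters (the deny rule must precede the corporate allow-with-weekly-MFA rule, or a Tor exit inside the corporate range would sail through), and the "once per week" frequency is a property of the rule, which is exactly why policies tied to individual apps force you to restate it per app.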
Reporting
Last time we looked at Okta Identity Management, we dinged it somewhat for the lack of a comprehensive reporting solution. Okta has made major strides in this area, adding a suite of canned reports covering categories such as app usage, authentication requests, deprovisioning, MFA usage, and suspicious activity.
In addition to the canned reports, Okta Identity Management's system log is easy to work with. Pre-built views give you a solid starting point for most scenarios, filtering log events down to specific categories. Date/time filters, a text search, and a timeline view let you quickly narrow things further. Once narrowed down to a manageable set of events, each line can be expanded to view details such as the individual involved in the event, the target and outcome of the event, information about the device and client software, and even geographic information down to a latitude and longitude. Speaking of location-based data: The event log offers a map view that breaks down where the events in your data set occurred, which can let you spot where fraudulent authentication requests are originating. That, in turn, lets you take appropriate measures to reduce the risk of a compromise.
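The paragraph above describes the manual workflow: filter by category and outcome, narrow by time, then look at where the events come from. Here is an added example (not Okta code and not real log data) that does the same triage over a handful of constructed sign-in events, one JSON object per line, and then goes one step further than the map view by flagging source IPs whose failures touch several different accounts, the shape of a password-spraying attempt. The field names loosely follow a system-log style (eventType, outcome.result, actor.alternateId, client.geographicalContext) but the events, the threshold and the function names are all constructed assumptions for illustration.

```python
"""Triage of constructed sign-in events (added example; not Okta code, not real log data).
The event shape, records, threshold and function names are constructed for illustration."""
import json
from collections import Counter, defaultdict

# Constructed sample events, one JSON object per line, as an exported log view might look.
# The non-JSON line stands in for an export glitch so the parser's handling of it is exercised.
SAMPLE_LOG = """\
{"published": "2024-05-01T08:00:12Z", "eventType": "user.session.start", "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "dana@example.com"}, "client": {"ipAddress": "203.0.113.40", "geographicalContext": {"country": "US", "city": "Denver", "geolocation": {"lat": 39.74, "lon": -104.99}}}}
{"published": "2024-05-01T08:01:03Z", "eventType": "user.session.start", "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"}, "actor": {"alternateId": "dana@example.com"}, "client": {"ipAddress": "198.51.100.7", "geographicalContext": {"country": "NL", "city": "Amsterdam", "geolocation": {"lat": 52.37, "lon": 4.9}}}}
{"published": "2024-05-01T08:01:09Z", "eventType": "user.session.start", "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"}, "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "198.51.100.7", "geographicalContext": {"country": "NL", "city": "Amsterdam", "geolocation": {"lat": 52.37, "lon": 4.9}}}}
this line is not JSON and stands in for an export glitch
{"published": "2024-05-01T08:01:15Z", "eventType": "user.session.start", "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"}, "actor": {"alternateId": "bob@example.com"}, "client": {"ipAddress": "198.51.100.7", "geographicalContext": {"country": "NL", "city": "Amsterdam", "geolocation": {"lat": 52.37, "lon": 4.9}}}}
{"published": "2024-05-01T08:02:40Z", "eventType": "user.session.start", "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"}, "actor": {"alternateId": "dana@example.com"}, "client": {"ipAddress": "192.0.2.9", "geographicalContext": {"country": "US", "city": "Denver", "geolocation": {"lat": 39.74, "lon": -104.99}}}}
{"published": "2024-05-01T08:03:01Z", "eventType": "user.authentication.sso", "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "203.0.113.41", "geographicalContext": {"country": "US", "city": "Denver", "geolocation": {"lat": 39.74, "lon": -104.99}}}}
"""


def parse_events(text):
    """Parse one JSON event per line. Malformed lines are counted and skipped, not fatal."""
    events, bad = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            bad += 1
    return events, bad


def filter_events(events, event_type=None, result=None):
    """Narrow events by category and outcome, like a pre-built log view."""
    return [e for e in events
            if (event_type is None or e.get("eventType") == event_type)
            and (result is None or e.get("outcome", {}).get("result") == result)]


def by_location(events):
    """Count events per (country, city): the data a map view is drawn from."""
    counts = Counter()
    for e in events:
        geo = e.get("client", {}).get("geographicalContext", {})
        counts[(geo.get("country", "?"), geo.get("city", "?"))] += 1
    return counts


def spray_suspects(events, min_users=3):
    """Source IPs whose failed sign-ins touch at least min_users distinct accounts.
    One IP against many users is the password-spraying shape; one IP against one user is usually a typo."""
    users_by_ip = defaultdict(set)
    for e in filter_events(events, result="FAILURE"):
        users_by_ip[e["client"]["ipAddress"]].add(e["actor"]["alternateId"])
    return {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) >= min_users}


if __name__ == "__main__":
    events, bad = parse_events(SAMPLE_LOG)
    failures = filter_events(events, event_type="user.session.start", result="FAILURE")
    print(f"{len(events)} events parsed, {bad} skipped, {len(failures)} failed sign-ins")
    for (country, city), n in by_location(failures).most_common():
        print(f"  {country}/{city}: {n}")
    print("spray suspects:", spray_suspects(events))
```

On the constructed data the location breakdown already points at Amsterdam, but the per-IP view is what separates the one address trying three different accounts from the Denver user who simply mistyped a password; that distinction is what decides whether the response is a Zone block or a helpdesk ticket.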
Pricing
Okta Identity Management's pricing structure is less about tiers and more about the features your organization needs. Okta IM's Universal Directory, which provides the ability to manage identities sourced from multiple apps or directories, runs a very affordable $1 per user per month. SSO, which is required for handling authentication to apps and enforcement of password policies, costs an additional $2 per user per month. Access requests, group membership rules, provisioning features, and deprovisioning workflows are all part of the $4-per-user-per-month lifecycle management product. The MFA and mobility management products cost an additional $3 (to start) and $4 per user per month, respectively. Some features, such as the basic user store, some reporting, and IP/app policies, are included with all products at no extra cost. Okta Identity Management also supports SSO and provisioning to one cloud app (including Microsoft Office 365 or Google's G Suite) for free via Okta Cloud Connect.
Our two real points of hesitation at this point are the lack of a fully supported consumer IDaaS offering and the decision to partner with F5 Networks for authentication to on-premises apps. F5's core business is companies with large app deployments that need to load-balance between multiple servers and multiple sites. The use case, as well as the pricing, puts this solution well out of reach for many small or midsize businesses (SMBs). We are less concerned about Okta IM's consumer-facing features, as all indications are that Okta will be a strong rival in this arena once the Social Authentication product is launched.
Okta Identity Management has a solid reputation in the IDaaS field, and its service backs it up. Its robust support for multiple identity providers, together with how well it does everything else expected from an IDaaS solution, pushes Okta IM to the top of the list. In particular, Okta Identity Management's ability to fine-tune how attributes move between your directories and cloud services is impressive. It's enough to put Okta Identity Management at the top for an Editors' Choice in this IDaaS review roundup.