Ask HN: Is there still a reason to use Okta for SSO? Okta vs. Google SSO
Is there even a reason to use Okta SSO?
Every company actively decides at some point in time how employees shall log in to SaaS vendors. The typical answer for early stage companies is Google SSO, whereas later stage companies tend to switch to Okta SSO.
In the early SSO days Okta was the best option to get MFA and granular controls. However, nowadays Google is offering 2FA as well. It’s also often the default option with many SaaS vendors and therefore neither requires manually setting up SSO nor requires an enterprise subscription (see [sso.tax](http://sso.tax) for reference).
Therefore, why do you believe people should still use Okta?
- Is the biggest reason to use Okta their SCIM-Provisioning, RBAC etc.?
- Are there any limitations in Google Workspace that only Okta solves?
- Or for the Google folks out there: What’s the reason you are sticking with Google SSO?

My company has been an Okta customer for several years and I'm responsible for administering it. However, I don't have experience with other SSO products, so I would be interested to hear what the experience is like on the other side. The key thing for me is SCIM provisioning support, but not just that. There are quite a few apps that don't support SCIM, but Okta has built integrations for them anyway using API keys, etc. I understand you can build your own via Okta workflows also but I haven't done this. We have oversight of all accounts linked to a given user, even if SSO is not supported by the service. Deprovisioning a user creates a task list of what should be manually eliminated also, which is great for our admin staff. It interacts with Intune via SCEP so we can know that logins are coming from a trusted corporate device. This is mandated by some of our larger clients. <potential-naivety>The final thing I like is that a large part of Okta's business is their IDP software (vs their Auth0 competitor they don't use). I do like specialist businesses for something like this. The software is less likely to end up in maintenance mode if it's not one product line out of hundreds.</potential-naivety>

For personal projects I've been quite happy with Auth-0. I was initially worried when Okta purchased them, but not much has changed. The bar for entry and integration is one of the lowest out there but it's not what I would call the "enterprise" friendly choice from a capabilities standpoint.

Large clients I work with are all Okta or Ping backed by AD. Literally none of them considered Google.

I don't see why anyone would ever use Google anything for a business critical use. They seem allergic to providing customer support for anything other than advertising.
Entirely anecdotal, but we've been using Google Workspace since it was called Google Apps and my experiences with their customer support have been fairly positive. At one point, I had a rep chat with me for about 45 minutes trying to figure out a bizarre problem, then we figured out that it was likely something outside of Google's control and instead of saying "we can't help with that", he set up a call about an hour later with an engineer and himself so we could verify. Turned out to be a DNS misconfiguration (a TXT record was double quoted from what I recall), but we struggled to figure that out and after a 30 minute call, we had it fixed and they emailed me a week later saying they had updated both internal and public support docs to include my edge case and had introduced a more descriptive error. It's not the best support I've received in the IT sector (Linode has always been my favorite for that; I worry Akamai will ruin that though), but it was pretty close.

Sorry to go against the stream but I have to say that they do have customer support for some businesses. They wouldn’t be the third cloud provider without that.

Well, yes, but lack of support is the best-case scenario; the worst case is their tendency to abandon products entirely and on short warning.

The worst case is locking you out of your account with no recourse.

Many such cases

To be fair, they do provide support including live chat if you have a Google Workspace (previously called G Suite) subscription. There is no support if you are on free Gmail.

Not if an automated system has incorrectly banned you

I used to pay Google around $5/month for a single-user G Suite business account. As of a few years ago the support was surprisingly good. I could even call them about issues outside the scope of G Suite, like Google Play Store region setting bugs.

They are fine as an enterprise vendor. Chill out about Google Reader or whatever.

Two things jump to mind:

* Okta has customer service people. So if there are issues, you can get help.
* SSO is Okta's main business, as opposed to a side hustle competing for attention with a gushing cash machine. That means they'll continue to move it forward.

I work for an Okta competitor, but those are the reasons that come to mind for me. That said, Google is great for companies up to a certain size and Okta isn't going to be cheap. But at some point you get what you pay for.

Nothing related to Okta vs Google SSO. But I think I can add my 2 cents on what people who are already using something like Okta will take into consideration before switching.

- Pricing: is it going to be significantly cheaper for the organisation in the long run? If not, it's not worth disrupting 100s of applications for 1000s of people, not to mention the overhead of tech ops setting this up for everyone for a few thousand dollars per year. But if the cost saving is in millions or 100s of thousands of dollars? Why not. I think then they can afford to disrupt the existing flow.
- Bandwidth to perform this migration: do we have enough room to do this? Chances are people are already fighting with the existing burning issues.
- Customer support

Okta is one of those companies that just dominates their niche. They're good enough and cheap enough that it's a no brainer. They're not going to go out of business and any SaaS that an organization might use will be supported. The upside of saving whatever handful of dollars per user you spend with Okta isn't worth the risk/hassle of switching away from what everyone else uses.

The anecdotes of Google locking out accounts make me distrust Google SSO. From memory: For an alleged violation on one Google service, all the other services were disabled too. For an alleged violation from one Google account, all the other accounts of the person were disabled too. All accounts of a company were disabled because of one employee's alleged misdeeds. I don't know whether Okta is good but my perception of all Google authentication is, and will always be, negative.

You can also ask Okta. They should be able to list tangible benefits. If they struggle to answer the question, you still get your answer anyway.

Google is unsurprisingly more convenient if you're already using Google Workspace.

I'd wager Google is only "more convenient" if you're pretty much exclusively using Google products and/or external services that already allowed personal/work accounts to authenticate via Google ...but even then - while GCP is [probably] the "best" big cloud vendor out there, they have a nasty reputation for being very hard to deal with

Few things:

- Okta is more enterprisey and complicated and works if you are a large company. It has now become one of those tools where the "no one gets fired for buying IBM" analogy can be applied. CIOs can justify Okta much faster than Google Workspace.
- Google Workspace is simpler but may lack some granular controls that Okta provides.

You got it right. Smaller companies are good enough with Google Workspace nowadays but larger ones need the "enterprise" stamp.

Do you have some examples on what granular controls are provided with Okta but missing with Google?

I believe Okta can integrate with payroll systems - new employee immediately gets access to all accounts. Not sure if Google can do this.

You want to enforce some more controls when you access critical things, such as AWS; you can't with Google. It has no granular controls. Otherwise it's much easier. We use JumpCloud though, it's a mix between and more comprehensible.

When talking about controls are you referring to provisioning? What are some examples for missing controls?

Pretty sure he means audit compliance, proper RBAC, etc

Hmm audit compliance? Google gives you a log of who logged in where, doesn't it? And with "proper RBAC" you mean that you can put somebody into the "Developer" role, hence he gets AWS, GCP, Datadog, right?

I don't know how extensive Google's logging is - heck, didn't even know they offered Enterprise SSO until a few days ago (every organization I know uses either Okta or M365/AD) :)

Proper RBAC is as granular as necessary, but no more

Proper RBAC also links everything needed by a certain role together

Merely knowing who logged in where and when, though, is not enough - you also need to know what they did while there (and that they did not do anything they were not supposed to be able to do (which links back to proper RBAC'ing))

CIS, HIPAA, FISMA, SOX, STIG and all the other alphabet soup compliance rules, frameworks, etc are a lot more extensive than just "who logged in where" :)

--------

See NIST's page on RBAC for some of this: https://csrc.nist.gov/Projects/Role-Based-Access-Control

Honestly the reason we went with Okta is because many vendors seem to support it and have help articles specifically for how to integrate with Okta vs just OIDC/SAML or general SCIM.

Google SSO does not support device passkeys such as Touch ID or Windows Hello. I'm sure that will change soon though

If you already have sysadmin skills what's wrong with self-hosting an IdP like Zitadel or Keycloak?

Because self-hosting mission-critical services that are not your business' core competency is almost always stupid

As just one example - 20 years ago it made sense for many businesses to self-host email

It has not made sense to do that for at least a decade

That is the reason why we also provide a cloud service with Zitadel. But it is important to us to let customers choose what they like more. Sometimes the gained control (and responsibility) when self-hosting might be crucial for the specific use-case.

Does it count if you use Okta to log in to Google?

Just use goauthentik.io, it's awesome.

TIL: Google offers enterprise SSO
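As an added example that is not from the thread or from any of the vendors named in it, this is one way to model the "proper RBAC" point raised above (roles bundle exactly the entitlements they need, and the audit question is not just who logged in but whether they did anything their roles do not allow) and run that check over audit events; the roles, users and log format are constructed assumptions:

```python
# Added example: a minimal role-based entitlement model plus an audit check that
# flags successful actions which fall outside every role the user holds.
from dataclasses import dataclass

# Role -> set of (app, action) entitlements. Each role bundles what it needs and
# no more. Hypothetical roles and apps, not any real tenant's configuration.
ROLES = {
    "developer": {("aws", "assume_role:dev"), ("gcp", "read_logs"), ("datadog", "view")},
    "finance": {("netsuite", "post_journal"), ("datadog", "view")},
}

# User -> roles held (constructed sample directory).
USER_ROLES = {"alice": {"developer"}, "bob": {"finance"}, "carol": set()}


@dataclass(frozen=True)
class AuditEvent:
    user: str
    app: str
    action: str
    outcome: str  # "success" or "failure"


def entitlements(user: str) -> set:
    """Union of the entitlements granted by every role the user holds."""
    return set().union(*(ROLES.get(r, set()) for r in USER_ROLES.get(user, set())))


def parse_line(line: str) -> AuditEvent:
    """Parse one key=value audit line in the constructed format used below."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return AuditEvent(fields["user"], fields["app"], fields["action"], fields["outcome"])


def find_violations(lines) -> list:
    """Return events where a user succeeded at an action no role of theirs allows.
    Failed attempts are not violations (the control held), though they are still
    worth alerting on separately."""
    events = [parse_line(line) for line in lines]
    return [e for e in events
            if e.outcome == "success" and (e.app, e.action) not in entitlements(e.user)]


# Constructed sample log; not real Okta or Google Workspace output.
SAMPLE_LOG = [
    "user=alice app=aws action=assume_role:dev outcome=success",
    "user=alice app=datadog action=view outcome=success",
    "user=bob app=aws action=assume_role:dev outcome=success",  # outside the finance role
    "user=bob app=netsuite action=post_journal outcome=success",
    "user=carol app=gcp action=read_logs outcome=failure",      # blocked: carol has no roles
    "user=carol app=gcp action=read_logs outcome=success",      # should not have been possible
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE_LOG):
        print(f"VIOLATION: {v.user} performed {v.action} on {v.app}")
```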