Ask HN: Is there still a reason to use Okta for SSO? Okta vs. Google SSO

37 pointsmathiasn2y ago34 comments

Is there even a reason to use Okta SSO?

Every company actively decides at some point in time how employees shall login to SaaS vendors. The typical answer for early stage companies is Google SSO, whereas later stage companies tend to switch to Okta SSO.

In the early SSO days Okta was the best option to get MFA and granular controls. However, nowadays Google is offering 2FA as well. It’s also often the default option with many SaaS vendors and therefore neither requires manually setting up SSO nor requires an enterprise-subscription (see [sso.tax](http://sso.tax) for reference).

Therefore, why do you believe people should still use Okta?

- Is the biggest reason to use Okta their SCIM-Provisioning, RBAC etc.?

- Are there any limitations in Google Workspace that only Okta solves?

- Or for the Google folks out there: What’s the reason you are sticking with Google SSO?

34 comments

gtsteve2y ago

My company has been an Okta customer for several years and I'm responsible for administering it. However I don't have experience with other SSO products, so would be interested to hear what the experience is like on the other side.

The key thing for me is SCIM provisioning support, but not just that. There are quite a few apps that don't support SCIM, but Okta has built integrations for them anyway using API keys, etc. I understand you can build your own via Okta workflows also but I haven't done this.

We have oversight of all accounts linked to a given user, even if SSO is not supported by the service. Deprovisioning a user creates a task list of what should be manually eliminated also, which is great for our admin staff.

It interacts with Intune via SCEP so we can know that logins are coming from a trusted corporate device. This is mandated by some of our larger clients.

<potential-naivety>The final thing I like is that a large part of Okta's business is their IDP software (vs their Auth0 competitor they don't use). I do like specialist businesses for something like this. The software is less likely to end up in maintenance mode if it's not one product line out of hundreds.</potential-naivety>

tstrimple2y ago

For personal projects I've been quite happy with Auth-0. I was initially worried when Okta purchased them, but not much has changed. The bar for entry and integration is one of the lowest out there but it's not what I would call the "enterprise" friendly choice from a capabilities standpoint. Large clients I work with are all Okta or Ping backed by AD. Literally none of them considered Google.

TheCoelacanth2y ago

I don't see why anyone would ever use Google anything for a business critical use. They seem allergic to providing customer support for anything other than advertising.

apocalyptic0n32y ago

Entirely anecdotal, but we've been using Google Worksapce since it was called Google Apps and my experiences with their customer support have been fairly positive. At one point, I had a rep chat with me for about 45 minutes trying to figure out a bizarre problem, then we figured out that it was likely something outside of Google's control and instead of saying "we can't help with that", he setup a call about an hour later with an engineer and himself so we could verify. Turned out to be a DNS misconfiguration (a TXT record was double quoted from what I recall), but we struggled to figure that out and after a 30 minute call, we had it fixed and they emailed me a week later saying they had updated both internal and public support docs to include my edge case and had introduced a more descriptive error.

It's not the best support I've received in the IT sector (Linode has always been my favorite for that; I worry Akamai will ruin that though), but it was pretty close.

speedgoose2y ago

Sorry to go against the stream but I have to say that they do have customer support for some businesses. They wouldn’t be the third cloud provider without that.

kerblang2y ago

Well, yes, but lack of support is the best-case scenario; the worst case is their tendency to abandon products entirely and on short warning.

postsantum2y ago

The worst case is locking you out of your account with no recourse. Many such cases

codegeek2y ago

To be fair, they do provide support including live chat if you have Google Workspace (previous called GSuite) subscription. There is no support if you are on free gmail.

Macha2y ago

Not if an automated system has incorrectly banned you

iudqnolq2y ago

I used to pay Google around $5/month for a single-user g suite business account.

As of a few years ago the support was surprisingly good. I could call even call them about issues outside the scope of g suite, like Google play store region setting bugs.

Spooky232y ago

They are fine as an enterprise vendor. Chill out about Google Reader or whatever.

mooreds2y ago

Two things jump to mind:

* Okta has customer service people. So if there are issues, you can get help.

* SSO is Okta's main business, as opposed to a side hustle competing for attention with a gushing cash machine. That means they'll continue to move it forward.

I work for an Okta competitor, but those are the reasons that come to mind for me.

That said, Google is great for companies up to a certain size and Okta isn't going to be cheap. But at some point you get what you pay for.

funnyfoobar2y ago

Nothing related to Okta Vs Google SSO.

But I think I can add my 2 cents on why people who are already using something like Okta, will take into consideration before switching.

- Pricing, is it going to be significantly cheaper for the organisation in the long run?

If not it's not worth disrupting 100s of applications for 1000s of people, and not to mention the overhead of tech ops setting this up for everyone for a few thousand dollars per year.

But if the cost saving is in millions or 100s of thousands of dollars? why not .. i think then they can afford to disrupt the existing flow

- Bandwidth to perform this migration, do we have enough room to do this. Chances are people are already fighting with the existing burning issues.

- Customer support

treis2y ago

Okta is one of those companies that just dominates their niche. They're good enough and cheap enough that it's a no brainer. They're not going to go out of business and any SAAS that an organization might use will be supported. The upside of saving whatever handful of dollars per user you spend with Okta isn't worth the risk/hassle of switching away from what everyone else uses.

lovelearning2y ago

The anecdotes of Google locking out accounts makes me distrust Google SSO. From memory:

For an alleged violation on one Google service, all the other services were disabled too.

For an alleged violation from one Google account, all the other accounts of the person were disabled too.

All accounts of a company were disabled because of one employee's alleged misdeeds.

I don't know whether Okta is good but my perception of all Google authentication is, and will always be, negative.

monster_group2y ago

You can also ask Okta. They should be able to list tangible benefits. If they struggle to answer the question, you still get your answer anyway.

nitwit0052y ago

Google is unsurprisingly more convenient if you're already using Google workspace.

warrenm2y ago

I'd wager Google is only "more convenient" if you're pretty much exclusively using Google products and/or external services that already allowed personal/work accounts to authenticate via Google

...but even then - while GCP is [probably] the "best" big cloud vendor out there, they have a nasty reputation for being very hard to deal with

codegeek2y ago

Few things:

- Okta is more enterprisey and complicated and works if you are a large company. It has now become one of those tools where "no one gets fired for buying IBM" analogy can be applied. CIos can justify Okta much faster than Google Workspace.

- Google Workspace is simpler but may lack some granular controls that Okta provides.

You got it right. Smaller companies are good enough with Google Workspace nowadays but larger ones need the "enterprise" stamp.

PhLR2y ago

Do you have some examples on what granular controls are provided with Okta but missing with Google?

luminati2y ago

I believe okta can integrate with payroll systems - new employee immediately gets access to all accounts. Not sure if Google can do this.

CSDude2y ago

You want to enforce some more controls when you access to critical things, such as AWS, you can't with Google. It has no granular controls. Otherwise it's much easier. We use JumpCloud though, it's a mix between and more comprhensible.

PhLR2y ago

When talking about controls are you referring to provisioning? What are some examples for missing controls?

warrenm2y ago

Pretty sure he means audit compliance, proper RBAC, etc

1 more reply

atonse2y ago

Honestly the reason we went with okta is because many vendors seem to support it and have help articles specifically for how to integrate with Okta vs just OIDC/SAML or general SCIM.

kpollls2y ago

Google SSO does not support device passkeys such as Touch ID or Windows Hello. I'm sure that will change soon though

elevation2y ago

If you already have sysadmin skills what's wrong with self-hosting an IdP like Zitadel or Keycloak?

warrenm2y ago

Because self-hosting mission-critical services that are not your business' core competency is almost always stupid

As just one example - 20 years ago it made sense for many businesses to self-host email

It has not made sense to do that for at least a decade

ffo2y ago

That is the reason why we also provide a cloud service with zitadel.

But it is important to us to let customers choose what they like more.

Sometime the gained control (and responsibility) when self-hosting might be crucial for the specific use-case.

kalupa2y ago

does it count if you use Okta to log in to Google?

Mave832y ago

Just use goauthentik.io, it's awesome.

warrenm2y ago

TIL: Google offers enterprise SSO

j / k navigate · click thread line to collapse

34 comments

gtsteve2y ago

It interacts with Intune via SCEP so we can know that logins are coming from a trusted corporate device. This is mandated by some of our larger clients.

tstrimple2y ago

TheCoelacanth2y ago

I don't see why anyone would ever use Google anything for a business critical use. They seem allergic to providing customer support for anything other than advertising.

apocalyptic0n32y ago

It's not the best support I've received in the IT sector (Linode has always been my favorite for that; I worry Akamai will ruin that though), but it was pretty close.

speedgoose2y ago

Sorry to go against the stream but I have to say that they do have customer support for some businesses. They wouldn’t be the third cloud provider without that.

kerblang2y ago

Well, yes, but lack of support is the best-case scenario; the worst case is their tendency to abandon products entirely and on short warning.

postsantum2y ago

The worst case is locking you out of your account with no recourse. Many such cases

codegeek2y ago

To be fair, they do provide support including live chat if you have Google Workspace (previous called GSuite) subscription. There is no support if you are on free gmail.

Macha2y ago

Not if an automated system has incorrectly banned you

iudqnolq2y ago

I used to pay Google around $5/month for a single-user g suite business account.

As of a few years ago the support was surprisingly good. I could call even call them about issues outside the scope of g suite, like Google play store region setting bugs.

Spooky232y ago

They are fine as an enterprise vendor. Chill out about Google Reader or whatever.

mooreds2y ago

Two things jump to mind:

* Okta has customer service people. So if there are issues, you can get help.

* SSO is Okta's main business, as opposed to a side hustle competing for attention with a gushing cash machine. That means they'll continue to move it forward.

I work for an Okta competitor, but those are the reasons that come to mind for me.

That said, Google is great for companies up to a certain size and Okta isn't going to be cheap. But at some point you get what you pay for.

funnyfoobar2y ago

Nothing related to Okta Vs Google SSO.

But I think I can add my 2 cents on why people who are already using something like Okta, will take into consideration before switching.

- Pricing, is it going to be significantly cheaper for the organisation in the long run?

If not it's not worth disrupting 100s of applications for 1000s of people, and not to mention the overhead of tech ops setting this up for everyone for a few thousand dollars per year.

But if the cost saving is in millions or 100s of thousands of dollars? why not .. i think then they can afford to disrupt the existing flow

- Bandwidth to perform this migration, do we have enough room to do this. Chances are people are already fighting with the existing burning issues.

- Customer support

treis2y ago

lovelearning2y ago

The anecdotes of Google locking out accounts makes me distrust Google SSO. From memory:

For an alleged violation on one Google service, all the other services were disabled too.

For an alleged violation from one Google account, all the other accounts of the person were disabled too.

All accounts of a company were disabled because of one employee's alleged misdeeds.

I don't know whether Okta is good but my perception of all Google authentication is, and will always be, negative.

monster_group2y ago

You can also ask Okta. They should be able to list tangible benefits. If they struggle to answer the question, you still get your answer anyway.

nitwit0052y ago

Google is unsurprisingly more convenient if you're already using Google workspace.

warrenm2y ago

I'd wager Google is only "more convenient" if you're pretty much exclusively using Google products and/or external services that already allowed personal/work accounts to authenticate via Google

...but even then - while GCP is [probably] the "best" big cloud vendor out there, they have a nasty reputation for being very hard to deal with

codegeek2y ago

Few things:

- Google Workspace is simpler but may lack some granular controls that Okta provides.

You got it right. Smaller companies are good enough with Google Workspace nowadays but larger ones need the "enterprise" stamp.

PhLR2y ago

Do you have some examples on what granular controls are provided with Okta but missing with Google?

luminati2y ago

I believe okta can integrate with payroll systems - new employee immediately gets access to all accounts. Not sure if Google can do this.

CSDude2y ago

PhLR2y ago

When talking about controls are you referring to provisioning? What are some examples for missing controls?

warrenm2y ago

Pretty sure he means audit compliance, proper RBAC, etc

1 more reply

atonse2y ago

Honestly the reason we went with okta is because many vendors seem to support it and have help articles specifically for how to integrate with Okta vs just OIDC/SAML or general SCIM.

kpollls2y ago

Google SSO does not support device passkeys such as Touch ID or Windows Hello. I'm sure that will change soon though

elevation2y ago

If you already have sysadmin skills what's wrong with self-hosting an IdP like Zitadel or Keycloak?

warrenm2y ago

Because self-hosting mission-critical services that are not your business' core competency is almost always stupid

As just one example - 20 years ago it made sense for many businesses to self-host email

It has not made sense to do that for at least a decade

ffo2y ago

That is the reason why we also provide a cloud service with zitadel.

But it is important to us to let customers choose what they like more.

Sometime the gained control (and responsibility) when self-hosting might be crucial for the specific use-case.

kalupa2y ago

does it count if you use Okta to log in to Google?

Mave832y ago

Just use goauthentik.io, it's awesome.

warrenm2y ago

TIL: Google offers enterprise SSO

j / k navigate · click thread line to collapse