by jbverschoor 1372 days ago
Don’t offload authentication to third parties…

People didn’t learn their lesson from Facebook etc etc.


I’ll take SSO over manually logging into 8-10 company apps I use. If the team implementing an on-prem SSO/IDP solution has deep domain knowledge and sysadmin skills, go for it. Had issues before, and cloud-based providers like Okta were much better, IMHO.
If Windows didn't turn into a shit-show post-Windows 7 I would prefer Active Directory over all of this mess. Log in once with your password or smartcard and that auth magically works across all applications without ever seeing a login screen or dozens of redirects to do the SAML flow, at least for internal tools. For external stuff, SAML/OIDC is kind of a necessary evil I think (I'm not sure if there's anything preventing external tools from interoperating with Kerberos).
Sheesh the redirects. My HSA bank has the most I’ve ever seen, even Safari screams sometimes about too many redirects.

Can you use AD on Chrome in Windows to login to a web app? Would it be for internal apps only?

Windows 11 is so much superior to 7 in every way.
Modern Windows has great improvements at the kernel level and OS internals, but both the UI and the general direction of the product (more focused on media consumption, services and the “attention economy”) are a massive downgrade.
This is very different from Facebook. This isn't a company that also happens to provide auth to get more tracking for their main product. The auth is the main service for Okta, and it's used by people making decisions about whether they want to build this in-house or outsource it.
Sure it's their current offering. But they want to be an "Identity Platform". They have just proven they're a political platform too.

> Why are we blocking Users from access to Okta Service?
>
> In support of our customers’ and Okta’s existing contractual obligations with respect to U.S. export control laws, Okta customers are not permitted to access the Okta Service (including the Auth0 Platform) from Cuba, Iran, North Korea, Syria, the regions of Crimea, Luhansk or Donetsk without prior approval from the U.S. Government. This restriction applies even if a User is temporarily visiting any of the aforementioned regions.

Total utter bs. Next they will start filtering your business, customers, etc. Then just stop altogether, because there's always something not right within larger orgs.

> Can Okta handle these OFAC controls for me?
>
> As a Customer, you are responsible for ensuring your own compliance with applicable laws. As outlined in the Okta Master Subscription Agreement, you must use the Okta Service in compliance with applicable laws.

How can you be responsible if you don't have the power to make decisions anymore? If they think they know better, they should face the consequences when something goes wrong (some North Korean login, for example).

US export controls don't apply to other countries. Why don't they have foreign entities for this? Because even if they have, they don't want to, because they became a political vehicle. A political vehicle for the CEO who thinks he's smarter than anybody who has a different opinion or who wants more power/influence, or maybe some bribes, I mean lobbyists at the door.

These days everybody seems to be a politician, pro athlete, doctor, scientist, coder, entrepreneur, etc.

Todd McKinnon (CEO):

> https://twitter.com/toddmckinnon/status/1544046909307752448 Things about abortion, inclusive blabla, political stuff

> https://twitter.com/toddmckinnon/status/1539642789864312834 gov identity, political stuff

He seems to have been corrupted right after his gov talk.

W E A K

There are two problems here

1) let a third party handle authentication (Code)

2) let a third party handle authentication (SSO)

Number 1: don't do that.

Number 2: Only do that if you are in control of SSO, or if you are very certain you won't have problems contacting the provider (so not Google in this case).

> Only do that if you are in control of SSO

In reality: you do this if TCO of doing it internally < TCO of doing it externally + risk. There are quite a few people who estimate the risk is worth it.