This week I was at Oktane, the conference put on by Okta, the identity and access management (IAM) as-a-service vendor.
This is the first time I’ve written about Okta, but I’ve been following them for a while since identity is an increasingly important part of EMM. Okta also started an MDM service a year ago.
Today I'll introduce Okta for readers who might not be familiar with them, and go over their new announcements. Read on—they’re doing a lot of interesting things. (Also for more interesting reading, check out their Businesses at Work report from earlier this year.)
IAM—these days it’s more than just SSO
Federated identity and single sign on (especially using SAML) are probably the first thing you think about with IAM companies like Okta, but there’s a lot more to it than that.
But of course federation, SSO, and SAML are a huge part of what Okta does, and they support about 550 SAML-enabled applications. For apps that don’t support SAML, they do password vaulting (a nicer term for stuffing a stored password into the app’s login form). The security-relevant difference is that with SAML the app never receives a reusable secret, while with vaulting Okta is holding a password that still works against the app directly, so vaulted apps should be treated as weaker than federated ones. They’re also working on support for OpenID Connect, a protocol that’s better suited to mobile devices, devices that don’t have browsers, and IoT.
After federation and SSO, one of the next big frontiers in identity is the ability to provision user accounts in cloud applications. This has been a part of the identity conversation for a while, but the reality is that making it work just takes a lot of time and effort. There are standards (SCIM being the main one) that can be used to do basic provisioning, but more advanced integrations are often done manually. Some SaaS ISVs have provisioning APIs, and Okta will integrate with these when possible. To encourage more ISVs to support provisioning, at Oktane Okta announced an SDK that ISVs can use to build provisioning APIs.
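To make the provisioning-API side of this concrete, here is an added example (not Okta’s SDK or any ISV’s real code) of the kind of endpoint a SaaS ISV exposes for an identity provider to drive: a minimal SCIM 2.0 /Users service with an in-memory store. The dispatcher takes the already-decoded HTTP method, path and JSON body so the protocol semantics can be exercised without a web framework; the store, the attribute set and the session-revocation bookkeeping are constructed for illustration. Two details practitioners tend to get wrong are shown: a duplicate userName must come back as a 409 with scimType "uniqueness" (RFC 7644), and setting active to false is only a real deprovisioning if the app also kills the user’s live sessions and tokens.

```python
"""Minimal SCIM 2.0 /Users service as a SaaS ISV might expose to an IdP.

Constructed example: in-memory store plus a dispatcher over (method, url, body).
Not Okta's SDK and not tied to any real endpoint.
"""
import re
import uuid
from urllib.parse import parse_qs, urlsplit

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
PATCHABLE = ("active", "emails", "name")


class ScimUserStore:
    def __init__(self):
        self.users = {}               # id -> SCIM User resource
        self.session_revocations = set()  # ids whose live sessions were killed (stand-in for real revocation)

    def _error(self, status, detail, scim_type=None):
        body = {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}
        if scim_type:
            body["scimType"] = scim_type
        return status, body

    def _find_by_username(self, user_name):
        # userName is case-insensitive per the SCIM core schema
        for u in self.users.values():
            if u["userName"].lower() == user_name.lower():
                return u
        return None

    def handle(self, method, url, body=None):
        """Route one request; returns (http_status, json_body)."""
        parts = urlsplit(url)
        path = parts.path.rstrip("/")
        if path == "/Users":
            if method == "POST":
                return self.create(body)
            if method == "GET":
                return self.list(parse_qs(parts.query).get("filter", [None])[0])
        m = re.fullmatch(r"/Users/([^/]+)", path)
        if m:
            if method == "GET":
                return self.get(m.group(1))
            if method == "PATCH":
                return self.patch(m.group(1), body)
        return self._error(404, "Resource not found")

    def create(self, body):
        if not body or USER_SCHEMA not in body.get("schemas", []) or "userName" not in body:
            return self._error(400, "userName and the core User schema are required", "invalidValue")
        if self._find_by_username(body["userName"]):
            # RFC 7644: a uniqueness conflict is 409 with scimType "uniqueness"
            return self._error(409, "userName already exists", "uniqueness")
        user = {
            "schemas": [USER_SCHEMA],
            "id": str(uuid.uuid4()),
            "userName": body["userName"],
            "active": bool(body.get("active", True)),
            "emails": body.get("emails", []),
            "name": body.get("name", {}),
        }
        self.users[user["id"]] = user
        return 201, user

    def get(self, user_id):
        user = self.users.get(user_id)
        return (200, user) if user else self._error(404, "User not found")

    def list(self, scim_filter):
        # Only the filter shape an IdP uses to check whether an account already exists
        resources = list(self.users.values())
        if scim_filter:
            m = re.fullmatch(r'userName\s+eq\s+"([^"]*)"', scim_filter.strip())
            if not m:
                return self._error(400, "Unsupported filter", "invalidFilter")
            u = self._find_by_username(m.group(1))
            resources = [u] if u else []
        return 200, {"schemas": [LIST_SCHEMA], "totalResults": len(resources),
                     "startIndex": 1, "itemsPerPage": len(resources), "Resources": resources}

    def patch(self, user_id, body):
        user = self.users.get(user_id)
        if not user:
            return self._error(404, "User not found")
        if not body or PATCH_SCHEMA not in body.get("schemas", []):
            return self._error(400, "PatchOp schema required", "invalidSyntax")
        for op in body.get("Operations", []):
            if op.get("op", "").lower() != "replace":
                return self._error(400, "Only replace is supported here", "invalidValue")
            # Both legal forms: {"path": "active", "value": false} and {"value": {"active": false}}
            values = {op["path"]: op["value"]} if "path" in op else dict(op.get("value", {}))
            for attr, val in values.items():
                if attr not in PATCHABLE:
                    return self._error(400, f"Attribute {attr} is not patchable", "invalidPath")
                if attr == "active" and user["active"] and val is False:
                    # Deprovisioning is incomplete until existing sessions/tokens are revoked
                    self.session_revocations.add(user_id)
                user[attr] = val
        return 200, user
```

The IdP’s side of the conversation is the mirror image: look the user up by filter, POST if absent, PATCH active=false on offboarding, and treat anything other than the expected 2xx/409 as a provisioning failure to alert on.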
When all of these provisioning integrations are in place, the results are pretty slick. Okta demonstrated how user identities and account changes can be synchronized all over the place, including in Active Directory, in Okta, and in other apps. The flip side matters just as much for security: when someone leaves, the same automation has to deactivate every downstream account, since orphaned SaaS accounts are exactly what manual provisioning tends to leave behind. Another big part of this is enabling users and non-IT staff to request and grant access to applications. On the back end, IT can create rules and workflows to make this happen automatically.
Adaptive multi-factor authentication is another focus area for Okta. They support a variety of factors (including the Okta Verify app), and they highlighted different variables that could be used to create policies, including network, location, user, group, and application. They’re planning to add more proactive automatic policies, like detecting impossible-travel scenarios (two sign-ins too far apart in distance for the time between them). They’re also working on new authentication factors like Touch ID, voice, and FIDO.
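The policy variables above, and the impossible-travel idea, are easy to state and fiddly to implement. The following is an added example written for this article, not Okta’s policy engine: a small evaluator that combines network, group, application, login-history and device-enrollment signals (the last one anticipates the managed-device requirement described in the mobility section below) into an allow/MFA/deny decision. The networks, group names, application names, coordinates and the 900 km/h plausibility threshold are all constructed for illustration.

```python
"""Adaptive MFA policy evaluation with an impossible-travel check.

Constructed example, not Okta's engine: the networks, groups, apps, speed
threshold and sign-in records are made up to show how contextual signals
combine into a step-up decision.
"""
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network
from math import asin, cos, radians, sin, sqrt
from typing import Optional

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # roughly a commercial flight; assumption

# Constructed policy inputs
CORPORATE_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]
HIGH_RISK_APPS = {"payroll", "admin-console"}
ALWAYS_MFA_GROUPS = {"admins", "finance"}
REQUIRE_MANAGED_DEVICE_APPS = {"office365"}


@dataclass
class SignIn:
    user: str
    groups: set
    app: str
    ip: str
    lat: float
    lon: float
    at: datetime
    device_managed: bool = False


@dataclass
class Decision:
    action: str                 # "allow", "mfa" or "deny"
    reasons: list = field(default_factory=list)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(prev: Optional[SignIn], cur: SignIn) -> bool:
    """True if the implied speed between two sign-ins exceeds the plausible maximum."""
    if prev is None:
        return False
    hours = (cur.at - prev.at).total_seconds() / 3600
    distance = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    if hours <= 0:
        # Same timestamp or clock skew: anything beyond one metro area is suspicious
        return distance > 50
    return distance / hours > MAX_PLAUSIBLE_SPEED_KMH


def on_corporate_network(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in CORPORATE_NETWORKS)


def evaluate(cur: SignIn, prev: Optional[SignIn] = None) -> Decision:
    """Combine contextual signals; any risk signal steps up to MFA, hard rules deny."""
    if cur.app in REQUIRE_MANAGED_DEVICE_APPS and not cur.device_managed:
        return Decision("deny", ["unmanaged device for an app that requires MDM enrollment"])
    reasons = []
    if impossible_travel(prev, cur):
        reasons.append("impossible travel since previous sign-in")
    if cur.groups & ALWAYS_MFA_GROUPS:
        reasons.append("privileged group")
    if cur.app in HIGH_RISK_APPS:
        reasons.append("high-risk application")
    if not on_corporate_network(cur.ip):
        reasons.append("off-network")
    if reasons:
        return Decision("mfa", reasons)
    return Decision("allow", ["trusted network, low-risk app, no anomalies"])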
Besides corporate identity management, Okta also works as a platform that companies can use to build identity into their own products, including consumer-facing applications. They talked about all sorts of customer case studies, like Adobe (identity in Creative Cloud); Etihad Airways (unifying frequent flier accounts among subsidiary airlines); and MGM Resorts (customer loyalty accounts).
This week Okta announced support for social identities (login with Facebook, Google, or LinkedIn), and new customizable social login widgets.
Okta Mobility Management
A year ago Okta expanded into mobile device management, and now they have over 100 customers on it. Among other things, they view it as a way to secure the SaaS apps in the “last mile” down to mobile devices.
Okta’s approach is based on MDM and the native mobile app management capabilities that are built into mobile operating systems these days. To that end, this week they announced support for Android for Work, as well as support for managed app configuration (an MDM-based MAM technique).
(This does limit them from some unmanaged-device use cases, but that’s a separate, long, and nuanced conversation. For now, their approach is good and pragmatic, and we’ll just have to wait and see how the EMM space evolves.)
This week Okta also announced MDM support for Mac OS X, and that Windows 10 MDM support will come next year. They’re also working on support for the Apple Volume Purchase Program and Device Enrollment Program.
Of course what makes Okta Mobility Management interesting is that it’s tightly coupled to Okta’s identity platform. This enables options like making mobile apps available to users when they get access to SaaS apps. It also enables more contextual access policies—today, Okta can require devices that access Office 365 to be enrolled in MDM; in the future they’ll expand this to all apps.
One of the more important features Okta is working on is certificate management. Certificates on MDM-enrolled devices can act as an authentication factor and be an alternative to usernames and passwords, making native mobile app SSO easier. The caveat is that the certificate only proves possession of a key on an enrolled device, so its value as a factor depends on the private key staying bound to that device and on the MDM enrollment that issued it being trustworthy.
In the meantime, Okta announced a few enhancements for mobile SSO:
- For web apps that aren’t SAML-enabled, Okta now has a Safari extension that can fill in username and password fields.
- Using a new iOS 9 feature called Safari View Controller, Okta can also let SAML-enabled apps share a single Okta session (Safari View Controller shares Safari’s cookies, including the one holding the Okta session), meaning that users don’t have to enter their username and password for every single login.
- On Android, Okta can use custom keyboards to fill in login details for managed apps that aren’t SAML-enabled.
Other observations from the Oktane conference
The identity and access management field is certainly very active, and there are others (including the likes of Microsoft, VMware, Centrify, and BlackBerry) that are also into converged IAM and mobility management.
Throughout the conference, Okta highlighted their independence and neutrality, as well as the breadth of their support for SAML apps and provisioning. But overall they didn’t spend too much time talking about the competitive landscape in the keynotes and general sessions—instead they concentrated on their bounty of new announcements, their ambitious roadmap, and customer references.