Comment by pphysch

19 hours ago

Sadly many people will spend a million dollars to use Okta for their 10,000 logins/day (read: <1 tps) instead of running their own Keycloak or Authentik or whatever.

OIDC is not scary, and advanced central authorization features (beyond group memberships) are a big ole YAGNI / complexity trap.

Running your own local AuthN/AuthZ is more than just 'install it on a box in the closet'. I don't blame anyone for letting one of the giants do this on their behalf -- they have the expertise, though I agree I wouldn't touch Okta.

  • Running your own AuthN/AuthZ with an off-the-shelf OSS is very straightforward (as a SaaS product at least) and isn't any more burdensome from a security perspective than what you're already doing for your core service.

    This isn't email.

    • Running Active Directory is as easy as it gets. Protecting the Golden Ticket is not.

  • For your average enterprise it really is that simple. Register some IDPs. Connect a backend. Add some clients over time.

    Yes, you need someone to wear the IAM admin hat. But once you get it configured and running it requires 0.1 FTE or less (likely identical to whatever your Okta admin would be). Not worth 6+ figures a year and exposure to Okta breach risk.

    • No, it isn't "simple". Protecting your IdP is critical and not easy.

      Yes, creating a SAML integration is easy, but that's only one piece of the puzzle.


The workload to run Authentik locally is about identical to the workload to set up and configure Okta. (Or you could just find someone who will host Authentik for you, if deploying a container is too hard for you.)