Comment by p_ing
19 hours ago
Running your own local AuthN/AuthZ is more than just 'install it on a box in the closet'. I don't blame anyone for letting one of the giants do this on their behalf -- they have the expertise, though I agree I wouldn't touch Okta.
Running your own AuthN/AuthZ with an off-the-shelf OSS is very straightforward (as a SaaS product at least) and isn't any more burdensome from a security perspective than what you're already doing for your core service.
This isn't email.
Running Active Directory is as easy as it gets. Protecting the Golden Ticket is not.
For your average enterprise it really is that simple. Register some IDPs. Connect a backend. Add some clients over time.
Yes, you need someone to wear the IAM admin hat. But once you get it configured and running it requires 0.1 FTE or less (likely identical to whatever your Okta admin would be). Not worth 6+ figures a year and exposure to Okta breach risk.
No, it isn't "simple". Protecting your IdP is critical and not easy.
Yes, creating a SAML integration is easy, but that's only one piece of the puzzle.
Paying Azure a little bit to run an AD instance for you, IF you need to run your own IDP (a big if), is not a bad play and does not prevent you from saving lots of money by not using a dubious product like Okta.