Okta vs Ping Identity – Deciding which solution is the right choice for my organization
Okta and Ping Identity are often compared when companies are looking for a platform to provide authentication and authorization services to their applications.
Helping select the right vendor for an organization’s specific needs is an important part of what our Advisory teams do at Integral Partners.
The Challenges Driving Adoption and Where to Start
Organizations of all sizes are confronting challenges resulting from the accelerated adoption of cloud-based technologies. As infrastructure, applications, services, and data move outside the network perimeter, enterprises must have a way to control access. Identity is the one common element in these scenarios: a user needs access to a resource. Most cloud-based vendors support Single Sign-On (SSO) protocols such as SAML and OAuth. These protocols can help organizations exert some control over third-party services by requiring that users sign in via a centralized platform.
Products in this space are typically referred to as Identity and Access Management (IAM) tools. These tools all provide the same basic SSO functionality but vary widely in cost, complexity, and advanced features. Organizations considering a purchase of one of these platforms should carefully assess their current and future requirements as well as more practical concerns such as the pricing model and implementation cost.
Every organization has unique requirements and constraints and each IAM solution has strengths and weaknesses. While there are dozens of IAM solution vendors, only a handful of established companies make up most of the market share. These solutions cover the vast majority of use cases and have built a reputation for reliability and security over many years. An organization considering an IAM solution should include these market leaders in their search.
Okta and Ping Identity are two of the most common IAM platforms in use today. Both offer rich feature sets that can be tailored to the needs of the organization. However, there are some key considerations that may make one of these products a better fit for your organization.
For example, a person adding a printer would be elevated for that one task and then the elevation would no longer apply. Monitoring is not as much of a concern, as the user is using their own credentials and not an administrator account, and the task is scoped by the PAM solution so that only that task is allowed. Because of the extensibility of these tools, they can also manage additional areas, such as controlling what applications can be installed and run.
Knowing the difference between IGA and Access Management
We often see that organizations confuse what they’ll get from an Access Management tool like Ping or Okta vs an IGA tool like Saviynt or SailPoint.
Identity Governance & Administration (IGA) is a platform to manage the lifecycle of a user, most often a workforce user rather than customers. IGA can automate the onboarding and offboarding of users, and provision access based upon approved requests. In addition, IGA can help with the user attestation of access, as well as manage the access request process itself.
Access Management (AM), on the other hand, is purpose-built to be the interface a user utilizes to authenticate and get access to the software they need in an organization. AM offers SSO and MFA, as well as an improved user experience with less friction. These users are often workforce but can just as often be customers.
Hosting Flexibility (Cloud vs Self-hosted)
Okta is a cloud-native platform. This is an excellent model for the SMB market and for organizations which primarily consume SaaS offerings. It is extremely easy to set up connections to these applications with Okta’s rich library and to quickly improve your user experience with streamlined SSO and MFA options. Custom or self-hosted applications can also be connected to Okta through use of industry standard protocols such as SAML and OAuth. Okta agents provide connectivity to existing identity stores such as Active Directory and provide some support for legacy applications which do not yet support modern SSO protocols. However, agents must connect out to the cloud, which can add some latency and security challenges in certain industries where self-contained environments are preferred.
Organizations with a large hosting footprint or strict regulatory requirements may benefit from a self-hosted or private cloud model. Ping supports these scenarios with highly flexible and customizable deployment options that include not just cloud, but on-premises solutions as well.
Self-hosting can reduce latency and provide an easier integration pathway to SSO for applications that do not have modern protocol support. It also reduces the number of agents required for installation and maintenance since the components can be placed within the same network. Ping offers a similar library of SaaS integrations to make onboarding applications easy, regardless of the hosting model, and a highly flexible policy engine for tailoring the user experience, including MFA.
Okta and Ping Identity Advanced Use Cases
Both Okta and Ping provide excellent features and will work equally well for the vast majority of enterprise use cases. However, there may be certain use cases where you need fine grained control over the authentication process.
For example, Ping allows fine grained control over risk scoring for adaptive authentication, which may ease issues for certain organizations where users are coming in from various network locations. In these cases, Ping typically has more options than Okta. Ultimately, if you have a use case that Okta cannot satisfy it is likely supported by Ping.
Identity Store Lock-in
Okta and Ping both provide secure, robust user databases with options to customize and adjust the attributes to meet your needs. However, it is not always necessary to store users at all. When you are allowing partner organizations via federation or you have legacy user stores, it may make sense to simply pass them through the IAM solution without storing their information. This is not possible with Okta, where each user must be represented in the Okta user store. This increases the likelihood that an organization will stick with Okta for subsequent rounds of licensing, but it does not necessarily provide value to the solution. Ping does not force you to use their user store and is extremely flexible in these scenarios.
Automation
Ping and Okta both offer a robust, low-code orchestration platform. With Okta, organizations can create workflows with a drag-and-drop style interface. Inputs and outputs are customizable, and advanced operations such as making a custom API call are possible. Thankfully, a rich library of pre-made workflow connections exists for most automation tasks, and low-level customization is typically not needed. The same can be said of Ping DaVinci, but its ecosystem is not as mature as Okta's.
While Okta indeed has the capabilities for fine-grained access, it is more difficult to set up and our experience is that the cost is higher. In the end, both solutions offer a catalog of integrations. Many of them overlap, but it is worth listing out your critical applications and comparing them with the catalog of each vendor to determine whether they have the ability to connect, as well as whether the authentication and authorization features you require are available for the integration. It is also worth noting that while Okta can cover many fine-grained access needs, Ping is more mature in this area, with a more expansive toolset for applying authorizations.
Passwordless
Going passwordless has gained increasing interest and momentum over the last year, with good reason. A password is a security problem, not a solution. Passwords have been shown to be the “weakest link” in security. Users re-use passwords, use easy to remember passwords that are then easier to hack, forget passwords, and store them in unsafe ways. There are better ways to authenticate users, and that is what Passwordless employs to improve the user experience as well as improve security.
While the Passwordless journey ultimately seeks removing passwords altogether (they would no longer be stored at all in user directories), it is a journey that can be started by introducing MFA and allowing users to authenticate with that MFA alone. The MFA itself can be implemented so that it covers multiple factors:
- Something you have, like your phone to receive a push notification
- Something you know, like the PIN or pattern on your phone
- Something you are, like your fingerprint or face used to unlock your phone
This change can be a huge improvement for users that are exhausted from seemingly endless password changes, copying and pasting passwords into web sites, and having to reset forgotten passwords. It is also worth mentioning the operational improvement: most help desks report that password resets are a significant portion of their support calls. Implemented correctly, this approach can drastically reduce or eliminate that call volume and allow the help desk to concentrate on solving other issues.
Okta and Ping’s approach to pricing and licensing
It is difficult to provide guidance around pricing for these vendors. Each has multiple modules based on use case needs, and each prices their modules differently. Frankly, the pricing can be hard to estimate, and the quotes are often more or less than expected.
With opaque pricing and many configuration options, the guidance we can give is to solidify your use cases and requirements first, so that you can engage each vendor for a planning quote that takes into account what you know about your needs at the time. That will give you an idea of cost for future decisions, and the quoted solution can be updated as your requirements evolve.
How we approach evaluating needs to find the best fit
Our approach to developing a recommendation is holistic: we gather use cases and requirements, build an understanding of the gaps in the environment that Access Management is intended to fill, and compare vendors against those gaps to find the best fit.
Our process for this follows this methodology:
- Identify key stakeholders that own or are part of the IAM processes (this list is often much larger than our clients expect. Many more people are involved in IAM than just IT)
- Interview these stakeholders, gather IAM processes, use cases, requirements, and current configurations
- Use this discovery to document and categorize the use cases, along with the gaps discovered
- Measure this documentation against the AM solutions, and analyze for best fit
- Make recommendations with notes on areas of concern for coverage as well as the modules needed to achieve AM objectives
This approach has allowed us to help many organizations find the best fit for their environment and specific user and IT needs.
Next Steps – A vendor-agnostic approach to picking the right tools and approach to fit your needs
Finding the best fit for your organization depends upon a lot of factors. There is no perfect solution, just the solution that is the best fit for your needs.
If you would like to talk to one of our Okta/Ping experts about your needs, we are happy to have a discussion.
Integral Partners also offers free workshops on a variety of IAM topics, including an overview of the Access Management space. Please reach out if you’re interested in discussing a workshop – we’re happy to help.