Okta vs Pomerium

Okta brands itself as the world’s #1 identity SaaS platform, and it’s a great identity provider (IdP) for authentication purposes. They provide:

  • Single Sign-On (SSO)

  • Multi-factor Authentication (MFA)

  • Advanced Server Access

  • and more in the identity-awareness space.

Their cloud-based platform provides a centralized authentication method for companies to manage and secure user authentication into applications, websites, web services, and devices.

Okta
Pomerium
Similar solution
Context-aware gateway
Device Identity Provider
No, but integrates with all the major SSOs.
Open Source
Policy Descriptions
Can support a variety of rules.
Can support complex rules.
Continuous verification

Our Recommendation

Okta’s identity management, while impressive, covers only the authentication aspect of a full zero trust architecture. Okta is best used with Pomerium to provide authorization per request, the other main component of what makes for good zero trust architecture.

Use Cases

  • User identification — Okta’s platform provides strong identity-aware centralized access to upstream services.

  • Identity verified for all users — A good SSO and MFA enforcement point.

Strengths

  • Oh, we know them! — SSO identity provider for authenticating access to your internal services and applications.

  • One IdP for modern apps — This one IdP authenticates users, giving them an access token to traverse your internal ecosystem.

  • One standard to rule them all — Okta has a strong influence on the open standards related to authentication.

Weaknesses

  • No proxy, no protection — Okta’s not being a proxy means the applications it oversees access to are exposed to direct connections from any source, increasing unintended attack surface area for the applications you want to protect.

  • A plague upon thee — Okta’s software must be set up on every server the platform manages access to. Setup is complex and each cluster must be maintained. Also, Okta’s client is CLI-only, which may stress non-developer users.

  • The birds have been at the breadcrumbs — Audit logs cover only SSH and do not cover RDP.

  • No baggage please — Okta does not support your legacy applications that are not built to support modern SSO tech. Only Pomerium secures all legacy applications.

  • Mileage efficiency decreases at scale — Okta’s pricing is per server, which increases costs for organizations with high usage.

© 2024 Pomerium. All rights reserved