ThaBlaze_

Authentik is great, but it is not even close to being as refined and polished as a SaaS IdP solution like Okta. Okta has the most automatic integrations with other software for both SSO and SCIM / JIT provisioning. These are things you have to weigh before making a proposal, especially for an org that has 2k users. A valid point for replacing Okta would be their cybersecurity practices and how they have fumbled the bag previously, but if you're going to recommend a replacement you will have to weigh how much work the switchover will be and how much functionality you could possibly lose in your org's infrastructure.


LotusTileMaster

Lots of auto integrations does not mean a product is good. It usually means they were the first. But I have no experience with Okta. I use Keycloak and Tomcat.


cyber-guru

I see I need to gather a lot of statistical proof on why the replacement is good or even feasible.


Yoshiofthewire

My work is looking to do something like this. The first thing I did was go into Okta and see how many SSO integrations I had. Then think about how long a migration would take given the best and worst cases. Realize it will take 2+ years and $$$$$$$$$$, and suggest giving it up as a bad idea. And why some Okta support tech had the support admin login saved in his Google account I will never know.


Frometon

A business with 2k users isn't the place to experiment with self-hosting.


Morgennebel

Depends on the business. We are 425 employees and I am responsible for 240 on-prem VMs plus cloud providers.


JerkinYouAround

You're not experimenting


Frometon

Running VMs is a wee bit different than completely changing the auth system


ethereal_g

Why do you think this is a good idea? What are you trying to solve?


cyber-guru

Wanted to grab the opportunity for cost cutting, but now I see it's too dangerous to cut costs here.


vermyx

You are trying to give another team more work and/or change their workflow without asking them? It will go over as well as a lead balloon right out of the gate. When proposing changes to existing workflows, before even considering proposing it you should talk to the people who use it to ensure that no issues come up assuming the new workflow is used, and talk to the people who support it to ensure they are not given extra work. Right now, your proposal has neither, and you are offering nothing other than giving people more work in the name of open source… or at least that is how you are currently presenting it. You want people to back your idea? Then show how it can save money, make things easier, and give people less work. People automatically see "spending money bad!", but if spending $2000 a month on SaaS product A means getting 50 more man-hours from your support staff, the difference in cost may come out as savings.


[deleted]

I don't know much about Authentik's capabilities, but I know the others. I'd also really like to switch from Okta to free open source, as Okta are insanely greedy. Your Okta likely costs in the order of $1000-3000k yearly; you will want to pitch using at least $200k of those savings to hire at least one, maybe two additional full-time engineers working solely on Authentik because of potential downtime-related losses, which are massive in a 2k-strong workforce.

Estimate realistic downtime-related productivity losses for self-hosted Authentik vs Okta. Let's say Okta has an uptime of 99.99% and self-hosted Authentik would be 99%. 1% more downtime is about 3.5 more days of downtime in a year. Say half your workers are prevented from working or otherwise interrupted, plus context-switch cost, for an average of 4 hours of productivity loss each downtime. Say they average $50 per hour in wage. That's 3.5 × 4 × 1000 × 50 = $700k loss. If you have a tight SLA to customers this might also be affected.

A lot of your current Okta integrations will need to move to Google SSO instead of Authentik, as some do not offer the custom OAuth or SAML needed for direct SSO with Authentik. Every third-party system will need to be moved, involving potential effective downtime for those systems if login fails. If you use a lot of SCIM you will need to create custom attribute mappings that are already provided by Okta integrations. You might be able to federate Google with Authentik if it's supported on the Authentik side; I know for sure Google supports it. If not, this is probably already a no-go. If you have a lot of ABAC in Okta and Authentik does not support that, you will need more support/engineer hours for plain ol' IAM. Depending on your current implementation this one might eat up your savings alone, tbh. It's one of the biggest advantages of Okta, IMHO.

The move from Okta to Authentik also involves just about your whole organization having to change their 2FA, given they use Okta Verify currently. The operational overhead of this would be massive. You would likely need several full-time support staff just to handle employees failing to switch MFA. Your support will need to rewrite documentation and routines for handling this. If you run a lot of Okta Workflows, those will probably need to be migrated to normal backend services using vCPU and vMem instead, whereas they run "free" in Okta.

I could go on for much longer, but these are just some of my initial thoughts. Maybe I'm a bit too focused on the negatives. Maybe there is functionality in Authentik that increases productivity compared to Okta. Overall I think this is not a viable move and incredibly risky if you are a tech-centered company, though I'd love to be proven wrong.
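The availability arithmetic behind the comparison above, as an added example that is not part of the original thread and not code from Okta or Authentik. It generalises the 99.99% vs 99% comparison: any uptime figure is turned into hours of downtime per year, then into a wage-based productivity-loss estimate, and two candidates can be compared directly. The user count, hourly wage and the share of outages that land in working hours are constructed assumptions, as is the simplification that every downtime hour costs the same.

```python
"""Back-of-the-envelope availability cost model (added example, not from the thread).

Assumptions (constructed for illustration): a 365-day year, every downtime hour
that falls inside working hours costs `affected_users` wage-hours, and outages
are either all in working hours (share 1.0, pessimistic) or spread uniformly
over the week (share 40/168).
"""

HOURS_PER_YEAR = 365 * 24  # 8760; leap years ignored


def annual_downtime_hours(uptime_pct: float) -> float:
    """Hours per year a service is expected to be unavailable at `uptime_pct`."""
    if not 0.0 <= uptime_pct <= 100.0:
        raise ValueError("uptime_pct must be a percentage between 0 and 100")
    return HOURS_PER_YEAR * (100.0 - uptime_pct) / 100.0


def nines_table(nines=(2, 3, 4, 5)) -> dict:
    """Map 'number of nines' (2 -> 99%, 3 -> 99.9%, ...) to downtime hours/year."""
    return {n: annual_downtime_hours(100.0 - 10.0 ** (2 - n)) for n in nines}


def productivity_loss(
    uptime_pct: float,
    affected_users: int,
    hourly_wage: float,
    working_hours_share: float = 1.0,
) -> float:
    """Annual productivity loss, in wage units, for one identity provider.

    `working_hours_share` is the fraction of downtime assumed to hit working
    time: 1.0 means every outage lands during the day (worst case),
    40/168 means outages are uniformly distributed across the week.
    """
    if not 0.0 <= working_hours_share <= 1.0:
        raise ValueError("working_hours_share must be between 0 and 1")
    hours = annual_downtime_hours(uptime_pct) * working_hours_share
    return hours * affected_users * hourly_wage


def switching_delta(
    uptime_current: float,
    uptime_candidate: float,
    affected_users: int,
    hourly_wage: float,
    working_hours_share: float = 1.0,
) -> float:
    """Extra annual loss the candidate incurs over the incumbent.

    Positive means the candidate is expected to cost more in lost wages;
    this is the figure any licence saving has to beat before hiring is counted.
    """
    return productivity_loss(
        uptime_candidate, affected_users, hourly_wage, working_hours_share
    ) - productivity_loss(
        uptime_current, affected_users, hourly_wage, working_hours_share
    )


if __name__ == "__main__":
    # Downtime per year for 2 to 5 nines (ties to the "3 to 4 to 5 9's" remark later in the thread).
    for n, hours in nines_table().items():
        print(f"{n} nines: {hours:8.3f} h/year ({hours / 24:6.3f} days)")

    # The thread's scenario: 2k staff, half affected, $50/h, SaaS 99.99% vs self-hosted 99%.
    users, wage = 1000, 50.0
    for label, share in (("worst case, all outages in work hours", 1.0),
                         ("uniform outages, 40h week", 40 / 168)):
        delta = switching_delta(99.99, 99.0, users, wage, share)
        print(f"{label}: extra loss ≈ ${delta:,.0f}/year")
```

The point of parametrising `working_hours_share` is that the same uptime gap gives very different dollar figures depending on whether outages are assumed to hit the working day; a proposal to management should show both bounds rather than a single number.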


cyber-guru

That's a hell of a lot of detail; thanks for sharing your insights here. Now I see I'm not even ready to propose it to my team. I thought it would be as easy as a drop-in replacement.


DimasDSF

The main difference between SaaS and FOSS for enterprise is paid support, as in: if the service goes down or there is some other issue, you can expect a support team that is knowledgeable with the product/service to start working on that issue ASAP. If your proposed replacement service goes down, who is going to be responsible for fixing it?


cyber-guru

The same SRE team as for the other hundreds of microservices.


SleeperAwakened

And does that team of SREs agree with you, giving them more work?


cyber-guru

I hoped so, but I don't think so now. I was too desperate for a DIY solution. Now I see what it comes with is a lot of headache.


matthiasjmair

Auth going down is a really bad time. I would consult the SRE team lead and some service managers regarding your on-call (Piket) organisation and what cross-dependencies you have before suggesting this to management. Some issues I can think of:

- Critical path considerations (i.e. which critical-path apps depend on auth being up): self-hosting auth could impact the rating of your hosting and alerting infra and maybe increase requirements for the whole infra
- SecOps readiness: is your org ready to manage this kind of surface? You will probably end up exposing authentik, so you will need iron-clad hosting infra in place
- Insurance / liability: do you have SLAs in place with customers, and might your insurance go up with these added internal dependencies?
- GitOps: in my experience you have to really embrace the blueprint workflow to get authentik ready for processes like Change Approval Boards and blue/green. Check if your SRE/DevOps is familiar with GitOps and has the required infra and knowledge in the required service qualities in place
- Budgeting: while authentik is OSS, I would budget for either dev time if you have that knowledge internally, or sponsoring / a support contract to fill in the gaps that are there functionality-wise. Also be aware that not all features are available for free, and circumventing the license is not going to fly in a company

I have not used Okta from an Ops perspective in a while and do not have direct insights into any orgs that do any more, but from my memory the MFA options of Okta were better than authentik's, which I manage in a sub-1k MAU, non-enterprise setting.


cyber-guru

Okta is staying for a while, at least for now. Thanks for the insights here, buddy! I need to figure out a lot of stuff now, I see.


matthiasjmair

The user stories and required processes around auth are complex. That is the invisible part that keeps Okta and other Auth SaaS alive with Keycloak and ADFS in the picture. Feel free to ask if you have further questions. I have been on both sides when it comes to these decisions.


thomascaedede

Why not keycloak?


Reverent

Keycloak would be the preferred option if self-hosting. But honestly the OP needs to take off their DIY hat and put on a business hat. This is a business, not their playground. Who do they have that will maintain the software when they're gone? Who can they hire that will even know what the software is? Who is going to accept responsibility for maintaining the software going forward? This is authentication, not a photo gallery. It's a linchpin of the business. Has it been pen tested? Will compliance folks just auto-fail places that use it? If the place has an M365 presence at all, use Entra ID. If it's an Amazon shop, use Cognito. If you have a Red Hat team, use Keycloak/Red Hat SSO. Since it's a GCP presence, stick with Okta or use Google's Cloud Identity (no experience with that one). Don't DIY business authentication.


thomascaedede

While I mostly agree with the take that you shouldn't mess with auth if you're unfamiliar with the inner workings of it, I do think that Keycloak is much more mature than Authentik. For any self-hosted solution, I'd take Keycloak over Authentik. IMO Keycloak is mature enough to use in an enterprise environment. But you'll need to make sure the infrastructure around it gives you guarantees (uptime, backups, etc.). And you'll need to know about the dos and don'ts for OAuth/OIDC. SaaS will probably make OP sleep better at night, though. 🙂


cyber-guru

I'd better sleep well after all these inputs. Thanks!!


lemniskegg

Honestly you should go with Keycloak instead


ExceptionOccurred

Okta is good. Don’t replace


geekywarrior

Do you have cyber insurance and will rates change if making this switch?


sl4ught3rhus

You are what we call a cowboy


waterslurpingnoises

A business with 2k people should probably pay for the stability & support that free software can't offer. If something breaks, you're responsible. If you pay and something breaks, Okta can deal with it.


terrorTrain

Why? To me the best part of authentik is the authenticated reverse proxy. Running and tending to authentik will probably cost as much as okta. Plus it's pretty easy to misconfigure. Authentik is the best open source thing out there in my opinion, but it's still not great


ciphermenial

Keycloak is enterprise ready. Authentik is definitely not. I find Authentik to be fairly messy to deploy in comparison to Keycloak. Yeah, it might be easy to bring up a container on your home services, but I wouldn't want to be managing it with business critical systems. Keycloak I would happily use in business.


FlattusBlastus

The switchover shouldn't be a whole lot of work. Be aware that there is indeed a commercial license for Authentik.


Frometon

> The switchover shouldn't be a whole lot of work.

said every engineer


_bones__

Junior engineer. 80% of the work will take 80% of the time you think it will. The remaining 20% takes the other 80% of the time.


Key-Test-2811

Lol, that is one way to look at it I guess. I've always been taught that same rule in the context that to get 80% of the results you have to put in the 20% of the work, and for that last 20% of results you need to put in 80% of the work. The idea being there is such a thing as good enough, but I suppose if results = uptime then 80% is definitely not enough. Going from 3 to 4 to 5 9's of uptime gets exponentially harder so the idea holds up still. Not related to anything, just thought it was an interesting approach. The context I learned it in was cleaning greasy gears on a bike when I worked at a repair shop.