By Stephanie DeCamp Posted December 9, 2019
There’s been a lot of talk about retiring Active Directory lately. For an IT admin the idea is worth considering: the platform is 20 years old. So you may be asking whether Okta® can retire AD for you.
That question, like many others, only you can answer definitively. Every IT environment is distinct, and every organization’s goals are no less unique. While only you know the specifics of your environment, this article will establish some larger-scale baselines to help begin your evaluation.
What’s the Difference Between Active Directory and Okta?
Active Directory is the dominant provider when it comes to directory services, and has been since it was first introduced in 1999. But when the directory service first hit shelves, the IT landscape was very different. It was almost entirely Windows®-based and on-prem, with systems not on-prem requiring VPN tunnels to access vital resources. Since then, the industry has seen a world of changes with the advent of the cloud. As IT environments have evolved, AD is no longer the one-size-fits-all solution for Identity and Access Management (IAM).
Over time, IT organizations added third-party solutions to keep AD as their core IdP, and one of their central needs was to extend user identities to web apps. This is where web application single sign-on (SSO) solutions, such as Okta, really made their name.
Okta is one of the leading SSO solutions today, and does a great job of channeling AD identities and federating them to web applications. This creates seamless access for users and grants IT admins more control and security.
But the overlap ends there. AD is built as an organization’s core directory: it authenticates (AuthN) domain users and systems, via Kerberos and NTLM, and authorizes (AuthZ) them, via group membership, to Windows-based IT resources, including applications, networks, file servers and the operating systems themselves. Okta, in contrast, was historically built as a portal for web application SSO that integrates with other cloud-based work solutions.
When the Combination Fails
While integrating the two has been a viable solution for a long time, more and more IT organizations are realizing it’s not a complete solution. Active Directory was virtually a monopoly for decades, and Okta didn’t have much choice but to build on top of it. AD works best managing Windows®-based systems and on-prem applications, and as environments have moved beyond that, more and more add-ons have been needed to fill the gaps.
These add-ons include identity bridges, multi-factor authentication, privileged identity management, governance solutions, and much more. In the evolving IAM landscape this has meant further complexity and higher cost for IT admins. And the more solutions are layered on top of one another, the more work there is to do, whether that is help-desk requests or mitigating genuine security hazards: every integration point is another place where an account, sync job or token can be misconfigured.
What to Consider when Replacing Active Directory
Aside from the layering effect of add-ons, Active Directory, through its domain controllers, plays a critical role in authenticating access to the domain, to Windows systems and applications, and to printers and file servers. Further, a critical capability for IT admins has been AD’s Group Policy Objects (GPOs), which provide fleet-wide Windows system management.
There are many utilities that admins need when it comes to controlling their IT environment. And taking all of this into consideration, it’s important to ask the following questions if you’re thinking about replacing Active Directory with an alternative solution:
- How will you authenticate access to Windows, macOS®, and Linux® systems?
- Do you have the ability to manage Windows, macOS, and Linux systems through GPO-like functions?
- Can you control access to Windows and Linux servers on-prem or in the cloud?
- How will you authenticate access to file servers, printers, WiFi networks, VPNs, etc.?
- Can you integrate add-ons such as MFA, SSO, governance, and more?
- Can you shift your IAM infrastructure to the cloud and integrate disparate solutions?
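Before answering those questions it helps to know concretely what still depends on AD. The following PowerShell inventory is an added example, not part of the original article or any JumpCloud or Okta tooling. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed and that it runs as a domain user with read access; the 90-day activity window and the group cutoff of 25 are arbitrary choices for this illustration.

```powershell
# Added example: inventory what depends on AD before deciding whether it can be retired.
# Assumptions: RSAT ActiveDirectory + GroupPolicy modules present, read access to the domain.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# 1. Domain-joined systems by OS. Each of these authenticates to a DC today, so each
#    needs a new answer for "how will you authenticate access to this system?"
Get-ADComputer -Filter * -Properties OperatingSystem, LastLogonDate |
    Where-Object { $_.LastLogonDate -gt (Get-Date).AddDays(-90) } |   # active in last 90 days (assumed window)
    Group-Object OperatingSystem |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# 2. GPOs that are actually linked to a site, domain or OU. Unlinked GPOs can be ignored;
#    linked ones are settings you would have to re-create with whatever replaces Group Policy.
Get-GPO -All | ForEach-Object {
    [xml]$report = Get-GPOReport -Guid $_.Id -ReportType Xml
    [pscustomobject]@{
        Name     = $_.DisplayName
        Links    = @($report.GPO.LinksTo).Count
        Modified = $_.ModificationTime
    }
} | Where-Object { $_.Links -gt 0 } | Sort-Object Links -Descending

# 3. Accounts with service principal names: Kerberos service accounts for file servers,
#    SQL, web apps and similar. These are the on-prem applications that authenticate
#    against AD directly and will not simply follow users to a web SSO portal.
Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName |
    Select-Object SamAccountName, @{ n = 'SPNs'; e = { $_.ServicePrincipalName -join '; ' } }

# 4. Security groups with members: this is the authorization model that file shares,
#    printers, VPNs and WiFi (via RADIUS/NPS) typically key off.
Get-ADGroup -Filter 'GroupCategory -eq "Security"' -Properties Members |
    Where-Object { $_.Members.Count -gt 0 } |
    Select-Object Name, @{ n = 'MemberCount'; e = { $_.Members.Count } } |
    Sort-Object MemberCount -Descending |
    Select-Object -First 25   # top 25 is an arbitrary cutoff for readability
```

Run each section on its own and keep the output; a short list under sections 2 and 3 means AD is mostly acting as a user store that a cloud IdP can absorb, while a long list means there is real on-prem authentication and policy to migrate or replace first.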
Okta Over Active Directory: Answers are Individual
When Active Directory is serving as your identity provider and Okta is using those identities to federate to web applications, replacing one with the other means you could be giving up the file servers, on-prem apps, and networks that AD governed, not to mention its system management features. So while you can retire AD in favor of Okta, you’ll need to determine whether these are controls your organization can sensibly forgo, or that something else must cover.
Keep in mind that if you’re considering a transition away from AD and toward the cloud, these questions are just a handful of what may be critical to ask. Every organization will have unique requirements and will likely add to this list.
However, if you’re seeking both a centralized, cloud-based IdP that also offers SSO solutions, you may want to consider JumpCloud® Directory-as-a-Service® as well. The JumpCloud platform provides user authentication and authorization to virtually all of the IT resources they may need, including on-prem and cloud-based applications, network access, and file servers. Furthermore, it does all of this with GPO-like functions for administration, and regardless of the user’s system — be it Windows, Mac, or Linux.