The identity and access management (IAM) market for single sign-on (SSO) is increasingly important as security and supporting remote work have moved to the forefront of IT agendas. Small and medium-sized enterprises (SMEs) use an abundance of web applications and need secure, frictionless access to those resources. Therefore, it’s important for IT admins to consider the available options and to seek out the “best-of-breed” solution. This article compares Okta and OneLogin SSO, two popular enterprise-class IAM vendors, with consideration for the needs of SMEs.
Okta and OneLogin are just two of the many players in the SSO market. JumpCloud offers SSO via multiple protocols with integrated unified endpoint management (UEM). Major tech giants including Google and Microsoft also provide solutions. It can be a difficult task to determine which solution is better for your IT environment when there are so many options to consider.
Okta and OneLogin started out as ways to extend Active Directory to web applications, but have evolved into enterprise IAM platforms intended for use cases such as extending on-premises security models to the cloud and Customer Identity and Access Management (CIAM), i.e., external access for customers and partners. They are much less focused on making identity the security perimeter or on endpoint management.
Web App SSO Was Created to Help Active Directory
IT admins traditionally used Microsoft Active Directory on Windows servers to manage users and systems. Then, Software-as-a-Service (SaaS) revolutionized how applications and software were delivered. The ease of use and low costs resulted in the thousands of SaaS products available today. However, the dominant identity provider (IdP) at the time, Active Directory (AD), wasn’t built to connect with these non-Microsoft, web-based applications. Admins needed to manage user access to this new type of resource, and SSO providers emerged in response.
The IAM category has matured significantly over the years, the threat environment has become riskier, and UEM is no longer a separate consideration from access control strategies. In response, Okta and OneLogin have targeted their platforms to primarily serve enterprise requirements. We’ll begin by examining their key features, how they’re different, and offer guidance for SMEs that may be better served by an alternative.
Okta and OneLogin Key Features Comparison
SSO and MFA Capabilities
- Both platforms feature a user portal and comparable baseline SSO for web protocols and multi-factor authentication (MFA) functionality, including:
- Native third-party integrations
- A password manager
- Authenticator apps
- Support for biometrics and FIDO2/WebAuthn factors
- Browser extensions
- Okta adds ThreatInsight, a security intelligence layer that flags or blocks sign-in attempts from IP addresses Okta has observed in credential-based attacks across its customer base, and logs those events for auditing.
- OneLogin calculates per-user risk scores using machine learning. Both are adaptive-authentication features aimed at enterprises; they require dedicated training and configuration to implement well.
User Provisioning and Deprovisioning
Both vendors provide user provisioning capabilities and identity lifecycle management. Okta edges OneLogin out with automation, an application programming interface (API) for access management, and the capacity to perform LDAP authentications via agent-based directory integration.
Integration With Third-Party Applications
Okta and OneLogin both leverage integrations for third-party SaaS apps, external directories, and HR systems. Okta places heavier emphasis on on-premises enterprise apps, with additional access management and data loss prevention integrations. Okta's enterprise-oriented integration categories include:
- Application programming interface (API) management
- Cloud access security broker (CASB)
- Customer data integrators
- Virtual private network (VPN)
Okta also provides a customer identity service to manage customers and partner access to enterprise applications. For instance, a worldwide lab diagnostic company uses this service to book appointments and provides secure access to patient information at over 2,000 locations.
Some SMEs may require a few of these capabilities, but granting custom access to on-premises apps won’t be a requirement if an organization is a heavy user of SaaS applications, or lacks a large IT team that can build out and support an enterprise-grade data center infrastructure.
Reporting and Analytics
Okta provides a reporting interface that analyzes user activity, security events, and system logs. OneLogin offers reports on apps, events, logins, and users; it analyzes suspicious user behaviors and flags any weak passwords. The available reports may differ among subscription tiers.
Mobile Device Management (MDM)
Okta and OneLogin don’t provide UEM; rather, they integrate with those services and, in Okta’s case, Endpoint Detection and Response (EDR) systems. Okta uses device telemetry via integrations with security services for its authentication decisions. Neither vendor can establish a security posture for endpoints without another subscription from a different software maker.
Pricing Comparison
Okta Pricing Plans
- At the time of publication, Okta’s SSO plans range from $2/month per user for its standard offering for cloud and on-premises apps to $6/month per user for adaptive MFA. The former includes basic MFA and its ThreatInsight security layer; adaptive MFA adds contextual access management that takes risk, device state, location, and other factors into account.
- Fully functional MFA, i.e., push notifications, texts, and support for external hardware keys, is available for $3/month per user. More advanced MFA features are included in a premium subscription tier at $6/month per user.
- There may be additional a la carte costs for advanced server access, directory integration, API access management, lifecycle management, automation workflows, and so on. Costs may total as much as $22/month per user with a minimum contract of $1,500.
- On-prem components such as Okta Access Gateway require dedicated server resources.
- Okta doesn’t provide UEM or MDM, which must be obtained separately for secure device state.
- Support plans range from basic with 24-hour service-level agreements (SLAs) to several premium packages that offer more immediate support and/or dedicated support managers and VIP onboarding. Pricing for these services isn’t transparent, and customers must work with Okta sales representatives.
OneLogin Pricing Plans
- OneLogin’s starter tier begins at $2/month per user with a 25 user minimum. It bundles desktop SSO, SaaS app integrations, and standard reporting.
- MFA isn’t available unless users are assigned an “advanced” license at $4/month per user (minimum 10 users). Enterprise subscribers receive custom app connectors; security policies such as password specifications and session controls; internationalization; and the ability to integrate with VPNs.
- Its “professional” tier adds directory integrations and user provisioning, syncing with HR systems, custom attributes, and lifecycle management utilities. It costs $8/month per user.
- OneLogin doesn’t offer UEM outside of OneLogin Desktop, which has third-party MDM deployment support. This feature costs an additional $4/month per user.
- An assortment of a la carte services, ranging from RADIUS to automation workflows to HR-driven identity provisioning, is priced separately. Its "universal connector" for API, automated data syncing, and directory integrations doesn't have a flat price; customers must call in and negotiate their own pricing.
- All plans include support, but they are quote-based support packages.
Comparison of Costs and Value
Okta may be cost prohibitive for SMEs due to its higher subscription entry point. OneLogin offers a clearer breakdown of its services that may be a better value for SMEs, but has minimum cost thresholds. Neither vendor provides a timely or rapid response with their basic support plans. Reliance on third-party integrations for device management may increase support cases.
Okta or OneLogin SSO
Okta vs. OneLogin: Target Market
Both Okta and OneLogin have centered the creation of their products around mid-market and enterprise-size organizations, though Okta leans more heavily toward enterprises.
Okta vs. OneLogin: Key Features and Cons
Okta offers:
- Primarily SSO and MFA
- User and lifecycle management
- Directory integrations (plus its own user store, Universal Directory)
- API access management
- Server access controls
- ThreatInsight and integration with EDR systems
- Components that extend access control for on-prem enterprise apps
Cons of Okta:
- Cost
- Focused on large-scale enterprises
- Not a directory service — you have to integrate it with an existing directory service
- Setup can be difficult and implementation can be slow; for instance, Okta needs additional components such as on-premises agents to support common network protocols like LDAP and RADIUS
- Lack of UEM
OneLogin offers:
- Primarily SSO and MFA
- User provisioning
- Lifecycle identity management
- Directory integrations
- SmartFactor authentication for AI-based risk determinations
Cons of OneLogin:
- Primarily a web app SSO solution — not a comprehensive IAM solution
- Minimum licensing blocks to purchase
- Lack of customization options outside of premium tiers
- Unreliable features and integrations at times, as well as inconsistent support
- Lack of UEM
- Was acquired by One Identity, highlighting a significant market shift from SSO point solutions to holistic IAM solutions
*Cons are based on user reviews across sites such as TrustRadius, GetApp, and G2.
Alternatives to Okta and OneLogin
Other SSO Solutions on the Market
JumpCloud: an open directory platform that combines IAM with environment-wide MFA, natively supports common network protocols, and has integrated UEM. Google, a JumpCloud partner, recommends JumpCloud as a directory solution for SMEs using Workspace.
Microsoft Azure Active Directory (AAD, now Microsoft Entra ID): an enterprise-grade cloud directory service that cordons off features into Free, Premium 1, and Premium 2 tiers. It offers a wide range of separate add-on services, which may or may not be bundled with it, including Intune for device management. Microsoft positions AAD as a migration path for enterprise AD users or for a hybrid infrastructure where customers pay for cloud services on top of on-premises licensing.
Factors to Consider When Choosing an SSO Solution
- A catalog of pre-made integrations for SAML and OAuth apps
- SCIM provisioning to create, update, and deactivate accounts in downstream apps automatically
- The ability to make your own custom integrations
- Entitlements management that is mature with dynamic groups that account for changes in user attributes from directories and HR systems
- Workflows and automations that reduce administrative burden
- Support for network protocols including LDAP and RADIUS
- Openness and the capacity to federate with IdPs
- A password manager for systems where SSO isn’t available or is too costly
- Environment-wide MFA with flexible and phishing-resistant options
- The capacity to ensure that devices that are accessing resources are compliant
- The capacity for conditional access where policies protect privileged identities
- The total cost of the solution, including support, on-premises resources, and any third-party licensing to ensure that endpoints are managed
- Enough security to meet your organization’s requirements (e.g., some organizations may be highly regulated and must meet those mandates; others must balance the solution’s total cost of ownership (TCO) and management overhead against security)
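Several items in that list (device compliance, phishing-resistant MFA, conditional access for privileged identities, and blocking risky sign-ins) come together in one policy engine. The following is an added example, not code from JumpCloud, Okta, or OneLogin, that evaluates constructed sign-in events against two hypothetical policies: a baseline that requires any MFA and blocks high-risk IPs, and a privileged-app policy that additionally demands a managed, compliant device and a phishing-resistant factor. Policy names, app names, group names, and factor labels are all assumptions for illustration.

```python
"""Conditional-access policy evaluator (added example, not vendor code).

Models the checks a buyer should look for: device compliance, phishing-resistant
MFA for privileged identities, location restrictions, and threat-intel driven
IP blocking. All policies and sign-in events below are constructed samples.
"""
from dataclasses import dataclass, field

# Factor labels are assumptions; WebAuthn and device-bound certificates are
# phishing resistant, TOTP and push are not.
PHISHING_RESISTANT = {"webauthn", "device_bound_cert"}
ANY_MFA = PHISHING_RESISTANT | {"totp", "push"}


@dataclass
class SignIn:
    user: str
    groups: set
    app: str
    factors: set            # factors satisfied in this session
    device_managed: bool
    device_compliant: bool
    country: str
    ip_risk: str            # "low" or "high", e.g. from a threat-intel feed


@dataclass
class Policy:
    name: str
    applies_to_apps: set    # "*" matches every app
    applies_to_groups: set  # empty set = applies to everyone
    require_managed_device: bool = False
    require_compliant_device: bool = False
    require_factor: str = "any"          # "any" or "phishing_resistant"
    allowed_countries: set = field(default_factory=set)  # empty = unrestricted
    block_high_risk_ip: bool = True


def policy_matches(policy: Policy, event: SignIn) -> bool:
    """A policy applies when both its app scope and its group scope match."""
    if event.app not in policy.applies_to_apps and "*" not in policy.applies_to_apps:
        return False
    return not policy.applies_to_groups or bool(policy.applies_to_groups & event.groups)


def evaluate(policies, event: SignIn):
    """Return ("allow", []) or ("deny", [reasons]); any failed check denies."""
    reasons = []
    for p in policies:
        if not policy_matches(p, event):
            continue
        if p.block_high_risk_ip and event.ip_risk == "high":
            reasons.append(f"{p.name}: high-risk IP")
        if p.require_managed_device and not event.device_managed:
            reasons.append(f"{p.name}: unmanaged device")
        if p.require_compliant_device and not event.device_compliant:
            reasons.append(f"{p.name}: non-compliant device")
        if p.require_factor == "phishing_resistant" and not (event.factors & PHISHING_RESISTANT):
            reasons.append(f"{p.name}: phishing-resistant factor required")
        elif p.require_factor == "any" and not (event.factors & ANY_MFA):
            reasons.append(f"{p.name}: MFA required")
        if p.allowed_countries and event.country not in p.allowed_countries:
            reasons.append(f"{p.name}: sign-in from {event.country} not allowed")
    return ("deny", reasons) if reasons else ("allow", [])


# Hypothetical policies: an everyone-baseline plus a stricter privileged-app policy.
POLICIES = [
    Policy("baseline-mfa", {"*"}, set()),
    Policy("privileged-apps", {"admin-console", "aws-prod"}, {"it-admins"},
           require_managed_device=True, require_compliant_device=True,
           require_factor="phishing_resistant", allowed_countries={"US", "DE"}),
]

# Constructed sign-in events, not real telemetry.
SAMPLE_EVENTS = [
    SignIn("alice", {"staff"}, "wiki", {"totp"}, True, True, "US", "low"),
    SignIn("bob", {"it-admins"}, "admin-console", {"push"}, True, True, "US", "low"),
    SignIn("carol", {"it-admins"}, "aws-prod", {"webauthn"}, True, False, "US", "low"),
    SignIn("dave", {"staff"}, "wiki", {"totp"}, True, True, "BR", "high"),
]


def run_samples():
    """Evaluate every sample event; returns {user: (decision, reasons)}."""
    return {e.user: evaluate(POLICIES, e) for e in SAMPLE_EVENTS}


if __name__ == "__main__":
    for user, (decision, reasons) in run_samples().items():
        print(f"{user}: {decision} {'; '.join(reasons)}")
```

Note that bob is denied even though he completed MFA: push approval is not phishing resistant, so the privileged-app policy rejects it. Carol presents a WebAuthn credential but is denied because her device fails compliance, which is the kind of posture check neither Okta nor OneLogin can perform without a separate UEM subscription.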
A Modern Approach to IAM and SSO
A modern IdP needs to manage the authentication and authorization of far more than web apps: think on-prem applications, cloud infrastructure, devices, physical and virtual file storage, Wi-Fi and VPN access, and much more. The right IAM platform doesn't provide just SSO to web apps, but also to a wide range of IT resources. At JumpCloud, we call this approach True Single Sign-On™, and it transcends web application SSO providers. What makes True SSO different is that it securely manages and connects users to virtually all of their IT resources regardless of platform, protocol, provider, and location. JumpCloud also integrates UEM to make devices a secure gateway, so that identities, rather than on-premises infrastructure, become the new network perimeter.
JumpCloud Features
SSO and MFA Capabilities
- An open directory platform with existing pre-built integrations with Google Workspace, Microsoft 365, and Okta. It gets better: we’ll soon be leveraging tokenized, federated authentication of users. Identity federation will make it possible to manage users, authentication, and access to resources everywhere while avoiding vendor lock-in.
- SSO to virtually all IT resources, not just web applications, including certificate-based authentication for RADIUS without needing on-premises components.
- SCIM provisioning for authorization and rapid user onboarding
- A provisioning API (coming soon)
- A decentralized password manager to support apps that can’t be configured for SSO.
- JumpCloud offers more password management features and better storage security than Okta
- It doesn't rely on master passwords, which can be a security risk
- MFA with an integrated authenticator app that supports biometrics, TOTP, and push notifications.
- JumpCloud is in the process of bringing a device-bound credential that’s hardware protected and phishing resistant to the market. This is an upcoming feature that’s intended to make passwordless modern authentication accessible and easy for SMEs to adopt by eliminating expensive hardware keys.
- Privileged access management through optional conditional access policies that account for device posture, location, and more.
- Cloud LDAP with MFA
- Cloud RADIUS with MFA
User Provisioning and Deprovisioning
- Identity governance and administration with indicators of compliance (coming soon)
- User lifecycle management with HR system integration and automated dynamic groups
Integration With Third-Party Applications
- SSO using custom SAML application connectors and OIDC (no extra charge)
- SCIM provisioning
- Pre-built web application connectors
- A provisioning API (coming soon)
Reporting and Analytics
- Easy SIEM integrations
- Directory and System Insights™ that combine system and directory events without requiring integration with third-party security services
- JumpCloud also provides additional pre-built reports for SSO, OS patch status, and other pertinent information that empowers you to secure users' identities for frictionless access to resources, without breaking your budget
Mobile Device Management
- Device management for Android, Linux, Mac, and Windows endpoints. UEM is configured via native agents, MDM for Apple and Windows, and EMM for Android
- Policy templates and orchestration to improve compliance and security
- Command line access to manage your desktop fleet
- Optional cross-OS patch management for endpoints and web browsers
- Chrome may also be fully managed for additional security
- Free unlimited remote assistance across every supported desktop OS
- A multi-tenant portal (MTP) for MSPs and partners that makes it possible to extend your business and take actions on users and devices across different organizations
JumpCloud — SSO to Any Resource From Trusted Endpoints
True SSO provides IT admins with one platform where they can manage user access to virtually all of their IT resources from managed devices. IT admins can abandon a costly, cumbersome, multi-solution approach in favor of a single, cloud-based, comprehensive core identity provider. In addition to increasing productivity for end users, IT admins also benefit by gaining a secure, well-controlled environment. With just one solution, IT organizations can automate onboarding/offboarding and enforce secure authentication across all IT resources.
Unifying cross-domain identity and device management with JumpCloud will enable you to reduce costs, improve operational efficiencies, strengthen cybersecurity, support workplace and identity transformation, and reduce the pressure on your IT admins and security teams.
Ultimately, there are many SSO options to consider, but by asking the right questions (such as, “what’s the TCO?”) you’ll be able to determine which solutions will provide you with the level of identity management you’re looking for. Our pricing is workflow-based and transparent.
Consider the JumpCloud Directory Platform to serve as your comprehensive, cloud-based directory and an alternative to Okta or OneLogin. If you would like to learn more about using JumpCloud please drop us a note or sign up for a free trial. We offer complimentary chat support to get you started.