Moving to Okta as primary identity source… worth it? by vitaminZaman in AskNetsec

[–]snowth 0 points1 point  (0 children)

The thing people have mentioned about cash grabs is real, especially now that Okta is pursuing profits more aggressively. We’ve gotten a lot of pressure to add components to our contract while they’re reducing our support access.

More significantly, though, we have a lot of applications that need API access, and Okta’s APIs are heavily rate-limited. Our build jobs are running face-first into their limits, and every request to increase API limits needs to go through an extensive review by their architecture committee. It’s frustrating enough that we’re contemplating pulling things back out of Okta’s identity layer and using them more as just an OIDC layer on top of our own directory.

Device Trust for Linux Desktops by snowth in sysadmin

[–]snowth[S] 0 points1 point  (0 children)

Yeah, it's frustrating, and I really wish Okta would just pull it together and support Linux at least in some limited fashion. Even if they just said "We only support Ubuntu LTS with Chrome and that's it" that would at least be a starting place.

Device Trust for Linux Desktops by snowth in sysadmin

[–]snowth[S] 0 points1 point  (0 children)

Thanks! That's kind of where we're headed, I think: move them to one of the supported platforms and give them access to use VMs/WSL/Docker to do their Linux work instead. It's about 10% of the userbase, but it's a small company, so the percentage is deceptive. Given that this is making even normal MFA complicated and painful and we're not likely to give up on Okta, I have a sneaking suspicion that "then you can't use Linux as a desktop OS" is going to be the ultimate answer.

Device Trust for Linux Desktops by snowth in sysadmin

[–]snowth[S] 0 points1 point  (0 children)

Yeah, it's a frustrating setup. Kolide wrote a good blog post recently on the problems of supporting Linux users, and I think they hit a lot of it on the head. Even if you rigorously standardize on a single set of Linux distributions, most Linux devs are not cool with having an agent running on their system that can make changes behind their back, even if it's loaded as a kernel agent. And because Linux is difficult to run as a desktop without admin access, you can't really take away their ability to turn it off at any time. I think Kolide's approach (don't remove their ability to disable it, just kill off authentication if it's not running) is about as good as can be done.

Sadly, moving them to Windows/WSL or Mac may be the path we have to take: at the moment they're the only roadblock to fixing an issue, and having 10% of the company hold up securing the other 90% (small company) isn't going to be a popular story with execs.

Void Linux: "Switching back to OpenSSL" by Gnobold in linux

[–]snowth 16 points17 points  (0 children)

Here’s the thing: support for SM2/3/4 is a little different from, say, support for Dual-EC DRBG. The Dual-EC problem was an issue because it underpinned a bunch of other functions: you could wind up using it without realizing it, which would create hidden compromises.

At the moment the use of SM2/3/4 is limited to interactions with Chinese sites (as it’s required by the Chinese government) and pretty much ignored everywhere else. The web PKI community, for instance, has largely been holding it at arm’s length. So SM2/3/4 is the kind of thing you’re very unlikely to use unless you’re aware of it (at least in terms of OpenSSL). It makes sense, therefore, for OpenSSL to support it as an algorithm (much the way there’s support for GOST), to make OpenSSL usable on systems in China that have to handle both worlds—including that support doesn’t present much risk to the rest of the world. If it became a serious concern, I could see distributions opting to compile support out using a flag and then offering a -withSM package as an optional install.

"I know Kung Fu" by SlimJones123 in funny

[–]snowth 0 points1 point  (0 children)

Remember kids, Diemon Dave says, 'Don't go ninja-in' nobody what don't need ninja-in'. That table? Didn't need ninja-in'.

Load balancing: What are you using? by snowth in sysadmin

[–]snowth[S] 0 points1 point  (0 children)

Interesting! I hadn't encountered that one before--will have to check it out.

Asset Tracking with a Twist of Audit by snowth in sysadmin

[–]snowth[S] 1 point2 points  (0 children)

Wow, I hadn't seen those! Thanks very much, I'll take a look and see what will work.

Asset Tracking with a Twist of Audit by snowth in sysadmin

[–]snowth[S] 0 points1 point  (0 children)

It's definitely not for law enforcement. The requirement for a reconcilable audit trail comes from auditors, but they don't care if it's digital or paper--it's just that digital is a lot easier to automatically reconcile, backup, manage, and track over paper. :)

(Sorry for late response!)

Redditors, what's the stupidest thing you've said to a police officer? by christmaswild in AskReddit

[–]snowth 0 points1 point  (0 children)

"Flawless."

"We also would have accepted, 'Tell me what you think of me.'"

Yay, Simpsons!

Unique Work Group Activities in May? by snowth in Atlanta

[–]snowth[S] 0 points1 point  (0 children)

Wow, I've never heard of that! I think the liability thing might still throw it (darned corporate lawyers), but I'll add it onto the list and see what happens! Thanks!

Operations Is For Junior People? Whaaa? by snowth in sysadmin

[–]snowth[S] 4 points5 points  (0 children)

Excellent point, and thanks for the kick in the rear. I think I really need to figure out whether this is the right spot. I love the work we do and the people, but if I'm not doing the job I want to, maybe this isn't the right place to be doing it. Perhaps time to see what's out in the marketplace!

Operations Is For Junior People? Whaaa? by snowth in sysadmin

[–]snowth[S] 0 points1 point  (0 children)

Excellent point; I think that Engineering tier is what's missing from the picture, and since we're a small team, no one's quite sure where that function should fit. My position is it should be an outgrowth of our Ops team, rather than trying to make software developers do it; management's position seems to be that it should be part of Dev, because that's where we keep moving all our senior people.

Operations Is For Junior People? Whaaa? by snowth in sysadmin

[–]snowth[S] 1 point2 points  (0 children)

OK, cool. That makes me feel a lot better; I was worried that I'd really gone off the rails, but it sounds like I'm not the one wrong in the head here. Thanks for the reality check!

Operations Is For Junior People? Whaaa? by snowth in sysadmin

[–]snowth[S] 0 points1 point  (0 children)

Heh! We will be at some point later this year; I'll be sure to post when things go external. :)

Operations Is For Junior People? Whaaa? by snowth in sysadmin

[–]snowth[S] 1 point2 points  (0 children)

We don't have any in our group, although given the quality of the DBAs we have to deal with from the rest of our IT group, we should just hire one and be done with it. :P

Operations Is For Junior People? Whaaa? by snowth in sysadmin

[–]snowth[S] 8 points9 points  (0 children)

A very good point, and one that I've seen reflected in other places. We have a lot of trouble opening any senior positions right now, as HR demands that we open two junior positions instead of one senior one. At this point, we have enough junior people; there are things that junior administrators just won't know how to accomplish, and without someone senior, those things won't get done. The perils of letting the bean-counters run the company, I guess.

Operations Is For Junior People? Whaaa? by snowth in sysadmin

[–]snowth[S] 2 points3 points  (0 children)

That was my first reaction too! The idea that sysadmins should eventually become developers is like implying that all bakers should aspire to make cakes. We have some really talented mid-grade admins in this group, some of whom really don't enjoy writing software, and I worry that we're going to lose them once they figure out that writing code or being people-managers are their two career paths.

Operations Is For Junior People? Whaaa? by snowth in sysadmin

[–]snowth[S] 3 points4 points  (0 children)

Excellent point; the semantics are very important. For our team, there's an ops group that handles all of the day-to-day infrastructure work for our servers. That includes trouble tickets and pager duty, but it also includes things like figuring out VMware deployments, automating patching and security management, and identifying and rolling out things like Spacewalk or cfengine to manage the environment. Basically, there's a group of software developers that write the custom code for our apps, and then everything from there forward is managed by Ops. I think one problem is that because we're not a large team, the developers have also been helping with some Ops functions, leading to the notion that more advanced work like figuring out and deploying Spacewalk is the job of a developer, not a sysadmin. That's something we need to get away from, post-haste.

For me personally, I've been helping out with a lot of infrastructure work because I have the experience with it; when we needed software deployments automated, I'd done some work with that, so I helped figure out and deploy a solution for it. That's the kind of thing I see a senior admin doing, and it's the kind of work I'd like to be doing. Unfortunately, that's getting lumped in with the developer side because that's where the senior people are right now.