Over the weekend we took a look at some of the major players in the authentication market. We have been looking for a replacement for our internal user database that more easily allows us to federate our customers and brings multi-factor authentication out of the box. We considered the following service providers:
- Microsoft Azure Active Directory
Of course, this is by no means an exhaustive list, and as a healthcare SaaS provider we are not interested in connecting social media accounts, so our selections are biased toward enterprise solutions.
Compliance is a primary concern in the healthcare space. Our customers want providers that are at least SOC 2 Type 2 compliant and would prefer those who will sign a business associate agreement (BAA). Of all the providers, only Microsoft and Auth0 offered to sign a BAA. The other providers varied greatly in their SOC 2 reports, and not all of them reported on all five trust services principles.
From a single sign-on perspective, all vendors support SAML 2.0 and JSON Web Tokens (JWT). We did not evaluate OAuth 2.0 support. AD FS integration through SAML is always an option, but OneLogin, Okta, and Auth0 offer on-premises agents to synchronize the directory into their service. Microsoft has its DirSync tool for AD synchronization.
Multi-factor authentication (MFA) support is fairly consistent across the evaluated providers. Everyone except Microsoft supports the usual set of MFA providers, including RSA, Google Authenticator, and Duo. Microsoft's solution is based on its 2012 acquisition of PhoneFactor. Okta and PingIdentity offer a wide range of MFA options, including VeriSign and Symantec.
All providers have API support. Our experience writing test code against these APIs ranged from very developer-friendly (Auth0) to inconsistent, painful, and spotty (Microsoft Graph API).
All providers offer self-service password reset and self-registration.
Branding support was highly variable. Microsoft's branding is minimal and consists of being able to place a logo and add a few text strings. The resulting experience is inconsistent and difficult for an end user to understand, and we do not recommend Microsoft for this reason. Furthermore, users cannot sign in with ordinary email addresses in Azure AD unless those addresses are within the tenant's domain or are federated. This lack of usability is a real pain.
Auth0 offers extensive branding support, including custom CSS/HTML on its pages and customizable email templates. The experience can be seamless and easy to use.
The PingIdentity branding solution was flexible but very complex, even for a seasoned developer.
Okta's branding support was good: logos and themes can be changed and emails can be customized. All in all, it is pretty easy to use.
OneLogin had sophisticated branding, with logos, colors, and emails that can be modified to suit your needs. The administrator experience was excellent.
So, what's the takeaway? We recommend Auth0 on the basis of price, flexibility, and ease of use. Okta and OneLogin provide superb services, but at a higher cost. We do not recommend Microsoft Azure Active Directory.