Identity as a Service: Auth0 vs Okta vs Azure AD B2C – First Look

Note: this blog post is a first look!  I haven’t had enough time to compare all of the features and capabilities so go easy on me!

This isn’t the first time I’ve blogged about SSO, but this is the first time that I’m taking a look a deeper look at the Identity-as-a-Service space (IdaaS as it’s known).

For the typical enterprise use cases I’ve encountered previously, I’ve been totally satisfied with AD FS and Microsoft’s now retired Windows Azure Access Control Service product, which was retired this April.  I find that to be a shame because it really was “AD FS in the cloud”. It was extremely easy to use, easy to setup, and easy to manage — even in the old, gen 1 Silverlight based console that never got updated.  Of course it lacked a lot of features compared to Auth0, Okta, and even Azure AD that define this emerging space.  Tools like Auth0, Okta, and Azure AD add many integrated capabilities that enterprises expect today in an identity management platform such as multi-factor authentication, activity tracking, anomaly detection, and user management among other things.

There is currently no production ready functionality that matches Azure ACS.  Instead Microsoft somewhat fragmented their offerings with Azure Active Directory, Azure Active Directory B2B (a subset of Azure AD), and Azure Active Directory B2C.  Of these three solutions, only B2C offers true federation capabilities which is still in preview mode using what is known as Custom Policies.  Azure AD and B2B work great — as long as you don’t need/want direct federation.  Microsoft has a handy page with a good comparison of the two (note that direct federation is a future feature of Azure AD B2B so we could see B2C eventually folded into a single offering) and Tomasz Onyszko has a good write up with details that I’ll quote:

  • Azure AD is an identity as a service provider aimed at organization users to provide and control access to cloud resources
  • Azure AD B2B is not a separate service but a feature in Azure AD. It allows cross-organization collaboration in applications from an identity standpoint.
  • Azure AD B2C is an independent service for building consumer application identity repository. If you need a service to handle email or Facebook login it is there for you.

Of course, the question is what if you have a product that bridges external users with cross-organization and enterprise users — a true cloud SaaS?

This is, then, a scenario where federation is required and described in the Azure AD B2C documentation:

Azure AD B2C use cases

In planning for the future of innovoPOINT, my team has started to investigate options for more modern authentication to offer our customers as we move the product forward.  Ideally, we can satisfy the needs of our organizational customers as well as their external collaborators while offering an easy to use, secure, and easy to manage solution.

Let’s take a look at some first impressions.

Azure AD B2C Custom Policies

By far, this is the most immature solution of the three at this time.  Operations that are straightforward in Auth0 are straight up clunky in B2C requiring modifications of multiple XML files with not enough depth in the documentation to really give you a good idea of what’s going on.  From the very moment that you create the B2C tenant, it starts to get confusing because you have to go back to your main directory and link the B2C tenant to it for billing purposes.

Don’t get me wrong, for Microsoft documentation, it’s pretty good.  The code and configuration even works once you get it all wired up correctly.  But it took me the better part of two days and multiple tries before getting things working right due to instructions which were too straight forward and lacked a high level conceptual description.  For example, when setting up B2C custom policies, there are 4 places where it’s possible to set up app registrations.  There’s the top level app registration and you can register an app under your AAD (they’re actually the same).  Then when you create your B2C tenant, it actually exists as an entirely separate container. So there’s an entirely separate set of app registrations.  But you need both for the setup to work.

In an attempt to help clarify how all of the pieces are linked together, I hope someone (perhaps me in a few weeks) finds the following diagram useful:

Critical to understanding how all of the bits and pieces are wired up.  There are two different app registrations required! The one in the main tenant enables the federation and is referenced in TrustFrameworkExtensions.xml.  The one in the B2C tenant allows the MVC web app to access the B2C tenant.

While I give credit to Microsoft’s documentation for being direct and accurate, the problem is that when you’re working in two directories in Azure, you’re working in two directories and you have to switch your workspace back and forth and it’s super easy to do app registration in the wrong browser window.  This alone caused me at least a half days worth of work as I retraced my steps (tends to happen when you’re manually editing XML files) just to find out that I was referencing the app registration in the wrong directory.  In some sense, I feel like if Microsoft wants to separate B2C from Azure AD, they should use different terminology so it’s more clear (for example, Auth0’s usage of “client”).

Here’s what you see when you log into your main Azure portal and try to access B2C:

Why not list my B2C directories here?

To actually switch into your B2C directory, you have to go to your profile and pick one:

Need to make sure you’re in the right directory!

Once you get to the Identity Framework Experience where the custom policies are managed, you’re left with a very sparse interface where you’re going to be editing and uploading a bunch of XML files and follow along with the ASP.NET Core MVC 2.0 guide since a lot of the authentication code has changed between Core 1.x and 2.0.  By the way, there’s no direct link from the Azure AD B2C configuration guide to the code, which would have been helpful!  There’s a very important note in that guide that is buried 2/3’s of the way down the page and that’s that the Authority must have tfp in the path like this:

It’s a small detail that’s very easy to miss.

Auth0

After getting the Azure AD B2C scenario working, the Auth0 experience was a breeze.  Basically, all of the editing and setup in the B2C tenant is nicely configured in two screens.  First, the Enterprise Connections:

Microsoft Azure AD right at the bottom.  One thing to note: Auth0 gives you a longer trial period and gives you all of the features available in the Enterprise version including AD/LDAP connections (not available in the developer preview version of Okta!)

And the documentation and guide for how to set it up is crystal clear.  And there’s a really nice touch in their documentation:

Really like the way the team approached the docs.

The next step is to set up the “client” (the terminology here is simply much, much clearer):

Associate a “connection” with a “client”.

And then follow the easy to access guide for hooking up your application:

Easy access guide to the documentation for your platform of choice.

While I mentioned above that the documentation for B2C was “good”, that’s relative to a lot of the documentation you tend to get from Microsoft.  The Auth0 documentation is next level stuff.

It was a relative cakewalk; I was able to get it up and kinda working within 2 hours of starting.  The problem is that it didn’t work.  When I get to the login screen, nothing happens.  No console errors logged, no observable HTTP requests going out.  It seemed like a script error on their side.

Nothing happens; no console errors, no HTTP requests.

I posted a question and waited several hours with no response until it clicked that I had forgotten to set a domain alias to serve as a home realm.  Once that was set, everything worked as expected.  A helpful console error or other notification would have been great!

Okta

After my successful outing with Auth0, I felt it was a good time to keep chugging and try out Okta, one of the industry leaders in this space according to Gartner:

Okta ranked very highly with Gartner, but Microsoft has been catching up each year (surely on the backs of AD FS, Azure AD and B2B, not B2C!)

As our customers are in life sciences, it was promising to see both Shire and Allergan in their customer list; pharma and cloud have traditionally been like oil and water.  Like Auth0, its clean, modern, and logically oriented UI is refreshing after dealing with Azure blades (can’t believe that that thought it was a superior design).

The only problem is that there’s seemingly no way to add Azure AD as an IdP:

Not even a raw OIDC configuration available.

Is this a result of my “Developer” account?  I’m not sure; the pricing page seems to indicate it should be available.  I posted a question in their developer forums, but as with Auth0, there was no feedback at all!  Thinking that I missed something, I Googled various combinations of Okta Azure AD to no avail; there was no link to any documentation that documented this scenario.  The guide linked from the Okta interface sends me here:

Is this my Azure tenant?

This application registration portal seems tied to my Azure AD tenant, but it doesn’t show up anywhere in my Azure portal once registered and there’s no documentation that walks through if/how this ties back to my Azure AD tenant.

I gave up at this point because I was expecting better documentation and a better overall experience from an industry leader.  I don’t know how many employees Auth0 has, but Okta is a publicly traded company; I’d sure hope they’d be able to put together some better documentation on common scenarios (you know, like connecting to your enterprise Azure AD).  Not only that, it felt a bit stingy to not provision a fully featured developer preview; how can one be expected to evaluate the product with a partial set of features?

First Look Conclusions

They say that first impressions are important and Auth0 definitely impresses with the ease of use, well designed interfaces, and superb investment in documentation.  I will continue to try to figure out Okta, but perhaps I expected more from them given their positioning in the market and premium price; I expected to breeze through it after using Auth0.

Both Auth0 and Okta are more like a hybrid of Azure AD and B2C; it’s not clear to me why Microsoft chose this two pronged approach to what should be a unified identity management platform (seems to be coming in the future).  Both seem to more or less abstract the clumsy XML editing of B2C custom policies with very well designed interfaces with Auth0 being particularly easy and accessible.

Azure Active Directory B2B will eventually support direct federation as well as invite-based mechanism currently supported.

Auth0 also has one particularly interesting feature: the ability to provision their capabilities on premise.  Still getting more info on this so it’s something to keep an eye on.

Look for future posts that focus more on the management features and additional capabilities like MFA and user management (login tracking, anomaly detection, etc).  After all, if not for these additional features, we could just directly add the Azure AD IdP to our application and skip the middle man.

You may also like...

3 Responses

  1. Sandrino says:

    Hi Charlie, for the Auth0 on-premises support you can find the docs here: https://auth0.com/docs/appliance/appliance-overview – this is basically for larger corporations/government institutions/… that want a dedicated deployment of Auth0 either in the Auth0 cloud environment, in their own cloud environment or within their own data center. There are different reasons why companies choose this, one example is the legal aspect (ie: having to store the data within a specific location).

    The Auth0 “public cloud” and the PSaaS are the same products, with some subtle differences that are documented here: https://auth0.com/docs/overview/deployment-models#feature-differences

  2. Mike A says:

    Nice article Charlie, thanks. I also was disappointed/annoyed with the removal of ACS as it was a super simple point-of-trust for our application teams to work with, and our ops teams to configure and control. Now we have to build dashboards and switchboards or custom widgets so that we can utilise multiple IDPs and maintain all the underlying config and plumbing…

    Maybe someone should spin up an ACS replacement. I see a real opportunity at corporate and consumer level for this tech, I don’t want to see “facebook” or “google” or “create account”, I want to see one point of trust and then I can ratify which identity I will use to authenticate, not what the application team thought they had to support.

    • Charles Chen says:

      Mike,

      I am with you 100% on ACS; there is a place in the world for software that is simple, just works, and works well.

      The Azure AD documentation indicates that future releases of Azure AD B2B will offer options for direct federation so it may be that those capabilities will roll into the Azure AD B2B feature set (where it makes the most sense given that federation really falls under the purview of “Business to Business”) in the future.

Leave a Reply

Your email address will not be published. Required fields are marked *

Just a little arithmetic... *