See PHI1406. See T13259 (concurrent discussion with the reporting install, task is unrelated). See private support thread in inbox. See PHI1189. See PHI1133.
We've see increasing interest in Okta, which is a OneLogin-like "Contact Sales" organization which literally has a "Gartner Magic Quadrant" reference in a homepage banner at time of writing.
Despite the similarities to OneLogin, Okta seems to be on much firmer technical footing than OneLogin. It supports a realistic-looking OAuth API and there's a fairly reasonable developer portal. My current model here is that last-generation Enterprise IT services (OneLogin) were just many layers of garbage wrapped around one another, and the new generation is many layers of garbage wrapped around a reasonable technical core (Duo, Okta). This is a step forward, at least.
This still runs into T13229, where I'd prefer to stop upstreaming enterprise sales glue and start licensing it, but we can cross that bridge when we come to it.
The current open questions are roughly:
- Does Okta OAuth basically work like every other OAuth?
- Does whatever API we get access to through Okta OAuth provide access to LDAP groups (relevant to PHI1406)?
- If no, can we treat Okta as an LDAP server instead?
- Then, if there's a path forward here, what's the licensing model?