
Why our customers choose authentik

Fletcher Heisler, CEO at Authentik Security Inc

authentik is an open source Identity Provider that unifies your identity needs into a single platform, replacing Okta, Entra ID, and Keycloak. Authentik Security is a public benefit company building on top of the open source project.


Identity and access management is a complex, sprawling space. Many of our largest customers come to us having implemented or inherited multiple identity providers, governance solutions, device management platforms, and other point solutions. All of these products help provide access to, or integrate with, many hundreds of applications for thousands of users (or more!) across endless groups and sub-organizations.

A few themes have emerged in why our enterprise customers most frequently choose to add yet another product and migrate their IAM needs to authentik. We will highlight some of those common use cases here in case they apply to your organization.

In short, our customers are saving time and money by streamlining their operations with a more flexible, reliable solution and a more responsive, trustworthy vendor. Here is what we most frequently hear from these customers:

1. "We need more flexibility."

When implementing a typical, rigid, out-of-the-box identity provider many of our customers experience a process similar to the following scenario:

  • First few months: great, they already integrate with 18 of our 20 applications!
  • Scaling up in the first year: actually, most of those integrations don't provide all the data we need to make them useful... Maybe we can build, run, and maintain our own side services to integrate some applications. We'll put in a feature request for the others.
  • In subsequent years: we're spending a tremendous amount of internal time patching up our own code to work with the IdP, fewer of these integrations work, and none of the applications we requested coverage for have been implemented!

The flexibility that authentik provides to integrate directly with any other service or API makes our approach a much more reliable long-term solution. While we have many prebuilt integrations, even for a completely new application our authentik APIs, custom property mappings, and expression policies are fully available to speak with a tremendous range of integrations.

With legacy closed-source SaaS vendors, functionality is contained within a black box. It's difficult, if not impossible, to expect custom functionality. Feature requests go into a black hole and customers are entirely at the mercy of the vendor's (often lack of) response. Speaking of...

2. "We're sick of Okta."

I wouldn't have titled it this way, except that's a direct quote from conversations with at least half a dozen different CISOs (sometimes with stronger language). And although Okta is the elephant in the room for current market share, we frequently hear similar feedback from companies who want to migrate away from Ping, Entra, or Keycloak. While these legacy providers have been in the market a long while, the product capabilities have stagnated while pricing continues to rise and poor security practices have not improved.

In 2023, we argued that SaaS identity providers are naturally incentivized to conceal breaches. We led that article by quoting Okta, which didn't warn its customers about a 2022 attack or its potential damage until two months later, when it admitted, "We didn't recognize that there was a risk to Okta and our customers."

We didn't plan on that article being a series, but it became one.

In multiple instances over the past couple years, we have helped migrate thousands of employees for companies looking to replace Okta because of its repeated security issues and lack of customer responsiveness.

Often these teams' complex security and integration needs simply cannot be supported by the legacy IdP. Instead, we are able to help set up many of the advanced flows and integrations required, often while still on an initial discovery call with the customer. This level of flexibility and easy customization means that these companies are able to seamlessly move thousands of employees off of Okta in a matter of a few weeks, not months or years, while avoiding disruption.

3. "We don't want to share our sensitive data."

Companies around the world are increasingly wary of sending their sensitive data to US SaaS providers. For many of our European customers, self-hosting is the default choice for most of their tools and infrastructure.

We also work with US companies in healthcare, fintech, and government who need to comply with HIPAA, FedRAMP, and other regulations. Being able to run a FIPS-compliant authentik instance in their own on-premises or private cloud infrastructure, without sending us all of their user details, makes this a much simpler prospect. We even have some security-critical environments that have deployed enterprise authentik completely airgapped.

As the number of breaches rises and the number of compliance requirements grows, not having to send all your sensitive data away to a black box SaaS provider with questionable security practices is a clear winning strategy for many companies.

4. "We need resiliency and availability."

This is another area where the standard SaaS providers often fall short of requirements. 99.99% uptime is not high availability when "down" means that none of your employees can access any of their business-critical applications.

We work with an emergency communications center that handles inbound calls as well as fire and law dispatch for over half a million citizens. They have half a dozen internet service providers for redundancy, but that wasn't good enough; they need reliable identity access even when everything else around them is out of service and (literally) on fire. Their next best option was to cobble together a complex custom solution out of multiple products. With authentik, we were able to add reliable, flexible biometric and desktop-integrated access for their team members.

5. "We want to replace ClickOps with infrastructure as code (IaC)."

Modern security and IT teams are automating as much as they can, replacing error-prone manual processes with scripts and configurations that allow them to build and scale infrastructure easily, reliably, and repeatedly across environments.

With legacy IAM providers, clicking through inflexible setup screens is often the only option for configuration. This is a world of difference with authentik:

  • Our API is fully available for customers' use, so any action you can take in the UI can also be accomplished via a backend service, script, or agent.
  • Our blueprint system lets users template, automate and distribute authentik configurations. Blueprints can be used to automatically configure instances, manage config as code without any external tools, and to distribute application configs.
  • Configuration can also be managed by Terraform, and instances can be run on Docker or via Helm Chart for a Kubernetes installation.
  • Expression policies can further customize usage with additional code that defines specific implementations of flows and stages to enforce custom checks and validation.

This all leads to more reliable infrastructure, time saved from avoiding repetitive manual processes, and access policies that more closely align to the team's specific security goals.
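As an added example of the kind of custom check an expression policy enforces (not code from authentik or this post), here is a stand-alone Python version of a policy that admits only MFA-enrolled members of a group, and restricts off-network access to business hours. Inside authentik the same logic would read the built-in `request.user` object and helpers such as `ak_is_group_member` and `ak_message`; the group name, networks, hours and `PolicyRequest` model below are constructed stand-ins so it runs offline.

```python
"""Constructed, runnable model of an authentik-style expression policy check."""
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass
class User:
    username: str
    groups: set = field(default_factory=set)  # names of groups the user belongs to
    mfa_devices: int = 0                      # enrolled second factors


@dataclass
class PolicyRequest:
    """Stand-in for the request object authentik hands to a policy."""
    user: User
    client_ip: str
    now: datetime


# Constructed values: a corporate address space and an on-call window.
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
BUSINESS_HOURS = (time(7, 0), time(19, 0))


def evaluate(req: PolicyRequest) -> tuple[bool, str]:
    """Return (passing, reason). An authentik policy body would `return` the bool
    and surface the reason to the user via ak_message()."""
    if "sec-ops" not in req.user.groups:
        return False, "not a member of sec-ops"
    if req.user.mfa_devices == 0:
        return False, "no MFA device enrolled"
    ip = ip_address(req.client_ip)
    on_trusted_net = any(ip in net for net in TRUSTED_NETWORKS)
    start, end = BUSINESS_HOURS
    in_hours = start <= req.now.time() <= end
    # On the corporate network access is allowed at any hour; from anywhere else
    # only during business hours, when a human can review the sign-in.
    if not on_trusted_net and not in_hours:
        return False, "off-network access outside business hours"
    return True, "ok"


def request_at(user: User, client_ip: str, hour: int) -> PolicyRequest:
    """Build a constructed request at the given hour of a fixed date."""
    return PolicyRequest(user, client_ip, datetime(2024, 1, 1, hour, 0))
```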


If any of these concerns sound familiar, reach out! We would be happy to explore how authentik can help you and your team with your identity and access needs.