How Okta and our Partners can Help You Migrate off CA Siteminder for Good

The announcement that Broadcom and CA have entered an agreement for Broadcom to acquire CA, and the subsequent cancellation of CA World, raise questions for many companies with CA Siteminder deployments. While Okta doesn’t claim to be a 1-for-1 replacement for CA Siteminder, many organizations are betting their futures on Okta and bringing their legacy applications along for the ride – and for those of you on Siteminder today evaluating your options, we have a solution for you.

Identity for a Hybrid World

Technology is constantly changing, and many organizations today are employing heterogeneous, hybrid clouds and managing a mix of cloud and on-premises services, leaving IT to manage – and secure – an environment that’s constantly evolving.

Okta is 100% cloud-based, yet it integrates in various ways with legacy infrastructure and applications. We support the RADIUS protocol, a mature method for authenticating to infrastructure, equipment, even servers, as well as OpenID Connect, SAML and WS-Federation, modern authentication standards which are commonly associated with modern web applications, but are equally applicable to third-party and custom applications. Okta can also handle Kerberos-based authentication flows for work laptops with our Agentless Desktop Single Sign-On feature. And with our new LDAP Interface, even LDAP-based authentication flows can be seamlessly migrated, deprecating directory servers in the process. This list will keep growing to meet our customers’ needs.

We’ve committed to offering broad native support for all of these authentication methods and protocols for our customers, and as a result, Okta connects natively to many applications. For those that don’t, with a little bit of work, you can reconfigure or update them to support one of the modern standards above. The payoff for upgrading your applications and adding them to Okta is a seamless admin and end user experience across the board.

Bridge to Modern Standards: Header-Based Authentication

Of course, everyone wants to adopt the most modern of standards, but we’ve heard from our largest customers that this can be hard to achieve for older, larger organizations who must support a myriad of legacy apps and infrastructure. These applications may be third-party applications that don’t include modern support, or custom applications which require code changes to upgrade. Sometimes they are ancient systems that just work and nobody wants to touch them! That’s why there’s a particular type of authentication and authorization that gained wide enterprise adoption over a decade ago: header-based authentication.

Header-based authentication securely provides identity information to a web application by injecting the attribute data into the HTTP headers (thus, the name). Because the application has access to the HTTP headers, and because a trust relationship governs the management of that data, applications can use it to make access decisions. It’s a proprietary paradigm that emerged before modern authentication methods provided enough data, with enough flexibility, for app developers.
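To make the trust relationship concrete, here is an added sketch (not code from Okta or any partner product) of both sides of it: an access proxy that discards any identity headers the client sent before injecting its own, and a legacy app that reads those headers only on requests that came through the proxy. The header names and the shared-secret header are assumptions for illustration; real deployments often enforce the proxy-only path with network restrictions or mutual TLS instead.

```python
import hmac

# Assumed, illustrative names; not taken from any specific product.
IDENTITY_HEADERS = {"x-remote-user", "x-remote-groups"}
PROXY_SECRET_HEADER = "x-proxy-auth"


def _norm(name):
    # Treat "X_Remote_User" and "X-Remote-User" as the same header, since
    # some app servers map both spellings to one variable.
    return name.lower().replace("_", "-")


def proxy_forward(client_headers, session, proxy_secret):
    """Access proxy: drop client-supplied identity headers, then inject its own."""
    reserved = IDENTITY_HEADERS | {PROXY_SECRET_HEADER}
    out = {_norm(k): v for k, v in client_headers.items()
           if _norm(k) not in reserved}
    if session is not None:  # user already authenticated at the identity provider
        out["x-remote-user"] = session["user"]
        out["x-remote-groups"] = ",".join(session["groups"])
    out[PROXY_SECRET_HEADER] = proxy_secret
    return out


def app_identity(headers, expected_secret):
    """Legacy app: use identity headers only if the request came via the proxy."""
    h = {_norm(k): v for k, v in headers.items()}
    presented = h.get(PROXY_SECRET_HEADER, "")
    if not hmac.compare_digest(presented.encode(), expected_secret.encode()):
        return None  # request did not come through the proxy: ignore its headers
    user = h.get("x-remote-user")
    if not user:
        return None  # proxy forwarded the request without an authenticated user
    groups = [g for g in h.get("x-remote-groups", "").split(",") if g]
    return {"user": user, "groups": groups}


if __name__ == "__main__":
    secret = "constructed-secret"  # constructed sample value
    # Constructed request in which the client tries to assert its own identity.
    request = {"X-Remote-User": "admin", "X_Remote_Groups": "admins"}
    alice = {"user": "alice", "groups": ["hr", "staff"]}
    print(app_identity(proxy_forward(request, alice, secret), secret))
    print(app_identity(request, secret))  # sent straight to the app
```

The app's decision is only as strong as the guarantee that every request reaches it through the proxy, which is why the stripping step and the proxy-only check both appear here.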

Connect to Everything

In our effort to provide a future-proof solution, Okta relies on partners to help support more legacy standards, like header-translation. Many of these hybrid access partners in the Okta Integration Network, like F5 Networks, Citrix or Akamai, already serve as a proxy for on-premises applications for an organization. Okta supports native integrations with these partners to deliver unified access across your hybrid environment regardless of the application type, location or the authentication protocol.

A Proven Approach

Our customers are already taking advantage of these partnerships. Pitney Bowes, for one, has reduced their dependency on IBM Tivoli Access Manager, another legacy identity technology, with Okta and F5. Over the course of months, Pitney Bowes migrated over 100 applications onto F5, which delivers them to end users at scale and with consumer-grade performance. By integrating Okta with F5, end users were able to log into the applications with single sign-on (SSO) from anywhere, without a VPN. The end users didn’t know that these were on-premises applications.

If you’re interested in hearing more about Pitney Bowes’ journey, check out this case study.

At the end of the day, know that we’re here to help with all of your identity needs. To help as you evaluate your options, we’ve created a whitepaper that walks through these approaches and considerations in much more detail. And I can’t leave you without saying: if you’re looking to deliver immediate value with a modern identity platform, but need a path forward for legacy applications, please consider Okta and our best-of-breed partners.