Increase Business Agility by Reducing Your AD Footprint

When NASA re-engineered the space shuttle, they were heavily constrained by the size of the rocket boosters attached to it. These boosters were manufactured by an outside company and shipped by train, and thus limited by the size of American trains. U.S. train tracks were designed based on train tracks in the U.K., which were based on the old Roman roads, which were in turn designed to fit the wheels of Roman chariots. Those chariots were designed to fit exactly behind two horses―so, by proxy, the space shuttle’s new design was constrained by the size of two horses' butts.

This concept is called path constraint, and it comes up a lot with Active Directory (AD), a legacy system designed to address issues that may no longer be relevant. But most established companies are still dealing with an AD footprint that they are looking to eliminate.

How can Okta reduce your AD footprint?

AD was launched in the early 2000s and set out to solve problems of the day that are no longer relevant. Today, the need for an on-prem repository has almost vanished as employees continually engage with cloud-based services.

Implementing Okta as a centralized directory solution allows companies to have one source of truth for employee, partner, and customer data, while minimizing their AD footprint. In this way, users who are cloud-forward can be removed entirely from the AD, while those who remain are still visible on Okta’s platform.

For on-prem applications that still need to authenticate users over LDAP, organizations can now point them at Okta’s LDAP Interface instead of a domain controller, which also allows 2FA to be added on top of the LDAP calls.

Okta’s roadmap

At Okta we envision IT as fast, agile, and modern. That means automation, single sources of truth, best-of-breed solutions, Day One access for employees, user identities, and more SaaS. Okta understands that getting there isn’t easy and can help you manage that complexity by providing solutions for your directory, workflow, and access management processes.

In 2018, Okta focused on flexibility and scalability. We removed email restriction and first and last name requirements for logins, and placed linked objects into Universal Directory (UD). We added Okta Hooks for developers and IT teams to modify flows, the LDAP interface (a hybrid IT game-changer), and improvements to Single Sign-On (SSO) login.

2019 will be focused on customization and flexibility, with further investments in:

  • Group profiles
  • UD object uniqueness
  • User types
  • Credential migration
  • Device platforms
  • Advanced import matching rules for AD
  • Granular import scheduling
  • Import job visibility and speed
  • Incremental import improvements
  • Automated agent management
  • Headless agent installations
  • Improved reporting and troubleshooting
  • App-based LDAP interface
  • Enforced authorization on each group
  • Certificate-based access for Linux servers

Chick-fil-A: A case study

Chick-fil-A started as a single diner and now has 2,200 restaurants around the U.S. They used AD for both users and credentials, to control file permissions, and then extended it to web use, which was expensive. So they wrote their own sync engine to move identities from HR systems to AD, as well as their own web application security (WAS) for authorization, then streamlined this process with Oracle Identity Management (OIM).

When Chick-fil-A saw the need for cloud-based identity, they turned to Okta and its authentication, SSO, and multi-factor authentication (MFA) capabilities. Today, the company uses Okta for authentication with SSO to over 200 integrated apps and for all of their MFA needs. When a new LDAP app is integrated, it is linked to Okta wherever possible. Okta is also helping Chick-fil-A reduce its AD dependencies on systems like Office 365 and its supporting programs, making the organization more agile and secure.

How can you reduce AD dependencies?

Start with an inventory of what’s linked to AD. How many domains are there? How many forced domain controllers? Once you know what’s talking to your AD, you can start to chip away at those dependencies.

You may not be able to get rid of AD entirely, but its primary use should be as a managed data center. Once you get to that point, you’ll find that your AD footprint—and the associated headaches—are greatly reduced.
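The inventory step above is where most organizations stall, because nobody has a current list of domains, domain controllers, and the services that authenticate against them. The script below is an added example, not Okta's code or anything from the original post: it uses the RSAT ActiveDirectory module to enumerate every domain in the forest, count its domain controllers, and list the non-computer objects that hold a servicePrincipalName (each one is a Kerberos-authenticating service that depends on AD). The `svc*` naming filter for service accounts and the CSV output path are assumptions for illustration; adjust them to your own conventions. It requires read access to the forest and PowerShell 3 or later.

```powershell
# Added example (not Okta's code): inventory what depends on AD before trimming the footprint.
# Assumes the RSAT ActiveDirectory module is installed and the caller can read the forest.
Import-Module ActiveDirectory

$forest = Get-ADForest
Write-Host "Forest: $($forest.Name)  Domains: $($forest.Domains.Count)"

$report = foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    $dcs    = Get-ADDomainController -Filter * -Server $domainName

    # Any object with a servicePrincipalName is a service that authenticates with
    # Kerberos against this domain. Computer accounts are excluded so the list shows
    # application and service identities rather than every joined workstation.
    $spnObjects = Get-ADObject -LDAPFilter '(servicePrincipalName=*)' `
        -Server $domainName -Properties servicePrincipalName, objectClass |
        Where-Object { $_.objectClass -ne 'computer' }

    # Accounts that applications bind with over LDAP. The "svc*" prefix is an
    # assumed naming convention, not something the post specifies; change it to match yours.
    $svcAccounts = Get-ADUser -Filter 'Name -like "svc*"' -Server $domainName

    [pscustomobject]@{
        Domain            = $domainName
        DomainMode        = $domain.DomainMode
        DomainControllers = $dcs.Count
        ReadOnlyDCs       = ($dcs | Where-Object IsReadOnly).Count
        DcOperatingSystems = ($dcs.OperatingSystem | Sort-Object -Unique) -join '; '
        NonComputerSPNs   = $spnObjects.Count
        ServiceAccounts   = $svcAccounts.Count
        Users             = (Get-ADUser -Filter * -Server $domainName).Count
        Computers         = (Get-ADComputer -Filter * -Server $domainName).Count
    }
}

$report | Format-Table -AutoSize
# Assumed output path; keep the CSV as the baseline you measure each migration wave against.
$report | Export-Csv -Path .\ad-dependency-inventory.csv -NoTypeInformation

# The SPN holders are the concrete list of "things talking to AD": review each one and decide
# whether it can move to Okta SSO, the Okta LDAP Interface, or must stay on the domain.
$report | ForEach-Object { $_.Domain } | Out-Null
```

Run it once per forest from a management host and keep the CSV as the baseline. The user and computer counts are the long-term footprint you are trying to shrink; the SPN and service-account counts are the dependencies you have to migrate one at a time, so re-running the script after each wave shows how much of AD is actually left.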

To learn more about how to minimize your AD footprint, read Okta's Active Directory Integration datasheet and the Retire Active Directory eBook.