Okta and VMware are integrating their respective identity-management and managed digital-workspace technologies to enable context-aware authentication from desktop and mobile devices.

The partnership, one of several revealed at Okta’s annual Oktane conference last week in Las Vegas, is a joint-engineering effort that will give VMware’s Workspace ONE clients single sign-on (SSO), multifactor authentication (MFA) and ultimately conditional access to the 5,500 applications and SaaS solutions integrated with the Okta Identity Cloud portfolio.

The partnership is a boon to VMware partners proposing or supporting Workspace ONE to customers seeking stronger identity management and MFA capabilities with connectivity to Okta’s extensive ecosystem. It’s a veiled strike against Microsoft, which has made Azure Active Directory the cornerstone of bringing SSO to enterprises and commercial organizations. Azure AD is the identity-management service for Microsoft 365 and its piece parts, which includes various SKUs of Enterprise Management + Security (EMS), Intune, Office 365 and Dynamics 365. Okta and VMware individually were already among those offering the most formidable alternatives to Microsoft’s widely deployed identity management and unified endpoint management (UEM) solution. By banding together, Okta co-founder and CEO Todd McKinnon believes both companies can offer a more flexible authentication and workspace-management solution.

“Companies like Microsoft want you to use Office 365, Dynamics CRM [and] OneDrive; they don’t want you to use to use Box, Google Apps and Salesforce. It’s not their motivation,” McKinnon said in his keynote address at Oktane. “We don’t have a horse in the race. We want you to use the technology that’s going to make you most successful. This is our most important differentiator. Every product we build leverages these integrations to that effect.”

Okta's Todd McKinnon on stage at Okta Oktane 2018, May 23.

Okta’s Todd McKinnon on stage at Okta Oktane 2018, May 23.

While Okta announced more than 10 partnerships associated with various projects launched last week, McKinnon singled out the pact with VMware as the broadest and most strategic. VMware Workspace ONE customers later this year will be able to tap a wide spectrum of systems, applications and SaaS solutions via the Okta Identity Cloud, the companies said. Okta offers 5,500 native SSO connectors to those services through its Okta Integration Network, and has tools that let developers and partners enable integration into custom applications as well through its API platform.

“Okta and VMware share this common vision to enable any organization to use any technology,” said McKinnon.  

“What we need to figure out is, how do we empower our employees – our most valuable assets – to get the information they need on any device at any time?” said Noah Wasmer, senior VP and general manager of VMware’s end-user computing group, during a brief on-stage appearance during McKinnon’s keynote. “To do this we need to rethink management and security; we need to do this in a unique way, in what we call modern management, and it’s taking the market by storm.”

Both Okta and VMware, to some extent, also compete. For example, the VMware Identity Manager, available with Workspace ONE, also offers single sign-on, but Okta and Microsoft Azure AD are regarded as the leading identity-management providers. Executives at Okta and VMware said they have many shared customers, though they didn’t provide specific figures.

“I spend at least half of my time in large customer engagements and it’s actually kind of rare where it doesn’t come up from them that integration with VMware would be nice,” said Joe Diamond, Okta’s director of security product marketing.

Last week’s announcement was described primarily as a technical integration partnership but officials at both companies indicated there was more to come from a go-to-market perspective later in the year. They declined to elaborate.

The two companies have similar priorities. Both already have signaled that providing conditional access based on policies using AI are also key areas of focus, a capability Microsoft has also emphasized with EMS. VMware last year acquired Apteligent and recently integrated that company’s app performance and real-time analytics software to Workspace ONE. As the two companies work to bring conditional access to their solutions, Okta last week unveiled a new technology called ThreatInsight, which the company believes is a key step toward helping to replace passwords with a higher level of authentication based on the context of the user and the device.

For instance, someone using a corporate-issued PC in their office might not need to use MFA, but someone on their own device connecting from a public hotspot would be prompted to do so. ThreatInsight taps the characteristics of each specific device, location and network context, and gathers telemetry from its 4,350 customers and 5,500 integration partners. The ThreatInsight technology will use that telemetry and associate it with an organization’s policies for specific user types, locations, devices and policies based on risk tolerance of a specific application and data type.

“Inside of Okta, we’ve opened up the password and exposed it to the policy engine,” McKinnon explained. “Inside the policy engine, you can choose based on your scenario whether a password is required or not.”

The ThreatInsight capability will be offered in the second half of this year as an update to Okta’s Adaptive multi-factor authentication offering and to a new service called Adaptive SSO, a tool that will add a trust layer to third-party enterprise mobility management (EMM) solutions including VMWare’s AirWatch and MobileIron.

In another move to simplify authentication, Okta also announced Project Onramp, an initiative to bring one-click secure access to applications and data via the Okta Integration Network. The goal is to make Okta their hub for authentication partners’ respective services. The founding partners include Box, Facebook, OrgWiki, PagerDuty, RingCentral, McAfee, Zscaler and Zylo. Project Onramp partners that embed access to the Okta Integration Network will be able to give users one-click access to all their Okta-linked applications and services from the dashboards of their own platforms. In the case of the Workplace by Facebook service, users logging into the social network’s business collaboration service can automatically authenticate with all their apps and services from the Workplace by Facebook portal.

“That means those applications will show up in the Workplace [by Facebook] interface,” said Lesley Young, vice president of enterprise global sales at Workplace by Facebook. “That is huge, because it lets us be super productive.”

Looking to simplify embedding the SSO interface into third-party apps, the company also announced Sign In with Okta, which provides a secure widget based on the OpenID Connect specification for software developers and application providers. Okta announced support for OpenID Connect two years ago, noting that it gives partners a simpler alternative to the Security Assertion Markup Language (SAML) and Simple Cloud Identity Management (SCIM) specs. Sign In with Okta, set for release later this year, will provide a federated single sign-on experience for a provider’s B2B customers, partners, suppliers and contractors. Fuze, OrgWiki, VMware and Zylo are the initial launch partners.