Having implemented both solutions for different clients, here’s my comprehensive comparison for ETQ 2022 CAPA module SSO:
User Provisioning Automation Differences:
Azure AD with SCIM provisioning is tightly integrated if you’re in the Microsoft ecosystem - changes in AD groups automatically sync to ETQ within minutes. The provisioning profile maps AD security groups directly to ETQ roles. Okta’s lifecycle management is more sophisticated with workflow automation - you can set up conditional provisioning rules based on multiple attributes (department, title, location, custom fields). Okta also handles deprovisioning more gracefully with configurable suspension periods before full deletion.
For CAPA specifically, both handle the basic role provisioning well, but Okta’s attribute transformation capabilities are superior for complex role logic. Example: automatically assigning CAPA_Approver role only to users with manager title AND quality department AND specific certification status.
SAML Attribute Mapping for CAPA Roles:
ETQ 2022 expects specific SAML attributes for role mapping: UserRole, Department, Location, and optional custom attributes. Azure AD attribute mapping is straightforward but limited - you map AD attributes to SAML claims through the enterprise application configuration. Works well for simple scenarios.
Okta’s attribute mapping includes expression language for complex transformations. We’ve built conditional mappings like: `user.department == "Quality" && String.stringContains(user.title, "Manager") ? "CAPA_Manager" : "CAPA_User"`. This eliminates manual role assignment in ETQ. Okta also supports dynamic group membership based on expressions, which feeds into role mapping.
Audit Logging and Compliance Reporting:
Both are strong here but with different approaches. Azure AD audit logs integrate natively with Azure Monitor and can feed into Sentinel for SIEM. The logs are ISO 27001 and SOC 2 compliant. For FDA-regulated environments, the sign-in logs provide sufficient detail for Part 11 compliance - user authentication, timestamp, source IP, success/failure.
Okta’s System Log is more granular for identity events - it captures every attribute change, policy evaluation, and provisioning action. The built-in compliance reports are excellent for demonstrating segregation of duties and access reviews. Okta’s reporting UI is more user-friendly for QA managers who need to pull audit reports without IT help. Okta also provides more detailed MFA audit trails, which is valuable for demonstrating strong authentication controls.
Cost Scaling Models and Licensing:
This is where the decision often tips. Azure AD costs depend on your Microsoft licensing:
- Azure AD Free (included with M365): Basic SSO works, but no automated provisioning
- Azure AD P1 (~$6/user/month): Adds SCIM provisioning, group-based role assignment
- Azure AD P2 (~$9/user/month): Adds conditional access policies, privileged identity management
If you already have M365 E3 or E5, you likely have P1 or P2 included, making Azure AD essentially zero incremental cost.
Okta Workforce Identity is $4-8/user/month depending on volume and features. At 500 users with advanced features (lifecycle management, API access, advanced MFA), expect $5-6/user/month. The cost is predictable and includes all features - no tiering.
For your growth from 200 to 500 users: Azure AD wins on cost if you’re already paying for M365 E3/E5. Okta wins if you’re not deeply invested in Microsoft and need multi-app SSO beyond just ETQ.
Multi-Tenant Federation Capabilities:
This is critical for your contractor scenario. Azure AD B2B collaboration is excellent and free for guest users. Contractors authenticate through their home organization’s IdP (any SAML/OIDC provider), and you control their ETQ access through Azure AD groups. The audit trail shows both identities. We’ve had clients with 100+ federated partner organizations working seamlessly.
Okta’s federation is more flexible but requires configuration per partner organization. Okta-to-Okta federation is instant, but federating with other IdPs requires SAML trust setup. The advantage is more granular control over federated user attributes and session policies.
My Recommendation:
Choose Azure AD if: You’re heavily invested in Microsoft 365 (E3/E5), want zero incremental cost, need simple role mapping, and have contractors with diverse IdPs (B2B handles any SAML provider).
Choose Okta if: You have multiple SaaS apps needing SSO, require sophisticated conditional role provisioning, want superior compliance reporting UI, or operate in a heterogeneous environment. The cost premium is justified by reduced manual administration and better user experience.
For a regulated medical device manufacturer with complex CAPA role requirements and contractor access, I’d lean toward Okta despite the cost. The lifecycle management automation and superior audit reporting will save significant QA team time and provide better compliance evidence during audits.
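As an added illustration of the conditional role logic described in the answer (CAPA_Approver only for certified quality managers, CAPA_Manager for quality managers, everyone else CAPA_User) and of the SAML attribute set it says ETQ 2022 expects (UserRole, Department, Location), here is a small rule-table evaluator in Python. It is not code from the original answer, from ETQ, Okta or Microsoft; the `User` fields, the `RULES` table and the `federated_domain` handling for B2B guests are assumptions chosen to mirror the examples in the text, and it generalizes the single Okta expression to an ordered, first-match rule list.

```python
"""Derive an ETQ CAPA role from IdP user attributes and build the SAML
attribute set (UserRole, Department, Location). Added example; the rule
table, attribute names and sample users are constructed, not taken from
any real tenant or vendor documentation."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class User:
    username: str
    department: str = ""
    title: str = ""
    location: str = ""
    certified: bool = False            # assumed custom attribute, e.g. CAPA training status
    federated_domain: Optional[str] = None  # set for B2B / federated guest accounts


@dataclass
class Rule:
    role: str
    condition: Callable[[User], bool]


def norm(value: Optional[str]) -> str:
    """Normalise free-text attributes so casing and padding from the IdP do not matter."""
    return (value or "").strip().lower()


def is_quality_manager(u: User) -> bool:
    return norm(u.department) == "quality" and "manager" in norm(u.title)


# Ordered rule table, first match wins. Most privileged role is listed first so a
# user who satisfies several rules is never downgraded by a later, broader rule.
RULES: List[Rule] = [
    Rule("CAPA_Approver", lambda u: is_quality_manager(u) and u.certified),
    Rule("CAPA_Manager", is_quality_manager),
    Rule("CAPA_User", lambda u: True),  # catch-all: least privilege by default
]


def derive_role(user: User, rules: List[Rule] = RULES) -> str:
    """Return the CAPA role for a user, evaluating rules in order."""
    # Federated guests are capped at CAPA_User regardless of the attributes their
    # home IdP asserts, since those attributes are not under our control.
    if user.federated_domain:
        return "CAPA_User"
    for rule in rules:
        if rule.condition(user):
            return rule.role
    return "CAPA_User"


def saml_attributes(user: User) -> Dict[str, str]:
    """Build the attribute claims that would be placed in the SAML assertion.

    Missing Department/Location are sent as "Unknown" rather than omitted so
    the service provider never sees an absent claim it might treat as a wildcard.
    """
    return {
        "UserRole": derive_role(user),
        "Department": user.department.strip() or "Unknown",
        "Location": user.location.strip() or "Unknown",
    }


if __name__ == "__main__":
    # Constructed sample users
    for sample in [
        User("alice", "Quality", "QA Manager", "Boston", certified=True),
        User("bob", "Quality", "Quality Manager", "Boston"),
        User("carol", "Engineering", "Manager", "Austin", certified=True),
        User("dan", " quality ", "Senior Manager", "Remote", True, "partner.example"),
    ]:
        print(sample.username, saml_attributes(sample))
```

The ordering of `RULES` is the security-relevant detail: the most privileged role is evaluated first and the catch-all last, and a federated guest is capped before any rule runs, so a partner organisation asserting a "Manager" title cannot escalate into CAPA_Approver.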
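The answer lists the sign-in log fields it relies on for audit evidence (user, timestamp, source IP, success/failure) and notes the value of MFA audit trails. The following added Python example, which is not part of the original answer and is not Azure AD's or Okta's real log schema, turns a constructed JSON-lines sign-in log into an evidence table and two review checks a QA or security team would typically run over such logs: bursts of failed sign-ins per user, and successful sign-ins that completed without MFA. The field names (`user`, `time`, `ip`, `app`, `result`, `mfa`) and the sample records are assumptions.

```python
"""Build audit evidence and review findings from a JSON-lines sign-in log.
Added example with a constructed log format; not real IdP output."""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed sample records modelled on the fields the answer names
# (user, timestamp, source IP, result) plus an MFA flag. Not real log data.
SAMPLE_LOG = """
{"user": "alice@example.test", "time": "2024-03-01T09:00:00Z", "ip": "203.0.113.10", "app": "ETQ", "result": "success", "mfa": true}
{"user": "bob@example.test",   "time": "2024-03-01T09:01:00Z", "ip": "203.0.113.11", "app": "ETQ", "result": "failure", "mfa": false}
{"user": "bob@example.test",   "time": "2024-03-01T09:01:30Z", "ip": "203.0.113.11", "app": "ETQ", "result": "failure", "mfa": false}
{"user": "bob@example.test",   "time": "2024-03-01T09:02:00Z", "ip": "203.0.113.11", "app": "ETQ", "result": "failure", "mfa": false}
{"user": "bob@example.test",   "time": "2024-03-01T09:03:00Z", "ip": "203.0.113.11", "app": "ETQ", "result": "success", "mfa": true}
{"user": "carol@partner.test", "time": "2024-03-01T10:00:00Z", "ip": "198.51.100.5", "app": "ETQ", "result": "success", "mfa": false}
this line is deliberately malformed and must be skipped, not crash the report
"""

REQUIRED = ("user", "time", "ip", "result")


def parse_signins(text: str) -> List[Dict]:
    """Parse JSON lines into events with a timezone-aware `ts`; skip malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skipped, a real pipeline would count these
        if not all(k in rec for k in REQUIRED):
            continue
        # fromisoformat only accepts a trailing "Z" from Python 3.11, so normalise it
        rec["ts"] = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def evidence_rows(events: List[Dict]) -> List[Tuple[str, str, str, str]]:
    """The evidence tuple per sign-in: who, when, from where, outcome."""
    return [(e["user"], e["time"], e["ip"], e["result"]) for e in events]


def failed_burst_users(events: List[Dict], threshold: int = 3,
                       window: timedelta = timedelta(minutes=5)) -> Set[str]:
    """Users with at least `threshold` failures inside any `window`-long span."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures[e["user"]].append(e["ts"])
    flagged = set()
    for user, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(user)
                break
    return flagged


def non_mfa_successes(events: List[Dict]) -> List[str]:
    """Users who signed in successfully without MFA (each user listed once)."""
    seen = []
    for e in events:
        if e["result"] == "success" and not e.get("mfa", False) and e["user"] not in seen:
            seen.append(e["user"])
    return seen


if __name__ == "__main__":
    evs = parse_signins(SAMPLE_LOG)
    for row in evidence_rows(evs):
        print(*row)
    print("failed-sign-in bursts:", failed_burst_users(evs))
    print("successes without MFA:", non_mfa_successes(evs))
```

Note that `failed_burst_users` uses a sliding window over each user's sorted failure times rather than a plain count, so three failures spread over a week do not produce the same finding as three within two minutes; the malformed line in the sample is there to show that the evidence report degrades gracefully instead of aborting mid-audit.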