
Comment Re:Putting all eggs into one basket (Score 1) 44

AD itself isn't, no. But the setup, configuration, patch management, security, etc., etc., all are. And that's usually where things fall apart.

Which is more or less exactly what you're paying these providers for: to manage all that other stuff for you so you don't have to. And with SSO, so your users don't have to manage multiple passwords for various accounts, which we've basically all been forced to accept just /doesn't happen/ and they will immediately reuse, trivialize, or just write down their passwords on a sticky note instead.

For most companies, that's a no-brainer.

Comment Re:Putting all eggs into one basket (Score 1) 44

Okta has been doing their thing for years now without much issue. Even this current bit seems to be overblown (if you trust what Okta is saying, and I will fully agree that they're probably incentivized to downplay the issue, but "whoops Okta got popped and now LAPSUS$ is in all your boxes" also doesn't seem to have happened). So whether that's enough for you, personally, to trust them isn't something I can say, but no one was really discussing Okta in specific--rather the concept of using outsourced IdP/SaaS services for AAA/SSO etc. as a general concept. Given that they've met the bar for inclusion in the Auth path of companies like AWS, though, I'd be comfortable arguing that far more competent people than anyone in this thread have taken a detailed look at their systems and determined they meet the bar.

Security through obscurity only works so long as you have people smart enough to make smart choices and then maintain them. While some amount of it can very reasonably be argued to increase security (e.g., using non-standard ports for SSH in order to dissuade lazy port scan attempts), arguing that utilizing AD built atop a Win2000 box because "no one will expect that!" is obviously idiotic.

I'll agree with you that you can't simply go with the first company you see who is offering a solution for your problem and assume that it's a high-quality solution. It's also an argument against third-party security by obscurity (picking a lesser-used provider on the grounds that they're less likely to get targeted): the smaller providers on shoestring budgets are naturally more likely to be running "homegrown + marketing" setups of questionable reliability.

But really, if you can't afford to take a few days or a week or two to investigate some possible SaaS candidates and evaluate which one will meet your needs while providing the level of reliability you require...how are you going to afford to take the months it usually takes to hire sufficiently competent IT staff to set up an internal solution?

Comment Re:Putting all eggs into one basket (Score 2) 44

I love the implicit statement that you believe most businesses would be better off saddling their two overworked IT employees (who are 60% glorified help desk, 20% sys-admins, 15% scapegoats, and MAYBE 5% security-minded) with developing, implementing, managing, and maintaining a home-grown local AAA system, rather than utilizing a vetted, highly reliable SaaS solution.

I mean, how many companies have got popped because they didn't / wouldn't update an AD server? Let alone all the other issues of poorly thought out and poorly maintained AAA infrastructure.

Sure, technically you're putting your eggs in one basket with SSO like that. But for most companies out there it's like arguing that instead of putting all their eggs in an armored basket protected by a squad of Marines whose only job is to protect that basket, they're better off giving a few eggs to random employees because at least "then you control the eggs!" Great way to end up with omelets.

By the same token, you could argue that any company who sells physical products should absolutely own and manage their own trucks and delivery fleet, since getting the product to the end customer is fundamental to everything the company does, and it makes no sense to throw that over the wall. Of course, you'd be laughed out of the room at most SMBs, given that USPS/UPS/FedEx/etc. all exist to solve exactly that problem in a far more reliable and efficient way than hiring some kid with a pickup truck and hoping for the best.
