We use OKTA and seriously considered Onelogin. The difference was that OKTA gave us a bigger nonprofit discount.
With OKTA we have AD integration so that AD is the final authority for security/logins.
I know that it works with ADP, and probably 95% of other websites. We have about 20 programs we deal with and most work with OKTA. We have, for example, one app that is dependent upon Silverlight. That thing is just never going to work with OKTA. If you have a site, like many banks, where the username is on one page and the password is on the next, I find those rarely work.
Our biggest issues are:
1. Training users to understand that if it's not a SAML or AD app like Gmail or O365, they need to change the password in OKTA when they change their password in the app. ADP is an example of one app with a rigorous password change schedule that causes lots of helpdesk calls. When I've talked to folks at OKTA, the response has been "Yeah, ADP does not go out of its way to work with us. We use ADP for our payroll so we feel your pain."
2. You're going to be tied to Chrome. We don't mind because I want us to be a Chrome shop, but Chrome is the only browser that easily, invisibly, and reliably updates the OKTA agents. Firefox isn't bad, but hardly invisible. IE and Edge are disasters.
Here was the problem we had with IE/Edge: Whenever there was an update to the OKTA agent (which was frequently) it required the user to run an MSI or EXE.
Chrome updated the agent automagically and Firefox was somewhere in the middle.
You could probably get around this with a good deployment tool like PDQ Deploy.
I also want to be clear that I haven't tried to run OKTA on IE in about 2 years, so they may have a way around this now.