43 comments

[ 3.6 ms ] story [ 88.7 ms ] thread
SSO is such a blessing when used inside companies. Who the hell wants to manage acccounts/passwords in every webapp? Absolutely nobody once they get used to SSO.
it's amazing how many companies do not go in for SSO though, because it is often the "extremely expensive" tier.

I used to work for Ubisoft, a 20,000+ person company, and SSO was used for almost nothing because it was considered far too costly.

conversely: I worked for a Tencent owned studio recently and they used SSO for everything, it was amazing, until the Okta breach (and response, which is worse than the breach itself)

Now I'm at a startup, and the sentiment is the same as Ubisoft; better off buying a lastpass subscription than paying for SSO, even though there's many drawbacks to that approach.

Sadly, I find most products hide SSO functionality behind "Enterprise" plans, as if only large organizations have a need for it. Any organization can benefit from SSO, and I don't think it warrants the huge price increase developers think it does.
I'd love it even at home but there seem to be no good FOSS IDP systems. I wish....

At work we use PingID which is not very expensive compared to industry standard ones like Okta. But it's very poor in my opinion. It seems they're always lagging years behind competitors in terms of features.

I'm pretty close to deploying Keycloak at home
Thanks also. I had a look about 2 years ago during the big Corona lockdown bore and didn't come across it.
I'm thinking about doing the same thing. I just found out about "authenticating proxies", like traefik-forward-auth, and I'm hoping something like that plus keycloak would allow me to easily add 2fa/webauthn support to a couple of applications I host at home.

[0] https://github.com/mesosphere/traefik-forward-auth [1] https://brianturchyn.net/traefik-forwardauth-support-with-ke...

When I looked around, Keycloak stood out for being a credible enterprise OAUTH2 server with a free edition truly aimed at making me like the product as a user rather than aimed at roping me into eventually purchasing a support contract or buying premium extensions.

The most recent version of Keycloak jettisons JBoss in favor of Quarkus and everything about it is roundly better as a result. I'd been running a version from 2018 until this month!

for an iDP there's always Keycloak and Authentik; both incredibly viable.

The problem is not the hosting of it; it's that nothing will integrate with your iDP, so you can't use your personal keycloak/traefik instance with, say, your github or gitlab profile.

Mozilla Persona was a good idea of handling this[0] but sadly was retired.

[0]: https://en.wikipedia.org/wiki/Mozilla_Persona

Thanks, I didn't know that these existed. I will have a look at them.

I don't care about integrating with online services, it's more for my home stuff. I self-host everything of importance anyway. And most external services only integrate with IDPs on their most expensive corporate plans anyway (unless they integrate with Google, Apple or Microsoft consumer accounts which I don't use).

Kinda looking for a personal PKI as well (which can overlap a lot with IDP) but I'll see what these can provide. I looked about 2 years ago and didn't come across either of them.

PS: I did look exclusively for stuff that supported full passwordless Fido2 though, and perhaps this didn't at the time.
Is there an easy way to get started with SSO on a SAAS app? (Without paying per user on Okta/Auth0)

I'm currently using Firebase which supports sign-in with Microsoft, but not sure if that's technically the same as SSO.

Are you looking to offer SSO to users of your SAAS app? Firebase does support SAML: https://medium.com/@tfalvo/single-sign-on-sso-for-your-fireb...

Both Microsoft Azure AD and JumpCloud have free plans you can use for testing.

sign-in with Microsoft is indeed SSO.
"Sign in with..." is almost SSO. Federated authentication employs centralized authentication and can even support third-party identity providers. However, single sign-on is exactly like it sounds: You sign on once and have access to all SSO-enabled applications. This differs from "sign in with..." offerings, because you often have to sign in again. Compare this to, say, the user hub of Google Workspace: You are presented a list of applications, and when you click on one, you are instantly signed into it. This is SSO.
(comment deleted)
You might be a great candidate for Keycloak.
Looks great, thanks for the suggestion
If you are just testing, grab an AzureAD development account.

If you want something more permanant Keycloak is probably your best bet. I'm not aware of any other truly free ones

There are a couple of other free options I'm aware of.

* FusionAuth has a community edition which is free as long as you host it yourself and comply with the license ( https://fusionauth.io/license-faq#3 ). Free as in beer, at least. (Full disclosure, I work for FusionAuth.) Here's our SSO guide: https://fusionauth.io/docs/v1/tech/guides/single-sign-on

* If you want a SaaS solution, Cognito is an option, as is Azure AD B2C. They have good free tiers, as long as you don't want SAML integration (for Cognito, you're charged after 50 users).

* If you want to run your own, you could conceivably cobble something together on whatever tech stack you run. Ruby on rails, java/spring, django/python all have libraries which can be used to build OIDC servers. Then it's a question of setting up the sessions correctly. Here's an example I found via googling: https://tushartuteja.medium.com/a-simple-single-sign-on-sso-...

* As the parent comment mentioned, Keycloak is an option as well.

> The source code for the fusionauth-app bundle and all closed source libraries owned by FusionAuth cannot be decompiled or reverse engineered. This prevents companies from forking FusionAuth and creating their own solution to sell to their customers (i.e. like Amazon has done with ElasticSearch).

Is AGPL or one of those new licenses like the BSL not sufficient to prevent this sort of thing?

I am a big fan of Keycloak as it’s been mentioned a few times in previous comments. Maybe this could help someone interested in implementing SSO, but currently working on a full stack starter kit that has Keycloak support/integration included: https://appcket.org.
I wish there was a hall of fame of vendors who allow SSO for free or a low price. And I don’t mean “Sign-in with Google” - not everyone has company managed Google accounts.

Of the top of my head I can think of Mapbox and AWS where it’s free. Atlassian charges $4/month covering all their products (cheap if you use two or more).

Any more good examples?

We recently got Salesforce SSO at work using Microsoft Azure AD.
Mind you, AWS implementation is a bit broken. Can take non trivial engineering work to fix up proper SSO
Wow, we offer our clients SSO integration completely for free despite it being a bit of a fiddle sometimes, and I don't think it crossed anyone's mind to charge extra for it. Granted it's a breeze now we're using Auth0, but even before when I was wrangling an IdentityServer4 app I bashed together it wasn't that hard.
This page underestimates how much it costs to handle SSO as a service provider. Companies that want it are almost always large enough to demand custom contracts, procurement discounts, custom integration work (SSO beyond the big few providers almost always requires custom work), meetings, and security attestations.
Trying to help customers get SSO setup is definitely one of the most painful & elaborate chores we have to suffer at $CURRENTJOB.

We flat up wont do 2/3rds of the asks you listed, but just getting it wired up & going, providing some basic debugging to make it go... we really are apes with hammers trying to pound these systems into going, have little idea what we're doing, & are way undertooled. It feels like super complex tech that requires very specific expertise to wrangle.

That said, I think this site is a great & wonderful & moral cause & I support this wall of shame fully. It just needs to be there, as annoying as it is.

I see similar sentiments whenever SSOTax is mentioned. If providing it is a support burden, why not provide an unsupported standard self service SAML 2 integration that is validated against the top 2-3 identity providers, and make clear if the customer needs assistance with the integration or something custom it's $X hourly rate?

Why must everyone suffer the outrageous 'tax' if most are just using the same top 2-3 providers anyway.

When I pick SaaS solutions, AzureAD support in regular plans is definitely a big plus.
I thought this comment from Patio11 was topical and interesting:

> The right way to think of the "SSO tax" (where companies charge extra for security features) is "You are being offered a dual use product backed by a strong engineering team for far less than it would otherwise cost, with sophisticated enterprises picking up the slack."

https://twitter.com/patio11/status/1481293027331440640

Further down the thread:

> SSO is a segmentation lever, and a particularly powerful one because (as @tqbf notes), everybody in the sophisticated-and-well-monied segment is increasingly forced to purchase it.

> In this it is like asking a vendor for HIPAA-compliant services. Yes, enjoy 2X on the invoice.

https://twitter.com/patio11/status/1481293496506253321

I quote tweeted it and said:

> An interesting question is if/when will SSO become so prevalent that it won't be a point of pricing leverage any more?

> After all you used to have to pay (a fair bit) for SSL certs, until the industry recognized the benefits of them being widespread.

https://twitter.com/mooreds/status/1481300034448760842

I fully expect at some point in the future SSO will be as prevalent as SSL support is now.

Well browsers essentially started phasing out support for non SSL pages with password fields, which forced sites to get SSL and drive down the cost. Not sure if there is similar united front for SSO.
The amount of rent seeking by SSOaaS providers goes unremarked and unnoticed.

Pardon the annoying analogy but it's like Java programmers clutching at control which is undermined by not only the language but the JVM itself.

"Java is secure by design.": I get the full stop. You don't want me to say this. But it's not secure in practice.

SaaS vendors all have a vetted list of SSO providers (even if there's only one option in the list). Honestly I'd love to know how SSO vendors market themselves to app vendors. I've never worked with this in a corporate environment.

What I do know is that as a SaaS user, I'd like to be able to provide my own authentication or second factor and that's never in the signup.

We were very explicit in our decision for Crunchy Bridge [1] to not require an enterprise account or upcharge to support SSO enforcement [2] for teams. As a database provider you're trusting us with your data. SSO is a good security feature, you shouldn't have to pay extra for good security. In our mind it's likely to save us from you having a bad day which also helps us as the data provider.

1. https://www.crunchydata.com/products/crunchy-bridge/

2. https://docs.crunchybridge.com/concepts/single-sign-on/

(comment deleted)
This is one of our motivations at BoxyHQ, to commoditize enterprise-readiness features. SAML SSO should be available on all plans without crazy markups on the pricing. Vendors should separate their core enterprise features from undifferentiated ones like SSO.
As a normal home user, I avoid SSO like the plague. I don't want to wake up one day to find that Google has decided I'm a spammer or something, and turned off my Google account, thus disabling my login to 30 other sites.
Likewise, for personal stuff I prefer to create an account per site rather than login with a provider that could block me.

However at work it's a pain managing users on paid services, and getting access can sometimes take days. SSO makes a lot more sense for corporate accounts.