SSO should be table stakes

123 points by charlieirish, almost 3 years ago

25 comments

tptacek, almost 3 years ago
I'm repeating myself here and apologize for it, but I think it's worth keeping this on your mind in these discussions:

https://news.ycombinator.com/item?id=29892664

The SSO tax is obnoxious and it's obvious why everyone hates it, especially security professionals. But it has nothing to do with the cost of providing SSO features, and everything to do with market segmentation: by raising prices for large organizations (who reliably signal themselves by requiring SSO), you can cut or eliminate prices for small organizations. People who demand SSO are, essentially, flying business class, and paying for the back of the plane.
nsxwolf, almost 3 years ago
Man, I hate hate hate seeing the SSO portal 30 times a day, reaching for my phone to answer the popup every time. Which sometimes gets eaten by "Focus Mode" on my iPhone, or randomly goes to my watch and I have to look at both.

Wasn't the dream to log in once in the morning, and have your SSO token be valid for all systems all day? Is anyone out there successfully putting the "Single" in "Single Sign On"?
r00k, almost 3 years ago
Hi folks! Author here. Big fan of this topic, and happy to answer any questions you might have about it.

Also, the shameless self-promoter in me is required to let you know that we're hiring a Lead Web Developer: https://tuple.app/jobs/web-developer.

If our stance on the topic of SSO/security vs. profit appeals to you, please consider checking us out!
sebk, almost 3 years ago
From a security engineering perspective I think strong authentication should be table stakes, and the proliferation of WebAuthn is a good starting point. For most enterprise companies it also likely makes sense from a risk management perspective. Single sign-on, however, is a convenience feature, not necessarily a security feature. And as such, I think it's acceptable for it to be an add-on subscription.

This is especially true when the application in question offers strong authentication with no opt outs, which doesn't seem to be the case with Tuple -- I don't see a way to set a second factor, and the app happily let me register with 'password1234' as my password. Given their lack of strong authentication, I agree with SSO being part of the base subscription, for their own sake more than their customers'. I'd like to see them improve, revamp, or remove their direct login feature altogether.
mkl95, almost 3 years ago
At my previous gig I observed a few worrying things that were not fixed with security training:

- People still stored passwords on Slack channels, emails, Confluence, etc.

- People still used simple passwords such as "password".

- Literally nobody who wasn't already using a password manager started to use one.

In my opinion SSO, 2FA, etc. are absolutely needed at many places where people can't be trusted with following basic advice and training.
utdiscant, almost 3 years ago
I disagree. There are entire companies built around making it simpler to implement and manage SSO (like https://workos.com/ which we use) - it is time consuming to support. Enterprise pricing will always be about finding some way to gate enterprise users into more expensive plans.

Let's take Tuple as an example. You put "Active user pricing" into the Enterprise plan. Why is that not "table stakes"? It does not involve complex tech, and not charging inactive users seems like a fair thing to offer all your customers?

This blog post feels like a "beef marketing" play out of Basecamp's marketing book.
flappyeagle, almost 3 years ago
This is a straw man argument. Blog posts like this leave a bad taste in my mouth because of how transparently misleading they are.

Almost every SaaS business I’ve run into allows you to SSO with providers like Google, Office365, Slack, and other common sources of identity.

If your company is paying for SAML through Okta, you can afford enterprise pricing.

The way I know is Okta’s UX is horrible and only enterprise scale companies would inflict that upon their employees.
n4jm4, almost 3 years ago
Reuse the session across applications. Min 24 hour expiration. The more times the user is forced to reauth, the higher the chances of a keylogger or over the shoulder attack successfully retrieving passwords. Also, more time is spent relogging into apps rather than getting things done.
corrral, almost 3 years ago
Decent place to ask I guess: what's the state-of-the-art for self-hosted SSO providers for a company that does a lot of self-hosting of open-source solutions? Like, if you're *not* relying on 3rd-party support for this, aren't using a cloud provider's proprietary solutions, etc., how do you do it in 2022?
rubixdude, almost 3 years ago
I wonder if the author discussed this with his support team? The reason my company charges for SSO is the increased support cost.

If everyone used Okta, no problem. But then you get an Enterprise customer who’s using their own home grown SSO solution and we get to spend weeks debugging login issues.
throw0101a, almost 3 years ago
As a sysadmin, I simply want on-prem software to be able to take the username entered, create an LDAP DN, and try to do a simple *LDAP BIND* attempt against the server:port of my choice.

And I don't want to have to create a service account for the software to do things like searches: try to do the bind, and let the person in if it works. Anything else must be optional (all the world is not AD).
jacobsenscott, almost 3 years ago
SSO is a disaster and needs a lot of support, no matter how good your SSO implementation is. I think that's why a lot of companies charge for it. We don't charge extra for it, but the reality is it ups our support burden.
dj_mc_merlin, almost 3 years ago
The fact that they use the "SSO Wall of Shame" (https://sso.tax/) as a way to sell you on the idea is funny and counterintuitive.
api, almost 3 years ago
As usually implemented it gives "root on the entire universe" to large tech companies, mainly Google and Microsoft for most sites and apps.
funstuff007, almost 3 years ago
> I recommend you create an enterprise tier, put SSO in it, and charge 2-5x your normal pricing

Good luck with that. We have enterprise clients who want SSO, and if we won't implement it, they will--I guess through some sort of browser automation. In short, your price hike has to be less than their marginal cost of turning on their browser automation switch.
godman_8, almost 3 years ago
I mean at $35/user month it better include SSO. That's insanely expensive for the limited scope of this service. I'd rather buy Jetbrains at $32.45/mo (after annual and 3 years of membership) and get a full suite of IDEs including remote pair programming that's compatible on macOS, Windows, and Linux.
deepakprab, almost 3 years ago
Disclaimer: I am the co-founder of BoxyHQ, an open-source alternative to WorkOS.

Historically SSO (especially SAML), Directory Sync, Audit logs, enhanced roles/permissions, etc. have always been something that only Enterprises needed. We think this is now getting commoditised and should start becoming available to all customers, a big reason why our core products are on an Apache 2.0 license and startups can use it for free.

A lot of these features also tie back to security and compliance (please bear with me, I know compliance is normally just a peacock dance and has nothing to do with true security but it is still necessary to do the dance). They definitely come with a cost to implement (even if the solution is bought from vendors like us), maintain and more importantly customer support costs.

- One way to make these features table stakes would be to include it in all plans but for instance limit SSO to the top 5 Identity Providers (Okta, Azure, OneLogin, PingIdentity and Duo), normally the ones with bespoke SSO implementations are usually enterprises in any case so you can still command a higher price point for them.

- Another effective way is to say that RFPs/Security Questionnaires are only included in the Enterprise tier, the other tiers should be able to make do with a DPA and your InfoSec policy/ISO 27001/SOC2 docs. For enterprises this step is something they cannot skip, it's part of the procurement process for them.

- But the best thing to do if possible would be to add some core features/enhancements to your product that are absolutely essential for enterprises.

This is the point sso.tax is trying to make as well, they want the SSO feature to be available to everyone without having to pay a large premium on the price (which is usually high for startups/SMBs to justify paying for).

Ultimately you have to have the right price segmentation and the reality is even the best companies struggle with being able to serve all segments effectively.

Auth0 and Okta for example, after you hit some magical thresholds force you into talking to sales who then try to upsell enterprise plans and most startups can't afford those price points and anything less than those price points does not move the needle for Auth0/Okta so they end up ignoring the lower segments.
mffap, almost 3 years ago
https://sso.tax/ - a lot of companies put SSO behind a paywall. Not a fan of making users pay for basic security features.
spacemanmatt, almost 3 years ago
I deal with a lot of security domains every day. It would be 10-100x more without SSO.

SSO isn't the problem. Proliferation of apps is the problem. SSO is just the glue that evidences the problem.
softfalcon, almost 3 years ago
Correct me if I’m wrong, but isn’t this why Apple, Microsoft, and Google are all pushing for WebAuthN/FIDO login schemes?

https://fidoalliance.org/fido2-2/fido2-web-authentication-webauthn/

Apple just talked about how they’re supporting FIDO with the new MacOS and iOS.
froggertoaster, almost 3 years ago
I'm seeing some posts reference https://sso.tax/ - as a SaaS product manager, it should be a great reference for you as it's basically a showcasing of successful SaaS products that properly segment markets.
cratermoon, almost 3 years ago
I agree with the premise of the article, but I would not focus solely on SAML. Support OAuth and OIDC, if for no other reason than easier GDPR compliance.
ghoward, almost 3 years ago
tl;dr: SSO seems like a big risk to me, from being a single point of failure, and I think we could use signed certificates instead.

So, I may be completely uninformed here, but I don't see SSO as a good thing. I understand the advantages it has, but it gives an outside party the ability to restrict what your employees can do, should it so decide.

For example, we hear of Google banning people from accounts all of the time. Perhaps your company uses Google's SSO for all of its vendor accounts. If Google decided to ban the admin accounts of your SSO, all of your employees are now unable to work. Perhaps that happens during an outage caused by a DDoS (maybe the DDoS effects were why Google banned you). At that point, your employees can do *nothing* to bring your systems back online. If they can't, chances are you will go out of business if your revenue depends on your systems being online.

This seems like an *enormous* risk.

I'm no cryptographer, but here's my design of something to replace SSO: instead of each vendor supporting SSO, they support "certificate checks." When a user, your employee, logs on, the vendor contacts a pre-determined server, preferably controlled by you directly, for a certificate for the employee. Your server can either return one, cryptographically signed by your master key, of course, or refuse to return one.

If it returns one, and the signature is valid (maybe they expire after a certain amount of time), then the vendor will let your employee on. If not, the vendor refuses access.

I believe that this system has the upside of SSO that access to all vendors for a particular employee can be revoked at any time by simply telling the server that *you* control to not return a certificate, but it also does not have the downside that centralized authentication for your business is controlled by someone else.

Of course, this also means that the employee cannot use one username and password for access to everything (unless they do it manually, of course; are you training your employees to not do that?). However, I think that that is actually an advantage because that single account sign on becomes a single point of failure. If that account is compromised, perhaps by phishing, the attacker now has access to all of the vendor accounts for that employee. Having separate username/password pairs for all of the accounts is much better (you are having your employees use password managers, right?).

Am I right? If not, why? What am I missing?
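The "certificate check" flow sketched in the comment above, written out as an added Go example (not code from the thread or from any project it mentions): the employer-run server signs a short-lived statement for one employee and one vendor with its master key, refuses to issue for revoked employees, and the vendor verifies against the employer's pinned public key. Ed25519 for the master key, the Unix-seconds expiry, and the names EmployeeCert, CertServer and VendorVerify are all assumptions made here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// EmployeeCert is the signed statement the employer's own server returns for one employee and one vendor.
type EmployeeCert struct {
	Employee, Vendor string
	NotAfter         int64 // Unix seconds; certificates expire, as the comment suggests
	Signature        []byte
}

// signedBytes is what the signature covers: every field except the signature itself.
func (c *EmployeeCert) signedBytes() []byte {
	return []byte(fmt.Sprintf("%s\x00%s\x00%d", c.Employee, c.Vendor, c.NotAfter))
}

// CertServer stands in for the employer-controlled server holding the master key (assumed Ed25519).
type CertServer struct {
	priv    ed25519.PrivateKey
	Revoked map[string]bool // revocation is just refusing to issue: add the employee here
}

func NewCertServer() (*CertServer, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // only fails if the OS CSPRNG does
	return &CertServer{priv: priv, Revoked: map[string]bool{}}, pub
}

// Issue signs a certificate bound to one vendor and one expiry, or refuses for a revoked employee.
func (s *CertServer) Issue(employee, vendor string, notAfter int64) (*EmployeeCert, error) {
	if s.Revoked[employee] {
		return nil, fmt.Errorf("refused: %s is revoked", employee)
	}
	c := &EmployeeCert{Employee: employee, Vendor: vendor, NotAfter: notAfter}
	c.Signature = ed25519.Sign(s.priv, c.signedBytes())
	return c, nil
}

// VendorVerify is the vendor-side check against the pinned employer key: signature, audience, expiry.
func VendorVerify(pub ed25519.PublicKey, c *EmployeeCert, vendor string, now int64) error {
	if c == nil || !ed25519.Verify(pub, c.signedBytes(), c.Signature) {
		return fmt.Errorf("missing or forged certificate")
	}
	if c.Vendor != vendor || now > c.NotAfter {
		return fmt.Errorf("certificate not valid for %s at %d", vendor, now)
	}
	return nil
}
```

Binding the certificate to a vendor is what stops a certificate obtained for one vendor from being replayed at another, and the vendor has to obtain the employer's public key out of band. A signed, expiring, audience-bound assertion checked against a pinned key is also how SAML and OIDC already work when the identity provider is run by the employer itself.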
throwaway490583, almost 3 years ago
I used to like watching Tuple, but the founder of Tuple has, in my opinion, become increasingly obsessed with money and what he and Tuple are able to do with it. From how he bragged about and marketed his $200k Stripe Capital loan ("in this economy?!"), to talking about overpaying engineers "because we can", to saying $25/mo is a rounding error for individuals (re: ngrok's pricing change). I'm not a fan of this behavior, and this blog post echoes the same: he has money and wants everybody to know it. It's a bad look, at least to me (fellow founder here using a throwaway). The majority of us are going to stick to using SSO as a way to charge enterprise customers more.
randomuxx, almost 3 years ago
SSO is horrible. AMA