As the former CTO of an Insurtech and Fintech startup I always had the “pleasure” to keep regulators and auditors happy. Think of documenting who has access to what, quarterly access reviews, yearly audits and so on…<p>Like many others we couldn’t justify the Enterprise-plan for every SaaS tool to simply get access to SSO and SCIM/SAML APIs. For Notion alone the cost would have nearly doubled to $14 per user per month. That’s insane! Mostly unknown to people, SSO Tax also limits access to APIs that are used for managing user access (SCIM/SAML).<p>This has proven to be an incredibly annoying roadblock that prevented me from doing anything useful with our user data:
- You want to download the current list of users and their permissions? Forget about it!
- You want to centrally assign user roles and permissions? Good luck with that!
- You want to delete user accounts immediately? Yeah right, like that's ever gonna happen!<p>It literally cost me hours to update our access matrix at the end of every quarter for our access reviews and manually assigning user accounts and permissions.<p>I figured, there must be a better way than praying to the SaaS gods to miraculously make the SSO Tax disappear (and open up SCIM/SAML along the way). That’s why I sat down a few weeks ago and started building OpenOwl (<a href="https://github.com/AccessOwl/open_owl">https://github.com/AccessOwl/open_owl</a>). It allows me to just plug in my user credentials and automatically download user lists, including permissions from SaaS tools.<p>Granted, OpenOwl is still a work in progress, and it's not perfect. At the moment it's limited to non-SSO login flows and covers only 7 SaaS vendors. My favorite part is that you can configure integrations as “recipes”. The goal was for anybody to be able to add new integrations (IT managers and developers alike). Therefore you ideally don’t even have to write any new code, just tell OpenOwl how the new SaaS vendor works.<p>What do you think? Have you dealt with manually maintaining a list of users and their permissions? Could this approach get us closer to overcoming parts of the SSO Tax?
For those wondering what the "SSO Tax" is, it refers to the excessive pricing practiced by SaaS providers to access the SSO feature on their product.<p>A documented rant has made the rounds at <a href="https://sso.tax" rel="nofollow">https://sso.tax</a> , which lists all vendors and their pricing of SSO.
I recommend some editing of the readme to clarify the tool's purpose. Initially I thought it might be an AI-generated spoof project since the description made no sense. I <i>think</i> the tool is for the following scenario: you are a manager in an organization where some set of your employees are using some specific SaaS (see list of currently supported SaaS'es below). You would like to see a list of the user accounts for your employees within your company's "domain" in said SaaS, along with some account metadata. This tool extracts that info using the SaaS domain management API.
Laughs in enterprise pricing... 14 dollars a user a month? Try 250.<p>Last time I talked with dbt on their enterprise plan for the Okta integration level they pitched us 3000 user/year with the clear acknowledgement that they just raised their prices 100% on their other tier and were about to do major price increases to their enterprise tier.
I have to say, I understood what this is really fast when I saw the README. It's really a great idea. I'dve been all over it before I :-) :-) retired.<p>It's going to save growing companies a fortune, by helping cancel promptly unused money-sucking accounts across the SaaS multiverses.<p>I just hope it's easy to use for superbusy founders, tech people now riding a success wave. Because those are often the people who do the account-cleanup job. If this tool is a pain in the *s to use, there's even more time down the hopper.<p>It's almost impossible for people like us to teach ourselves to delegate by inflicting pain on ourselves. And saving big money is worth some pain, amirite? Been there. Done that.<p>But HERE's an incentive to delegate:<p>* grab the most talented devops person you know.
* tell them about this open-source project
* delegate to them this account-cleanup PITA
* invite them to donate time to the open-source project and give them time to do so.
* but they still have to do the actual cleanup regularly.
* stand back and watch the growth of a REALLY USABLE open source money-leak-hunting project.<p>Every single YCombinator portfolio company would benefit from this. You VC guys? Get some really smart interns to work on this too.
I've done similar things in terraform in the past. But you eventually end up spending way too much time on it. If the tool isn't value enough for paying the premium, chances are there are other good alternatives, or we don't really need the tool to begin with. I just look at the individual plans as if they're student tickets for a conference.<p>Now lets talk about SaaS providers that don't offer any other way than paying by credit card. Not even pre-paying with a wire transfer. If you've ever tried to source a company credit card in a huge organization you know how hard that can be. And no way in hell I'm going to put $10k/month for various services on my personal credit card and expense it every month. It sometimes feel like they don't even want to run a business.
The SSO part is a bit confusing since it sounds like the product is letting you download account and permissions data based on your own api key. It might be helpful if you clarify how you can help with the SSO portion of things.
I really want to like this but the limitations described, requiring an admin account with 2FA disabled, makes this more risky than not using it at all.<p>Until those limitations are resolved, if that’s even possible, this feels like an audit hack rather than a security solution.
Shameless self-plug for an alternative tax that affects operational security and reliability teams: <a href="https://audit-logs.tax" rel="nofollow">https://audit-logs.tax</a><p>Understanding how your breach impacts me, or detecting how the abuse of your tools are used to impact our organizations shouldn't cost additional money or be gated to only enterprise contracts.<p>Happy to take PRs for other vendors logs being added: <a href="https://github.com/shellcromancer/audit-log-wall-of-shame">https://github.com/shellcromancer/audit-log-wall-of-shame</a>
As one who self-hosts a number of Open Source applications for a small group of family and friends, I would love to have a simple SSO proxy solution. Many "open core" applications don't include SSO in their Open Source offerings, thus locking small non-commercial users like me out of SSO features for my small non-commercial group.<p>I don't really need all of the auditing and compliance features this solution seems to currently offer- I just need a simple SSO proxy. If some one wants to build that, it could be a huge help for small non-commercial self-hosters like me.
<a href="https://github.com/doncicuto/glim">https://github.com/doncicuto/glim</a> :<p>> <i>Glim is a simple identity access management system that speaks some LDAP and has a REST API to manage users and groups</i><p>"Proxy LDAP to limit scope of access #60"
<a href="https://github.com/doncicuto/glim/issues/60">https://github.com/doncicuto/glim/issues/60</a>
I think your positioning is wrong. The problem this solves is auditing user accounts in SaaS applications. That is a great problem to be solving, and you can position yourself on that! Why talk about 'SSO Tax' when this has nothing to do with SSO?<p>There is at least one other 'open' library for solving this problem (<a href="https://github.com/ConductorOne/baton">https://github.com/ConductorOne/baton</a>).<p>However, I like how you're scraping web data for apps that don't have APIs. I've been waiting for someone to do that. That said, I want it built into other tooling I have purchased, so I don't have to implement myself.
This is cool, in that it might encourage SaaS providers to reduce the SSO tax. Discouraging security affects all of us whose data is held by other companies (ie everybody). I'm sure you'll get comments that you're being penny wise pound foolish and wasting your time with these hacks. That entirely depends on where your company is located.<p>As it supports so few services, putting the list up top in the README would be a good idea, and a quick explanation of what programming languages/methods can be used to add more services. The chances another organisation has picked the same 7 services as you is pretty low.
I think this is an amazing idea! I am struggling with a similar situation now.<p>Anything that will allow to semi-automate this, and get a periodic report that compares this to where the Single Point of Truth for the account list would be amazing.
It'd like some kind of chrome extension that will 'sso-ize' any 3rd party web app.<p>Ie. it will create a temporary deadbeef123@your-domain.com email address, use that to sign up to the 3rd party web app and keep the password secret from the user.<p>Then, when the user returns to the site, your on-site server provides the auth details for each logon (or even better, logs in for the user and just sets the right cookies).<p>For some sites, it will also make sure the user is a member of the right 'team', has access to the right shared documents, has their display name matching their name in the corp database, etc.
A fintech that can't pay $14 per user? How many employees do you have? "hours per quarter" but it's not worth the money? Where's the problem? Either you spend the money on a few hours of work for an intern or you fork over SSO money.<p>SSO isn't a tax. You either need a single method to disable an account across all providers instantly and enforce password policies globally, or you don't. Do the risk vs reward math and then put the line item in your budget. Get a discount or use a reseller to avoid retail.
As someone who has worked with SAML and other authn/authz technologies, I can only say that the reason for the SSO tax is because that stuff is unreasonably complicated and hard to make work. From things like Microsoft's half-baked proprietary version of SAML to the typical company's crappy in-house login system that was thrown together on top of a system built with security as an afterthought, doing SSO is never simple. Security as an afterthought is always way more difficult than if someone had thought about user roles and permission from the beginning. On top of that, even little companies expect to have things like "well, the execs never really log in, so we need to be able to delegate permissions, but only for things the execs want them to do. We can't give them permissions to sign off on bonuses for themselves".<p>Knowing what I know, I don't really begrudge any SSO provider their premium pricing.
I think using the term "Skip the SSO Tax.." has done a little disservice to you, and I understand why you chose that term, but this is more "Skip the SCIM tax" I think?<p>Regardless, I totally understand the use case and I can immediately put this to work for my team - we will likely contribute some recipes too.<p>Thanks for sharing!
That's what we try to simplify at Resmo. We integrate with 80+ most popular tools a company might be using. Of course there are some we don't cover yet. Only 3 tools requires paid-tier for API access. Also, we list access Login with Google data from your workspace. We gave a central place for you to list the users and their permissions.<p><a href="https://resmo.com/saas-discovery" rel="nofollow">https://resmo.com/saas-discovery</a><p>Then you can do `SELECT * FROM users WHERE mail = 'mustafa@resmo.com'`
“The SSO tax” is the unofficial name for the practice of software vendors significantly upcharging their customers for Single Sign-On.<p>(No, it's not Social Security Organization tax...)
As a dev who primarily uses Elixir, I was excited to see that you built OpenOwl with it!<p>Out of curiosity, what made you choose Elixir?<p>I wanted to use Elixir to build my PDF scraper (<a href="https://github.com/Nezteb/scrape-pdf">https://github.com/Nezteb/scrape-pdf</a>) but didn't want to spend too much time figuring out how to use Playwright from Elixir, so I went with Node. I'll have to borrow some of your methods!
the "SSO tax" is literally the entire SSO product, a solution to a legitimate problem that businesses face and gladly shell out $$$ to not deal with. if your suggestion is to not pay said $$$ and instead roll your own solution, more power to you, but you're not "skipping" the SSO tax, you're simply passing it onto a different team to do the work of what SSO would provide you.
Why don't companies instead of doing this simply say "if you have more than X employees you can only pick the enterprise tier"? Is it illegal or something?<p>I mean you could of course lie when signing up but if a company is risk averse enough to use SSO it's probably risk averse enough to not breach contracts.
How does that solve the problem SSO typically solves? It seems you're trying to replace it by syncing users from different tools? That seems worse than SSO and is unlikely to be acceptable, as most security certifications require SSO as a best practice, manually syncing users from different tools won't cut it. Also, implementing SAML-based SSO from scratch isn't that difficult, I did it for our enterprise product and it's barely 500 lines of code. However, we had a nice role-based access management in our tool already, so adding SSO was just a matter of mapping SSO data to our internal role models. That part is usually what causes most effort, i.e. fine-grained access control for different parts of your application, SSO just provides the identity and group management layer that you can use as a basis for that.<p>Apart from that, SSO is just a handy feature that non-Enterprise customers usually don't need while Enterprise customers do, so it's ideal for differentiating customers. That said an Enterprise edition contains much more than SSO in many cases, e.g. audit logging, containerized deployments, extensive support, etc.. That's what you pay for with an Enterprise offering, the SSO feature is just a small part of that.
Hey mathiasn, I totally feel your pain! I work with the same kind of solution and know how everything can get way more complex than people think, I really liked the "recipes" idea for integrations. If you don't mind how about we have a chat?
The SSO tax exists because it's historically been a roundabout way of segmenting the market into businesses vs. individuals and charging businesses more.