
I guess the claim is that, if you want your little team in MegaCorp to use a little SaaS app, you're going to have to either:

- create user accounts at LittleApp, with your personal email, and have to remember a password.

Then, you're potentially giving sensitive corporate info to the SaaS app, with your personal email, and you risk getting fired for that.

Plus, new passwords are annoying!

- so you try integrating with the SSO solution from your MegaCorp, which means you have to talk to IT. Which means:

A/ you're going to have to wait because they're busy telling people to switch it off and on again;

B/ they're now in a position to exert power over a decision you would like to make. Politics will ensue.




Oh, ok, that makes sense. But there are a couple of fixes. You create the account with your corporate email. You just need the password.

And that part: you're potentially giving sensitive corporate info to the SaaS app, with your personal email, and you risk getting fired for that

If that one part is real, then SSO isn't adding any power to you (or to the DSO anyway). If it isn't, then the only thing SSO changes is the password one.


> SSO is just a handy feature that non-Enterprise customers usually don't need while Enterprise customers do

This isn’t true, IMO, most people just don’t realize there’s an alternative to one user account per service. We’ve convinced non-enterprise users to use an objectively bad solution of password managers because every SaaS service hides their SSO option behind enterprise pricing.


It's just a security measure. As a founder of a currently 4-person company, I want SSO everywhere I possibly can. It reduces attack vectors, and makes it so much easier to ensure nobody has access when they leave the company. Every product we use that doesn't offer SSO has to be added to our onboarding/offboarding checklists.

It comes down to this: Don't assume companies are incompetent at proper dealings around employee access to products they use just because they're small. These things tend to be correlated, but it hurts small companies trying to deal with this correctly.

Edit - Let me phrase it like this: By locking away account management and security tools you're implicitly stating only large enterprises should care about security.


> use-case or potential use-cases where you need SSO in an early-stage startup

In general, keeping track of >1 passwords means giving everyone a password manager and also means you can't integrate with the rest of your endpoint security stuff (like if you use Azure AD, it can check if you are coming from a corporate-owned device and give you different privileges or let you bypass 2FA). There are more creative ways to get people to move to a higher tier rather than locking an essential feature up there. As it is, I can pay for your highest plan or just use PowerApps/Google's equivalent.


> a small fish who just needs sso for compliance

Unfortunately, a need for SSO is about the only reliable way to gouge a large corporation. As a small fish you may like SSO, want SSO, you may even think you need SSO, but you really can get by without just fine. You're small - you can get around the requirements, or pivot, or whatever. A corporation is big and slow and can easily get themselves into a situation where not adding SSO will become a blocker for deals denominated in double-triple digit millions, but abandoning your product or the whole business segment will cost a similar amount of money. In that situation, the vendor can have a field day milking the cash cow.


Small companies don't need SSO because when an employee leaves, they just go into all their SaaS and remove the user or change the password. A large company can't work without SSO because in an org with hundreds of users they can't log in to each SaaS and disable and enable everyone coming and going at the company, which is many per month in some cases.

> Why SMBs Don’t Deploy Single Sign On (SSO)

Bullshit article. The reason SMBs don't deploy SSO is because SaaS and other tooling puts SSO integration behind very high tier paywalls.

I'm talking pricing schemes where sure, you can sign up for a 20 person team on a service because that's the only expected user base in house, but the moment you ask for SSO they demand you license your entire employee headcount.

Among many ridiculous schemes I've dealt with.


The author is not complaining on behalf of his own company, my dude. The author is pointing out a problem that affects everybody else who should be using SSO instead of risking their businesses with shared passwords, YOLO provisioning, and manual offboarding. And those people do not have a budget or a security team. But they probably have Google Apps.

SSO is, in 2018, just being decent about security. It is hard enough to operate securely; it is shitty behavior to make it inordinately harder for nontechnical people to do the right thing. (SCIM, however? That's something that directly benefits enterprises who have to operate in bulk.)


Not all SaaS apps support SSO. We use 1password for those that don't.

Wow. Who are these people’s customers? I can’t think of a single enterprise company (or really any company using SSO to manage their applications) that would find this acceptable. It would be instantly dead in the water for my small IT department.

I mean my company, which isn't small, jumped ship from G-suite based SSO for Okta a few years back out of business concern - so while single anecdotes don't make for proofs it's definitely not non-existent.

I'd also suggest just bringing your tone down, this isn't a fight and calling people on the other side of the argument "hyperventilating" doesn't really do anything to promote meaningful discussion.


> Most importantly it gets you SSO on basic plans for any SaaS.

Is that because most SaaS offers "sign in with google"? Or is there something else involved?


Wow. I had never considered that. I always wondered why some companies don't let me SSO into different parts of their apps.

> it’s seen as an enterprise product

Seen? SMBs need to be SOC2 (et al., such as PCI-DSS or HIPAA), and the requirement of controlling all accounts’ permissions at all times is often fulfilled with SSO. How else would you “reset the user’s password after 3 attempts” if the attacker can try the password 3 times on… all of your intranet websites? let alone on Cloud products.

SOC2 is indeed seen as an enterprise feature, but giving access to SMBs strengthens the global security landscape.


> Single sign-on, however, is a convenience feature, not necessarily a security feature.

What about removing access from tens of SaaS after a user left the company? Without SSO / centralized user management this gets skipped all the time.
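The two points above (the offboarding checklist for every non-SSO product, and access that survives a departure when there is no central user management) are the kind of thing a small team can at least detect with a reconciliation script. The following is an added example, not code from any commenter; it assumes the identity provider can export its active employee list and that each non-SSO app's admin console can export its member list, and all of the data in it is constructed for illustration.

```python
"""Offboarding reconciliation: find SaaS accounts that outlived a departure.

Added example (not from the thread). Assumes an export of active employees
from the identity provider (IdP) and a per-app export of members; the names,
addresses and app inventory below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample: employees the IdP currently considers active.
# Anyone not in this set is treated as departed.
IDP_ACTIVE = {"alice@example.com", "bob@example.com", "carol@example.com"}
CORP_DOMAIN = "example.com"


@dataclass
class SaasApp:
    name: str
    sso: bool                                   # True if logins go through the IdP
    members: set[str] = field(default_factory=set)


# Constructed sample inventory. For an SSO app the IdP already refuses the
# login once the user is disabled, so a stale member record is a licensing
# question rather than an access one. For a non-SSO app every member is an
# account someone has to remove by hand.
APPS = [
    SaasApp("crm", sso=True,
            members={"alice@example.com", "dave@example.com"}),
    SaasApp("designtool", sso=False,
            members={"alice@example.com", "dave@example.com", "erin@example.com"}),
    SaasApp("analytics", sso=False,
            members={"bob@example.com", "carol.personal@gmail.com"}),
]


def find_orphans(apps, idp_active, corp_domain):
    """Return (app, address, reason) for accounts the checklist must catch.

    'departed'  - a corporate address no longer active in the IdP that still
                  holds an account in an app the IdP does not control.
    'unmanaged' - an address outside the corporate domain (a personal
                  email), which the IdP cannot govern at all.
    """
    findings = []
    for app in apps:
        for member in sorted(app.members):
            domain = member.rsplit("@", 1)[-1].lower()
            if domain != corp_domain:
                findings.append((app.name, member, "unmanaged"))
            elif member not in idp_active and not app.sso:
                findings.append((app.name, member, "departed"))
    return findings


def offboarding_checklist(apps):
    """Apps whose access has to be revoked manually because they lack SSO."""
    return sorted(app.name for app in apps if not app.sso)


if __name__ == "__main__":
    print("manual offboarding needed for:", offboarding_checklist(APPS))
    for app_name, address, reason in find_orphans(APPS, IDP_ACTIVE, CORP_DOMAIN):
        print(f"{app_name}: {address} ({reason})")
```

Run on the sample data it reports dave and erin still holding design-tool accounts after leaving, and a personal Gmail address in the analytics app that no IdP could have caught. The point of the script is the gap it makes visible: every app in the non-SSO list is a place where revocation depends on someone remembering, which is exactly what SSO removes.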


Thank you for explaining this so succinctly!

People just don't seem to understand that to do SSO properly and securely for your app it costs decent money and support time. Regardless of whether you roll your own or buy 3rd party (recommended). We do include SSO by default but we really only sell to enterprises and the price is baked in. A lot of startups won't have that luxury.


This 100%.

Additionally, they want decentralized logins. People use logins of work and their phone all the time. No work environment is going to give control out to help their employees for example.

No SaaS wants to be unable to help their users.

They mention that DNS isn't meant to be about auth and then they talk about signing your identity with your wallet private keys. I want that to be totally separated!

And blockchain isn't meant for sso either.

So many people just won't understand any of this, this is just a dead born baby from the start. The statement "many people use this" is probably insignificant in relative terms. I'd be surprised if there are 50 in Belgium in a population of 10 million.


Even darker when startups are encouraged by SaaS pricing to avoid SSO like the plague.

Everyone is running around storing databases full of passwords, and for what? So they can put "CALL" on the Enterprise tier.


The problem is that everyone should have SSO, and that includes small orgs.

If you don't want your stuff used by small orgs that can't afford to pay, that's a totally reasonable standpoint. At the same time, though, if it's good they probably will use it despite not having SSO, and so that decision makes security (something that, by and large, benefits everyone) into an opt-in luxury good. Speaking only for me, I'd be uncomfortable espousing that as a philosophy.
