HackerTrans
TopNewTrendsCommentsPastAskShowJobs

deepakprab

no profile record

Submissions

[untitled]

1 points·by deepakprab·4 anni fa·0 comments

Be enterprise-ready: reasons not to build enterprise features

boxyhq.com
43 points·by deepakprab·4 anni fa·37 comments

Show HN: Open-source enterprise SSO – integrate SAML with a few lines of code

github.com
24 points·by deepakprab·4 anni fa·4 comments

Show HN: Open-source testing tool for SAML SSO integrations (mocksaml.com)

4 points·by deepakprab·4 anni fa·0 comments

Show HN: BoxyHQ – open-source alternative to Auth0/WorkOS

boxyhq.com
176 points·by deepakprab·4 anni fa·39 comments

comments

deepakprab
·3 anni fa·discuss
Tracking and mapping where your sensitive data goes is challenging and manual approaches always fall short. This is a very unique unique approach to preventing sensitive data leakage.
deepakprab
·4 anni fa·discuss
We (BoxyHQ) are an SSO and Directory Sync vendor like WorkOS and they are spot on with the details of the SAML vulnerabilities. We have guarded against these attacks so our customers don't have to but plenty of companies still roll out their own implementations, not all of them securely.
deepakprab
·4 anni fa·discuss
It's just riddled with vulnerabilities but most of them are now well known and mitigated.

OpenID was meant to be the successor but popularity wise SAML is still the champion with enterprises.

SCIM doesn't really have a successor afaik. Azure AD I think doesn't do password sync, I am not sure who twisted Okta's hands to get this implemented.
deepakprab
·4 anni fa·discuss
Great suggestion, SAML SSO should really become commodity and made available to all tiers. Enterprise tiers are clearly dictated RFP/Security Questionnaires, there's no bigger admin hassle than that.
deepakprab
·4 anni fa·discuss
You could make SSO setup self-served. Happy to help you simplify your SSO implementation so you can make it available across all tiers, open-source on an Apache 2.0 license - https://github.com/boxyhq/jackson
deepakprab
·4 anni fa·discuss
Indeed, one common interface for the sync that captures all the nuances of multiple identity providers implementing the SCIM protocol. Thanks IvoSolveoYCSS19.
deepakprab
·4 anni fa·discuss
Plugging in my startup BoxyHQ here. This is the reason why we open sourced our SAML integration - https://github.com/boxyhq/jackson, it should be commodity.
deepakprab
·4 anni fa·discuss
Plugging in my startup BoxyHQ here. This is the reason why we open sourced our SAML integration - https://github.com/boxyhq/jackson, it should be commodity.
deepakprab
·4 anni fa·discuss
I'd love to join the conversation. My email is deepak at boxyhq.com
deepakprab
·4 anni fa·discuss
Absolutely, we mention this excellent resource in the blog. Also https://www.enterprisegrade.io/ to take a self-assessment of your enterprise readiness.
deepakprab
·4 anni fa·discuss
I agree, something like 80 SaaS apps on average per enterprise apparently. I like to call it Death by SaaS! ;)
deepakprab
·4 anni fa·discuss
Which bits specifically? :)
deepakprab
·4 anni fa·discuss
You have to look at it from the perspective of the Enterprise and you'll see that everything you list as risks is exactly what helps them mitigate their other critical risks: - Lets them centralise access, provisioning and de-provisioning becomes simpler

- It lets them tick a bunch of compliance related checkboxes

- The stats on average number of SaaS apps used in enterprises is something like 80 apparently, you can imagine the insanity of managing access to all these

- The single point of failure is never usually a big concern compared to the centralised access they get on the back of SSO
deepakprab
·4 anni fa·discuss
Disclaimer: I am the co-founder of BoxyHQ, an open-source alternative to WorkOS.

Historically SSO (especially SAML), Directory Sync, Audit logs, enhanced roles/permissions, etc. have always been something that only Enterprises needed. We think this is now getting commoditised and should start becoming available to all customers, a big reason why our core products are on an Apache 2.0 license and startups can use it for free.

A lot of these features also tie back to security and compliance (please bear with me, I know compliance is normally just a peacock dance and has nothing to do with true security but it is still necessary to do the dance). They definitely come with a cost to implement (even if the solution is bought from vendors like us), maintain and more importantly customer support costs.

- One way to make these features table stakes would be to include it in all plans but for instance limit SSO to the top 5 Identity Providers (Okta, Azure, OneLogin, PingIdentity and Duo), normally the ones with bespoke SSO implementations are usually enterprises in any case so you can still command a higher price point for them. - Another effective way is to say that RFPs/Security Questionnaires are only included in the Enterprise tier, the other tiers should be able to make do with a DPA and your InfoSec policy/ISO 27001/SOC2 docs. For enterprises this step is something they cannot skip, it's part of the procurement process for them. - But the best thing to do if possible would be to add some core features/enhancements to your product that are absolutely essential for enterprises.

This is the point sso.tax is trying to make as well, they want the SSO feature to be available to everyone without having to pay a large premium on the price (which is usually high for startups/SMBs to justify paying for).

Ultimately you have to have the right price segmentation and the reality is even the best companies struggle with being able to serve all segments effectively.

Auth0 and Okta for example, after you hit some magical thresholds force you into talking to sales who then try to upsell enterprise plans and most startups can't afford those price points and anything less than those price points does not move the needle for Auth0/Okta so they end up ignoring the lower segments.
deepakprab
·4 anni fa·discuss
Thanks Eric,

That is a great suggestion. SSO starter content is in the works including product integration guides.

It is a nodejs service (or can be embedded as an npm). We are looking at potentially supporting other languages but for now our customers are happy deploying it as a separate service.

The core version is completely free to use (Apache 2.0), we already have paying self-hosted customers who are paying a monthly subscription fee. We'll be introducing a paid hosted version later and premium features for the self-hosted version.
deepakprab
·4 anni fa·discuss
Hey everyone, we are Deepak and Sama, co-founders of BoxyHQ. We are posting our enterprise SSO project to seek feedback from the Reddit community. Over the past few months, the team has been working really hard on our SAML SSO project, our early customers love us. It would be great if you can share some insights or ideas you’d like to see in the project going forward.

One of the most common requirements enterprises have for their SaaS providers is SSO (Single Sign-On) or SAML as it adds a layer of their internal authentication to your product. This way their users can access your product via one of their secure IdPs (Identity Providers), which manages access and security for the entire organization.

tl;dr → https://github.com/boxyhq/jackson The project is called SAML Jackson. Jackson implements the SAML login flow as an OAuth 2.0 flow, abstracting away all the complexities of the SAML protocol. Our objective is that anyone could Integrate SAML with just a few lines of code. Developers can easily add single sign-on authentication to their products, and it supports most identity providers via SAML 2.0.

More details about SAML Jackson features:

- Jackson acts as a SAML Service Provider (SP) proxy, we do not intend to add functionality to make it an Identity Provider. Keycloak or Ory would be a great choice if you are looking for a SAML IdP

- Integrates seamlessly with all popular OAuth 2.0 libraries out there

- Supports most SAML providers out there - Okta, Azure AD, Auth0, Azure AD, OneLogin, Google SAML, Shibboleth

- Supports PKCE flow, so suitable for SPA applications

- Support SAML login on native mobile apps, a huge advantage since the traditional SAML flow is a little tricky to support on a native mobile app

- Wide range of supported databases - Postgres, MariaDB, MySQL, MongoDB, Redis with an easy-to-extend interface to support other databases
deepakprab
·4 anni fa·discuss
Please do give SAML Jackson a try, we've married SAML with OAuth2.0 - https://github.com/boxyhq/jackson
deepakprab
·4 anni fa·discuss
This is one of our motivations at BoxyHQ, to commoditize enterprise-readiness features. SAML SSO should be available on all plans without crazy markups on the pricing. Vendors should separate their core enterprise features from undifferentiated ones like SSO.
deepakprab
·4 anni fa·discuss
Amazing, thank you. I'll definitely reach out if I have any questions.
deepakprab
·4 anni fa·discuss
Thanks mooreds, we are all working towards a common mission. Looking forward to expanding the market togather.