The many problems with implementing Single Sign-On

Most SaaS startups wish to promote to enterprises, however many are unprepared for an enterprise’s most-requested requirement: single sign-on (SSO). SaaS merchandise are sometimes designed for usernames and passwords, not advanced integrations with id suppliers (IdPs) like Okta, Google, or Energetic Listing. 

When confronted with the problem of constructing these integrations, many builders will roll up their sleeves, learn authentication and authorization specs, and get to work. Sadly, there will be a lot room for interpretation in these specs that SSO implementation turns into troublesome, gradual, and dangerous. In case you are a small startup, or perhaps a mid-sized enterprise with a busy engineering group, this work generally is a main drain and decelerate your means to start buying enterprise shoppers.

It will possibly price valuable weeks (or months) to implement SSO for an enterprise deal and, to many builders’ shock, what labored for one enterprise buyer could not work for the following one. SSO is unexpectedly difficult to do accurately and constantly. Let’s break down why, then provide some different approaches.

Let me inform you concerning the first time I attempted to implement SSO. 

I began Nylas Mail in 2013 after writing the preliminary strains of code in my dorm room at MIT. It became a very successful open-source project, and we raised greater than $10M in an try and dethrone Microsoft Outlook. It wasn’t lengthy earlier than we wanted to commercialize, which is after we confronted an entire new viewers of consumers: IT leaders and procurement professionals. We had been excited to be chatting with enterprise shoppers about adoption, however they wanted enterprise options to roll out Nylas at scale. As a small startup, we had designed our app for on a regular basis customers and never for enterprise adoption, so we weren’t ready to combine with an IdP or fulfill different enterprise necessities. The work so as to add these options proved an excessive amount of for us, and saved us from industrial market success. 

The lesson right here is that with out SSO and different enterprise options, a product can solely go to this point.

The important thing factor to know about SSO is that it’s an integration downside. Most builders construct apps through the use of OSS packages, akin to Devise, which handles authentication for Ruby on Rails. This works for patrons with primary necessities, permitting individuals to make use of totally different fashions with excessive modularity. Sooner or later builders find yourself needing to combine their product with an IdP, normally starting with no matter their largest buyer wants. Completely different enterprises use totally different IdP options: some could use off-the-shelf options like Okta or Azure Energetic Listing, whereas others have their very own customized homegrown options.

Any vendor wishing to promote to those corporations should combine with all of those IdPs, which implies managing each IdP authentication and native credential-based customers (that’s, a username and password native to the seller’s platform). Since not one of the IdPs features identically and there are such a lot of SSO suppliers, you’ll want to keep up a number of integrations in parallel. 

If you wish to examine one other journey in including SSO to an enterprise product, here’s how Stack Overflow did it

SSO integration goes past constructing options and functionalities and guaranteeing they carry out. It takes appreciable work to seamlessly adapt an app’s login movement. Orchestration and have enablement are dependent upon IdP performance and require new enterprise logic with implications for cell and two-factor authentication (2FA). SSO normally has 2FA in-built too, creating further complexity that should be thought-about alongside different system-level integrations. 

There are a number of methods to implement SSO. One of the crucial common is thru an XML-based open commonplace referred to as Safety Assertion Markup Language (SAML). The SAML specification is versatile and has quite a lot of choices to cowl a variety of attainable circumstances. No two distributors implement the spec the identical approach. In different phrases, it’s not carried out constantly and there are a number of “flavors” of SAML. Because of this, it’s rife with alternatives for safety points.

To be clear, it’s not that the spec is designed poorly. Fairly, when the protocols had been designed, the designers wished to cowl numerous potentialities. So much will be accomplished with SAML that’s hardly ever carried out. However any SSO integration nonetheless must be able to help sure edge circumstances, which is the place the vulnerabilities floor.

SAML payloads

When making ready for an SSO integration, an enterprise vendor will possible conduct a safety overview of SAML code to search for exploitable code or flows. For instance, SAML makes use of certificates and signatures for payloads, which will be made specifically difficult by nested information buildings. That is helpful for administration of a number of ranges of IdP communication, notably at massive enterprises the place there could also be a number of layers of SAML authentication to go via. Every layer has signatures that want verification, a course of that may be like peeling an onion. A generalized SAML integration will be troublesome to implement and verify as a result of it’s not at all times hierarchical and requests between programs will be non-linear.

If each layer isn’t totally checked, malicious actors can misuse the payload. A typical SAML exploit is to switch legitimate responses and inject a unique invalid signature from an expired session. The explanation this works is straightforward: one of many SAML SSO builders wrote code that checks for legitimate signatures, however not via the whole response. Each layer of the SAML payload must be investigated via and thru. Most organizations don’t have multi-level ID programs, so this isn’t a very frequent exploit, however the protocol helps it as a result of it was designed with this sort of flexibility in thoughts.

Lack of standardization can simply result in failures and vulnerabilities

With regards to SSO, there are literally thousands of issues to get proper and numerous small particulars to account for. You possibly can implement one thing and get it working, however robustness will come from testing it in opposition to implementations. And whereas the specification is standardized, these implementations aren’t.

Contemplate writing a SAML integration for a brand new organizational platform. The platform could use canonical XML, however could not explicitly declare a namespace, which might trigger an authentication failure. Even when each events on both sides of the movement conform to the spec, there’s no assure that it’s going to work out of the field. It’s particularly painful when one get together makes even a small change to their implementation as a result of it may result in login failures which are particularly troublesome to troubleshoot. A person may name the IT division and say, “I can’t log in,” launching a wild goose chase in an effort to troubleshoot a problem with a small XML change on a system they don’t management.

SAML’s XML-based nature comes with XML-related challenges. Object ordering and association of nested entities (that’s, tags) could cause issues. Attribute mapping is non-standard throughout platforms. The identifiers for customers on platforms should not standardized. Generally you get an ID, generally an e-mail. Generally there’s no identifier and it’s one thing opaque like a serialized Energetic Listing string. It may be tempting to make use of an open-source library—nothing beats the low value of free—however not many open-source packages deal with XML nicely. 

App design can affect SAML performance and safety

SSO integration may also differ based mostly on the construction of an utility. For instance, I can log into GitHub with my private Gmail account after which bounce into one among my firm’s inside programs. GitHub is basically performing as a second authentication issue for my inside app, permitting me to skip over the first authentication mechanism for the app. You possibly can have major and secondary methods of authenticating—and totally different flows for e-mail and password authentication–however whether or not these programs work as designed is influenced by the character of the applying itself.

Once you’re constructing an app with SAML SSO, you don’t have to fret about altering usernames or passwords as a result of that may be accomplished outdoors of your utility. Nevertheless, the flows should replicate that actuality. Some IdP programs, akin to Microsoft’s Energetic Listing, which gives an opaque, distinctive string, don’t present an e-mail handle. When you don’t get an e-mail handle, then it’s a must to work out one other approach of figuring out and authenticating a person. That methodology could not work along with your utility’s information construction or general structure.

Many enterprise-ready SaaS apps begin SSO logins by asking for the group’s subdomain. A behind-the-scenes lookup directs you to the login type for that firm’s IdP login on that SaaS utility. The issue is {that a} malicious actor may have the ability to discover an exploit by typing quite a lot of firm subdomains and know who’s utilizing SSO and SAML. If that malicious actor is trying to make use of a newly-discovered safety vulnerability, it’s attainable that exploit will work on no less than one among these IdP login screens.

Constructing SSO-capable person interfaces is troublesome and each firm is doing one thing totally different. The most typical sample is to have username and password fields with some IdP icons beneath and in small textual content, “Register with SAML/SSO.” Apple’s iCloud login doesn’t present a password discipline immediately as a result of they verify whether or not the username’s area is roofed by an SSO movement. Slack makes use of customized CNAMEs of their URLs, like and sends you to the correct login movement. There’s no commonplace approach of doing it, which is why everybody does it otherwise.

One other complication associated to SAML-based SSO is onboarding new clients. Let’s say you’re a SaaS vendor and also you’ve simply signed your first huge contract with a significant enterprise. Now it’s time to get these enterprise customers into your programs. Your integration engineer will get the SAML integration arrange by working with the enterprise’s safety architect.

Establishing a SAML integration includes exchanging a set of information parameters, like redirect URLs, and discipline mapping of SAML attributes. There’s no clear spec for the way names needs to be (akin to case sensitivity), so testing will must be accomplished to make sure either side work. There’s additionally the necessity to add a certificates, which additionally has no clear methodology within the spec.

Testing the SAML integration is a large friction level for corporations and it’s virtually at all times accomplished manually, which implies the instruments for the setup are managed manually as nicely. At its most simple, corporations have used a easy spreadsheet or type for the info parameter change. The method is so vulnerable to breakage, it’s typically dealt with with white-glove personalised service. Constructing a multi-use admin panel for SAML is dear and troublesome, so corporations normally proceed with guide work till the mission turns into cost-prohibitive.

Coordinating, configuring, implementing, and testing SSO can take weeks if not months of back-and-forth communication. It’s an arduous course of, typically involving a lot of dialogue and work round authentication (“right here’s the validated id of a person”) and authorization (“listed here are the providers and options to which the validated person has entry”). Enterprise ID programs like SAML solely do authentication to show somebody is who they are saying they’re, leaving authorization as much as apps and providers. SAML needs to be brokering precise periods like a one-bit authorization, proving an individual is who they are saying they’re, virtually like scanning an RFID badge at a safety door. What occurs after they go via the door is one other factor altogether. 

Session administration challenges

Once you authenticate with SAML, you’re authenticating a person, however after that validation, you may’t verify that it’s nonetheless a present lively session. you had a present session at a cut-off date whenever you authenticated, however how lengthy does your session final? If it’s too quick—say, 24 hours—it may be a ache, requiring a login day-after-day for each person. There are methods to get round this in case you have entry to different id programs, however the level is: session administration is difficult.

For B2C SaaS merchandise, logging out customers has a damaging impact on retention and engagement. Most merchandise have a two-week cookie to maintain the session recent, however enterprise IT admins don’t at all times need that. SaaS distributors, particularly these simply promoting to their first enterprise buyer, could should rethink session administration for his or her apps. Then there are concerns for the way periods are managed on cell units. 

Offboarding customers

When an enterprise indicators a contract along with your product, they carry an entire slew of recent customers. However not all of these customers will keep for the lifetime of the contract. Quite a lot of processes must be designed for enterprise worker departures. For instance:

  • What occurs to a person’s information when an worker leaves?
  • Does the person’s information or account get transitioned to an administrative account?
  • Ought to all periods be revoked? In that case, how quickly and the way will you discover out they left?
  • How will shared gadgets be dealt with?
  • What must be deactivated and what must be preserved?

These are a number of vital questions to think about when promoting to enterprise clients. They’re not straightforward inquiries to reply, particularly if person deactivation is already carried out in an rigid approach.

When an worker departs a consumer group, maybe on unhealthy phrases, there’s an opportunity they’ve entry to delicate info, vital deliverables in progress, or shared paperwork with impactful monetary implications. And not using a strong plan for offboarding these customers, SaaS distributors can discover themselves on the important path for his or her enterprise shoppers’ HR, IT, and knowledge safety offboarding processes. If the worker chooses to sabotage or tamper with information to which they need to not have entry, that’s unhealthy information for the seller.

When promoting to an enterprise, your product wants to supply enterprise options. Implementing SSO—probably the most requested enterprise function—could require adjustments from utility and information structure to how a dev group operates and interacts with massive shoppers. There’s virtually nothing inside a SaaS app that doesn’t require reconsideration (or no less than a double verify) for supporting that first enterprise consumer.

SSO isn’t nearly constructing an enterprise-level function, however about sustaining a set of flows that allow totally different shoppers with totally different IdPs to make use of an app. Constructing SSO with SAML requires numerous selections and enterprise logic, which doesn’t occur organically. Moreover, it’s finest follow to make sure there’s a couple of individual on workers who understands the SAML implementation. In any other case, if the dev leaves and nobody is aware of the protocols, it may get messy quick. And enterprises don’t wish to fiddle with SAML.

By far, SSO is crucial enterprise function to implement, so if there’s solely sufficient price range for one function, it needs to be SSO. It’s the gateway to promoting to a ton of corporations. Going deeper, distributors ought to think about whether or not any of the next can be of further profit to their SAML SSO implementation:

  • Listing integration
  • Computerized person lifecycle administration
  • Deprovisioning customers
  • Auto-login for audit compliance and e-retention
  • SOC 2 compliance
  • GDPR
  • Granular role-based entry management (RBAC)
  • Enterprise key administration (convey your personal key and encryption)

Earlier than leaping head first into constructing SSO, check out WorkOS. SSO is simply one of the features we provide with just some strains of code in your app. We keep tight integration with the most well-liked IdPs, have an easy-to-use administration panel that enterprises love, provide dwell synchronization with enterprise person directories, and make multi-factor authentication a breeze.

Tags: partnercontent, single sign-on

More Posts